PT1


1. Which technology is generally required to build resource pools?

Virtualization
2. What is the key difference between traditional virtualization and cloud?
Orchestration
3. Which of the following is *not* a key potential benefit of cloud computing:
-Compliance
Agility
Resiliency
Economics
4. What business benefit(s) was Amazon attempting to realize when they
created their internal cloud computing program? Select all that apply.
Beat Microsoft
-Better match real-time capacity to fluctuating demand
-Faster time to deploy developer resources
Build a world-class public cloud computing platform
5. Resource pools permanently assign resources to a user.
False
6. Cloud computing supports scaling up of required resources, but not scaling down.
False
7. Which of the following appear in both the NIST and ISO/IEC cloud
computing definitions? Select all that apply.
8.

9. Services scaling out and scaling in quickly are an example of which essential characteristic of
cloud.
Resource Pooling
Measured Service
Broad Network Access
- Rapid Elasticity
On-Demand Self Service
10.

11. Which of the following is not an emergent property of resource pooling?


• Segmentation
• Isolation
• Governance
• Broad Network Access
12. Which service model would a cloud database be considered?
• Infrastructure as a Service
• Storage as a Service
© Platform as a Service
• Software as a Service
13. Software as a Service is always built on top of Platform as a Service which is always built on
Infrastructure as a Service.
False
14. Which of the following is most likely to be considered IaaS:
O A container registry
O A cloud message queue
• The cloud's management console
© A virtual machine
15. In IaaS, individual virtual machines use which kind of storage?
OVSTOR-based hardware
• The local hard drives on the servers
Virtual volumes from a storage pool
A database platform
16. Platform as a Service abstracts application platforms and platform components from
underlying resources, and can be built on top of IaaS.
True
17. Which of the following is not required to be considered SaaS?
• A complete application
• The essential characteristics
• Customer management of the underlying resources
• Underlying physical hardware
18.
19. If an organization uses a Community Cloud Deployment Model, some portion of the physical
infrastructure MUST be on-premises with one of the community members.
False
20. If an organization employs the technique of cloud bursting, which cloud deployment model
are they utilizing?
• Hybrid
• Proprietary
• Multi-Tenancy
Pass
21. Which element of the logical model describes the cloud management plane?
Applistructure
Infostructure
• Metastructure
• Infrastructure
22.
23. In which service model does the cloud consumer have the least amount of control over
security?
• Platform as a Service
- Infrastructure as a Service
• Security as a Service
• Software as a Service
24. In which cloud service model is the cloud consumer responsible for ensuring that the
hypervisor is not vulnerable to attack?
O Platform as a Service
• Infrastructure as a Service
• Software as a Service
• None of the above
25. When should you define the security controls when building a cloud deployment?
• Before selecting the provider
• After identifying requirements
• Before determining the service and deployment models gaps
© After identifying control gaps
26.

Module 2:
27. Cloud infrastructure security does not include the virtualization components.
False
28. Which of the following resource pools is not associated with IaaS:
• Network
-Compute
• Middleware
• Storage

30. Which of the following are typically in the underlying infrastructure of a cloud? (click all that
apply)
• API server
Database
© Hypervisors
Message queue
Identity service
-> All
31. Why is hardening infrastructure components so important?
O Clouds are sometimes based on common components that may contain vulnerabilities.
O All security is important
O Infrastructure components are most likely to be exposed to cloud consumers
This prevents the cloud provider from accessing cloud consumer data.
32.Which of the following physical networks is used for Internet to instance traffic?
Virtual
Service
• Storage
• Management
33. Why should cloud providers use multiple underlying physical networks?
Better isolation
Better performance
Resiliency
Cost management
34. Which virtual network technology is best suited for cloud?
v-flow
SDN
VLAN
• Token Ring
35. Virtual networks:
• Are more flexible, but more difficult to secure
Substitute for physical networks
Take fewer resources
• May include inherent security capabilities
36. Which is a defining characteristic of Software Defined Networks
O Uses OpenFlow
O Decouples the control plane from the underlying physical network
O Leverages packet tagging
• Autoscaling for resiliency
37. Which SD security capability often replaces the need for a physical or virtual appliance?
• Integrated isolation
O Lack of support for packet sniffing
• Default deny
• Security groups
38. The most effective way for an attacker to compromise a security group is to compromise
the host/virtual machine and then modify the rules. False
39. Which of the following is the most effective security barrier to contain blast radius?
© Cloud account/project/subscription
O Virtual network
• Virtual subnet (with or without ACLs)
O Security group
40. How does a virtual network affect network visibility?
O Virtual machines on the same physical host don't use the physical network
O An SD can provide more visibility than a physical network
O Virtual networks block packet capture for better isolation
O Virtual networks always encrypt traffic and break packet capturing
41.

42. What is the purpose of a bastion network/transit VPC?


-To better support multiple virtual networks and accounts in hybrid scenarios
-To better lock down a hybrid cloud
-To create a cloud DMZ
-To improve internal routing and IP address space availability
43. Which of the following is primarily a responsibility of the cloud provider?
• Configuring security groups
• Securing the underlying virtualization technology
O Correct configuration in the management plane
• Designing subnets, virtual networks, and ACLs
44. Of the following, which is the most important use case for the Software Defined
Perimeter?
• To secure hybrid networks
• To encrypt SDN traffic
• For federated network identity
• To improve and secure remote access
45. Which of the following are cloud workloads? Select all except Host servers
46.

47. Which of the following *most* impacts traditional workload security controls when applied
to cloud deployments?
Hypervisors
Serverless
© High volatility/rates of change
Low resiliency
Security groups
48. How can immutable workloads improve security?
• They eliminate error-prone manual management
• They better meet performance requirements
• They better support use of traditional security tools
• They scale for DDOS
49. Select the cloud workload security option that can most improve overall security and reduce
attack surface:
Store logs external to instances
• Use immutable as much as possible
Select cloud aware host security agents
Leverage existing/traditional vulnerability assessment tools
50. Which of the following is primarily a cloud consumer workload security responsibility?
O Volatile memory security
• Hypervisor security
• Underlying infrastructure security
• Monitoring and logging
51. Why is management plane security so critical?
• It is the best way for cloud consumers to protect themselves from hostile cloud provider
employees.
REST APIs are inherently insecure.
• It is the primary integration point for hybrid cloud.
Compromise of the management plane potentially compromises all cloud assets
52. Select the best option for authenticating to a cloud API

• Biometrics

• HTTP request signing

O Username/password

O TLS-MA

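Question 52's point is that request signing never puts the secret on the wire: the client proves possession of a key by computing an HMAC over a canonical form of the request, and the API recomputes it. The following is an added teaching example (not from the original page and not any provider's real algorithm) that follows the general shape of such schemes; the header names, canonicalisation rules and five-minute replay window are assumptions chosen for illustration, and the credentials are constructed.

```python
"""HMAC-based HTTP request signing, as used to authenticate to cloud APIs.

Added teaching example, not any provider's real algorithm. It follows the
general shape of schemes such as AWS Signature Version 4 (canonicalise the
request, HMAC it with a secret that never leaves the client, send only the
MAC), but the scheme label, header names, canonicalisation rules and replay
window here are assumptions chosen for illustration.
"""
import hashlib
import hmac
import time
from urllib.parse import quote

SCHEME = "EXAMPLE-HMAC-SHA256"   # assumed scheme label
MAX_SKEW_SECONDS = 300           # assumed replay window


def canonical_request(method, path, query, headers, body, timestamp):
    """Deterministic text describing the request.

    Query parameters and headers are sorted so both sides agree regardless
    of the order the HTTP library emits them; the body is hashed so large
    payloads do not bloat the string but are still covered by the MAC.
    """
    canon_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(query.items())
    )
    lowered = {k.lower().strip(): v.strip() for k, v in headers.items()}
    canon_headers = "\n".join(f"{k}:{lowered[k]}" for k in sorted(lowered))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, canon_query, canon_headers,
                      ";".join(sorted(lowered)), body_hash, str(timestamp)])


def sign_request(key_id, secret, method, path, query, headers, body, timestamp=None):
    """Client side: return the request headers with signature headers attached."""
    ts = int(time.time()) if timestamp is None else timestamp
    canon = canonical_request(method, path, query, headers, body, ts)
    mac = hmac.new(secret.encode(), canon.encode(), hashlib.sha256).hexdigest()
    signed = dict(headers)
    signed["X-Example-Date"] = str(ts)
    signed["Authorization"] = f"{SCHEME} KeyId={key_id}, Signature={mac}"
    return signed


def verify_request(key_store, method, path, query, headers, body, now=None):
    """Server side: recompute the MAC from the request as received.

    Returns (ok, reason). Rejects missing or malformed headers, unknown
    keys, stale timestamps (replay) and any mismatch; the comparison is
    constant-time so the check itself does not leak the expected MAC.
    """
    now = int(time.time()) if now is None else now
    received = dict(headers)
    auth = received.pop("Authorization", None)
    ts_header = received.pop("X-Example-Date", None)
    if auth is None or ts_header is None:
        return False, "missing signature headers"
    try:
        scheme, params = auth.split(" ", 1)
        fields = dict(p.strip().split("=", 1) for p in params.split(","))
        key_id, presented = fields["KeyId"], fields["Signature"]
        ts = int(ts_header)
    except (ValueError, KeyError):
        return False, "malformed Authorization header"
    if scheme != SCHEME:
        return False, "unsupported scheme"
    secret = key_store.get(key_id)
    if secret is None:
        return False, "unknown key id"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    canon = canonical_request(method, path, query, received, body, ts)
    expected = hmac.new(secret.encode(), canon.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


def demo():
    """Constructed scenario: a valid call, a tampered body, a replay, a reused signature."""
    key_store = {"AKIDEXAMPLE": "constructed-secret-do-not-use"}   # constructed credentials
    now = 1_700_000_000
    path, query = "/v1/security-groups", {"Version": "2023-01-01"}
    headers = {"Host": "api.example.invalid", "Content-Type": "application/json"}
    body = b'{"GroupId":"sg-0123","Action":"AuthorizeIngress","Cidr":"10.0.0.0/8"}'
    signed = sign_request("AKIDEXAMPLE", key_store["AKIDEXAMPLE"], "POST", path, query, headers, body, now)
    return {
        "valid": verify_request(key_store, "POST", path, query, signed, body, now + 10),
        # an on-path attacker rewrites the CIDR to the whole Internet
        "tampered_body": verify_request(key_store, "POST", path, query, signed,
                                        body.replace(b"10.0.0.0/8", b"0.0.0.0/0"), now + 10),
        # the same captured request resubmitted an hour later
        "replayed": verify_request(key_store, "POST", path, query, signed, body, now + 3600),
        # the captured signature reused with a different HTTP method
        "wrong_method": verify_request(key_store, "DELETE", path, query, signed, body, now + 10),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {result}")
```

Note that a leaked signed request is only useful to an attacker for the few minutes the timestamp window allows, and only for that exact request; this is what a static username/password cannot offer. Real cloud APIs also derive per-day or per-region signing keys from the secret and bind the signature to the service endpoint, which this illustration omits.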
53.
54. Multi factor authentication is the single most important management plane security
control. True
55. Identify one drawback to managing users in the management plane:
• High variability between cloud providers
O The reliance on RBAC
O Lack of SSO support
O Insufficient MFA support.
56. What is the role of a service administrator?
• To administer cloud platform/management plane users.
To isolate application security
• They are the core administrators for a cloud account.
• To administer a limited set of cloud services
57. Select the best option for management plane monitoring, when it is
available:
• Inherent cloud auditing, since it captures the most activity
• Inherent cloud auditing, since that offloads responsibility to the cloud provider
• Proxy-based auditing, since it eliminates the need to trust the cloud provider
• Proxy-based auditing, since it captures more activity.
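Questions 38, 51 and 57 together make one practical point: security group rules and audit settings are changed through the management plane API, not on the host, so the cloud's inherent audit trail is where an attacker's actions surface. The following added example (not from the original page) runs a few detection rules over constructed audit records; the record shape and the field and action names are a provider-neutral approximation and an assumption, not any provider's schema.

```python
"""Detection logic over management-plane audit events.

Added example, not from the original page. The record shape below is a
constructed, provider-neutral approximation of what a cloud's built-in
audit trail captures (actor, action, parameters, outcome); the field and
action names are assumptions, not any provider's schema.
"""
import ipaddress
import json

AUDIT_ALTERING = ("StopLogging", "DeleteTrail", "UpdateTrail")  # assumed action names


def is_world_open(cidr):
    """True when a CIDR admits every source address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def analyse_event(event):
    """Return (severity, description, actor) findings for one audit record."""
    findings = []
    action = event.get("action", "")
    actor = event.get("actor", {})
    name = actor.get("name", "<unknown>")
    params = event.get("request_parameters", {})
    outcome = event.get("outcome", "")

    # Q54: MFA is the key management plane control, so a successful
    # interactive login without it is worth an alert on its own.
    if action == "ConsoleLogin" and outcome == "Success" and not actor.get("mfa_authenticated", False):
        findings.append(("HIGH", "console login without MFA", name))

    # Q38: security group rules change through the management plane API,
    # not on the host, so the audit trail is exactly where the change appears.
    if action == "AuthorizeSecurityGroupIngress" and outcome == "Success":
        for rule in params.get("rules", []):
            if is_world_open(rule.get("cidr", "")):
                findings.append(("HIGH", f"security group {params.get('group_id')} opened to "
                                         f"the world on port {rule.get('port')}", name))

    # Q57: an attacker with management plane access will try to blind the
    # inherent audit trail; a success is critical, a denied attempt still matters.
    if action in AUDIT_ALTERING:
        if outcome == "Success":
            findings.append(("CRITICAL", f"audit logging altered ({action})", name))
        else:
            findings.append(("MEDIUM", f"failed attempt to alter audit logging ({action})", name))

    # Root/owner credentials should not be used for day-to-day API calls.
    if actor.get("type") == "Root" and action != "ConsoleLogin":
        findings.append(("MEDIUM", f"root credentials used for {action}", name))
    return findings


def analyse_log(lines):
    """Run the rules over newline-delimited JSON records, tolerating bad lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            findings.append(("LOW", "unparseable audit record", None))
            continue
        findings.extend(analyse_event(event))
    return findings


# Constructed sample records; not captured from any real environment.
SAMPLE_LOG = [
    '{"time":"2024-03-01T09:00:01Z","actor":{"type":"IAMUser","name":"alice","mfa_authenticated":true},"action":"ConsoleLogin","outcome":"Success"}',
    '{"time":"2024-03-01T09:02:11Z","actor":{"type":"IAMUser","name":"alice","mfa_authenticated":true},"action":"AuthorizeSecurityGroupIngress","outcome":"Success","request_parameters":{"group_id":"sg-0a1b","rules":[{"port":443,"cidr":"10.20.0.0/16"}]}}',
    '{"time":"2024-03-01T13:41:05Z","actor":{"type":"IAMUser","name":"svc-deploy","mfa_authenticated":false},"action":"ConsoleLogin","outcome":"Success"}',
    '{"time":"2024-03-01T13:42:30Z","actor":{"type":"IAMUser","name":"svc-deploy","mfa_authenticated":false},"action":"AuthorizeSecurityGroupIngress","outcome":"Success","request_parameters":{"group_id":"sg-0a1b","rules":[{"port":22,"cidr":"0.0.0.0/0"},{"port":3389,"cidr":"::/0"}]}}',
    '{"time":"2024-03-01T13:43:02Z","actor":{"type":"IAMUser","name":"svc-deploy","mfa_authenticated":false},"action":"StopLogging","outcome":"Success","request_parameters":{"trail":"org-trail"}}',
    '{"time":"2024-03-01T13:43:09Z","actor":{"type":"IAMUser","name":"svc-deploy"},"action":"StopLogging","outcome":"AccessDenied","request_parameters":{"trail":"org-trail"}}',
    '{"time":"2024-03-01T15:00:00Z","actor":{"type":"Root","name":"root"},"action":"CreateAccessKey","outcome":"Success"}',
    'this line is corrupt {',
]


if __name__ == "__main__":
    for severity, description, who in analyse_log(SAMPLE_LOG):
        print(f"[{severity:8s}] {who}: {description}")
```

The rules deliberately key on the outcome field: a denied StopLogging is still evidence of an actor probing for the blind spot, and a world-open ingress rule that was refused by policy is not a change at all. Both cases are easy to get wrong when a detection only looks at the action name.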
58. What is the single most important rule for cloud BC/DR?
O Architect for failure
O Use object storage for backups
O Snapshot regularly
© Use multiple cloud providers
59. Which is not a key aspect of cloud BC/DR?
• Continuity within the provider/platform
• Hypervisor resiliency
O Preparing for provider outages
O Portability
60.

61. Select a technique to manage continuity within the cloud provider.


• Data portability
• Multi-cloud provider plans
• Cross-location/region design
• Hybrid cloud backup
62. Select the governance tool that is most affected by the transition to cloud computing:
• Chart of accounts
• Mission statement
• Board of director reporting
• Compliance reporting
63. In terms of cloud computing and security... what is the primary governance role of a
contract?
Defines how you extend internal controls to the cloud provider
• Cost management
To define the data custodian
• Regulatory requirements
64. Does the shared responsibilities model define the contract or the contract define the shared
responsibilities model?
The contract defines the shared responsibilities model
• The shared responsibilities model defines the contract
65.

66. What is the responsibility of information risk management?


• Manage overall risk to the organization
• Determine the overall risk of cloud providers
• Align risk management to the tolerance of the data owner
• Eliminate all risks to information assets
67. Your risk assessment effort should be equal for all information assets
• False
68. In which service model does the cloud consumer have to rely most on what is in the
contract and documented to enforce and manage security?
• IaaS
• SaaS
• Hybrid
• PaaS
69. Under which conditions is managing risk similar for public and private cloud?
• The risk profiles are always the same
• No conditions; public cloud is always riskier
• When using a major public cloud provider
• When your private cloud is third party hosted and managed
70. Which do you need to rely more on to manage risks when using public cloud computing?
• Physical control of assets
• Consultants
• Testing instead of assessments and attestations
• Contracts and SLAs
71. What is critical when evaluating a cloud service within your risk management program?
Minimizing regional harm
• Accounting for the context of the information assets involved
• Eliminating all outsourcing risk
• Ensuring the provider's security program supports your existing on-premise tools
72. How can you manage risk if you can't negotiate a contract with the cloud provider?
• Obtain cyberinsurance
• Always choose a different provider
• Accept all potential risks
• Use compensating controls and your own risk mitigation mechanisms
73. Audits are only used to meet government regulatory requirements.
False
74. Cloud changes compliance. Select the statement that is incorrect:
• Metastructure/management may span jurisdictions even if data is localized
• There may be a greater reliance on third party audits
There are large variations between the compliance capabilities of different cloud providers
• The cloud provider is ultimately responsible for their customer's compliance
75. Which is *not* a source of compliance obligations?
• Contracts
• Legislation
© Internal Audits
• Industry Standards
76. Compliance inheritance means that an application built on top of a cloud provider's service
that is compliant with a regulation/standard is always guaranteed to be compliant.
• False
77. The Cloud Security Alliance Security Guidance provides:
• Legal Advice
• Legal Guidance
• Legal Recommendation
• Information you should discuss with your attorneys.
78. The Australian Privacy Act of 1988 can apply to Australian customers, even if the cloud
service provider is based elsewhere:
• True
79. What is the purpose of a data localization law?
• To require that all business documents be in the country's official language
To require service providers to register with the country's data protection commission
• To require company to hire only local workers
• To require that data about the country's citizens be stored in the country
80. Which of the following is correct?:
• GDPR Stands for "Government Data Privacy Rule".
• GDPR Establishes fines of $1,000 per credit card number compromised
GDPR prohibits the transfer of personal data outside the EU or EEA to a country that does not
offer similar privacy rights
GDPR requires that EU member states' national laws impose network requirements on
operators of essential services
81. The Federal Government in the United States does not directly address issues of data
privacy, but instead leave it up to the states to create laws that address privacy concerns:
• False
82. If a business is located outside the European Union it does not have to comply with the
privacy laws of the European Union
• False
83. In the United States, only entities that collect or process financial data or health data must
comply with privacy or security laws
• False
84. Which of the following is a standard?
• APPI
• COPPA
O PCI DSS
• GDPR
85. When selecting a cloud provider, if a provider won't negotiate a contract:
• Always choose another provider
Read the contract carefully, and consult with your advisors, to evaluate the terms and
understand the potential risks.
• Always trust the provider
• Contracts are not enforceable in cloud due to the wide range of jurisdictions
86.Cloud consumers are ultimately responsible for understanding the legal implications of using
a particular cloud provider and service.
True
87. A contract with a cloud service provider can fulfill all of the following except one
• Clarify what happens when the service is terminated
• Define the minimum security measures taken by the cloud provider
• Clarify whether metadata can be reused for secondary purposes
• Prevent a breach of security
• Clarify the price for the service
88. If you own the data, it is still possible for your SP to own the metadata:
• True
89. Which CSA tool maps cloud security control specifications to architectural relevance?
• STARWatch
• Consensus Assessment Initiative Questionnaire
• The Security, Trust and Assurance Registry (STAR)
• Cloud Controls Matrix
90. You are a cloud provider and struggling to respond to a large number of highly variable
customer RFP requests for security controls documentation. Which CSA document could you
instead complete and send to customers:
• Cloud Controls Matrix
• STARWatch
• The Security, Trust and Assurance Registry (STAR)
• Consensus Assessment Initiative Questionnaire
91. Where can cloud providers publish their CAIQ and other security/compliance documents to
help cloud prospects and customers assess the provider's current security posture?
• The Security, Trust and Assurance Registry (STAR)
• Google
• The United States Federal Register of Cloud Providers
• The AWS marketplace
92. Which CSA tool allows you to quickly search a provider's assessment for controls that map to
regulations you care about and see the responses to those controls?
CAIQ
• CCM
• STAR
• STARWatch
93. The CSA Cloud Controls Matrix v3.0.1 maps control specifications to FedRAMP High Impact
Level.
False
94.The CSA Cloud Controls Matrix v3.0.1 contains how many control specifications?
57
• 295
• 133
• 16
95. Why do cloud providers typically limit their customers' ability to directly assess and inspect
their facilities and services?
• Cost management
• To deter paying out bug bounties
On-site inspections can be a security risk, and remote assessments are hard to
distinguish from real attacks
• They are worried customers will find vulnerabilities and they will lose business
96. Audit scopes for any given standard, like an SSAE16 are always
consistent.
• True
• False
97. Select all the following sources that are considered artifacts of compliance
Change management details
System configuration details
Log files
Activity reports
98. Should you assess or review the audits of a cloud provider more or less frequently than
traditional outsourcers?
• More
• Less
