CompTIA Cloud+ Cloud Security Controls Questions and Answers

Question 1

A cloud administrator needs to enforce security policies that govern how users interact with multiple SaaS applications.
The primary goals are to gain visibility into application usage, prevent sensitive data from being uploaded to unapproved cloud services, and enforce data loss prevention (DLP) policies.
Which of the following security controls is BEST suited for these requirements?

Accepted Answer

Cloud Access Security Broker (CASB)

Answer

Cloud Workload Protection Platform (CWPP)

Answer

Cloud Security Posture Management (CSPM)

Answer

Web Application Firewall (WAF)

Question 2

An organization has deployed a containerized application on a Kubernetes cluster in a public cloud. A security audit reveals that many containers are running with unnecessary root privileges, and there are no restrictions on network communication between pods. Which of the following security controls should be implemented to address these specific container security issues?

Accepted Answer

Enforcing role-based access control (RBAC) and network policies

Answer

Implementing a Cloud Security Posture Management (CSPM) tool

Answer

Deploying a host-based intrusion detection system (HIDS) on the worker nodes

Answer

Encrypting all data at rest using a key management service (KMS)

Question 3

A DevOps team is building a serverless application using function-as-a-service (FaaS). To maintain security, they need to ensure that sensitive information, such as API keys and database credentials, is not hard-coded in the function's source code or stored in environment variables. What is the MOST secure method for managing these secrets?

Accepted Answer

Pass the secrets as encrypted parameters through the API Gateway.

Answer

Store the secrets in an encrypted file within the deployment package.

Answer

Use a dedicated secrets management service like AWS Secrets Manager or Azure Key Vault.

Answer

Obfuscate the secrets within the function code.

Question 4

A security team wants to automate the detection of misconfigurations and compliance violations across their entire multi-cloud IaaS environment. Their goal is to continuously scan for issues like publicly accessible storage buckets, overly permissive IAM policies, and unused security groups. Which type of tool is specifically designed for this purpose?

Accepted Answer

Cloud Security Posture Management (CSPM)

Answer

Cloud Workload Protection Platform (CWPP)

Answer

Cloud Access Security Broker (CASB)

Answer

Security Information and Event Management (SIEM)

Question 5

According to the shared responsibility model for a Platform-as-a-Service (PaaS) offering, which of the following is typically the CUSTOMER'S responsibility to secure?

Accepted Answer

The applications and data deployed on the platform

Answer

The underlying physical servers and data center security

Answer

The operating system and patching of the platform's servers

Answer

The network infrastructure and hypervisor

Question 6

Which of the following describes a security tool that provides a unified solution by combining the capabilities of Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), and sometimes Cloud Infrastructure Entitlement Management (CIEM) into a single platform?

Accepted Answer

Cloud-Native Application Protection Platform (CNAPP)

Answer

Data Loss Prevention (DLP)

Answer

Next-Generation Firewall (NGFW)

Answer

Identity and Access Management (IAM)