Q1. Which cloud service model provides the MOST management control? (Q-924449)
- A.SaaS
- B.PaaS
- C.IaaS✓ Correct
- D.FaaS
Explanation: IaaS provides the most control as customers manage OS and applications. Learn more.
CompTIA CySA+ Practice Questions: Cloud Security
45 free, exam-style CompTIA CySA+ (CS0-003) practice questions covering Cloud Security. Each question shows the correct answer and a clear explanation. Ready for the real thing? Take the full timed quiz below.
Q2. Which cloud security responsibility falls on the customer in an IaaS model? (Q-924482)
- A.Physical server maintenance
- B.Hypervisor patching
- C.Guest OS security✓ Correct
- D.Data center cooling
Explanation: In IaaS, customers manage guest OS security while the provider handles physical/hypervisor layers. Learn more.
Q3. Which AWS service provides centralized security logging? (Q-924487)
- A.EC2
- B.CloudTrail✓ Correct
- C.S3
- D.Lambda
Explanation: AWS CloudTrail logs API calls and account activity. Learn more.
Q4. Which Azure service provides secrets management? (Q-924490)
- A.Azure AD
- B.Key Vault✓ Correct
- C.Blob Storage
- D.Security Center
Explanation: Azure Key Vault stores and manages cryptographic keys, certificates, and secrets. Learn more.
Q5. Which AWS feature enforces resource tagging compliance? (Q-924492)
- A.IAM
- B.Config Rules✓ Correct
- C.Direct Connect
- D.Snowball
Explanation: AWS Config Rules automate compliance checks (e.g., required tags). Learn more.
Q6. Which Google Cloud service provides centralized logging? (Q-924495)
- A.Cloud Storage
- B.Cloud Logging✓ Correct
- C.Compute Engine
- D.Cloud DNS
Explanation: Google Cloud Logging aggregates logs across services. Learn more.
Q7. Which of the following is a risk of container image repositories? (Q-924496)
- A.High storage costs
- B.Malicious or outdated images✓ Correct
- C.Slow download speeds
- D.Complex user interfaces
Explanation: Public repositories may host compromised or vulnerable container images. Learn more.
Q8. What is the MAIN security benefit of ephemeral environments? (Q-628034)
- A.Reduced attack surface due to short lifespans✓ Correct
- B.Lower storage costs
- C.Simplified compliance audits
- D.Faster hardware performance
Explanation: Ephemeral systems are temporary, limiting persistent attack opportunities. Learn more.
Q9. Which AWS service detects unusual API activity? (Q-924499)
- A.GuardDuty✓ Correct
- B.S3
- C.Lambda
- D.ECR
Explanation: Amazon GuardDuty uses ML to detect anomalous API calls and compromised credentials. Learn more.
Q10. Which of the following is a risk of serverless architectures? (Q-924500)
- A.Over-provisioned resources
- B.Increased attack surface due to event triggers✓ Correct
- C.Physical server maintenance
- D.Complex cooling requirements
Explanation: Serverless functions triggered by events may expose new attack vectors. Learn more.
Q11. Which Azure service provides just-in-time VM access? (Q-924503)
- A.Azure AD
- B.Security Center✓ Correct
- C.Sentinel
- D.Monitor
Explanation: Azure Security Center's JIT access reduces exposure of management ports. Learn more.
Q12. What is the MAIN security benefit of immutable infrastructure? (Q-628040)
- A.Prevents configuration drift✓ Correct
- B.Reduces encryption needs
- C.Simplifies compliance audits
- D.Blocks phishing emails
Explanation: Immutable systems are replaced rather than modified, eliminating unauthorized changes. Learn more.
Q13. Which AWS service detects unused IAM permissions? (Q-924505)
- A.IAM Access Analyzer✓ Correct
- B.S3
- C.CloudFront
- D.RDS
Explanation: IAM Access Analyzer identifies unused permissions for least-privilege refinement. Learn more.
Q14. Which of the following is a risk of over-permissioned API keys? (Q-924506)
- A.Slower API response times
- B.Increased lateral movement if compromised✓ Correct
- C.Higher cloud storage costs
- D.Complex logging requirements
Explanation: Over-permissioned keys allow excessive access when leaked. Learn more.
Q15. What is the PRIMARY purpose of a cloud access security broker (CASB)? (Q-628044)
- A.To replace all firewalls
- B.To enforce security policies for cloud services✓ Correct
- C.To provide free cloud storage
- D.To train employees on coding
Explanation: CASBs act as gatekeepers between users and cloud apps, enforcing DLP, authentication, etc. Learn more.
Q16. Which Google Cloud service provides workload identity federation? (Q-924509)
- A.Cloud IAM✓ Correct
- B.Cloud DNS
- C.Cloud Storage
- D.Compute Engine
Explanation: Cloud IAM's workload identity federation allows external identity providers. Learn more.
Q17. Which of the following is a risk of infrastructure-as-code (IaC)? (Q-924510)
- A.Manual server provisioning
- B.Misconfigured cloud resources at scale✓ Correct
- C.Increased physical security requirements
- D.Slower deployment times
Explanation: IaC templates with errors can propagate insecure configurations rapidly. Learn more.
Q18. What does CWPP stand for in cloud security? (Q-628049)
- A.Cloud Workload Protection Platform✓ Correct
- B.Critical Web Protection Protocol
- C.Containerized Web Proxy Platform
- D.Cybersecurity Warning and Prevention Policy
Explanation: CWPPs secure workloads across VMs, containers, and serverless environments. Learn more.
Q19. Which AWS service provides managed rule-based policy evaluation? (Q-924513)
- A.Config✓ Correct
- B.S3
- C.EC2
- D.Lambda
Explanation: AWS Config evaluates resources against compliance rules. Learn more.
Q20. Which AWS service provides secrets rotation? (Q-924516)
- A.Secrets Manager✓ Correct
- B.S3
- C.EC2
- D.CloudFront
Explanation: AWS Secrets Manager automatically rotates database credentials and API keys. Learn more.
Q21. Which Azure service provides just-in-time network access control? (Q-924519)
- A.Azure Firewall
- B.Network Security Groups
- C.Just-In-Time VM Access✓ Correct
- D.DDoS Protection
Explanation: JIT VM Access in Azure Security Center temporarily opens management ports. Learn more.
Q22. Which Google Cloud service provides workload identity federation? (Q-924521)
- A.Cloud IAM✓ Correct
- B.Cloud Storage
- C.Cloud DNS
- D.Compute Engine
Explanation: Workload Identity Federation allows external identities to access GCP resources. Learn more.
Q23. What does CWPP stand for in cloud security? (Q-628059)
- A.Cloud Workload Protection Platform✓ Correct
- B.Critical Web Protection Protocol
- C.Containerized Web Proxy Platform
- D.Cybersecurity Warning and Prevention Policy
Explanation: CWPPs secure workloads across VMs, containers, and serverless. Learn more.
Q24. Which of the following is a risk of container orchestration tools? (Q-924524)
- A.Increased physical security requirements
- B.Exposed management APIs✓ Correct
- C.Slower deployment times
- D.Higher storage costs
Explanation: Kubernetes/Docker APIs may be misconfigured for unauthorized access. Learn more.
Q25. Which AWS service detects unused IAM permissions? (Q-924525)
- A.IAM Access Analyzer✓ Correct
- B.GuardDuty
- C.Macie
- D.Inspector
Explanation: IAM Access Analyzer identifies unused permissions for least privilege. Learn more.
Q26. Which Google Cloud service provides confidential computing? (Q-924527)
- A.Confidential VMs✓ Correct
- B.Cloud Storage
- C.Cloud DNS
- D.Compute Engine
Explanation: Confidential VMs use AMD SEV to encrypt memory during processing. Learn more.
Q27. Which of the following is a risk of infrastructure-as-code (IaC)? (Q-924528)
- A.Manual server provisioning
- B.Misconfigured cloud resources at scale✓ Correct
- C.Increased physical security requirements
- D.Slower deployment times
Explanation: IaC errors can propagate insecure configurations rapidly. Learn more.
Q28. What does CWPP stand for in cloud security? (Q-628067)
- A.Cloud Workload Protection Platform✓ Correct
- B.Critical Web Protection Protocol
- C.Containerized Web Proxy Platform
- D.Cybersecurity Warning and Prevention Policy
Explanation: CWPPs secure workloads across VMs, containers, and serverless. Learn more.
Q29. Which AWS service provides managed rule-based policy evaluation? (Q-924531)
- A.Config✓ Correct
- B.S3
- C.EC2
- D.Lambda
Explanation: AWS Config evaluates resources against compliance rules. Learn more.
Q30. Which AWS service detects unused IAM permissions? (Q-924533)
- A.IAM Access Analyzer✓ Correct
- B.GuardDuty
- C.Macie
- D.Inspector
Explanation: IAM Access Analyzer identifies unused permissions for least privilege. Learn more.
Q31. Which of the following is a risk of over-permissioned API keys? (Q-924534)
- A.Slower API response times
- B.Increased lateral movement if compromised✓ Correct
- C.Higher cloud storage costs
- D.Complex logging requirements
Explanation: Over-permissioned keys allow excessive access when leaked. Learn more.
Q32. What is the PRIMARY purpose of a cloud access security broker (CASB)? (Q-628072)
- A.To replace all firewalls
- B.To enforce security policies for cloud services✓ Correct
- C.To provide free cloud storage
- D.To train employees on coding
Explanation: CASBs act as gatekeepers between users and cloud apps. Learn more.
Q33. Which Google Cloud service provides workload identity federation? (Q-924537)
- A.Cloud IAM✓ Correct
- B.Cloud DNS
- C.Cloud Storage
- D.Compute Engine
Explanation: Workload Identity Federation allows external identities to access GCP resources. Learn more.
Q34. Which of the following is a risk of infrastructure-as-code (IaC)? (Q-924538)
- A.Manual server provisioning
- B.Misconfigured cloud resources at scale✓ Correct
- C.Increased physical security requirements
- D.Slower deployment times
Explanation: IaC templates with errors can propagate insecure configurations rapidly. Learn more.
Q35. What does CWPP stand for in cloud security? (Q-628077)
- A.Cloud Workload Protection Platform✓ Correct
- B.Critical Web Protection Protocol
- C.Containerized Web Proxy Platform
- D.Cybersecurity Warning and Prevention Policy
Explanation: CWPPs secure workloads across VMs, containers, and serverless. Learn more.
Q36. Which AWS service provides managed rule-based policy evaluation? (Q-924541)
- A.Config✓ Correct
- B.S3
- C.EC2
- D.Lambda
Explanation: AWS Config evaluates resources against compliance rules. Learn more.
Q37. Which AWS service detects unused IAM permissions? (Q-924543)
- A.IAM Access Analyzer✓ Correct
- B.GuardDuty
- C.Macie
- D.Inspector
Explanation: IAM Access Analyzer identifies unused permissions for least privilege. Learn more.
Q38. Which of the following is a risk of over-permissioned API keys? (Q-924544)
- A.Slower API response times
- B.Increased lateral movement if compromised✓ Correct
- C.Higher cloud storage costs
- D.Complex logging requirements
Explanation: Over-permissioned keys allow excessive access when leaked. Learn more.
Q39. What is the PRIMARY purpose of a cloud access security broker (CASB)? (Q-628082)
- A.To replace all firewalls
- B.To enforce security policies for cloud services✓ Correct
- C.To provide free cloud storage
- D.To train employees on coding
Explanation: CASBs act as gatekeepers between users and cloud apps. Learn more.
Q40. Which Google Cloud service provides workload identity federation? (Q-924547)
- A.Cloud IAM✓ Correct
- B.Cloud DNS
- C.Cloud Storage
- D.Compute Engine
Explanation: Workload Identity Federation allows external identities to access GCP resources. Learn more.
Q41. Which of the following is a risk of infrastructure-as-code (IaC)? (Q-924548)
- A.Manual server provisioning
- B.Misconfigured cloud resources at scale✓ Correct
- C.Increased physical security requirements
- D.Slower deployment times
Explanation: IaC templates with errors can propagate insecure configurations rapidly. Learn more.
Q42. Which cloud security posture management (CSPM) capability helps identify misconfigurations in cloud environments?
- A.Continuous compliance monitoring✓ Correct
- B.DDoS protection
- C.Web application firewall
- D.Endpoint detection
Explanation: CSPM tools continuously monitor cloud environments for compliance violations and misconfigurations. Learn more.
Q43. What is the primary function of a CASB (Cloud Access Security Broker)?
- A.To provide cloud storage
- B.To enforce security policies between cloud users and cloud providers✓ Correct
- C.To manage on-premise firewalls
- D.To encrypt local hard drives
Explanation: CASBs act as a gatekeeper, enforcing enterprise security policies as users access cloud-based resources. Learn more.
Q44. Cloud audit logs show API calls creating access keys from an unusual region. What is the best interpretation?
- A.Potential cloud account compromise✓ Correct
- B.Normal screen lock event
- C.Expected DHCP discovery
- D.Printer maintenance
Explanation: Unexpected identity and access API activity from unusual locations can indicate compromised cloud credentials. Learn more.
Q45. Which source is most useful for identifying successful and failed authentication attempts in a cloud tenant?
- A.Identity provider sign-in logs✓ Correct
- B.Printer usage report
- C.Local monitor settings
- D.Spreadsheet formulas
Explanation: Identity provider logs record authentication attempts, locations, devices, and conditional access outcomes. Learn more.
More CompTIA CySA+ practice topics
- Security Operations (64)
- Threat Management (53)
- Incident Response (44)
- Security Operations and Monitoring (32)
- Access Control (21)
- Network Security (18)
- Risk Management (17)
- Software Security (16)
- Data Security (14)
- Vulnerability Management (11)
- Cryptography (10)
- Compliance (9)
- Threat Intelligence (9)
- Threat Detection (7)
- Threat and Vulnerability Management (5)
- More Practice Questions (15)
- All CompTIA CySA+ topics →