Actual Practice Exam & WGU
Certification Preparation
DOMAIN 1: CLOUD ARCHITECTURE & SHARED RESPONSIBILITY (Q1-12)
1. According to the Cloud Security Alliance (CSA) shared responsibility model, which
security controls are ALWAYS the cloud customer's responsibility regardless of service
model (IaaS, PaaS, SaaS)?
A. Physical security of data centers
B. Network infrastructure security
C. Data classification and accountability
D. Hypervisor security
Correct Answer: C
Rationale: C is correct. Per CSA guidance, data classification, governance, and
accountability remain the customer's responsibility across all cloud service models
(IaaS, PaaS, SaaS). Physical security (A) and hypervisor security (D) are provider
responsibilities. Network security (B) varies by service model - more customer
responsibility in IaaS, less in SaaS.
2. A company uses AWS EC2 instances (IaaS) to host their application. Under the AWS
shared responsibility model, which security component is AWS's responsibility?
A. Operating system patches and updates
B. Application security and code vulnerabilities
C. Physical security of availability zones
D. Database encryption configuration
Correct Answer: C
Rationale: C is correct. In the AWS IaaS model, physical security of data centers (availability
zones) is always AWS's responsibility. OS patches (A), application security (B), and
database encryption (D) are customer responsibilities in IaaS. This delineation is critical
for proper security control implementation in cloud environments.
3. An organization is deploying a multi-cloud architecture using both AWS and Azure.
Which approach ensures consistent security policy enforcement across both platforms?
A. Configure security groups independently in each cloud
B. Use cloud-native security tools for each platform separately
C. Implement a Cloud Access Security Broker (CASB) for unified policy enforcement
D. Rely on each provider's default security configurations
Correct Answer: C
Rationale: C is correct. A Cloud Access Security Broker (CASB) provides unified security
policy enforcement, visibility, and compliance across multiple cloud platforms (AWS,
Azure, GCP). Independent configuration (A) leads to inconsistent policies and gaps.
Separate native tools (B) lack centralized control. Default configurations (D) are
insufficient and often insecure.
4. When migrating from on-premises to a public cloud IaaS environment, which security
concern is typically transferred to the cloud provider?
A. Application-level firewall configuration
B. Hardware maintenance and lifecycle management
C. Identity and access management policies
D. Data encryption key management
Correct Answer: C
Rationale: C is correct. In IaaS models, hardware maintenance and lifecycle
management (servers, storage, networking equipment) transfer to the cloud provider.
Application firewalls (A), IAM policies (C), and key management (D) remain customer
responsibilities. Understanding this transfer is essential for risk assessment and
security planning during cloud migration.
5. Under the CSA Cloud Controls Matrix (CCM), which domain addresses the security of
cloud infrastructure virtualization layers?
A. Application and Interface Security
B. Encryption and Key Management
C. Infrastructure and Virtualization Security
D. Security Incident Management
Correct Answer: C
Rationale: C is correct. CSA CCM Domain IV: Infrastructure and Virtualization Security
specifically addresses hypervisor security, virtual machine isolation, and network
segmentation in cloud environments. Application security (A) and encryption (B) are
separate domains. Incident management (D) covers response procedures, not
infrastructure virtualization.
6. A DevOps team is implementing infrastructure as code (IaC) using Terraform for AWS
deployments. Which security risk is most critical to address in the IaC templates?
A. Using hardcoded API keys in configuration files
B. Implementing least privilege IAM roles
C. Validating templates with automated security scanning tools
D. Enabling AWS CloudTrail for all regions
Correct Answer: C
Rationale: C is correct. Hardcoded credentials (secrets) in IaC templates represent a
critical security risk that can lead to unauthorized access and data breaches. Hardcoded
keys (A) violate security fundamentals. Least privilege (B) and CloudTrail (D) are
security controls but don't address the immediate vulnerability of exposed credentials in
code.
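As an added illustration of the risk in question 6 (this is example code, not part of the exam), a small scanner that flags hardcoded credentials in a Terraform provider block, shown against a version of the same block that takes its values from sensitive input variables. The Terraform snippets, the fake key values and the regular expressions are all constructed for this example.

```python
import re

# Constructed Terraform provider block with a hardcoded (fake) AWS key pair.
INSECURE_TF = '''
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
'''

# Same block with the credentials supplied at apply time via sensitive variables,
# so no secret material is committed with the template.
FIXED_TF = '''
variable "aws_access_key" { sensitive = true }
variable "aws_secret_key" { sensitive = true }

provider "aws" {
  region     = "us-east-1"
  access_key = var.aws_access_key
  secret_key = var.aws_secret_key
}
'''

# AWS access key IDs begin with AKIA or ASIA followed by 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r'\b(?:AKIA|ASIA)[A-Z0-9]{16}\b')
# A sensitive-looking attribute assigned a quoted string literal instead of a
# reference such as var.x or data.x; only the attribute names listed are checked.
LITERAL_SECRET = re.compile(
    r'^\s*(access_key|secret_key|password|token)\s*=\s*"([^"]*)"')


def scan_terraform(text):
    """Return (line_number, finding) tuples for hardcoded credentials in HCL text.

    Each line yields at most one finding; a key-ID match takes precedence.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if AWS_KEY_ID.search(line):
            findings.append((lineno, "aws_access_key_id literal"))
            continue
        m = LITERAL_SECRET.match(line)
        if m and m.group(2):
            findings.append((lineno, f"{m.group(1)} assigned a string literal"))
    return findings


if __name__ == "__main__":
    print("insecure:", scan_terraform(INSECURE_TF))  # two findings, lines 4 and 5
    print("fixed:   ", scan_terraform(FIXED_TF))     # []
```

In a real pipeline this check belongs in pre-commit and CI alongside a dedicated secrets scanner, so a template carrying a literal credential is rejected before it reaches the repository.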
7. According to NIST SP 800-144, which factor should organizations evaluate when
selecting a cloud deployment model (public, private, hybrid, community)?
A. Cost savings compared to on-premises only
B. Cloud provider market share and brand recognition
C. Data sensitivity, compliance requirements, and risk tolerance
D. Availability of free-tier services for testing