WESTERN GOVERNORS UNIVERSITY
WGU D320 80 QUESTION VERSION (JYO2) LATEST
(CREATED JANUARY 2026/27. D320 - MANAGING CLOUD
SECURITY (WGU) ALREADY PASSED!! 2026/2027
MANAGING CLOUD SECURITY · Official Exam 2026/2027
80 QUESTIONS | 80% PASSING SCORE | CERTIFIED RECERTIFICATION
TABLE OF CONTENTS
Section 1 Cloud Concepts, Architecture, and Design Q1-Q16
Section 2 Cloud Data Security Q17-Q32
Section 3 Cloud Platform and Infrastructure Security Q33-Q48
Section 4 Cloud Application Security Q49-Q64
Section 5 Cloud Security Operations Q65-Q80
Instructions: Select the single best answer for each question. This exam is designed for WGU D320 Managing Cloud Security
preparation. Passing score: 80% (64 questions correct).
SECTION 1 | Cloud Concepts, Architecture, and Design | Q1-Q16
Q1 Question 1 of 80
A security analyst reviews a cloud application and discovers that user input is concatenated directly into SQL
queries without parameterization. The analyst recommends prepared statements. Which type of attack does
this vulnerability enable?
A. Cross-site scripting that executes malicious scripts in user browsers
B. Server-side request forgery that forces the server to make requests to internal resources
C. Cross-site request forgery that tricks users into performing unintended actions
D. SQL injection that manipulates database queries through unsanitized input
Correct Answer: D
Rationale:
Concatenating user input directly into SQL queries creates a SQL injection vulnerability, allowing attackers to
manipulate the query structure and access or modify unauthorized data. Prepared statements with parameterized
queries prevent this by separating query logic from user input.
Q2 Question 2 of 80
A penetration tester discovers that a cloud-hosted application exposes detailed error messages including
stack traces and database schema information when exceptions occur. The tester recommends implementing
custom error pages. Which security risk do detailed error messages create?
A. They provide attackers with internal application details that aid in crafting targeted attacks
B. They slow down application performance during error handling
C. They prevent users from understanding what went wrong with their requests
D. They increase storage requirements for application logs
Correct Answer: A
Rationale:
Detailed error messages including stack traces and database schema information provide attackers with valuable
intelligence about the application's internal structure, technology stack, and potential vulnerabilities. Custom error
pages prevent information leakage while still logging details for administrators.
Q3 Question 3 of 80
A cloud engineer needs to implement data-in-transit protection for API communications between a mobile
application and cloud services. The security requirements specify mutual authentication. Which protocol best
meets these requirements?
A. TLS with server-side certificates only for one-way authentication
B. SSH tunneling for secure remote access to cloud resources
C. IPSec with pre-shared keys for network-layer encryption
D. TLS with mutual authentication using both client and server certificates
Correct Answer: D
Rationale:
TLS with mutual authentication (mTLS) requires both the client and server to present certificates, providing
bidirectional authentication. This ensures that the client verifies the server's identity and the server verifies the client's
identity, meeting the requirement for mutual authentication.
Q4 Question 4 of 80
A cloud application uses OAuth 2.0 for API authentication. The security team discovers that the application is
using the implicit grant flow, which returns access tokens in the URL fragment. The team recommends
switching to the authorization code flow with PKCE. Why is the implicit flow considered insecure?
A. Access tokens exposed in the URL fragment can be intercepted through browser history or referrer
headers
B. The implicit flow requires client-side certificates that are difficult to manage
C. The implicit flow does not support refresh tokens for long-lived sessions
D. The implicit flow is slower than the authorization code flow for token acquisition
Correct Answer: A
Rationale:
The implicit grant flow returns access tokens in the URL fragment, which can be exposed through browser history,
referrer headers, or malicious browser extensions. The authorization code flow with PKCE returns tokens in a secure
server-to-server exchange, preventing token exposure to the client.
Q5 Question 5 of 80
A company migrating to the cloud wants to implement a key management solution that provides
hardware-level protection for encryption keys. The security architect recommends using a cloud hardware
security module. What is the primary advantage of an HSM over software-based key management?
A. HSMs are less expensive than software-based key management solutions
B. HSMs are compatible with all cloud service models without integration
C. HSMs automatically generate encryption keys without any configuration
D. HSMs provide tamper-resistant hardware that protects keys from extraction even by privileged
administrators
Correct Answer: D
Rationale:
Hardware Security Modules provide tamper-resistant physical protection for encryption keys, making it extremely
difficult even for privileged administrators or attackers with physical access to extract the keys. This hardware-level
isolation is the primary advantage over software-based key management.
Q6 Question 6 of 80
A cloud security team implements a web application firewall in front of a cloud-hosted application. The WAF is
configured with rules to block SQL injection, XSS, and file inclusion attacks. Which type of security control
does the WAF represent?
A. Preventive control that stops attacks before they reach the application
B. Detective control that identifies attacks after they have occurred
C. Corrective control that repairs damage caused by successful attacks
D. Deterrent control that discourages attackers from targeting the system
Correct Answer: A
Rationale:
A web application firewall with blocking rules acts as a preventive control by stopping known attack patterns before
they reach the application. When configured in detection-only mode, it would be a detective control, but with blocking
rules enabled, it prevents attacks in real time.
Q7 Question 7 of 80
A company evaluates a cloud provider and finds that the provider holds certifications for ISO 27001, SOC 2,
and FedRAMP. The company's compliance officer explains that these certifications demonstrate which aspect
of the provider's operations?
A. The provider has implemented and been audited against recognized security control frameworks
B. The provider guarantees zero security incidents across all customer environments
C. The provider is legally immune from data breach liability under international law
D. The provider encrypts all customer data by default with no exceptions
Correct Answer: A
Rationale:
Certifications like ISO 27001, SOC 2, and FedRAMP demonstrate that the cloud provider has implemented controls
aligned with recognized frameworks and has undergone independent audits to verify compliance. They do not
guarantee zero incidents or provide legal immunity.