Exam-Style Questions with Detailed Rationales
SECTION A: CLOUD CONCEPTS & SHARED RESPONSIBILITY MODEL
Question 1 (MCQ – Remembering)
Which NIST essential characteristic of cloud computing enables a consumer to
unilaterally provision computing capabilities automatically without requiring human
interaction with each service provider?
A. Measured service
B. Rapid elasticity
C. On-demand self-service
D. Broad network access
Correct Answer: C – On-demand self-service allows consumers to provision resources
automatically without provider human interaction.
Rationale: On-demand self-service is defined by NIST SP 800-145 as the capability for
unilateral automatic provisioning. The primary distractor, rapid elasticity (B), refers to
the ability to scale resources outward and inward automatically, not the provisioning
mechanism itself.
Question 2 (MCQ – Understanding)
A healthcare startup deploys a patient portal application using a cloud provider's
managed database and application runtime environment, while the startup retains
responsibility for patient data classification, application code security, and user access
management. Which cloud service model is being described?
A. Infrastructure as a Service (IaaS)
B. Platform as a Service (PaaS)
C. Software as a Service (SaaS)
D. Function as a Service (FaaS)
Correct Answer: B – Platform as a Service (PaaS), where the CSP manages the runtime,
middleware, OS, and infrastructure, while the customer manages applications, data, and
user access.
Rationale: The scenario describes the classic PaaS shared responsibility split. Distractor
A (IaaS) is incorrect because in IaaS the customer also manages the OS, middleware,
and runtime.
Question 3 (Scenario-Based – Applying)
A financial services firm is migrating its trading platform to the cloud. The firm must
manage its own operating system patching, application security, and data encryption,
while the cloud provider manages the hypervisor, physical servers, storage, and
networking. Under which service model does this responsibility allocation fall?
A. SaaS
B. PaaS
C. IaaS
D. Private cloud
Correct Answer: C – Infrastructure as a Service (IaaS), where the CSP manages
virtualization, servers, storage, and networking, and the customer manages everything
above the hypervisor.
Rationale: The explicit customer responsibility for OS patching confirms IaaS. Distractor
B (PaaS) is incorrect because in PaaS the CSP, not the customer, manages the OS
patching.
Question 4 (MCQ – Remembering)
Which cloud deployment model is characterized by infrastructure provisioned for
exclusive use by a single organization comprising multiple consumers, and may be
owned, managed, and operated by the organization, a third party, or some combination?
A. Public cloud
B. Community cloud
C. Private cloud
D. Hybrid cloud
Correct Answer: C – Private cloud, per NIST SP 800-145, is provisioned for exclusive use
by a single organization.
Rationale: Private cloud is defined by exclusive single-organization use. Distractor D
(Hybrid cloud) involves two or more distinct cloud infrastructures bound by
standardized technology.
Question 5 (MCQ – Analyzing)
An organization using a SaaS email solution discovers that a misconfigured
administrative setting exposed employee mailboxes to external enumeration. The SaaS
vendor states that application security is their responsibility. Who is accountable for this
security failure?
A. The CSP alone, because SaaS application security is entirely their responsibility
B. The customer alone, because they configured the setting and manage user access
C. Both share accountability; the CSP secures the application, but the customer must
properly configure tenant-level settings and user access controls
D. Neither, because the contract specifies the CSP holds all liability
Correct Answer: C – In SaaS, the CSP secures the underlying application and
infrastructure, but the customer is responsible for tenant-level configuration, user
access management, and data classification.
Rationale: Shared responsibility in SaaS means the customer still owns identity, access,
and configuration of their tenant. Distractor A reflects a dangerous misconception that
SaaS absolves the customer of all security duties.
Question 6 (MCQ – Applying)
A Type 1 hypervisor runs directly on the host's hardware to control hardware and
manage guest operating systems. Which security concern is MOST critical when
multiple tenants share the same Type 1 hypervisor in a public cloud?