Cloud Security Operations for CCSP

Sample Practice Questions

1. Question 1

   Which of the following roles is responsible for preparing systems for the cloud, administering and monitoring services, and managing inventory and assets?
   1. A. Cloud service business manager
   2. B. Cloud service deployment manager
   3. C. Cloud service operations manager
   4. D. Cloud service manager
   Explanation

   The correct answer is: C. Cloud service operations manager.

   Per the ISO/IEC 17789 cloud computing reference architecture, the cloud service operations manager is the role responsible for preparing systems for the cloud, administering and monitoring running services, and tracking inventory and assets so the service stays operational and accountable. The cloud service business manager focuses on commercial concerns such as offerings, customer relationships, and accounts. The cloud service deployment manager is responsible for designing and executing the deployment processes that put services into production, not the day-to-day operations afterward. The generic cloud service manager is a broader umbrella role over service management activities rather than the specific operational, monitoring, and asset-tracking duties described. Only the cloud service operations manager matches all three responsibilities in the question.

2. Question 2

   What is the best approach for dealing with services or utilities that are installed on a system but not needed to perform their desired function?
   1. A. Remove
   2. B. Monitor
   3. C. Disable
   4. D. Stop
   Explanation

   The correct answer is: A. Remove.

   The cleanest approach is to remove unused services and utilities entirely, because that eliminates the underlying code, configuration, and binaries that could be exploited, patched, or re-enabled in error. Removal also takes the service off the patching, monitoring, and audit treadmill, reducing operational cost. Disabling leaves the binaries and configuration on disk where they can be reactivated by an attacker, malware, or a misguided administrator and still demands ongoing patching. Stopping merely halts the current running instance; the service can restart automatically on reboot or through a dependency. Monitoring is appropriate when something must stay installed and active, but it does not address an installation that is not needed in the first place. Removal is therefore the strongest hardening action available.

3. Question 3

   Which of the following threat types can occur when baselines are not appropriately applied or unauthorized changes are made?
   1. A. Insecure direct object references
   2. B. Unvalidated redirects and forwards
   3. C. Security misconfiguration
   4. D. Sensitive data exposure
   Explanation

   The correct answer is: C. Security misconfiguration.

   Security misconfiguration is the OWASP-recognized weakness that arises when systems, applications, frameworks, or cloud services are deployed without the secure baseline being properly applied, when unauthorized changes drift a system away from that baseline, or when patches and hardening steps are skipped, leaving default credentials, open ports, or unnecessary services exposed. Insecure direct object references is an authorization flaw in which an application exposes internal object identifiers and fails to verify access rights; it is unrelated to baseline drift. Unvalidated redirects and forwards is an input-handling weakness used in phishing or open-redirect attacks. Sensitive data exposure stems from inadequate encryption or data-protection controls in transit and at rest. Only security misconfiguration directly maps to baselines not being applied or unauthorized changes being made.

4. Question 4

   Which of the following roles is responsible for gathering metrics on cloud services and managing cloud deployments and the deployment processes?
   1. A. Cloud service business manager
   2. B. Cloud service operations manager
   3. C. Cloud service manager
   4. D. Cloud service deployment manager
   Explanation

   The correct answer is: C. Cloud service manager.

   Within the ISO/IEC 17789 CCRA role taxonomy, the cloud service manager is the role that gathers service-level metrics on cloud offerings and oversees the deployment and deployment processes of those services as part of broader service governance. The cloud service business manager focuses on commercial and customer-account aspects rather than metrics gathering and deployment oversight. The cloud service operations manager runs the day-to-day administration, monitoring, and asset inventory of services once they are live, not the metrics gathering and deployment-process management. The cloud service deployment manager actually executes deployments but works under the broader service manager who is accountable for metrics and the deployment program as a whole. The combination of metrics gathering plus deployment management therefore points to the cloud service manager.

5. Question 5

   What is a standard configuration and policy set that is applied to systems and virtual machines called?
   1. A. Standardization
   2. B. Baseline
   3. C. Hardening
   4. D. Redline
   Explanation

   The correct answer is: B. Baseline.

   A baseline is the formally approved, standardized set of configurations and policies that the organization applies to physical systems, virtual machines, and cloud instances so that every deployed host starts from the same known-good state and any drift can be measured against it. Standardization is the broader concept of imposing uniformity across the organization, but the specific concrete artifact applied to systems is the baseline itself. Hardening is the activity of reducing attack surface, typically performed by applying a security baseline plus additional controls, but it is not the named artifact. Redline is not a recognized term for a configuration set in this context. Only baseline describes the standardized configuration-and-policy set applied to systems and virtual machines.

Other CCSP domains

• Cloud Application Security (71 questions)
• Cloud Concepts, Architecture, and Design (97 questions)
• Cloud Data Security (107 questions)
• Cloud Platform and Infrastructure Security (74 questions)
• Legal, Risk, and Compliance (115 questions)