Security for CompTIA Cloud+
This page covers the Security domain of the CompTIA Cloud+ certification. Master Cybersecurity offers 44 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
A company just learned that the data in its object storage was accessed by an unauthorized party. Which of the following should the company have done to make the data unusable?
- A. The company should have switched from object storage to file storage.
- B. The company should have hashed the data.
- C. The company should have changed the file access permissions.
- D. The company should have encrypted the data at rest.
Explanation
The correct answer is: D. The company should have encrypted the data at rest.
Encrypting the data at rest using KMS-managed keys (AWS SSE-KMS, Azure Storage Service Encryption, GCP CMEK) renders the bytes unintelligible to anyone who reads them outside of an authorized decrypt call, so an unauthorized party who exfiltrated objects obtains only ciphertext; this satisfies NIST SP 800-53 SC-28 protection of information at rest. Switching from object to file storage changes the access protocol but does not by itself protect the data from unauthorized read. Hashing is a one-way operation suitable for verifying integrity or storing password digests; it cannot be reversed, so hashed data is also useless to its legitimate consumers and is not a confidentiality control for stored objects that must be retrieved. Changing file access permissions tightens authorization for future requests but does nothing for an exfiltration that already occurred and provides no protection if the access control itself is bypassed.
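The following is an added example, not part of the original question set: a small audit that classifies stored objects by how they are encrypted at rest, the kind of check an engineer runs after enabling KMS-backed default encryption to find objects written before the policy existed. The record shape mimics the fields an S3 HeadObject response carries (ServerSideEncryption, SSEKMSKeyId); the records, bucket keys and key ARN are constructed for this example. It goes one step beyond the explanation by distinguishing provider-managed SSE-S3 (AES256) from the expected customer-controlled KMS key, since only the latter gives the organization its own key policy and audit trail.

```python
# Added example (not part of the original page): audit constructed object
# metadata records for KMS-backed encryption at rest. Field names mimic an S3
# HeadObject response; every value below is constructed for this example.

EXPECTED_KMS_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder ARN

# Constructed sample inventory: what a bucket listing plus HeadObject might return.
SAMPLE_OBJECTS = [
    {"Key": "exports/customers-2024-01.csv", "ServerSideEncryption": "aws:kms",
     "SSEKMSKeyId": EXPECTED_KMS_KEY},
    {"Key": "exports/customers-2024-02.csv", "ServerSideEncryption": "AES256"},
    {"Key": "tmp/debug.log"},
    {"Key": "exports/legacy.csv", "ServerSideEncryption": "aws:kms",
     "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY"},
]


def classify_object(obj, expected_key=EXPECTED_KMS_KEY):
    """Return one of 'kms-ok', 'kms-wrong-key', 'sse-s3', 'unencrypted', 'unknown'.

    Only 'kms-ok' satisfies a policy that requires customer-controlled keys:
    SSE-S3 (AES256) encrypts the bytes but the provider holds the key, and an
    object encrypted under an unexpected key sits outside the key policy and
    CloudTrail decrypt history the organization set up for its own key.
    """
    sse = obj.get("ServerSideEncryption")
    if sse is None:
        return "unencrypted"
    if sse == "AES256":
        return "sse-s3"
    if sse == "aws:kms":
        return "kms-ok" if obj.get("SSEKMSKeyId") == expected_key else "kms-wrong-key"
    return "unknown"


def audit(objects, expected_key=EXPECTED_KMS_KEY):
    """Group object keys by classification so the gaps can be reviewed."""
    report = {}
    for obj in objects:
        report.setdefault(classify_object(obj, expected_key), []).append(obj["Key"])
    return report


def noncompliant(objects, expected_key=EXPECTED_KMS_KEY):
    """Keys that should be re-encrypted (copied in place under the expected key)."""
    return [o["Key"] for o in objects if classify_object(o, expected_key) != "kms-ok"]


if __name__ == "__main__":
    for status, keys in audit(SAMPLE_OBJECTS).items():
        print(f"{status:14s} {len(keys)}  {', '.join(keys)}")
```

The audit is detective; the preventive half is bucket default encryption with the same key plus a bucket policy that denies PutObject requests lacking the expected encryption header, so the list returned by noncompliant stays empty after the backfill.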
Question 2
A customer relationship management application, which is hosted in a public cloud IaaS network, is vulnerable to a remote command execution vulnerability. Which of the following is the best solution for the security engineer to implement to prevent the application from being exploited by basic attacks?
- A. IPS
- B. ACL
- C. DLP
- D. WAF
Explanation
The correct answer is: D. WAF.
A Web Application Firewall (WAF) is the right control to deploy in front of an internet-facing application that has a remote command execution vulnerability because it inspects HTTP requests at Layer 7 and applies rules from the OWASP Core Rule Set that block typical command injection payloads (suspicious shell characters, encoded operators, well-known exploit patterns) before they reach the vulnerable code. AWS WAF, Azure Front Door WAF, and Cloudflare WAF ship with managed rules specifically targeting these attack classes. An IPS inspects general network protocol traffic and may catch some attacks but lacks the HTTP-specific request parsing and rule sets that a WAF brings. An ACL filters only on IP and port and cannot read request bodies. DLP watches outbound traffic for sensitive content; it is irrelevant to blocking inbound exploit attempts against an application.
Question 3
A cloud engineer is reviewing the following Dockerfile to deploy a Python web application: Which of the following changes should the engineer make to the file to improve container security?
- A. Add the instruction USER nonroot.
- B. Change the version from latest to 3.11.
- C. Remove the ENTRYPOINT instruction.
- D. Ensure myapp/main.py is owned by root.
Explanation
The correct answer is: A. Add the instruction USER nonroot.
Adding a USER nonroot directive forces the container process to drop privileges so that the running application cannot perform host-level escalation actions, which is the single largest container-security improvement available in a Dockerfile and is explicitly called out by CIS Docker Benchmark 4.1 and NIST SP 800-190. Pinning the Python image from latest to 3.11 is a build-stability and reproducibility win and reduces drift surprises, but it does not by itself fix any concrete security weakness. Removing the ENTRYPOINT instruction breaks the container's launch behavior and contributes nothing to security. Ensuring application code is owned by root is the opposite of best practice; runtime files should be owned by the unprivileged user that runs the process, and the executable should not be writable by that user to prevent self-modification by a compromised process.
Question 4
Which of the following vulnerability management phases includes the process of discovering newly introduced security vulnerabilities?
- A. Scanning
- B. Identification
- C. Reporting
- D. Remediation
Explanation
The correct answer is: A. Scanning.
Scanning is the technical discovery phase of vulnerability management in which automated tools enumerate hosts, applications, and configurations to discover newly introduced security vulnerabilities; agents compare installed software versions and exposed services against feeds such as the NVD CVE list and vendor advisories. NIST SP 800-115 describes scanning as the primary detection activity. Identification is sometimes used interchangeably with scanning, but in many lifecycle models it is the broader phase that includes scanning plus other discovery sources (SBOM ingestion, threat intel, bug reports); when scanning is offered as a distinct option, it is the precise term for the discovery activity. Reporting is the communication of validated findings to stakeholders, not the discovery itself. Remediation is the corrective action that follows discovery and validation, applying patches or configuration changes to remove the underlying flaw.
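The following is an added example, not part of the original question set: the core of a scanner's discovery step, matching an agent-reported software inventory against an advisory feed and then taking the delta against the previous scan, which is what "newly introduced" means to a scheduled scan. The host inventory, the feed entries and the advisory identifiers (ADV-EXAMPLE-*) are constructed placeholders, not real CVE numbers or real fixed versions.

```python
# Added example (not part of the original page): version comparison against an
# advisory feed, the discovery activity that the scanning phase automates.
# Inventory, feed and advisory ids below are constructed for this example.


def parse_version(v):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically.
    Comparing the strings directly would rank '1.2.10' below '1.2.9'."""
    return tuple(int(p) for p in v.split("."))


# Constructed inventory: what an agent reports from each host (package -> version).
INVENTORY = {
    "web01": {"openssl": "3.0.1", "nginx": "1.25.3", "python3": "3.11.4"},
    "db01": {"openssl": "3.0.13", "postgresql": "15.6"},
    "app01": {"python3": "3.11.10", "nginx": "1.24.0"},
}

# Constructed advisory feed: an install is affected when its version is below 'fixed'.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "openssl", "fixed": "3.0.12", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "nginx", "fixed": "1.25.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-0003", "package": "python3", "fixed": "3.11.5", "severity": "low"},
]


def affected(installed, advisory):
    """True when the installed version predates the advisory's fixed version."""
    return parse_version(installed) < parse_version(advisory["fixed"])


def scan(inventory, advisories):
    """Return findings as (host, package, installed, advisory id, severity) tuples."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is not None and affected(installed, adv):
                findings.append((host, adv["package"], installed, adv["id"], adv["severity"]))
    return findings


def new_findings(previous, current):
    """Newly introduced vulnerabilities: findings present now that the last scan lacked.
    A new finding appears either because a feed entry was added or because a host
    changed (new package, downgraded version, new host)."""
    return sorted(set(current) - set(previous))


if __name__ == "__main__":
    for finding in scan(INVENTORY, ADVISORIES):
        print("%-6s %-10s %-8s %s (%s)" % finding)
```

The findings feed the later phases the explanation names: they are validated, reported with severity to the owning teams, and closed by remediation, after which the next scan's new_findings delta shows only what has changed since.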
Question 5
A healthcare organization must follow strict compliance requirements to ensure that PII is not leaked. The cloud administrator needs to ensure the cloud email system can support this requirement. Which of the following should the organization enable?
- A. IPS
- B. DLP
- C. ACL
- D. WAF
Explanation
The correct answer is: B. DLP.
Data Loss Prevention (DLP) is purpose-built to inspect outbound email traffic for sensitive content such as PII or PHI and block, quarantine, or encrypt it before it leaves the organization. Cloud email systems like Microsoft 365 and Google Workspace ship with DLP engines that recognize patterns (Social Security numbers, ICD-10 codes, member IDs) and enforce policies aligned with HIPAA Privacy Rule and Security Rule safeguards. An Intrusion Prevention System (IPS) inspects network protocol streams for known attacker behavior and signatures; it is not tuned to detect outbound content disclosures. An ACL is a coarse allow/deny rule on addresses and ports and cannot read message bodies. A Web Application Firewall (WAF) protects HTTP/HTTPS applications from web-layer attacks like SQLi and XSS; it has no role in inspecting outbound mail content for PII leakage.
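The following is an added example, not part of the original question set: a minimal outbound-mail DLP check of the kind the answer describes, with detectors for US Social Security numbers and a member-ID format, a per-detector policy (block or encrypt), and an exemption for mail that stays inside the organization. The internal domain, the member-ID format (MBR- plus eight digits), the policy table and the sample messages are all constructed for this example; a production engine would use the vendor's sensitive-information types. The SSN detector goes a step beyond a plain digit pattern by excluding ranges the SSA never issues, which is how real DLP rules keep false positives down.

```python
# Added example (not part of the original page): content inspection of outbound
# mail for PII, with a block/encrypt policy. Domain, ID format, policy and
# messages are constructed for this example.
import re

# US SSN: area-group-serial; exclude ranges never issued (area 000, 666, 900-999;
# group 00; serial 0000) so purchase orders and similar numbers do not fire.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Constructed member-ID format for this example: 'MBR-' plus 8 digits.
MEMBER_ID_RE = re.compile(r"\bMBR-\d{8}\b")

# Action taken per detector when a message leaves the organization.
POLICY = {"ssn": "block", "member_id": "encrypt"}
INTERNAL_DOMAIN = "example-health.test"  # constructed


def detect(text):
    """Return {detector: match_count} for the detectors that fired."""
    hits = {}
    for name, pattern in (("ssn", SSN_RE), ("member_id", MEMBER_ID_RE)):
        n = len(pattern.findall(text))
        if n:
            hits[name] = n
    return hits


def is_external(address):
    """A recipient outside the organization's own mail domain."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def evaluate(message):
    """Decide 'allow', 'encrypt' or 'block' for one outbound message.

    Mail with only internal recipients is allowed; for external recipients the
    most restrictive action among the fired detectors wins (block > encrypt).
    """
    hits = detect(message["subject"] + "\n" + message["body"])
    if not hits or not any(is_external(r) for r in message["to"]):
        return "allow", hits
    rank = {"encrypt": 1, "block": 2}
    action = max((POLICY[h] for h in hits), key=rank.__getitem__)
    return action, hits


# Constructed sample messages.
SAMPLES = [
    {"to": ["nurse@example-health.test"], "subject": "chart",
     "body": "Patient SSN 219-09-9999 on file."},
    {"to": ["vendor@partner.test"], "subject": "claims",
     "body": "Member MBR-00012345 claim attached."},
    {"to": ["vendor@partner.test"], "subject": "re: audit",
     "body": "SSN 219-09-9999, member MBR-00012345"},
    {"to": ["vendor@partner.test"], "subject": "order",
     "body": "PO 000-12-3456 shipped"},  # area 000 is never an SSN
]

if __name__ == "__main__":
    for m in SAMPLES:
        action, hits = evaluate(m)
        print(f"{action:8s} to={m['to']} hits={hits}")
```

Each decision should also be logged with the detector names and counts (never the matched values themselves), since the compliance requirement is satisfied only if the organization can show what was stopped as well as stop it.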
Other CompTIA Cloud+ domains
- Cloud Architecture (46 questions)
- Deployment (46 questions)
- DevOps Fundamentals (28 questions)
- Operations (53 questions)
- Troubleshooting (43 questions)