Back to the course
Test yourself

Advanced cloud security

Final exam · 60 questions · answers explained as you pick
Identity & access at scale
12 questions
01Workload identity federation (OIDC to a cloud) primarily replaces…
Incorrect — It still assumes a role — via a short-lived token, not a stored key.
Correct — The workload trades a static credential for an identity-scoped, expiring token.
Incorrect — Federation here is about workloads, not human MFA.
Incorrect — Logging is unrelated to how the workload authenticates.
02A permission boundary (AWS) or org/deny policy (GCP/Azure) sets…
Incorrect — That is billing, not IAM.
Correct — Policies grant; the boundary caps — safe delegation without escalation.
Incorrect — Duration is a session setting, not a ceiling on permissions.
Incorrect — Boundaries govern permissions, not region.
03When an explicit Deny and an Allow both match, cloud IAM…
Correct — Evaluation is deny-by-default with explicit Deny winning.
Incorrect — Breadth never beats an explicit Deny.
Incorrect — Recency is not a factor in evaluation.
Incorrect — There is no partial merge; Deny wins outright.
04A landing-zone, multi-account structure improves security mainly by…
Incorrect — Cost is a side effect, not the security goal.
Correct — A compromise in one account is bounded; SCP/Org Policy caps every account.
Incorrect — Each account still needs IAM; there is just cleaner separation.
Incorrect — A shared root is the opposite of isolation.
05An IAM access analyzer / policy simulator is used to…
Incorrect — It analyzes access, it does not encrypt.
Incorrect — Performance is unrelated.
Correct — You find who can reach a resource, and how privileges chain, before an attacker does.
Incorrect — Rotation is a separate mechanism.
06Scoping a CI federation trust to a specific repo and branch prevents…
Incorrect — Performance is not the concern.
Correct — The token subject claim must satisfy your trust conditions.
Incorrect — The role assumption is still logged.
Incorrect — You still use a role, just tightly trusted.
07Cross-account access is best granted by…
Incorrect — Sharing static keys defeats isolation and auditing.
Correct — Short-lived assumed-role sessions are logged and revocable.
Incorrect — Mutual admin is maximal blast radius.
Incorrect — Removing guardrails to grant access is backwards.
08Standing, always-on admin access is risky mainly because…
Correct — Elevate on demand, with approval and expiry, instead of permanent privilege.
Incorrect — Speed is not the issue.
Incorrect — It can be logged; the problem is the standing exposure.
Incorrect — Standing access does not turn off MFA by itself.
09Human access to the cloud console at scale should go through…
Incorrect — Per-user credentials sprawl and drift.
Correct — People authenticate via the IdP; access is centrally managed and revoked.
Incorrect — Shared logins destroy attribution.
Incorrect — That is a guaranteed leak.
10Short-lived assumed-role sessions beat long-lived keys because…
Incorrect — Length is not the lever.
Correct — A captured session that already expired is a non-event.
Incorrect — They are logged like any API activity.
Incorrect — They are exactly a role assumption.
11A wildcard "Action: *" on "Resource: *" in a policy is dangerous because…
Correct — Scope actions and resources to what the principal actually needs.
Incorrect — Evaluation cost is not the issue.
Incorrect — A boundary still caps it, but you should not rely on that.
Incorrect — It is not region-limited.
12The safest way for an app on a VM/pod to get cloud credentials is…
Incorrect — Baked keys leak with the image and never rotate.
Correct — No static secret ships; the platform issues short-lived credentials.
Incorrect — Manual secrets are stale and leak-prone.
Incorrect — Config gets committed and copied.
12 questions · explanations appear as you answer
Network & data-plane security
12 questions
01PrivateLink / Private Service Connect lets you…
Incorrect — It does the opposite — keeps traffic private.
Correct — The data plane stays on the cloud backbone, not the open internet.
Incorrect — It is about connectivity, not storage encryption.
Incorrect — Network privacy is not an authorization control.
02Controlling egress (not just ingress) matters because…
Correct — Default-open outbound lets a compromised workload phone home freely.
Incorrect — Performance is not the point.
Incorrect — Ingress is filtered too; egress is the commonly-neglected half.
Incorrect — Egress control and TLS are complementary.
03An egress proxy with an allowlist is used to…
Incorrect — Caching is a side benefit, not the security purpose.
Correct — Unapproved egress is blocked and visible.
Incorrect — That is an ingress/load-balancer role.
Incorrect — Proxies do not grant IAM.
04Network segmentation limits an attacker by…
Incorrect — That is TLS; segmentation is about reachability.
Correct — A foothold in one segment cannot reach everything.
Incorrect — Speed is not the goal.
Incorrect — You still log; segmentation reduces reach.
05A security group / NSG is fundamentally…
Correct — Deny-by-default; you open only what is needed.
Incorrect — It filters traffic; it does not store keys.
Incorrect — It governs network flows, not API permissions.
Incorrect — It is not a resolver.
06DNS filtering contributes to security by…
Incorrect — Encryption (DoH/DoT) is separate from filtering.
Correct — It cuts off C2/exfil domains and gives visibility.
Incorrect — Speed is not the purpose.
Incorrect — That is DHCP/IPAM, not filtering.
07Service-mesh mTLS gives workloads…
Incorrect — The mesh runs its own internal CA.
Correct — Both sides prove identity; certs are short-lived and auto-rotated.
Incorrect — It does not change egress policy.
Incorrect — mTLS protects traffic in transit.
08Terminating TLS at the edge but leaving the internal hop plaintext…
Correct — Prefer TLS/mTLS end-to-end; internal networks are not inherently safe.
Incorrect — Assuming the internal network is trusted is a classic mistake.
Incorrect — Nothing encrypts it if the hop is plaintext.
Incorrect — mTLS is precisely about encrypting that internal hop.
09A default VPC with public subnets for everything is risky because…
Incorrect — Performance is not the concern.
Correct — Private subnets plus deliberate egress shrink the attack surface.
Incorrect — Networking does not turn off IAM.
Incorrect — Security groups still apply.
10Placing databases in private subnets means…
Correct — You remove the public attack surface on the data tier.
Incorrect — Backups work fine privately.
Incorrect — Auth is still required.
Incorrect — Encryption is a separate setting.
11A WAF in front of an app primarily…
Incorrect — It complements, not replaces, segmentation.
Correct — It is a layer-7 control, not a substitute for secure code.
Incorrect — It inspects HTTP; it does not encrypt storage.
Incorrect — Unrelated to identity.
12Flow logs (VPC flow logs) are valuable for…
Incorrect — They record; they do not enforce.
Correct — They reconstruct network activity after the fact.
Incorrect — They are logs, not crypto.
Incorrect — Unrelated to addressing.
12 questions · explanations appear as you answer
Encryption, keys & secrets
12 questions
01Envelope encryption means…
Incorrect — It uses a two-tier key hierarchy, not double-encryption with one key.
Correct — You store the wrapped data key beside the ciphertext; only KMS can unwrap it.
Incorrect — The payload is what gets encrypted.
Incorrect — Encoding is not encryption.
02A KMS key policy / IAM on the CMK controls…
Correct — Even a bucket reader cannot decrypt without key permissions.
Incorrect — It governs access, not just the cipher.
Incorrect — It is not a networking control.
Incorrect — Unrelated to logging config.
03Separating the key admin from the data admin (dual control) prevents…
Incorrect — Performance is not the point.
Correct — Two independent permissions must be held to get plaintext.
Incorrect — It does not block rotation.
Incorrect — Both actions are still logged.
04Customer-managed keys (CMK/CMEK) over provider-default keys give you…
Correct — Disabling the key renders the data unreadable — a powerful kill switch.
Incorrect — Throughput is comparable.
Incorrect — Key policies are IAM.
Incorrect — The opposite — you gain tighter control.
05BYOK (bring your own key) primarily addresses…
Incorrect — Not a performance feature.
Correct — You can prove custody and, with HYOK, retain the ability to withdraw it.
Incorrect — It is about how keys are sourced, not removing crypto.
Incorrect — It concerns your own key material, kept controlled.
06An HSM (FIPS 140-2/3) is used when you need…
Correct — Regulated workloads often require hardware-backed, non-exportable keys.
Incorrect — HSMs are not a cost optimization.
Incorrect — Unrelated to the network.
Incorrect — It manages keys, not logs.
07Rotating a KMS master key does NOT require re-encrypting all data because…
Correct — Envelope encryption makes rotation cheap and non-disruptive.
Incorrect — It is encrypted — that is the point.
Incorrect — Master keys are never public.
Incorrect — Old data remains readable across rotations.
08A cloud secrets manager over a KMS-encrypted config file adds…
Incorrect — The manager adds lifecycle features a static file lacks.
Correct — Secrets become a governed resource, not a file to copy.
Incorrect — That is not the value proposition.
Incorrect — The opposite — access is tightly controlled.
09Automatic secret rotation reduces risk because…
Correct — Short validity shrinks the exposure of any single leak.
Incorrect — Length is not the mechanism.
Incorrect — The manager is what performs rotation.
Incorrect — Rotations are logged.
10Encryption at rest with a provider-default key still leaves which gap?
Incorrect — You do not control the key policy or revocation.
Correct — Customer-managed keys close that gap.
Incorrect — It is encrypted, just with a provider-owned key.
Incorrect — Backups are unaffected.
11Storing a KMS-wrapped data key next to the ciphertext is…
Correct — That is the intended envelope-encryption pattern.
Incorrect — The stored key is encrypted, not plaintext.
Incorrect — It is the standard approach.
Incorrect — It applies to sensitive data by design.
12Field-level (application) encryption on top of at-rest encryption helps when…
Incorrect — It usually adds overhead, not speed.
Correct — You narrow who can ever see the plaintext of the most sensitive data.
Incorrect — Transit encryption is still needed.
Incorrect — It restricts, not shares.
12 questions · explanations appear as you answer
Detection, logging & response
12 questions
01The foundation of cloud detection and IR is…
Incorrect — Dashboards visualize; they are not the source of truth.
Correct — Without the trail you cannot reconstruct what happened.
Incorrect — Speed is unrelated to detection.
Incorrect — That increases risk, not detection.
02An organization-wide trail delivered to a separate logging account…
Correct — Segregating logs protects evidence integrity.
Incorrect — Not a performance measure.
Incorrect — Logs should still be encrypted and access-controlled.
Incorrect — It strengthens it.
03Making an audit-log bucket immutable (object-lock/retention) defends against…
Incorrect — Immutability is about integrity, not speed.
Correct — Write-once retention preserves the evidence trail.
Incorrect — It may raise cost, not lower it.
Incorrect — It protects logs, not IAM policy.
04Managed detection (GuardDuty / Security Command Center / Defender for Cloud) works by…
Incorrect — They mostly detect and alert, not inline-block.
Correct — They surface likely-malicious behavior for triage and response.
Incorrect — Not their function.
Incorrect — Unrelated to detection.
05Alert quality matters because…
Correct — Tune, dedupe, and prioritize so responders act on what matters.
Incorrect — Volume without signal degrades response.
Incorrect — Alerts are signals, not crypto.
Incorrect — That is not the primary reason.
06Routing findings into a pipeline (SIEM/SOAR) enables…
Incorrect — It adds correlation and automation, not just another view.
Correct — e.g. auto-isolate a resource or revoke a key on a high-severity finding.
Incorrect — You need the trail feeding it.
Incorrect — Findings stay internal.
07On a confirmed compromised cloud credential, the first action is…
Incorrect — Destroying everything is not measured containment.
Correct — Contain first; the trail tells you the blast radius.
Incorrect — Too broad and slow for the immediate threat.
Incorrect — Active compromise is not backlog work.
08Isolating a compromised instance for forensics means…
Correct — You contain and capture evidence rather than destroying it.
Incorrect — Deletion destroys the evidence you need.
Incorrect — A reboot can wipe volatile evidence.
Incorrect — That would worsen exposure.
09Pre-written IR runbooks matter because…
Incorrect — They use the trail; they do not replace it.
Correct — Speed and correctness come from practice, not invention mid-incident.
Incorrect — Runbooks are procedures, not crypto.
Incorrect — Cost is not their purpose.
10A "detection as code" approach means…
Correct — Rules become auditable, repeatable, and hard to silently weaken.
Incorrect — They are developed and tested like any code.
Incorrect — The opposite — rules are codified.
Incorrect — It improves alerting, not removes it.
11Honeytokens (canary credentials) are useful because…
Incorrect — They grant nothing — they only signal use.
Correct — A triggered canary is a near-certain intrusion indicator.
Incorrect — They are decoys, not crypto.
Incorrect — They add a signal, not throughput.
12Metric-based alerting on anomalous API calls (e.g. mass GetObject, DisableKey) catches…
Correct — A permitted action at abnormal volume/pattern is the tell.
Incorrect — It covers control-plane behavior too.
Incorrect — Behavioral signals are highly valuable.
Incorrect — It is far broader than that.
12 questions · explanations appear as you answer
Posture, compliance & workloads
12 questions
01CSPM (cloud security posture management) primarily…
Incorrect — That is a network control, not posture management.
Correct — It flags the public bucket or open group before an attacker finds it.
Incorrect — It assesses config; it does not encrypt.
Incorrect — That is PKI, not CSPM.
02Configuration drift is a security signal because…
Correct — Detecting drift from the approved baseline catches both.
Incorrect — Drift is not a performance indicator.
Incorrect — Unexplained change is exactly what you watch for.
Incorrect — It can directly weaken security posture.
03CIS benchmarks provide…
Incorrect — They are configuration guidance, not a protocol.
Correct — They turn "secure config" into checkable, standard controls.
Incorrect — Not a cipher.
Incorrect — They are standards, not identities.
04Scanning IaC (Terraform/CloudFormation) before deploy…
Correct — Shift-left posture: the public bucket is blocked in the PR, not in prod.
Incorrect — It complements, not replaces, runtime controls.
Incorrect — Scanning does not encrypt.
Incorrect — Fixing in review is far cheaper than in prod.
05A container workload should run with…
Incorrect — Shared broad roles maximize blast radius.
Correct — Per-workload identity limits what a compromised container can reach.
Incorrect — That defeats isolation.
Incorrect — Static mounted keys leak and never rotate.
06Runtime workload protection detects…
Correct — It catches post-exploitation activity image scanning cannot see.
Incorrect — That is image scanning; runtime is behavior at execution.
Incorrect — That is CSPM/IAM analysis.
Incorrect — Runtime behavior is precisely its focus.
07Image provenance/signing (e.g. cosign) ensures…
Incorrect — Signing does not change runtime speed.
Correct — Admission verifies the signature before the workload runs.
Incorrect — Signing is about integrity/authenticity, not just encryption.
Incorrect — Auth is still required.
08Serverless (functions) security differs from VMs mainly in that…
Correct — No OS to patch, but over-broad roles and vulnerable deps dominate the risk.
Incorrect — They very much can, via inputs and permissions.
Incorrect — The execution role is the central control.
Incorrect — Vulnerable dependencies are a top risk.
09Guardrails as code (SCPs / Org Policy) differ from detective controls because they…
Correct — A preventive guardrail stops the misconfig from ever happening.
Incorrect — That is a detective/alerting control.
Incorrect — They act at request time, before the action.
Incorrect — They are hard limits accounts cannot cross.
10A "secure by default" landing zone means new accounts arrive with…
Incorrect — That leaves a window of exposure on every new account.
Correct — Security is provisioned with the account, not bolted on afterward.
Incorrect — That is maximal risk.
Incorrect — The opposite of secure defaults.
11Mapping controls to a compliance framework (e.g. SOC 2, PCI) is valuable because…
Correct — Automated posture checks become your audit evidence.
Incorrect — It documents and evidences them, not replaces them.
Incorrect — Frameworks are requirements, not crypto.
Incorrect — Done well, it drives real, evidenced control coverage.
12Least-privilege at the workload level is enforced by…
Incorrect — Uniform admin is the opposite of least privilege.
Correct — Tight per-workload roles cap what a compromise can touch.
Incorrect — IAM is how you enforce it.
Incorrect — Shared keys broaden blast radius.
12 questions · explanations appear as you answer