Study Guide · CCSP

CCSP Cheat Sheet

804 entries · 36 chapters · 6 domains

Cloud Concepts, Architecture & Design

Cloud Computing Concepts

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

NIST SP 800-145 is the definition CCSP grades against

The exam settles "what is cloud" with NIST SP 800-145: on-demand network access to a shared pool of configurable resources, rapidly provisioned and released with minimal management. It fixes exactly five essential characteristics, three service models (IaaS, PaaS, SaaS), and four deployment models (public, private, community, hybrid). When a stem asks whether something qualifies as cloud, check it against this definition rather than any vendor description.

A service is cloud only if it shows all five essential characteristics

The five are on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. They are required together: drop any one and the offering is hosting or managed IT, not cloud, under the NIST test. Questions commonly describe a setup missing exactly one and ask which characteristic is absent.

Trap Treating high availability, automation, or security as a sixth NIST characteristic; availability is a shared consideration, not one of the five essential characteristics.

On-demand self-service means no human ticket to provision

On-demand self-service lets the consumer provision compute and storage automatically, without human interaction with the provider. The tell that it is absent is a required phone call, email, or support ticket to add capacity. If a stem says the customer must contact the provider to scale, this characteristic fails and the service is not cloud.

Resource pooling is the source of multi-tenancy and isolation risk

Resource pooling means the provider serves many consumers from one pool using a multi-tenant model, with physical location abstracted from the consumer. Because tenants share underlying hardware, pooling is the root of every tenant-isolation, data co-residency, and noisy-neighbor concern in the rest of the exam. Dedicated single-tenant hardware fails this characteristic.

Trap Assuming a single-tenant dedicated host still counts as cloud; without pooling it fails the NIST test even if it is virtualized.

4 questions test this
Rapid elasticity scales out and in, appearing unlimited

Rapid elasticity provisions and releases capacity quickly, often automatically, scaling outward and inward with demand so capacity appears effectively unlimited to the consumer. It is the characteristic that turns fixed capacity planning into scale-with-demand, and it is delivered by virtualization plus auto-scaling orchestration. A fixed pool that cannot shrink back down does not exhibit it.

1 question tests this
Measured service meters usage, enabling pay-per-use

Measured service monitors, controls, and reports resource usage, so billing matches consumption and both parties get transparency. It is what converts capital expense into metered operating expense, and its usage logs double as audit and anomaly-detection data. A flat fee unrelated to usage means measured service is absent.

Trap Reading a flat, usage-independent monthly fee as cloud pricing; without metering tied to consumption, measured service fails.

1 question tests this
Broad network access enlarges the attack surface

Broad network access means capabilities are reachable over the network through standard mechanisms across heterogeneous clients like laptops, phones, and thin clients. The same reach-from-anywhere property that defines it also widens exposure, which is why transport encryption and strong access control are baseline. It is about network reachability, not about bandwidth.

Cloud roles assign accountability for each control

CCSP names the cloud service customer (consumer) who uses the service, the cloud service provider who builds and operates it, the cloud service partner who supports either side, the cloud broker who acts as a value-adding commercial intermediary, and the cloud auditor who independently assesses controls. Naming the role is how a question pins who is responsible for a given duty.

Trap Confusing the cloud broker with a partner; the broker is specifically the value-adding intermediary in the commercial relationship, while partner is the broader supporting category that also includes auditors.

2 questions test this
The cloud auditor independently assesses, it does not operate

The cloud auditor is an oversight role that independently examines a provider's services and controls against a standard, producing an opinion rather than running anything. Distinguish it from the provider (operates the service) and the broker (intermediates the deal). A stem describing someone who evaluates controls but does not deliver the service is naming the auditor.

5 questions test this
Shared responsibility shifts up the stack from IaaS to SaaS

Security duties split between provider and customer by service model: the provider always secures the layers below the line and the customer the layers above, and the line climbs the stack as you move IaaS to PaaS to SaaS. In IaaS the customer owns the OS, runtime, and data; in PaaS the provider also takes OS and runtime; in SaaS the provider runs almost everything. Match the model to the line to settle who is accountable for an incident.

Trap Assuming the provider handles everything in SaaS; the customer still owns data, identities, and access configuration in every model.

1 question tests this
Data and identity are always the customer's responsibility

Two duties never transfer to the provider regardless of service model: classifying and protecting your own data, and managing your own identities and access. So a leaked record from a misconfigured sharing setting or a weak user credential is the customer's fault even in SaaS, where the provider runs the platform. Exam items that hand data protection to the provider in SaaS are wrong for this reason.

8 questions test this
Virtualization via the hypervisor is the foundation of pooling

A hypervisor abstracts one physical host into many isolated virtual machines, which is what makes resource pooling and elasticity possible. Type 1 (bare-metal) hypervisors run directly on hardware and host cloud tenant workloads; Type 2 (hosted) hypervisors run on a host OS and are desktop or lab tools. The hypervisor is a high-value target because compromising it reaches every tenant on that host.

Trap Picking a Type 2 hosted hypervisor as the basis of a multi-tenant cloud platform; clouds run Type 1 bare-metal hypervisors for tenant workloads.

18 questions test this
Containers share the kernel, so isolation is weaker than a VM

Containers isolate at the operating-system level and share the host kernel rather than emulating hardware, so they start in milliseconds and pack densely but provide weaker isolation than a full virtual machine. Choose them for lightweight, fast-scaling workloads while accepting that the shared kernel is the boundary an attacker would attack. A VM gives stronger isolation at the cost of weight.

Trap Assuming a container provides the same isolation strength as a VM; containers share the host kernel, so a kernel-level escape crosses the boundary.

5 questions test this
A VM escape breaks tenant isolation from the hypervisor up

A VM escape is when a workload breaks out of its virtual machine or container to reach the host or other tenants, the worst-case failure of multi-tenancy. It traces to the hypervisor (or shared kernel), the highest-value target in the virtualization block, because reaching it exposes every co-resident tenant. Mitigation centers on hardening and patching the hypervisor and on strong tenant isolation.

8 questions test this
Software-defined storage and networking are provisioned by API

In cloud, storage and networking are software-defined: capacity and connectivity are provisioned programmatically through APIs rather than by racking disks or cabling, which is what self-service and elasticity actually require. SDN separates the control plane that decides routing from the data plane that forwards traffic. The risk is that a single misconfigured API call, like a public storage bucket or an open security-group rule, exposes data at scale.

Orchestration and IaC make elasticity real but concentrate power

Orchestration automates provisioning, scaling, and teardown across the other building blocks, and modern practice expresses it as Infrastructure as Code: the whole environment defined in version-controlled templates. This is what makes rapid, automatic elasticity possible. Its risk is concentration: whoever controls the orchestration or IaC pipeline can build or destroy the entire estate, so that pipeline demands least privilege and change control.

Trap Treating the IaC or orchestration pipeline as low-risk plumbing; control of it is control of the whole environment, making it a prime target for privilege abuse.

Managed databases trade control for less operational burden

Managed database services push patching, backup, and replication to the provider, so the customer trades some low-level control for reduced operational work, and they come in relational and non-relational (NoSQL) forms. The provider taking patching does not remove the customer's duty to secure access and classify the data inside. Choose managed services when operational simplicity outweighs the need for full host control.

Cloud Reference Architecture

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

The service model fixes the customer/provider responsibility line

Across the layered stack (facility, hardware, virtualization, OS, runtime/middleware, application, data), IaaS hands you the guest OS and everything above it; PaaS keeps the OS and runtime and leaves you the application and data; SaaS keeps the whole application and leaves you only data and access configuration. Moving SaaS to PaaS to IaaS increases your control and your security burden while the provider's shrinks. This boundary is what answers nearly every 'who is responsible for which layer' question, with the shared-responsibility principle from cloud-computing-concepts as its backdrop.

Trap Assuming the provider patches the guest OS in IaaS; in IaaS the customer owns the OS and up, so OS patching is the customer's job.

3 questions test this
There are exactly three service models: SaaS, PaaS, IaaS

NIST SP 800-145 names three and only three service models. Newer 'as-a-service' marketing terms (FaaS for functions, DBaaS for databases, and so on) are subsets or refinements that the exam still slots under one of the three canonical models, usually PaaS. When asked to classify a managed runtime or function platform, place it in the closest NIST model rather than treating the marketing label as a fourth category.

Drop to PaaS or IaaS when a control needs OS-level access

Pick the highest service-model abstraction that still lets you meet your control obligations: SaaS minimizes operational burden but the provider owns the OS, kernel, and host network. When a requirement forces you to touch the operating system, kernel modules, or host stack, SaaS cannot satisfy it, so move down to PaaS or IaaS where the responsibility line sits below your requirement. The choice is driven by the lowest layer you must control, not by cost alone.

There are four NIST deployment models: public, private, community, hybrid

Public cloud pools resources across unrelated tenants on provider infrastructure; private cloud is provisioned for a single organization; community cloud is shared by organizations with a common concern such as a shared regulator or mission; hybrid binds two or more of these with technology that lets data and applications move between them. The deployment model answers who you share the tenancy boundary with, which is a different axis from the service model's responsibility line.

1 question tests this
Private cloud means single-tenant, not on-premises

A private cloud is defined by exclusive use by one organization, and it can be owned, managed, or operated by that organization, a third party, or both, located on or off premises. What makes it private is single-tenancy and the isolation that buys, not the physical location of the hardware. A provider-hosted environment dedicated to one customer is still a private cloud.

Trap Equating private cloud with on-premises data centers; a third-party-hosted single-tenant environment is also a private cloud.

5 questions test this
Community cloud is shared by organizations with a common concern

Community cloud is provisioned for exclusive use by a specific community of organizations that share a concern such as a mission, security requirement, policy, or compliance regime. The textbook example is a group of agencies under one regulator pooling a vetted environment to share both cost and a common control baseline. It sits between public (any tenant) and private (one tenant) on the tenancy axis.

3 questions test this
Hybrid cloud binds models together for data and app portability

Hybrid is two or more distinct deployment models joined by technology that enables data and application portability between them, the classic case being cloud bursting where a private workload spills into public capacity at peak. It is the standard answer when regulated or sensitive data must stay private while the rest of a workload needs public elasticity. The defining feature is the binding that lets work move across the boundary, not merely owning both a private and a public environment.

Multi-cloud is a strategy, not a fifth NIST deployment model

Using several public cloud providers at once is multi-cloud, a deployment strategy layered over the four NIST models rather than a model itself. Organizations adopt it to avoid single-provider dependency, to place each workload on its best-fit provider, or to meet data-residency needs, and they pay for it with extra identity federation, consistent-policy, and interoperability work across providers. Do not force multi-cloud into the public/private/hybrid/community taxonomy on the exam.

Trap Listing multi-cloud as one of the NIST deployment models; the four NIST models are public, private, community, and hybrid only.

Interoperability is systems working together, portability is moving the workload

Interoperability is the ability of systems to exchange data and work together through common standards while you stay on a provider; portability is the ability to move a workload or its data to another environment and run it with little rework. They are different knobs: open APIs give interoperability, open formats and container images give portability. High values of both are what reduce vendor lock-in.

Trap Using interoperability and portability interchangeably; interoperability is communicating between systems, portability is relocating the workload itself.

Reversibility is the verified clean-exit guarantee

Reversibility is the ability to retrieve all of your data and artifacts when leaving a provider and to have the provider verifiably delete its copies, so you can exit cleanly. It is a distinct shared consideration from portability: portability is whether the workload can run elsewhere, reversibility is whether you can fully extract and confirm deletion on the way out. Candidates most often forget reversibility exists as its own concept, so the exit clause in a contract is testing it.

SaaS carries the highest lock-in, portable IaaS images the lowest

Lock-in tracks how much of the stack you can take with you. SaaS is highest because you can export your data but not the provider's application; PaaS is in the middle because your code is tied to platform-specific APIs; IaaS workloads packaged as portable VM or container images are lowest because the whole unit relocates. Interoperability and portability are the two considerations you assess up front to keep that lock-in manageable.

SLAs make availability, performance, and remedies contractually measurable

Availability, resilience, and performance are shared considerations that set what service level you can commit to, and the service level agreement is where they become enforceable: it states the measurable target such as uptime percentage or response time and the remedy if it is missed. An SLA without a defined remedy or measurement method is not enforceable, so the exam treats the metric plus the consequence as the substance of the SLA.

Governance and auditability decide whether a deployment is defensible

Security, privacy, governance, maintenance, and auditability are the shared considerations that make a deployment defensible to an auditor: governance is the policy and oversight framework, auditability is the ability to produce evidence that a control operated, and privacy is the obligation specific to personal data. These apply across every service and deployment model, which is exactly why NIST calls them shared considerations rather than features of one product.

Confidential computing protects data in use inside an enclave

Confidential computing runs sensitive workloads inside a hardware-enforced trusted execution environment, or enclave, so data is protected while in use, closing the gap left by encryption that only covers data at rest and in transit. It is the control to reach for when the threat model includes the cloud operator, the host OS, or another tenant on the same hardware. The protected state it adds is in use, the one the traditional two states miss.

Trap Reaching for at-rest or in-transit encryption when the requirement is to protect data while it is being processed; that needs confidential computing's in-use protection.

Edge computing trades latency for a wider physical attack surface

Edge computing pushes processing close to where data is produced, at devices, sensors, or branch sites, to cut latency and bandwidth back to a central cloud. The security cost is that compute now lives on many nodes outside the protected data center, often physically accessible, which widens the attack surface and complicates patching and monitoring. Treat each edge node as an exposed endpoint rather than as a trusted data-center server.

Blockchain provides integrity and non-repudiation, not confidentiality

A blockchain is a distributed, tamper-evident ledger whose security value is integrity and non-repudiation: entries are chained and hard to alter without detection. It does not by itself provide confidentiality, since the ledger is typically shared and visible to participants. When a question frames blockchain as a confidentiality control it is steering you wrong; its strength is verifiable, append-only history.

Trap Selecting blockchain to keep data secret; a shared ledger gives integrity and non-repudiation, not confidentiality.

Quantum computing is the forward-looking threat to current public-key crypto

Large-scale quantum computers threaten today's public-key algorithms such as RSA and elliptic-curve, which is why cloud security roadmaps track post-quantum cryptography and crypto-agility (the ability to swap algorithms without re-architecting). The exam treats quantum as a future risk that motivates planning for algorithm migration now, not as a present-day operational control you deploy today.

The cloud carrier's role stays connectivity-and-transport across service models

In the NIST cloud computing reference architecture (SP 500-292) the cloud carrier is defined as the intermediary that provides connectivity and transport of cloud services between consumer and provider. Because its job is the network path rather than the application stack, its core responsibility (and the security concern that follows, protecting data in transit, e.g. via dedicated, encrypted connections per the SLA) stays the same whether the workload is IaaS, PaaS, or SaaS, whereas the consumer's and provider's responsibilities shift with the service model.

Trap Assuming the cloud provider or broker is model-independent because it 'always' operates the platform; the provider's duties expand or shrink as you move down the stack.

3 questions test this
Broker arbitrage picks providers dynamically; aggregation combines fixed ones

NIST SP 500-292 splits cloud broker services into three categories: service intermediation (the broker enhances a single service), service aggregation (it combines and integrates multiple fixed services into a new one with secure data movement), and service arbitrage (like aggregation but the underlying services are not fixed, so the broker can dynamically choose providers on price or performance).

Trap Calling dynamic, criteria-driven provider selection 'aggregation'; in aggregation the chosen services are fixed, arbitrage is the one that swaps them on the fly.

5 questions test this

Cloud Security Concepts

Read full chapter
  • Encryption protects you from the provider only if you hold the key
  • Cloud platforms wrap data with envelope encryption (DEK under a KEK)
  • Customer-managed keys give you rotation and revocation; provider-managed keys do not
  • Keep the key entirely outside the provider with BYOK/HYOK plus your own HSM
  • Key management spans the full lifecycle, and destruction is a control
  • Cloud media sanitization can't overwrite or shred shared drives, so crypto-erase is the option
  • Crypto-erase requires encryption first and no escrowed key
  • Identity is the cloud perimeter, so least privilege carries the weight
  • Govern three access subjects: user, privilege, and service
  • Use just-in-time elevation instead of standing admin rights
  • Require MFA on every privileged path
  • Zero trust means network location grants no trust
  • Security groups are stateful instance-level firewalls
  • Geofencing is a coarse filter that layers on top of identity, never replaces it
  • Micro-segmentation is how zero trust contains lateral movement
  • Crossing a tenant boundary is far worse than compromising one host
  • VMs isolate strongest; containers share the host kernel and isolate weaker
  • Ephemeral and serverless compute shrink the attack window rather than the wall
  • Patch elastic fleets by replacing immutable images, not in place
  • Baselining means a known-good config plus continuous drift detection
  • Misconfiguration is the leading cause of cloud breaches
  • Insecure interfaces and APIs make the whole cloud weak
  • Regulated key hardware is validated to FIPS 140-2 or 140-3
  • In federation the IdP authenticates the user and issues the signed assertion
  • SAML trust rests on signing assertions with the IdP's key and exchanging X.509 metadata
  • OAuth 2.0 is delegated authorization; OIDC adds the authentication layer on top
  • Zero trust splits the decision (PDP/PE) from the enforcement (PEP)
  • Silo isolates strongest at highest cost; pool plus row-level security is the cheap middle
  • Throttling, rate limiting, and quotas tame the noisy-neighbor tenant
  • Protect logs from tamper with hashing, signing, and immutable centralized storage
  • HSM-generated keys never leave in plaintext; mark them non-extractable
  • Rotating a key keeps the old versions so prior data still decrypts
  • NIST SP 800-57 key states are distinct from lifecycle functions

Unlock with Premium — includes all practice exams and the complete study guide.

Secure Cloud Design Principles

Read full chapter
  • The cloud secure data lifecycle has six phases in fixed order
  • Destroy data in the cloud by crypto-shredding, not by wiping media
  • At-rest encryption does nothing for data in the Use phase
  • The shared-responsibility line moves with the service model
  • Data and identity stay with the customer in every service model
  • In PaaS and SaaS the provider patches the OS; in IaaS you do
  • Size BC/DR from a business impact analysis, not from technology
  • RTO sizes recovery speed; RPO sizes acceptable data loss
  • Pick the cheapest recovery tier that meets the RTO/RPO
  • Test the DR plan; an untested plan is not a plan
  • Vendor lock-in is an availability risk, not just a commercial one
  • Portability, interoperability, and reversibility are distinct properties
  • Preserve portability with open formats, abstraction, and IaC
  • Put reversibility (data return and verified deletion) in the contract
  • Classic secure-design principles still govern cloud
  • Well-Architected security pillars are vendor-neutral principles
  • CSA Enterprise Architecture maps controls, it is not a product
  • Each pipeline stage runs its own DevSecOps control
  • The CSA Enterprise Architecture was built from TOGAF, ITIL, SABSA, and Jericho
  • CSA EA has four domains: BOSS, ITOS, TSS, and SRM
  • CSA EA's TSS domain stacks four layers from Presentation down to Infrastructure

Unlock with Premium — includes all practice exams and the complete study guide.

Cloud Service Provider Evaluation

Read full chapter
  • Evaluate a provider on independent evidence, not its own claims
  • Match the assurance artifact to the layer your question lives in
  • Who verified the claim is the sharpest axis on any artifact
  • SOC 2 is the security report; SOC 1 is for financial reporting
  • SOC 2 Type II beats Type I because it tests controls over time
  • SOC 3 is a public summary with no detailed test results
  • ISO/IEC 27001 certifies a managed ISMS, not a single control
  • ISO/IEC 27017 is cloud controls; 27018 is cloud PII protection
  • CSA STAR has two levels: self-assessment, then third-party audit
  • CCM is the control framework, CAIQ the questionnaire, STAR the registry
  • Use CSA STAR and CAIQ to screen many providers against one control set
  • Common Criteria's EAL measures evaluation rigor, not absolute security
  • FIPS 140-2/3 validates cryptographic modules at four security levels
  • An HSM for high-value keys typically targets FIPS 140-2/3 Level 3
  • FIPS 140-3 is the current standard, superseding 140-2
  • Confirm a crypto module runs in its validated FIPS-approved mode
  • Match a regulated workload to its specific mandate, then check scope
  • PCI DSS allows a self-assessment path or a QSA audit by volume
  • An attestation covers a fixed scope and a past window, not forever
  • A provider's attestation never discharges the customer's own duty
  • SLA service credits are usually the sole, capped remedy, not damages
  • Judge an SLA by actual historical uptime, not just the stated percentage
  • FedRAMP High is for severe-or-catastrophic-impact data and is continuously monitored
  • ISO/IEC 27036 is the supplier-relationship and supply-chain security standard
  • Under GDPR Article 28 a CSP needs controller consent for subprocessors and stays liable

Unlock with Premium — includes all practice exams and the complete study guide.

Cloud Data Security

Cloud Data Concepts

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

The CSA cloud data lifecycle has six phases in order

Create, Store, Use, Share, Archive, Destroy is the canonical CSA cloud data lifecycle, and the exam expects you to name them in that order. The phases are a logical sequence rather than a strict one-way clock, because data loops back: an archived record retrieved for an audit re-enters Use, and shared data is also in use. The point of the model is that each phase exposes data differently and so calls for a different control, which is what scenario questions are really testing.

2 questions test this
Classify data at Create, the earliest phase

A classification or label applied when data is first created travels with that data through every later phase, so Create is the correct answer when a stem asks where data should be classified. Tagging later means everything before the tag was handled at an unknown sensitivity, which you cannot retroactively fix. This is why classification belongs at the front of the lifecycle rather than at Store or Use.

Trap Choosing Store or Use as the phase to classify data; both are too late, leaving earlier handling done at an unknown sensitivity.

7 questions test this
Store and Archive are the data-at-rest phases

Store commits data to a repository and Archive moves it to long-term lower-cost storage, and both leave data at rest, so encryption at rest and access policy are the dominant controls. Archive adds a time dimension the regular Store phase does not: the encryption keys must outlive the retained data, and you must still be able to retrieve and decrypt records years later when a regulator or court asks.

Use is the data-in-use phase and the hardest to protect

During Use an application or person reads or processes the data, which means it must be in cleartext in memory for the CPU to operate on it, so encryption at rest and in transit do not help here. The controls that fit Use are fine-grained access control, masking of fields the user should not see, activity monitoring, and confidential-computing enclaves that keep data encrypted even while processed.

1 question tests this
Share is the phase where data crosses a trust boundary

Share is data moving to another user, tenant, partner, or region, the point where it can leave your control entirely, so it is the home of DLP, tokenization, information rights management, and encryption in transit. Treating Share as just another read misses that the recipient is outside your administrative control, which is exactly why egress-focused controls live here rather than at Use.

Trap Answering a Share scenario with only "encrypt the data"; encryption in transit protects the hop but does nothing once the outside recipient decrypts it, which is what DLP and IRM address.

1 question tests this
Destroy in the cloud means cryptographic erase

Because you do not own or control the physical disks in a public cloud, you cannot degauss or shred media, so the practical Destroy control is cryptographic erase: destroy the encryption keys and the remaining ciphertext is unrecoverable. This is the answer when a stem describes needing to permanently delete data in a multi-tenant environment where physical sanitization is impossible.

Trap Choosing degaussing or physical media destruction to delete cloud data; in a multi-tenant cloud you have no access to the underlying disks, so neither is available to you.

3 questions test this
Data dispersion scatters object fragments for durability

Data dispersion is the provider splitting a stored object into chunks, often adding parity or erasure-coding fragments, and spreading them across many disks, nodes, and availability zones so any single failure loses nothing. It is conceptually RAID stretched across a data center, and it is why cloud object stores advertise very high durability such as eleven nines. The security trade is that you lose precise knowledge of where each byte physically sits.

1 question tests this
Data dispersion is the threat behind data-residency requirements

Because dispersion lets the provider place fragments wherever it has capacity, you cannot prove a byte stayed inside a country, which directly conflicts with data-residency and sovereignty laws. The control is contractual and configurational rather than physical: pin the provider to a specific region or set of regions in the contract and service settings, so dispersion still happens but only within the boundary you allow. You cannot point a regulator at a specific drive, so the region constraint is the enforceable unit.

Trap Answering a residency requirement with "encrypt the data"; encrypted data sitting in the wrong jurisdiction still violates a sovereignty law, because the law restricts location, not readability.

1 question tests this
Dispersion is not replication and not sharding

Dispersion keeps individually-useless fragments that must be reassembled, which adds some confidentiality on top of durability. Replication keeps whole readable copies of an object in several places, so each copy is independently usable. Sharding splits database rows across nodes for scale and is a design choice you make, whereas dispersion is storage-layer behavior the provider runs underneath you. Exam stems blur these three to see whether you pick the fragment-scattering one.

Trap Calling whole-copy replication "dispersion"; replicas are independently readable, while dispersed fragments are useless until reassembled, so only the latter adds confidentiality.

1 question tests this
A data flow is the path data travels across its lifecycle

A data flow maps how data moves between services, tenants, regions, and outside parties, and mapping it is how you locate every point where data crosses a trust boundary into systems you do not control or a jurisdictional boundary into different laws. Those crossings are where the Share phase happens and where most data-loss and compliance failures begin, so the flow map turns a vague worry into specific checkpoints.

Map the data flow before placing DLP or residency controls

Data-flow mapping is an input to other controls rather than a control itself, so the correct first step when you need to protect where data can go is to map the flows, because a control placed without the map is a guess about where the data is. The map tells DLP which egress points to watch, tells discovery and classification where sensitive data travels, tells residency which hops leave the allowed region, and tells audit which events to log.

Trap Buying and deploying a DLP tool before mapping the flows; without knowing the egress points you cannot tell the tool what to watch, so you protect the wrong boundaries.

One record can occupy more than one lifecycle phase at once

The lifecycle phases are not mutually exclusive: data being shared with a partner is simultaneously being used, and an archived record retrieved for analysis is back in Use while still archived. Treating the model as a strict single-state machine leads you to apply only one control when a scenario actually spans two phases. Read the scenario for every activity happening to the data, not just the most obvious one.

Match the control to the lifecycle phase, not to the data type

The same record needs different protection depending on where it is in its life, so the reliable method for a scenario question is to identify the phase first and let the phase name the control family: classify at Create, encrypt at rest at Store and Archive, access control and masking at Use, DLP and IRM at Share, cryptographic erase at Destroy. This phase-first reading is what most cloud-data-concepts questions reward.

1 question tests this
Data residency and data sovereignty are not the same thing

Data residency means the data physically sits in a specified location, while data sovereignty means the data is also subject to the laws of the country it sits in, including that government's lawful-access powers. Constraining a provider region satisfies residency, but sovereignty can still bite if the provider is headquartered under a foreign disclosure law. The exam uses the distinction to test whether you treat "keep it in-region" as a complete answer to a sovereignty concern.

Trap Treating a region constraint as a full answer to data sovereignty; residency fixes physical location, but a provider subject to a foreign government's lawful-access law can still expose the data.

1 question tests this
Encrypt data before splitting and dispersing it so collected fragments stay unreadable

Bit splitting and data dispersion scatter fragments so no single storage node or CSP holds the whole dataset, protecting confidentiality across providers. Encrypting before fragmentation adds defense in depth: even an attacker who collects enough fragments to reconstruct recovers only ciphertext without the key. This is the standard way to get both CSP-proof confidentiality and (with erasure coding) fault tolerance in multi-cloud storage.

Trap Encrypting only after dispersal or relying on splitting alone — fragments reassembled by an attacker are readable unless the data was encrypted before it was split.

3 questions test this

Cloud Data Storage Architectures

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Classify cloud storage by service model first

Cloud storage types follow the service model, and that is what decides which control is yours: IaaS exposes volume and object storage (plus raw and ephemeral), PaaS exposes structured and unstructured storage, and SaaS exposes content and information storage in the application. Place the storage in IaaS, PaaS, or SaaS before reasoning about a fix, because the model tells you whether you even own a disk-level lever or only data and access.

Volume storage is block storage attached to one instance

Volume (block) storage presents a fixed-size disk to a single virtual machine, formatted with a filesystem, and is the home for boot drives, filesystems, and self-managed databases that need low-latency random read-write. Vendor examples are Amazon EBS, Azure managed disks, and Google Cloud persistent disks. It persists independently of the instance's run state, so stopping the VM does not lose it, unlike ephemeral storage.

Trap Putting a transactional database on object storage; object storage handles whole-object writes over an API, not the in-place random read-write a database filesystem needs.

Object storage is API-reached and internet-addressable

Object storage keeps each file as a self-contained object (data plus metadata plus a unique key) in a flat namespace reached by an HTTP API, not a mounted disk, and it scales effectively without limit. Vendor examples are Amazon S3, Azure Blob Storage, and Google Cloud Storage. It is the natural home for backups, static content, logs, and data lakes, and because objects are immutable you change one by writing a new version rather than editing in place.

Trap Treating an object store like a low-latency filesystem; it is reached by API for whole objects and is wrong for random in-place updates.

A public bucket is the signature object-storage threat

The most common cloud data exposure is an object store left readable to anyone by a misconfigured access policy. The control is least-privilege access policy and blocking public access at the account level, plus encryption at rest. This is an identity-and-policy failure, not a network failure, so the fix lives in the bucket policy and access settings, not a firewall.

Trap Reaching for a network ACL or firewall to fix a public bucket; the exposure is a permissions misconfiguration, so the answer is least-privilege access policy and blocking public access.

1 question tests this
Block-volume deletion risks data remanence

Deleted volumes and old snapshots can leave recoverable blocks behind, which is the data remanence threat for block storage. In a shared multi-tenant cloud you cannot physically destroy a disk, so the cloud-correct sanitization is cryptographic erasure: destroy the encryption key so the ciphertext is unrecoverable, following NIST SP 800-88 media-sanitization guidance. Snapshots are full copies with their own access controls, so they need the same protection as the source volume.

Trap Specifying physical media destruction (degaussing or shredding) to sanitize a cloud volume; you do not own the shared hardware, so cryptographic erasure is the applicable method.

1 question tests this
Ephemeral storage is wiped when the instance stops

Ephemeral (instance-local) storage is disk, RAM, and cache that exists only while the VM runs and is erased when the instance stops, terminates, or migrates to new hardware. AWS calls it an instance store. It is fast and free of network latency, which suits caches, scratch space, and temporary files, but it must never hold the only copy of data you need to keep. The testable contrast: a volume persists independently of the instance; ephemeral storage does not.

Trap Storing the only copy of durable data on instance-local storage; a stop, terminate, or host migration wipes it, so durable data belongs on block or object storage.

Raw storage is unmanaged device or LUN access

Raw storage is direct access to the underlying device or logical unit number (LUN) with no filesystem the cloud manages for you. It gives the most control and the most responsibility, and it exposes the disk at the lowest level, so low-level tampering and the burden of all higher-layer protections fall to you. The exam names it alongside long-term and ephemeral as a way data can be held, distinct from the managed volume and object services.

Match the persistence horizon: long-term, ephemeral, raw

Beyond the service model, the blueprint classifies storage by how long data lives and how it is held: long-term storage retains data for archival and compliance windows and so carries retention, deletion, and encryption-at-rest duties; ephemeral storage holds transient state that is fine to lose; raw storage is direct unmanaged device access. Each horizon changes the dominant threat, so map the data's lifetime to the tier before choosing controls.

PaaS structured storage is a managed database with a schema

Structured storage in PaaS is a managed database that enforces a defined schema and answers queries, covering managed relational engines (Amazon RDS, Azure SQL Database, Cloud SQL) and managed NoSQL stores (Amazon DynamoDB, Azure Cosmos DB). The provider patches and replicates the engine; you still own the schema, the data classification, the encryption keys, and the credentials. Its known shape makes structured data the easiest to discover and label.

Database storage is threatened by injection and over-broad credentials

The signature threats to structured (database) storage are SQL or NoSQL injection and credentials that grant more than the application needs. The controls are parameterized queries, least-privilege database accounts, encryption in transit, and secrets management for the credentials. An attacker reading other tenants' records through an application input points to injection against the database, fixed by input validation and least privilege, not by a storage-encryption change.

Trap Answering a search-box data-leak with encryption at rest; the breach is injection against a structured store, so the fix is parameterized queries and least-privilege accounts.

PaaS unstructured storage holds schemaless files

Unstructured storage in PaaS is the managed blob or bucket the platform gives your application for files with no schema: images, documents, logs, and media. It is the PaaS-managed cousin of IaaS object storage. Because the content is opaque, you cannot assume its sensitivity, so it must be scanned and classified after it lands, which makes data discovery harder than for structured stores.

Semi-structured data sits between structured and unstructured

Many real datasets are semi-structured: they carry tags or markers such as JSON or XML but no rigid table schema. For discovery and classification they fall between structured storage (known schema, easy to label) and unstructured storage (opaque, must be scanned), so treat them as needing markup-aware discovery rather than assuming either extreme.

SaaS gives content and information storage, no disk control

In SaaS the provider stores your data inside the application as content storage (the files and objects users upload and share) and information storage (the structured records and fields the app maintains). You have no volume to encrypt and no bucket policy to set, so disk-level controls are the provider's, and your storage levers collapse to classification, sharing and access settings, and identity.

Trap Assuming you can set disk encryption or a storage policy in SaaS; those are the provider's, and your controls are classification, sharing settings, and identity.

SaaS content storage is threatened by over-sharing and shadow data

The defining SaaS storage risk is over-sharing (links or permissions opened too widely) and shadow data, the exported or copied data that leaves the platform's visibility, rather than a misconfigured disk that you do not own. The levers are sharing-policy enforcement, identity, and data loss prevention, since you cannot lock down the underlying storage.

The storage model is the responsibility line

Which storage type you have also fixes who secures it: in IaaS you own encryption, access policy, and sanitization of volumes and objects; in PaaS the provider secures the storage engine while you keep the keys, classification, and access; in SaaS the provider owns nearly the whole storage stack and your only actionable storage problems are sharing and identity. This is why the exam asks 'which storage type, in which model' before it asks for a control.

Each storage type carries one signature threat to bind a control to

Threats are testable per storage type, not in the abstract: object storage fails through public access policies, block storage through data remanence, structured databases through injection, unstructured uploads through unscanned and unclassified data, ephemeral storage through silent data loss, and SaaS content through over-sharing. Pick the control from the type the question names rather than applying one blanket measure, because the distractor usually offers a control that fits a different storage type.

Trap Applying one blanket control to every storage type; the exam binds a specific threat to each type, so a control that fits a different type is the wrong answer.

1 question tests this
Reed-Solomon erasure coding RS(n,k) needs any k fragments to rebuild and tolerates n-k failures

Reed-Solomon erasure coding splits data into k data fragments plus parity for n total fragments. Any k of the n fragments reconstruct the original, so the system survives up to n-k simultaneous node failures (e.g., RS(14,10) tolerates 4). Compared with replication, erasure coding delivers equivalent fault tolerance at far lower storage overhead (roughly 50% vs 200% for three-way replication), which is why it suits large, rarely accessed archival datasets.

Trap Treating erasure coding as confidentiality — it provides durability and availability only; protecting fragments from a compromised CSP still requires encrypting the data first.

5 questions test this
A snapshot inherits its source volume's encryption key; changing it requires an encrypted copy

A snapshot of an encrypted block volume inherits the source's encryption state and uses the same KMS key by default, and volumes restored from it stay encrypted. To encrypt a snapshot taken from a previously unencrypted volume, or to share one cross-account, create a copy specifying encryption (and a key whose policy grants the partner account access) — you cannot change an existing snapshot's encryption in place.

Trap Assuming enabling encryption-by-default retroactively encrypts old snapshots — it applies only to new volumes and copies; existing unencrypted snapshots must be copied with encryption specified.

3 questions test this

Data Security Technologies & Strategies

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Sort data-protection techniques by reversibility and where the recovery secret lives

The whole 2.3 toolbox separates on one axis: can you recover the original, and what holds the secret that does it. Encryption is reversible and the secret is the key; tokenization is reversible and the secret is the token vault; static masking, anonymization, and hashing are one-way with no recovery secret at all. Place any stem's goal on that axis and the wrong family eliminates itself, which is exactly what the distractors bait you to miss.

Tokenization removes the real value from scope; encryption keeps it present but unreadable

Tokenization swaps a sensitive value for a surrogate with no mathematical link to the original and parks the real value in a separate vault, so systems holding only tokens leave compliance scope. Encryption leaves the real value in place as ciphertext, so the system is still processing regulated data and stays in scope, just protected. For PCI DSS scope reduction the answer turns on where the value lives, not on which is stronger.

Trap Reaching for encryption to take a system out of PCI DSS scope; the real value is still present as ciphertext, so the system remains in scope.

2 questions test this

A token is an arbitrary surrogate, not a transform of the input, so a leaked token reveals nothing and there is no algorithm to reverse it; recovery happens only by lookup in the hardened vault. That property, plus the separate vault, is what lets tokenization shrink the systems that handle real data. It is the opposite of format-preserving encryption, where the protected output is still derived from the value under a key.

Static masking writes a one-way safe copy; dynamic masking gates a live view by role

Static data masking irreversibly transforms production data into a sanitized copy for dev, test, or analytics, so the lower-trust environment never held real values. Dynamic masking leaves the source untouched and redacts at read time based on the requester's role, so one query sees a card number and another sees only the last four digits. Use static to make a safe copy, dynamic to gate a live system per query.

Trap Using static masking when the requirement is to hide a column from some roles on the live system; static produces a separate copy rather than gating the source at query time.

8 questions test this
Masking is for usable non-production data, not for storing data securely

Masking substitutes realistic but fake values so people can work with data's shape without seeing the secret, which fits test data and partial-display views. It is not a confidentiality control for the system of record, because the masked output is fake and the technique is one-way. When the real value must survive somewhere recoverable, masking is the wrong tool; encryption or tokenization is.

4 questions test this
Anonymization leaves the privacy regime; pseudonymization and tokenization do not

Anonymization removes or generalizes identifiers so a record can no longer be tied to a person even by the holder, which under GDPR Recital 26 takes the data outside the regulation. Pseudonymization (a stable code in place of a name) and tokenization still count as personal data because the mapping back exists. Confusing reversible de-identification with true anonymization is a recurring privacy trap.

Trap Treating tokenized or pseudonymized records as anonymous; the mapping still links to the individual, so privacy law still applies.

Hashing is one-way verification, never confidentiality you can read back

A cryptographic hash is a fixed-length digest where the same input always yields the same output and no key or inverse exists. That makes it right for integrity checks, deduplication, and password storage, and wrong for any value you must later recover. Calling hashing a way to encrypt a recoverable field is the mistake the exam baits, because there is nothing to decrypt.

Trap Using a hash to protect a field the application must later display; hashing has no decrypt, so the value is gone.

Store passwords as a salted hash with a slow KDF, never encrypted or plain

Passwords are stored hashed with a per-user salt and a deliberately slow key-derivation function such as PBKDF2, bcrypt, scrypt, or Argon2. The salt defeats precomputed rainbow tables by making identical passwords hash differently, and the slow KDF caps brute-force speed. Encryption would be wrong here because it is reversible: you should never be able to recover a stored password.

Trap Encrypting stored passwords instead of hashing them; encryption is reversible, so a key compromise exposes every password in plaintext.

Encryption only relocates the secret to the key, so key management is the real control

Encrypting cloud data moves the protected secret from the data to the key that decrypts it, which is why NIST SP 800-57 treats the full key lifecycle as the control: generation, distribution, storage, use, rotation, and destruction. Lose the key and the ciphertext is plaintext to whoever holds it. An answer that secures only one phase while ignoring storage or destruction is usually incomplete.

One KEK gates everything under it, which is what makes fast revocation and crypto-erase possible

Because envelope encryption wraps every object's data key under a single key-encryption key in the key service, that one KEK controls access to all the data beneath it. Disable the KEK and every object under it becomes undecryptable at once; destroy the KEK and that data is cryptographically erased. This one-key-gates-many structure is why you never have to re-encrypt at scale to revoke or delete.

5 questions test this
Customer-managed keys give you rotation, instant revocation, and audit; provider-managed do not

With a customer-managed key you own the KEK inside the provider's key service, so you schedule rotation, disable the key to revoke access immediately, and get a usage audit trail. Provider-managed keys are lower effort but you cannot independently rotate or revoke, and the provider can technically decrypt. When a stem wants control with convenience, customer-managed is the answer; BYOK/HYOK is for keeping the key entirely outside the provider at higher operational cost.

Trap Choosing provider-managed keys when the requirement is independent revocation or an audit trail; only customer-managed (or BYOK) gives you that control.

8 questions test this
Disable the key to revoke access to encrypted data instantly across any volume

Because one KEK gates all data encrypted under it, disabling that customer-managed key cuts off decryption for petabytes at once, with no need to re-encrypt anything. Re-encrypting everything to cut off access is slow, costly, and unnecessary when the key already controls all of it. This is the practical payoff of envelope encryption plus customer-managed keys.

Trap Re-encrypting all the data to revoke access when disabling the single key that gates it achieves the same thing instantly.

1 question tests this
Cryptographic erase destroys data by destroying its key, not the blocks

Cryptographic erase is a key-destruction technique: the data was written encrypted, so deleting the key that protects it, the KEK that gates the DEK, turns the ciphertext into unrecoverable noise without ever touching the storage blocks. The recovery secret lives entirely in the key, so once every copy of the key is gone the data is irretrievable on demand. This makes key destruction itself a confidentiality control and is why it can sanitize media you can never physically reach.

Trap Believing the data is gone after deleting the ciphertext or disabling the key while a copy survives; cryptographic erase requires destroying every copy of the key, since that key is the only thing protecting the data.

5 questions test this
An HSM keeps key material in tamper-resistant hardware and is validated to FIPS 140-2/3

A hardware security module generates, stores, and uses keys inside tamper-resistant hardware so the key never leaves in plaintext, and its assurance level is certified under FIPS 140-2 or 140-3. Reach for an HSM (or BYOK/HYOK backed by one) when the requirement is the highest key assurance or keeping keys outside the provider's reach. Software-only key storage cannot make the same hardware tamper-resistance claim.

5 questions test this
Storage encryption (NIST SP 800-111) protects data at rest at disk, volume, or file level

NIST SP 800-111 covers encrypting stored data and distinguishes full-disk, volume or virtual-disk, and file/folder-level encryption, each protecting against a different exposure of media at rest. The granularity you pick decides what an attacker who gets the raw media or a stray snapshot can read. It governs data at rest specifically, not data in transit, which is a separate TLS concern.

2 questions test this
DLP enforces classification-driven policy across data at rest, in motion, and in use

Data loss prevention discovers and classifies sensitive content, then blocks, quarantines, alerts, or encrypts it across three states: at rest in stores, in motion on the network, and in use at the endpoint. It is the policy layer that decides which technique a given piece of data must get, not a replacement for encryption or access control. Coverage across all three states is what a strong DLP answer requires.

Trap Assuming network-only DLP is sufficient; it misses data at rest in stores and data in use at the endpoint, leaving two of the three states uncovered.

6 questions test this
In the cloud a CASB carries the DLP coverage a perimeter appliance cannot reach

A cloud access security broker sits inline or via API between users and cloud apps and applies DLP, access, and threat controls to both sanctioned and unsanctioned (shadow IT) cloud use. It exists because browser-to-SaaS traffic never crosses a traditional network perimeter, so a gateway appliance simply cannot see it. When a stem describes controlling data going to cloud apps, the CASB is the cloud-native enforcement point.

Trap Relying on a traditional perimeter DLP appliance for SaaS traffic; browser-to-cloud flows bypass it, which is why a CASB is needed.

7 questions test this
Keys, secrets, and certificates are managed separately, each with issue, rotate, and revoke

Keys are cryptographic material in a KMS or HSM; secrets are application credentials like database passwords and API keys in a managed secrets store; certificates are X.509 identities from a certificate manager or CA. Each needs a managed home that can issue, rotate, and revoke centrally so nothing is hardcoded. The exam expects you to keep the three distinct rather than treating them as one bucket.

Hardcoded secrets in source or images are the canonical finding; use a managed secrets store

A managed secrets store holds credentials encrypted, serves them to workloads at runtime by identity, and rotates them automatically, so no password or API key sits in a repository, container image, or config file. Hardcoded secrets are the recurring vulnerability because anyone who reads the artifact reads the credential. The fix the exam wants is centralizing the secret with runtime retrieval and rotation, not obscuring it in config.

Trap Storing credentials in environment files or config baked into an image instead of a secrets manager; the secret travels with the artifact and leaks with it.

Certificate management must support revocation via CRL or OCSP, not just expiry

A certificate manager or internal CA issues X.509 certs, tracks expiry, and automates renewal, but the load-bearing capability is revocation: a compromised certificate must be invalidated before it expires using a certificate revocation list (CRL) or OCSP. Relying only on expiry leaves a compromised key trusted for its remaining lifetime. Expired or unrotated certs causing outages, and slow revocation, are the recurring operational risks.

Trap Treating certificate expiry as the only control; without CRL or OCSP a compromised certificate stays trusted until it would have expired anyway.

Encryption protects against the provider only when you control the key

Provider-managed encryption protects data from outside attackers and stolen media, but if the provider holds the key it can technically decrypt your data, so it does not protect you from the provider itself. To exclude the provider you must hold the key, through customer-managed keys at minimum or BYOK/HYOK with your own HSM. The threat model the stem names decides which is required.

Trap Assuming provider-managed encryption keeps your data confidential from the provider; whoever holds the key can decrypt, so provider-held keys do not exclude the provider.

6 questions test this
A CASB risk-scores discovered apps on dozens of security, compliance, and legal factors to prioritize them

After discovery surfaces hundreds of apps, a CASB's catalog scores each one against many risk factors (often 80-90+) spanning security controls, compliance certifications (SOC 2, HIPAA), and legal factors (data residency, terms of service). This scoring is what lets the team prioritize which shadow-IT apps to sanction or block first.

2 questions test this
DLP detects more than regex can: fingerprinting for forms, EDM for exact records, OCR for images

Regular-expression pattern matching suits structured, predictable formats (credit-card, SSN). For other data, DLP uses stronger techniques: document fingerprinting hashes a blank form or template's unique word pattern to catch any filled-in copy by structure, even when values vary; Exact Data Match (EDM), also called structured-data fingerprinting, indexes specific values from a source database and flags only those exact records, slashing false positives; OCR extracts text from images, scanned PDFs, and screenshots so the classifiers can inspect it.

Trap Reaching for a generic regex when the requirement is to catch a known template or an exact database record — fingerprinting matches by structure and EDM matches by indexed values, both far more precise than a format pattern.

9 questions test this
Cut DLP false positives with context keywords, exclusion rules, and predefined sensitive-info types

Over-broad patterns produce excessive matches. Reduce false positives without losing recall by: adding context keywords (hotwords like 'Employee ID') near the pattern so a match needs supporting evidence; writing exclusion rules that filter known non-sensitive values (test SSNs, product SKUs); and using predefined sensitive-information types that combine pattern matching, dictionaries, and confidence levels. These tune accuracy rather than weakening detection.

5 questions test this
DLP policy templates ship pre-built detection rules for PCI-DSS, HIPAA, and GDPR

DLP engines include regulatory policy templates with pre-configured sensitive-information types, conditions, and actions for frameworks like PCI-DSS, HIPAA, and GDPR. Using a template is the fastest way to align a deployment with a specific regulation, cutting setup time while ensuring coverage of the required data types.

3 questions test this
Roll out a DLP policy in simulation/audit mode first, then enforce gradually

Best practice is to deploy a new DLP policy in simulation mode (also called audit or monitor mode), which logs matches and potential violations without blocking users. This lets the team measure impact, surface false positives, and tune rules before turning on enforcement, minimizing business disruption. Enforcement actions can then be tiered (audit-only, block-with-override requiring justification, full block) by severity.

7 questions test this
Vaulted tokenization keeps a token-to-value database; vaultless derives tokens cryptographically with no mapping store

Vaulted tokenization stores the mapping between each token and its real value in a central vault, which becomes the highest-value target and must be protected to full PCI-DSS scope because it holds the actual PANs. Vaultless tokenization uses cryptographic methods (often HSM-backed) to generate and reverse tokens by computation rather than database lookup, eliminating the central mapping store and shrinking the attack surface.

Trap Assuming vaultless removes all risk — vaultless built on format-preserving encryption inherits FPE's weakness on small domain sizes, which NIST flags as exploitable.

3 questions test this
Deterministic tokenization yields the same token for the same input so tokenized data still joins

Deterministic tokenization produces an identical token every time for a given input value under the same key and context, preserving referential integrity. This lets analytics teams join and aggregate de-identified records across multiple tables and datasets without exposing the real values. Format-preserving encryption on the identifier can serve the same purpose where field length and format must be retained.

5 questions test this
Format-preserving encryption (NIST FF1) keeps a field's original length and format

Format-preserving encryption (FPE) encrypts data while keeping the ciphertext in the same format and length as the input, so a 16-digit card number stays 16 digits and fits legacy schemas, foreign keys, and validation. NIST SP 800-38G specifies FPE modes built on AES; the published standard defined FF1 and FF3-1, but cryptanalysis (notably Beyne 2021) prompted NIST's draft revision to drop FF3/FF3-1, leaving FF1 as the recommended mode. NIST also warns that FPE weakens when the domain (range of possible inputs) is small (it now requires a minimum domain of one million).

Trap Choosing standard AES when the database field cannot change length or format — only a format-preserving mode like FF1 keeps the original structure.

4 questions test this
BYOK imports your key into the cloud KMS; HYOK keeps the key entirely outside the provider

Bring Your Own Key (BYOK) generates keys on your own HSM and imports them into the cloud KMS, demonstrating control over key generation while still using KMS features. Hold Your Own Key (HYOK), also called external key manager integration, keeps key material in your own KMS outside any single cloud so the provider never holds the key, even during operations. Client-side encryption likewise encrypts before upload so the CSP never sees plaintext. The more the provider must never access the key, the further you move from provider-managed toward HYOK/client-side.

Trap Picking provider-managed or BYOK when the requirement is the CSP never has the key material — only HYOK/external key manager (or client-side encryption) keeps the key out of the provider's reach.

7 questions test this
ABAC makes access decisions from subject, resource, and environment attributes, solving role explosion

Attribute-Based Access Control evaluates attributes of the subject (department, project), the resource (classification label), and the environment (time, location) against policy to decide access dynamically (NIST SP 800-162). One attribute policy replaces the many roles that cause role explosion, and decisions adjust automatically as attributes change. A hybrid RBAC+ABAC model uses roles for baseline permissions and ABAC conditions for classification-driven granularity.

Trap Reaching for more RBAC roles when access must turn on data classification and changing context — that is what drives role explosion; ABAC evaluates classification as a resource attribute instead.

6 questions test this
DAM dynamic profiling baselines each account's normal objects and alerts on deviations

Database Activity Monitoring with dynamic profiling automatically builds, per database account, the list of data objects that account regularly accesses, forming a behavioral baseline. When a profiled account (including a privileged DBA) touches an object outside its baseline, DAM alerts or blocks. DAM also provides near-real-time policy-violation alerting and built-in sensitive-data discovery for standards like HIPAA and GDPR.

3 questions test this
Agent-based DAM sees local DBA sessions that network-based DAM misses

Network-based DAM inspects database traffic on the wire and cannot see local connections that bypass the network, such as direct console access or local sockets used by DBAs. Host/agent-based DAM runs on the database server and captures both network and local privileged activity, which is why agent-based deployment connecting to a central collector is the common cloud DAM approach when local DBA actions must be monitored.

Trap Blaming a DAM gap on misconfiguration when local DBA sessions go unseen — network-only monitoring structurally cannot observe local connections; host-based agents are required.

3 questions test this

Data Discovery

Read full chapter
  • Discover data before you classify it
  • Treat discovery as a recurring control, not a one-time project
  • Match the discovery technique to the data's structure
  • Structured data is discovered by scanning the schema
  • Unstructured data has no schema, so you must inspect its content
  • Semi-structured data carries tags but no rigid schema
  • Data structure describes format, not sensitivity
  • Three discovery approaches: metadata, labels, content
  • Metadata-based discovery is fast but only as honest as the metadata
  • Label-based discovery is blind to whatever was never labeled
  • Content-based discovery is the only approach that catches untagged or mislabeled data
  • Content discovery and DLP share an engine but do different jobs
  • Layer the three approaches to keep the costly content pass focused
  • Location tracking is part of discovery, because the law follows the bytes
  • The cloud creates copies you must still track
  • A location record names the service, region, jurisdiction, and copy type
  • Discovery finds; classification, IRM, and DLP each do something else

Unlock with Premium — includes all practice exams and the complete study guide.

Data Classification

Read full chapter
  • Classification runs policy, then mapping, then labeling
  • Discovery finds the data; classification decides what it is
  • Classify by impact of disclosure, not by where the data is stored
  • The data owner sets the class; the custodian enforces the controls
  • Keep the scheme to three or four clearly-triggered tiers
  • Regulation, contract, and business impact each force a class, and the highest wins
  • Mixed data takes the highest class present, not the average
  • Derived data inherits the source class until it is provably de-identified
  • Data mapping ties each class to its locations and cross-border flows
  • In the cloud, mapping must include provider regions and sub-processors
  • Labels reach objects three ways: user, administrator, and automated
  • A label only protects data if it is persistently bound to the object
  • The label is the hand-off to IRM, DLP, access control, and retention
  • Cloud object tags and resource labels are the key controls match against
  • Automated classification scales to unstructured data that humans cannot label by hand
  • Use a standardized classification schema with consistent key-value tags for accurate reporting
  • Classification labels go stale, so build periodic review into operations

Unlock with Premium — includes all practice exams and the complete study guide.

Information Rights Management

Read full chapter
  • IRM protection rides inside the file, so it survives leaving your perimeter
  • IRM and DRM are the same concept; CCSP uses them interchangeably
  • Every open is an online policy check, not a one-time unlock
  • Revocation is effectively instant, even on already-distributed copies
  • IRM enforces; classification decides and DLP detects
  • Use DLP, not IRM, to stop a file from leaving in the first place
  • Use encryption at rest, not IRM, when you only need data unreadable on disk
  • IRM rests on PKI: a certificate per user and device
  • Provisioning means issue a certificate and map rights; deprovisioning means revoke it
  • IRM data rights are far finer than read/write on a storage ACL
  • IRM's online dependency is its main operational constraint
  • Offline IRM use is a bounded pre-issued window, not indefinite
  • Match the IRM access model to who the recipients are
  • IRM enforcement needs a compatible client or viewer
  • Chain classification to IRM so protection applies automatically
  • When a stem says already sent yet still need control, the answer is IRM

Unlock with Premium — includes all practice exams and the complete study guide.

Data Retention, Deletion & Archiving

Read full chapter
  • Crypto-shredding is the cloud-canonical secure delete
  • Crypto-erase only works if you control and can destroy the key
  • Scope encryption keys so you can shred one dataset without the rest
  • NIST SP 800-88 recognizes cryptographic erase as a Purge technique
  • Every retention period must trace to a driver
  • Over-retention is a risk, not a safe default
  • Automate retention with lifecycle rules, not manual cleanup
  • A real end-of-life delete must reach every copy
  • Log every destruction to make it defensible
  • Archiving is for cheap long-term keep, not fast recovery
  • An archive is not a backup
  • Archived keys must outlive the data they protect
  • A legal hold overrides retention expiry and lifecycle deletion
  • Destroying data you were obligated to preserve is spoliation
  • Enforce a legal hold with immutability, not a request to staff
  • Legal-hold mode fits an open-ended hold; retention lock fits a fixed term
  • Scope and release a legal hold to avoid new over-retention
  • Physical destruction is available only on media you actually control
  • RPO sets the maximum backup interval; RTO sets the required restore speed
  • WORM Compliance mode blocks deletion even by admins; flexible mode lets policies be changed

Unlock with Premium — includes all practice exams and the complete study guide.

Data Event Auditability & Accountability

Read full chapter
  • Auditability, traceability, and accountability are three cumulative layers
  • Log identity, IP, geolocation, timestamp, and object/operation on every data event
  • Authenticate to individual identities so actions are accountable
  • Non-repudiation comes from signing, not from access control or encryption
  • Encryption gives confidentiality, not integrity or non-repudiation
  • Chain of custody and non-repudiation answer different questions
  • Hash-chaining makes a log tamper-evident
  • Store logs append-only or WORM so they cannot be quietly deleted
  • Ship logs to a separate, access-restricted central store
  • Separate who can act on data from who can manage its logs
  • Synchronize clocks to a common UTC source before correlating events
  • Combine layered event sources; no single log sees the whole event
  • Control-plane (management-API) logs record who changed access and configuration
  • Log both successful and failed access to sensitive data
  • Never write secrets or raw sensitive values into the log body
  • Set log retention to the longest of business, regulatory, and legal-hold needs
  • Hash collected logs at the moment of collection to anchor chain of custody
  • Protect the log's confidentiality, integrity, and availability across its lifecycle
  • Designing data events is here; running the SOC and SIEM is operations
  • Normalize multi-cloud logs to one schema before SIEM correlation

Unlock with Premium — includes all practice exams and the complete study guide.

Cloud Platform & Infrastructure Security

Cloud Infrastructure & Platform Components

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A cloud platform has six component layers; name the layer before the control

CCSP objective 3.1 breaks every cloud platform into six layers: physical environment, network and communications, compute, virtualization, storage, and the management plane. Each layer has its own threats and controls, so the first move on a Domain 3 stem is to place the symptom in exactly one layer, because that decides which control and which owner are correct. Misplacing the layer is what leads to picking a real but wrong-layer control.

The management plane is the highest-value target because it controls every other layer

The management plane is the orchestration and administration layer (provider portal, cloud APIs, hypervisor and orchestration consoles) that provisions, configures, snapshots, moves, and destroys all other resources. A single privileged credential here lets an attacker copy every snapshot or delete the whole estate without ever touching a guest OS or breaking a hypervisor, so its blast radius is the entire environment. That breadth is why CCSP elevates it above the technically harder attacks on lower layers.

Trap Assuming the hardest attack (VM escape, hypervisor compromise) is the biggest risk; the management plane is more dangerous because it reaches every layer at once through ordinary API calls.

4 questions test this
Protect the management plane with MFA, least privilege, a bastion host, and full logging

Because management-plane access reaches the whole estate, it gets controls out of proportion to any single workload: enforce multi-factor authentication on every admin identity, separate roles so no account can both configure and audit, route administrative sessions through a hardened bastion (jump) host instead of exposing consoles to the internet, and log every privileged action to an append-only store. These map to the access-control (AC) and audit (AU) families of NIST SP 800-53.

2 questions test this
Virtualization is the boundary that makes multi-tenancy safe

Compute, virtualization, and storage are pooled and shared across unrelated tenants, so the core security question at these layers is whether one tenant can reach another's resources. Virtualization (a hypervisor isolating virtual machines, or a runtime isolating containers) is the boundary that keeps co-resident tenants apart, so isolation is the central control. When a stem raises one tenant reaching another's compute, the fix lives at the virtualization layer, not at a network firewall.

4 questions test this
VM escape breaks tenant isolation, so harden and patch the hypervisor

A VM escape (hypervisor escape) is a guest breaking out of its virtual machine to run on the underlying host or hypervisor, which would let it reach co-resident tenants and defeat multi-tenant isolation entirely. The container analogue is a container escape to the shared kernel. The defense is hypervisor hardening and prompt patching, which is why the provider, not the customer, owns hypervisor security in public cloud.

Trap Reaching for a network firewall or security group to contain a VM escape; the breach is at the virtualization layer, so the answer is hypervisor hardening and patching, not network filtering.

11 questions test this
Type 1 hypervisors run on bare metal; Type 2 run on a host OS

A Type 1 (bare-metal) hypervisor runs directly on the hardware and is what cloud providers use for production multi-tenancy because it has a smaller attack surface. A Type 2 (hosted) hypervisor runs as an application on top of a host operating system and is typical of desktop or lab use, where the host OS adds attack surface beneath the guests.

Trap Assuming providers run production tenants on Type 2 hypervisors; bare-metal Type 1 is preferred for multi-tenancy because there is no host OS layer to compromise.

3 questions test this
Containers share the host kernel, a weaker boundary than a VM

Containers isolate at the process and namespace level and share the host kernel, which makes them faster to start than virtual machines but gives them a weaker isolation boundary, because a single kernel vulnerability is exposed to every container on that host. A VM carries its own guest OS and is isolated by the hypervisor, so it survives a kernel flaw that would compromise neighboring containers.

Trap Treating a container and a VM as equally strong isolation; the container's shared kernel is a single shared fault domain that a VM's hypervisor boundary does not have.

8 questions test this
Side-channel attacks infer data without breaking isolation

A side-channel attack lets a workload co-resident on the same physical host infer another tenant's data from timing, cache, or power behavior rather than breaking the isolation boundary outright. It is a compute-layer multi-tenancy risk distinct from VM escape, because no boundary is actually crossed; the leakage rides shared hardware. Mitigations include dedicated hosts and provider-side microarchitectural patching.

3 questions test this
Data remanence is the storage-layer leak; defeat it with encryption and cryptographic erase

Data remanence is residual data left on physical media after it is released, which a later tenant could recover if the provider reassigns that capacity without sanitizing it. Encrypting tenant data at rest makes leftover bytes useless without the key, and cryptographic erase (destroying the encryption key) renders all that data instantly unrecoverable, which scales far better than physically overwriting shared media. Both techniques are covered in NIST SP 800-88 on media sanitization.

Trap Insisting on physically overwriting media to handle remanence on shared cloud storage; you cannot reach the physical disks, so cryptographic erase by destroying the key is the cloud-appropriate control.

7 questions test this
Storage failures are usually exposure or missing encryption, not just remanence

Beyond remanence, the classic storage-layer failures are exposure and weak encryption: an object store left publicly readable, or a volume created without encryption at rest. These are configuration faults the customer typically owns, so the storage-layer answer to an exposed bucket is access policy plus encryption, not a control borrowed from another layer.

1 question tests this
The network layer is increasingly software-defined, so segmentation is configured not cabled

The network and communications layer carries tenant traffic between components and is increasingly software-defined, meaning segmentation, routing, and isolation are configured in software rather than wired into hardware. Its signature risks are east-west lateral movement, traffic interception, and missing segmentation, so the controls are network segmentation and traffic inspection. Because segmentation is a setting, a missing boundary is a misconfiguration, not a cabling gap.

1 question tests this
Compute is pooled CPU and memory allocated on demand

The compute layer is the provider's pooled CPU and memory that actually run workloads, allocated elastically on demand. Its multi-tenancy risks are resource exhaustion (one tenant's load starving others, which providers limit through quotas and scheduling) and side-channel leakage between workloads sharing a physical host. Compute is owned by the provider in every public-cloud service model.

1 question tests this
The physical layer is the data-center facility itself

The physical environment is the data-center building, power, cooling, cabling, and physical access control beneath every other layer. Its concerns are physical breach, environmental failure, and safe disposal of failed media, and in public cloud the provider owns it entirely; the customer relies on attestation reports rather than inspecting the facility. Detailed facility design (site selection, HVAC, tiering) is the separate secure-data-center-design subtopic.

Shared responsibility shifts down the stack from IaaS to PaaS to SaaS

Moving to the cloud transfers the lower layers to the provider in a predictable order. Under IaaS the provider owns physical, network, and the virtualization host while the customer owns the guest OS and up. Under PaaS the provider also owns the OS and runtime, leaving the customer the application and data. Under SaaS the provider owns everything down to the application, leaving the customer only their data, access configuration, and identities. A stem naming a component plus a service model is asking for that intersection.

The customer never secures the hypervisor in public cloud

Across all public-cloud service models the provider owns the virtualization layer, so the customer cannot reach or harden the hypervisor; that responsibility is always the provider's. Guest-OS patching, by contrast, is the customer's job under IaaS but the provider's under PaaS and SaaS, where the provider owns the operating system. Any answer telling a public-cloud customer to harden the hypervisor is assigning provider-owned infrastructure to a party that cannot even access it.

Trap Assigning hypervisor hardening to the customer in public cloud; the customer has no access to the virtualization layer, so that is always the provider's responsibility.

Match the symptom to its layer, then take that layer's control

Domain 3.1 items usually describe a symptom and expect you to route it: residual files recovered by a new tenant means storage and data remanence, so encrypt with cryptographic erase; a guest running on the hypervisor host means virtualization, so harden and patch; leaked API keys snapshotting databases means the management plane, so MFA, least privilege, and logging. When two options both sound plausible, the one matching the layer the symptom lives in is correct; the distractor borrows a real control from the wrong layer.

Trap Picking a genuine control aimed at the wrong layer, such as a network firewall offered as the fix for a data-remanence problem; correct control follows the layer the symptom actually sits in.

Bare metal gives dedicated hardware with no hypervisor and the strongest isolation

Bare metal (dedicated-host) compute hands the customer a whole physical server with direct CPU and memory access and no virtualization layer, so there is no hypervisor to escape and no noisy neighbor. Choose it when a workload needs maximum tenant isolation, full OS control, hardware-level performance features, or licensing that forbids shared hosts.

Trap Reaching for a dedicated VM or single-tenant hypervisor when the requirement is no hypervisor at all; that still runs a virtualization layer.

5 questions test this
The noisy neighbor problem is one tenant's load degrading another's on shared hardware

In pooled multi-tenant infrastructure, one tenant consuming a disproportionate share of CPU, storage I/O, or network can degrade performance for other tenants on the same physical host. This is a performance and operational risk of resource sharing, not a breach of isolation; bare metal or dedicated capacity eliminates it.

2 questions test this
Micro-segmentation enforces policy per workload, not per subnet, to stop east-west lateral movement

Micro-segmentation places a virtual firewall at each workload's network interface (often via the SDN/NSG layer) so traffic is controlled host-by-host rather than at the subnet perimeter. Its purpose is to limit east-west (workload-to-workload) lateral movement inside a zone, a gap traditional perimeter segmentation leaves open. Zero Trust micro-segmentation keys rules to workload identity so only explicitly required flows are allowed.

Trap Treating subnet- or VLAN-level segmentation as equivalent; those control north-south perimeter traffic and still allow free lateral movement within a segment.

6 questions test this
East-west traffic flows between workloads inside the network; north-south crosses the perimeter

East-west traffic is internal flow between components such as web, app, and database tiers or microservices within the same virtual network. North-south traffic enters or leaves the network through the perimeter. Perimeter firewalls inspect north-south; micro-segmentation and distributed virtual firewalls are needed to inspect east-west.

8 questions test this
Tag- or identity-based segmentation lets policies follow workloads as they move or scale

Tag-based (identity-based) segmentation attaches security policy to a workload's labels or identity rather than its IP address, so rules automatically follow a VM as it migrates, scales, or changes IP. This avoids the continuous policy resynchronization that IP- and VLAN-based rules require whenever workload network locations change.

4 questions test this
Network security groups should be deny-by-default with explicit allow rules only

Network security groups (NSGs) provide stateful 5-tuple filtering (source/destination IP, source/destination port, protocol) at the virtual-switch level. Configure them deny-by-default and add explicit allow rules only for required flows; by default, subnets within one virtual network can talk freely, so isolation must be configured, not assumed.

Trap Assuming subnets in the same VNet are isolated by default; intra-VNet communication is permitted until an NSG denies it.

7 questions test this
VLANs cap at ~4,094 segments (12-bit ID); VXLAN's 24-bit VNI scales to ~16 million

The 802.1Q VLAN ID is 12 bits, limiting a network to about 4,094 usable VLANs, which is too few for large multi-tenant clouds. VXLAN overlay networking uses a 24-bit segment ID (VNI) supporting roughly 16 million logical segments and decouples the logical network from the physical fabric by encapsulating Layer 2 frames in UDP.

6 questions test this
SDN centralizes control in the controller, which becomes the single point of compromise

Software-defined networking separates the control plane from the data plane and centralizes decision-making in the SDN controller. That centralization simplifies and standardizes policy but makes the controller a single point of failure and the highest-value target: compromising it lets an attacker rewrite flow rules across the whole network. Controller-to-switch traffic is also exposed to man-in-the-middle flow-rule tampering if unencrypted.

Trap Picking a data-plane switch as the critical asset; the control-plane controller is the component that must be hardened first.

6 questions test this
Manage the SDN controller only from PAWs on a segmented out-of-band network

NSA guidance is to physically segment SDN controller management interfaces from the data interfaces and administer the controller exclusively from privileged access workstations (PAWs) connected to a dedicated out-of-band management (OOBM) network. This isolates administrative access so it cannot be reached through the production data path.

3 questions test this
Object, block, and file storage differ by access model: object = metadata + ID + API

Object storage holds data as objects, each with the payload, a unique identifier, and rich customizable metadata, accessed over HTTP/HTTPS REST APIs in a flat namespace; it suits unstructured data at petabyte scale. Block storage exposes raw fixed-size blocks for low-latency, high-IOPS workloads like databases and VM volumes. File storage offers a hierarchical NFS/SMB share for concurrent multi-user access with file-level permissions.

Trap Choosing object storage for a database needing high IOPS, or block storage for shared concurrent file access; match the access pattern to the type.

8 questions test this
Persistent block volumes survive VM stop or failure; ephemeral storage is lost on stop

Persistent block storage is network-attached and lives independently of the instance, so data survives a VM stop, restart, termination, or host failure and the volume can be reattached. Ephemeral (instance/local SSD) storage is physically tied to the host and is wiped permanently when the VM stops, terminates, or the host fails; use it only for caches and scratch data.

5 questions test this
Object storage reaches 11 nines durability via erasure coding across multiple AZs

Cloud object storage achieves extreme durability (e.g. 99.999999999%, '11 nines') by erasure-coding objects into data and parity fragments spread across many devices in multiple availability zones, plus redundant metadata and regular checksum validation. Durability protects against hardware failure and corruption only.

Trap Assuming high durability also protects against malicious or accidental deletion; a compromised account's delete is a valid operation, so versioning, MFA-delete, and immutable backups are still required.

5 questions test this
For VM-grade container isolation, run each container in a lightweight micro-VM (e.g. Kata)

Standard containers share the host kernel, a weaker boundary than a VM. When untrusted workloads need hardware-level isolation while keeping container tooling, use sandboxed runtimes like Kata Containers or Hyper-V isolation that run each container inside a stripped-down, OCI-compliant lightweight VM with its own guest kernel.

2 questions test this
KMS key rotation makes a new version for new encryption but keeps old versions for decryption

Automatic key rotation creates a new key version used for all new encryption, while the KMS retains previous versions to decrypt data already written under them. Existing ciphertext is not re-encrypted automatically, so rotation is transparent and requires no application change or bulk re-encryption.

Trap Assuming rotation re-encrypts existing data with the new key; old data stays under its original version until rewritten.

2 questions test this

Secure Data Center Design

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Design a data center along four axes: logical, physical, environmental, resilience

Secure data center design splits into four separate problems, each with its own controls and failure mode. Logical design partitions tenants and controls access on shared hardware, and fails as a cross-tenant breach. Physical design picks the site and building, and fails as a location loss. Environmental design keeps power, cooling, and connectivity running, and fails as an availability loss. Resilience design sizes redundancy, and fails as a single point of failure. When a question names one axis, answer with that axis's control rather than a generic notion of security.

Trap Answering a tenant-isolation question with power redundancy, or an availability question with access control; each axis fails differently and needs its own control.

Logical isolation is what keeps multi-tenancy from leaking

Because many tenants share the same physical compute, storage, and network, every wall between them is built in software, so logical design carries the isolation. It works at several layers at once: per-tenant virtual networks, hypervisor-enforced VM boundaries, logically segregated storage with per-tenant keys, and identity-based access to the management plane. A cross-tenant breach is categorically worse than compromising one host because it reaches another customer's data, which is why isolation is enforced redundantly across all those layers.

Tenant partitioning starts with separate virtual networks per tenant

Network-layer tenant partitioning gives each customer its own logically separate virtual network (a VPC on AWS, a virtual network on Azure) with private address space, routing, and security groups, so one tenant cannot route to or even address another's resources. This is the first and broadest isolation layer; compute (hypervisor) and storage (per-tenant keys) isolation sit beneath it as defense in depth.

The hypervisor enforces the strongest tenant boundary, and a hypervisor escape is the catastrophic failure

Hypervisor-enforced VM isolation gives each guest its own kernel and virtual hardware so a tenant cannot read a co-resident tenant's memory or CPU state, making it the strongest software boundary in a shared facility. The high-severity failure is a hypervisor escape (VM escape), where code breaks out of a guest to the host or a neighbor; it is rare but catastrophic, defended by keeping the hypervisor minimal and patched.

4 questions test this
Encrypt tenant data with per-tenant keys so shared media yields nothing across the boundary

Storage isolation logically segregates each tenant's data and, on professional designs, encrypts it with per-tenant keys, so even physical media shared with other customers produces nothing readable across the tenant boundary. Per-tenant keys also bound the blast radius: compromising one tenant's key never exposes another's data.

Trap Relying on a single shared encryption key across tenants; one key compromise then exposes every tenant's data on the shared media.

2 questions test this
Access to the management plane is identity-first, with least privilege and MFA

The control plane that provisions tenants and isolation is an API, so access to it is governed by identity, not network position. Administrative access follows least privilege, uses role-based access control to scale by role, and prefers just-in-time elevation over standing admin rights, with multi-factor authentication on every privileged path. A single over-permissioned administrative credential can collapse every isolation layer at once, so this is the load-bearing control.

Trap Securing tenant VMs and networks but leaving the management plane on a static, over-permissioned admin credential; that one credential undoes all the lower-layer isolation.

3 questions test this
Physical design begins with site selection, which is hard to reverse

Physical design decides where and how to build before any wall goes up, so location choices carry the most weight. A site is evaluated for natural-hazard exposure (flood plains, seismic zones, storm tracks), distance from high-risk neighbors, reliable reach to the power grid and multiple carriers, and the legal jurisdiction. Build decisions (physical access control, surveillance, hardened structure) follow the site, not the other way around.

Data center jurisdiction determines data residency and who can compel access

The country a facility sits in sets the legal jurisdiction over the data stored there, which governs data-residency obligations and which government can lawfully compel the provider to hand over data. That makes location a legal and privacy decision, not only an availability one, so siting must account for the regulatory regime, not just the hazard map.

The power chain is utility, then UPS, then generator, and the UPS bridges the gap

Environmental power design chains redundant utility feeds to an uninterruptible power supply (UPS) to on-site generators with stored fuel. The UPS exists specifically to hold the load on battery for the seconds-to-minutes gap between a utility failure and the generators reaching full load; the generators then carry a sustained outage. Drop the UPS and the facility goes dark in that gap even with generators installed.

Trap Assuming generators alone cover a utility outage; generators take time to start and reach load, so without a UPS to bridge that gap the IT load drops.

3 questions test this
Precision HVAC holds temperature and humidity inside the equipment's tolerance band

Cooling is an availability control because servers fail within minutes without it. Precision HVAC maintains temperature and humidity within the IT equipment's recognized envelope (the ASHRAE thermal-guidelines range): too hot and components throttle or fail, too humid and condensation forms, too dry and static discharge becomes a risk. Cooling redundancy matters as much as power redundancy when sizing a Tier.

1 question tests this
Data center fire suppression protects equipment, so it avoids dumping water

Fire suppression in a server hall is designed to protect equipment rather than soak it, typically clean-agent gaseous suppression or a pre-action sprinkler system that does not charge the pipes with water until a fire is actually detected. The pre-action design means a single false trigger or a burst head does not destroy a hall of running servers.

Trap Specifying a standard wet-pipe sprinkler system for a server hall; a single accidental discharge then soaks and destroys the equipment the suppression was meant to protect.

1 question tests this
Multi-vendor diverse connectivity stops one carrier or one cable from isolating the site

A facility with perfect power and cooling is still down if its single network link is cut, so environmental and resilience design provision diverse connectivity: physically separate fiber paths entering the building at different points, served by different carriers. One cable cut or one carrier outage then cannot take the site offline. This is the connectivity half of removing single points of failure.

Trap Treating two circuits from the same carrier entering the same conduit as redundant; a single cut or that carrier's outage drops both, so it is not true path diversity.

Redundancy is expressed as N, N+1, and 2N

Resilience is sized in redundancy terms. N is exactly the capacity the load needs with no spare, so any failure or maintenance causes an outage. N+1 adds one spare component beyond the requirement, so one unit can fail or be serviced while the rest carry the load. 2N is full duplication, two complete independent systems, so an entire system can fail and the other carries the full load with no impact. 2N+1 is a duplicated system that also holds a spare.

Trap Reading N+1 as full duplication; N+1 is one spare component, while 2N is a second complete independent system, a much higher (and costlier) level.

4 questions test this
Uptime Institute Tiers I-IV are a cumulative redundancy ladder

The Uptime Institute Tier Standard classifies a facility I through IV by the redundancy of its power and cooling, and the levels are cumulative: each Tier includes the lower ones and adds one requirement. Tier I is a single non-redundant path (N); Tier II adds redundant components (N+1); Tier III adds a second distribution path so it is concurrently maintainable; Tier IV adds fault tolerance (typically 2N). Higher Tier means higher sustained availability.

1 question tests this
Tier III's defining property is concurrent maintainability

Tier III adds a second distribution path (one active, one alternate) on top of redundant components, so any single component or path can be removed for planned maintenance with no downtime. That property, concurrently maintainable, is what distinguishes Tier III from Tier II: Tier II's redundant components survive a failure but its single distribution path still forces downtime to service.

Trap Choosing Tier II / N+1 when the requirement is zero-downtime maintenance; N+1 components survive a failure, but a single distribution path still requires downtime to service, which only Tier III avoids.

2 questions test this
Tier IV adds fault tolerance: any single failure is absorbed automatically

Tier IV has everything Tier III has plus fault tolerance, typically 2N active-active distribution, so any single unplanned failure is absorbed with no impact and no human intervention. It is the level to choose when the requirement is to survive any single failure automatically, not merely to maintain without downtime, which is the Tier III bar.

2 questions test this
A Tier rating measures availability, not security

The Uptime Institute Tier classification rates a facility on the redundancy of its power and cooling and the resulting sustained availability. It says nothing about access control, encryption, or tenant isolation, so a Tier IV facility can still be insecure. Treat a high Tier as a resilience assurance only, never as proof the facility's security controls are sound.

Trap Citing a Tier IV rating to answer a security question; Tier measures availability through redundancy, so it is the distractor when the stem asks about access control or data protection.

Resilience extends beyond one building with geographic separation

No amount of in-building redundancy survives a regional event such as a flood or grid-wide outage, so resilience design also separates redundant facilities geographically and pairs that with diverse multi-vendor connectivity. Cloud providers apply the same logic at scale with availability zones engineered as physically separated facilities, so a fault in one does not cascade to another. This is where data center design hands off to business continuity and disaster recovery.

Trap Adding more UPS or generator capacity to survive a regional disaster; in-building redundancy does nothing against a flood or area-wide event, which requires a geographically separate facility.

PUE is total facility energy divided by IT energy; WUE measures cooling water per IT energy

Power Usage Effectiveness (PUE) = total facility energy / IT equipment energy; a PUE of 1.25 means 25% extra goes to cooling, power distribution, and lighting, and a value nearer 1.0 is more efficient. Water Usage Effectiveness (WUE) divides annual cooling and humidification water by IT energy to track water efficiency, with lower being better.

3 questions test this
Hot/cold aisle containment physically separates supply and exhaust air to stop recirculation

Hot- or cold-aisle containment uses barriers (sidewalls, ceiling panels, end doors) to keep hot server exhaust from mixing with cold supply air. Eliminating recirculation lets cooling deliver just enough cold air, cutting energy use. Very high-density racks may add direct-to-chip liquid cooling because water absorbs far more heat than air.

4 questions test this
Data centers use clean-agent suppression: nonconducting, residue-free, with room sealing and HVAC shutdown

Clean agents are electrically nonconducting gaseous extinguishants that leave no residue, so they protect IT equipment that water would damage. To maintain extinguishing concentration NFPA requires the room to be sealed and HVAC to shut down automatically on discharge. Inert-gas agents like IG-541 (Inergen) include about 8% CO2 to stimulate breathing at reduced oxygen levels.

Trap Specifying wet-pipe sprinklers for the server room; for accidental-discharge concerns use a double-interlock pre-action system that needs both detection and a fused head before water flows.

4 questions test this
Server-room access is multi-factor (badge plus biometric) with liveness detection

Industry practice secures data-center server rooms with multi-factor physical authentication, typically a proximity badge (something you have) plus a biometric scan (something you are), with progressively stronger checks closer to the equipment. Biometric readers need liveness detection or spoofed samples can defeat them; self-expiring visitor badges prevent retained credentials from granting later access.

5 questions test this

Cloud Infrastructure Risk Analysis

Read full chapter
  • A risk needs both a threat and a vulnerability; one alone is nothing
  • Identify before you analyze, analyze before you treat
  • Single loss expectancy is asset value times exposure factor
  • Annualized loss expectancy is SLE times the annual rate of occurrence
  • Quantitative analysis exists to make cost-benefit decisions in money
  • Qualitative analysis ranks risks by judgment when data is scarce
  • Run qualitative first to triage, then quantify the few biggest risks
  • Misconfiguration is the most common cause of cloud breaches
  • A hypervisor escape crosses a tenant boundary, which is worse than one host
  • Containers share the host kernel, so a breakout reaches the host
  • Management-plane compromise has the widest blast radius in cloud
  • Side-channel attacks leak data across tenants on shared hardware
  • Mitigate when the risk is likely and the control is affordable
  • Transfer a low-likelihood, high-impact risk with insurance
  • Accept a risk only as a documented decision, never by silence
  • Residual risk is what remains after controls, and the customer owns their half
  • Assess the provider's layers through its audit reports, not your scanner
  • NIST SP 800-88: Purge keeps media reusable; Destroy gives the highest assurance

Unlock with Premium — includes all practice exams and the complete study guide.

Security Controls Planning

Read full chapter
  • Classify every control on two axes: function and nature
  • Preventive stops it, detective notices it, corrective recovers from it
  • Defense in depth means diverse control types, not redundant ones
  • Map each control to a NIST SP 800-53 family
  • Plan only the controls your service tier leaves you
  • Data and identity controls are always the customer's, in every tier
  • Verify provider-owned controls through attestations, do not re-implement them
  • IAAA runs in order: identify, authenticate, authorize
  • Authentication and authorization are separate decisions
  • Prefer federation over local credentials in the cloud
  • MFA proves a factor was used, not that it was used recently
  • Authorize by least privilege, and an explicit deny always wins
  • Give workloads short-lived role credentials, not embedded static keys
  • Plan audit mechanisms up front, alongside IAAA
  • Audit events must carry identity, source IP, and geolocation
  • Correlate logs in a SIEM, and make the store tamper-resistant
  • The tenant boundary limits what you can audit in a public cloud
  • Control-plane logging is the audit control you cannot lose
  • Use a control matrix to satisfy several frameworks at once
  • System, storage, and communication protection are distinct SC planning targets
  • HSMs zeroize keys on tamper; FIPS 140-2 Level 3 mandates tamper-evidence and tamper-response
  • In SAML SSO the IdP authenticates users and issues signed assertions the SP trusts
  • Broken Object Level Authorization is OWASP's top API risk; check authorization in the backend
  • ABAC with resource tags scales to new resources without editing policies, unlike RBAC
  • Just-in-time PAM grants time-bound, approved elevation to remove standing privilege

Unlock with Premium — includes all practice exams and the complete study guide.

Business Continuity & DR

Read full chapter
  • RPO is the data you can lose; RTO is how long you can be down
  • RPO is set by backup or replication frequency
  • RTO is shortened by a hotter standby, not by more backups
  • RSL is the percentage of capacity the recovered service must deliver
  • RTO and RPO sit on opposite sides of the failure point
  • Pick the cheapest DR strategy that still meets RTO and RPO
  • Backup and restore is cheapest but recovers in hours to days
  • Pilot light keeps a minimal core warm and scales the rest on failover
  • Warm standby runs a scaled-down full stack ready to scale up
  • Multi-site active-active gives near-zero RTO at the highest cost
  • Cloud DR usually fails over to another region or availability zone
  • Recovery targets are derived from the BIA, never assigned by intuition
  • RTO is set shorter than the maximum tolerable downtime
  • Business continuity is broader than disaster recovery, which it contains
  • A DR plan must define failback to primary, not just failover
  • An untested DR plan is an assumption, not a capability
  • Start DR testing low-risk and escalate as each level passes
  • A tabletop exercise validates a new plan with zero production risk
  • A parallel test runs recovery beside live production without risking it
  • Full interruption proves the plan but is the only test that can break it
  • Unacceptable data loss is an RPO problem; too-long downtime is an RTO problem
  • Resilience handles routine failures; declare a disaster only when it overflows
  • Synchronous replication is required for RPO of zero; cross-region sync adds too much latency
  • Async cross-region read replicas allow quick promotion with a small, non-zero RPO
  • For DNS-based failover, set the record TTL below the RTO
  • Point-in-time recovery restores a full backup then replays transaction logs to a chosen instant
  • Independent point-in-time backups are needed because replication propagates corruption
  • WORM compliance-mode retention locks block deletion by anyone, even admins, for SEC 17a-4
  • Archive storage tiers need hours to rehydrate, so they can blow a short RTO
  • An isolated recovery or test environment must share no identity, network, or storage with production

Unlock with Premium — includes all practice exams and the complete study guide.

Cloud Application Security

AppSec Training & Awareness

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

The OWASP Top 10 and CWE/SANS Top 25 are the two awareness catalogs CCSP grades against

When the exam asks what application-security awareness training should reference, the answer is the OWASP Top 10 for web application risk categories and the CWE/SANS Top 25 for the underlying software weaknesses. The two are zoom levels on one problem, not competitors: OWASP frames broad risks for prioritization, while CWE names the exact weakness so it can be tracked and trained against.

OWASP lists broad risk categories; CWE lists specific weaknesses

The OWASP Top 10 entries are broad risk categories such as Broken Access Control or Injection, ten of them, ranked by incidence and exploitability across many applications. The CWE Top 25 entries are individual weakness types with stable identifiers, such as CWE-79 (cross-site scripting) or CWE-89 (SQL injection), ranked by how often they appear in reported CVEs and how severe they are. A stem that names a broad risk points to OWASP; one that gives a specific weakness or a CWE number points to the CWE Top 25.

Trap Treating OWASP and CWE as the same granularity; OWASP is risk categories, CWE is individual weakness identifiers, and a question can hinge on that distinction.

Broken Access Control rose to the #1 OWASP risk in 2021

In the OWASP Top 10:2021, A01 Broken Access Control became the top-ranked risk, displacing Injection, because the supporting data showed it was the most common serious flaw across tested applications. It means a user reaching data or actions they are not authorized for.

Trap Naming Injection as the current #1 OWASP risk; it led in 2017 but Broken Access Control overtook it in the 2021 edition.

1 question tests this
OWASP 2021 folded XSS into the Injection category

Cross-site scripting is no longer its own OWASP Top 10 entry; in the 2021 edition it sits inside A03 Injection alongside SQL injection and command injection, because all share the root cause of untrusted input being interpreted. As a CWE it is still CWE-79.

Trap Expecting a standalone Cross-Site Scripting entry in the OWASP Top 10:2021; XSS was merged into A03 Injection that edition.

Insecure Design (A04) is the OWASP category for missing security design, not coding bugs

A04 Insecure Design was introduced in 2021 to capture flaws that come from weak or absent security design rather than an implementation mistake, which is why threat modeling and secure design patterns are its countermeasures. A perfectly coded feature can still be insecure by design if the design never considered the threat.

Trap Assuming better code review or testing fixes Insecure Design; the flaw is in the design, so it is addressed by threat modeling and secure design, not by catching bugs.

1 question tests this
SSRF (A10) and Misconfiguration (A05) are the OWASP risks the cloud sharpens most

Server-Side Request Forgery was added as A10 in 2021 partly because cloud metadata endpoints make a tricked internal request especially damaging, exposing instance credentials. Security Misconfiguration (A05) is the OWASP category that maps most directly to cloud breaches, because insecure defaults and exposed configuration are the dominant cloud failure. Both are general risks, but cloud raises their impact.

Trap Dismissing SSRF as a niche web bug in a cloud context; against a metadata endpoint it can leak the instance's IAM credentials.

2 questions test this
CWE is MITRE's dictionary of weakness types; the Top 25 ranks the most dangerous

Common Weakness Enumeration (CWE) is maintained by MITRE as a catalog of software and hardware weakness types, each with a stable CWE-number. The CWE Top 25 Most Dangerous Software Weaknesses ranks the 25 most prevalent and severe, scored from reported CVE data. It was historically co-published with SANS, which is why it is still called the CWE/SANS Top 25.

An OWASP category contains several CWE weaknesses

The two catalogs nest: OWASP A03 Injection contains CWE-89 (SQL injection) and CWE-79 (cross-site scripting); OWASP A01 Broken Access Control contains weaknesses such as CWE-22 (path traversal) and CWE-862 (missing authorization). OWASP is the awareness framing for prioritizing what to teach; CWE is the precise label you attach to a specific finding so it can be tracked and deduplicated.

The cloud dissolves the network as a trust boundary, so authenticate every call

Cloud workloads are reachable through public control-plane and data-plane APIs, so an internal source address is no longer authorization. Code that trusted any caller already inside the data center must be rewritten to authenticate and authorize every request, because the perimeter the old code leaned on does not exist in the cloud.

Trap Relying on network position or a VPC boundary to authorize requests between cloud services; location grants no trust, so each call still needs its own authentication.

Keep secrets out of code and images; fetch them from a secrets manager at runtime

In the cloud, credentials travel through source repositories, CI/CD pipelines, container images, and environment variables, any of which can leak them. The awareness rule is that secrets belong in a managed secrets store the app reads at runtime, never hardcoded in source or baked into an image. This is the developer-side habit; OWASP catalogs the failure as part of misconfiguration and integrity risks.

Trap Storing a secret in an environment variable or container image and treating it as hidden; both are readable and leak the credential.

2 questions test this
Misconfiguration and insecure defaults are the most common cloud-breach root cause

A publicly exposed storage bucket, debug mode left on in production, or a default admin password unchanged is consistently the largest single source of cloud breaches, and it is OWASP A05 Security Misconfiguration. The defense taught in awareness is hardened baselines (for example a CIS Benchmark) deployed from a golden image, plus configuration scanning that flags drift. When a scenario shows data exposed with no exploit or malware, this is the root cause.

Trap Reaching for a new firewall or perimeter device when data is exposed with no exploit; the cause is misconfiguration, fixed by a hardened baseline, not a network control.

1 question tests this
Over-permissive IAM turns a compromised component into a full-account compromise

A function or container granted a wildcard or admin role hands an attacker everything that role can reach if the code is compromised, so least privilege is a coding and design concern, not just an operations one. Grant each component only the actions and resources it needs, and prefer short-lived credentials over long-lived static keys. A stem where a compromised component reached far more than its job required points here.

Trap Attaching a broad or admin role to a workload because scoping it is more effort; one compromise then exposes everything that role can reach.

2 questions test this
Unvalidated input is the root of the entire injection family

Trusting data from a request, a queue, or another service is what lets untrusted input be interpreted as a command or query, which is OWASP A03 Injection. The awareness-level defense is to validate input against an allowlist and encode output for its context. Awareness names the weakness; the secure-coding subtopic implements the parameterized query and the encoder.

Trap Validating only with a denylist of known-bad patterns; attackers bypass denylists, so an allowlist of permitted input is the durable control.

7 questions test this
Vulnerable and outdated dependencies (A06) need software composition analysis

Most cloud applications are mostly other people's code, so shipping a library or platform with a known CVE is a leading risk, catalogued as OWASP A06 Vulnerable and Outdated Components. The awareness-level defense is software composition analysis (SCA) in the pipeline to detect known-vulnerable dependencies, plus keeping components current.

Trap Assuming your own code review covers third-party libraries; SCA tooling, not manual review, is what finds known-vulnerable dependencies at scale.

Awareness names the weakness and the defense; secure coding implements it

AppSec training and awareness is the what and the why: which weaknesses exist, why the cloud makes them sharper, and how to recognize them in a question stem. The hands-on secure coding, threat modeling, and SDLC-phase work belong to the secure SDLC subtopics. On the exam, a question about recognizing a risk category or a common pitfall is awareness; a question about how to implement the fix is the secure SDLC.

Role-based awareness training is most effective before the first commit

Secure software depends more on what developers know going in than on what testing catches coming out, because the cheapest defect to fix is the one never written. Awareness training therefore targets onboarding and is role-based, so developers, testers, and operators each learn the pitfalls relevant to their work before insecure code or defaults enter the repository.

2 questions test this
Match the symptom to the awareness answer when reading the stem

The recurring pattern: data exposed with no exploit points to misconfiguration and a hardened baseline; a credential found in a repo or image points to a secrets manager plus rotation; a compromised component that reached too far points to over-permissive IAM and least privilege. Match the described symptom to the concept rather than to the most technically impressive option, which is usually the distractor.

Secure SDLC Process

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

The secure SDLC is the normal SDLC with a security activity per phase

The SSDLC does not replace the development life cycle; it attaches a deliberate security activity to each existing phase so security is designed in rather than inspected in at the end. The phases ISC2 commonly uses are requirements, design, development, testing, deployment, and operations and maintenance. Knowing the backbone matters more than the exact count, because different models compress or rename phases while keeping the same flow.

Fix flaws as early as possible because cost rises about 10x per later phase

The cheapest place to fix a defect is the earliest phase that could catch it, which is why the whole life cycle is phased. A requirements or design flaw fixed on paper costs roughly an order of magnitude less than the same flaw found in testing, and far less again than a vulnerability patched in production. This cost-to-fix curve is the reasoning behind shift-left, so a question describing an expensive late patch is signalling a skipped early activity.

1 question tests this
Capture security requirements at the requirements phase, not before launch

Security and privacy requirements are gathered alongside functional requirements at the very start, driven by the data handled, the regulations in scope, and the threat environment. They then shape design, constrain code, and define what tests must prove. A team that writes only functional stories and discovers its encryption, logging, and access needs during a pre-launch pen test has inverted the life cycle and pays for it in rework.

Trap Treating security as a final review gate just before go-live; that lets flawed requirements and insecure design accumulate to where they are expensive to remove, the exact shift-left failure the phase model prevents.

Abuse cases are the security counterpart to use cases, written at requirements

An abuse case describes how an attacker would deliberately misuse a feature, the mirror image of a use case that describes intended behavior. Writing abuse cases during the requirements phase surfaces the misuse paths controls must block before any design is drawn. They feed the threat model that the design phase produces.

1 question tests this
Threat modeling belongs to the design phase, before code exists

The design phase produces a secure architecture and a threat model that names what could go wrong and which control answers each threat. Trust boundaries, authentication flows, and where data is encrypted are decided here on paper, where changes are cheap. The describe-the-process view places threat modeling in design; the specific methods used to do it live in the apply-the-SDLC objective.

Trap Placing threat modeling in the coding phase; it belongs to design, because you model the architecture before the code that implements it exists.

1 question tests this
SAST is a white-box code-time check run during development

Static application security testing (SAST) analyzes source code or bytecode without running it, flagging vulnerable patterns early in the development phase. It is a white-box technique because it sees the code, so it catches issues like injection-prone patterns before a build runs. It cannot see behavior that only emerges at runtime, which is what dynamic testing covers.

Trap Expecting SAST to catch runtime-only flaws such as misconfigured server responses or auth bypasses that appear only when the app runs; those need dynamic testing.

2 questions test this
DAST is a black-box runtime check run during testing

Dynamic application security testing (DAST) exercises the running application from the outside, finding flaws that surface only at runtime. It is a black-box technique because it sees behavior, not source, so it complements rather than replaces SAST. A complete secure SDLC uses both: SAST in development on the code, DAST in testing on the running system.

Trap Choosing DAST alone as sufficient application security testing; without SAST you miss code-level defects that never surface in black-box behavior.

1 question tests this
Each phase owns a distinct, named security activity

The phase model assigns one security activity per phase so nothing is implicit: requirements gathers security requirements and abuse cases, design produces the threat model and secure architecture, development applies secure coding and SAST, testing runs DAST and abuse-case testing, deployment hardens config and manages secrets, and operations patches, monitors, and securely decommissions. The exam frequently hands you a phase and asks for its activity, or an activity and asks for its phase.

Maintenance and secure decommissioning are phases of the SSDLC, not afterthoughts

Operations and maintenance is a full phase: the live system is patched, monitored, and its dependencies tracked, and when the application retires it is securely decommissioned with data sanitized or crypto-shredded and access revoked. Treating retirement as outside the life cycle leaves orphaned data and credentials behind. In the cloud, crypto-shredding the keys is the practical decommission step because you do not control the physical disks.

Waterfall runs the phases once in sequence with sign-off gates

Waterfall executes the phases strictly in order, each formally signed off before the next begins, which gives traceability and predictability that suit fixed-scope, heavily regulated work. Its cost is that most testing is deferred to a late dedicated phase, so security defects appear where the cost-to-fix curve is steepest, and mid-project requirement changes are expensive to absorb. Choose it when requirements are stable and a regulator expects documented phase gates.

Trap Forcing waterfall onto volatile requirements; its single ordered pass ships software that no longer matches need by release, which is exactly when an iterative methodology fits better.

Agile delivers the same phases in short repeating iterations

Agile runs requirements, design, build, and test inside short sprints, producing working tested software continuously and absorbing changing requirements gracefully. The risk is that security drifts when it is not made an explicit part of every sprint, because deferred security work tends never to arrive. Choose agile when requirements evolve and fast feedback matters more than fixed up-front scope.

Trap Assuming agile is automatically secure; without security work built into each sprint, the iterative cadence just defers security indefinitely.

DevSecOps shifts security left by automating it into the pipeline

DevSecOps extends DevOps by wiring security into the automated CI/CD pipeline so it runs on every change: SAST and software composition analysis on code and dependencies, DAST on the running build, infrastructure-as-code and container-image scanning, and policy-as-code gates. The principle is continuous automated assurance instead of a one-time release gate, the same shift-left idea the cost-to-fix curve demands, now enforced by the pipeline rather than by discipline alone.

Trap Treating a single security review just before launch as a secure pipeline; that is a release gate, not shift-left, and lets insecure design accumulate until it is costly to fix.

14 questions test this
Agile is iteration cadence; DevSecOps is automated security in delivery

The two are complementary, not synonyms: agile decides how often you run the phases, while DevSecOps decides how security is built into delivery. You can run agile with manual security reviews each sprint, and you can apply DevSecOps practices on top of waterfall or agile alike. A question about automating SAST/DAST into CI/CD points to DevSecOps, while a question about short iterations and changing scope points to agile.

Trap Equating agile with DevSecOps; adopting sprints does not by itself automate security, and automating security does not require agile.

Software composition analysis covers vulnerable third-party dependencies

Software composition analysis (SCA) inventories the open-source and third-party components a build pulls in and flags known-vulnerable versions, which neither SAST nor DAST reliably catch because the flaw lives in code you did not write. In a DevSecOps pipeline SCA runs automatically on each change so a newly disclosed dependency CVE is caught at build time. It is the supply-chain-facing leg of automated assurance.

Trap Relying on SAST to catch vulnerable libraries; SAST scans your code, while a known-vulnerable dependency version is found by SCA against a vulnerability database.

1 question tests this
Security is a system requirement, designed in, not bolted on

The governing principle of the secure SDLC is that security is a property of the system and its delivery process, captured as a requirement and carried through every phase, never a checklist added before release. This is why the phase model exists and why shift-left is the recurring corrective. A process whose only security step is a final gate has misunderstood the model regardless of which methodology it uses.

1 question tests this

Applying the Secure SDLC

Read full chapter
  • Threat model at design time, before code exists
  • STRIDE enumerates threats by six categories
  • DREAD ranks threats, it does not discover them
  • PASTA is the risk- and attacker-centric process
  • ATASM is the lightweight architecture-first flow
  • The four methods compose rather than compete
  • Shared responsibility decides which threats are yours to fix
  • Make the management plane an in-scope trust boundary
  • Multi-tenancy adds isolation and noisy-neighbor threats
  • Ephemeral compute means security state cannot live on the host
  • In the cloud the API is the primary attack surface
  • OWASP ASVS gives verifiable, pass/fail security requirements
  • Pick the ASVS level from data sensitivity, L1 to L3
  • SAFECode prescribes practices; ASVS verifies them
  • Default-deny outbound and validate URLs to stop SSRF on metadata
  • Enforce object-level authorization on the server for every access
  • A release you cannot reproduce or trace cannot be secured
  • Sign commits and tags so a forged history is detectable
  • Releases are immutable; a fix is a new version, never an in-place edit
  • An SBOM answers whether you shipped a now-vulnerable dependency
  • Sigstore keyless signing uses short-lived Fulcio certificates bound to an OIDC identity
  • Signature integrity depends on the hash algorithm and a trusted timestamp, not just key size
  • Every change needs review by someone other than the author before merge to a protected branch
  • Scan the rendered IaC plan and enforce guardrails with policy-as-code
  • Immutable infrastructure rebuilds from a golden image instead of patching in place

Unlock with Premium — includes all practice exams and the complete study guide.

Software Assurance & Validation

Read full chapter
  • Classify a test by two independent axes: visibility and what it analyzes
  • SAST reads source at rest and pinpoints the vulnerable line
  • DAST attacks the running app and confirms exploitability but not the line
  • IAST instruments the runtime to get low false positives plus the code line
  • SCA inventories third-party components, the code you did not write
  • SAST and DAST are complements, not substitutes
  • Black-box is the attacker's no-source view; white-box has full internals
  • Functional testing proves the feature works; security is non-functional
  • Abuse-case testing flips a use case into what an attacker must not achieve
  • Abuse cases come from the threat model, not improvised
  • Quality assurance gates the release against defined exit criteria
  • Anchor secure-testing decisions to OWASP guidance and ASVS
  • Map the stem's clue to exactly one method
  • Reachability analysis and runtime/severity ranking focus SCA remediation on real risk
  • Place SCA before SAST and DAST, and pull from a golden repository of vetted components
  • Run DAST against a production-equivalent staging environment, never live production
  • DAST output is made actionable by triaging, deduplicating, and suppressing verified false positives
  • SAST cannot find authorization or business-logic flaws and over-reports on external code

Unlock with Premium — includes all practice exams and the complete study guide.

Verified Secure Software

Read full chapter
  • Verify acquired software before you trust it; most of your app is code you didn't write
  • Treat every API as a trust boundary, internal endpoints included
  • Broken object-level authorization is the #1 API risk, and it is an authz failure not injection
  • On API questions, suspect authorization and authentication before injection
  • Broken function-level authorization lets an ordinary user reach admin operations
  • Validate API requests against a strict schema to stop injection and mass assignment
  • Rate limit APIs, because unrestricted consumption is a denial-of-wallet risk in the cloud
  • An API key identifies an app; it is not user authentication
  • Validate responses from APIs you consume; upstream data is untrusted input
  • An SBOM is the inventory that tells you where a vulnerable component ships
  • Provenance proves an artifact came from where it claims, via signatures and pinning
  • SCA runs continuously, because a clean component becomes vulnerable when a CVE is published
  • A dependency pulls in its transitive dependencies, maintainers, and build pipeline
  • Open source is free to use, not free to trust: validate the project, not the download count
  • Distinguish permissive from copyleft licenses, because copyleft can force source disclosure
  • Treat a license as a security and compliance control, not paperwork
  • Assess a vendor's posture before you buy, using attestations and a mapped questionnaire
  • Source-code escrow protects continuity if a critical vendor goes dark
  • SBOM is the list, SCA is the watch, provenance is the proof of origin
  • VEX is the machine-readable attestation of whether a CVE is actually exploitable in your product
  • Fix a vulnerable transitive dependency by upgrading the direct dependency that pulls it in

Unlock with Premium — includes all practice exams and the complete study guide.

Cloud Application Architecture

Read full chapter
  • A WAF inspects HTTP at layer 7 for injection and XSS, so it matches web-application attacks
  • A WAF is a compensating control, not a replacement for input validation
  • A WAF in monitor/count mode blocks nothing
  • An XML firewall validates XML schema and stops XML-specific attacks a WAF cannot
  • An API gateway centralizes authN/Z, rate limiting, and metering for many APIs
  • Database activity monitoring is a detective control that watches queries at the data store
  • Pick the supplemental component by the layer the threat lives on
  • Storage encryption does not hide data from a compromised app, an insider, or the provider
  • Application- or client-side encryption narrows who can read the plaintext
  • Tokenization removes the sensitive value and shrinks compliance scope
  • Keys belong in a KMS or HSM, separated from the ciphertext
  • Customer-held keys (BYOK/HYOK) answer 'the provider must never decrypt our data'
  • Sandboxing contains a compromise; it does not prevent malicious code from running
  • A container shares the host kernel, so it is weaker isolation than a VM
  • Harden containers: non-root, dropped capabilities, seccomp/AppArmor, scanned images
  • Microservices multiply the attack surface, so isolate and least-privilege each service
  • The orchestrator's control plane is itself a high-value target
  • Supplemental controls layer on the secure SDLC; they are not the SDLC
  • RASP is embedded inside the running app to detect and block attacks in real time
  • RASP must be performance-trialed and baked into the base image for ephemeral workloads
  • Scan container images before pushing them to the trusted registry
  • Images with HIGH or CRITICAL findings are rebuilt or deleted, not deployed
  • In a service mesh the sidecar proxy intercepts all traffic and enforces mTLS
  • Zero trust in a mesh denies by default and authenticates every workload call
  • A TPM seals secrets to PCR boot measurements and signs quotes for remote attestation
  • FaaS statelessness enables flow-bypass and residual /tmp data leakage across invocations

Unlock with Premium — includes all practice exams and the complete study guide.

Identity & Access Management Solutions

Read full chapter
  • Authentication proves identity; authorization grants rights
  • OAuth 2.0 authorizes; it does not authenticate
  • OIDC adds authentication on top of OAuth 2.0
  • SAML is the enterprise web SSO assertion (signed XML)
  • Federation keeps the IdP authoritative so the cloud app never holds the password
  • SSO is the user-facing payoff of federation, and concentrates risk on the IdP
  • SCIM handles account lifecycle; SAML/OIDC handle sign-in
  • Real MFA combines factors from different categories
  • FIDO2/WebAuthn is the phishing-resistant factor; SMS OTP is the weakest
  • TOTP beats SMS but is still phishable
  • Step-up and adaptive auth raise assurance only when risk rises
  • A CASB governs cloud services the enterprise does not run
  • Know the four CASB pillars: visibility, compliance, data security, threat protection
  • CASB deployment mode decides coverage: proxy is inline, API mode is out-of-band
  • Reach unmanaged/BYOD devices with a reverse proxy or API mode, not a forward proxy
  • Secrets management protects the credentials applications authenticate with
  • A leaked secret must be rotated, not just deleted from the latest commit
  • Automatic rotation, and dynamic secrets, shrink the window a leak is useful
  • Keys go in a KMS/HSM; secrets go in a secrets manager; certs come from a CA
  • An HSM holds keys when FIPS validation or key custody is required
  • JIT access grants temporary elevated privileges that auto-revoke after the task
  • Zero Standing Privileges creates and deletes permissions per session so no privileged role exists
  • ABAC evaluates attributes to fix RBAC role explosion while staying granular
  • In XACML the PDP decides, the PIP supplies attributes, and combining algorithms resolve conflicts

Unlock with Premium — includes all practice exams and the complete study guide.

Cloud Security Operations

Building Cloud Infrastructure

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A TPM measures and attests platform state; it is not a key vault

A Trusted Platform Module is a passive chip soldered to one physical host that hashes firmware, boot loader, and kernel into Platform Configuration Registers as they load, then signs those values so a remote verifier can confirm the host booted known-good software (measured boot and remote attestation). It can also seal a small secret to a specific PCR state so the secret only unseals on that exact configuration. It is not built for bulk encryption or holding many keys.

Trap Reaching for a TPM to store and serve application encryption keys; that throughput-and-storage role belongs to an HSM, while the TPM only measures, attests, and seals a tiny secret.

1 question tests this
An HSM keeps key material inside its boundary and returns only the result

A Hardware Security Module is a high-throughput cryptographic processor whose defining guarantee is that the private key never leaves its tamper-resistant boundary in plaintext. You send it data plus an operation (encrypt, decrypt, sign, generate); it performs the operation internally and returns only the result. That property is what lets you prove a key was never exposed to the operating system or to a co-tenant.

3 questions test this
FIPS 140 levels name specific physical-tamper guarantees, not brands

HSMs are validated against FIPS 140-2 or its successor FIPS 140-3, and the level is the testable detail. Level 1 is software-grade with no physical security; Level 2 adds tamper-evidence and role-based authentication; Level 3 adds active tamper response (the device zeroizes its keys on physical intrusion) plus identity-based operator authentication; Level 4 adds resistance to environmental attacks. When a mandate says "FIPS 140-2 Level 3" it is specifying the tamper-response and operator-auth guarantee, so record the certificate number as evidence.

Trap Treating any FIPS 140 validation as equivalent; Level 1 has no physical protection at all, so it does not satisfy a Level 3 zeroize-on-intrusion requirement.

5 questions test this
Multi-tenant KMS vs dedicated HSM is a custody decision

Cloud key services come in two shapes that differ by who controls the partition. A multi-tenant key management service (AWS KMS, Azure Key Vault, Google Cloud KMS) is HSM-backed but shared across customers, which is fine for most workloads. A dedicated single-tenant HSM (AWS CloudHSM, Azure Dedicated HSM) gives one customer sole control of the hardware partition and the keys, for when regulation or contract makes shared custody unacceptable. Choose dedicated only when single-tenant custody is genuinely required, because it costs more and you operate it.

Trap Provisioning a dedicated single-tenant HSM for an ordinary workload that the multi-tenant KMS already protects; you take on cost and operational burden with no custody requirement to justify it.

1 question tests this
Production multi-tenant cloud runs Type-1 hypervisors

A Type-1 (bare-metal) hypervisor installs directly on the hardware with no host operating system beneath it, so its trusted computing base is small, which is why every IaaS provider runs one (KVM, Xen, ESXi). A Type-2 (hosted) hypervisor runs as an application on a general-purpose OS, inheriting that OS's vulnerabilities, suitable for a developer laptop but not a multi-tenant host. Fewer layers below the isolation boundary means fewer paths for a guest to escape it.

Trap Picking a Type-2 hypervisor for a multi-tenant cloud host because it is easier to set up; the underlying host OS becomes an extra attack surface directly beneath every tenant's guest.

2 questions test this
VM escape is the threat the hypervisor build exists to prevent

VM escape (guest-to-host breakout, sometimes hyperjacking) is when a guest exploits a flaw in the hypervisor or emulated virtual hardware to run code at host level, which on a shared host means reaching co-tenants. Build-phase defenses all shrink the path to it: run Type-1 to drop the host-OS layer, keep the hypervisor patched to a known baseline, strip and isolate the management interface, and enforce isolation with CPU virtualization extensions rather than fragile software emulation.

6 questions test this
CPU virtualization extensions enforce isolation in silicon

Require the hardware virtualization extensions on every host: Intel VT-x or AMD-V for CPU virtualization, plus Intel VT-d or AMD-Vi (IOMMU) for DMA isolation so a passed-through or malicious device cannot read host memory. Hardware-enforced isolation is stronger than software emulation, so the build that turns these on is the more secure one. Also apply microcode and firmware updates that mitigate speculative-execution side channels.

Trap Assuming software emulation isolates guests as well as the hardware extensions; without VT-d/AMD-Vi, a passthrough device can DMA into memory the guest should never reach.

2 questions test this
Disable memory deduplication across tenants and encrypt sensitive guest memory

Shared physical RAM is partitioned among guests, so the threats are cross-VM reads and side channels. Disable transparent page sharing and memory deduplication across tenants, because identical-page merging has enabled cross-VM information leaks. For high-isolation or confidential workloads, enable hardware memory encryption (AMD SEV, Intel SGX enclaves, or Intel TDX trust domains) so guest memory is encrypted even from the hypervisor and the host operator, not only from other guests.

Trap Relying on hypervisor partitioning alone for confidential data; without hardware memory encryption a compromised hypervisor or host operator can still read the guest's RAM.

Lock down the virtual switch so a guest cannot sniff or spoof neighbors

On virtual switch port groups, disable promiscuous mode so a guest cannot capture traffic destined for other VMs, and disable MAC-address changes and forged transmits so a guest cannot impersonate another's address. Segment tenants onto their own virtual networks or VLANs/VXLANs with default-deny security groups, and isolate the management plane onto a separate network that guest workloads cannot route to.

Trap Leaving promiscuous mode enabled on a port group for troubleshooting convenience; any guest on that group can then sniff its neighbors' traffic.

1 question tests this
Cryptographic erase is the scalable way to sanitize reclaimed cloud storage

A virtual disk reassigned from one tenant to another must not carry the previous tenant's bytes (data remanence). Encrypt every volume and image at rest, then sanitize by destroying the encryption key (cryptographic erase), which renders the data unrecoverable instantly and at scale, consistent with NIST SP 800-88 media sanitization. Physical overwrite or degaussing does not fit shared, abstracted cloud storage the way crypto-erase does.

Trap Assuming you can degauss or physically destroy a specific tenant's blocks in a shared cloud array; you do not control the physical media, so cryptographic erase via key destruction is the workable control.

3 questions test this
Containers share a kernel, so isolate untrusted workloads in their own VM

Containers are not a hypervisor type; they isolate at the OS level with namespaces and cgroups while sharing one host kernel, a weaker boundary than a hypervisor's because a kernel exploit can cross between containers. When untrusted or strongly-isolated workloads need the VM boundary back, run each container or pod inside its own lightweight VM on a Type-1 hypervisor.

Trap Treating the container boundary as equivalent to the VM boundary; a single host-kernel vulnerability can compromise every container on the host, which the hypervisor boundary would have contained.

Build every host and image from a hardened baseline, not a default install

Build is the one clean moment, so produce hosts, hypervisors, and golden guest images from a defined baseline mapped to a recognized standard such as a CIS Benchmark or DISA STIG. The baseline removes default and unused accounts, changes or removes every default credential including the management agent's, disables unused services and ports, sets the host firewall to default-deny, enables disk encryption, and configures secure logging and time sync. Anything left at vendor defaults is the easiest thing for an attacker to use.

Trap Leaving the management agent's or appliance's default credentials in place after deployment; default credentials are among the first things scanned for and exploited.

Capture the hardened build as a signed, immutable golden image

Provision every host and VM from a single golden image rather than configuring each by hand. Immutability is the security property: identical instances make configuration drift detectable (anything differing from the image is suspect), patching becomes rebuild-and-replace instead of in-place editing, and a compromised instance is discarded rather than cleaned. Sign or hash the image and verify it at launch so a tampered image is caught before it boots.

Harden the management plane before handing it to operators

The management plane (hypervisor management interface, orchestration and configuration tools, cloud control APIs) controls every guest, so it is the highest-value target. At build time isolate it on its own network away from tenant traffic, install its tools only from verified sources, require MFA and least-privilege RBAC for administrators, and enable full audit logging of management actions from day one. A breach here is a breach of the whole estate, not one tenant.

Trap Putting the management interface on the same network tenants can reach so admins can connect conveniently; that exposes the control plane of every guest to tenant-side attackers.

2 questions test this
Keep IaC and config-management credentials in a secrets manager, never in an image

Infrastructure-as-Code and configuration-management tooling is part of the build attack surface because the credentials it holds can rebuild the entire estate. Store those secrets in a dedicated secrets manager and inject them at run time; never bake them into a golden image, a container layer, or a source repository, where they persist and leak. The blast radius of a leaked build credential is the whole platform.

Trap Embedding deploy keys or API tokens directly in the golden image or IaC repo for convenience; they ship to every host and survive in version history where they are trivially harvested.

Install the guest virtualization toolset from the trusted source during build

Part of building a guest is installing its virtualization toolset (VMware Tools, virtio paravirtualized drivers, cloud-init or the cloud agent) so paravirtualized I/O performs well and the orchestration hook is present. Pull these only from the platform vendor's trusted source, then harden the guest OS itself to the baseline. The toolset runs with privilege inside the guest, so a tampered package is a direct foothold.

Build sets the secure starting state; operate keeps it secure over time

The build phase produces a hardened, immutable starting point: trust anchors, hypervisor choice, baselines, golden images. Keeping that state hardened (patch management, drift remediation, monitoring, backup/restore, availability tuning) is the operate phase, covered in the operating-cloud-infrastructure subtopic. Questions about standing up infrastructure point to baselines and trust anchors, while questions about maintaining it point to patching and monitoring.

Trap Answering a standing-up question with an operate-phase control like patch cadence; the build question is asking for the baseline, golden image, or hardware trust anchor that defines the secure starting state.

CSP-managed keys let the provider decrypt; hold the keys yourself for regulated data

When the CSP manages encryption keys it retains the technical ability to decrypt tenant data, so for regulated data the recommendation is customer-managed keys (CMK) held in a key store separate from the provider — or client-side encryption — so provider insiders cannot read the plaintext. This applies segregation of duties between the data host and the key holder.

Trap Accepting default CSP-managed platform keys for regulated data, leaving the provider technically able to decrypt it.

5 questions test this
Unique per-tenant keys give cryptographic isolation on shared storage

Encrypting each tenant's volumes or objects with its own unique key, managed through a centralized KMS, ensures one tenant's data cannot be decrypted with another tenant's key even if storage-layer isolation fails. Centralized key management supplies consistent lifecycle, access control, and audit across SAN, NAS, and object storage.

Trap Using one shared key across all tenants so a single key compromise exposes every tenant's data.

4 questions test this
Set EXTRACTABLE=false so an HSM key can never be exported

Creating a key with the EXTRACTABLE attribute set to false (EXTRACTABLE=0) makes it non-extractable: it can only be used for cryptographic operations inside the HSM and cannot be exported even via key wrapping. This is the configuration for highly sensitive master keys that must never leave the HSM boundary, and it cannot be reversed after creation.

Trap Leaving keys extractable for portability when the requirement is that they never leave the HSM under any circumstance.

3 questions test this
Uptime Tier III is concurrently maintainable; Tier IV is also fault tolerant

Tier III is the minimum that supports concurrent maintainability — any component can be taken offline for maintenance without disrupting service. Tier IV adds fault tolerance, so a single unplanned component failure also causes no disruption (about 99.995%, ~26 minutes annual downtime); a requirement for both fault tolerance and maintenance without interruption needs Tier IV.

Trap Selecting Tier III when the requirement also demands surviving an unplanned single-component failure — that is Tier IV.

3 questions test this
PUE is total facility power divided by IT power, so lower is more efficient

Power Usage Effectiveness is total data-center energy divided by the energy delivered to IT equipment. A PUE of 1.2 means 1 watt powers IT and 0.2 watts goes to overhead (cooling, power distribution, lighting); a PUE of 1.8 means 0.8 watts of overhead per IT watt. The closer to 1.0, the more efficient the facility.

Trap Reading a higher PUE as better — a larger ratio means more overhead and worse efficiency.

4 questions test this
A Building Management System monitors and controls facility environment proactively

A Building Management System (BMS) continuously monitors data-center temperature, humidity, airflow, and power via facility-wide sensors, automates HVAC control, and alerts operations staff as conditions approach (before they exceed) thresholds. The correct response to a trending-toward-threshold alert is to investigate and adjust proactively, not wait for the alarm.

Trap Waiting until the BMS alarm threshold is breached to act, instead of remediating while conditions are merely trending upward.

4 questions test this
Hot/cold aisle containment stops exhaust and supply air from mixing

Hot-aisle/cold-aisle containment erects physical barriers that separate server hot exhaust from cold supply air, eliminating the recirculation that causes localized hot spots and inconsistent inlet temperatures even when overall cooling capacity is adequate. It is the targeted fix for air-mixing problems and improves cooling efficiency.

Trap Adding more raw cooling capacity to chase hot spots when the root cause is hot/cold air recirculation that containment resolves.

5 questions test this
UPS provides instant bridge power until generators assume the load

On utility power loss the UPS comes online instantly, supplying short-term battery bridge power for the seconds-to-minutes it takes diesel generators to start, stabilize, and take over the sustained facility load. The UPS is the gap-filler, not the long-duration source.

Trap Expecting the UPS to carry the facility for hours — its role is to bridge only until the generators assume the load.

3 questions test this
Lowering a biometric threshold trades FRR for FAR; CER is where they meet

Loosening a biometric system's matching threshold lowers the False Rejection Rate (fewer legitimate users denied) but raises the False Acceptance Rate (more impostors admitted). The Crossover Error Rate (CER), also called Equal Error Rate, is the threshold where FAR equals FRR and is the standard single-number accuracy comparison — lower CER is a better system.

Trap Tuning only for low False Rejection (user convenience) while ignoring the rising False Acceptance Rate that admits impostors.

3 questions test this
Physical defense in depth layers controls from perimeter inward to the rack

Defense in depth applies multiple concentric physical barriers — perimeter fencing, building access control, data-center floor restrictions, then server-rack locks — so if one layer is defeated the next still protects the asset. The layers run from the outermost perimeter inward to rack-level security.

Trap Relying on a single strong control (e.g. a guarded entrance) instead of layered concentric barriers from perimeter to rack.

3 questions test this

Operating Cloud Infrastructure

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Reach hosts through a bastion, never an open management port

A bastion host, also called a jump box, is a hardened VM in a public subnet that is the only machine allowed to accept inbound RDP or SSH; workload hosts in private subnets accept admin traffic only from the bastion's security group, never from the internet. Concentrating access at one logged choke point lets you enforce MFA, tight allow-lists, and session recording in a single place, instead of securing every host's exposed port. An internet-facing RDP (3389) or SSH (22) rule open to 0.0.0.0/0 is the classic exposure these patterns exist to remove.

Trap Putting the bastion in the same security group rules as the workload but still leaving the workload's RDP/SSH open to the internet, which defeats the single-entry-point design.

Use a managed session broker for admin access with no inbound port

When a scenario wants administrative access with no open management port and centralized, identity-bound logging, the answer is a managed broker rather than a hand-built bastion. AWS Systems Manager Session Manager, Azure Bastion, and GCP Identity-Aware Proxy all reach the host through the provider's control plane over an outbound or TLS-brokered connection, so the instance needs no inbound rule and often no public IP, and every session is scoped by IAM and logged centrally by default.

Trap Choosing a public RDP/SSH rule plus a network ACL allow-list when the requirement is no inbound port at all; only a brokered service removes the port.

VPN gives broad network reach; a jump box gives one audited host entry

A VPN establishes an encrypted tunnel onto the private network so an operator can reach many hosts as if local, which suits broad operational reach. A bastion brokers access to one target through a single recorded hop, which suits a clean per-host audit trail. Pick the VPN when the operator legitimately needs to touch many systems, and the jump box when the requirement is a single controlled, logged entry point.

Trap Reaching for a VPN when the real requirement is per-session recording of who touched which host; a plain VPN logs the tunnel, not each host session.

Out-of-band console access is the recovery path, so guard it like the bastion

The provider's serial or hypervisor console reaches a guest even when its network stack or SSH daemon is broken, which makes it the recovery channel of last resort. Because it bypasses the normal network controls, it must be protected as tightly as the primary admin path, with MFA and tight authorization, or it becomes an unmonitored back door.

Security groups are stateful; network ACLs are stateless

A security group is a stateful per-instance firewall: allow an inbound flow and its return traffic is permitted automatically, so you do not write a matching outbound rule. A network ACL is a stateless subnet-level filter, so return traffic needs its own explicit rule in the opposite direction, including the ephemeral-port range. Knowing which is stateful decides how many rules a given scenario actually requires.

Trap Treating a network ACL as stateful and forgetting the return-direction rule, so the response traffic is silently dropped even though the request was allowed.

VLANs segment at layer 2; security groups filter at layer 3/4

A VLAN partitions one physical network into isolated broadcast domains so tenants or tiers cannot see each other's traffic at the link layer. A security group, by contrast, filters allowed flows per instance higher up the stack. They are complementary: VLANs isolate the network, security groups govern which allowed flows cross between hosts; neither replaces the other.

1 question tests this
DNSSEC protects integrity and authenticity, not confidentiality

DNSSEC signs DNS records so a resolver can verify an answer was not forged or tampered with in transit. It does not encrypt the query or response, so it provides no confidentiality; an observer still sees which names are looked up. The exam pairing to lock in: DNSSEC defends against spoofing and cache poisoning, while encryption of the lookup itself is a separate concern.

Trap Assuming DNSSEC encrypts DNS traffic; it only signs records for integrity, so confidentiality requires a different control.

Lock DHCP to authorized servers to stop rogue configuration

DHCP hands clients their IP address, gateway, and DNS resolver, so an unguarded segment lets a rogue DHCP server feed clients a malicious gateway or resolver and silently intercept traffic. Restricting DHCP to authorized servers (and enabling DHCP snooping where the platform supports it) keeps an attacker from redirecting hosts through their own machine.

TLS secures one session; a VPN secures the whole link

TLS protects an individual connection such as an API call or a management session, giving that session confidentiality and integrity. A VPN tunnels everything crossing an untrusted path between two endpoints. Use TLS for application and management endpoints, and a VPN when an entire site or operator must reach the private network over hostile transit.

IDS detects and alerts; IPS is inline and blocks

An intrusion detection system inspects a copy of the traffic and raises an alert on a match, but it does not stop the flow. An intrusion prevention system sits inline in the traffic path and can drop or reset the offending connection in real time. The distinction the exam turns on is action plus placement: detection-only and out-of-band for IDS, blocking and inline for IPS.

Trap Selecting an IDS when the requirement is to actively stop malicious traffic; an IDS only alerts, so blocking needs an inline IPS.

A honeypot is a decoy, so any interaction with it is suspicious

A honeypot is a deliberately exposed system with no production value, so any connection to it signals reconnaissance or attack and yields early warning and threat intelligence. It must be isolated from real systems so a compromise of the decoy cannot pivot into production, and organizations often weigh legal and entrapment concerns before deploying one.

Trap Placing a honeypot with network reach into production so a compromised decoy becomes a foothold rather than a contained sensor.

A vulnerability scan enumerates weaknesses; a pen test exploits them

Routine authenticated vulnerability scanning finds missing patches and weak configurations and feeds the patch and hardening cycle, but it only reports known weaknesses. A penetration test goes further and actively exploits them to prove real-world impact. In the cloud, confirm the provider's testing policy before scanning shared infrastructure.

Trap Calling a vulnerability scan a penetration test; the scan lists potential issues, while the pen test demonstrates exploitability.

Harden hosts to a published baseline like a CIS Benchmark or STIG

Hardening reduces a host to a documented, measurable configuration standard, most often a CIS Benchmark or a DISA STIG in government contexts, then audits the host against it. NIST SP 800-123 frames the goal as least functionality: run only the accounts, ports, and services the role requires, and turn on audit logging. Building from a named baseline gives you a repeatable target and a way to detect drift, rather than ad hoc per-server tweaks.

Bake the baseline into the golden image, not into a live server

Because cloud hosts are short-lived, the hardened baseline is applied to the golden image and re-applied on every rebuild, instead of being hand-configured on a running instance. This keeps every host in the fleet identical to the audited standard and removes the configuration drift that accumulates when operators patch live servers by hand.

1 question tests this
Patch immutable infrastructure by re-imaging, not in-place updates

The cloud-native patch model treats servers as cattle: rebuild the golden image with the fixed packages, roll the fleet to the new image, and terminate the old instances, rather than updating each running host. This guarantees every host is identical, erases drift, and lets you roll back instantly by redeploying the prior image. In-place patching is reserved for genuinely stateful hosts that cannot be replaced.

Trap Hand-patching a fraction of a fleet in place, which leaves the rest unpatched and reintroduces the drift immutable rebuilds exist to prevent.

3 questions test this
Follow the patch loop in order: identify, test, schedule, deploy, verify

Patch management runs a fixed sequence: identify missing patches from scans and advisories, test the patch in non-production, schedule it through change management, deploy to a canary subset before the full fleet, then verify the patch took and the service is healthy while keeping the previous image for rollback. A scenario about a patch that broke production is usually testing whether the test or canary step was skipped.

Trap Deploying a patch fleet-wide without a canary or a tested rollback image, so a bad patch takes the whole service down at once.

5 questions test this
HA restarts failed guests; fault tolerance runs a zero-downtime shadow

High availability automatically restarts a failed host's guests on a surviving cluster member, accepting a brief restart outage in exchange for recovery without human action. Fault tolerance instead runs a lockstep shadow VM so a host failure causes no downtime at all, at much higher cost. Match the mechanism to how much interruption the workload can absorb.

Trap Assuming HA gives zero-downtime failover; HA tolerates a short restart gap, and only fault tolerance avoids the outage entirely.

Use maintenance mode to drain a host before patching it

Maintenance mode tells the cluster to evacuate every guest off a host, using live migration (a resource scheduler such as VMware DRS), so the host can be patched or rebooted with no guest downtime. It is how immutable patching and HA fit together: the scheduler empties the host, you service it, and the guests keep running on other cluster members meanwhile.

1 question tests this
DRS live-migrates running guests to balance load and drain hosts

A distributed resource scheduler, with VMware DRS as the canonical example, live-migrates running guests between cluster hosts to balance CPU and memory load and to honor placement rules. The same migration machinery powers maintenance-mode evacuation, so the scheduler is doing double duty for both performance balancing and planned maintenance.

1 question tests this
Monitor hardware health and capacity to catch failure before outage

Availability depends on seeing trouble early, so operators track two signals: performance and capacity (network throughput, compute utilization, storage I/O, response time) to catch saturation before it degrades service, and hardware health (disk SMART status, CPU, fan speed, temperature) to catch a failing component before it dies. In managed cloud the provider owns the physical sensors, but the tenant still watches guest-level capacity and cluster headroom.

Clustering survives host failure; backups survive data loss and corruption

Cluster HA protects against a host dying, but it cannot recover from data corruption, ransomware, or accidental deletion because it keeps running the same bad data. Backups cover exactly those cases. Store backup copies off the primary cluster, ideally in another region or account, and keep at least one immutable copy that cannot be altered or deleted by a compromised admin.

Trap Relying on cluster HA or replication as the backup; replication faithfully copies corruption and ransomware to the replica, so it is not a recovery control.

1 question tests this
An untested backup is not a control; schedule restore tests

Backups fail silently, so a backup you have never restored is a hope rather than a control. Schedule periodic restore tests to prove the data is recoverable and that the process meets the recovery objectives. The recovery targets themselves (RTO and RPO) are set in the BC/DR plan, not chosen during day-to-day operations; backup operations exist to meet them.

Trap Treating successful backup jobs as proof of recoverability; only a tested restore confirms the backup can actually be brought back.

Define infrastructure as code for identical, auditable, rollback-able fleets

Infrastructure as Code defines servers, networks, and policies in versioned templates (Terraform, CloudFormation, ARM/Bicep) that the platform provisions automatically. Three properties make it the operate-and-maintain default: every change is reviewed and recorded like source code, the same template yields identical environments with no drift, and a bad change is rolled back by redeploying the prior version. A scenario about keeping hundreds of hosts configured identically and auditably is pointing at IaC.

2 questions test this
The management plane is the highest-value target, so guard it hardest

The management plane is the control layer (console, APIs, orchestration) that can create, destroy, and reconfigure every resource, so an attacker who owns it owns the whole cloud. No host-level control can contain a management-plane compromise, which is why the exam frames it as catastrophic. Protect it with MFA on every admin identity, least-privilege roles, no standing root or owner access, and complete logging of every control-plane action.

Trap Assuming host hardening or network controls limit the blast radius of a management-plane compromise; control of the plane overrides controls beneath it.

Patching responsibility shifts with the service model: IaaS customer patches the guest OS

Under shared responsibility the customer's patching burden grows as you move down the stack: in IaaS the customer patches the guest operating system and applications, in PaaS the CSP patches the platform and OS while the customer patches their code, and in SaaS the CSP patches everything. The provider always owns the underlying infrastructure and hypervisor.

Trap Assuming the CSP patches the guest OS on IaaS VMs — that responsibility stays with the customer.

5 questions test this
Virtual patching shields a zero-day until the real patch ships

When a vendor patch is unavailable or systems cannot be taken offline, virtual patching applies a security-policy enforcement layer (such as IPS or WAF signatures) that blocks exploitation attempts without modifying the underlying code. It is an interim compensating control, paired with an expedited emergency-patching process once the fix is released.

Trap Waiting out the normal multi-week test cycle for a live zero-day instead of deploying virtual patching as an interim shield.

2 questions test this
ESXi lockdown mode forces administration through vCenter, not direct host login

Enabling lockdown mode on an ESXi host restricts direct local logins and forces administrative operations through vCenter Server, which enforces centralized authentication, role-based access control, and audit logging. Effective hypervisor hardening layers this with MFA, application allowlisting, regular patching, and behavioral anomaly monitoring.

Trap Leaving direct local ESXi access open for convenience, bypassing the centralized authentication and audit trail vCenter provides.

2 questions test this
Credentialed scans see far more than unauthenticated scans

An authenticated (credentialed) vulnerability scan logs into the target with valid credentials and enumerates installed software, patch levels, and configuration from the inside, revealing weaknesses invisible to an external unauthenticated scan. For ephemeral auto-scaling fleets, baking scanning agents into the base image gives every new instance coverage on launch.

Trap Trusting a thin unauthenticated scan result as complete when a credentialed scan would expose far more internal findings.

3 questions test this
Encryption at rest does not cover the wire; add in-transit encryption

Server-side encryption at rest protects stored data but leaves it exposed as it crosses the network over file or block protocols, so NAS (NFS/SMB) and iSCSI SAN traffic needs TLS or IPsec for confidentiality and integrity in transit. The at-rest encryption should also be transparent to standard protocol clients so operations are unaffected.

Trap Assuming at-rest encryption alone secures NAS or iSCSI data, leaving the protocol traffic open to interception on the network.

3 questions test this

Operational Controls & Standards

Read full chapter
  • ISO/IEC 20000-1 is the certifiable SMS standard; ITIL is the practice guidance
  • Incident management restores service; problem management removes the cause
  • A known error is a problem whose cause is understood but not yet fixed
  • Change management authorizes; release builds; deployment installs
  • One change can yield several releases, and one release can deploy to many targets
  • Normal changes go to the CAB; emergency changes use the ECAB but are still recorded
  • Configuration management keeps the CMDB of CIs and their relationships
  • An inaccurate CMDB silently breaks every process that trusts it
  • Service level management owns the SLA the other delivery processes serve
  • Availability management designs for uptime; incident management restores a down service
  • Capacity management matches resource to demand cost-effectively
  • Service continuity management owns the recover-after-disruption plan
  • Continual service improvement is the measure-and-feed-back loop, not a delivery process
  • Information security management is part of the SMS and overlaps the ISO 27001 ISMS
  • The detection tooling that finds incidents belongs to security operations, not the incident process
  • Map the question's verb to the process that owns the activity
  • SOC 3 is the general-use report you can share without an NDA
  • SOC 1 covers controls relevant to financial reporting; SOC 2 covers security
  • SOC Type I is a point-in-time design opinion; Type II tests operating effectiveness over a period
  • A bridge letter covers the gap after a SOC report period ends
  • RPO is the maximum tolerable data loss, and it sets backup frequency
  • Pick the DR strategy that meets the required RTO and RPO at acceptable cost
  • A tabletop exercise validates the DR plan by discussion, without failing over systems
  • In multi-tenant cloud you rely on the CSP's audit report, not direct infrastructure access

Unlock with Premium — includes all practice exams and the complete study guide.

Digital Forensics

Read full chapter
  • In the cloud you cannot image the physical disk, so acquire virtual artifacts
  • Multi-tenancy stops you from capturing a whole host
  • Cloud compute is ephemeral, so preserve before it auto-terminates
  • Collect by order of volatility: most perishable first
  • Isolate a compromised instance, do not power it off
  • Snapshot the volume as the cloud equivalent of disk imaging
  • NIST SP 800-86 defines the four-phase forensic process
  • ISO/IEC 27037 governs handling, collecting, and preserving evidence
  • Keep 27037 and 27050 straight: handle the evidence vs produce it for court
  • The ISO/IEC forensics family splits by phase: 27037, 27041, 27042, 27043
  • Chain of custody is the unbroken record that makes evidence admissible
  • Hash each artifact at collection and re-verify at every transfer
  • Cloud chain of custody crosses the provider boundary
  • Forensic cooperation must be in the provider contract before an incident
  • Acquire with least disturbance: copy and snapshot, do not mutate
  • Evidence management means restricted, logged storage of every artifact
  • Synchronize clocks before correlating forensic timelines
  • Export provider logs promptly because they age out on a retention clock
  • Forensics begins where detection ends
  • Data location uncertainty complicates cloud forensics and jurisdiction
  • A legal hold overrides retention policies, so suspend automated deletion first
  • Use a legal hold when the preservation duration is unknown
  • WORM / Compliance-mode immutability blocks deletion even by privileged or root users
  • In the eDiscovery lifecycle, preservation follows identification and protects the ESI
  • SaaS gives the customer the least forensic control, complicating chain of custody
  • Suspend a running VM before imaging so before/after hashes can validate

Unlock with Premium — includes all practice exams and the complete study guide.

Communication with Relevant Parties

Read full chapter
  • Build the stakeholder communication map before an incident, not during one
  • CCSP names five categories of relevant party for communication
  • The cloud provider is a communication party because it holds the evidence you must relay
  • GDPR Article 33 requires notifying the supervisory authority within 72 hours of awareness
  • High-risk breaches also require notifying the affected individuals
  • Assign each notification an owner with a RACI so none falls through the gap
  • Drive all external statements from a single authoritative source
  • Pre-establish channels and keep an out-of-band path
  • Match the message to the party's contractual and legal entitlement
  • Routine governance communication runs continuously, not only during incidents
  • Communication operates the rules; it does not write the contract or set the thresholds
  • Make the provider's notification SLA short enough to leave you room
  • Aggregate every CSP's advisory feed into one centralized vulnerability workflow
  • Put security-notification timeframes and channels in the cloud contract
  • Coordinated disclosure means report privately to the vendor and honor the embargo

Unlock with Premium — includes all practice exams and the complete study guide.

Security Operations Management

Read full chapter
  • The SOC is the team; the SIEM is its main tool
  • A SIEM aggregates, then correlates; correlation is what detects
  • SOAR acts on alerts; the SIEM only detects them
  • Gate risky SOAR containment behind approval
  • IDS detects, IPS prevents
  • Signature detection misses novel attacks; behavioral catches the unknown
  • A honeypot turns any interaction into a high-confidence alert
  • In the cloud, feed control-plane API logs to the SIEM
  • Run incidents on the four NIST SP 800-61 phases
  • Preparation is the highest-payoff incident-response phase
  • Contain before you eradicate, eradicate before you recover
  • SP 800-61 eradication is narrower than ITIL problem management
  • Post-incident review feeds lessons back into preparation
  • Continuous monitoring keeps the security picture current
  • Ephemeral cloud resources force continuous monitoring over periodic scans
  • A vulnerability assessment finds weaknesses; a pen test exploits them
  • Vulnerability scanning is scoped by shared responsibility
  • Match each operations activity to its NIST standard
  • Detection belongs to security operations; restoring service is the ITIL process
  • Synchronized, centralized logs are the precondition for correlation
  • CVSS base scores must be enriched with environmental and threat context to prioritize
  • A complete asset inventory is the precondition for patch and vulnerability coverage
  • Drive SIEM log selection by use cases and risk, not by ingesting everything
  • CSPM continuously compares cloud config to a baseline and flags drift
  • CSPM assesses configuration posture; CWPP protects workloads at runtime

Unlock with Premium — includes all practice exams and the complete study guide.