Cloud Infrastructure & Platform Components
The six component layers of a cloud platform
Picture a tenant clicking "launch" in a provider portal. That one action reaches down through six distinct layers, and CCSP asks you to name them because each layer is secured by a different control set and owned by a different party. From the floor up, the layers are the physical environment, network and communications, compute, virtualization, storage, and the management plane. The ISC2 CCSP exam outline[1] lists these exact six under objective 3.1, and the cloud reference model in NIST SP 800-145[2] frames why they exist: resource pooling and rapid elasticity require a stack that abstracts shared hardware into on-demand, multi-tenant services.
The physical environment is the data-center building itself: power, cooling, cabling, and physical access control. The network and communications layer is the fabric that carries tenant traffic between components, increasingly software-defined so that segmentation and routing are configured rather than cabled. Compute is the pooled CPU and memory that actually run workloads. Virtualization is the hypervisor or container runtime that carves that pooled compute into isolated, shareable units so many tenants safely share one physical host. Storage is the pooled persistent and ephemeral data tier. The management plane is the orchestration and administration layer (the portal, the cloud APIs, the hypervisor management consoles, the orchestration tooling) that provisions, configures, moves, and destroys everything in the five layers beneath it.
The practical skill is layer placement. When a stem describes a problem, locate it in exactly one layer first, because that decision drives which control and which owner are correct. A leaked snapshot is a storage-layer concern; a guest reaching the host kernel is a virtualization-layer concern; an exposed admin API key is a management-plane concern. Get the layer wrong and you will reach for the wrong control.
Compute, virtualization, and storage: pooling makes isolation the control
Resource pooling is the defining trait of these three layers, and isolation is the security property that pooling puts at risk. The provider takes physical CPU, memory, and disks and shares them across many unrelated tenants, so the central question at every one of these layers is the same: can one tenant reach another tenant's resources?
Compute and virtualization
Compute is the raw pooled CPU and memory; virtualization is the boundary that makes sharing it safe. A hypervisor is software that runs multiple virtual machines on one physical host and keeps each VM's memory and CPU state separate. Two types matter for the exam: a Type 1 (bare-metal) hypervisor runs directly on the hardware and is what providers use for production multi-tenancy because it has a smaller attack surface, while a Type 2 (hosted) hypervisor runs as an application on top of a host operating system and is typical of desktop or lab use. Containers are the lighter-weight alternative: they share the host kernel and isolate at the process and namespace level rather than virtualizing hardware, which makes them faster to start but gives them a weaker isolation boundary than a VM, because a kernel vulnerability is shared by every container on the host.
The headline threat at this layer is VM escape (also called hypervisor escape): a guest breaks out of its virtual machine and executes on the underlying host or hypervisor, which would let it reach co-resident tenants. The container analogue is container escape to the shared kernel. Both defeat multi-tenant isolation entirely, which is why hardening the hypervisor and patching it promptly is a top control. A related, subtler risk is the side-channel attack, where a malicious workload co-resident on the same physical host infers another tenant's data from timing, cache, or power behavior rather than breaking isolation outright.
Storage
Storage is pooled the same way, so it has the same family of risks expressed in data terms. Data remanence is the storage-layer parallel to a leaked resource: residual data left on physical media after it is released, which a later tenant could recover if the provider reassigns that capacity without sanitizing it. The cloud answer is twofold. Encrypting tenant data at rest means leftover bytes are useless without the key, and cryptographic erase (destroying the encryption key) instantly renders all that data unrecoverable, which scales far better than physically overwriting shared media; both techniques appear in NIST SP 800-88 on media sanitization[3]. The other classic storage failure is exposure rather than remanence: an object store left publicly readable, or a volume created without encryption.
Why the management plane is the apex target
If you remember one thing from objective 3.1, make it this: the management plane is the single most valuable target in a cloud platform, because it controls every other layer at once. The management plane is the orchestration and administration layer (the provider web portal, the cloud control APIs, the hypervisor and orchestration consoles) used to provision, configure, snapshot, relocate, and destroy resources. An attacker who never touches a guest operating system, never exploits a hypervisor, and never breaks storage isolation can still copy every snapshot, recreate every key, and delete every workload if they hold a privileged management-plane credential. That breadth is exactly why CCSP elevates it above the technically harder attacks on the layers below.
The practical consequence is that management-plane access deserves controls disproportionate to any single workload. The core set is consistent across providers and frameworks: enforce multi-factor authentication on every administrative identity so a stolen password alone is not enough; apply least privilege and role separation so no one account can both configure and audit; route all administrative sessions through a hardened bastion host (jump host) rather than exposing consoles directly to the internet; and log every privileged action to an append-only store for detection and forensics. These map directly to the access-control and audit families in NIST SP 800-53[4], specifically the AC (access control) and AU (audit and accountability) families.
The reason the management plane concentrates risk is the cloud's own design. A traditional data center forces an attacker to be physically present or pivot host by host; the cloud collapses that into an API call. The same elasticity that lets a tenant create a thousand servers in a minute lets a compromised admin destroy them just as fast, so the blast radius of a management-plane breach is the entire estate, not one machine.
Exam-pattern recognition for component layers
Domain 3.1 items are almost always a layer-identification or an ownership question wearing a scenario. Train two reflexes and most of them resolve quickly.
Reflex one: name the layer, then the control
The stem describes a symptom; you locate the layer; the layer dictates the control. "A departing tenant's deleted volume is reassigned and the new tenant recovers old files" is storage / data remanence, so the answer is encryption with cryptographic erase, not a network firewall. "A guest VM executes code on the hypervisor host" is virtualization / VM escape, so the answer is hypervisor hardening and patching, not data classification. "An attacker uses leaked API keys to snapshot and exfiltrate every database" is management plane, so the answer is MFA, least privilege, and privileged-action logging, not host antivirus. When two options both sound plausible, the one that matches the layer the symptom lives in is correct; the distractor usually borrows a real control from the wrong layer.
Reflex two: map the component to its owner by service model
The shared-responsibility line moves with the service model, and the exam tests whether you know where it sits. Under IaaS the provider owns the physical, network, and virtualization host layers while the customer owns the guest OS, its patching, and everything above. Under PaaS the provider additionally owns the operating system and runtime, leaving the customer the application and its data. Under SaaS the provider owns everything down to the application, and the customer owns only their data, their access configuration, and their identities. So "who patches the guest OS" is the customer under IaaS but the provider under PaaS and SaaS; "who secures the hypervisor" is always the provider in public cloud. A question that names a component and a service model is asking you to find the intersection.
Distractor patterns to expect
Watch for an answer that is a genuine control but aimed at the wrong layer (a firewall offered for a data-remanence problem), an answer that assigns provider-owned infrastructure to the customer ("the customer should harden the hypervisor" in public cloud, which the customer cannot even reach), and an answer that treats containers and VMs as equally strong isolation when the question hinges on the container's shared-kernel weakness.
The six cloud component layers: what each is and its signature concern
| Component layer | What it is | Vendor examples | Signature security concern |
|---|---|---|---|
| Physical environment | The data-center building, power, cooling, and physical access controls beneath everything else | Provider regions, availability zones, and on-site security | Physical breach, environmental failure, and disposal of failed media |
| Network and communications | The fabric that connects components and carries tenant traffic, including software-defined networking | VPC / VNet / VPC networks, load balancers, software-defined networking | East-west lateral movement, traffic interception, and missing segmentation |
| Compute | The pooled CPU and memory that run workloads, allocated on demand | Physical hosts behind EC2 / Azure VMs / Compute Engine | Resource exhaustion, side-channel leakage between co-resident workloads |
| Virtualization | The hypervisor or container runtime that divides compute into isolated, shareable units for multiple tenants | Hypervisors (Type 1/Type 2), container runtimes, serverless platforms | VM escape, container escape, and hypervisor compromise breaking tenant isolation |
| Storage | The pooled persistent and ephemeral data tier shared across tenants | Block, object, and file storage offered by the provider | Data remanence, unencrypted volumes, and exposed object stores |
| Management plane | The orchestration and administration layer that provisions and operates every other layer | Provider portal, cloud APIs, hypervisor management consoles, orchestration tooling | Privileged-credential compromise that controls all other layers at once |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- A cloud platform has six component layers; name the layer before the control
CCSP objective 3.1 breaks every cloud platform into six layers: physical environment, network and communications, compute, virtualization, storage, and the management plane. Each layer has its own threats and controls, so the first move on a Domain 3 stem is to place the symptom in exactly one layer, because that decides which control and which owner are correct. Misplacing the layer is what leads to picking a real but wrong-layer control.
- The management plane is the highest-value target because it controls every other layer
The management plane is the orchestration and administration layer (provider portal, cloud APIs, hypervisor and orchestration consoles) that provisions, configures, snapshots, moves, and destroys all other resources. A single privileged credential here lets an attacker copy every snapshot or delete the whole estate without ever touching a guest OS or breaking a hypervisor, so its blast radius is the entire environment. That breadth is why CCSP elevates it above the technically harder attacks on lower layers.
Trap Assuming the hardest attack (VM escape, hypervisor compromise) is the biggest risk; the management plane is more dangerous because it reaches every layer at once through ordinary API calls.
4 questions test this
- An organization is migrating to a public cloud environment and the security team is concerned about the risks associated with the cloud…
- An organization's security team is conducting a risk assessment of their cloud environment. They discover that attackers could potentially…
- An organization is migrating to a public cloud platform and the security team is assessing risks associated with the management plane.…
- A security analyst discovers that an attacker successfully compromised the cloud management plane by stealing OAuth access tokens from an…
- Protect the management plane with MFA, least privilege, a bastion host, and full logging
Because management-plane access reaches the whole estate, it gets controls out of proportion to any single workload: enforce multi-factor authentication on every admin identity, separate roles so no account can both configure and audit, route administrative sessions through a hardened bastion (jump) host instead of exposing consoles to the internet, and log every privileged action to an append-only store. These map to the access-control (AC) and audit (AU) families of NIST SP 800-53.
- Virtualization is the boundary that makes multi-tenancy safe
Compute, virtualization, and storage are pooled and shared across unrelated tenants, so the core security question at these layers is whether one tenant can reach another's resources. Virtualization (a hypervisor isolating virtual machines, or a runtime isolating containers) is the boundary that keeps co-resident tenants apart, so isolation is the central control. When a stem raises one tenant reaching another's compute, the fix lives at the virtualization layer, not at a network firewall.
4 questions test this
- A healthcare organization hosts patient record systems in a multi-tenant IaaS cloud environment. During a risk assessment, the security…
- A cloud service provider is analyzing security risks associated with their virtualization infrastructure. An attacker has gained access to…
- A cloud security analyst is assessing risks in a multi-tenant IaaS environment. The analyst is concerned about an attack where malicious…
- A cloud security professional is analyzing threats to a virtualized infrastructure. Which attack type poses the GREATEST risk to…
- VM escape breaks tenant isolation, so harden and patch the hypervisor
A VM escape (hypervisor escape) is a guest breaking out of its virtual machine to run on the underlying host or hypervisor, which would let it reach co-resident tenants and defeat multi-tenant isolation entirely. The container analogue is a container escape to the shared kernel. The defense is hypervisor hardening and prompt patching, which is why the provider, not the customer, owns hypervisor security in public cloud.
Trap Reaching for a network firewall or security group to contain a VM escape; the breach is at the virtualization layer, so the answer is hypervisor hardening and patching, not network filtering.
11 questions test this
- A healthcare organization hosts patient record systems in a multi-tenant IaaS cloud environment. During a risk assessment, the security…
- A cloud service provider is analyzing security risks associated with their virtualization infrastructure. An attacker has gained access to…
- A cloud security analyst is assessing risks in a multi-tenant IaaS environment. The analyst is concerned about an attack where malicious…
- A cloud security professional is analyzing threats to a virtualized infrastructure. Which attack type poses the GREATEST risk to…
- A security analyst discovers that attackers have exploited a vulnerability in the hypervisor to gain access from one virtual machine to the…
- A security analyst discovers that an attacker has compromised a guest virtual machine and is attempting to break out of the VM to access…
- A cloud security team is assessing risks to their hypervisor infrastructure. They are concerned about attacks where malicious code within a…
- A security analyst discovers that ransomware groups are increasingly targeting VMware ESXi hypervisors in multi-tenant environments.…
- A security analyst discovers that an attacker has exploited a vulnerability in a guest operating system to gain access to the hypervisor…
- A security analyst discovers that an attacker exploited a vulnerability in the hypervisor's device driver emulation to execute malicious…
- A security analyst discovers that an attacker has exploited a vulnerability in the virtualization layer to access memory belonging to other…
- Type 1 hypervisors run on bare metal; Type 2 run on a host OS
A Type 1 (bare-metal) hypervisor runs directly on the hardware and is what cloud providers use for production multi-tenancy because it has a smaller attack surface. A Type 2 (hosted) hypervisor runs as an application on top of a host operating system and is typical of desktop or lab use, where the host OS adds attack surface beneath the guests.
Trap Assuming providers run production tenants on Type 2 hypervisors; bare-metal Type 1 is preferred for multi-tenancy because there is no host OS layer to compromise.
3 questions test this
- A cloud architect is evaluating hypervisor options for a new private cloud deployment that will host mission-critical workloads. Which…
- An organization is deploying workloads in a public cloud and the security team is evaluating hypervisor security. Which characteristic…
- An organization is evaluating hypervisor types for their cloud data center where security and performance are critical requirements. Which…
Containers isolate at the process and namespace level and share the host kernel, which makes them faster to start than virtual machines but gives them a weaker isolation boundary, because a single kernel vulnerability is exposed to every container on that host. A VM carries its own guest OS and is isolated by the hypervisor, so it survives a kernel flaw that would compromise neighboring containers.
Trap Treating a container and a VM as equally strong isolation; the container's shared kernel is a single shared fault domain that a VM's hypervisor boundary does not have.
8 questions test this
- A security architect is designing a container deployment strategy that requires VM-level isolation for untrusted workloads while…
- A security architect is concerned about isolation in a containerized environment. Which mechanism is PRIMARILY responsible for providing…
- During a cloud security assessment, an analyst discovers that development teams are running containerized workloads from multiple trust…
- A security analyst discovers that a container orchestration platform has placed a public-facing web server container on the same node as a…
- An organization needs to run containerized workloads that require stronger isolation than traditional process-based container isolation.…
- An organization is deploying containers in a shared multi-tenant cloud environment. The security team is concerned about potential…
- An organization is evaluating compute abstraction options for a multi-tenant cloud environment hosting workloads with varying trust levels.…
- A security architect is analyzing container technology risks for a cloud deployment. Which Linux kernel feature is primarily responsible…
- Side-channel attacks infer data without breaking isolation
A side-channel attack lets a workload co-resident on the same physical host infer another tenant's data from timing, cache, or power behavior rather than breaking the isolation boundary outright. It is a compute-layer multi-tenancy risk distinct from VM escape, because no boundary is actually crossed; the leakage rides shared hardware. Mitigations include dedicated hosts and provider-side microarchitectural patching.
3 questions test this
- A cloud service provider discovers that a malicious tenant was able to read sensitive data from another tenant's virtual machine memory on…
- A financial services company is evaluating HSM options for their cloud deployment. They require FIPS 140-3 Level 3 validation and want…
- An organization is migrating highly sensitive workloads to a cloud environment. The NSA's cloud security guidance recommends specific…
- Data remanence is the storage-layer leak; defeat it with encryption and cryptographic erase
Data remanence is residual data left on physical media after it is released, which a later tenant could recover if the provider reassigns that capacity without sanitizing it. Encrypting tenant data at rest makes leftover bytes useless without the key, and cryptographic erase (destroying the encryption key) renders all that data instantly unrecoverable, which scales far better than physically overwriting shared media. Both techniques are covered in NIST SP 800-88 on media sanitization.
Trap Insisting on physically overwriting media to handle remanence on shared cloud storage; you cannot reach the physical disks, so cryptographic erase by destroying the key is the cloud-appropriate control.
7 questions test this
- An organization is terminating its contract with a cloud service provider and needs to ensure its data cannot be recovered from shared…
- An organization discovers that sensitive data may still be recoverable from cloud storage volumes that were deleted three months ago due to…
- During a security assessment of a multi-tenant cloud environment, an auditor discovers that tenant data is only logically isolated on…
- An organization needs to securely destroy data stored across multiple cloud regions when a customer terminates their service agreement. The…
- A cloud service provider is decommissioning storage infrastructure that contained multiple tenants' data. According to NIST SP 800-88…
- A security analyst is conducting a risk assessment for cloud storage in a multi-tenant environment. Which storage-related risk is MOST…
- An organization is terminating cloud services with a CSP that uses shared storage infrastructure. The security team needs to ensure…
- Storage failures are usually exposure or missing encryption, not just remanence
Beyond remanence, the classic storage-layer failures are exposure and weak encryption: an object store left publicly readable, or a volume created without encryption at rest. These are configuration faults the customer typically owns, so the storage-layer answer to an exposed bucket is access policy plus encryption, not a control borrowed from another layer.
- The network layer is increasingly software-defined, so segmentation is configured not cabled
The network and communications layer carries tenant traffic between components and is increasingly software-defined, meaning segmentation, routing, and isolation are configured in software rather than wired into hardware. Its signature risks are east-west lateral movement, traffic interception, and missing segmentation, so the controls are network segmentation and traffic inspection. Because segmentation is a setting, a missing boundary is a misconfiguration, not a cabling gap.
- Compute is pooled CPU and memory allocated on demand
The compute layer is the provider's pooled CPU and memory that actually run workloads, allocated elastically on demand. Its multi-tenancy risks are resource exhaustion (one tenant's load starving others, which providers limit through quotas and scheduling) and side-channel leakage between workloads sharing a physical host. Compute is owned by the provider in every public-cloud service model.
- The physical layer is the data-center facility itself
The physical environment is the data-center building, power, cooling, cabling, and physical access control beneath every other layer. Its concerns are physical breach, environmental failure, and safe disposal of failed media, and in public cloud the provider owns it entirely; the customer relies on attestation reports rather than inspecting the facility. Detailed facility design (site selection, HVAC, tiering) is the separate secure-data-center-design subtopic.
Moving to the cloud transfers the lower layers to the provider in a predictable order. Under IaaS the provider owns physical, network, and the virtualization host while the customer owns the guest OS and up. Under PaaS the provider also owns the OS and runtime, leaving the customer the application and data. Under SaaS the provider owns everything down to the application, leaving the customer only their data, access configuration, and identities. A stem naming a component plus a service model is asking for that intersection.
- The customer never secures the hypervisor in public cloud
Across all public-cloud service models the provider owns the virtualization layer, so the customer cannot reach or harden the hypervisor; that responsibility is always the provider's. Guest-OS patching, by contrast, is the customer's job under IaaS but the provider's under PaaS and SaaS, where the provider owns the operating system. Any answer telling a public-cloud customer to harden the hypervisor is assigning provider-owned infrastructure to a party that cannot even access it.
Trap Assigning hypervisor hardening to the customer in public cloud; the customer has no access to the virtualization layer, so that is always the provider's responsibility.
- Match the symptom to its layer, then take that layer's control
Domain 3.1 items usually describe a symptom and expect you to route it: residual files recovered by a new tenant means storage and data remanence, so encrypt with cryptographic erase; a guest running on the hypervisor host means virtualization, so harden and patch; leaked API keys snapshotting databases means the management plane, so MFA, least privilege, and logging. When two options both sound plausible, the one matching the layer the symptom lives in is correct; the distractor borrows a real control from the wrong layer.
Trap Picking a genuine control aimed at the wrong layer, such as a network firewall offered as the fix for a data-remanence problem; correct control follows the layer the symptom actually sits in.
- Bare metal gives dedicated hardware with no hypervisor and the strongest isolation
Bare metal (dedicated-host) compute hands the customer a whole physical server with direct CPU and memory access and no virtualization layer, so there is no hypervisor to escape and no noisy neighbor. Choose it when a workload needs maximum tenant isolation, full OS control, hardware-level performance features, or licensing that forbids shared hosts.
Trap Reaching for a dedicated VM or single-tenant hypervisor when the requirement is no hypervisor at all; that still runs a virtualization layer.
5 questions test this
- A financial services company requires maximum isolation for processing sensitive cryptographic operations in the cloud. They need dedicated…
- An organization processes highly sensitive data and requires the strongest possible isolation from other cloud tenants. Which compute…
- A cloud service provider is designing infrastructure for a customer with highly sensitive workloads that require strict regulatory…
- An organization requires compute resources that provide direct hardware access with no virtualization layer due to strict performance…
- An organization is migrating highly sensitive workloads to a cloud environment. The NSA's cloud security guidance recommends specific…
- The noisy neighbor problem is one tenant's load degrading another's on shared hardware
In pooled multi-tenant infrastructure, one tenant consuming a disproportionate share of CPU, storage I/O, or network can degrade performance for other tenants on the same physical host. This is a performance and operational risk of resource sharing, not a breach of isolation; bare metal or dedicated capacity eliminates it.
- Micro-segmentation enforces policy per workload, not per subnet, to stop east-west lateral movement
Micro-segmentation places a virtual firewall at each workload's network interface (often via the SDN/NSG layer) so traffic is controlled host-by-host rather than at the subnet perimeter. Its purpose is to limit east-west (workload-to-workload) lateral movement inside a zone, a gap traditional perimeter segmentation leaves open. Zero Trust micro-segmentation keys rules to workload identity so only explicitly required flows are allowed.
Trap Treating subnet- or VLAN-level segmentation as equivalent; those control north-south perimeter traffic and still allow free lateral movement within a segment.
6 questions test this
- Your organization is deploying a multi-tier application in a cloud environment and needs to control traffic between the web tier,…
- An organization wants to implement security controls that can restrict lateral movement at the individual workload level rather than at the…
- An organization is implementing microsegmentation as part of their Zero Trust strategy for their cloud environment. The security team needs…
- A cloud security architect is implementing network security controls to prevent lateral movement of threats within the data center.…
- A cloud security architect is designing virtual network segmentation for a multi-tier application. The architecture includes web,…
- An organization is deploying multiple application workloads in a cloud environment. The security architect is concerned that if a single…
- East-west traffic flows between workloads inside the network; north-south crosses the perimeter
East-west traffic is internal flow between components such as web, app, and database tiers or microservices within the same virtual network. North-south traffic enters or leaves the network through the perimeter. Perimeter firewalls inspect north-south; micro-segmentation and distributed virtual firewalls are needed to inspect east-west.
8 questions test this
- A security architect is implementing network segmentation in a cloud environment and needs to control communication between different…
- A cloud security architect is designing network security controls for a cloud-native application. The security team requires inspection of…
- Your organization is deploying a multi-tier application in a cloud environment and needs to control traffic between the web tier,…
- A cloud architect is designing network segmentation for a three-tier application consisting of web, application, and database tiers in a…
- A cloud security architect is implementing network security controls to prevent lateral movement of threats within the data center.…
- A security operations team is implementing traffic inspection controls in their cloud data center. They need to monitor and secure traffic…
- A cloud security architect is designing virtual network segmentation for a multi-tier application. The architecture includes web,…
- An organization is deploying multiple application workloads in a cloud environment. The security architect is concerned that if a single…
- Tag- or identity-based segmentation lets policies follow workloads as they move or scale
Tag-based (identity-based) segmentation attaches security policy to a workload's labels or identity rather than its IP address, so rules automatically follow a VM as it migrates, scales, or changes IP. This avoids the continuous policy resynchronization that IP- and VLAN-based rules require whenever workload network locations change.
4 questions test this
- A security team is transitioning from traditional IP-based firewall rules to tag-based segmentation in their cloud virtual network…
- A cloud security architect is implementing network security groups (NSGs) to protect virtual machines in a multi-tier application. The…
- An organization is implementing microsegmentation as part of their Zero Trust strategy for their cloud environment. The security team needs…
- When designing network segmentation for a cloud data center, a security architect must decide between segment-based microsegmentation using…
- Network security groups should be deny-by-default with explicit allow rules only
Network security groups (NSGs) provide stateful 5-tuple filtering (source/destination IP, source/destination port, protocol) at the virtual-switch level. Configure them deny-by-default and add explicit allow rules only for required flows; by default, subnets within one virtual network can talk freely, so isolation must be configured, not assumed.
Trap Assuming subnets in the same VNet are isolated by default; intra-VNet communication is permitted until an NSG denies it.
7 questions test this
- A security team is conducting a risk assessment for a multi-tier application deployed in an IaaS cloud environment. The application uses…
- A cloud security team is implementing network segmentation using virtual networks and network security groups. They want to ensure proper…
- A cloud architect is designing network segmentation for a three-tier application consisting of web, application, and database tiers in a…
- A security team is configuring virtual firewall rules for their cloud deployment. Following the principle of least privilege, which…
- A cloud security architect is implementing network security groups (NSGs) to protect virtual machine workloads. Which capability do NSGs…
- A security team is configuring Network Security Groups (NSGs) in their cloud virtual network to implement workload-level…
- A security team is implementing network security groups (NSGs) in their cloud environment to segment virtual networks. They notice that by…
- VLANs cap at ~4,094 segments (12-bit ID); VXLAN's 24-bit VNI scales to ~16 million
The 802.1Q VLAN ID is 12 bits, limiting a network to about 4,094 usable VLANs, which is too few for large multi-tenant clouds. VXLAN overlay networking uses a 24-bit segment ID (VNI) supporting roughly 16 million logical segments and decouples the logical network from the physical fabric by encapsulating Layer 2 frames in UDP.
6 questions test this
- A cloud security architect is designing a data center network and wants to implement network segmentation using VLANs to separate tenant…
- A cloud security architect is designing network segmentation for a multi-tenant IaaS environment. The organization needs to support more…
- A cloud architect is designing tenant isolation for a cloud data center. The design requires network segmentation that can support over 16…
- An organization is migrating to a multi-tenant cloud environment and discovers that traditional VLAN-based segmentation cannot scale to…
- An organization is deploying a multi-tenant cloud environment and needs to create network segments for tenant isolation. The security…
- A security team is evaluating network segmentation technologies for a cloud data center that requires supporting more than 4,000 isolated…
- SDN centralizes control in the controller, which becomes the single point of compromise
Software-defined networking separates the control plane from the data plane and centralizes decision-making in the SDN controller. That centralization simplifies and standardizes policy but makes the controller a single point of failure and the highest-value target: compromising it lets an attacker rewrite flow rules across the whole network. Controller-to-switch traffic is also exposed to man-in-the-middle flow-rule tampering if unencrypted.
Trap Picking a data-plane switch as the critical asset; the control-plane controller is the component that must be hardened first.
6 questions test this
- An organization is evaluating the implementation of Software-Defined Networking (SDN) in their cloud environment. The security architect…
- A cloud security professional is assessing risks associated with Software-Defined Networking in their organization's infrastructure. The…
- An organization is deploying Software-Defined Networking (SDN) in their cloud environment. The security team is concerned about the…
- A cloud security architect is assessing the risks associated with implementing Software-Defined Networking (SDN) in the organization's…
- An organization is evaluating the security implications of implementing Software-Defined Networking (SDN) in their cloud environment. Their…
- An organization's security team has identified that the SDN controller represents a critical point of compromise in their cloud…
- Manage the SDN controller only from PAWs on a segmented out-of-band network
NSA guidance is to physically segment SDN controller management interfaces from the data interfaces and administer the controller exclusively from privileged access workstations (PAWs) connected to a dedicated out-of-band management (OOBM) network. This isolates administrative access so it cannot be reached through the production data path.
3 questions test this
- According to NSA guidance for managing SDN controller risks, what is the recommended approach for securing administrative access to SDN…
- A cloud administrator is configuring SDN controller management access for their enterprise environment. Following NSA recommendations,…
- An organization's security team has identified that the SDN controller represents a critical point of compromise in their cloud…
- Object, block, and file storage differ by access model: object = metadata + ID + API
Object storage holds data as objects, each with the payload, a unique identifier, and rich customizable metadata, accessed over HTTP/HTTPS REST APIs in a flat namespace; it suits unstructured data at petabyte scale. Block storage exposes raw fixed-size blocks for low-latency, high-IOPS workloads like databases and VM volumes. File storage offers a hierarchical NFS/SMB share for concurrent multi-user access with file-level permissions.
Trap Choosing object storage for a database needing high IOPS, or block storage for shared concurrent file access; match the access pattern to the type.
8 questions test this
- An organization is deploying a cloud-based application that requires shared file access for multiple users across different geographic…
- An organization needs to select cloud storage for a database application requiring high IOPS and low latency. The data must persist even if…
- An organization is deploying a cloud-based application that requires database storage with high IOPS and low latency. The database performs…
- An organization is migrating a large repository of unstructured data including images, videos, and backup archives to the cloud. The…
- Which characteristic MOST accurately distinguishes object storage from block and file storage in a cloud environment?
- A cloud security architect is designing storage for a mission-critical database application that requires low-latency access, high IOPS,…
- Multiple distributed teams need to concurrently access and modify shared project documents and application configuration files stored in…
- An organization stores large volumes of unstructured data including images, videos, and backup archives in the cloud. They require 11 nines…
- Persistent block volumes survive VM stop or failure; ephemeral storage is lost on stop
Persistent block storage is network-attached and lives independently of the instance, so data survives a VM stop, restart, termination, or host failure and the volume can be reattached. Ephemeral (instance/local SSD) storage is physically tied to the host and is wiped permanently when the VM stops, terminates, or the host fails; use it only for caches and scratch data.
5 questions test this
- An organization needs to select cloud storage for a database application requiring high IOPS and low latency. The data must persist even if…
- A cloud architect is designing a solution for a stateful database application requiring high-performance I/O and data that must persist…
- A cloud security professional is evaluating ephemeral storage volumes used by virtual machine instances for temporary data processing.…
- A cloud security team is implementing storage for a containerized application that processes temporary analytical data. The data does not…
- A cloud security architect is designing storage for a mission-critical database application that requires low-latency access, high IOPS,…
- Object storage reaches 11 nines durability via erasure coding across multiple AZs
Cloud object storage achieves extreme durability (e.g. 99.999999999%, '11 nines') by erasure-coding objects into data and parity fragments spread across many devices in multiple availability zones, plus redundant metadata and regular checksum validation. Durability protects against hardware failure and corruption only.
Trap Assuming high durability also protects against malicious or accidental deletion; a compromised account's delete is a valid operation, so versioning, MFA-delete, and immutable backups are still required.
5 questions test this
- A security analyst is assessing threats to the organization's cloud object storage containing sensitive customer data. According to current…
- A cloud service provider advertises that their object storage service is designed for 99.999999999% (11 nines) annual durability. Which…
- An organization is migrating a large repository of unstructured data including images, videos, and backup archives to the cloud. The…
- A cloud service provider advertises their object storage service with 99.999999999% (11 nines) annual durability. What is the PRIMARY…
- An organization stores large volumes of unstructured data including images, videos, and backup archives in the cloud. They require 11 nines…
- For VM-grade container isolation, run each container in a lightweight micro-VM (e.g. Kata)
Standard containers share the host kernel, a weaker boundary than a VM. When untrusted workloads need hardware-level isolation while keeping container tooling, use sandboxed runtimes like Kata Containers or Hyper-V isolation that run each container inside a stripped-down, OCI-compliant lightweight VM with its own guest kernel.
- KMS key rotation makes a new version for new encryption but keeps old versions for decryption
Automatic key rotation creates a new key version used for all new encryption, while the KMS retains previous versions to decrypt data already written under them. Existing ciphertext is not re-encrypted automatically, so rotation is transparent and requires no application change or bulk re-encryption.
Trap Assuming rotation re-encrypts existing data with the new key; old data stays under its original version until rewritten.
Also tested in
References
- CCSP Certification Exam Outline — Domain 3 (Cloud Platform & Infrastructure Security)
- NIST SP 800-145 — The NIST Definition of Cloud Computing Whitepaper
- NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization Whitepaper
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations Whitepaper