-:CCSK Module 1 to 6 With All Units Answers by Atul Gupta:-
-:MODULE - 1 // UNIT 2 – 6:-
1. Which technology is generally required to build resource pools?
2. What is the key difference between traditional virtualization and cloud?
3. Which of the following is *not* a key potential benefit of cloud computing:
4. What business benefit(s) was Amazon attempting to realize when they created their internal cloud computing program? Select all that apply.
5. Resource pools permanently assign resources to a user.
6. Cloud computing supports scaling up of required resources, but not scaling down.
7. Which of the following appear in both the NIST and ISO/IEC cloud computing definitions? Select all that apply.
8. Click and drag the correct NIST model element to the appropriate category below.
9. Services scaling out and scaling in quickly are an example of which essential characteristic of cloud?
10. Click and drag the Essential Characteristics to the box below.
11. Which of the following is not an emergent property of resource pooling?
12. Which service model would a cloud database be considered?
13. Software as a Service is always built on top of Platform as a Service, which is always built on Infrastructure as a Service.
14. Which of the following is most likely to be considered IaaS:
15. In IaaS, individual virtual machines use which kind of storage?
16. Platform as a Service abstracts application platforms and platform components from underlying resources, and can be built on top of IaaS.
17. Which of the following is not required to be considered SaaS?
18. Drag the labels to indicate which of the SaaS components are built on IaaS.
19. If an organization uses a Community Cloud Deployment Model, some portion of the physical infrastructure MUST be on-premises with one of the community members.
20. If an organization employs the technique of cloud bursting, which cloud deployment model are they utilizing?
21. Which element of the logical model describes the cloud management plane?
22. Click and drag the Accessible and Consumed By items on the left to complete the column.
23. In which service model does the cloud consumer have the least amount of control over security?
24. In which cloud service model is the cloud consumer responsible for ensuring that the hypervisor is not vulnerable to attack?
25. When should you define the security controls when building a cloud deployment?
26. Click and drag the items to the correct category.
-:CCSK Module 2 // Unit 2-7:-
1. Cloud infrastructure security does not include the virtualization components:
2. Which of the following resource pools is not associated with IaaS:
3. Click on the components that the cloud consumer is primarily responsible for securing.
4. Which of the following are typically in the underlying infrastructure of a cloud? (click all that apply)
5. Why is hardening infrastructure components so important?
6. Which of the following physical networks is used for Internet to instance traffic?
7. Why should cloud providers use multiple underlying physical networks? (select all that apply)
8. Which virtual network technology is best suited for cloud?
9. Virtual networks:
10. Which is a defining characteristic of Software Defined Networks?
11. Which SDN security capability often replaces the need for a physical or virtual appliance?
12. The most effective way for an attacker to compromise a security group is to compromise the host/virtual machine and then modify the rules.
13. Which of the following is the most effective security barrier to contain blast radius?
14. How does a virtual network affect network visibility?
15. Place the following network security tools in the preferred order in most cloud deployments, from 1 (most preferred) to 4.
16. What is the purpose of a bastion network/transit VPC?
17. Which of the following is primarily a responsibility of the cloud provider?
18. Of the following, which is the most important use case for the Software Defined Perimeter?
19. Which of the following are cloud workloads? Select all that apply:
20. Click on the pipeline component that executes security tests and builds images:
21. Which of the following *most* impacts traditional workload security controls when applied to cloud deployments?
22. How can immutable workloads improve security?
23. Select the cloud workload security option that can most improve overall security and reduce attack surface:
24. Which of the following is primarily a cloud consumer workload security responsibility?
25. Why is management plane security so critical?
26. Select the best option for authenticating to a cloud API.
27. Click and drag the management plane security steps to the correct order.
28. Multi-factor authentication is the single most important management plane security control.
29. Identify one drawback to managing users in the management plane:
30. What is the role of a service administrator?
31. Select the best option for management plane monitoring, when it is available:
32. What is the single most important rule for cloud BC/DR?
33. Which is not a key aspect of cloud BC/DR?
34. Click on the logical model layer that is most difficult to enable for DR across cloud providers.
35. Select a technique to manage continuity within the cloud provider.
-:CCSK Module 3 // Unit 2-7:-
1. Select the governance tool that is most affected by the transition to cloud computing:
2. In terms of cloud computing and security... what is the primary governance role of a contract?
3. Does the shared responsibilities model define the contract, or does the contract define the shared responsibilities model?
4. Select the layer where you evaluate your providers in the diagram:
*Click on SUPPLIER ASSESSMENT
5. What is the responsibility of information risk management?
6. Your risk assessment effort should be equal for all information assets.
7. In which service model does the cloud consumer have to rely most on what is in the contract and documented to enforce and manage security?
8. Under which conditions is managing risk similar for public and private cloud?
9. Which do you need to rely more on to manage risks when using public cloud computing?
10. What is critical when evaluating a cloud service within your risk management program?
11. How can you manage risk if you can't negotiate a contract with the cloud provider?
12. Audits are only used to meet government regulatory requirements.
13. Cloud changes compliance. Select the statement that is incorrect:
14. Which is *not* a source of compliance obligations?
15. Compliance inheritance means that an application built on top of a cloud provider's service that is compliant with a regulation/standard is always guaranteed to be compliant.
16. The Cloud Security Alliance Security Guidance provides:
17. The Australian Privacy Act of 1988 can apply to Australian customers, even if the cloud service provider is based elsewhere:
18. What is the purpose of a data localization law?
19. Which of the following is correct?
20. The Federal Government in the United States does not directly address issues of data privacy, but instead leaves it up to the states to create laws that address privacy concerns:
21. If a business is located outside the European Union, it does not have to comply with the privacy laws of the European Union.
22. In the United States, only entities that collect or process financial data or health data must comply with privacy or security laws.
23. Which of the following is a standard?
24. When selecting a cloud provider, if a provider won't negotiate a contract:
25. Cloud consumers are ultimately responsible for understanding the legal implications of using a particular cloud provider and service.
26. A contract with a cloud service provider can fulfill all of the following except one:
27. If you own the data, it is still possible for your CSP to own the metadata:
28. Why do cloud providers typically limit their customers' ability to directly assess and inspect their facilities and services?
29. Audit scopes for any given standard, like an SSAE16, are always consistent.
30. Select all the following sources that are considered artifacts of Compliance:
31. Which CSA tool maps cloud security control specifications to architectural relevance?
32. You are a cloud provider and struggling to respond to a large amount of highly variable customer RFP requests for security controls documentation. Which CSA document could you instead complete and send to customers:
33. Where can cloud providers publish their CAIQ and other security/compliance documents to help cloud prospects and customers assess the provider's current security posture?
34. Which CSA tool allows you to quickly search a provider's assessment for controls that map to regulations you care about and see the responses to those controls?
35. The CSA Cloud Controls Matrix v3.0.1 maps control specifications to FedRAMP High Impact Level.
36. The CSA Cloud Controls Matrix v3.0.1 contains how many control specifications?
-:CCSK Module 4 // Unit 2-8:-
1. All cloud data is eventually stored on a physical device, like a hard drive.
2. Which of the following cloud data storage types can be described as "a database for files":
3. Why do we use data dispersion in cloud computing?
4. Which security tool can help detect sensitive data migrating to the cloud?
5. Which of the available CASB modes is most cloud-native but often not supported by smaller, especially SaaS, providers:
6. Which is the preferred model of protecting data migrating to the cloud:
7. How does cloud complicate access controls as compared to traditional data storage?
8. In a Cloud Computing Environment, what is always your most significant security control?
9. In the entitlement matrix below, click the boxes to allow the service administrator to describe and modify volumes but not access logs or object storage:
10. In the entitlement matrix below, select which entitlement allows users to view metadata:
11. Click on the layer in the stack where encryption is best for protecting discrete data throughout the layers, but may be more complex and is less effective for bulk data.
12. Select the 3 components of an encryption system.
13. In "externally managed" encryption, which is the key component that should be kept externally to improve security:
14. Instance managed encryption is:
15. Which of the following options encrypts data before you transfer it to object storage:
16. Select all *potential* options for encrypting data in PaaS, if they are supported by the platform:
17. Click on the location that would provide the most secure place to keep encryption keys:
18. When using provider managed encryption you are always sharing the same keys with other tenants.
19. Proxy-encryption requires you to break any existing secure connection to your cloud provider:
20. Which is the most inherently secure key management option, but it may not be viable or even needed depending on your project requirements and platform/provider support:
21. To be considered Bring Your Own Key (BYOK) the provider must not be able to ever see or manage your keys:
22. Which key management option should you select if you are dealing with highly sensitive data that you don't want your provider to potentially access under any circumstances:
23. Which option allows you to use an existing build for key management without replicating everything in the cloud?
24. In the diagram below, what area shows the greatest reduction in attack surface?
25. For cloud, where is DLP often best integrated?
26. What is the primary goal of data masking?
27. Logs of some events in a cloud environment may not be available to you depending on your choice of cloud provider.
28. How should the data security lifecycle be used?
29. Place the lifecycle phases in order:
30. Why do we map locations and access?
31. What is the primary objective of mapping functions, actors, and locations?
32. What do we use to reduce what is possible to what should be allowed within the context of the lifecycle?
-:CCSK Module 5 // Unit 2-8:-
1. When moving to cloud, what now becomes within the scope of application security, unlike with traditional infrastructure?
2. Click and drag the phases of the lifecycle to the correct order.
3. STRIDE is a common threat modeling framework. Which of the four categories does a cloud provider typically take more responsibility to manage:
4. What is one example of a control that can reduce the potential of spoofing:
5. Specific testing techniques are tightly aligned and should only be performed during their designated phase in the secure software development process:
6. Which kind of test should be added to static analysis for cloud deployments?
7. Which kind of testing will most likely require permission from your cloud provider before performing?
8. Which vulnerability analysis option will always comply with the terms of service of the cloud provider, but may require paying close attention to network architecture:
9. While there are many definitions of DevOps, one technology/process is typically considered to be central to any DevOps program. Which technology is that?
10. Click and drag the version control repository and the continuous integration server to the correct location.
11. Identify the core security benefit of immutable:
12. Which of the following are security benefits of DevOps?
13. Which of the following is not a new concern of secure operations for applications in the cloud?
14. Which of the following is an inherent architectural security advantage of cloud?
15. How can serverless improve security?
16. Many of the new architectural options for cloud offer security benefits over what is possible in traditional infrastructure:
17. What could an email address be considered?
18. What is the technical definition of authentication?
19. What is the defining characteristic of federated identity?
20. Which of the following is a discrete type that will have an identity? Examples include users and organizations.
21. What is the biggest difference between IAM in cloud and in traditional environments?
22. Which IAM standard is best suited for enterprises federating with cloud providers?
23. Which of the following is one of the 3 most common identity standards in cloud environments?
24. In the OpenID exchange below, click on the element that represents the enterprise's directory server. Select the correct item below.
25. In a hub and spoke model, which technology mediates between directory servers/identity providers and the service providers/relying parties:
26. Which of the following IAM security incidents is more likely in cloud versus traditional infrastructure and requires a dedicated incident response focus?
27. Multifactor authentication is absolutely mandatory for cloud computing due to the higher potential for remote account takeovers.
28. Checking to see if a user authenticated with MFA from a corporate IP address to authorize an action is an example of?
29. What is an entitlement matrix used for?
-:CCSK Module 6 // Unit 2-6:-
1. Why are elasticity and infrastructure templating critical IaaS security capabilities?
2. Which of the following protocols should a SaaS provider support to help extend an enterprise's existing user management security controls and is considered a critical security capability?
3. Why are reviewable audits important when evaluating a cloud provider?
4. Frequent audits and assessments are important when looking at a cloud provider due to how rapidly they evolve their services.
5. Security as a Service is only used to secure cloud services.
6. Select all of the following characteristics that are required for something to be considered Security as a Service:
7. Which of the following is one of the more unique potential benefits of Security as a Service:
8. Why are regulation differences a potential concern of using Security as a Service?
9. Using SecaaS removes accountability for the client, but only for the particular security control the service addresses.
10. What characteristic would make a Federated Identity Broker be considered SECaaS vs. a traditional tool?
11. What is a potential advantage of a web security gateway SECaaS over an on-premise tool?
12. What is required to redirect traffic to a cloud WAF?
13. Can a cloud-based key management service be integrated with on-premise encryption?
14. If an attacker compromises one of your virtual machines, and then uses it to attack other clients on the same cloud platform, what is the cloud provider's likely action?
15. Click and drag the incident response phases in the proper order.
16. In which phase would you build a cloud "jump kit" of tools and code to speed a response?
17. In which phase would you snapshot a virtual machine for forensics?
18. Which of the following most helps you quickly build parallel infrastructure, so that you can rapidly restore operations while still having the compromised environment for analysis?
19. In a postmortem, what would be your highest priority to review and remediate if it was a blocker in your incident response?
20. Which of the following is not considered a related technology?
21. Big Data is often defined as "high volume, high velocity, and high variety". What does "high velocity" mean?
22. Why should you consider relying extensively on the isolation capabilities of cloud to defend a big data deployment?
23. While not directly related to cloud, which IoT principle is critical for long-term security?
24. While not directly related to cloud, which IoT principle is critical for long-term security?
25. Which of the following issues on a mobile device can actually create security risks for the cloud deployment?
26. Serverless, used properly, can offer more security benefits than risks.