Back to CompTIA Cloud+ (Cloud+)

Security

Implement security measures, address vulnerabilities, and ensure compliance (19% of exam).

Encompasses identifying and addressing vulnerabilities in cloud environments, implementing Identity and Access Management (IAM) to control resource access, safeguarding containerized applications and resources, ensuring compliance with standards like PCI DSS, SOC 2, and ISO 27001, and deploying security controls to protect cloud environments.
5 minutes 5 Questions

In the context of CompTIA Cloud+, security is a comprehensive discipline fundamentally anchored in the Shared Responsibility Model. This model delineates that while the Cloud Service Provider (CSP) is responsible for the security 'of' the cloud (physical infrastructure, hypervisors, and networking …

Concepts covered: Cloud vulnerability assessment, Vulnerability scanning tools, Patch management for security, Security threat remediation, Cloud IAM fundamentals, Role-based access control (RBAC), Least privilege principle, Multi-factor authentication (MFA), Single sign-on (SSO), Identity federation, Service accounts and API keys, Container security best practices, Container image scanning, Runtime container security, Kubernetes security, Container network policies, PCI DSS compliance, SOC 2 compliance, ISO 27001 compliance, GDPR and data privacy, Compliance auditing and reporting, Cloud security controls, Encryption at rest and in transit, Key management services, Network security groups, Web application firewalls (WAF), DDoS protection, Security information and event management (SIEM)

Test mode:
Start practice test
Cloud+ - Security Example Questions

Test your knowledge of Security

Question 1

A security administrator is configuring MFA for a cloud-based application. Users will authenticate using a password and a time-based one-time password (TOTP) generated by an authenticator app. Which authentication factor categories are being combined in this implementation?

Correct Answer: Something you know combined with something you have

The correct answer is 'Something you know combined with something you have.'

In this MFA implementation, two distinct authentication factor categories are being used:

  1. Password - This is classified as 'something you know' because it is knowledge that only the user should possess. It's information stored in the user's memory.

  2. TOTP from an authenticator app - This is classified as 'something you have' because the one-time password is generated by a physical device (smartphone or hardware token) that the user possesses. Even though the TOTP appears as a code, the factor category is determined by what generates it - the authenticator app on the user's device.

The other options are incorrect for the following reasons:

  • The option combining 'something you have' with 'something you are' is wrong because there is no biometric factor (something you are) in this scenario. A password is knowledge-based, not possession-based.

  • The option mentioning 'something you know combined with biometric verification factors' is incorrect because TOTP is not a biometric factor. Biometrics include fingerprints, facial recognition, iris scans, or voice recognition - none of which are present in this implementation.

  • The option describing 'two separate knowledge-based factors' is incorrect because TOTP is not a knowledge factor. While the user does enter a code, that code is generated by a device they possess, making it a possession factor rather than a knowledge factor. True MFA requires combining different categories of factors, not two factors from the same category.

Question 2

A cloud administrator is configuring network security for a web application that uses a load balancer to distribute traffic across multiple backend instances. The security team requires that only HTTPS traffic on port 443 be allowed to reach the load balancer from the internet, while backend instances should only accept traffic from the load balancer itself. Which security control configuration would MOST effectively implement this tiered traffic filtering approach?

Correct Answer: Configure security groups with inbound rules allowing port 443 from any source on the load balancer, and backend instance security groups allowing traffic only from the load balancer security group

The correct answer describes configuring security groups with inbound rules allowing port 443 from any source (0.0.0.0/0) on the load balancer, and then configuring backend instance security groups to allow traffic only from the load balancer's security group. This is the most effective tiered traffic filtering approach because:

  1. Security groups are stateful firewalls that operate at the instance level, making them ideal for this use case
  2. Allowing port 443 from any source on the load balancer permits HTTPS traffic from the internet
  3. Referencing the load balancer's security group as the source for backend instances ensures only traffic originating from the load balancer can reach them - this is a best practice known as security group chaining
  4. This approach is more secure and maintainable than using IP ranges because the security group reference automatically adapts to any load balancer scaling or IP changes

The second option is incorrect because NACLs are stateless (not stateful as stated), and allowing traffic from all internal IP ranges defeats the purpose of restricting backend access to only the load balancer.

The third option is incorrect because a WAF is designed for application-layer filtering (Layer 7) such as SQL injection and XSS protection, not for basic port filtering. Additionally, allowing connections from the entire virtual network CIDR block is overly permissive and doesn't restrict traffic to only the load balancer.

The fourth option is incorrect because it focuses on outbound rules for the load balancer, which doesn't control incoming traffic. The requirement specifies controlling inbound HTTPS traffic. Also, allowing backend traffic from the public subnet IP range is less secure than restricting to the load balancer security group specifically.

Question 3

A security analyst discovers that an attacker has exploited a misconfigured network security group to gain access to internal cloud resources. The attacker has been performing reconnaissance activities and has mapped out the internal network topology over the past 12 hours. Traffic analysis shows the attacker is using encrypted tunnels to exfiltrate discovered information. Which remediation action should be prioritized to contain this network-based threat?

Correct Answer: Restrict the misconfigured security group rules to deny unauthorized access and enable enhanced network flow logging for continued monitoring

The correct answer is to restrict the misconfigured security group rules to deny unauthorized access and enable enhanced network flow logging for continued monitoring.

This is the best remediation action because it addresses the root cause of the breach - the misconfigured network security group - while also establishing monitoring capabilities to track any continued attacker activity. In incident response, containment is the priority, and fixing the security group misconfiguration will cut off the attacker's access path. Enhanced logging ensures visibility into whether the attacker attempts alternative entry methods.

The other answers are less appropriate for the following reasons:

Implementing micro-segmentation across all network tiers and conducting a full vulnerability assessment before modifying firewall configurations is too slow and comprehensive for an active incident. While micro-segmentation is valuable, performing a full vulnerability assessment before taking action allows the attacker to continue their activities. The priority should be containment first.

Deploying additional intrusion detection sensors and scheduling security group audits for the following business day is inadequate because it delays the critical remediation action. The attacker has been active for 12 hours and is actively exfiltrating data. Waiting until the next business day to address the misconfigured security group allows continued unauthorized access and data loss.

Rotating all network encryption keys and updating security group rules only after completing a comprehensive impact analysis introduces unnecessary delay. While impact analysis has merit, the known root cause (misconfigured security group) should be addressed promptly. Rotating encryption keys does not address the access problem since the attacker gained entry through misconfigured rules, not compromised keys.

More Security questions
143 questions (total)
Start 100 question test