Unit 6 - Practice Quiz

Correct Answer: To define which security tasks belong to the provider and which belong to the customer

Explanation: The Shared Responsibility Model delineates the security obligations of the cloud provider (security of the cloud) and the customer (security in the cloud) based on the service model.

Correct Answer: Guest operating system updates and application security

Explanation: In IaaS, the provider manages the physical hardware and hypervisor, while the customer is responsible for the OS, applications, and data.

Correct Answer: Principle of Least Privilege

Explanation: The Principle of Least Privilege ensures that entities (users or services) have only the minimum access rights needed to perform their specific tasks.

Correct Answer: Identity

Explanation: In cloud and microservices architectures, network perimeters are porous. Identity and Access Management (IAM) becomes the new effective security perimeter.

Correct Answer: To authenticate users and authorize access to resources

Explanation: IAM is a framework of policies and technologies for ensuring that the right users have the appropriate access to technology resources.

Correct Answer: Distributed Denial of Service (DDoS)

Explanation: DDoS attacks aim to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target with a flood of Internet traffic.

Correct Answer: It is the foundational layer managed primarily by the Cloud Service Provider

Explanation: Physical security involves protecting the actual data centers, servers, and hardware, which is the responsibility of the CSP.

Correct Answer: A virtual firewall that controls inbound and outbound traffic for instances

Explanation: Security Groups act as virtual firewalls for your instances to control incoming and outgoing traffic at the protocol and port level.

Correct Answer: Encryption in Transit

Explanation: Encryption in transit protects data while it moves between locations, such as between the user and the cloud or between microservices.

Correct Answer: The process of securing a system by reducing its surface of vulnerability

Explanation: Host hardening involves removing unnecessary software, closing unused ports, and configuring settings to make a system more secure.

Correct Answer: Key Management Service (KMS)

Explanation: KMS is a managed service that makes it easy to create and control the encryption keys used to encrypt data.

Correct Answer: General Data Protection Regulation

Explanation: GDPR is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area.

Correct Answer: PCI DSS

Explanation: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards.

Correct Answer: Vendor Lock-in and inconsistent security APIs across providers

Explanation: Moving security policies and configurations between different cloud providers is difficult due to proprietary formats and APIs, leading to interoperability issues.

Correct Answer: To aggregate logs and analyze security alerts in real-time

Explanation: SIEM software products and services combine security information management (SIM) and security event management (SEM) for real-time analysis of security alerts.

Correct Answer: It expands the attack surface by distributing processing to decentralized locations

Explanation: While Edge computing reduces latency, it places compute resources closer to the source, creating a larger and more distributed attack surface that is harder to secure physically and logically.

Correct Answer: Automated anomaly detection and threat response

Explanation: AI and Machine Learning are used to establish baseline behaviors and detect anomalies that indicate potential security threats much faster than humans can.

Correct Answer: Managing service-to-service communication with mTLS (mutual TLS)

Explanation: A Service Mesh (like Istio or Linkerd) abstracts network communication, providing features like mutual TLS for secure, encrypted service-to-service communication.

Correct Answer: The concept that data is subject to the laws of the country in which it is physically located

Explanation: Data sovereignty refers to the legal requirement that data is subject to the laws and governance structures within the nation it is collected or stored.

Correct Answer: Implementing rate limiting and throttling

Explanation: Rate limiting protects APIs from abuse, such as DDoS attacks or brute force attempts, by limiting the number of requests a user can make.

Correct Answer: Authorized users misusing their access privileges

Explanation: Insider threats come from employees, contractors, or partners who have legitimate access but use it maliciously or accidentally to harm the system.

Correct Answer: It adds layers of verification beyond just a password (e.g., something you have or are)

Explanation: MFA requires two or more verification methods (password + token/biometric), significantly reducing the risk of compromised credentials.

Correct Answer: Logs record discrete events; Metrics measure numerical data over time

Explanation: Logs provide detailed context about specific events (e.g., 'User X failed login'), while metrics provide statistical data (e.g., 'CPU usage is 80%').

Correct Answer: Linking a user's identity across multiple distinct security domains

Explanation: Federated identity allows a user to use one set of credentials to access applications across different organizations or domains (e.g., 'Login with Google').

Correct Answer: Container Registry Scanning

Explanation: Container scanning tools analyze container images for known vulnerabilities (CVEs) before they are deployed.

Correct Answer: To serve as a secure gateway for administrators to access private resources

Explanation: A Bastion Host is a special-purpose computer on a network specifically designed and configured to withstand attacks, used as a secure entry point.

Correct Answer: HIPAA

Explanation: The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection.

Correct Answer: Using multiple layered security controls to protect data

Explanation: Defense in Depth is an information assurance concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system.

Correct Answer: Never trust, always verify, regardless of network location

Explanation: Zero Trust assumes that threats exist both inside and outside the network and requires strict identity verification for every person and device accessing resources.

Correct Answer: SAML (Security Assertion Markup Language)

Explanation: SAML is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

Correct Answer: Unsanctioned use of cloud services leads to lack of visibility and control

Explanation: Shadow IT refers to IT systems deployed by departments other than the central IT department, bypassing security controls and compliance checks.

Correct Answer: Data and Identity Management

Explanation: In SaaS, the provider manages the entire stack (App, OS, Infrastructure), leaving the customer responsible primarily for their data, user identities, and access policies.

Correct Answer: Automated tools that identify misconfigurations and compliance risks in cloud environments

Explanation: CSPM tools continuously monitor cloud environments to detect misconfigurations (like open S3 buckets) and ensure compliance.

Correct Answer: It refers to acts that justify war, now potentially including severe state-sponsored cyberattacks

Explanation: While a traditional term, in future trends, severe attacks on critical cloud infrastructure by AI or state actors are increasingly discussed as potential acts of war.

Correct Answer: An attack where the attacker secretly relays and possibly alters communications between two parties

Explanation: In MitM attacks, the attacker intercepts communication between two systems to eavesdrop or manipulate data.

Correct Answer: It enables understanding the internal state of a system based on external outputs (logs, metrics, traces) to diagnose security incidents

Explanation: Observability goes beyond simple monitoring; it helps teams understand why a security anomaly or performance issue is happening within complex microservices.

Correct Answer: Adversarial attacks where attackers manipulate input data to fool AI models

Explanation: A major future risk is adversarial AI, where attackers reverse-engineer or poison the learning models used by security systems to bypass detection.

Correct Answer: It integrates security practices into the DevOps software delivery lifecycle

Explanation: DevSecOps emphasizes 'shifting left', meaning security is addressed early in the development process rather than at the end.

Correct Answer: Software that detects and prevents potential data breaches by blocking sensitive data from leaving the network

Explanation: DLP tools monitor data in use, in motion, and at rest to prevent sensitive information (like credit card numbers) from being leaked.

Correct Answer: Encryption at Rest

Explanation: Encryption at rest ensures that if physical media is stolen or accessed improperly, the data remains unreadable without the key.

Correct Answer: To protect web applications by filtering and monitoring HTTP traffic

Explanation: A WAF protects against web-specific attacks like SQL injection and Cross-Site Scripting (XSS) at the application layer.

Correct Answer: VM Escape, where an attacker breaks out of a virtual machine to access the host

Explanation: If a hypervisor is compromised (VM Escape), the attacker could potentially access all virtual machines running on that physical host.

Correct Answer: The ability to move applications and data from one cloud provider to another

Explanation: Portability ensures that customers are not locked into a single vendor and can migrate their systems with minimal friction.

Correct Answer: A compliance standard for service organizations, focusing on security, availability, processing integrity, confidentiality, and privacy

Explanation: SOC 2 is an auditing procedure that ensures service providers securely manage your data to protect the interests of your organization and the privacy of its clients.

Correct Answer: Edge Computing

Explanation: Edge computing brings computation and data storage closer to the sources of data (IoT devices), improving response times and saving bandwidth.

Correct Answer: When ad-hoc changes cause environments to diverge from their known secure state

Explanation: Configuration drift occurs when changes are made directly to production environments without going through proper configuration management, leading to security inconsistencies.

Correct Answer: Servers are never modified after deployment; they are replaced with new instances

Explanation: Immutable infrastructure prevents configuration drift and ensures that if a server is compromised, it is quickly destroyed and replaced with a fresh, secure image.

Correct Answer: Terraform

Explanation: Terraform allows you to define infrastructure in code, ensuring that security groups, VPCs, and IAM roles are deployed consistently and securely.

Correct Answer: To simulate a cyberattack against your computer system to check for exploitable vulnerabilities

Explanation: Penetration testing (ethical hacking) involves authorized simulated attacks to identify weaknesses before malicious attackers do.

Correct Answer: It is an intermediate layer between the Edge and the Cloud, requiring security protocols for data aggregation

Explanation: Fog computing extends the cloud to be closer to the things that produce and act on IoT data. It requires securing the nodes that aggregate data before sending it to the central cloud.