CySA+ Chapter 6 Cloud Security
Under the shared responsibility model, in which tier of cloud computing is the customer responsible for securing the operating system? A. IaaS B. PaaS C. SaaS D. All of the above
Answer A- IaaS Under the shared responsibility model, the customer only bears responsibility for operating system security in IaaS environments. In all other environments, the service provider is responsible for securing the operating systems.
In which cloud computing service model does the customer share responsibility with the cloud provider for datacenter security? A. IaaS B. SaaS C. PaaS D. None of the above
Answer D- None of the above Cloud service providers bear sole responsibility for datacenter security in all cloud service models.
Tony purchases virtual machines from Microsoft Azure and uses them exclusively for use by his organization. What model of cloud computing is this? A. Public cloud B. Private cloud C. Hybrid cloud D. Community cloud
Answer A- Public Cloud This is an example of public cloud computing because Tony is using a public cloud provider, Microsoft Azure. The fact that Tony is limiting access to virtual machines to his own organization is not relevant because the determining factor for the cloud model is whether the underlying infrastructure is shared, not whether virtualized resources are shared.
Which one of the following would not commonly be available as an IaaS service offering? A. CRM B. Storage C. Networking D. Computing
Answer A- CRM Customer relationship management (CRM) packages offered in the cloud would be classified as software as a service (SaaS), since they are not infrastructure components. Storage, networking, and computing resources are all common IaaS offerings.
What type of credential is commonly used to restrict access to an API? A. Encryption Key B. API Key C. Password D. Biometrics
Answer B- API Key API keys are used to identify and authenticate the user, system, or application that is connecting to an API.
Which one of the following services is not an example of FaaS computing? A. Lambda B. DeepLens C. Google Cloud Functions D. Azure Functions
Answer B- DeepLens AWS Lambda, Google Cloud Functions, and Microsoft Azure Functions are all examples of function as a service (FaaS) computing. AWS DeepLens is an AI-enabled camera.
Helen designed a new payroll system that she offers to her customers. She hosts the payroll system in AWS and her customers access it through the web. What tier of cloud computing best describes Helen's service? A. PaaS B. SaaS C. FaaS D. IaaS
Answer B- SaaS Helen is using IaaS services to create her payroll product. She is then offering that payroll service to her customers as an SaaS solution.
Amanda would like to run a security configuration scan of her Microsoft Azure cloud environment. Which one of the following tools would be most appropriate for her needs? A. Inspector B. ScoutSuite C. Prowler D. Pacu
Answer B- ScoutSuite ScoutSuite is the only cloud assessment tool listed here that performs security scans of Azure environments. Inspector and Prowler are AWS-specific tools. Pacu is an exploitation framework used in penetration testing.
Which one of the following statements about cloud computing is incorrect? A. Cloud computing offers ubiquitous, convenient access B. Cloud computing customers store data on hardware that is shared with other customers C. Cloud computing customers provision resources through the service provider's sales team D. Cloud computing resources are accessed over a network
Answer C- Cloud computing customers provision resources through the service provider's sales team One of the key characteristics of cloud computing is that customers can access resources on demand with minimal service provider interaction. Cloud customers do not need to contact a sales representative each time they wish to provision a resource but can normally do so on a self-service basis.
A coalition of universities banded together and created a cloud computing environment that is open to all member institutions. The cloud computing environment provided is a basic IaaS component. Which of the following best describes the cloud model described in the given scenario? A. Public cloud B. Private cloud C. Community cloud D. Hybrid cloud
Answer C- Community Cloud Community cloud deployments may offer IaaS, PaaS, and/or SaaS solutions. Their defining characteristic is that access is limited to members of a specific community.
Which one of the following is a characteristic of DevOps approaches to technology? A. Isolating operations teams from development teams B. Requiring clear handoffs between development and production C. Increasing the frequency of application releases D. Eliminating the need for developers to understand business requirements
Answer C- Increasing the frequency of application releases DevOps approaches to software development and technology operations increase the frequency of releases by automating the software testing and release processes. The other options are characteristic of legacy approaches to technology.
Kevin is using a service where a cloud provider offers a platform that executes his code in response to discrete events. He is billed based on the actual resources consumed during each code execution event. What term best describes this service? A. PaaS B. SaaS C. FaaS D. IaaS
Answer C- FaaS This is an example of function as a service.
Which one of the following statements about inline CASB is incorrect? A. Inline CASB solutions often use software agents on endpoints B. Inline CASB solutions intercept requests from users to cloud providers C. Inline CASB solutions can monitor activity but cannot actively enforce policy D. Inline CASB solutions may require network reconfiguration
Answer C- Inline CASB solutions can monitor activity but cannot actively enforce policy Inline CASB solutions require either network reconfiguration or the use of a software agent. They intercept requests from users to cloud providers and, by doing so, are able to both monitor activity and enforce policy.
Which one of the following is not an example of infrastructure as code? A. Defining infrastructure in JSON B. Writing code to interact with a cloud provider's API C. Using a cloud provider's web interface to provision resources D. Defining infrastructure in YAML
Answer C- Using a cloud provider's web interface to provision resources Infrastructure as code is any approach that automates the provisioning, management, and deprovisioning of cloud resources. Defining resources through JSON or YAML is IaC, as is writing code that interacts with an API. Provisioning resources through a web interface is manual, not automated, and therefore does not qualify as IaC.
In which of the following cloud categories are customers typically charged based on the number of virtual server instances dedicated to their use? A. IaaS only B. SaaS only C. IaaS and PaaS D. IaaS, SaaS, and PaaS
Answer C- IaaS and PaaS Customers are typically charged for server instances in both IaaS environments, where they directly provision those instances, and PaaS environments, where they request the number of servers needed to support their applications. In an SaaS environment, the customer typically has no knowledge of the number of server instances supporting their use.
Brian is selecting a CASB for his organization and he would like to use an approach that interacts with the cloud provider directly. Which CASB approach is most appropriate for his needs? A. Inline CASB B. Outsider CASB C. Comprehensive CASB D. API-based CASB
Answer D- API-based CASB API-based CASB solutions interact directly with the cloud provider through the provider's API. Inline CASB solutions intercept requests between the user and the provider. Outsider and comprehensive are not categories of CASB solutions.
Under the shared responsibility model, which component always remains the responsibility of the customer, regardless of the cloud service model used? A. Application B. Hardware C. Datacenter D. Data
Answer D- Data In the shared responsibility model, the customer always retains either full or partial responsibility for data security. Hardware and physical datacenters are the cloud provider's responsibility under all models. Applications are the customer's responsibility under IaaS, the provider's responsibility under SaaS, and a shared responsibility under PaaS.
Gina gained access to a client's AWS account during a penetration test. She would like to determine what level of access she has to the account. Which one of the following tools would best meet her need? A. ScoutSuite B. Inspector C. Prowler D. Pacu
Answer D- Pacu Pacu is an AWS-specific exploitation framework. It is particularly well suited to identifying the permissions available to an account during a penetration test. ScoutSuite, Inspector, and Prowler are all assessment tools that would not directly provide the information that Gina seeks.
Which one of the following conditions is not likely to trigger an alert during an automated cloud security assessment? A. Presence of an API key in a public repository B. Unrestricted API keys C. Transmission of an API key over unsecured channels D. Sharing of API keys among different developers
Answer D- Sharing of API keys among different developers
Which cloud computing deployment model requires the use of a unifying technology platform to tie together components from different providers? A. Public cloud B. Private cloud C. Community cloud D. Hybrid cloud
Answer D- Hybrid Cloud Hybrid cloud environments blend elements of public, private, and/or community cloud solutions. A hybrid cloud requires the use of technology that unifies the different cloud offerings into a single, coherent platform.