CCSP 2022 Advanced Quiz - Free Practice Quiz

Question 1 of 60

A cloud security architect must ensure that regulated data processed in a SaaS environment meets GDPR requirements. Which contractual mechanism is MOST essential?

A A signed NDA with the SaaS vendor B A Data Processing Agreement (DPA) establishing controller/processor obligations C An SLA guaranteeing 99.99% uptime D A penetration test report from the vendor

1 / 60

Question 2 of 60

A CCSP 2022 CBK candidate is designing a cloud data loss prevention (DLP) strategy. Which approach MOST comprehensively protects sensitive data across IaaS, PaaS, and SaaS?

A Blocking all personal device access to cloud services B A CASB integrated with DLP policies that inspect data in motion and at rest across all cloud service types C Requiring CSP-managed encryption for all stored data D Limiting cloud usage to a single approved CSP

2 / 60

Question 3 of 60

A cloud security team is performing threat modeling for a new microservices deployment. The CCSP 2022 CBK recommends analyzing which attack surface that is UNIQUE to microservices architectures?

A The physical data center perimeter B Service mesh communication and inter-service API attack surfaces C Traditional DMZ firewall rules D Legacy VPN concentrator configurations

3 / 60

Question 4 of 60

Under the CCSP 2022 CBK, which physical security control is MOST important for preventing unauthorized entry to a cloud data center's server rooms?

A Security awareness training B Two-factor physical access controls such as biometric scanners combined with key cards C Encrypting server hard drives D Installing CCTV cameras without recording

4 / 60

Question 5 of 60

During a cloud incident response engagement, the forensics team needs to acquire volatile memory from a compromised cloud instance. Which challenge is UNIQUE to cloud environments?

A Memory forensics tools are not mature enough for production use B The cloud customer may not have direct access to hypervisor memory or physical RAM C Volatile memory is automatically preserved by the CSP for 30 days D Memory acquisition requires CSP root credentials that customers never hold

5 / 60

Question 6 of 60

Under the CCSP 2022 CBK, which aspect of cloud contracts gives an organization the MOST assurance that a CSP will meet agreed security obligations over time?

A Requiring the CSP to provide a list of its existing customers B Including enforceable SLAs with financial penalties for non-compliance, audit rights, and termination clauses for material breaches C Negotiating the lowest possible price per GB of storage D Ensuring the contract is governed by the CSP's home jurisdiction

6 / 60

Question 7 of 60

Under the CCSP 2022 CBK, which legal concept requires a CSP to preserve specific data and refrain from deletion when notified of pending litigation?

A Data retention policy B Legal hold (litigation hold) C Privacy impact assessment D Business continuity plan

7 / 60

Question 8 of 60

The CCSP 2022 CBK addresses 'security orchestration, automation, and response' (SOAR) as a tool for cloud security operations primarily because it:

A Replaces the need for human security analysts entirely B Automates repetitive response actions and coordinates workflows across security tools to reduce mean time to respond C Increases the number of false positives generated by SIEM D Eliminates the need for logging and monitoring

8 / 60

Question 9 of 60

An organization is designing a multi-cloud strategy to avoid vendor lock-in. From a CCSP 2022 CBK perspective, which approach BEST supports portability?

A Using proprietary CSP-native services for maximum performance B Adopting open standards, containers, and cloud-agnostic APIs C Standardizing on a single CSP to reduce complexity D Negotiating perpetual licensing agreements with each provider

9 / 60

Question 10 of 60

A cloud security professional must assess whether a proposed third-party SaaS vendor meets the organization's security requirements. According to the CCSP 2022 CBK, which is the MOST thorough initial assessment approach?

A Accepting the vendor's marketing materials as sufficient evidence of security B Issuing a security questionnaire, reviewing available SOC 2 Type II reports, and evaluating the vendor's CSA STAR registration C Running a vulnerability scan against the vendor's public IP ranges D Reviewing the vendor's website privacy policy only

10 / 60

Question 11 of 60

A CCSP professional is designing a cloud incident response plan. The CCSP 2022 CBK recommends that which element must be established BEFORE an incident occurs to support effective response?

A A post-incident lessons-learned meeting agenda B Pre-established communication trees, CSP escalation contacts, and documented runbooks C Forensic evidence collection tools and procedures D A list of systems to be decommissioned after compromise

11 / 60

Question 12 of 60

A CCSP professional is evaluating encryption options for a regulated cloud database. The CCSP 2022 CBK would rate which option as providing the STRONGEST protection against CSP-side data exposure?

A CSP default encryption at rest with CSP-managed keys B Application-level encryption before data leaves the application, with customer-controlled keys stored in an HSM outside the CSP C Volume encryption using a CSP-generated and stored key D Database transparent data encryption (TDE) with CSP-managed certificates

12 / 60

Question 13 of 60

A security team is evaluating a CSP's SOC 2 Type II report. Which aspect of the report MOST directly confirms that controls operated effectively over time?

A The auditor's biography and credentials B The testing results and exception notes covering the audit period C The list of controls included in scope D The CSP's management assertion letter

13 / 60

Question 14 of 60

According to the CCSP 2022 CBK, an organization implementing zero trust architecture in a cloud environment MUST prioritize which foundational principle?

A Block all external network access and restrict users to on-premises resources B Verify explicitly â€” authenticate and authorize every request based on all available signals, regardless of network location C Trust internal network traffic without inspection since it has passed the perimeter D Grant all users administrative access to reduce friction

14 / 60

Question 15 of 60

According to the CCSP 2022 CBK, which approach MOST effectively reduces the risk of cross-tenant data exposure in a multitenant cloud database?

A Encrypting all customer data with the same CSP-managed key B Using tenant-specific encryption keys and row-level security with strict schema isolation per tenant C Scheduling regular penetration tests of the shared database D Granting database administrator access to all tenants equally

15 / 60

Question 16 of 60

In the CCSP 2022 CBK, an organization's cloud disaster recovery plan is validated MOST rigorously through:

A Simulation exercises where technical teams restore systems from a declared disaster state in a non-production environment B Tabletop exercises that walk through scenarios verbally only C Reviewing the DR plan document annually without testing D Trusting the CSP's guaranteed SLA uptime as sufficient DR assurance

16 / 60

Question 17 of 60

An organization running containerized workloads discovers that a compromised container could access the host OS via a kernel exploit. Which CCSP 2022 CBK control MOST directly mitigates this risk?

A Running containers in a VM-based isolation sandbox (e.g., gVisor, Kata Containers) B Encrypting all container images at rest C Scanning container images for known CVEs before deployment D Implementing network policies between containers

17 / 60

Question 18 of 60

The CCSP 2022 CBK defines 'cryptographic agility' as the ability to:

A Rapidly replace cryptographic algorithms if they are compromised or deprecated without major system redesign B Encrypt data faster by using smaller key sizes C Use the same key for multiple cryptographic operations D Automatically generate self-signed TLS certificates

18 / 60

Question 19 of 60

In the CCSP 2022 CBK, 'continuous monitoring' of cloud security controls is BEST implemented through:

A Automated security telemetry aggregated in a SIEM with alerting for anomalies and policy violations B Quarterly manual reviews of firewall rules C Annual third-party penetration tests D Monthly password rotation reminders sent to users

19 / 60

Question 20 of 60

The CCSP 2022 CBK identifies which combination as the MOST comprehensive approach to securing APIs exposed by cloud-native applications?

A Using TLS, OAuth 2.0 with short-lived tokens, rate limiting, input validation, and a WAF/API gateway B Blocking all API traffic at the network perimeter C Requiring API keys transmitted via HTTP GET parameters D Relying on CSP-managed API keys rotated annually

20 / 60

Question 21 of 60

Under the CCSP 2022 CBK, a 'quantitative risk assessment' differs from a qualitative one because it:

A Expresses risk in monetary terms using metrics like ALE (Annualized Loss Expectancy) B Requires fewer stakeholders to complete C Uses only expert judgment and descriptive ratings D Cannot be used for cloud environments

21 / 60

Question 22 of 60

A cloud forensic investigator working under the CCSP 2022 CBK framework encounters a situation where critical log data has been deleted from a shared cloud environment. Which principle addresses BOTH data recovery limitations AND investigator conduct?

A Act within legal authority and contractual scope; use CSP-provided log archives where available and document all attempts to recover evidence B Immediately subpoena the CSP regardless of jurisdiction C Reconstruct logs from application caches without legal authorization D Notify the press to pressure the CSP into cooperation

22 / 60

Question 23 of 60

The CCSP 2022 CBK addresses 'cloud service dependency mapping' as important for risk management because:

A Identifying all upstream and downstream service dependencies reveals single points of failure and third-party risk exposure B It replaces the need for a data classification policy C It satisfies PCI DSS cardholder data requirements D It eliminates the need for penetration testing

23 / 60

Question 24 of 60

Under the CCSP 2022 CBK, which cloud security risk is MOST directly created by 'noisy neighbor' conditions in a multitenant IaaS environment?

A Unpredictable performance degradation affecting an organization's workload availability and SLA compliance B Cross-tenant malware propagation through shared storage C Unauthorized access to tenant data D Encryption key exposure through shared hypervisor memory

24 / 60

Question 25 of 60

A cloud security professional is reviewing an organization's key management procedures. The organization stores data encryption keys in the same cloud region as the encrypted data. Which CCSP 2022 CBK concern does this raise?

A A successful breach of the region could expose both keys and ciphertext B It violates FIPS 140-2 Level 3 requirements by default C It prevents key rotation from being automated D It violates GDPR data residency requirements

25 / 60

Question 26 of 60

In CCSP 2022 CBK advanced studies, which data destruction method is considered MOST reliable for ensuring data on cloud storage is unrecoverable, particularly when physical destruction of storage media is not possible and only logical methods are available?

A Cryptographic shredding (destroying all encryption keys so data is permanently unreadable) B Overwriting storage with zeros once C Requesting the CSP to 'delete' the storage volume D Reformatting the virtual disk

26 / 60

Question 27 of 60

A CCSP professional reviews a cloud application that stores user session tokens in browser localStorage. From a CCSP 2022 CBK application security perspective, this represents a risk of:

A Cross-site scripting (XSS) attacks stealing session tokens via malicious JavaScript B Slower application performance C Increased storage costs D CSRF attacks bypassing SameSite cookie policies

27 / 60

Question 28 of 60

A CCSP 2022 CBK candidate is evaluating a CSP's business continuity and resilience capabilities. Which metric BEST represents the CSP's ability to maintain service during infrastructure failures?

A Availability zone and region redundancy architecture with documented failover SLAs B The CSP's annual marketing ranking C The number of employees in the CSP's NOC D Mean Time Between Failures (MTBF) for individual server components

28 / 60

Question 29 of 60

According to the CCSP 2022 CBK, which cloud network security control is MOST effective at detecting lateral movement between workloads in a microsegmented environment?

A East-west traffic inspection with an internal IDS/IPS or network detection and response (NDR) solution B Traditional perimeter firewall logs C Blocking all inter-VLAN routing D Requiring VPN for all internal workload communication

29 / 60

Question 30 of 60

Under the CCSP 2022 CBK, which approach to continuous compliance monitoring MOST effectively demonstrates ongoing control effectiveness to auditors?

A Automated, evidence-collecting compliance pipelines that generate real-time control status dashboards and export audit-ready artifacts B Annual manual audits conducted by internal staff C Providing auditors with a static policy document each year D Relying on CSP compliance certifications without customer-level validation

30 / 60

Question 31 of 60

Under the CCSP 2022 CBK, which privacy impact assessment (PIA) outcome should MOST influence the decision to proceed with a cloud migration involving personal health data?

A The CSP's marketing certification list B The CSP's availability SLA percentage C The PIA's identification of unmitigated residual risks that exceed the organization's risk tolerance D The number of compliance certifications the CSP holds

31 / 60

Question 32 of 60

The CCSP 2022 CBK defines 'security as code' as the practice of:

A Writing security policies in plain English and storing them in Word documents B Manually implementing security controls after deployment C Expressing security controls as machine-executable code integrated into version-controlled CI/CD pipelines D Replacing security engineers with automated scripts

32 / 60

Question 33 of 60

A CCSP candidate is analyzing a cloud provider's shared responsibility matrix for PaaS. Which security control is the CUSTOMER'S responsibility in a PaaS model?

A Physical data center access controls B Hypervisor security and patching C Application code security and access controls for the application D OS patching of the underlying compute instances

33 / 60

Question 34 of 60

According to the CCSP 2022 CBK, which scenario represents the MOST significant abuse of privilege by a cloud administrator?

A Rotating IAM keys for a service account after a security review B Installing approved monitoring agents on production servers C Accessing customer encryption keys without business justification to read sensitive tenant data D Reviewing access logs during an authorized incident investigation

34 / 60

Question 35 of 60

The CCSP 2022 CBK identifies which approach as MOST effective for ensuring cloud infrastructure configurations remain compliant with security baselines over time?

A Manual quarterly configuration reviews by the security team B Relying exclusively on CSP default security settings C Deploying infrastructure via IaC with automated policy-as-code checks enforced in CI/CD pipelines D Issuing annual security reminders to cloud administrators

35 / 60

Question 36 of 60

According to the CCSP 2022 CBK, which cloud architecture pattern MOST effectively protects against a complete service outage caused by a single data center failure?

A Deploying all workloads in a single availability zone with RAID storage B Relying on the CSP's internal redundancy without customer-side configuration C Deploying across multiple availability zones or regions with active-active or active-passive failover D Using a warm site that requires manual activation after a declared disaster

36 / 60

Question 37 of 60

The CCSP 2022 CBK recommends which approach to managing privileged access in cloud environments to reduce the risk of long-standing administrative credentials?

A Issuing permanent admin credentials tied to individual users B Sharing a single admin account among trusted team members C Just-in-time (JIT) privileged access with time-limited elevation and full audit logging D Storing privileged credentials in a shared password spreadsheet

37 / 60

Question 38 of 60

The CCSP 2022 CBK identifies which risk treatment strategy as MOST appropriate when an organization outsources a high-risk cloud workload to a third-party MSSP under a formal contract?

A Risk acceptance â€” doing nothing additional since the MSSP is responsible B Risk avoidance â€” refusing to use cloud services entirely C Risk transfer â€” contractually shifting financial and operational risk to the MSSP through SLAs, indemnification, and insurance requirements D Risk reduction â€” implementing additional encryption on top of the MSSP's controls only

38 / 60

Question 39 of 60

In the CCSP 2022 CBK, which scenario BEST illustrates the application of 'privacy by design' in a cloud-native application?

A Adding a privacy policy page to the application after launch B Encrypting data only when a data breach occurs C Designing data minimization, encryption, and access controls into the architecture from the initial design phase D Obtaining user consent only for marketing email subscriptions

39 / 60

Question 40 of 60

The CCSP 2022 CBK notes that 'cloud security posture management' (CSPM) tools primarily address which challenge?

A Real-time malware scanning of cloud virtual machines B Blocking DDoS attacks against cloud APIs C Continuously identifying misconfigured cloud resources (e.g., open S3 buckets, permissive security groups) and compliance deviations D Managing encryption key rotation schedules

40 / 60

Question 41 of 60

In a CCSP 2022 CBK context, which type of cloud audit provides the DEEPEST visibility into a CSP's internal controls without relying on third-party attestation reports?

A SOC 2 Type I review B Reviewing the CSP's publicly available compliance documentation C CSP-facilitated right-to-audit with direct evidence inspection D Requesting the CSP's self-assessment questionnaire

41 / 60

Question 42 of 60

A CCSP professional conducting a cloud security architecture review identifies that all workloads share a single IAM service account with owner-level permissions. Which CCSP 2022 CBK principle is MOST violated?

A Data minimization â€” too much data is being collected B Defense in depth â€” multiple overlapping security layers are missing C Principle of least privilege â€” workloads should only have the minimum permissions necessary for their specific functions D Separation of duties â€” the account can both read and write data

42 / 60

Question 43 of 60

A cloud security professional discovers that a development team has deployed a publicly accessible storage bucket containing customer PII. From a CCSP 2022 CBK incident management perspective, the FIRST priority is:

A Notifying the press B Initiating a disciplinary process for the developer C Immediately restricting public access to contain the exposure, then beginning breach assessment and notification procedures D Deleting the bucket to remove evidence

43 / 60

Question 44 of 60

In the CCSP 2022 CBK, which factor MOST significantly complicates attribution during a cloud-based cyber incident investigation?

A Lack of available forensic tools B The high cost of cloud logging services C Inability to collect volatile memory from cloud instances D Shared infrastructure, NAT, and ephemeral resources making it difficult to definitively link activity to a specific threat actor

44 / 60

Question 45 of 60

A cloud architect applies the CCSP 2022 CBK concept of 'defense in depth' to a SaaS application. Which combination BEST illustrates this principle?

A Using a single strong firewall rule and full-disk encryption B Replacing all legacy systems with cloud-native alternatives C Layering WAF, MFA, data encryption, CASB, and SIEM with anomaly detection D Implementing RBAC and quarterly access reviews

45 / 60

Question 46 of 60

The CCSP 2022 CBK notes that 'cloud-native application protection platforms' (CNAPP) combine which capabilities to secure cloud workloads holistically?

A Email security gateways and endpoint detection B Only SIEM and log management C Exclusively network-layer firewalls and DDoS protection D CSPM, CWPP, and IaC scanning integrated into a unified platform that provides visibility from code to runtime

46 / 60

Question 47 of 60

Under the CCSP 2022 CBK, a 'hot patching' strategy for cloud workloads is valuable because it:

A Requires complete system reboots before patches are applied B Increases the attack surface by deploying unvetted patches C Automatically rolls back failed patches without alerting administrators D Allows security patches to be applied to running systems with minimal or no downtime

47 / 60

Question 48 of 60

Under the CCSP 2022 CBK, which approach to software supply chain security MOST directly reduces the risk of deploying a malicious container image to production?

A Running containers as root to simplify debugging B Using only the latest CSP-provided base images without inspection C Rebuilding all images from scratch daily D Implementing container image signing, attestation, and admission controls that reject unsigned or unverified images

48 / 60

Question 49 of 60

Under the CCSP 2022 CBK, which regulatory framework mandates security and privacy protections for individually identifiable health information in cloud environments used by U.S. healthcare organizations?

A FERPA B SOX C GLBA D HIPAA / HITECH

49 / 60

Question 50 of 60

In a CCSP 2022 CBK scenario, an organization's cloud application logs show repeated failed login attempts from a single IP, followed by a successful login from the same IP at 3 AM. Which combination of controls MOST effectively addresses this threat?

A Disabling all remote access from non-corporate IPs B Requiring users to set longer passwords annually C Blocking the IP address manually after the incident D Adaptive MFA with anomaly-based login risk scoring, geo-velocity alerting, and automated account lockout after failed attempts

50 / 60

Question 51 of 60

The CCSP 2022 CBK notes that 'data localization' laws in certain jurisdictions affect cloud architectures by requiring:

A All cloud data to be encrypted with government-managed keys B Use of open-source software only in regulated environments C CSPs to publish monthly transparency reports D Personal or regulated data to be stored and processed only within specific geographic boundaries

51 / 60

Question 52 of 60

A CCSP professional is advising on a regulated cloud migration. The CCSP 2022 CBK suggests that 'compliance inheritance' from the CSP:

A Fully satisfies all compliance requirements for the customer B Is illegal under GDPR C Requires the customer to use only CSP-native security tools D Covers only infrastructure-level controls; the customer must still implement their own application and data controls

52 / 60

Question 53 of 60

A security engineer is implementing secrets management for a cloud-native application. The CCSP 2022 CBK MOST recommends which approach?

A Hard-coding secrets in environment variables within container images B Encrypting secrets with AES-128 and storing them in application config files C Storing secrets in a private Git repository with branch protection D Using a dedicated secrets management service (e.g., HashiCorp Vault, AWS Secrets Manager) with access controlled by IAM

53 / 60

Question 54 of 60

Under the CCSP 2022 CBK, when performing due diligence on a new CSP, which evidence MOST directly validates the CSP's physical security controls at data center facilities?

A The CSP's SLA document listing uptime guarantees B The CSP's publicly published blog about their data center design C A marketing brochure describing the facility's location D An on-site audit or third-party assessment report (e.g., SOC 2 Type II physical security criteria) with evidence of access logs and environmental controls

54 / 60

Question 55 of 60

According to the CCSP 2022 CBK, which risk is MOST specific to using open-source software components in cloud-native applications?

A Open-source software cannot be deployed in regulated environments B Open-source licenses require all cloud applications to be made publicly available C Open-source software has no commercial support and therefore no SLA D Unvetted open-source dependencies may contain known vulnerabilities or malicious code (supply chain attack)

55 / 60

Question 56 of 60

The CCSP 2022 CBK identifies which control as MOST critical for detecting compromised cloud service accounts being used for cryptocurrency mining (cryptojacking)?

A Requiring MFA for all user logins B Encrypting all outbound API calls C Installing antivirus on all cloud VMs D Anomaly detection and billing alerts for unexpected compute resource usage spikes

56 / 60

Question 57 of 60

The CCSP 2022 CBK identifies which risk as MOST significant when an organization uses a free-tier CSP service that includes data use in the provider's AI training pipeline?

A The service will have lower availability SLAs B The customer loses GDPR data subject rights automatically C Free tier services never support encryption at rest D Customer data may be used to train CSP models, creating confidentiality and IP exposure risks

57 / 60

Question 58 of 60

The CCSP 2022 CBK defines an effective cloud security governance framework as requiring which foundational element ABOVE all others?

A Annual security training completion for all employees B A large security operations center with 24/7 staffing C Exclusive use of one CSP to reduce governance complexity D Executive sponsorship and clearly defined accountability structures linking cloud security responsibilities to specific roles and business outcomes

58 / 60

Question 59 of 60

A CCSP professional is designing a cloud security architecture for a financial services firm. The CCSP 2022 CBK would MOST strongly recommend which approach to network traffic inspection for workloads handling cardholder data?

A Relying solely on the CSP's built-in network ACLs B Trusting all intra-VPC traffic without inspection C Using a shared network monitoring subscription from the CSP marketplace D Deploying dedicated IDS/IPS with TLS inspection capabilities and strict micro-segmentation policies around cardholder data environments

59 / 60

Question 60 of 60

Under the CCSP 2022 CBK, when evaluating a CSP's right-to-audit provisions, which outcome provides the GREATEST assurance for highly regulated industries?

A The CSP allows auditors to review their marketing materials and press releases B The CSP provides an automated self-assessment portal only C The CSP grants direct access for customer-appointed auditors to inspect control evidence, system configurations, and access logs under NDA D The CSP offers a rebate if audit findings exceed a defined threshold

60 / 60