Cloud Security Flashcards

1
Q

Which one of the following statements about cloud computing is incorrect?

A. Cloud computing offers ubiquitous, convenient access.

B. Cloud computing customers store data on hardware that is shared with other customers.

C. Cloud computing customers provision resources through the service provider’s sales team.

D. Cloud computing resources are accessed over a network.

A

Answer:

C. One of the key characteristics of cloud computing is that customers can access resources on-demand with minimal service provider interaction. Cloud customers do not need to contact a sales representative each time they wish to provision a resource but can normally do so on a self-service basis.

2
Q

Under the shared responsibility model, in which tier of cloud computing is the customer responsible for securing the operating system?

A. IaaS

B. PaaS

C. SaaS

D. All of the above

A

Answer:

A. Under the shared responsibility model, the customer only bears responsibility for operating system security in IaaS environments. In all other environments, the service provider is responsible for securing the operating system.

3
Q

Helen designed a new payroll system that she offers to her customers. She hosts the payroll system in AWS and her customers access it through the web. What tier of cloud computing best describes Helen’s service?

A. PaaS

B. SaaS

C. FaaS

D. IaaS

A

Answer:

B. Helen is using IaaS services to create her payroll product. She is then offering that payroll service to her customers as an SaaS solution.

4
Q

Tony purchases virtual machines from Microsoft Azure and uses them exclusively for use by his organization. What model of cloud computing is this?

A. Public cloud

B. Private cloud

C. Hybrid cloud

D. Community cloud

A

Answer:

A. This is an example of public cloud computing because Tony is using a public cloud provider, Microsoft Azure. The fact that Tony is limiting access to virtual machines to his own organization is not relevant because the determining factor for the cloud model is whether the underlying infrastructure is shared, not whether virtualized resources are shared.

5
Q

Amanda would like to run a security configuration scan of her Microsoft Azure cloud environment. Which one of the following tools would be most appropriate for her needs?

A. Inspector

B. ScoutSuite

C. Prowler

D. Pacu

A

Answer:

B. ScoutSuite is the only cloud assessment tool listed here that performs security scans of Azure environments. Inspector and Prowler are AWS-specific tools. Pacu is an exploitation framework used in penetration testing.

6
Q

Kevin is using a service where a cloud provider offers a platform that executes his code in response to discrete events. He is billed based on the actual resources consumed during each code execution event. What term best describes this service?

A. PaaS

B. SaaS

C. FaaS

D. IaaS

A

Answer:

C. This is an example of function as a service (FaaS) computing, a subset of platform as a service (PaaS). Although both terms may be used to describe the service Kevin uses, the best answer is FaaS, because it is more specific.

7
Q

Under the shared responsibility model, which component always remains the responsibility of the customer, regardless of the cloud service model used?

A. Application

B. Hardware

C. Datacenter

D. Data

A

Answer:

D. In the shared responsibility model, the customer always retains either full or partial responsibility for data security. Hardware and physical datacenters are the cloud provider’s responsibility under all models. Applications are the customer’s responsibility under IaaS, the provider’s responsibility under SaaS, and a shared responsibility under PaaS.

8
Q

Which one of the following services is not an example of FaaS computing?

A. Lambda

B. DeepLens

C. Google Cloud Functions

D. Azure Functions

A

Answer:

B. AWS Lambda, Google Cloud Functions, and Microsoft Azure Functions are all examples of function as a service (FaaS) computing. AWS DeepLens is an AI-enabled camera.

9
Q

Which cloud computing deployment model requires the use of a unifying technology platform to tie together components from different providers?

A. Public cloud

B. Private cloud

C. Community cloud

D. Hybrid cloud

A

Answer:

D. Hybrid cloud environments blend elements of public, private, and/or community cloud solutions. A hybrid cloud requires the use of technology that unifies the different cloud offerings into a single, coherent platform.

10
Q

Which one of the following would not commonly be available as an IaaS service offering?

A. CRM

B. Storage

C. Networking

D. Computing

A

Answer:

A. Customer relationship management (CRM) packages offered in the cloud would be classified as software as a service (SaaS), since they are not infrastructure components. Storage, networking, and computing resources are all common IaaS offerings.

11
Q

Which one of the following is a characteristic of DevOps approaches to technology?

A. Isolating operations teams from development teams

B. Requiring clear hand-offs between development and production

C. Increasing the frequency of application releases

D. Eliminating the need for developers to understand business requirements

A

Answer:

C. DevOps approaches to software development and technology operations increase the frequency of releases by automating software testing and release processes. The other options are characteristic of legacy approaches to technology.

12
Q

Which one of the following is not an example of infrastructure as code?

A. Defining infrastructure in JSON

B. Writing code to interact with a cloud provider’s API

C. Using a cloud provider’s web interface to provision resources

D. Defining infrastructure in YAML

A

Answer:

C. Infrastructure as code is any approach that automates the provisioning, management, and deprovisioning of cloud resources. Defining resources through JSON or YAML is IaC, as is writing code that interacts with an API. Provisioning resources through a web interface is manual, not automated, and therefore does not qualify as IaC.

13
Q

Which one of the following conditions is not likely to trigger an alert during an automated cloud security assessment?

A. Presence of an API key in a public repository

B. Unrestricted API keys

C. Transmission of an API key over unsecured channels

D. Sharing of API keys among different developers

A

Answer:

D. All of these issues are security vulnerabilities that should be addressed. Cloud assessment tools would be able to identify most of these issues, but they would have no way of knowing that two or more developers are sharing an API key.

14
Q

Brian is selecting a CASB for his organization and he would like to use an approach that interacts with the cloud provider directly. Which CASB approach is most appropriate for his needs?

A. Inline CASB

B. Outsider CASB

C. Comprehensive CASB

D. API-based CASB

A

Answer:

D. API-based CASB solutions interact directly with the cloud provider through the provider’s API. Inline CASB solutions intercept requests between the user and the provider. Outsider and comprehensive are not categories of CASB solutions.

15
Q

A coalition of universities banded together and created a cloud computing environment that is open to all member institutions. The services provided are basic IaaS components. What term best describes this cloud model?

A. Public cloud

B. Private cloud

C. Community cloud

D. Hybrid cloud

A

Answer:

C. Community cloud deployments may offer IaaS, PaaS, and/or SaaS solutions. Their defining characteristic is that access is limited to members of a specific community.

16
Q

In which cloud computing service model does the customer share responsibility with the cloud provider for datacenter security?

A. IaaS

B. SaaS

C. PaaS

D. None of the above

A

Answer:

D. Cloud service providers bear sole responsibility for datacenter security in all cloud service models.

17
Q

Which one of the following statements about inline CASB is incorrect?

A. Inline CASB solutions often use software agents on endpoints.

B. Inline CASB solutions intercept requests from users to cloud providers.

C. Inline CASB solutions can monitor activity but cannot actively enforce policy.

D. Inline CASB solutions may require network reconfiguration.

A

Answer:

C. Inline CASB solutions require either network reconfiguration or the use of a software agent. They intercept requests from users to cloud providers and, by doing so, are able to both monitor activity and enforce policy.

18
Q

What type of credential is commonly used to restrict access to an API?

A. Encryption key

B. API key

C. Password

D. Biometrics

A

Answer:

B. API keys are used to identify and authenticate the user, system, or application that is connecting to an API.

19
Q

Gina gained access to a client’s AWS account during a penetration test. She would like to determine what level of access she has to the account. Which one of the following tools would best meet her need?

A. ScoutSuite

B. Inspector

C. Prowler

D. Pacu

A

Answer:

D. Pacu is an AWS-specific exploitation framework. It is particularly well suited to identifying the permissions available to an account during a penetration test. ScoutSuite, Inspector, and Prowler are all assessment tools that would not directly provide the information that Gina seeks.

20
Q

In which of the following cloud categories are customers typically charged based on the number of virtual server instances dedicated to their use?

A. IaaS only

B. SaaS only

C. IaaS and PaaS

D. IaaS, SaaS, and PaaS

A

Answer:

C. Customers are typically charged for server instances in both IaaS environments, where they directly provision those instances, and PaaS environments, where they request the number of servers needed to support their applications. In an SaaS environment, the customer typically has no knowledge of the number of server instances supporting their use.