Quiz: Cloud Security

A 26-question self-check covering shared responsibility, cloud IAM, the misconfiguration epidemic, CSPM/CWPP and guardrails, and cloud logging. Several questions are tagged with the certification domain they map to — [Sec+] for CompTIA Security+ and [CISSP] for the (ISC)² CISSP. Answers and one-line explanations are at the end; try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] Under the shared-responsibility model, which task is always the customer's, in every service model including SaaS? A. patching the hypervisor B. physical datacenter security C. managing who has access to the data D. maintaining the storage service's durability

2. As you move from IaaS to PaaS to SaaS, the customer's share of the security responsibility: A. increases B. stays the same C. decreases D. becomes the provider's entirely

3. [Sec+] A storage bucket whose ACL grants READ to the AllUsers group is: A. readable only by your account B. readable by anyone on the internet C. encrypted by default D. blocked by IAM automatically

4. The leading cause of cloud data-exposure breaches is: A. provider hypervisor compromise B. customer misconfiguration C. expired TLS certificates D. quantum decryption

5. [CISSP] In the cloud, the statement "identity is the new perimeter" means that access is primarily decided by: A. the source IP's network location B. who the authenticated principal is and what it may do C. the physical datacenter D. the VLAN the resource sits on

6. An IAM policy with "Action": "*" and "Resource": "*" on an Allow statement grants the principal: A. read-only access B. access to one bucket C. effectively administrative control of the account D. nothing until MFA is added

7. [Sec+] A security-group rule TCP / 3389 / 0.0.0.0/0 exposes which service to the entire internet? A. SSH B. PostgreSQL C. Windows Remote Desktop (RDP) D. HTTPS

8. The instance metadata service is reachable from a cloud VM at the address: A. 127.0.0.1 B. 10.0.0.1 C. 169.254.169.254 D. 8.8.8.8

9. [CISSP] A tool that continuously scans cloud accounts for misconfigurations and compliance violations (public buckets, over-broad IAM, open security groups) is best described as: A. CWPP B. CSPM C. SIEM D. WAF

10. A control that protects the running workload (VM, container, function) against vulnerabilities and runtime threats — rather than the account's configuration — is: A. CSPM B. CWPP C. an IAM policy D. a service control policy

11. [Sec+] The difference between a guardrail and a gate is best stated as: A. a guardrail is detective; a gate is preventive B. a guardrail blocks only the unsafe action automatically; a gate stops a deployment for human review C. they are identical D. a gate scales better in the cloud

12. On AWS, the service that records every API call (who, what, when, from where, result) is: A. CloudWatch metrics B. CloudTrail C. S3 access points D. GuardDuty

13. [Sec+] Which CloudTrail event is among the highest-value alerts because there is almost no legitimate reason for it? A. GetObject B. DescribeInstances C. StopLogging / DeleteTrail D. ListBuckets

14. The recommended way to give a cloud VM the credentials it needs is: A. embed a long-lived AKIA... access key in the code B. attach an IAM role that supplies temporary, auto-rotating credentials C. share the root account password D. disable IAM for that VM

15. "S3 Block Public Access" enabled account-wide is an example of a: A. detective control B. preventive guardrail C. compensating control D. gate


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

16. "Because AWS, Azure, and GCP are highly secure, a deployment on them is automatically secure."

17. [Sec+] "Encryption at rest in the cloud is entirely the provider's responsibility and is always on by default."

18. "A least-privilege IAM policy and an over-broad one are equally fine as long as the application works correctly in testing."

19. "A security group is conceptually a firewall, so the default-deny principle from Chapter 7 applies to it."

20. "If logging is disabled in a cloud account, a breach in that account may leave no trace."


Section 3 — Fill in the blank (1 pt each)

21. The model that divides security duties between the cloud provider and the customer is the ________ ________ model.

22. [Sec+] A cloud resource left in an insecure state through a setting the customer controls is a cloud ________.

23. The principle that a principal should hold only the minimum permissions required for its job is called ________ ________.

24. The hierarchy of cloud control-plane defenses is: prevent with ________, detect with ________, and protect workloads with ________.


Section 4 — Short answer (2 pts each)

25. [CISSP] Explain why "data" and "identity/access" are the customer's responsibility in every cloud service model, and why this explains where most cloud breaches occur.

26. A single CloudTrail event shows PutBucketAcl with x-amz-acl: public-read on a customer-data bucket, made by an unfamiliar IAM user from an unusual source IP. State the three facts this one event gives a defender and the immediate action.


Answer Key

1. **C** — data and access management are always the customer's, in every model.

2. **C** — moving up the stack hands more layers to the provider, shrinking your share.

3. **B** — `AllUsers` means everyone on the internet, unauthenticated.

4. **B** — customer misconfiguration is the dominant cause; provider-side compromise is rare.

5. **B** — access is decided by the authenticated principal and its permissions, not network location.

6. **C** — wildcard action and resource is effectively administrator.

7. **C** — port 3389 is RDP.

8. **C** — `169.254.169.254` is the link-local metadata endpoint.

9. **B** — CSPM scans configuration.

10. **B** — CWPP protects the running workload.

11. **B** — a guardrail auto-blocks only the unsafe action; a gate halts for human review.

12. **B** — CloudTrail.

13. **C** — disabling logging has almost no legitimate use and signals an intruder covering tracks.

14. **B** — an attached IAM role supplies temporary credentials with no stored secret.

15. **B** — a preventive guardrail that makes public buckets structurally impossible.

16. **F** — provider infrastructure security does not extend into the customer's configuration; you can still expose data.

17. **F** — encryption at rest is typically *shared*: the provider supplies it but it is often off until the customer enables it and manages keys.

18. **F** — the over-broad policy enables total account compromise if the credential leaks; "it works" does not measure blast radius.

19. **T** — a security group is a stateful firewall, so default-deny (restrict source, expose only what is needed) applies.

20. **T** — without the audit log there is no record of the attacker's API calls, which is why protecting and enabling logging is foundational.

21. shared responsibility.

22. misconfiguration.

23. least privilege.

24. guardrails; CSPM; CWPP.

25. The provider cannot decide which of the customer's data is sensitive or who in the customer's organization should have access — these are business judgments encoded by the customer — so they remain the customer's in every model; consequently most cloud breaches are data exposed via misconfigured storage or access granted too broadly via misconfigured IAM, the two always-yours layers.

26. The event tells the defender (a) *what* — a customer-data bucket just became publicly readable; (b) *who/what* — the named IAM user; (c) *from where* — the source IP (unfamiliar, suggesting possible credential compromise). Immediate action: make the bucket private again (or rely on Block Public Access), then disable/investigate the credential and scope what data was exposed.

**Topics to review by question:** 1–2, 16–17, 21 → §15.1–15.2 (shared responsibility, service models); 5–6, 14, 23 → §15.3 (cloud IAM); 3–4, 7–8, 18–19, 22 → §15.4 (misconfigurations); 9–11, 15, 24 → §15.5 (CSPM/CWPP/guardrails); 12–13, 20, 26 → §15.6 (logging & detection); 25 → §15.1–15.2.