CSA CCSK Exam Questions

Questions for the CCSK were updated on: Nov 21, 2025

Page 1 out of 22. Viewing questions 1-15 out of 320

Question 1

What is the purpose of the "Principle of Least Privilege" in Identity and Access Management (IAM)?

  • A. To minimize the risk of unauthorized access by assigning access rights based on role requirements
  • B. To streamline access across diverse systems or organizations
  • C. To continuously monitor user activity for suspicious behavior
  • D. To implement multiple layers of security checks for access control
Answer: A

Explanation:
The Principle of Least Privilege (PoLP) is a foundational concept in IAM, highlighted in the CSA Security Guidance v4.0 – Domain 12: Identity, Entitlement, and Access Management. It ensures users, systems, and processes are granted only the permissions necessary to perform their tasks — and nothing more.

“Least privilege refers to granting the minimum level of access — or permissions — needed for users or services to perform their required functions, thereby reducing the attack surface and limiting potential damage from misuse or compromise.”
— CSA Security Guidance v4.0, Domain 12

This principle:
  • Reduces the likelihood of accidental or malicious misuse
  • Limits damage in the case of credential theft
  • Supports compliance with least privilege mandates in frameworks like ISO/IEC 27001 and NIST

Incorrect options:
  • B is related to federation, not least privilege
  • C involves monitoring and analytics, not permission assignment
  • D is about defense in depth, which is broader than PoLP

Reference:
  • CSA Security Guidance v4.0 – Domain 12: IAM
  • CCM v3.0.1 – IAM-01, IAM-05 (Covers least privilege and role-based access control)

Question 2

What is an important step in conducting forensics on containerized and serverless environments?

  • A. Implementing endpoint detection and response (EDR) solutions
  • B. Isolating network traffic and analyzing network packets frequently
  • C. Regularly updating antivirus and anti-malware software
  • D. Capturing container logs and snapshots, and leveraging serverless execution logs
Answer: D

Explanation:
The CSA Security Guidance v4.0, Domain 9: Incident Response highlights that traditional forensic techniques don't always apply in cloud-native environments like containers and serverless platforms. Instead, forensic investigators must capture ephemeral data such as logs, snapshots, and execution traces early and often.

“Forensic techniques must adapt to cloud-native environments such as containers and serverless. Important forensic data — including container logs, snapshots, and function execution logs — may be short-lived or non-persistent, so timely collection is critical.”
— CSA Security Guidance v4.0, Domain 9: Incident Response

Key points:
  • Containers and serverless functions are often short-lived.
  • You need to capture logs and memory state before they're destroyed.
  • Serverless platforms (like AWS Lambda, Azure Functions) often provide execution logs via services like CloudWatch or Application Insights.

Incorrect options:
  • A: EDR is typically focused on traditional endpoints, not containers/serverless.
  • B: Useful in general, but not specific or always applicable to serverless/container forensics.
  • C: Antivirus doesn’t apply well to ephemeral or function-based environments.

Reference:
  • CSA Security Guidance v4.0 – Domain 9: Incident Response (Container and Serverless Forensics)
  • CCM v3.0.1 – DSI-05, IVS-04 (Covers logging and snapshot control)

Question 3

Which of the following best describes the primary function of Cloud Detection and Response (CDR) in
cybersecurity?

  • A. Detect and respond to security threats in the cloud
  • B. Manage cloud-based applications
  • C. Provide cost management for cloud services
  • D. Optimize cloud storage performance
Answer: A

Explanation:
Cloud Detection and Response (CDR) is an emerging capability that focuses specifically on detecting and responding to threats in cloud environments. While not deeply detailed in the core CSA Security Guidance v4.0, CDR is an evolution of traditional SIEM and endpoint detection strategies applied to cloud-native infrastructures.

In CSA Security Guidance v4.0 – Domain 9: Incident Response, it’s made clear that:
“Security monitoring and detection capabilities in the cloud must be able to identify suspicious behavior, policy violations, and misconfigurations — often across multiple layers such as infrastructure, applications, and identity.”
— CSA Security Guidance v4.0, Domain 9: Incident Response

CDR platforms typically include:
  • Threat detection across cloud workloads (e.g., compute, storage, IAM misuse)
  • Real-time alerts
  • Automated or manual response mechanisms
  • Integration with cloud-native logging services like AWS CloudTrail, Azure Monitor, or GCP Audit Logs

Incorrect options:
  • B is about application management, not threat detection.
  • C relates to cloud cost optimization tools.
  • D refers to cloud storage tuning, unrelated to threat detection.

Reference:
  • CSA Security Guidance v4.0 – Domain 9: Incident Response
  • Industry context: CDR builds upon the principles of SIEM/EDR adapted for cloud

Question 4

Which Identity and Access Management (IAM) component verifies the identity of a user, process, or
device, as a prerequisite to allowing access?

  • A. Assertion
  • B. Entitlement
  • C. Authorization
  • D. Authentication
Answer: D

Explanation:
In the CSA Security Guidance v4.0, Domain 12: Identity, Entitlement, and Access Management, authentication is explicitly defined as the process that verifies the identity of a user, process, or device before granting access.

"Authentication is the act of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system."
— CSA Security Guidance v4.0, Domain 12

Here's what each term means:
  • Authentication = Verifies identity
  • Authorization = Determines access rights
  • Entitlement = Set of access rights assigned to a user
  • Assertion = Statement from an identity provider, often used in federation

So, authentication must happen before authorization. It's the first gate.

Reference:
  • CSA Security Guidance v4.0 – Domain 12: Identity, Entitlement, and Access Management
  • CCM v3.0.1 – IAM-02, IAM-03 (Covers authentication requirements)

Question 5

After an incident has been identified and classified, which activity is typically performed during the
Containment, Eradication, and Recovery phase of incident response?

  • A. Documenting lessons learned and finalizing reports
  • B. Restoring systems to operational status while preventing recurrence
  • C. Monitoring network traffic for anomalies
  • D. Identifying and classifying security threats
Answer: B

Explanation:
According to the CSA Security Guidance v4.0, Domain 9: Incident Response, the Containment, Eradication, and Recovery phase follows detection and analysis. This phase focuses on limiting the damage, removing the threat, and restoring systems to a secure operational state.

"After detection and analysis, containment, eradication, and recovery are necessary to prevent further damage and restore systems."
"Recovery is the process of restoring affected systems and services to a fully operational state in a controlled and safe manner."

This includes activities such as:
  • Removing malware or compromised systems
  • Rebuilding or restoring from backups
  • Applying patches
  • Validating that vulnerabilities are fixed
  • Monitoring for any recurrence

Incorrect options:
  • A refers to the Post-Incident Activity phase.
  • C is part of Detection and Analysis.
  • D is also part of the initial phase of the incident response cycle.

Reference:
  • CSA Security Guidance v4.0 – Domain 9: Incident Response (Section: Containment, Eradication, and Recovery)
  • NIST SP 800-61 (Referenced by CSA) – Incident Response Life Cycle

Question 6

Which of the following best describes the shared responsibility model in cloud security?

  • A. Cloud providers handle physical infrastructure security while customers handle workload security.
  • B. Cloud providers handle both infrastructure and workload security.
  • C. Neither cloud providers nor customers are responsible for security.
  • D. Customers handle both infrastructure and workload security.
Answer: A

Explanation:
The shared responsibility model is a key concept in cloud security. According to the CSA Security Guidance v4.0, Domain 1, Section 1.2.1, the responsibility for security is shared between the cloud provider and the customer, depending on the service model (IaaS, PaaS, SaaS).

Specifically:
"Infrastructure as a Service: Just like PaaS, the provider is responsible for foundational security, while the cloud user is responsible for everything they build on the infrastructure."
"At a high level, security responsibility maps to the degree of control any given actor has over the architecture stack."

This means the cloud provider handles the physical security (data center, servers, etc.), while the customer is responsible for securing the workloads they deploy on the infrastructure, such as their applications, data, configurations, and access controls.

Incorrect options:
  • B is incorrect because providers do not manage your workload or data security.
  • C is false – both parties share responsibilities.
  • D is incorrect because customers do not manage the cloud’s physical infrastructure.

Reference:
  • CSA Security Guidance v4.0 – Domain 1, Section 1.2.1: "Cloud Security and Compliance Scope and Responsibilities"
  • CSA CCM v3.0.1 – STR-02 (Responsibility Ownership)

Question 7

An organization deploys an AI application for fraud detection. Which threat is MOST likely to affect its
AI model’s accuracy?

  • A. Adversarial attacks
  • B. DDoS attacks
  • C. Third-party services
  • D. Jailbreak attack
Answer: A

Explanation:
Correct option: A. Adversarial attacks
Adversarial attacks are specifically designed to deceive AI and machine learning models by feeding them crafted inputs that result in incorrect outputs. These attacks are highly effective against AI models, especially in areas like fraud detection, where accuracy is critical.

From CSA Security Guidance v4.0 – Domain 13: Security as a Service (SecaaS) and related AI-focused security discussions:
“AI models are vulnerable to adversarial inputs, where attackers introduce subtle perturbations to input data that are imperceptible to humans but cause the AI system to make wrong decisions. These attacks degrade the accuracy and reliability of machine learning models.”
— CSA Guidance on AI Security (in Security as a Service domain)

Adversarial ML is a well-recognized field of AI security, where the goal of the attacker is to intentionally corrupt or manipulate input data, thereby lowering the performance or biasing the output of the model.

Why the other options are incorrect:
  • B. DDoS attacks: Affects availability, not accuracy. DDoS can cause downtime but doesn’t interfere with model predictions.
  • C. Third-party services: May introduce supply chain or dependency risks, but they don’t directly impact the AI model’s accuracy unless involved in training data pipelines.
  • D. Jailbreak attack: More relevant to LLMs (Large Language Models) or chatbots, not structured AI fraud detection models.

Question 8

Which feature of cloud networks ensures strong separation between customer environments?

  • A. Virtual local area network (VLANs)
  • B. Resource pooling
  • C. Software-defined networking
  • D. Elasticity
Answer: A

Explanation:
Correct option: A. Virtual Local Area Networks (VLANs)
VLANs are widely used in cloud and traditional environments to provide logical separation of network traffic. In a multi-tenant cloud environment, VLANs help ensure that one customer's network traffic is isolated from another’s, providing a key layer of segmentation and security.

From CSA Security Guidance v4.0 – Domain 7: Infrastructure Security:
“To isolate tenants in multi-tenant environments, cloud providers often rely on mechanisms such as VLANs, VXLANs, or other software-defined networking technologies. VLANs ensure that different customer environments remain logically separated even though they share the same physical infrastructure.”
— Domain 7: Infrastructure Security, CSA Security Guidance v4.0

Why the other options are incorrect:
  • B. Resource pooling: Refers to shared infrastructure in the cloud. It enables multi-tenancy but does not enforce separation between tenants.
  • C. Software-defined networking (SDN): SDN provides flexibility and programmability in networking. While it can support separation, VLANs are the actual mechanism used for enforcing it.
  • D. Elasticity: Elasticity refers to scaling resources up/down based on demand. It has nothing to do with tenant isolation or network separation.

Question 9

Why is it important to plan and coordinate response activities for incidents affecting the Cloud
Service Provider (CSP)?

  • A. It eliminates the need for monitoring systems
  • B. It ensures a systematic approach, minimizing damage and recovery time
  • C. It guarantees that no incidents will occur in the future
  • D. It reduces the frequency of security audits required
Answer: B

Explanation:
Correct option: B. It ensures a systematic approach, minimizing damage and recovery time
Effective incident response planning is critical in cloud environments due to the shared responsibility model. When an incident affects the CSP, cloud customers must be prepared to coordinate response activities, ensure clarity of roles, and maintain continuity of operations.

From CSA Security Guidance v4.0 – Domain 9: Incident Response:
“Organizations must establish systematic and coordinated incident response plans for cloud incidents. This helps to reduce the impact, minimize damage, and shorten recovery time. Coordination with the CSP is vital to ensure responsibilities are understood and executed.”
— Domain 9: Incident Response, CSA Security Guidance v4.0

The guidance emphasizes that preparation and communication channels with CSPs should be defined in advance, as delays in joint response can significantly increase the scope and impact of incidents.

Why the other options are incorrect:
  • A. It eliminates the need for monitoring systems: Incorrect. Monitoring remains essential for detecting incidents early. Planning and monitoring serve different functions.
  • C. It guarantees that no incidents will occur in the future: No system is immune to incidents. Planning reduces impact, but does not prevent incidents entirely.
  • D. It reduces the frequency of security audits required: Audits are required based on compliance and regulatory needs, not on incident response planning.

Question 10

What technology is commonly used to establish an encrypted tunnel between a remote user's device
and a private network over the public Internet?

  • A. Virtual Private Network (VPN)
  • B. Domain Name System (DNS)
  • C. Network Address Translation (NAT)
  • D. Virtual Local Area Network (VLAN)
Answer: A

Explanation:
Correct option: A. Virtual Private Network (VPN)
A Virtual Private Network (VPN) is a widely used technology that enables secure communication over untrusted networks like the public Internet. It works by creating an encrypted tunnel between the user's device and the internal private network, thereby ensuring data confidentiality, integrity, and authentication.

From CSA Security Guidance v4.0 – Domain 7: Infrastructure Security:
“Remote access solutions, such as VPNs, are commonly used to provide users with secure access to cloud or on-premises resources. VPNs create encrypted tunnels that protect data in transit, preventing unauthorized disclosure or tampering over public networks.”
— Domain 7: Infrastructure Security, CSA Security Guidance v4.0

This makes VPNs a fundamental security control when users are working remotely and need access to sensitive or internal systems.

Why the other options are incorrect:
  • B. Domain Name System (DNS): DNS translates domain names to IP addresses. It does not provide encryption or secure tunneling.
  • C. Network Address Translation (NAT): NAT modifies IP address information but does not encrypt data or create tunnels.
  • D. Virtual Local Area Network (VLAN): VLANs segment network traffic within a LAN. They do not secure remote communications over the Internet.

Question 11

Which of the following best describes the primary purpose of image factories in the context of virtual
machine (VM) management?

  • A. Automating the VM image creation processes
  • B. Managing network configurations for VMs
  • C. Providing backup solutions for VM images
  • D. Enhancing security of VM images
Answer: A

Explanation:
Correct option: A. Automating the VM image creation processes
Image factories are tools or systems designed to automate the building and maintenance of virtual machine images. They ensure that images are consistently created, updated, and patched, which is essential for maintaining a secure and manageable cloud infrastructure.

From the CSA Security Guidance v4.0 – Domain 8: Virtualization and Containers:
“Image factories are systems that automate the creation of virtual machine images. They help ensure that base images are consistently built and can include controls for security, configuration management, and compliance.”
— Domain 8: Virtualization and Containers, CSA Security Guidance v4.0

These factories often integrate with CI/CD pipelines to streamline deployment and reduce human error — a key concern in cloud security operations.

Why the other options are incorrect:
  • B. Managing network configurations for VMs: This task is typically handled by orchestration layers or cloud networking tools, not image factories.
  • C. Providing backup solutions for VM images: Image factories are not responsible for backups; they are focused on creation, not preservation.
  • D. Enhancing security of VM images: While image factories can embed security best practices during creation, their primary purpose is automation, not security enhancement per se.

Main topic: Virtualization and Containers
Source: CSA Security Guidance v4.0, Domain 8 – Virtualization and Containers

Question 12

What is the primary purpose of virtual machine (VM) image sources?

  • A. To back up data within the VM
  • B. To provide core components for VM images
  • C. To optimize VM performance
  • D. To secure the VM against unauthorized access
Answer: B

Explanation:
Correct option: B. To provide core components for VM images
In cloud computing and virtualization, VM image sources serve as base templates used to build new virtual machine instances. These image sources typically contain the core operating system, necessary drivers, and pre-installed software configurations that allow users to deploy environments quickly and consistently.

From the CSA Security Guidance v4.0 – Domain 8: Virtualization and Containers:
"The VM image repository (or image store) contains templates from which new VMs are instantiated. These base images include the core operating system and predefined settings. VM image sources ensure that instances can be created consistently and securely."
— Domain 8: Virtualization and Containers, CSA Security Guidance v4.0

Additionally, cloud providers often pre-harden these images to enhance security and ensure that they meet organizational compliance standards. However, the primary function remains to serve as starting points or blueprints for VM creation — not performance tuning or backup.

Why the other options are incorrect:
  • A. To back up data within the VM: VM image sources are not used for data backup. Backups involve capturing dynamic runtime data, while image sources are static templates used at deployment.
  • C. To optimize VM performance: Image sources do not optimize performance. Performance is influenced by hardware, resource allocation, and tuning — not the image source itself.
  • D. To secure the VM against unauthorized access: While hardened images may help reduce attack surface, security is not the primary purpose of VM image sources. That responsibility falls more under access controls, patching, and configuration management.

Main topic: Virtualization and Containers
Source: CSA Security Guidance v4.0, Domain 8 – Virtualization and Containers

Question 13

In the context of IaaS, what are the primary components included in infrastructure?

  • A. Network configuration tools, storage encryption, and virtualization platforms
  • B. Compute, network, and storage resource pools
  • C. User authentication systems, application deployment services, and database management
  • D. Load balancers, firewalls, and backup solutions
Answer: B

Explanation:
Correct option: B. Compute, network, and storage resource pools
In the Infrastructure as a Service (IaaS) model, the term “infrastructure” refers to the core physical and virtualized building blocks that form the basis of a cloud environment. These components are abstracted and pooled to offer on-demand provisioning to cloud consumers.

From the CSA Security Guidance v4.0 – Domain 1: Cloud Computing Concepts and Architectures:
“Infrastructure: The core components of a computing system: compute, network, and storage. The foundation that everything else is built on. The moving parts.”
— Section 1.1.4 Logical Model, CSA Security Guidance v4.0

Furthermore:
“IaaS consists of a facility, hardware, an abstraction layer, an orchestration (core connectivity and delivery) layer to tie together the abstracted resources, and APIs to remotely manage the resources and deliver them to consumers.”
— Section 1.1.3.1 Infrastructure as a Service, CSA Security Guidance v4.0

These components are commonly referred to as resource pools and form the foundation of what IaaS delivers: virtual machines (compute), virtual networks (networking), and object/block storage systems (storage).

Why the other options are incorrect:
  • A. Network configuration tools, storage encryption, and virtualization platforms: These are supporting technologies and security tools, not the actual infrastructure components that make up IaaS.
  • C. User authentication systems, application deployment services, and database management: These fall under PaaS (Platform as a Service) and SaaS. IaaS does not manage applications or authentication; it provides the foundation upon which these services run.
  • D. Load balancers, firewalls, and backup solutions: These are add-on services or features, not the core infrastructure components of IaaS. While often used alongside IaaS, they are not the essential building blocks of infrastructure.

Main topic: Cloud Computing Concepts and Architectures
Source: CSA Security Guidance v4.0, Domain 1, Sections 1.1.3.1 & 1.1.4

Question 14

Which of the following is a common risk factor related to misconfiguration and inadequate change
control in cybersecurity?

  • A. Failure to update access controls after employee role changes
  • B. Lack of sensitive data encryption
  • C. Lack of 3rd party service provider specialized in patch management procedures
  • D. Excessive SBOM focus
Answer: A

Explanation:
Correct option: A. Failure to update access controls after employee role changes
This falls under one of the most common risk factors related to cloud misconfiguration and poor change management. Misconfiguration errors often stem from insufficient change control, especially in dynamic environments like the cloud. According to CSA’s Security Guidance v4.0, poor governance of identity and access management (IAM) changes — such as not updating access privileges when user roles change — introduces serious security risks.

"Cloud computing is dynamic by nature. This places more importance on automation and proper governance, especially for identity and access control. Failure to remove or update access permissions after personnel changes leads to orphaned or over-permissioned accounts, which are prime targets for attackers."
— Domain 2: Governance and Enterprise Risk Management, CSA Security Guidance v4.0

Also highlighted in ENISA’s Cloud Risk Assessment:
"Loss of governance includes failing to maintain proper control over access privileges and role assignments. Poor change management and inadequate configuration reviews can leave systems open to unauthorized access."
— ENISA Cloud Computing Risk Assessment, Section R.2: Loss of Governance

Why the other options are incorrect:
  • B. Lack of sensitive data encryption: While encryption is critical, it is not directly tied to change control or misconfiguration, but rather falls under the Data Security and Encryption domain.
  • C. Lack of 3rd party service provider specialized in patch management procedures: This refers more to vendor management and Security-as-a-Service, not internal change control or misconfigurations.
  • D. Excessive SBOM focus: Software Bill of Materials (SBOM) is important for supply chain transparency, but excessive focus on it isn’t a typical misconfiguration or change control risk.

Reference:
  • CSA Security Guidance v4.0 – Domain 2: Governance and Enterprise Risk Management
  • ENISA Cloud Computing Security Risk Assessment – R.2 Loss of Governance

Question 15

When leveraging a cloud provider, what should be considered to ensure application security
requirements are met?

  • A. Fully rely on cloud provider's security features
  • B. Cloud providers guarantee complete security compliance
  • C. Assume default settings are adequate for all applications
  • D. Customize additional security measures to address gaps
Answer: D

Explanation:
Application security in the cloud must be viewed as a shared responsibility. Providers deliver basic security features, but custom configurations and additional controls are often needed to meet organizational requirements.

From CSA Security Guidance v4.0 – Domain 10: Application Security:
“Cloud consumers should not assume default security settings are sufficient. Security features provided by cloud service providers often require additional configuration and hardening. Custom security controls may be needed to address specific organizational risks and compliance needs.”
— CSA Security Guidance v4.0, Domain 10
