By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Cloud security protects data, applications, and infrastructure in cloud environments from threats like breaches, leaks, and unauthorized access. Businesses use it to secure workloads in AWS, Azure, or Google Cloud while maintaining compliance, reducing risk, and enabling safe digital transformation.
A secure cloud deployment typically includes:
DDoS Protection: Mitigate attacks (e.g., AWS Shield, Azure DDoS Protection).
Identity Layer
Multi-Factor Authentication (MFA): Require a second factor for logins.
Data Layer
Access Controls: Restrict who can read/write data (e.g., S3 bucket policies).
Application Layer
Container Security: Scan images for vulnerabilities (e.g., AWS ECR, Azure Container Registry).
Monitoring & Response
Simple Diagram (Text-Based):
[Internet] → [Firewall/WAF] → [Public Subnet (Web Servers)] → [Private Subnet (DB/App Servers)] ↑ ↑ [DDoS Protection] [IAM + MFA] ↑ ↑ [CloudTrail Logs] → [SIEM (GuardDuty/Sentinel)]
Goal: Create an S3 bucket with encryption, logging, and restricted access.
Create a bucket with encryption: bash aws s3api create-bucket --bucket my-secure-bucket --region us-east-1 --create-bucket-configuration LocationConstraint=us-east-1 aws s3api put-bucket-encryption --bucket my-secure-bucket --server-side-encryption-configuration '{ "Rules": [ { "ApplyServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }'
bash aws s3api create-bucket --bucket my-secure-bucket --region us-east-1 --create-bucket-configuration LocationConstraint=us-east-1 aws s3api put-bucket-encryption --bucket my-secure-bucket --server-side-encryption-configuration '{ "Rules": [ { "ApplyServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }'
Enable access logging: bash aws s3api put-bucket-logging --bucket my-secure-bucket --bucket-logging-status '{ "LoggingEnabled": { "TargetBucket": "my-secure-bucket", "TargetPrefix": "logs/" } }'
bash aws s3api put-bucket-logging --bucket my-secure-bucket --bucket-logging-status '{ "LoggingEnabled": { "TargetBucket": "my-secure-bucket", "TargetPrefix": "logs/" } }'
Restrict access with a bucket policy: bash aws s3api put-bucket-policy --bucket my-secure-bucket --policy '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [ "arn:aws:s3:::my-secure-bucket", "arn:aws:s3:::my-secure-bucket/*" ], "Condition": { "NotIpAddress": {"aws:SourceIp": "192.0.2.0/24"} } } ] }'
bash aws s3api put-bucket-policy --bucket my-secure-bucket --policy '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [ "arn:aws:s3:::my-secure-bucket", "arn:aws:s3:::my-secure-bucket/*" ], "Condition": { "NotIpAddress": {"aws:SourceIp": "192.0.2.0/24"} } } ] }'
Enable versioning (for recovery): bash aws s3api put-bucket-versioning --bucket my-secure-bucket --versioning-configuration Status=Enabled
bash aws s3api put-bucket-versioning --bucket my-secure-bucket --versioning-configuration Status=Enabled
Expected Outcome: - Bucket is encrypted at rest.- Access is restricted to a specific IP range.- All actions are logged.- Files can be recovered if deleted.
*
"Action": "s3:*"
json { "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::my-bucket/*" }
allowBlobPublicAccess
false
Your team deploys a new S3 bucket for storing customer uploads. Which of the following is the most secure way to configure it?
A) Enable public read access so customers can download their files.B) Use a bucket policy to restrict access to a specific IP range and enable encryption.C) Store files without encryption to improve performance.D) Use IAM roles with full S3 access for all developers.
Correct Answer: B Explanation: Restricting access to a specific IP range and enabling encryption follows the principle of least privilege and data protection.Why the Distractors Are Tempting: - A: Public access is convenient but risky (common misconfiguration).- C: Performance is important, but encryption is non-negotiable for security.- D: Over-permissive IAM roles are a frequent cause of breaches.
A developer accidentally commits AWS access keys to a public GitHub repository. What is the first action you should take?
A) Delete the repository to remove the keys.B) Rotate the keys immediately and revoke the old ones.C) Contact GitHub support to remove the commit.D) Enable MFA for the IAM user.
Correct Answer: B Explanation: Rotating keys prevents attackers from using the exposed credentials. Revoking old keys is critical.Why the Distractors Are Tempting: - A: Deleting the repo doesn’t invalidate the keys.- C: GitHub support may take time; immediate action is needed.- D: MFA is important but doesn’t address the immediate risk.
You’re designing a cloud architecture for a financial app. Which of the following is the best way to secure database credentials?
A) Store them in a configuration file in the application code.B) Use environment variables in the deployment script.C) Store them in a cloud secret manager (e.g., AWS Secrets Manager) and rotate them automatically.D) Hardcode them in the database connection string.
Correct Answer: C Explanation: Secret managers provide encryption, access controls, and automatic rotation.Why the Distractors Are Tempting: - A/B/D: These are common but insecure practices (credentials can leak in logs or code).
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.