1
WGU D488 Final Exam Actual Exam
2026/2027 | Cybersecurity
Architecture and Engineering | WGU |
Questions with Verified Answers |
100% Correct | Pass Guaranteed
Q001: A global enterprise is migrating its legacy SOA stack to a cloud -native
microservices architecture. The CISO mandates that every service-to-service call
use short-lived, identity-bound tokens that are automatically rotated and that
include claims for both authentication and fine-grained authorization. Which
architectural pattern best satisfies these requirements while minimizing latency in a
zero-trust network? A. Embed long-lived API keys in Kubernetes secrets and
rotate them weekly via CI/CD
B. Issue JWT-SVIDs from an SPIFFE-compliant identity plane and verify them at
each hop using Envoy sidecars with mTLS
C. Store static OAuth2 bearer tokens in Vault and inject them into pods via init
containers
D. Use AWS IAM user access keys signed with SHA-256 and attach resource
policies to each microservice
ANSWER: B
Q002: During the design phase of a green-field IaaS landing zone, the architecture
team must choose a key-management strategy that provides deterministic
addressing of keys across 30 AWS accounts, enforces quorum-based deletion, and
maintains a 1:1 mapping between key policy versions and CMK rotations. Which
AWS-native construct should be adopted? A. AWS-managed CMKs with
automatic rotation every 365 days
B. Customer-managed CMKs in a central KMS account with cross-account key
policies and AWS CloudHSM for quorum controls
C. External key material imported into KMS using RSA-2048 and stored in S3
, 2
with bucket-key encryption
D. AWS CloudHSM clusters in each account with client-side SDK caching and
manual key synchronization
ANSWER: B
Q003: A SaaS provider is implementing a SABSA-based security architecture. The
business-attribute “Assured Customer Data Isolation” is mapped to a control
objective requiring that a tenant’s encrypted backup cannot be decrypted even if
another tenant’s application credentials are compromised. Which technical control
best realizes this objective? A. Tenant-scoped IAM roles with S3 bucket policies
and SSE-S3
B. Envelope encryption using per-tenant KEKs in a FIPS-140-3 HSM and separate
data-keys stored in DynamoDB with tenant-id as partition key
C. AWS KMS multi-tenant CMK with key-policy conditions on aws:userid
D. Server-side encryption using AES-256-GCM with a single shared KEK rotated
every 90 days
ANSWER: B
Q004: A Fortune 100 company is adopting a TOGAF ADM cycle. In Phase C
(Information Systems Architecture) the security team discovers that a proposed
CRM system will store EU employee data in a US-based data lake without
tokenization. Which ADM security extension artifact should be updated first? A.
Solution Concept Diagram
B. Risk Management Framework (RMF) overlay in the Architecture Requirements
Specification
C. Business Footprint Matrix
D. Consolidated Gaps, Solutions, & Dependencies matrix
ANSWER: B
Q005: A cloud-security reference architecture requires that every CI/CD pipeline
stage produce a signed SBOM in CycloneDX format and that the image be rejected
if any component has a CVSS >7.0 without a compensating control. Which open -
source toolchain best automates this gating rule in a GitOps workflow? A. Sigstore
Cosign + Syft + Open Policy Agent (OPA) gatekeeper in Kubernetes
B. OWASP ZAP + SonarQube + Jenkins “fail-fast” plugin
C. Anchore Engine + Clair + Kubernetes NetworkPolicies
, 3
D. Snyk CLI + Terraform Sentinel + AWS Config Rules
ANSWER: A
Q006: A zero-trust network segmentation project mandates that east-west traffic
between Kubernetes pods in different namespaces be denied by default and that
policy changes be version-controlled in Git. Which Kubernetes-native combination
best enforces this requirement? A. Calico NetworkPolicies with optional egress
controllers and Styra Declarative Authorization Service
B. Kubernetes NetworkPolicies alone with kubectl apply
C. Istio AuthorizationPolicies with mTLS strict mode and OPA Gatekeeper
syncing policies via CRDs
D. Cilium ClusterwideNetworkPolicies with BPF-based enforcement and Flux
GitOps reconciliation
ANSWER: D
Q007: A financial-services firm is designing a cryptographic key lifecycle for post-
quantum readiness. Data-at-rest must remain confidential for 25 years. Which
hybrid approach provides the strongest forward secrecy while maintaining FIPS
compliance today? A. RSA-3072 with AES-256-GCM and SHA-384
B. ECDH P-384 with Kyber-768 key encapsulation and AES-256-XTS
C. Lattice-based NTRU with classical TLS 1.3 handshake
D. DH-2048 with 3DES-EDE and SHA-256
ANSWER: B
Q008: An enterprise wants to implement a cloud-agnostic secret-management
plane that supports automatic rotation of RDS credentials, injects secrets as tmpfs
volumes into containers, and maintains an audit trail with immutable logs. Which
solution best fits these requirements? A. AWS Secrets Manager with Lambda
rotation and CloudTrail Lake
B. HashiCorp Vault with dynamic secrets, Kubernetes CSI driver, and integrated
audit device
C. Azure Key Vault with Event Grid and AKS pod-identity
D. Google Secret Manager with Cloud Functions rotation and Cloud Logging
ANSWER: B
Q009: A security architect is mapping CIS Controls v8 to AWS controls. CIS
Control 3 (Data Protection) requires that sensitive data be encrypted in transit and
WGU D488 Final Exam Actual Exam
2026/2027 | Cybersecurity
Architecture and Engineering | WGU |
Questions with Verified Answers |
100% Correct | Pass Guaranteed
Q001: A global enterprise is migrating its legacy SOA stack to a cloud -native
microservices architecture. The CISO mandates that every service-to-service call
use short-lived, identity-bound tokens that are automatically rotated and that
include claims for both authentication and fine-grained authorization. Which
architectural pattern best satisfies these requirements while minimizing latency in a
zero-trust network? A. Embed long-lived API keys in Kubernetes secrets and
rotate them weekly via CI/CD
B. Issue JWT-SVIDs from an SPIFFE-compliant identity plane and verify them at
each hop using Envoy sidecars with mTLS
C. Store static OAuth2 bearer tokens in Vault and inject them into pods via init
containers
D. Use AWS IAM user access keys signed with SHA-256 and attach resource
policies to each microservice
ANSWER: B
Q002: During the design phase of a green-field IaaS landing zone, the architecture
team must choose a key-management strategy that provides deterministic
addressing of keys across 30 AWS accounts, enforces quorum-based deletion, and
maintains a 1:1 mapping between key policy versions and CMK rotations. Which
AWS-native construct should be adopted? A. AWS-managed CMKs with
automatic rotation every 365 days
B. Customer-managed CMKs in a central KMS account with cross-account key
policies and AWS CloudHSM for quorum controls
C. External key material imported into KMS using RSA-2048 and stored in S3
, 2
with bucket-key encryption
D. AWS CloudHSM clusters in each account with client-side SDK caching and
manual key synchronization
ANSWER: B
Q003: A SaaS provider is implementing a SABSA-based security architecture. The
business-attribute “Assured Customer Data Isolation” is mapped to a control
objective requiring that a tenant’s encrypted backup cannot be decrypted even if
another tenant’s application credentials are compromised. Which technical control
best realizes this objective? A. Tenant-scoped IAM roles with S3 bucket policies
and SSE-S3
B. Envelope encryption using per-tenant KEKs in a FIPS-140-3 HSM and separate
data-keys stored in DynamoDB with tenant-id as partition key
C. AWS KMS multi-tenant CMK with key-policy conditions on aws:userid
D. Server-side encryption using AES-256-GCM with a single shared KEK rotated
every 90 days
ANSWER: B
Q004: A Fortune 100 company is adopting a TOGAF ADM cycle. In Phase C
(Information Systems Architecture) the security team discovers that a proposed
CRM system will store EU employee data in a US-based data lake without
tokenization. Which ADM security extension artifact should be updated first? A.
Solution Concept Diagram
B. Risk Management Framework (RMF) overlay in the Architecture Requirements
Specification
C. Business Footprint Matrix
D. Consolidated Gaps, Solutions, & Dependencies matrix
ANSWER: B
Q005: A cloud-security reference architecture requires that every CI/CD pipeline
stage produce a signed SBOM in CycloneDX format and that the image be rejected
if any component has a CVSS >7.0 without a compensating control. Which open -
source toolchain best automates this gating rule in a GitOps workflow? A. Sigstore
Cosign + Syft + Open Policy Agent (OPA) gatekeeper in Kubernetes
B. OWASP ZAP + SonarQube + Jenkins “fail-fast” plugin
C. Anchore Engine + Clair + Kubernetes NetworkPolicies
, 3
D. Snyk CLI + Terraform Sentinel + AWS Config Rules
ANSWER: A
Q006: A zero-trust network segmentation project mandates that east-west traffic
between Kubernetes pods in different namespaces be denied by default and that
policy changes be version-controlled in Git. Which Kubernetes-native combination
best enforces this requirement? A. Calico NetworkPolicies with optional egress
controllers and Styra Declarative Authorization Service
B. Kubernetes NetworkPolicies alone with kubectl apply
C. Istio AuthorizationPolicies with mTLS strict mode and OPA Gatekeeper
syncing policies via CRDs
D. Cilium ClusterwideNetworkPolicies with BPF-based enforcement and Flux
GitOps reconciliation
ANSWER: D
Q007: A financial-services firm is designing a cryptographic key lifecycle for post-
quantum readiness. Data-at-rest must remain confidential for 25 years. Which
hybrid approach provides the strongest forward secrecy while maintaining FIPS
compliance today? A. RSA-3072 with AES-256-GCM and SHA-384
B. ECDH P-384 with Kyber-768 key encapsulation and AES-256-XTS
C. Lattice-based NTRU with classical TLS 1.3 handshake
D. DH-2048 with 3DES-EDE and SHA-256
ANSWER: B
Q008: An enterprise wants to implement a cloud-agnostic secret-management
plane that supports automatic rotation of RDS credentials, injects secrets as tmpfs
volumes into containers, and maintains an audit trail with immutable logs. Which
solution best fits these requirements? A. AWS Secrets Manager with Lambda
rotation and CloudTrail Lake
B. HashiCorp Vault with dynamic secrets, Kubernetes CSI driver, and integrated
audit device
C. Azure Key Vault with Event Grid and AKS pod-identity
D. Google Secret Manager with Cloud Functions rotation and Cloud Logging
ANSWER: B
Q009: A security architect is mapping CIS Controls v8 to AWS controls. CIS
Control 3 (Data Protection) requires that sensitive data be encrypted in transit and
