Mumo (2026/2027)
Principles of Cloud Computing Security | Key Domains: Shared Responsibility Model, Data
Encryption (In-Transit & At-Rest), Identity & Access Management (IAM), Cloud Security Posture
Management (CSPM), Incident Response in the Cloud, and Compliance Frameworks (SOC 2, ISO
27001, GDPR) | Expert-Aligned Structure | Multiple-Choice Q&A Format
Introduction
This structured Cloud Data Security Q&A for 2026/2027 provides 70 multiple-choice questions
with correct answers and rationales. It is designed to address the unique security challenges and
best practices associated with protecting data and workloads in public, private, and hybrid cloud
environments, aligning with industry standards and major cloud provider frameworks.
Q&A Structure:
• Cloud Security Practice Bank: (70 MULTIPLE-CHOICE QUESTIONS)
Answer Format
All correct answers and security configurations must appear in bold and cyan blue, accompanied
by concise rationales explaining the division of responsibility in the cloud shared responsibility
model, the appropriate use of a specific security service (e.g., AWS KMS for encryption key
management), the principle of least privilege in IAM policy design, the purpose of a CSPM tool, the
steps in a cloud incident response plan, and why the alternative multiple-choice options create
security gaps, misconfigure resources, or violate compliance requirements.
1. In the AWS Shared Responsibility Model, which of the following is the customer’s
responsibility?
A. Physical security of data centers
B. Patching of the hypervisor
C. Configuration of security groups for EC2 instances
D. Maintenance of the underlying network infrastructure
Rationale: Under the AWS Shared Responsibility Model, AWS is responsible for "security of the cloud"
(infrastructure), while customers are responsible for "security in the cloud." This includes configuring
firewalls (security groups), managing IAM policies, and encrypting data. Options A, B, and D fall under
AWS’s infrastructure responsibilities.
2. Which encryption method protects data as it moves between a user’s browser and a cloud
application?
A. AES-256 at rest
B. TLS (Transport Layer Security)
C. Disk-level full volume encryption
D. Hash-based message authentication
Rationale: TLS encrypts data in transit over networks, such as between a client and a web server.
AES-256 and disk encryption protect data at rest. Hashing ensures integrity but not confidentiality.
Only TLS secures data during transmission.
3. What is the primary purpose of Identity and Access Management (IAM) in cloud
environments?
A. To monitor network traffic for anomalies
B. To automatically scale compute resources
C. To enforce the principle of least privilege for users and services
D. To back up data to secondary regions
Rationale: IAM systems control who (users, roles, services) can access which resources and under what
conditions. The core security principle is least privilege—granting only necessary permissions. Other
options relate to monitoring, scaling, and backup, which are separate functions.
4. A Cloud Security Posture Management (CSPM) tool is primarily used to:
A. Encrypt all stored customer data automatically
B. Provide real-time DDoS protection
C. Detect misconfigurations and compliance violations across cloud accounts
D. Replace the need for manual penetration testing
Rationale: CSPM tools continuously assess cloud environments against security best practices and
compliance benchmarks (e.g., CIS, GDPR). They identify risky configurations like public S3 buckets or
overly permissive IAM roles. They do not handle encryption, DDoS mitigation, or fully replace
human-led testing.
5. During a cloud security incident, what is the first recommended step in an incident
response plan?
A. Notify all customers immediately
B. Contain the affected systems to prevent further damage
C. Delete all logs to preserve system performance
D. Rebuild all virtual machines from scratch
Rationale: Containment is critical to limit blast radius—e.g., isolating a compromised instance or
revoking credentials. Notification follows after assessment; deleting logs destroys evidence; rebuilding
may be part of recovery but not the first step. Preservation of forensic data is essential.
6. Which compliance framework specifically addresses data protection and privacy for
individuals within the European Union?
A. SOC 2
B. ISO 27001
C. GDPR