WGU D488 Actual Exam Questions and Answers with Rationales 2026/2027 | Cybersecurity Architecture & Engineering Final | OA Test Bank | Pass Guarantee
Q001: A multinational enterprise is mapping its cybersecurity architecture to
business objectives. Which SABSA layer is MOST appropriate for defining
security-driven business goals?
Options:
A. Physical
B. Component
C. Contextual - CORRECT
D. Logical
ANSWER: C
Q002: During the TOGAF ADM Phase C, the security architect discovers that
customer PII is stored in an unencrypted RDBMS. Which ADM phase should
address this risk?
Options:
A. Phase A: Architecture Vision
B. Phase B: Business Architecture
C. Phase C: Information Systems Architecture - CORRECT
D. Phase E: Opportunities and Solutions
ANSWER: C
Q003: A green-field cloud-native application will be deployed in AWS. The CISO
mandates defense-in-depth and zero-trust principles. Which combination BEST
embodies these tenets?
Options:
A. Single VPC, one subnet, security-group rules open to 0.0.0.0/0
B. IAM roles, VPC segmentation, ALB with WAF, GuardDuty, KMS-encrypted S3 - CORRECT
D. Shared SSH keys, public S3 buckets, open NACLs
ANSWER: B
Q004: An architect is selecting a public-key algorithm for long-term data
confidentiality (> 20 years). Which NIST-approved algorithm offers
quantum-resistant security?
Options:
A. RSA-4096
B. ECDH P-384
C. Kyber (ML-KEM) - CORRECT
D. DSA-2048
ANSWER: C
Q005: The enterprise PKI’s CRL endpoint is experiencing availability issues.
Which alternative revocation mechanism provides higher resilience and real-time
status?
Options:
A. Manual certificate whitelisting
B. OCSP stapling - CORRECT
C. Longer certificate lifespans
D. Static CRL caching only
ANSWER: B
Q006: A DevOps pipeline requires secrets (API keys, DB credentials). Which
toolset BEST enforces least-privilege, auditability, and automatic rotation?
Options:
A. Hard-coded in GitHub
B. Kubernetes ConfigMaps
C. HashiCorp Vault - CORRECT
D. Shared Google Doc
ANSWER: C
Q007: A microservice uses mTLS for east-west traffic. The security engineer wants
to offload TLS processing and enforce consistent policies. Which architectural
pattern is MOST suitable?
Options:
A. Service mesh (e.g., Istio) - CORRECT
B. Direct service-to-service TLS
C. SSH tunnels
D. GRE tunnels
ANSWER: A
Q008: An organization must encrypt data at rest on EBS volumes AND allow
granular key revocation per project. Which AWS encryption approach BEST meets
these requirements?
Options:
A. AWS-managed keys (AWS KMS default)
B. Customer-managed keys in AWS KMS with key policies - CORRECT
C. Transparent disk encryption outside AWS