Domain 1: Cloud Concepts, Architecture & Design Capstone Review

Domain 1 Capstone Review: Cloud Concepts Integration

CCSP Domain 1 — Cloud Concepts, Architecture & Design Capstone (20 scenarios)
This capstone integrates concepts from all 12 modules in Domain 1. These scenarios require you to combine knowledge across sections — service models with cryptography, deployment models with IAM, SLAs with CSP evaluation. If you can handle these, you are ready for Domain 1 on the exam.

Scenario 1

A multinational corporation migrates their core ERP system to a PaaS environment. Post-migration, they discover the PaaS provider uses proprietary APIs for all integrations. A board member asks about the risk. What is the PRIMARY concern?

  A) The PaaS provider might go out of business
  B) Vendor lock-in — proprietary PaaS APIs create tight coupling that makes migration to another provider expensive and complex, reducing the organization's negotiating power and strategic flexibility
  C) Proprietary APIs are less secure than open standards
  D) Higher operational costs compared to on-premises

Answer & reasoning

Correct: B

PaaS vendor lock-in through proprietary APIs is a strategic risk. It limits flexibility, creates dependency on a single provider, and weakens negotiating position for contract renewals. Open standards and portability should be evaluated before commitment.

Scenario 2

A cloud security architect must protect classified government data in a public cloud. The assessment identifies multi-tenancy as a risk due to potential side-channel attacks. What is the MOST effective mitigation?

  A) Add additional network monitoring for anomalous behavior
  B) Implement microsegmentation between all workloads
  C) Encrypt all data at rest and in transit using AES-256
  D) Deploy on dedicated/isolated hosts that are not shared with other tenants, eliminating the physical co-tenancy that enables side-channel attacks

Answer & reasoning

Correct: D

Side-channel attacks exploit shared physical hardware. Network controls and encryption do not address this. Dedicated hosts eliminate the co-tenancy that makes side-channel attacks possible.

Scenario 3

An organization uses SAML for federation, OAuth 2.0 for API authorization, and OpenID Connect for mobile app authentication. A security reviewer asks which protocol handles user identity verification for the mobile app. What is the correct answer?

  A) OpenID Connect — it adds an identity layer (authentication) on top of OAuth 2.0. The mobile app uses OIDC for identity verification and the underlying OAuth for resource authorization
  B) All three protocols provide identical identity verification capabilities
  C) SAML handles all identity verification across the organization
  D) OAuth 2.0 handles both authorization and identity verification

Answer & reasoning

Correct: A

OIDC adds authentication (identity verification) on top of OAuth 2.0's authorization framework. The mobile app uses OIDC to verify who the user is and OAuth to determine what they can access.

Scenario 4

A financial services company evaluates a CSP that holds SOC 2 Type II, ISO 27001, and CSA STAR certifications. However, the CSP uses three sub-processors with no disclosed security certifications. The contract does not mention sub-processors. What risk exists?

  A) Supply chain risk — customer data handled by unaudited sub-processors with unknown security controls, potentially in unknown jurisdictions, outside the scope of the CSP's certifications
  B) Sub-processors do not handle customer data and pose no risk
  C) The CSP's certifications cover all sub-processors automatically
  D) The CSA STAR certification addresses sub-processor risk

Answer & reasoning

Correct: A

Certifications only cover the audited entity. Sub-processors operating outside the audit boundary handle customer data with unknown controls. The contract must require sub-processor disclosure, minimum security standards, and audit rights.

Scenario 5

A company's SLA specifies 99.95% availability. The service maintains uptime but response times increase from 200ms to 5 seconds over three months. Users cannot effectively use the application. The provider claims SLA compliance. Is the provider correct?

  A) Technically yes — if the SLA only specifies availability without performance metrics. This highlights the need for comprehensive SLAs that include response time, latency, and throughput alongside availability
  B) No — availability inherently includes performance
  C) Yes — performance is solely the customer's responsibility
  D) No — degraded performance always constitutes an SLA breach

Answer & reasoning

Correct: A

Availability and performance are separate metrics. A service can be 'up' but unusably slow. Comprehensive SLAs must specify performance metrics. Without them, the provider is technically compliant despite poor service.

Scenario 6

An organization wants to destroy data across a cloud environment where the data is replicated across 5 regions, exists in 12 backup snapshots, and has been cached by a CDN in 30 countries. What is the MOST reliable destruction method?

  A) Crypto-shredding — destroy all encryption keys, rendering ALL copies of the encrypted data permanently unrecoverable regardless of how many locations or copies exist
  B) Wait for natural data rotation to overwrite all copies eventually
  C) Overwrite the data with random bytes in each storage location
  D) Submit deletion requests to the provider for each of the 47+ locations

Answer & reasoning

Correct: A

Crypto-shredding is the only practical method for distributed cloud data destruction. Destroying the encryption keys makes all copies across all locations simultaneously unrecoverable, without needing to identify or access each individual copy.

Scenario 7

A cloud environment undergoes a zero trust architecture implementation. A senior network engineer argues that traffic within the internal VPC should be exempt from authentication and authorization checks since it has already passed perimeter controls. Is this appropriate?

  A) Yes — for non-sensitive workloads within the VPC
  B) No — zero trust requires verification of every access request regardless of network location. Internal VPC traffic could originate from compromised workloads, and assuming trust based on network position violates zero trust principles
  C) Yes — VPC traffic has already been validated at the perimeter
  D) No — but only because VPCs lack perimeter controls

Answer & reasoning

Correct: B

Zero trust means never trust, always verify, regardless of network location. Internal VPC traffic may come from compromised instances. Every request must be authenticated and authorized independently of its network origin.

Scenario 8

An organization uses a cloud KMS with BYOK (Bring Your Own Key). A security auditor asks if the CSP can ever access plaintext data. The CISO claims BYOK prevents all CSP access. Is the CISO correct?

  A) No — with BYOK, the key is imported into the CSP's KMS and exists in CSP memory during cryptographic operations. The CSP could theoretically access it. Only HYOK (Hold Your Own Key) keeps keys entirely outside the cloud
  B) No — but the risk is negligible because CSP employees are background-checked
  C) Yes — BYOK means the CSP never touches the key
  D) Yes — BYOK keys are hardware-protected within customer-controlled HSMs at all times

Answer & reasoning

Correct: A

BYOK imports keys into the CSP's infrastructure. During encryption/decryption, keys exist in CSP memory. HYOK keeps keys entirely outside the cloud, preventing any CSP access, but limits cloud-native functionality.

Scenario 9

A community cloud serves five healthcare organizations with shared regulatory requirements. One member organization suffers a major breach, and compromised credentials are used to access shared infrastructure. Three other members' patient data is exposed. What governance control was missing?

  A) Community clouds should not be used for healthcare data
  B) Better network isolation between community members
  C) Minimum security requirements for all community members, including mandatory MFA, privilege management, incident notification, and regular security assessments. Each member's security posture affects all members
  D) The cloud provider should have prevented cross-member access

Answer & reasoning

Correct: C

Community cloud governance must include minimum security standards for all members because each member's security posture affects the entire community. Shared infrastructure means shared risk, and shared risk requires shared governance.

Scenario 10

A data lifecycle assessment reveals that production customer data is used directly in cloud test environments. Developers have full access to unmasked production data. The data is encrypted at rest with the same keys as production. What is the risk?

  A) Only the key sharing is a concern; the data usage pattern is acceptable
  B) The risk is acceptable if developers sign non-disclosure agreements
  C) Encrypted data in test environments is adequately protected
  D) Developers with test environment access can decrypt and view full production customer data, violating least privilege and data minimization. Production data in non-production environments should be statically masked with realistic but fictional data

Answer & reasoning

Correct: D

Using unmasked production data in test environments gives all test users access to real customer data, violating least privilege and data minimization. Static masking permanently replaces sensitive data with fictional equivalents for safe test use.

Scenario 11

An AI-powered cloud service processes customer support tickets. The organization discovers the AI provider retains submitted data for model training. Some tickets contain PII and health information. What governance issue does this raise?

  A) AI training data is automatically anonymized and poses no risk
  B) Data submitted for AI processing may be used in ways that violate privacy regulations, data governance policies, and the purpose limitation principle. The organization must verify AI data handling through the SLA and ensure retention policies comply with regulations
  C) Only the AI provider bears responsibility for how they use submitted data
  D) AI providers always retain training data and this is standard practice

Answer & reasoning

Correct: B

AI data retention for training creates multiple governance issues: potential GDPR violations (purpose limitation), unauthorized secondary use of PII/health data, and data residency concerns if training occurs in different jurisdictions.

Scenario 12

An organization's identity provider (IdP) experiences a complete outage. All federated cloud access is unavailable. IT staff cannot manage cloud infrastructure during a simultaneous security incident. What control should have been in place?

  A) Local admin accounts on every cloud service
  B) Cached federation tokens that remain valid during outages
  C) Break-glass emergency accounts that exist outside the federated identity system, providing emergency access to critical cloud infrastructure when the IdP is unavailable
  D) A secondary federated IdP with automatic failover

Answer & reasoning

Correct: C

Break-glass accounts are emergency credentials outside normal authentication flows. They provide access when federated authentication fails, enabling incident response even during IdP outages. They must be tightly controlled, monitored, and regularly tested.

Scenario 13

A company uses three cloud providers: AWS for compute, Azure for data analytics, and GCP for machine learning. Each provider has different logging formats and retention periods. During an incident spanning all three, the investigation team cannot correlate events. What is missing?

  A) The investigation team should analyze each provider's logs independently
  B) Centralized logging with log normalization (converting different formats into a common schema) and cross-provider event correlation through a unified SIEM platform
  C) The company should standardize on a single cloud provider
  D) Each cloud provider should investigate their own portion of the incident

Answer & reasoning

Correct: B

Multi-cloud environments require centralized logging with normalization and correlation. Without a unified view, investigators cannot trace events across providers, leaving gaps in incident understanding and response.
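The normalization and correlation step that Scenario 13 calls for, as an added example that is not part of the original review: three constructed audit records in deliberately different shapes (loosely modelled on AWS, Azure and GCP audit-log styles, not real provider output) are mapped onto one schema with UTC timestamps and then chained by actor and source IP within a time window, which is what lets an investigator see one session spanning all three providers.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample records (illustrative only, not genuine provider output).
RAW_EVENTS = [
    ("aws", '{"eventTime": "2024-05-01T10:00:05Z", "eventName": "AssumeRole", '
            '"userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, '
            '"sourceIPAddress": "203.0.113.7"}'),
    ("azure", '{"time": "2024-05-01T10:02:30.123Z", '
              '"operationName": "Microsoft.Storage/storageAccounts/listKeys/action", '
              '"identity": {"claims": {"upn": "alice@example.com"}}, '
              '"callerIpAddress": "203.0.113.7"}'),
    ("gcp", '{"timestamp": "2024-05-01T10:03:10.5Z", "protoPayload": {'
            '"methodName": "google.cloud.ml.v1.ModelService.ExportModel", '
            '"authenticationInfo": {"principalEmail": "alice@example.com"}, '
            '"requestMetadata": {"callerIp": "203.0.113.7"}}}'),
    ("aws", '{"eventTime": "2024-05-01T09:00:00Z", "eventName": "DescribeInstances", '
            '"userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}, '
            '"sourceIPAddress": "198.51.100.9"}'),
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp, tolerating any number of fractional digits."""
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def normalize(provider: str, raw: str) -> Dict:
    """Map one provider-specific record onto the common schema: ts, provider, actor, action, src_ip."""
    ev = json.loads(raw)
    if provider == "aws":
        return {"ts": parse_utc(ev["eventTime"]), "provider": "aws",
                "actor": ev["userIdentity"]["arn"].rsplit("/", 1)[-1],
                "action": ev["eventName"], "src_ip": ev["sourceIPAddress"]}
    if provider == "azure":
        return {"ts": parse_utc(ev["time"]), "provider": "azure",
                "actor": ev["identity"]["claims"]["upn"].split("@")[0],
                "action": ev["operationName"], "src_ip": ev["callerIpAddress"]}
    if provider == "gcp":
        p = ev["protoPayload"]
        return {"ts": parse_utc(ev["timestamp"]), "provider": "gcp",
                "actor": p["authenticationInfo"]["principalEmail"].split("@")[0],
                "action": p["methodName"], "src_ip": p["requestMetadata"]["callerIp"]}
    raise ValueError(f"unknown provider: {provider}")


def correlate(events: List[Dict], window: timedelta = timedelta(minutes=10)) -> List[List[Dict]]:
    """Chain events by (actor, src_ip) within the window; keep only chains spanning more than one provider."""
    chains: List[List[Dict]] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for chain in chains:
            last = chain[-1]
            if (last["actor"], last["src_ip"]) == (ev["actor"], ev["src_ip"]) and ev["ts"] - last["ts"] <= window:
                chain.append(ev)
                break
        else:
            chains.append([ev])
    return [c for c in chains if len({e["provider"] for e in c}) > 1]


def cross_provider_chains(raw_events=RAW_EVENTS) -> List[List[Dict]]:
    """Normalize every raw record, then return the cross-provider chains found."""
    return correlate([normalize(p, r) for p, r in raw_events])
```

With the constructed input, bob's single AWS event is left out and alice's AssumeRole, listKeys and ExportModel events come back as one chain ordered by normalized time.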

Scenario 14

A cloud architect designs a system with VPC isolation, security groups, IAM policies, encryption at rest, encryption in transit, DLP, and SIEM monitoring. The CFO asks why removing any single control would matter since there are so many. What is the architect's BEST response?

  A) All controls are equally critical and none can be removed
  B) The controls are redundant and any two could be removed without impact
  C) Defense in depth means each layer protects against different attack vectors and compensates for potential failures in other layers. Removing one creates a gap that could be exploited if the remaining controls face their own failures
  D) Each control addresses a unique compliance requirement and cannot be removed

Answer & reasoning

Correct: C

Defense in depth is not redundancy — each layer addresses different threats and compensates for potential failures in other layers. Removing a layer creates a specific gap. The value is not duplication but complementary coverage.

Scenario 15

An EU company stores personal data with a US CSP that replicates to Ireland and Singapore. A legal dispute raises the question of applicable law. The CSP argues only US law applies since they are a US company. Is this correct?

  A) Yes — the provider's nationality determines applicable law
  B) No — multiple jurisdictions may apply simultaneously: EU regulations for the data subjects, US law for the provider, Irish law for EU data residency, and Singapore law for data stored there. The SLA must address multi-jurisdictional compliance
  C) No laws apply because cloud data is considered borderless
  D) Only EU law applies since the data subjects are European

Answer & reasoning

Correct: B

Cloud data can be subject to multiple overlapping jurisdictions based on data subject nationality, provider location, and data physical location. All applicable laws must be addressed in the governance framework and SLA.

Scenario 16

A cloud provider offers a standard SLA with service credits for downtime. A customer experiences $2M in lost revenue during a 4-hour outage. They file a claim for the full amount. What will the SLA MOST likely cover?

  A) Nothing — the customer accepted the risk by using cloud
  B) The full $2M in lost revenue as direct damages
  C) 50% of the lost revenue as a compromise
  D) Only service credits against future billing. Standard cloud SLAs exclude consequential and indirect damages like lost revenue, limiting remedies to credits regardless of the customer's actual losses

Answer & reasoning

Correct: D

Standard cloud SLAs limit remedies to service credits and explicitly exclude consequential damages. The $2M revenue loss is the customer's business risk. Customers needing financial protection must obtain separate business interruption insurance.

Scenario 17

A security team implements CSPM (Cloud Security Posture Management) and discovers that 30% of cloud resources violate security policies. Most violations are publicly accessible storage, unencrypted databases, and over-permissive IAM roles. What does this reveal?

  A) Cloud misconfiguration is pervasive when governance guardrails are absent. The ease of provisioning cloud resources (on-demand self-service) without automated policy enforcement leads to security drift at scale
  B) 30% is an acceptable violation rate for cloud environments
  C) The security policies are too strict and should be relaxed
  D) CSPM tools generate too many false positives

Answer & reasoning

Correct: A

Cloud self-service provisioning creates rapid configuration changes without review. Without automated guardrails (preventive controls) and continuous monitoring (detective controls), misconfigurations accumulate at cloud speed.
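The detective-control side of Scenario 17, as an added example that is not from the original review: a minimal CSPM-style check that evaluates a constructed ten-resource inventory (illustrative data, not a real account) against the three policy rules the scenario names. The IAM check parses statement documents rather than matching strings, so a role that is broad on one bucket but scoped to a specific resource is not flagged, while a wildcard Allow on every resource is.

```python
from typing import Callable, Dict, List, Tuple

# Constructed resource inventory (illustrative, not real account data).
INVENTORY: List[Dict] = [
    {"id": "bucket-public-assets", "type": "storage", "public_access": True, "encrypted": True},
    {"id": "bucket-finance", "type": "storage", "public_access": False, "encrypted": True},
    {"id": "bucket-logs", "type": "storage", "public_access": False, "encrypted": True},
    {"id": "db-customers", "type": "database", "public_access": False, "encrypted": False},
    {"id": "db-reporting", "type": "database", "public_access": False, "encrypted": True},
    {"id": "role-ci-deploy", "type": "iam_role", "policy": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"id": "role-readonly", "type": "iam_role", "policy": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::bucket-finance/*"}]}},
    {"id": "role-app", "type": "iam_role", "policy": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::bucket-logs/*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"}]}},
    {"id": "vm-web", "type": "compute", "encrypted": True},
    {"id": "vm-batch", "type": "compute", "encrypted": True},
]


def _as_list(value) -> List[str]:
    """Policy fields may be a single string or a list; always return a list."""
    return [value] if isinstance(value, str) else list(value or [])


def is_over_permissive(policy: Dict) -> bool:
    """True when an Allow statement grants wildcard actions on every resource."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access and are not flagged
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            return True
    return False


# Rule name -> predicate that returns True when the resource violates the rule.
RULES: Dict[str, Callable[[Dict], bool]] = {
    "PUBLIC_STORAGE": lambda r: r["type"] == "storage" and r.get("public_access", False),
    "UNENCRYPTED_DATABASE": lambda r: r["type"] == "database" and not r.get("encrypted", False),
    "OVER_PERMISSIVE_ROLE": lambda r: r["type"] == "iam_role" and is_over_permissive(r["policy"]),
}


def assess(inventory: List[Dict] = INVENTORY) -> Tuple[List[Tuple[str, str]], float]:
    """Return (violations as (resource id, rule name), fraction of resources with at least one violation)."""
    violations = [(r["id"], name) for r in inventory for name, check in RULES.items() if check(r)]
    offending = {rid for rid, _ in violations}
    return violations, len(offending) / len(inventory)
```

Run repeatedly against a live inventory export, this is the continuous monitoring half of the answer; the preventive half is refusing the deployment before these resources exist.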

Scenario 18

An organization archives data encrypted with RSA-2048 for a 25-year retention requirement. A post-quantum cryptography assessment suggests RSA-2048 may be vulnerable within 15 years. What is the MOST appropriate action now?

  A) Begin transition planning: conduct a cryptographic inventory, evaluate post-quantum algorithms, and develop a migration roadmap. The harvest-now-decrypt-later threat means adversaries may already be collecting this encrypted data for future decryption
  B) Wait for NIST to mandate specific post-quantum algorithms before taking action
  C) No action needed — 15 years provides plenty of time to react
  D) Immediately re-encrypt all data with AES-256

Answer & reasoning

Correct: A

For data with a 25-year confidentiality requirement, the harvest-now-decrypt-later threat makes this urgent. Adversaries collecting RSA-encrypted data today may decrypt it when quantum computers arrive in 10-15 years. Transition planning should start now.

Scenario 19

A serverless function processes sensitive financial data and terminates in 15 seconds. A security audit finds no persistent logs exist from function executions. The cloud team argues serverless functions are too short-lived for logging. Is this correct?

  A) No — but logging should only be added for functions processing sensitive data
  B) Yes — the cloud provider captures all serverless logs automatically
  C) No — ephemeral compute environments must forward logs to persistent centralized storage in real-time during execution. Without persistent logs, there is no audit trail for sensitive data processing, creating compliance and forensic gaps
  D) Yes — serverless functions are too ephemeral for meaningful logging

Answer & reasoning

Correct: C

Ephemeral environments destroy local storage on termination. Logs must be forwarded in real-time to persistent centralized storage. Without this, sensitive data processing has no audit trail, violating compliance requirements and preventing forensic investigation.

Scenario 20

A comprehensive cloud security assessment covers network isolation, IAM, encryption, DLP, monitoring, and incident response. However, it does not evaluate the cloud provider's sub-processors or the data exit strategy. What governance gaps exist?

  A) Sub-processors and exit strategy are operational details, not governance concerns
  B) Supply chain risk (unaudited sub-processors handling customer data) and lack of exit strategy (no plan for data portability, return format, or deletion verification at contract end) are significant governance gaps that could leave the organization vulnerable
  C) The assessment is comprehensive enough — sub-processors and exit strategy can be addressed later
  D) Only the exit strategy matters; sub-processors are the provider's responsibility

Answer & reasoning

Correct: B

Both are critical governance gaps. Sub-processors create supply chain risk outside the primary provider's security boundary. Lack of exit strategy creates dependency risk and potential data loss at contract termination. Both should be addressed contractually before commitment.

Domain 1 Readiness Checklist

Before moving to Domain 2, confirm you can confidently:

  • Evaluate scenarios against all five NIST essential characteristics
  • Assign responsibility correctly across IaaS, PaaS, and SaaS models
  • Distinguish between deployment models and recommend the right one
  • Evaluate SLAs for completeness, including exit strategy and performance
  • Identify security implications of AI, IoT, containers, and quantum computing
  • Choose the right key management model for a given scenario
  • Apply IAM principles including federation, least privilege, and zero trust
  • Identify network security controls and their cloud adaptations
  • Map data to lifecycle phases and apply appropriate controls
  • Evaluate CSPs using audit reports, certifications, and due diligence