Module 34: Security Controls Implementation
The CCSP exam tests whether you can select the RIGHT type of control for a given cloud scenario — not just list controls from memory.
Control Types: The Exam Framework
Every security control question on the exam maps to one of these functional categories:
- Preventive — stops an incident before it happens (firewall rules, encryption, access controls)
- Detective — identifies that an incident occurred (logging, monitoring, IDS, SIEM)
- Corrective — fixes the damage after an incident (patching, restoring from backup, incident response)
- Deterrent — discourages an attacker (warning banners, audit trails, legal notices)
- Compensating — alternative control when the primary control is not feasible
When the exam asks for the BEST control type, match the scenario to the function. If the scenario describes an active breach, the answer is corrective. If it describes preventing future incidents, the answer is preventive. If it describes detecting unknown threats, the answer is detective.
Cloud-Native Security Controls
CSPs provide built-in security controls. The exam expects you to know when to use cloud-native versus third-party solutions:
- IAM policies — preventive control for access management
- Security groups and NACLs — preventive network controls
- Cloud trail/activity logging — detective control for audit trails
- Key management services — preventive control for encryption key lifecycle
- Configuration compliance tools — detective control for drift detection
- DDoS protection services — preventive/corrective for availability attacks
Exam thinking: Cloud-native controls are generally preferred over third-party tools when they meet requirements, because they integrate natively with the platform and scale automatically. The exam will not ask you to choose a specific vendor product, but it will test whether you understand the control category.
Defense-in-Depth in Cloud
Layered security applies to cloud just as it does to traditional environments, but the layers are different:
- Identity layer — MFA, least privilege IAM, conditional access
- Network layer — VPC isolation, security groups, WAF, DDoS protection
- Compute layer — hardened images, patch management, endpoint protection
- Application layer — input validation, secure coding, runtime protection
- Data layer — encryption at rest and in transit, tokenization, masking
The exam tests whether you understand that a single control is never sufficient. If a scenario shows reliance on only one security mechanism, the correct answer involves adding defense at another layer.
Infrastructure as Code (IaC) Security
Modern cloud infrastructure is defined in code (Terraform, CloudFormation, ARM templates). The exam tests the security implications of that shift:
- IaC templates should be version-controlled and peer-reviewed like application code
- Security scanning of IaC templates catches misconfigurations before deployment
- Secrets (API keys, passwords) must never be hardcoded in IaC templates
- IaC provides consistent, repeatable security configurations — eliminating configuration drift
IaC is both a security control and a security risk. It ensures consistency (preventive) but can propagate misconfigurations at scale if templates are not validated. The exam expects you to see both sides.
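As an added illustration (not part of this module's material), the kind of pre-deployment IaC scan described above, in Python: it checks a CloudFormation-style template for security-group ingress open to the whole internet and for secrets stored as literal property values rather than parameter or secrets-manager references. The AWS resource type names are real; the scanner itself, the SECRET_KEYS name fragments and the sample template are constructed for this example.

```python
# Minimal IaC pre-deployment scanner (illustrative, not a real tool): walks a
# CloudFormation-style template (parsed JSON/YAML as a dict) and reports two
# findings the module calls out: world-open security groups and literal secrets.
import ipaddress

SECRET_KEYS = ("password", "secret", "apikey", "token")  # assumed name fragments

def _is_world_open(rule):
    """True when an ingress rule's CIDR is 0.0.0.0/0 or ::/0."""
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    return bool(cidr) and ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def _hardcoded_secrets(node, path=""):
    """Yield property paths whose key looks secret-bearing and whose value is a
    plain string literal rather than a Ref/parameter lookup (a dict)."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if any(s in key.lower() for s in SECRET_KEYS) and isinstance(value, str):
                yield here
            else:
                yield from _hardcoded_secrets(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _hardcoded_secrets(item, f"{path}[{i}]")

def scan_template(template):
    """Return finding strings; an empty list means the template passed."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if _is_world_open(rule):
                    findings.append(f"{name}: ingress open to the internet on port "
                                    f"{rule.get('FromPort', 'all')}")
        for p in _hardcoded_secrets(props, f"{name}.Properties"):
            findings.append(f"{p}: secret stored as a literal; use a parameter or "
                            "secrets-manager reference instead")
    return findings

# Constructed sample: one world-open SSH rule, one literal password, one clean DB.
SAMPLE = {"Resources": {
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
    "Db": {"Type": "AWS::RDS::DBInstance",
           "Properties": {"MasterUsername": "admin", "MasterUserPassword": "Hunter2!"}},
    "GoodDb": {"Type": "AWS::RDS::DBInstance",
               "Properties": {"MasterUserPassword": {"Ref": "DbPasswordParam"}}}}}
```

Calling scan_template(SAMPLE) returns two findings (the world-open port 22 rule and the literal MasterUserPassword on Db) while GoodDb, which takes its password from a parameter reference, passes; wiring a check like this into the pipeline before apply is what turns IaC from a drift-propagation risk into a preventive control.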
Compensating Controls in Cloud
Sometimes the ideal control is not available in a cloud environment. The exam tests your ability to identify appropriate compensating controls:
- Cannot inspect provider infrastructure? Use audit reports as a compensating assurance
- Cannot install a network IDS on the cloud network? Use host-based detection and cloud-native logging
- Cannot physically destroy storage media? Use cryptographic erasure
- Cannot enforce a specific security configuration on a SaaS application? Use CASB as a compensating control layer
The exam rewards creative but practical thinking. A compensating control must address the same risk as the original control, even if through a different mechanism.
Control Monitoring and Effectiveness
Implementing controls is not enough. The exam tests continuous validation:
- Regular control testing through automated scanning
- Compliance dashboards showing control status across cloud accounts
- Alert fatigue management — tuning detective controls to reduce false positives
- Control effectiveness metrics reported to management
A control that generates thousands of unreviewed alerts is functionally equivalent to no control at all.