Domain 5 – Section A Review: Infrastructure Operations
Section A tested your understanding of cloud infrastructure from the physical layer through logical controls. Before moving to maintenance and standards, verify you can think through infrastructure security the way the exam expects.
These questions blend physical security, HSM/TPM, access controls, and network security. For each question, identify whether the issue is physical, logical, identity-based, or network-based before selecting your answer.
Scenario questions (10)
Question 1
A cloud customer's annual security review reveals their IaaS provider's SOC 2 report expired 8 months ago. The provider claims nothing has changed.
What should the customer do?
A. Terminate the contract immediately
B. Conduct their own physical inspection of the data center
C. Request a bridge letter or updated SOC 2 report to cover the gap period
D. Accept the provider's verbal assurance
Answer & reasoning
Correct: C
An expired SOC 2 report creates an assurance gap. A bridge letter or updated report covers the period since the last report ended. Verbal assurance is not audit evidence.
Question 2
An organization stores encryption keys in a cloud-native KMS for their most sensitive regulated data. An auditor questions whether this meets regulatory requirements for key isolation.
What is the auditor's MOST likely concern?
A. Cloud KMS does not support encryption
B. Cloud KMS does not support access logging
C. Cloud KMS keys cannot be rotated
D. Cloud KMS uses shared HSM infrastructure rather than dedicated hardware for the customer's keys
Answer & reasoning
Correct: D
Cloud-native KMS typically uses shared, multi-tenant HSM infrastructure. For the most sensitive regulated data, dedicated HSM with exclusive customer access may be required for key isolation.
Question 3
A security architect proposes implementing ABAC for cloud resource access. Management asks why RBAC alone is insufficient.
What is the BEST justification for ABAC?
A. ABAC enables context-aware policies based on attributes like time, location, and device posture that RBAC cannot express
B. ABAC is required by all compliance frameworks
C. ABAC eliminates the need for authentication
D. ABAC is always more secure than RBAC
Answer & reasoning
Correct: A
ABAC evaluates multiple attributes (time, location, device) for each access decision, enabling fine-grained, context-aware policies that static role assignments cannot achieve.
Question 4
After deploying micro-segmentation in their cloud environment, the security team notices significantly more blocked traffic than expected.
What is the MOST likely explanation?
A. The cloud provider is blocking legitimate traffic
B. DNS is not configured correctly
C. Applications have undocumented communication patterns that the micro-segmentation policies did not account for
D. The micro-segmentation solution is malfunctioning
Answer & reasoning
Correct: C
Micro-segmentation enforces explicit allow rules between workloads. Undocumented application dependencies and communication patterns are commonly discovered during implementation when previously invisible traffic is blocked.
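The practical way to find those undocumented dependencies is to read the flow logs that the enforcement point produces and separate the REJECTs nobody documented from the REJECTs that contradict the documentation. The script below is an added example, not part of the original review material: it parses records in the AWS VPC flow log default field order (the log lines, account ID, ENI ID and addresses are constructed for the example) against a constructed list of documented dependencies and reports both classes.

```python
import ipaddress
from collections import Counter

# Constructed sample records in the VPC flow log default field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
# Every line below is made up for this example; the IDs and addresses are not real.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 5432 6 12 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.3.30 49153 6379 6 4 320 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.11 10.0.3.30 49154 6379 6 4 320 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.10 5432 49152 6 10 2800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.4.40 10.0.2.20 50000 5432 6 3 200 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.12 10.0.2.20 50001 5432 6 3 200 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 169.254.169.254 49155 80 6 2 120 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

# Documented dependencies the application team wrote down before segmentation (constructed):
# (source CIDR, destination CIDR, IP protocol number, destination port)
DOCUMENTED = [
    ("10.0.1.0/24", "10.0.2.0/24", 6, 5432),   # web tier -> postgres
]

PROTO_NAMES = {6: "tcp", 17: "udp", 1: "icmp"}


def parse_flow_log(text):
    """Yield one dict per well-formed record; skip NODATA/SKIPDATA lines whose fields are '-'."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue
        yield {
            "src": f[3], "dst": f[4],
            "sport": int(f[5]), "dport": int(f[6]), "proto": int(f[7]),
            "action": f[12],
        }


def is_documented(rec, documented):
    """True if some documented dependency covers this record's source, destination, protocol and port."""
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    for src_cidr, dst_cidr, proto, dport in documented:
        if (src in ipaddress.ip_network(src_cidr) and dst in ipaddress.ip_network(dst_cidr)
                and rec["proto"] == proto and rec["dport"] == dport):
            return True
    return False


def undocumented_rejects(text, documented):
    """{(src, dst, proto_name, dport): count} for REJECTed flows no documented dependency covers.
    Each key is either a dependency the application owners forgot, or traffic you wanted blocked;
    only the owners can say which, so the report is the starting point of that conversation."""
    counts = Counter()
    for rec in parse_flow_log(text):
        if rec["action"] != "REJECT" or is_documented(rec, documented):
            continue
        proto = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
        counts[(rec["src"], rec["dst"], proto, rec["dport"])] += 1
    return dict(counts)


def policy_bugs(text, documented):
    """Documented flows that were nevertheless REJECTed: the enforced policy does not match the documentation."""
    return [(r["src"], r["dst"], r["dport"]) for r in parse_flow_log(text)
            if r["action"] == "REJECT" and is_documented(r, documented)]


if __name__ == "__main__":
    for flow, n in sorted(undocumented_rejects(SAMPLE_FLOW_LOG, DOCUMENTED).items()):
        print(f"undocumented blocked flow: {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]} ({n} records)")
    for src, dst, port in policy_bugs(SAMPLE_FLOW_LOG, DOCUMENTED):
        print(f"documented but blocked: {src} -> {dst}:{port} (fix the policy, not the docs)")
```

Run against the constructed log, the report shows two web hosts talking to a Redis instance nobody documented, a host outside the web tier reaching the database, and one documented web-to-database flow that the policy still blocks. The first two findings are the "undocumented communication patterns" of the question; the last is a policy authoring error and should be fixed separately.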
Question 5
A TPM-enabled cloud server reports a measurement change during its boot sequence. The previous boot measurement was verified as trusted.
What does this indicate?
A. The TPM chip has failed
B. A boot component has changed since the last trusted boot, which could indicate tampering or a legitimate update
C. The server needs a firmware update
D. The network connection is unstable
Answer & reasoning
Correct: B
TPM measured boot hashes each boot component (firmware, bootloader, kernel, their configuration) and extends the hashes into PCRs. A changed measurement means something in the boot chain differs from the trusted baseline. The TPM cannot tell you why: it could be tampering (for example a modified bootloader) or a legitimate update, which needs its new expected values recorded and the host re-attested. Correlate the change with patch and change records before treating it as an incident, and treat an unexplained change as one.
Question 6
An organization connects their on-premises network to their cloud VPC using a site-to-site VPN. A security review finds that any on-premises user can access any cloud resource through the VPN tunnel.
What control is MISSING?
A. Encryption on the VPN tunnel
B. Network access controls and identity-based policies within the cloud VPC to restrict what VPN traffic can reach
C. A second VPN tunnel for redundancy
D. DNS resolution for cloud resources
Answer & reasoning
Correct: B
A VPN provides an encrypted tunnel and a route into the VPC; it does not decide what the traffic inside the tunnel may reach. Security groups, NACLs, and identity-based policies within the VPC (together with route tables that expose only the subnets the on-premises side needs) must restrict VPN traffic to least privilege, exactly as for any other source.
Question 7
During an incident investigation, the team needs to determine whether a cloud server was compromised before or after a specific date. The server uses vTPM.
What evidence can the vTPM provide?
A. Network traffic logs for all connections to the server
B. Boot integrity measurements that show whether the trusted boot state changed at a specific point
C. A complete history of all files accessed on the server
D. A list of all user accounts that accessed the server
Answer & reasoning
Correct: B
vTPM records boot measurements into PCRs, so attestation quotes collected over time show whether the boot chain changed, and when, relative to the trusted baseline. Two caveats: the evidence exists only if measurements were being collected or attested on a schedule, and it covers the boot chain only. A runtime-only compromise that touched no boot component leaves the measurements unchanged, so vTPM evidence narrows the timeline but must be combined with logs and disk forensics.
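Questions 5 and 7 both turn on the same mechanism: a PCR is not a stored list of components but a running hash, so the verifier needs the event log to see which component changed and a series of quotes to see when. The following is an added example that simulates that mechanism; it is not code from the exam material or from any TPM vendor. It collapses the boot chain into a single SHA-256 PCR (real systems spread it across PCR 0 through 7), and the firmware, bootloader and kernel blobs are constructed stand-ins.

```python
import hashlib

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 PCR extend for a SHA-256 bank: PCR_new = SHA256(PCR_old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot_chain(components):
    """Replay a measured boot. components is a list of (name, bytes); each one is hashed,
    appended to the event log, and extended into a single PCR that starts at all zeros."""
    pcr = bytes(32)
    log = []                                   # event log: (component name, hex digest)
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr.hex(), log


def replay_log(log):
    """Recompute the PCR from an event log. A verifier does this and compares the result with the
    TPM-signed quote: an edited log no longer replays to the quoted value."""
    pcr = bytes(32)
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr.hex()


def verify_quote(pcr_hex, golden_hex):
    """The attestation decision itself is a single comparison against the golden value."""
    return pcr_hex == golden_hex


def changed_components(baseline_log, observed_log):
    """Names of boot components whose digest differs from the baseline (Question 5: what changed)."""
    return [name for (name, d1), (_, d2) in zip(baseline_log, observed_log) if d1 != d2]


def first_deviation(attestations, golden_hex):
    """attestations: list of (timestamp, pcr_hex) in time order, one per attestation run.
    Return the first timestamp at which the PCR stopped matching golden (Question 7: when)."""
    for ts, pcr_hex in attestations:
        if pcr_hex != golden_hex:
            return ts
    return None


# Constructed boot chains; the byte strings stand in for real firmware/bootloader/kernel images.
TRUSTED_CHAIN  = [("firmware", b"fw-v1"), ("bootloader", b"grub-2.06"),          ("kernel", b"vmlinuz-6.1")]
TAMPERED_CHAIN = [("firmware", b"fw-v1"), ("bootloader", b"grub-2.06-backdoor"), ("kernel", b"vmlinuz-6.1")]
UPDATED_CHAIN  = [("firmware", b"fw-v1"), ("bootloader", b"grub-2.06"),          ("kernel", b"vmlinuz-6.2")]

GOLDEN, GOLDEN_LOG = measure_boot_chain(TRUSTED_CHAIN)

if __name__ == "__main__":
    for label, chain in (("tampered", TAMPERED_CHAIN), ("updated", UPDATED_CHAIN)):
        pcr, log = measure_boot_chain(chain)
        print(label, "matches golden:", verify_quote(pcr, GOLDEN),
              "changed:", changed_components(GOLDEN_LOG, log))
    # Constructed attestation timeline: two clean runs, then the bootloader changes.
    timeline = [("2024-03-01", GOLDEN), ("2024-03-02", GOLDEN),
                ("2024-03-03", measure_boot_chain(TAMPERED_CHAIN)[0])]
    print("first deviation:", first_deviation(timeline, GOLDEN))
```

Note what the PCR alone gives you: the tampered and updated chains both fail the golden comparison with equally opaque values. It is the event log that says "bootloader" versus "kernel", and it is the sequence of dated quotes that brackets the change in time; neither can be faked without breaking the replay, because the quote is signed by the TPM.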
Question 8
A cloud environment uses security groups configured to allow all outbound traffic by default. The security team wants to restrict outbound communication.
What is the PRIMARY security benefit of restricting outbound traffic?
A. Reduced cloud computing costs
B. Improved inbound performance
C. Prevention of data exfiltration and command-and-control communication to unauthorized destinations
D. Simplified network troubleshooting
Answer & reasoning
Correct: C
Unrestricted outbound traffic allows compromised instances to exfiltrate data and communicate with command-and-control servers. Restricting outbound to known, necessary destinations limits attacker options.
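Questions 6 and 8 are the same control seen from two directions: a security group is an allow-only filter with an implicit deny, so "any VPN user can reach anything" and "any instance can talk to anywhere" are both just overly broad allow rules. The model below is an added example, not code from the exam material or from any cloud provider; it evaluates a minimal security-group model against constructed flows, with a "before" group showing both findings and an "after" group that fixes them. The CIDRs, the DBA jump host address, the package mirror and the resolver address are all assumptions for the example.

```python
import ipaddress


class SecurityGroup:
    """Minimal model of security-group semantics: allow-only rules per direction, implicit deny,
    first matching rule wins. A rule is (protocol, port_from, port_to, cidr); protocol "-1" means
    all protocols and ignores ports. Stateful return traffic is not modelled; only the initiating
    direction is evaluated."""

    def __init__(self, ingress, egress):
        self.ingress = ingress
        self.egress = egress

    @staticmethod
    def _match(rules, proto, port, addr):
        ip = ipaddress.ip_address(addr)
        for r_proto, p_from, p_to, cidr in rules:
            if r_proto not in (proto, "-1"):
                continue
            if r_proto != "-1" and not (p_from <= port <= p_to):
                continue
            if ip in ipaddress.ip_network(cidr):
                return True
        return False                               # implicit deny

    def allows_ingress(self, proto, port, src):
        return self._match(self.ingress, proto, port, src)

    def allows_egress(self, proto, port, dst):
        return self._match(self.egress, proto, port, dst)


APP_TIER = "10.0.1.0/24"        # constructed: the only tier that should open DB connections
DB_PORT = 5432

# Before: the Question 6 finding (any VPN user reaches the DB) and the Question 8 default (allow-all egress).
DB_SG_BEFORE = SecurityGroup(
    ingress=[("tcp", DB_PORT, DB_PORT, "0.0.0.0/0")],   # everyone, including every on-prem user
    egress=[("-1", 0, 65535, "0.0.0.0/0")],             # default: any protocol, any destination
)

# After: ingress limited to the app tier and one DBA jump host reached via the VPN; egress limited
# to what the host actually needs (constructed: an internal package mirror and the VPC resolver).
DB_SG_AFTER = SecurityGroup(
    ingress=[("tcp", DB_PORT, DB_PORT, APP_TIER),
             ("tcp", DB_PORT, DB_PORT, "10.10.5.7/32")],  # DBA jump host on the on-prem side
    egress=[("tcp", 443, 443, "10.0.9.10/32"),            # internal package mirror
            ("udp", 53, 53, "10.0.0.2/32")],              # VPC DNS resolver
)


def evaluate(sg, flows):
    """flows: list of (direction, proto, port, remote_addr) -> list of (flow, allowed)."""
    results = []
    for direction, proto, port, remote in flows:
        allowed = (sg.allows_ingress(proto, port, remote) if direction == "in"
                   else sg.allows_egress(proto, port, remote))
        results.append(((direction, proto, port, remote), allowed))
    return results


# Constructed flows: three ingress attempts over the VPN/VPC, two egress attempts from the DB host.
TEST_FLOWS = [
    ("in",  "tcp", DB_PORT, "10.10.42.9"),   # arbitrary on-prem laptop through the VPN tunnel
    ("in",  "tcp", DB_PORT, "10.10.5.7"),    # DBA jump host
    ("in",  "tcp", DB_PORT, "10.0.1.25"),    # application server
    ("out", "tcp", 443,     "203.0.113.10"), # arbitrary internet host: exfiltration or C2 path
    ("out", "tcp", 443,     "10.0.9.10"),    # package mirror
]

if __name__ == "__main__":
    for label, sg in (("before", DB_SG_BEFORE), ("after", DB_SG_AFTER)):
        for flow, allowed in evaluate(sg, TEST_FLOWS):
            print(f"{label}: {flow} -> {'ALLOW' if allowed else 'DENY'}")
```

Against the "before" group every flow is allowed, which is precisely the review finding. Against the "after" group the random VPN laptop and the internet egress are denied while the three legitimate flows still pass. In a real environment you would derive the "after" rules from flow-log data rather than guess them, and pair the security group with NACLs and IAM so that the database is not protected by a single control.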
Question 9
A cloud customer wants to use a cloud provider's HSM service for PCI DSS compliance. The provider offers a multi-tenant HSM option and a dedicated HSM option at higher cost.
Which option meets PCI DSS key management requirements?
A. Either option, as PCI DSS does not specify HSM requirements
B. Dedicated HSM, because PCI DSS requires cryptographic key isolation from other entities
C. Neither — PCI DSS requires on-premises HSM only
D. Multi-tenant HSM, because it provides sufficient logical separation
Answer & reasoning
Correct: B
PCI DSS requires documented, strong key management, including restricting key access to the fewest custodians necessary and protecting keys from unauthorized disclosure. Dedicated HSM gives the customer exclusive control of the device, so no other tenant's keys or administrators share it; that satisfies the strictest reading of the requirement and is the answer the exam expects. In practice, assessors often accept a provider-validated multi-tenant HSM-backed KMS for cardholder data, so confirm the interpretation with your QSA rather than assuming the higher-cost option is mandatory.
Question 10
An organization's cloud architect designs a VPC with all resources in public subnets for simplicity. The security team objects.
What is the MOST important reason to use private subnets?
A. Private subnets are faster than public subnets
B. Private subnets cost less than public subnets
C. Private subnets automatically encrypt all traffic
D. Resources in private subnets are not directly accessible from the internet, reducing the attack surface for sensitive workloads
Answer & reasoning
Correct: D
Private subnets have no route to an internet gateway, so resources like databases and internal services cannot be reached from the internet even if a security group is accidentally left open; outbound-only needs (patching, API calls) go through a NAT gateway, which accepts no inbound connections. This removes an entire class of exposure rather than relying on per-instance filtering. Public subnets should hold only the resources that must be internet-facing, such as load balancers and bastion hosts.
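Whether a subnet is "public" is not a label but a property of its route table, so an audit has to derive it from the routes. The check below is an added example (not part of the review material and not provider code) that classifies subnets from constructed route tables and flags workloads that do not belong in an internet-facing subnet; the resource IDs, roles and target prefixes are assumptions for the example.

```python
# Constructed route tables as {destination_cidr: target}; the IDs are not real cloud resources.
ROUTE_TABLES = {
    "rtb-public":   {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0abc"},   # default route to an internet gateway
    "rtb-private":  {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0def"},   # default route via NAT: outbound only
    "rtb-isolated": {"10.0.0.0/16": "local"},                            # no default route at all
}
SUBNETS = {              # subnet -> route table association (constructed)
    "subnet-web": "rtb-public",
    "subnet-app": "rtb-private",
    "subnet-db": "rtb-isolated",
    "subnet-oops": "rtb-public",
}
INSTANCES = [            # constructed inventory; "role" is a tag the organization applies
    {"id": "i-web1", "subnet": "subnet-web",  "role": "web",      "public_ip": True},
    {"id": "i-app1", "subnet": "subnet-app",  "role": "app",      "public_ip": False},
    {"id": "i-db1",  "subnet": "subnet-db",   "role": "database", "public_ip": False},
    {"id": "i-db2",  "subnet": "subnet-oops", "role": "database", "public_ip": True},
]
INTERNET_FACING_ROLES = {"web", "lb", "bastion"}   # the only roles that belong in a public subnet


def classify_subnet(routes):
    """public: default route to an internet gateway (hosts with a public IP are inbound-reachable);
    private: default route through NAT (outbound only); isolated: no default route."""
    default = routes.get("0.0.0.0/0")
    if default is None:
        return "isolated"
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private"
    return "other"            # e.g. a transit gateway or firewall appliance; review by hand


def misplaced_workloads(route_tables, subnets, instances, internet_roles):
    """(instance id, reason) for every non-internet-facing workload sitting in a public subnet.
    A public IP on top of a public subnet means the host is directly reachable from the internet."""
    findings = []
    for inst in instances:
        kind = classify_subnet(route_tables[subnets[inst["subnet"]]])
        if kind == "public" and inst["role"] not in internet_roles:
            reason = f"{inst['role']} in public subnet {inst['subnet']}"
            if inst["public_ip"]:
                reason += " with a public IP: directly reachable from the internet"
            findings.append((inst["id"], reason))
    return findings


if __name__ == "__main__":
    for name, rtb in SUBNETS.items():
        print(f"{name}: {classify_subnet(ROUTE_TABLES[rtb])}")
    for inst_id, reason in misplaced_workloads(ROUTE_TABLES, SUBNETS, INSTANCES, INTERNET_FACING_ROLES):
        print(f"FINDING {inst_id}: {reason}")
```

On the constructed inventory the only finding is the database placed in a public subnet with a public address, which is the architect's "everything public for simplicity" design reduced to one line. The same derivation (route table, then public IP, then role) is what you would run against a real account's route tables and instance metadata.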
Section A master pattern
When answering Domain 5 Section A questions, ask yourself:
- Am I the customer or the provider in this scenario?
- Is this a physical, logical, or identity control?
- Am I verifying controls or implementing them?
- Does the shared responsibility model place this in my domain?
- Am I thinking about attestation or direct inspection?
If you verify before you implement, and you match controls to the correct responsibility boundary, you will answer correctly.