
Domain 5 – Section B Review: Maintenance & Standards

CCSP Domain 5 — Cloud Security Operations Section Review
Section B tested whether you can maintain and operate cloud infrastructure securely at scale. Hardening, automation, resilience, and monitoring are the foundations. Make sure you can apply these operationally, not just define them.

These questions combine hardening, IaC, availability, and monitoring concepts. Focus on scalability, automation, and operational maturity in your reasoning.


Scenario questions (10)


Question 1

An organization discovers that a security misconfiguration exists identically across development, staging, and production cloud environments. All environments were deployed using the same IaC templates.

What is the root cause?

A. Independent administrators made the same mistake in each environment
B. The cloud provider applied the misconfiguration to all accounts
C. A recent security patch changed the configuration across all environments
D. The IaC template contains the misconfiguration, which was replicated to every environment

Answer & reasoning

Correct: D

IaC templates replicate their configuration — good or bad — to every environment they manage. Identical misconfigurations across all environments point to the template as the source.


Question 2

A cloud security team implements immutable infrastructure. When a vulnerability is discovered, they update the golden image and redeploy rather than patching running instances.

What is the PRIMARY security advantage?

A. Immutable infrastructure is cheaper to operate
B. Redeployment is always faster than patching
C. Every deployment starts from a known, verified state, eliminating configuration drift from in-place patches
D. Immutable infrastructure prevents all vulnerabilities

Answer & reasoning

Correct: C

Immutable infrastructure ensures consistency — every instance starts from a verified, hardened image. In-place patching can introduce drift as instances diverge from the baseline over time.


Question 3

An organization's business impact analysis requires an RPO of 15 minutes and an RTO of 1 hour for its cloud-hosted transaction processing system.

Which resilience pattern BEST meets these requirements?

A. Pilot light with hourly data synchronization
B. Active-active across two regions
C. Active-passive with real-time or near-real-time data replication
D. Backup and restore with daily snapshots

Answer & reasoning

Correct: C

Active-passive with real-time replication meets both the 15-minute RPO (near-zero data loss with real-time replication) and 1-hour RTO (standby infrastructure activates quickly). Active-active exceeds requirements. Backup-and-restore cannot meet the 15-minute RPO.


Question 4

A cloud monitoring alert fires 200 times per day, but investigation shows 95% of alerts are false positives. Analysts begin ignoring most alerts.

What is the MOST appropriate corrective action?

A. Hire more analysts to handle the volume
B. Tune the detection rules and thresholds to reduce false positives while maintaining genuine threat detection
C. Switch to a different SIEM platform
D. Disable the alerting rule entirely

Answer & reasoning

Correct: B

Alert fatigue from false positives degrades detection effectiveness. Tuning rules reduces noise while preserving the ability to detect real threats. Disabling rules creates blind spots.


Question 5

An auto-scaling group has no maximum instance limit. During a DDoS attack, the group scales to 500 instances before the team intervenes.

What TWO problems does this create?

A. Massive unplanned cost and the scaling did not actually mitigate the application-layer attack
B. Improved performance and better user experience
C. Enhanced security posture and automatic threat response
D. Better compliance posture and automated evidence collection

Answer & reasoning

Correct: A

Unlimited auto-scaling during a DDoS attack creates an Economic Denial of Service — massive costs without actual mitigation. Auto-scaling addresses capacity, not attack traffic. Maximum limits prevent cost explosion.


Question 6

A CIS Benchmark scan reveals that cloud instances have unnecessary services running, default accounts enabled, and unused ports open.

What hardening principle is being violated?

A. Defense in depth
B. Separation of duties
C. Least functionality — minimizing the attack surface by removing unnecessary components
D. Data classification

Answer & reasoning

Correct: C

Least functionality requires disabling unnecessary services, removing default accounts, and closing unused ports. CIS Benchmarks define these baselines specifically to reduce the attack surface.


Question 7

An IaC pipeline deploys infrastructure without any security scanning. The security team discovers the pipeline has deployed publicly accessible databases three times in the past month.

What control should be added?

A. Automated policy enforcement in the CI/CD pipeline that blocks non-compliant IaC templates before deployment
B. Manual review of all deployed infrastructure monthly
C. Post-deployment penetration testing
D. Database encryption at rest

Answer & reasoning

Correct: A

Automated policy enforcement (policy as code) in the pipeline is a preventive control that catches misconfigurations before deployment. Post-deployment controls are detective and reactive — the damage is already done.
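The preventive control in Question 7, and the missing scaling ceiling in Question 5, can both be expressed as a policy-as-code gate that runs in the pipeline before anything is deployed. The following is an added example written for this review; it is not code from the page or from any particular IaC tool. The template format, the resource type names (database_instance, security_group, autoscaling_group) and the property names are all constructed stand-ins for a provider's real schema, and the sample template is built inline so the gate can be run offline.

```python
"""Pipeline policy gate for IaC templates.

Added example, not code from the page or any specific tool. It evaluates a
constructed, provider-neutral template (a JSON document listing resources with
a type, a name and properties) against two rules taken from the review:
  - a database must not be reachable from the Internet (Question 7)
  - an auto-scaling group must declare a finite maximum size (Question 5)
A non-empty violation list means the CI/CD stage must fail before deployment.
"""
import json
from dataclasses import dataclass

# Resource type names are hypothetical; map them to your provider's names.
DATABASE_TYPES = {"database_instance"}
AUTOSCALING_TYPES = {"autoscaling_group"}
SECURITY_GROUP_TYPE = "security_group"
DATABASE_PORTS = {1433, 3306, 5432}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Violation:
    rule: str
    resource: str
    detail: str


def _resource_id(resource):
    return f"{resource['type']}.{resource['name']}"


def check_public_database(resource, security_groups):
    """Flag a database that is marked public or whose security group admits
    any source address on a database port."""
    props = resource.get("properties", {})
    found = []
    if props.get("publicly_accessible") is True:
        found.append(Violation("no-public-database", _resource_id(resource),
                               "publicly_accessible is true"))
    for sg_name in props.get("security_groups", []):
        for ingress in security_groups.get(sg_name, {}).get("ingress", []):
            open_to_world = any(c in WORLD_CIDRS for c in ingress.get("cidr_blocks", []))
            if open_to_world and ingress.get("port") in DATABASE_PORTS:
                found.append(Violation(
                    "no-public-database", _resource_id(resource),
                    f"security group {sg_name} allows {ingress['cidr_blocks']} "
                    f"on port {ingress['port']}"))
    return found


def check_autoscaling_ceiling(resource):
    """Flag an auto-scaling group with no positive maximum instance count."""
    max_size = resource.get("properties", {}).get("max_size")
    if not isinstance(max_size, int) or max_size <= 0:
        return [Violation("autoscaling-max-size-required", _resource_id(resource),
                          f"max_size is {max_size!r}; a positive ceiling is required")]
    return []


def evaluate_template(template):
    """Run every rule over every resource and return the violations found."""
    resources = template.get("resources", [])
    security_groups = {r["name"]: r.get("properties", {})
                       for r in resources if r["type"] == SECURITY_GROUP_TYPE}
    violations = []
    for resource in resources:
        if resource["type"] in DATABASE_TYPES:
            violations.extend(check_public_database(resource, security_groups))
        elif resource["type"] in AUTOSCALING_TYPES:
            violations.extend(check_autoscaling_ceiling(resource))
    return violations


def pipeline_gate(template_json):
    """Return (passed, violations); the CI step exits non-zero when passed is False."""
    violations = evaluate_template(json.loads(template_json))
    return len(violations) == 0, violations


# Constructed sample template: two of the three databases and one of the two
# scaling groups are deliberately non-compliant so the gate has work to do.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "security_group", "name": "db-sg", "properties": {
        "ingress": [{"port": 5432, "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "security_group", "name": "app-sg", "properties": {
        "ingress": [{"port": 5432, "cidr_blocks": ["10.0.0.0/16"]}]}},
    {"type": "database_instance", "name": "orders-db", "properties": {
        "publicly_accessible": False, "security_groups": ["db-sg"]}},
    {"type": "database_instance", "name": "reports-db", "properties": {
        "publicly_accessible": True, "security_groups": ["app-sg"]}},
    {"type": "database_instance", "name": "inventory-db", "properties": {
        "publicly_accessible": False, "security_groups": ["app-sg"]}},
    {"type": "autoscaling_group", "name": "web-asg", "properties": {"min_size": 2}},
    {"type": "autoscaling_group", "name": "api-asg", "properties": {"min_size": 2, "max_size": 10}},
]})

if __name__ == "__main__":
    passed, found = pipeline_gate(SAMPLE_TEMPLATE)
    for v in found:
        print(f"[{v.rule}] {v.resource}: {v.detail}")
    raise SystemExit(0 if passed else 1)
```

The gate inspects the template, not the running environment, which is what makes it preventive: the non-zero exit stops the deploy stage, so the three public-database incidents in the scenario would have been caught before the first one. The same rule set applied after deployment would only tell you about the exposure once it existed.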


Question 8

An organization's cloud environment generates logs from 15 different services, but logs are stored separately in each service's native logging.

What is the PRIMARY security risk?

A. Log retention may exceed compliance requirements
B. Fragmented logs prevent cross-service correlation needed to detect multi-stage attacks
C. Excessive storage costs
D. Individual service logs are too detailed

Answer & reasoning

Correct: B

Fragmented logs create blind spots. Multi-stage attacks span multiple services, and without centralized logging, correlation across services is impossible. Centralization enables holistic threat detection.
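What centralization buys in Question 8 is the ability to join events from different services on a common key. The following added example (written for this review, not taken from the page) takes three constructed log sources in three different native formats, normalizes them into one event shape, and raises a single finding only when a credential-creation, enumeration and bulk-read sequence by one principal spans more than one service inside a time window. The service names, log formats, action names and byte threshold are all hypothetical.

```python
"""Cross-service log correlation.

Added example, not code from the page. Three constructed log sources, each in
its own native format, are normalized into one event shape and joined on the
principal. A multi-stage sequence (new credential, then enumeration, then a
bulk read) that spans more than one service inside a time window becomes a
single finding. Service names, formats and thresholds are all hypothetical.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs, one native format per service.
IDENTITY_LOG = [  # key=value lines
    "ts=2024-05-01T10:00:05Z actor=svc-reporting action=CreateAccessKey",
    "ts=2024-05-01T10:01:10Z actor=alice action=Login",
]
STORAGE_LOG = [  # JSON lines
    '{"time":"2024-05-01T10:06:30Z","principal":"svc-reporting","op":"ListBuckets","bytes":0}',
    '{"time":"2024-05-01T10:09:12Z","principal":"svc-reporting","op":"GetObject","bytes":734003200}',
    '{"time":"2024-05-01T10:20:00Z","principal":"alice","op":"GetObject","bytes":4096}',
]
COMPUTE_LOG = [  # CSV: time,user,event
    "2024-05-01T10:12:45Z,svc-reporting,RunInstances",
    "2024-05-01T11:30:00Z,bob,StopInstances",
]

BULK_READ_BYTES = 100 * 1024 * 1024          # hypothetical threshold for a "bulk" read
REQUIRED_STAGES = {"credential", "enumeration", "bulk_read"}
KV_RE = re.compile(r"(\w+)=(\S+)")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def _stage(action, nbytes=0):
    """Map a raw action onto an attack-chain stage; None means not interesting."""
    if action == "CreateAccessKey":
        return "credential"
    if action == "ListBuckets":
        return "enumeration"
    if action == "GetObject" and nbytes >= BULK_READ_BYTES:
        return "bulk_read"
    return None


def normalize_all(identity_lines, storage_lines, compute_lines):
    """Parse each native format into {ts, service, principal, action, stage}."""
    events = []
    for line in identity_lines:
        kv = dict(KV_RE.findall(line))
        events.append({"ts": _ts(kv["ts"]), "service": "identity",
                       "principal": kv["actor"], "action": kv["action"],
                       "stage": _stage(kv["action"])})
    for line in storage_lines:
        rec = json.loads(line)
        events.append({"ts": _ts(rec["time"]), "service": "storage",
                       "principal": rec["principal"], "action": rec["op"],
                       "stage": _stage(rec["op"], rec.get("bytes", 0))})
    for line in compute_lines:
        time, user, event = line.split(",")
        events.append({"ts": _ts(time), "service": "compute",
                       "principal": user, "action": event,
                       "stage": _stage(event)})
    return events


def correlate(events, window=timedelta(minutes=30)):
    """Per principal, look for a window holding every required stage across
    at least two services. Each principal yields at most one finding."""
    by_principal = defaultdict(list)
    for e in events:
        if e["stage"] is not None:
            by_principal[e["principal"]].append(e)
    findings = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            chain = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            stages = {e["stage"] for e in chain}
            services = sorted({e["service"] for e in chain})
            if REQUIRED_STAGES <= stages and len(services) >= 2:
                findings.append({"principal": principal, "services": services,
                                 "start": first["ts"], "end": chain[-1]["ts"]})
                break
    return findings


if __name__ == "__main__":
    for f in correlate(normalize_all(IDENTITY_LOG, STORAGE_LOG, COMPUTE_LOG)):
        print(f"multi-stage activity by {f['principal']} across {f['services']} "
              f"from {f['start']} to {f['end']}")
```

Run against the storage log alone, correlate() returns nothing: the enumeration and bulk read are visible there, but the credential-creation stage lives only in the identity log. That is the blind spot the reasoning describes; the finding exists only once the sources are normalized into one place and joined on the principal.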


Question 9

The IT team manually patches cloud instances once per quarter. Between patching cycles, a critical vulnerability is disclosed and actively exploited.

What process improvement addresses this?

A. Increase the patch cycle to monthly
B. Wait for the next quarterly cycle since the process is already defined
C. Delegate all patching to the cloud provider
D. Implement risk-based patch prioritization with emergency patching procedures for critical vulnerabilities outside the regular cycle

Answer & reasoning

Correct: D

Rigid patching schedules cannot respond to critical zero-day or actively exploited vulnerabilities. Risk-based prioritization with emergency procedures allows rapid response while maintaining a regular cycle for routine patches.


Question 10

A cloud environment has backup data stored in the same account and region as production. The backup is accessible to the same administrator accounts.

What is the PRIMARY risk?

A. Backups may consume too much storage
B. A compromise of the production environment — including ransomware — can also destroy the backup data
C. Backups in the same region may violate data sovereignty requirements
D. Administrator accounts may accidentally delete production data

Answer & reasoning

Correct: B

Co-located backups accessible from the same accounts as production are vulnerable to the same attacks. Ransomware or account compromise can destroy both production and backup data. Backups should be in separate accounts with separate credentials.


Section B master pattern

When answering Domain 5 Section B questions, ask yourself:

  • Am I thinking at scale or for a single instance?
  • Is automation or manual process the right answer?
  • Does the solution prevent problems or just detect them?
  • Are business requirements driving technical decisions?
  • Is the control centralized or fragmented?

If you choose scalable, automated, preventive controls driven by business requirements, you will answer correctly.
