Domain 4 – Section C Review: Architecture & IAM
This section integrates:
- API Security
- Supply Chain & Third-Party Software
- Cloud Application Architecture & Security Components
- IAM Solutions for Cloud Applications
Question 1
A SaaS application exposes a REST API that returns full user records including SSNs when any authenticated user queries the /users endpoint. What is the PRIMARY vulnerability?
A. Broken object-level authorization (BOLA)
B. Cross-site scripting
C. SQL injection
D. Insecure deserialization
Answer & reasoning
Correct: A
When any authenticated user can access any user record without an authorization check on the requested object, the API suffers from broken object-level authorization. This is #1 in the OWASP API Security Top 10 (API1: Broken Object Level Authorization) and allows horizontal privilege escalation: one user reading another user's data at the same privilege level.
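The following is an added example, not code from the review page: a minimal in-memory handler for a /users style endpoint that shows the BOLA defect next to its hardened form. The user records, roles, the "support sees a masked view" policy and the field names are all constructed for the illustration.

```python
"""Object-level authorization for a /users endpoint (added example).

get_user_vulnerable() reproduces the defect from the question: the caller
is authenticated, but nothing checks that the caller may read the target
record. get_user_hardened() applies an object-level policy before
returning data, and list_users_hardened() filters the collection the same
way so that /users cannot be used to bypass the per-object check.
"""
from dataclasses import dataclass

# Constructed sample data (not real records): two ordinary users.
USERS = {
    1: {"id": 1, "name": "Alice", "ssn": "xxx-xx-1111"},
    2: {"id": 2, "name": "Bob", "ssn": "xxx-xx-2222"},
}
# Fields anyone with a legitimate need (e.g. support staff) may see.
PUBLIC_FIELDS = ("id", "name")


@dataclass
class Caller:
    """Identity established by authentication (e.g. from a validated token)."""
    user_id: int
    role: str  # "user" or "support" (assumed roles for this example)


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


def get_user_vulnerable(caller: Caller, target_id: int) -> dict:
    """The defect: authenticated, but no ownership/authorization check."""
    return USERS[target_id]


def authorize_read(caller: Caller, target_id: int) -> str:
    """Object-level policy: owner gets the full record, support gets a
    masked view, everyone else is refused. Returns the access level."""
    if caller.user_id == target_id:
        return "full"
    if caller.role == "support":
        return "masked"
    raise Forbidden(f"user {caller.user_id} may not read user {target_id}")


def get_user_hardened(caller: Caller, target_id: int) -> dict:
    """Authorize first, then shape the response to the granted level."""
    level = authorize_read(caller, target_id)
    record = USERS.get(target_id)
    if record is None:
        raise KeyError(target_id)
    if level == "full":
        return dict(record)
    return {k: record[k] for k in PUBLIC_FIELDS}


def list_users_hardened(caller: Caller) -> list:
    """/users listing: apply the same per-object policy to every row."""
    visible = []
    for uid in USERS:
        try:
            visible.append(get_user_hardened(caller, uid))
        except Forbidden:
            continue
    return visible
```

In a real service the Forbidden case is usually mapped to the same response as "not found" so that the endpoint does not confirm which object IDs exist; the important point is that the check happens per object, on every request, and that the collection endpoint reuses it rather than having its own weaker logic.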
Question 2
A development team uses a popular open-source library. A critical CVE is published for the library, but the team has no inventory of where the library is deployed. What process failure does this expose?
A. Lack of static code analysis
B. Absence of a software bill of materials (SBOM) and dependency tracking
C. Missing WAF rules
D. Inadequate penetration testing
Answer & reasoning
Correct: B
Without an SBOM and dependency tracking, organizations cannot determine the blast radius of a third-party vulnerability. Supply chain security requires knowing every component in your software stack.
Question 3
An API gateway enforces rate limiting at 100 requests per minute. An attacker distributes requests across 50 compromised accounts, each sending 90 requests per minute. What additional control is needed?
A. Aggregate rate limiting across behavioral patterns, not just per-account
B. Block all accounts with more than 50 requests
C. Increase the rate limit to 200
D. Disable rate limiting since it is ineffective
Answer & reasoning
Correct: A
Per-account rate limiting alone cannot detect distributed attacks. Behavioral analysis and aggregate rate limiting across correlated sessions detect abuse patterns that per-account limits miss.
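The following is an added example, not code from the review page. It replays the scenario from the question (50 accounts, 90 requests per minute each, limit 100 per account) through a sliding-window limiter that counts both per account and per correlation group. The group key used here, source /24 plus endpoint, the aggregate limit of 1000 per minute, and the traffic itself are constructed assumptions; a production system would derive the correlation key from richer signals (device fingerprint, ASN, request shape).

```python
"""Per-account vs aggregate rate limiting (added example).

RateLimiter keeps a sliding 60-second window per account and per
correlation group. simulate_distributed_abuse() generates the constructed
traffic from the question and reports how many requests each rule blocks.
"""
from collections import Counter, defaultdict, deque


class RateLimiter:
    def __init__(self, per_account=100, aggregate=1000, window=60.0):
        self.per_account = per_account      # limit per authenticated account
        self.aggregate = aggregate          # limit per correlation group
        self.window = window                # seconds
        self.account_hits = defaultdict(deque)
        self.group_hits = defaultdict(deque)

    def _count(self, hits: deque, ts: float) -> int:
        """Drop timestamps outside the window, record this one, return count."""
        while hits and hits[0] <= ts - self.window:
            hits.popleft()
        hits.append(ts)
        return len(hits)

    def check(self, ts: float, account: str, source_ip: str, endpoint: str) -> str:
        """Returns 'allow', 'deny:account' or 'deny:aggregate'."""
        if self._count(self.account_hits[account], ts) > self.per_account:
            return "deny:account"
        # Assumed correlation key: source /24 network plus target endpoint.
        group = (source_ip.rsplit(".", 1)[0], endpoint)
        if self._count(self.group_hits[group], ts) > self.aggregate:
            return "deny:aggregate"
        return "allow"


def replay(limiter: RateLimiter, requests) -> Counter:
    """Feed (ts, account, source_ip, endpoint) tuples through the limiter."""
    verdicts = Counter()
    for req in requests:
        verdicts[limiter.check(*req)] += 1
    return verdicts


def simulate_distributed_abuse(accounts=50, per_account_rate=90,
                               per_account_limit=100, aggregate_limit=1000) -> Counter:
    """Constructed traffic: every account hits the same endpoint from the
    same /24 within one minute, each staying under the per-account limit."""
    requests = []
    for a in range(accounts):
        for i in range(per_account_rate):
            ts = i * (60.0 / per_account_rate)   # spread evenly over the minute
            requests.append((ts, f"acct{a}", f"203.0.113.{a % 254 + 1}", "/api/login"))
    requests.sort(key=lambda r: r[0])
    return replay(RateLimiter(per_account_limit, aggregate_limit), requests)
```

Run with the defaults, the per-account rule never fires (every account stays at 90), while the aggregate rule admits the first 1000 requests to the group and blocks the remaining 3500. Setting the aggregate limit very high reproduces the original deployment, where all 4500 requests go through.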
Question 4
A cloud-native application uses a microservices architecture. Service A calls Service B internally with no authentication. An attacker compromises Service A. What is the impact?
A. Microservices are inherently isolated
B. Only Service A is affected
C. The API gateway blocks lateral movement
D. The attacker can pivot to Service B and any services it trusts
Answer & reasoning
Correct: D
Without service-to-service authentication (mutual TLS, service mesh), compromising one service grants access to every service it can call. Zero-trust principles require authentication at every boundary, not just the perimeter.
Question 5
An organization integrates a third-party payment processing SDK into their cloud application. Six months later, the SDK vendor is acquired by a competitor. What is the PRIMARY supply chain risk?
A. The new owner may alter the SDK behavior, introduce backdoors, or discontinue support
B. The SDK will stop working immediately
C. The competitor will share the organization’s customer data
D. Payment processing will become faster
Answer & reasoning
Correct: A
Vendor acquisition changes the trust relationship. The new owner controls updates, could introduce malicious code, alter terms, or discontinue the product. Organizations must monitor vendor changes and have contingency plans.
Question 6
A cloud application uses OAuth 2.0 for API authorization. A developer stores access tokens in browser localStorage. What risk does this create?
A. Tokens expire too quickly
B. OAuth tokens cannot be stored client-side
C. The tokens will not work across subdomains
D. Tokens are vulnerable to XSS-based theft
Answer & reasoning
Correct: D
localStorage is accessible to any JavaScript running on the page. An XSS vulnerability allows an attacker to steal access tokens. Tokens should be stored in httpOnly cookies or handled server-side using the Backend-for-Frontend (BFF) pattern.
Question 7
A WAF is deployed in front of a cloud application API. The development team complains that legitimate requests containing JSON payloads are being blocked. What is the MOST likely cause?
A. The API should not accept JSON
B. WAF rules are tuned too aggressively, creating false positives on structured data
C. The WAF is defective
D. JSON payloads are inherently insecure
Answer & reasoning
Correct: B
Overly aggressive WAF rules frequently flag legitimate structured payloads as attacks. WAF tuning requires balancing security detection with false positive rates, especially for API traffic patterns that differ from traditional web traffic.
Question 8
A multi-tenant SaaS application uses a single database with a tenant_id column. A developer writes a query that omits the tenant_id filter. What security principle is violated and what is the impact?
A. Separation of duties; the developer should not write queries
B. Defense in depth; the WAF should catch this
C. Least privilege; one tenant can read all tenants’ data
D. Data classification; the data is not labeled
Answer & reasoning
Correct: C
Missing tenant isolation at the query level violates least privilege and enables cross-tenant data exposure. Architectural controls like row-level security policies or ORM-level tenant filters prevent this class of bug.
Question 9
An organization uses SAML-based SSO for a cloud application. Users report they can still access the application after being terminated in the IdP. What is the root cause?
A. SAML is broken
B. SAML does not support user deprovisioning
C. The application caches sessions and does not validate SAML assertions on each request
D. The IdP did not process the termination
Answer & reasoning
Correct: C
If the application creates a long-lived session after initial SAML authentication without revalidating the assertion, terminated users retain access until the session expires. Applications must implement session limits and support SCIM or back-channel logout for timely deprovisioning.
Question 10
A cloud architect is designing an application that must support authentication for employees (SAML), customers (social login), and IoT devices (certificate-based). What is the BEST architectural approach?
A. Use a centralized identity broker that federates multiple identity providers and credential types
B. Build three separate authentication systems
C. Delegate all authentication to the CSP’s built-in IAM
D. Require all users and devices to use the same authentication method
Answer & reasoning
Correct: A
A centralized identity broker (identity platform) abstracts multiple authentication methods behind a single interface. This provides consistent policy enforcement while supporting diverse credential types across different user populations.