FlashGenius Logo FlashGenius
ISC2 CCSP® · Domain 3 · 17% of Exam · August 2026 Outline

CCSP Domain 3:
Cloud Platform & Infrastructure Security

Physical & virtual infrastructure, secure data center design, risk analysis, security controls, and BC/DR planning — 2026 Exam Study Guide

100–150 Questions (CAT)
6 Domains Total
17% This Domain (~17 Qs)
700/1000 Passing Score

Domain 3: Cloud Platform & Infrastructure Security

You can't secure what you don't understand — this domain covers the hardware and virtual infrastructure underpinning every cloud service

Domain 3 accounts for 17% (~17 questions) of the August 2026 CCSP exam. It spans the full infrastructure stack: physical data centers, hypervisors, containers, storage, networking, and the management plane. Security professionals must understand both the threats unique to cloud infrastructure and the controls used to mitigate them — including BC/DR planning with RTO/RPO objectives.

CCSP Domain Weights — August 2026 Exam Outline

DomainTopicWeight~Questions
1Cloud Concepts, Architecture & Design17%~17
2Cloud Data Security20%~20
★ 3Cloud Platform & Infrastructure Security (this page)17%~17
4Cloud Application Security16%~16
5Cloud Security Operations17%~17
6Legal, Risk & Compliance13%~13

Total = 100%. CAT format: 100–150 questions, 3 hours, passing score 700/1000. Testing via Pearson VUE.

🆕 What's New in the August 2026 Exam Outline

  • Domain 3 weight unchanged at 17%, but the outline now explicitly includes container security, serverless, and multi-cloud architecture security within the infrastructure layer
  • New AI/ML subsection 1.6 added to Domain 1 — cloud AI threat detection now explicitly tested
  • New AI/ML data protection subsection 2.9 added to Domain 2
  • Domain 4 weight shifted: 17% → 16%; Domain 5: 16% → 17%
  • OWASP LLM Top-10 added to Domain 4 (Cloud Application Security)
  • CAT (Computerized Adaptive Testing) format effective since October 2025: adaptive 100–150 questions, 3-hour exam

Exam Format & Logistics

  • Format: Computerized Adaptive Testing (CAT)
  • Questions: 100–150 (~25 unscored pretest items)
  • Duration: 3 hours
  • Passing Score: 700 out of 1000
  • Delivery: Pearson VUE testing centers
  • Outline Effective: August 1, 2026

Domain 3 Subdomain Structure

  • 3.1 Comprehend Cloud Infrastructure Components
  • 3.2 Design a Secure Data Center
  • 3.3 Analyze Risks Associated with Cloud Infrastructure
  • 3.4 Plan and Implementation of Security Controls
  • 3.5 Plan Business Continuity (BC) and Disaster Recovery (DR)

Core Concepts

Deep-dive into every subdomain tested in Domain 3 — August 2026 outline

3.1 — Comprehend Cloud Infrastructure Components

Physical Environment

  • Data centers: physical facilities housing compute, storage, and networking equipment
  • Physical access controls: badge readers, mantraps, biometrics, security guards — multi-tiered physical security zones
  • Co-location (colo) facilities: tenant-leased space within a shared data center; tenant is responsible for equipment security, CSP handles facility security

Network and Communications

  • SDN (Software-Defined Networking): decouples the control plane from the data plane; enables programmable, dynamic network configuration
  • Virtual Networks: logically isolated networks within a cloud environment (e.g., AWS VPC, Azure VNet)
  • VLANs: Layer 2 network segmentation; used to isolate traffic within a shared physical network
  • VPNs: encrypted tunnels for secure communication over public networks; site-to-site or client-based
  • Dedicated Circuits: private, direct connections (e.g., AWS Direct Connect, Azure ExpressRoute) — bypass public internet for reliability and security

Compute Resources

  • Virtual Machines (VMs): isolated guest OS instances running on a hypervisor; share underlying physical hardware
  • Containers: lightweight, OS-level virtualization; share the host kernel; isolated via namespaces and cgroups (e.g., Docker, OCI)
  • Serverless Functions: ephemeral compute triggered by events; no persistent server management (e.g., AWS Lambda, Azure Functions)
  • Bare Metal: dedicated physical servers; no hypervisor layer; highest performance and isolation; used for compliance-sensitive workloads

Virtualization and Hypervisors

  • Type 1 Hypervisor (Bare Metal): runs directly on physical hardware — no host OS; examples: VMware ESXi, Microsoft Hyper-V, KVM. Used by cloud providers.
  • Type 2 Hypervisor (Hosted): runs on top of a host OS; examples: VMware Workstation, VirtualBox. Used for desktop virtualization.
  • VM Sprawl: uncontrolled proliferation of VMs; increases attack surface, complicates patch management
  • Hypervisor Vulnerabilities: flaws in the hypervisor can enable VM escape attacks or cross-tenant data access

Storage

  • Block Storage: raw storage volumes attached to compute instances; high performance; used for databases (e.g., AWS EBS)
  • Object Storage: unstructured data stored as objects with metadata; highly scalable; accessed via API (e.g., AWS S3, Azure Blob)
  • File Storage: shared file system accessed over network; hierarchical structure (e.g., AWS EFS, Azure Files)
  • SAN (Storage Area Network): dedicated high-speed network for block storage; used in enterprise environments
  • NAS (Network Attached Storage): file-level storage accessible over standard network protocols (NFS, SMB)

Management Plane

  • The orchestration layer that controls and manages compute, storage, and networking resources
  • Accessed via APIs (REST/HTTPS); cloud portals and CLI tools interact with the management plane
  • High-value attack target: compromise of the management plane grants control over all cloud resources across all tenants
  • Key security controls: MFA on admin accounts, API authentication (IAM), audit logging of all management plane calls, IP allowlisting
3.2 — Design a Secure Data Center

Logical Design

  • Tenant Partitioning: logical isolation between cloud tenants using separate virtual networks, IAM boundaries, and access control policies
  • Access Control Segmentation: role-based and attribute-based policies restrict what users and systems can access within the environment
  • Network Micro-segmentation: fine-grained network policies isolate workloads at the individual VM/container level — limits lateral movement after a breach

Physical Design

  • Geographic Location Selection: evaluate natural disaster risk (flood, earthquake zones), political stability, and legal jurisdiction affecting data sovereignty
  • Build vs. Buy: organizations choose between building proprietary data centers (capital-intensive, full control) or leasing/colo space (OpEx model, shared facility)
  • Physical Access Tiers: layered security zones — Perimeter → Building → Floor → Cage → Rack; each tier requires re-authentication

Environmental Design

  • HVAC: Heating, Ventilation, and Air Conditioning systems manage thermal environment; failure can cause hardware damage or fire
  • Multi-vendor Pathway Connectivity: multiple ISPs and network carriers with diverse physical paths eliminate single points of failure in connectivity
  • Power Redundancy: UPS (Uninterruptible Power Supply) for short-term outages; diesel generators for extended outages; dual utility feeds from separate substations

Data Center Tier Classifications (Uptime Institute)

  • Tier I: Basic site infrastructure — 99.671% uptime (~28.8 hrs downtime/year); no redundancy
  • Tier II: Redundant site infrastructure — 99.741% uptime (~22 hrs/year); some redundant components
  • Tier III: Concurrently maintainable — 99.982% uptime (~1.6 hrs/year); N+1 redundancy; no single point of failure; components maintainable without shutdown
  • Tier IV: Fault tolerant — 99.995% uptime (~26 min/year); 2N+1 redundancy; withstands any single failure without impact
  • Most enterprise cloud providers target Tier III or IV facilities
3.3 — Analyze Risks Associated with Cloud Infrastructure

Risk Assessment Process

  • Identification: threat inventory (STRIDE, threat modeling), vulnerability scanning, penetration testing, asset inventory review
  • Qualitative Analysis: uses expert judgment and risk matrices (likelihood × impact on a 1–5 or High/Med/Low scale)
  • Quantitative Analysis: assigns monetary values; uses ALE (Annualized Loss Expectancy) = ARO × SLE
  • ARO = Annualized Rate of Occurrence; SLE = Single Loss Expectancy

Cloud Vulnerabilities, Threats & Attacks

  • VM Escape: attacker breaks out of the guest VM to gain access to the hypervisor or other VMs on the same host
  • Hyperjacking: attacker compromises or replaces the hypervisor itself, gaining control over all hosted VMs
  • API Vulnerabilities: unauthenticated endpoints, broken object-level authorization, injection flaws — management plane APIs are high-value targets
  • Container Escape: attacker breaks out of container namespace isolation to access the host OS or other containers
  • Management Plane Compromise: attacker gains administrative access to the orchestration layer — can provision/delete resources, exfiltrate data, disable logging
  • Misconfiguration: publicly exposed storage buckets, over-permissive IAM policies, open security groups — largest category of cloud breaches
  • Denial of Service (DoS): resource exhaustion attacks targeting compute, network bandwidth, or API rate limits
  • Insider Threats: privileged CSP employees with access to physical hardware, hypervisors, and management systems; mitigated by CSP internal controls and audit requirements

Risk Treatment Strategies

  • Avoid: eliminate the activity or system that creates the risk (e.g., decommission an insecure legacy system)
  • Mitigate: implement controls to reduce likelihood or impact (e.g., encrypt data, apply patches, enable MFA)
  • Transfer: shift financial impact to a third party (e.g., cyber insurance, contractual indemnification)
  • Accept: consciously acknowledge residual risk that falls within risk appetite; document the decision
  • Mnemonic: MATA — Mitigate, Accept, Transfer, Avoid
3.4 — Plan and Implementation of Security Controls

Physical and Environmental Protection

  • On-premises equipment controls: cable locks, chassis intrusion detection, hardware security modules (HSMs)
  • Surveillance: CCTV, motion detection, 24/7 security operations center monitoring
  • Environmental monitoring: temperature/humidity sensors, water leak detectors, fire suppression systems (FM-200, clean agent)

System, Storage & Communication Protection

  • Encryption at Rest: protects stored data on disks, volumes, and databases (AES-256 standard)
  • Encryption in Transit: protects data moving over networks; TLS 1.2+ required (TLS 1.3 preferred)
  • Secure Protocols: HTTPS, SSH, SFTP — replace insecure equivalents (HTTP, Telnet, FTP)
  • Network Segmentation: isolate production from development, segment by data classification, use security groups and NACLs

Identity, Authentication & Authorization in Cloud

  • IAM Policies: define what actions are allowed on which resources by which principals; apply least privilege
  • RBAC (Role-Based Access Control): permissions assigned to roles, roles assigned to users — simplifies management
  • ABAC (Attribute-Based Access Control): access decisions based on attributes of user, resource, and environment; more granular than RBAC
  • MFA for Privileged Accounts: mandatory multi-factor authentication for all admin/root accounts and management plane access
  • JIT (Just-in-Time) Access: privileged access granted only when needed, for a limited time window — reduces standing privilege
  • Least Privilege Principle: grant the minimum permissions necessary to perform the required function

Audit Mechanisms

  • Log Collection: centralize logs to a SIEM (Security Information and Event Management) system; cloud-native: AWS CloudTrail, Azure Monitor, GCP Audit Logs
  • Log Correlation: SIEM rules detect patterns across multiple log sources to identify threats (e.g., brute force attempts, lateral movement)
  • Packet Capture: network taps, cloud flow logs (VPC Flow Logs), and cloud-native IDS/IPS for traffic analysis
  • Integrity Monitoring: file integrity monitoring (FIM) detects unauthorized changes to system files and configurations
3.5 — Plan Business Continuity (BC) and Disaster Recovery (DR)

BC/DR Site Types

  • Hot Site: fully operational, mirrors production environment in real-time; failover is nearly instantaneous; highest cost
  • Warm Site: partially configured; hardware is present, data may be partially replicated; hours to days to become operational; moderate cost
  • Cold Site: basic physical infrastructure only (power, cooling, connectivity); no equipment or data; days to weeks to activate; lowest cost

Recovery Objectives

  • RTO (Recovery Time Objective): maximum acceptable time to restore operations after a disruption — "how fast can you come back?"
  • RPO (Recovery Point Objective): maximum acceptable data loss measured in time — "how much data can you afford to lose?"
  • Recovery Service Level: agreed performance level that must be maintained during the recovery period (e.g., 50% of normal capacity)
  • RTO drives site type choice (low RTO → hot site); RPO drives backup frequency (low RPO → continuous replication)

BC/DR Plan Testing Methods

  • Tabletop Exercise: discussion-based; team walks through scenarios verbally; no systems affected; low cost; good for gap identification
  • Simulation / Walkthrough: structured rehearsal of the plan; individuals perform their roles without actually failing over systems
  • Parallel Test: both primary and recovery environments run simultaneously; validates DR system without disrupting production
  • Full Interruption Test: actual failover to DR site; production systems taken offline; highest confidence but highest risk and cost
  • Plans must be reviewed and updated regularly — after significant infrastructure changes, after each test, and at minimum annually

Memory Hooks

Six high-impact mnemonics and mental models to lock in Domain 3 concepts on exam day

3.2 — Data Center Tiers

Data Center Tier Uptime

"One Terrible, Two Poor, Three Excellent, Four Flawless"

Tier I = 99.671% · Tier II = 99.741% · Tier III = 99.982% · Tier IV = 99.995%

The quality of each tier maps directly to its description. Tier III is "concurrently maintainable" — no shutdown needed for maintenance. Tier IV is "fault tolerant" — withstands any single failure.

3.5 — BC/DR Objectives

RTO vs. RPO

"RTO = clocks, RPO = checkpoints"

RTO = Recovery Time Objective — how fast can you come back? (measured in hours of downtime)

RPO = Recovery Point Objective — how much data can you afford to lose? (measured in hours of data lost)

Think: Time = how long offline; Point = the last safe backup point in time.

3.1 — Hypervisors

Type 1 vs. Type 2 Hypervisor

"One is bare, two has underwear"

Type 1 (Bare Metal) = runs directly on hardware, no OS beneath it. Used by cloud providers (VMware ESXi, Hyper-V, KVM).

Type 2 (Hosted) = runs on top of a host OS — it "has something underneath." Used for desktop virtualization (VirtualBox, VMware Workstation).

3.5 — BC/DR Sites

Hot / Warm / Cold Site

"Hot coffee, warm tea, cold well water"

Hot = ready right now, instantly usable (like fresh-brewed coffee — no wait)

Warm = needs a little time to heat up (like tea steeping — hours to days)

Cold = you have to do everything from scratch (like fetching water from a well — days to weeks)

3.3 — Risk Treatment

Risk Treatment Strategies: MATA

"MATA: Make A Treatment Action"

Mitigate — implement controls to reduce risk
Accept — document and live with residual risk
Transfer — shift to insurer or third party
Avoid — eliminate the activity creating the risk

On the exam, "transfer" options often mention cyber insurance or contractual indemnification.

3.1 — Management Plane

Management Plane = Crown Jewels

"King of the cloud castle"

Whoever controls the management plane controls all VMs, storage, and networking in the environment.

This is why management plane compromise is the most critical cloud attack vector. Protect it with: MFA, IP allowlisting, API authentication, comprehensive audit logging, and JIT privileged access.

Domain 3 Vignette Quiz

10 scenario-based questions — select the best answer, then review the explanation

Question 1 of 10
Question 1 of 10
A financial services company needs to migrate a critical trading system to the cloud. After a business impact analysis, leadership determines that if a disaster occurs, the trading platform must be available again within 4 hours, but no more than 1 hour of transaction data can be lost. The company selects a cloud DR strategy accordingly.
Which BC/DR site type best satisfies the 4-hour recovery time requirement?
Question 2 of 10
During a cloud security incident investigation, analysts discover that a threat actor managed to execute code that broke out of the containerized microservice environment. The attacker was then able to read files on the underlying host operating system and access other containers running on the same host.
Which specific cloud attack type does this scenario describe?
Question 3 of 10
A cloud security architect is designing the multi-tenant architecture for a SaaS platform. Multiple enterprise customers will share the same underlying cloud infrastructure. The architect must ensure that one tenant's workloads cannot be accessed by another tenant's users or administrators, even in the event of a misconfiguration.
Which logical design control PRIMARILY addresses tenant isolation in a multi-tenant cloud environment?
Question 4 of 10
A large organization requires its primary data center to be maintainable without shutting down systems. They also require that no single point of failure can cause downtime. They have selected a co-location facility and need to confirm the facility meets these minimum requirements.
Which Uptime Institute data center tier MINIMALLY satisfies both the concurrent maintainability and no-single-point-of-failure requirements?
Question 5 of 10
A security operations team detects anomalous behavior in a cloud environment: an attacker appears to have gained root-level control of the virtualization layer itself, not just an individual virtual machine. From this position, the attacker can start and stop VMs, intercept inter-VM communication, and potentially access VM memory contents.
Which hypervisor-level attack does this scenario BEST describe?
Question 6 of 10
A cloud security team has developed a new disaster recovery plan for their critical workloads. Before committing to a full system failover test, the incident response manager wants to evaluate the plan by gathering the team to walk through the scenario verbally, identify gaps in procedures, and ensure all stakeholders understand their roles — without affecting any live systems.
Which DR testing method is the incident response manager describing?
Question 7 of 10
A cloud security architect is reviewing IAM policies for a multi-cloud environment. Several service accounts have been granted full administrator rights to all resources in the environment, even though each service account only needs to perform a specific, limited set of actions (such as reading from an S3 bucket or writing to a specific database table).
Which security principle is being VIOLATED by granting full administrator rights to these service accounts?
Question 8 of 10
A cloud provider's data center experienced an equipment failure that caused temperatures in the server room to rise significantly above normal operating levels, resulting in thermal damage to several physical servers and causing an unplanned outage. A post-incident review is conducted to identify which element of the data center design should be improved.
Which data center design element PRIMARILY failed in this scenario?
Question 9 of 10
A healthcare organization stores patient records in a cloud object storage service. Due to regulatory requirements, the organization must be able to restore to a state no more than 1 hour old in the event of data corruption or accidental deletion. Their cloud architect is designing the backup and replication strategy to meet this requirement.
Which backup strategy BEST satisfies an RPO of 1 hour for cloud object storage?
Question 10 of 10
During a cloud security assessment, a penetration tester discovers that the cloud provider's management plane API endpoint is accessible from the public internet without requiring authentication for certain administrative endpoints. If exploited, an attacker could provision new virtual machines, delete existing ones, and modify network security group rules.
Which cloud risk does this finding MOST directly represent?
🎯

Quiz Complete!

0/10

Domain 3 Flashcards

Click any card to flip it and reveal the answer

RTO vs. RPO

Click to flip ↩
Definition

RTO = Recovery Time Objective — maximum acceptable time to restore operations (measures downtime tolerance).

RPO = Recovery Point Objective — maximum acceptable data loss measured in time (measures backup frequency needed).

Low RTO → hot site. Low RPO → continuous replication.

Type 1 vs. Type 2 Hypervisor

Click to flip ↩
Definition

Type 1 (Bare Metal): runs directly on physical hardware; no host OS beneath it. Examples: VMware ESXi, Hyper-V, KVM. Used by cloud providers.

Type 2 (Hosted): runs on top of a host OS. Examples: VirtualBox, VMware Workstation. Used for desktop virtualization.

VM Escape

Click to flip ↩
Threat

An attack where malicious code running inside a guest virtual machine exploits a hypervisor vulnerability to break out of the VM isolation boundary and gain access to the hypervisor or other VMs on the same physical host.

Mitigation: keep hypervisor software patched, minimize hypervisor attack surface.

Data Center Tier III

Click to flip ↩
Uptime Institute

Concurrently Maintainable

Uptime: 99.982% (~1.6 hours downtime/year)
Redundancy: N+1 — no single point of failure
Components can be maintained without shutting down the facility

Most enterprise cloud providers use Tier III or Tier IV facilities.

Network Micro-segmentation

Click to flip ↩
Security Control

Fine-grained network policy enforcement that isolates individual workloads (VMs or containers) rather than just network segments.

Primary benefit: limits lateral movement — even if an attacker breaches one workload, they cannot easily reach others.

Implemented via security groups, network policies (Kubernetes), or micro-segmentation platforms (VMware NSX).

Management Plane

Click to flip ↩
Cloud Infrastructure

The orchestration layer that provides API-accessible control over all cloud resources: compute, storage, networking, and identity.

Why it's a crown jewel: compromise grants an attacker control over the entire cloud environment — provision/delete VMs, modify firewall rules, disable logging, exfiltrate data.

Protect with: MFA, JIT access, IP allowlisting, audit logging.

Hot / Warm / Cold Site

Click to flip ↩
BC/DR Strategy

Hot Site: Fully operational, real-time mirror. Instant failover. Highest cost.

Warm Site: Pre-configured hardware, partial data replication. Hours to days to activate. Moderate cost.

Cold Site: Basic infrastructure only. Days to weeks to activate. Lowest cost.

Risk Treatment: Transfer

Click to flip ↩
Risk Treatment Strategy

Risk transfer shifts the financial impact of a risk to a third party — the risk itself is not eliminated, but the organization is compensated if it occurs.

Examples: cyber liability insurance, contractual indemnification clauses, outsourcing to a CSP (shared responsibility model).

Part of MATA: Mitigate, Accept, Transfer, Avoid.

Study Advisor

Select the subdomains you feel confident about to get a readiness estimate and targeted study tips

3.1 — Cloud Infrastructure Components

Physical environment, SDN, compute types, hypervisors, storage, management plane

3.2 — Secure Data Center Design

Logical/physical/environmental design, data center tier classifications (I–IV)

3.3 — Risk Analysis & Cloud Threats

VM escape, hyperjacking, container escape, misconfiguration, MATA risk treatment

3.4 — Security Controls & IAM

RBAC, ABAC, MFA, JIT access, least privilege, audit mechanisms, encryption

3.5 — BC/DR Planning (RTO, RPO, Testing)

Hot/warm/cold sites, RTO vs. RPO, tabletop, parallel, full interruption tests

Domain 3 Readiness Estimate
0%

    Resources & References

    Official sources for CCSP Domain 3 preparation

    Quick Reference: Domain 3 Key Numbers

    ItemValueContext
    Domain 3 weight17%~17 of 100–150 adaptive questions
    Tier I uptime99.671%~28.8 hrs downtime/year
    Tier II uptime99.741%~22 hrs downtime/year
    Tier III uptime99.982%~1.6 hrs downtime/year; N+1; concurrently maintainable
    Tier IV uptime99.995%~26 min downtime/year; 2N+1; fault tolerant
    CCSP passing score700/1000CAT format, Pearson VUE
    Exam outline effectiveAugust 1, 2026Includes container/serverless in Domain 3
    FlashGenius CCSP Study

    Ready to Pass Domain 3?

    FlashGenius adapts to your weak spots across all 6 CCSP domains — flashcard drills, vignette questions, and domain-weighted practice tests.

    Start Free → ISC2 Official Site