Free CCSP Cloud Platform and Infrastructure Security Practice Test 2026 — Aug 2026 Outline Questions

This free CCSP Cloud Platform and Infrastructure Security practice test covers physical and logical cloud infrastructure components, virtualization security, identity and access management, BCDR, and security control planes. Each question includes a detailed explanation aligned to the ISC² CCSP Aug 2026 outline — perfect for cloud security exam prep.

6 Free CCSP Cloud Platform and Infrastructure Security Practice Questions with Answers

Each question below includes 4 answer options, the correct answer, and a detailed explanation. These are real questions from the FlashGenius CCSP (Aug 2026) question bank for the Cloud Platform and Infrastructure Security domain (17% of the exam).

Sample Question 1 — Cloud Platform and Infrastructure Security

A company runs a customer-managed Linux web application on virtual machines in an IaaS environment. A critical vulnerability is announced in the guest operating system packages used by the application. The operations manager asks whether the cloud provider should patch the affected systems because the workload is hosted in the provider's cloud. What is the BEST response from the cloud security architect?

  1. A. The provider is responsible because all infrastructure security is transferred in IaaS.
  2. B. The customer is responsible for patching and hardening the guest operating system and workload configuration. (Correct answer)
  3. C. The provider is responsible for the guest operating system, but the customer is responsible for the application code only.
  4. D. Neither party is responsible if the workload is behind private network segmentation.

Correct answer: B

Explanation: Correct answer (B): In IaaS, the provider typically secures the physical facilities, hardware, and core virtualization platform, while the customer remains responsible for the guest operating system, workload configuration, identity design, application security, and data protection. Because the vulnerability affects guest OS packages, patching and hardening the VM is the customer's responsibility. This is a core CCSP shared-responsibility distinction.

Why the other options are wrong:

- Option A: Incorrect. IaaS does not transfer all infrastructure security to the provider. The customer still owns important workload-layer responsibilities, including guest OS security.
- Option C: Incorrect. This overstates the provider's responsibility. In IaaS, the customer typically manages the guest operating system as well as the application.
- Option D: Incorrect. Network segmentation can reduce blast radius, but it does not remove patching or hardening responsibilities.

Sample Question 2 — Cloud Platform and Infrastructure Security

A global enterprise is replacing persistent cloud administrator accounts with a more controlled operating model. The security team must support emergency access for incidents, reduce standing privilege, and provide auditable records of administrative activity across multiple cloud environments. Which approach is BEST?

  1. A. Use shared administrator accounts stored in a password vault so multiple responders can access them quickly.
  2. B. Require administrators to connect through a corporate VPN, but keep permanent administrator roles assigned.
  3. C. Use strong federation with role-based access, just-in-time elevation, session logging, and documented break-glass procedures. (Correct answer)
  4. D. Create local administrator accounts inside each workload so teams are not dependent on the central identity platform.

Correct answer: C

Explanation: Correct answer (C): Cloud privileged access is best controlled through strong federation, role-based access, just-in-time elevation, session logging, and emergency access procedures. This approach reduces standing privilege, improves accountability, and still supports urgent operational access when needed. CCSP emphasizes that identity-centric control of administrative APIs is usually more effective than relying on network location alone.

Why the other options are wrong:

- Option A: Incorrect. Shared accounts weaken accountability and make session attribution difficult, even if passwords are vaulted.
- Option B: Incorrect. A VPN may add network control, but it does not address excessive standing privilege or improve administrative accountability as effectively as JIT access.
- Option D: Incorrect. Local workload-specific administrator accounts increase sprawl and weaken centralized control, monitoring, and governance.

Sample Question 3 — Cloud Platform and Infrastructure Security

A company is migrating a set of internal microservices to a cloud environment. The platform team proposes relying mainly on network segmentation between application tiers to limit lateral movement. The security architect is concerned that a compromised workload could still call management APIs or other services if identity controls are weak. Which design choice BEST addresses the stated risk?

  1. A. Keep broad service credentials but tighten subnet boundaries between all tiers.
  2. B. Use network segmentation together with least-privilege service identities for service-to-service access and administrative APIs. (Correct answer)
  3. C. Place all microservices on one flat private network and depend on centralized logging to detect misuse.
  4. D. Expose each microservice through a public endpoint so external web protections can inspect all traffic.

Correct answer: B

Explanation: Correct answer (B): Network segmentation helps reduce blast radius, but in cloud environments it does not replace strong IAM. When the main concern is a compromised workload using service credentials or administrative APIs, the best design combines segmentation with least-privilege service identities and tightly controlled access to peer services and management planes. This reflects CCSP's identity-centric cloud security model.

Why the other options are wrong:

- Option A: Incorrect. Better subnet boundaries help, but broad service credentials leave a major path for misuse and lateral movement.
- Option C: Incorrect. Logging is important, but it is detective, not preventive, and a flat network increases exposure.
- Option D: Incorrect. Making internal services public increases exposure and does not solve the identity problem described in the scenario.

Sample Question 4 — Cloud Platform and Infrastructure Security

An enterprise runs auto-scaled application servers in the cloud. Operations teams often apply manual fixes directly on running instances during incidents, and audit findings now show substantial configuration drift between servers. The company wants faster recovery and more consistent security baselines. Which approach is BEST?

  1. A. Allow manual administrator changes on running instances, but require better ticket documentation afterward.
  2. B. Rely on periodic snapshots of running instances and restore whichever snapshot was created most recently.
  3. C. Adopt maintained golden images with controlled provenance and redeploy instances immutably instead of manually modifying them in place. (Correct answer)
  4. D. Increase network isolation between servers so differences in host configuration matter less.

Correct answer: C

Explanation: Correct answer (C): Golden images and immutable deployment patterns reduce configuration drift and support faster, more consistent recovery. A governed image pipeline with controlled provenance creates an approved baseline, while redeploying instances avoids repeated in-place changes that undermine security consistency. CCSP also expects candidates to recognize that these images still need ongoing patching and vulnerability review.

Why the other options are wrong:

- Option A: Incorrect. Better documentation does not solve the underlying drift and inconsistency created by in-place changes.
- Option B: Incorrect. Snapshots may preserve a state, but they can also preserve unreviewed drift and do not create a governed secure baseline by themselves.
- Option D: Incorrect. Segmentation helps contain impact, but it does not fix insecure or inconsistent host configuration.

Sample Question 5 — Cloud Platform and Infrastructure Security

During a review of a managed Kubernetes environment, a security engineer finds that several application service accounts can read secrets outside their own namespaces, and a development team has broad administrative privileges in the cluster. The organization wants the most effective remediation to reduce privilege escalation and lateral movement. Which action is BEST?

  1. A. Tighten Kubernetes RBAC to least privilege, restrict secret access to required workloads, and strengthen namespace and workload isolation. (Correct answer)
  2. B. Move the cluster to a private subnet and leave current Kubernetes permissions unchanged.
  3. C. Increase the number of worker nodes so workloads are less likely to share infrastructure.
  4. D. Allow broad cluster privileges to remain, but add more application logs inside the containers.

Correct answer: A

Explanation: Correct answer (A): Excessive RBAC privileges, weak secret handling, and inadequate namespace or workload isolation are common Kubernetes failures that enable privilege escalation and lateral movement. The strongest remediation is to reduce RBAC permissions, limit secret access to only what each workload requires, and improve isolation boundaries within the cluster. This addresses the real control-plane and workload authorization problems instead of masking them with network changes alone.

Why the other options are wrong:

- Option B: Incorrect. Private networking may reduce external exposure, but it does not fix overly broad Kubernetes permissions or secret access.
- Option C: Incorrect. More nodes do not solve authorization problems in the control plane or namespace design.
- Option D: Incorrect. Additional logs may improve visibility, but leaving broad privileges in place fails to remediate the core security weakness.

Sample Question 6 — Cloud Platform and Infrastructure Security

A development team deploys a serverless function that processes uploaded documents and writes results to a database. The function currently uses a broad execution role, stores a database credential in a plain environment variable, and has minimal logging. The team argues that the provider secures the service, so these issues are low priority. Which recommendation is BEST?

  1. A. Focus only on the provider's patching of the underlying runtime because serverless removes most customer security obligations.
  2. B. Reduce the execution role to least privilege, move the credential to a protected secret store, validate event sources, and improve logging. (Correct answer)
  3. C. Place the function behind a corporate VPN so its broad permissions are less risky.
  4. D. Convert the function to a VM-based deployment because serverless cannot be secured.

Correct answer: B

Explanation: Correct answer (B): In serverless environments, the provider generally secures more of the underlying runtime and infrastructure, but the customer still owns IAM, data security, secure application logic, configuration, logging choices, and exposure introduced through APIs, triggers, and integrations. Least-privilege execution roles, protected secrets, event-source validation, and better logging are the most effective controls for the risks described. Serverless changes the boundary of responsibility; it does not remove customer responsibility.

Why the other options are wrong:

- Option A: Incorrect. Provider responsibility for the runtime does not remove the customer's responsibilities for IAM, secrets, configuration, and observability.
- Option C: Incorrect. A VPN does not meaningfully correct an overprivileged execution role or insecure secret handling inside the function.
- Option D: Incorrect. Moving to VMs would increase operational burden and is not required to secure the workload described.

How to Study CCSP Cloud Platform and Infrastructure Security

Combine these CCSP Cloud Platform and Infrastructure Security practice questions with the ISC² Official Study Guide, hands-on labs in AWS, Azure, and GCP security services, and the Cloud Controls Matrix (CCM). The CCSP exam is vendor-neutral, so understanding cloud security concepts that apply across all three major hyperscalers is more important than deep expertise in any single one.
