Free GDSA Cloud-Based and Hybrid Security Architecture Practice Test 2026 — GIAC Defensible Security Architect Questions

This free GDSA Cloud-Based and Hybrid Security Architecture practice test covers cloud and hybrid security architecture, CASB, cloud IAM, shared responsibility, and securing cloud networks. Each question includes a detailed explanation with defensible-architecture context — perfect for GDSA exam prep.

6 Free GDSA Cloud-Based and Hybrid Security Architecture Practice Questions with Answers

Each question below includes 4 answer options, the correct answer, and a detailed explanation. These are real questions from the FlashGenius GDSA question bank for the Cloud-Based and Hybrid Security Architecture domain (12% of the exam).

Sample Question 1 — Cloud-Based and Hybrid Security Architecture

A retailer lifted a claims-processing application from on-premises virtual machines into an IaaS environment. A review found the cloud instances are still unpatched, security rules are overly broad, and workload logs are not being collected. Operations argues that because the application is now in the cloud, the provider owns server security. The application cannot be rewritten this quarter. What is the best architecture decision to close the most important gap?

A. Rely on provider-managed infrastructure controls and focus on application fixes and user training.
B. Add a perimeter firewall to the cloud subnet and defer host, identity, and logging work.
C. Establish customer-managed patching, network controls, IAM, and centralized logging for the IaaS instances. (Correct answer)
D. Plan a future move to SaaS so the provider will own server security and monitoring immediately.

Correct answer: C

Explanation: In IaaS, the provider secures the underlying infrastructure, but the customer still owns major responsibilities including guest OS patching, workload configuration, network controls, identity, and logging. The current gap is not the cloud platform itself but the missing customer-managed security baseline. Establishing patching, tighter access control, and centralized logging improves both prevention and detection without requiring application refactoring.

Why the other options are wrong:
- Option A: This repeats the shared-responsibility mistake in the stem. Provider-managed infrastructure does not remove customer responsibility for instance hardening, access control, and telemetry in IaaS.
- Option B: A subnet firewall may help with some north-south filtering, but it does not solve the unpatched hosts, broad trust relationships, or missing workload logs. It is too narrow for the stated problem.
- Option D: A future SaaS move may change responsibility boundaries later, but it does nothing to reduce the present risk in the current IaaS deployment.

Sample Question 2 — Cloud-Based and Hybrid Security Architecture

A manufacturer migrated a three-tier legacy application into cloud IaaS and connected it to on-premises shared services. To speed migration, the team preserved broad allow rules across peered cloud networks and the data center. The application cannot be refactored this year, but leadership wants to reduce lateral movement if one workload is compromised. Which architecture change is best?

A. Require MFA for application users and keep the current east-west trust model.
B. Implement workload-based segmentation between tiers and limit peering, routes, and security rules to required flows. (Correct answer)
C. Deploy a larger internet-edge firewall and keep internal cloud networks broadly reachable.
D. Mirror all traffic to monitoring tools and postpone segmentation until refactoring is complete.

Correct answer: B

Explanation: The primary weakness is preserved east-west trust across hybrid networks, not user authentication or internet-edge filtering. In hybrid lift-and-shift environments, broad peering, routes, and security rules can allow a compromised workload to pivot widely. Workload-based segmentation that allows only required flows is the best architectural control because it reduces attack paths now, even when the legacy application cannot yet be redesigned.

Why the other options are wrong:
- Option A: MFA for users is useful, but it does not contain workload-to-workload movement after a server compromise. The stated goal is lateral movement reduction inside the hybrid estate.
- Option C: A bigger edge firewall mainly addresses north-south exposure. It does not fix the broad internal trust relationships that are enabling hybrid lateral movement.
- Option D: Additional monitoring helps detection, but leaving segmentation unchanged preserves the attack path. The question asks for the best architecture change to reduce movement, not only observe it.

Sample Question 3 — Cloud-Based and Hybrid Security Architecture

An enterprise uses the same admin laptops and full-tunnel VPN access to manage on-premises hypervisors, cloud consoles, and container orchestration systems. A red-team exercise showed that a stolen admin session could modify infrastructure and bypass many workload-level controls. What is the best redesign of the administrative access path?

A. Keep VPN access and shorten password rotation for the shared administrator accounts.
B. Expose management interfaces only to the corporate IP range and rely on endpoint antivirus.
C. Grant standing cloud and hypervisor roles to senior administrators and review activity during audits.
D. Create a separate management access path using monitored jump hosts or brokers, MFA, role separation, and time-bounded privilege. (Correct answer)

Correct answer: D

Explanation: Management planes in hybrid environments require stronger protection than ordinary workload access because compromise there can bypass workload-level controls entirely. A separate, monitored administrative path with MFA, role separation, and just-in-time or time-bounded privilege reduces standing trust, improves accountability, and creates better visibility for response. VPN presence or trusted network location alone should not be treated as sufficient trust for control-plane access.

Why the other options are wrong:
- Option A: Password rotation does not address the larger problem of broad standing access through a shared administrative path, and it does little against session theft or overprivileged accounts.
- Option B: Restricting by source IP is weaker than identity-aware, monitored admin access. A compromised endpoint inside the trusted range could still reach critical management interfaces.
- Option C: Standing roles increase exposure and weaken least privilege. Periodic audits are too slow for control planes that can change infrastructure immediately.

Sample Question 4 — Cloud-Based and Hybrid Security Architecture

A hospital runs several on-premises hypervisors that host workloads synchronized with cloud applications. The security team can fund only one near-term project at the virtualization layer. Their main concern is that compromise of one management workstation could expose many hosted workloads at once. Which project is the best choice?

A. Increase user MFA for the cloud applications and defer hypervisor updates until the next hardware refresh.
B. Patch and harden hypervisors, restrict management interfaces to an admin-only segment, and centralize management logs. (Correct answer)
C. Install more endpoint tools in each guest VM and leave hypervisor management reachable from user networks.
D. Deploy a web application firewall and assume guest segmentation will protect the host layer.

Correct answer: B

Explanation: Hypervisors are high-value assets in hybrid environments because one compromise can expose many hosted workloads at once. The best near-term investment is to strengthen the virtualization layer itself by patching and hardening the hypervisors, isolating management access, and collecting centralized logs. This improves both prevention and visibility at the layer where risk is concentrated.

Why the other options are wrong:
- Option A: User MFA for cloud applications does not address the virtualization-layer risk described in the scenario. The problem is concentrated at the hypervisor management plane.
- Option C: Guest-level endpoint tools do not adequately protect the hypervisor or its management interfaces. Leaving management reachable from user networks preserves the main exposure.
- Option D: A WAF protects web applications, not hypervisor administration. It does not meaningfully reduce the stated virtualization-layer risk.

Sample Question 5 — Cloud-Based and Hybrid Security Architecture

During a rapid cloud rollout, a company exposed admin portals, SSH gateways, and several internal APIs directly to the internet. Most administrators can instead use private connectivity, and external users only need the public web front end. What is the best architecture change to reduce attack surface?

A. Remove unnecessary internet-facing services, restrict admin endpoints, and place required public access behind proxies or private mediation. (Correct answer)
B. Keep all services public, add geoblocking rules, and monitor failed logins for unusual patterns.
C. Keep admin portals public, require longer passwords, and rotate certificates more frequently.
D. Publish fewer DNS records, leave direct access in place, and rely on cloud rate limiting for protection.

Correct answer: A

Explanation: The strongest attack-surface reduction is to eliminate unnecessary public exposure rather than compensate around it. In this scenario, only the public web front end needs internet reachability. Administrative services and internal APIs should be removed from direct internet exposure and accessed through private connectivity or mediated paths such as reverse proxies where required.

Why the other options are wrong:
- Option B: Geoblocking and login monitoring may add value, but they leave unnecessary public exposure in place and therefore do not best reduce attack surface.
- Option C: Password and certificate hygiene are good practices, but they do not address why sensitive administrative services remain internet-reachable.
- Option D: Reducing DNS visibility is not the same as reducing exposure. The services would still be directly accessible and attackable.

Sample Question 6 — Cloud-Based and Hybrid Security Architecture

An insurer stores customer records in an on-premises database, replicates selected fields to a cloud-managed database service, and allows analysts to export reports to laptops. The security team wants stronger data protection but has no current map of where sensitive data resides or how it moves between systems. What is the best next architecture action?

A. Deploy edge DLP at the internet boundary first and treat all exports as the same sensitivity level.
B. Encrypt both databases immediately and defer analysis of report movement until after the migration project.
C. Move the replicated dataset into one cloud service first and assume consolidation reduces exposure by itself.
D. Inventory sensitive data locations and flows across storage, applications, networks, and endpoints before placing controls. (Correct answer)

Correct answer: D

Explanation: Data-centric protection decisions are only as good as the understanding of where sensitive data resides and how it moves. In this scenario, records exist in multiple storage locations and also flow to analyst laptops, so the team needs data discovery and flow mapping before it can correctly place controls at storage, application, network, and endpoint layers. Starting with DLP or encryption alone risks protecting only part of the real exposure path.

Why the other options are wrong:
- Option A: Boundary DLP may catch some movement, but it is not the best first step when the organization does not yet know all data locations, paths, or sensitivity differences.
- Option B: Encryption may be appropriate, but it does not identify where else sensitive data exists or how report exports to endpoints change the protection strategy.
- Option C: Consolidation alone does not guarantee better protection and may simply move poorly understood risk into a different location.

How to Study GDSA Cloud-Based and Hybrid Security Architecture

Combine these GDSA Cloud-Based and Hybrid Security Architecture practice questions with hands-on lab work and the SANS SEC530 course. The GDSA exam emphasizes practical defensible-architecture decisions, so always ask which option is most defensible, most resilient, and aligned with Zero Trust principles.
