Cloud Security Professional Intermediate Practice Exam: Medium Difficulty 2025

A security team is rolling out Cortex Cloud across multiple cloud accounts and wants a single place to normalize findings from runtime, posture, and application security so they can triage in one workflow. They also want the ability to route prioritized alerts to their existing ITSM tool. Which approach best meets this requirement?

A platform team wants to enforce least privilege for onboarding cloud accounts into Cortex Cloud. They need to collect posture data and ingest cloud activity logs, but they want to avoid granting broad administrative permissions. Which design best aligns with least privilege while still enabling continuous visibility?

A Kubernetes workload begins making outbound connections to a cryptocurrency mining pool. The SOC wants to stop the activity quickly and understand how the container was introduced. Which combination of capabilities is most appropriate?

A company runs serverless functions that access sensitive data. The security team wants detection of suspicious behavior (for example, unusual data access patterns) without deploying agents. They also want to reduce false positives by baselining normal behavior. Which approach is the best fit?

A container image used in production contains a vulnerable library, but the workload is protected by runtime controls. The application team argues there is no need to patch because runtime protection will block exploitation. What is the best security response?

A CI pipeline builds container images and pushes them to a registry. Security requirements state: (1) prevent deployment of images with critical vulnerabilities, (2) allow exceptions only with documented approval, and (3) ensure the running workload matches what was scanned. Which solution pattern best meets these requirements?

A development team uses infrastructure-as-code (IaC) to provision cloud resources. The security team wants to catch misconfigurations (for example, public storage or overly permissive IAM) before deployment, and also ensure production remains compliant over time. Which approach is most effective?

A microservices application runs in Kubernetes. The team wants to reduce the risk of credential theft and lateral movement. They also want to ensure that a compromised container cannot access the Kubernetes API unless necessary. Which combined set of controls is most appropriate?

A SOC receives hundreds of posture alerts for ‘publicly accessible resource’ across multiple cloud accounts. They need to prioritize what to fix first using business context (internet exposure, data sensitivity, and identity privilege). Which workflow is most appropriate?

An organization wants to reduce mean time to respond (MTTR) for cloud incidents. They already use a SIEM and an ITSM platform. They want high-fidelity alerts only, automated enrichment (asset owner, tags, exposure), and a repeatable response workflow for common cloud findings. What is the best design?