Managing-Cloud-Security WGU Managing Cloud Security (JY02, GZO1) Free Practice Exam Questions (2026 Updated)

Tabletop testing is the disaster recovery testing method with the least impact on production systems. Managing Cloud guidance explains that tabletop exercises are discussion-based scenarios where stakeholders walk through response procedures without executing actual system changes.

This approach allows teams to validate roles, responsibilities, communication paths, and decision-making processes. Tabletop testing is cost-effective, low-risk, and ideal for early validation of disaster recovery and business continuity plans.

Dry runs and full tests involve actual system actions and can impact production. Unit testing focuses on individual components. Therefore, tabletop testing is the correct answer.

In cloud contract design, transportable means that data, applications, or services are able to be moved to another vendor. Managing Cloud principles explain that transportability supports exit strategies, reduces vendor lock-in risk, and enables business continuity.

Transportable solutions rely on standardized data formats, documented APIs, and interoperable architectures. Contracts often include provisions ensuring customers can retrieve data in usable formats and migrate workloads if needed.

Access by mobile devices, proprietary formats, or rapid archiving do not address vendor independence. Therefore, the correct definition of transportable is the ability to move to another vendor.

Multitenancy of networks is a logical design consideration when planning a data center. Managing Cloud principles explain that logical considerations focus on how systems, networks, and services are structured and interact, rather than physical infrastructure components.

Multitenancy requires logical separation of tenants to ensure confidentiality, integrity, and availability of data. This includes network segmentation, virtual LANs, access controls, and isolation mechanisms that prevent one tenant from accessing another tenant’s resources. Proper logical design is critical in cloud environments where multiple customers share the same physical infrastructure.

The other options represent non-logical considerations. Heating and cooling and utility power availability are physical and environmental concerns, while ability for expansion relates to physical capacity planning. Therefore, multitenancy of networks is the correct logical consideration.

Dedicated memory allocation ensures isolation between virtual machines in a shared environment. Without memory isolation, remnants of one VM’s operations might remain in physical memory and be accessible to another VM, leading to cross-tenant data leakage. Assigning dedicated memory prevents attackers from exploiting memory-sharing vulnerabilities.

Encrypted network protocols protect data in transit, not memory. Encrypted file systems safeguard storage, not volatile memory. A dedicated processor helps with performance and isolation of compute tasks but does not secure temporary memory contents.

Cloud environments are multi-tenant, which makes memory isolation a critical safeguard. By dedicating memory or enforcing strict hypervisor-level isolation, providers prevent data exposure between customers. This aligns with best practices for virtualization security and the “resource pooling” characteristic of cloud computing, ensuring that shared infrastructure does not compromise confidentiality.

Risk mitigation reduces the impact of risk within BCDR planning. Managing Cloud principles explain that mitigation involves implementing controls and safeguards to lessen the likelihood or severity of adverse events.

Examples include redundancy, backups, failover mechanisms, and monitoring. These measures do not eliminate risk but significantly reduce operational disruption and data loss when incidents occur.

Insurance transfers financial risk, avoidance eliminates activities, and acceptance acknowledges risk without action. Therefore, mitigation is the correct strategy for reducing impact.

Architecting for failure is a fundamental business continuity and disaster recovery consideration in cloud application architecture. Managing Cloud principles emphasize that cloud systems must be designed with the assumption that components will fail.

Architecting for failure involves implementing redundancy, fault tolerance, automated recovery, and failover mechanisms. Applications should be resilient to infrastructure outages and capable of continuing operation despite component failures. This approach reduces downtime and ensures service availability during incidents.

Health status pages provide visibility, compliance addresses regulatory needs, and message queues support communication but do not fully address BC/DR requirements. Therefore, architecting for failure is the correct answer.

A dry run disaster recovery plan test requires broad organizational participation in a simulated disaster scenario without executing all production-impacting tasks. Managing Cloud principles explain that dry run testing validates coordination, communication, and procedural readiness while avoiding the risks of full operational disruption.

In a dry run, teams follow documented recovery steps conceptually or in limited execution, verifying that dependencies, responsibilities, and sequencing are correct. This approach provides higher fidelity than tabletop exercises, which are discussion-based, while avoiding the operational risks of full or parallel tests.

Parallel tests involve running recovery systems alongside production, and full tests execute all recovery actions, often causing service disruption. Therefore, a dry run offers a balanced method to test preparedness across the organization without full execution.

A Web Application Firewall (WAF) allows customers to redirect traffic as part of securing cloud-hosted applications. Managing Cloud principles explain that WAFs operate at the application layer and can inspect, filter, allow, block, or redirect HTTP and HTTPS traffic based on defined security rules.

Traffic redirection is commonly used to route suspicious or malicious requests away from protected applications, forward traffic to alternate services, or enforce secure communication paths. WAFs can also integrate with load balancers and content delivery networks to manage traffic flow efficiently while protecting applications from attacks such as SQL injection, cross-site scripting, and denial-of-service attempts.

The other options do not provide traffic redirection. SIEM systems aggregate and analyze logs, intrusion detection and prevention systems focus on detection and blocking, and cryptographic key management handles encryption keys. Therefore, a web application firewall is the correct answer.

Acceptance testing evaluates whether the system meets user requirements and performs as expected in real-world conditions. In this case, employees need the graphical interface to work properly for customer data entry. Acceptance testing confirms usability, accuracy, and functionality from the end user’s perspective.

Load testing measures performance under stress, regression testing checks for errors introduced by new changes, and security testing ensures system defenses. These are valuable, but they do not validate end-user satisfaction and workflow alignment.

Acceptance testing is the final validation step before production deployment. It ensures that updates deliver intended business value and user experience. By involving employees in acceptance testing, organizations ensure successful adoption of new systems.

The correct time for data deletion is after the specified retention period defined by contractual agreements, regulatory frameworks, or internal policies. Retention policies ensure that data is kept for as long as necessary for business, legal, or compliance reasons but not longer than required.

Oversubscription, inactivity, or review cycles are not valid triggers because they may conflict with compliance mandates such as GDPR, HIPAA, or PCI DSS. Deleting data prematurely could result in legal penalties or business risks, while keeping it longer than necessary could increase exposure.

By deleting data only after the retention period, providers demonstrate adherence to data governance principles and protect customer rights while minimizing storage costs and liability.

The compute component of a cloud platform encompasses resources used to run workloads, including containers, virtual machines, and storage tied directly to those workloads. Compute services are the foundation of cloud infrastructure, enabling execution of applications and management of data.

Security, monitoring, and networking are supporting components but do not include execution environments. Compute resources scale elastically, allowing organizations to match demand and optimize cost.

By combining containers and storage within compute, cloud platforms allow rapid deployment, portability, and isolation of applications. This component underpins modern architectures like Kubernetes and serverless computing, providing agility and efficiency.

Threat modeling is the approach that helps developers prepare for common application vulnerabilities in cloud environments. Managing Cloud principles explain that threat modeling is a proactive security activity performed during the design and development phases of an application.

This approach involves identifying potential threats, attack vectors, and weaknesses based on application architecture, data flows, trust boundaries, and usage patterns. By anticipating how attackers may exploit cloud-specific characteristics—such as exposed APIs, shared resources, and identity-based access—developers can design controls to mitigate risks early in the lifecycle.

Sandboxing and application virtualization are isolation techniques rather than preparation methods, and multitenancy describes a cloud architecture characteristic. Threat modeling directly supports secure design by aligning security controls with known vulnerability patterns. Therefore, threat modeling is the correct answer.

Cryptographic erasure is a secure data sanitization technique that relies on encryption. The process involves encrypting the data, encrypting the keys with a second layer, and then destroying the encryption keys. Without the keys, the encrypted data becomes unreadable and is effectively destroyed, even though the storage media remains intact.

One-way hashing is used for password storage, not full data destruction. Degaussing is for magnetic media, and overwriting involves physically writing new data over existing sectors.

Cryptographic erasure is widely used in cloud environments where physical media cannot be easily destroyed or reclaimed by customers. It ensures compliance with data retention and privacy regulations while maintaining environmental sustainability by allowing reuse of storage hardware.

A cloud-based DDoS protection strategy helps mitigate attacks by rerouting traffic to specialized mitigation services. Managing Cloud guidance explains that cloud providers leverage large-scale, distributed infrastructures capable of absorbing and filtering massive volumes of malicious traffic.

When an attack is detected, traffic is redirected to scrubbing centers or mitigation platforms that analyze and filter malicious packets before forwarding legitimate traffic to the target application. This prevents backend systems from becoming overwhelmed and ensures service availability.

The other options provide limited protection. Load balancing and multiple endpoints distribute traffic but do not filter attacks, and scaling applications may still fail under volumetric attacks. Therefore, rerouting traffic to mitigation services is the most effective strategy.

Under the General Data Protection Regulation (GDPR), an EU citizen must provide specific consent before an organization may process their personal data, unless another lawful basis explicitly applies. Managing Cloud principles explain that consent must be freely given, specific, informed, and unambiguous. This ensures individuals retain control over how their personal information is collected and used.

Consent must clearly state the purpose of processing and cannot be implied or bundled with unrelated terms. Organizations must also be able to demonstrate that consent was obtained and allow individuals to withdraw consent at any time. This requirement strengthens transparency and accountability in data handling practices.

The other options do not satisfy GDPR consent requirements. Legal purpose attestation is an organizational responsibility, data accuracy verification is a data quality obligation, and statements of need do not replace explicit consent. Therefore, specific consent is required before processing personal data.

Key escrow is the management process that involves multiple key holders, where each party has access to a portion of the cryptographic information. Managing Cloud principles explain that key escrow is designed to ensure availability and recoverability of encrypted data while maintaining security controls.

In this model, encryption keys are stored securely with trusted third parties or divided among multiple custodians. No single individual has full access to the complete key, reducing the risk of misuse or compromise. Key escrow is often used to support compliance, lawful access requirements, and business continuity needs, ensuring that encrypted data can be recovered if the primary key holder is unavailable.

The other options do not fit this definition. Recovery refers to restoring keys or data, revocation disables compromised keys, and distribution focuses on delivering keys to authorized systems. Therefore, escrow is the correct answer.

Industry best practice requires that encryption keys are stored separately from the data they protect. This ensures that if the data storage system is compromised, attackers cannot immediately decrypt sensitive information. The use of a secure escrow system is a recognized approach.

An escrow provides controlled storage for encryption keys, ensuring they are only accessible by authorized processes and not co-located with the protected data. Keeping keys “local” to the data creates a single point of failure. A public or private repository without specialized protection mechanisms would also be insufficient due to risks of insider threats or misconfiguration.

By placing keys in an independent escrow system, the organization enforces separation of duties, strengthens defense-in-depth, and aligns with cryptographic standards from NIST and ISO. This practice is vital when dealing with archival data, where long-term confidentiality must be preserved even as systems evolve.

Vendor lock-in is a risk most closely associated with the public cloud. Managing Cloud guidance explains that public cloud providers often use proprietary services, APIs, tools, and architectures that make migration to another provider difficult and costly.

Organizations may heavily invest in provider-specific technologies, which can limit flexibility and increase dependency. If pricing models change, services are discontinued, or availability issues arise, customers may face significant challenges in exiting the provider’s ecosystem.

While regulatory noncompliance, malware, and personnel threats exist in all environments, vendor lock-in is especially prominent in public cloud adoption due to its scale and proprietary service offerings. Therefore, vendor lock-in is the correct answer.

A loss of policy control is a key risk when using a community cloud compared to a private cloud. Managing Cloud principles explain that community clouds are shared by multiple organizations with common objectives, compliance needs, or industry requirements.

Because governance is shared across participants, individual organizations may have reduced ability to enforce customized security policies, configurations, or controls. Policy decisions often require consensus, which can limit flexibility and slow response to emerging risks.

Private clouds provide full control over governance, security policies, and configurations. The other options are not inherent risks of community cloud models. Therefore, loss of policy control is the correct answer.