- (Topic 4)
An IT professional is selecting the appropriate cloud storage solution for an application that has the following requirements:
. The owner of the objects should be the object writer.
· The storage system must enforce TLS encryption.
Which of the following should the IT professional configure?

1. A. A bucket
2. B. A CIFS endpoint
3. C. A SAN
4. D. An NFS mount

Correct Answer: A
A bucket is a cloud storage solution that allows users to store and access objects, such as files, images, videos, etc. A bucket is typically associated with object storage services, such as Amazon S3, Google Cloud Storage, or Microsoft Azure Blob Storage123. A bucket has the following characteristics that match the requirements of the application:
✑ The owner of the objects is the object writer. This means that the user who
uploads or writes an object to the bucket becomes the owner of that object and can control its access permissions456.
✑ The storage system enforces TLS encryption. This means that the data in transit
between the client and the bucket is encrypted using the Transport Layer Security (TLS) protocol, which provides security and privacy for the communication .
A CIFS endpoint, a SAN, and an NFS mount are not cloud storage solutions, but rather network protocols or architectures that enable access to storage devices

- (Topic 3)
A cloud security engineer needs to ensure authentication to the cloud pro-vider console is secure. Which of the following would BEST achieve this ob-jective?

1. A. Require the user's source IP to be an RFC1918 address.
2. B. Require the password to contain uppercase letters, lowercase letters, numbers, and symbols.
3. C. Require the use of a password and a physical token.
4. D. Require the password to be ten characters long.

Correct Answer: C
A password and a physical token are two factors of authentication that can provide a higher level of security than a password alone. A physical token is a device that generates a one-time code or password that the user must enter along with their password to access the cloud provider console. This is an example of multi-factor authentication (MFA), which requires the user to present two or more pieces of evidence to prove their identity. MFA can prevent unauthorized access even if the password is compromised, as the attacker would also need to have the physical token to log in.

- (Topic 4)
A cloud administrator created four VLANs to autoscale the container environment. Two of the VLANs are on premises, while two VLANs are on a public cloud provider with a direct link between them. Firewalls are between the links with an additional subnet for communication, which is 192.168.5.0/24.
The on-premises gateways are:
* 192.168.1.1/24
* 192.168.2.1/24
The cloud gateways are:
* 192.168.3.1/24
* 192.168.4.1/24
The orchestrator is unable to communicate with the cloud subnets. Which Of the following should the administrator do to resolve the issue?

1. A. Allow firewall traffic to 192.168.5.0/24.
2. B. Set both firewall interfaces to 192.168.5.1/24.
3. C. Add interface 192.168.3.1/24 on the local firewall.
4. D. Add interface 192.168.1.1/24 on the cloud firewall.

Correct Answer: A
To allow communication between the on-premises and cloud subnets, the firewall traffic should be allowed to pass through the additional subnet for communication, which is 192.168.5.0/24. This subnet acts as a bridge between the two networks and should have firewall rules that permit traffic from and to both sides.
References: [CompTIA Cloud+ Study Guide], page 181.

- (Topic 1)
An organization is hosting a cloud-based web server infrastructure that provides web- hosting solutions. Sudden continuous bursts of traffic have caused the web servers to saturate CPU and network utilizations.
Which of the following should be implemented to prevent such disruptive traffic from reaching the web servers?

1. A. Solutions to perform NAC and DLP
2. B. DDoS protection
3. C. QoS on the network
4. D. A solution to achieve microsegmentation

Correct Answer: B
Distributed denial-of-service (DDoS) protection is a type of security solution that detects and mitigates DDoS attacks that aim to overwhelm or disrupt a system or service by sending large volumes of traffic from multiple sources. DDoS protection can prevent such disruptive traffic from reaching the web servers by filtering out malicious or unwanted traffic and allowing only legitimate traffic to pass through. DDoS protection can also help maintain the availability and functionality of web services and applications during a DDoS attack. References: CompTIA Cloud+ Certification Exam Objectives, page 14, section 2.7
Reference: https://blog.paessler.com/the-top-5-causes-of-sudden-network-spikes

- (Topic 1)
Which of the following strategies will mitigate the risk of a zero-day vulnerability MOST efficiently?

1. A. Using only open-source technologies
2. B. Keeping all resources up to date
3. C. Creating a standby environment with a different cloud provider
4. D. Having a detailed incident response plan

Correct Answer: D
An incident response plan is a document or procedure that defines the roles, responsibilities, and actions to be taken in the event of a security incident or breach. Having a detailed incident response plan can help mitigate the risk of a zero-day vulnerability most efficiently, as it can provide a clear and consistent framework for identifying, containing, analyzing, and resolving any potential threats or exploits related to the unknown or unpatched vulnerability. Having a detailed incident response plan can also help minimize the impact and damage of a security incident or breach, as it can enable timely and effective recovery and restoration processes. References: CompTIA Cloud+ Certification Exam Objectives, page 14, section 2.7