1

Resposta de referência

Encryption in transit protects data as it travels over a network, such as an internet, from one location to another. The data is encrypted during transmission (through HTTPS or SSL/TLS) to prevent tampering or eavesdropping. Encryption at rest protects data stored on a physical device or cloud environment. The data is encrypted to be unreadable without the correct decryption key (in case the device or system is lost or stolen). Encryption of data in use protects data that is being processed, such as when it is being loaded into memory or modified in an application

2

Resposta de referência

Azure Sphere Security Service is a cloud-based service that provides continuous security for Azure Sphere devices. It ensures that devices are authenticated, receives security updates, and monitors for threats. It works with Azure Sphere OS and certified hardware to provide end-to-end security.

3

Resposta de referência

Access Key ID is a unique identifier for an IAM user's long-term access keys, used to sign API requests programmatically (e.g., via AWS CLI or SDK). Principal ID is a unique identifier for an IAM principal (user, role, or federated user) that appears in CloudTrail logs to identify who made an API call. Example: When a user named 'John' uses an access key to call 's3:GetObject', CloudTrail logs the 'userIdentity' field with the 'principalId' (e.g., 'AROA1234567890EXAMPLE:John') and the 'accessKeyId' (e.g., 'AKIA1234567890EXAMPLE'). Use Access Key ID for authentication and Principal ID for auditing and investigation.

4

Resposta de referência

Google Cloud Healthcare API is a managed service for building healthcare solutions. It provides APIs for storing, accessing, and analyzing healthcare data in formats like FHIR, HL7v2, and DICOM. It helps with interoperability, data exchange, and analytics in healthcare.

5

Resposta de referência

AWS Snowmobile is a petabyte-scale data transfer service. Snowmobile is a ruggedized device that can be used to transfer large amounts of data to and from AWS. Snowmobile is a good choice for transferring large amounts of data, such as data for migration or disaster recovery.

6

Resposta de referência

Multi-Factor Authentication (MFA) is a critical security mechanism that enhances user authentication by requiring two or more independent verification factors before granting access to an account, application, or system. Instead of relying solely on a password, MFA combines multiple credentials from distinct categories: something you know (password or PIN), something you have (security token, smartphone, or smart card), and something you are (biometric identifiers like fingerprints or facial recognition). In cloud environments, MFA is particularly important because access is typically internet-based, which exposes accounts to global attack vectors such as phishing, credential stuffing, and brute-force attacks. By adding an extra verification step, MFA significantly reduces the likelihood of unauthorized access—even if a password is compromised. For example, when a user logs into an AWS, Azure, or Google Cloud account, MFA might require entering a one-time passcode (OTP) sent to a mobile device or generated by an authenticator app like Google Authenticator or Microsoft Authenticator. Some organizations deploy hardware security keys compliant with FIDO2 or YubiKey standards for even stronger protection. MFA also supports compliance with security frameworks such as NIST 800-63B, PCI DSS, and ISO 27001, all of which emphasize multi-factor verification for sensitive or privileged accounts. In modern Zero Trust architectures, MFA acts as a foundational layer of defense—verifying identity at every login and access attempt, not just once. It is one of the simplest yet most powerful ways to prevent data breaches and maintain secure access across the cloud ecosystem.

7

Resposta de referência

Google Cloud Identity and Access Management (IAM) is a service that allows you to manage access to GCP resources. IAM allows you to create users and groups, and to assign them permissions to GCP services and resources. IAM also allows you to control access to GCP resources using policies. IAM is a critical part of any GCP deployment. It helps you to protect your resources and to ensure that only authorized users have access to them.

8

Resposta de referência

Selecting cloud-native security tools requires assessing capabilities, integration, scalability, and operational impact: - Identify requirements: Determine which security domains need coverage (e.g., posture management, threat detection, compliance). - Evaluate native tools: Assess provider-native solutions (e.g., AWS Security Hub, Azure Defender, GCP Security Command Center) for integration depth. - Consider multi-cloud: If using multiple providers, choose tools that support cross-cloud visibility (e.g., Prisma Cloud, CrowdStrike). - Check compliance: Ensure tools support required frameworks (e.g., SOC 2, HIPAA). - Scalability: Verify tools can handle your workload volume and growth. - Automation: Look for automated remediation and policy enforcement capabilities. - Ease of use: Consider learning curve, dashboards, and reporting. - Cost: Compare pricing models and total cost of ownership. - Vendor support: Evaluate vendor reputation, updates, and support. Conduct proof-of-concepts (POCs) before adoption, validate detection capabilities, test remediation workflows, and ensure central visibility for enterprise-wide risk management.

9

Resposta de referência

These are the two foundational encryption requirements for any serious cloud security program — and both are non-negotiable. Encryption at rest protects data stored on disk — databases, object storage, block volumes, backups. If someone gains physical or logical access to the underlying storage (a stolen drive, a misconfigured database endpoint, a rogue insider), encryption at rest prevents them from reading the data without the key. Standard is AES-256. Cloud providers offer tiered key management: provider-managed keys (SSE-S3 on AWS), cloud KMS-managed customer keys (SSE-KMS) and fully customer-managed keys with CloudHSM. Encryption in transit protects data as it moves — between a browser and a server, between microservices, between your application and a database. An attacker intercepting network traffic (man-in-the-middle) cannot read the payload. TLS 1.2+ is the baseline; TLS 1.3 is preferred for its improved security properties and reduced handshake latency. Enforce HTTPS everywhere, TLS for all database connections and mTLS for service-to-service communication. The common misconception: Encrypting data at rest does not protect it once it's decrypted and in memory — that's the domain of confidential computing (AWS Nitro Enclaves, Azure Confidential Computing, GCP Confidential VMs). These protect data in use by keeping it encrypted even during processing. The implementation pitfall: Enabling encryption is easy. Managing keys properly — rotation schedules, separation of duties, key hierarchy design — is where organizations fall down.

10

Resposta de referência

Infrastructure as Code (IaC) is a methodology for managing and provisioning IT infrastructure through code rather than manual processes. Its principles include: - Version Control: all code and configurations used to manage infrastructure should be stored in a version control system to track changes, provide a clear history of the infrastructure, and be able to roll back to previous states if necessary - Idempotence: multiple runs of the same code should result in the same infrastructure state to simplify infrastructure provisioning and make it more reliable and consistent - Immutability: changes are made by creating new resources rather than modifying existing ones. This helps prevent configuration drift and promotes scalability - Testing: Checking continually at the lowest possible level to reduce the risk of production issues. - Reusability: Code and configurations should be reusable and modular to promote efficiency and consistency and to mitigate the cost of failure

11

Resposta de referência

Azure DevTest Labs is a service that allows you to create and manage labs for development and testing. It provides a self-service environment where developers and testers can quickly create and manage their own virtual machines and other resources. DevTest Labs is used for: - Reducing costs: DevTest Labs can help you reduce costs by allowing you to set policies for resource usage. - Improving agility: DevTest Labs allows developers and testers to quickly provision resources. - Enforcing governance: DevTest Labs allows you to enforce policies for resource usage and security.

12

Resposta de referência

Logging and monitoring are essential for detecting, understanding, and responding to security incidents. They provide detailed insights into the activities within cloud environments, helping to identify potential security breaches or compliance issues.

13

Resposta de referência

Google Cloud VPC provides a global, scalable, and isolated network for your cloud resources. Key principles include global networking (resources can communicate across regions using internal IPs), subnets (regional), firewall rules, and connectivity options like Cloud VPN, Cloud Interconnect, and VPC peering.

14

Resposta de referência

Google Cloud Composer is a managed workflow orchestration service built on Apache Airflow. It allows you to create, schedule, monitor, and manage workflows across cloud and on-premises environments. It provides a Python-based framework for defining DAGs (Directed Acyclic Graphs) that represent workflows.

15

Resposta de referência

Ensuring compliance with data backup and recovery practices involves implementing robust backup procedures, testing recovery processes, and ensuring that backup practices meet regulatory requirements and organizational policies.

16

Resposta de referência

Secure APIs by using authentication, rate limiting, and input validation.

17

Resposta de referência

Encryption at rest protects stored data using algorithms like AES-256, managed via cloud services such as AWS KMS, Azure Key Vault, or GCP Cloud KMS. Encryption in transit secures data moving between systems using protocols like TLS/SSL. Cloud providers offer default encryption for many services, and customers can also implement client-side encryption for additional control.

18

Resposta de referência

There are three main cloud service models: - Infrastructure as a Service (IaaS): IaaS provides you with access to computing resources, such as servers, storage, and networking. - Platform as a Service (PaaS): PaaS provides you with a platform for developing and deploying applications. - Software as a Service (SaaS): SaaS provides you with access to software applications that are hosted in the cloud. The best cloud service model for your project will depend on your specific needs and requirements.

19

Resposta de referência

Virtualization is the process of creating a virtual computer system (VM) on a physical computer. VMs can be used to run multiple applications on a single physical server, or to isolate applications from each other. Virtualization is essential to cloud computing because it allows cloud providers to pool their resources and deliver them to multiple customers on demand. It also allows customers to easily scale their resources up or down as needed.

20

Resposta de referência

A Cloud Security Engineer should be able to effectively communicate cloud security concepts to non-technical staff members.

21

Resposta de referência

Integrate cloud provider logs by enabling services like AWS CloudTrail, VPC Flow Logs, and GuardDuty; Azure Monitor and Security Center; or GCP Cloud Logging and Security Command Center. Use a log aggregation tool (e.g., AWS Kinesis, Azure Event Hubs) to stream logs to a centralized SIEM (e.g., Splunk, Elasticsearch, Sentinel). Normalize log formats using parsers or custom pipelines. Set up correlation rules to detect threats (e.g., brute force attempts, data exfiltration) and generate alerts. Ensure logs are encrypted in transit and at rest, and retain them according to compliance requirements. Regularly test the integration with red team exercises.

22

Resposta de referência

Security monitoring should utilize the ELK stack for log aggregation, Prometheus and Grafana for metrics, and Falco for runtime security monitoring. Critical alerts should be routed to PagerDuty and security channels. Key metrics should include critical vulnerabilities, mean time to remediation, and security test coverage.

23

Resposta de referência

Google Cloud Identity-Aware Proxy (IAP) is a service that allows you to control access to your applications based on the identity of the user and the context of the request. To set up IAP, you: - Configure your application to use IAP. - Create an IAP policy that defines who can access your application. - Assign the policy to your application. - Users will then be required to authenticate before they can access your application.

24

Resposta de referência

Cloud-native security refers to security strategies and controls specifically designed for cloud environments. It emphasizes automation, microservices security, zero-trust networking, workload protection, and compliance automation to ensure resilience and agility. Example Use Cases: - Securing Kubernetes workloads with role-based access controls (RBAC). - Implementing DevSecOps to integrate security into CI/CD pipelines. - Using cloud-native security tools like AWS GuardDuty, Azure Security Center, and Google Chronicle.

25

Resposta de referência

AWS offers a variety of data encryption features to help you to protect your data at rest and in transit. Data encryption at rest means that your data is encrypted when it is stored on AWS servers. AWS uses a variety of encryption algorithms, including AES-256, to encrypt your data at rest. Data encryption in transit means that your data is encrypted when it is transmitted over the network. AWS uses a variety of protocols, such as HTTPS and TLS, to encrypt your data in transit. You can also use your own encryption keys to encrypt your data at rest and in transit. This is known as customer managed encryption (CME). CME gives you complete control over the encryption of your data.

26

Resposta de referência

When managing multi-tenant cloud environments, it is critical to employ resource management tools such as container orchestration and cluster management tools to avoid resource contention. These technologies can monitor resource utilization in each tenant's environment and ensure that resources are distributed fairly and appropriately. Also, it is essential to set resource quotas for each tenant to prevent one tenant from using too many resources and impacting the performance of other tenants' applications.

27

Resposta de referência

Infrastructure as a service (IaaS) is the most basic cloud service model. It provides access to computing resources, such as servers, storage, and networking. Users are responsible for managing and maintaining the resources, including installing and configuring operating systems and applications. Platform as a service (PaaS) provides a platform for developing, running, and managing applications. It includes IaaS capabilities, plus additional services such as databases, middleware, and development tools. Users do not need to manage the underlying infrastructure, but they are still responsible for managing and maintaining their applications. Software as a service (SaaS) is the most complete cloud service model. It provides access to software applications that are hosted and managed by the cloud provider. Users do not need to manage any infrastructure or applications; they simply access the applications through a web browser or mobile device. | Feature | IaaS | PaaS | SaaS | |---|---|---|---| | Computing resources | Yes | Yes | No | | Operating system | Yes | Yes | No | | Applications | Yes | Yes | No | | Management responsibility | Infrastructure, OS, applications | Platform, applications | Applications only |

28

Resposta de referência

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. It works by allowing you to create and manage users, groups, and roles, and define permissions using policies. IAM policies are JSON documents that specify allowed or denied actions on resources. IAM supports features like multi-factor authentication (MFA), password policies, and integration with identity providers (e.g., Active Directory) for federated access. IAM is the foundation of AWS security, enabling least privilege access and auditability.

29

Resposta de referência

A security group named 'default' with open ports 22 (SSH), 25 (SMTP), 53 (DNS), 80 (HTTP), 443 (HTTPS), 8080 (HTTP-alt), 6443 (Kubernetes API), 3679 (unknown), 3306 (MySQL), and 9001 (various services) is an issue because it exposes a wide range of services to potential attackers. Ports like 22, 3306, and 6443 are commonly targeted for brute-force attacks, and exposing them to the internet (0.0.0.0/0) increases the risk of unauthorized access, data breaches, and service compromise. Additionally, the 'default' security group is often associated with default VPCs, which may be overlooked during security reviews.

30

Resposta de referência

A cloud compliance management platform is a tool that provides centralized visibility and control over compliance efforts. It helps streamline compliance processes, automate reporting, and ensure adherence to regulatory requirements.

31

Resposta de referência

Common cloud misconfigurations include publicly accessible storage buckets, overly permissive IAM policies, unencrypted data at rest, open security group ports (e.g., SSH on 0.0.0.0/0), disabled logging, and unpatched systems. These can be prevented by implementing infrastructure as code (IaC) with security scanning, using cloud security posture management (CSPM) tools, enforcing least privilege IAM policies, enabling encryption by default, restricting network access with security groups and NACLs, enabling logging and monitoring, and conducting regular security audits and compliance checks.

32

Resposta de referência

Lateral movement occurs when attackers move within a network after initial compromise. Detection and prevention in cloud environments involve: - Network segmentation: Use VPCs, subnets, and micro-segmentation to isolate workloads. - Monitor east-west traffic: Analyze traffic between instances and services for anomalies. - Use intrusion detection systems (IDS): Deploy cloud-native IDS (e.g., AWS GuardDuty, Azure Defender) to detect suspicious internal communication. - Implement least privilege: Restrict IAM roles and security groups to limit movement. - Monitor privileged account usage: Track use of admin credentials and service roles. - Use honeypots: Deploy decoy resources to detect lateral movement attempts. - Behavioral analytics: Profile normal traffic patterns and alert on deviations. - Automate response: Isolate compromised instances automatically. - Regular audits: Review network configurations and access logs. By combining segmentation, monitoring, and automated response, lateral movement can be limited or detected early, reducing potential impact.

33

Resposta de referência

I would implement a multi-region architecture with automated failover using load balancers and DNS (e.g., Route 53). Data is replicated across regions with encryption, and IAM policies are consistent. During an outage, I would activate disaster recovery plans, monitor for security anomalies during failover, and ensure that backup regions maintain the same security controls. Regular drills validate the process.

34

Resposta de referência

The shared responsibility model delineates the security obligations of the cloud provider and the customer. While the provider secures the infrastructure, the customer is responsible for securing their data and applications. For instance, in an IaaS model, the provider manages physical security, while the customer handles OS and application security.

35

Resposta de referência

GCP provides a number of ways to achieve data encryption, including: - Encryption at rest: GCP services encrypt data at rest by default. - Encryption in transit: GCP services encrypt data in transit using TLS. - Customer-managed encryption keys (CMEK): You can use your own encryption keys to encrypt your data. - Customer-supplied encryption keys (CSEK): You can supply your own encryption keys for certain services. - Cloud Key Management Service (KMS): You can use Cloud KMS to manage your encryption keys.

36

Resposta de referência

A CASB is a security enforcement layer that sits between your users and the cloud services they access. Think of it as a policy enforcement proxy for all cloud application usage — sanctioned or otherwise. Four core functions: Visibility: Discover every cloud service in use across the organization, including shadow IT. Most enterprise employees use dozens of unsanctioned cloud apps that IT has never reviewed or approved. Data security: Apply DLP policies to data in SaaS applications. Prevent sensitive files from being uploaded to personal Dropbox, shared externally from corporate OneDrive or emailed via a personal Gmail account. Threat protection: Detect compromised accounts through behavioral analytics (impossible travel, bulk downloads), identify insider threats and scan cloud storage for malware. Compliance: Enforce data handling policies across SaaS platforms aligned to GDPR, HIPAA, PCI DSS or internal policies — even when the SaaS provider's native controls are insufficient. Deployment modes: API mode connects directly to SaaS provider APIs for visibility and DLP in sanctioned apps. Proxy mode intercepts traffic inline for real-time blocking. Log-based mode analyzes existing cloud logs retrospectively. Leading vendors: Microsoft Defender for Cloud Apps (formerly MCAS), Netskope, Zscaler and Symantec CloudSOC. CASBs are especially critical in distributed workforces where employees access cloud apps from personal devices and home networks — the traditional network perimeter simply doesn't exist anymore.

37

Resposta de referência

Data classification in the cloud helps apply appropriate security controls based on data sensitivity.

38

Resposta de referência

In a traditional database setup, customers have to manage the provisioning and maintenance of the servers, backups, and other infrastructure needs themselves. However, by using Google Cloud SQL, database scalability, availability, and security are all handled by Google. Cloud service models also differ on pricing, as Google Cloud SQL operates on a pay-as-you-go cloud computing model (in contrast to the traditional model of investing initially in hardware, software, and infrastructure upkeep).

39

Resposta de referência

Azure Backup is a service that provides simple, secure, and cost-effective solutions to back up your data and recover it from the Microsoft Azure cloud. It can back up Azure VMs, on-premises machines, SQL Server databases, and file shares. Azure Site Recovery can be used for disaster recovery by replicating workloads to a secondary region.

40

Resposta de referência

Google Cloud Data Loss Prevention (DLP) is a service that allows you to discover, classify, and protect sensitive data. It protects sensitive data by: - Discovering sensitive data: DLP can scan your data to find sensitive information, such as credit card numbers, social security numbers, and medical records. - Classifying sensitive data: DLP can classify your data based on its sensitivity. - Protecting sensitive data: DLP can redact, mask, or encrypt sensitive data. - Monitoring data access: DLP can monitor access to sensitive data. - Integrating with other GCP services: DLP integrates with Cloud Storage, BigQuery, and other services.

41

Resposta de referência

Automation can be used to manage cloud resources in a number of ways, such as: - Deploying new applications: Automation can be used to deploy new applications to the cloud automatically. This can save time and reduce the risk of errors. - Scaling applications up or down: Automation can be used to scale applications up or down based on demand. This can help to improve the performance and cost-effectiveness of applications. - Patching and updating applications: Automation can be used to patch and update applications automatically. This can help to improve the security and reliability of applications.

42

Resposta de referência

Mainly two types of data centers are there for cloud computing, firstly low-density data centers, and secondly, containerized data centers.

43

Resposta de referência

Google Cloud Apigee is a full lifecycle API management platform that allows you to design, secure, deploy, monitor, and scale APIs. It provides API management by: - Providing an API gateway: Apigee provides a gateway that routes API requests to your backend services. - Providing security features: Apigee provides security features, such as authentication, authorization, and rate limiting. - Providing analytics: Apigee provides analytics on API usage. - Providing a developer portal: Apigee provides a portal where developers can discover and learn about your APIs. - Integrating with other GCP services: Apigee integrates with Cloud IAM and other services.

44

Resposta de referência

CloudWatch Alarms is a service that allows you to monitor your AWS resources and send notifications when certain conditions are met. For example, you could create a CloudWatch Alarm to notify you when your CPU utilization exceeds a certain threshold. CloudWatch Alarms can be used to monitor a variety of metrics, such as CPU utilization, memory utilization, network traffic, and database performance.

45

Resposta de referência

Policy-as-code enables automated validation and enforcement of security and compliance standards in cloud environments. Steps include: - Define policies: Write security rules in code (e.g., using OPA Rego, HashiCorp Sentinel, or cloud-native policy languages). - Integrate with IaC: Embed policy checks into Terraform, CloudFormation, or ARM templates. - Automate in CI/CD: Run policy checks during build and deployment pipelines to block non-compliant changes. - Use CSPM tools: Leverage solutions like AWS Config, Azure Policy, or GCP Organization Policies to enforce rules. - Version control: Store policies in repositories with change tracking. - Test policies: Validate policies against test environments before production. - Monitor compliance: Continuously evaluate resources against policies and alert on violations. - Remediate automatically: Trigger automated fixes for non-compliant resources. Policy-as-code reduces human error, ensures consistent security enforcement, and provides continuous, auditable compliance across cloud environments.

46

Resposta de referência

Continuous Integration (CI) and Continuous Deployment (CD) are related practices in the software development process that focus on automation, collaboration, and rapid feedback. They have distinct goals and functionalities: Continuous Integration (CI): CI focuses on integrating developers' code changes into a shared repository frequently, often several times a day. The primary goal of CI is to identify and fix issues in the codebase as early as possible to reduce the cost and complexity of fixing bugs. Key aspects of CI include: - Frequent code integration into a shared repository. - Automated builds and unit tests to ensure the codebase integrity. - Rapid feedback on code changes, allowing developers to address issues quickly. - Decreased integration issues and merge conflicts. - Early detection and resolution of bugs and code defects. Continuous Deployment (CD): CD is an extension of Continuous Integration, where changes made to the codebase are automatically deployed to production or pre-production environments. The main goal of CD is to ensure that the software is always in a releasable state, reducing the time to deliver new features and bug fixes. Key aspects of CD include: - Automated deployment of changes to various environments (e.g., staging, testing, production). - End-to-end testing of integrated code to ensure stability and functionality. - Ensuring the software is always in a releasable state. - Faster delivery of new features and bug fixes to users. - Decreased risks associated with large, infrequent releases by implementing smaller, incremental changes.

47

Resposta de referência

Common security issues when using cloud services include data breaches, insecure APIs, and compliance violations.

48

Resposta de referência

Current cloud security trends reflect the evolving threat landscape and increasing adoption of cloud technologies: - Zero Trust adoption: Moving from perimeter-based security to continuous verification of every access request. - AI and ML for threat detection: Using machine learning to identify anomalies and predict attacks. - Cloud-native security tools: Increased reliance on provider-native solutions like CSPM, CWPP, and SIEM. - DevSecOps integration: Embedding security into CI/CD pipelines for continuous compliance. - Multi-cloud security: Unified security management across multiple cloud providers. - Serverless and container security: Specialized tools for protecting ephemeral workloads. - Compliance automation: Using policy-as-code to enforce regulatory requirements. - Supply chain security: Focusing on securing dependencies and software pipelines. - Quantum-safe cryptography: Preparing for future quantum computing threats. - Data privacy and sovereignty: Addressing cross-border data regulations. These trends indicate a shift towards proactive, automated, and integrated cloud security strategies, emphasizing resilience, visibility, and compliance in complex cloud ecosystems.

49

Resposta de referência

GDPR (General Data Protection Regulation) is the most impactful data privacy regulation in force globally — its reach extends to any organization processing personal data of EU residents, regardless of where that organization is based. Non-compliance penalties reach up to 4% of global annual revenue or €20 million, whichever is higher. Cloud security implications are pervasive: Data sovereignty and residency: GDPR restricts transferring personal data outside the EU/EEA without adequate safeguards (Standard Contractual Clauses, Binding Corporate Rules or an adequacy decision). This directly constrains which cloud regions you can use, which third-party processors you can engage and how you architect multi-region replication. Privacy by Design: Security and privacy controls must be built into systems from the design phase — not added as afterthoughts. This means threat modeling must explicitly consider privacy risks and architecture decisions must include data minimization from day one. 72-hour breach notification: Organizations must notify supervisory authorities within 72 hours of discovering a personal data breach. This requires mature incident response capabilities, pre-defined breach assessment criteria and documented escalation procedures. Forensics capability isn't optional. Data Subject Rights: Rights to access, rectify, erase and port personal data require systems that can locate all instances of a specific person's data, retrieve it in a portable format and delete it completely — across every system, log, backup and analytics pipeline that touched it. This is architecturally complex in distributed cloud environments. Data Processing Agreements: You must have DPAs with every cloud provider and sub-processor. Review their sub-processor lists. Audit how they handle data on your behalf.

50

Resposta de referência

Azure Data Factory is a cloud-based data integration service that allows you to create data-driven workflows for orchestrating and automating data movement and data transformation. It can connect to various data sources (on-premises and cloud), ingest data, transform it using compute services like Azure HDInsight or Azure Databricks, and load it into data stores.

51

Resposta de referência

AWS CloudTrail is a service that records AWS API calls and related events. CloudTrail can be used to audit your AWS account activity and to track changes to your AWS resources. Some of the benefits of using AWS CloudTrail include: - Compliance: CloudTrail can help you to comply with a variety of compliance requirements, such as PCI DSS and HIPAA. - Security: CloudTrail can help you to identify and investigate security threats. - Troubleshooting: CloudTrail can help you to troubleshoot problems with your AWS applications and resources.

52

Resposta de referência

Google Cloud Load Balancing is a fully managed service that distributes incoming traffic across multiple instances or services. It uses a single anycast IP address and can balance traffic globally. It supports various protocols and provides health checks to route traffic only to healthy instances.

53

Resposta de referência

To isolate, investigate, and remediate a compromised Azure VM: 1) Isolate: apply an NSG rule to block all inbound and outbound traffic, or move the VM to a separate isolated VNet. 2) Investigate: take a snapshot of the VM disk for forensic analysis, review Azure Activity Logs and VM diagnostics for suspicious events, and analyze network traffic using Network Watcher. 3) Remediate: remove malware using antimalware tools, rotate compromised credentials, apply patches, and restore from a clean backup. 4) After remediation, update security configurations (e.g., enable JIT access, apply NSG rules) and monitor for recurrence. 5) Document the incident and update incident response playbooks.

54

Resposta de referência

AWS Serverless Application Model (SAM) is a framework for building and deploying serverless applications on AWS. SAM provides a high-level abstraction for serverless applications, which can make it easier to develop and deploy serverless applications. To deploy a serverless application using SAM, you first need to create a SAM template. A SAM template is a JSON file that defines your serverless application and its resources. Once you have created a SAM template, you can deploy your application using the AWS SAM CLI. The SAM CLI will create and configure all of the resources that are defined in your SAM template.

55

Resposta de referência

Encryption is a crucial security measure that protects sensitive cloud data by converting it into an unreadable format for unauthorized users. To ensure robust cloud security, encryption should be applied at multiple levels, covering data at rest, data in transit, and data in use. Best Practices: Data at Rest Encryption Data at rest refers to stored data, including databases, files, and backups. - Use AES-256 encryption for storage security. - AWS: Amazon S3, EBS, RDS encryption. - Azure: Storage Service Encryption (SSE), Azure Disk Encryption. - Google Cloud: CMEK (Customer-Managed Encryption Keys) for Cloud Storage. - Implement server-side encryption (SSE) and client-side encryption for an additional layer of security. - Utilize Key Management Services (KMS) such as AWS KMS, Azure Key Vault, or Google Cloud KMS to manage and rotate encryption keys securely. Data in Transit Encryption Data in transit refers to data moving between cloud services, applications, and users. - Use TLS 1.2+ or TLS 1.3 to encrypt data transmitted over networks. - Enforce HTTPS for web applications and APIs to protect data integrity. - Secure cloud connections using VPNs, private links (AWS PrivateLink, Azure ExpressRoute), and encrypted tunnels. - Apply mutual TLS authentication (mTLS) for additional security in microservices and API communications. Data in Use Encryption Data in use refers to data actively processed in memory or during computation. - Utilize Confidential Computing to protect data while being processed. - AWS Nitro Enclaves - Azure Confidential Computing (Intel SGX) - Google Confidential VMs - Implement homomorphic encryption for secure computations on encrypted data without decryption. - Use Tokenization and Format-Preserving Encryption (FPE) to ensure data privacy without altering usability. Strong Key Management Practices - Store and manage keys in Hardware Security Modules (HSMs) (AWS CloudHSM, Azure Dedicated HSM). - Regularly rotate encryption keys and enforce least privilege access to cryptographic materials. - Use Bring Your Own Key (BYOK) or Hold Your Own Key (HYOK) strategies for greater control over encryption keys. End-to-End Encryption - Implement client-side encryption to secure data before uploading to the cloud. - Enforce Zero Trust Architecture (ZTA) with encryption ensuring that only authorized applications and users can access decrypted data. - Use email and messaging encryption protocols such as PGP, S/MIME, or end-to-end encrypted messaging (e.g., Signal Protocol).

56

Resposta de referência

Security is paramount in cloud computing because organizations store critical data, applications, and workloads on infrastructures that they don't fully control. Unlike traditional on-premises environments, cloud systems are highly distributed, multi-tenant, and internet-facing, making them attractive targets for cyberattacks. Cloud environments host sensitive assets such as customer data, intellectual property, and financial information. Without proper security, these can be exposed to data breaches, unauthorized access, insider threats, or service disruptions. Since the cloud involves third-party management of infrastructure, strong security measures are essential to preserve trust, compliance, and business continuity. Cloud security ensures data confidentiality, integrity, and availability (CIA). Confidentiality prevents unauthorized access through encryption and access control; integrity ensures data accuracy and consistency via checksums and digital signatures; and availability ensures that resources remain accessible even under attack or failure conditions. Regulatory compliance also drives the importance of cloud security. Organizations must meet standards like GDPR, HIPAA, PCI DSS, or ISO 27001, which mandate data protection controls and breach reporting obligations. A single misconfiguration—like a public storage bucket—can result in major legal and financial penalties. Moreover, modern organizations adopt hybrid and multi-cloud environments, which add complexity and demand unified visibility across systems. Effective cloud security enables scalability and innovation without sacrificing safety. It also supports secure remote work, resilience against ransomware, and defense against advanced persistent threats (APTs). In short, cloud security is not just about protection—it is about enabling business growth with confidence, ensuring that cloud adoption enhances, rather than compromises, organizational integrity.

57

Resposta de referência

Implementing zero trust in hybrid and cloud environments requires continuous verification of all users, devices, applications, and workloads, regardless of their location. Steps include: - Define protect surfaces: Identify critical data, applications, and assets. - Map transaction flows: Understand how data moves between users, devices, and services. - Build a zero trust network: Use micro-segmentation and software-defined perimeters to isolate resources. - Implement continuous authentication: Require MFA and verify identity at every access request. - Enforce least privilege: Grant minimal permissions and use just-in-time access. - Monitor and analyze: Use analytics to detect anomalies and suspicious behavior. - Automate response: Use SOAR to automatically contain threats. - Extend to all environments: Apply zero trust policies across on-premises, cloud, and hybrid workloads. By embedding zero trust principles, organizations can secure hybrid ecosystems against insider threats, compromised credentials, and perimeter bypass attacks.

58

Resposta de referência

Secure serverless functions by applying least privilege IAM roles that allow only necessary actions (e.g., read from S3, write to DynamoDB). Use environment variables for configuration, but store secrets in a secrets manager. Validate and sanitize all input to prevent injection attacks. Enable function-level logging and monitoring (e.g., AWS X-Ray, CloudWatch) for anomaly detection. For event sources, restrict triggers to trusted sources (e.g., specific S3 buckets or SQS queues) and use resource-based policies. Implement function code scanning in CI/CD and use versioning to roll back changes. For scale, use concurrency limits and reserved concurrency to prevent resource exhaustion.

59

Resposta de referência

Various models are used for deployment in cloud computing. They are as follows: Private Cloud, Public Cloud, Hybrid Cloud, and Community Cloud.

60

Resposta de referência

The various layers in cloud architecture are:

61

Resposta de referência

Google Cloud Functions is a serverless execution environment for building and connecting cloud services. It allows you to write single-purpose functions that respond to cloud events (e.g., HTTP requests, Cloud Storage changes) without managing servers. Serverless computing in GCP automatically scales functions based on demand.

62

Resposta de referência

Zero Trust fundamentally changes how we think about network security—instead of trusting anything inside the perimeter, we verify everything. In my current role, I implemented Zero Trust principles using a combination of tools. We used Azure AD Conditional Access to enforce strict identity verification, requiring MFA for all users and implementing risk-based authentication. For network segmentation, I configured micro-segmentation using Azure Network Security Groups and Application Security Groups. We also deployed endpoint detection tools and implemented continuous monitoring with Azure Sentinel to verify device compliance before granting access to resources. The key was starting with our most critical assets and gradually expanding the implementation.

63

Resposta de referência

There are a number of ways to secure data transfer in a cloud environment, including: - Encryption: Encrypting your data at rest and in transit can protect it from unauthorized access. - VPN: Using a VPN can create a secure tunnel between your on-premises network and the cloud. - IAM: Using IAM can control who has access to your data and what they can do with it.

64

Resposta de referência

Azure integrates well with Microsoft's ecosystem of products and services (which may be necessary for enterprises with a significant investment in Microsoft technology). It also has the best support for deploying and managing hybrid cloud architecture and is one of the fastest-growing cloud providers.

65

Resposta de referência

Azure Stream Analytics is a real-time analytics and complex event-processing engine designed to analyze and process high volumes of fast streaming data from sources like IoT devices, sensors, and application logs. It can extract insights, identify patterns, and trigger actions or alerts in real time.

66

Resposta de referência

The reason why microservices are so important for a true cloud environment is because of these four key benefits: - Each microservice is built to serve a specific and limited purpose, and hence application development is simplified. Small development teams can then focus on writing code for some of the narrowly defined and easily understood functions. - Code changes will be smaller and less complex than with a complex integrated application, making it easier and faster to make changes, whether to fix a problem or to upgrade service with new requirements. - Scalability — Scalability makes it easier to deploy an additional instance of a service or change that service as needs evolve. - Microservices are fully tested and validated. When new applications leverage existing microservices, developers can assume the integrity of the new application without the need for continual testing.

67

Resposta de referência

Google Cloud Dataprep by Trifacta is a data preparation service that allows you to clean, transform, and prepare your data for analysis. It provides a visual interface for creating data preparation workflows. Dataprep assists in data preparation by: - Cleaning data: You can remove duplicates, handle missing values, and correct errors. - Transforming data: You can change the format of your data, such as converting dates or splitting columns. - Preparing data for analysis: You can prepare your data for analysis by creating features and aggregating data. - Integrating with other GCP services: Dataprep integrates with BigQuery and Cloud Storage.

68

Resposta de referência

Designing a resilient Azure architecture involves using Availability Zones for redundancy, implementing load balancing and auto-scaling, designing for failure with circuit breakers and retry policies, using geo-redundancy for disaster recovery, and monitoring with Azure Monitor to detect and respond to issues.

69

Resposta de referência

I would ensure the application is deployed in a private subnet with security groups restricting access, enable encryption at rest (e.g., using KMS) and in transit (TLS), implement IAM roles with least privilege, and use a web application firewall. I would also enable logging and monitoring, conduct vulnerability scans, and enforce data retention policies. Regular security reviews and penetration testing would be scheduled.

70

Resposta de referência

Azure Logic Apps and Power Automate are both workflow automation services. Logic Apps is more focused on enterprise integration with a wide range of connectors and is managed in the Azure portal. Power Automate is designed for business users to automate workflows across Microsoft 365 and other applications with a simpler interface.

71

Resposta de referência

The cloud usage monitor mechanism is an autonomous and lightweight software program that is responsible for collecting and processing the IT resource usage data. Cloud usage monitors can exist in different formats depending on what type of usage metrics these are designed to collect and how the usage data needs to be collected. The following points describe 3 common agent-based implementation formats. - Monitoring Agent - Resource Agent - Polling Agent

72

Resposta de referência

During a routine security audit, I discovered a misconfigured S3 bucket that was publicly accessible. I immediately restricted access, implemented proper IAM policies, and conducted a thorough review to ensure no data was compromised.

73

Resposta de referência

The AWS Lambda Dead Letter Queue (DLQ) is a queue where Lambda sends events that it cannot process successfully. This can happen for a variety of reasons, such as: - The event is in an invalid format. - The Lambda function returns an error. - The Lambda function times out. The DLQ can be used to monitor for Lambda function errors and to retry failed events.

74

Resposta de referência

A scenario could involve a DevOps engineer who needs to launch EC2 instances with a specific IAM role that grants access to an S3 bucket. The engineer requires 'iam:PassRole' to attach the role to the instance. To ensure security: 1) Create a custom IAM policy that grants PassRole only for the specific role ARN and only for EC2 service (e.g., 'iam:PassedToService': 'ec2.amazonaws.com'). 2) Use a condition like 'iam:AssociatedResourceArn' to restrict to specific EC2 instances. 3) Enable CloudTrail to log all PassRole actions. 4) Require MFA for the engineer's IAM user. 5) Regularly review and audit the policy.

75

Resposta de referência

There are mainly two security aspects of cloud, these are – - Authentication and authorization, and - Control of access. The former allows only those users who are genuine, to access that data and applications. Whereas, the latter aspect permits the users to control the access of other users who may try to enter into the cloud environment.

76

Resposta de referência

A data lake requires efficient storage, retrieval, and processing of petabyte-scale data. Some optimization strategies include: - Storage tiering: Use Amazon S3 Intelligent-Tiering, Azure Blob Storage Tiers to move infrequently accessed data to cost-effective storage classes. - Partitioning and indexing: Implement Hive-style partitioning for query acceleration and leverage AWS Glue Data Catalog, Google BigQuery partitions for better indexing. - Compression and file format selection: Use Parquet or ORC over CSV/JSON for efficient storage and faster analytics processing. - Data lake query optimization: Utilize serverless query engines like Amazon Athena, Google BigQuery, or Presto for faster data access without provisioning infrastructure.

77

Resposta de referência

Quantum-safe cryptography, or post-quantum cryptography (PQC), prepares cloud systems against future quantum computing attacks that could break current asymmetric algorithms (RSA, ECC). Implementation steps include: - Inventory cryptographic assets: Identify all systems using public-key cryptography (e.g., TLS, digital signatures, code signing). - Assess quantum risk: Prioritize systems that protect long-lived data or critical infrastructure. - Adopt PQC algorithms: Transition to NIST-standardized post-quantum algorithms (e.g., CRYSTALS-Kyber, CRYSTALS-Dilithium) as they become available. - Hybrid approaches: Use hybrid schemes combining current and PQC algorithms during transition. - Update libraries and protocols: Ensure cloud SDKs, TLS libraries, and applications support PQC. - Key management: Implement PQC-compatible key management systems. - Test compatibility: Validate PQC implementations in test environments. - Monitor standards: Stay updated on NIST and industry PQC developments. Quantum-safe cryptography ensures that sensitive cloud workloads and long-lived data remain secure against the emergence of quantum computing threats.

78

Resposta de referência

The most common cloud data storage options are: - Block storage: Block storage is designed for storing and accessing data in blocks, such as volumes and snapshots. It is commonly used for storing operating systems, databases, and other applications. - Object storage: Object storage is designed for storing and accessing data as objects, such as files, images, and videos. It is commonly used for storing large volumes of data, such as backups, archives, and media content. - File storage: File storage is designed for storing and accessing data in a hierarchical file system. It is commonly used for storing documents, spreadsheets, presentations, and other types of files. - Cloud backup and recovery: Cloud data storage can be used to back up data from on-premises systems and applications. This data can then be restored to the on-premises systems in the event of a disaster. - Cloud archiving: Cloud data storage can be used to archive old data that is no longer needed on a regular basis. This data can be easily accessed from the cloud when needed. - Cloud application development and hosting: Cloud data storage can be used to store and host data and applications. This allows organizations to develop and deploy applications quickly and easily without having to invest in their own infrastructure. - Cloud content delivery: Cloud data storage can be used to deliver content, such as images and videos, to users around the world. This allows organizations to scale their content delivery networks without having to invest in their own infrastructure.

79

Resposta de referência

Google Cloud DLP is a service that helps you discover, classify, and protect sensitive data like credit card numbers, social security numbers, and personal health information. It can inspect data in Cloud Storage, BigQuery, and other sources, and apply de-identification techniques like masking and tokenization.

80

Resposta de referência

Container security focuses on securing containerized applications and their underlying infrastructure, including the container runtime and orchestration. It requires specific strategies like container-specific vulnerability management and network segmentation.

81

Resposta de referência

Google Cloud Storage is a unified object storage service for developers and enterprises. It offers various storage classes based on access frequency and durability: Standard (frequently accessed), Nearline (once a month), Coldline (once a quarter), and Archive (once a year). Each class has different pricing and retrieval costs.

82

Resposta de referência

Google Cloud Datastore is a highly scalable NoSQL document database for web and mobile applications. It provides automatic sharding and replication, ACID transactions, and a rich query language. It is suitable for applications requiring a flexible schema and high availability.

83

Resposta de referência

There are two modes in Saas, and they are Fine grain multi-tenancy and simple multi-tenancy. In the case of the former, the resources are shared by many with the functionality remaining the same. On the other hand, in the latter case, every user has an independent resource and thus differs from other users. This is the reason why simple multiple tenancies are considered the most efficient mode.

84

Resposta de referência

Following are the steps:

85

Resposta de referência

I'd implement a multi-layered segmentation strategy starting with VPC-level isolation for different environments and business units. Within VPCs, I'd use subnets to separate different application tiers and implement security groups as application-level firewalls. For micro-segmentation, I'd leverage application security groups in Azure or security group rules in AWS that reference other security groups, allowing me to define policies based on application function rather than IP addresses. In containerized environments, I'd use Kubernetes network policies to control pod-to-pod communication. I'd also implement a zero-trust network model where possible, requiring authentication and authorization for all network communications. The key is making segmentation policies maintainable through automation and infrastructure as code, so they can evolve with the application architecture.

86

Resposta de referência

Azure Blueprints is a service that allows you to define a repeatable set of Azure resources that implements and adheres to your organization's standards, patterns, and requirements. Blueprints can be used to: - Enforce compliance: Blueprints can include policies and role assignments that ensure your resources are compliant with your organization's requirements. - Standardize deployments: Blueprints can define a standard set of resources that are used for all deployments. - Automate governance: Blueprints can be used to automate the process of creating and managing a governed Azure environment.

87

Resposta de referência

The security laws are:

88

Resposta de referência

When designing a cloud data warehouse, you need to consider the following factors: - Data sources: What data sources will your data warehouse be ingesting? - Data volumes: How much data will your data warehouse be storing and processing? - User requirements: What are the analytical and reporting needs of your users? - Budget: How much can you afford to spend on your data warehouse? Once you have considered these factors, you can start to design your data warehouse architecture. Here are some key components of a cloud data warehouse architecture: - Data ingestion: The data ingestion layer is responsible for ingesting data from your data sources and loading it into your data warehouse. - Data storage: The data storage layer is responsible for storing your data in a scalable and efficient manner. - Data processing: The data processing layer is responsible for transforming and processing your data to make it ready for analysis. - Query layer: The query layer is responsible for providing users with access to your data for analysis and reporting.

89

Resposta de referência

Securing a cloud migration involves comprehensive planning, data encryption during transfer, using secure APIs, implementing access controls, and continuously monitoring for security threats throughout the process.

90

Resposta de referência

Azure IoT Central is a fully managed IoT application platform that simplifies the creation of IoT solutions. It provides pre-built templates, dashboards, and rules for common IoT scenarios, reducing the complexity and time required to build and manage IoT applications.

91

Resposta de referência

Serverless architectures offer scalability but introduce security challenges such as managing function permissions and securing event sources.

92

Resposta de referência

The incident response lifecycle includes: 1) Preparation (developing policies, tools, and training), 2) Detection and Analysis (identifying and validating incidents via monitoring and alerts), 3) Containment, Eradication, and Recovery (isolating threats, removing root causes, and restoring services), and 4) Post-Incident Activity (conducting a review, documenting lessons learned, and updating security measures).

93

Resposta de referência

Data discovery is a crucial process in Cloud Security, where various technologies play a significant role in collecting and evaluating data from various sources.

94

Resposta de referência

The main features of the cloud service are mentioned below: - Development of applications that can manage several clients at a time. - Centralization of the update feature of the software which will eliminate the need of downloading the updated versions. - Centralization of the activities of software management in the Web environment. - Access and management of the commercial software.

95

Resposta de referência

SOC 2 (System and Organization Controls 2) and PCI DSS (Payment Card Industry Data Security Standard) are critical compliance frameworks for cloud environments, ensuring that cloud providers and customers maintain robust security practices. - SOC 2: Developed by the American Institute of CPAs (AICPA), SOC 2 focuses on five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. It is commonly used by SaaS providers to demonstrate controls over customer data. SOC 2 reports are based on audits of policies and procedures. - PCI DSS: A set of security standards for organizations that handle credit card information. It requires controls like encryption, access control, regular monitoring, and vulnerability management. Cloud providers must comply if they process, store, or transmit cardholder data. In the cloud, these frameworks guide both the provider and customer in implementing secure architectures, access controls, encryption, logging, and monitoring practices. Adhering to SOC 2 or PCI DSS demonstrates commitment to data protection and builds trust with clients, regulators, and stakeholders.

96

Resposta de referência

To implement NSGs in Azure: 1) Create an NSG and associate it with a subnet or network interface. 2) Define inbound and outbound security rules with priority, source/destination IP, port, and protocol. 3) Use service tags (e.g., 'Internet', 'VirtualNetwork') to simplify rule creation. 4) Apply the principle of least privilege by allowing only necessary traffic. 5) Use Azure Policy to enforce NSG rules across subscriptions. 6) Monitor NSG flow logs with Azure Network Watcher for traffic analysis. 7) Regularly review and audit NSG rules for misconfigurations.

97

Resposta de referência

Cloud-native application development is a software development approach that is designed to build and run applications in the cloud. Cloud-native applications are typically built using microservices and containerization. Here are some of the benefits of cloud-native application development: - Scalability: Cloud-native applications are highly scalable and can be easily scaled up or down to meet your changing needs. - Agility: Cloud-native applications can be developed and deployed quickly and easily. - Resilience: Cloud-native applications are highly resilient to failures. - Cost savings: Cloud-native applications can help you to save money on cloud costs. Cloud-native application development can be a good choice for a variety of workloads, such as: - Web applications - Mobile applications - IoT applications - Real-time data processing applications

98

Resposta de referência

Rate Limiting is a way to limit the network traffic. Rate limiting runs within the app rather than the server. It typically tracks the IP addresses and the time between each request. It can eliminate certain suspicious and malicious activities. Bots that impact a website can also be stopped by Rate Limiting. This protects against API overuse which is important to prevent.

99

Resposta de referência

Azure Confidential Computing is a set of technologies that protect your data while it is in use. It does this by isolating your data in a hardware-based trusted execution environment (TEE). Security benefits of Azure Confidential Computing include: - Data protection: Your data is protected from unauthorized access, even from the cloud provider. - Code integrity: Your code is protected from tampering. - Compliance: Confidential Computing can help you meet compliance requirements for data protection.

100

Resposta de referência

Azure Logic Apps is a cloud service that helps you schedule, automate, and orchestrate tasks, business processes, and workflows. Workflows are created using a visual designer, where you can connect to various services (both Microsoft and third-party) through connectors. Workflows can be triggered by events or scheduled.

101

Resposta de referência

GCP provides a wide range of core services, including: - Compute: Compute Engine (VMs), Google Kubernetes Engine (containers), Cloud Functions (serverless). - Storage: Cloud Storage (object storage), Cloud SQL (relational databases), Cloud Spanner (globally distributed database). - Networking: Virtual Private Cloud (VPC), Cloud Load Balancing, Cloud CDN. - Big Data: BigQuery (data warehouse), Cloud Dataflow (stream and batch processing), Cloud Pub/Sub (messaging). - Machine Learning: Vertex AI (ML platform), Cloud Vision API, Cloud Natural Language API. - Security and Identity: Cloud IAM, Cloud Key Management Service, Cloud Security Command Center.

102

Resposta de referência

AWS Transit Gateway Network Manager is a service that helps you to manage and visualize your AWS Transit Gateway networks. Transit Gateway Network Manager provides a number of features to help you manage your Transit Gateway networks, including: - Network topology visualization: Transit Gateway Network Manager provides a graphical view of your Transit Gateway network topology. This helps you to understand how your network is connected and to identify potential problems. - Route management: Transit Gateway Network Manager allows you to manage the routes in your Transit Gateway network. This helps you to control the flow of traffic in your network. - Monitoring and alerts: Transit Gateway Network Manager monitors your Transit Gateway network and sends you alerts if there are any problems.

103

Resposta de referência

To create a VPC peering connection in AWS, follow these steps: - Open the Amazon VPC console. - In the navigation pane, choose Peering connections. - Choose Create peering connection. - Choose the VPC that you want to peer with. - Choose the VPC that you want to accept the peering connection. - Choose Create peering connection. - The owner of the accepter VPC must accept the peering connection. Once the peering connection is accepted, it is active.

104

Resposta de referência

A cloud virtual private network (VPN) is a secure tunnel between your on-premises network and the cloud. It allows you to access your cloud resources as if they were located on your on-premises network. Cloud VPNs are typically used to connect on-premises networks to public clouds. However, they can also be used to connect on-premises networks to private clouds and hybrid clouds. Cloud VPNs can be used to improve the security of your cloud resources by encrypting traffic between your on-premises network and the cloud. They can also be used to improve the performance of your cloud resources by reducing latency.

105

Resposta de referência

Identity-Aware Proxy (IAP) is a GCP service that controls access to cloud applications and resources based on user identity and context. It acts as a reverse proxy, intercepting requests and enforcing authentication and authorization before allowing access. IAP uses Google identity (e.g., G Suite accounts) and can enforce conditions like IP ranges, device security, and MFA. It is commonly used to secure SSH/RDP access to VMs, web applications behind HTTPS load balancers, and GKE workloads.

106

Resposta de referência

IoT security in the cloud includes device authentication, data encryption, and secure communication protocols.

107

Resposta de referência

Security for big data solutions includes encrypting data, controlling access, and auditing usage.

108

Resposta de referência

Application security in the cloud involves secure coding practices, testing, and using cloud security services.

109

Resposta de referência

There are a number of ways to handle data migration in the cloud, including: - Lift-and-shift: Lift-and-shift migration involves moving your existing applications and data to the cloud without making any changes to them. - Refactor-and-rehost: Refactor-and-rehost migration involves making changes to your applications to take advantage of the benefits of the cloud platform. - Replatform: Replatform migration involves rewriting your applications in a cloud-native programming language. The best data migration strategy for you will depend on your specific needs and environment.

110

Resposta de referência

Zero Trust Architecture is a cybersecurity model based on the absence of implicit trust. The “Zero Trust” security model is based on the principle of “never trust, always verify.” This model is highly relevant to cloud security as it helps protect cloud resources by verifying the identity of users, devices, and applications attempting to access them, irrespective of their location. ZTA is a practice to defend against threats that exist both inside and outside of traditional network boundaries. (Note: It is always advisable to give use cases to solidify the base of your knowledge and understanding of the concept.) So here are some use cases of Zero Trust Architecture, - Control over unauthorized access. (a situation called “shadow IT”) - Multi-factor Authentication (MFA), can be based on hardware-based security tokens or soft tokens like OTP to double verify before giving access to the user to the data. - Microsegmentation: Breaking up security perimeters into small zones to maintain separate access for separate parts of the network.

111

Resposta de referência

Azure Cosmos DB is a fully managed NoSQL database service designed for globally distributed applications. It offers turnkey global distribution across any number of Azure regions, multi-master replication, and multiple consistency models. It provides single-digit millisecond read and write latencies at the 99th percentile.

112

Resposta de referência

Explainable AI encompasses methods and techniques that make the decisions of machine learning models interpretable and understandable to humans — translating opaque statistical computations into actionable reasoning that domain experts can evaluate. Core techniques: LIME (Local Interpretable Model-agnostic Explanations) fits a simple, interpretable model locally around any specific prediction, approximating the complex model's behavior near that data point. SHAP (SHapley Additive exPlanations) uses game-theoretic Shapley values to assign each input feature a contribution score for a given prediction — consistent, theoretically sound and applicable to any model type. Attention visualization highlights which tokens or image regions transformer models focus on when making predictions. Counterfactual explanations answer: "What is the minimal change to this input that would change the model's decision?" Security relevance: Bias and fairness detection: XAI can reveal if a security detection model is making decisions based on spurious correlations, demographic proxies or artifacts in training data rather than genuine security signals — which would both reduce effectiveness and create legal liability. Adversarial detection: Understanding which features drive normal decisions helps identify when adversarial inputs are exploiting unintended model behaviors. If a network intrusion detector's explanations suddenly cite irrelevant features for a specific class of traffic, something may be wrong. Audit and compliance: Regulated industries increasingly require human-reviewable explanations for automated decisions. GDPR's "right to explanation" for automated decisions with significant impact applies directly to ML systems used in security contexts. Analyst trust calibration: Security analysts using AI-assisted threat detection need to evaluate the model's reasoning — not just its output label — to distinguish true positives from false positives confidently. Black-box outputs breed either blind trust or reflexive rejection; neither serves security teams well.

113

Resposta de referência

Google Cloud CDN optimizes content delivery by caching content at Google's global edge locations, reducing latency and improving performance. It also supports features like SSL termination, compression, and origin shielding to further enhance delivery.

114

Resposta de referência

To ensure data encryption in transit, use TLS/SSL protocols for all communications between clients and cloud services, and enforce HTTPS for web applications. For data at rest, enable server-side encryption (SSE) for storage services like S3 or Blob Storage, use AWS KMS or Azure Key Vault to manage encryption keys, and encrypt databases using transparent data encryption (TDE) or native encryption features. Additionally, implement client-side encryption for sensitive data before uploading to the cloud.

115

Resposta de referência

Cloud monitoring and management tools are essential for managing cloud-based applications. These tools can help you to: - Monitor your cloud resources: Cloud monitoring tools can help you to monitor the performance and health of your cloud resources. This includes monitoring your CPU usage, memory usage, and disk usage. - Manage your cloud resources: Cloud management tools can help you to manage your cloud resources. This includes managing your cloud accounts, users, and permissions. - Automate cloud tasks: Cloud automation tools can help you to automate cloud tasks, such as deploying new applications and scaling your applications up or down.

116

Resposta de referência

Security controls like encryption, extensive logging, and real-time monitoring can introduce latency and increase compute or storage costs. For example, encrypting all data in transit may add CPU overhead, while verbose logging generates more data requiring expensive storage. Tradeoffs involve balancing risk: for low-sensitivity data, use lighter controls (e.g., TLS only for external traffic), while for critical data, accept higher costs and performance impacts. Optimize by using efficient encryption algorithms, selective logging, and auto-scaling to manage resource usage. Regularly assess the cost-benefit ratio and adjust controls based on threat landscape.

117

Resposta de referência

The zero trust model assumes no entity, whether inside or outside the network, should be trusted by default. To implement zero trust in cloud environments: - Identity verification: Enforce strong authentication using multi-factor authentication (MFA) and federated identity providers (e.g., Okta, AWS IAM Identity Center). - Least privilege access: Apply role-based access control (RBAC) or attribute-based access control (ABAC) to grant permissions based on job roles and real-time context. - Micro-segmentation: Use firewalls, network policies, and service meshes (e.g., Istio, Linkerd) to isolate workloads and enforce strict communication rules. - Continuous monitoring and auditing: Deploy security information and event management (SIEM) solutions (e.g., AWS GuardDuty, Azure Sentinel) to detect and respond to anomalies. - End-to-end encryption: Ensure TLS encryption for all communications and implement customer-managed keys (CMK) for data encryption at rest.

118

Resposta de referência

Employee training is crucial for ensuring that staff understand compliance requirements, policies, and best practices. It helps promote a culture of compliance and reduces the risk of inadvertent violations.

119

Resposta de referência

Azure Migrate is a service that helps you discover, assess, and migrate your on-premises workloads to Azure. It simplifies migration by: - Providing a centralized hub: Azure Migrate provides a single place to manage your migration projects. - Discovering on-premises workloads: Azure Migrate can discover your on-premises servers, databases, and applications. - Assessing workloads: Azure Migrate can assess your workloads to determine their suitability for Azure. - Migrating workloads: Azure Migrate can help you migrate your workloads to Azure.

120

Resposta de referência

An availability zone is a physically separate location within a cloud region, consisting of one or more data centers with independent power, cooling, and networking. They are used to achieve high availability and fault tolerance.

121

Resposta de referência

Google Cloud Speech-to-Text is a service that uses deep learning to convert audio to text. It supports multiple languages, real-time and batch processing, and can handle noisy audio. It is used for applications like voice commands, transcription, and call center analytics.

122

Resposta de referência

During my previous role as a Cloud Security Engineer at XYZ Company, I was responsible for building and managing the cloud security architecture for various applications and services hosted on AWS and Azure cloud platforms. - To ensure the security of the cloud infrastructure, I configured and monitored network security groups, implemented SSH key rotation, and set up virtual private clouds (VPCs). - In order to protect the data of our users, I implemented data encryption at rest and in transit using various encryption algorithms and protocols such as AES and SSL/TLS. - I also set up centralized logging and monitoring systems with AWS CloudTrail and Azure Monitor to detect any security incidents. - One of my major achievements in the role was implementing a comprehensive access control system for our cloud environment by setting up role-based access controls (RBAC) using AWS IAM and Azure AD. This resulted in reduced risks of unauthorized access to our cloud resources and improved compliance with data privacy regulations, reducing the number of breaches by 25% over the course of one year. Furthermore, I have completed various cloud security certifications, including the AWS Certified Security – Specialty and the Certified Cloud Security Professional (CCSP) to deepen my practical knowledge and understanding of cloud security best practices. Overall, I have a deep understanding of cloud security architecture and have hands-on experience building secure cloud environments, and am confident that my skills and experience make me an excellent candidate for this role.

123

Resposta de referência

Google Cloud KMS enables cryptographic key management by providing a centralized service to create, rotate, destroy, and manage keys. It supports symmetric and asymmetric keys, integrates with other GCP services, and provides audit logging for key usage.

124

Resposta de referência

Cloud network optimization is the process of optimizing your cloud network to improve performance, reliability, and security. Cloud network optimization can involve a variety of activities, such as: - Choosing the right network architecture: Choosing the right network architecture for your cloud environment is essential for optimizing performance and reliability. - Configuring your cloud network: Configuring your cloud network correctly is important for optimizing performance, security, and cost. - Monitoring your cloud network: Monitoring your cloud network for performance issues and security threats is essential for maintaining an optimized cloud network.

125

Resposta de referência

Cloud migration is the process of transferring data, applications, and other IT resources from an organization's on-premises infrastructure or another cloud environment to a cloud-based infrastructure. The migration process can involve moving an entire IT ecosystem or selective components to a public, private, or hybrid cloud environment. Cloud migration aims to achieve operational efficiency, cost savings, scalability, and improved performance by leveraging the power and flexibility of cloud computing. It is essential to develop a well-defined migration strategy, considering factors like security, performance, and cost, to ensure a successful transition and minimize potential risks and downtime.

126

Resposta de referência

Google Cloud Dialogflow is a development suite for building conversational interfaces, such as chatbots and voice assistants. It uses natural language understanding (NLU) to interpret user input and manage conversations. It supports multiple platforms and languages.

127

Resposta de referência

A Distributed Denial of Service (DDoS) attack occurs when a malicious actor floods a server, service, or network with a massive amount of traffic, rendering it unavailable to legitimate users. Mitigation Techniques: - Cloud Provider DDoS Protection: Cloud service providers offer automatic DDoS protection services to detect and mitigate attacks by filtering malicious traffic. - Traffic Scrubbing: Use scrubbing centers to analyze and remove malicious traffic before it reaches the cloud infrastructure. - Web Application Firewalls (WAFs): WAFs can help block malicious requests before they reach cloud servers, preventing DDoS-related issues. - Rate Limiting: Limiting the number of requests from individual IP addresses can mitigate the effects of a DDoS attack.

128

Resposta de referência

Role-based access control in the cloud helps enforce least privilege and simplify permission management.

129

Resposta de referência

To reduce legal risks in Cloud Security, consider and apply legal frameworks and norms, comprehend legal requirements and unique hazards, and process, evaluate, and produce appropriate data from analysis and original storage media.

130

Resposta de referência

It is the acronym for Elastic Utility Computing Architecture for Linking Your Programs.

131

Resposta de referência

Indicates whether the applicant is knowledgeable about compliance-related matters and realistic about timelines.

132

Resposta de referência

AWS Inspector performs checks to identify instance vulnerabilities, including: 1) Network reachability checks: assess whether instances are exposed to common vulnerabilities (e.g., open ports to the internet). 2) Host assessments: scan for OS-level vulnerabilities (e.g., missing patches, insecure configurations) using the Inspector agent or SSM agent. 3) CIS Benchmark checks: evaluate instances against CIS benchmarks for OS hardening. 4) Common vulnerabilities and exposures (CVEs): check for known software vulnerabilities. 5) Security best practices: identify deviations from security best practices (e.g., unencrypted data).

133

Resposta de referência

Google Cloud Build is a fully managed continuous integration and continuous delivery (CI/CD) service that allows you to build, test, and deploy your code. It is used for: - Building code: Cloud Build can build your code from a variety of source repositories. - Running tests: Cloud Build can run tests on your code. - Deploying code: Cloud Build can deploy your code to a variety of environments, such as Compute Engine, Kubernetes Engine, and Cloud Functions. - Automating the CI/CD pipeline: Cloud Build can be used to automate your entire CI/CD pipeline.

134

Resposta de referência

There are a number of ways to ensure data privacy in the cloud, including: - Encrypt your data: Encrypting your data at rest and in transit can protect it from unauthorized access. - Use access control: Use access control to control who has access to your data and what they can do with it. - Audit your data: Audit your data to track who accesses it and when. - Use a cloud security information and event management (SIEM) tool: A cloud SIEM tool can help you to detect and respond to security threats to your cloud data.

135

Resposta de referência

The core principles of DevSecOps are: - Automation of security controls - Continuous security testing - Security as code - Shared responsibility for security - Agile security processes

136

Resposta de referência

A buffer is used to make systems more efficient against the traffic or load. It helps in the synchronization of different components. The buffer helps in maintaining the balance between those components and also makes them work at the same speed in order to get the work done faster.

137

Resposta de referência

Common standards and regulations include GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), PCI-DSS (Payment Card Industry Data Security Standard), and SOC 2 (System and Organization Controls).

138

Resposta de referência

Resource Replication is the creation of multiple instances of the same IT resource. It is typically performed when an IT resource's availability and performance are needed to be enhanced. The virtualization technology is adopted to implement the resource replication mechanism in order to replicate the cloud-based IT resources.

139

Resposta de referência

Securing data pipelines requires controls at ingestion, transit, processing, storage, and access. At ingestion, authenticate producers with strong identity (certificates, mTLS, or IAM roles) and validate data. Encrypt data in transit using TLS and consider end-to-end encryption where possible. Use secure ingestion endpoints behind API gateways or private links (Direct Connect, ExpressRoute) to avoid public internet exposure. Apply schema validation and sanitization to prevent injection or malformed data that could poison downstream systems. During processing, run workloads in least-privileged environments, isolate sensitive processing in private subnets, and use ephemeral compute for riskier workloads. Protect intermediate storage (message queues, temporary blobs) with encryption at rest and strict ACLs. Implement strict access controls and logging so every access to the pipeline is auditable. In hybrid scenarios, use data classification and tagging to enforce policy-based routing (sensitive data stays on-prem or in specific regions). Integrate DLP to prevent exfiltration and deploy monitoring for anomalous data flows or spikes that might indicate abuse. Finally, use automated testing and canaries for pipeline changes, and ensure backups and replay capabilities for forensic analysis and recovery.

140

Resposta de referência

Azure Cost Management and Billing is a suite of tools that help you monitor, allocate, and optimize your Azure costs. It provides cost analysis dashboards, budget creation, anomaly alerts, and recommendations for cost savings. It helps you understand your spending and manage your cloud budget.

141

Resposta de referência

An ARM template is a JSON file that defines the infrastructure and configuration for your Azure solution. It allows you to declaratively specify the resources you need and their properties, enabling consistent and repeatable deployments. ARM templates are a key component of Infrastructure as Code (IaC) in Azure.

142

Resposta de referência

AWS Fargate is a serverless compute engine for Docker containers. Fargate makes it easy to run Docker containers on AWS without having to manage servers. Some of the benefits of using AWS Fargate include: - Reduced operational overhead: Fargate manages the servers and infrastructure that are needed to run your containers, so you don't have to worry about managing them yourself. - Improved scalability: Fargate automatically scales your containers to meet demand, so you don't have to worry about scaling them yourself. - Increased security: Fargate isolates your containers from each other and from the underlying infrastructure, which helps to improve security.

143

Resposta de referência

If a pod is compromised, an attacker can: 1) Access other pods in the cluster via network communication. 2) Escalate privileges using Kubernetes RBAC misconfigurations. 3) Access cloud resources if the node's IAM role has broad permissions. 4) Exfiltrate data from mounted volumes or secrets. 5) Launch attacks on other services. To limit the blast radius: 1) Use network policies to isolate pods. 2) Apply least privilege IAM roles for nodes and service accounts. 3) Use Pod Security Standards to restrict capabilities. 4) Enable container runtime security monitoring. 5) Use secrets management (e.g., HashiCorp Vault) instead of Kubernetes secrets. 6) Implement micro-segmentation with service mesh.

144

Resposta de referência

AWS Organizations allows you to consolidate billing for your AWS accounts. This can be useful for organizations that have multiple AWS accounts and want to manage their billing centrally. To consolidate billing with AWS Organizations, you must create an organization and add your AWS accounts to the organization. Once you have added your AWS accounts to the organization, you can create a consolidated bill for all of your AWS accounts. To create a consolidated bill, follow these steps: - Open the AWS Organizations console. - In the navigation pane, choose Bills. - Choose Create consolidated bill. - Choose the accounts that you want to include in the consolidated bill. - Choose Create consolidated bill. Once you have created a consolidated bill, you will be able to view and download the bill from the AWS Organizations console.

145

Resposta de referência

Google Cloud Storage Transfer Service is a managed service for transferring data from other cloud providers, on-premises locations, or the internet to Cloud Storage. It supports scheduled transfers, incremental syncing, and validation.

146

Resposta de referência

Disaster recovery (DR) is essential for ensuring business continuity in case of outages, attacks, or hardware failures. A strong DR plan includes the following: - Recovery point objective (RPO) and recovery time objective (RTO): Define acceptable data loss (RPO) and downtime duration (RTO). - Backup and replication: Use cross-region replication, AWS Backup, or Azure Site Recovery to maintain up-to-date backups. - Failover strategies: Implement active-active (hot standby) or active-passive (warm/cold standby) architectures. - Testing and automation: Regularly test DR plans with chaos engineering tools like AWS Fault Injection Simulator or Gremlin.

147

Resposta de referência

Secure data sharing is handled by encrypting data in transit using TLS, establishing VPNs or direct interconnects, using federated identity for access control, and implementing data loss prevention (DLP) policies. I would also use cloud data transfer services with encryption, and ensure compliance with data residency requirements. Auditing all data access is critical.

148

Resposta de referência

Google Cloud AutoML is a suite of machine learning products that enables developers with limited ML expertise to train high-quality models. It provides a graphical interface to upload data, train models, and deploy them. It supports tasks like image classification, natural language processing, and translation.

149

Resposta de referência

According to the most recent version of the Google Cloud Architecture Framework, some ways to design cloud computing architecture for scale and high availability include: - Creating redundancy with replication across multiple domains and no single point of failure - Multi-zone cloud architecture implementation with load balancing and automated failover between zones - Eliminate scalability bottlenecks, such as by scaling horizontally with sharding, or partitioning, across VMs or zones - Degrade service levels gracefully when overloaded rather than failing completely - Prevent and mitigate traffic spikes in cloud computing architecture with techniques such as throttling, queuing, load shedding, circuit breaking, and prioritizing critical requests

150

Resposta de referência

A cloud security policy is a formal set of guidelines, standards, and procedures that define how an organization secures its cloud environments and protects data. It serves as a governance framework that outlines roles, responsibilities, and acceptable practices for cloud usage. A well-structured policy covers aspects such as data classification, access management, encryption requirements, incident response, compliance obligations, and third-party risk management. For example, a cloud security policy may require that all storage buckets be encrypted, all users use MFA, and that logs be retained for a minimum of 90 days for audit purposes. The policy ensures consistency across multiple teams, reduces the risk of human error, and provides a foundation for compliance with standards such as ISO 27001 or SOC 2. It also defines escalation procedures for security incidents and mandates continuous monitoring. In short, the cloud security policy acts as a blueprint for safeguarding assets and enforcing accountability across the cloud ecosystem.

151

Resposta de referência

For microservices logging, I'd implement the ELK stack (Elasticsearch, Logstash, Kibana) or AWS managed alternatives. Each microservice would write structured logs in JSON format to stdout, captured by log agents like Filebeat or Fluentd running as sidecars. Logs would be forwarded to a central aggregation layer like Logstash or AWS Kinesis Data Firehose for processing and enrichment. I'd add correlation IDs to track requests across services and standardize log formats across all services. For storage, I'd use Elasticsearch or AWS OpenSearch for searchable logs with appropriate retention policies. Kibana dashboards would provide visualization and alerting capabilities. For high-volume systems, I'd implement log sampling and use structured logging levels to manage costs. Critical errors would trigger immediate alerts while debug logs might be sampled at 1%.

152

Resposta de referência

AI/ML workloads in the cloud introduce unique security challenges due to data sensitivity, model integrity, and infrastructure complexity. Key considerations include: - Data protection: Encrypt training and inference data at rest and in transit, and use anonymization or differential privacy for sensitive data. - Model security: Protect models from theft, tampering, or adversarial attacks (e.g., input manipulation to alter outputs). - Access control: Restrict access to training data, models, and ML pipelines using IAM and least privilege. - Supply chain security: Verify the integrity of ML libraries, frameworks, and pre-trained models. - Monitoring: Detect anomalous model behavior or data drift that could indicate compromise. - Compliance: Ensure ML workloads comply with regulations (e.g., GDPR for automated decision-making). - Infrastructure security: Secure GPU clusters, storage, and network configurations used for ML. - Explainability: Maintain transparency in model decisions for audit and regulatory purposes. Securing AI/ML workloads requires integrating traditional cloud security controls with domain-specific protections to ensure privacy, integrity, and reliability of predictions and insights.

153

Resposta de referência

One common misconception is that cloud security is solely the provider's responsibility. In reality, it's a shared responsibility, requiring proper configuration and management by the customer to ensure a secure environment.

154

Resposta de referência

A processing module that is used to collect usage data by having event-driven interactions with the specialized resource software, is a resource agent. This agent is applied to check the usage metrics based on pre-defined, observable events at the resource software level, like initiating, suspending, resuming, and vertical scaling.

155

Resposta de referência

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks. VNet is similar to a traditional network that you'd operate in your own data center, but brings with it additional benefits of Azure's infrastructure such as scale, availability, and isolation. Key components include subnets, network security groups (NSGs), and route tables.

156

Resposta de referência

Cloud monitoring focuses on dynamic, scalable resources and often includes auto-scaling, cost tracking, and service-level metrics. It uses cloud-native tools like AWS CloudWatch or Azure Monitor and supports distributed tracing and log aggregation.

157

Resposta de referência

Strategies to detect and respond to bypass attempts: 1) Monitor pipeline logs for anomalies (e.g., skipped security steps, unusual API calls). 2) Use SIEM tools to correlate pipeline events with security alerts. 3) Implement automated alerts for configuration changes to pipeline definitions. 4) Use runtime security tools to detect unauthorized deployments. 5) Conduct regular audits of pipeline configurations and access controls. 6) Set up honeytokens to detect unauthorized access. 7) Have an incident response plan specific to pipeline compromises. 8) Use automated rollback mechanisms to revert unauthorized changes.

158

Resposta de referência

Azure Virtual Desktop is a desktop and app virtualization service that runs on Azure. It allows you to deliver virtualized Windows desktops and applications to users on any device. Azure Virtual Desktop is used for: - Remote work: Enabling employees to work from anywhere. - Bring your own device (BYOD): Allowing employees to use their own devices to access corporate resources. - Application delivery: Delivering applications to users without having to install them on their devices. - Development and testing: Providing developers and testers with virtualized environments.

159

Resposta de referência

A cloud security incident response plan is a plan for responding to a security incident in the cloud. The plan should include the following components: - Incident detection: How will you detect security incidents in your cloud environment? - Incident response: What steps will you take to respond to a security incident? - Incident recovery: How will you recover your cloud environment from a security incident?

160

Resposta de referência

To secure GKE clusters: 1) Enable GKE Security Posture Dashboard for visibility. 2) Use private clusters with authorized networks. 3) Enable Workload Identity to bind Kubernetes service accounts to GCP IAM roles. 4) Implement network policies to restrict pod-to-pod traffic. 5) Enable Binary Authorization to enforce container image signing. 6) Use GKE Sandbox for untrusted workloads. 7) Enable audit logging with Cloud Audit Logs. 8) Regularly update node images and enable auto-upgrades. 9) Use IAM roles with least privilege for cluster management. 10) Enable Shielded GKE Nodes for protection against rootkits and bootkits.

161

Resposta de referência

Common security concerns when moving to the cloud include data loss, compliance issues, and loss of control over infrastructure.

162

Resposta de referência

AWS Global Accelerator is a service that improves the performance of your global applications. Global Accelerator works by routing traffic to the closest regional endpoint, which can improve latency and reduce packet loss. Global Accelerator can be used to improve the performance of a variety of applications, such as web applications, gaming applications, and video streaming applications.

163

Resposta de referência

Google Cloud Security Command Center (SCC) is a centralized security and risk management platform for GCP. It provides visibility into assets, detects threats and vulnerabilities, and helps enforce security policies. Key features include: 1) Asset inventory and discovery. 2) Threat detection (e.g., from Cloud Armor, Web Security Scanner). 3) Vulnerability scanning. 4) Compliance monitoring (e.g., CIS benchmarks). 5) Security health analytics. 6) Integration with SIEM and SOAR tools. SCC helps organizations identify misconfigurations, prioritize risks, and respond to incidents.

164

Resposta de referência

Cloud encryption at rest and in transit is used to protect cloud data from unauthorized access, use, disclosure, disruption, modification, or destruction. - Cloud encryption at rest: Cloud encryption at rest encrypts data when it is stored on cloud storage devices. - Cloud encryption in transit: Cloud encryption in transit encrypts data when it is being transmitted between cloud resources or between your on-premises network and the cloud.

165

Resposta de referência

Public clouds are generally cost-effective because users only pay for the resources they use. However, they are less secure than private clouds because they are shared with other users and managed by a third-party provider. Private clouds provide greater control, security, and customization than public clouds but are also more expensive. The hybrid cloud provides a good blend of affordability, scalability, and security.

166

Resposta de referência

Secrets and API keys are managed using dedicated secrets management services like AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager. These services store secrets encrypted at rest and in transit, support automatic rotation, enforce access policies via IAM, and integrate with applications through secure APIs. Avoid hardcoding secrets in code or configuration files; use environment variables or runtime retrieval instead.

167

Resposta de referência

Google Cloud Resource Manager allows you to hierarchically organize your GCP resources using projects, folders, and organization nodes. It enables you to manage access control, apply policies, and track costs across your entire cloud environment.

168

Resposta de referência

Cloud data warehousing is the use of cloud computing to build and manage data warehouses. Cloud data warehouses offer a number of advantages over on-premises data warehouses, such as: - Scalability: Cloud data warehouses are highly scalable, so you can easily scale them up or down to meet your changing needs. - Reliability: Cloud data warehouses are highly reliable, and cloud providers offer a variety of services to ensure the reliability of your data warehouses. - Security: Cloud data warehouses are secure, and cloud providers offer a variety of security services to protect your data.

169

Resposta de referência

There are a number of ways to optimize costs in AWS. Some common cost optimization techniques include: - Choose the right instance type: AWS offers a variety of instance types, each with a different price-performance ratio. Choose the instance type that is best suited for your workload. - Use reserved instances: Reserved instances offer a significant discount on EC2 instances. If you know that you will need to use an EC2 instance for a long period of time, consider using a reserved instance. - Spot instances: Spot instances are unused EC2 instances that are available at a discounted price. Spot instances are ideal for workloads that can be interrupted, such as batch processing jobs. - Use managed services: AWS offers a variety of managed services that can help you to optimize your costs. For example, Amazon RDS is a managed database service that can help you to reduce the cost of managing your own database servers. - Monitor your costs: Use AWS Cost Explorer to track your AWS costs. Cost Explorer can help you to identify areas where you can optimize your costs.

170

Resposta de referência

Amazon ElastiCache is a managed in-memory data store service that improves the performance of web applications by caching frequently accessed data in memory. ElastiCache supports two popular in-memory data stores: Memcached and Redis. ElastiCache can improve application performance by reducing the number of database queries that are required. ElastiCache can also improve application performance by reducing the latency of database queries.

171

Resposta de referência

Azure Policy evaluates your resources and identifies those that are not compliant with the policies you have created. It can take actions like denying the creation of non-compliant resources, auditing existing resources, or applying remediation. Policy definitions can be assigned at management group, subscription, or resource group levels.

172

Resposta de referência

Vertical scaling involves scaling up a web server to its full capacity, while horizontal scaling involves scaling out a web server to meet user demand.

173

Resposta de referência

Autoscaling allows cloud environments to dynamically adjust resources based on demand, ensuring cost efficiency and performance. It works in two ways: - Horizontal scaling (scaling out/in): Adds or removes instances based on load. - Vertical scaling (scaling up/down): Adjusts the resources (CPU, memory) of an existing instance. Cloud providers offer autoscaling groups, which work with load balancers to distribute traffic effectively.

174

Resposta de referência

Azure DevTest Labs is a service that helps developers and testers quickly create environments in Azure while minimizing waste and controlling cost. It provides pre-configured base images, reusable templates, and policies for auto-shutdown and cost tracking, making it easier to set up development and test environments.

175

Resposta de referência

Handling data sovereignty involves ensuring that data is stored and processed in compliance with local laws and regulations. This includes selecting cloud providers with data centers in specific regions and implementing controls to manage data location.

176

Resposta de referência

Workloads specifically means an independent set of codes or instructions that can be executed to perform a specific task. It can be either a part of the application or the complete application itself. Therefore, an organization is likely to manage these due to the following reasons: - In order to know that whether the applications are running properly. - In order to know the functions, they are performing. - In order to know the changes in the individual department with respect to the service provided.

177

Resposta de referência

Cloud storage device mechanisms provide common levels of data storage, such as: - Files – These are collections of data that are grouped into files that are located in folders. - Blocks – A block is the smallest unit of data that is individually accessible. It is the lowest level of storage and the closest to the hardware. - Datasets – Data sets organized into a table-based, delimited, or record format. - Objects – Data and the associated metadata with it are organized as web-based resources. Each of the above data storage levels is associated with a certain type of technical interface. This interface corresponds to a particular type of cloud storage device and the cloud storage service used to expose its API.

178

Resposta de referência

Azure Virtual Network (VNet) is a service that allows customers to create a logically isolated section of the Azure Cloud where they can launch Azure resources in a private network. A VNet can be used to create a secure and isolated environment for running applications, storing data, and deploying development environments. Components of Azure Virtual Network include: - Subnets: Subnets are ranges of IP addresses within a VNet. Subnets are used to group Azure resources together and to control how they interact with each other. - Network Security Groups (NSGs): NSGs are firewall rules that control inbound and outbound traffic to your Azure resources. - Virtual Network Peering: This allows you to connect VNets together, enabling resources in different VNets to communicate with each other. - Azure VPN Gateway: This provides a secure connection between your on-premises network and your VNet. - Azure Load Balancer: This distributes traffic across multiple resources in your VNet.

179

Resposta de referência

Windows Azure is a virtualized environment that runs on a Hyper-V platform that has been customized. The host OS is in charge of managing the server's resources as well as executing the Windows Azure Agent, which communicates with the Windows Azure Fabric Controller. Windows Azure isn't a single OS but rather a collection of several OSs that function together.

180

Resposta de referência

Secrets management should be centralized using HashiCorp Vault, integrated with cloud KMS systems. Secrets should rotate automatically every 30 days, with dynamic secrets using short TTLs for application access. All secret access should be logged and monitored.

181

Resposta de referência

Public and private clouds differ significantly in terms of ownership, control, and security responsibility. In a public cloud, resources are hosted and managed by third-party providers like AWS, Azure, or Google Cloud, and shared among multiple tenants. Public clouds benefit from large-scale infrastructure and advanced built-in security features such as automated patching, encryption, and compliance certifications. However, customers must ensure proper configuration and access control to avoid exposure. In contrast, a private cloud is dedicated to a single organization—either hosted on-premises or in a dedicated data center—providing greater control over hardware, network policies, and data security. Private clouds allow for customized security policies, stricter access controls, and better compliance alignment for sensitive workloads. However, they require significant investment and skilled management. In short, public clouds offer scalability and cost efficiency with shared responsibility, while private clouds prioritize control and isolation at higher operational costs.

182

Resposta de referência

Data in Google Cloud Storage is secured using encryption at rest (default or CMEK), access control via IAM and ACLs, and signed URLs. Data in Google Cloud SQL is secured using encryption at rest (default or CMEK), SSL/TLS for connections, and IAM-based access control.

183

Resposta de referência

Cloud monitoring refers to the continuous process of observing, collecting, and analyzing data from cloud-based infrastructure, applications, and services to ensure optimal performance, reliability, and security. It involves using automated tools and dashboards to track metrics such as network traffic, CPU usage, storage utilization, latency, and error rates. From a security perspective, cloud monitoring helps detect anomalies, unauthorized access, and configuration changes that could signal potential threats. Modern monitoring solutions—like AWS CloudWatch, Azure Monitor, or Google Cloud Operations—integrate with Security Information and Event Management (SIEM) systems to provide real-time alerts and insights. Effective cloud monitoring enables proactive incident detection, performance optimization, compliance tracking, and rapid response to vulnerabilities. It serves as the foundation for maintaining visibility and control over complex, dynamic, and distributed cloud environments.

184

Resposta de referência

Secure data in transit in the cloud by using TLS/SSL encryption and VPNs.

185

Resposta de referência

Data privacy and compliance in GCP are ensured through features like data encryption at rest and in transit, access control via IAM, data loss prevention (DLP), audit logging with Cloud Audit Logs, and compliance certifications (e.g., SOC, ISO, HIPAA). GCP also provides tools like VPC Service Controls for data exfiltration prevention.

186

Resposta de referência

Google Cloud SQL for PostgreSQL is a fully managed relational database service that makes it easy to set up, operate, and scale a PostgreSQL database in the cloud. It plays a key role in managed relational databases by: - Providing a managed service: Cloud SQL manages the infrastructure, so you don't have to worry about it. - Providing high availability: Cloud SQL provides built-in high availability with automatic failover. - Providing scalability: You can easily scale your database up or down. - Providing security: Cloud SQL provides a variety of security features. - Providing performance: Cloud SQL provides a variety of performance features.

187

Resposta de referência

Infrastructure as Code (IaC) is a practice of managing and provisioning cloud infrastructure using code. IaC can help you to: - Automate the provisioning and configuration of cloud resources. - Reduce manual errors. - Improve consistency and repeatability. - Facilitate collaboration. There are a number of different IaC tools available, such as Terraform, AWS CloudFormation, and Azure Resource Manager. To manage cloud resources using IaC, you can follow these steps: - Define your infrastructure in code using an IaC tool. - Apply the code to your cloud provider. - Monitor your infrastructure for changes and apply updates as needed.

188

Resposta de referência

AWS Step Functions is a serverless workflow orchestration service that makes it easy to build and run state machines and workflows. Step Functions helps you to coordinate the execution of multiple steps across multiple AWS services. Step Functions works by defining a state machine, which is a visual representation of the workflow. The state machine defines the steps in the workflow, the order in which the steps are executed, and the transitions between steps. Step Functions then executes the state machine and manages the flow of data between steps. Step Functions also handles errors and retries, so you don't have to worry about managing these yourself. Step Functions can be used to build a variety of workflows, such as: - Order fulfillment workflows - Customer onboarding workflows - Data processing workflows - Machine learning workflows - Security incident response workflows

189

Resposta de referência

Example answer: High latency in a cloud application can be caused by several factors, including network congestion, inefficient database queries, suboptimal instance placement, or load balancing misconfigurations. To diagnose the issue, I would start by isolating the bottleneck using cloud monitoring tools. The first step would be to analyze the application response times and network latency by checking logs, request-response times, and HTTP status codes. If the issue is network-related, I would use a traceroute or ping test to check for increased round-trip times between users and the application. If a problem exists, enabling a CDN could help cache static content closer to users and reduce latency. If the database queries are causing delays, I would profile slow queries and optimize them by adding proper indexing or denormalizing tables. Additionally, if the application is under high traffic, enabling horizontal scaling with autoscaling groups or read replicas can reduce the load on the primary database. If latency issues persist, I would check the application's compute resources, ensuring it runs in the correct availability zone closest to end users. If necessary, I would migrate workloads to a multi-region setup or use edge computing solutions to process requests closer to the source.

190

Resposta de referência

A cloud compliance checklist is a tool that outlines the specific requirements and controls needed for compliance. It is used to ensure that all necessary compliance measures are implemented and verified.

191

Resposta de referência

Azure IoT Hub is a managed service that acts as a central message hub for bi-directional communication between IoT applications and the devices it manages. It enables IoT device communication by: - Providing a secure and reliable connection: IoT Hub uses per-device authentication and encrypted communication. - Supporting multiple communication protocols: IoT Hub supports protocols like MQTT, AMQP, and HTTPS. - Scaling to millions of devices: IoT Hub can handle millions of simultaneously connected devices. - Integrating with other Azure services: IoT Hub can send data to Azure Stream Analytics, Azure Functions, and other services for processing.

192

Resposta de referência

To detect and respond to a ransomware attack on an S3 bucket in real-time: 1) Enable S3 Event Notifications to trigger a Lambda function on object modifications or deletions. 2) Use Amazon GuardDuty to detect unusual API calls (e.g., mass deletions) and generate findings. 3) Set up CloudWatch alarms for spikes in S3 API calls (e.g., DeleteObject, PutObject). 4) Upon detection, immediately isolate the affected bucket by updating the bucket policy to deny all access except from a forensic account. 5) Use S3 Object Lock to prevent further modifications. 6) Restore objects from versioning or backups. 7) Conduct forensic analysis using CloudTrail logs to identify the source of the attack. 8) Rotate compromised credentials and tighten IAM policies. 9) Notify stakeholders and report the incident as required.

193

Resposta de referência

Azure Private DNS provides a reliable and secure DNS service for your virtual network. You can configure it by creating a private DNS zone and linking it to one or more virtual networks. It allows you to use custom domain names for resources within the VNet without needing a custom DNS solution.

194

Resposta de referência

Azure Data Explorer (ADX) is a fast and highly scalable data exploration service that allows you to analyze large volumes of data in real time. It enables data exploration and analysis by: - Providing a powerful query language: ADX uses a Kusto Query Language (KQL) that is optimized for data exploration. - Ingesting data from a variety of sources: ADX can ingest data from Azure Event Hubs, Azure IoT Hub, and Azure Blob Storage. - Processing data in real time: ADX can process data in real time. - Visualizing data: ADX can be used with Power BI and other visualization tools.

195

Resposta de referência

Cloud-based message queues are a way to decouple applications and services. Message queues allow applications to send and receive messages asynchronously. This can improve the performance, scalability, and reliability of applications. Some popular cloud-based message queues include: - Amazon Simple Queue Service (SQS) - Google Cloud Pub/Sub - Azure Service Bus Cloud-based message queues can be used for a variety of tasks, such as: - Decoupling applications and services - Implementing event-driven architectures - Processing large volumes of data - Building scalable and reliable applications

196

Resposta de referência

197

Resposta de referência

Security for serverless functions includes securing function code, managing permissions, and monitoring for vulnerabilities.

198

Resposta de referência

SIEM solutions aggregate, correlate, and analyze security logs to detect potential threats and automate incident response. Key Features: - Centralized Log Collection: Collect logs from cloud services, network devices, and applications. - Threat Intelligence Integration: Correlate logs with external threat intelligence feeds to detect malicious activity. - Real-time Monitoring and Alerts: Automate security alerts based on predefined and AI-driven threat detection rules. - Incident Response Automation: Use Security Orchestration, Automation, and Response (SOAR) tools like Splunk, Microsoft Sentinel, or IBM QRadar to contain threats.

199

Resposta de referência

The AWS Lambda Dead Letter Queue (DLQ) is a queue where Lambda sends events that it cannot process successfully. This can happen for a variety of reasons, such as: - The event is in an invalid format. - The Lambda function returns an error. - The Lambda function times out. The DLQ can be used to monitor for Lambda function errors and to retry failed events.

200

Resposta de referência

Candidate NPS went from 32 to 78 after implementing AIR, as candidates love the flexibility of interviewing on their own schedule.

NÃO QUER PERDER NADA?

Os testes práticos Cisco, PMP, CISA, CISM e AWS 100% aprovados estão à venda!
Obtenha agora

Obtenha uma certificação para destacar o seu currículo.

NÃO QUER PERDER NADA?

Os testes práticos Cisco, PMP, CISA, CISM e AWS 100% aprovados estão à venda! Obtenha agora

Obtenha uma certificação para destacar o seu currículo.

Os testes práticos Cisco, PMP, CISA, CISM e AWS 100% aprovados estão à venda!
Obtenha agora