Pass the WGU Courses and Certificates Managing-Cloud-Security Questions and answers with CertsForce

Abastion hostis a hardened system placed at the boundary between different security zones. It acts as a gateway, controlling access from a less secure network (such as the internet or a lower-trust zone) into a higher-security zone (such as an internal cloud environment).

Secure Shell (SSH) provides secure communication but does not create a boundary. Virtual clients and host isolation are endpoint measures, not boundary defenses.

By placing a bastion host at the perimeter, organizations centralize monitoring, apply strict access controls, and reduce attack surfaces. These hosts are typically stripped down to essential services, patched frequently, and monitored closely. In cloud environments, bastion hosts are essential for controlling administrative access while enforcing strong authentication and logging.

The correct approach for sanitizing a USB thumb drive while preserving its usability isoverwriting. Overwriting involves replacing the existing data on the device with random data or specific patterns to ensure that the original information cannot be recovered. This process leaves the physical device intact, allowing it to be reused securely.

Physical destruction, such as shredding, renders the device unusable. Degaussing only works on magnetic media like hard disks or tapes, not on solid-state or flash-based USB drives. Key revocation applies to cryptographic keys and not to physical devices.

By using overwriting, organizations comply with data sanitization standards while balancing operational efficiency. Many tools exist that perform multi-pass overwrites to meet regulatory requirements such as those from NIST or ISO. This ensures that sensitive data is removed while allowing the device to remain in circulation for continued use.

TheOperational Excellencepillar emphasizes practices that allow organizations to develop, deploy, and operate workloads effectively. It includes monitoring operations, responding to incidents, and continuously improving processes. By embedding feedback loops, organizations enhance agility and ensure that technology supports business value.

Performance efficiency deals with using computing resources efficiently, reliability ensures system availability, and sustainability focuses on environmental responsibility. While important, these do not encompass the process-driven improvements at the heart of operational excellence.

Operational excellence ensures that organizations can adapt quickly to changes, implement automation, and drive consistent improvements across cloud workloads. It is a key principle in cloud frameworks like AWS Well-Architected, Microsoft CAF, and Google’s Reliability Engineering practices.

When a required PCI DSS control cannot be implemented due to technical limitations, the organization must apply acompensating control. A compensating control is an alternative safeguard that meets the intent and rigor of the original requirement.

Risk acceptance is insufficient under PCI DSS, as compliance demands enforceable safeguards. Privacy controls and protection levels may enhance data security but do not formally replace mandatory encryption requirements.

For example, a provider may use strict access controls, network segmentation, or monitoring to mitigate risks from unencrypted cardholder data. Documenting these compensating controls is essential during audits, ensuring compliance despite system limitations.

The categories mentioned—relational, nonrelational, key-value, and document-oriented—refer to different types of databases. Relational databases (SQL) organize data into tables with rows and columns, nonrelational databases (NoSQL) provide flexibility for unstructured data, key-value stores map identifiers to values, and document-oriented databases manage data in formats such as JSON or BSON.

Object-based storage and volumes are alternative storage architectures but are not described by these categories. XML is a data format, not a storage type.

In the cloud, database services are offered as managed solutions, reducing the administrative burden on organizations. Properly managing database storage is critical for data governance, confidentiality, and compliance. Databases are also central to security strategies, where access control, encryption, and auditing are applied.

Thus, the correct answer is database storage, which encompasses multiple architectures that address different performance, scalability, and data management needs.

The cloud data life cycle defines distinct stages that data goes through from its origin until its disposal. TheCreatephase is the very first stage, and this is where data is generated or captured by systems, applications, or users. At this point, data does not yet have context for storage or use, so it must be appropriately categorized and classified. Activities like labeling, marking, tagging, and assigning metadata are critical because they establish the foundation for enforcing controls throughout the rest of the life cycle.

Classification ensures that data is aligned with sensitivity levels, regulatory requirements, and business value. For example, financial records may be labeled “confidential” while general marketing content may be marked “public.” These distinctions guide how encryption, access controls, and monitoring will be applied in subsequent phases such as storage, sharing, or use.

According to industry frameworks, starting security at theCreatephase ensures that controls “follow the data” across environments. Without proper classification at creation, organizations risk mismanaging sensitive data downstream.

Infrastructure as a Service (IaaS) delivers fundamental computing resources over the cloud. These include virtual machines, block storage, networking, and load balancers. Customers use these resources to build and manage custom IT solutions, while the provider manages the underlying hardware.

PaaS abstracts infrastructure further, providing a development environment for applications without requiring infrastructure management. SaaS delivers fully functional applications over the internet. NaaS is a narrower category focusing on network delivery.

IaaS is the correct answer because it gives maximum flexibility and control compared to the other models, allowing organizations to build tailored environments. It also requires customers to manage operating systems, middleware, and runtime security, making shared responsibility an essential part of the model.

The correct time for data deletion isafter the specified retention perioddefined by contractual agreements, regulatory frameworks, or internal policies. Retention policies ensure that data is kept for as long as necessary for business, legal, or compliance reasons but not longer than required.

Oversubscription, inactivity, or review cycles are not valid triggers because they may conflict with compliance mandates such as GDPR, HIPAA, or PCI DSS. Deleting data prematurely could result in legal penalties or business risks, while keeping it longer than necessary could increase exposure.

By deleting data only after the retention period, providers demonstrate adherence to data governance principles and protect customer rights while minimizing storage costs and liability.

Baselining is the process of establishing a reference point for the standard configuration of systems, networks, or applications. This baseline represents the approved, secure state. By continuously comparing the current environment to the baseline, organizations can detect deviations, unauthorized changes, or misconfigurations.

Patch management involves updating systems, deployment refers to installing new systems, and capacity management focuses on resource planning. While important, these do not establish a standard state for comparison.

Baselining is essential for change management and security auditing. It supports configuration management databases (CMDBs), intrusion detection, and compliance requirements. When deviations are detected, they can be escalated for remediation or formally approved through change control processes.

Trust in digital certificates comes from their issuance by aCertificate Authority (CA). A CA is a trusted entity that validates identities and signs certificates. In internal environments, organizations often operate aprivate CAto issue certificates for users, systems, and services.

If certificates were generated by individual private keys or systems without central authority, there would be no unified trust chain, and validating authenticity across the organization would be impossible. A certificate repository server only distributes certificates but cannot establish trust.

By using an organizational CA server, all certificates are linked to a root of trust. Systems configured to trust the organization’s CA will trust any certificate it issues. This allows secure internal communications (TLS, VPN, email signing) and ensures scalability as new services come online. It also supports compliance with enterprise PKI policies.