Pass the WGU Courses and Certificates Managing-Cloud-Security Questions and answers with CertsForce

A Database Activity Monitor (DAM) is specifically designed to identify and stop attack-based commands from executing on a SQL server. Managing Cloud documentation explains that DAM solutions monitor database traffic in real time, inspecting queries and commands for malicious patterns such as SQL injection, privilege escalation, and unauthorized data access attempts.

Unlike traditional firewalls, which primarily filter network traffic, a DAM understands database-specific protocols and SQL command structures. This allows it to detect abnormal or unauthorized queries that may bypass perimeter defenses. When a suspicious command is identified, the DAM can alert administrators, block the execution, or log the activity for forensic analysis.

The other options do not provide this level of database-specific protection. A host-based firewall controls traffic to and from a server but does not analyze SQL commands. A hardware security module focuses on key management and cryptographic operations. A cloud access and security broker enforces security policies between cloud consumers and providers but does not inspect SQL commands directly. Therefore, the database activity monitor is the correct device for stopping attack-based SQL commands.

A third-party attestation should be used by consumers to determine whether a cloud service provider meets regulatory and legal compliance requirements. Managing Cloud principles explain that independent audits and attestations provide objective evidence of compliance.

Third-party attestations validate that a provider has implemented required controls and follows recognized standards. These reports reduce the need for customers to perform direct audits and increase trust in the provider’s security and compliance posture.

Warrants relate to law enforcement, regulatory obligations define requirements but do not prove compliance, and contracts outline responsibilities but do not independently verify adherence. Therefore, third-party attestation is the correct answer.

Runtime privilege issues can be identified only through dynamic application security testing (DAST). Managing Cloud principles explain that DAST evaluates applications while they are running, allowing testers to observe behavior during execution.

Runtime privileges involve how applications handle permissions, roles, and access controls in real-world conditions. These issues cannot be fully identified through static analysis because they depend on runtime context, user interactions, and environment configurations.

Code quality, null pointer dereferences, and insecure cryptographic functions can typically be detected through static testing or code review. Therefore, runtime privileges are uniquely suited for detection through DAST.

A pipeline refers to the structured process of moving code from development to production, encompassing implementation, review, automated testing, and deployment. In DevOps, this is known as a CI/CD pipeline (Continuous Integration/Continuous Deployment).

An iteration refers to a development cycle, a baseline represents a stable reference configuration, and a framework provides structure but not a deployment sequence. Only pipeline accurately captures the sequential, automated flow of code into production.

Pipelines enhance efficiency, consistency, and quality assurance by automating repetitive tasks, reducing human error, and ensuring that code changes are validated before reaching production. They are essential for modern cloud-native applications where rapid deployment is expected.

The STRIDE threat model identifies six categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. In this scenario, the accountant modified data they were not authorized to change. This is an act of Tampering, which refers to unauthorized alteration of data or systems.

Spoofing would involve impersonating another identity, denial of service would block availability, and elevation of privilege would involve gaining higher access rights. The accountant already had legitimate access but misused it to alter data outside their scope of responsibility.

Tampering compromises data integrity, one of the pillars of the CIA triad. In cloud and enterprise systems, safeguards against tampering include role-based access control, least privilege, and auditing to detect unauthorized changes. Recognizing this as tampering helps in identifying insider misuse and implementing compensating controls.

Infrastructure as a Service (IaaS) allows an organization to maximize control over its information. Managing Cloud principles explain that in the IaaS model, customers manage operating systems, applications, data, access controls, and security configurations.

This high level of control enables organizations to implement customized security policies, encryption mechanisms, and compliance controls tailored to their specific requirements. Customers retain direct responsibility for data protection, system hardening, and monitoring.

In contrast, PaaS and SaaS abstract more control to the provider, limiting customization. DaaS focuses on user desktops rather than data governance. Therefore, IaaS provides the greatest control over information assets.

A host-based agent intrusion detection system (IDS) can be used to provide network monitoring security controls in an IaaS public cloud environment. Managing Cloud principles explain that customers do not control physical network infrastructure in public cloud environments, making traditional network taps or sniffed ports impractical.

Host-based IDS agents monitor traffic, processes, and system activity directly on virtual machines. This approach aligns with PCI DSS requirements by providing visibility into network activity, intrusion attempts, and policy violations without requiring physical hardware.

CSP audit logs provide limited visibility, and redundant firewalls focus on traffic control rather than monitoring. Sniffed network ports require physical access. Therefore, a host-based IDS is the correct solution.

Simple Object Access Protocol (SOAP) is an API format that provides a framework for exchanging structured information using web services. Managing Cloud principles explain that SOAP is a protocol-based messaging standard that relies on XML for message formatting.

SOAP defines strict standards for message structure, communication protocols, and error handling, making it suitable for enterprise environments that require reliability, security, and formal contracts. It supports features such as authentication, encryption, and transaction integrity.

The other options describe characteristics of RESTful APIs. SOAP is XML-based and does not support multiple data formats. Therefore, the correct description is the structured web service framework.

The software agent management plane must support auto-scaling and elasticity because traditional security tools are not designed for the speed and scale of cloud environments. Managing Cloud guidance explains that cloud workloads can be created, scaled, and terminated rapidly, often within minutes or seconds.

If security management systems cannot scale at the same pace, workloads may operate without protection or monitoring. Elastic security management ensures that agents are deployed, configured, and decommissioned automatically as workloads scale up or down.

The other options do not directly explain the need for elasticity. Network isolation, reduced services, and firewall port usage are not the primary drivers. Therefore, the need to match cloud velocity makes option C correct.

The correct approach for sanitizing a USB thumb drive while preserving its usability is overwriting. Overwriting involves replacing the existing data on the device with random data or specific patterns to ensure that the original information cannot be recovered. This process leaves the physical device intact, allowing it to be reused securely.

Physical destruction, such as shredding, renders the device unusable. Degaussing only works on magnetic media like hard disks or tapes, not on solid-state or flash-based USB drives. Key revocation applies to cryptographic keys and not to physical devices.

By using overwriting, organizations comply with data sanitization standards while balancing operational efficiency. Many tools exist that perform multi-pass overwrites to meet regulatory requirements such as those from NIST or ISO. This ensures that sensitive data is removed while allowing the device to remain in circulation for continued use.