WGU Managing Cloud Security (JY02) Exam Questions

Page: 1 / 14
Total 80 questions
Question 1

Which tool provides a dedicated environment to contain and analyze malware?



Answer : C

A sandbox is a controlled, isolated environment used to safely run, observe, and analyze potentially malicious code. In cybersecurity, sandboxes allow analysts to execute malware samples without risking contamination of production systems. This enables identification of malware behavior, persistence techniques, and indicators of compromise.

Encryption protects confidentiality, but does not allow safe execution. Gateways control traffic flow, and controllers manage devices or workloads. Only a sandbox provides the dedicated containment required for malware analysis.

In cloud environments, sandboxing is often implemented at scale to analyze suspicious files or traffic automatically. This practice enhances defenses against zero-day exploits, advanced persistent threats, and polymorphic malware. By preventing malware from escaping, sandboxes provide essential forensic and detection insights without endangering the wider environment.


Question 2

Which group should be notified for approval when a planned modification to an environment is scheduled?



Answer : C

The Change Management Board (CMB), also called the Change Advisory Board (CAB), is the formal authority responsible for reviewing, assessing, and approving planned modifications to IT environments. This group ensures that proposed changes align with business objectives, do not introduce unnecessary risks, and comply with security and regulatory requirements.

Event management teams focus on monitoring events, problem management teams handle root-cause analysis, and executive boards provide strategic direction but are not operational approval authorities. Only the CMB has the explicit role of validating technical and security implications before implementation.

By involving the CMB, organizations enforce structured governance, minimize disruptions, and establish accountability. This practice is central in ITIL and ISO/IEC 20000 standards, ensuring that operational integrity and security are preserved during change cycles.


Question 3

Which device is used to create and manage encryption keys used for data transmission in a cloud-based environment?



Answer : A

A Hardware Security Module (HSM) is a dedicated, tamper-resistant device designed for creating, managing, and storing encryption keys. In cloud environments, HSMs are essential for securing cryptographic operations, such as SSL/TLS key management, digital signatures, and secure data transmission.

TPMs are hardware chips used to secure local devices, such as laptops. Memory controllers and RAID controllers manage system performance and storage but are not cryptographic devices.

HSMs provide strong protection against key theft or misuse by isolating cryptographic functions from general-purpose computing resources. They are often certified under standards like FIPS 140-2, ensuring compliance with stringent security requirements. In cloud services, customers can use provider-managed HSMs or deploy dedicated virtual HSM instances for secure key management.


Question 4

Which type of storage includes categories such as relational, nonrelational, key-value, and document-oriented?



Answer : B

The categories mentioned (relational, nonrelational, key-value, and document-oriented) refer to different types of databases. Relational databases (SQL) organize data into tables with rows and columns, nonrelational databases (NoSQL) provide flexibility for unstructured data, key-value stores map identifiers to values, and document-oriented databases manage data in formats such as JSON or BSON.

Object-based storage and volumes are alternative storage architectures but are not described by these categories. XML is a data format, not a storage type.

In the cloud, database services are offered as managed solutions, reducing the administrative burden on organizations. Properly managing database storage is critical for data governance, confidentiality, and compliance. Databases are also central to security strategies, where access control, encryption, and auditing are applied.

Thus, the correct answer is database storage, which encompasses multiple architectures that address different performance, scalability, and data management needs.


Question 5

An organization is reviewing a contract from a cloud service provider and wants to ensure that all aspects of the contract are adhered to by the cloud service provider. Which control will allow the organization to verify that the cloud provider is meeting its obligations?



Answer : A

Continuous monitoring is the control that allows organizations to actively verify that a cloud provider is fulfilling contractual and compliance obligations. This involves automated collection and analysis of operational, security, and performance data. It enables organizations to ensure that service-level agreements (SLAs) are being honored and that compliance requirements are being met in real time.

While regulatory oversight is provided by external authorities and incident management is reactive in nature, continuous monitoring is a proactive approach. It allows customers to maintain visibility into provider operations. Confidential computing focuses on data protection but does not verify contract adherence.

By employing continuous monitoring, organizations establish transparency and accountability. It also supports audit processes by providing evidence that controls remain effective over time. This reduces risk associated with outsourcing critical functions to a cloud provider and ensures resilience against potential provider-side failures.


Question 6

An organization wants to secure the boundary between a lower-security zone and a higher-security zone. Which security measure should it use?



Answer : C

A bastion host is a hardened system placed at the boundary between different security zones. It acts as a gateway, controlling access from a less secure network (such as the internet or a lower-trust zone) into a higher-security zone (such as an internal cloud environment).

Secure Shell (SSH) provides secure communication but does not create a boundary. Virtual clients and host isolation are endpoint measures, not boundary defenses.

By placing a bastion host at the perimeter, organizations centralize monitoring, apply strict access controls, and reduce attack surfaces. These hosts are typically stripped down to essential services, patched frequently, and monitored closely. In cloud environments, bastion hosts are essential for controlling administrative access while enforcing strong authentication and logging.


Question 7

Which data destruction technique involves encrypting the data, followed by encrypting the resulting keys with a different engine, and then destroying the keys resulting from the second encryption round?



Answer : D

Cryptographic erasure is a secure data sanitization technique that relies on encryption. The process involves encrypting the data, encrypting the keys with a second layer, and then destroying the encryption keys. Without the keys, the encrypted data becomes unreadable and is effectively destroyed, even though the storage media remains intact.

One-way hashing is used for password storage, not full data destruction. Degaussing is for magnetic media, and overwriting involves physically writing new data over existing sectors.

Cryptographic erasure is widely used in cloud environments where physical media cannot be easily destroyed or reclaimed by customers. It ensures compliance with data retention and privacy regulations while maintaining environmental sustainability by allowing reuse of storage hardware.

