ISC2 Certified Cloud Security Professional (CCSP) Practice Question
A company is migrating its customer-records service to a public cloud and will expose it as a RESTful API for mobile apps and external partners. The architect must ensure that, if an attacker steals a bearer access token, the token cannot be reused from a different device or network. The solution must keep the API stateless so that horizontal scaling behind a load balancer is unaffected. Which security control BEST meets these requirements?
Configure a web application firewall rule to reject any request missing a valid user-agent header.
Enforce mutual TLS at the API gateway and bind each access token to the client's X.509 certificate.
Restrict the API endpoint to known partner IP address ranges with a cloud network security group.
Issue short-lived JSON Web Tokens (JWT) via OAuth 2.0 and require clients to refresh them frequently.
Binding every issued access token to the client's X.509 certificate and enforcing mutual TLS (mTLS) at the API gateway stops a stolen token from being replayed from elsewhere. On each request the client must present the same certificate that was bound to the token when it was issued; an attacker who copies only the token fails validation because they cannot complete the mTLS handshake with the bound certificate (they lack its private key). mTLS operates at the transport layer and is compatible with REST's stateless nature, so the service can scale horizontally without preserving server-side session state. Short-lived JSON Web Tokens reduce the exposure window but do not prevent immediate replay from another host. Restricting traffic with network security groups only blocks requests from outside the allowed IP ranges and cannot stop replay from within them. Dropping requests that lack a user-agent header offers negligible protection, because the header is trivially spoofed. Therefore, mTLS with certificate-bound tokens is the most effective and scalable control.
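To make the explanation concrete, the following is an added Python example (not from the exam or its vendor) that models RFC 8705 certificate-bound access tokens: the authorization server places the SHA-256 thumbprint of the client's certificate in the token's cnf claim, and the gateway compares that thumbprint with the certificate presented in the current mTLS session. The certificate bytes and the HS256 signing key are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins for the DER-encoded client certificates the gateway
# receives from the mTLS handshake (real code would take them from the TLS
# session); the key is a demo value, not a production secret.
LEGIT_CLIENT_CERT_DER = b"-constructed-der-bytes-for-partner-A-"
ATTACKER_CERT_DER = b"-constructed-der-bytes-for-attacker-"
SIGNING_KEY = b"constructed-demo-hmac-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def cert_thumbprint(cert_der: bytes) -> str:
    # RFC 8705: x5t#S256 is the base64url SHA-256 hash of the DER certificate.
    return b64url(hashlib.sha256(cert_der).digest())

def issue_token(subject: str, cert_der: bytes, ttl: int = 300, now=None) -> str:
    # Authorization server: bind the token to the certificate via the cnf claim.
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl,
               "cnf": {"x5t#S256": cert_thumbprint(cert_der)}}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_request(token: str, presented_cert_der: bytes, now=None) -> bool:
    # API gateway: check signature and expiry, then require that the certificate
    # presented in this TLS session matches the thumbprint bound in the token.
    # Every check uses only the token and the session, so no server-side state.
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url_decode(s), expected):
            return False
        payload = json.loads(b64url_decode(p))
        if payload["exp"] <= now:
            return False
        bound = payload["cnf"]["x5t#S256"]
        return hmac.compare_digest(bound, cert_thumbprint(presented_cert_der))
    except (ValueError, KeyError, TypeError):
        return False
```

A token copied by an attacker who connects with a different certificate fails the thumbprint comparison even though its signature and expiry are still valid.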