ISC2 Certified Cloud Security Professional (CCSP) Practice Question
A DevOps team has deployed a three-tier application to a public IaaS provider. All virtual machines (web, application, and database) reside in the same virtual network and currently share one permissive security group that allows any TCP/UDP traffic between members. During an internal audit, the CISO requests that the environment be aligned with zero-trust networking principles to curb lateral movement while avoiding additional hardware appliances or major architectural changes.
Which action will BEST meet the CISO's requirement?
Move all instances to a private subnet and rely on the provider's default network ACLs to block unwanted traffic.
Enable host-based firewalls inside every VM but leave the existing permissive security group unchanged.
Deploy a virtual next-generation firewall in a separate transit VPC and mirror all virtual network traffic to it for inspection.
Create distinct, least-privilege security groups for each tier and only allow the minimum required ports between specific groups while denying all other traffic.
Zero-trust networking treats every workload inside a cloud virtual network as untrusted, so only explicitly required flows should be permitted. Replacing the single permissive security group with granular, per-tier security groups lets the team specify exactly which ports each tier may use to communicate and deny all other east-west and north-south traffic by default. Because the public cloud provider enforces security-group rules at the virtual network layer, this change does not require new appliances or significant redesign.
Simply moving the VMs to a private subnet does not restrict their ability to talk to each other when network ACLs remain permissive. Depending only on host-based firewalls leaves the broad security group in place; if any host firewall is misconfigured or bypassed, lateral movement is still possible. Deploying a separate next-generation firewall adds complexity and cost and, without tightening the existing security groups, still allows unrestricted instance-to-instance traffic. Therefore, implementing least-privilege, tier-specific security groups is the most effective and straightforward way to achieve the CISO's zero-trustč¦ę±.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is zero-trust networking?
Open an interactive chat with Bash
What is a security group in a cloud environment?
Open an interactive chat with Bash
How does least-privilege access work within security groups?
Open an interactive chat with Bash
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Concepts, Architecture and Design
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .