ISC2 Certified Cloud Security Professional (CCSP) Practice Question
A fintech startup is refactoring its monolithic payment system into several microservices that will run on the cloud provider's managed Kubernetes platform. Compliance mandates state that all pod-to-pod (east-west) traffic must be encrypted in transit and that each microservice must be able to prove its identity so it can decrypt only the data it is explicitly authorized to access. Which cloud-native architectural feature will best meet both security requirements with minimal application code changes?
Place a cloud web application firewall in front of every microservice ingress endpoint to inspect and filter traffic.
Implement a service mesh that injects sidecar proxies and enforces mutual TLS with certificates issued by the provider's private CA.
Enable server-side encryption with customer-managed keys on the object storage used for configuration files.
Create a dedicated network security group for each pod and restrict ingress and egress ports to required services only.
A service mesh deploys a data-plane sidecar proxy next to every pod and a control plane that issues X.509 certificates to each workload through an internal certificate authority. Mutual TLS (mTLS) between the sidecars encrypts every connection, satisfying the requirement for encrypted east-west traffic. Because each microservice presents its unique certificate, the receiving service can authenticate the caller and enforce authorization policies, ensuring only authorized workloads decrypt or consume protected data. Network security groups alone control IP-level reachability but do not provide identity-based encryption. A web application firewall focuses on north-south traffic at the edge, not internal service calls. Server-side encryption of object storage protects data at rest, not service-to-service communications.
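As an added illustration (not part of the practice question), the two policy objects below show how the explanation's correct answer is expressed in Istio, one service-mesh implementation assumed here; the namespace, workload labels and service-account names are constructed for the example. The first object forces every sidecar in the payments namespace to accept only mTLS connections, and the second lets the ledger service accept calls only from the workload identity that the mesh CA placed in the caller's certificate, so reachability alone is not enough to decrypt or consume its data.

```yaml
# Constructed example: Istio policies for the scenario in the question.
# Enforce encrypted east-west traffic: every sidecar in the "payments"
# namespace rejects plaintext and requires a peer certificate.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: require-mtls
  namespace: payments
spec:
  mtls:
    mode: STRICT          # PERMISSIVE would still accept plaintext
---
# Enforce identity-based authorization: the ledger workload only accepts
# requests whose client certificate carries the checkout service's SPIFFE
# identity (cluster.local/ns/<namespace>/sa/<service-account>), which the
# mesh control plane issues to the pod running under that service account.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger         # constructed label for the ledger microservice
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              - "cluster.local/ns/payments/sa/checkout"
      to:
        - operation:
            methods: ["POST"]
            paths: ["/v1/transactions"]
```

Because an ALLOW policy with a selector denies everything it does not list, any other pod, even one that can reach the ledger pod at the network level, is rejected at the sidecar before the application code sees the request.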
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Application Security