ISC2 Certified Cloud Security Professional (CCSP) Practice Question
An organization uses a public IaaS provider that exposes its management plane through both a web console and a REST API. The same identity store is leveraged for interactive logins and for programmatic access keys consumed by the company's CI/CD pipeline. To minimize the blast radius if any one credential set is compromised-while still allowing the pipeline to deploy new virtual machines automatically-which of the following controls BEST addresses the management-plane risk?
Provision a dedicated service identity with only the required API permissions and disable its ability to sign in to the web console.
Configure host-based firewalls on every virtual machine to accept management traffic only from corporate IP addresses.
Force all automation traffic through an MFA-protected bastion host before it reaches the provider endpoints.
Raise the provider's default service quotas for the automation account to prevent API throttling during deployments.
Separating human and machine identities limits the permissions available to any single credential set. Creating a distinct, least-privilege service account (or role) that is restricted to the minimum API actions required by the CI/CD pipeline, with interactive (console) login explicitly disabled, ensures that an attacker who steals that key cannot reach the broader web console or elevate privileges reserved for administrators. The bastion-host approach protects in-guest management such as SSH and RDP, not the cloud provider's control plane itself. Host-based firewalls on individual virtual machines defend the data plane, not the management plane. Increasing service quotas does nothing to contain credential compromise or reduce attack surface. Therefore, using a dedicated, API-only service identity with narrowly scoped permissions is the most effective option.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the management plane in a public IaaS provider?
Open an interactive chat with Bash
What is a REST API, and why is it used in cloud infrastructure?
Open an interactive chat with Bash
What is a dedicated service identity, and how does it improve security?
Open an interactive chat with Bash
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Platform & Infrastructure Security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .