ISC2 Certified Cloud Security Professional (CCSP) Practice Question

You are designing a key-management architecture for a highly regulated workload that will run on a public IaaS cloud. The policy states that root cryptographic keys must be generated and stored only in tamper-resistant hardware certified to at least FIPS 140-2 Level 3, and that cloud provider personnel must be technically prevented from extracting or replacing those keys. Which option best meets these requirements while still allowing the virtual machines to use the keys for encryption and signing operations?

  • Use the provider's shared, multi-tenant Key Management Service (KMS) to create customer master keys for the workload.

  • Enable guest-OS disk encryption and store the encryption passphrases in the cloud provider's secrets-management service.

  • Attach a virtual Trusted Platform Module (vTPM) to each virtual machine and place the root keys in the vTPM.

  • Provision a dedicated, customer-managed network Hardware Security Module (HSM) and integrate the virtual machines with it through PKCS#11.
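The last option describes an integration worth seeing concretely: the virtual machine talks to the HSM over PKCS#11, the root key is generated on the device with attributes that forbid export, and every signing operation happens inside the device. The block below is an added example written for this page, not code from ISC2, a cloud provider or any HSM vendor. It assumes the python-pkcs11 package is installed and that the HSM's PKCS#11 module path, token label and user PIN are supplied through the PKCS11_MODULE, PKCS11_TOKEN and PKCS11_PIN environment variables (all of these are assumptions, not details from the question). SoftHSM2 can stand in for development, but it is software and does not meet a FIPS 140-2 Level 3 requirement.

```python
"""Added example (not from the original question page): generate a root signing
key inside a PKCS#11 token so the private material is non-exportable, verify the
attributes the HSM reports, then sign from the VM without the key leaving the
device.

Assumptions (none are stated on the page): the python-pkcs11 package is
installed; the HSM vendor's PKCS#11 library path, token label and user PIN are
supplied through PKCS11_MODULE, PKCS11_TOKEN and PKCS11_PIN.
"""
import os

# PKCS#11 attribute values the policy demands of a root private key
# (attribute names are the CKA_* names without the prefix).
ROOT_KEY_POLICY = {
    "TOKEN": True,              # persistent token object, not a session object
    "SENSITIVE": True,          # plaintext value can never be read out
    "EXTRACTABLE": False,       # cannot be wrapped or exported at all
    "ALWAYS_SENSITIVE": True,   # has been sensitive since creation
    "NEVER_EXTRACTABLE": True,  # has never been extractable since creation
}


def policy_violations(attrs):
    """Return the names of attributes that break ROOT_KEY_POLICY.

    `attrs` maps attribute names to the values read back from the key object.
    A missing attribute is reported as a violation so the check fails closed.
    """
    return [name for name, required in ROOT_KEY_POLICY.items()
            if attrs.get(name) != required]


def read_policy_attrs(key):
    """Read the ROOT_KEY_POLICY attributes from a python-pkcs11 key object.

    Attributes the token refuses to report are left out, which makes
    policy_violations() flag them.
    """
    from pkcs11 import Attribute
    from pkcs11.exceptions import PKCS11Error

    attrs = {}
    for name in ROOT_KEY_POLICY:
        try:
            attrs[name] = key[getattr(Attribute, name)]
        except PKCS11Error:
            pass
    return attrs


def provision_and_sign(module_path, token_label, pin, payload, label="workload-root"):
    """Generate a non-extractable RSA-2048 key pair on the token, check it
    against ROOT_KEY_POLICY, sign `payload` with it and confirm the private
    value cannot be read back. Returns a dict summarising the outcome."""
    import pkcs11
    from pkcs11 import Attribute, KeyType, Mechanism
    from pkcs11.exceptions import AttributeSensitive

    lib = pkcs11.lib(module_path)
    token = lib.get_token(token_label=token_label)
    with token.open(user_pin=pin, rw=True) as session:
        pub, priv = session.generate_keypair(
            KeyType.RSA, 2048, store=True, label=label,
            private_template={Attribute.SENSITIVE: True,
                              Attribute.EXTRACTABLE: False})
        attrs = read_policy_attrs(priv)
        violations = policy_violations(attrs)
        if violations:
            # Never keep a root key the device could hand out in plaintext.
            priv.destroy()
            pub.destroy()
            raise RuntimeError(f"root key violates policy: {violations}")

        # The signature is computed inside the device; only the result leaves it.
        signature = priv.sign(payload, mechanism=Mechanism.SHA256_RSA_PKCS)
        verified = pub.verify(payload, signature, mechanism=Mechanism.SHA256_RSA_PKCS)

        # A sensitive key must refuse to reveal its private exponent.
        try:
            priv[Attribute.PRIVATE_EXPONENT]
            exponent_hidden = False
        except AttributeSensitive:
            exponent_hidden = True

    return {"attrs": attrs, "signature_len": len(signature),
            "verified": verified, "private_exponent_hidden": exponent_hidden}


if __name__ == "__main__":
    # Constructed sample payload; the environment variables are assumptions.
    result = provision_and_sign(
        os.environ["PKCS11_MODULE"], os.environ["PKCS11_TOKEN"],
        os.environ["PKCS11_PIN"], b"constructed sample payload")
    print(result)
```

The attribute check is the part that maps to the question's wording. CKA_SENSITIVE and CKA_EXTRACTABLE set at generation are what technically prevent anyone with PKCS#11 access, including an operator at the provider, from reading or wrapping the key out; CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE let you confirm after the fact that the key was born that way rather than locked down later. Treat any token that cannot report those attributes as a policy failure, which is why the check fails closed on a missing value.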

Cloud Security Operations