Cloud Misconfigurations – The #1 Security Risk – MCQ Questions

1. What is the most common cause of cloud misconfigurations?

A) Weak passwords
B) Lack of encryption
C) Human error and lack of security awareness
D) Outdated software

✅ Answer: C) Human error and lack of security awareness
📌 Explanation: The majority of cloud misconfigurations occur due to human error, such as misconfigured access policies, public exposure of sensitive resources, or improper IAM role assignments.

---

2. Which of the following is a primary security risk due to cloud storage misconfiguration?

A) Insecure API endpoints
B) Publicly exposed storage buckets
C) Lack of compliance policies
D) Slow network performance

✅ Answer: B) Publicly exposed storage buckets
📌 Explanation: Many cloud data breaches happen due to improperly configured S3 buckets, Blob storage, or Google Cloud Storage, leading to unauthorized access to sensitive data.

---

3. Which cloud misconfiguration can allow unauthorized users to gain administrative privileges?

A) Unrestricted SSH access
B) Overly permissive IAM roles
C) Improper DNS settings
D) Slow database response time

✅ Answer: B) Overly permissive IAM roles
📌 Explanation: Assigning overly broad permissions (e.g., granting AdministratorAccess to users who don’t need it) can escalate privileges and lead to security breaches.

---

4. A public cloud bucket with sensitive information is discovered. What is the first action to take?

A) Notify all users about the breach
B) Delete all data immediately
C) Restrict public access and audit access logs
D) Change the cloud provider

✅ Answer: C) Restrict public access and audit access logs
📌 Explanation: The best practice is to immediately restrict access, analyze logs for unauthorized access, and rotate credentials if needed.

---

5. Which security principle should be followed to minimize the impact of misconfigurations?

A) Least Privilege
B) Full Trust Model
C) Allow All Traffic
D) Open Access to Everyone

✅ Answer: A) Least Privilege
📌 Explanation: Principle of Least Privilege (PoLP) ensures users, services, and applications get only the access they need, reducing risk in case of misconfiguration.

---

6. What type of cloud misconfiguration could lead to a Server-Side Request Forgery (SSRF) attack?

A) Unencrypted databases
B) Improper API rate limits
C) Overly permissive IAM roles
D) Exposed metadata API

✅ Answer: D) Exposed metadata API
📌 Explanation: Many SSRF attacks exploit unprotected cloud metadata APIs, allowing attackers to steal credentials, escalate privileges, or move laterally.

---

7. How can organizations detect cloud misconfigurations in real time?

A) Manual log inspections
B) Cloud Security Posture Management (CSPM) tools
C) Waiting for an external audit
D) Only relying on cloud provider security

✅ Answer: B) Cloud Security Posture Management (CSPM) tools
📌 Explanation: CSPM tools like AWS Config, Azure Security Center, and Prisma Cloud continuously monitor, detect, and alert on cloud misconfigurations.

---

8. What is a common risk when configuring public cloud storage with “read-only” access?

A) Data theft via public downloads
B) High cloud bills
C) Slower data access
D) Poor customer experience

✅ Answer: A) Data theft via public downloads
📌 Explanation: Even “read-only” permissions expose sensitive data if configured publicly, leading to data breaches.

---

9. Which AWS service helps detect and prevent cloud misconfigurations?

A) AWS Lambda
B) AWS Shield
C) AWS Config
D) AWS CloudFront

✅ Answer: C) AWS Config
📌 Explanation: AWS Config continuously monitors AWS resource configurations and alerts on non-compliant configurations.

---

10. What is the impact of misconfigured security groups in cloud environments?

A) Data corruption
B) Unauthorized network access
C) Increased cloud cost
D) Service unavailability

✅ Answer: B) Unauthorized network access
📌 Explanation: Overly permissive security groups (e.g., 0.0.0.0/0 for SSH) expose cloud instances to external threats.

---

11. How can cloud misconfigurations affect compliance requirements?

A) They make compliance audits easier
B) They increase the risk of non-compliance penalties
C) They improve security posture
D) They reduce the need for security teams

✅ Answer: B) They increase the risk of non-compliance penalties
📌 Explanation: Misconfigured resources often violate industry regulations (GDPR, HIPAA, PCI-DSS) and lead to heavy fines.

---

12. What is the most effective way to enforce proper cloud security configurations?

A) Implement automated security policies
B) Perform manual audits once a year
C) Disable all cloud services
D) Use shared login credentials

✅ Answer: A) Implement automated security policies
📌 Explanation: Automation (e.g., Infrastructure as Code (IaC) with security guardrails) ensures consistent, secure configurations.

---

13. What is a common mistake in cloud identity and access management (IAM)?

A) Assigning least privilege permissions
B) Using granular roles
C) Assigning excessive privileges to all users
D) Enforcing MFA for admin accounts

✅ Answer: C) Assigning excessive privileges to all users
📌 Explanation: Over-privileged accounts increase security risks. Following least privilege reduces potential attack vectors.

---

14. How can attackers exploit misconfigured APIs in cloud environments?

A) Through brute-force attacks
B) By sending unauthorized API requests
C) By guessing admin passwords
D) By shutting down the server

✅ Answer: B) By sending unauthorized API requests
📌 Explanation: Misconfigured APIs (without proper authentication/authorization) allow attackers to extract sensitive data or control cloud resources.

---

15. Why should default cloud credentials be changed immediately?

A) Default credentials are easy to remember
B) They provide the highest security
C) They are commonly known and can be exploited
D) They are encrypted

✅ Answer: C) They are commonly known and can be exploited
📌 Explanation: Default credentials (e.g., “admin/admin”) are publicly documented, making them a prime target for attackers.

---

16. What is the best approach to prevent public access to cloud storage?

A) Enable encryption only
B) Manually check every file
C) Apply access control policies & enforce bucket policies
D) Allow public access and monitor logs

✅ Answer: C) Apply access control policies & enforce bucket policies
📌 Explanation: Cloud storage should have explicit access controls to prevent accidental public exposure.

---

17. Which misconfiguration can lead to Denial-of-Service (DoS) attacks?

A) Excessive IAM permissions
B) Unrestricted API rate limits
C) Using complex passwords
D) Disabling firewall rules

✅ Answer: B) Unrestricted API rate limits
📌 Explanation: Without rate limits, attackers can overwhelm APIs with excessive requests, leading to DoS attacks.

---

18. What can be the consequence of exposing cloud storage (e.g., S3 bucket) to the public?

A) Increased cloud bill
B) Unauthorized data access and leakage
C) Faster data transfer speeds
D) Improved API performance

✅ Answer: B) Unauthorized data access and leakage
📌 Explanation: A publicly accessible cloud storage bucket can leak sensitive files, leading to data breaches and compliance violations.

---

19. Which security control can help detect and alert on unauthorized changes in cloud configurations?

A) CloudTrail or Activity Logs
B) Increasing compute resources
C) Deleting all users regularly
D) Disabling logging for performance

✅ Answer: A) CloudTrail or Activity Logs
📌 Explanation: Cloud logging solutions (AWS CloudTrail, Azure Monitor, GCP Audit Logs) track changes and help detect security incidents.

---

20. How can misconfigured Kubernetes clusters be exploited by attackers?

A) By launching denial-of-service (DoS) attacks
B) By gaining unauthorized access to cluster nodes
C) By improving deployment efficiency
D) By reducing cloud costs

✅ Answer: B) By gaining unauthorized access to cluster nodes
📌 Explanation: Kubernetes misconfigurations (e.g., open API servers, weak RBAC permissions) allow attackers to compromise cluster nodes.

---

21. Which of the following is a sign of cloud resource hijacking?

A) Increased CPU utilization and unexpected costs
B) Faster database queries
C) Improved security performance
D) Decreased data storage

✅ Answer: A) Increased CPU utilization and unexpected costs
📌 Explanation: Cloud resource hijacking (e.g., crypto mining attacks) results in high compute usage and increased billing.

---

22. Why should public access to cloud VMs (e.g., SSH on 0.0.0.0/0) be avoided?

A) It increases API response times
B) It allows anyone on the internet to attempt unauthorized access
C) It speeds up SSH logins
D) It improves cloud performance

✅ Answer: B) It allows anyone on the internet to attempt unauthorized access
📌 Explanation: Allowing SSH (port 22) from “0.0.0.0/0” makes VMs vulnerable to brute-force attacks and unauthorized access.

---

23. Which AWS service helps identify security misconfigurations in an AWS account?

A) AWS Lambda
B) AWS Inspector
C) AWS GuardDuty
D) AWS Security Hub

✅ Answer: D) AWS Security Hub
📌 Explanation: AWS Security Hub provides a unified security dashboard, detecting misconfigurations, vulnerabilities, and compliance issues.

---

24. What is a key risk of misconfigured cloud DNS records?

A) Domain hijacking
B) Faster domain resolution
C) Reduced cost
D) Increased internet speed

✅ Answer: A) Domain hijacking
📌 Explanation: Improper DNS settings (e.g., unclaimed subdomains) allow attackers to hijack domains and redirect traffic.

---

25. How can cloud misconfigurations lead to privilege escalation attacks?

A) By increasing system performance
B) By providing excessive IAM permissions
C) By enforcing strong authentication
D) By enabling auto-scaling

✅ Answer: B) By providing excessive IAM permissions
📌 Explanation: Over-permissive IAM roles enable attackers to escalate privileges and take over cloud accounts.

---

26. What is the best way to prevent excessive cloud costs due to misconfigurations?

A) Enable billing alerts and cost monitoring
B) Disable all security controls
C) Use only default configurations
D) Avoid monitoring usage

✅ Answer: A) Enable billing alerts and cost monitoring
📌 Explanation: Misconfigured resources (e.g., unused VMs, open storage, crypto mining malware) can cause unexpected high costs.

---

27. What cloud misconfiguration can result in unauthorized API access?

A) Exposed API keys in code repositories
B) Encrypted storage buckets
C) Implementing rate limits
D) Using strong passwords

✅ Answer: A) Exposed API keys in code repositories
📌 Explanation: Publicly exposed API keys allow attackers to interact with cloud services, bypassing authentication.

---

28. Why should multi-factor authentication (MFA) be enforced for cloud accounts?

A) To make logins slower
B) To increase phishing attempts
C) To prevent unauthorized access even if credentials are compromised
D) To make password resets easier

✅ Answer: C) To prevent unauthorized access even if credentials are compromised
📌 Explanation: MFA prevents attackers from accessing accounts even if login credentials are leaked.

---

29. What happens if a cloud firewall is misconfigured with an “allow-all” rule?

A) Unrestricted access to cloud resources
B) Faster application performance
C) Improved network security
D) Reduced latency

✅ Answer: A) Unrestricted access to cloud resources
📌 Explanation: “Allow-all” rules expose services to unauthorized access, increasing attack risks.

---

30. What tool helps prevent misconfigured infrastructure-as-code (IaC) deployments?

A) Terraform
B) AWS Lambda
C) Policy-as-Code (PaC) tools
D) Cloud storage

✅ Answer: C) Policy-as-Code (PaC) tools
📌 Explanation: PaC tools (e.g., Open Policy Agent, Terraform Sentinel) help enforce security policies in IaC deployments.

---

31. How can cloud misconfigurations affect business reputation?

A) Increased customer trust
B) Loss of sensitive data leading to reputational damage
C) Improved security policies
D) Lower cloud bills

✅ Answer: B) Loss of sensitive data leading to reputational damage
📌 Explanation: Data breaches from cloud misconfigurations can lead to loss of customer trust, legal actions, and brand damage.

---

32. Why is logging and monitoring important in cloud security?

A) To detect security incidents and misconfigurations
B) To reduce cloud storage costs
C) To avoid compliance audits
D) To speed up database queries

✅ Answer: A) To detect security incidents and misconfigurations
📌 Explanation: Continuous logging and monitoring help identify unauthorized activities and misconfigurations before they cause harm.

---

33. What is the risk of using shared IAM credentials in cloud environments?

A) Easier collaboration
B) Loss of accountability and security risks
C) Faster API performance
D) Reduced security costs

✅ Answer: B) Loss of accountability and security risks
📌 Explanation: Sharing IAM credentials makes it impossible to track individual actions, increasing security risks.

---

34. Which compliance standard is most relevant for cloud security misconfigurations?

A) PCI-DSS
B) HIPAA
C) ISO 27001
D) All of the above

✅ Answer: D) All of the above
📌 Explanation: Cloud misconfigurations can impact PCI-DSS (financial data), HIPAA (health data), and ISO 27001 (security management).

---

35. What is a common risk when cloud IAM roles are assigned without proper scoping?

A) Reduced storage cost
B) Unintended privilege escalation
C) Faster API execution
D) Improved system performance

✅ Answer: B) Unintended privilege escalation
📌 Explanation: Improperly scoped IAM roles can allow users or services to gain more privileges than needed, leading to security risks and lateral movement attacks.

---

36. What is the best way to prevent cloud infrastructure from being exposed to the public?

A) Assigning unique domain names
B) Disabling all firewall rules
C) Applying proper access controls and private networking
D) Increasing cloud storage

✅ Answer: C) Applying proper access controls and private networking
📌 Explanation: Misconfigured cloud infrastructure can lead to data exposure, unauthorized access, and breaches. Restricting access through VPCs, firewalls, and IAM roles helps mitigate risks.

---

37. How can weak encryption settings in cloud storage lead to security risks?

A) It reduces data processing time
B) It allows unauthorized users to decrypt sensitive data
C) It improves data transfer speeds
D) It helps in compliance audits

✅ Answer: B) It allows unauthorized users to decrypt sensitive data
📌 Explanation: If weak encryption algorithms or default encryption settings are used, attackers can easily decrypt sensitive data, leading to data breaches.

---

38. What happens if a cloud administrator grants ‘wildcard’ permissions (e.g., * in IAM policies)?

A) Users get unrestricted access to all cloud resources
B) It improves security
C) It speeds up cloud operations
D) It enforces stricter access control

✅ Answer: A) Users get unrestricted access to all cloud resources
📌 Explanation: Using wildcard (*) permissions in IAM roles can accidentally grant users full administrative control, leading to severe security risks.

---

39. Which security risk arises from not regularly updating cloud security policies?

A) Slower network performance
B) Outdated and insecure configurations remain active
C) Faster data retrieval
D) Improved logging performance

✅ Answer: B) Outdated and insecure configurations remain active
📌 Explanation: Not updating security policies can leave outdated rules, excessive privileges, or misconfigurations active, making it easier for attackers to exploit weaknesses.

---

40. What is a risk of enabling anonymous access to cloud-based databases?

A) Unauthorized users can access sensitive data
B) Improved database query performance
C) Increased storage space
D) Faster database indexing

✅ Answer: A) Unauthorized users can access sensitive data
📌 Explanation: Enabling anonymous access to databases exposes data to the public, increasing data breach risks.

---

41. What is a security risk when cloud applications are not patched regularly?

A) Reduced cloud storage costs
B) Increased vulnerability to exploits and attacks
C) Improved system performance
D) Faster database transactions

✅ Answer: B) Increased vulnerability to exploits and attacks
📌 Explanation: Unpatched cloud applications contain known vulnerabilities, making them an easy target for attackers.

---

42. What is the best method to prevent cloud service abuse (e.g., cryptocurrency mining)?

A) Implement strict IAM policies and usage monitoring
B) Disable all cloud resources
C) Allow unlimited API requests
D) Increase server performance

✅ Answer: A) Implement strict IAM policies and usage monitoring
📌 Explanation: Cloud service abuse, such as unauthorized crypto mining, can be prevented using IAM restrictions, rate limiting, and activity monitoring.

---

43. What is a key benefit of using Infrastructure as Code (IaC) security scanning?

A) Detects misconfigurations before deployment
B) Reduces storage consumption
C) Increases cloud billing
D) Disables cloud monitoring

✅ Answer: A) Detects misconfigurations before deployment
📌 Explanation: IaC security scanning tools (e.g., Checkov, Terraform Sentinel) detect misconfigurations early and enforce secure configurations.

---

44. How can an attacker exploit a cloud instance with a misconfigured metadata service?

A) By obtaining temporary security credentials
B) By speeding up system performance
C) By improving encryption security
D) By reducing API call failures

✅ Answer: A) By obtaining temporary security credentials
📌 Explanation: Exposed cloud metadata services can allow attackers to retrieve IAM credentials, leading to account takeovers and lateral movement.

---

45. What is a common security risk of cloud-based APIs without authentication?

A) Unauthorized access and data leaks
B) Faster API response times
C) Reduced database queries
D) Increased API documentation

✅ Answer: A) Unauthorized access and data leaks
📌 Explanation: Exposed APIs without authentication allow unauthorized users to interact with cloud services, leading to data breaches.

---

46. Why should cloud storage objects have versioning enabled?

A) To track and recover changes in case of accidental deletion or ransomware attacks
B) To speed up cloud deployments
C) To improve database indexing
D) To reduce cloud costs

✅ Answer: A) To track and recover changes in case of accidental deletion or ransomware attacks
📌 Explanation: Enabling versioning in cloud storage (e.g., AWS S3, Google Cloud Storage) ensures data recovery after accidental deletions or ransomware incidents.

---

47. What is a major security concern with hardcoding credentials in cloud applications?

A) Faster application response times
B) Easier credential exposure and unauthorized access
C) Improved user experience
D) Reduced need for monitoring

✅ Answer: B) Easier credential exposure and unauthorized access
📌 Explanation: Hardcoded credentials in cloud applications can be exposed in source code, leading to unauthorized access.

---

48. What tool helps enforce security compliance in cloud environments?

A) AWS Security Hub
B) CloudFront
C) AWS Lambda
D) Azure Blob Storage

✅ Answer: A) AWS Security Hub
📌 Explanation: AWS Security Hub monitors cloud environments and helps enforce compliance with security best practices.

---

49. What is a risk of granting full administrator privileges to all cloud users?

A) Increased risk of accidental or malicious changes
B) Improved system uptime
C) Reduced cloud storage costs
D) Faster cloud performance

✅ Answer: A) Increased risk of accidental or malicious changes
📌 Explanation: Giving all users admin access increases the chance of unauthorized or accidental changes, leading to potential security incidents.

---

50. How can attackers exploit misconfigured cloud-based logging?

A) By modifying or deleting log files to erase evidence
B) By increasing cloud storage space
C) By speeding up data retrieval
D) By improving encryption security

✅ Answer: A) By modifying or deleting log files to erase evidence
📌 Explanation: If cloud logging is misconfigured, attackers can tamper with logs, making incident detection and forensic analysis difficult.

---

51. Which of the following is a common mistake when configuring cloud security groups?

A) Blocking all traffic by default
B) Using the principle of least privilege
C) Allowing inbound traffic from 0.0.0.0/0
D) Enabling multi-factor authentication

✅ Answer: C) Allowing inbound traffic from 0.0.0.0/0
📌 Explanation: Allowing traffic from 0.0.0.0/0 means that anyone on the internet can access the resource, leading to potential unauthorized access and attacks.

---

52. What is a major consequence of not properly configuring API Gateway authentication?

A) Unauthorized users can access the API
B) The API response time increases
C) The API logs are disabled
D) The API is automatically encrypted

✅ Answer: A) Unauthorized users can access the API
📌 Explanation: Failing to configure authentication in an API Gateway allows attackers to interact with backend services, leading to data breaches and security incidents.

---

53. What cloud security risk arises from excessive use of wildcard (*) permissions in IAM policies?

A) Users gain broad, unrestricted access
B) Improved application performance
C) Faster database queries
D) Reduced cloud costs

✅ Answer: A) Users gain broad, unrestricted access
📌 Explanation: Using * in IAM roles grants overly broad permissions, which can lead to privilege escalation and unauthorized actions.

---

54. Why should temporary credentials be used instead of long-lived credentials in cloud environments?

A) Temporary credentials expire automatically, reducing exposure risk
B) Long-lived credentials improve cloud security
C) Temporary credentials make authentication easier
D) Long-lived credentials prevent unauthorized access

✅ Answer: A) Temporary credentials expire automatically, reducing exposure risk
📌 Explanation: Temporary credentials (e.g., AWS STS, Azure Managed Identity) reduce the attack surface by automatically expiring.

---

55. How does misconfigured public cloud object storage affect data security?

A) It allows unauthorized access to sensitive data
B) It speeds up storage performance
C) It reduces cloud storage costs
D) It prevents network attacks

✅ Answer: A) It allows unauthorized access to sensitive data
📌 Explanation: Misconfigured cloud storage buckets (e.g., AWS S3, Google Cloud Storage) can expose confidential data to the internet, leading to data breaches.

---

56. What is a potential risk of failing to enable logging in cloud environments?

A) Inability to detect and respond to security incidents
B) Faster system performance
C) Reduced compliance requirements
D) Lower cloud storage costs

✅ Answer: A) Inability to detect and respond to security incidents
📌 Explanation: Without logging, organizations cannot detect threats, investigate incidents, or ensure compliance.

---

57. What type of attack can result from allowing unrestricted outbound traffic in cloud security groups?

A) Data exfiltration
B) Reduced CPU performance
C) Faster network speeds
D) Improved encryption

✅ Answer: A) Data exfiltration
📌 Explanation: Unrestricted outbound rules allow attackers to exfiltrate sensitive data from compromised cloud instances.

---

58. What is the best practice for securing cloud service accounts?

A) Use dedicated service accounts with the least privilege
B) Grant administrative access to all service accounts
C) Disable all service accounts
D) Use shared credentials for all cloud services

✅ Answer: A) Use dedicated service accounts with the least privilege
📌 Explanation: Each service should have a dedicated account with only the necessary permissions, reducing the impact of security breaches.

---

59. How can an attacker exploit a misconfigured identity federation setup?

A) By obtaining unauthorized access via Single Sign-On (SSO) loopholes
B) By reducing cloud storage costs
C) By improving system efficiency
D) By increasing encryption strength

✅ Answer: A) By obtaining unauthorized access via Single Sign-On (SSO) loopholes
📌 Explanation: Weak identity federation configurations can allow attackers to bypass authentication and access cloud resources.

---

60. What happens when cloud storage versioning is disabled?

A) Data cannot be recovered after accidental deletion or modification
B) Cloud costs decrease
C) Data integrity improves
D) Cloud security is enhanced

✅ Answer: A) Data cannot be recovered after accidental deletion or modification
📌 Explanation: Without versioning, deleted or modified data cannot be restored, increasing the risk of data loss.

---

61. Why should security groups be reviewed regularly?

A) To ensure unnecessary open ports are closed
B) To increase cloud billing
C) To improve API response time
D) To reduce log size

✅ Answer: A) To ensure unnecessary open ports are closed
📌 Explanation: Regular reviews of security groups help detect and remove excessive permissions, reducing attack surfaces.

---

62. What is a risk of not setting expiration policies for cloud storage objects?

A) Accidental data leaks over time
B) Reduced storage availability
C) Improved encryption security
D) Lower API performance

✅ Answer: A) Accidental data leaks over time
📌 Explanation: Without expiration policies, old data remains exposed, increasing the risk of data leaks.

---

63. What happens if a cloud administrator accidentally deletes encryption keys used for data at rest?

A) Encrypted data becomes permanently inaccessible
B) Data is automatically decrypted
C) Storage costs decrease
D) System performance improves

✅ Answer: A) Encrypted data becomes permanently inaccessible
📌 Explanation: If encryption keys are lost, data cannot be decrypted, making it permanently inaccessible.

---

64. What is the best method to prevent cloud misconfigurations?

A) Automate security configurations and compliance checks
B) Disable monitoring services
C) Allow full administrator access to all users
D) Ignore security warnings

✅ Answer: A) Automate security configurations and compliance checks
📌 Explanation: Automation tools (e.g., CSPM, IaC scanning) detect and remediate misconfigurations, reducing human error.

---

65. What is the risk of using default security settings in cloud environments?

A) Increased exposure to cyber threats
B) Faster system performance
C) Improved compliance
D) Reduced log storage

✅ Answer: A) Increased exposure to cyber threats
📌 Explanation: Default cloud settings are often not secure, making systems more vulnerable to attacks.

---

66. Why is restricting unused cloud services important?

A) To reduce attack surfaces and minimize risks
B) To increase CPU utilization
C) To improve UI design
D) To enhance data visualization

✅ Answer: A) To reduce attack surfaces and minimize risks
📌 Explanation: Unused services should be disabled to reduce the number of potential entry points for attackers.

---

67. What is a common risk of not enabling API rate limiting in cloud environments?

A) APIs become vulnerable to Denial-of-Service (DoS) attacks
B) API response times improve
C) API costs decrease
D) Cloud storage usage is reduced

✅ Answer: A) APIs become vulnerable to Denial-of-Service (DoS) attacks
📌 Explanation: Without rate limits, attackers can flood an API with requests, causing service disruptions.

---

68. Why should organizations conduct regular cloud security audits?

A) To identify misconfigurations and compliance gaps
B) To improve cloud billing
C) To disable unnecessary logging
D) To reduce encryption strength

✅ Answer: A) To identify misconfigurations and compliance gaps
📌 Explanation: Regular audits help detect vulnerabilities and ensure cloud environments remain secure and compliant.

---

69. What is the best way to prevent cloud credential leaks in public repositories (e.g., GitHub)?

A) Use environment variables and secrets management tools
B) Hardcode credentials for faster access
C) Store credentials in a public text file
D) Use shared credentials across multiple services

✅ Answer: A) Use environment variables and secrets management tools
📌 Explanation: Cloud credentials should never be hardcoded. Instead, use secrets management solutions (AWS Secrets Manager, HashiCorp Vault) and environment variables.

---

70. Which cloud misconfiguration could lead to an attacker accessing internal services?

A) Improperly configured VPC peering and firewall rules
B) Using encrypted storage buckets
C) Enforcing strict IAM policies
D) Disabling logging

✅ Answer: A) Improperly configured VPC peering and firewall rules
📌 Explanation: Misconfigured VPC peering and firewall rules can expose internal cloud resources to external threats.

---

71. What is the risk of enabling anonymous access to cloud-hosted databases?

A) Unauthorized access and potential data breaches
B) Faster database queries
C) Lower storage costs
D) Improved database indexing

✅ Answer: A) Unauthorized access and potential data breaches
📌 Explanation: Anonymous access allows anyone to query, modify, or delete database contents, leading to security and compliance issues.

---

72. What type of attack can occur due to weak session management in cloud applications?

A) Session hijacking and unauthorized account access
B) Faster response times
C) Reduced database queries
D) Improved application performance

✅ Answer: A) Session hijacking and unauthorized account access
📌 Explanation: Weak session management (e.g., no session expiration, lack of MFA) allows attackers to steal active session tokens and take over accounts.

---

73. What is a security risk of not using encryption for cloud-stored data?

A) Data can be exposed if accessed by unauthorized entities
B) Faster data processing
C) Reduced storage space usage
D) Improved API response times

✅ Answer: A) Data can be exposed if accessed by unauthorized entities
📌 Explanation: Unencrypted data in cloud storage is easily readable if compromised, leading to data breaches.

---

74. What security risk arises when multi-factor authentication (MFA) is disabled?

A) Increased risk of account takeover
B) Faster login times
C) Lower cloud billing
D) Improved security

✅ Answer: A) Increased risk of account takeover
📌 Explanation: Without MFA, attackers can access cloud accounts using stolen credentials, increasing unauthorized access risks.

---

75. How can an attacker exploit weak firewall configurations in cloud environments?

A) By bypassing security controls and gaining unauthorized access
B) By speeding up internet traffic
C) By reducing cloud service costs
D) By improving system performance

✅ Answer: A) By bypassing security controls and gaining unauthorized access
📌 Explanation: Misconfigured firewalls (e.g., allowing 0.0.0.0/0 access) can expose cloud services to unauthorized users.

---

76. What is the best way to restrict public access to cloud-based APIs?

A) Implement authentication, authorization, and API gateways
B) Allow all traffic to reduce downtime
C) Disable logging for API performance
D) Share API keys with all users

✅ Answer: A) Implement authentication, authorization, and API gateways
📌 Explanation: APIs should be protected with authentication (OAuth, JWT, API keys) and gateways to prevent unauthorized access.

---

77. What is a consequence of allowing unrestricted outbound traffic in a cloud security group?

A) Data exfiltration and command-and-control (C2) attacks
B) Faster network performance
C) Improved data encryption
D) Reduced API latency

✅ Answer: A) Data exfiltration and command-and-control (C2) attacks
📌 Explanation: Allowing unrestricted outbound traffic can allow malware and attackers to exfiltrate sensitive data or establish C2 channels.

---

78. What happens if cloud service accounts are assigned excessive permissions?

A) They can be abused for privilege escalation attacks
B) They improve system performance
C) They reduce storage costs
D) They allow faster API responses

✅ Answer: A) They can be abused for privilege escalation attacks
📌 Explanation: Overly permissive service accounts can be exploited by attackers to gain higher privileges in cloud environments.

---

79. What risk arises from using default security settings in cloud deployments?

A) Increased exposure to cyber threats
B) Faster system configuration
C) Lower storage consumption
D) Improved cloud service performance

✅ Answer: A) Increased exposure to cyber threats
📌 Explanation: Default security settings are often insecure and may expose cloud environments to unauthorized access and attacks.

---

80. What is the impact of failing to monitor cloud access logs?

A) Security breaches go undetected
B) Faster database queries
C) Reduced logging costs
D) Improved network performance

✅ Answer: A) Security breaches go undetected
📌 Explanation: Without monitoring logs, security teams cannot detect unauthorized access or potential threats in cloud environments.

---

81. How can attackers exploit weak cloud identity and access management (IAM) policies?

A) By escalating privileges and gaining full control of cloud resources
B) By reducing cloud costs
C) By improving security
D) By increasing storage performance

✅ Answer: A) By escalating privileges and gaining full control of cloud resources
📌 Explanation: Weak IAM policies allow attackers to elevate privileges, enabling full control over cloud assets.

---

82. Why should cloud storage access be restricted using IAM policies?

A) To prevent unauthorized users from accessing or modifying data
B) To improve data encryption
C) To reduce API request times
D) To increase cloud billing efficiency

✅ Answer: A) To prevent unauthorized users from accessing or modifying data
📌 Explanation: IAM policies should enforce least privilege to restrict access and protect sensitive data from exposure.

---

83. What risk is associated with failing to rotate API keys in cloud applications?

A) Long-term key exposure can lead to security breaches
B) Improved API response times
C) Reduced database storage costs
D) Increased system uptime

✅ Answer: A) Long-term key exposure can lead to security breaches
📌 Explanation: API keys should be rotated regularly to minimize exposure risks and prevent unauthorized API usage.

---

84. What is the impact of failing to enforce strong password policies in cloud environments?

A) Increased risk of brute-force attacks and credential theft
B) Faster authentication times
C) Improved encryption
D) Reduced cloud costs

✅ Answer: A) Increased risk of brute-force attacks and credential theft
📌 Explanation: Weak passwords are easily cracked by brute-force or dictionary attacks, leading to account compromises.

---

85. What is the best approach to avoid misconfigurations in Infrastructure as Code (IaC) deployments?

A) Use automated security scanning tools before deployment
B) Manually review all configuration files
C) Allow all default security settings
D) Disable security policies

✅ Answer: A) Use automated security scanning tools before deployment
📌 Explanation: IaC security tools (e.g., Checkov, Terraform Sentinel) detect misconfigurations before deployment, ensuring secure infrastructure.

---

86. What is a potential risk of publicly exposing cloud compute instances?

A) Unauthorized remote access and cryptojacking attacks
B) Reduced data storage
C) Improved API performance
D) Faster compute processing

✅ Answer: A) Unauthorized remote access and cryptojacking attacks
📌 Explanation: Publicly exposed cloud instances (e.g., open SSH or RDP access) allow attackers to hijack compute resources, often for cryptojacking or botnet attacks.

---

87. Why should cloud users enable encryption for data in transit?

A) To protect against Man-in-the-Middle (MitM) attacks
B) To improve cloud billing efficiency
C) To increase data redundancy
D) To allow public access to data

✅ Answer: A) To protect against Man-in-the-Middle (MitM) attacks
📌 Explanation: Encrypting data in transit (e.g., TLS/SSL) prevents attackers from intercepting and modifying sensitive data.

---

88. What security issue can arise from unrestricted IAM role assumption?

A) Attackers can assume privileged roles and escalate privileges
B) Cloud applications run faster
C) Cloud storage becomes cheaper
D) It reduces security alert notifications

✅ Answer: A) Attackers can assume privileged roles and escalate privileges
📌 Explanation: IAM role assumption should be restricted to prevent attackers from gaining excessive access.

---

89. How can attackers exploit a cloud environment with open database ports (e.g., MySQL, MongoDB)?

A) By accessing and exfiltrating sensitive data
B) By improving database indexing
C) By reducing latency
D) By increasing data redundancy

✅ Answer: A) By accessing and exfiltrating sensitive data
📌 Explanation: Exposed database ports allow unauthorized users to directly query, modify, or steal sensitive data.

---

90. What is a security risk of failing to implement log retention policies in cloud environments?

A) Loss of forensic evidence in security incidents
B) Reduced storage costs
C) Faster API response times
D) Improved user experience

✅ Answer: A) Loss of forensic evidence in security incidents
📌 Explanation: Log retention policies ensure that logs are available for forensic analysis, helping investigate security breaches.

---

91. Why should cloud applications avoid using hardcoded API keys?

A) Hardcoded keys can be extracted by attackers and misused
B) It improves system performance
C) It reduces cloud billing costs
D) It speeds up application deployment

✅ Answer: A) Hardcoded keys can be extracted by attackers and misused
📌 Explanation: API keys should be stored securely (e.g., Secrets Manager, Vault) to prevent unauthorized access.

---

92. What is a security concern when cloud storage is misconfigured with weak access control lists (ACLs)?

A) Unauthorized users can read, modify, or delete files
B) Cloud storage costs increase
C) File transfer speeds decrease
D) Backup efficiency is improved

✅ Answer: A) Unauthorized users can read, modify, or delete files
📌 Explanation: Weak ACLs allow unauthorized users to access sensitive data, leading to data breaches and compliance violations.

---

93. How can an attacker exploit cloud environments with publicly exposed Kubernetes dashboards?

A) By gaining administrative control over Kubernetes clusters
B) By reducing cloud costs
C) By improving cluster performance
D) By speeding up API requests

✅ Answer: A) By gaining administrative control over Kubernetes clusters
📌 Explanation: Exposed Kubernetes dashboards allow attackers to manage workloads, deploy malicious containers, and escalate privileges.

---

94. What is the impact of failing to define proper resource quotas in cloud environments?

A) Uncontrolled resource consumption leading to denial-of-service (DoS) risks
B) Faster deployment times
C) Reduced security logging requirements
D) Improved cloud performance

✅ Answer: A) Uncontrolled resource consumption leading to denial-of-service (DoS) risks
📌 Explanation: Without resource quotas, a single compromised service can consume excessive resources, affecting service availability.

---

95. What security risk can arise from enabling default network settings in cloud environments?

A) Open access to unauthorized traffic
B) Faster network speeds
C) Reduced cloud billing
D) Improved storage efficiency

✅ Answer: A) Open access to unauthorized traffic
📌 Explanation: Default cloud network settings often lack strict security controls, leading to unintended exposure to external threats.

---

96. How can excessive permissions in cloud logging services be exploited?

A) Attackers can delete logs to cover their tracks
B) Logs are processed faster
C) Logging costs decrease
D) Logs become more accurate

✅ Answer: A) Attackers can delete logs to cover their tracks
📌 Explanation: Overprivileged accounts with log deletion access allow attackers to erase evidence of security breaches.

---

97. What is a major risk of using a shared cloud account across multiple users?

A) Lack of accountability and increased insider threat risks
B) Faster authentication processes
C) Improved API security
D) Reduced IAM policy complexity

✅ Answer: A) Lack of accountability and increased insider threat risks
📌 Explanation: Shared accounts make it impossible to track user activity, increasing the risk of insider attacks and unauthorized changes.

---

98. Why should cloud administrators enforce strict security policies on container registries?

A) To prevent deployment of malicious or unauthorized container images
B) To improve cloud billing accuracy
C) To enhance Kubernetes performance
D) To reduce API response time

✅ Answer: A) To prevent deployment of malicious or unauthorized container images
📌 Explanation: If a container registry is misconfigured, attackers can push and deploy malicious images, leading to supply chain attacks.

---

99. What security risk arises from failing to enforce API request validation?

A) Injection attacks (e.g., SQL injection, command injection)
B) Reduced API response times
C) Improved authentication speed
D) Increased cloud storage capacity

✅ Answer: A) Injection attacks (e.g., SQL injection, command injection)
📌 Explanation: Without proper request validation, attackers can manipulate API input to perform injection attacks.

---

100. How can attackers exploit a cloud environment with open ports and no network segmentation?

A) By moving laterally and accessing unauthorized resources
B) By reducing cloud storage usage
C) By improving network performance
D) By decreasing system downtime

✅ Answer: A) By moving laterally and accessing unauthorized resources
📌 Explanation: Open ports and lack of segmentation allow attackers to pivot through the network, gaining access to multiple cloud services.

---

101. What is the main risk of failing to apply the Principle of Least Privilege (PoLP) in cloud environments?

A) Unauthorized users gain excessive permissions
B) Increased API response time
C) Reduced data redundancy
D) Improved compliance with security policies

✅ Answer: A) Unauthorized users gain excessive permissions
📌 Explanation: PoLP ensures users have only the access they need. Without it, attackers or insiders can exploit excessive privileges.

---

102. Why should cloud administrators disable unused services and ports?

A) To minimize the attack surface and reduce security risks
B) To increase storage capacity
C) To speed up network traffic
D) To improve database performance

✅ Answer: A) To minimize the attack surface and reduce security risks
📌 Explanation: Unused cloud services and open ports can be exploited by attackers. Disabling them reduces security vulnerabilities.

---

103. What is the best way to enforce cloud compliance policies?

A) Use automated compliance frameworks and policy-as-code (PaC) tools
B) Manually check for compliance violations once a year
C) Disable all logging for compliance
D) Allow all users to configure security settings

✅ Answer: A) Use automated compliance frameworks and policy-as-code (PaC) tools
📌 Explanation: Automating compliance with tools like AWS Config, Azure Policy, and Terraform Sentinel ensures continuous policy enforcement.

---

104. How can an attacker exploit an exposed cloud metadata API?

A) By stealing IAM credentials and escalating privileges
B) By improving cloud performance
C) By increasing API request rates
D) By reducing cloud billing costs

✅ Answer: A) By stealing IAM credentials and escalating privileges
📌 Explanation: If a metadata API is exposed, attackers can steal IAM credentials, gaining unauthorized access to cloud resources.

---

105. What is a risk of using shared encryption keys across multiple cloud applications?

A) A single key compromise can expose multiple applications
B) Increased cloud billing costs
C) Reduced encryption speed
D) Improved cloud security

✅ Answer: A) A single key compromise can expose multiple applications
📌 Explanation: Each application should use unique encryption keys. Shared keys create a single point of failure.

---

106. What security risk arises from storing sensitive cloud credentials in environment variables?

A) Unauthorized users or malware can extract credentials
B) Increased system efficiency
C) Faster API execution
D) Reduced cloud storage costs

✅ Answer: A) Unauthorized users or malware can extract credentials
📌 Explanation: Cloud credentials stored in environment variables can be extracted by attackers, leading to data breaches.

---

107. Why should cloud infrastructure be regularly scanned for vulnerabilities?

A) To identify misconfigurations and security weaknesses before exploitation
B) To improve cloud billing
C) To speed up system performance
D) To reduce the number of security alerts

✅ Answer: A) To identify misconfigurations and security weaknesses before exploitation
📌 Explanation: Regular vulnerability scanning helps detect exposed services, outdated configurations, and security flaws.

---

108. How can attackers exploit misconfigured logging permissions in cloud environments?

A) By disabling logs to cover their tracks
B) By speeding up log processing
C) By improving storage efficiency
D) By reducing API request times

✅ Answer: A) By disabling logs to cover their tracks
📌 Explanation: If attackers have excessive permissions, they can disable or delete logs, preventing detection and forensic analysis.

---

109. What is a major risk of allowing unrestricted cross-origin resource sharing (CORS) in cloud applications?

A) Malicious websites can steal sensitive data via cross-site scripting (XSS)
B) Increased network speed
C) Improved API security
D) Faster API response times

✅ Answer: A) Malicious websites can steal sensitive data via cross-site scripting (XSS)
📌 Explanation: Misconfigured CORS policies allow attackers to execute unauthorized cross-origin requests, leading to data exposure.

---

110. Why should IAM policies avoid using wildcards (*) for resource access?

A) It grants excessive privileges that attackers can exploit
B) It speeds up authentication
C) It improves compliance auditing
D) It reduces cloud costs

✅ Answer: A) It grants excessive privileges that attackers can exploit
📌 Explanation: Wildcards (*) in IAM policies provide unrestricted access, allowing attackers to escalate privileges.

---

111. What is a common security issue when using cloud-based CI/CD pipelines?

A) Exposing secrets and credentials in pipeline configurations
B) Faster deployment times
C) Reduced storage requirements
D) Improved compliance auditing

✅ Answer: A) Exposing secrets and credentials in pipeline configurations
📌 Explanation: Hardcoded credentials in CI/CD pipelines can be extracted by attackers, leading to unauthorized access.

---

112. Why should cloud providers’ default security settings not be solely relied upon?

A) They may not enforce strict security policies by default
B) They improve security over time
C) They always provide maximum protection
D) They reduce the need for security teams

✅ Answer: A) They may not enforce strict security policies by default
📌 Explanation: Many cloud providers prioritize usability over security, requiring manual security hardening.

---

113. What is a security risk of granting “Full Access” to cloud storage for all users?

A) Any user can read, modify, or delete sensitive data
B) It reduces network latency
C) It improves cloud billing efficiency
D) It speeds up file transfers

✅ Answer: A) Any user can read, modify, or delete sensitive data
📌 Explanation: Granting unrestricted access to cloud storage increases the risk of data exposure and accidental deletions.

---

114. Why should cloud-based applications enforce strict API rate limits?

A) To prevent API abuse and denial-of-service (DoS) attacks
B) To improve encryption
C) To increase cloud billing efficiency
D) To reduce compliance requirements

✅ Answer: A) To prevent API abuse and denial-of-service (DoS) attacks
📌 Explanation: Without API rate limits, attackers can flood APIs with requests, leading to DoS attacks and system downtime.

---

115. What risk does allowing “public read/write” access to cloud storage objects pose?

A) Attackers can modify or delete stored files
B) Faster data retrieval
C) Reduced storage costs
D) Increased network speeds

✅ Answer: A) Attackers can modify or delete stored files
📌 Explanation: Misconfigured public storage access allows unauthorized modifications, leading to data loss or malicious file uploads.

---

116. How can cloud users mitigate the risks of orphaned cloud resources?

A) Regularly audit and delete unused cloud assets
B) Increase API request limits
C) Disable security alerts
D) Reduce storage capacity

✅ Answer: A) Regularly audit and delete unused cloud assets
📌 Explanation: Unused resources (e.g., VMs, databases, IAM roles) can be exploited by attackers if not properly managed.

---

117. What is a risk of not enforcing session timeouts in cloud applications?

A) Attackers can hijack inactive sessions and gain unauthorized access
B) Faster login times
C) Improved system performance
D) Reduced cloud storage usage

✅ Answer: A) Attackers can hijack inactive sessions and gain unauthorized access
📌 Explanation: Without session timeouts, an attacker can reuse active sessions to access sensitive data even after the user has left the system.

---

118. What is a security risk of allowing unrestricted egress (outbound) traffic in cloud security groups?

A) Attackers can exfiltrate data or establish remote access tunnels
B) Improved system performance
C) Faster API responses
D) Reduced cloud billing costs

✅ Answer: A) Attackers can exfiltrate data or establish remote access tunnels
📌 Explanation: Without egress restrictions, attackers can send stolen data to external locations or establish remote command-and-control (C2) connections.

---

119. How can attackers exploit misconfigured object storage permissions?

A) By accessing, modifying, or deleting sensitive files
B) By improving cloud storage speeds
C) By reducing data encryption requirements
D) By lowering API latency

✅ Answer: A) By accessing, modifying, or deleting sensitive files
📌 Explanation: Misconfigured object storage permissions (e.g., S3 buckets, Blob storage) expose data to unauthorized users, leading to data leaks or tampering.

---

120. Why should IAM access keys be rotated regularly in cloud environments?

A) To minimize the risk of long-term credential exposure
B) To increase cloud billing
C) To improve user experience
D) To speed up authentication

✅ Answer: A) To minimize the risk of long-term credential exposure
📌 Explanation: Regular key rotation prevents attackers from using compromised keys indefinitely, reducing security risks.

---

121. What is a security risk of using default passwords for cloud services?

A) Attackers can guess and exploit these credentials easily
B) Improved login speeds
C) Reduced need for multi-factor authentication
D) Increased cloud storage capacity

✅ Answer: A) Attackers can guess and exploit these credentials easily
📌 Explanation: Default passwords are commonly known and can be brute-forced or publicly available, leading to unauthorized access.

---

122. Why should cloud administrators restrict root account access in cloud environments?

A) To prevent full administrative control from being abused
B) To improve cloud performance
C) To increase API request rates
D) To optimize network speeds

✅ Answer: A) To prevent full administrative control from being abused
📌 Explanation: The root account has unrestricted access to all cloud resources, making it a high-value target for attackers.

---

123. What happens if a cloud user assigns broad permissions to a service account?

A) The service account can be exploited to access multiple resources
B) API requests become faster
C) Cloud billing decreases
D) Network speed improves

✅ Answer: A) The service account can be exploited to access multiple resources
📌 Explanation: Service accounts with excessive permissions can be used to access and manipulate cloud services maliciously.

---

124. Why should encryption keys never be stored inside source code repositories?

A) They can be leaked and used by attackers to decrypt sensitive data
B) It increases cloud billing
C) It speeds up encryption processing
D) It improves user authentication

✅ Answer: A) They can be leaked and used by attackers to decrypt sensitive data
📌 Explanation: Storing encryption keys in source code repositories (e.g., GitHub, GitLab) makes them easy to find and exploit.

---

125. What is a security risk of failing to validate API input in cloud applications?

A) Attackers can exploit injection vulnerabilities, such as SQL Injection
B) Improved API response time
C) Lower cloud storage costs
D) Reduced need for authentication

✅ Answer: A) Attackers can exploit injection vulnerabilities, such as SQL Injection
📌 Explanation: Without input validation, attackers can insert malicious code into API requests, leading to SQL Injection, command execution, or data corruption.

---

126. How can attackers exploit a cloud account with missing multi-factor authentication (MFA)?

A) By using stolen credentials to gain full access
B) By improving authentication response times
C) By reducing encryption overhead
D) By lowering cloud costs

✅ Answer: A) By using stolen credentials to gain full access
📌 Explanation: Without MFA, attackers only need a username and password to access an account, increasing the likelihood of successful breaches.

---

127. What is a common security risk of allowing unrestricted API access to cloud databases?

A) Unauthorized users can query and modify data
B) Improved cloud billing efficiency
C) Faster data retrieval speeds
D) Increased cloud storage capacity

✅ Answer: A) Unauthorized users can query and modify data
📌 Explanation: APIs without proper authentication allow attackers to read, modify, or delete database records.

---

128. Why should logging and monitoring be enabled in cloud environments?

A) To detect and respond to unauthorized access attempts
B) To increase system latency
C) To reduce storage costs
D) To disable compliance enforcement

✅ Answer: A) To detect and respond to unauthorized access attempts
📌 Explanation: Without logging, security teams cannot track suspicious activity or investigate breaches.

---

129. What risk arises from failing to apply security patches to cloud workloads?

A) Vulnerabilities can be exploited by attackers to gain unauthorized access
B) Improved system performance
C) Lower network latency
D) Increased cloud storage

✅ Answer: A) Vulnerabilities can be exploited by attackers to gain unauthorized access
📌 Explanation: Unpatched workloads may contain known vulnerabilities that can be leveraged by attackers.

---

130. What is a potential impact of an insecure cloud storage configuration?

A) Unauthorized access to confidential data
B) Reduced API response times
C) Increased cloud performance
D) Lower storage costs

✅ Answer: A) Unauthorized access to confidential data
📌 Explanation: Misconfigured cloud storage buckets (e.g., S3, Azure Blob, Google Cloud Storage) can lead to public data exposure.

---

131. Why should unused cloud IAM roles and users be regularly removed?

A) To prevent attackers from exploiting old accounts with lingering permissions
B) To increase cloud billing efficiency
C) To reduce cloud storage usage
D) To improve database query performance

✅ Answer: A) To prevent attackers from exploiting old accounts with lingering permissions
📌 Explanation: Unused IAM roles and user accounts are a common target for attackers who can use them for lateral movement and privilege escalation.

---

132. What is the security risk of exposing a cloud database to the public internet?

A) Attackers can perform brute-force attacks or exploit vulnerabilities
B) Faster database queries
C) Improved cloud cost efficiency
D) Enhanced network speeds

✅ Answer: A) Attackers can perform brute-force attacks or exploit vulnerabilities
📌 Explanation: Publicly accessible databases are vulnerable to credential brute-force attacks, SQL injections, and data exfiltration.

---

133. Why is it important to enable automatic backup encryption in cloud storage?

A) To prevent unauthorized access to backup data
B) To reduce API latency
C) To increase network throughput
D) To lower cloud billing costs

✅ Answer: A) To prevent unauthorized access to backup data
📌 Explanation: Without encryption, backup data can be accessed or stolen, leading to data breaches and compliance violations.

---

134. What is a common security misconfiguration in serverless cloud applications?

A) Over-permissive IAM roles assigned to functions
B) Faster execution times
C) Increased application uptime
D) Improved API response

✅ Answer: A) Over-permissive IAM roles assigned to functions
📌 Explanation: Serverless functions (e.g., AWS Lambda, Azure Functions) should follow the principle of least privilege to prevent unnecessary access to sensitive resources.

---

135. Why should cloud users regularly review security group rules?

A) To identify and remove unnecessary open ports
B) To increase network speeds
C) To improve database indexing
D) To reduce compliance requirements

✅ Answer: A) To identify and remove unnecessary open ports
📌 Explanation: Security group misconfigurations, such as open RDP or SSH ports, can expose cloud resources to external attacks.

---

136. What is the impact of failing to implement strong password policies in cloud environments?

A) Increased risk of password brute-force attacks
B) Reduced API response times
C) Improved user authentication
D) Faster login times

✅ Answer: A) Increased risk of password brute-force attacks
📌 Explanation: Weak password policies make brute-force and credential stuffing attacks easier for attackers.

---

137. Why should cloud customers enforce network segmentation?

A) To prevent attackers from moving laterally across cloud environments
B) To increase cloud billing efficiency
C) To lower API request times
D) To enhance data retrieval speeds

✅ Answer: A) To prevent attackers from moving laterally across cloud environments
📌 Explanation: Network segmentation isolates workloads and limits attack surfaces, preventing lateral movement in case of a breach.

---

138. What is the security risk of exposing cloud function logs publicly?

A) Attackers can extract sensitive data, such as API keys or credentials
B) Logs load faster
C) Improved application performance
D) Lower cloud costs

✅ Answer: A) Attackers can extract sensitive data, such as API keys or credentials
📌 Explanation: Exposed logs may contain debugging information, API keys, or error messages that attackers can exploit.

---

139. What is the recommended way to restrict public access to cloud-based databases?

A) Use private subnets and firewall rules to control access
B) Increase database query limits
C) Disable encryption to reduce processing overhead
D) Increase API rate limits

✅ Answer: A) Use private subnets and firewall rules to control access
📌 Explanation: Databases should only be accessible through controlled network configurations (e.g., VPNs, private IPs, or bastion hosts).

---

140. How can an attacker exploit weak API authentication in cloud services?

A) By sending unauthorized requests to extract sensitive data
B) By improving API response times
C) By increasing storage capacity
D) By reducing cloud costs

✅ Answer: A) By sending unauthorized requests to extract sensitive data
📌 Explanation: APIs without proper authentication controls can be accessed by attackers, leading to data breaches and service abuse.

---

141. Why should security alerts and anomaly detection be enabled in cloud environments?

A) To detect suspicious activity in real-time
B) To increase system latency
C) To improve cloud cost management
D) To disable compliance enforcement

✅ Answer: A) To detect suspicious activity in real-time
📌 Explanation: Security alerts and anomaly detection tools help detect malicious activities, unauthorized access, and misconfigurations.

---

142. What is a major risk of failing to log cloud access and events?

A) Security incidents go undetected
B) Faster query response times
C) Improved cloud billing
D) Increased API availability

✅ Answer: A) Security incidents go undetected
📌 Explanation: Without logs, security teams cannot track unauthorized access attempts or investigate security breaches.

---

143. How can attackers exploit misconfigured serverless function permissions?

A) By gaining access to unauthorized cloud services
B) By reducing function execution time
C) By improving API latency
D) By increasing cloud efficiency

✅ Answer: A) By gaining access to unauthorized cloud services
📌 Explanation: Serverless functions with excessive permissions can be exploited to access unauthorized cloud resources.

---

144. Why should expired or inactive cloud accounts be deleted?

A) To prevent unauthorized access through unused accounts
B) To improve database indexing
C) To reduce cloud storage usage
D) To increase API response times

✅ Answer: A) To prevent unauthorized access through unused accounts
📌 Explanation: Expired or inactive accounts are common attack vectors for credential stuffing or privilege escalation.

---

145. What security risk arises from using unpatched cloud service dependencies?

A) Attackers can exploit known vulnerabilities to gain access
B) Faster service execution
C) Improved API security
D) Lower data transfer costs

✅ Answer: A) Attackers can exploit known vulnerabilities to gain access
📌 Explanation: Unpatched cloud dependencies may contain vulnerabilities that attackers can use to compromise services.

---

146. How can cloud users prevent unauthorized resource modifications?

A) By implementing strict IAM role policies and access controls
B) By allowing public write permissions
C) By disabling encryption
D) By increasing API request rates

✅ Answer: A) By implementing strict IAM role policies and access controls
📌 Explanation: Access controls should enforce least privilege to prevent unauthorized modifications to cloud resources.

---

147. What is the security impact of not enforcing identity federation in cloud environments?

A) Increased risk of account compromise due to weak authentication methods
B) Faster user authentication
C) Reduced cloud billing costs
D) Improved network performance

✅ Answer: A) Increased risk of account compromise due to weak authentication methods
📌 Explanation: Identity federation provides centralized authentication, reducing the risk of compromised credentials across multiple cloud environments.

---

148. Why should cloud users avoid using default security settings for firewall configurations?

A) Default settings may allow unintended access to cloud resources
B) Faster network traffic
C) Lower API response times
D) Improved system performance

✅ Answer: A) Default settings may allow unintended access to cloud resources
📌 Explanation: Firewalls should be manually configured to enforce least privilege access and protect cloud workloads.

---

149. What is the risk of leaving cloud admin credentials stored in application configuration files?

A) Attackers can gain administrative access if they access the configuration files
B) Improved system performance
C) Reduced network traffic
D) Increased authentication speed

✅ Answer: A) Attackers can gain administrative access if they access the configuration files
📌 Explanation: Storing credentials in configuration files makes them easily accessible if the file is leaked or exposed.

---

151. Why should cloud administrators restrict access to metadata APIs?

A) To prevent attackers from retrieving IAM credentials and escalating privileges
B) To improve cloud billing efficiency
C) To speed up API request processing
D) To enhance cloud storage capacity

✅ Answer: A) To prevent attackers from retrieving IAM credentials and escalating privileges
📌 Explanation: Unprotected cloud metadata APIs can be exploited via Server-Side Request Forgery (SSRF) to retrieve IAM credentials.

---

152. What is the primary risk of not setting expiration dates on access tokens?

A) Stolen or leaked tokens can be used indefinitely
B) Faster authentication processes
C) Improved API rate limits
D) Enhanced cloud security

✅ Answer: A) Stolen or leaked tokens can be used indefinitely
📌 Explanation: Access tokens should have expiration policies to minimize the impact of a token leak.

---

153. How can attackers exploit weak security settings in cloud-based CI/CD pipelines?

A) By injecting malicious code into automated deployments
B) By improving build speed
C) By increasing cloud storage efficiency
D) By reducing cloud service costs

✅ Answer: A) By injecting malicious code into automated deployments
📌 Explanation: If security controls are weak, attackers can modify CI/CD configurations and introduce vulnerabilities.

---

154. What happens if logging is disabled for security events in a cloud environment?

A) Security incidents remain undetected
B) Increased network speed
C) Lower cloud storage usage
D) Faster cloud deployments

✅ Answer: A) Security incidents remain undetected
📌 Explanation: Without security logging, unauthorized activities cannot be detected, making it easier for attackers to remain hidden.

---

155. Why should cloud storage permissions be regularly reviewed?

A) To identify and remove overly permissive access that could lead to data exposure
B) To improve cloud billing efficiency
C) To increase API performance
D) To enhance network latency

✅ Answer: A) To identify and remove overly permissive access that could lead to data exposure
📌 Explanation: Storage misconfigurations are a leading cause of cloud data breaches due to overly permissive access settings.

---

156. What security risk arises from allowing cloud instances to run with root privileges?

A) Attackers can take full control of the system if compromised
B) Reduced network bandwidth
C) Faster system performance
D) Lower API response times

✅ Answer: A) Attackers can take full control of the system if compromised
📌 Explanation: Running cloud instances with root privileges increases the impact of an attack, as attackers can modify system configurations.

---

157. Why should firewall rules be configured to allow only necessary traffic?

A) To prevent unauthorized network access and reduce attack surfaces
B) To improve application response time
C) To increase data transfer speeds
D) To enhance compliance logging

✅ Answer: A) To prevent unauthorized network access and reduce attack surfaces
📌 Explanation: Restricting firewall rules ensures that only legitimate traffic can reach cloud services, reducing the risk of exploitation.

---

158. What is the risk of exposing an unsecured cloud-based load balancer to the internet?

A) Attackers can perform Distributed Denial-of-Service (DDoS) attacks
B) Increased network efficiency
C) Faster request processing
D) Reduced security alerts

✅ Answer: A) Attackers can perform Distributed Denial-of-Service (DDoS) attacks
📌 Explanation: Publicly exposed load balancers can become targets for DDoS attacks, overwhelming cloud resources.

---

159. What is the best practice for securing API keys in cloud applications?

A) Store them in a secrets manager or environment variables
B) Hardcode them in source code for easy access
C) Share them with all developers
D) Store them in plaintext inside a database

✅ Answer: A) Store them in a secrets manager or environment variables
📌 Explanation: Secrets management tools prevent accidental leaks of API keys and other credentials.

---

160. Why should cloud users avoid using default security configurations?

A) Default settings may expose resources to unnecessary security risks
B) They improve cloud service performance
C) They increase compliance scores
D) They reduce network latency

✅ Answer: A) Default settings may expose resources to unnecessary security risks
📌 Explanation: Cloud service providers prioritize usability, but users must manually configure security controls.

---

161. What is the primary risk of not implementing cloud security monitoring?

A) Cyberattacks and misconfigurations go undetected
B) Faster system updates
C) Reduced storage costs
D) Improved API response times

✅ Answer: A) Cyberattacks and misconfigurations go undetected
📌 Explanation: Security monitoring is essential for detecting unauthorized access and potential security breaches.

---

162. What is the impact of allowing unrestricted SSH access to cloud virtual machines?

A) Increased risk of brute-force attacks and unauthorized access
B) Faster login times
C) Improved server uptime
D) Lower cloud billing

✅ Answer: A) Increased risk of brute-force attacks and unauthorized access
📌 Explanation: Unrestricted SSH (port 22 open to 0.0.0.0/0) exposes cloud instances to attacks.

---

163. What happens if role-based access control (RBAC) is not enforced in cloud environments?

A) Unauthorized users may gain access to sensitive data or services
B) Increased storage performance
C) Reduced API response times
D) Enhanced network speeds

✅ Answer: A) Unauthorized users may gain access to sensitive data or services
📌 Explanation: RBAC ensures users only have permissions relevant to their job functions.

---

164. Why should security teams use cloud workload protection platforms (CWPP)?

A) To detect and mitigate misconfigurations, malware, and runtime threats
B) To increase API request rates
C) To improve authentication response times
D) To lower cloud storage costs

✅ Answer: A) To detect and mitigate misconfigurations, malware, and runtime threats
📌 Explanation: CWPP tools help secure cloud workloads from misconfigurations, unauthorized access, and runtime threats.

---

165. What security issue can result from not restricting database queries in cloud applications?

A) Attackers can execute SQL Injection attacks
B) Faster query execution
C) Reduced database storage usage
D) Improved API performance

✅ Answer: A) Attackers can execute SQL Injection attacks
📌 Explanation: Failing to validate and restrict database queries leaves applications vulnerable to SQL Injection.

---

166. What is the impact of failing to enforce multi-factor authentication (MFA) on privileged cloud accounts?

A) Increased risk of credential-based attacks
B) Faster authentication speeds
C) Reduced security alerts
D) Improved network efficiency

✅ Answer: A) Increased risk of credential-based attacks
📌 Explanation: Without MFA, attackers can use stolen credentials to gain unauthorized access to privileged accounts.

---

167. What is the best way to prevent API abuse in cloud applications?

A) Implement API rate limiting and authentication mechanisms
B) Disable all API access
C) Increase database request limits
D) Allow anonymous API requests

✅ Answer: A) Implement API rate limiting and authentication mechanisms
📌 Explanation: Rate limiting prevents excessive API requests, while authentication ensures only authorized users can access the API.

---

168. What is the risk of using weak encryption algorithms in cloud applications?

A) Attackers can decrypt sensitive data using brute-force methods
B) Faster encryption processes
C) Lower storage costs
D) Reduced network congestion

✅ Answer: A) Attackers can decrypt sensitive data using brute-force methods
📌 Explanation: Weak encryption algorithms are vulnerable to attacks, allowing attackers to decrypt data.

---

169. What is the impact of not restricting administrative privileges on cloud storage?

A) Unauthorized users may modify or delete critical data
B) Faster data retrieval speeds
C) Reduced cloud costs
D) Improved compliance

✅ Answer: A) Unauthorized users may modify or delete critical data
📌 Explanation: Over-permissive administrative privileges can allow accidental or malicious data modifications or deletions.

---

170. Why should cloud users avoid using deprecated security protocols (e.g., TLS 1.0, SSL 3.0)?

A) These protocols have known vulnerabilities that attackers can exploit
B) They increase network latency
C) They reduce cloud billing costs
D) They improve API performance

✅ Answer: A) These protocols have known vulnerabilities that attackers can exploit
📌 Explanation: Deprecated security protocols contain cryptographic weaknesses that make them susceptible to attacks, such as downgrade or man-in-the-middle (MitM) attacks.

---

171. What is the best way to prevent unauthorized API key usage in cloud environments?

A) Implement API key rotation and usage monitoring
B) Hardcode API keys in source code for faster access
C) Store API keys in publicly accessible files
D) Share API keys with all team members

✅ Answer: A) Implement API key rotation and usage monitoring
📌 Explanation: Regular API key rotation and monitoring help prevent unauthorized access and key abuse.

---

172. What security risk arises from failing to encrypt backups in cloud environments?

A) Unencrypted backups can be accessed by attackers if leaked or exposed
B) Improved system performance
C) Reduced storage requirements
D) Increased API response times

✅ Answer: A) Unencrypted backups can be accessed by attackers if leaked or exposed
📌 Explanation: Unencrypted backups are a prime target for attackers, leading to data breaches and compliance violations.

---

173. Why is it important to enable audit logging for cloud IAM changes?

A) To track and detect unauthorized access or privilege escalation attempts
B) To improve cloud billing efficiency
C) To reduce API response times
D) To increase network speed

✅ Answer: A) To track and detect unauthorized access or privilege escalation attempts
📌 Explanation: Audit logs help security teams identify unauthorized access attempts and privilege escalations in real-time.

---

174. What is a common risk of using cloud storage with publicly writable access?

A) Attackers can upload malicious files or overwrite critical data
B) Reduced cloud costs
C) Faster data retrieval times
D) Improved network performance

✅ Answer: A) Attackers can upload malicious files or overwrite critical data
📌 Explanation: Publicly writable cloud storage can be exploited by attackers to store malware, launch phishing attacks, or overwrite existing data.

---

175. Why should cloud customers disable unused cloud services?

A) To reduce attack surfaces and minimize security risks
B) To increase cloud billing costs
C) To improve API response times
D) To increase network congestion

✅ Answer: A) To reduce attack surfaces and minimize security risks
📌 Explanation: Unused cloud services can be exploited by attackers if left enabled with default configurations.

---

176. What happens if security groups allow unrestricted inbound RDP access (port 3389)?

A) The system becomes vulnerable to brute-force attacks
B) Improved system performance
C) Reduced API request times
D) Increased compliance with security policies

✅ Answer: A) The system becomes vulnerable to brute-force attacks
📌 Explanation: Allowing unrestricted RDP access (0.0.0.0/0) exposes cloud servers to brute-force attacks and unauthorized access.

---

177. Why should cloud users implement network access control lists (ACLs)?

A) To restrict network traffic and prevent unauthorized access
B) To increase API response times
C) To improve database indexing
D) To reduce security alerts

✅ Answer: A) To restrict network traffic and prevent unauthorized access
📌 Explanation: Network ACLs help enforce security policies by restricting inbound and outbound traffic at a subnet level.

---

178. What risk is introduced when cloud administrators use personal email accounts for cloud account registration?

A) Increased risk of phishing attacks and account takeovers
B) Improved authentication speeds
C) Reduced cloud costs
D) Increased cloud service performance

✅ Answer: A) Increased risk of phishing attacks and account takeovers
📌 Explanation: Using personal email accounts for cloud registration increases the likelihood of phishing-based account compromise.

---

179. What security risk arises from failing to configure proper data retention policies?

A) Sensitive data may be stored indefinitely and become a target for attackers
B) Reduced cloud storage costs
C) Improved network performance
D) Faster database queries

✅ Answer: A) Sensitive data may be stored indefinitely and become a target for attackers
📌 Explanation: Without proper retention policies, old or sensitive data may be unnecessarily retained and become vulnerable to breaches.

---

180. Why is it important to use time-based access controls for temporary cloud credentials?

A) To ensure credentials expire after a defined period and reduce security risks
B) To speed up authentication requests
C) To improve cloud storage performance
D) To reduce API latency

✅ Answer: A) To ensure credentials expire after a defined period and reduce security risks
📌 Explanation: Time-based access controls prevent the long-term exposure of temporary credentials.

---

181. What is the risk of allowing unrestricted outbound SMTP (port 25) traffic in cloud environments?

A) Attackers can use cloud resources to send spam or launch phishing campaigns
B) Faster email processing
C) Reduced storage costs
D) Improved cloud performance

✅ Answer: A) Attackers can use cloud resources to send spam or launch phishing campaigns
📌 Explanation: Unrestricted SMTP traffic can be abused by attackers to send spam emails from compromised cloud instances.

---

182. How can cloud users mitigate risks associated with third-party integrations?

A) By applying least privilege access and monitoring API usage
B) By enabling unrestricted API access
C) By disabling security alerts
D) By allowing full administrative access

✅ Answer: A) By applying least privilege access and monitoring API usage
📌 Explanation: Third-party integrations should follow the principle of least privilege to reduce risks associated with unauthorized access.

---

183. What is a major risk of not monitoring IAM user activity in cloud environments?

A) Unauthorized access attempts can go undetected
B) Increased API performance
C) Improved compliance auditing
D) Reduced cloud storage usage

✅ Answer: A) Unauthorized access attempts can go undetected
📌 Explanation: Without IAM activity monitoring, unauthorized actions or privilege escalation attempts may go unnoticed.

---

184. What risk arises from using publicly available machine images in cloud deployments?

A) They may contain embedded malware or vulnerabilities
B) Reduced instance launch times
C) Increased system efficiency
D) Faster application deployment

✅ Answer: A) They may contain embedded malware or vulnerabilities
📌 Explanation: Public machine images should be carefully vetted to ensure they do not contain malicious software or misconfigurations.

---

185. Why should cloud environments use automated remediation for security incidents?

A) To respond to threats faster and mitigate misconfigurations before exploitation
B) To increase cloud billing efficiency
C) To reduce security alerts
D) To enhance database performance

✅ Answer: A) To respond to threats faster and mitigate misconfigurations before exploitation
📌 Explanation: Automated remediation helps security teams respond to misconfigurations and threats in real time.

---

186. What is a security risk of leaving cloud storage buckets without versioning enabled?

A) Accidental or malicious deletions cannot be recovered
B) Improved API response time
C) Reduced cloud billing
D) Faster data access

✅ Answer: A) Accidental or malicious deletions cannot be recovered
📌 Explanation: Without versioning, critical files that are deleted or modified accidentally or maliciously cannot be restored.

---

187. What risk is introduced by allowing unrestricted outbound DNS traffic in a cloud environment?

A) Attackers can use DNS tunneling to exfiltrate sensitive data
B) Increased cloud storage efficiency
C) Reduced database query latency
D) Improved network speed

✅ Answer: A) Attackers can use DNS tunneling to exfiltrate sensitive data
📌 Explanation: Unrestricted outbound DNS traffic can be exploited to send data outside the network using covert channels.

---

188. Why should cloud accounts use hardware security modules (HSMs) for key management?

A) To securely store and manage encryption keys, preventing unauthorized access
B) To improve database query speeds
C) To reduce cloud computing costs
D) To increase API request rates

✅ Answer: A) To securely store and manage encryption keys, preventing unauthorized access
📌 Explanation: HSMs provide highly secure, tamper-resistant environments for managing encryption keys, reducing exposure to breaches.

---

189. What is the risk of using default virtual machine (VM) images without hardening?

A) They may contain security vulnerabilities and misconfigurations
B) They increase application performance
C) They reduce cloud costs
D) They improve system efficiency

✅ Answer: A) They may contain security vulnerabilities and misconfigurations
📌 Explanation: Default VM images often include unnecessary services, outdated packages, and default credentials, increasing security risks.

---

190. What is a common risk of exposing cloud databases without IP restrictions?

A) Attackers can launch brute-force attacks and unauthorized queries
B) Improved system response time
C) Reduced data redundancy
D) Faster API authentication

✅ Answer: A) Attackers can launch brute-force attacks and unauthorized queries
📌 Explanation: Databases without IP restrictions are accessible to the public and can be exploited by attackers using brute-force and injection attacks.

---

191. Why should organizations avoid using wildcard (*) certificates for securing cloud applications?

A) If compromised, all subdomains are at risk
B) They improve encryption speed
C) They reduce cloud billing costs
D) They enhance API performance

✅ Answer: A) If compromised, all subdomains are at risk
📌 Explanation: Wildcard certificates secure multiple subdomains, but if an attacker gains access to one, all related domains become vulnerable.

---

192. What is the best way to secure cloud-based NoSQL databases from unauthorized access?

A) Implement authentication, access controls, and network restrictions
B) Allow open public access for improved performance
C) Disable database logging
D) Use weak password policies

✅ Answer: A) Implement authentication, access controls, and network restrictions
📌 Explanation: NoSQL databases (e.g., MongoDB, Firebase) should be secured with authentication, role-based access control, and private networking.

---

193. How can an attacker exploit unrestricted cross-account access in cloud environments?

A) By using excessive privileges to access and manipulate resources in another account
B) By reducing API response times
C) By increasing cloud storage efficiency
D) By lowering encryption overhead

✅ Answer: A) By using excessive privileges to access and manipulate resources in another account
📌 Explanation: Poorly configured cross-account permissions can allow attackers to access and exploit another organization’s cloud resources.

---

194. What is the impact of failing to revoke temporary credentials after their intended use?

A) Attackers can use them for unauthorized access if compromised
B) Reduced security alert notifications
C) Improved authentication processing
D) Increased database query speeds

✅ Answer: A) Attackers can use them for unauthorized access if compromised
📌 Explanation: Temporary credentials should be revoked after use to limit the risk of unauthorized access if exposed.

---

195. Why should organizations enforce time-based access controls for privileged cloud accounts?

A) To limit access duration and reduce attack windows
B) To improve cloud billing efficiency
C) To increase API request throughput
D) To reduce logging requirements

✅ Answer: A) To limit access duration and reduce attack windows
📌 Explanation: Time-based access ensures privileged accounts have only temporary access, minimizing security risks.

---

196. How can a cloud misconfiguration lead to business email compromise (BEC) attacks?

A) By exposing email server credentials or allowing email spoofing
B) By increasing email delivery speeds
C) By reducing cloud security alerts
D) By improving email encryption

✅ Answer: A) By exposing email server credentials or allowing email spoofing
📌 Explanation: Misconfigured email services can be exploited to send fraudulent emails that appear to come from legitimate sources.

---

197. What risk is introduced by allowing public access to a cloud message queue service?

A) Attackers can send malicious messages, causing disruptions
B) Reduced cloud costs
C) Faster message processing
D) Improved API response times

✅ Answer: A) Attackers can send malicious messages, causing disruptions
📌 Explanation: Publicly accessible message queues (e.g., AWS SQS, RabbitMQ) can be abused to flood the system with spam or malicious payloads.

---

198. What security control helps detect misconfigurations in cloud resources before deployment?

A) Policy-as-Code (PaC) tools and security automation
B) Disabling all security logs
C) Allowing unrestricted access to developers
D) Using only default cloud security settings

✅ Answer: A) Policy-as-Code (PaC) tools and security automation
📌 Explanation: PaC tools (e.g., Open Policy Agent, Terraform Sentinel) help enforce security policies before cloud resources are deployed.

---

199. Why should organizations implement a centralized identity provider (IdP) for cloud access?

A) To enforce consistent authentication policies across all cloud resources
B) To improve API request speeds
C) To lower encryption overhead
D) To reduce cloud storage costs

✅ Answer: A) To enforce consistent authentication policies across all cloud resources
📌 Explanation: A centralized IdP ensures standardized authentication and authorization controls across multi-cloud environments.

---

200. What risk is introduced by allowing unlimited inbound ICMP traffic in a cloud network?

A) Attackers can perform network reconnaissance and DDoS amplification attacks
B) Reduced cloud billing
C) Faster network response times
D) Improved system performance

✅ Answer: A) Attackers can perform network reconnaissance and DDoS amplification attacks
📌 Explanation: Allowing unrestricted ICMP (ping) traffic enables attackers to map network topology and launch reflection-based DDoS attacks.