Prepare for CompTIA Cloud+ (CV0-004) with free sample questions, a full-length diagnostic, topic drills, timed practice, cloud architecture, deployment, operations, security, DevOps fundamentals, troubleshooting scenarios, and detailed explanations in IT Mastery.
CompTIA Cloud+ (CV0-004) is CompTIA’s vendor-neutral cloud-infrastructure route for candidates who work across cloud architecture, deployment, operations, security, DevOps fundamentals, and troubleshooting.
IT Mastery practice for Cloud+ CV0-004 is live now. Use this page to start the web simulator, review the exam snapshot, work through 24 public sample questions, and continue into full IT Mastery practice with the same IT Mastery account on web, iOS, iPadOS, macOS, or Android.
Start a practice session for CompTIA Cloud+ (CV0-004) below, or open the full app in a new tab. For the best experience, open the full app in a new tab and navigate with swipes/gestures or the mouse wheel—just like on your phone or tablet.
Open Full App in a New TabA small set of questions is available for free preview. Subscribers can unlock full access by signing in with the same app-family account they use on web and mobile.
Prefer to practice on your phone or tablet? Download the IT Mastery – AWS, Azure, GCP & CompTIA exam prep app for iOS or IT Mastery app on Google Play (Android) and use the same IT Mastery account across web and mobile.
Free diagnostic: Try the 90-question CompTIA Cloud+ full-length practice exam before subscribing. Use it to separate misses around architecture, deployment, operations, security, DevOps fundamentals, and cloud troubleshooting.
Cloud+ questions usually reward the option that keeps cloud infrastructure secure, recoverable, observable, automated, and operationally realistic across more than one platform.
| Domain | Weight |
|---|---|
| Cloud architecture | 23% |
| Deployment | 19% |
| Operations | 17% |
| Security | 19% |
| DevOps fundamentals | 10% |
| Troubleshooting | 12% |
Cloud+ questions usually reward operationally realistic choices that work across vendor platforms.
| Scenario signal | First check | Strong answer usually… | Weak answer usually… |
|---|---|---|---|
| A workload must be resilient | Availability and recovery objective | Chooses redundancy, backups, replication, failover, and testing that match RTO/RPO | Adds capacity without recovery design |
| Costs increase unexpectedly | Utilization and commitment model | Checks rightsizing, autoscaling, storage tier, reserved/spot fit, and idle resources | Turns off monitoring or removes redundancy blindly |
| Deployment fails repeatedly | Pipeline, image, config, and dependency path | Checks IaC/templates, versioning, permissions, dependencies, and rollback | Manually changes production to get unstuck |
| A cloud account is over-permissioned | IAM and least privilege | Applies scoped roles, MFA, secrets control, and audit logging | Shares admin credentials temporarily |
| Observability is weak | Logs, metrics, traces, and alerts | Defines signals and thresholds tied to service health | Waits for users to report outages |
| A multi-cloud choice is proposed | Portability and operational burden | Balances resilience, compliance, skills, cost, tooling, and data movement | Chooses multi-cloud because it sounds safer |
| Domain | What the exam tests | What IT Mastery practice should force | Common trap |
|---|---|---|---|
| Cloud architecture | Whether you can design for availability, scalability, resiliency, and cost | Tie architecture to workload requirements | Choosing maximum redundancy without trade-off |
| Deployment | Whether builds, templates, images, CI/CD, and rollout controls are understood | Prefer repeatable, versioned, rollback-ready deployment | Making manual production fixes |
| Operations | Whether monitoring, backup, capacity, lifecycle, and continuity are practical | Connect operations to service reliability | Treating cloud as self-managing |
| Security | Whether IAM, data protection, secrets, network controls, and compliance are applied | Enforce least privilege and evidence | Over-permissioning for convenience |
| DevOps fundamentals | Whether automation supports safe delivery | Use automation with validation and control | Automating an unsafe process |
| Troubleshooting | Whether cloud symptoms are isolated across app, network, IAM, and platform layers | Diagnose dependencies before remediation | Blaming the provider first |
| Timing | Practice focus | What to review after the set |
|---|---|---|
| Days 7-5 | One 90-question diagnostic plus drills in weak Cloud+ domains | Whether misses came from architecture, deployment, operations, security, DevOps, or troubleshooting |
| Days 4-3 | Mixed cloud operations and troubleshooting scenarios | Whether you can explain the reliability, security, cost, or automation trade-off |
| Days 2-1 | Light review of IAM, backup/DR, monitoring, autoscaling, IaC, deployment rollback, and shared responsibility | Only recurring traps; avoid diving into one vendor’s proprietary details |
| Exam day | Short warm-up if useful | Choose the vendor-neutral cloud action that is secure, observable, recoverable, and practical |
If you can score above 75% on several unseen mixed attempts and explain the cloud trade-off behind each miss, you are likely ready. Repeating familiar cloud scenarios can overtrain pattern recognition; the useful skill is deciding from requirements, constraints, and operational evidence.
Use these child pages when you want focused IT Mastery practice before returning to mixed sets and timed mocks.
Need concept review first? Read the CompTIA Cloud+ CV0-004 Cheat Sheet on Tech Exam Lexicon, then return here for timed mocks, topic drills, and full IT Mastery practice.
These are original IT Mastery practice questions aligned to Cloud+ architecture, deployment, security, operations, troubleshooting, and cloud service-management decisions. They are not CompTIA exam questions and are not copied from any exam sponsor. Use them to check readiness here, then continue in IT Mastery with mixed sets, topic drills, and timed mocks.
Topic: Domain 2: Deployment
A company is preparing runbooks for two deployment migrations:
Which TWO migration paths match the source and target environments? (Select TWO.)
Best answer: A
Explanation: Migration path selection is based on where the workload starts and where it is going. The VM-based inventory application moves from an on-premises data center to public cloud IaaS, while the static web application moves from one cloud provider to another. The core concept is matching the migration path to the source and target environments. A workload that begins in a private data center and is moved into public cloud infrastructure is an on-premises-to-cloud migration. A workload that already runs in one cloud environment and is moved to another cloud environment is a cloud-to-cloud migration. The service type, such as VM, object storage, or CDN, helps describe the implementation, but it does not change the basic migration path. The closest traps reverse the direction or misidentify the source environment.
Topic: Domain 5: DevOps Fundamentals
A team deploys a containerized web application to test, staging, and production. Recent releases failed because engineers ran different build commands and manually changed environment settings before each deployment. Which approach BEST uses automation to improve CI/CD pipeline consistency and repeatability?
Best answer: C
Explanation: Automation improves CI/CD consistency by codifying the steps that build, test, provision, and deploy an application. Keeping pipeline and IaC definitions in version control makes those steps repeatable, reviewable, and reusable across environments. The core concept is pipeline automation as code. When CI/CD stages and infrastructure configuration are stored in version control, each run uses the same defined process instead of relying on memory or local engineer habits. This reduces configuration drift, makes changes auditable, and supports repeatable deployments to test, staging, and production. It also allows teams to roll back or review pipeline changes like application code. Manual deployment steps may still require approvals, but they should not be the main mechanism for ensuring repeatability. The key takeaway is that automation makes the deployment process deterministic and consistent across runs.
Topic: Domain 1: Cloud Architecture
A team is containerizing a document-processing application. The application writes uploaded files to /app/uploads, and those files must remain available if a container is restarted, rescheduled to another host in the cluster, or replaced during an image update. Which implementation best meets this requirement?
/app/uploadsBest answer: A
Explanation: Container writable layers are ephemeral and tied to a specific container instance. Mounting a persistent volume at the upload path keeps application data outside the container, allowing it to survive restarts, replacements, and rescheduling. The core concept is separating persistent application data from the container lifecycle. Containers are designed to be replaceable, so data written only inside the container’s writable layer can be lost when the container is removed or recreated. A persistent volume provides durable storage that can be mounted into the container at the path the application already uses, such as /app/uploads. This allows new or restarted container instances to access the same data without changing the image. Restart policies can improve availability, but they do not make container-local data durable. The key takeaway is to use persistent volumes for state that must survive container replacement.
Topic: Domain 3: Operations
A cloud operations team is preparing to update the base image for a group of production VMs that host a customer-facing application. The service has strict uptime requirements, and management wants confidence that the change can be reversed quickly if errors appear after rollout. Which action best manages this lifecycle change before production deployment?
Best answer: C
Explanation: Lifecycle changes such as base image updates should be tested before production when uptime and rollback confidence are required. A production-like validation environment plus an explicit rollback test confirms both the change behavior and the recovery path. The core concept is pre-production lifecycle validation. For an operational change that can affect availability, the team should use a staging or test environment that closely matches production, run functional or smoke tests, and verify that rollback to the prior image or snapshot works within expectations. This reduces the chance of discovering compatibility, performance, or recovery issues only after users are impacted. A maintenance window, monitoring change, or longer backup retention can support operations, but none of them proves the updated image is safe or that rollback works quickly. The key takeaway is to test both the change and the recovery mechanism before production rollout.
Topic: Domain 6: Troubleshooting
A cloud team reruns an IaC deployment artifact to recreate a staging environment after decommissioning old resources. The pipeline fails during validation with: Unsupported component definition: load_balancer.backendPool is deprecated; use targetGroups with schemaVersion 2024-02 or later. The artifact has not been updated in over a year. Which action best resolves the deployment issue while preserving repeatability?
Best answer: D
Explanation: The validation error identifies an outdated deployment artifact, not a transient operations issue. Updating the IaC schema and replacing deprecated fields preserves repeatability and aligns the artifact with the currently supported cloud deployment API. Deployment artifacts such as IaC templates, modules, and configuration files must be maintained as provider-neutral schemas, APIs, and component definitions evolve. In this scenario, validation fails before provisioning because the artifact still uses a deprecated load balancer field. The best operational response is to update the artifact to the supported schema, replace the deprecated component definition, validate it, and redeploy through the pipeline. This keeps the environment reproducible and avoids configuration drift. Manual console changes may work temporarily, but they bypass the source-controlled artifact and can cause future deployments to fail again.
Topic: Domain 4: Security
A healthcare company stores patient records in a cloud file repository. Compliance requires the company to prevent users from emailing, downloading, or sharing files that contain regulated patient identifiers outside approved domains. Which security control should the cloud administrator implement?
Best answer: B
Explanation: Data loss prevention is the right control when the requirement is to stop sensitive information from leaving approved locations or channels. In this scenario, the key need is preventing unauthorized disclosure or movement of patient identifiers, not blocking attacks against a network or application endpoint. DLP focuses on identifying sensitive data, such as regulated identifiers, and enforcing policies that prevent unauthorized transmission, sharing, copying, or downloading. In cloud environments, DLP can inspect content and metadata across SaaS, storage, endpoints, email, and collaboration tools, then allow, quarantine, encrypt, alert, or block based on policy. This directly matches a compliance requirement to prevent patient records from being shared outside approved domains. Network and application security controls may reduce attack exposure, but they do not primarily classify sensitive content and stop data exfiltration through user actions.
Topic: Domain 2: Deployment
A company needs to move an aging three-tier business application from an on-premises virtualization cluster to the cloud before the data center lease expires. The application uses fixed OS versions, local configuration files, and a self-managed database. The business requires the fastest migration with minimal application code or database schema changes. Which migration approach best fits these requirements?
Best answer: A
Explanation: Rehost, often called lift and shift, is the best fit when the priority is moving quickly with minimal application change. It keeps the workload architecture largely intact while placing it on cloud infrastructure such as virtual machines. The core concept is matching the migration strategy to the amount of change the workload can tolerate. In this scenario, the application depends on fixed OS versions, local configuration files, and a self-managed database, and the business wants the fastest move before a lease deadline. Rehosting preserves the existing application stack and moves it to cloud IaaS with little or no code or schema change. It may not fully optimize cost or cloud-native capabilities immediately, but it reduces migration risk and time compared with redesigning or replacing the application. Refactoring or replacing can provide long-term benefits, but those approaches require more application change and planning than the stated requirement allows.
Topic: Domain 5: DevOps Fundamentals
A company is migrating an order platform from a private cloud monolith to public cloud microservices. During the transition, order status updates must be delivered asynchronously, services must remain loosely coupled, and cloud services must not directly access the monolith’s database. Which proposed integration pattern should the team reject?
Best answer: D
Explanation: The rejected pattern is direct database integration from the new microservices to the monolith. It conflicts with the requirements for asynchronous communication, loose coupling, and no direct database access. System integration patterns must match the coupling, communication, and data ownership requirements. In this migration, the cloud microservices should receive order status changes through an asynchronous interface, such as events or queues, rather than depending on the monolith’s internal database schema. Direct database access couples services to tables, permissions, and schema changes owned by another application, making migration and versioning harder. The key takeaway is to integrate through owned interfaces or events when loose coupling is required.
Topic: Domain 1: Cloud Architecture
A company is migrating a customer portal to a public cloud. The application servers will run 24x7, have predictable utilization, and are expected to remain at the same capacity for at least three years. The workload does not require physical host isolation or bring-your-own-license placement, and instances must not be interrupted. Which billing model should the cloud engineer recommend?
Best answer: B
Explanation: Reserved resources are best for predictable, continuously running workloads with a known capacity commitment. The stem rules out host isolation and interruption tolerance, making a reservation more cost-effective than pay-as-you-go while avoiding spot-instance risk. The core concept is matching the billing model to workload predictability and constraints. A reserved resource provides discounted pricing in exchange for committing to a term or capacity level, which fits servers running 24x7 for several years. Dedicated hosts are mainly justified when the organization needs physical host isolation, specific licensing placement, or compliance-driven tenancy controls. Pay-as-you-go is flexible but usually costs more for stable long-term use. Spot instances can be cheaper, but they are interruptible and unsuitable when the application must remain continuously available.
Topic: Domain 3: Operations
A company is migrating a customer order application to a public cloud. The database must lose no more than 15 minutes of committed transactions, and service must resume within 1 hour after a regional outage. The business also wants to avoid paying for a fully active duplicate environment. Which backup and recovery approach BEST meets these requirements?
Best answer: B
Explanation: RPO defines acceptable data loss, while RTO defines acceptable recovery time. Continuous replication to a warm standby is the best fit because it limits data loss to minutes and enables faster recovery than restoring backups from scratch. The core concept is matching recovery design to RTO and RPO. A 15-minute RPO requires frequent or continuous protection of committed transactions; nightly or manual backups would allow too much data loss. A 1-hour RTO requires a recovery target that is already partially prepared, such as a warm standby with replicated data and deployable application components. This avoids the cost of a fully active duplicate site while still recovering faster than a cold restore. The key takeaway is that tighter RPO and RTO targets usually require replication and pre-provisioned recovery capacity, not only periodic backups.
Topic: Domain 6: Troubleshooting
A cloud engineer is reviewing a security ticket for a PaaS database console. The user successfully signs in through SSO with MFA, but an attempt to export a backup returns 403 AccessDenied. Audit logs show the user’s role lacks the database.backupExport permission, and no backup was created. Which security issue classification BEST matches these symptoms?
Best answer: C
Explanation: This is an authorization failure because the user authenticated successfully but was denied a specific permission. The 403 AccessDenied result and missing role permission point to an access control decision, not a sign-in problem or a successful breach. Authentication verifies identity, while authorization determines what an authenticated identity can do. In this scenario, SSO and MFA succeeded, so the cloud platform knows who the user is. The failed backup export occurs because the assigned role does not include the required permission, and the audit log shows the action was blocked. A 403 AccessDenied response commonly indicates that the request was understood but not allowed by policy. The key takeaway is to separate identity proof from permission enforcement when interpreting cloud security symptoms.
Topic: Domain 4: Security
A security engineer reviews firewall and security group rules for a public web application. The architecture standard states that only the load balancer should accept internet traffic, application instances must be administered through a bastion subnet, and the database must remain private. Which finding is an unnecessary open port exposure requiring review or remediation?
Best answer: B
Explanation: The exposed administrative port is the key security finding. Because the standard requires administration through a bastion subnet, allowing SSH directly from the internet to application instances is unnecessary and should be reviewed or remediated. Unnecessary open ports increase the attack surface and often violate hardening baselines, CIS-style benchmarks, and Zero Trust principles. In this scenario, public access should terminate only at the load balancer. Administrative access to application instances should be restricted to the bastion subnet, and database access should be limited to the application subnet. Internet-facing SSH on the application tier creates avoidable exposure for brute-force attempts, credential attacks, and unauthorized management access. The key takeaway is to compare open ports against the approved network path and remove or restrict anything not required for the workload.
Topic: Domain 2: Deployment
A cloud engineer is provisioning a worker pool by using IaC variables. The requirements are: exactly three VMs, one per availability zone; at least 24 total vCPU and 96 GiB total RAM; estimated compute cost no more than 1,000 USD per month; and no unnecessary overprovisioning.
Available sizes:
Which variable set should be used?
instance_count = 3, size = mediuminstance_count = 3, size = xlargeinstance_count = 6, size = mediuminstance_count = 3, size = largeBest answer: D
Explanation: The large size is the smallest VM size that satisfies the total CPU and memory requirements with exactly three instances. It also stays within the monthly cost limit, avoiding both underprovisioning and unnecessary overprovisioning. Provisioning from requirements means matching the stated capacity, placement, and cost constraints without adding excess resources. With exactly three VMs required, each VM must contribute enough capacity so the total reaches at least 24 vCPU and 96 GiB RAM. Three large VMs provide 8 vCPU and 32 GiB each, totaling 24 vCPU and 96 GiB, and the monthly cost is 3 × 300 = 900 USD. That meets the budget and avoids the extra capacity and cost of xlarge instances. The key takeaway is to size resources against all constraints, not just one metric such as cost or CPU.
Topic: Domain 5: DevOps Fundamentals
A team deployed a new checkout integration that must keep order processing loosely coupled from inventory, billing, and shipping. After deployment, checkout latency spikes and orders fail whenever the shipping service is slow. Logs show the order service making synchronous HTTP calls to each downstream service before returning a response.
What is the best next fix?
Best answer: D
Explanation: The stated requirement is loose coupling, but the symptom shows synchronous downstream calls blocking checkout. Publishing events through a broker or pub/sub pattern lets each consumer process independently without making checkout depend on shipping latency. The core concept is matching the integration pattern to the coupling and communication requirement. Synchronous REST or RPC-style calls are appropriate when the caller needs an immediate response from the callee, but they create runtime coupling: slow or unavailable downstream services can make the caller fail. For a checkout workflow that only needs to notify inventory, billing, and shipping, an asynchronous message broker or pub/sub event pattern is a better fit because producers and consumers do not need to be available at the same time. The key takeaway is to avoid synchronous request/response integration when the requirement is loosely coupled fan-out communication.
Topic: Domain 1: Cloud Architecture
A healthcare company is hardening its private cloud virtualization cluster for a regulated database application. The VM disks must be accessible from multiple hypervisor hosts for HA failover and live migration, and the database requires low-latency block-level storage. Encryption and access controls will be centrally managed on the storage platform. Which storage architecture is the best fit?
Best answer: D
Explanation: The key requirement is shared block-level storage for a virtualization cluster. A SAN can present shared LUNs to multiple hypervisors while supporting centralized controls, making it the best match for HA failover and live migration of database VMs. SAN storage is commonly used for virtualization workloads that need block-level access, consistent performance, and shared availability across multiple hosts. In this scenario, local storage would tie VM disks to a single hypervisor, limiting failover and migration. NAS can provide shared file access, but the stated workload specifically requires block storage for database VM disks. Centralized encryption and access controls can be applied on enterprise SAN platforms without sacrificing the access model required by the cluster. The deciding factor is the combination of shared host access and block-level VM storage.
Topic: Domain 3: Operations
A cloud team is planning lifecycle changes for a production PaaS database used by a highly available web application. The change policy defines a minor update as a low-risk, backward-compatible change that needs only targeted validation. A major update may affect compatibility, data format, topology, or rollback and requires staging and regression testing. Which planned change should be classified as a major update?
Best answer: A
Explanation: The major-version database upgrade is the highest-risk lifecycle change because it can introduce compatibility and data-format changes. It should be validated in staging with regression testing before production rollout. Major and minor updates are distinguished by change risk and testing scope. Minor updates are usually backward-compatible operational changes, such as patching within the same version, adjusting retention, or rotating a certificate with a planned process. A major update changes a core platform component or behavior and can affect application drivers, SQL compatibility, stored procedures, data format, backup/restore behavior, or rollback plans. In this scenario, upgrading the database engine across major versions is the only change that clearly crosses that risk boundary and requires staging validation plus broader regression testing. The key takeaway is to classify updates by potential production impact, not just by how common the task is.
Topic: Domain 6: Troubleshooting
During a blue-green migration of a web application, a cloud engineer signs in through SSO with MFA and runs an IaC plan against the new environment. The identity provider shows a successful login, but the deployment fails with 403: not permitted to create load balancer in this VPC. No unexpected resources are created. Which security issue do these symptoms indicate?
Best answer: D
Explanation: This is an authorization failure because the identity was verified successfully, but the requested cloud action was denied. The 403 permission error points to inadequate privileges for creating the load balancer, not a failed sign-in. Authentication verifies who the user or workload is, while authorization determines what that identity is allowed to do. In this scenario, SSO and MFA succeeded, so authentication is not the problem. The deployment reaches the cloud API but receives a 403 for creating a load balancer in a specific VPC, which means the authenticated identity lacks the required permission or role assignment. Privilege escalation would involve gaining higher permissions than intended, and unauthorized access would involve accessing resources without approval or valid entitlement. The key takeaway is that successful login followed by a permission denial is authorization troubleshooting evidence.
Topic: Domain 4: Security
A company uses federated IAM for a SaaS analytics platform. Users sign in through a corporate identity provider with MFA. After sign-in, the platform evaluates group membership to grant read-only access to specific storage datasets, and all dataset access is written to audit logs. Which action represents authorization in this scenario?
Best answer: A
Explanation: Authorization is the IAM function that determines permissions after identity is established. In this scenario, evaluating group membership and granting read-only access defines what the user can do with the datasets. Authentication verifies identity, authorization grants or denies access, and accounting records activity for audit and traceability. The user’s federated sign-in and MFA challenge are authentication steps because they prove who the user is. Evaluating group membership to grant read-only dataset access is authorization because it maps the verified identity to allowed actions and resources. Writing access events to audit logs is accounting because it tracks what happened after access was attempted or used. The key distinction is: prove identity first, then enforce permissions, then record activity.
Topic: Domain 2: Deployment
A company is assessing migration options for a legacy order-processing workload. The application is still required by the business and has no approved SaaS replacement. It currently runs as a VM-based monolith that stores session state locally, but the target requirement is active-active availability across two cloud availability zones and independent scaling of the payment and inventory components.
Which migration disposition best fits these facts?
Best answer: C
Explanation: The workload is still needed, so retiring it does not fit. It also cannot meet the stated active-active and independent scaling requirements without design changes, making refactor the best disposition. Migration disposition decisions match the workload’s business value and required changes. Retain means keep the workload where it is, usually because it is not ready or should not move yet. Retire means remove a workload that is no longer needed. Refactor means rework the application or architecture to meet new business or technical requirements, such as cloud-native scaling, stateless design, or multi-zone availability. In this scenario, the application is required and has no replacement, but its local session state and monolithic design conflict with the target architecture. The key takeaway is that required architectural change points to refactor, not retain, retire, or lift-and-shift.
Topic: Domain 5: DevOps Fundamentals
A team is updating a CI/CD pipeline for a microservice that will run on a managed container platform. The deployment stage must pull a versioned, immutable artifact that includes the application code, runtime, and OS-level dependencies. The team does not want to provision or boot full VMs for each release. Which artifact should the pipeline publish?
Best answer: A
Explanation: The requirement points to a container image because the workload runs on a managed container platform and needs an immutable artifact with code, runtime, and dependencies. A container image is designed to be pulled from an image registry and instantiated as containers without booting full virtual machines. Pipeline artifacts are the outputs passed from build to deployment stages. For containerized workloads, the deployable artifact is a container image, typically stored in an image registry and tagged by version or digest. It contains the application and its required runtime dependencies in a portable format that the container platform can pull and run. A VM image is also immutable, but it includes a full guest OS and is used to boot virtual machines, which the stem explicitly excludes. Archive files can carry application bits, but they do not directly provide the standardized runtime image expected by a container orchestrator.
Topic: Domain 1: Cloud Architecture
A company must retain compressed application log bundles for 7 years after they age out of the active monitoring platform. The logs are accessed only for rare legal or audit requests, retrieval can take up to 12 hours, and the primary goal is minimizing ongoing storage cost. Which storage tier best fits these requirements?
Best answer: C
Explanation: Archive storage is the best fit for data that is retained long term, rarely accessed, and can tolerate delayed retrieval. The 12-hour recovery expectation makes slower restore acceptable in exchange for lower storage cost. Storage tiers balance access frequency, retrieval speed, and cost. Hot tiers are optimized for frequent access and low latency, while warm and cold tiers reduce cost as access becomes less frequent. Archive tiers are intended for long-term retention, compliance records, and data that is rarely read. Because the log bundles are accessed less than annually and can wait up to 12 hours for retrieval, the architecture can prioritize the lowest recurring storage cost over immediate availability. The key takeaway is that archive is appropriate only when delayed recovery is acceptable; otherwise, cold or warmer tiers may be needed.
Topic: Domain 3: Operations
A company runs an order-processing application on IaaS VMs with a managed relational database. The business requires recovery from a full regional outage with an RTO of 30 minutes and an RPO of 5 minutes. Management wants to avoid the cost of running a full active-active deployment. Which backup and recovery approach is the BEST fit?
Best answer: B
Explanation: The RTO requires the application to be restored quickly, and the RPO requires very little data loss. A warm standby in another region with continuous or near-real-time database replication best balances those recovery targets with the requirement to avoid active-active cost. RTO defines how quickly service must be restored, while RPO defines how much data loss is acceptable. A 30-minute RTO is too aggressive for a cold recovery that requires provisioning and restoring everything after an outage. A 5-minute RPO also requires frequent or continuous replication, not daily or hourly backups. A warm standby keeps enough compute, networking, configuration, and replicated data ready in a secondary region so the environment can be promoted quickly during a regional failure. It is less costly than full active-active because the standby environment does not have to carry normal production traffic all the time. The key takeaway is to match recovery design to both time-to-restore and data-loss limits.
Topic: Domain 6: Troubleshooting
A cloud operations team is tuning alert routing for a centralized logging platform. An alert was generated after a contractor reported being unable to rotate an encryption key.
Log excerpt:
Federated sign-in: success
MFA result: success
Issued role: app-support-readonly
API action: RotateKey
Decision: Deny
Reason: No matching allow in IAM policy
Source network: expected VPN range
Role changes: none
Which classification should the operations team use to route this alert?
Best answer: C
Explanation: This is an authorization failure because the contractor authenticated successfully but lacked the required permission. The logs show successful federated sign-in and MFA, followed by an IAM policy denial for the requested action. Authentication answers the question, “Are you who you claim to be?” Authorization answers, “Are you allowed to do this?” In this case, the user passed federation and MFA, so authentication succeeded. The API request was denied because the assigned role did not allow RotateKey, making the symptom an authorization failure. The key operational takeaway is to route the alert toward access policy review rather than identity verification or incident containment for compromised access.
Topic: Domain 4: Security
A company is migrating a CRM application from a private cloud to public IaaS using IaC templates. The security team requests MFA for administrators, encrypted storage, and a WAF. The legal team states that customer records are subject to a data-sovereignty regulation requiring regulated data to remain in approved national regions. Which migration requirement should be classified as compliance-driven rather than an ordinary security best practice?
Best answer: B
Explanation: Compliance requirements come from laws, regulations, contracts, or formal standards that the organization must satisfy. In this scenario, the data-sovereignty rule specifically dictates where regulated customer records may reside during the migration. The core distinction is source of obligation. MFA, encryption, and WAF protection are strong security best practices and may support compliance, but the stem does not state that a regulation requires those specific controls. The legal team explicitly identifies a data-sovereignty regulation requiring customer records to stay in approved national regions, so the migration design and IaC templates must enforce that placement constraint. For migration planning, compliance-driven requirements should be traceable to the applicable law or policy and documented as acceptance criteria.
Use this map after the sample questions to connect individual items to the vendor-neutral cloud architecture, security, deployment, and operations decisions these practice samples test.
flowchart LR
S1["Cloud business requirement"] --> S2
S2["Choose architecture and deployment model"] --> S3
S3["Secure identity network and data"] --> S4
S4["Automate operations and cost controls"] --> S5
S5["Monitor troubleshoot and recover"] --> S6
S6["Improve resilience and governance"]
| Cue | What to remember |
|---|---|
| Architecture | Match public, private, hybrid, multicloud, IaaS, PaaS, SaaS, containers, and serverless to requirements. |
| Security | Review IAM, network segmentation, encryption, key handling, vulnerability management, and compliance. |
| Operations | Understand monitoring, logging, backup, patching, scaling, automation, and incident response. |
| Resilience | Connect RTO, RPO, backups, replication, warm standby, and failover to business targets. |
| Troubleshooting | Classify evidence before acting: authentication, authorization, network, quota, capacity, DNS, or service failure. |