Try 10 focused CompTIA Security+ SY0-701 questions on Security Architecture, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | CompTIA Security+ SY0-701 |
| Topic area | Security Architecture |
| Blueprint weight | 18% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Security Architecture for CompTIA Security+ SY0-701. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 18% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.
Topic: Security Architecture
A development team is deploying a new serverless function that runs in a cloud provider and is triggered whenever a file is uploaded to a specific object storage bucket. The function reads the file, validates its contents, and writes sanitized metadata into a managed database. During a security review, the architect asks for changes to permissions and event-source configuration.
Which of the following proposed configurations is the LEAST appropriate and should NOT be implemented?
Options:
A. Attach an execution role that grants full administrative access to all services in the cloud account so the function will not encounter permission errors as its responsibilities grow.
B. Grant the function an execution role that can read objects only from the specific bucket and write only to the required database table.
C. Validate and sanitize all input fields and file types within the function before committing metadata to the database.
D. Configure the object storage event so that the function is triggered only for uploads to a dedicated incoming folder in the bucket from authenticated clients.
Best answer: A
Explanation: Serverless and function-as-a-service architectures rely heavily on correct configuration of permissions and event sources. Because functions often run with powerful identities and are triggered automatically, over-privileged roles or overly broad triggers can turn a small bug into a serious breach.
In this scenario, the key consideration is that granting the function full administrative access to all cloud services is an obvious anti-pattern: it removes protection boundaries, makes lateral movement easier for an attacker who compromises the function, and is unnecessary for the described workload. The other options all narrow the function’s permissions or tighten control over its inputs and triggers, which are recommended practices for secure serverless design.
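The contrast between option A and option B can be checked mechanically. The following is an added example, not part of the original practice item: two constructed execution-role policies written in AWS IAM JSON syntax (an assumption; the question only says "cloud provider") and a small linter that flags any Allow statement granting a wildcard action or a wildcard resource, the pattern a review should reject.

```python
import json

# Constructed policies for illustration. The bucket name, table name, region
# and account ID are placeholders, not values from the question.
OVERLY_BROAD_ROLE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

LEAST_PRIVILEGE_ROLE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::uploads-bucket/incoming/*"},
   {"Effect": "Allow", "Action": ["dynamodb:PutItem"],
    "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/file-metadata"}
 ]}
""")


def _as_list(value):
    # IAM allows a single string or a list in Action/Resource fields.
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return (statement index, issue, value) for every Allow statement that
    grants a wildcard action ("*" or "service:*") or a wildcard resource ("*")."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not a finding
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "wildcard action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((idx, "wildcard resource", resource))
    return findings


def is_least_privilege(policy):
    """True when no statement grants wildcard actions or resources."""
    return not find_overbroad_statements(policy)


if __name__ == "__main__":
    for name, policy in [("admin-role", OVERLY_BROAD_ROLE),
                         ("scoped-role", LEAST_PRIVILEGE_ROLE)]:
        print(name, "OK" if is_least_privilege(policy) else find_overbroad_statements(policy))
```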
Topic: Security Architecture
An organization configures its VPN to require users to enter a username and password and then approve a time-limited push notification in an authenticator app on their registered smartphone before a connection is established. Which term BEST describes this authentication approach?
Options:
A. Strong password authentication
B. Multi-factor authentication
C. Single-factor authentication
D. Single sign-on (SSO)
Best answer: B
Explanation: This scenario focuses on identity and access management, specifically the difference between single-factor authentication, multi-factor authentication (MFA), and strong authentication.
Authentication factors fall into broad categories: something you know (password, PIN), something you have (smartphone, token, smart card), and something you are (biometrics). Multi-factor authentication means using at least two different categories, such as a password plus a hardware or software token.
In the scenario, the VPN requires both a username/password and approval of a time-limited push notification in an authenticator app on a registered smartphone. The password is something you know, and the smartphone/app combination is something you have. Because it combines two different factor types, this is clearly multi-factor authentication.
This also illustrates stronger authentication than relying on a password alone. MFA significantly improves resistance to common attacks like credential stuffing, password reuse, and basic phishing, because an attacker who steals only the password still lacks the second factor (the registered device).
Topic: Security Architecture
Which identity governance practice requires managers or data owners to periodically confirm that existing user access rights are still appropriate and revoke any that are no longer needed?
Options:
A. Just-in-time (JIT) privileged access
B. Role-based access control (RBAC)
C. Single sign-on (SSO)
D. Periodic access reviews (access certification)
Best answer: D
Explanation: The question is testing knowledge of identity governance controls, specifically the practice of periodically confirming that users still need the access they already have. Over time, users change roles, projects end, and privileges can accumulate. Without governance, this leads to excessive permissions and higher risk of misuse or compromise.
Periodic access reviews (often implemented as access certification campaigns) directly address this by having managers or data owners regularly review lists of users and their entitlements, approving what is still needed and revoking what is not. This enforces least privilege on an ongoing basis, rather than only at initial provisioning.
Other IAM mechanisms such as RBAC, SSO, and just-in-time privileged access support secure access, but they do not, by themselves, ensure that existing entitlements are periodically revalidated against policy and current job responsibilities.
Topic: Security Architecture
Which TWO statements about attribute-based access control (ABAC) are TRUE? (Select TWO.)
Options:
A. ABAC assigns users to predefined roles, and permissions are granted based only on those roles.
B. ABAC primarily relies on a list of ordered allow/deny rules, similar to a traditional firewall rule set.
C. ABAC evaluates attributes of the user, resource, action, and environment when making access decisions.
D. ABAC policies are static and require changing role definitions whenever a user’s responsibilities change.
E. ABAC is well-suited for fine-grained, context-aware access control in dynamic environments such as cloud applications.
Correct answers: C and E
Explanation: Attribute-based access control (ABAC) makes authorization decisions by evaluating a set of attributes about the subject (user or process), the object (resource), the requested action, and the environment (such as time, location, or device security state). Instead of relying on fixed roles, ABAC uses policies that specify which combinations of attributes are allowed or denied. This makes ABAC particularly powerful for fine-grained, context-aware access control, which is common in modern cloud and enterprise environments.
In contrast, role-based access control (RBAC) centers on roles: users are assigned to roles, and roles are assigned permissions. Rule-based access control typically focuses on ordered rules that allow or deny access based on conditions, similar to firewall rule sets. Understanding these differences helps in choosing the right authorization model for a given use case.
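To make the contrast concrete, here is an added example (not part of the original practice item) of a minimal ABAC policy decision point. Rules are predicates over subject, resource, action and environment attributes, combined with deny-overrides and a default deny; the department, role, hour and device-compliance attributes are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Request:
    subject: dict       # e.g. {"department": "finance", "role": "analyst"}
    resource: dict      # e.g. {"owner_department": "finance"}
    action: str         # "read" or "write"
    environment: dict   # e.g. {"hour": 10, "device_compliant": True}


@dataclass
class Rule:
    name: str
    effect: str                        # "permit" or "deny"
    condition: Callable[[Request], bool]


# Constructed policy: unlike RBAC, no rule is keyed on a role name alone;
# each one combines attributes from several categories.
POLICY: List[Rule] = [
    Rule("deny-noncompliant-device", "deny",
         lambda r: not r.environment.get("device_compliant", False)),
    Rule("deny-writes-outside-business-hours", "deny",
         lambda r: r.action == "write" and not 8 <= r.environment.get("hour", -1) < 18),
    Rule("permit-read-within-own-department", "permit",
         lambda r: r.action == "read"
         and r.subject.get("department") == r.resource.get("owner_department")),
    Rule("permit-manager-write-within-own-department", "permit",
         lambda r: r.action == "write" and r.subject.get("role") == "manager"
         and r.subject.get("department") == r.resource.get("owner_department")),
]


def decide(request: Request, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Deny-overrides combining algorithm: the first matching deny wins,
    otherwise the first matching permit; nothing matching means deny."""
    permit_rule = None
    for rule in policy:
        if rule.condition(request):
            if rule.effect == "deny":
                return "deny", rule.name
            if permit_rule is None:
                permit_rule = rule.name
    if permit_rule:
        return "permit", permit_rule
    return "deny", "default-deny"


if __name__ == "__main__":
    req = Request({"department": "finance", "role": "analyst"},
                  {"owner_department": "finance"}, "read",
                  {"hour": 10, "device_compliant": True})
    print(decide(req))
```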
Topic: Security Architecture
A security architect is designing protections for an internet-facing web application hosted in a DMZ. The organization wants to use multiple network-based security devices (IDS/IPS, WAF, DLP, NAC) to implement a layered defense without relying on any single control.
Which of the following design recommendations is INCORRECT and should NOT be implemented?
Options:
A. Deploy an IDS/IPS at the network edge and between the DMZ and internal network to monitor and block suspicious traffic crossing network segments.
B. Place a web application firewall in front of the web servers to inspect HTTP/HTTPS requests for attacks such as SQL injection and cross-site scripting.
C. Disable IDS/IPS inspection to reduce latency, relying solely on the WAF to protect the web application from both network and application attacks.
D. Configure NAC so that only authenticated and compliant endpoints can connect to the internal network, enforcing posture checks such as updated AV and OS patches.
Best answer: C
Explanation: This question focuses on layered defense (defense in depth) using multiple network-based security devices: IDS/IPS, WAF, DLP, and NAC. In a secure network design, each device addresses different layers or types of threats, and they should complement rather than replace one another.
A WAF focuses on HTTP/HTTPS application-layer attacks against web applications (for example, SQL injection, XSS). An IDS/IPS monitors and can block suspicious network traffic at various points in the network. NAC controls which endpoints are allowed to connect and under what conditions. In a layered architecture, you keep these controls active together to reduce the chance that a single failure or gap leads to compromise.
The recommendation to disable IDS/IPS inspection because a WAF is present conflicts directly with defense in depth. It removes a network security layer and incorrectly assumes the WAF, which inspects only HTTP/HTTPS traffic, can fully replace IDS/IPS. The other recommendations each add a distinct layer of security and therefore support a robust, layered defense strategy.
Topic: Security Architecture
Which of the following statements about network segmentation and isolation is NOT correct?
Options:
A. All systems that need internet access should be placed in the same flat subnet to simplify firewall rules and improve security.
B. Placing guest Wi-Fi clients on a separate VLAN from internal users helps limit lateral movement if a guest device is compromised.
C. Using a firewall between a web front-end subnet and a database subnet supports the principle of least privilege.
D. Network segmentation can reduce the blast radius of a successful phishing attack that compromises one workstation.
Best answer: A
Explanation: This question targets secure network design principles, focusing on how VLANs, subnets, and firewalls provide segmentation and isolation to limit the spread of attacks.
The main goal of segmentation is to break a network into smaller, controlled zones. When a device is compromised, segmentation and isolation make it harder for an attacker to move laterally to more sensitive systems or broader parts of the environment. VLANs and subnets define logical and IP boundaries, while firewalls and ACLs enforce what traffic is allowed between those boundaries.
Statements that describe using separate VLANs for guest access, firewalls between tiers, and reducing the blast radius of phishing-driven compromises are consistent with these principles. The idea of putting all internet-connected systems into one flat subnet is the opposite of segmentation: it makes lateral movement easier and expands the impact of any compromise, so it is not correct from a security perspective.
Topic: Security Architecture
Which term BEST describes a physical control used to secure a laptop by attaching it to a desk or other fixed object with a steel cable to deter theft in an open office area?
Options:
A. Tamper-evident seal
B. Mantrap
C. Privacy screen filter
D. Cable lock
Best answer: D
Explanation: The scenario describes a physical security control that anchors a laptop to a fixed object using a steel cable to deter theft, especially in open or semi-public spaces. This is the classic use case for a cable lock, which threads through a security slot on the device and then loops around a stationary object, adding a physical barrier against someone quickly grabbing and walking off with the equipment.
Other physical and visual controls in endpoint and device security serve different purposes: privacy filters protect on-screen data from shoulder surfing; mantraps regulate who can enter a secure room like a data center; and tamper-evident seals indicate whether a device or enclosure has been opened. At the Security+ level, it is important to match each physical control to its specific role in protecting confidentiality, integrity, or availability of systems and data.
Topic: Security Architecture
A security architect has configured several internal and SaaS applications to use the organization’s identity provider for single sign-on.
Based on the following exhibit, which statement is BEST supported about the user login experience?
Application Access Configuration
| App name | URL | Auth method |
|--------------|-------------------------|---------------------------------|
| HR Portal | https://hr.example.com | SAML (IdP: id.corp.example.com) |
| CRM | https://crm.vendor.com | SAML (IdP: id.corp.example.com) |
| Legacy Wiki | https://wiki.local | Local username/password only |
Options:
A. Users will enter their corporate password directly on each application’s login page, and the IdP is used only for password synchronization.
B. After authenticating once to id.corp.example.com, users can access both HR Portal and CRM without re-entering credentials, but must still use a separate login for Legacy Wiki.
C. After authenticating once to id.corp.example.com, users will have SSO access to all three applications, including Legacy Wiki.
D. Users must log in separately to HR Portal and CRM because they are hosted on different domains, but they have SSO between CRM and Legacy Wiki.
Best answer: B
Explanation: The exhibit lists three applications and how each authenticates users. HR Portal and CRM both use SAML and reference the same identity provider, id.corp.example.com. This indicates a federated single sign-on setup, where both applications trust the same IdP to authenticate users.
In a typical SAML-based federation, a user authenticates once to the IdP. After that, when accessing other service providers (SPs) that trust that same IdP, the user is issued SAML assertions and does not need to re-enter credentials, achieving SSO across those apps.
Legacy Wiki, on the other hand, is explicitly configured for “Local username/password only”, with no IdP or federation listed. That means it maintains its own user accounts and does not participate in the SAML-based SSO. Users will still have to authenticate separately to the wiki using its local credentials.
Therefore, the only conclusion fully supported by the exhibit is that users get SSO between HR Portal and CRM via the shared SAML IdP, but Legacy Wiki still requires a separate login.
Topic: Security Architecture
A 300-employee company uses several SaaS applications (email, CRM, HR) from different vendors. Employees complain about managing multiple passwords, and the help desk spends significant time on SaaS password resets. Security leadership also wants a single place to quickly revoke all access for terminated users and to require MFA for remote logins.
Which solution BEST meets these requirements?
Options:
A. Increase password complexity and change frequency for each SaaS application’s local accounts to reduce successful attacks.
B. Deploy a browser-based password manager so employees can store unique passwords for each SaaS application.
C. Implement SSO using a centralized identity provider integrated with all SaaS apps and require MFA at the identity provider.
D. Install an on-premises RADIUS server to authenticate users for internal Wi-Fi and reuse those credentials for SaaS apps.
Best answer: C
Explanation: This scenario is about choosing the most appropriate identity and access management solution for multiple SaaS applications. The organization has three explicit needs: relieving users and the help desk of multiple SaaS passwords and resets, a single place to revoke all access for terminated users, and MFA for remote logins.
A centralized identity provider that supports single sign-on (SSO) and MFA addresses all three needs. With SSO, each user authenticates once to the IdP using a single corporate identity. The IdP then issues tokens or assertions to each SaaS provider, so users do not maintain separate passwords for each application. Because access is mediated by the IdP, disabling a user there effectively cuts off access to all connected SaaS apps. Enforcing MFA at the IdP ensures all SSO-integrated apps inherit the same strong authentication requirement.
Other options improve one aspect (such as password usability or network access control) but fail to deliver centralized identity, lifecycle management, and MFA enforcement across all SaaS applications, which is why they are not the best fit for this scenario.
Topic: Security Architecture
Which statement BEST describes the primary security purpose of a CSRF (cross-site request forgery) token in a web application?
Options:
A. It limits the number of failed login attempts from a single IP address to slow down brute-force attacks.
B. It ensures that state-changing requests (such as fund transfers) come from a request intentionally made within the legitimate site, not from a malicious third-party site.
C. It prevents attackers from injecting malicious script into web pages viewed by other users.
D. It encrypts cookie contents so attackers cannot read session data if they steal the cookie.
Best answer: B
Explanation: A CSRF (cross-site request forgery) token is an application-layer control used to defend against forged requests that come from another site but are executed in the context of a user’s authenticated session. When a user is logged in, a malicious site can attempt to trick their browser into sending a request (such as changing an email address or transferring money) to the legitimate site. Because the browser automatically includes cookies, the request may appear authenticated.
To counter this, the application issues a unique, unpredictable CSRF token associated with the user’s session and includes it in forms or headers for state-changing operations. The server then verifies that incoming requests contain the correct token. If a malicious site tries to forge a request, it typically cannot know the correct token value, so the server rejects the request. This makes CSRF tokens an important control for protecting integrity of user actions, distinct from controls like secure cookies (which protect cookies in transit or from some client-side access) or XSS defenses (which prevent script injection).
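The following is an added example, not code from the original practice item: a session-bound CSRF token built as a random nonce plus an HMAC over the session ID and nonce, verified with a constant-time comparison, together with a simplified transfer handler that shows why a request carrying the user's cookie but no valid token is rejected. The secret key, session IDs and request dictionaries are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key; in production it comes from a secrets store,
# never from source code.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id, key=SERVER_KEY):
    """Token = nonce '.' HMAC-SHA256(key, session_id ':' nonce).
    Binding the MAC to the session means a token captured from one session
    cannot be replayed in another, and the nonce makes each token unpredictable."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token, key=SERVER_KEY):
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_transfer(request, session_id):
    """Simplified state-changing endpoint. The browser attaches the session
    cookie automatically, so session_id is valid for forged and legitimate
    requests alike; only the token proves the form came from the site's own page."""
    if request.get("method") != "POST":
        return 405, "method not allowed"
    form = request.get("form", {})
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form.get('amount')} to {form.get('to')}"


if __name__ == "__main__":
    sid = "sess-1234"                       # constructed session ID
    token = issue_csrf_token(sid)           # embedded in the legitimate form
    legit = {"method": "POST", "form": {"to": "acct-9", "amount": "50", "csrf_token": token}}
    forged = {"method": "POST", "form": {"to": "acct-666", "amount": "5000"}}
    print(handle_transfer(legit, sid))      # (200, ...)
    print(handle_transfer(forged, sid))     # (403, ...)
```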
Use the CompTIA Security+ SY0-701 Practice Test page for the full IT Mastery route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Read the CompTIA Security+ SY0-701 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.