Browse Certification Practice Tests by Exam Family

GIAC GCLD Sample Questions & Practice Test

May 1, 2026

Try 12 GIAC Cloud Security Essentials (GCLD) sample questions and practice-test preview prompts on shared responsibility, cloud identity, storage exposure, logging, encryption, workload isolation, and incident response.

On this page

GIAC Cloud Security Essentials (GCLD) is a cloud-security route for candidates who need practical judgment around shared responsibility, identity, logging, encryption, storage exposure, workload controls, and cloud incident response.

Use this page to preview the kind of cloud-security decisions a GCLD practice route should test. The questions below are original IT Mastery sample questions, not official GIAC exam questions.

What this route should test

  • mapping cloud responsibilities to the provider, customer, and shared operating model
  • securing identity, storage, network paths, encryption keys, logs, and workloads
  • using cloud-native evidence during incident response
  • avoiding broad public access or broad administrator rights as default answers

Sample Exam Questions

Question 1

Topic: shared responsibility

A company moves a database to a managed cloud service. Which statement best reflects shared responsibility?

  • A. The cloud provider is responsible for all customer access decisions
  • B. The provider manages parts of the service, but the customer still owns data, identity, configuration, and access decisions within the service
  • C. No logging is needed because the service is managed
  • D. The customer must maintain the provider’s physical data center

Best answer: B

Explanation: Managed services shift some operational duties to the provider, but customers still make critical configuration, identity, data, and monitoring decisions.

Question 2

Topic: cloud identity

A workload needs to read one storage bucket. What access pattern is best?

  • A. Use a scoped role or service identity with only the required bucket permissions
  • B. Embed an administrator key in application code
  • C. Share one root account among developers
  • D. Disable audit logging for the workload

Best answer: A

Explanation: Cloud workloads should use scoped identities and least privilege. Long-lived admin secrets in code create high exposure.

Question 3

Topic: storage exposure

A storage bucket containing internal reports is accidentally public. What should be done first?

  • A. Rename the bucket only
  • B. Ignore the finding until the next quarterly review
  • C. Delete all cloud logs
  • D. Remove public access, preserve access logs, assess exposure, notify stakeholders through the incident process, and fix guardrails

Best answer: D

Explanation: Public storage exposure requires containment, evidence review, impact assessment, and preventive control improvement.

Question 4

Topic: logging

An attacker may have used stolen cloud credentials. Which logs are most relevant?

  • A. Office printer logs only
  • B. Cloud control-plane activity, sign-in events, API calls, resource changes, and data-access logs where enabled
  • C. Marketing email metrics
  • D. User desktop wallpaper history

Best answer: B

Explanation: Credential misuse in cloud environments often appears in API, control-plane, identity, and resource-change evidence.

Question 5

Topic: encryption

Which statement about cloud encryption is most accurate?

  • A. Encryption removes the need for access control
  • B. Key management, access policy, rotation, logging, and data classification still matter
  • C. Encryption should always use a shared personal password
  • D. Encrypted data can never be exposed

Best answer: B

Explanation: Encryption is one layer. Key access, policy, monitoring, classification, and operational controls determine whether encryption reduces risk.

Question 6

Topic: workload isolation

A development workload and production workload share the same broad administrator role. What is the main risk?

  • A. Lower isolation increases the chance that a development compromise can affect production resources
  • B. Role sharing always improves auditability
  • C. Production becomes more secure automatically
  • D. Logs become unnecessary

Best answer: A

Explanation: Separating environments and privileges limits blast radius. Shared broad roles weaken isolation.

Question 7

Topic: incident response

Cloud incident response differs from on-premises response because responders often need to rely on what?

  • A. Physical disk removal only
  • B. A handwritten server room log
  • C. No evidence because cloud systems cannot be investigated
  • D. Control-plane logs, snapshots, cloud-native isolation controls, identity events, and provider-specific evidence sources

Best answer: D

Explanation: Cloud response uses cloud-native evidence and controls. Responders need logs, snapshots, identity context, and platform-specific procedures.

Question 8

Topic: posture management

A security team wants to detect public storage, overly broad roles, and missing logging across accounts. Which capability fits best?

  • A. Manual annual screenshots
  • B. A shared administrator password
  • C. Cloud security posture checks or policy-based configuration monitoring
  • D. A disconnected spreadsheet only

Best answer: C

Explanation: Posture monitoring can continuously detect misconfigurations across cloud environments. Manual snapshots alone miss drift.

Question 9

Topic: serverless permissions

A serverless function needs to write one queue but currently has broad account access. What is the best correction?

  • A. Scope the function’s execution role to the required queue action and monitor usage
  • B. Give every function administrator access
  • C. Store cloud root credentials as environment variables
  • D. Disable all invocation logs

Best answer: A

Explanation: Serverless functions still need least-privilege identities. Execution roles should match the required actions and resources.

Question 10

Topic: container security

An image used in production contains critical known vulnerabilities and hardcoded secrets. What should happen before redeployment?

  • A. Rebuild from a clean source, remove secrets, patch dependencies, scan the image, and rotate exposed credentials
  • B. Change the image name only
  • C. Ignore it because containers are temporary
  • D. Publish the secrets in documentation

Best answer: A

Explanation: Container issues can persist across deployments. Secrets must be removed and rotated, and vulnerable dependencies should be fixed.

Question 11

Topic: network controls

A database should be reachable only from an application tier. Which cloud control pattern is most appropriate?

  • A. Open the database to the internet for easier testing
  • B. Allow all internal networks by default
  • C. Restrict network paths with security groups, routing, private endpoints where appropriate, and monitored access
  • D. Disable authentication because the database is private

Best answer: C

Explanation: Cloud network controls should restrict expected paths and be paired with identity and monitoring. Private placement alone is not enough.

Question 12

Topic: data residency

A regulated data set must stay in approved regions. Which control set best supports that requirement?

  • A. Region restrictions, deployment guardrails, data-classification policy, monitoring, and review of backup or replication settings
  • B. Naming the bucket after the region only
  • C. Trusting developers to remember the rule with no guardrails
  • D. Disabling audit trails

Best answer: A

Explanation: Data residency depends on guardrails, monitoring, and review of replication, backup, and deployment behavior.

Quick readiness checklist

If you miss…Drill this next
shared-responsibility questionsprovider-managed versus customer-controlled duties
identity questionsscoped roles, service identities, MFA, and logging
storage and data questionspublic access, encryption, key management, and residency
incident questionscloud-native logs, snapshots, isolation, and control-plane evidence
Revised on Monday, May 18, 2026
GCIH
GCSA