Pass the WGU Courses and Certificates Managing-Cloud-Security Questions and answers with ValidTests

A Database Activity Monitor (DAM) is specifically designed to identify and stop attack-based commands from executing on a SQL server. Managing Cloud documentation explains that DAM solutions monitor database traffic in real time, inspecting queries and commands for malicious patterns such as SQL injection, privilege escalation, and unauthorized data access attempts.

Unlike traditional firewalls, which primarily filter network traffic, a DAM understands database-specific protocols and SQL command structures. This allows it to detect abnormal or unauthorized queries that may bypass perimeter defenses. When a suspicious command is identified, the DAM can alert administrators, block the execution, or log the activity for forensic analysis.

The other options do not provide this level of database-specific protection. A host-based firewall controls traffic to and from a server but does not analyze SQL commands. A hardware security module focuses on key management and cryptographic operations. A cloud access and security broker enforces security policies between cloud consumers and providers but does not inspect SQL commands directly. Therefore, the database activity monitor is the correct device for stopping attack-based SQL commands.

Multivendor pathway connectivity refers to a cloud provider’s ability to maintain connections with multiple internet service providers (ISPs). This ensures redundancy and reduces the risk of outages due to a single ISP failure.

Electric providers, fuel vendors, and HVAC contracts support facility resilience, but they are not directly tied to connectivity. The purpose of multivendor pathways is specifically to guarantee uninterrupted network access and resilience for customer workloads.

By maintaining ISP redundancy, cloud providers improve availability and meet SLA commitments. This capability is especially critical for enterprises requiring high uptime or operating in regions where connectivity disruptions are common. It also provides flexibility in bandwidth management and routing optimization.

A cloud service customer is the role that subscribes to a software as a service (SaaS) application. Managing Cloud principles define the cloud service customer as the individual or organization that consumes cloud services provided by a cloud service provider.

In a SaaS model, the customer accesses applications through a subscription-based arrangement, typically via a web interface. The customer does not manage the underlying infrastructure or platform but is responsible for configuring user access and ensuring proper use of the service.

The cloud service provider delivers and manages the application, while “cloud computing” and “cloud application” are not roles. Therefore, the cloud service customer is the correct role.

Archiving and retrieval procedures are the data retention method used for business continuity and disaster recovery (BC/DR) backups. Managing Cloud principles describe BC/DR as a critical operational function that ensures data can be restored following system failures, cyber incidents, or natural disasters.

Archiving involves securely storing backup data in a manner that preserves integrity and availability over time. Retrieval procedures define how quickly and effectively data can be accessed and restored when needed. Together, these procedures ensure that organizations can resume operations with minimal disruption.

The other options do not support BC/DR directly. Data classification categorizes data by sensitivity, local agent checks focus on endpoint health, and monitoring and enforcement apply to security oversight rather than retention. Therefore, archiving and retrieval procedures are essential for BC/DR backups.

The United States lacks a single, comprehensive national law assuring individual personal privacy. Managing Cloud principles explain that U.S. privacy protections are governed by a sector-specific approach, with different laws covering healthcare, finance, education, and children’s data.

Unlike countries with unified privacy legislation, the U.S. relies on a combination of federal, state, and industry-specific regulations. This fragmented framework contrasts with national privacy laws in countries such as Canada, New Zealand, and Israel.

As a result, organizations operating in the U.S. must navigate multiple regulatory requirements depending on data type and jurisdiction. Therefore, the United States is the correct answer.

Access control is the SIEM-related concept that focuses on preventing and detecting account and service hijacking. Managing Cloud guidance explains that access control mechanisms define who can access systems, services, and data, and under what conditions.

SIEM solutions monitor access control events such as failed logins, privilege escalation, and abnormal authentication patterns. By analyzing these events, organizations can detect compromised accounts, stolen credentials, or unauthorized service access.

Digital forensics occurs after an incident, trust is a conceptual principle, and LDAP is a directory protocol rather than a SIEM focus area. Therefore, access control is the correct answer.

Platform as a Service (PaaS) is the recommended option for organizations seeking to simplify application development and management. Managing Cloud guidance explains that PaaS provides a complete development environment, including operating systems, runtime environments, middleware, databases, and development tools.

By abstracting infrastructure and platform management, PaaS allows developers to focus exclusively on building, testing, and deploying applications. Tasks such as patching, scaling, load balancing, and environment configuration are handled by the cloud provider, reducing complexity and administrative effort.

DaaS focuses on delivering virtual desktops, IaaS requires customers to manage operating systems and applications, and SaaS provides fully developed applications rather than development platforms. Therefore, PaaS best meets the requirement of simplifying development and management.

A cloud-based DDoS protection strategy helps mitigate attacks by rerouting traffic to specialized mitigation services. Managing Cloud guidance explains that cloud providers leverage large-scale, distributed infrastructures capable of absorbing and filtering massive volumes of malicious traffic.

When an attack is detected, traffic is redirected to scrubbing centers or mitigation platforms that analyze and filter malicious packets before forwarding legitimate traffic to the target application. This prevents backend systems from becoming overwhelmed and ensures service availability.

The other options provide limited protection. Load balancing and multiple endpoints distribute traffic but do not filter attacks, and scaling applications may still fail under volumetric attacks. Therefore, rerouting traffic to mitigation services is the most effective strategy.

The Data Controller is the role responsible for ensuring that third parties implement adequate technical and organizational security measures to protect data. Managing Cloud principles emphasize that the data controller determines the purpose and means of data processing and remains accountable for how personal or sensitive data is handled, even when third parties are involved.

When data is processed by cloud providers or other external entities, the data controller must ensure that contractual agreements, policies, and controls are in place to maintain data protection standards. This includes verifying that third parties follow approved security practices, comply with legal requirements, and apply appropriate safeguards.

Other roles do not carry this responsibility. A cloud user consumes cloud services but does not define processing requirements. A cloud provider implements security controls but acts under the instructions of the data controller. A data subject is the individual whose data is being processed and has no responsibility for security enforcement. Therefore, the data controller is the correct role.

Cloud security groups typically filter traffic based on ports and protocols. By allowing or denying specific port/protocol combinations, engineers can control communication between deployments. For example, permitting HTTPS (TCP port 443) while blocking other ports enforces segmentation.

MAC addresses are not used in cloud-level segmentation because they apply to physical networks. Unique identifiers and definitions are not practical mechanisms for traffic filtering.

Using ports and protocols aligns with the principle of least privilege by ensuring that only necessary communication pathways exist. In multi-deployment or hybrid cloud setups, this reduces the attack surface and prevents lateral movement by malicious actors. Security groups thereby provide logical network segmentation without requiring physical infrastructure changes.