Cloud Security Alliance Updated CCSK Exam Questions and Answers by fynn

Passwordless authentication removes the reliance on traditional passwords and instead relies on strong, cryptographic-based login mechanisms. The primary technology behind passwordless authentication is the use of local tokens or certificates, particularly implemented through protocols like FIDO2 and WebAuthn.

These mechanisms work by storing a private key on the user’s device (like a hardware security module or TPM), while the public key is stored with the cloud service. When a login attempt is made, the system uses asymmetric cryptography to verify the user—without ever transmitting a secret like a password.

“Passwordless authentication is enabled by mechanisms such as biometric verification and secure local credentials like hardware-bound certificates or tokens. The use of cryptographic authenticators (such as FIDO2) is becoming the cornerstone of secure, phishing-resistant authentication.”

— Security Guidance for Critical Areas of Focus in Cloud Computing v4.0, Domain 12: Identity, Entitlement, and Access Management

Also supported by the Cloud Controls Matrix (CCM) under IAM-12:

“Utilize multifactor authentication or strong authentication mechanisms such as cryptographic tokens or certificates for user access to cloud services.”

— Cloud Controls Matrix v3.0.1 (IAM-12)

In serverless computing models, the primary security concern is ensuring that secrets (such as API keys, database credentials, etc.) and configuration settings are handled securely. The principle of least privilege means that these secrets and configurations should only beaccessible by the minimum set of functions or services that truly need them, reducing the attack surface. Proper management of secrets and configurations ensures that unauthorized access or misuse is prevented.

Disabling console access completely or using privileged access management is important for securing any environment, but it is not specifically tied to serverless models. Validating the underlying container security is more relevant to containerized environments rather than serverless computing, which abstracts away infrastructure management. Placing serverless components behind application load balancers is useful for routing traffic but is not specifically critical for securing the serverless model itself. Managing secrets and access controls is a more direct concern for securing serverless environments.

Enforcing the principle of least privilege is the practice of granting users and systems the minimum level of access necessary to perform their tasks. By limiting root or core access and restricting the creation of deployments to onlythose who absolutely need it, the risk of unauthorized access, misuse, or damage is minimized. This helps ensure that critical systems and sensitive data are protected by reducing the number of people or services with high-level access.

Trust and verify on demand is not a standard security practice and could create security gaps. Disabling multi-factor authentication is a poor security practice, as multi-factor authentication (MFA) enhances security by adding an additional layer of verification. Deploying applications with full access) contradicts the principle of least privilege and could expose the system to unnecessary risks.