Cloud Security Alliance Updated CCSK Exam Questions and Answers by sunny

Using IAM roles/identities provided by cloud providers instead of static secrets (like passwords or API keys) significantly reduces the risk of credential leakage. IAM roles enable dynamic and temporary credentials, meaning that they are automatically rotated and do not need to be manually stored or managed. This eliminates the need for hardcoding sensitive credentials into code or configuration files, which can often lead to accidental exposure or misuse if not properly secured.

Lowering storage costs is not a direct benefit of using IAM roles over static secrets. Facilitating data encryption is important for security, but IAM roles are not specifically focused on data encryption. Improving system performance is not a primary benefit of using IAM roles over static secrets. The main advantage is security-related, specifically the reduction in credential leakage risks.

Secrets management focuses on securely storing and managing sensitive information, such as API keys and passwords, to prevent unauthorized access. Reference: [Security Guidance v5, Domain 8 - Secrets Management]

Correct Option: A. Virtual Private Network (VPN)

A Virtual Private Network (VPN) is a widely used technology that enables secure communication over untrusted networks like the public Internet. It works by creating an encrypted tunnel between the user's device and the internal private network, thereby ensuring data confidentiality, integrity, and authentication.

From CSA Security Guidance v4.0 – Domain 7: Infrastructure Security:

“Remote access solutions, such as VPNs, are commonly used to provide users with secure access to cloud or on-premises resources. VPNs create encrypted tunnels that protect data in transit, preventing unauthorized disclosure or tampering over public networks.”

— Domain 7: Infrastructure Security, CSA Security Guidance v4.0

This makes VPNs a fundamental security control when users are working remotely and need access to sensitive or internal systems.

Why the Other Options Are Incorrect:

B. Domain Name System (DNS)➤ DNS translates domain names to IP addresses. It does not provide encryption or secure tunneling.

C. Network Address Translation (NAT)➤ NAT modifies IP address information but does not encrypt data or create tunnels.

D. Virtual Local Area Network (VLAN)➤ VLANs segment network traffic within a LAN. They do not secure remote communications over the Internet.