WGU Updated Managing-Cloud-Security Exam Questions and Answers by jorgie

Cloudsecurity groupstypically filter traffic based onports and protocols. By allowing or denying specific port/protocol combinations, engineers can control communication between deployments. For example, permitting HTTPS (TCP port 443) while blocking other ports enforces segmentation.

MAC addresses are not used in cloud-level segmentation because they apply to physical networks. Unique identifiers and definitions are not practical mechanisms for traffic filtering.

Using ports and protocols aligns with the principle of least privilege by ensuring that only necessary communication pathways exist. In multi-deployment or hybrid cloud setups, this reduces the attack surface and prevents lateral movement by malicious actors. Security groups thereby provide logical network segmentation without requiring physical infrastructure changes.

Backups are only valuable if they can be successfully restored when needed. Testing backups on a periodic basis is the only reliable way to validate their viability. Simply storing backups without testing may create a false sense of security, because corruption, misconfiguration, or incomplete backup sets can go unnoticed until a disaster occurs.

Industry best practices, such as those recommended by NIST and ISO 27031, emphasize regular backup testing as part of disaster recovery and business continuity planning. Testing involves restoring data to a test environment, verifying its integrity, and ensuring that applications can use the restored data as expected.

Deleting, comparing, or replacing backups might help in managing storage efficiency, but these actions do not confirm whether the backups are usable. Periodic testing ensures alignment with company policy, regulatory requirements, and internal risk management controls. It also provides confidence to management that recovery objectives, such as RTO (Recovery Time Objective) and RPO (Recovery Point Objective), can be met.

TheZero Trustsecurity model assumes that no user, device, or application should be trusted by default, whether inside or outside the network perimeter. Every access request must be continuously verified using strict identity, authorization, and context-based checks.

Unlike traditional perimeter security, Zero Trust emphasizes the principle of “never trust, always verify.” Traffic inspection looks at data packets, intrusion prevention identifies malicious activity, and secret management safeguards sensitive keys and credentials. None of these approaches enforce constant, adaptive identity verification the way Zero Trust does.

By adopting Zero Trust, organizations ensure that access is not granted simply because a user is “inside” the network. Instead, continuous checks evaluate credentials, device posture, location, and other risk factors. This significantly reduces the risk of insider threats, credential theft, and lateral movement within cloud environments.

AnIdentity Provider (IdP)is a system that stores and manages identity information and validates authentication and authorization requests. IdPs are critical in cloud and hybrid environments, supporting protocols such as SAML, OAuth, and OpenID Connect for federated access.

An HSM manages encryption keys, not identities. Zero Trust is a security philosophy requiring continuous verification, but the system that enforces authentication is the IdP. A bastion host provides secure administrative access but does not manage identity.

By using an IdP, organizations centralize credential management, enforce multifactor authentication, and integrate with Single Sign-On (SSO). This reduces password fatigue, increases security, and ensures consistent access control policies across applications and services.