Question 1:
A company that performs passive vulnerability scanning at its transit VPC has detected a vulnerability related to outdated web-server software on one of its public subnets.
Which of the following can the company use to verify if this is a true positive with the LEAST effort and cost? (Select TWO).
A. A network-based scan
B. An agent-based scan
C. A port scan
D. A red-team exercise
E. A credentialed scan
F. A blue-team exercise
G. Unknown environment penetration testing
Correct Answer: BE
The correct answer is B and E. An agent-based scan and a credentialed scan can help verify if the vulnerability related to outdated web-server software is a true positive with the least effort and cost. An agent-based scan is a type of vulnerability scan that uses software agents installed on the target systems to collect and report data on vulnerabilities. This method can provide more accurate and detailed results than a network-based scan, which relies on network traffic analysis and probes [1]. An agent-based scan can also reduce the network bandwidth and performance impact of scanning, as well as avoid triggering false alarms from intrusion detection systems [2]. A credentialed scan is a type of vulnerability scan that uses valid login credentials to access the target systems and perform a more thorough and comprehensive assessment of their configuration, patch level, and vulnerabilities. A credentialed scan can identify vulnerabilities that are not visible or exploitable from the network level, such as missing updates, weak passwords, or misconfigured services [3]. A credentialed scan can also reduce the risk of false positives and false negatives, as well as avoid causing damage or disruption to the target systems [3]. A network-based scan, a port scan, a red-team exercise, a blue-team exercise, and unknown environment penetration testing are not the best options to verify if the vulnerability is a true positive with the least effort and cost. A network-based scan and a port scan may not be able to detect the vulnerability if it is not exposed or exploitable from the network level. A red-team exercise, a blue-team exercise, and unknown environment penetration testing are more complex, time-consuming, and costly methods that involve simulating real-world attacks or defending against them. These methods are more suitable for testing the overall security posture and resilience of an organization, rather than verifying a specific vulnerability [4].
Question 2:
A company is using a method of tests and upgrades in which a small set of end users are exposed to new services before the majority of other users. Which of the following deployment methods is being used?
A. Blue-green
B. Canary
C. Big bang
D. Rolling
Correct Answer: B
A canary deployment is a software deployment technique where a new feature or version is released to a small subset of users in production prior to releasing it to a larger subset or all the users. It is also sometimes termed a phased rollout or incremental release [1]. A canary deployment allows the developers to test the new service in a real environment and get feedback from the users before making it available to everyone. It also reduces the risk of failures and enables easy rollbacks if something goes wrong. A canary deployment is different from a blue-green deployment, where two identical environments are used to switch between the old and new versions of the service. A big bang deployment is where the new service is released to all the users at once, without any testing or gradual rollout. A rolling deployment is where the new service is installed in batches or stages, replacing the old service gradually until all the users are on the new version.
Question 3:
A cloud administrator used a deployment script to recreate a number of servers hosted in a public-cloud provider. However, after the script completes, the administrator receives the following error when attempting to connect to one of the servers via SSH from the administrator's workstation: CHANGED.
Which of the following is the MOST likely cause of the issue?
A. The DNS records need to be updated
B. The cloud provider assigned a new IP address to the server.
C. The fingerprint on the server's RSA key is different
D. The administrator has not copied the public key to the server.
Correct Answer: C
This error indicates that the SSH client has detected a change in the server's RSA key, which is used to authenticate the server and establish a secure connection. The SSH client stores the fingerprints of the servers it has previously connected to in a file called known_hosts, which is usually located in the ~/.ssh directory. When the SSH client tries to connect to a server, it compares the fingerprint of the server's RSA key with the one stored in the known_hosts file. If they match, the connection proceeds. If they do not match, the SSH client warns the user of a possible man-in-the-middle attack or a host key change, and aborts the connection. The most likely cause of this error is that the deployment script has recreated the server with a new RSA key, which does not match the one stored in the known_hosts file. This can happen when a server is reinstalled, cloned, or migrated. To resolve this error, the administrator needs to remove or update the old fingerprint from the known_hosts file, and accept the new fingerprint when connecting to the server again. Alternatively, the administrator can use a tool or service that can synchronize or manage the RSA keys across multiple servers, such as AWS Key Management Service (AWS KMS) [1], Azure Key Vault [2], or HashiCorp Vault [3].
Question 4:
An organization's executives would like to allow access to devices that meet the corporate security compliance levels. Which of the following criteria are most important for the organization to consider? (Select two).
A. Serial number
B. Firmware
C. Antivirus version and definition
D. OS patch level
E. CPU architecture
F. Manufacturer
Correct Answer: CD
Antivirus version and definition and OS patch level are important criteria for the organization to consider when allowing access to devices that meet the corporate security compliance levels. These criteria can help ensure that the devices are protected from malware and vulnerabilities that could compromise the security of the organization's data and systems. Serial number, firmware, CPU architecture, and manufacturer are not directly related to security compliance levels, although they may be relevant for other purposes such as inventory management or compatibility.
References: CompTIA Cloud+ CV0-003 Exam Objectives, Objective 4.2: Given a scenario, apply security configurations and compliance controls [1]; CompTIA Quick Start Guide to Tackling Cloud Security Concerns [2]
Question 5:
A new development team requires workstations hosted in a PaaS to develop a new website. Members of the team also require remote access to the workstations using their corporate email addresses.
Which of the following solutions will BEST meet these requirements? (Select TWO).
A. Deploy new virtual machines.
B. Configure email account replication.
C. Integrate identity services.
D. Implement a VDI solution.
E. Migrate local VHD workstations.
F. Create a new directory service.
Correct Answer: AC
A Platform-as-a-Service (PaaS) is a cloud computing model that provides customers a complete cloud platform--hardware, software, and infrastructure--for developing, running, and managing applications without the cost, complexity, and inflexibility that often comes with building and maintaining that platform on-premises [1]. To develop a new website using a PaaS, the development team needs to deploy new virtual machines (VMs) on the cloud platform. VMs are software emulations of physical computers that can run different operating systems and applications. By deploying new VMs, the development team can create a scalable and flexible environment for their website project, without having to invest in or manage physical hardware [2]. To enable remote access to the workstations using their corporate email addresses, the development team needs to integrate identity services on the cloud platform. Identity services are services that provide authentication, authorization, and identity management for users and devices accessing cloud resources. By integrating identity services, the development team can use their corporate email addresses as single sign-on (SSO) credentials to access their workstations from any device and location, while ensuring security and compliance [3]. The other options are not the best solutions for these requirements: Configuring email account replication is not necessary for remote access to the workstations. Email account replication is a process of synchronizing email accounts across different servers or locations. It can provide backup and redundancy for email services, but it does not provide authentication or identity management for remote access [4]. Implementing a Virtual Desktop Infrastructure (VDI) solution is not a PaaS solution. VDI is a technology that allows users to access virtual desktops hosted on a centralized server. VDI can provide remote access to desktop environments, but it requires additional hardware, software, and management costs that are not included in a PaaS model [5]. Migrating local VHD workstations is not a PaaS solution. VHD stands for Virtual Hard Disk, which is a file format that represents a virtual hard disk drive. Migrating local VHD workstations means moving the virtual hard disk files from local storage to cloud storage. This can provide backup and portability for the workstations, but it does not provide a complete cloud platform for developing and running applications [6]. Creating a new directory service is not necessary for remote access to the workstations. A directory service is a service that stores and organizes information about users, devices, and resources on a network. Creating a new directory service means setting up a new database and schema for storing this information. This can provide identity management and access control for the network, but it does not provide authentication or SSO for remote access.
Question 6:
A cloud administrator needs to reduce storage costs. Which of the following would best help the administrator reach that goal?
A. Enabling compression
B. Implementing deduplication
C. Using containers
D. Rightsizing the VMs
Correct Answer: B
Deduplication is a process by which redundant data is eliminated, thus reducing the size of the dataset. Deduplication with cloud storage reduces the storage requirements, along with the amount of data to be transferred over the network, resulting in faster and more efficient data protection operations [1]. Deduplication can help to shrink the data footprint, lower the storage costs, and improve the performance of backup and recovery processes [2]. Deduplication can be applied at different levels, such as file-level, block-level, or byte-level, depending on the granularity and efficiency of the technique [3]. Deduplication can also be performed at different locations, such as source, target, or cloud, depending on the architecture and design of the storage system [3]. By implementing deduplication, a cloud administrator can achieve significant data savings and optimize the cloud storage costs [4]. References: Data deduplication techniques for efficient cloud storage management: a systematic review; How Data Deduplication Reduces Cloud Data Costs; How Data Deduplication Can Save Cloud Storage Costs?; Data Deduplication Overview; What is Data Deduplication and How Can it Help Reduce Cloud Costs?
Question 7:
A systems administrator notices the host filesystem is running out of storage space. Which of the following will best reduce the storage space on the system?
A. Deduplication
B. Compression
C. Adaptive optimization
D. Thin provisioning
Correct Answer: A
Deduplication is a technique that reduces the storage space by eliminating duplicate data blocks and replacing them with pointers to the original data. Deduplication can help free up the host filesystem by removing redundant data and increasing the storage efficiency. Deduplication can be performed at the source or the target, and it can be applied at the file or block level. References: [CompTIA Cloud+ CV0-003 Certification Study Guide], Chapter 4, Objective 4.3: Given a scenario, troubleshoot common storage issues.
Question 8:
A cloud engineer is deploying a server in a cloud platform. The engineer reviews a security scan report. Which of the following recommended services should be disabled? (Select two).
A. Telnet
B. FTP
C. Remote log-in
D. DNS
E. DHCP
F. LDAP
Correct Answer: AB
Telnet and FTP are recommended services to be disabled when deploying a server in a cloud platform, as they are insecure protocols that transmit data in plain text and expose credentials and sensitive information to potential attackers [1][2]. Remote log-in, DNS, DHCP, and LDAP are not necessarily recommended to be disabled, as they may provide useful functionality for the server and the cloud environment. However, they should be configured properly and secured with encryption, authentication, and authorization mechanisms [3][4].
References: CompTIA Cloud+ CV0-003 Exam Objectives, Objective 4.2: Given a scenario, apply security configurations and compliance controls; CompTIA Quick Start Guide to Tackling Cloud Security Concerns [3]
Question 9:
A systems administrator is reviewing the logs from a company's IDS and notices a large amount of outgoing traffic from a particular server. The administrator then runs a scan on the server, which detects malware that cannot be removed.
Which of the following should the administrator do first?
A. Determine the root cause.
B. Disconnect the server from the network.
C. Perform a more intrusive scan.
D. Restore the server from a backup.
Correct Answer: B
The first step in any incident response procedure is to contain the incident and prevent it from spreading or causing more damage. In this scenario, the systems administrator is reviewing the logs from a company's IDS and notices a large amount of outgoing traffic from a particular server. The administrator then runs a scan on the server, which detects malware that cannot be removed. This indicates that the server is compromised and may be sending malicious or sensitive data to an external source. Therefore, the best thing to do first is to disconnect the server from the network, which will isolate it from the rest of the system and stop the data exfiltration. Determining the root cause, performing a more intrusive scan, and restoring the server from a backup are all important steps, but they should be done after the server is disconnected from the network. References: CompTIA Cloud+ CV0-003 Certification Study Guide, Chapter 10, Incident Response Procedures, page 1771.
Question 10:
A cloud administrator who is troubleshooting DNS issues discovers zone transfers are not occurring between the primary and secondary name servers due to an error in the serial numbers.
Which of the following records should the administrator query for the serial number?
A. PTR
B. TXT
C. SOA
D. SRV
Correct Answer: C
SOA stands for Start of Authority, and it is a type of DNS record that contains information about a DNS zone, such as the name of the primary name server, the email address of the zone administrator, the serial number of the zone, and other parameters. The serial number is used to indicate when a zone has been updated, and it is incremented by the primary name server whenever a change is made to the zone data. The secondary name servers use the serial number to determine if they need to request a zone transfer from the primary name server to synchronize their data. References: [CompTIA Cloud+ Study Guide], page 207.