KCSA — Overview of Cloud Native Security

14% of the KCSA exam. Sample questions below; the full library has 16 questions tagged to this domain.

Sample questions on Overview of Cloud Native Security

Overview of Cloud Native Security

Q1. What is the primary security concern when using artifact repositories without proper access controls?

A. Container pods cannot be scheduled on cluster nodes

    Incorrect. Repository access control issues do not affect pod scheduling.

B. Increased container runtime memory usage

    Incorrect. Repository access controls do not affect container runtime memory.

C. Network latency increases when pulling images

    Incorrect. Access controls do not directly impact network latency.

D. Unauthorized users can access, modify, or inject malicious versions of images and artifacts

    Correct. Unsecured artifact repositories allow attackers to access sensitive images, push malicious versions, or steal proprietary code, making them a critical supply chain vulnerability.

Q2. How does the External Secrets Operator (ESO) improve security in Kubernetes compared to directly storing secrets in etcd?

A. It compresses secrets to reduce storage size

    Incorrect. Compression is not a security benefit and is unrelated to secret management.

B. It encrypts secrets using a hardware security module (HSM) inside the cluster

    Incorrect. ESO does not directly manage HSM integration; that would be configured in the external vault.

C. It automatically backs up secrets to AWS S3

    Incorrect. While backup is useful, it does not improve the primary security posture of secret management.

D. It syncs secrets from external vaults into Kubernetes, allowing centralized management and rotation without modifying pod specifications

    Correct. ESO fetches secrets from external vaults (Vault, AWS Secrets Manager, etc.) and syncs them into Kubernetes, enabling centralized management, automatic rotation, and audit logging without embedding secrets in etcd.

Q3. What is the primary distinction between the shared responsibility model in cloud providers and traditional on-premises infrastructure?

A. There is no meaningful difference in responsibility allocation

    Incorrect. The shared responsibility model creates significant and important distinctions.

B. Cloud providers assume all security responsibility while customers manage only their applications

    Incorrect. Cloud providers do not assume all responsibility; they handle infrastructure but not application-level security.

C. Security responsibility is shared: the provider handles infrastructure while the customer handles application and data security

    Correct. The shared responsibility model divides duties: providers secure the platform (compute, network, storage) while customers secure their applications, data, and access controls.

D. Customers assume all security responsibility for infrastructure in the cloud

    Incorrect. Customers do not assume all responsibility; the provider maintains infrastructure security.

Q4. What is SPIFFE primarily designed to solve in cloud native security?

A. Encrypting container images during the build process

    Incorrect. Container image encryption is handled by image registry tools, not SPIFFE.

B. Managing and rotating TLS certificates for service-to-service authentication in a unified way

    Correct. SPIFFE (Secure Production Identity Framework for Everyone) provides a standardized way to issue, distribute, and rotate service identities and TLS certificates automatically.

C. Monitoring and alerting on privilege escalation attempts

    Incorrect. Privilege escalation monitoring is a runtime security concern, separate from SPIFFE's identity management purpose.

D. Enforcing network policies at the ingress controller level

    Incorrect. Network policies are Kubernetes-native resources; SPIFFE focuses on workload identity.

Q5. In the context of the 4Cs of cloud native security, at which level are you responsible for patching the operating system kernel?

A. Container level

    Incorrect. Container level addresses container runtime and image security, not the host OS kernel.

B. Cloud level

    Correct. At the Cloud level, you are responsible for infrastructure security including OS kernel patching, though your cloud provider may handle the underlying hardware.

C. Cluster level

    Incorrect. Cluster level concerns Kubernetes configuration and component security, not OS patching.

D. Code level

    Incorrect. Code level focuses on application source code security, not OS kernel management.

How this domain is tested

Overview of Cloud Native Security accounts for 14% of the KCSA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 16-question domain bank will close those gaps.