10 free, exam-style Cloud Plus practice questions with answers and explanations. No signup required. Work through them below, then take the full free Cloud Plus practice test to study every exam domain.
These 10 free Cloud Plus questions are organized by exam domain, so you can see how each part of the Cloud Plus blueprint is tested. Reveal the answer and explanation under each question.
Domain 1: Cloud Architecture (23% of exam)
Question 1
A company hosts a web application using IaaS virtual machines in a public cloud. After a security breach, the investigation reveals that the operating system had not been patched in six months. Under the shared responsibility model, who is accountable for this failure?
- The cloud provider, because they manage the underlying infrastructure and should push OS patches automatically
- Both parties equally, because the shared responsibility model splits OS management between provider and customer
- The customer, because OS patching is the customer's responsibility in an IaaS model
- The cloud provider, because all security obligations transfer to the provider once workloads are deployed in their environment
Correct answer: C - The customer, because OS patching is the customer's responsibility in an IaaS model
Question 2
A financial services company requires that no more than 15 minutes of transaction data can be lost in the event of a disaster. Which metric defines this requirement?
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
- Mean Time to Repair (MTTR)
- Service Level Objective (SLO)
Correct answer: B - Recovery Point Objective (RPO)
Question 3
A media company needs to store 200 TB of video archives that will be accessed approximately once per year for regulatory audits. Retrieval can take up to 12 hours. Which storage solution is MOST cost-effective?
- Block storage with provisioned IOPS on SSD volumes
- File storage on a network-attached file system with daily snapshots
- Object storage in a hot tier with cross-region replication enabled
- Object storage in an archive tier with lifecycle policies
Correct answer: D - Object storage in an archive tier with lifecycle policies
Domain 2: Deployment (19% of exam)
Question 4
A development team deploys a new application version by directing 5% of production traffic to the updated instances while 95% of traffic continues to the existing version. After monitoring error rates and latency for 30 minutes, they gradually increase traffic to the new version. Which deployment strategy is being used?
- Blue-green deployment
- Rolling deployment
- In-place deployment
- Canary deployment
Correct answer: D - Canary deployment
Question 5
A cloud administrator runs a Terraform plan and discovers that the live environment contains three additional security groups that are not defined in any Terraform configuration file. Which IaC concept does this scenario describe?
- Configuration drift
- State file corruption
- Template deprecation
- Idempotency failure
Correct answer: A - Configuration drift
Domain 3: Operations (17% of exam)
Question 6
An organization performs a full backup every Sunday night. Incremental backups run Monday through Saturday. A server failure occurs on Thursday morning. Which backups are required to perform a complete restore?
- Sunday's full backup and Wednesday's incremental backup only, since the latest incremental captures everything since Sunday
- Sunday's full backup and the incremental backups from Monday, Tuesday, and Wednesday
- Sunday's full backup only, since it contains all data up to the point of failure
- The most recent incremental backup from Wednesday only
Correct answer: B - Sunday's full backup and the incremental backups from Monday, Tuesday, and Wednesday
Domain 4: Security (19% of exam)
Question 7
A company wants to allow a third-party analytics application to read data from its cloud storage on behalf of users, without requiring users to share their passwords with the third party. Which protocol is designed specifically for this use case?
- OAuth 2.0, because it grants delegated authorization via access tokens
- SAML 2.0, because it provides federated authentication across domains
- LDAP, because it stores and retrieves user credentials from a central directory
- OpenID Connect, because it verifies user identity through ID tokens
Correct answer: A - OAuth 2.0, because it grants delegated authorization via access tokens
Question 8
A security team deploys a network device that inspects traffic in real time and automatically drops packets matching known attack signatures. Which security control is this?
- Intrusion Detection System (IDS)
- Security Information and Event Management (SIEM)
- Data Loss Prevention (DLP)
- Intrusion Prevention System (IPS)
Correct answer: D - Intrusion Prevention System (IPS)
Domain 5: DevOps Fundamentals (10% of exam)
Question 9
A DevOps engineer needs to automate server configuration across 200 Linux instances without installing any agent software on the target machines. The tool must use SSH and YAML-based playbooks. Which tool meets these requirements?
- Terraform
- Jenkins
- Ansible
- Kubernetes
Correct answer: C - Ansible
Domain 6: Troubleshooting (12% of exam)
Question 10
Users report that they can log in to a cloud-hosted application successfully but receive an error when attempting to access the admin dashboard. The application returns HTTP status code 403. What is the MOST likely cause?
- The users' authentication credentials have expired and the identity provider is rejecting their session tokens
- The application server is overloaded and temporarily unavailable
- The users are authenticated but lack authorization for the admin resource
- The DNS records for the admin dashboard are misconfigured
Correct answer: C - The users are authenticated but lack authorization for the admin resource