CCSK Exam Prep

Study Guide

Certificate of Cloud Security Knowledge Study Guide

Use the saved domain outline to connect the four exam domains (cloud architecture, governance, and risk management; data protection and identity security; infrastructure, network, and workload security; security operations, monitoring, and incident response) to scenario-based questions and explanations.

How the Exam Is Structured

The Certificate of Cloud Security Knowledge (CCSK) validates knowledge of cloud architecture, governance, and risk management; data protection and identity security; infrastructure, network, and workload security; and security operations, monitoring, and incident response. The ExamPal practice bank includes 194 premium questions and 40 free questions mapped across the official blueprint.

Domain | Weight | Focus
Domain 1: Cloud Architecture, Governance, and Risk Management | 24% | Task 1.1: Explain core cloud computing concepts and service/deployment models; Differentiate IaaS, PaaS, and SaaS responsibilities
Domain 2: Data Protection and Identity Security | 22% | Task 2.1: Classify and handle data throughout its lifecycle; Apply classification schemes to cloud-hosted data
Domain 3: Infrastructure, Network, and Workload Security | 31% | Task 3.1: Secure cloud networking and segmentation; Explain the purpose of VPCs, VNets, subnets, and routing controls
Domain 4: Security Operations, Monitoring, and Incident Response | 23% | Task 4.1: Design logging and monitoring for cloud visibility; Collect activity, audit, platform, network, and application logs

24% of exam

Domain 1: Cloud Architecture, Governance, and Risk Management

Covers foundational cloud concepts, governance, organizational management, and risk/compliance considerations. This domain emphasizes understanding cloud service and deployment models, designing secure and resilient architectures, and managing governance, risk, and compliance across the enterprise.

Task 1.1: Explain core cloud computing concepts and service/deployment models
  • Differentiate IaaS, PaaS, and SaaS responsibilities
  • Compare public, private, hybrid, and multi-cloud deployment models
  • Describe essential cloud characteristics
  • Apply migration concepts
Task 1.2: Apply cloud architecture and design principles
  • Interpret shared responsibility across service models

22% of exam

Domain 2: Data Protection and Identity Security

Covers data security, identity and access management, and foundational Zero Trust controls. This domain focuses on protecting data across its lifecycle, securing cryptographic material and secrets, and implementing strong identity, authentication, and access controls.

Task 2.1: Classify and handle data throughout its lifecycle
  • Apply classification schemes to cloud-hosted data
  • Define handling requirements for storage, use, sharing, and disposal
  • Determine retention and destruction requirements
  • Identify ownership and accountability for data protection decisions
Task 2.2: Protect data at rest, in transit, and in use
  • Select encryption controls appropriate to risk and regulatory requirements

31% of exam

Domain 3: Infrastructure, Network, and Workload Security

Covers infrastructure and networking, workload protection, and related cloud platform security. This domain emphasizes securing networks, compute resources, containers, serverless services, platform controls, applications, APIs, and DevSecOps workflows.

Task 3.1: Secure cloud networking and segmentation
  • Explain the purpose of VPCs, VNets, subnets, and routing controls
  • Apply segmentation using security groups, network ACLs, and microsegmentation
  • Protect ingress and egress paths with layered controls
  • Evaluate connectivity options for hybrid and multi-cloud architectures
Task 3.2: Protect cloud-hosted workloads and compute resources
  • Secure virtual machines through hardening, patching, and baseline configuration

23% of exam

Domain 4: Security Operations, Monitoring, and Incident Response

Covers monitoring, detection, resilience, and response in cloud environments. This domain emphasizes logging and visibility, threat detection and investigation, incident response, forensics, backup and disaster recovery, and continuous security improvement.

Task 4.1: Design logging and monitoring for cloud visibility
  • Collect activity, audit, platform, network, and application logs
  • Centralize telemetry across accounts, subscriptions, and providers
  • Ensure timestamps, integrity, and retention support investigations
  • Balance visibility requirements with cost and operational constraints
Task 4.2: Detect threats and investigate suspicious activity
  • Analyze administrative actions, API calls, and access events

Key Terms to Know

These terms are loaded from the shared terminology pack and appear across the question explanations.

API security
The discipline of protecting application programming interfaces from abuse, unauthorized access, and data exposure.
Cloud Incident Response Plan
A documented set of roles, responsibilities, and procedures for detecting, responding to, and recovering from cloud security incidents.
Cloud bursting
The use of public cloud resources to handle excess workload demand when private capacity is insufficient.
Comprehensive logging
The collection of detailed records of activities across systems, users, APIs, and networks for monitoring and investigation.
Confidential/Restricted data
A high-sensitivity data classification for information that could cause serious harm if disclosed.
Configuration baseline
An approved standard configuration used as the reference point for secure system settings.
Container escape
An attack in which a process inside a container breaks isolation and gains access to the host or other containers.
Container security
The practices and controls used to protect containerized applications and their runtime environments.
Continuous monitoring
Ongoing observation of systems and controls to detect changes, anomalies, or security issues in near real time.
Data Encryption Key (DEK)
A cryptographic key used directly to encrypt and decrypt data.
Data classification
The process of labeling data based on sensitivity, value, and handling requirements.
Data lifecycle management
The governance of data from creation through use, storage, retention, archival, and disposal.
Deterministic encryption
An encryption method that produces the same ciphertext for the same plaintext, enabling exact-match searches.
Elastic scalability
The ability to rapidly increase or decrease computing resources in response to workload changes.
Encryption in transit
Protection of data while it moves across networks, typically using secure transport protocols.
Exact-match search
A query operation that looks for identical values, often supported on deterministically encrypted fields.
Hierarchical key management
A key structure in which higher-level keys protect lower-level keys to support separation and scalability.
Hybrid cloud
A deployment model that combines private cloud or on-premises resources with public cloud services.

Official Materials and Guidance

This page is built from Cloud Security Alliance official materials and the ExamPal shared release pack, the shared syllabus, topic tree, terminology pack, free pack, and premium pack.

  • Guidance: CSA official guidance, CCSK prep materials saved locally
  • Domain outline: No official percent split in saved materials; content follows CSA Security Guidance, Cloud Controls Matrix, and ENISA cloud risk material.