Cloud Security for CompTIA Network+ N10-009

Cloud security applies security principles to cloud-hosted infrastructure, applications, and data. CompTIA Network+ N10-009 tests cloud security concepts including the shared responsibility model, cloud-native security controls, and threats specific to cloud environments. As organizations migrate to cloud, network security skills must extend into cloud networking and security architecture.

Shared Responsibility Model

Cloud security is shared between the provider and the customer. The provider is always responsible for the physical data centers, the underlying network fabric, and the hypervisor. The customer is always responsible for their data, identity and access management (IAM), and client-side configuration. Everything in between shifts with the service model: in IaaS the customer owns the guest OS and everything above it (patching, host firewall, middleware, application, data); in PaaS the provider runs the OS and runtime and the customer owns the application code, its configuration, and the data; in SaaS the customer owns only the data and the user accounts and access settings.

Common customer mistakes: misconfigured S3 buckets (public read access on private data), overprivileged IAM roles, no MFA on root/admin accounts, unencrypted data at rest, open security groups allowing 0.0.0.0/0 on all ports. Most cloud breaches result from customer misconfiguration, not cloud provider failures.

Cloud Network Security Controls

Security groups (virtual firewalls): control inbound and outbound traffic at the instance (virtual NIC) level. They are stateful: once a connection is allowed in one direction, the return packets of that connection are permitted automatically, so no matching rule in the opposite direction is needed. Security groups contain only allow rules; anything not explicitly allowed is dropped. Apply least privilege: open only the specific ports required, from specific sources (a CIDR range or another security group). Never allow 0.0.0.0/0 (any source) on administrative or database ports such as SSH, RDP, or SQL; a world-open rule is justified only for a genuinely public service port such as 443 on a load balancer.

Network ACLs (cloud): subnet-level stateless filters in cloud VPCs (e.g., AWS NACL). Unlike security groups, NACLs evaluate every packet on its own, so bidirectional traffic needs both an inbound and an outbound rule. A common failure is allowing inbound 443 but forgetting the outbound rule for the client's ephemeral port range (1024 to 65535), which silently drops the server's replies. NACLs support both allow and deny rules, evaluated in rule-number order with the first match winning and an implicit deny at the end, and they apply to every instance in the subnet.
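The stateful-versus-stateless distinction above is easier to see when it runs. The following is an added example written for this page, not code from the Network+ guide or from any cloud provider: a toy model of an instance-level security group with a connection-tracking table and a subnet-level NACL that judges each packet alone. The Rule and Packet shapes, the demo() function, and the addresses (a client in 203.0.113.0/24 and a server in 10.0.1.0/24) are assumptions chosen for the demonstration, not a provider API.

```python
"""Stateful security group vs stateless network ACL, simulated.

Added example for this page, not code from the Network+ guide or any cloud
provider. Rule and packet shapes are simplified assumptions, not a provider
API; the addresses are documentation ranges chosen for the demo.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    direction: str    # "in" (toward the instance) or "out" (from the instance)
    action: str       # "allow" or "deny" (security groups only use "allow")
    proto: str        # "tcp" or "udp"
    port_from: int    # destination-port range the rule covers
    port_to: int
    cidr: str         # remote side: the source for "in", the destination for "out"


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _matches(rule, pkt):
    if rule.direction != pkt.direction or rule.proto != pkt.proto:
        return False
    remote_ip = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
    return (rule.port_from <= pkt.dst_port <= rule.port_to
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr))


def _flow_key(pkt):
    """(proto, remote_ip, remote_port, local_ip, local_port): identical for both directions of one flow."""
    if pkt.direction == "in":
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
    return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


class SecurityGroup:
    """Stateful: a packet belonging to an already-allowed flow passes without its own rule."""

    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]
        self.flows = set()                 # connection-tracking table

    def allows(self, pkt):
        key = _flow_key(pkt)
        if key in self.flows:
            return True                    # reply or continuation of a tracked flow
        if any(_matches(r, pkt) for r in self.rules):
            self.flows.add(key)            # remember the flow so its replies pass
            return True
        return False


class NetworkAcl:
    """Stateless: each packet is judged alone; first matching rule wins, else deny."""

    def __init__(self, rules):
        self.rules = list(rules)           # kept in rule-number order

    def allows(self, pkt):
        for r in self.rules:
            if _matches(r, pkt):
                return r.action == "allow"
        return False                       # implicit deny at the end of the list


def demo():
    """An HTTPS request from an internet client and the server's reply, through each filter."""
    client, server = "203.0.113.10", "10.0.1.5"
    request = Packet("in", "tcp", client, 51000, server, 443)
    reply = Packet("out", "tcp", server, 443, client, 51000)

    https_in = Rule("in", "allow", "tcp", 443, 443, "0.0.0.0/0")
    ephemeral_out = Rule("out", "allow", "tcp", 1024, 65535, "0.0.0.0/0")

    sg = SecurityGroup([https_in])                      # one inbound rule is enough
    nacl_half = NetworkAcl([https_in])                  # outbound ephemeral rule forgotten
    nacl_full = NetworkAcl([https_in, ephemeral_out])   # both directions listed

    return {
        "security_group": (sg.allows(request), sg.allows(reply)),
        "nacl_missing_ephemeral": (nacl_half.allows(request), nacl_half.allows(reply)),
        "nacl_with_ephemeral": (nacl_full.allows(request), nacl_full.allows(reply)),
    }


if __name__ == "__main__":
    for name, (req_ok, reply_ok) in demo().items():
        print(f"{name:24} request={req_ok} reply={reply_ok}")
```

The security group passes the reply because it tracked the flow when the request was allowed; the half-configured NACL accepts the request and then drops the reply on port 51000, which is exactly the symptom of a missing ephemeral-port rule.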

Cloud WAF and DDoS protection: cloud providers offer WAF services (AWS WAF, Azure WAF, Cloudflare WAF) and DDoS protection (AWS Shield, Azure DDoS Protection). These cloud-native services integrate directly with cloud load balancers and CDNs without requiring dedicated hardware.

Encryption: encrypt data at rest using cloud KMS (Key Management Service) — provider-managed keys or customer-managed keys (CMK). Encrypt data in transit using TLS. Client-side encryption: encrypt before uploading so even the provider cannot access plaintext.

Key exam facts — Network+

  • Shared responsibility: provider owns physical; customer owns data and IAM
  • IaaS: customer owns OS+; PaaS: customer owns app+data; SaaS: customer owns data
  • Misconfigured cloud resources = most common cause of cloud breaches
  • Security groups: instance-level, stateful; Network ACLs: subnet-level, stateless
  • Never allow 0.0.0.0/0 (any source) on administrative or database ports in production security groups; world-open rules belong only on public service ports
  • Cloud KMS: manages encryption keys for data at rest
  • Cloud WAF and DDoS services provide managed protection without hardware

Common exam traps

The cloud provider secures everything in the cloud

The shared responsibility model clearly defines what the customer must do: configure IAM, encryption, security groups, and data protection. Breaches of the provider's own infrastructure are rare; customer misconfiguration is the primary cloud security risk.

Practice questions — Cloud Security

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A company hosts an application on IaaS cloud VMs. The cloud provider is responsible for which of the following?

A. Operating system patching
B. Application security
C. Physical data center infrastructure security
D. User access management

Correct answer: C

Explanation: In IaaS, the cloud provider is responsible for physical infrastructure, hypervisors, and the underlying network fabric. The customer is responsible for everything above the hypervisor: OS patching, application security, data, and user access management. This is the IaaS shared responsibility boundary.

Frequently asked questions — Cloud Security

What is CSPM?

CSPM (Cloud Security Posture Management) tools continuously scan cloud environments for misconfigurations, compliance violations, and security risks. They identify issues like publicly accessible S3 buckets, overprivileged IAM roles, security groups with excessive access, and unencrypted storage volumes. Examples: Prisma Cloud, AWS Security Hub, Microsoft Defender for Cloud. CSPM provides visibility into the security posture across multi-cloud environments.
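The world-open security group rule listed under common customer mistakes, the least-privilege guidance for security groups, and the CSPM check described here all come down to the same audit. The following is an added example written for this page, not code from the Network+ guide or from any CSPM product: it reads the JSON shape that `aws ec2 describe-security-groups` returns (SecurityGroups, IpPermissions, IpRanges, Ipv6Ranges) and grades every inbound rule open to 0.0.0.0/0 or ::/0. The sample groups, their IDs and rules are constructed for the demonstration, and the severity thresholds (the SENSITIVE_PORTS list and the 100-port WIDE_RANGE cutoff) are the author's assumptions rather than any vendor's policy.

```python
"""CSPM-style audit of cloud security group rules.

Added example for this page, not code from the Network+ guide or from any
CSPM product. Consumes the JSON shape produced by
`aws ec2 describe-security-groups`. Sample groups below are constructed
data; severity thresholds are assumptions for the demo.
"""
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Ports where an inbound allow from the whole internet is almost never justified.
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
    5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB",
}
WIDE_RANGE = 100   # more than this many ports open to the world is a finding by itself

# Constructed sample in the describe-security-groups output shape (not a real account).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-web", "GroupName": "web-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "GroupName": "mysql", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-dev", "GroupName": "dev-tools", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy", "GroupName": "legacy-allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]})


def _world_ranges(perm):
    """CIDRs in this permission that mean 'anyone on the internet'."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in WORLD_CIDRS)


def _finding(group, severity, detail):
    return {"group_id": group["GroupId"], "group_name": group.get("GroupName", ""),
            "severity": severity, "detail": detail}


def audit_security_groups(groups):
    """Return one finding per world-open inbound rule, highest severity first."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            world = _world_ranges(perm)
            if not world:
                continue                           # scoped to specific sources: fine
            proto = perm.get("IpProtocol")
            if proto == "-1":                      # "all traffic": every protocol and port
                findings.append(_finding(group, "HIGH",
                                "all protocols and ports open to " + ", ".join(world)))
                continue
            if proto not in ("tcp", "udp"):
                continue                           # ICMP and others are out of scope here
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            exposed = [f"{p}/{name}" for p, name in SENSITIVE_PORTS.items() if lo <= p <= hi]
            if exposed:
                sev = "HIGH"
                detail = f"{proto} {lo}-{hi} open to world exposes " + ", ".join(exposed)
            elif hi - lo + 1 > WIDE_RANGE:
                sev = "MEDIUM"
                detail = f"{proto} {lo}-{hi} ({hi - lo + 1} ports) open to world"
            else:
                sev = "INFO"
                detail = f"{proto} {lo}-{hi} open to world; acceptable only for a public service"
            findings.append(_finding(group, sev, detail))
    order = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["group_id"]))


def audit_describe_output(text):
    """Audit the raw JSON text of `aws ec2 describe-security-groups`."""
    return audit_security_groups(json.loads(text)["SecurityGroups"])


if __name__ == "__main__":
    for f in audit_describe_output(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['severity']:6} {f['group_id']:10} {f['detail']}")
```

The grading reflects the point made about security groups earlier on the page: 443 open to the world on a load balancer group is reported only as INFO, while SSH open to the world and an "all traffic" rule are HIGH regardless of what the group is called. The MySQL group restricted to 10.0.0.0/16 produces no finding at all.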
