Question 7 - ISC2 CCSP Real Exam Questions [Feb 2026 Update]

Q: 7

Your company is moving its critical business applications to a public cloud platform. As part of the security design, you need to implement controls that ensure only authorized personnel can access sensitive resources within the cloud environment. Which of the following approaches is most effective for ensuring that users are properly authorized to access sensitive resources in the cloud?

Options

Discussion

Owen R. Jan 16, 2026 7:09 pm

Option C

Priya N. Jan 21, 2026 3:24 am

C . Allowing users to self-assign (A) is the classic trap here, seen it pop up a lot on practice sets.

Priya W. Jan 24, 2026 4:49 pm

C is the way to go here. Official study guides and most sample tests hammer RBAC as the best approach for mapping access to user roles in cloud. It ties right into least privilege and auditability, so I'm pretty sure this is what exam wants. Agree or any other sources say different?

Neha K. Jan 18, 2026 11:54 am

C is what I'd pick too. Practice exams and the official guide both really stress RBAC for this scenario.

Grace T. Jan 30, 2026 5:53 am

D . If all admins share a single account, they all have the same access and there's no risk of assigning the wrong permissions to just one person accidentally. It saves time since you don't manage individual credentials. I think it covers authorization, but not totally sure if I'm missing an obvious risk here. Agree?

Liam U. Jan 31, 2026 7:35 am

C tbh. Had a super similar question in a mock and RBAC was the right move since it enforces least privilege and maps access to job roles. Letting users self-assign or using shared accounts is a security nightmare. Anyone see it done differently on their exam?

Jordan Z. Jan 20, 2026 11:10 pm

Sara Jan 18, 2026 9:48 am

C, not A. Self-assigning permissions (A) is risky and usually a trap on these questions. RBAC in C controls access based on roles, which is best for authorization in cloud setups imo. Anyone disagree?

Cameron X. Jan 25, 2026 12:53 am

Option C

Be respectful. No spam.

Correct Answer:

Explanation

Role-Based Access Control (RBAC) is the most effective and widely adopted approach for managing authorization in complex environments like the public cloud. RBAC aligns access permissions with the specific job functions and responsibilities of personnel. By assigning users to predefined roles (e.g., database administrator, network engineer, auditor), organizations can systematically enforce the principle of least privilege. This ensures that individuals only have the minimum level of access necessary to perform their duties, significantly reducing the risk of unauthorized access to sensitive resources, data breaches, and accidental misconfigurations. It also simplifies access management and auditing processes.

Why Incorrect

A. Allowing users to self-assign permissions as needed violates the principle of least privilege and separation of duties, creating a high risk of privilege escalation and unauthorized access.

B. Granting all users the same level of access regardless of their role directly contradicts the principle of least privilege and exposes sensitive resources to unnecessary risk from a larger pool of users.

D. Using a single, shared admin account for all cloud administrators eliminates individual accountability and non-repudiation, making it impossible to trace actions back to a specific person.

References

1. Cloud Security Alliance (CSA). (2017). Security Guidance for Critical Areas of Focus in Cloud Computing v4.0. Domain 6: Identity

Entitlement

and Access Management

Section 6.2

page 79

states

"Role-based access control (RBAC) is the most common model for managing entitlements. In this model

entitlements are grouped into roles

and users are assigned to those roles."

2. National Institute of Standards and Technology (NIST). (2020). Special Publication 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations. Control AC-2 (Account Management) and its enhancement AC-2(1) emphasize assigning access authorizations based on "formal

documented organizational mission/business functions

" which is the foundational concept of RBAC.

3. Microsoft Azure Documentation. (2023). What is Azure role-based access control (Azure RBAC)?. In its official documentation

Microsoft states

"Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources... To grant access

you assign roles to users

groups

service principals

or managed identities at a particular scope." This exemplifies the standard implementation of RBAC by a major cloud provider.

4. Ferraiolo

D. F.

& Kuhn

D. R. (1992). Role-Based Access Control. 15th National Computer Security Conference. This foundational academic paper introduced the RBAC model

defining its core principles of assigning permissions to roles rather than directly to users to enforce organizational security policies. (Available via NIST CSRC publications).

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE