The security logs of the software web application show patterns that are typical of an SQL injection attack. This is evidenced by the inclusion of SQL syntax in the user input fields in an attempt to manipulate the database. References: CompTIA Cloud+ Study Guide (Exam CV0-004) - Chapter on Cloud Security Threats

When backing up data that will traverse a third-party, untrusted network, encryption is the most important feature to ensure the confidentiality and integrity of the data. Encryption will protect the data from potential interception or tampering during transit to the backup data center. References: CompTIA Cloud+ Guide to Cloud Computing (ISBN: 978-1-64274-282-2)

A Software-Defined Network (SDN) is a network approach that allows the addition of new features through software configurations rather than hardware updates, making use of network function virtualization (NFV). NFV decouples network functions from proprietary hardware appliances, so they can run in software, which aligns with the flexibility offered by SDN. References: CompTIA Cloud+ Study Guide (Exam CV0-004) - Chapter on Network Management

CompTIA Cloud+ (CV0-004) security objectives emphasize that traditional perimeter defenses alone are no longer sufficient because modern attacks frequently bypass the border via stolen credentials, phishing, misconfigurations, lateral movement, and compromised endpoints. When an organization already has strong next-generation firewall (NGFW) and IPS controls but still experiences breaches, the best strategic improvement is to adopt a Zero Trust approach that assumes no implicit trust based on network location. Zero Trust shifts enforcement to identity, device posture, least privilege, and continuous verification, limiting blast radius even when attackers get inside. This includes strong IAM policies, conditional access, micro-segmentation, and tighter authorization decisions for each request.

Option A (CIS benchmarking) and option B (port scanning/closure) are useful hardening steps, but they are incremental and still largely perimeter-centric. Option D (adding a WAF) improves protection for web applications, yet it remains another border control and won’t address identity-based compromises across internal and cloud services. Therefore, moving to identity-centric Zero Trust is the most effective way to reduce recurring incidents.

For volumetric DDoS, the primary goal is to absorb and disperse massive traffic floods before they overwhelm bandwidth, edge links, or the application entry point. Placing a CDN in front of the web server is highly effective because CDN edge nodes distribute traffic globally, cache static content, and reduce direct requests reaching the origin. This improves resilience and keeps origin capacity available for legitimate users. A WAF complements this by filtering malicious HTTP/S traffic patterns and enforcing rules (rate limiting, bot filtering, request validation) at the edge or in front of the service. Together, CDN + WAF align with Cloud+ CV0-004 objectives around designing secure, highly available architectures, implementing layered defenses, and using cloud-native services to mitigate attacks.

DLP focuses on preventing data exfiltration, not DDoS. Hardening reduces compromise risk but does not stop traffic floods. ACLs can restrict known bad sources but are limited against distributed botnets and may not scale fast enough for large attacks. Inline IDS is typically detection-focused and can become a bottleneck during volumetric events.

Load scaling is the most appropriate approach when a system surpasses 75% to 80% of resource consumption. This method involves adjusting resources dynamically in response to the current load, ensuring the system can handle increased demand without performance degradation. Load scaling can be automatic, allowing systems to scale up or down based on predefined metrics like CPU usage, memory, or network traffic, providing an efficient way to manage resources and maintain optimal performance.

The CompTIA Cloud+ exam objectives include understanding cloud management and technical operations, which encompass knowledge of various scaling approaches, including load scaling, to ensure efficient resource utilization in cloud environments.

Adding a redundant web server behind a load balancer is the solution that will ensure high availability. If one server goes down for maintenance, the other can take over, ensuring that the web service remains available without interruption.

High availability concepts, including the use of load balancers and redundant servers, are part of cloud infrastructure design as per CompTIA Cloud+.

Ansible can be used to harden the operating system once the VM is running. It is an automation tool that can configure systems, deploy software, and orchestrate more advanced IT tasks such as continuous deployments or zero downtime rolling updates.

Ansible and other configuration management tools are part of the cloud management strategies discussed in the CompTIA Cloud+ certification material.

To allow subnets on different VPCs to communicate with each other over private channels, the cloud engineer should create peering connections between all the VPCs. VPC Peering allows networks to connect and route traffic using private IP addresses without the need for gateways, VPN connections, or separate physical hardware. References: CompTIA Cloud+ Study Guide (Exam CV0-004) by Todd Montgomery and Stephen Olson

For a government agency considering cloud migration, compliance and regulatory considerations are of utmost importance. The agency must ensure that the migration aligns with legal requirements, industry standards, and government regulations specific to the public sector.

Compliance and regulatory considerations are crucial factors in the cloud migration process for government entities, as emphasized in the CompTIA Cloud+ certification.