🎓 CISSP Practice - Domain 5 - Identity and Access Management

Correct Answer: C

A federated-linking table isolates the vendor’s internal UUID from every customer’s external identifier, supporting multiple IdPs, mergers, and email changes without altering core tables. Per-customer schemas explode operational cost, DN storage ties the app to LDAP specifics, and email hashing collides when employees change employers.

Correct Answer: A

GCDS populates Google with the HR-mastered identities, while SAML SSO moves authentication to the conglomerate’s IdP, ensuring that termination in HR disables login. CSV (B) is manual and error-prone; disabling 2FA (C) weakens security; UPN alignment (D) does not establish authoritative identity or termination.

Correct Answer: B

A pepper (secret key) stored outside the authentication DB (ideally in an HSM) means the attacker cannot perform an offline brute-force attack even with the hash and salt. 15-char passphrases (A) help but are not as strong as a secret parameter unknown to the attacker; doubling iterations (C) only linearly increases cost; 30-day expiry (D) increases friction and does little against offline attacks.

Correct Answer: C

Option C layers biometric (“something you are”) on top of the existing PIV (“something you have”) and PIN (“something you know”) without ripping out cards or buying new hardware beyond fingerprint readers. Windows Hello (A) does not integrate natively with PIV for all scenarios (e.g., SSH, mainframe). FIDO2 keys (B) require new readers and new certificate chain. Dual-person (D) is not accepted by most regulators as a substitute for individual multi-factor authentication.

Correct Answer: C

Regional AS clusters horizontalize the issuance load while still enforcing the same policy set synchronized through consensus. Five-minute JWTs keep the revocation window small, satisfying zero-trust principles. Self-signed JWTs (A) eliminate centralized control and allow any microservice to mint unlimited tokens. Long-lived bulk JWTs (B) create a large blast radius if compromised. CDN key caching (D) does not reduce AS load and allows stale tokens.

Correct Answer: B

ADFS provides true federation—Azure AD trusts the hospital’s ADFS to vouch for the user, so no password hashes leave the hospital, satisfying healthcare-sector resistance to cloud password stores. Pass-through still proxies the password, which some risk committees reject, Password Hash Sync replicates hashes (unwanted), and replacing LDAP wholesale is disruptive and unnecessary.

Correct Answer: B

Mapping certificates to a single identity store (LDAP/AD) allows the same account to be used everywhere while the relying systems enforce authentication strength appropriate to the zone. RADIUS only handles network admission, not application logins. Shadow accounts and trusts double the attack surface, and hourly sync creates windows of inconsistency.

Correct Answer: B

PKINIT binds the Kerberos authentication to the PIV private key, ensuring that any network authentication (SMB, HTTP, RDP) uses the PIV-derived credential rather than a password hash. Smart-card logon alone (A) only affects interactive logon. Credential Guard (C) protects hashes but does not replace them with PIV-derived credentials. Option D still relies on a memorized or stored password.

Correct Answer: A

OPA Gatekeeper (or Conftest) can evaluate rego policies that call cosign or notation to verify the signed digest. RBAC blocks who can create pods, not what image is used. ImagePullPolicy and Docker Content Trust rely on the node’s local configuration and do not provide centralized, attestable enforcement. PodSecurityPolicy governs runtime privileges, not image provenance.

Correct Answer: D

AWS SSO (now Identity Center) issues short-lived STS tokens via the `aws sso login` CLI command; no keys are stored. SCIM ensures that only active Azure AD accounts get SSO access. Option A is acceptable but AWS SSO CLI v2 is more seamless. AD FS (B) still requires SAML assertions that the CLI must handle manually. Long-lived keys (C) violate PCI Req. 8.

Correct Answer: B

ADCS can push delta-CRLs to each workstation’s cache before disconnection, allowing the LSA to verify non-revocation offline. Credential Guard (A) protects against pass-the-hash but does not evaluate revocation. OCSP (C) requires online connectivity. Hello for Business (D) is a different modality and does not use PIV.

Correct Answer: B

SCIM is the only option that provides automated, near-real-time provisioning and de-provisioning of both users and groups. A five-minute pull interval keeps the lag under the 15-minute requirement, and continuing to use AD groups preserves the existing RBAC model without manual duplication. CSV imports (A) are too slow and error-prone. LDAP replication (C) still leaves the SaaS performing authentication, which does not meet the de-provisioning objective unless the SaaS also supports LDAP compares—something not stated. Just-in-time tickets (D) abandon RBAC entirely and create operational overhead.

Correct Answer: A

IAM Identity Center permission sets can be configured with 2-hour session duration and no persistent credentials; upon console/CLI expiry the access is gone, eliminating standing privileges. Config rule (C) is reactive and race-prone; individual IAM users (B) and root (D) create permanent attack surface.

Correct Answer: C

Edge-based, token-based storage means the biometric never exists in a central repository, eliminating the privacy risk of mass surveillance while still preventing tailgating. Hashed templates (A) are not feasible for facial recognition because matching is fuzzy, not exact. Encryption (B) still leaves raw images under central control. Blockchain (D) is immutable, worsening privacy.

Correct Answer: D

One-way non-transitive prevents a compromise in the larger realm from propagating further, and namespacing (via authZ plugin or KDB ACL) restricts which campus users can even request a CS service ticket, limiting attacker usefulness of any forged TGT. Short lifetime (B) helps but does not stop issuance; two-way transitive (A) maximizes blast-radius; shared secret (C) breaks SSO.

Correct Answer: A

AWS SSO (now IAM Identity Center) issues temporary, automatically rotating credentials to the AWS CLI v2; denying iam:CreateAccessKey via SCP prevents anyone from creating long-term keys. Nightly deletion (B) is reactive and still leaves a 90-day window. AssumeRoleWithSAML (C) works but is more complex for CLI than SSO’s built-in token refresh. Hardware tokens for access keys (D) do not exist; hardware tokens provide TOTP for MFA, not rotating access keys.

Correct Answer: C

The VLAN ID is an environment attribute that the PEP (Policy Enforcement Point) must assert. Because the user’s device—not the user—must be on the VLAN, the most reliable method is for the network switch or 802.1X service to embed that fact in a security assertion consumed by the PEP. GPS (A) is spoofable and privacy-invasive. Resource classification (B) is irrelevant to the scenario’s constraints. Action “read” (D) is already known by the PEP and does not solve the trust problem.

Correct Answer: A

The broker must consume whatever token the customer IdP issues and translate it into the one format the app understands (SAML). OpenID Connect is the modern, widely supported protocol for browser-based SSO from customer IdPs, while the app still expects SAML. The broker performs the protocol translation. Option B’s OAuth client-credentials is for service-to-service, not browser SSO; C’s WS-Federation is legacy and LDAPS is not an SSO protocol; D’s RADIUS cannot carry rich attributes for SSO.

Correct Answer: B

Pass-through authentication keeps the on-prem AD as the sole credential validator; password write-back forces password changes made on-prem to be pushed immediately to Azure AD, which in turn invalidates existing SAML tokens and refresh tokens at the SaaS providers. Password hash sync (A) would still allow cached passwords to live for up to 10 min. AD FS (C) does not shorten SaaS-side caches. Device write-back (D) is irrelevant to password lifetime.

Correct Answer: C

Vault’s SSH CA produces certificates that automatically expire; no cleanup agents or cron jobs are needed. Students authenticate to Vault with their existing SAML session, so no AWS IAM user proliferation occurs. Parameter Store (A) requires continual Lambda scanning and still leaves the public key on disk until the next scan. AWS SSO (B) forces students into the AWS console/API, which is excessive for simple SSH. Local “expire” (D) can be circumvented by changing the instance clock or editing /etc/shadow.

Correct Answer: B

SAML federation allows each region to keep its directory sovereign; pseudonymous NameIDs prevent the US site from seeing GDPR-protected attributes, while still recognizing returning users. No bulk data cross-border transfer occurs. A single cluster (A) still replicates configuration and logs that may contain EU PII. Migrating to a US AD (C) is exactly what GDPR seeks to prevent. Blockchain/IPFS (D) is immature, leaks metadata, and offers no erasure capability required by GDPR “right to be forgotten.”

Correct Answer: B

XACML obligations let the PEP enforce the “approve within 24 h or deny” rule in real time, while the PIP can consult a database timestamped with NTP to handle clock skew. All decisions are logged centrally for audit. Device-code flow (A) is designed for input-constrained devices, not document COIs, and offers no built-in approval hook. Blockchain (C) is overkill and cannot guarantee block time accuracy. Attribute certificates (D) require a heavyweight PKI and frequent CRL updates that still leave a window where revoked certs are considered valid.

Correct Answer: C

Storing only non-sensitive account metadata in LDAP while keeping password hashes in local /etc/shadow prevents bulk hash exposure if LDAP is breached. SSSD’s cache_credentials = yes allows sudo to succeed during an LDAP outage. Option A caches hashes on every host, re-creating the original problem at scale. Option B fails the availability requirement because sudo will break if Kerberos or LDAP is down. Option D is manual, error-prone, and offers no central revocation.

Correct Answer: B

Match-on-card biometrics tie the authentication to the live presence of the legitimate user; even if the PIN is observed and the card is stolen, the attacker cannot satisfy the biometric challenge. PUK (A) is for unlocking, key length (C) is irrelevant, and PIN rotation (D) does not stop immediate abuse.

Correct Answer: A

Kerberos authentication ensures the student’s principal is recorded in the sudo audit log (log_input/log_output or pam_krb5), providing non-repudiation without rewriting sudoers. Setuid wrappers are brittle and hard to maintain. pam_tty_audit captures too much noise and may include passwords. A centralized AAA (e.g., FreeIPA sudo rules) is ideal but “migrate” implies a large project, whereas Kerberos is a configuration change.

Correct Answer: A

The root failure was the instantaneous, irreversible elevation of a synced on-prem account to Global Administrator. PIM would have converted the role to “eligible” instead of “active,” forcing the attacker to request activation, which can be denied or challenged with MFA/approval workflow. Filtering (C) would not block an attacker who simply changes group membership, and FIDO2 (B) or risk policies (D) still allow the role to be active once the identity is in the cloud.

Correct Answer: A

Turning the refresh token into a self-contained encrypted JWT (a “stateless” token) whose validity is determined by the presence of its hash in a fast key-value store allows instant server-side revocation by deleting the hash—no change to the EMR’s OAuth semantics. Option D would prevent replay on another device but does not allow remote revocation once the token is stolen on the legitimate device.

Correct Answer: B

OpenSSH supports PKCS#11, allowing the SSH client to invoke the private key on the smart card without exporting it. This preserves non-repudiation and FIPS compliance. A exports the key; C abandons PIV; D misplaces the user’s private key on a server-side HSM, which does not help client authentication.

Correct Answer: A

A short grace period (jti replay cache) allows the client to receive the new pair while safely invalidating the old one, closing the concurrency window. Binding (C) mitigates theft but not replay from the same device; hourly login (B) hurts UX; implicit grant (D) is deprecated and removes refresh entirely.

Correct Answer: C

The clinicians authenticate with X.509 to the OIDC IdP; the IdP then mints an OIDC ID token that the EPR accepts. Option A is half-right but OAuth alone cannot produce an ID token. FIDO2 (B) is a different PKI stack. SAML bearer (D) is for exchanging SAML assertions for OAuth tokens, not for browser SSO to an OIDC RP.

Correct Answer: B

By setting the sts:SourceIdentity attribute (introduced 2021) in the SAML assertion and enforcing its presence in the role trust policy, AWS CloudTrail logs every privileged call under the human identity that originated the chain, even through role assumption and automation. AWS SSO (A) does not automatically propagate the human identity into assumed-role logs; C provides accountability only to the last role, not the human; D violates the principle of no long-lived credentials.

Correct Answer: B

Device-binding of the refresh token ties the OAuth grant to a single, un-exportable hardware key (e.g., Android Keystore or iOS Secure Enclave). Friends borrowing the device cannot export or replay the token on another device, stopping collateral use while preserving silent SSO for the owner. SAML (A) is irrelevant in an OAuth PKCE world. Longer authorization codes (C) do nothing once the code is exchanged. Step-up MFA (D) helps for high-value transactions but still allows low-value abuse and adds friction.

Correct Answer: B

Break-glass envelopes stored under dual-control provide two-person integrity, immediate availability, and an auditable paper trail (who broke the seal, when). Pre-provisioned smartcards (A) violate least-functionality because they carry all roles regardless of current need. Override buttons (C) lack two-person control and create excessive privilege. Sponsor-based RBAC (D) is too slow for true emergencies and may fail if no sponsor is reachable.

Correct Answer: A

Vein pattern is privacy-friendly (does not leave latent prints), has low false-accept rates, and central encryption allows revocation when a temp leaves. Re-enrolling each shift guarantees that a terminated temp cannot authenticate later with leftover credentials, satisfying both FDA assurance and HIPAA minimum-necessary principles. On-device match (B) complicates revocation across thousands of shared workstations. Cloud iris (C) violates HIPAA data-residency and third-party disclosure rules. Voiceprint (D) is too susceptible to environmental noise in hospitals and still requires a directory copy that may outlive employment.

Correct Answer: C

An Identity Hub (or “federation proxy”) that speaks both SAML and OIDC can perform Home Realm Discovery (HRD) based on email domain or user choice, routing each user to the correct upstream IdP while the SaaS only needs to trust the hub’s single token. Option A forces the SaaS to build and maintain a full IdP. Option B still requires three separate SAML endpoints and does not natively handle Google’s OIDC. Option D defeats the “no internal passwords” goal for Azure AD and Google users.

Correct Answer: B

Timestamps in the element (NotBefore / NotOnOrAfter) create a short validity window that makes replay attacks impractical even if the assertion is intercepted. Encryption (A) provides confidentiality but not anti-replay. Signing (C) proves integrity and source authenticity but does not stop replay by itself. Including the certificate (D) is necessary for signature validation but again does not prevent replay.

Correct Answer: D

RFC 8705 (OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens) defines the “x5t#S256” confirmation key placed inside the token by the authorization server after validating the client’s mTLS connection. The client simply connects to the mTLS-enabled token endpoint; no extra parameter is needed in the POST body. The cnf/jwk is for sender-constrained JWTs, not certificate-bound tokens.

Correct Answer: B

The system is enforcing context constraints (location, threat intel) before activating roles. This is dynamic role activation, a form of context-aware authorization. Role explosion (A) is about too many roles; static SOD (C) is about mutually exclusive roles regardless of context; permission inheritance (D) does not explain location-based denial.

Correct Answer: A

An IdP proxy (e.g., Shibboleth, SimpleSAMLphp) can front-end the existing LDAP directory, convert the successful bind into a SAML assertion, and then a second gateway (or the same proxy) can translate that SAML assertion into an OIDC token for the portal. This preserves the investment in LDAP, requires no code changes to the EHR, and achieves SSO. B introduces password sync latency and security issues; C does not solve the protocol mismatch; D duplicates sensitive credentials and violates least privilege.

Correct Answer: C

Short-lived SSH certificates remove the need for a persistent root password while the PAM appliance retains full session recording. Option A still exposes the password. Option B does not solve for engineers who need actual root shells. Option D blocks exploits but does not grant audited root access.

Correct Answer: B

A salted, one-way transformation of the raw image into a feature vector irreversibly removes the ability to reconstruct the original face, yet the vector can still be used for comparison. AES (A) is reversible if the key is compromised. Tokenisation (C) does not change the biometric data itself. Homomorphic encryption (D) is still largely experimental and slow for 1:N.

Correct Answer: A

WORM guarantees that the reference template cannot be altered once written, while an HSM-backed hash provides tamper detection without exposing the biometric data itself. Keeping the HSM on a separate management VLAN ensures that even if the log server is compromised, the integrity check remains trustworthy. Encrypting with the user’s public key (B) prevents disclosure but not insider tampering. Threshold scheme (C) adds complexity but does not stop an attacker who compromises one share-holder and the log server. Moving data to the corporate LAN (D) violates air-gap policy.

Correct Answer: A

RFID + PIN is fast, survives high turnover (only badge and PIN resets), and keeps the kiosk free of passwords. Facial recognition (B) is costly, needs camera hardware, and raises privacy/consent issues. Central fingerprint DB (C) requires enrollment at every kiosk and creates PII liability. QR-to-phone (D) introduces BYOD risk and VPN overhead, and MAC addresses are easily spoofed.

Correct Answer: B

contains name, email, department, etc. that the SP uses to provision the account. SP-initiated profile is the usual route for JIT because the SP can also create a local session after receiving the assertion. AuthnContext (A) only conveys assurance level. SLO profiles (C, D) are for logout, not provisioning.

Correct Answer: A

Only an on-prem HSM (or cloud HSM) provides FIPS 140-2 Level 3 key storage; m-of-n split-knowledge enforces dual control for key usage, while CA workflow enforces separation of duties for certificate issuance. Software keys (B) fail Level 3, cloud KMS (C) is usually Level 2, and ACME (D) does not govern key generation.

Correct Answer: A

Near-real-time message queue + low-code connector (Logic App) allows HR’s event to trigger SCIM “POST /Users” or “PATCH /Users (active=false)” within seconds, meeting the 15-min SLA. Nightly batch (B) or email (C) misses the window, and AD polling (D) does not reflect HR’s authoritative status.

Correct Answer: C

ABAC engines evaluate a policy such as “grant if Subject.Country == Object.Country AND …”. Because Country=US does not equal Country=DE, the rule engine denies. This is the essence of strict ABAC, not DAC (A), which relies on owner discretion, nor SOD (B), which is about conflicting roles, nor transitive trust (D).

Correct Answer: B

With MFA enforced, knowledge of the password alone (from cracked hashes) is insufficient to complete authentication. Conditional Access (A) still allows password as a primary factor. PTA (C) changes the transport but still accepts the same password. SSPR (D) is unrelated to authentication strength.

Correct Answer: A

SAML with SP-initiated flow and email-domain-driven IdP discovery allows each customer to keep using its existing IdP (Okta, AD FS, Google) without exposing passwords to the SaaS and without pre-shared secrets. ROPC (B) requires the SaaS to handle passwords, violating the goal. LDAPS (C) and RADIUS (D) both need network-level trust and shared secrets, which the scenario forbids.

Correct Answer: B

B2C custom policies can federate to the on-prem LDAP via SAML and also to social IdPs. Domain hint (e.g., login_hint=john@corp.com) triggers home-realm discovery so internal users are redirected to the LDAP IdP while external users stay on the B2C login page. ROPC (C) is deprecated and disables SSO. Implicit flow (D) does not solve realm discovery.

Correct Answer: B

Push-based out-of-band OTP plus transaction signing (e.g., signing a hash of the transaction details) achieves strong, possession-based authentication and non-repudiation without storing or transmitting biometric data that could be mis-used for national ID. Option A still uses biometrics that could be exported; C relies on national schemes that may use prohibited biometrics; D keeps the biometric in the cloud, violating the “no biometrics usable by law-enforcement” rule.

Correct Answer: B

Option B is the only design that simultaneously satisfies the “single enterprise identity” requirement, preserves logical isolation between tenants, supports existing federation agreements, and avoids the operational overhead of maintaining legacy LDAP infrastructure. A cloud-native, multi-tenant IdP uses a shared physical directory but enforces tenant isolation through realm/organization constructs, thereby reducing data duplication and attack surface. AD FS (A) perpetuates on-prem dependencies and transitive trusts, increasing complexity and risk. Option C creates massive data sprawl and offers no runtime federation, while D pushes authorization data into an immutable token, making role revocation slow and insecure.

Correct Answer: A

DESFire EV3 operates at 13.56 MHz and is backward-compatible with most existing prox reader wiring; by simply updating firmware and adding a key diversification scheme, the reader can perform a challenge-response that proves the badge holds a secret, not just a UID. Cloned UIDs without the key will fail. Adding a PIN (B) helps but does not bind the badge to the user and is subject to tailgating. BLE (C) and facial recognition (D) are forklift upgrades that scrap the existing badge investment.

Correct Answer: B

OpenID Connect with PKCE allows password-less, short-lived ID tokens signed by the internal OIDC provider (e.g., Dex or Keycloak) while the provider itself binds to LDAP for verification. The API server natively maps ID-token claims to Kubernetes RBAC, satisfying “no passwords in cluster” and fine-grained access control. Basic-auth (C) and PAM (A) expose passwords; SPNEGO (D) is browser-oriented and does not integrate with kubectl’s token flow.

Correct Answer: B

Option B keeps the biometric template inside the tamper-resistant secure element of the smart-card, eliminating the need to store or synchronize biometric data in a central repository. This design sharply reduces the breach-impact surface and satisfies HIPAA/PCI-DSS data-minimization principles. The FIDO2 attestation proves to the IdP that the biometric check succeeded, allowing the system to treat the transaction as a genuine multi-factor event without ever exporting raw or template biometric data. Option A centralizes biometric data, creating a high-value target. Option C still requires sharing biometric attributes across systems and increases integration complexity. Option D is technically flawed because cryptographic hashes are sensitive to minute variations in fingerprint scans, yielding unacceptable false-reject rates.

Correct Answer: C

IRSA is the AWS-native, officially supported way to federate Kubernetes service accounts to IAM roles using OIDC. Each pod assumes its own role, achieving least privilege without shared node-role credentials or third-party daemons. A resurrects long-lived keys; B violates least privilege; D is legacy and introduces iptables manipulation risk.

Correct Answer: D

Azure AD supports certificate-based authentication (CBA) as a first-factor or multi-factor method. By marking the MDM CA as a trusted issuer and creating a Conditional Access rule that requires “multi-factor” with CBA, the native iOS Mail client must present the MDM certificate or it is blocked. Compliant-device rules rely on device-state signals, not the certificate itself, and approved-client rules would force Outlook.

Correct Answer: B

Keystone emits a CADF event when the federated SAML assertion expires or the SCIM feed disables the user. Aodh can trigger a workflow that calls Nova to stop the user’s instances. SCIM provides near-real-time provisioning state, meeting the five-minute SLA. Heat (A) is for orchestration, not identity revocation. Celery (C) introduces polling latency. Barbican (D) handles secrets, not compute lifecycle.

Correct Answer: B

OAuth 2.0 with mutual-TLS (RFC 8705) binds a client certificate to the client_id issued to the TPP. The bank’s authorization server issues access tokens that are scoped to the TPP’s regulated role, eliminating the need for customer passwords or directory lookups and meeting PSD2’s SCA requirement. SAML would force the bank to become an IdP for every TPP, Kerberos cannot scale across organizational boundaries, and XACML is for fine-grained policy evaluation, not credential issuance.

Correct Answer: A

BLE badges can be configured to transmit a rotating credential only while the phone is in an unlocked state (biometric or PIN), creating a possession (prox card) + inherence/knowledge (phone unlock) model without new hardware. Adding NFC readers violates the “no new reader” constraint, SMS OTP introduces usability issues at a turnstile, and DESFire EV3 cards require 13.56 MHz readers, which are incompatible with 125 kHz prox infrastructure.

Correct Answer: A

Cognito Streams emits user-attribute deltas in real time; Firehose can invoke a Lambda to strip credentials, convert to columnar format, and land in an S3 bucket that the analytics vendor can read. SigV4 on the bucket provides non-repudiation and auditability. AdminGetUser is throttled and exposes credentials if mis-coded, EventBridge streams are not batched for “nightly,” and email is unscalable and insecure.

Correct Answer: B

RFC 8693 lets the endpoint-management system exchange a device token for an access token that contains both user and device claims. The ERP can validate the embedded JWT device security token to enforce the 24-hour freshness rule. SAML holder-of-key (A) is browser-centric and lacks standard device claims. WS-Federation (C) is legacy Windows-only. Kerberos (D) does not work over the Internet and has no standardised health-token slot.