Free CSA-C01 Cheat Sheet 2026: Exam Quick Reference

Cloud Security Basics

8%of exam

Shared ResponsibilityMLPSThreatsRisk TreatmentIR Lifecycle

Identity + Access

18%of exam

RAMSTSMFASSOResource Directory

Host + Operations

24%of exam

Security CenterBastionhostActionTrailLog ServiceCloud Config

Data Protection

22%of exam

KMSSecrets ManagerOSS EncryptionRDS TDESDDP

Network Security

28%of exam

Security GroupsNetwork ACLsCloud FirewallWAFAnti-DDoS

Quick Facts

Exam: CSA-C01
Credential: Cloud Security Engineer
Questions: 50 MCQ
Time: 90 min
Pass: 70/100
Fee: $200 USD
Language: English
Delivery: Pearson VUE
Retake: 14 days
Replaces: ACA Cloud Security

Exam Basics

CSA-C01: Current security exam
ACA Security: Retired predecessor
Associate: Entry practitioner level
Scenario focus: Choose correct service
No prereq: Cloud basics recommended
Pearson VUE: Online or center
Nonrefundable: Fee not returned
Course: Eight Academy chapters

Security Basics

Shared model: Provider plus customer
Alibaba owns: Facilities hypervisor platform
Customer owns: Data identities config
ECS customer: Guest OS patches
Defense depth: Layered cloud controls
Least privilege: Minimum necessary access
MLPS: China protection levels
ISO 27001: ISMS evidence

Secure Architecture

Private subnets: Hide internal services
WAF entry: Protect web ingress
Firewall egress: Restrict outbound paths
No public DB: Use private access
Tagged assets: Scope policy audits
Central logs: Preserve evidence
Break-glass: Emergency admin path
Pen test notice: Notify before testing

RAM Policy Core

EARC: Effect Action Resource Condition

EffectActionResourceCondition

RAM User vs Role

RAM user

Long-term identity
Human or workload
Can hold AccessKeys

RAM role

Assumed identity
Temporary STS tokens
Cross-account access

Static vs assumed

Identity Picker

Daily human admin→RAM user(MFA required)
Many similar users→User group(Attach policies)
Cross-account access→RAM role(Trust policy)
App needs OSS→STS(Temporary token)
Corporate login→SSO(Federated access)
Many accounts→Resource Directory(Central governance)
Maximum permissions→Control policy(Guardrail)
API secret found→Rotate AccessKey(Check ActionTrail)

RAM Core

Root account: Account-level identity
RAM user: Person or workload
User group: Policy assignment set
RAM role: Assumable identity
System policy: Alibaba-managed policy
Custom policy: Customer-authored policy
Implicit deny: Default no access
Explicit Deny: Overrides any Allow

System vs Custom Policy

System policy

Alibaba managed
Broad common access
Updated by provider

Custom policy

Customer authored
Fine-grained scope
Maintained by customer

Managed vs tailored

RAM Governance

STS: Temporary scoped credentials
AccessKey: Long-lived API secret
MFA: Second login factor
SAML SSO: Corporate identity federation
OIDC: Token-based federation
Resource Directory: Multi-account hierarchy
Control policy: Account permission guardrail
Condition: Context-based restriction

Ops Evidence Chain

Access, events, logs, config

BastionhostActionTrailLog ServiceCloud Config

ActionTrail vs Log Service

ActionTrail

Control-plane events
Console API activity
Audit evidence

Log Service

Log analytics
Dashboards alerts
Multi-source logs

Events vs analytics

Operations Picker

Host risk posture→Security Center
Hardening drift→Baseline check
Admin shell access→Bastionhost
Trace API call→ActionTrail
Search security logs→Log Service
Detect config drift→Cloud Config
Protect object data→OSS SSE-KMS
Rotate app secret→Secrets Manager

Host Operations

Security Center: Host threat posture
Vulnerability scan: Find missing fixes
Baseline check: Hardening drift detection
Webshell detection: Malicious script finding
Malware alert: Suspicious file signal
Ransomware defense: Backup and detection
Image scan: Container risk finding
Proactive defense: Higher edition feature

Audit + Logging

Bastionhost: Privileged access gateway
Session recording: Replay admin activity
Command audit: Track risky commands
ActionTrail: API console events
Event lookup: Who did what
Log Service: Central log analytics
Log alert: Detection notification
Cloud Config: Configuration compliance rules

Data Lock Stack

Keys, secrets, encryption, immutability

KMSSecrets ManagerSSE-KMSWORM

KMS vs Secrets Manager

KMS

Cryptographic keys
Envelope encryption
Service integrations

Secrets Manager

Passwords tokens
Secret rotation
Application retrieval

Keys vs secrets

Data Security

KMS: Managed key service
CMK: Customer master key
Data key: Encrypts actual data
Envelope encryption: CMK wraps data keys
BYOK: Import customer key
Key rotation: Limit key lifetime
HSM: Hardware key protection
Scheduled deletion: Delayed key destruction

Storage + Database

Secrets Manager: Rotate application secrets
OSS SSE: Server-side object encryption
SSE-KMS: KMS-backed OSS encryption
Block Public Access: Prevent public buckets
Bucket policy: Object access rules
OSS WORM: Immutable retention
RDS TDE: Database at-rest encryption
RDS SSL: Encrypted database transport

Edge Defense Triad

Flood, web exploit, traffic policy

Anti-DDoSWAFCloud Firewall

Security Group vs ACL

Security group

Stateful rules
Instance or ENI
Workload firewall

Network ACL

Stateless rules
Subnet boundary
Extra segmentation

Instance vs subnet

WAF vs Anti-DDoS

WAF

HTTP inspection
SQLi XSS bots
Application layer

Anti-DDoS

Traffic scrubbing
Flood protection
Availability defense

Exploit vs flood

Edge Defense

Cloud Firewall: Central traffic control
Internet firewall: North-south policy
VPC firewall: East-west policy
IPS: Inline threat blocking
WAF: HTTP attack defense
Managed rules: OWASP protections
Bot Management: Automated abuse control
Anti-DDoS: Volumetric flood scrubbing

Cloud Firewall vs Security Group

Cloud Firewall

Central policy
IPS intelligence
Cross-boundary logs

Security group

Distributed rules
Port allowlist
No managed IPS

Central vs local

Common Traps

Current vs Retired Exam

CSA-C01 current ≠ ACA Security retired

Customer vs Provider

Guest OS customer ≠ Hypervisor Alibaba

Temporary vs Permanent Credentials

STS temporary ≠ AccessKey long-lived

HTTP Exploit vs Flood

WAF blocks SQLi ≠ Anti-DDoS absorbs floods

Stateful vs Stateless

Security group stateful ≠ Network ACL stateless

Audit vs Access

ActionTrail records events ≠ Bastionhost controls sessions

Keys vs Secrets

KMS manages keys ≠ Secrets Manager rotates secrets

Evidence vs Deletion

Preserve logs first ≠ Do not delete trails

Last Minute

1.Memorize 50 questions format
2.Use CSA-C01 facts only
3.Root account needs MFA
4.Prefer roles plus STS
5.Explicit Deny always wins
6.Security groups are stateful
7.Network ACLs are stateless
8.WAF protects HTTP apps
9.Anti-DDoS handles floods
10.ActionTrail answers who did
11.KMS enables envelope encryption
12.Preserve logs during incidents

Alibaba Cloud Security Engineer (Associate)

Practice Questions100 questions Study Guide Cheat Sheet Flashcards50 cards 1 blog

Same family resources

Explore More Alibaba Cloud Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

More From This Family

Videos and articles for deeper review.

ArticleFREE Alibaba Cloud Security Associate (CSA-C01) Certification Guide 2026: Exam Format, Blueprint, Study Plan16 min read

Alibaba CSA-C01 Cheat Sheet

Cloud Security Basics

Identity + Access

Host + Operations

Data Protection

Network Security

Quick Facts

Exam Basics

Security Basics

Secure Architecture

RAM Policy Core

RAM User vs Role

RAM user

RAM role

Identity Picker

RAM Core

System vs Custom Policy

System policy

Custom policy

RAM Governance

Ops Evidence Chain

ActionTrail vs Log Service

ActionTrail

Log Service

Operations Picker

Host Operations

Audit + Logging

Data Lock Stack

KMS vs Secrets Manager

KMS

Secrets Manager

Data Security

Storage + Database

Edge Defense Triad

Security Group vs ACL

Security group

Network ACL

Network Picker

Network Controls

WAF vs Anti-DDoS

WAF

Anti-DDoS

Edge Defense

Cloud Firewall vs Security Group

Cloud Firewall

Security group

Common Traps

Current vs Retired Exam

Customer vs Provider

Temporary vs Permanent Credentials

HTTP Exploit vs Flood

Stateful vs Stateless

Audit vs Access

Keys vs Secrets

Evidence vs Deletion

Last Minute

Alibaba Cloud Security Engineer (Associate)

Explore More Alibaba Cloud Certifications

Alibaba Cloud ACA Cloud Business

Alibaba Cloud ACA Generative AI Engineer

Alibaba Cloud Certified Associate (ACA) Cloud Computing

Alibaba Cloud Certified Associate (ACA) Cloud Operator

Alibaba Cloud Certified Cloud Architect (Professional)

Alibaba Cloud Certified Professional - Cloud Computing (ACP-Cloud1)

More From This Family