Firewall, IAM, Log, and Risk PBQ Mini-Labs
Key Takeaways
- Firewall PBQs usually test source, destination, protocol, direction, and rule order.
- IAM PBQs reward least privilege, lifecycle cleanup, MFA, PAM, and separation of duties.
- Log PBQs require correlation across identity, endpoint, network, and time fields.
- Risk PBQs require matching likelihood, impact, control choice, owner, and residual risk.
- Mini-lab practice should end with a written reason for each decision, not just an answer.
PBQ Mini-Labs
Use these labs as final-week drills. For each one, write the end state before checking the explanation. The goal is to practice how the exam thinks: apply secure defaults, meet the business need, and avoid unnecessary exposure.
Lab 1: Firewall Rule Cleanup
Scenario: A small retailer has a public web server, an application server, a database server, and an admin jump box.
Required business flows:
| Flow | Requirement |
|---|---|
| Customers | Access the public website over HTTPS |
| Web server | Send application requests to the app server |
| App server | Query the database |
| Administrators | Manage servers only through the jump box |
| Monitoring | Send logs to the SIEM collector |
Candidate rule set:
| Rule | Source | Destination | Service | Action |
|---|---|---|---|---|
| 1 | Internet | Web server | TCP 443 | Allow |
| 2 | Internet | Database server | TCP 3306 | Allow |
| 3 | Admin subnet | Jump box | TCP 22 | Allow |
| 4 | Jump box | Servers | TCP 22, TCP 3389 | Allow |
| 5 | Servers | SIEM | Syslog | Allow |
| 6 | Any | Any | Any | Deny |
Fix: remove or deny rule 2. The database server must never be reachable from the Internet, and because the firewall evaluates rules top down, rule 2 matches before the final deny and is live. The candidate set also has no rule that lets the web server reach the app server or the app server query the database, so both required flows fall through to rule 6 and fail. Add those two allows, scoped to the single source host, single destination host, and application port (TCP 3306 from the app server to the database server if the application uses MySQL). Rule 4 satisfies the jump-box requirement; narrowing it to the one management protocol each server actually uses is a reasonable follow-up but not the primary finding. Keep the explicit deny-all as the last rule.
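To see why rule order and the missing tier-to-tier rules matter, the following script evaluates both rule sets with first-match semantics. It is an added example for this page, not code from the lab; the rule tables are the lab's, while the address plan, the app-server port (TCP 8080) and the syslog transport (UDP 514) are assumptions made so the rules can be evaluated against concrete traffic.

```python
"""First-match evaluation of the Lab 1 rule sets.

Added example for this page, not code from the original lab. The rule tables
mirror the lab; the address plan, the app-server port (TCP 8080) and the
syslog port (UDP 514) are assumptions made so the rules can be evaluated.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: anything outside this is "Internet"

# Constructed address plan (assumption, not from the lab).
ZONES = {
    "Admin subnet": [ip_network("10.0.9.0/24")],
    "Jump box": [ip_network("10.0.9.5/32")],
    "Web server": [ip_network("10.0.1.10/32")],
    "App server": [ip_network("10.0.2.10/32")],
    "Database server": [ip_network("10.0.3.10/32")],
    "SIEM": [ip_network("10.0.4.20/32")],
    "Servers": [ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24"),
                ip_network("10.0.3.0/24")],
}

ANY = frozenset({("any", 0)})  # wildcard service


@dataclass(frozen=True)
class Rule:
    num: int
    src: str
    dst: str
    services: frozenset  # {(proto, port), ...}
    action: str


def in_zone(ip, zone):
    addr = ip_address(ip)
    if zone == "Any":
        return True
    if zone == "Internet":
        return addr not in INTERNAL
    return any(addr in net for net in ZONES[zone])


def evaluate(rules, src_ip, dst_ip, proto, port):
    """Return (action, rule number) of the first matching rule, top down.

    If nothing matches, the platform's implicit deny applies (rule None).
    """
    for rule in rules:
        if not (in_zone(src_ip, rule.src) and in_zone(dst_ip, rule.dst)):
            continue
        if rule.services == ANY or (proto, port) in rule.services:
            return rule.action, rule.num
    return "deny", None


def tcp(*ports):
    return frozenset(("tcp", p) for p in ports)


# The lab's candidate rule set, as written.
CANDIDATE = [
    Rule(1, "Internet", "Web server", tcp(443), "allow"),
    Rule(2, "Internet", "Database server", tcp(3306), "allow"),  # the problem rule
    Rule(3, "Admin subnet", "Jump box", tcp(22), "allow"),
    Rule(4, "Jump box", "Servers", tcp(22, 3389), "allow"),
    Rule(5, "Servers", "SIEM", frozenset({("udp", 514)}), "allow"),
    Rule(6, "Any", "Any", ANY, "deny"),
]

# Corrected set: rule 2 removed, the two missing tier-to-tier allows added,
# explicit deny kept last.
FIXED = [
    Rule(1, "Internet", "Web server", tcp(443), "allow"),
    Rule(2, "Web server", "App server", tcp(8080), "allow"),  # port assumed
    Rule(3, "App server", "Database server", tcp(3306), "allow"),
    Rule(4, "Admin subnet", "Jump box", tcp(22), "allow"),
    Rule(5, "Jump box", "Servers", tcp(22, 3389), "allow"),
    Rule(6, "Servers", "SIEM", frozenset({("udp", 514)}), "allow"),
    Rule(7, "Any", "Any", ANY, "deny"),
]

# Required flows plus two that must be blocked (constructed test traffic).
CHECKS = {
    "customer https":     ("203.0.113.7", "10.0.1.10", "tcp", 443, "allow"),
    "web to app":         ("10.0.1.10", "10.0.2.10", "tcp", 8080, "allow"),
    "app to db":          ("10.0.2.10", "10.0.3.10", "tcp", 3306, "allow"),
    "admin via jump box": ("10.0.9.5", "10.0.3.10", "tcp", 22, "allow"),
    "server syslog":      ("10.0.2.10", "10.0.4.20", "udp", 514, "allow"),
    "internet to db":     ("203.0.113.7", "10.0.3.10", "tcp", 3306, "deny"),
    "web direct to db":   ("10.0.1.10", "10.0.3.10", "tcp", 3306, "deny"),
}


def audit(rules):
    """Map each check name to (passed, action, rule number)."""
    out = {}
    for name, (src, dst, proto, port, expected) in CHECKS.items():
        action, num = evaluate(rules, src, dst, proto, port)
        out[name] = (action == expected, action, num)
    return out


if __name__ == "__main__":
    for label, rules in (("candidate", CANDIDATE), ("fixed", FIXED)):
        print(label)
        for name, (ok, action, num) in audit(rules).items():
            print(f"  {'PASS' if ok else 'FAIL'} {name:18} -> {action} by rule {num}")
```

Running it shows the candidate set failing three checks (Internet to database allowed by rule 2, and both web-to-app and app-to-database falling into rule 6), while the corrected set passes all seven. Moving the deny-all to the top of the candidate list makes every flow fail, which is the rule-order point PBQs test.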
Lab 2: IAM Least Privilege and Separation of Duties
Scenario: A payroll clerk needs to enter time corrections but must not approve payroll runs. A payroll manager can approve runs but should not change bank account records. A help desk analyst resets passwords but should not grant finance roles.
| Role | Allowed | Not allowed |
|---|---|---|
| Payroll clerk | Create and edit time corrections | Approve payroll run |
| Payroll manager | Approve payroll run | Change employee bank account |
| HR records specialist | Update employee bank account after verification | Approve payroll run |
| Help desk analyst | Reset password after identity verification | Add finance or payroll roles |
Secure PBQ answer: assign users to role-based groups that match job duties, require MFA for payroll access, log privileged actions, and require a ticket or workflow approval for role changes. Do not grant "finance admin" to everyone because it is convenient.
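The controls in that answer (role groups matched to duties, MFA on payroll access, logged privileged actions, ticketed role changes, and no shared "finance admin") can be expressed as a small authorization model. The following is an added example for this page, not code from the lab or any product. Role names follow the lab table; the permission strings, the conflicting role pairs, which permissions require MFA, and the ticket requirement are assumptions chosen to illustrate the controls.

```python
"""Role-based access with separation-of-duties checks for Lab 2.

Added example for this page, not code from the original lab. Role names follow
the lab table; the permission strings, the conflicting role pairs, the MFA rule
and the ticket requirement are assumptions that illustrate the controls the
lab's answer calls for.
"""

ROLE_PERMISSIONS = {
    "payroll_clerk": {"time_correction:create", "time_correction:edit"},
    "payroll_manager": {"payroll_run:approve"},
    "hr_records_specialist": {"employee_bank_account:update"},
    "help_desk_analyst": {"password:reset"},
    "iam_admin": {"role:assign", "role:revoke"},
}

# Separation of duties: no single identity may hold both roles of a pair.
SOD_CONFLICTS = {
    frozenset({"payroll_clerk", "payroll_manager"}),          # enter and approve
    frozenset({"hr_records_specialist", "payroll_manager"}),  # change account and approve
}

# Payroll data and role administration need a verified second factor (assumption).
MFA_REQUIRED = ("time_correction:", "payroll_run:", "employee_bank_account:", "role:")


class Directory:
    def __init__(self, seed_admin):
        self.members = {seed_admin: {"iam_admin"}}  # user -> set of roles
        self.audit = []  # append-only record of privileged decisions

    def permissions_of(self, user):
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.members.get(user, ())))

    def authorize(self, user, permission, mfa_verified=False):
        """Decide one action; MFA-gated permissions fail without a second factor."""
        allowed = permission in self.permissions_of(user)
        if allowed and permission.startswith(MFA_REQUIRED) and not mfa_verified:
            allowed = False
        self.audit.append(("authorize", user, permission, allowed))
        return allowed

    def assign_role(self, actor, user, role, ticket=None, mfa_verified=False):
        """Grant a role; returns (ok, reason) so every refusal is explained."""
        if not self.authorize(actor, "role:assign", mfa_verified):
            return False, f"{actor} is not permitted to assign roles"
        if not ticket:
            return False, "role changes require an approved ticket or workflow"
        if role not in ROLE_PERMISSIONS:
            return False, f"unknown role {role}"
        for held in self.members.get(user, set()):
            if frozenset({held, role}) in SOD_CONFLICTS:
                return False, f"SoD conflict: {user} already holds {held}"
        self.members.setdefault(user, set()).add(role)
        self.audit.append(("assign_role", actor, user, role, ticket))
        return True, "granted"

    def offboard(self, actor, user, ticket=None, mfa_verified=False):
        """Lifecycle cleanup: strip every role when someone leaves or changes job."""
        if not self.authorize(actor, "role:revoke", mfa_verified):
            return False, f"{actor} is not permitted to revoke roles"
        if not ticket:
            return False, "role changes require an approved ticket or workflow"
        removed = sorted(self.members.pop(user, set()))
        self.audit.append(("offboard", actor, user, removed, ticket))
        return True, f"removed {removed}"


if __name__ == "__main__":
    d = Directory("iam.admin")
    print(d.assign_role("iam.admin", "clerk1", "payroll_clerk", "CHG-1001", mfa_verified=True))
    print(d.assign_role("iam.admin", "clerk1", "payroll_manager", "CHG-1002", mfa_verified=True))
    print(d.authorize("clerk1", "payroll_run:approve", mfa_verified=True))
```

The second `assign_role` call is refused with an SoD conflict even though the admin has the right permission and a ticket, which is the point: the toxic combination is blocked at provisioning time, not left for an auditor to find later. A help desk analyst calling `assign_role` is refused because the role never carried `role:assign`, and an admin without a verified second factor is refused by the MFA gate.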
Lab 3: Log Triage
Review the events:
2026-04-29T09:10:03Z idp user=ajones result=success mfa=push source_ip=198.51.100.42 device=new
2026-04-29T09:12:44Z cloud user=ajones action=CreateAccessKey result=success
2026-04-29T09:15:01Z cloud user=ajones action=AttachAdminPolicy target=ajones result=success
2026-04-29T09:17:28Z proxy user=ajones dst=storage-sync-example.net bytes_out=734003200 action=allow
High-confidence findings:
| Finding | Reason |
|---|---|
| New-device login followed by cloud key creation | Possible account compromise or unauthorized persistence |
| Admin policy attachment | Privilege escalation |
| Large outbound transfer | Possible exfiltration |
| Same user across events | Correlation strengthens severity |
Best next actions: contain the account, revoke suspicious access keys and sessions, preserve logs, validate whether the activity was approved, and scope affected resources.
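The correlation step in this lab (same user, four sources, a few minutes apart) is what a detection rule would do for you. The script below is an added example for this page, not code from the lab or any SIEM product; it parses the lab's four event lines as given, maps each to an indicator, chains indicators per user inside a time window, and scores the chain. The 30-minute window, the 100 MB egress threshold and the severity scale are assumptions.

```python
"""Correlating the Lab 3 events into one per-user finding.

Added example for this page, not code from the original lab. The four event
lines are the lab's own; the 30-minute window, the egress threshold and the
severity scale are assumptions.
"""
from datetime import datetime, timedelta

# The lab's events, embedded so the script runs offline.
EVENTS = """\
2026-04-29T09:10:03Z idp user=ajones result=success mfa=push source_ip=198.51.100.42 device=new
2026-04-29T09:12:44Z cloud user=ajones action=CreateAccessKey result=success
2026-04-29T09:15:01Z cloud user=ajones action=AttachAdminPolicy target=ajones result=success
2026-04-29T09:17:28Z proxy user=ajones dst=storage-sync-example.net bytes_out=734003200 action=allow
"""

WINDOW = timedelta(minutes=30)            # assumption
EGRESS_THRESHOLD = 100 * 1024 * 1024      # bytes; assumption
SEVERITY = {1: "low", 2: "medium", 3: "high", 4: "critical"}


def parse(line):
    """Turn '<ts> <source> k=v k=v ...' into a dict with a datetime timestamp."""
    ts, source, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    for item in pairs:
        key, _, value = item.partition("=")
        event[key] = value
    return event


def indicator(event):
    """Map one event to the indicator it raises, or None if it is unremarkable."""
    src = event["source"]
    if src == "idp" and event.get("result") == "success" and event.get("device") == "new":
        return "new_device_login"
    if src == "cloud" and event.get("action") == "CreateAccessKey":
        return "access_key_created"
    if src == "cloud" and event.get("action") == "AttachAdminPolicy":
        return "admin_policy_attached"
    if src == "proxy" and int(event.get("bytes_out", 0)) >= EGRESS_THRESHOLD:
        return "large_egress"
    return None


def correlate(text):
    """Chain indicators per user within WINDOW; severity grows with distinct indicators."""
    events = sorted((parse(l) for l in text.splitlines() if l.strip()), key=lambda e: e["ts"])
    chains = {}
    for event in events:
        ind = indicator(event)
        if ind is None:
            continue
        chain = chains.setdefault(event.get("user", "unknown"), [])
        # Keep only indicators still inside the window relative to this event.
        chain[:] = [c for c in chain if event["ts"] - c[0] <= WINDOW]
        chain.append((event["ts"], ind))
    findings = {}
    for user, chain in chains.items():
        kinds = []
        for _, ind in chain:
            if ind not in kinds:
                kinds.append(ind)
        span = (chain[-1][0] - chain[0][0]).total_seconds() / 60
        findings[user] = {
            "indicators": kinds,
            "severity": SEVERITY[min(len(kinds), 4)],
            "span_minutes": round(span, 1),
        }
    return findings


if __name__ == "__main__":
    for user, finding in correlate(EVENTS).items():
        print(user, finding)
```

For the lab's events this yields one finding for `ajones` with all four indicators inside 7.4 minutes and severity `critical`. The same login seen on its own, or an access key created more than 30 minutes after the login, scores `low`, which is the difference between "a user got a new phone" and "contain the account now".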
Lab 4: Risk Register PBQ
Scenario: A clinic uses an unsupported imaging workstation because a replacement requires vendor validation. It stores patient images locally and connects to the internal network.
| Risk field | Good entry |
|---|---|
| Asset | Imaging workstation IMG-07 |
| Threat | Malware, unauthorized access, or data loss |
| Vulnerability | Unsupported OS and local sensitive data storage |
| Impact | Patient data exposure and clinical workflow disruption |
| Likelihood | Medium to high if connected broadly |
| Treatment | Mitigate with segmentation, restricted access, backups, monitoring, and replacement plan |
| Owner | Clinical technology manager or assigned system owner |
| Residual risk | Remaining risk after compensating controls until replacement |
Bad PBQ answers ignore ownership, claim the risk is eliminated by one firewall rule, or accept the risk without documented approval.
How to Grade Yourself
After each lab, ask:
- Did I meet the business requirement?
- Did I avoid broad permissions?
- Did I choose secure protocols and paths?
- Did I preserve or use evidence before changing too much?
- Did I assign risk ownership and residual risk when the scenario required governance?
PBQs are practical. If your answer would make an auditor, incident handler, or network engineer ask "who approved this and why is it so broad," tighten it.
Review Questions
- In the firewall mini-lab, which rule is the clearest problem?
- Which actions are appropriate after the log triage pattern shows new-device login, access key creation, admin policy attachment, and large outbound transfer? Select three.
- A payroll clerk needs to enter time corrections but must not approve payroll runs. Which principle is most directly being applied?