100+ Free CSA-C01 Practice Questions

Pass your Alibaba Cloud Certified Associate: Cloud Security Engineer (Exam CSA-C01) exam on the first try — instant access, no signup required.

2026 Statistics

Key Facts: CSA-C01 Exam

  • Exam Fee (USD): $200 (Alibaba Cloud)
  • Exam Duration: 90 min (Alibaba Cloud)
  • Passing Score: 70/100 (Alibaba Cloud)
  • Number of Questions: 50 (Alibaba Cloud)
  • Domains: 5 domains, each weighted 20% (Alibaba Cloud)
  • Current Associate Exam: replaces ACA Cloud Security (Alibaba Cloud)

As of May 2026, Alibaba Cloud lists CSA-C01, the Alibaba Cloud Certified Associate: Cloud Security Engineer exam, as an associate credential costing $200 USD, lasting 90 minutes, with 50 questions and a passing score of 70 out of 100, delivered in English through Pearson VUE. The five equally weighted domains (each 20 percent) are Cloud Security Basics, Identity and Access Management on Alibaba Cloud, Host Security on Alibaba Cloud, Data Security on Alibaba Cloud, and Network Security and Threat Mitigation on Alibaba Cloud. CSA-C01 is the current exam that replaced the retired ACA Cloud Security Associate. The fee and exam-detail figures above follow the values published on the Alibaba Cloud certification page; Alibaba Cloud does not publish a public exam-level pass-rate percentage.

Sample CSA-C01 Practice Questions

Try these sample questions to test your CSA-C01 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Under the Alibaba Cloud shared security responsibility model, which task is always the customer's responsibility?
A. Physical security of Alibaba Cloud data centers
B. Patching the underlying hypervisor on ECS hosts
C. Configuring RAM policies and protecting customer data and access keys
D. Maintaining the region's physical network backbone
Explanation: In Alibaba Cloud's shared responsibility model, Alibaba secures the underlying infrastructure (facilities, hypervisor, hardware, backbone network), while the customer secures what they put in the cloud, including RAM policies, identities, data, and access credentials. Managing access and protecting data always belongs to the customer.
2. Which security principle recommends granting a RAM user only the permissions required to complete their tasks?
A. Security through obscurity
B. Defense in depth
C. Separation of duties
D. Least privilege
Explanation: Least privilege means granting only the minimum permissions needed for a job. In Alibaba Cloud this is enforced through narrowly scoped RAM policies, conditions, and resource-level grants. It limits the blast radius if a credential is leaked or misused.
3. What is the primary purpose of the CIA triad in information security?
A. To list the three cloud regions a workload must run in
B. To define confidentiality, integrity, and availability as core security goals
C. To classify users into three identity tiers
D. To describe three layers of physical data center access
Explanation: The CIA triad stands for Confidentiality, Integrity, and Availability, the three foundational goals of information security. Alibaba Cloud security services map to these goals: encryption protects confidentiality, integrity checks and audit logs protect integrity, and Anti-DDoS protects availability.
4. Which Alibaba Cloud service provides a unified console for security posture, vulnerability detection, baseline checks, and threat detection across ECS hosts?
A. Security Center
B. Cloud Firewall
C. ActionTrail
D. Key Management Service
Explanation: Security Center (formerly Cloud Security Center / Server Guard) is Alibaba Cloud's centralized security operations platform. It performs vulnerability detection, baseline checks, intrusion and threat detection, and presents an overall security score across hosts and cloud assets.
5. A compliance team needs to demonstrate which administrator made changes to a security group last month. Which Alibaba Cloud service is the correct source of this evidence?
A. Cloud Monitor
B. Security Center
C. ActionTrail
D. Web Application Firewall
Explanation: ActionTrail records management API operations performed in the account, including who made the call, the source IP, the time, and the request parameters. It is the authoritative audit log for tracing configuration changes such as security group edits.
6. Which statement best describes 'defense in depth' as applied to an Alibaba Cloud deployment?
A. Relying on a single strong firewall to block all attacks
B. Granting administrators broad permissions to respond faster
C. Encrypting data only at the application layer
D. Layering multiple independent controls such as Anti-DDoS, WAF, Cloud Firewall, and Security Center
Explanation: Defense in depth layers multiple independent security controls so that if one fails, others still protect the workload. On Alibaba Cloud this combines edge protection (Anti-DDoS, WAF), network controls (Cloud Firewall, security groups), and host/posture controls (Security Center).
7. Which Alibaba Cloud service helps assess and continuously evaluate resource configurations against compliance rules?
A. Anti-DDoS
B. Bastionhost
C. Cloud Config
D. Object Storage Service
Explanation: Cloud Config records resource configurations and continuously evaluates them against managed or custom compliance rules. It detects non-compliant resources such as public OSS buckets or unencrypted disks and supports remediation, supporting governance and audit goals.
8. What does a 'security baseline' check in Security Center evaluate?
A. The minimum bandwidth required for a workload
B. The number of RAM users created in the account
C. Whether host and service configurations meet recommended hardening standards
D. The latency between two availability zones
Explanation: Security baseline checks compare host operating system, database, middleware, and account configurations against recommended hardening standards (such as weak passwords or risky settings). Security Center reports failed baseline items so administrators can remediate them and reduce attack surface.
9. Which of the following is a key benefit of using a multi-tier security architecture on Alibaba Cloud?
A. It isolates layers so a breach in one tier does not immediately compromise others
B. It eliminates the need to patch operating systems
C. It removes the need for encryption
D. It guarantees zero downtime during attacks
Explanation: A multi-tier architecture separates web, application, and database tiers with controls between them (security groups, Cloud Firewall, private subnets). Isolation limits lateral movement, so compromising the web tier does not automatically grant access to the database tier.
10. Which classification best describes a 'zero-day' vulnerability that Security Center may flag?
A. A vulnerability unknown to the vendor with no available official fix
B. A vulnerability that has been patched for over a year
C. A configuration drift in a security group
D. An expired SSL certificate
Explanation: A zero-day vulnerability is a flaw unknown to the vendor or for which no official patch yet exists, giving defenders 'zero days' to prepare. Security Center prioritizes such high-risk vulnerabilities and may offer virtual patching or detection to reduce exposure until a fix is released.

About the CSA-C01 Exam

Alibaba Cloud's CSA-C01 exam earns the Alibaba Cloud Certified Associate: Cloud Security Engineer credential, validating that you can design and manage secure environments using Alibaba Cloud security services, implement compliance controls, and monitor and audit cloud resources. The skills span Security Center, Resource Access Management (RAM), Web Application Firewall (WAF), Anti-DDoS, Cloud Firewall, Key Management Service (KMS), Bastionhost, and ActionTrail across five equally weighted domains. CSA-C01 is the current associate exam that replaced the retired ACA Cloud Security Associate.

  • Questions: 50 scored questions
  • Time Limit: 90 minutes
  • Passing Score: 70/100
  • Exam Fee: $200 (Alibaba Cloud)

CSA-C01 Exam Content Outline

Cloud Security Basics (20%)

Understand the shared responsibility model, the CIA triad, defense in depth, least privilege, and zero trust. Know core platform security services including Security Center posture and threat detection, ActionTrail auditing, Cloud Config compliance, Cloud Monitor alarms, and Certificate Management Service.

Identity and Access Management on Alibaba Cloud (20%)

Manage identities and permissions with Resource Access Management (RAM) users, groups, roles, and policies, use STS temporary credentials, enforce MFA, protect the root account, practice AccessKey hygiene, configure SSO and identity federation, and control privileged access with Bastionhost and secrets management.

Host Security on Alibaba Cloud (20%)

Secure ECS hosts with the Security Center agent, vulnerability and baseline management, intrusion and webshell detection, and file integrity monitoring. Apply security groups, ECS disk encryption with KMS, image hardening, brute-force defense, and controls that limit lateral movement.

Data Security on Alibaba Cloud (20%)

Protect data with Key Management Service (KMS), customer master keys and envelope encryption, key rotation and Bring Your Own Key, OSS and RDS encryption, Sensitive Data Discovery and classification, data masking, signed URLs, backups, and data residency considerations.

Network Security and Threat Mitigation on Alibaba Cloud (20%)

Defend applications and networks with Web Application Firewall (WAF), Anti-DDoS Pro and Premium, Cloud Firewall and intrusion prevention, secure VPC and NAT design, rate limiting, bot management, and Log Service, and execute the incident response lifecycle from containment through lessons learned.

How to Pass the CSA-C01 Exam

What You Need to Know

  • Passing score: 70/100
  • Exam length: 50 questions
  • Time limit: 90 minutes
  • Exam fee: $200

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CSA-C01 Study Tips from Top Performers

1. Because all five CSA-C01 domains are weighted equally at about 20 percent, study them in balance rather than over-investing in one area.
2. Master Resource Access Management deeply: users versus roles, STS temporary credentials, explicit-deny policy evaluation, conditions such as acs:SourceIp, MFA, and least privilege.
3. Know which product solves which problem: Security Center for host posture and threat detection, WAF for web attacks, Anti-DDoS for volumetric floods, Cloud Firewall for boundary and inter-VPC control, KMS for encryption keys, and ActionTrail for API auditing.
4. Understand data protection end to end: envelope encryption with customer master keys, key rotation and Bring Your Own Key, OSS and RDS encryption, signed URLs, Sensitive Data Discovery, and data masking.
5. Learn host hardening and response: Security Center agent, vulnerability and baseline checks, virtual patching, file integrity monitoring, security groups, and limiting lateral movement.
6. Practice the incident response lifecycle and automated response patterns that combine Security Center detection with Cloud Firewall blocking, Cloud Monitor alarms, and ActionTrail or Log Service for audit.

Frequently Asked Questions

What are the current official exam facts for CSA-C01?

Alibaba Cloud lists CSA-C01 as an associate-level Cloud Security Engineer exam costing $200 USD, lasting 90 minutes, with 50 questions and a passing score of 70 out of 100. It is delivered in English through Pearson VUE.

Is CSA-C01 the replacement for the ACA Cloud Security certification?

Yes. CSA-C01 is the current Alibaba Cloud Certified Associate: Cloud Security Engineer exam that replaced the retired ACA Cloud Security Associate. It validates designing and managing secure Alibaba Cloud environments with services such as Security Center, RAM, WAF, KMS, Cloud Firewall, and ActionTrail.

How are the CSA-C01 exam domains weighted?

CSA-C01 has five equally weighted domains, each worth about 20 percent: Cloud Security Basics, Identity and Access Management on Alibaba Cloud, Host Security on Alibaba Cloud, Data Security on Alibaba Cloud, and Network Security and Threat Mitigation on Alibaba Cloud.

Which Alibaba Cloud security products does CSA-C01 cover?

CSA-C01 covers Security Center, Resource Access Management (RAM) with STS, Web Application Firewall (WAF), Anti-DDoS, Cloud Firewall, Key Management Service (KMS), Bastionhost, ActionTrail, Cloud Config, Cloud Monitor, and Sensitive Data Discovery.

What experience does Alibaba Cloud recommend before taking CSA-C01?

Alibaba Cloud recommends hands-on experience securing cloud workloads, including configuring RAM access, encrypting data with KMS, protecting hosts with Security Center, and defending applications with WAF, Anti-DDoS, and Cloud Firewall.

How many questions are on CSA-C01 and how long is the exam?

CSA-C01 has 50 questions and a 90-minute time limit, with a passing score of 70 out of 100 points. The exam is offered in English and scheduled through Pearson VUE.