1.1 Exam Format and Outline
Key Takeaways
- CSA-C01 is the current Alibaba Cloud Certified Associate: Cloud Security Engineer exam and replaces the legacy ACA Cloud Security exam retired on May 13, 2025.
- The exam has 50 multiple-choice questions, a 90-minute time limit, and a 70 out of 100 passing score (USD $200 fee).
- CSA-C01 is delivered in English through Pearson VUE test centers and OnVUE online proctoring, with a 14-day wait enforced between any two attempts.
- Network Security and Threat Mitigation is the largest module at 28%, followed by Host Security at 24% and Data Security at 22%.
- Budget your 90 minutes at roughly 1.8 minutes per question and weight study time by the five official modules rather than treating every service equally.
What CSA-C01 Tests
The Alibaba Cloud Certified Associate: Cloud Security Engineer exam, code CSA-C01, is the current associate-level cloud-security credential for Alibaba Cloud. It replaced the legacy ACA (Alibaba Cloud Associate) Cloud Security exam, which Alibaba Cloud retired on May 13, 2025. Do not use old ACA Security outlines as your primary checklist: the service set, console names, and weightings shifted with the rebrand. The certification verifies that you can select and configure the right Alibaba Cloud security service for a given workload, threat, or compliance scenario.
Confirmed Logistics
The official Alibaba Cloud certification page lists exact, verifiable numbers. Memorize them, because borderline questions sometimes test your awareness of the exam program itself.
| Attribute | Value |
|---|---|
| Questions | 50 multiple choice (single and multiple answer) |
| Time limit | 90 minutes |
| Passing score | 70 out of 100 points |
| Fee | USD $200.00 (non-refundable) |
| Language | English |
| Delivery | Pearson VUE test center or OnVUE online proctoring |
| Retake policy | 14-day wait between attempts |
A passing score of 70/100 does not map to a fixed number of questions because items are weighted; treat it as roughly 35 of 50 and aim higher in practice. The fee is non-refundable once purchased, so confirm your readiness before scheduling.
Official Module Weights
CSA-C01 is organized into five knowledge modules. Allocate study hours in proportion to weight, then sharpen the decision boundaries between similar services within each module.
| Module | Weight | Study implication |
|---|---|---|
| Cloud Security Basics | 8% | Master the shared responsibility model, compliance vocabulary, and the incident-response flow. |
| Identity and Access Management | 18% | Know RAM users, groups, roles, policies, MFA, SSO, STS, and Resource Directory. |
| Host Security | 24% | Invest heavily in Security Center, Bastionhost, ActionTrail, Log Service, and Cloud Config. |
| Data Security | 22% | Connect KMS, Secrets Manager, OSS encryption, RDS TDE, SDDP, and certificate use cases. |
| Network Security and Threat Mitigation | 28% | Prioritize VPC controls, security groups, network ACLs, Cloud Firewall, WAF, and Anti-DDoS. |
The three largest modules (Network, Host, Data) together account for 74% of the score. A candidate who masters those three and is merely competent on IAM and Basics is already positioned to pass. By contrast, over-investing in the 8% Basics module is a common time sink.
Time Budget and Test-Taking Strategy
With 50 questions in 90 minutes you have about 1.8 minutes per item. A workable plan:
- Pass 1 (0-60 min): Answer every question you can resolve in under 60 seconds; flag anything that needs scratch reasoning.
- Pass 2 (60-85 min): Return to flagged items; eliminate two distractors first, then choose the most specific, least-privilege answer.
- Pass 3 (85-90 min): Confirm no question is left blank — there is no penalty for guessing, so an educated guess always beats an empty answer.
Common Traps
- Treating CSA-C01 as the old ACA exam and studying retired service names.
- Assuming the passing score is a simple 35/50 count — items are point-weighted to 100.
- Skipping multi-select questions that require all correct options; partial credit is not guaranteed.
How the Exam Asks Questions
CSA-C01 is scenario-driven, not a vocabulary quiz. A typical item describes a workload, a threat, or an operations problem and asks which Alibaba Cloud control best fits. The hard part is rarely recalling that a service exists — it is choosing between two services that overlap. Build a mental decision table for the lookalike pairs you will be tested on:
| If the scenario emphasizes... | Choose | Not |
|---|---|---|
| Layer-7 web application attacks (SQL injection, XSS) | Web Application Firewall (WAF) | Cloud Firewall |
| East-west and north-south traffic control with IPS | Cloud Firewall | Security group only |
| Volumetric DDoS flood absorption | Anti-DDoS | WAF |
| Host intrusion detection, vulnerability scanning | Security Center | ActionTrail |
| Recording who called which API and when | ActionTrail | Log Service |
| Centralized log search and retention | Log Service (SLS) | ActionTrail |
| Auditing resource configuration drift | Cloud Config | Security Center |
| Privileged operations/maintenance access to hosts | Bastionhost | RAM alone |
Registration and ID Logistics
Because CSA-C01 runs on Pearson VUE, plan the operational details, not just content. For an OnVUE online-proctored sitting you need a quiet, private room, a clear desk, a government photo ID matching your registration name, and a system check run in advance. For a test center, arrive 15 minutes early with the same ID. The exam is offered in English only. Remember the 14-day waiting period before a retake if you do not pass on the first attempt: two attempts in quick succession are not possible, so a real second-attempt plan matters.
Building Your Study Roadmap
A balanced 4-to-6 week plan: weeks 1-2 cover Network and Host (the two heaviest modules) with hands-on console time in a free-tier account; week 3 covers Data Security and KMS; week 4 covers IAM/RAM and Basics; the final week is full-length timed practice at 50 questions in 90 minutes to calibrate pacing. Reserve at least two timed mock runs so the 1.8-minute-per-question rhythm becomes automatic.
A candidate has two weeks left and has already reviewed every CSA-C01 module once. Which second-pass plan best follows the official outline weights?
Which statement correctly describes the current Alibaba Cloud associate security exam path and logistics?