Firewall, IAM, Log, and Risk PBQ Mini-Labs
Key Takeaways
- Firewall PBQs test source, destination, protocol, direction, and rule order, ending in an implicit deny.
- IAM PBQs reward least privilege, separation of duties, MFA, PAM, and joiner-mover-leaver lifecycle cleanup.
- Log PBQs require correlation across identity, endpoint, network, and time fields before choosing an action.
- Risk PBQs require matching asset, threat, vulnerability, likelihood, impact, treatment, owner, and residual risk.
- End every mini-lab by writing the secure end state and the reason before checking the answer.
How to Use These Labs
Run these as final-week drills. For each one, write the end state and your reasoning before reading the fix. The goal is to rehearse how the exam thinks: apply secure defaults, meet the stated business need, preserve evidence, and avoid unnecessary exposure.
Lab 1: Firewall Rule Cleanup
Scenario: a small retailer runs a public web server, an application server, a database server, and an admin jump box.
Required business flows: customers reach the website over HTTPS; the web server reaches the app server; the app server queries the database; administrators manage servers only through the jump box; monitoring sends logs to the SIEM collector.
Candidate rule set:
| Rule | Source | Destination | Service | Action |
|---|---|---|---|---|
| 1 | Internet | Web server | TCP 443 | Allow |
| 2 | Internet | Database server | TCP 3306 | Allow |
| 3 | Admin subnet | Jump box | TCP 22 | Allow |
| 4 | Jump box | Servers | TCP 22, 3389 | Allow |
| 5 | Servers | SIEM | Syslog 514 | Allow |
| 6 | Any | Any | Any | Deny |
Fix: delete or deny rule 2. The database must not be Internet-reachable. The intended flow is app server to database on TCP 3306 only, so replace rule 2 with App server -> Database, TCP 3306, Allow. Keep the explicit deny at the bottom and ensure specific allows sit above it; firewalls evaluate top-down and stop at the first match.
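To see why rule order and the bottom deny matter, here is a small first-match evaluator written for this page (added example, not part of the lab): it walks the candidate table top-down, stops at the first matching rule, and falls through to an implicit deny when nothing matches. The `ZONES` mapping, the `Servers` group membership, and the choice of UDP for syslog 514 are assumptions; the web-to-app flow is left unchecked because the lab gives no port for it. Running `audit()` on the candidate set reports exactly the lab's two problems (the Internet can reach the database, and the app tier cannot), and the fixed set reports none.

```python
"""First-match evaluator for the Lab 1 rule set (added example, not part of the lab)."""
from dataclasses import dataclass
from typing import Optional

# Membership used to match a host against a rule's Source/Destination field.
# Assumption: the "Servers" group covers the four internal hosts.
ZONES = {
    "Web server": {"Web server", "Servers"},
    "App server": {"App server", "Servers"},
    "Database server": {"Database server", "Servers"},
    "Jump box": {"Jump box", "Servers"},
    "Admin subnet": {"Admin subnet"},
    "Internet": {"Internet"},
    "SIEM": {"SIEM"},
}


@dataclass(frozen=True)
class Rule:
    number: int
    src: str
    dst: str
    services: Optional[frozenset]   # e.g. {"TCP/443"}; None means "Any"
    action: str


def tcp(*ports):
    return frozenset(f"TCP/{p}" for p in ports)


def _matches(field, host):
    return field == "Any" or field in ZONES[host]


def evaluate(rules, src, dst, service):
    """Walk the list top-down and stop at the first match.
    Returns (action, rule_number); ("Deny", None) is the implicit deny that
    applies when no rule matched."""
    for r in rules:
        if (_matches(r.src, src) and _matches(r.dst, dst)
                and (r.services is None or service in r.services)):
            return r.action, r.number
    return "Deny", None


# Candidate rule set from the lab. Syslog 514 is assumed to be UDP.
CANDIDATE = [
    Rule(1, "Internet", "Web server", tcp(443), "Allow"),
    Rule(2, "Internet", "Database server", tcp(3306), "Allow"),
    Rule(3, "Admin subnet", "Jump box", tcp(22), "Allow"),
    Rule(4, "Jump box", "Servers", tcp(22, 3389), "Allow"),
    Rule(5, "Servers", "SIEM", frozenset({"UDP/514"}), "Allow"),
    Rule(6, "Any", "Any", None, "Deny"),
]

# The lab's fix: rule 2 becomes App server -> Database server, TCP 3306.
FIXED = [Rule(2, "App server", "Database server", tcp(3306), "Allow")
         if r.number == 2 else r for r in CANDIDATE]

# Expectations derived from the stated business flows. The web-to-app port is
# not given in the lab, so that flow is not checked here.
EXPECTED = [
    ("Internet", "Web server", "TCP/443", "Allow"),
    ("App server", "Database server", "TCP/3306", "Allow"),
    ("Admin subnet", "Jump box", "TCP/22", "Allow"),
    ("Jump box", "Database server", "TCP/22", "Allow"),
    ("Web server", "SIEM", "UDP/514", "Allow"),
    ("Internet", "Database server", "TCP/3306", "Deny"),    # never Internet-reachable
    ("Internet", "Jump box", "TCP/22", "Deny"),             # admin access only from the admin subnet
    ("Web server", "Database server", "TCP/3306", "Deny"),  # only the app tier talks to the DB
]


def audit(rules, expected=EXPECTED):
    """Return (src, dst, service, got, rule_number) for each expectation the set violates."""
    failures = []
    for src, dst, svc, want in expected:
        got, num = evaluate(rules, src, dst, svc)
        if got != want:
            failures.append((src, dst, svc, got, num))
    return failures


if __name__ == "__main__":
    for name, rules in (("candidate", CANDIDATE), ("fixed", FIXED)):
        print(name, audit(rules) or "every flow behaves as intended")
```

Two extra checks are worth trying by hand: move rule 6 to the top and every allow below it is shadowed, and drop rule 6 entirely and unmatched traffic is still denied, which is the implicit deny the exam expects you to name.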
Lab 2: IAM Least Privilege and Separation of Duties
Scenario: a payroll clerk enters time corrections but must not approve payroll runs; a payroll manager approves runs but should not change bank records; a help desk analyst resets passwords but should not grant finance roles.
| Role | Allowed | Not allowed |
|---|---|---|
| Payroll clerk | Create/edit time corrections | Approve payroll run |
| Payroll manager | Approve payroll run | Change employee bank account |
| HR records specialist | Update bank account after verification | Approve payroll run |
| Help desk analyst | Reset password after identity check | Add finance or payroll roles |
Secure PBQ answer: assign users to role-based groups matching job duties, require MFA (multi-factor authentication) for payroll access, log privileged actions, and require a ticket or workflow approval for role changes. Splitting entry from approval is separation of duties; it prevents one person from both creating and authorizing a fraudulent payment. Do not grant a blanket "finance admin" role for convenience.
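The separation-of-duties rule can be expressed as a check that runs before any role change is applied. The following is an added example written for this page, not part of the lab: the role-to-permission map comes from the table above, the permission names, the "IAM admin" role and the blanket "Finance admin" role are constructed, and the toxic pairs are the combinations the "Not allowed" column forbids. `grant_role()` refuses a change that has no ticket or that would give one identity both halves of a toxic pair, which is the workflow gate the answer describes.

```python
"""Separation-of-duties check for the Lab 2 roles (added example, not part of the lab)."""

# Permissions each role grants, taken from the lab's table. Permission names
# and the "IAM admin" and "Finance admin" roles are constructed for this example.
ROLE_PERMISSIONS = {
    "Payroll clerk": {"time_correction.write"},
    "Payroll manager": {"payroll_run.approve"},
    "HR records specialist": {"bank_account.update"},
    "Help desk analyst": {"password.reset"},
    "IAM admin": {"role.grant"},
    # The blanket role the lab warns against: everything payroll in one identity.
    "Finance admin": {"time_correction.write", "payroll_run.approve", "bank_account.update"},
}

# Pairs of permissions that must never meet in one identity, derived from the
# lab's "Not allowed" column. Each entry is (permission pair, why it is toxic).
TOXIC_PAIRS = [
    ({"time_correction.write", "payroll_run.approve"}, "enters and approves the same payroll run"),
    ({"payroll_run.approve", "bank_account.update"}, "approves payouts and controls where they land"),
    ({"password.reset", "role.grant"}, "can take over an account and then elevate it"),
]


def effective_permissions(roles):
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_conflicts(roles):
    """Return the reason for every toxic pair present in the combined role set."""
    perms = effective_permissions(roles)
    return [why for pair, why in TOXIC_PAIRS if pair <= perms]


def grant_role(assignments, user, role, ticket=None):
    """Apply a role change only when it is ticketed and leaves the user free of
    SoD conflicts. Returns (granted, reason) and mutates assignments on success."""
    if not ticket:
        return False, "refused: no change ticket or workflow approval"
    proposed = set(assignments.get(user, set())) | {role}
    conflicts = sod_conflicts(proposed)
    if conflicts:
        return False, "refused: " + "; ".join(conflicts)
    assignments.setdefault(user, set()).add(role)
    return True, "granted under " + ticket


if __name__ == "__main__":
    users = {"bsmith": {"Payroll clerk"}}
    print(grant_role(users, "bsmith", "Payroll manager", ticket="CHG-1042"))
    print(sod_conflicts({"Finance admin"}))
```

Note that the blanket role fails two toxic-pair checks on its own, which is the concrete reason "finance admin for convenience" is the wrong PBQ answer.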
Lab 3: Cloud Log Triage
Review the events:
2026-04-29T09:10:03Z idp user=ajones result=success mfa=push source_ip=198.51.100.42 device=new
2026-04-29T09:12:44Z cloud user=ajones action=CreateAccessKey result=success
2026-04-29T09:15:01Z cloud user=ajones action=AttachAdminPolicy target=ajones result=success
2026-04-29T09:17:28Z proxy user=ajones dst=storage-sync-example.net bytes_out=734003200 action=allow
| Finding | Reason |
|---|---|
| New-device login then access-key creation | Possible compromise and persistence setup |
| Self-attached admin policy | Privilege escalation |
| ~700 MB outbound transfer | Possible data exfiltration |
| Same user across all events | Correlation raises severity |
Best next actions: contain the account, revoke the new access key and active sessions, preserve the logs, validate whether the activity was approved (change ticket?), then scope affected resources. MFA succeeding does not clear the account: push fatigue, phishing-relay, or coercion can produce a legitimate-looking approval.
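The correlation step in this lab is mechanical enough to script. Below is an added example (not part of the lab) that parses the four events above, groups them by user, and applies the three findings from the table: a successful new-device login followed within a window by access-key creation, a policy attached to the actor's own identity, and an outbound transfer over a size threshold. The 30-minute window, the 500 MiB threshold, and the benign `bsmith` comparison events are constructed; severity is raised to high only when several findings land on one identity inside the window, which is the "same user across all events" point.

```python
"""Correlates the Lab 3 events by user and time (added example, not part of the lab)."""
from datetime import datetime, timedelta

# The four events from the lab, verbatim.
LAB_EVENTS = [
    "2026-04-29T09:10:03Z idp user=ajones result=success mfa=push source_ip=198.51.100.42 device=new",
    "2026-04-29T09:12:44Z cloud user=ajones action=CreateAccessKey result=success",
    "2026-04-29T09:15:01Z cloud user=ajones action=AttachAdminPolicy target=ajones result=success",
    "2026-04-29T09:17:28Z proxy user=ajones dst=storage-sync-example.net bytes_out=734003200 action=allow",
]

# Constructed benign activity for comparison: known device, no key creation, small transfer.
BENIGN_EVENTS = [
    "2026-04-29T10:00:00Z idp user=bsmith result=success mfa=push source_ip=203.0.113.9 device=known",
    "2026-04-29T10:05:00Z proxy user=bsmith dst=storage-sync-example.net bytes_out=2048 action=allow",
]

EXFIL_THRESHOLD = 500 * 1024 * 1024   # constructed threshold; tune per environment
WINDOW = timedelta(minutes=30)        # constructed correlation window


def parse(line):
    """Split '<ts> <source> k=v k=v ...' into a dict with a timezone-aware timestamp."""
    ts, source, rest = line.split(" ", 2)
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "source": source}
    event.update(kv.split("=", 1) for kv in rest.split())
    return event


def triage(lines, window=WINDOW):
    """Return {user: {"findings": [...], "severity": "none"|"medium"|"high"}}."""
    events = sorted((parse(ln) for ln in lines), key=lambda e: e["ts"])
    by_user = {}
    for e in events:
        by_user.setdefault(e.get("user", "?"), []).append(e)

    report = {}
    for user, evs in by_user.items():
        new_device = [e["ts"] for e in evs
                      if e["source"] == "idp" and e.get("result") == "success"
                      and e.get("device") == "new"]
        findings, flagged = [], []
        for e in evs:
            hit = None
            if (e.get("action") == "CreateAccessKey"
                    and any(timedelta(0) <= e["ts"] - t <= window for t in new_device)):
                hit = "new-device login followed by access-key creation (persistence)"
            elif e.get("action") == "AttachAdminPolicy" and e.get("target") == user:
                hit = "self-attached admin policy (privilege escalation)"
            elif e["source"] == "proxy" and int(e.get("bytes_out", 0)) >= EXFIL_THRESHOLD:
                hit = f"{int(e['bytes_out']) // 2**20} MiB outbound (possible exfiltration)"
            if hit:
                findings.append(hit)
                flagged.append(e["ts"])
        # Correlation raises severity: several findings on one identity inside the window.
        if len(findings) >= 2 and flagged[-1] - flagged[0] <= window:
            severity = "high"
        elif findings:
            severity = "medium"
        else:
            severity = "none"
        report[user] = {"findings": findings, "severity": severity}
    return report


if __name__ == "__main__":
    for user, result in triage(LAB_EVENTS + BENIGN_EVENTS).items():
        print(user, result["severity"], *result["findings"], sep="\n  ")
```

Each finding on its own would only be medium; it is the sequence on one identity within minutes that makes this a containment case rather than a ticket to ask about later.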
Lab 4: Risk Register PBQ
Scenario: a clinic keeps an unsupported imaging workstation because replacing it requires vendor revalidation. It stores patient images locally and connects to the internal network.
| Risk field | Good entry |
|---|---|
| Asset | Imaging workstation IMG-07 |
| Threat | Malware, unauthorized access, data loss |
| Vulnerability | Unsupported OS, local sensitive data |
| Impact | Patient data exposure, clinical disruption |
| Likelihood | Medium-to-high if broadly connected |
| Treatment | Mitigate: segment, restrict access, back up, monitor, plan replacement |
| Owner | Clinical technology manager or named system owner |
| Residual risk | Risk remaining after compensating controls until replacement |
Because replacement is blocked, the correct treatment is mitigation with compensating controls (network segmentation, access restriction, monitoring) plus a documented replacement plan, not risk acceptance. Risk acceptance requires documented approval from the asset owner; a single firewall rule does not eliminate the risk.
How to Grade Yourself
After each lab, ask:
- Did I meet the business requirement without over-permitting?
- Did I choose secure protocols and controlled paths?
- Did I preserve or use evidence before destructive change?
- Did I assign an owner and residual risk where governance was required?
If your answer would make an auditor, incident handler, or network engineer ask "who approved this and why is it so broad," tighten it.
Why These Four Lab Types Cover the Exam
These four labs are not random; they map to the highest-yield PBQ formats CompTIA reuses. Firewall labs test Domain 3 (Architecture) and Domain 4 (Operations) by checking whether you can read source, destination, protocol, direction, and rule order, and whether you remember that firewalls match top-down and stop at the first hit. IAM labs test access control depth: role-based access control (RBAC), separation of duties, least privilege, and the joiner-mover-leaver lifecycle. Log labs test correlation, the core analyst skill in Domain 4, where the trick is joining four ordinary-looking lines into one attack narrative.
Risk labs test Domain 5 (Program Management) governance vocabulary, where the trap is treating risk as eliminated rather than mitigated, or accepting risk with no documented owner.
A good final-week rhythm is to run one of each lab type per session, write the end state from memory, then check against the explanation. Score yourself on the reasoning, not just the final selection: a correct answer reached by the wrong logic will not transfer to a slightly different stem on exam day. If you find yourself opening broad any-any rules, granting blanket admin roles, deleting logs, or accepting risk without approval, those are the exact reflexes the PBQs are built to punish.
Quick Check
- In the firewall mini-lab, which rule is the clearest problem?
- The log triage shows a new-device login, access-key creation, a self-attached admin policy, and a ~700 MB outbound transfer. Which actions are appropriate? Select three.
- A payroll clerk may enter time corrections but may not approve payroll runs. Which principle is most directly applied?