Digital Forensics: Cloud Security and Cloud Forensics Advanced

Advanced FACT-style drill on cloud security and cloud forensics, calibrated to the hardest band of the syllabus. Thirty single-best-answer items on IAM evaluation precedence with explicit Deny, AWS condition keys including aws:PrincipalArn, aws:SourceArn, aws:SourceAccount, kms:ViaService and kms:GrantOperations, the iam:PassRole + iam:CreatePolicyVersion + iam:SetDefaultPolicyVersion privilege escalation chain, sts:AssumeRole session principal ARN parsing, CloudTrail ConsoleLogin mfaUsed and eventCategory filters, VPC Flow Log version 5 pkt-srcaddr and tcp-flags bitmask reading, KMS GenerateDataKey family selection and KeyUsage SIGN_VERIFY vs ENCRYPT_DECRYPT, S3 server-side encryption header values including aws:kms:dsse for DSSE-KMS, S3 Object Lock GOVERNANCE vs COMPLIANCE retention, Azure RBAC scope inheritance and Diagnostic Settings AuditEvent, GCP Audit Logs Admin Activity vs Data Access defaults, EKS IRSA AssumeRoleWithWebIdentity flow, Kubernetes audit policy stages RequestReceived to ResponseComplete, NIST SP 800-61 Rev 2 IR phases, CLOUD Act 2018 Section 103 extra-territorial reach, India-US MLAT routing with DPDP Act 2023 Section 16, IT Rules 2021 Rule 4(2) SSMI traceability, SAML 2.0 Subject vs OIDC sub claim and SAML AuthnContextClassRef vs OIDC acr, mTLS at NLB passthrough vs ALB vs API Gateway, CloudTrail log file validation digest schema, and BYOK vs HYOK vs AWS KMS External Key Store.

Built for FACT aspirants, NFSU MSc Digital Forensics candidates, GCFA cloud-evidence pathways, SANS FOR509 prep, and AWS Certified Security Specialty candidates who want the hard-band differentiation between near-twin AWS, Azure, and GCP concepts. Every option set differs from the correct answer on a single parameter, so partial recall of the topic will not be enough to score well.

Topics covered:

• IAM policy evaluation: explicit Deny, cross-account two-way grant, condition keys
• Privilege escalation chains via iam:PassRole and IAM policy versioning
• CloudTrail event reading: AssumeRole session principal, ConsoleLogin, eventCategory
• VPC Flow Log version 5 fields: pkt-srcaddr, pkt-dstaddr, tcp-flags bitmask
• KMS API family, KeyUsage values, condition keys, grant tokens, XKS
• S3 SSE header values, DSSE-KMS, Object Lock COMPLIANCE vs GOVERNANCE
• Azure RBAC inheritance, GCP Audit Log defaults, EKS IRSA, Kubernetes audit stages
• Indian and cross-border law: CLOUD Act 2018, DPDP Act 2023 Section 16, IT Rules 2021 Rule 4(2)

This hard-band mock is calibrated for one-parameter discrimination, which is why every option in every item sits at the same level of abstraction and the same canonical form. Allow 30 minutes.