Limited Time Offer: Use code CERTLABS10Copied! for 10% off your first subscription!
HomeBlog › Free CompTIA Cloud+ Practice Test
Cloud+Free Practice Test By Edward Norton · May 4, 2026 · 11 min read

Free CompTIA Cloud+ Practice Test (CV0-004) 2026

Test your cloud computing knowledge with free Cloud+ practice questions covering architecture, security, deployment, operations, and troubleshooting.

0Max Questions
0Passing Score (/900)
0Minutes
0Years Valid

The CompTIA Cloud+ (CV0-004) validates skills in cloud infrastructure services including deployment, security, networking, and troubleshooting across multi-cloud environments. It is vendor-neutral and covers AWS, Azure, and GCP concepts equally. Download the official CompTIA Cloud+ Exam Objectives for the full domain breakdown.

CompTIA Cloud+ certification badge
CompTIA Cloud+ validates multi-cloud infrastructure and deployment skills

Cloud+ Practice Quiz

Score:0 / 0 (10 questions total)
Cloud Architecture

1. The fixed fleet shown below is dropping requests during peak load while wasting capacity overnight. Which NIST cloud characteristic, when properly implemented, would address BOTH the 99% peak saturation and the off-hours waste?

AWS CloudWatch — EC2 Fleet Utilization (24h)
Time (UTC)Active UsersEC2 InstancesAvg CPU %Cost/hr
02:001201211%$1.44
09:004,8001294%$1.44
13:009,20012ALARM 99%$1.44
22:003401214%$1.44
  • A Measured service
  • B Resource pooling
  • C Rapid elasticity
  • D Broad network access

Right answer (C): Rapid elasticity (NIST SP 800-145) provisions and releases capacity automatically based on demand. An auto-scaling group tied to CPU CloudWatch alarms would scale OUT past 12 instances at 13:00 and scale IN to 2-3 overnight, fixing both saturation and waste.

Wrong answers:

  • A): Measured service is the metering/billing characteristic that produces the cost column - it reports usage but does not change capacity.
  • B): Resource pooling is the multi-tenant abstraction the provider uses internally; it does not adjust your fleet size.
  • D): Broad network access means the service is reachable over standard networks and clients - irrelevant to right-sizing capacity.

2. The diagram below shows production app tiers in AWS while the regulated HRIS database and file shares remain on-premises, connected via Direct Connect. Which deployment model BEST describes this architecture?

Internet Public ALB VPC us-east-1 (AWS) AZ-1a app x3 AZ-1b app x3 Aurora primary Aurora replica Direct Connect On-Prem DC HRIS DB (PII) File Shares
  • A Public cloud only
  • B Hybrid cloud
  • C Community cloud
  • D Multi-cloud

Right answer (B): Hybrid cloud combines on-premises infrastructure with public cloud, bound together by orchestration or dedicated connectivity (Direct Connect / ExpressRoute / Cloud Interconnect). The diagram is textbook hybrid: regulated data stays on-prem, elastic tiers run in AWS.

Wrong answers:

  • A): Public-only would have no on-prem component, but HRIS and file shares are explicitly on-prem.
  • C): Community cloud is shared between organizations with similar compliance needs - there is only one tenant here.
  • D): Multi-cloud requires two or more public providers (e.g., AWS + Azure); only AWS is shown.
Cloud Security

3. The IAM policy below gates access to a sensitive S3 bucket on identity, network location, MFA freshness, and device/session tags - re-validating every request. Which security model does this implementation MOST closely follow?

{ } finance-prod-policy.json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::finance-prod/*",
    "Condition": {
      "Bool": {"aws:MultiFactorAuthPresent": "true"},
      "IpAddress": {"aws:SourceIp": "10.0.0.0/16"},
      "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"},
      "StringEquals": {"aws:PrincipalTag/dept": "finance"}
    }
  }]
}
  • A Zero Trust
  • B Perimeter-based security
  • C Network segmentation only
  • D Implicit allow inside the VPC

Right answer (A): Zero Trust ("never trust, always verify") evaluates identity, device, location, and session attributes on every request. The conditions block - MFA presence, MFA age, source IP, and principal tag - is a canonical Zero Trust enforcement point.

Wrong answers:

  • B): Perimeter-based security trusts everything inside the boundary; this policy revalidates even from inside 10.0.0.0/16.
  • C): Segmentation alone is the SourceIp condition only - this policy adds identity, MFA, and tags.
  • D): Implicit allow is the opposite of what this policy does; access is denied unless every condition is met.

4. The Terraform shown below configures an S3 bucket holding regulated audit logs. Which protection does the SSE-KMS configuration provide, and what does it NOT protect against by itself?

{} s3_encryption.tf
resource "aws_s3_bucket" "logs" {
  bucket = "acme-audit-logs"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.cmk.arn
    }
    bucket_key_enabled = true
  }
}
  • A Encryption in transit between S3 and clients
  • B Tokenization of PII fields inside the log records
  • C Hash-based integrity verification of objects
  • D Encryption at rest using a customer-managed KMS key

Right answer (D): The block configures SSE-KMS with a customer-managed key (CMK), which is encryption at rest. TLS in transit is enforced separately (via bucket policy denying aws:SecureTransport=false), and tokenization/hashing are application-layer concerns.

Wrong answers:

  • A): In-transit encryption requires TLS / aws:SecureTransport conditions, which are not in this resource.
  • B): Tokenization replaces sensitive values with non-sensitive surrogates and is not what SSE-KMS does.
  • C): Object integrity (ETag/MD5/SHA-256) is metadata; SSE encrypts but does not by itself verify integrity.
Cloud Deployment

5. 3 Terraform files like the one shown below define the VPC, subnets, ASG, and ALB for a new environment, version-controlled in Git and applied via CI. Which approach BEST describes this practice?

{} main.tf
resource "aws_vpc" "prod" {
  cidr_block = "10.20.0.0/16"
}

resource "aws_subnet" "app" {
  count             = 3
  vpc_id            = aws_vpc.prod.id
  cidr_block        = cidrsubnet(aws_vpc.prod.cidr_block, 4, count.index)
  availability_zone = data.aws_availability_zones.az.names[count.index]
}

resource "aws_autoscaling_group" "app" {
  min_size            = 3
  max_size            = 30
  vpc_zone_identifier = aws_subnet.app[*].id
  launch_template { id = aws_launch_template.app.id }
}
  • A Configuration management (Ansible/Chef/Puppet)
  • B Infrastructure as Code (IaC)
  • C Continuous integration only
  • D Platform as a Service (PaaS)

Right answer (B): IaC defines infrastructure (VPCs, subnets, ASGs, security groups) declaratively in code that is versioned and applied repeatably. Terraform is the canonical IaC tool; CloudFormation, Bicep, and Pulumi are equivalents.

Wrong answers:

  • A): Configuration management (Ansible, Chef, Puppet) configures inside existing servers; it does not provision VPCs or ASGs.
  • C): CI is the pipeline that runs terraform plan/apply, not the act of defining infrastructure as code.
  • D): PaaS is a service consumption model (App Service, App Engine), not a way of writing infrastructure definitions.

6. Acme migrates 80 legacy Windows VMs from VMware to EC2 by exporting OVAs and importing them with the AWS VM Import/Export service - no OS, app, or architecture changes are made. Which migration strategy from the table below applies?

📊 migration-strategy-6Rs.xlsx
Strategy (Gartner 6 R's)What changesEffortCloud-native benefit
RehostMove VM image as-isLowLow
ReplatformMinor tweaks (managed DB)Low-MedMedium
RefactorRe-architect to microservices/serverlessHighHigh
RepurchaseReplace with SaaSMedVendor-managed
RetireDecommissionLowN/A
RetainKeep on-prem for nowNoneNone
  • A Rehost (lift and shift)
  • B Refactor (re-architect)
  • C Repurchase
  • D Retire

Right answer (A): Rehosting (lift and shift) moves workloads to the cloud with minimal changes - exactly what VM Import/Export of unmodified OVAs accomplishes. It is the fastest path but captures the least cloud-native value.

Wrong answers:

  • B): Refactor would mean rewriting the apps to containers, microservices, or serverless - the scenario explicitly says no app changes.
  • C): Repurchase replaces the workload with SaaS (e.g., on-prem Exchange to M365); the VMs are still VMs here.
  • D): Retire decommissions; nothing is being decommissioned, all 80 VMs are migrated.
Operations & Support

7. The architecture shown below must remain available even if AZ-1a is completely lost. Which design property is providing that guarantee?

AWS Console — Architecture Review (us-east-1)
Region: us-east-1 AZ-1a (subnet) ASG: app x3 AZ-1b (subnet) ASG: app x3 AZ-1c (subnet) ASG: app x3 Application Load Balancer health: HTTP /healthz 200 cross-zone load balancing: ON RDS Multi-AZ primary: AZ-1a • standby: AZ-1b
  • A Vertical scaling within a single AZ
  • B Daily backups stored in the same AZ
  • C Multi-AZ deployment with cross-zone load balancing and Multi-AZ RDS
  • D Larger EC2 instance sizes

Right answer (C): Distributing the ASG across three AZs and using Multi-AZ RDS means the loss of AZ-1a removes 1/3 of the app capacity and triggers an automatic RDS failover to the 1b standby - the service stays up.

Wrong answers:

  • A): Vertical scaling makes a single instance bigger; if its AZ fails, the instance fails with it.
  • B): Same-AZ backups vanish or become unreachable along with the AZ.
  • D): Bigger instances do nothing for AZ-level fault tolerance - they share fate with the AZ they run in.

8. The CloudWatch readings below are from a production RDS instance during business hours. Which signals BEST justify scaling the database vertically (or moving to a larger class)?

AWS CloudWatch — RDS Metrics (prod-db-1, 5-min avg)
Metric (CloudWatch, 5-min avg)ReadingThreshold
CPUUtilization92%<75%
DatabaseConnections180<200
ReadLatency340 ms<25 ms
WriteLatency290 ms<25 ms
FreeableMemory120 MB>1 GB
NetworkRulesCount (SG)14n/a
  • A NetworkRulesCount on the security group
  • B Sustained CPU 92%, ReadLatency 340 ms, FreeableMemory 120 MB
  • C Number of IAM users with rds:Connect
  • D Route 53 DNS resolution time

Right answer (B): Sustained high CPU, latency 10x+ above threshold, and freeable memory near zero are textbook capacity exhaustion - the instance is undersized for the workload and needs more vCPU/RAM (or read replicas to offload reads).

Wrong answers:

  • A): Security-group rule count is a configuration metric and does not indicate compute pressure.
  • C): IAM user count is governance, not capacity.
  • D): DNS lookup time measures Route 53/resolver behavior, not RDS load.
Troubleshooting

9. Users report intermittent 504 Gateway Timeout errors. Application logs are clean, but the ALB logs and target health shown below tell a clear story. What should be checked FIRST?

ops@cloud-shell: ~ — bash 
ALB access log (excerpt)
2026-05-04T13:42:11Z 504 - target_status_code:- target_processing_time:30.001
2026-05-04T13:42:14Z 504 - target_status_code:- target_processing_time:30.000
2026-05-04T13:42:18Z 200 - target_status_code:200 target_processing_time:0.182

ALB target group health:
  i-0a11... AZ-1a healthy
  i-0b22... AZ-1b unhealthy   reason: HTTP 5xx on /healthz
  i-0c33... AZ-1c unhealthy   reason: Request timed out

App container logs: no errors, no exceptions, normal startup messages.
  • A SSL/TLS certificate expiration on the ALB
  • B Public DNS propagation for the ALB hostname
  • C Application source code for logic bugs
  • D Load balancer health checks and the unhealthy backend targets

Right answer (D): 504 means the LB could not get a response from a backend in time. Two of three targets are unhealthy and the 30-second target_processing_time matches the idle timeout - the issue is at the backend / health-check layer, not the app code.

Wrong answers:

  • A): Cert expiration produces 502 / SSL handshake errors, not 504 timeouts.
  • B): DNS issues produce NXDOMAIN or no connection - not intermittent timeouts after a successful connection.
  • C): App logs are clean and a third instance returns 200 successfully - the code path works.

10. The instance shows "running" with 2/2 status checks passing, but SSH times out. Given the security group rules shown below, what is the MOST likely cause?

AWS EC2 — Security Group: sg-0a1b2c (web-app-sg) — Inbound Rules
TypeProtocolPortSource
InboundTCP4430.0.0.0/0
InboundTCP800.0.0.0/0
InboundICMPAll10.0.0.0/16
OutboundAllAll0.0.0.0/0
admin@workstation: ~ — bash 
EC2 console: instance i-0d44... state = running, status checks 2/2 OK
$ ssh ec2-user@54.x.y.z
ssh: connect to host 54.x.y.z port 22: Operation timed out
  • A The security group has no inbound rule for TCP/22, so SSH is blocked
  • B The VM's operating system was deleted
  • C The entire us-east-1 region is offline
  • D The hypervisor's CPU is overheating

Right answer (A): The rule table opens 80, 443, and ICMP, but TCP/22 is missing - so inbound SSH is implicitly denied. Status checks pass because the OS is healthy; only the firewall is the problem. Add an inbound rule allowing TCP/22 from your admin CIDR.

Wrong answers:

  • B): A deleted OS would fail the instance status check (1/2), not pass 2/2.
  • C): If the region were offline, the EC2 console itself would be inaccessible.
  • D): Hypervisor thermal events are extremely rare on managed cloud hardware and would surface as instance retirement or impaired status, not pass 2/2.

Quiz Complete!

0/10

Here's how you performed across Cloud+ domains:

0/2Architecture
0/2Security
0/2Deployment
0/2Operations
0/2Troubleshoot

Pass CompTIA Cloud+ on your first attempt!!

Just $10/month

Get 90+ full-length practice questions, hands-on labs, and PBQs.

Start Practicing Now

Cloud+ Domain Weights (CV0-004)

Cloud Architecture & Design26%
Security22%
Deployment22%
Operations & Support18%
Troubleshooting12%

Pass CompTIA Cloud+ on Your First Attempt!!

Get complete practice with 90+ questions, hands-on cloud labs, PBQs, and detailed domain breakdowns. An investment worth making!

Just $10/month
Get Full Practice Exams

Free Cloud+ Flashcards

1 / 5

What are the five essential characteristics of cloud computing (per NIST)?

Click to flip

On-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Defined in NIST SP 800-145.

Frequently Asked Questions

The Cloud+ (CV0-004) passing score is 750 on a 100-900 scale. The exam includes up to 90 questions with a 90-minute time limit.

Cloud+ is valuable for IT professionals managing multi-cloud environments who need a vendor-neutral credential. It is DoD 8140 approved and validates practical cloud infrastructure skills.

Cloud+ is vendor-neutral covering all major providers, while AWS SAA is AWS-specific. Cloud+ focuses on infrastructure operations, while SAA emphasizes architectural design. Many hold both.

CompTIA recommends 2-3 years of IT experience with system administration and networking knowledge. Hands-on experience with at least one cloud platform is strongly recommended.

The Cloud+ exam voucher costs approximately $369 USD. CompTIA offers bundles with retake vouchers and training materials at a discount.

Yes, Cloud+ includes performance-based questions simulating real scenarios like configuring cloud services, troubleshooting connectivity, or analyzing log output.

Cloud+ is valid for three years. Renewal requires 50 CEUs through CompTIA's Continuing Education program or passing a higher-level CompTIA certification.

Cloud+ qualifies you for cloud engineer, cloud administrator, systems administrator, DevOps engineer, and cloud consultant roles. Salaries range from $75,000 to $110,000.

Cloud+ provides vendor-neutral fundamentals that make vendor-specific certs easier. If you work multi-cloud, start with Cloud+. If single-vendor, a vendor cert may be more practical.

Key tools include Terraform for IaC, Ansible for config management, Docker for containers, Kubernetes for orchestration, and cloud-native monitoring like CloudWatch and Azure Monitor.

Yes, no mandatory prerequisites exist. However, networking fundamentals are essential since cloud infrastructure relies heavily on VPCs, subnets, routing, DNS, and load balancing.

CertLabz offers full-length Cloud+ practice exams with 90+ questions, virtual cloud labs, PBQ simulations, domain breakdowns with progress tracking, and flashcards. Plans start at $10/month.

Related Articles

Security+

Free CompTIA Security+ Practice Test (SY0-701)

 Linux+

Free CompTIA Linux+ Practice Test (XK0-005)

 A+

Free CompTIA A+ Practice Test (Core 1 & Core 2)
Start Free Trial See Pricing Free Certificates