CrowdStrike CCCS-203b CrowdStrike Certified Cloud Specialist Exam Practice Test

InCrowdStrike Falcon Cloud Security, preventing a container process from altering its expected behavior is achieved throughcontainer drift preventionenforced by theFalcon Linux sensorat runtime.

Container drift occurs when a running container deviates from its original image state, such as when new binaries are written, files are modified, or unexpected processes execute. Drift is a strong indicator of compromise, misconfiguration, or malicious activity.

By enablingcontainer drift prevention on the Linux sensor, Falcon enforcesruntime immutability, ensuring that containers only execute binaries and processes that were present at image build time. Any unauthorized modifications or executions are either detected or actively blocked, depending on policy configuration.

Creating a custom IOA is not the most effective approach because IOAs are reactive and behavior-based rather than enforcing immutability. The Kubernetes Admission Controller operates at deployment time, not runtime, and cannot prevent post-deployment process changes. Image Assessment policies only affect image deployment decisions and do not control runtime behavior.

Therefore,Option Ais correct because container drift prevention is specifically designed toprotect runtime container integrity, ensuring containers behave exactly as expected throughout their lifecycle.

To identifyremediable vulnerabilities in running containers, CrowdStrike Falcon Cloud Security recommends filteringimage vulnerabilities by container running status and remediation. This approach correlates container runtime state with image assessment results, allowing security teams to focus on vulnerabilities that are bothpresent in images and actively impacting running workloads.

Image vulnerability findings include remediation metadata such as fixed versions, patch availability, and upgrade paths. By filtering oncontainer running status, you ensure that attention is limited to vulnerabilities that pose immediate risk rather than those in dormant or unused images. Adding theremediation filterfurther refines results to show only vulnerabilities that can realistically be addressed, helping teams prioritize efficiently.

Other options are incorrect because container assets and detections focus on runtime behavior, not vulnerability remediation context. Image detections relate to malware or suspicious artifacts, not CVEs.

This filtering method aligns with CrowdStrike best practices for vulnerability prioritization by combiningruntime relevance and remediation feasibility, making optionCthe correct answer.

To identify issues related to anoverprivileged cloud identity, CrowdStrike Falcon Cloud Security directs users toCloud Indicators of Misconfiguration (CIM). These indicators focus specifically on risky configurations, including excessive permissions, overly broad IAM roles, and violations of least-privilege principles.

By filtering Cloud Indicators of Misconfiguration for the specific identity, security teams can quickly identify misaligned permissions such as wildcard actions, unused privileges, or access that exceeds the role’s intended function. This view is purpose-built for identifying configuration risk—not active attacks or behavioral anomalies.

Cloud Indicators of Attack (CIA)are used to detect suspicious or malicious activity, not static permission risk.Investigate User Searchfocuses on observed behavior rather than permission design.Falcon Users Roles and Permissionsapplies to Falcon console access, not cloud-provider IAM identities.

Therefore, the correct and CrowdStrike-aligned approach is to reviewCloud Indicators of Misconfigurationfor the identity in question.

When creating an Image Assessment policy exclusion in CrowdStrike Falcon Cloud Security, the recommended and most precise method to temporarily suppress a specific CVE isVulnerability ID & Exclude until 14 days.

This approach allows security teams to explicitly reference a known CVE (for example, CVE-2024-XXXX) and suppress enforcement for a defined time window. The 14-day exclusion period is commonly used to allow development teams time to rebuild images, validate patches, or address dependency constraints without permanently weakening security posture.

Broad exclusions based on recently published vulnerabilities or packages can unintentionally suppress unrelated risk and increase exposure. Indefinite exclusions are discouraged unless there is a strong, documented business justification.

CrowdStrike documentation and best practices emphasizetime-bound, CVE-specific exclusionsto balance operational flexibility with security rigor. Therefore, the correct and recommended option isVulnerability ID & Exclude until 14 days.

According to CrowdStrike Falcon documentation regardingFalcon Cloud Security (FCS)andContainer Security, the method used to deploy sensors significantly impacts how updates are managed. When Linux hosts are part of a Kubernetes cluster and the Falcon sensor is deployed as aDaemonSet, the standard "Sensor Update Policy" configured in the Falcon Console does not automatically trigger a version change in the same way it does for a standard Windows or Linux workstation.

In aDaemonSet deployment, the sensor version is typically tied to the specificcontainer image tagor the version defined in theHelm chartor YAML manifest used during deployment. If the manifest specifies a static version or if the orchestration layer (Kubernetes) is not instructed to pull a newer image and rollout a restart of the DaemonSet pods, the hosts will remain on their current version regardless of the "n-2" policy set in the console.

Furthermore, CrowdStrike documentation notes that forLinux Sensor Update Policies, the "n-2" setting dictates which version isassignedto the host, but the mechanism of delivery must be supported. In containerized environments, the "Auto-update" feature is often bypassed by the immutable nature of the deployment. To resolve this, the administrator must update the DaemonSet configuration to point to the newer sensor image, allowing Kubernetes to perform a rolling update across the nodes.

Drift indicators in the Containers dashboard are used to identify containers performing activity that deviates from their original image configuration. Drift occurs when files, binaries, or processes appear in a running container that were not present in the image at build time.

CrowdStrike Falcon Cloud Security tracks this behavior to help identify compromised containers, unauthorized changes, or violations of immutability principles. Drift indicators are especially valuable in production environments where containers are expected to remain unchanged after deployment.

Alerts and container detections may signal malicious behavior, but drift indicators specifically highlight unexpected changes relative to the image baseline. Therefore, the correct answer is Drift indicators.

A commoncloud-conscious attacker techniqueused to remain hidden in a compromised environment isdisabling CloudTrail logging. AWS CloudTrail records API activity across an account, providing critical visibility into actions taken by users, roles, and services. By disabling or tampering with CloudTrail, attackers significantly reduce the likelihood of detection.

CrowdStrike Falcon Cloud Security classifies this behavior as a high-risk indicator because it directly impacts monitoring, forensics, and incident response. Without CloudTrail logs, security teams lose audit trails that are essential for identifying malicious actions such as privilege escalation, data exfiltration, or persistence mechanisms.

Other options represent misconfigurations or changes that may increase exposure but do not directly suppress visibility. For example, modifying storage networking or security groups increases attack surface, while adding certificates may support persistence—but none are as directly linked to stealth as disabling logging.

Therefore,CloudTrail logging disabledis the correct answer and a well-documented cloud attack tactic used to evade detection.

CrowdStrike recommends enablingDrift Preventionwhen container workloads have beendesigned to be immutable. Immutable infrastructure is a core cloud-native principle where containers are not modified after deployment. Any change to a running container—such as installing packages or modifying files—indicates potential misconfiguration or malicious activity.

Drift Prevention enforces this principle by blocking or alerting on runtime changes that deviate from the original container image. This makes it highly effective for production environments where containers should run exactly as built and deployed.

In development or testing environments, containers often change dynamically, making Drift Prevention impractical due to excessive false positives. Similarly, containers that must download or install packages at startup inherently require runtime modification and are not suitable candidates for Drift Prevention.

Enabling Drift Prevention at the wrong time can disrupt legitimate workloads. Therefore, CrowdStrike guidance clearly states that Drift Prevention should be enabledonly after workloads are intentionally designed to be immutable, making optionCthe correct answer.

CrowdStrike Falcon Cloud Security strongly recommends shifting securityleftin the development lifecycle by integratingimage assessment directly into the CI/CD pipeline. This approach ensures vulnerabilities are detectedduring the build process, before images are deployed into production environments.

By pushing container images to Falcon for assessment as part of CI/CD workflows, Falcon expands image layers, inventories binaries and OS packages, and evaluates vulnerabilities early. This enables development and security teams to remediate issues before deployment, reducing risk exposure and preventing vulnerable images from ever reaching runtime.

Runtime-only analysis and host-based tools are insufficient for proactive security, as they detect issues after exposure has already occurred. Manual inspection does not scale and introduces human error, making it unsuitable for modern DevOps pipelines.

Therefore, integrating automated image assessment into CI/CD pipelines is theCrowdStrike best practicefor secure container deployments.

InCrowdStrike Falcon Cloud Security, theAccount Registrationsection is the authoritative location for monitoring thestatus of onboarded cloud accountsand identifyingdeployment or configuration issues.

FromCloud Security → Settings → Account Registration, security teams can view whether AWS, Azure, or GCP accounts are successfully connected, partially configured, or experiencing errors. This view highlights misconfigurations such as missing permissions, failed integrations, or incomplete setup steps that could prevent posture assessments or detections from functioning correctly.

Other settings areas serve different purposes: Automate focuses on remediation workflows, posture policies define compliance logic, and scan settings control assessment frequency. None provide direct visibility into onboarding health and deployment validation.

Therefore,Cloud security – Settings – Account registrationis the correct and verified answer.

In Falcon Cloud Security, theRegistry assessment statuswidget provides visibility into the current state of container image assessments for connected registries. This widget displaysaggregate totals of assessed and unassessed images, allowing analysts to quickly determine whether images are being successfully scanned.

When investigating unassessed images, this widget is the primary starting point because it reflects real-time assessment coverage across all configured registry connections. It helps identify gaps caused by authentication failures, network restrictions, throttling, or configuration limits such as assessment age thresholds.

Other widgets provide narrower views.Image processingfocuses on images currently being scanned,Assessed imagesonly shows completed scans without highlighting gaps, andConnection statusreflects connectivity health but not assessment coverage.

CrowdStrike documentation and UI design emphasize the Registry assessment status widget as the authoritative summary for image assessment completeness. Therefore, the correct answer isRegistry assessment status.

When CrowdStrike Falcon detects cloud credentials—such as AWS access keys—stored in cleartext within a container image, the finding is classified as aSecretdetection. Secrets include sensitive data such as API keys, access tokens, passwords, and cryptographic material embedded in container images, configuration files, or source code.

Falcon Cloud Security performs deep inspection of container images during image assessment to identify hard-coded secrets before those images are deployed into runtime environments. Storing AWS credentials in cleartext represents a critical security risk because attackers who gain access to the image can easily extract and misuse those credentials to access cloud resources.

Whilemisconfigurationsfocus on insecure cloud settings andsuspicious filesrelate to potentially malicious artifacts, secret detections are specifically intended to highlight exposed sensitive information. TheExposed credentialoption may sound similar, but within CrowdStrike’s detection taxonomy for container and image security, these findings are categorized underSecretdetections.

Investigating Secret detections allows security teams to quickly identify where credentials are embedded, rotate compromised keys, and remediate the issue by using secure alternatives such as cloud-native secrets managers or environment-based injection mechanisms. Therefore, the correct detection type to search for isSecret.

CrowdStrike Falcon Cloud Security supportsscheduled reportingas the preferred mechanism for automatically distributing security findings to stakeholders who may not have direct access to the Falcon console. When container vulnerabilities need to be reviewed on aweekly basis, the correct and most operationally efficient approach is tocreate a scheduled report covering the last 7 days.

Scheduled reports can be configured to run automatically and delivered via email to designated recipients, including users without Falcon console access. This makes them ideal for cross-functional teams, auditors, or management who require regular visibility into container risk without interactive access.

UsingAdvanced Event Searchrequires console access and manual execution, which does not meet the requirement for automatic distribution. Dashboards also require console access and cannot be securely shared externally. A 24-hour report would not align with the stated weekly review cadence and could result in incomplete visibility.

CrowdStrike documentation and best practices recommend scheduled reports for recurring compliance, vulnerability, and risk reporting use cases. Therefore, the correct solution is tocreate a scheduled report to list vulnerable container data from the last 7 days.

In CrowdStrike Falcon Cloud Security, exclusions for cloud scans are designed to be precise and scalable so that organizations can safely reduce noise without weakening overall security coverage. According to CrowdStrike best practices,tagsare the recommended and supported criterion for creating cloud scan exclusions.

Tags are metadata labels applied to cloud resources (such as AWS accounts, instances, or services) and are commonly used for ownership, environment classification (for example, dev, test, or prod), or application grouping. By using tags as exclusion criteria, security teams can dynamically control which resources are excluded from scans without relying on static identifiers. This is especially important in cloud environments where resources are frequently created, modified, or terminated.

Exclusions based onaccounts,regions, orservicesare broader in scope and can unintentionally exclude large portions of the environment, increasing the risk of blind spots. Tag-based exclusions allow CrowdStrike Falcon to maintain least-privilege security principles by excluding only explicitly labeled resources.

Because Falcon continuously evaluates cloud resources, tag-based exclusions automatically apply to newly created assets that inherit the same tag, ensuring consistent policy enforcement. For these reasons, CrowdStrike documentation and operational guidance identifyTagas the correct and most effective criterion for creating cloud scan exclusions.

When deploying theFalcon Kubernetes Admission Controller (KAC)using aHelm chart, access to CrowdStrike-hosted container images is required. These images are stored inCrowdStrike’s private container registry, which requires authentication.

To retrieve the Falcon KAC image, a validCrowdStrike API client key(client ID and secret) must be provided. This API credential allows Helm to authenticate to the Falcon registry and securely pull the required KAC image during deployment. Without valid API credentials, image retrieval fails, and the KAC deployment cannot complete successfully.

Other options listed do not satisfy this requirement. SENSOR_PLATFORM and FALCON_REGION are configuration parameters used during sensor installation but do not authenticate registry access. Docker itself is not sufficient, as authentication to the CrowdStrike registry is still required.

Therefore, anAPI client keyis mandatory to ensure successful retrieval of the Falcon KAC image during Helm-based deployment.

TheCloud Asset InventoryinCrowdStrike Falcon Cloud Securityprovides a centralized, normalized view ofall compute assetsacrossAWS, Azure, and Google Cloud, regardless of whether they aremanaged or unmanagedby the Falcon sensor.

This inventory aggregates metadata from cloud provider APIs and Falcon telemetry to present unified visibility into virtual machines, cloud instances, container hosts, and workloads. Security teams can filter assets by cloud provider, account, region, operating system, sensor status, and risk posture, making it essential for multi-cloud environments.

Other dashboards serve specialized purposes: the Image Assessment Dashboard focuses on container images, the Compliance Dashboard maps findings to regulatory frameworks, and Application Security Posture Inventory focuses on application-level risk. None of these provide thefull compute asset viewrequired for cross-cloud operational awareness.

Therefore,Cloud Asset Inventoryis the correct location for maintaining visibility across complex, multi-cloud environments.

The CrowdStrike Kubernetes Admission Controller is apre-runtime security controldesigned to enforce security policiesbefore workloads are allowed to runin a Kubernetes environment. Its primary purpose is tomonitor and enforce security policies in any containerized environmentby intercepting Kubernetes API requests at admission time.

When a deployment, pod, or container is submitted to the Kubernetes API server, the Admission Controller evaluates the request against Falcon Cloud Security policies. These policies can include rules related to image risk posture, vulnerabilities, malware presence, secrets, or compliance violations. If an image violates defined policies, the Admission Controller can block the deployment, preventing insecure or non-compliant workloads from entering the cluster.

This capability is critical for implementing ashift-left security model, ensuring that threats are stoppedbefore runtime, rather than detected after execution. While Falcon also provides runtime protection and visibility across managed Kubernetes platforms such as EKS and AKS, those capabilities are not the primary function of the Admission Controller itself.

The Admission Controller does not forward Kubernetes logs to SIEM platforms; instead, it acts as an enforcement gate. Therefore, the correct answer isMonitors and enforces security policies in any containerized environment.