CyberArk CPC-CDE-RECERT CyberArk CDE-CPC Recertification Exam Practice Test

In CyberArk Privilege Cloud / PSM deployments, PSM Health Check is implemented as a dedicated PSM Web Service on each PSM node (typically used by a load balancer to query application-level health). (docs.cyberark.com)

Because the Health Check relies on IIS, CyberArk includes PSM Health Check hardening activities as part of the setup. These hardening activities specifically focus on reducing IIS exposure by removing default/unused IIS components (for example, CyberArk documents that the setup deletes IIS application pools such as “Classic .NET AppPool”, “.NET v2.0”, “.NET v4.5”, etc.). This is a hardening action aimed at minimizing IIS attack surface / insecure defaults—i.e., removing IIS settings/configurations that could be considered security vulnerabilities. (docs.cyberark.com)

Why the other options are not the “purpose”:

B: While Health Check is used for load balancer health probing, “hardening” is not about validating readiness for a load balancer; it’s about tightening IIS-related configuration. (docs.cyberark.com)

C: Service-running checks are part of health determination, but the hardening step is described in docs in terms of IIS hardening activities (like deleting app pools), not just confirming services. (docs.cyberark.com)

D: AppLocker is part of PSM hardening overall, but it’s not the purpose of PSM Health Check hardening (which is IIS-focused). (docs.cyberark.com)

https://docs.cyberark.com/pam-self-hosted/11.4/en/content/pas%20inst/following-central-policy-manager-installation.htm

CyberArk’s Safe creation documentation explains that when you choose “Save the last <number> account versions” (also shown as “Save latest account versions” in some UIs), the Safe retains the most recent password versions indefinitely by keeping a fixed number of versions and rolling off the oldest. It also states that by default, the last five password versions are stored.

During Secure Tunnel deployment, CyberArk’s installation flow includes an “Authenticate to Privilege Cloud” step where you must enter Subdomain or Customer ID (plus the provided username/password). The documentation explicitly says to enter only the subdomain identifier (not the whole URL) or use the Customer ID provided by CyberArk.

The correct description of the authentication differences between CyberArk Privilege Cloud and CyberArk PAM Self-Hosted is that CyberArk Privilege Cloud uses cloud-based methods, integrating with CyberArk Identity for Multi-Factor Authentication (MFA), and supports SAML and OIDC, while CyberArk PAM Self-Hosted relies on on-premises methods such as RADIUS and LDAP, but can adopt SAML or OIDC with additional setups. CyberArk Privilege Cloud is designed to leverage modern cloud-based authentication protocols to enhance security and ease of use, particularly in distributed and diverse IT environments. In contrast, CyberArk PAM Self-Hosted offers flexibility to use traditional on-premises authentication methods but also supports modern protocols if configured to do so.

CyberArk’s PSM hardening procedure for In Domain deployments explicitly recommends linking the hardening GPO to a dedicated OU and ensuring the CyberArk servers are located under that OU so the hardening GPO does not affect any other server.

This directly matches D.

CyberArk’s hardening instructions for SUSE (manual hardening) explicitly require:

Updating the SSH daemon configuration in /etc/ssh/sshd_config (for example, removing SFTP subsystem definitions and setting multiple hardening-related attributes such as disabling forwarding features).

Ensuring the credential file for the PSM for SSH gateway user (psmpgwuser.cred) has the required permissions 640 (default path shown as /etc/opt/CARKpsmp/Vault/psmpgwuser.cred).

Those map directly to A and C.

CyberArk’s Privilege Cloud network requirements state that, to secure the service, CyberArk permits inbound traffic only from specific IP addresses and you must provide CyberArk Support with the public-facing IP addresses for communication between the Privilege Cloud service and the Connectors, including Secrets Manager—so they can add them to the CyberArk allowlist.

That statement maps directly to A.

CyberArk’s hardening guidance is explicitly organized by whether the servers are In Domain or Out of Domain (for example, PSM hardening guidelines and tasks reference both deployment types, and CPM has separate “hardening in domain” guidance). Therefore, the deployment criterion that drives the hardening method/package is In Domain vs Out of Domain.

According to best practice, when considering the location of PSM Connector servers in Privilege Cloud environments, the PSM should be placed near the target devices. This placement minimizes latency and maximizes performance by reducing the distance that data has to travel between the PSM servers and the devices they are managing. This is particularly important for maintaining high efficiency and response times during remote session management and operations, which are critical for the overall effectiveness of the Privilege Cloud environment.

PSM relies on Microsoft Remote Desktop Services capabilities on Windows, and CyberArk documentation/knowledge articles call out RDS CAL considerations for PSM deployments (including guidance on CAL type implications, especially with Windows Server 2019 licensing enforcement behavior).

1-Run the Connector Management Connector installer

2-Install the CPM and PSM

3-When you are prompted to select the components to install, select CPM.

4-When you are prompted to select the CPM mode, select Passive.

https://docs.cyberark.com/ispss-deployment/latest/en/content/privilege%20cloud/privcloud-cpm-dr-install-config.htm

In Privilege Cloud Shared Services, the System Health dashboard lists component categories that include CPM (and Accounts Discovery) and PSM (and PSM for SSH), along with Web Portal and Secrets Manager Credential Providers. Vault/PVWA/PTA are not listed as monitorable components on this page in the Privilege Cloud Shared Services System Health topic.

CyberArk documents that automatic hardening can be bypassed by setting the Hardening parameter in the PSM for SSH parameters file. The PSM for SSH parameters file used during installation is the psmpparms file (created by copying psmpparms.sample and renaming it to psmpparms).

CyberArk’s “Before you install PSM for SSH (Standard)” prerequisites include:

Verify public access: “Verify that outbound traffic from the PSM for SSH server is always routed through the same public-facing IP.” This directly supports C.

Create the PSM for SSH parameters file: The parameters file is required for the installation process, and the documentation specifies InstallCyberArkSSHD = Integrated as a mandatory parameter value. This supports A (with the corrected value “Integrated”).

Why the other options are not “installation prerequisites” as written:

B: CyberArk documents that after installation, the root user will not be able to authenticate remotely using a password (security behavior), not as a prerequisite step to perform before installation.

D: The docs mention you can use a different administrative/maintenance user, but it is not listed as a required prerequisite in the “Before you install” checklist.

E: Resetting the root password is not listed as a prerequisite in the Privilege Cloud “Before you install PSM for SSH (Standard)” documentation.

4->1->2->3

https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/privilege%20cloud/privcloud-cpm-dr-install-standard.htm

CyberArk’s official guidance for restricting a platform to specific Safes is to set the AllowedSafes platform parameter in the General section of the platform under Automatic Password Management.

AllowedSafes uses a regular expression to match Safe names, which is why a pattern such as (WINDEMEA)|(WINDEMEA_ADMIN) is used to allow exactly those two Safe names.

CyberArk’s Privilege Cloud Standard SAML configuration documentation states that, before using SAML, users must already be defined in Privilege Cloud and provides two supported methods:

Integrate with your LDAP server (recommended) → this provisions users into Privilege Cloud. (Answer A)

Create CyberArk users in Privilege Cloud with identical details as the users who will access via SAML. (Answer D)

The other options are not valid “user definition” methods for this requirement:

SIEM and Email system integrations don’t define users in Privilege Cloud.

E is not a supported/customer method in Privilege Cloud Standard documentation (and Privilege Cloud is a managed service; you don’t create users by directly manipulating the service database).

CyberArk’s official connector guidance (CyberArk Identity / Identity Administration—used with Privilege Cloud Shared Services for AD user authentication) says that for trusted domains in a single forest, you use this model when the domain controllers have a two-way, transitive trust relationship with the domain controller the connector is joined to.

It also clarifies that a single connector can be used for the entire domain tree or forest in that trusted-domain model, and authentication requests are handled according to AD trust relationships within the forest/tree.

https://docs.cyberark.com/identity/latest/en/content/coreservices/connector/userauthmultdomain.htm

CyberArk’s predefined groups documentation describes the Auditors group as having View audit plus Safe viewing-related authorization (documented as View Safe Members, enabling visibility into Safe contents/activity/owners list). This matches the intent of “View Audit + View Safe” in the question better than the other options.

CyberArk’s platform configuration guidance explicitly shows the navigation path to this parameter:

Edit the platform → Expand “Automatic Password Management” → select “General” → set “AllowedSafes”.

In other words, AllowedSafes is located under Automatic Password Management > General, which matches option C.

https://docs.cyberark.com/pam-self-hosted/latest/en/content/pas%20inst/install_psm_harden.htm#HardenInDomaindeployments

CyberArk documents that due to RDS licensing enforcement in Windows 2019/2022, Per-user licensing is not supported for local users, and (when Per-user CALs are required) you should move the built-in PSM application users (PSMConnect / PSMAdminConnect) from local to domain users.

Therefore, to leverage existing Per-user RDS licensing on Windows 2019 PSM servers, you must migrate the local PSM users to domain users → C.

CyberArk’s Privilege Cloud documentation for SIEM integration (Syslog) states that to connect to SIEM in Privilege Cloud, you must first deploy the Secure Tunnel.

That means the Secure Tunnel is the required component that enables the communication path for sending Privilege Cloud audit logs via Syslog (TCP/TLS) to your SIEM.

Why the other options are not correct for this Privilege Cloud Syslog requirement:

A (CyberArk Syslog Writer) is typically referenced in CyberArk Identity / ISP logging contexts, not as the required Privilege Cloud SIEM transport component. (Privilege Cloud SIEM doc calls out Secure Tunnel explicitly.)

C (Privilege Cloud Connector) is not what the SIEM/Syslog doc identifies as the required prerequisite; it specifically calls out Secure Tunnel.

D (CyberArk Identity Connector) is used to integrate directory services (AD/LDAP) with CyberArk Identity/Identity Administration, not as the Privilege Cloud Syslog transport prerequisite.