CrowdStrike CCCS-203b CrowdStrike Certified Cloud Specialist Exam Practice Test

Falcon Cloud Security categorizes IOAs usingMITRE ATT&CK tactics and techniques, enriched withcloud-provider contextto accurately represent cloud-native attack behavior.

To identifyDefense Evasion via Impair Defenses: Disable or Modify Toolsactivity specifically withinAzure, analysts must filter IOAs usingMITRE Tactic and Techniquewhile also scoping the environment to thecloud provider. This ensures visibility into attacker behaviors such as disabling logging, modifying security services, or impairing monitoring controls at the cloud-provider level.

Filtering by attack type alone lacks the structured MITRE mapping required for accurate investigative workflows. Service-level filters are insufficient because impairment of defenses in cloud environments often impacts provider-managed services rather than individual workloads.

Therefore,MITRE Tactic and Technique – Cloud provideris the correct and most precise filter to identify Azure-specific defense evasion IOAs.

When deploying theFalcon Kubernetes Admission Controller (KAC)using aHelm chart, access to CrowdStrike-hosted container images is required. These images are stored inCrowdStrike’s private container registry, which requires authentication.

To retrieve the Falcon KAC image, a validCrowdStrike API client key(client ID and secret) must be provided. This API credential allows Helm to authenticate to the Falcon registry and securely pull the required KAC image during deployment. Without valid API credentials, image retrieval fails, and the KAC deployment cannot complete successfully.

Other options listed do not satisfy this requirement. SENSOR_PLATFORM and FALCON_REGION are configuration parameters used during sensor installation but do not authenticate registry access. Docker itself is not sufficient, as authentication to the CrowdStrike registry is still required.

Therefore, anAPI client keyis mandatory to ensure successful retrieval of the Falcon KAC image during Helm-based deployment.

TheContainers and Images Compliance dashboardinFalcon Cloud Securityis designed to give security and DevOps teams avisual, aggregated view of compliance postureacross container images and running containers.

This dashboard summarizes compliance status against benchmarks such asCIS, organizational policies, and security best practices. It highlights compliant versus non-compliant images and containers, severity distribution, and trending risk, enabling teams to quickly assess overall posture and prioritize remediation.

The dashboard does not perform network monitoring, automatic patching, or unsupported container enumeration. Those functions are handled by other Falcon modules or operational workflows.

Therefore, itsprimary functionis toprovide a visual summary of compliance across containers and images, makingOption Acorrect.

InFalcon Cloud Security, prevention actions are triggered whenall configured enforcement criteriawithin a policy are met. When customizing theGKE Autopilot policy, enforcement requires alignment across vulnerability intelligence, detection severity, and compliance context.

By setting:

Vulnerability ExPRT.ai severity = Critical

Detection severity = Critical

Detection type = CIS benchmark deviation

you ensure that bothrisk-based vulnerability intelligenceandcompliance deviation severitythresholds are satisfied. This combination confirms that the issue is not only severe but also represents a critical deviation from an accepted security benchmark, justifying prevention.

Omitting the detection type or replacing it with image misconfiguration alone does not meet the enforcement logic required for policy-triggered prevention.

Therefore,Option Cis the correct combination that triggers prevention.

A valid and recommended reason for adding base images into Falcon Cloud Security is toreduce duplicate findings when a base image is used multiple times. Base images are commonly shared across many application images, meaning vulnerabilities, secrets, or detections present in the base layer can appear repeatedly across derived images.

By onboarding base images directly into Falcon Cloud Security, the platform can more efficiently track and correlate vulnerabilities at their source. This allows security teams to remediate issues once at the base image level rather than addressing the same findings across every downstream image. As a result, vulnerability management becomes more accurate, scalable, and operationally efficient.

The other options are incorrect and potentially dangerous assumptions. Base image CVEscan absolutely be exploitedby adversaries, and base image vulnerabilities are not inherently less risky than other CVEs. In many cases, unpatched base images are a primary attack vector in containerized environments.

CrowdStrike’s container image strategy emphasizes reducing noise, improving prioritization, and enabling faster remediation. Adding base images supports these goals by minimizing duplicate alerts and providing clearer insight into risk inheritance across image hierarchies. Therefore, the correct answer isReduce duplicates when a base image is used multiple times.

To allow an analyst to reviewcloud control plane Indicators of Misconfiguration (IOMs)while maintaining least-privilege access, CrowdStrike recommends assigning theCSPM Misconfiguration Viewerrole.

Cloud control plane IOMs focus on identifying insecure configurations across cloud providers, such as overly permissive IAM roles, disabled logging, public exposure of services, or noncompliant security settings. The CSPM Misconfiguration Viewer role grantsread-only accessto these findings, allowing analysts to investigate risks without making configuration changes.

Other roles provide broader access than required.Cloud Security Managerincludes administrative and modification privileges, exceeding least-privilege requirements.Kubernetes and Containers Managerfocuses on container and Kubernetes security, not cloud control plane configurations.Cloud Compliance Vieweris oriented toward compliance frameworks rather than detailed misconfiguration analysis.

By assigning the CSPM Misconfiguration Viewer role, organizations ensure analysts can perform their investigative duties safely and appropriately, aligning with CrowdStrike’s role-based access control (RBAC) best practices.

When protecting a Kubernetes endpoint that hosts container workloadswith access to the Linux kernel, CrowdStrike recommends deploying theFalcon Sensor for Linux as a DaemonSet.

This deployment model installs the full Falcon Linux sensor on each Kubernetes worker node using a DaemonSet, ensuring one sensor runs per node. Because the sensor has kernel-level access, it provides deep visibility into system calls, process execution, network activity, and container behavior—delivering robust runtime protection.

TheFalcon Container Sensor for Linuxis used when kernel access is not available (for example, in managed or restricted environments). TheFalcon Operator Container Imagesimplifies lifecycle management but is not itself the sensor. Deploying the standard Falcon Sensor for Linux outside a DaemonSet would not scale correctly in Kubernetes.

Therefore, for Kubernetes environments with kernel access, the correct and CrowdStrike-recommended installation isFalcon Sensor for Linux deployed as a DaemonSet.

When creating an Image Assessment policy exclusion in CrowdStrike Falcon Cloud Security, the recommended and most precise method to temporarily suppress a specific CVE isVulnerability ID & Exclude until 14 days.

This approach allows security teams to explicitly reference a known CVE (for example, CVE-2024-XXXX) and suppress enforcement for a defined time window. The 14-day exclusion period is commonly used to allow development teams time to rebuild images, validate patches, or address dependency constraints without permanently weakening security posture.

Broad exclusions based on recently published vulnerabilities or packages can unintentionally suppress unrelated risk and increase exposure. Indefinite exclusions are discouraged unless there is a strong, documented business justification.

CrowdStrike documentation and best practices emphasizetime-bound, CVE-specific exclusionsto balance operational flexibility with security rigor. Therefore, the correct and recommended option isVulnerability ID & Exclude until 14 days.

In CrowdStrike Falcon Cloud Security, exclusions for cloud scans are designed to be precise and scalable so that organizations can safely reduce noise without weakening overall security coverage. According to CrowdStrike best practices,tagsare the recommended and supported criterion for creating cloud scan exclusions.

Tags are metadata labels applied to cloud resources (such as AWS accounts, instances, or services) and are commonly used for ownership, environment classification (for example, dev, test, or prod), or application grouping. By using tags as exclusion criteria, security teams can dynamically control which resources are excluded from scans without relying on static identifiers. This is especially important in cloud environments where resources are frequently created, modified, or terminated.

Exclusions based onaccounts,regions, orservicesare broader in scope and can unintentionally exclude large portions of the environment, increasing the risk of blind spots. Tag-based exclusions allow CrowdStrike Falcon to maintain least-privilege security principles by excluding only explicitly labeled resources.

Because Falcon continuously evaluates cloud resources, tag-based exclusions automatically apply to newly created assets that inherit the same tag, ensuring consistent policy enforcement. For these reasons, CrowdStrike documentation and operational guidance identifyTagas the correct and most effective criterion for creating cloud scan exclusions.

In CrowdStrike Falcon Cloud Security, Cloud Groups are used to logically group container images so that policies, assessments, and controls can be applied consistently across workloads. When editing or defining a Cloud Group for container images, Falcon allows administrators to select specificimage propertiesto precisely target the desired scope.

The three supported image properties areRegistry, Repository, and Tag.

Registryidentifies where the container image is hosted, such as Amazon ECR, Azure Container Registry, or Docker Hub.

Repositorydefines the image namespace or project within the registry.

Tagspecifies the image version or variant (for example, latest, v1.2.3, or prod).

Using these three properties together enables highly granular targeting. For example, security teams can apply stricter policies only to production-tagged images from a specific registry and repository, while allowing more flexibility for development images.

Options that includeNameare incorrect because CrowdStrike does not use a standalone “image name” field when defining Cloud Group image criteria. Instead, image identity is derived from the combination of registry, repository, and tag.

Therefore, the correct and fully supported selection isRegistry, Repository, and Tag, which aligns with CrowdStrike Falcon Cloud Security configuration and documentation.

InCrowdStrike Falcon Cloud Security, configuration policy breaches aligned to regulatory and security frameworks such asNISTare tracked asIndicators of Misconfiguration (IOMs). These findings represent deviations from best-practice configurations and compliance benchmarks.

To provide an auditable list of NIST-related configuration violations, the correct location isExport Cloud Posture – Indicators of misconfiguration. This export includes detailed records of misconfigured resources, associated benchmarks (NIST, CIS, etc.), affected cloud accounts, severity, and remediation guidance. It is specifically designed to support internal and external audit requirements.

Cloud Indicators of Attack focus on threat activity, not compliance. Remediation status reports focus on fix progress rather than raw policy violations. The Cloud Posture dashboard provides a high-level summary but does not deliver the detailed, exportable list required for audits.

Therefore,Export Cloud Posture – Indicators of misconfigurationis the correct and documented source.

InCrowdStrike Falcon Cloud Security, preventing a container process from altering its expected behavior is achieved throughcontainer drift preventionenforced by theFalcon Linux sensorat runtime.

Container drift occurs when a running container deviates from its original image state, such as when new binaries are written, files are modified, or unexpected processes execute. Drift is a strong indicator of compromise, misconfiguration, or malicious activity.

By enablingcontainer drift prevention on the Linux sensor, Falcon enforcesruntime immutability, ensuring that containers only execute binaries and processes that were present at image build time. Any unauthorized modifications or executions are either detected or actively blocked, depending on policy configuration.

Creating a custom IOA is not the most effective approach because IOAs are reactive and behavior-based rather than enforcing immutability. The Kubernetes Admission Controller operates at deployment time, not runtime, and cannot prevent post-deployment process changes. Image Assessment policies only affect image deployment decisions and do not control runtime behavior.

Therefore,Option Ais correct because container drift prevention is specifically designed toprotect runtime container integrity, ensuring containers behave exactly as expected throughout their lifecycle.

A commoncloud-conscious attacker techniqueused to remain hidden in a compromised environment isdisabling CloudTrail logging. AWS CloudTrail records API activity across an account, providing critical visibility into actions taken by users, roles, and services. By disabling or tampering with CloudTrail, attackers significantly reduce the likelihood of detection.

CrowdStrike Falcon Cloud Security classifies this behavior as a high-risk indicator because it directly impacts monitoring, forensics, and incident response. Without CloudTrail logs, security teams lose audit trails that are essential for identifying malicious actions such as privilege escalation, data exfiltration, or persistence mechanisms.

Other options represent misconfigurations or changes that may increase exposure but do not directly suppress visibility. For example, modifying storage networking or security groups increases attack surface, while adding certificates may support persistence—but none are as directly linked to stealth as disabling logging.

Therefore,CloudTrail logging disabledis the correct answer and a well-documented cloud attack tactic used to evade detection.

Drift indicators in the Containers dashboard are used to identify containers performing activity that deviates from their original image configuration. Drift occurs when files, binaries, or processes appear in a running container that were not present in the image at build time.

CrowdStrike Falcon Cloud Security tracks this behavior to help identify compromised containers, unauthorized changes, or violations of immutability principles. Drift indicators are especially valuable in production environments where containers are expected to remain unchanged after deployment.

Alerts and container detections may signal malicious behavior, but drift indicators specifically highlight unexpected changes relative to the image baseline. Therefore, the correct answer is Drift indicators.

WhenAWS Systems Manager (SSM)is unavailable,Ansibleis the supported and recommended IT automation tool for generating an inventory of unmanaged workloads and deploying the Falcon sensor using1-click sensor deployment workflows.

CrowdStrike integrates with Ansible to enable discovery, inventory generation, and automated sensor installation across cloud and on-prem environments. Ansible’s agentless architecture makes it especially suitable when native cloud management services are unavailable or restricted.

Other tools listed—Jet, Rudder, and Puppet—are not natively integrated with Falcon’s 1-click deployment workflows for unmanaged workload discovery in cloud environments.

Therefore,Ansibleis the correct answer.

The most efficient and CrowdStrike-recommended way to stop seeing vulnerabilities for older images is to use the“Stop assessing images older than (number) of days”setting in Image Assessment configuration.

This setting prevents Falcon Cloud Security from continuing to assess images beyond a defined age threshold—90 days in this case. By stopping assessment at the source, Falcon reduces noise, conserves assessment capacity, and focuses findings on images that are actively used or likely to be deployed.

Other approaches are inefficient or risky. Fusion workflows and manual hiding add operational overhead and do not stop assessments from occurring. Deleting images from registries may disrupt workflows and is outside Falcon’s control.

CrowdStrike best practices favorassessment-scoping controlsover post-processing suppression. Therefore, the correct answer isUse the Stop assessing images older than (number) of days setting.

A primary benefit of CrowdStrike’s cloud security suite is that it provides a comprehensive security posture by integrating visibility and prevention across cloud workloads, identities, containers, and control planes.

Falcon Cloud Security unifies CSPM, workload protection, container security, identity protection, and detection and response into a single platform. This integration allows organizations to detect misconfigurations, prevent risky deployments, monitor runtime activity, and respond to threats using shared context and intelligence.

Other options describe isolated capabilities or services that are not the core value proposition of the platform. Therefore, the correct answer is Provides a comprehensive security posture by integrating visibility and prevention.