CCCS-203b CrowdStrike Certified Cloud Specialist Question and Answers

InCrowdStrike Falcon Cloud Security, IOAs are categorized usingMITRE ATT&CK-aligned tacticsto help analysts quickly identify attacker objectives. When investigating how a threat actor may havemaintained accessto cloud resources after an initial breach, the appropriate tactic to focus on isPersistence.

Persistence IOAs represent techniques such as creating backdoor IAM roles, modifying access policies, adding API keys, enabling long-lived credentials, or altering cloud configurations to survive reboots or credential rotation. Filtering the IOA dashboard byPersistenceisolates these behaviors, enabling faster root-cause analysis and remediation.

Other filters serve different investigative purposes. Execution focuses on initial code execution, Privilege Escalation highlights elevation of permissions, and Ransomware identifies encryption-related activity. None of these specifically address long-term access maintenance.

Therefore, filtering byPersistenceis the correct and most effective way to identify IOAs related to maintaining access within cloud environments.

When deploying theFalcon Kubernetes Admission Controller (KAC)using aHelm chart, access to CrowdStrike-hosted container images is required. These images are stored inCrowdStrike’s private container registry, which requires authentication.

To retrieve the Falcon KAC image, a validCrowdStrike API client key(client ID and secret) must be provided. This API credential allows Helm to authenticate to the Falcon registry and securely pull the required KAC image during deployment. Without valid API credentials, image retrieval fails, and the KAC deployment cannot complete successfully.

Other options listed do not satisfy this requirement. SENSOR_PLATFORM and FALCON_REGION are configuration parameters used during sensor installation but do not authenticate registry access. Docker itself is not sufficient, as authentication to the CrowdStrike registry is still required.

Therefore, anAPI client keyis mandatory to ensure successful retrieval of the Falcon KAC image during Helm-based deployment.

The CrowdStrike Kubernetes Admission Controller is apre-runtime security controldesigned to enforce security policiesbefore workloads are allowed to runin a Kubernetes environment. Its primary purpose is tomonitor and enforce security policies in any containerized environmentby intercepting Kubernetes API requests at admission time.

When a deployment, pod, or container is submitted to the Kubernetes API server, the Admission Controller evaluates the request against Falcon Cloud Security policies. These policies can include rules related to image risk posture, vulnerabilities, malware presence, secrets, or compliance violations. If an image violates defined policies, the Admission Controller can block the deployment, preventing insecure or non-compliant workloads from entering the cluster.

This capability is critical for implementing ashift-left security model, ensuring that threats are stoppedbefore runtime, rather than detected after execution. While Falcon also provides runtime protection and visibility across managed Kubernetes platforms such as EKS and AKS, those capabilities are not the primary function of the Admission Controller itself.

The Admission Controller does not forward Kubernetes logs to SIEM platforms; instead, it acts as an enforcement gate. Therefore, the correct answer isMonitors and enforces security policies in any containerized environment.

To automate response actions when a vulnerability is discovered in a container image, CrowdStrike Falcon Fusion uses the triggerKubernetes and containers > Image assessment > Vulnerabilities. This trigger activates when Falcon identifies vulnerabilities during container image scanning and assessment.

Image assessment vulnerabilities occurpre-runtime, making this trigger ideal for shift-left security automation. Actions such as sending notifications, opening tickets, tagging images, or blocking deployments via policy enforcement can be automatically initiated before vulnerable images reach production.

TheContainer detectionstrigger applies to runtime events, not image vulnerabilities.Vulnerabilities user actiontriggers depend on manual interaction and are not suitable for automated detection-driven workflows.

By using the image assessment vulnerability trigger, organizations can integrate Falcon Cloud Security findings directly into CI/CD pipelines and remediation workflows, ensuring faster response and reduced risk exposure.

Therefore, the correct Fusion workflow trigger isKubernetes and containers > Image assessment > Vulnerabilities.

When using theFalcon Kubernetes Admission Controller, CrowdStrike allows administrators to precisely scope which Kubernetes assets are evaluated againstIndicators of Misconfiguration (IOMs)andImage Assessment policiesby usingboth namespaces and pod or service labels.

Namespaces provide a logical boundary within Kubernetes clusters, often representing environments such as dev, staging, or production. Labels add further granularity by identifying workloads based on application, team ownership, or deployment tier. By combining namespaces and labels, security teams can enforce policies with fine-grained control while minimizing unintended enforcement.

Using only namespaces or only labels limits flexibility and may lead to over- or under-enforcement. CrowdStrike documentation supports the combined approach as a best practice for scalable and precise policy enforcement in Kubernetes environments.

Therefore, the correct answer isNamespaces and Pod or Service labels.

To identifyremediable vulnerabilities in running containers, CrowdStrike Falcon Cloud Security recommends filteringimage vulnerabilities by container running status and remediation. This approach correlates container runtime state with image assessment results, allowing security teams to focus on vulnerabilities that are bothpresent in images and actively impacting running workloads.

Image vulnerability findings include remediation metadata such as fixed versions, patch availability, and upgrade paths. By filtering oncontainer running status, you ensure that attention is limited to vulnerabilities that pose immediate risk rather than those in dormant or unused images. Adding theremediation filterfurther refines results to show only vulnerabilities that can realistically be addressed, helping teams prioritize efficiently.

Other options are incorrect because container assets and detections focus on runtime behavior, not vulnerability remediation context. Image detections relate to malware or suspicious artifacts, not CVEs.

This filtering method aligns with CrowdStrike best practices for vulnerability prioritization by combiningruntime relevance and remediation feasibility, making optionCthe correct answer.

Drift indicators in the Containers dashboard are used to identify containers performing activity that deviates from their original image configuration. Drift occurs when files, binaries, or processes appear in a running container that were not present in the image at build time.

CrowdStrike Falcon Cloud Security tracks this behavior to help identify compromised containers, unauthorized changes, or violations of immutability principles. Drift indicators are especially valuable in production environments where containers are expected to remain unchanged after deployment.

Alerts and container detections may signal malicious behavior, but drift indicators specifically highlight unexpected changes relative to the image baseline. Therefore, the correct answer is Drift indicators.

CrowdStrike recommends enablingDrift Preventionwhen container workloads have beendesigned to be immutable. Immutable infrastructure is a core cloud-native principle where containers are not modified after deployment. Any change to a running container—such as installing packages or modifying files—indicates potential misconfiguration or malicious activity.

Drift Prevention enforces this principle by blocking or alerting on runtime changes that deviate from the original container image. This makes it highly effective for production environments where containers should run exactly as built and deployed.

In development or testing environments, containers often change dynamically, making Drift Prevention impractical due to excessive false positives. Similarly, containers that must download or install packages at startup inherently require runtime modification and are not suitable candidates for Drift Prevention.

Enabling Drift Prevention at the wrong time can disrupt legitimate workloads. Therefore, CrowdStrike guidance clearly states that Drift Prevention should be enabledonly after workloads are intentionally designed to be immutable, making optionCthe correct answer.

If the primary concern is adversaries obtainingadministrator or elevated privileges, the first Cloud Identity Analyzer category to review isPrivilege Escalation. This category focuses on techniques and misconfigurations that allow attackers to gain higher-level permissions than initially granted.

Privilege escalation in cloud environments often involves overly permissive IAM roles, abuse of service principals, misconfigured trust relationships, or exploitation of identity federation mechanisms. CrowdStrike Cloud Identity Analyzer maps these behaviors to established attack frameworks and highlights identities that could be abused to gain admin-level access.

Other categories address different stages of the attack lifecycle.Executionfocuses on running malicious actions,Persistenceon maintaining access, andDefense Evasionon hiding activity. While all are important, privilege escalation represents the most direct path to full environment compromise.

Therefore, the correct starting point isPrivilege Escalation.

In CrowdStrike Falcon Cloud Security, Cloud Groups are used to logically group container images so that policies, assessments, and controls can be applied consistently across workloads. When editing or defining a Cloud Group for container images, Falcon allows administrators to select specificimage propertiesto precisely target the desired scope.

The three supported image properties areRegistry, Repository, and Tag.

Registryidentifies where the container image is hosted, such as Amazon ECR, Azure Container Registry, or Docker Hub.

Repositorydefines the image namespace or project within the registry.

Tagspecifies the image version or variant (for example, latest, v1.2.3, or prod).

Using these three properties together enables highly granular targeting. For example, security teams can apply stricter policies only to production-tagged images from a specific registry and repository, while allowing more flexibility for development images.

Options that includeNameare incorrect because CrowdStrike does not use a standalone “image name” field when defining Cloud Group image criteria. Instead, image identity is derived from the combination of registry, repository, and tag.

Therefore, the correct and fully supported selection isRegistry, Repository, and Tag, which aligns with CrowdStrike Falcon Cloud Security configuration and documentation.

TheCloud Asset InventoryinCrowdStrike Falcon Cloud Securityprovides a centralized, normalized view ofall compute assetsacrossAWS, Azure, and Google Cloud, regardless of whether they aremanaged or unmanagedby the Falcon sensor.

This inventory aggregates metadata from cloud provider APIs and Falcon telemetry to present unified visibility into virtual machines, cloud instances, container hosts, and workloads. Security teams can filter assets by cloud provider, account, region, operating system, sensor status, and risk posture, making it essential for multi-cloud environments.

Other dashboards serve specialized purposes: the Image Assessment Dashboard focuses on container images, the Compliance Dashboard maps findings to regulatory frameworks, and Application Security Posture Inventory focuses on application-level risk. None of these provide thefull compute asset viewrequired for cross-cloud operational awareness.

Therefore,Cloud Asset Inventoryis the correct location for maintaining visibility across complex, multi-cloud environments.

The secure and recommended way to test whether firewall restrictions are causing CSPM operation failures is to verify that the required CrowdStrike IP addresses are allowlisted. Falcon Cloud Security relies on outbound API communication between CrowdStrike and the cloud provider. If firewall rules block this traffic, asset inventory collection and IOM detection can fail even though registration appears successful.

CrowdStrike publishes a list of IP addresses and endpoints that must be permitted for proper operation. Validating firewall allowlists against this documentation is a low-risk, best-practice troubleshooting step that preserves security controls while testing connectivity assumptions.

Temporarily opening firewalls to all inbound traffic is insecure and strongly discouraged. Dismissing firewall-related causes without validation can delay resolution. Therefore, the correct and secure approach is to check that the CrowdStrike IP addresses are allowlisted.

When configuring a new image registry connection for aprivately hosted container registryin CrowdStrike Falcon Cloud Security, the required and most critical action is toverify the token and secretused for authentication. Private registries require explicit credentials so Falcon can securely access and assess container images for vulnerabilities, malware, and misconfigurations.

CrowdStrike supports multiple private registry types (such as private Docker registries or cloud-native registries with restricted access). In all cases, Falcon relies on valid authentication credentials—typically a token, username/password, or service account secret—to pull image metadata and layers. If these credentials are incorrect, expired, or misconfigured, image assessment will fail even if the registry connection appears configured.

Other options may be relevant in specific environments but are not universally required at creation time. Registry URLs are validated during setup, and allowlisting IP addresses may be necessary only if strict network controls are in place. Secret expiration checks are a maintenance concern, not a mandatory creation step.

Therefore, the required action when creating a private registry connection is toverify the token and secret.

To notify your team when anew executable is downloaded and executed inside a running container, you must use aruntime-focused triggerin Falcon Fusion. The correct selection isContainer detection > Container runtime detection.

Container runtime detections monitor live container behavior, including process execution, file writes, network activity, and binary downloads. When an executable is introduced and run at runtime, this represents potential malicious activity or policy violation that cannot be detected during image assessment.

Image Assessmenttriggers apply only to pre-runtime image scanning and cannot detect runtime execution.Container drift detectionfocuses on changes to container state relative to the original image but does not specifically target execution-based detections.

CrowdStrike Falcon Cloud Security documentation clearly distinguishes runtime detections as the correct signal source for SOAR automation involving live container behavior. Therefore, the correct trigger configuration isContainer detection > Container runtime detection.