Practice Free CCCS-203b Exam Online Questions
What are the three Image properties that can be selected when editing a Cloud Group?
- A . Tag, Name, and Registry
- B . Name, Repository, and Registry
- C . Repository, Tag, and Name
- D . Registry, Repository, and Tag
D
Explanation:
In CrowdStrike Falcon Cloud Security, Cloud Groups are used to logically group container images so that policies, assessments, and controls can be applied consistently across workloads. When editing or defining a Cloud Group for container images, Falcon allows administrators to select specific image properties to precisely target the desired scope.
The three supported image properties are Registry, Repository, and Tag.
Registry identifies where the container image is hosted, such as Amazon ECR, Azure Container Registry, or Docker Hub.
Repository defines the image namespace or project within the registry.
Tag specifies the image version or variant (for example, latest, v1.2.3, or prod).
Using these three properties together enables highly granular targeting. For example, security teams can apply stricter policies only to production-tagged images from a specific registry and repository, while allowing more flexibility for development images.
Options that include Name are incorrect because CrowdStrike does not use a standalone “image name” field when defining Cloud Group image criteria. Instead, image identity is derived from the combination of registry, repository, and tag.
Therefore, the correct and fully supported selection is Registry, Repository, and Tag, which aligns with CrowdStrike Falcon Cloud Security configuration and documentation.
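The registry/repository/tag split described above is exactly what you need when deciding which images a rule should cover. The following added example (not CrowdStrike code, and not the format Falcon stores Cloud Group criteria in) parses Docker/OCI image references into those three properties using the standard Docker reference rules (default registry `docker.io`, implicit `library/` namespace, default tag `latest`) and then matches them against a rule expressed as glob patterns per property; the rule layout and the sample image list are assumptions constructed for the example.

```python
"""Parse image references into registry, repository and tag, and match them
against Cloud Group-style selection rules.

Added illustration, not CrowdStrike code. The rule format (a dict of
registry/repository/tag glob patterns) and the image list are assumptions
made for the example; the parsing follows Docker's reference grammar.
"""
import fnmatch
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]      # None for digest-only references
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split 'registry/repo[:tag][@digest]' using Docker's rules.

    The first path component is a registry only if it contains '.' or ':'
    or is 'localhost'; otherwise the image lives on docker.io, and a
    single-component repository is implicitly under library/.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, rest = parts[0], "/".join(parts[1:])
    else:
        registry, rest = "docker.io", ref
    # The tag is whatever follows the last ':' that sits after the last '/'
    # (so a registry port such as localhost:5000 is not mistaken for a tag).
    last_slash = rest.rfind("/")
    colon = rest.rfind(":")
    if colon > last_slash:
        repository, tag = rest[:colon], rest[colon + 1:]
    else:
        repository, tag = rest, (None if digest else "latest")
    if registry == "docker.io" and "/" not in repository:
        repository = "library/" + repository
    return ImageRef(registry, repository, tag, digest)


def matches_group(ref: ImageRef, rule: dict) -> bool:
    """True if every property named in the rule matches its glob pattern.

    A property absent from the rule matches anything. A digest-only
    reference has no tag and therefore never satisfies a tag constraint.
    """
    for prop in ("registry", "repository", "tag"):
        if prop not in rule:
            continue
        value = getattr(ref, prop)
        if value is None or not fnmatch.fnmatchcase(value, rule[prop]):
            return False
    return True


def select_images(refs, rule):
    """Return the references from `refs` that fall inside the group rule."""
    return [r for r in refs if matches_group(parse_image_ref(r), rule)]


# Constructed sample inventory (123456789012 is the AWS documentation placeholder account).
CONSTRUCTED_IMAGES = [
    "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments/api:prod",
    "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments/api:dev",
    "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments/worker:prod",
    "ghcr.io/example/tool@sha256:" + "0" * 64,
    "nginx",
]

# Assumed rule: production-tagged images of the payments team in one ECR registry.
PROD_PAYMENTS_RULE = {
    "registry": "123456789012.dkr.ecr.us-east-1.amazonaws.com",
    "repository": "payments/*",
    "tag": "prod",
}

if __name__ == "__main__":
    for ref in CONSTRUCTED_IMAGES:
        print(parse_image_ref(ref))
    print(select_images(CONSTRUCTED_IMAGES, PROD_PAYMENTS_RULE))
```

Note that `nginx` resolves to `docker.io/library/nginx:latest`; a rule written against the bare name would silently miss it unless the defaults are normalised first, which is why the parser applies them before matching.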
A security team is conducting an audit of user permissions in their cloud infrastructure monitored by CrowdStrike Falcon.
Which of the following findings would indicate a high-risk security posture that requires immediate action?
- A . An administrator rotates their access keys every 30 days as part of a security policy.
- B . A developer has read-only access to a production environment for debugging purposes.
- C . A service account with limited permissions is used for an automated CI/CD pipeline.
- D . Multiple inactive user accounts retain administrator privileges and have not been used in several months.
D
Explanation:
Option A: Frequent access key rotation improves security and aligns with best practices, reducing exposure to credential compromise.
Option B: Read-only access for developers in production is a controlled permission and does not present a high risk unless misused.
Option C: Service accounts with limited permissions are a best practice for automated processes and do not pose a significant security risk.
Option D: Inactive administrator accounts pose a major security risk because they could be compromised without detection. Attackers often target dormant accounts to escalate privileges and gain unauthorized access.
Which permissions are required to register an AWS cloud account with CrowdStrike Falcon?
- A . Only access to S3 buckets is needed to enable Falcon’s data collection capabilities.
- B . A custom IAM role with permissions to access EC2, IAM, and CloudTrail services.
- C . Full administrative access to the root user of the AWS account.
- D . Permissions to enable AWS Trusted Advisor to integrate with CrowdStrike Falcon.
B
Explanation:
Option A: S3 permissions alone are insufficient for Falcon to fully monitor and secure the environment. While S3 access may be part of the overall integration, Falcon requires broader access to key services like EC2 and CloudTrail for comprehensive functionality.
Option B: A custom IAM role with scoped permissions to access critical AWS services, such as EC2 (for workload visibility), IAM (for identity-related monitoring), and CloudTrail (for auditing and activity logs), is essential for proper integration with Falcon.
Option C: Using the root user, or granting full administrative access, is strongly discouraged because it violates cloud security best practices. A custom IAM role with limited, scoped permissions ensures Falcon has the access it needs without over-privileging.
Option D: AWS Trusted Advisor is not a required service for integrating CrowdStrike Falcon. The focus is on enabling access to core cloud services like EC2, IAM, and CloudTrail, which are directly relevant to Falcon’s capabilities.
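Option B versus Option C comes down to whether the role's permissions are scoped and read-only. The following added example (not CrowdStrike's registration template; the permission set Falcon actually needs comes from the documentation and template CrowdStrike provides) lints an IAM policy document and a role trust policy the way a reviewer would before attaching them: it rejects wildcard actions, services outside the expected EC2/IAM/CloudTrail scope, non-read-only verbs, an open principal, and a cross-account trust with no `sts:ExternalId` condition. The allowed-service set, the read-only verb prefixes, and the sample policies are assumptions constructed for the example.

```python
"""Lint IAM policy and trust-policy documents for over-privilege before
handing a role to a third-party scanner.

Added illustration, not CrowdStrike's integration template. The service
scope and read-only verb prefixes are assumptions for the example; the
exact permissions a real integration needs come from its vendor template.
"""

ALLOWED_SERVICES = {"ec2", "iam", "cloudtrail"}              # assumption: scope from the question
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup")    # assumption: read-only IAM verbs


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_policy(doc: dict) -> list:
    """Return findings for an identity policy (empty when acceptably scoped)."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
                continue
            service, _, verb = action.partition(":")
            if service not in ALLOWED_SERVICES:
                findings.append(f"statement {i}: service {service!r} outside scope")
            elif not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {i}: write action {action!r}")
    return findings


def check_trust_policy(doc: dict) -> list:
    """Return findings for a role trust policy used by an external account."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"statement {i}: any principal may assume the role")
        conditions = stmt.get("Condition", {})
        if not any("sts:ExternalId" in v for v in conditions.values() if isinstance(v, dict)):
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
    return findings


# Constructed sample documents (account IDs are placeholders).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups",
                   "iam:GetAccountAuthorizationDetails", "iam:ListUsers",
                   "cloudtrail:LookupEvents", "cloudtrail:DescribeTrails"],
        "Resource": "*",
    }],
}
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
MIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "iam:*", "s3:GetObject", "ec2:TerminateInstances"],
        "Resource": "*",
    }],
}
TRUST_WITH_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},   # constructed vendor account
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}
TRUST_WITHOUT_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    for name, doc in [("scoped", SCOPED_POLICY), ("overbroad", OVERBROAD_POLICY), ("mixed", MIXED_POLICY)]:
        print(name, check_policy(doc) or "OK")
    print("trust", check_trust_policy(TRUST_WITHOUT_EXTERNAL_ID) or "OK")
```

The external-ID check matters for any cross-account role a vendor assumes: without it, another tenant of the same vendor could name your role ARN and have the vendor's account assume it on their behalf.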
What is the primary purpose of creating image assessment policies within Falcon Cloud Security?
- A . To automate the deployment of container images across Kubernetes clusters.
- B . To evaluate container images for vulnerabilities and enforce security compliance during the CI/CD pipeline.
- C . To configure runtime monitoring for containerized applications in production environments.
- D . To create firewall rules for restricting network traffic between containers.
B
Explanation:
Option A: Deployment automation is typically handled by CI/CD tools like Jenkins, GitLab CI, or Kubernetes itself, not by Falcon Cloud Security’s image assessment policies.
Option B: Falcon Cloud Security’s image assessment policies are designed to scan container images for vulnerabilities, misconfigurations, and other security risks before deployment. These policies help enforce compliance standards by preventing vulnerable or non-compliant images from being deployed, ensuring a secure container lifecycle from development to production.
Option C: Runtime monitoring is a separate capability that observes live workloads, whereas image assessment policies focus on pre-deployment scanning and compliance.
Option D: Firewall rules are configured at the network or Kubernetes level, typically using tools like Calico, AWS Security Groups, or Azure NSGs, not Falcon Cloud Security image assessment policies.
Which of the following is the most secure method to authenticate and configure a cloud account integration using the CrowdStrike APIs?
- A . Configure static IP-based allowlisting in the cloud provider for CrowdStrike’s API endpoints.
- B . Use API keys and rotate them monthly using an automated script.
- C . Utilize personal access tokens of an administrator user.
- D . Leverage CrowdStrike-generated API client credentials and assign IAM roles with minimal privileges.
D
Explanation:
Option A: Static IP-based allowlisting adds a layer of security but is not sufficient by itself to authenticate or configure cloud accounts. It should be combined with other security measures, like role-based access and API credentials, for robust security.
Option B: While rotating API keys monthly is a good practice, relying solely on API keys without role-based access controls or additional IAM configurations is insufficient. Security is enhanced by assigning roles with minimal privileges rather than frequent rotations alone.
Option C: Personal access tokens tied to administrator accounts are not recommended for system integrations due to their high level of privilege and lack of automation support. These tokens could pose significant security risks if exposed.
Option D: This is the most secure and recommended method. Using CrowdStrike-generated API client credentials ensures a robust authentication mechanism, while assigning IAM roles with minimal privileges adheres to the principle of least privilege. This minimizes the attack surface while ensuring necessary functionality.
Which of the following steps is required to successfully integrate the Falcon CWPP Image Scanning Script with a CI/CD pipeline for image assessment?
- A . Modify the pipeline script to execute the Image Scanning Script during the post-deployment phase.
- B . Install the Falcon CWPP agent on all developer machines.
- C . Schedule the script to run daily on the production environment’s container images.
- D . Use the Falcon API to fetch a unique API token and store it in the pipeline configuration file.
D
Explanation:
Option A: Image scanning should occur before deployment to identify vulnerabilities early in the development lifecycle. Running the script post-deployment defeats the purpose of proactive security measures.
Option B: While the Falcon CWPP agent is part of the larger CrowdStrike solution, it is not required for the Image Scanning Script’s integration into a CI/CD pipeline. The scanning process is executed during pipeline stages and doesn’t depend on agents on developer machines.
Option C: Image assessments should be part of the CI/CD pipeline to detect vulnerabilities during development. Running scans on production images introduces unnecessary risk and is not the intended use case of the Image Scanning Script.
Option D: To authenticate the Image Scanning Script with the Falcon platform, a unique API token is required. This token allows secure communication between the CI/CD pipeline and the Falcon API, enabling image assessments to occur seamlessly. Failure to include this step results in authentication issues, causing the script to fail. In practice the credential should be supplied to the pipeline through its secret store (a masked variable injected at run time) rather than written in plaintext into a configuration file that is committed alongside the pipeline definition.
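The image assessment policy question above (enforce compliance during the CI/CD pipeline) and this one (authenticate the scanning step before deployment) describe the same pipeline stage from two sides. The following added example is not the Falcon CWPP Image Scanning Script and does not use its output format: it shows a CI gate that reads API client credentials from environment variables the pipeline's secret store injects (the names `FALCON_CLIENT_ID` / `FALCON_CLIENT_SECRET` are an assumption), fails fast when they are missing, and then evaluates a constructed assessment report against a severity policy so that a non-compliant image stops the stage before deployment.

```python
"""Gate a CI/CD stage on a container image assessment result.

Added illustration, not the Falcon CWPP Image Scanning Script. The report
layout, the policy dict and the environment-variable names are assumptions
for the example. Two habits are demonstrated: credentials arrive via the
pipeline's secret store, never a committed config file; and the stage fails
before deployment when the image violates the policy.
"""
import os
import sys
from typing import Dict, List, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed assessment report shaped like a generic scanner result
# (package names are illustrative; no real advisory identifiers are used).
CONSTRUCTED_REPORT = {
    "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments/api:1.4.0",
    "vulnerabilities": [
        {"package": "openssl", "severity": "critical", "fix_available": True},
        {"package": "curl", "severity": "high", "fix_available": False},
        {"package": "zlib", "severity": "medium", "fix_available": True},
    ],
}

# Assumed policy: fail on high or worse, but only where the team can act (a fix exists).
POLICY = {"fail_on": "high", "fixable_only": True}


def load_credentials(env: Dict[str, str] = os.environ) -> Tuple[str, str]:
    """Read API client credentials injected by the CI secret store.

    Raising here, rather than proceeding, means a misconfigured pipeline
    fails visibly instead of silently skipping the scan.
    """
    try:
        return env["FALCON_CLIENT_ID"], env["FALCON_CLIENT_SECRET"]
    except KeyError as missing:
        raise RuntimeError(
            f"missing credential {missing}; define it as a masked CI secret, not in the pipeline file"
        ) from None


def evaluate(report: dict, policy: dict) -> Tuple[bool, List[str]]:
    """Return (passed, reasons).

    A finding blocks the image when its severity is at or above
    policy['fail_on']; with policy['fixable_only'] set, only findings that
    have a fix available block it.
    """
    threshold = SEVERITY_RANK[policy["fail_on"]]
    reasons = []
    for v in report["vulnerabilities"]:
        if SEVERITY_RANK[v["severity"]] < threshold:
            continue
        if policy.get("fixable_only") and not v.get("fix_available"):
            continue
        suffix = " (fix available)" if v.get("fix_available") else ""
        reasons.append(f"{v['package']}: {v['severity']}{suffix}")
    return (not reasons), reasons


def main() -> int:
    """Exit 0 to let the pipeline continue to deployment, non-zero to stop it."""
    try:
        load_credentials()   # a real script would use these to obtain a bearer token
    except RuntimeError as err:
        print(f"ERROR: {err}", file=sys.stderr)
        return 2
    passed, reasons = evaluate(CONSTRUCTED_REPORT, POLICY)
    for reason in reasons:
        print(f"BLOCKING: {reason}")
    print("image", "accepted" if passed else "rejected", "for", CONSTRUCTED_REPORT["image"])
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

The gate runs in the build stage, before any push to the deployment registry, which is the placement Option A of this question gets wrong.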
You are configuring a new assessment schedule in CrowdStrike Falcon to monitor your organization’s cloud security posture.
What is the first step you must take to ensure the schedule is correctly set up and functional?
- A . Enable real-time monitoring for all cloud accounts before setting up the schedule.
- B . Assign permissions to CrowdStrike Falcon for accessing cloud provider APIs.
- C . Manually tag critical resources to be included in the assessment.
- D . Select the frequency of the assessment, such as daily, weekly, or monthly.
B
Explanation:
Option A: Real-time monitoring is complementary to scheduled assessments but is not a prerequisite for setting up an assessment schedule. Scheduled assessments operate independently of real-time monitoring.
Option B: Assigning permissions is the foundational step for CSPM setup. It allows Falcon to retrieve the required telemetry and perform posture assessments effectively.
Option C: Tagging resources may be useful for focused assessments, but it is not mandatory. Falcon automatically evaluates the entire cloud environment by default unless specified otherwise.
Option D: While selecting the frequency is an essential step, it cannot be completed unless the necessary permissions are granted to Falcon for API access. Without these permissions, the assessments cannot run.
You are reviewing user accounts in your organization using the CrowdStrike CIEM/Identity Analyzer.
Which of the following scenarios represents the correct method to identify an inactive user?
- A . A user who has no recorded login activity for the past 90 days and has no active API tokens.
- B . A user who recently logged in and modified IAM policies but has minimal activity in other resources.
- C . A user who has logged in twice in the past week but has not used any IAM role or resource permissions.
- D . A user with no logins or API activity in the last 30 days but with active IAM roles assigned.
A
Explanation:
Option A: This scenario aligns with the definition of an inactive user. A lack of login activity combined with the absence of active API tokens indicates that the user account is not currently in use, making it a candidate for review or deactivation. CIEM tools are designed to highlight such accounts to reduce unnecessary exposure.
Option B: Modifying IAM policies is a critical activity, and the recent login further indicates the account is active. Minimal resource usage doesn’t qualify the user as inactive.
Option C: Regular logins indicate activity. Even if IAM roles or resources are not utilized, the login behavior demonstrates some level of engagement, so the user is not considered inactive.
Option D: While the user shows inactivity, the presence of active IAM roles suggests potential risk if roles are misused. This might warrant review but doesn’t definitively qualify the account as inactive until a longer inactivity period is confirmed.
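The permissions-audit question earlier on this page (dormant accounts that still hold administrator privileges) and this one (what counts as an inactive user) are two checks over the same identity inventory. The following added example is not CrowdStrike CIEM/Identity Analyzer output or logic: it runs both checks over a constructed inventory, treating an account as inactive only when it has neither a login nor an API call inside the window and holds no active access key (the definition in Option A), and as high-risk when it is inactive yet still has administrator rights. The record layout, the 90-day window and the fixed reference date are assumptions for the example.

```python
"""Flag dormant accounts and dormant privileged accounts in an identity inventory.

Added illustration, not CrowdStrike CIEM/Identity Analyzer logic. The record
layout, the 90-day window and the fixed 'now' are assumptions for the example.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

INACTIVITY_DAYS = 90                                    # assumption
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)        # fixed so results are reproducible

# Constructed inventory: timestamps are ISO dates or None when never recorded.
CONSTRUCTED_USERS = [
    {"user": "alice",  "admin": True,  "last_login": "2025-01-30", "last_api": None,         "active_keys": 0},
    {"user": "bob",    "admin": True,  "last_login": "2024-08-01", "last_api": "2024-07-15", "active_keys": 0},
    {"user": "carol",  "admin": False, "last_login": None,         "last_api": "2024-09-01", "active_keys": 1},
    {"user": "dave",   "admin": False, "last_login": "2024-12-20", "last_api": None,         "active_keys": 0},
    {"user": "erin",   "admin": False, "last_login": "2024-06-10", "last_api": None,         "active_keys": 0},
    {"user": "svc-ci", "admin": False, "last_login": None,         "last_api": "2025-01-29", "active_keys": 1},
]


def _days_since(stamp: Optional[str], now: datetime) -> Optional[int]:
    """Age of an ISO date in days, or None when there is no record at all."""
    if stamp is None:
        return None
    return (now - datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)).days


def is_inactive(user: dict, now: datetime = NOW, window: int = INACTIVITY_DAYS) -> bool:
    """No login and no API call within the window, and no active access key.

    An active key is treated as evidence the account may still be in use
    (Option A's 'no active API tokens'), so such accounts are reported for
    review elsewhere rather than declared inactive here.
    """
    if user["active_keys"] > 0:
        return False
    ages = [d for d in (_days_since(user["last_login"], now),
                        _days_since(user["last_api"], now)) if d is not None]
    return all(d > window for d in ages)   # an account with no recorded activity at all is inactive


def audit(users: List[dict], now: datetime = NOW) -> Dict[str, List[str]]:
    """Return inactive users and the subset that still hold administrator rights."""
    inactive = [u["user"] for u in users if is_inactive(u, now)]
    high_risk = [u["user"] for u in users if u["admin"] and is_inactive(u, now)]
    return {"inactive": inactive, "high_risk": high_risk}


if __name__ == "__main__":
    result = audit(CONSTRUCTED_USERS)
    print("inactive (candidates for deactivation):", result["inactive"])
    print("high risk (inactive AND admin, act now):", result["high_risk"])
```

Carol matches Option D's pattern (old activity but a live credential): she is deliberately left out of the inactive list and would instead be surfaced by a separate stale-key review.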
While auditing a cloud image configured for deployment, which of the following findings represents a deployment misconfiguration?
- A . The image lacks a health check directive in the Dockerfile.
- B . The image uses a private container registry with role-based access control (RBAC).
- C . The image has labels for versioning and maintainability metadata.
- D . The image includes unused software packages.
D
Explanation:
Option A: While missing a health check directive is not ideal for production readiness, it is not a security misconfiguration. Health checks are primarily for operational monitoring and ensuring high availability.
Option B: This is a best practice to ensure only authorized users can access the image. It strengthens the security of the deployment pipeline and does not represent a misconfiguration.
Option C: Adding labels for versioning and maintainability metadata (e.g., LABEL version="1.0") is a best practice. It aids in managing image lifecycles and troubleshooting deployments. This does not constitute a misconfiguration.
Option D: Including unused software packages increases the attack surface and may introduce unnecessary vulnerabilities. Attackers could exploit unmaintained or outdated components, even if they are not actively used by the application. Removing unnecessary packages during the build process is a key security best practice.
