CCCS-203b Online Practice Questions


Latest CCCS-203b Exam Practice Questions

The practice questions for the CCCS-203b exam were last updated on 2026-01-16.


Question#1

When should you enable Drift Prevention for containers?

A. When containers are used for development and testing
B. When images launch and need to download and install packages
C. When your workloads have been designed to be immutable
D. When deploying a brand new image

Explanation:
CrowdStrike recommends enabling Drift Prevention when container workloads have been designed to be immutable. Immutable infrastructure is a core cloud-native principle where containers are not modified after deployment. Any change to a running container, such as installing packages or modifying files, indicates potential misconfiguration or malicious activity.
Drift Prevention enforces this principle by blocking or alerting on runtime changes that deviate from the original container image. This makes it highly effective for production environments where containers should run exactly as built and deployed.
In development or testing environments, containers often change dynamically, making Drift Prevention impractical due to excessive false positives. Similarly, containers that must download or install packages at startup inherently require runtime modification and are not suitable candidates for Drift Prevention.
Enabling Drift Prevention at the wrong time can disrupt legitimate workloads. Therefore, CrowdStrike guidance clearly states that Drift Prevention should be enabled only after workloads are intentionally designed to be immutable, making option C the correct answer.

Question#2

What cloud-conscious attacker behavior is used to allow them to stay hidden in the environment?

A. Storage Account Networking changed to All Networks
B. CloudTrail logging disabled
C. Certificate added to an application registration
D. EC2 Default security group does not block all traffic

Explanation:
A common cloud-conscious attacker technique used to remain hidden in a compromised environment is disabling CloudTrail logging. AWS CloudTrail records API activity across an account, providing critical visibility into actions taken by users, roles, and services. By disabling or tampering with CloudTrail, attackers significantly reduce the likelihood of detection.
CrowdStrike Falcon Cloud Security classifies this behavior as a high-risk indicator because it directly impacts monitoring, forensics, and incident response. Without CloudTrail logs, security teams lose audit trails that are essential for identifying malicious actions such as privilege escalation, data exfiltration, or persistence mechanisms.
Other options represent misconfigurations or changes that may increase exposure but do not directly suppress visibility. For example, modifying storage networking or security groups increases attack surface, while adding certificates may support persistence, but none are as directly linked to stealth as disabling logging.
Therefore, CloudTrail logging disabled is the correct answer and a well-documented cloud attack tactic used to evade detection.

Question#3

You are using CrowdStrike's Cloud Infrastructure Entitlement Manager (CIEM) to manage access policies in your organization. You want to assign a policy that restricts access to a specific cloud storage service only to users in the "Finance" group.
What steps must you take to ensure this policy is correctly assigned and enforced?

A. Configure the policy in the cloud provider's IAM service and then synchronize it with CIEM.
B. Use CIEM to deactivate all policies for other groups, leaving only the "Finance" group with permissions.
C. Define a policy in CIEM targeting the "Finance" group and map it to the relevant roles and permissions for the cloud storage service.
D. Assign the policy at the cloud provider level and ensure it applies to all roles, overriding specific user permissions.

Explanation:
Option A: Configuring policies directly in the cloud provider's IAM service bypasses CIEM's centralized management capabilities, reducing visibility and control over entitlements. Synchronization with CIEM is typically used for monitoring, not primary configuration.
Option B: Deactivating all other policies is not a scalable or secure approach. It can inadvertently disrupt other users' workflows and does not utilize CIEM's ability to manage entitlements effectively.
Option C: CIEM enables you to define and assign policies targeting specific groups, such as "Finance," and map them to roles and permissions for services like cloud storage. This approach ensures policies are aligned with organizational requirements and avoids over-provisioning.
Option D: While assigning policies at the cloud provider level is possible, it is not the recommended approach when using CIEM. CIEM provides granular control, allowing you to manage permissions based on groups or roles rather than applying blanket policies.

Question#4

What is a key requirement for deploying the CrowdStrike Kubernetes Admission Controller to monitor and secure Kubernetes workloads?

A. The Admission Controller requires the Mutating Admission Webhook configuration to be enabled in the Kubernetes API server.
B. The Admission Controller must run with root-level permissions inside a privileged container.
C. The Admission Controller requires a dedicated namespace in the Kubernetes cluster.
D. The Admission Controller must be deployed as a DaemonSet on every node.

Explanation:
Option A: The CrowdStrike Kubernetes Admission Controller uses the Mutating Admission Webhook to intercept and modify requests to the Kubernetes API server. This webhook allows the controller to enforce security policies and inject the required sensor configurations into pods at creation time. Ensuring the Mutating Admission Webhook configuration is enabled is a critical setup step for proper functionality.
Option B: The Admission Controller does not require root-level or privileged permissions. It relies on webhook functionality to perform its operations and does not interact directly with host-level resources.
Option C: While namespaces are often used for logical organization, the Admission Controller does not necessarily require a dedicated namespace. It can be deployed in any namespace, depending on the user’s configuration preferences.
Option D: The Admission Controller is not deployed as a DaemonSet; instead, it operates as a webhook server integrated with the Kubernetes API server. DaemonSets are typically used for agents that need to run on every node, such as logging or monitoring tools.

Question#5

Your organization has identified several accounts that do not have Multi-Factor Authentication (MFA) enabled, using CrowdStrike's CIEM.
Which of the following actions would be the most effective first step to mitigate the security risk associated with these accounts?

A. Assign "read-only" permissions to non-MFA accounts to limit their impact.
B. Set up an alert system to monitor non-MFA accounts for unusual activity.
C. Use CIEM to enforce MFA policies across all accounts.
D. Disable all non-MFA accounts immediately to prevent unauthorized access.

Explanation:
Option A: Restricting permissions to "read-only" does not address the core issue of MFA enforcement. These accounts remain vulnerable to unauthorized access, especially if they are compromised.
Option B: Monitoring unusual activity is a reactive measure and does not mitigate the risk posed by non-MFA accounts. Proactively enforcing MFA policies is a better strategy for reducing exposure.
Option C: Using CIEM to enforce MFA policies ensures a consistent and automated approach to improving account security. This method reduces the likelihood of human error and applies a scalable solution to protect all accounts, aligning with best practices for cloud identity management.
Option D: While disabling non-MFA accounts might reduce risk temporarily, it can disrupt business operations. A more measured approach, such as enforcing MFA, is preferable to balance security and functionality.

Disclaimer

This page is for educational and exam preparation reference only. It is not affiliated with CrowdStrike, Falcon Specialist, or the official exam provider. Candidates should refer to official documentation and training for authoritative information.

Exam Code: CCCS-203b
Q&A: 357 Q&As
Updated: 2026-01-16