ISC2 Certified Cloud Security Professional (CCSP) Practice Question

A finance startup runs dozens of Linux containers in a managed Kubernetes cluster hosted by a public cloud provider. Management wants an extra layer of defense that will still be effective if an attacker achieves a container breakout at the application layer, but remains confined to the container's user space. The chosen control must explicitly limit which kernel functions the process inside each container can invoke, thereby reducing the blast radius of a compromise. Which hardening action BEST meets this goal?

  • Place all worker nodes in an isolated private subnet with no inbound Internet access.

  • Apply fine-grained seccomp and AppArmor profiles to every container to restrict available system calls and kernel capabilities.

  • Configure an admission controller that rejects any image pulled with the :latest tag.

  • Mount the host's Docker socket inside each pod so a security scanner can inspect running containers.

ISC2 Certified Cloud Security Professional (CCSP)
Cloud Concepts, Architecture and Design