Pass the CyberArk Sentry CPC-CDE-RECERT Questions and answers with CertsForce

In CyberArk Privilege Cloud / PSM deployments, PSM Health Check is implemented as a dedicated PSM Web Service on each PSM node (typically used by a load balancer to query application-level health). (docs.cyberark.com)

Because the Health Check relies on IIS, CyberArk includes PSM Health Check hardening activities as part of the setup. These hardening activities specifically focus on reducing IIS exposure by removing default/unused IIS components (for example, CyberArk documents that the setup deletes IIS application pools such as “Classic .NET AppPool”, “.NET v2.0”, “.NET v4.5”, etc.). This is a hardening action aimed at minimizing IIS attack surface / insecure defaults—i.e., removing IIS settings/configurations that could be considered security vulnerabilities. (docs.cyberark.com)

Why the other options are not the “purpose”:

B: While Health Check is used for load balancer health probing, “hardening” is not about validating readiness for a load balancer; it’s about tightening IIS-related configuration. (docs.cyberark.com)

C: Service-running checks are part of health determination, but the hardening step is described in docs in terms of IIS hardening activities (like deleting app pools), not just confirming services. (docs.cyberark.com)

D: AppLocker is part of PSM hardening overall, but it’s not the purpose of PSM Health Check hardening (which is IIS-focused). (docs.cyberark.com)

CyberArk’s official outbound traffic/network requirements explicitly list the two Privilege Cloud cloud-side endpoints that are required for Secure Tunnel communications (for REST/API calls over HTTPS/443):

Backend service management (Required for Secure Tunnel): https://console.privilegecloud.cyberark.com

Connector (Required for Secure Tunnel): https://connector- .privilegecloud.cyberark.com

These map directly to answer choices A (console) and B (connector-).

Note: Your options use the .cyberark.cloud domain, while CyberArk’s network requirements documentation shows these endpoints in the .cyberark.com domain for Privilege Cloud. The service roles (Console + Connector endpoint) are what Secure Tunnel must reach, and those are the two “Required for Secure Tunnel” services in the official requirements.

Why the other options are not selected (based on what’s “required for Secure Tunnel” in the official allowlist guidance):

C (backend-services…): Not listed in CyberArk’s published “Required for Secure Tunnel” FQDN allowlist entries (console + connector are).

D (telemetry…): Telemetry is a separate capability (dashboards / utilization tracking) and is not documented as the required Secure Tunnel service endpoint.

E (update…): Secure Tunnel upgrade/download processes are documented, but “update.*” is not listed as a required Secure Tunnel cloud endpoint in the outbound allowlist table.

https://docs.cyberark.com/privilege-cloud-standard/Latest/en/Content/Security/PSM-hardening-configuration.htm?Highlight=disable%20support%20for%20browsers

The correct statement about using the AllowedSafes platform parameter is that it prevents the Central Policy Manager (CPM) from scanning all safes, restricting it to scan only safes that match the AllowedSafes configuration. This parameter is crucial in large-scale deployments where efficiency and resource management are key. By specifying which safes the CPM should manage, unnecessary scanning of irrelevant safes is avoided, thus optimizing the CPM's performance and reducing the load on the CyberArk environment. This configuration can be found in the platform management section of the CyberArk documentation.

When deploying a CyberArk Identity Connector to integrate Privilege Cloud Shared Services with an Active Directory environment, the server hosting the Identity Connector must meet specific requirements to ensure proper integration and functionality. The necessary condition is:

The Identity Connector Server must be joined to the Active Directory (Option A). This requirement ensures that the server can communicate effectively with the Active Directory services and manage identity data securely and efficiently. Being part of the Active Directory domain facilitates authentication and authorization processes required for the connector to function correctly.

In large-scale environments, to enable the Central Policy Manager (CPM) to focus its search operations on specific Safes instead of scanning all Safes it sees in the Vault, the AllowedSafes parameter on each platform policy is used. This parameter can be configured within the platform settings in the CyberArk administration interface. By specifying safes in the AllowedSafes parameter, the CPM will only manage credentials within those designated safes, thereby optimizing performance and managing resources more efficiently by not scanning unnecessary safes. This setting is crucial for large environments where the CPM needs to be as efficient as possible due to the volume of managed accounts.

CyberArk’s PSM for SSH administration documentation explains how to create maintenance access by updating the SSH daemon configuration:

In /etc/ssh/sshd_config, add an AllowGroups entry that includes the maintenance group(s):AllowGroups PSMConnectUsers ..

This matches option C exactly: you enable the additional maintenance user by placing them in the group(s) referenced by AllowGroups in sshd_config.

CyberArk’s Privilege Cloud SAML configuration documentation explicitly states: Privilege Cloud supports only one assertion and instructs you to ensure only one assertion is configured in the IdP.