Question 20
Domain 6: Monitoring, Logging and Runtime Security
An analyst sees an exec into a Pod, a read of mounted credentials, and then outbound API calls to cloud services. What is the best interpretation?
Correct answer: B
Explanation
An exec into a Pod followed by a read of mounted credentials is consistent with someone gaining access to secrets inside the container. The outbound API calls to cloud services indicate those credentials may then have been used externally, which fits a sequence of "credential theft followed by external abuse."
Why each option is right or wrong
A. Likely a benign health check
Health checks are automated probes; they do not typically involve interactive execs, credential reads, and external API usage.
B. A possible sequence of credential theft followed by external abuse
The sequence is consistent with a compromise chain rather than a benign admin action: an exec into a Pod provides interactive access to the container, and reading mounted credentials indicates exposure of secrets available inside that workload. The subsequent outbound API calls to cloud services are the telltale post-exposure step, suggesting those credentials were then used outside the Pod to access external resources, which fits a credential-theft-then-abuse interpretation.
C. Evidence that NetworkPolicy is working perfectly
Outbound cloud API calls suggest egress occurred; that alone does not prove NetworkPolicy enforcement success.
D. A normal rolling update sequence
Rolling updates replace Pods and containers; they do not normally involve credential harvesting behavior.