Google Exam Professional Cloud Security Engineer Topic 2 Question 104 Discussion

Actual exam question for Google's Professional Cloud Security Engineer exam
Question #: 104
Topic #: 2

Your organization is building a real-time recommendation engine using ML models that process live user activity data stored in BigQuery and Cloud Storage. Each new model developed is saved to Artifact Registry. This new system deploys models to Google Kubernetes Engine and uses Pub/Sub for message queues. Recent industry news has been reporting attacks exploiting ML model supply chains. You need to enhance the security in this serverless architecture, specifically against risks to the development and deployment pipeline. What should you do?

Suggested Answer: B

To enhance the security of your machine learning (ML) model supply chain within a serverless architecture, it's crucial to implement measures that protect both the development and deployment pipelines.

Option A: While limiting external dependencies and rotating encryption keys are good security practices, they do not directly address the risks associated with the ML model supply chain.

Option B: Implementing container image vulnerability scanning during development and pre-deployment helps identify and mitigate known vulnerabilities in your container images. Enforcing Binary Authorization ensures that only trusted and verified images are deployed in your environment. This combination directly strengthens the security of the ML model supply chain by validating the integrity of container images before deployment.

Option C: Sanitizing training data and applying role-based access controls are important security practices but do not specifically safeguard the deployment pipeline against compromised container images.

Option D: While strict firewall rules and intrusion detection systems enhance network security, they do not specifically address vulnerabilities within the container images or the deployment process.

Therefore, Option B is the most effective approach, as it directly addresses the security of the development and deployment pipeline by ensuring that only vetted and secure container images are used in your environment.
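
As an added example (not part of the original page and not Google's implementation), the following Python sketch models the pipeline Option B describes: the CI step issues an attestation only when the image scan is clean, and the deploy-time gate admits only digest-pinned images that carry that attestation. The attestor name, key, repository path and findings are constructed, and HMAC stands in for the attestor's asymmetric signature.

```python
import hashlib
import hmac

SEVERITIES = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
# Constructed values. A real attestor signs with an asymmetric key pair;
# HMAC is a stand-in so the sketch needs only the standard library.
ATTESTOR = "projects/example-project/attestors/vuln-scan-passed"
ATTESTOR_KEY = b"constructed-demo-key"
REPO = "us-docker.pkg.dev/example-project/models/recommender"


def _sign(digest):
    return hmac.new(ATTESTOR_KEY, digest.encode(), hashlib.sha256).hexdigest()


def attest_if_clean(digest, findings, block_at="HIGH"):
    """CI step: attest the digest only if no finding reaches block_at."""
    limit = SEVERITIES.index(block_at)
    if any(SEVERITIES.index(f["severity"]) >= limit for f in findings):
        return None
    return {"attestor": ATTESTOR, "digest": digest, "signature": _sign(digest)}


def admit(image_ref, attestations, required=ATTESTOR):
    """Deploy gate: admit only digest-pinned images with a valid attestation."""
    if "@sha256:" not in image_ref:
        # A mutable tag cannot be matched to an attestation over a digest.
        return False, "image is not referenced by digest"
    digest = image_ref.split("@", 1)[1]
    for a in attestations:
        if (a["attestor"] == required and a["digest"] == digest
                and hmac.compare_digest(a["signature"], _sign(digest))):
            return True, "attested"
    return False, "no valid attestation for this digest"


def demo():
    """Run four constructed deployments through the gate."""
    good = "sha256:" + hashlib.sha256(b"constructed clean image").hexdigest()
    bad = "sha256:" + hashlib.sha256(b"constructed vulnerable image").hexdigest()
    ok = attest_if_clean(good, [{"id": "FINDING-1", "severity": "LOW"}])
    blocked = attest_if_clean(bad, [{"id": "FINDING-2", "severity": "CRITICAL"}])
    return {
        "clean": admit(f"{REPO}@{good}", [ok])[0],
        "vulnerable": admit(f"{REPO}@{bad}", [a for a in [blocked] if a])[0],
        "swapped": admit(f"{REPO}@{bad}", [ok])[0],  # attestation reused on another image
        "tag": admit(f"{REPO}:latest", [ok])[0],
    }
```

Only the scanned, attested digest is admitted; the vulnerable image, the image presented with another image's attestation, and the tag reference are all denied.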


Container Scanning Overview

Binary Authorization Overview

Contribute your Thoughts:

Javier
7 days ago
I agree with Virgie. That sounds like a good security measure.
upvoted 0 times
...
Virgie
11 days ago
I think we should limit external libraries and rotate encryption keys.
upvoted 0 times
...
Quentin
16 days ago
I agree, option B is the most comprehensive solution to address the ML supply chain risks. Limiting dependencies and rotating keys are also good practices.
upvoted 0 times
Kimbery
5 days ago
A) Limit external libraries and dependencies that are used for the ML models as much as possible. Continuously rotate encryption keys that are used to access the user data from BigQuery and Cloud Storage.
upvoted 0 times
...
Elmira
8 days ago
B) Enable container image vulnerability scanning during development and pre-deployment. Enforce Binary Authorization on images deployed from Artifact Registry to your continuous integration and continuous deployment (CI/CD) pipeline.
upvoted 0 times
...
...
Ernest
18 days ago
Option B seems like the way to go. Scanning containers and enforcing authorization on image deployment is crucial for securing the ML pipeline.
upvoted 0 times
Kimi
2 days ago
C) Thoroughly sanitize all training data prior to model development to reduce risk of poisoning attacks. Use IAM for authorization, and apply role-based restrictions to code repositories and cloud services.
upvoted 0 times
...
Carey
12 days ago
B) Enable container image vulnerability scanning during development and pre-deployment. Enforce Binary Authorization on images deployed from Artifact Registry to your continuous integration and continuous deployment (CI/CD) pipeline.
upvoted 0 times
...
...
