Google Professional Cloud Security Engineer Exam - Topic 4 Question 44 Discussion

Actual exam question for Google's Professional Cloud Security Engineer exam

Question #: 44
Topic #: 4

[All Professional Cloud Security Engineer Questions]

You are setting up a CI/CD pipeline to deploy containerized applications to your production clusters on Google Kubernetes Engine (GKE). You need to prevent containers with known vulnerabilities from being deployed. You have the following requirements for your solution:

Must be cloud-native

Must be cost-efficient

Minimize operational overhead

How should you accomplish this? (Choose two.)

ACreate a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.

BUse a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.

CUse a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.

DDeploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.

EIn your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.

Show Suggested Answer

Suggested Answer: C, E

by Lorean at May 08, 2022, 06:36 AM

Limited Time Offer

25%

Off

Get Premium Professional Cloud Security Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Brock

4 months ago

I’m surprised they didn’t mention using GKE's built-in security features.

upvoted 0 times

...

Willodean

4 months ago

E is definitely the way to go for security!

upvoted 0 times

...

Brett

4 months ago

Wait, a cron job on Compute Engine? That sounds outdated.

upvoted 0 times

...

Chau

4 months ago

I disagree, B could work too if you want automation.

upvoted 0 times

...

Meaghan

5 months ago

A and E seem like solid choices for this!

upvoted 0 times

...

Marcelle

5 months ago

I feel like using a cron job on Compute Engine might not be the best option since it adds more operational overhead. We should stick to cloud-native solutions.

upvoted 0 times

...

Crista

5 months ago

I'm not entirely sure, but I think using a Cloud Function to scan images could add some overhead. We need to keep it cost-efficient, right?

upvoted 0 times

...

Amie

5 months ago

I remember we discussed using Cloud Build to analyze Container Analysis results. It seems like a good fit for ensuring no vulnerabilities before deployment.

upvoted 0 times

...

Yong

5 months ago

I practiced a similar question where we had to use Binary Authorization. Adding an attestation sounds like a solid way to block vulnerable containers.

upvoted 0 times

...

Gwenn

5 months ago

I'm a bit confused by the terminology and configuration details in this question. I'll need to take my time and make sure I understand the requirements before selecting the right changes.

upvoted 0 times

...

Aaron

5 months ago

Hmm, I'm a bit unsure about this one. Is it a physical security measure or could it also be considered a logical security measure since it's using a pass reader? I'll have to think this through carefully.

upvoted 0 times

...

Elenore

5 months ago

Hmm, this one seems tricky. I'll have to think about the different front-end optimization techniques and which one specifically reduces the number of files to be downloaded.

upvoted 0 times

...