GCP Professional Cloud Architect Practice Question

Your company is standardizing its CI/CD workflows on Cloud Build. Security architects require that every container image pushed to Artifact Registry include verifiable build provenance so that runtime environments can confirm the image's origin before deployment. Which design best meets this requirement while minimizing operational toil?

Use Container-Optimized OS signatures to verify node images; application containers inherit trust from the host so no additional provenance is required.
Configure a Cloud Function trigger that signs each built image with a separately managed KMS key before pushing to Container Registry.
Enable Cloud Build's build provenance feature and push images to Artifact Registry; then configure Binary Authorization to require trusted Cloud Build provenance attestations before allowing deployments.
Export build logs to Cloud Logging and require operations teams to manually verify image digests against the logs prior to deployment.

Report Issue

Answer Description

Cloud Build can automatically generate in-toto build provenance for container images when the Cloud Build provenance feature is enabled. By storing images in Artifact Registry, provenance metadata is published to the linked Container Analysis API as an attestation. Runtime protections such as Binary Authorization can then be configured with an "Build Provenance" policy to admit only images that carry trusted Cloud Build attestations. This approach avoids custom scripting while satisfying the requirement for verifiable artifact integrity. Alternative answers fail because manually signing adds operational overhead, Cloud Functions do not guarantee tamper-proof provenance generation, and COS image signing addresses OS image trust rather than build-time provenance for application containers.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.