GCP Professional Cloud Architect Practice Question
Your company operates dozens of GKE clusters spread across multiple projects. Security requires that:
Only container images built in the central prod-build project may be deployed anywhere.
Each image must pass Artifact Registry's built-in vulnerability scanning before deployment.
Signing keys have to be centrally managed in a separate security project, rotated automatically every 90 days, and never handled directly by cluster operators.
Which approach best enforces these requirements while minimizing manual effort?
Configure Cloud Build in the prod-build project to generate Container Analysis attestations signed with a Cloud KMS key stored in a dedicated security project that rotates every 90 days, and enforce an organization-level Binary Authorization policy requiring that attestor and passing vulnerability scans on all GKE clusters.
Publish images from Cloud Build to Artifact Registry, then deploy Anthos Policy Controller with custom OPA Gatekeeper constraints that verify image digests; store rotating signing secrets in Secret Manager for operators to apply during deployments.
Place Artifact Registry and all GKE clusters inside the same VPC Service Controls perimeter, enforce PodSecurityPolicies that allow only images from that registry, and configure automatic rotation on project-level KMS keys without using Binary Authorization.
Grant the prod-build Cloud Build service account exclusive push access to Artifact Registry and enable vulnerability scanning; use image path whitelists in cluster-level Binary Authorization policies and manage signing keys manually when needed.
Integrating Cloud Build with Binary Authorization lets Cloud Build automatically generate Container Analysis provenance and create an attestation each time it finishes a build. If Cloud Build is configured to sign those attestations with a Cloud KMS key that resides in a dedicated security project, operators never handle the private key material. Enabling automatic rotation on that key satisfies the 90-day rotation mandate. An organization-level Binary Authorization policy that requires an attestor backed by the same key, and that enforces that images have no high-severity vulnerabilities, prevents any GKE cluster from running images that were not built and signed in the prod-build project or whose scans fail. The remaining options rely on access controls, custom admission controllers, or network boundaries but do not provide cryptographic attestations tied to centralized, auto-rotated keys, so they cannot guarantee both provenance and scanning compliance with minimal ongoing effort.
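As an added illustration that is not part of the original question or its explanation, the enforcement half of the chosen design expressed as a Binary Authorization policy file for one GKE project; the project ids and the attestor name are placeholders, and the attestor is assumed to live in the security project alongside its KMS key.

```yaml
# Added example (not from the original page): Binary Authorization policy for a
# single GKE project. GKE_PROJECT_ID, SECURITY_PROJECT_ID and prod-build-attestor
# are placeholders; the attestor location in the security project is an assumption.
name: projects/GKE_PROJECT_ID/policy

# Google-maintained GKE system images are exempt from attestation checks.
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gke.gcr.io/**

# Also evaluate Google's global policy, which covers Google system images.
globalPolicyEvaluationMode: ENABLE

defaultAdmissionRule:
  # Every other image must carry a valid attestation.
  evaluationMode: REQUIRE_ATTESTATION
  # Block the deployment and write an audit log entry; DRYRUN_AUDIT_LOG_ONLY
  # would only record the violation without blocking.
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  # The attestor is defined in the security project and its public key is a
  # Cloud KMS key version there, so the cluster project never sees key material.
  requireAttestationsBy:
  - projects/SECURITY_PROJECT_ID/attestors/prod-build-attestor
```

Import the file in each cluster project with `gcloud container binauthz policy import policy.yaml`; the attestor's public key is registered from the KMS key version in the security project with `gcloud container binauthz attestors public-keys add`, so no private key is exported.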