GCP Professional Cloud Architect Practice Question

Your organization is preparing its first formal penetration test since migrating a public-facing payment application from an on-premises data center to Google Cloud. The workload now consists of a Cloud Load Balancer in front of Cloud Run services, which in turn access a Cloud SQL database. As the lead cloud architect, you must define the scope and approach of the exercise so that it reveals the most critical weaknesses while complying with Google Cloud policies and minimizing business risk. Which plan best meets these requirements?

Test both the Cloud Run application and the underlying Google Cloud environment by combining dynamic application attacks with reviews of IAM roles, service-account permissions, firewall rules, and Cloud SQL exposure. Use Security Command Center to augment manual testing, and proceed without additional Google approval as long as the tests comply with the Acceptable Use Policy.
Limit the engagement to external network vulnerability scans that probe for open ports on the Cloud Load Balancer, analyze Cloud NAT logs for anomalies, and submit a penetration-testing request to Google at least two weeks in advance for authorization.
Restrict testing to the application's HTTP endpoints only, excluding Google Cloud IAM and network settings, and run an open-source dynamic scanner from the on-premises network to avoid affecting production traffic.
Focus primarily on verifying that GKE node operating systems are fully patched and let Forseti Security perform automated scans; open a separate support case with Google for explicit approval of each individual test scenario before execution.

Report Issue

Answer Description

The most effective and compliant plan is to test both the application layer and the surrounding Google Cloud configuration. Modern cloud-focused penetration tests need to combine traditional web-application techniques (for example, injection and authentication bypass against the Cloud Run services) with attempts to exploit or mis-use cloud-native controls such as IAM roles, service accounts, network segmentation, and Cloud SQL exposure. Google no longer requires customers to obtain pre-approval for penetration testing of their own Google Cloud resources, provided that tests stay within the customer's projects and follow the Acceptable Use Policy. Relying only on external port scans, limiting scope to operating-system patch levels, or requesting unnecessary approvals would either miss key attack vectors or add needless overhead. Therefore, the comprehensive, policy-compliant approach that leverages Security Command Center findings plus targeted manual techniques is the correct choice.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.