GCP Professional Cloud Security Engineer Practice Question
A penetration test shows that a server-side request forgery (SSRF) flaw in an internal web service running on several Compute Engine VMs lets an attacker fetch the VM's access token from the metadata endpoint at http://169.254.169.254/computeMetadata/v1beta1/. The application must keep using its current service account to invoke Google APIs, and you need a rapid mitigation that requires no changes to application code. What should you do?
Migrate the backend service to Cloud Run behind a Cloud Load Balancer to eliminate direct VM access.
Set the metadata key enable-legacy-endpoints to FALSE for the project so that only requests containing the required Metadata-Flavor: Google header can reach the v1 metadata server.
Enable OS Login and Shielded VM secure boot on the instances to harden the guest operating system.
Detach the service account from the VMs and re-implement Google API calls with Workload Identity Federation.
Setting the metadata key enable-legacy-endpoints to FALSE at the project or instance level disables the legacy v0.1 and v1beta1 metadata paths, which never required a request header and therefore answer any plain GET an SSRF can produce. Only the v1 path remains reachable, and it rejects requests that lack the Metadata-Flavor: Google header (the older X-Google-Metadata-Request header is deprecated). Google client libraries add that header automatically, so an application that already uses them keeps working with no code change, while a header-less request generated through the SSRF flaw receives a 403. Two things to verify in practice: instance-level metadata takes precedence over project-level metadata, so check that no instance re-enables the key, and the mitigation assumes the SSRF primitive lets the attacker choose the URL but not inject request headers; if headers can be injected, the v1 token endpoint is still exposed and the SSRF itself must be fixed. The other options either do not block token retrieval from the legacy paths (OS Login and Shielded VM harden the guest OS, not the metadata server), require substantial refactoring (Workload Identity Federation), or do not address metadata-server exposure at all (moving to Cloud Run, which presents its own metadata server to the workload).
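To make the mechanism concrete, here is an added example (not from the original page and not Google's code) that stands in for the metadata server locally. It mirrors the real v1 and v1beta1 token paths and the header check, toggled by a flag that plays the role of the enable-legacy-endpoints key; the token value, error messages and the callers are constructed for illustration. Three callers are modelled: an SSRF that controls only the URL, the same SSRF when the bug also allows header injection (the bypass case), and a client library that always sends Metadata-Flavor: Google.

```python
"""Constructed stand-in for the GCE metadata server, used to show what
enable-legacy-endpoints=FALSE does and does not block. Example code added
here, not Google's server or the page's code; the paths mirror the real
ones, but the token and error messages are made up."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

TOKEN_SUFFIX = "instance/service-accounts/default/token"
FAKE_TOKEN = json.dumps({"access_token": "ya29.CONSTRUCTED-EXAMPLE",
                         "expires_in": 3599, "token_type": "Bearer"})


def make_handler(enable_legacy_endpoints):
    """Build a request handler that behaves like the metadata server would
    with the given value of the enable-legacy-endpoints metadata key."""

    class MetadataStub(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def _reply(self, status, body):
            data = body.encode()
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def do_GET(self):
            path = self.path.split("?", 1)[0]
            if path == f"/computeMetadata/v1/{TOKEN_SUFFIX}":
                # v1 insists on the header; a URL-only SSRF cannot supply it.
                if self.headers.get("Metadata-Flavor") != "Google":
                    return self._reply(403, "Missing Metadata-Flavor:Google header.")
                return self._reply(200, FAKE_TOKEN)
            if path == f"/computeMetadata/v1beta1/{TOKEN_SUFFIX}":
                # Legacy path: no header check at all, which is the whole problem.
                if not enable_legacy_endpoints:
                    return self._reply(403, "Legacy metadata endpoints are disabled.")
                return self._reply(200, FAKE_TOKEN)
            return self._reply(404, "not found")

    return MetadataStub


def fetch(base_url, path, headers=None):
    """Issue a GET and return (status, body) instead of raising on 4xx."""
    try:
        with urlopen(Request(base_url + path, headers=headers or {})) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def ssrf_fetch(base_url, attacker_path, injected_headers=None):
    """Model the SSRF primitive: the attacker chooses the URL the vulnerable
    service requests. Headers are attacker-controlled only if the bug also
    allows header injection (injected_headers), which is the bypass case."""
    return fetch(base_url, attacker_path, injected_headers)


def library_fetch(base_url):
    """Model a Google client library: always the v1 path, always the header."""
    return fetch(base_url, f"/computeMetadata/v1/{TOKEN_SUFFIX}",
                 {"Metadata-Flavor": "Google"})


def run_scenario(enable_legacy_endpoints):
    """Spin up the stub with the given key value and exercise every caller."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(enable_legacy_endpoints))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {
            "ssrf_v1beta1": ssrf_fetch(base, f"/computeMetadata/v1beta1/{TOKEN_SUFFIX}"),
            "ssrf_v1": ssrf_fetch(base, f"/computeMetadata/v1/{TOKEN_SUFFIX}"),
            "ssrf_v1_header_injection": ssrf_fetch(
                base, f"/computeMetadata/v1/{TOKEN_SUFFIX}", {"Metadata-Flavor": "Google"}),
            "library": library_fetch(base),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for flag in (True, False):
        print(f"enable-legacy-endpoints={str(flag).upper()}")
        for name, (status, _) in run_scenario(flag).items():
            print(f"  {name:26} -> {status}")
```

With the flag TRUE the header-less SSRF gets the token from v1beta1; with FALSE it gets 403 from both paths while the library caller still succeeds. The header-injection row stays 200 in both runs, which is the caveat: the setting buys time, it does not replace fixing the SSRF. On a real project the equivalent change is `gcloud compute project-info add-metadata --metadata enable-legacy-endpoints=FALSE`, or per instance `gcloud compute instances add-metadata INSTANCE --zone ZONE --metadata enable-legacy-endpoints=FALSE` (INSTANCE and ZONE are placeholders), and it can be verified from inside a VM with `curl -s -o /dev/null -w '%{http_code}' http://169.254.169.254/computeMetadata/v1beta1/instance/service-accounts/default/token`, which should print 403.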
GCP Professional Cloud Security Engineer
Ensuring data protection