GCP Professional Cloud Security Engineer Practice Question
A security assessment of several public-facing Compute Engine VMs shows that the instances still allow access to the legacy metadata endpoints /computeMetadata/v0.1 and /computeMetadata/v1beta1. Firewalls already block all inbound traffic except TCP 443 to the web application. Why does keeping these legacy endpoints enabled remain a serious security risk?
They respond to requests from processes inside the VM without requiring the protective X-Google-Metadata-Request (Metadata-Flavor: Google) header, letting an attacker exploit an SSRF-vulnerable application to steal the VM's service-account access token.
They disable automatic rotation of customer-managed encryption keys for attached persistent disks, increasing the chance of cryptographic compromise.
The legacy endpoints store all imported SSH public keys in plaintext files that are world-readable on the boot disk, exposing administrator access.
Anyone on the internet can reach the metadata server directly if a public firewall rule allows HTTPS, so attackers can download the entire instance metadata.
The primary danger comes from server-side request forgery (SSRF) or remote-code-execution flaws in software running inside the VM. If attacker-supplied input can make the application issue HTTP requests, the attacker can direct the code to query the metadata server. The legacy endpoints reply without requiring the protective header (Metadata-Flavor: Google), so an attacker can retrieve the VM's OAuth access token for its attached service account and use that token to access other Google Cloud resources. Inbound firewall rules do not mitigate this because the metadata server is reached over the VM's loopback interface. The other options describe issues that are either incorrect (user-level SSH keys are not stored on disk in plaintext), already mitigated by the firewall, or unrelated to the metadata server (disk-encryption key rotation).
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Server-Side Request Forgery (SSRF)?
Open an interactive chat with Bash
What is the purpose of the X-Google-Metadata-Request header?
Open an interactive chat with Bash
How do service-account access tokens work and why are they important?
Open an interactive chat with Bash
Why are legacy metadata endpoints a security risk?
Open an interactive chat with Bash
What is the purpose of the 'Metadata-Flavor: Google' header?
Open an interactive chat with Bash
How do SSRF vulnerabilities exploit legacy metadata endpoints in VMs?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .