GCP Professional Cloud Security Engineer Practice Question
During a penetration test, consultants demonstrate that an untrusted workload running inside one of your Compute Engine VMs can exfiltrate the VM's service-account token by sending a forged HTTP request to http://169.254.169.254/computeMetadata/v1beta1/… via a vulnerable locally-running proxy. You need to mitigate this risk across hundreds of existing Linux VMs without modifying any application code. Which action most effectively prevents this attack strategy while preserving access to the metadata server for legitimate in-guest agents?
Disable the legacy v0.1 and v1beta1 metadata endpoints for every VM by setting the project-wide metadata key disable-legacy-endpoints=true.
Remove the VM's service account or restrict it to read-only scopes.
Periodically rotate the default service-account's access token using Cloud IAM Conditions.
Send the header Metadata-Flavor: Google from all trusted processes when calling the metadata server.
For requests to the legacy v0.1 and v1beta1 endpoints, the metadata server does not require the Metadata-Flavor: Google request header, so any in-guest software that blindly forwards HTTP requests (here, the vulnerable local proxy) becomes an SSRF path to the token endpoint. Setting the metadata key disable-legacy-endpoints=true, either project-wide (inherited by every instance that does not set the key itself) or on individual instances, forces all metadata access through the current v1 endpoint. The v1 endpoint rejects requests that lack the Metadata-Flavor: Google header, and it also rejects requests that carry an X-Forwarded-For header, which many forwarding proxies add, so the attacker's forged request fails while legitimate agents, which already send the header, keep working. Restricting scopes limits what a stolen token can do but does not prevent the theft; IAM Conditions constrain policy bindings and do not rotate tokens; and having trusted processes send the header does nothing to stop the proxy from reaching the legacy paths, which never required it. Google has since shut down the legacy endpoints altogether, but the exam point stands: the header requirement on the v1 endpoint is the control that defeats proxied SSRF.
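To apply this across hundreds of VMs you first need to know which ones still expose the legacy paths, remembering that an instance-level disable-legacy-endpoints key overrides the project-level one, so a project-wide change alone misses instances that set the key to false themselves. The following audit script is an added example, not code from the original page or from Google. It runs offline on constructed JSON shaped like the output of gcloud compute instances list --format=json and gcloud compute project-info describe --format=json; the project ID, instance names and zones are made up, and the precedence rule it encodes (instance key wins, then project key, otherwise legacy endpoints remain reachable) is the one described above.

```python
"""Audit Compute Engine VMs for reachable legacy metadata endpoints (added example)."""
import json

KEY = "disable-legacy-endpoints"

# Constructed sample: project-level common instance metadata with no legacy setting.
PROJECT_INFO_JSON = json.dumps({
    "name": "example-project",
    "commonInstanceMetadata": {"kind": "compute#metadata", "items": [
        {"key": "enable-oslogin", "value": "TRUE"},
    ]},
})

# Constructed sample: three instances in different states.
ZONE_BASE = "https://www.googleapis.com/compute/v1/projects/example-project/zones/"
INSTANCES_JSON = json.dumps([
    {"name": "web-1", "zone": ZONE_BASE + "us-central1-a",
     "metadata": {"kind": "compute#metadata", "items": [{"key": KEY, "value": "true"}]}},
    # Explicit instance-level "false" beats any project-wide "true".
    {"name": "web-2", "zone": ZONE_BASE + "us-central1-b",
     "metadata": {"kind": "compute#metadata", "items": [{"key": KEY, "value": "false"}]}},
    # No items at all: inherits whatever the project sets (here, nothing).
    {"name": "batch-1", "zone": ZONE_BASE + "europe-west1-b",
     "metadata": {"kind": "compute#metadata"}},
])


def metadata_items(md):
    """Flatten a compute#metadata object into a {key: value} dict (None-safe)."""
    return {item["key"]: item.get("value", "") for item in (md or {}).get("items", [])}


def is_true(value):
    return str(value).strip().lower() == "true"


def legacy_endpoints_disabled(project_md, instance_md):
    """Instance-level key wins; fall back to the project key; default is 'not disabled'."""
    inst, proj = metadata_items(instance_md), metadata_items(project_md)
    if KEY in inst:
        return is_true(inst[KEY])
    if KEY in proj:
        return is_true(proj[KEY])
    return False


def zone_name(zone_url):
    """Zone URLs end in the short zone name gcloud expects for --zone."""
    return zone_url.rstrip("/").rsplit("/", 1)[-1]


def find_noncompliant(project_info_json, instances_json):
    """Return [(name, zone, reason)] for instances whose legacy endpoints are reachable."""
    project_md = json.loads(project_info_json).get("commonInstanceMetadata")
    proj_setting = metadata_items(project_md).get(KEY)
    findings = []
    for inst in json.loads(instances_json):
        if legacy_endpoints_disabled(project_md, inst.get("metadata")):
            continue
        inst_items = metadata_items(inst.get("metadata"))
        if KEY in inst_items:
            reason = f"instance-level {KEY}={inst_items[KEY]} overrides project"
        elif proj_setting is None:
            reason = "inherits project default (key unset)"
        else:
            reason = f"inherits project-level {KEY}={proj_setting}"
        findings.append((inst["name"], zone_name(inst["zone"]), reason))
    return findings


def remediation_commands(findings, project_id):
    """Project-wide fix first; instance-level commands only where an override defeats it."""
    cmds = [f"gcloud compute project-info add-metadata --project {project_id} "
            f"--metadata {KEY}=true"]
    for name, zone, reason in findings:
        if reason.startswith("instance-level"):
            cmds.append(f"gcloud compute instances add-metadata {name} --zone {zone} "
                        f"--project {project_id} --metadata {KEY}=true")
    return cmds


if __name__ == "__main__":
    found = find_noncompliant(PROJECT_INFO_JSON, INSTANCES_JSON)
    for name, zone, reason in found:
        print(f"{name} ({zone}): {reason}")
    print("\n".join(remediation_commands(found, "example-project")))
```

On the sample data the script flags web-2 (explicit instance-level false) and batch-1 (inherits an unset project default) and leaves web-1 alone; the remediation list is the project-wide add-metadata command plus an instance-level command for web-2 only, since the project-wide setting already covers batch-1. To confirm the change from inside a guest, request the legacy token path without any header and the v1 token path once without and once with Metadata-Flavor: Google; after remediation only the last of those three requests should succeed.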