GCP Professional Cloud Security Engineer Practice Question
Your company detects malware on a production Compute Engine VM that successfully retrieves a service-account access token from the instance metadata server and then tries to upload it to random public IP addresses. The VM must remain online until the next maintenance window and still needs to reach Google Cloud APIs over Private Google Access (199.36.153.8/30). Which action provides an immediate, least-disruptive mitigation using only VPC firewall rules?
Create an egress deny rule that blocks traffic to 169.254.169.254/32 from the VM.
Apply two high-priority egress rules to the VM's network tag: first allow traffic to 199.36.153.8/30, then deny all remaining egress to 0.0.0.0/0.
Enable VPC Service Controls on the project to restrict data exfiltration for the VM.
Add an ingress deny rule on TCP port 80 for the VM to stop internet hosts from connecting.
VPC firewall rules filter traffic that leaves or enters a VM's virtual NIC. They cannot block the link-local metadata address (169.254.169.254), which is reached over the NIC's loopback path and is therefore never evaluated by VPC firewalls. The practical control point is egress to external networks: deny every destination except the Private Google Access IP range that the workload legitimately needs. Creating a very high-priority egress rule that allows traffic to 199.36.153.8/30 for the affected VM, followed by another high-priority rule that denies all remaining egress (0.0.0.0/0), stops the stolen token from leaving the VM while keeping calls to Google APIs functional. The other options either target a traffic path the firewall cannot control (the metadata server), address inbound rather than outbound flows, or require additional services instead of the requested firewall-only fix.
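The two-rule quarantine from the explanation, as an added example written for this page (not code from the exam provider): gcloud commands that tag the VM and create the allow and deny egress rules, with a guard on the priority order. Network, zone, VM name, tag name and the priority numbers are assumptions.

```shell
#!/bin/sh
# Added example (not from the question page): quarantine egress for the
# compromised VM with two high-priority VPC firewall rules. Assumed values:
# network "prod-vpc", zone "us-central1-a", VM "web-prod-01",
# network tag "quarantine-token-leak", priorities 100 and 110.
set -eu

NETWORK="${NETWORK:-prod-vpc}"
ZONE="${ZONE:-us-central1-a}"
VM="${VM:-web-prod-01}"
TAG="${TAG:-quarantine-token-leak}"
PGA_RANGE="199.36.153.8/30"      # Private Google Access range from the question
ALLOW_PRIORITY=100               # GCP evaluates the lowest number first
DENY_PRIORITY=110                # must be a higher number than ALLOW_PRIORITY

# Allow rule: keeps Google API calls working. Restricted to HTTPS here
# (an assumption narrower than the question's "traffic to 199.36.153.8/30").
allow_rule_cmd() {
  printf 'gcloud compute firewall-rules create quarantine-allow-pga --network=%s --direction=EGRESS --priority=%s --action=ALLOW --rules=tcp:443 --destination-ranges=%s --target-tags=%s' \
    "$NETWORK" "$ALLOW_PRIORITY" "$PGA_RANGE" "$TAG"
}

# Deny rule: blocks every other egress destination. Logging is enabled so
# further upload attempts by the malware are visible in Cloud Logging.
deny_rule_cmd() {
  printf 'gcloud compute firewall-rules create quarantine-deny-all --network=%s --direction=EGRESS --priority=%s --action=DENY --rules=all --destination-ranges=0.0.0.0/0 --target-tags=%s --enable-logging' \
    "$NETWORK" "$DENY_PRIORITY" "$TAG"
}

# Guard: an allow rule with the same or a higher number than the deny rule
# loses to it (at equal priority, deny wins), which would cut off Google APIs.
priorities_ok() {
  [ "$ALLOW_PRIORITY" -lt "$DENY_PRIORITY" ]
}

apply_rules() {
  priorities_ok || { echo "allow priority must be numerically lower than deny" >&2; return 1; }
  # Tag the VM first, then create the allow rule before the deny rule so
  # API access never drops while the quarantine is being applied.
  gcloud compute instances add-tags "$VM" --zone="$ZONE" --tags="$TAG"
  eval "$(allow_rule_cmd)"
  eval "$(deny_rule_cmd)"
}

# Default is a dry run that prints the commands; APPLY=1 executes them.
if [ "${APPLY:-0}" = "1" ]; then
  apply_rules
else
  allow_rule_cmd; echo
  deny_rule_cmd; echo
fi
```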
GCP Professional Cloud Security Engineer
Ensuring data protection