GCP Professional Cloud Security Engineer Practice Question
Your company hosts a public web application behind an external HTTP(S) load balancer on Google Cloud. A new compliance mandate requires that every client connection negotiate TLS 1.2 or later and that only ciphers providing perfect forward secrecy (explicitly excluding RC4, 3DES, and CBC suites) are offered. Backend services and Google-managed TLS certificates must remain unchanged. As the security engineer, what is the most operationally efficient way to enforce these requirements on every front-end listener of the load balancer?
Enable a Cloud Armor policy that blocks connections using disallowed ciphers or protocol versions before they reach the load balancer.
Configure each back-end VM to accept only TLS 1.2; the load balancer will automatically propagate the same restriction to clients.
Create a custom SSL policy (or use the built-in MODERN profile) with the minimum TLS version set to TLS_1_2 and apply it to the HTTPS target proxy used by the load balancer.
Upload a new custom certificate that lists only the approved cipher suites and enable mutual TLS on the back-end service.
For external HTTP(S) and SSL Proxy load balancers, the set of TLS protocol versions and cipher suites that clients can negotiate is controlled by an SSL policy attached to the target HTTPS (or SSL) proxy. Google Cloud provides predefined SSL policy profiles (COMPATIBLE, MODERN, and RESTRICTED) and also allows fully custom policies. Both the MODERN predefined profile and any custom policy whose minimum TLS version is set to TLS_1_2 (or higher) meet the mandate because they disable older protocol versions and allow only forward-secret ciphers while excluding RC4, 3DES, and CBC-mode suites. Attaching such a policy to the target HTTPS proxy immediately applies the constraints to every listener that uses that proxy, without modifying back-end services or certificates. Replacing certificates or adjusting back-end VM TLS settings does not influence the client-to-load-balancer negotiation, and Cloud Armor cannot enforce TLS versions because it operates at layer 7 after TLS termination. Therefore, creating and attaching an appropriate SSL policy is the correct and most efficient solution.
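The following script is an added example (not from the practice question or from Google) of the procedure the explanation describes: vet a candidate cipher list against the mandate, create a custom SSL policy with a TLS 1.2 minimum and only forward-secret AEAD suites, attach it to the existing target HTTPS proxy, and then verify from the client side that TLS 1.0 is refused. It uses a CUSTOM profile with explicit cipher features so the result does not depend on what a predefined profile happens to include. The policy name, proxy name and hostname are placeholders, the candidate cipher list is constructed for the example, and setting DRY_RUN=1 prints the gcloud commands instead of running them.

```shell
#!/bin/sh
# Added example: enforce TLS 1.2+ and forward-secret AEAD ciphers on an
# external HTTPS load balancer via an SSL policy on the target HTTPS proxy.
# POLICY_NAME, PROXY_NAME and LB_HOST are placeholders (assumptions).
# DRY_RUN=1 prints the gcloud commands instead of executing them.

POLICY_NAME="${POLICY_NAME:-pfs-tls12-policy}"
PROXY_NAME="${PROXY_NAME:-web-https-proxy}"   # existing target HTTPS proxy
LB_HOST="${LB_HOST:-lb.example.com}"          # placeholder LB hostname

# cipher_allowed NAME: succeed only for suites that satisfy the mandate:
# ECDHE key exchange (forward secrecy) with an AEAD bulk cipher (GCM or
# CHACHA20). Anything mentioning RC4, 3DES or CBC is rejected first.
cipher_allowed() {
  case "$1" in
    *RC4*|*3DES*|*CBC*) return 1 ;;
    TLS_ECDHE_*_GCM_*|TLS_ECDHE_*_CHACHA20_*) return 0 ;;
    *) return 1 ;;
  esac
}

# filter_ciphers: read candidate suite names on stdin and emit the allowed
# ones as one comma-separated list, the format --custom-features expects.
filter_ciphers() {
  out=""
  while read -r c; do
    [ -n "$c" ] || continue
    if cipher_allowed "$c"; then
      out="${out:+$out,}$c"
    fi
  done
  printf '%s\n' "$out"
}

# run: execute a command, or just print it when DRY_RUN is set.
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Candidate list (constructed for this example); only six pass the filter.
CANDIDATES='TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA'

# apply_policy: create the custom policy and attach it to the proxy.
# Every listener served by that proxy inherits the constraint; backend
# services and Google-managed certificates are not touched.
apply_policy() {
  features=$(printf '%s\n' "$CANDIDATES" | filter_ciphers)
  run gcloud compute ssl-policies create "$POLICY_NAME" \
      --profile CUSTOM --min-tls-version 1.2 \
      --custom-features "$features"
  run gcloud compute target-https-proxies update "$PROXY_NAME" \
      --ssl-policy "$POLICY_NAME"
}

# verify_tls (needs network): after the policy is attached, a TLS 1.0
# handshake must fail and a TLS 1.2 handshake must succeed.
verify_tls() {
  if openssl s_client -connect "$LB_HOST:443" -tls1 </dev/null >/dev/null 2>&1; then
    echo "FAIL: TLS 1.0 still accepted"; return 1
  fi
  openssl s_client -connect "$LB_HOST:443" -tls1_2 </dev/null >/dev/null 2>&1 \
    && echo "OK: TLS 1.2 accepted, TLS 1.0 refused"
}

# Usage: ./ssl_policy.sh apply    (or DRY_RUN=1 ./ssl_policy.sh apply)
if [ "${1:-}" = "apply" ]; then
  apply_policy && [ -z "$DRY_RUN" ] && verify_tls
fi
```

Keeping the cipher vetting in a function separate from the gcloud calls lets the allowed list be reviewed and unit-checked offline before anything is changed on the project; the openssl check at the end is the client-side evidence an auditor will ask for, since it exercises the same negotiation the compliance mandate is about.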
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection