GCP Professional Cloud Security Engineer Practice Question

Your company is migrating an on-premises payment processing application to Google Cloud. The workload will run on Linux virtual machines in Compute Engine, and compliance advisors require a clear RACI chart based on the Google Cloud shared responsibility model. To avoid gaps, you need to identify which security operation will still be entirely the customer's duty once the VMs are live on Google's infrastructure. Which task belongs to your team rather than to Google?

Control badge-based entry to the Google data centers that house the servers.
Replace failed disks in the physical storage arrays used by Compute Engine.
Regularly install security and kernel patches on the guest Linux operating systems.
Apply firmware updates to the KVM hypervisor running on Google's host machines.

Report Issue

Answer Description

Under the IaaS model that Compute Engine follows, Google secures the physical facilities, networking, and virtualization layers, including host firmware and hypervisor maintenance. Customers, however, remain fully responsible for anything inside the virtual machine they create. That includes hardening and regularly patching the guest operating system, configuring host-based firewalls, and protecting application data. Hardware maintenance, physical security, and hypervisor updates are handled by Google and are therefore outside the customer's operational scope. Consequently, ensuring that each VM's OS receives timely security and kernel updates is the customer's sole responsibility, while the other listed tasks fall under Google's domain.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.