GCP Professional Cloud Security Engineer Practice Question
Your company operates several regional managed instance groups (MIGs) that serve a latency-sensitive web application. Security policy requires every VM to be rebuilt from a CIS-hardened image that includes the latest operating-system security patches within 48 hours of release. Operations also needs an immutable, auditable history of all image versions and wants to roll out updates with near-zero user-visible downtime. What is the most effective way to meet these requirements?
Continue deploying public Debian images and add a startup script that executes apt-get update && apt-get upgrade on every boot to pull the latest security fixes.
Provision a temporary bastion host after each patch release, connect via SSH to every VM to apply hardening scripts manually, and terminate the bastion afterward.
Use OS patch management to run an in-place patch job that installs updates and reboots all VMs during a scheduled two-hour weekend maintenance window.
Configure a Cloud Build trigger that runs a Packer template nightly to create CIS-hardened, fully patched Compute Engine images, publish each build as a new version in a dedicated image family, update MIG instance templates to the latest family image, and launch rolling updates with maxSurge at 30 percent and maxUnavailable at 0.
Using an automated image-building pipeline ensures that patched, CIS-hardened "golden" images are produced regularly and tracked. A Cloud Build trigger can invoke a Packer template that starts from the latest base OS image, applies security patches and hardening scripts, and then creates a new Compute Engine custom image in a dedicated image family. Each build produces a new, uniquely versioned image that is retained for audit purposes. Updating the instance template of each managed instance group to reference the most recent image in the family and initiating a rolling update with a non-zero maxSurge and a zero maxUnavailable causes new, patched VMs to come online before old ones are terminated, minimizing downtime. The alternatives fall short: in-place patch jobs and startup-time package upgrades provide neither an immutable version history nor a deterministic configuration, manual SSH hardening is neither auditable nor repeatable, and a reboot-all patch window disrupts service availability.
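One concrete shape for the pipeline the explanation describes, as an added example rather than content from the original question or from Google's documentation: a cloudbuild.yaml that a nightly Cloud Build trigger would run. The Packer template golden.pkr.hcl, the project, region, MIG and image-family names, and the machine type are assumptions; the template is assumed to use the googlecompute builder and to accept the variables passed to it below, and the Cloud Build service account is assumed to hold the Compute Engine permissions needed to create images, instance templates and MIG updates.

```yaml
# Added example (not from the original page): nightly golden-image pipeline.
# Bakes a CIS-hardened, patched image with Packer, publishes it to an image
# family, pins a new instance template to that image and starts a rolling
# update that surges new VMs before any old VM is taken out of service.
# All names below are constructed placeholders.
substitutions:
  _REGION: us-central1            # region of the regional MIG
  _MIG: web-frontend-mig          # regional managed instance group to update
  _IMAGE_FAMILY: web-cis-hardened # family that holds every golden image version
  _BASE_FAMILY: debian-12         # public base image family Packer starts from
  _BASE_PROJECT: debian-cloud     # project that publishes the base family

# Baking an image usually exceeds the default 10-minute build timeout.
timeout: 3600s

steps:
  # 1. Fetch the Packer plugins declared in golden.pkr.hcl (the template is
  #    assumed to live at the repository root).
  - name: 'hashicorp/packer:light'
    id: packer-init
    args: ['init', 'golden.pkr.hcl']

  # 2. Bake the image. The template (assumed) starts from the latest image in
  #    _BASE_FAMILY, runs the OS security updates and the CIS hardening
  #    scripts, and writes a uniquely named image into _IMAGE_FAMILY. Because
  #    the name carries the build id, every version stays retained and
  #    traceable to the build that produced it.
  - name: 'hashicorp/packer:light'
    id: bake-image
    args:
      - build
      - -var=project_id=$PROJECT_ID
      - -var=source_image_family=${_BASE_FAMILY}
      - -var=source_image_project=${_BASE_PROJECT}
      - -var=image_family=${_IMAGE_FAMILY}
      - -var=image_name=${_IMAGE_FAMILY}-$BUILD_ID
      - golden.pkr.hcl

  # 3. Create a new instance template from the family. gcloud resolves the
  #    family to the specific image that is newest right now (the one just
  #    baked) and records that image in the template, so the deployed version
  #    is pinned rather than floating. Shielded VM options are enabled on the
  #    hardened image as part of the baseline.
  - name: 'gcr.io/cloud-builders/gcloud'
    id: create-template
    entrypoint: bash
    args:
      - -c
      - |
        gcloud compute instance-templates create "${_MIG}-tpl-${BUILD_ID}" \
          --image-family="${_IMAGE_FAMILY}" \
          --image-project="$PROJECT_ID" \
          --machine-type=e2-standard-2 \
          --shielded-secure-boot \
          --shielded-vtpm \
          --shielded-integrity-monitoring

  # 4. Roll the MIG to the new template. maxSurge=30% lets the group grow by
  #    30 percent with fresh VMs first; maxUnavailable=0 forbids removing any
  #    serving VM until a replacement is healthy, so capacity never dips.
  - name: 'gcr.io/cloud-builders/gcloud'
    id: rolling-update
    entrypoint: bash
    args:
      - -c
      - |
        gcloud compute instance-groups managed rolling-action start-update "${_MIG}" \
          --region="${_REGION}" \
          --version=template="${_MIG}-tpl-${BUILD_ID}" \
          --type=proactive \
          --max-surge=30% \
          --max-unavailable=0
```

Two details worth checking in a real deployment: the image list for the family (gcloud compute images list --filter="family=web-cis-hardened") is the audit trail the question asks for, with one immutable image per nightly build, and the rolling update is only non-disruptive if the MIG has a health check attached, since maxUnavailable=0 relies on the new VMs reporting healthy before old ones are drained.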
GCP Professional Cloud Security Engineer
Managing operations