GCP Professional Cloud Security Engineer Practice Question
Your company uses Cloud Build to build and push container images from multiple microservice repositories. Security policy states that production GKE clusters must never run images that contain any High or Critical CVEs. The enforcement must occur automatically during both image build and cluster deployment, and security administrators need an immutable audit trail for any blocked deployments. Which solution most effectively satisfies these requirements while minimizing custom code?
A. Enable vulnerability scanning on an Artifact Registry repository and create a Binary Authorization policy that rejects images with High or Critical vulnerabilities; enforce the policy on the production GKE cluster so denied deploy attempts are logged in Cloud Audit Logs.
B. Add a custom Cloud Build step that parses apt package lists for known CVEs and fails the build; deploy resulting images to GKE with default settings and review Cloud Build logs for problems.
C. Use Cloud Armor security policies on the ingress to production clusters to block traffic to any pod that reports High or Critical vulnerabilities through Security Health Analytics.
D. Enable Event Threat Detection to continuously scan running containers for CVEs and configure a GKE admission controller to automatically delete any vulnerable workloads it identifies.
Explanation: Storing images in Artifact Registry with vulnerability scanning enabled ensures that every image pushed by Cloud Build is automatically scanned, meeting the requirement at build time without extra scripting. Binary Authorization can reference the vulnerability scan results and enforce a policy that blocks any image containing High or Critical vulnerabilities when Kubernetes attempts to deploy it. Because Binary Authorization decisions are written to Cloud Audit Logs, administrators have a permanent, tamper-evident record of any denied deployments. The other approaches either rely on bespoke build-step scripts, misuse products (Cloud Armor, Event Threat Detection) that do not provide CVE-based admission control, or lack deploy-time enforcement and auditable denial records.
Exam: GCP Professional Cloud Security Engineer. Domain: Managing operations.