GCP Professional Cloud Security Engineer Practice Question

Your e-commerce platform is fronted by an external HTTP(S) load balancer protected by Cloud Armor. Logs show credential-stuffing bots sending bursts of more than 50 POST requests per minute to the /login endpoint from the same source IP address. Legitimate customers rarely exceed 10 login attempts per minute, and other paths such as /catalog must not be throttled. You need to block offending IPs for 15 minutes once they exceed the threshold, without affecting normal traffic. Which Cloud Armor configuration best satisfies these requirements?

Populate a Cloud Armor denylist with attacker IP addresses obtained from a daily refreshed threat-intelligence feed targeting the login service.
Create an allow rule that permits only 10 requests per minute to /login and place a lower-priority default deny rule for all other traffic.
Enable Cloud Armor Adaptive Protection in standard mode so that it automatically throttles excessive traffic across all URLs.
Add a Cloud Armor rate-based rule that matches requests where the path starts with /login and the method is POST, sets a threshold of 50 requests per 60 seconds per client IP, and applies a deny action with a 900-second ban.

Report Issue

Answer Description

A rate-based Cloud Armor rule can monitor the request rate coming from each source IP and automatically enforce temporary bans. Matching only POST requests to the /login path ensures that catalog browsing and other application traffic are unaffected. Setting the threshold to 50 requests in a 60-second interval reflects observed malicious behavior, while leaving headroom for legitimate users who stay below 10 requests per minute. Choosing the default enforce-on-key of client IP groups requests per attacker, and specifying a deny action with a 900-second (15-minute) ban blocks further attempts during the cooling-off period.

Adaptive Protection (often tuned for volumetric L7 DDoS) does not provide deterministic per-IP rate bans. Limiting to 10 requests per minute would disrupt legitimate users during peak activity. Manually maintaining a denylist or relying on daily threat-intel updates cannot react quickly enough to stop real-time brute-force bursts.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.