GCP Professional Cloud Security Engineer Practice Question

Your organization has activated Security Command Center (SCC) Premium across all production projects. The incident-response playbook states: "When a new HIGH or CRITICAL SCC finding is generated, page the security on-call engineer and immediately tag every affected Compute Engine VM with label environment=quarantine." The entire workflow must complete within 30 seconds, require no per-project agents, and follow least-privilege principles. Which architecture best meets these requirements?

Configure an organization-level SCC Pub/Sub notification for new findings; create a Cloud Function triggered by this topic that labels each listed VM with environment=quarantine using a least-privileged service account; create a log-based metric filtering findings with severity>=HIGH and a Cloud Monitoring alerting policy that pages the on-call team.
Install an agent on every production VM that watches the local serial console for SCC findings, applies the label when needed, and writes a log entry that is relayed to PagerDuty through Pub/Sub.
Enable Eventarc to forward SCC findings to a Cloud Run service that adds the quarantine label and sends pager alerts by calling the Stackdriver Monitoring API.
Deploy a Cloud Scheduler job that polls the SCC API every minute, writes all HIGH or CRITICAL findings to Cloud Storage, and triggers a Cloud Function via a Cloud Storage event to label the affected VMs and send an email alert.

Report Issue

Answer Description

SCC can natively publish every new or updated finding to a Cloud Pub/Sub topic that you create at the organization level. A Cloud Function subscribed to that topic receives the finding payload in near real time (typically a few seconds), uses its minimal, purpose-built service account to call the Compute Engine API and add the quarantine label to the affected instances, and then exits. In parallel, you can create a log-based metric that counts findings with severity ≥ HIGH and an alerting policy that notifies the on-call paging system. This design relies only on managed, organization-level services-Pub/Sub, Cloud Functions, Cloud Logging, and Cloud Monitoring-so nothing has to be deployed inside individual projects, and end-to-end latency easily stays below 30 seconds. Other options either poll the SCC API (adding delay and operational overhead), require deploying extra agents into every project, or misuse services (for example, Eventarc does not accept SCC findings directly), so they do not satisfy the stated constraints.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.