GCP Professional Cloud Security Engineer Practice Question
Your organization operates three GKE clusters in separate projects, all attached to the same VPC network. Only workloads in the production subnet 10.20.0.0/16 located in europe-west1 must be inspected for command-and-control traffic, and the security team wants to query detections with SQL in near real time. You have been asked to design this solution while avoiding any self-managed network-inspection appliances. Which approach should you recommend?
Deploy a fleet of third-party intrusion-detection virtual appliances in a shared VPC service project, mirror all VPC traffic to them, and export VPC Flow Logs to BigQuery for later analysis.
Install an open-source IDS DaemonSet on each GKE cluster for inline inspection and use Pub/Sub with Cloud Functions to batch-export the resulting logs to Cloud Storage for monthly review.
In each project, deploy a Cloud IDS endpoint in europe-west1, configure a Packet Mirroring policy that selects traffic with source subnet 10.20.0.0/16, and create a centralized Log Router sink that streams "networksecurity.googleapis.com/firewall_threat" logs from Cloud Logging to a BigQuery dataset for analysis.
Create a single Cloud IDS endpoint in us-central1, peer each project's VPC to a dedicated security VPC in that region, mirror all VPC traffic to the IDS endpoint, and export only Cloud Audit Logs to BigQuery.
Cloud IDS is Google Cloud's managed network-intrusion detection service. It analyzes traffic copies received from VPC Packet Mirroring and writes its threat detections to Cloud Logging with the log ID "networksecurity.googleapis.com/firewall_threat" (resource type "network_security"). Deploying a dedicated Cloud IDS endpoint in europe-west1 and creating a Packet Mirroring policy that selects only the 10.20.0.0/16 production subnet ensures the required traffic is inspected without introducing self-managed appliances. A centralized log sink can then export the Cloud IDS threat logs to a BigQuery dataset (via Log Router → BigQuery) or to a Log Analytics bucket backed by BigQuery, enabling near real-time SQL analysis. The other options either rely on third-party appliances, inspect traffic in the wrong region, fail to restrict mirroring to the production subnet, or export the wrong log types, so they do not meet the stated constraints.
GCP Professional Cloud Security Engineer
Managing operations