GCP Professional Cloud Security Engineer Practice Question
Your security operations team must be notified whenever someone attempts to deploy a container image to any Google Kubernetes Engine (GKE) cluster in your organization and Binary Authorization blocks the deployment because the image lacks a required attestation. You have already enabled Binary Authorization in enforce mode on all clusters and have aggregated all Cloud Audit Logs into a central security project. Which log filter will reliably identify every such policy-violation event so you can create an alert or export to your SIEM?
resource.type="k8s_cluster" AND logName:"/logs/cloudaudit.googleapis.com%2Fdata_access" AND protoPayload.serviceName="binaryauthorization.googleapis.com"
severity="HIGH" AND jsonPayload.detectionCategory="Malware" AND resource.type="security_center_event"
resource.type="k8s_cluster" AND logName:"/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.serviceName="binaryauthorization.googleapis.com" AND protoPayload.methodName="google.cloud.binaryauthorization.v1.ValidationHelperV1.ValidateAttestationOccurrence" AND protoPayload.status.code=7
resource.type="k8s_cluster" AND logName:"/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.serviceName="container.googleapis.com" AND protoPayload.status.code=7
When Binary Authorization denies a container deployment, GKE's control plane calls the Binary Authorization API, which returns a DENIED decision. This is recorded as an Admin Activity entry in Cloud Audit Logs with the service name binaryauthorization.googleapis.com and the method google.cloud.binaryauthorization.v1.ValidationHelperV1.ValidateAttestationOccurrence. The log entry also contains a PERMISSION_DENIED status. Therefore, filtering on the Binary Authorization service's Admin Activity logs and the ValidateAttestationOccurrence method (option 2) uniquely captures every enforcement-time denial.
The other options are incorrect:
Audit logs from container.googleapis.com (the Kubernetes Engine API) do not contain the Binary Authorization decision; they only show that a deployment was attempted.
Data Access logs for binaryauthorization.googleapis.com are not generated by default and do not record policy evaluation results.
Event Threat Detection findings are separate Security Command Center detections; Binary Authorization denials are not surfaced there automatically. They are logged only in Cloud Audit Logs under the Binary Authorization service.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Binary Authorization in GCP?
Open an interactive chat with Bash
Why is 'PERMISSION_DENIED' status important in Binary Authorization logging?
Open an interactive chat with Bash
What are Cloud Audit Logs, and how are they used for security monitoring?
Open an interactive chat with Bash
What is Binary Authorization in GKE?
Open an interactive chat with Bash
What does `protoPayload.methodName` represent in the filter?
Open an interactive chat with Bash
Why are Admin Activity logs used for Binary Authorization monitoring?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Managing operations
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .