GCP Professional Cloud Security Engineer Practice Question
Your security team is deploying Google Cloud Secure Web Proxy (SWP) to inspect outbound HTTPS traffic from VM-based workloads in multiple VPC networks. The goal is to perform full TLS inspection without introducing unmanaged private keys while keeping certificate issuance scalable and centrally governed. Which approach best meets these requirements?
Configure SWP to use Cloud Load Balancing's Google-managed SSL certificates that are automatically provisioned and renewed.
Purchase publicly trusted TLS certificates from a commercial CA, upload the private keys to SWP, and enable automatic certificate rotation.
Create an internal subordinate CA in Certificate Authority Service backed by Google-managed HSM, add it to a dedicated CA pool, and configure Secure Web Proxy to request short-lived inspection certificates from that pool.
Generate a self-signed root certificate on each SWP proxy instance and distribute the public key to clients using a custom OS image.
Secure Web Proxy needs a trusted CA in order to generate on-the-fly leaf certificates when it decrypts and re-encrypts TLS sessions. Creating an internal subordinate CA in Certificate Authority Service (CAS) and placing it in a dedicated CA pool lets you:
keep the private key protected in a Google-managed HSM, eliminating the need for operators to handle or store keys themselves.
issue short-lived, automatically rotated inspection certificates at scale, which SWP retrieves by calling the CAS API.
Importing a self-signed root or using per-proxy self-signed certificates does not provide centralized lifecycle management or hardware-backed key protection, and using Public CA is inappropriate because inspection certificates must not be publicly trusted. Therefore, linking SWP to an internal subordinate CA hosted on CAS is the correct solution.
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection