GCP Professional Cloud Security Engineer Practice Question
Your security team maintains a Git repository containing CIS benchmark hardening scripts for Debian-based workloads. They require that every new Compute Engine VM and every GKE node pool boot from an image that was built with those scripts. Other projects across the organization must be able to consume, but not modify, the images, and the newest patch level should be selected automatically at instance creation time. With minimal operational overhead, which architecture best satisfies these requirements?
Maintain Deployment Manager templates that embed the hardening scripts as startup scripts; give each consumer project deploymentmanager.editor to deploy the templates when creating resources.
Schedule weekly OS Config patch jobs in every project; at boot time VMs download the CIS scripts from Cloud Storage and run them through startup scripts.
Trigger Cloud Build on repository changes to run a Packer template that applies the hardening scripts, creates a custom image in a dedicated "golden-images" project, assigns the image to an image family, and grants consumer projects the compute.imageUser role on that project.
Build hardened container images with Cloud Build, store them in Artifact Registry, and use Container-Optimized OS nodes so that GKE pulls the images for node pools.
The most efficient approach is to centralize image creation in a dedicated "golden-images" project. A Cloud Build trigger fired by commits to the hardening repository runs a Packer template that applies the CIS scripts to a base Debian image and publishes the result as a custom Compute Engine image. Assigning each build to an image family means that any instance created with a family reference (rather than a specific image name) resolves to the newest non-deprecated image in that family, so the latest patch level is picked up automatically without consumers changing anything. Granting consumer projects roles/compute.imageUser on the golden-images project gives their principals compute.images.useReadOnly, get, list and getFromFamily, but not the update, delete or setIamPolicy permissions, so they can consume the images without modifying them. The other options either apply hardening only after boot (leaving a window in which an unhardened VM is running and making every instance depend on a script download succeeding), do not produce VM images at all, or require each project to maintain its own templates and permissions, which violates the minimal-overhead and central-control requirements.
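The Packer side of the chosen design, as an added example (not code from the original page or from Google's documentation): a Packer HCL2 template that the Cloud Build trigger would run on each repository change. The project ID golden-images, the image family name cis-debian-12, the hardening/ directory and its apply.sh entry point are assumptions made for illustration; the googlecompute builder fields are real.

```hcl
packer {
  required_plugins {
    googlecompute = {
      version = ">= 1.1.0"
      source  = "github.com/hashicorp/googlecompute"
    }
  }
}

# Assumption: the dedicated project that owns the golden images.
variable "project_id" {
  type    = string
  default = "golden-images"
}

# Assumption: directory in the cloned repo holding the CIS scripts,
# with apply.sh as the entry point that runs them in order.
variable "cis_script_dir" {
  type    = string
  default = "hardening/"
}

locals {
  # Unique, sortable image name; consumers never reference it directly.
  timestamp = regex_replace(timestamp(), "[- TZ:]", "")
}

source "googlecompute" "cis_debian" {
  project_id          = var.project_id
  zone                = "us-central1-a"
  machine_type        = "e2-medium"
  ssh_username        = "packer"

  # Build from Google's public Debian family so each run starts from
  # the current upstream patch level before hardening is applied.
  source_image_family = "debian-12"

  image_name        = "cis-debian-12-${local.timestamp}"
  # The family is what consumer projects reference; Compute Engine
  # resolves it to the newest non-deprecated image at creation time.
  image_family      = "cis-debian-12"
  image_description = "Debian 12 hardened with CIS scripts (built by Cloud Build)"
  image_labels = {
    hardening = "cis"
    built_by  = "cloud-build"
  }
}

build {
  sources = ["source.googlecompute.cis_debian"]

  # Stage the scripts on the build VM (file provisioner does not create
  # the destination directory, so create it first).
  provisioner "shell" {
    inline = ["mkdir -p /tmp/hardening"]
  }

  provisioner "file" {
    source      = var.cis_script_dir
    destination = "/tmp/hardening"
  }

  # Run the CIS hardening, then remove the staging copy so the scripts
  # themselves are not baked into the image.
  provisioner "shell" {
    inline = [
      "sudo bash /tmp/hardening/apply.sh",
      "sudo rm -rf /tmp/hardening",
    ]
  }
}
```

The Cloud Build trigger runs this with a step such as `packer init .` followed by `packer build .` in an image that ships Packer, using a build service account that holds compute permissions in the golden-images project. Consumers are onboarded once with `gcloud projects add-iam-policy-binding golden-images --member=<principal> --role=roles/compute.imageUser`, and thereafter create instances with `--image-family=cis-debian-12 --image-project=golden-images`; because the family is resolved at creation time, a new Packer run is all it takes to roll a patched image out to every consumer.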
Exam: GCP Professional Cloud Security Engineer, domain: Managing operations