GCP Professional Cloud Security Engineer Practice Question
Your security team maintains a hardened Ubuntu image that Cloud Build rebuilds weekly and pushes to Artifact Registry with a timestamp tag. Hundreds of stateless front-end VMs run in several zonal managed instance groups (MIGs) that currently reference the previous image version. Compliance requires every VM to run the latest image within 24 hours of its publication, with zero downtime and no human intervention. Which solution best meets these requirements?
Point each managed instance group's instance template to the image's family and set the group's updatePolicy type to OPPORTUNISTIC so that instances automatically refresh when a new family image appears.
Create a Cloud Scheduler job that replaces each VM's boot disk with a snapshot of the new image during low-traffic hours.
Add steps to the Cloud Build pipeline that, after the new image is pushed, create an updated instance template and invoke a managed instance group rolling update with maxSurge set to 25 % and maxUnavailable set to 0.
Configure OS Config patch jobs to run weekly and apply all available security patches in place, forcing a reboot of each VM after patching.
A Cloud Build pipeline can be extended to automate both creation of a new instance template that points at the freshly built image and a rolling update for each managed instance group. When a rolling update is started with a proactive strategy (for example, maxSurge 25 % and maxUnavailable 0), the MIG adds new instances based on the new template before deleting the old ones, providing continuous capacity and no service interruption. In-place OS patch jobs meet patching needs but do not replace VMs with the new golden image. Setting an instance template to an image family does not trigger automatic refresh of existing VMs; a new template or an explicit update is still required. Overwriting boot disks with snapshots is not supported and would cause downtime.
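The rollout step described in the explanation could look like the script below. It is an added example, not part of the original question. The project, image, template prefix, and MIG names are assumed placeholders, and it prints the commands unless `DRY_RUN=0` is set.

```shell
#!/usr/bin/env bash
# Added example: rollout step to run after the weekly image build succeeds.
# PROJECT, IMAGE, TEMPLATE_PREFIX and MIGS are assumed placeholder values.
set -u

PROJECT="${PROJECT:-example-project}"
IMAGE="${IMAGE:-hardened-ubuntu-20240101}"        # timestamp-tagged image name
TEMPLATE_PREFIX="${TEMPLATE_PREFIX:-frontend}"
MIGS="${MIGS:-frontend-a:us-central1-a frontend-b:us-central1-b}"  # name:zone pairs
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print commands only

# Execute a command, or just print it when in dry-run mode.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One template per image, so every rollout is traceable to an image version.
template_name() { printf '%s-%s' "$TEMPLATE_PREFIX" "$1"; }

rollout() {
  image="$1"
  tmpl="$(template_name "$image")"

  # Instance templates are immutable, so a new image needs a new template.
  # Machine type, network and service account flags are omitted here and
  # must match the settings of the template currently in use.
  run gcloud compute instance-templates create "$tmpl" \
      --project="$PROJECT" --image="$image" --image-project="$PROJECT" || return 1

  for pair in $MIGS; do
    mig="${pair%%:*}"
    zone="${pair##*:}"
    # Surge first, never drop below target size: new VMs are created
    # before old ones are deleted.
    run gcloud compute instance-groups managed rolling-action start-update "$mig" \
        --project="$PROJECT" --zone="$zone" --version="template=$tmpl" \
        --max-surge=25% --max-unavailable=0 || return 1
    # Fail the build if the group has not converged on the new template,
    # which gives an auditable signal for the 24-hour requirement.
    run gcloud compute instance-groups managed wait-until "$mig" \
        --project="$PROJECT" --zone="$zone" \
        --version-target-reached --timeout=3600 || return 1
  done
}

rollout "$IMAGE"
```

Because each step returns non-zero on failure, a rollout that stalls fails the build and surfaces in pipeline alerts.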
GCP Professional Cloud Security Engineer
Managing operations