GCP Professional Cloud Security Engineer Practice Question
Your security team mandates that all Compute Engine instances in several regional managed instance groups use a hardened custom image that is rebuilt weekly with the latest OS patches. You have a Cloud Build pipeline that produces a new image each week. You need to roll out each image safely, run canary tests first, and allow fast rollback while minimizing custom scripting. Which approach should you take?
Enable automatic patch rollout on the custom image family so that Compute Engine transparently replaces disk blocks on running VMs when a newer family image becomes available.
Publish each weekly image to a staging image family that is referenced by a canary managed instance group. After tests pass, promote the same image to a production image family referenced by the main instance template and start a managed rolling update, allowing rollback by re-promoting the previous image.
Run a weekly OS Config patch job that installs updates in place on every VM in the production managed instance group, eliminating the need to rebuild or roll out new images.
Push the weekly build as a privileged container to Artifact Registry and deploy a DaemonSet that mounts each node's root filesystem and overwrites binaries with the contents of the container after smoke tests.
Publishing each weekly build into a custom image family lets you take advantage of Google-managed mechanics instead of bespoke scripts. Cloud Build can set the new image as the latest in a staging family that is referenced by a canary managed instance group; only those test VMs pick up the build. When tests succeed you promote the image to a production family, update or refresh the production managed instance group, and let its rolling-update policy (maxSurge / maxUnavailable) gradually replace instances. Because you are referencing an immutable image by its family, reverting simply means re-promoting the previous image and starting another rolling update. OS Config patch jobs update running VMs but do not refresh your golden image and leave configuration drift (choice B). Compute Engine cannot live-patch running disks when a family is updated (choice C). Using privileged containers to overwrite host binaries (choice D) is unsupported and risky, adding more operational burden instead of reducing it.
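The canary, promote and rollback flow described above, sketched as a small wrapper around gcloud; this is an added example, not part of the original question or any Google-provided script. The project, family, image and MIG names are hypothetical, the instance templates are assumed to reference the image families, and rollback is done here by deprecating the bad image so the production family resolves to the previous one.

```shell
#!/bin/sh
# Added example, not from the original page. All resource names are hypothetical.
set -eu

PROJECT="${PROJECT:-example-project}"   # hypothetical project ID
REGION="${REGION:-us-central1}"         # region of the regional MIGs
PROD_FAMILY="hardened-prod"             # family the production template references
CANARY_MIG="web-canary"                 # its template references the staging family
PROD_MIG="web-prod"
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the gcloud commands, 0 = run them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Recreate a MIG's VMs from its template. A template that references an image
# family resolves to that family's newest non-deprecated image at VM creation.
roll() {
  run gcloud compute instance-groups managed rolling-action replace "$1" \
    --project="$PROJECT" --region="$REGION" \
    --max-surge="${MAX_SURGE:-3}" --max-unavailable="${MAX_UNAVAILABLE:-0}"
}

# Canary: Cloud Build has already published the new image to the staging family.
canary() { roll "$CANARY_MIG"; }

# Promote: copy the tested image into the production family, then roll production.
promote() {
  run gcloud compute images create "prod-$1" --project="$PROJECT" \
    --source-image="$1" --source-image-project="$PROJECT" \
    --family="$PROD_FAMILY"
  roll "$PROD_MIG"
}

# Rollback: deprecate the bad production image so the family falls back to the
# previous one, then roll production again.
rollback() {
  run gcloud compute images deprecate "$1" --project="$PROJECT" --state=DEPRECATED
  roll "$PROD_MIG"
}

case "${1:-}" in
  canary|promote|rollback) "$@" ;;
  *) echo "usage: $0 canary | promote STAGING_IMAGE | rollback PROD_IMAGE" ;;
esac
```

By default the script only prints the commands it would run; set `DRY_RUN=0` to execute them with an authenticated gcloud.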
GCP Professional Cloud Security Engineer
Managing operations