GCP Professional Cloud Security Engineer Practice Question
Your security team mandates that every Compute Engine VM start from a CIS-hardened custom image that is automatically rebuilt when either (1) Google posts a new debian-11 base image or (2) approved hardening scripts change in Cloud Source Repositories. The pipeline must apply the scripts, install the latest patches, halt on any high-severity CVEs, and keep only the three newest compliant images. Which design delivers this with the least manual effort?
Create two Cloud Build triggers: a Cloud Source Repositories trigger for the hardening branch and a Cloud Scheduler-initiated Pub/Sub trigger that runs daily. Both invoke a Cloud Build YAML file that runs Packer to build a shielded image from the latest debian-11 family, applies the hardening scripts, updates all packages, executes an in-pipeline vulnerability scanner that fails the build on any high or critical CVE, publishes the image to a custom family, and then deletes images in that family beyond the three newest.
Deploy VMs with Deployment Manager that reference the publicly available debian-11-cis-hardened image family, attach Cloud Armor policies, and enable Shielded VM integrity monitoring to detect vulnerabilities. Allow teams to select any version within that family.
When Google releases a new debian-11 image, manually create a local VM, run the hardening scripts, export the disk to Cloud Storage, and import it as a custom image. Mark the image as deprecated after three newer images exist.
Enable OS patch management in VM Manager to run a weekly patch job and store the hardening scripts in a Cloud Storage bucket. Have each VM execute the scripts from startup-script metadata and rely on rolling updates in managed instance groups to phase in patched VMs.
Using Cloud Build triggers backed by Cloud Source Repositories and Cloud Scheduler meets the automation requirement: a push to the hardening branch rebuilds the image when the scripts change, and because Packer resolves the debian-11 image family at build time, the daily scheduled run picks up any new base image Google has published. The pipeline invokes Packer to create a new image from the latest debian-11 base, applies the hardening scripts, updates packages, and runs a vulnerability-scanner container that exits non-zero if any high or critical CVEs are detected, which stops the build before the image is published. On success, the build publishes the image to a custom family, and a final step deletes older images so that only the three most recent remain. Approaches that rely on VM-side patch jobs, manual procedures, or simply referencing a public hardened family fail to satisfy one or more stated constraints (such as producing a gated golden image or enforcing retention).
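The two gating steps in the explanation above (fail the build on HIGH or CRITICAL findings, and keep only the three newest images in the family) are small enough to show as a script that Cloud Build would call in two separate steps. This is an added example, not code from the original page or from Google; it assumes the scanner report uses Trivy's JSON layout ({"Results": [{"Vulnerabilities": [...]}]}) and that the image list is the output of `gcloud compute images list --filter="family=FAMILY" --format=json`. The script name image_gates.py and the sample inputs are constructed for illustration.

```python
"""image_gates.py: CVE gate and image-retention helpers for a golden-image build.

Added example (not Google's or any project's code). Assumptions:
  - the scan report is Trivy-style JSON: {"Results": [{"Vulnerabilities": [...]}]}
  - the image list is `gcloud compute images list --filter="family=F" --format=json`
"""
from __future__ import annotations

import json
import sys
from datetime import datetime

# Severities that must stop the build before the image is published.
BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}


def blocking_cves(report: dict) -> list[str]:
    """IDs of every finding rated HIGH or CRITICAL, de-duplicated and sorted."""
    found = set()
    for result in report.get("Results", []):
        # Trivy emits null (not an empty list) for targets with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            if str(vuln.get("Severity", "")).upper() in BLOCKING_SEVERITIES:
                found.add(vuln["VulnerabilityID"])
    return sorted(found)


def images_to_delete(images: list[dict], keep: int = 3) -> list[str]:
    """Names of all but the `keep` newest READY images, newest first.

    Only READY images are ranked, so an image still being created by a
    concurrent build is neither counted toward the limit nor deleted.
    """
    ready = [img for img in images if img.get("status") == "READY"]
    ready.sort(key=lambda img: datetime.fromisoformat(img["creationTimestamp"]),
               reverse=True)
    return [img["name"] for img in ready[keep:]]


def main(argv: list[str]) -> int:
    """`gate REPORT.json` exits 1 on blocking CVEs (failing the Cloud Build step);
    `prune IMAGES.json` prints the delete commands for images beyond the newest three."""
    if len(argv) != 3 or argv[1] not in ("gate", "prune"):
        print("usage: image_gates.py gate REPORT.json | prune IMAGES.json")
        return 2
    with open(argv[2]) as fh:
        data = json.load(fh)
    if argv[1] == "gate":
        cves = blocking_cves(data)
        if cves:
            print("BLOCKING CVEs: " + ", ".join(cves))
            return 1
        print("no HIGH/CRITICAL findings")
        return 0
    for name in images_to_delete(data):
        print(f"gcloud compute images delete {name} --quiet")
    return 0


# Constructed sample inputs: placeholder CVE IDs and image names, not real data.
SAMPLE_REPORT = {
    "Results": [
        {"Target": "debian 11", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-0002", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "Severity": "CRITICAL"},
        ]},
        {"Target": "usr/bin/tool", "Vulnerabilities": None},
    ]
}
SAMPLE_IMAGES = [
    {"name": "hardened-debian-11-20240101", "status": "READY",
     "creationTimestamp": "2024-01-01T08:00:00.000-08:00"},
    {"name": "hardened-debian-11-20240115", "status": "READY",
     "creationTimestamp": "2024-01-15T08:00:00.000-08:00"},
    {"name": "hardened-debian-11-20240201", "status": "READY",
     "creationTimestamp": "2024-02-01T08:00:00.000-08:00"},
    {"name": "hardened-debian-11-20240215", "status": "READY",
     "creationTimestamp": "2024-02-15T08:00:00.000-08:00"},
    {"name": "hardened-debian-11-20240301", "status": "PENDING",
     "creationTimestamp": "2024-03-01T08:00:00.000-08:00"},
]

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the pipeline the gate step runs right after the scanner writes its report and before the Packer publish step, so a non-zero exit aborts the build and no image reaches the family; the prune step runs last, after the new image is READY, so the count it enforces includes the image just built. Printing the delete commands rather than running them keeps the example offline; in Cloud Build you would pipe them to a shell or call gcloud directly.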
Exam domain: Managing operations