GCP Professional Cloud Security Engineer Practice Question
Your security team must stop Cloud Run services in the prod project from running container images unless they carry two signed attestations: one for a vulnerability scan and one for end-to-end QA. They will deploy the control in two phases: first, monitor violations without blocking deployments; later, block any new revision that lacks either attestation. All images reside in Artifact Registry, and the CI/CD pipeline already signs images at each gate. Which approach meets these goals using Google-recommended Binary Authorization practices?
Create two attestors (ScanGate and QAGate) and add them to a single project-wide Binary Authorization policy with requireAttestationsBy listing both attestors. Publish the policy in DRYRUN_AUDIT_LOG_ONLY mode for phase 1, monitor violations, then switch to ENFORCED_BLOCK_AND_AUDIT_LOG for phase 2.
Enable Binary Authorization on each Cloud Run service and use an allowlist that includes only the trusted Artifact Registry repository for phase 1; remove the allowlist in phase 2.
Attach an IAM deny policy to the Artifact Registry repository to block pulls of unsigned images, run it in audit-only mode for phase 1, and enforce it for phase 2.
Create two separate Binary Authorization policies-one requiring the vulnerability-scan attestor and another requiring the QA attestor-enabling them in successive phases.
Binary Authorization is enforced at the project level for all Cloud Run services. Create two attestors-one for the vulnerability-scanner gate and one for the QA gate-and reference both in a single requireAttestationsBy rule. Set the policy's enforcementMode to DRYRUN_AUDIT_LOG_ONLY to observe violations during phase 1 without blocking deployments. After confirming compliance, update the same policy to ENFORCED_BLOCK_AND_AUDIT_LOG so Cloud Run rejects any image missing either attestation in phase 2. Alternatives that rely on IAM deny policies, per-service allowlists, or multiple project policies cannot provide the required staged rollout or enforcement fidelity.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Binary Authorization in Google Cloud?
Open an interactive chat with Bash
What is the purpose of DRYRUN_AUDIT_LOG_ONLY mode in Binary Authorization?
Open an interactive chat with Bash
What are attestors, and why are they used in Binary Authorization?
Open an interactive chat with Bash
What is Binary Authorization in Google Cloud?
Open an interactive chat with Bash
What is DRYRUN_AUDIT_LOG_ONLY mode in Binary Authorization?
Open an interactive chat with Bash
What are attestors in Binary Authorization, and how are they used?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Managing operations
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .