A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container. What should they do?
A. Use Cloud Build to build the container images.
B. Build small containers using small base images.
C. Delete non-used versions from Container Registry.
D. Use a Continuous Delivery tool to deploy the application.
Ans is B
Small containers usually have a smaller attack surface as compared to containers that use large base images.
https://cloud.google.com/blog/products/gcp/kubernetes-best-practices-how-and-why-to-build-small-container-images
Building small containers using minimal and well-maintained base images directly reduces the attack surface and improves the security posture of your containers when they are deployed on GKE.
The correct answer is having as few tools in your image as possible. Source: "Remove unnecessary tools", https://cloud.google.com/architecture/best-practices-for-building-containers?hl=en
I guess it can be achieved by option "B": building a small container from a small source image.
A. Use Cloud Build to build the container images.
Will give you the tools to build an image but will not ensure any risk reduction.
B. Build small containers using small base images.
Images with a smaller footprint, stripped of all binaries/libraries/functions that are not used will make it harder for an attacker to find leverage to move laterally or vertically, hence >>reducing the attack/risk surface<< for the image.
C. Delete non-used versions from Container Registry.
Non-used images are not running live and hence are not exploitable. Removing non-used images from the registry will not reduce the attack surface of the running application.
D. Use a Continuous Delivery tool to deploy the application.
Same as A.
To minimize the attack surface of a container that will run on Google Kubernetes Engine and be internet-facing, the DevOps team should:
B. Build small containers using small base images.
Building small containers using minimal base images reduces the attack surface by eliminating unnecessary software and dependencies, which can potentially contain vulnerabilities. This approach enhances security and reduces the risk of potential attacks. Using small base images, such as Alpine Linux or distroless images, is a best practice for container security.
Answer is B, because in this GCP exam the GCP docs are always the source of truth. You might not agree with them occasionally, but even if you don't agree, you need to choose the answer proposed in the GCP docs as the best practice.
Here is the link to Google's official best practices for building containers, and here is the snippet regarding this particular question: https://cloud.google.com/architecture/best-practices-for-building-containers#build-the-smallest-image-possible
Build the smallest image possible
Building a smaller image offers advantages such as faster upload and download times, which is especially important for the cold start time of a pod in Kubernetes: the smaller the image, the faster the node can download it. However, building a small image can be difficult because you might inadvertently include build dependencies or unoptimized layers in your final image.
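The comments above argue for small base images and for removing unnecessary tools. As an added illustration (not code from the question, the commenters, or Google's documentation), the following multi-stage Dockerfile shows how both are done in practice: the compiler and build dependencies stay in the first stage, and only the static binary is copied into a distroless runtime image that contains no shell or package manager. It assumes a hypothetical Go service whose `main` package sits at the root of the build context.

```dockerfile
# Added example, not from the page or from Google's docs.
# Assumes a hypothetical Go service with go.mod/go.sum and main.go at the context root.

# --- Stage 1: build with the full toolchain (never shipped to GKE) ---
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static binary: no libc or other shared libraries are needed at runtime,
# so the runtime image does not have to carry any of them.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app .

# --- Stage 2: minimal runtime image ---
# distroless/static ships only CA certificates, tzdata and a passwd file:
# no shell, no package manager, no coreutils for an intruder to use.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/app /app
# Run as the unprivileged user the base image provides.
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/app"]
```

Build it with `docker build -t app:small .` and compare the result with a single-stage image built `FROM golang:1.22` using `docker image ls`: the final image holds one binary plus the distroless base instead of the whole Go toolchain and a full Debian userland. The practical consequence on GKE is that `kubectl exec` into the pod has no shell to land in, and a vulnerability scanner has far fewer packages to flag, which is exactly the "remove unnecessary tools" recommendation quoted above.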
"B"
For a smaller attack surface, use smaller images by removing any unnecessary tools/software from the image.
https://cloud.google.com/solutions/best-practices-for-building-containers
Importance: MEDIUM
To protect your apps from attackers, try to reduce the attack surface of your app by removing any unnecessary tools.
https://cloud.google.com/architecture/best-practices-for-building-containers
Ans is B - https://cloud.google.com/blog/products/gcp/kubernetes-best-practices-how-and-why-to-build-small-container-images
Security and vulnerabilities
Aside from performance, there are significant security benefits from using smaller containers. Small containers usually have a smaller attack surface as compared to containers that use large base images.
A. Use Cloud Build to build the container images.
Whether you build a container using Cloud Build or not, the surface is the same.
B. Build small containers using small base images.
It is indeed best practice, but I doubt if small base images can reduce the surface. It is still the same app version with the same vulnerabilities etc.
C. Delete non-used versions from Container Registry.
Unused, historical versions are additional attack surface. An attacker can exploit an old, unpatched image, which is indeed a surface extension.
D. Use a Continuous Delivery tool to deploy the application.
This is just a method of image delivery. The app is the same.
Non-used images in Container Registry are, as the name suggests, not running live, hence are not exploitable. Deleting images in the registry will not change the attack surface of the mentioned image.