Exam Professional Cloud Security Engineer topic 1 question 53 discussion

Answer is A. Compute Engine doesn't automatically update the OS or the software on your deployed instances. You will need to patch or update your deployed Compute Engine instances when necessary. However, in the cloud it is not recommended that you patch or update individual running instances. Instead it is best to patch the image that was used to launch the instance and then replace each affected instance with a new copy.

Seems this is an old question, now Deployment Manager is able to update base images: https://cloud.google.com/deployment-manager/docs/reference/latest/deployments/patch

VM Manager is a suite of tools that can be used to manage operating systems for large virtual machine (VM) fleets running Windows and Linux on Compute Engine. VM Manager helps drive efficiency through automation and reduces the operational burden of maintaining these VM fleets. https://cloud.google.com/compute/docs/vm-manager

Question is outdated, Since 2020 Google has VM Manager for updating VMs (Linux and Windows)

A. Use a tool like HashiCorp Packer to package the VM images using CI/CD

"A" Applying an OS level patch typically requires a reboot. Rebooting a VM that is actively serving live traffic will have a negative impact on the availability of the service and the user experience and therefore the business. Out of all the options, only option A emphasises the rolling/gradual deployment of the patch through base images. References: https://cloud.google.com/compute/docs/os-patch-management#scheduled_patching

The answer is definitely D. You would build new base images or deploy new vm's because then you'd have a base OS server with no application on it. You'd have to re-install the app, configure and it as well. You'd have to find a maintenance window that allows you to patch the server, not re-build it! Even the OS patch management doc link below mentions scheduling a time or doing it on demand. You schedule prod systems and patch the dev/test/staging server on demand bc it's not production. Think practically here. D is the obvious answer.

A. Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.

C is obviouly the answer, MIGs help you make sure mahcines deployed are latest image if you want, what's more, its meant to be an elastic system, nothing doesthat better than MIGs.

The answer is A, we are using this in practice as a solution from Google in one of the top 5 banks for managing windows image patching.

Definitely it will be A. The solution must take the advantage of elasticity of compute engine, so you create a template with patched OS base and redeploy images.

Answer should be A, C talks about MIG which may not be always needed

Ans : A

The correct anwser is C. https://cloud.google.com/deployment-manager/docs/reference/latest/deployments/patch

Given the options here Answer D seems practical

B seems the only possible answer. Windows patches are configured using Group Policies on the Windows Domain Controller. All other windows machines should be part of the same domain.

The answer is A. This is referring to VMs in an instance group which has built in roll out deployment of new images that can easily be integrated into a CI/CD pipeline. The people mentioning the patch management tool are considering these to be long running VMs, but that makes little sense in an instance group.