ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud Security Engineer All Questions

View all questions & answers for the Professional Cloud Security Engineer exam
Go to Exam

Exam Professional Cloud Security Engineer topic 1 question 125 discussion

Actual exam question from Google's Professional Cloud Security Engineer
Question #: 125
Topic #: 1
[All Professional Cloud Security Engineer Questions]

You are setting up a CI/CD pipeline to deploy containerized applications to your production clusters on Google Kubernetes Engine (GKE). You need to prevent containers with known vulnerabilities from being deployed. You have the following requirements for your solution:

Must be cloud-native -

✑ Must be cost-efficient
✑ Minimize operational overhead
How should you accomplish this? (Choose two.)

  • A. Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.
  • B. Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.
  • C. Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.
  • D. Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.
  • E. In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.
Show Suggested Answer Hide Answer
Suggested Answer: AE 🗳️
by ExamQnA at May 20, 2022, 6:54 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
mikesp
Highly Voted 1 year, 8 months ago
Selected Answer: AE
On-demand container analysis can be integrated into a Cloud Build Pipeline: https://cloud.google.com/container-analysis/docs/ods-cloudbuild Also binary attestation is a complementary mechanism "cloud-native".
upvoted 9 times
[Removed]
6 months, 2 weeks ago
Side note - Container Analysis is now known as Artifact Analysis https://cloud.google.com/artifact-analysis/docs/artifact-analysis#ca-ods
upvoted 4 times
...
...
Xoxoo
Most Recent 4 months, 3 weeks ago
Selected Answer: AE
A. Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue. This approach integrates vulnerability scanning into your CI/CD pipeline using native Google Cloud services. E. In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster. This approach enforces security policies through Binary Authorization, ensuring only images with proper attestations (i.e., no known vulnerabilities) are deployed.
upvoted 2 times
...
zellck
1 year, 4 months ago
Selected Answer: AE
AE is the answer. https://cloud.google.com/container-analysis/docs/container-analysis Container Analysis is a service that provides vulnerability scanning and metadata storage for containers. The scanning service performs vulnerability scans on images in Container Registry and Artifact Registry, then stores the resulting metadata and makes it available for consumption through an API. https://cloud.google.com/binary-authorization/docs/attestations After a container image is built, an attestation can be created to affirm that a required activity was performed on the image such as a regression test, vulnerability scan, or other test. The attestation is created by signing the image's unique digest. During deployment, instead of repeating the activities, Binary Authorization verifies the attestations using an attestor. If all of the attestations for an image are verified, Binary Authorization allows the image to be deployed.
upvoted 4 times
AzureDP900
1 year, 3 months ago
Agreed
upvoted 1 times
...
...
szl0144
1 year, 8 months ago
AE is the answer, C has too much manual operations
upvoted 1 times
...
ExamQnA
1 year, 8 months ago
Ans: A,E https://cloud.google.com/architecture/binary-auth-with-cloud-build-and-gke#setting_the_binary_authorization_policy
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago