Google Professional-Cloud-Developer Exam


Question 341
Your application named ecom-web-app is deployed in three GKE clusters: ecom-web-app-dev, ecom-web-app-qa, and ecom-web-app-prod. You need to ensure that only trusted container images are deployed to the ecom-web-app-prod GKE cluster in the production environment while following Google-recommended practices. What should you do?
A. Set up Binary Authorization, and define cluster-specific rules in clusterAdmissionRules nodes in the policy YAML file.
B. Set up Binary Authorization, and exempt any container images that are not deployed to the ecom-web-app-prod GKE cluster.
C. Set up an image verification process that scans the container images in Artifact Registry for vulnerabilities and tags the image versions that fail the scan as untrusted.
D. Set up an image verification process by using Cloud Functions where the function is invoked when a container image is built in Cloud Build and ensures that only trusted container images are stored in Artifact Registry.

Question 342
You are responsible for improving the security of your Cloud Run services to protect these services against supply chain threats. You need to ensure that there are adequate security controls such as SLSA Level 3 builds for container images and non-falsifiable provenance for container images by using Google Cloud tools. What should you do?
A. Ask developers to build container images locally and ensure strict version controls by using Container Registry.
B. Use Cloud Build to build container images. Configure a Binary Authorization policy on the Cloud Run job.
C. Use Cloud Deploy to generate authenticated and non-falsifiable build provenance for container images.
D. Use Cloud Build to build container images. Use Cloud Scheduler to automate delivery of your applications to a series of target environments in a defined sequence.

Question 343
There are three teams developing an ecommerce application in the same Google Cloud project. Team A will build a set of RESTful APIs that exposes some core functionalities for the application. Team B and Team C will make requests to those APIs in their downstream processes running on Cloud Run services. You need to propose a solution for exposing the APIs in a way that maximizes security and minimizes management overhead for the three teams. How should you design this solution?
A. 1. Team A uses service accounts to authorize Cloud API Gateway. Team B and Team C each create a service account, export their service account's key, and store each key in a separate secret in Secret Manager.
2. Team B and Team C use this service account key to create an OAuth token to access the APIs.
B. 1. Team A uses Apigee hybrid to create an API key and shares that key with Team B and Team C.
2. Team B and Team C store the API key in a secret in Secret Manager, and use this API key to access the API endpoint.
C. 1. Team A uses an API key to authorize Cloud API Gateway and shares the key with Team B and Team C.
2. Team B and Team C store the API key in a secret in Secret Manager, and use this API key to access the API endpoint.
D. 1. Team A uses service accounts to authorize Cloud API Gateway. Team B and Team C each create a service account that has access to the APIs.
2. Team B and Team C access the APIs in the Cloud Run service running their processes by using the service accounts attached to their service.

Question 344
Your application team is developing an ecommerce application. Your team has developed a new functionality that has a dependency on a third-party service. This third-party service will be deployed in a few days. However, you have been unable to ensure the reliability of this service. You need to choose a deployment strategy for the ecommerce application that will avoid disruption and can be rolled back quickly if issues are discovered. What should you do?
A. Deploy the new functionality by using an A/B deployment strategy.
B. Deploy the new functionality to all users by using a blue/green deployment strategy.
C. Use a feature flag to enable the new functionality to users on demand. Gradually enable the new functionality to more users.
D. Gradually roll out the new functionality by using a rolling updates deployment strategy. Start with a small subset of users and increase the number of users over time.

Question 345
You work for an organization that manages an ecommerce site. Your application is deployed behind an external Application Load Balancer. You need to test a new product recommendation algorithm. You plan to use A/B testing to determine the new algorithm’s effect on sales in a randomized way. How should you test this feature?
A. Split traffic between versions using weights.
B. Enable the new recommendation feature flag on a single instance.
C. Mirror traffic to the new version of your application.
D. Use HTTP header-based routing.


Question 346
You maintain a CI/CD pipeline for an application running on GKE. You use Cloud Build to create container images and push the images to Artifact Registry. When you build the image, you use the latest tag in your pipeline.
You recently had to roll back a deployment 24 hours after rollout. The rollback process was difficult because the latest tag had been overwritten. You need to prevent this issue in the future. You want to use the most efficient approach. What should you do?
A. Rebuild the Docker image for each environment, and tag it with the specific environment name.
B. Build a separate Docker image for each new version of the application, and tag it with the version number.
C. Implement Helm charts to manage your container deployments.
D. Use a Docker registry to store the container images, and create separate repositories for each version of the application.

Question 347
You are designing a microservices application on GKE that will expose a public API to users. Users will interact with the application by using OAuth 2.0, and illegitimate requests should receive a 403 response code. You need the API to be resilient against distributed denial of service (DDoS) attacks and critical security risks such as SQL injection (SQLi) and cross-site scripting (XSS).
You want to design the application's architecture while following Google-recommended practices. What should you do?
A. Install Service Mesh in your GKE cluster. Configure Service Mesh user authentication to integrate the service hosted on GKE by using an OpenID Connect-compliant identity provider. Expose the application externally by using an Istio Ingress Gateway. Use VPC firewall rules to restrict Ingress traffic to the Ingress gateway.
B. Run an Apache HTTP server on Cloud Run to expose a service with a public IP address. Configure the Apache HTTP server as a reverse proxy to only forward valid requests to the API hosted on GKE.
C. Use an external Application Load Balancer with Cloud Armor. Integrate Cloud Armor with reCAPTCHA Enterprise. Configure the load balancer to forward traffic to the application hosted on GKE.
D. Use an external Application Load Balancer with Cloud Armor, and configure the load balancer to forward requests to Apigee to check the validity of the API requests. Configure GKE as the application's backend.

Question 348
You are compiling a compliance report on vulnerability metadata for a specific set of images identified by Artifact Analysis. Metadata from images scanned more than 30 days ago are missing from the compliance report. You need to access the vulnerability metadata for these older images. What should you do?
A. Create a Pub/Sub subscription to pull from Artifact Analysis topics.
B. Check Artifact Analysis storage buckets in Cloud Storage.
C. Push or pull the images from Artifact Registry.
D. Check Cloud Trace logs for Artifact Analysis findings.

Question 349
Your team runs a Python job that reads millions of customer record files stored in a Cloud Storage bucket. To comply with regulatory requirements, you need to ensure that customer data is immediately deleted once the job is completed. You want to minimize the time required to complete this task. What should you do?
A. Add a final step in the job that deletes all the objects in the bucket in bulk by using batch requests to the Cloud Storage API.
B. Configure Object Lifecycle Management on the Cloud Storage bucket that deletes all the objects in the bucket at the end of the job execution.
C. Remove the bucket from the Google Cloud console when the job is completed.
D. Use the gcloud CLI to execute the gcloud storage rm --recursive gs://BUCKET_NAME/ command.

Question 350
You are a developer at a regulated financial company and are the lead of a risk calculation application that is running on Cloud Run. Binary Authorization for Cloud Run has been enabled as an organization policy, and there is one attestor. All applications in the company are attested. Each application's image is deployed as part of a CI/CD pipeline during a 1-hour change window at 11 PM local time. There is a new security issue that requires you to deploy a critical fix before the next change window. You have created a new image with the fix, and your manager has approved the image in an email message. What should you do?
A. Add the image to the exempt image patterns in the Binary Authorization policy.
B. Sign the image with your private key and ask the project admin to change the public key in the attestor.
C. Change the organization policy to temporarily disable Binary Authorization, and deploy the image.
D. Use the breakglass approach to deploy the image.
