An organization uses Security Command Center (SCC) premium tier and wants to automatically remediate a specific finding type by disabling public access to Cloud Storage buckets. What is the recommended approach?
SCC can publish findings to Pub/Sub, which triggers a Cloud Function to remediate.
Why this answer
Option C is correct because Security Command Center can publish findings to a Cloud Pub/Sub topic through a notification config (continuous export), and a push subscription on that topic can invoke a Cloud Function with each finding. The function parses the finding, identifies the bucket from its `resourceName`, and calls the Cloud Storage JSON API `buckets.setIamPolicy` method (the caller needs the `storage.buckets.getIamPolicy` and `storage.buckets.setIamPolicy` permissions) to remove any `allUsers` or `allAuthenticatedUsers` bindings that grant public access. This gives event-driven remediation that runs as soon as the finding is generated, with no manual step. In practice the notification config should carry a filter so only the finding category and state of interest are exported, and the function's service account should be granted only the bucket IAM permissions it needs.
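The remediation path described above, as an added example that is not part of the original page. The Cloud Function below receives the Pub/Sub push envelope, decodes the SCC finding notification, and strips public members from the bucket's IAM policy using the `google-cloud-storage` client. The sample notification is constructed; the finding category `PUBLIC_BUCKET_ACL`, the `//storage.googleapis.com/<bucket>` resource-name form and the function name `scc_remediate` are assumptions rather than values taken from the page.

```python
import base64
import json
from typing import Dict, List, Optional, Tuple

# Members whose presence in a binding makes a bucket public.
PUBLIC_MEMBERS = frozenset({"allUsers", "allAuthenticatedUsers"})
# Assumed Security Health Analytics category for a publicly accessible bucket.
TARGET_CATEGORY = "PUBLIC_BUCKET_ACL"
# Assumed resourceName prefix that SCC uses for Cloud Storage buckets.
BUCKET_RESOURCE_PREFIX = "//storage.googleapis.com/"


def decode_push_envelope(envelope: Dict) -> Dict:
    """Decode the JSON finding notification carried in a Pub/Sub push envelope."""
    raw = base64.b64decode(envelope["message"]["data"]).decode("utf-8")
    return json.loads(raw)


def bucket_from_resource_name(resource_name: str) -> str:
    """Extract the bucket name from an SCC resourceName for a bucket."""
    if not resource_name.startswith(BUCKET_RESOURCE_PREFIX):
        raise ValueError(f"not a Cloud Storage bucket resource: {resource_name}")
    return resource_name[len(BUCKET_RESOURCE_PREFIX):].split("/", 1)[0]


def plan_remediation(notification: Dict) -> Optional[str]:
    """Return the bucket to fix, or None when the notification needs no action.

    Only ACTIVE findings of the target category are acted on; anything else is
    acknowledged without touching a resource (the filter on the notification
    config should already exclude them, but the function must not rely on it).
    """
    finding = notification.get("finding", {})
    if finding.get("category") != TARGET_CATEGORY:
        return None
    if finding.get("state") != "ACTIVE":
        return None
    return bucket_from_resource_name(finding["resourceName"])


def strip_public_bindings(bindings: List[Dict]) -> Tuple[List[Dict], List[Dict]]:
    """Drop allUsers/allAuthenticatedUsers from every binding.

    Returns (cleaned_bindings, removed_bindings). A binding left without any
    member is dropped entirely; roles, conditions and other keys are preserved.
    """
    cleaned: List[Dict] = []
    removed: List[Dict] = []
    for binding in bindings:
        members = list(binding.get("members", []))
        kept = [m for m in members if m not in PUBLIC_MEMBERS]
        dropped = [m for m in members if m in PUBLIC_MEMBERS]
        if dropped:
            removed.append({"role": binding["role"], "members": dropped})
        if kept:
            new_binding = dict(binding)
            new_binding["members"] = kept
            cleaned.append(new_binding)
    return cleaned, removed


def remediate_bucket(bucket_name: str) -> List[Dict]:
    """Rewrite the bucket IAM policy without public members; return what was removed."""
    from google.cloud import storage  # imported lazily so the pure helpers run offline

    bucket = storage.Client().bucket(bucket_name)
    # Policy version 3 is required to read and write conditional bindings intact.
    policy = bucket.get_iam_policy(requested_policy_version=3)
    cleaned, removed = strip_public_bindings(policy.bindings)
    if removed:  # idempotent: a bucket already fixed by an earlier delivery is left alone
        policy.bindings = cleaned
        bucket.set_iam_policy(policy)
    return removed


def scc_remediate(request):
    """HTTP entry point invoked by the Pub/Sub push subscription (Cloud Functions)."""
    notification = decode_push_envelope(request.get_json(force=True))
    bucket_name = plan_remediation(notification)
    if bucket_name is None:
        return ("ignored", 200)  # 2xx acks the message so Pub/Sub does not redeliver
    removed = remediate_bucket(bucket_name)
    return (json.dumps({"bucket": bucket_name, "removed": removed}), 200)


# Constructed sample of a finding notification as delivered by a push subscription.
SAMPLE_NOTIFICATION = {
    "notificationConfigName": "organizations/123456789/notificationConfigs/public-buckets",
    "finding": {
        "name": "organizations/123456789/sources/111/findings/abc",
        "category": TARGET_CATEGORY,
        "state": "ACTIVE",
        "resourceName": BUCKET_RESOURCE_PREFIX + "example-public-bucket",
    },
}
SAMPLE_ENVELOPE = {
    "message": {
        "data": base64.b64encode(json.dumps(SAMPLE_NOTIFICATION).encode()).decode(),
        "messageId": "1",
    },
    "subscription": "projects/example/subscriptions/scc-remediate",
}
```

To route only the relevant findings to the topic, the notification config would be created with a filter, for example `gcloud scc notifications create public-buckets --organization=ORG_ID --pubsub-topic=projects/PROJECT/topics/scc-findings --filter='category="PUBLIC_BUCKET_ACL" AND state="ACTIVE"'` (category name assumed as above). The function still re-checks category and state itself, because Pub/Sub delivers at least once and the filter can be changed independently of the code.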
Exam trap
The exam tests the distinction between event-driven automation (SCC notification to Pub/Sub, triggering a Cloud Function) and scheduled or preventive approaches. Candidates who read "automation" as periodic checking pick Cloud Scheduler, and those who read it as a preventive control pick IAM deny policies; the question asks for reactive remediation of a finding as it occurs, which only the event-driven path provides.
How to eliminate wrong answers
Option A is wrong because Cloud Pub/Sub alone only delivers the finding notification; nothing consumes the message and changes the bucket, so a manual step is still required, which defeats the goal of automation. Option B is wrong because IAM deny policies are a preventive control: they restrict which permissions principals can use, they do not remove bindings that already exist, and they do not react to a finding, so buckets that are already public are not remediated. Option D is wrong because Cloud Scheduler runs on a fixed schedule, not in response to SCC findings, so remediation lags behind the finding by up to one schedule interval, and the scheduled job would still need its own logic to discover which buckets are public.