CCNA Pcse Managing Operations Questions

5 of 80 questions · Page 2/2 · Pcse Managing Operations topic · Answers revealed

76 · MCQ · medium

A security engineer needs to ensure that all container images deployed to a GKE cluster are signed by a trusted authority. The organization uses Cloud KMS for key management and wants to enforce the policy at admission time. Which two components are essential to implement this requirement? (Choose two.)

A. Cloud Audit Logs enabled for GKE
B. Container Analysis vulnerability scanning
C. Attestor created in Binary Authorization with Cloud KMS key
D. Binary Authorization policy set to 'Require Attestation'
E. Web Security Scanner configured to scan the GKE cluster
Answer: C, D

An attestor holds the public key used to verify signatures over image digests; the matching Cloud KMS asymmetric key is what produces those signatures at build time.

Why this answer

Binary Authorization needs two things: an attestor whose public key (here the public half of a Cloud KMS asymmetric signing key) verifies the signature over the image digest, and a policy whose admission rule is set to REQUIRE_ATTESTATION and lists that attestor in requireAttestationsBy. The check runs in the GKE admission controller, so a pod referencing an unsigned image is rejected before it is scheduled. Because an attestation is bound to a digest, pods must reference images by digest rather than by tag. Cloud Audit Logs (A) and Container Analysis scanning (B) are useful alongside but do not enforce signing, and Web Security Scanner (E) tests web applications, not container images.

77 · Multi-Select · hard

A security engineer is investigating a potential data exfiltration incident. They suspect that a compromised VM is sending sensitive data to an external IP. Which three data sources should they examine to trace the exfiltration? (Choose three.)

Select 3 answers
A. Cloud NAT logs
B. VPC Flow Logs
C. Compute Engine serial port output
D. Cloud Audit Logs (Data Access)
E. Cloud DNS logging
Answers: B, D, E

VPC Flow Logs record source/destination IPs, ports, protocol and byte/packet counts for sampled flows on subnets where logging is enabled.

Why this answer

VPC Flow Logs give the 5-tuple plus bytes_sent and packets_sent per aggregation interval, which is what identifies the external destination and quantifies how much left the VM (logging must be enabled on the subnet, and records are sampled, so totals are lower-bound estimates). Cloud DNS query logs show which hostnames the VM resolved and which addresses came back, tying the external IP to a domain. Cloud Audit Logs (Data Access) record which objects, tables or secrets the VM's service account read, i.e. what was actually taken. Cloud NAT logs only record translation and drop events for VMs that reach the internet through the gateway and carry no byte counts, so they can confirm a connection but not size it. Compute Engine serial port output is console and boot output, not network traffic.
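The triage described above, as an added example (not part of the original question set): it takes records shaped like the jsonPayload of VPC Flow Logs, the jsonPayload of Cloud DNS query logs and the protoPayload of Data Access audit logs, ranks the suspect VM's external destinations by bytes sent, maps each destination back to the hostnames the VM resolved, and lists what the VM's service account read. All sample records, the VM address 10.128.0.5, the service account name and the DNS rdata layout (name, TTL, class, type, value) are constructed assumptions; check them against your own `gcloud logging read` output before reuse.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (values invented) shaped like the jsonPayload /
# protoPayload of entries returned by `gcloud logging read` for the three log
# types: compute.googleapis.com/vpc_flows, dns.googleapis.com/dns_queries and
# cloudaudit.googleapis.com/data_access. 10.128.0.5 plays the suspect VM and
# web-1-sa@... its (assumed) service account.
SUSPECT_VM_IP = "10.128.0.5"
SUSPECT_VM_SA = "web-1-sa@prod-apps.iam.gserviceaccount.com"

def _flow(src, sport, dst, dport, proto, reporter, nbytes, npkts):
    return {"jsonPayload": {"reporter": reporter, "bytes_sent": str(nbytes),
            "packets_sent": str(npkts), "connection": {"src_ip": src, "src_port": sport,
            "dest_ip": dst, "dest_port": dport, "protocol": proto}}}

FLOW_LOGS = [
    _flow("10.128.0.5", 51234, "203.0.113.7", 443, 6, "SRC", 52428800, 38000),  # 50 MiB out
    _flow("10.128.0.5", 51240, "203.0.113.7", 443, 6, "SRC", 1048576, 900),
    _flow("10.128.0.5", 40022, "198.51.100.20", 22, 6, "SRC", 2048, 30),
    _flow("10.128.0.5", 43000, "10.128.0.9", 5432, 6, "SRC", 120000, 400),   # internal, ignored
    _flow("203.0.113.7", 443, "10.128.0.5", 51234, 6, "DEST", 900, 12),      # inbound, ignored
    _flow("10.128.0.6", 33000, "203.0.113.7", 443, 6, "SRC", 70000, 80),     # other VM, ignored
]
DNS_LOGS = [
    {"jsonPayload": {"queryName": "updates.example-cdn.net.", "queryType": "A", "responseCode": "NOERROR",
                     "sourceIP": "10.128.0.5", "rdata": "updates.example-cdn.net. 300 IN A 203.0.113.7"}},
    {"jsonPayload": {"queryName": "db.internal.", "queryType": "A", "responseCode": "NOERROR",
                     "sourceIP": "10.128.0.5", "rdata": "db.internal. 60 IN A 10.128.0.9"}},
]
AUDIT_LOGS = [
    {"protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.get",
                      "resourceName": "projects/_/buckets/customer-exports/objects/q3-customers.csv",
                      "authenticationInfo": {"principalEmail": SUSPECT_VM_SA}}},
    {"protoPayload": {"serviceName": "bigquery.googleapis.com", "methodName": "jobservice.jobcompleted",
                      "resourceName": "projects/prod-apps/jobs/bquxjob_1",
                      "authenticationInfo": {"principalEmail": "analyst@example.com"}}},
]

# Ranges this VPC treats as internal; everything else counts as external egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16")]
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def is_external(ip, internal_nets=INTERNAL_NETS):
    """True unless the address falls in a range this VPC treats as internal."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in internal_nets)

def external_egress(flows, vm_ip):
    """Bytes the VM sent to each external IP, largest first. Flow records are
    sampled and aggregated per interval, so these are lower-bound estimates."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0, "ports": set()})
    for entry in flows:
        p = entry["jsonPayload"]
        c = p["connection"]
        if c["src_ip"] != vm_ip or not is_external(c["dest_ip"]):
            continue
        t = totals[c["dest_ip"]]
        t["bytes"] += int(p["bytes_sent"])
        t["packets"] += int(p["packets_sent"])
        t["ports"].add(f'{PROTO.get(c["protocol"], c["protocol"])}/{c["dest_port"]}')
    return sorted(((ip, t["bytes"], t["packets"], sorted(t["ports"])) for ip, t in totals.items()),
                  key=lambda row: row[1], reverse=True)

def dns_names_for(dns_logs, ip, source_ip=None):
    """Hostnames whose answers (rdata) included the given IP; optionally only
    queries made by source_ip."""
    names = set()
    for entry in dns_logs:
        p = entry["jsonPayload"]
        if source_ip and p.get("sourceIP") != source_ip:
            continue
        for rr in p.get("rdata", "").splitlines():
            f = rr.split()  # assumed layout: name ttl class type value
            if len(f) >= 5 and f[3] in ("A", "AAAA") and f[4] == ip:
                names.add(p["queryName"].rstrip("."))
    return names

def data_access_by(audit_logs, principal):
    """What a principal (here the VM's service account) read, from Data Access audit logs."""
    return [(p["serviceName"], p["methodName"], p["resourceName"])
            for entry in audit_logs for p in [entry["protoPayload"]]
            if p.get("authenticationInfo", {}).get("principalEmail") == principal]

def investigate(vm_ip=SUSPECT_VM_IP, vm_sa=SUSPECT_VM_SA,
                flows=FLOW_LOGS, dns_logs=DNS_LOGS, audit_logs=AUDIT_LOGS):
    """Correlate the three sources into one view: where data went, under what
    name, and what was read to produce it."""
    return {
        "egress": [{"dest_ip": ip, "bytes": b, "packets": n, "ports": ports,
                    "names": sorted(dns_names_for(dns_logs, ip, vm_ip))}
                   for ip, b, n, ports in external_egress(flows, vm_ip)],
        "reads": data_access_by(audit_logs, vm_sa),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(investigate(), indent=2))
```

On a real project the three inputs come from `gcloud logging read` with a `logName` filter for each log type and a time window around the alert; the inbound record reported by the destination side and the second VM's traffic are in the sample to show that the ranking only counts flows whose source is the suspect VM.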

78 · MCQ · medium

An organization needs to centralize audit logs from multiple Google Cloud projects into a BigQuery dataset for long-term analysis. They also want to retain raw logs in Cloud Storage for archival purposes. What is the most efficient way to accomplish this?

A. Create a single log sink that exports to both BigQuery and Cloud Storage.
B. Enable Data Access logs for all services and configure BigQuery as the default log destination.
C. Use Cloud Functions to copy logs from Cloud Logging to BigQuery and Cloud Storage.
D. Create two log sinks: one exporting to BigQuery, one to Cloud Storage, using an aggregated sink at the organization level.
Answer: D

This allows centralized collection of logs from all projects to both destinations.

Why this answer

A log sink has exactly one destination, so option A is not possible; routing to two destinations means two sinks, one to a BigQuery dataset and one to a Cloud Storage bucket. Creating them as aggregated sinks at the organization (or folder) level with --include-children routes matching entries from every project underneath without per-project configuration, and the same filter on both (for example, log names under cloudaudit.googleapis.com) keeps the export to audit logs only. Each sink gets a writer identity (a service account shown after creation) that must be granted roles/bigquery.dataEditor on the dataset and roles/storage.objectCreator on the bucket, or the export silently fails. Copying with Cloud Functions (C) reimplements what the Log Router already does, and BigQuery is not a "default log destination" (B).

79 · MCQ · hard

You need to configure automated remediation for high-severity SCC findings. When a finding of type 'VULNERABILITY' with severity 'HIGH' is created, a Cloud Function should execute a script to patch the vulnerable VM. Which architecture is correct?

A. Configure SCC to publish findings to a Pub/Sub topic, and set up a Cloud Function subscribed to that topic
B. Configure SCC to send findings to Cloud Storage, then use Cloud Functions on object change
C. Use Cloud Scheduler to poll SCC API every minute and trigger Cloud Function
D. Configure SCC to send notifications to Cloud Logging, then create a log-based metric and alert to trigger Cloud Function
Answer: A

This is the direct and recommended integration for automated response.

Why this answer

An SCC notification config publishes finding updates to a Pub/Sub topic, and a Cloud Function subscribed to that topic is the event-driven path to remediation. Put the selection criteria on the notification config's filter (for example severity="HIGH" AND finding_class="VULNERABILITY" AND state="ACTIVE") so the topic only carries relevant findings, and have the function re-check severity, class and state, because every later update to a finding (including its resolution) is published to the same topic. Polling the API on a schedule (C) adds latency and quota cost, and the other two options route through systems that are not SCC's native notification channel. Give the function's service account only the permission the patch action needs (for example an OS Config patch role), not broad compute access, since it will act on findings it did not originate.
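The function body described above, as an added example (not code from the original question or from Google): it decodes the Pub/Sub message, applies the class/severity/state checks, extracts the project, zone and instance from the finding's resourceName, and hands a target to a remediation callable. The notification payloads, the `remediate` callable, the project and instance names, and the "patch-job-started" result are constructed assumptions; the real entry point would forward `cloud_event.data["message"]` from the Functions Framework to `handle_message`.

```python
import base64
import json
import re

# Fields the function requires before it will act. Put the same conditions on
# the SCC notification config filter so the topic only carries these findings;
# the function re-checks them because every later update to a finding is
# published again on the same topic.
REQUIRED = {"findingClass": "VULNERABILITY", "severity": "HIGH", "state": "ACTIVE"}

# Only Compute Engine instances can be patched here; anything else is left
# alone. resourceName is the full resource name SCC attaches to a finding.
INSTANCE_RE = re.compile(
    r"^//compute\.googleapis\.com/projects/([^/]+)/zones/([^/]+)/instances/([^/]+)$")

def decode_notification(message):
    """message is the Pub/Sub message dict ({"data": <base64>, ...}) that a
    2nd-gen function receives as cloud_event.data["message"]."""
    return json.loads(base64.b64decode(message["data"]).decode("utf-8"))

def select_target(notification):
    """Return (target, reason): target is a dict for a finding we should act
    on, otherwise None with reason explaining the skip."""
    finding = notification.get("finding", {})
    for key, want in REQUIRED.items():
        if finding.get(key) != want:
            return None, f"skip: {key}={finding.get(key)!r}, need {want!r}"
    m = INSTANCE_RE.match(finding.get("resourceName", ""))
    if not m:
        return None, f"skip: not a Compute Engine instance: {finding.get('resourceName')}"
    project, zone, instance = m.groups()
    return {"project": project, "zone": zone, "instance": instance,
            "finding": finding["name"], "category": finding.get("category")}, "remediate"

def handle_message(message, remediate):
    """Body of the Cloud Function. `remediate(target)` is whatever actually
    patches the VM (for example starting an OS Config patch job); it is passed
    in so this logic can be exercised without touching a real project. Make the
    remediation itself idempotent: the same finding can arrive more than once."""
    target, reason = select_target(decode_notification(message))
    if target is None:
        return {"action": "skipped", "reason": reason}
    result = remediate(target)
    return {"action": "remediated", "target": target, "result": result}

def _encode(notification):
    """Wrap a notification the way Pub/Sub delivers it (base64 in "data")."""
    return {"data": base64.b64encode(json.dumps(notification).encode()).decode()}

def _finding(**overrides):
    """Constructed SCC notification (not real SCC output) with optional overrides."""
    base = {"name": "organizations/123/sources/456/findings/f1",
            "resourceName": "//compute.googleapis.com/projects/prod-apps/zones/us-central1-a/instances/web-1",
            "state": "ACTIVE", "category": "OS_VULNERABILITY",
            "severity": "HIGH", "findingClass": "VULNERABILITY"}
    base.update(overrides)
    return {"notificationConfigName": "organizations/123/notificationConfigs/high-vulns",
            "finding": base}

SAMPLES = {
    "actionable": _encode(_finding()),
    "medium": _encode(_finding(severity="MEDIUM")),
    "resolved": _encode(_finding(state="INACTIVE")),
    "misconfig": _encode(_finding(findingClass="MISCONFIGURATION", category="OPEN_FIREWALL")),
    "not_a_vm": _encode(_finding(
        resourceName="//container.googleapis.com/projects/prod-apps/locations/us-central1/clusters/c1")),
}

def run_samples():
    """Run every sample through the handler with a recording stand-in for the
    patch step; returns the per-sample outcome and the targets it was called with."""
    calls = []
    outcome = {name: handle_message(msg, lambda t: calls.append(t) or "patch-job-started")
               for name, msg in SAMPLES.items()}
    return outcome, calls

if __name__ == "__main__":
    outcome, calls = run_samples()
    for name, result in outcome.items():
        print(f"{name}: {result['action']} ({result.get('reason', result.get('target'))})")
```

Only the first sample reaches `remediate`; the resolved finding is the important negative case, since without the state check the function would re-patch (or worse, act on stale data for) every VM whose finding was just closed.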

80 · MCQ · hard

A company enforces Binary Authorization on a GKE cluster. They want to require that all container images be signed by a specific attestor located in a different project. What must be configured?

A. A Binary Authorization policy that allows all images, and an attestor with the same name in both projects.
B. A Cloud KMS key for the attestor in the same project as the cluster, and a policy that requires attestation.
C. A policy that requires attestation, an attestor in the same or different project, and a service account on the GKE node with the appropriate IAM permissions to access the attestor.
D. A policy that denies all images, and a separate attestor for each project.
Answer: C

Binary Authorization supports attestors in another project; the policy references them by full resource name (projects/ATTESTOR_PROJECT/attestors/NAME) and the verifying identity in the cluster's project must hold roles/binaryauthorization.attestorsVerifier on that attestor.

Why this answer

Binary Authorization allows the attestor, its Container Analysis note and the Cloud KMS key to live in projects other than the cluster's, so neither a same-project key (B) nor a duplicated attestor (A, D) is required. The key requirement is IAM: the cluster project's Binary Authorization service agent (service-PROJECT_NUMBER@gcp-sa-binaryauthorization.iam.gserviceaccount.com), not the node's own service account, is what reads the attestor, and it needs roles/binaryauthorization.attestorsVerifier on the attestor in the attestor's project (plus roles/containeranalysis.notes.occurrences.viewer on the note if that sits in a third project). Without the grant, admission fails with a permission error on the attestor rather than a signature error.
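A model of the admission decision behind questions 76 and 80, as an added example (not Google's implementation or code from the original page): it takes a policy using the same field names as the exported YAML (admissionWhitelistPatterns, defaultAdmissionRule, clusterAdmissionRules, evaluationMode, enforcementMode, requireAttestationsBy), an attestor that lives in a different project from the cluster, and a set of attestations keyed by digest, and returns ADMIT or DENY with the reason. The project names, image references, digest, the `signature_ok` flag standing in for the real PKIX check with the attestor's public key, and the `verifier_can_read` set standing in for the attestorsVerifier IAM grant are all constructed assumptions. The allowlist wildcard handling (trailing * for one path component, trailing ** for sub-paths) follows the documented pattern syntax but is a simplification.

```python
import re
from dataclasses import dataclass

# Attestor lives in a different project from the cluster (the question 80 case)
# and is always referenced by its full resource name. Names are assumptions.
CLUSTER_PROJECT = "prod-apps"
PROD_ATTESTOR = "projects/security-tooling/attestors/kms-release-signer"

# Policy with the same field names `gcloud container binauthz policy export` uses.
POLICY = {
    "admissionWhitelistPatterns": [{"namePattern": "gke.gcr.io/**"}],
    "defaultAdmissionRule": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBy": [PROD_ATTESTOR],
    },
    "clusterAdmissionRules": {  # keyed by location.name
        "us-central1-a.dev-cluster": {"evaluationMode": "ALWAYS_ALLOW",
                                      "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"},
    },
}

@dataclass(frozen=True)
class Attestation:
    attestor: str       # attestor resource name that produced it
    digest: str         # sha256:... the signed payload refers to
    signature_ok: bool  # stands in for the PKIX check with the attestor's public key

SIGNED_DIGEST = "sha256:" + "0123456789abcdef" * 4   # constructed digest
ATTESTATIONS = [Attestation(PROD_ATTESTOR, SIGNED_DIGEST, True)]
# Attestors the cluster project's Binary Authorization service agent may read,
# i.e. where roles/binaryauthorization.attestorsVerifier has been granted.
VERIFIER_CAN_READ = {PROD_ATTESTOR}

DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})\Z")

def pattern_to_regex(pattern):
    """Allowlist pattern: trailing ** matches anything including sub-paths,
    trailing * matches one path component (tag or digest included)."""
    if pattern.endswith("**"):
        return re.compile(re.escape(pattern[:-2]) + r".*\Z")
    if pattern.endswith("*"):
        return re.compile(re.escape(pattern[:-1]) + r"[^/]*\Z")
    return re.compile(re.escape(pattern) + r"\Z")

def _enforce(rule, reason):
    """Apply the rule's enforcement mode to a failed check."""
    if rule.get("enforcementMode") == "DRYRUN_AUDIT_LOG_ONLY":
        return "ADMIT", "dry run, would block: " + reason
    return "DENY", reason

def evaluate(image, cluster, policy=POLICY, attestations=ATTESTATIONS,
             verifier_can_read=VERIFIER_CAN_READ):
    """Decide whether a pod image is admitted on cluster 'location.name'."""
    for pat in policy.get("admissionWhitelistPatterns", []):
        if pattern_to_regex(pat["namePattern"]).match(image):
            return "ADMIT", f"exempt via allowlist pattern {pat['namePattern']}"
    rule = policy.get("clusterAdmissionRules", {}).get(cluster, policy["defaultAdmissionRule"])
    mode = rule["evaluationMode"]
    if mode == "ALWAYS_ALLOW":
        return "ADMIT", "rule is ALWAYS_ALLOW"
    if mode == "ALWAYS_DENY":
        return _enforce(rule, "rule is ALWAYS_DENY")
    # REQUIRE_ATTESTATION: the image must be pinned by digest, and every listed
    # attestor must have a valid attestation for that digest.
    m = DIGEST_RE.search(image)
    if not m:
        return _enforce(rule, "image referenced by tag; attestations are bound to a digest")
    digest = m.group(1)
    for attestor in rule.get("requireAttestationsBy", []):
        if attestor not in verifier_can_read:
            return _enforce(rule, f"cannot read {attestor}: grant "
                                  f"roles/binaryauthorization.attestorsVerifier to the "
                                  f"{CLUSTER_PROJECT} Binary Authorization service agent")
        if not any(a.attestor == attestor and a.digest == digest and a.signature_ok
                   for a in attestations):
            return _enforce(rule, f"no valid attestation for {digest} by {attestor}")
    return "ADMIT", "every required attestation verified"

if __name__ == "__main__":
    prod = "us-central1-a.prod-cluster"
    for ref in ("us-docker.pkg.dev/prod-apps/web/api@" + SIGNED_DIGEST,
                "us-docker.pkg.dev/prod-apps/web/api:v1",
                "gke.gcr.io/addons/metrics-server:v0.5"):
        print(ref, "->", evaluate(ref, prod))
```

The cross-project failure is deliberately reported as a permission problem rather than a missing signature: that is how it surfaces on a real cluster, and it is the symptom that points at the attestorsVerifier grant instead of at the build pipeline.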
