Professional Cloud Architect Exam Questions

Professional Cloud Architect Exam - Question 211


For this question, refer to the EHR Healthcare case study. You need to define the technical architecture for securely deploying workloads to Google Cloud. You also need to ensure that only verified containers are deployed using Google Cloud services. What should you do? (Choose two.)

Correct Answer: AB

A comprehensive technical architecture for securely deploying workloads to Google Cloud and ensuring only verified containers are deployed should include enabling Binary Authorization, which ensures only verified containers are accepted, and setting up vulnerability scanning in Container Registry. This combination ensures that containers are not only verified through signing but also scanned for vulnerabilities, thereby addressing both the verification and security scanning aspects.
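As an added example (not part of the exam page or Google's own documentation), the following Binary Authorization policy expresses the enforcement side of the answer: the default rule denies everything, and a production cluster admits only images carrying an attestation from a CI attestor, which the pipeline creates after the build and vulnerability scan succeed. PROJECT_ID, ATTESTOR_NAME and the cluster key `us-central1.prod-cluster` are placeholders.

```yaml
# Added example policy (not from the exam page or Google's documentation).
# Placeholders: PROJECT_ID, ATTESTOR_NAME, us-central1.prod-cluster.
name: projects/PROJECT_ID/policy
globalPolicyEvaluationMode: ENABLE
# Images matching these patterns skip policy evaluation entirely, so keep
# the list to Google-managed system images; never add your own registry.
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
# Default: block (and audit-log) anything not covered by a cluster rule.
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
# Production cluster: only images with an attestation from the CI attestor
# (signed once the vulnerability scan has passed) may be deployed.
clusterAdmissionRules:
  us-central1.prod-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
    - projects/PROJECT_ID/attestors/ATTESTOR_NAME
```

The policy is applied with `gcloud container binauthz policy import policy.yaml`; the attestation itself is produced by the CI step (for example Kritis or Cloud Build) rather than by this file.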

Discussion

17 comments
raf2121 (Options: AD)
Aug 24, 2021

A & D. Binary Authorization to ensure only verified containers are deployed. To ensure deployments are secure and consistent, automatically scan images for vulnerabilities with container analysis (https://cloud.google.com/docs/ci-cd/overview?hl=en&skip_cache=true)

cloudmon
Apr 9, 2022

Also see references to the combination of using binary authorization and vulnerability scanning here: https://cloud.google.com/binary-authorization/docs/overview

KillerGoogle (Options: AC)
Aug 25, 2021

IMHO it's A&C

mgm7
Dec 7, 2021

I see a lot of people answered D but I don't see how it answers the question. I can securely deploy complete junk code. There is no contradiction in this phrase even if one obviously should avoid doing this.

BeCalm
Mar 5, 2023

Dude the same applies to C. Trusted service accounts can deploy junk too.

medi01
Apr 23, 2023

But that's the goal: secure the deployment process.

Dav_96 (Option: A)
Apr 19, 2024

Just got out of the exam. You only need to specify one answer, hence I chose A.

sudaraka (Options: AB)
Jan 11, 2024

I think A&B. Kritis is an admission controller webhook for Kubernetes that enforces deploy-time security policies. By configuring Jenkins to use Kritis, you can cryptographically sign containers as part of the CI/CD pipeline, ensuring only signed containers are deployed. https://cloud.google.com/binary-authorization/docs/creating-attestations-kritis

Prudvi3266 (Options: AD)
Dec 26, 2023

Checked with standard process for this. I found the below. Image Building and Scanning: Developers build container images locally or using Cloud Build. Images are scanned for vulnerabilities using integrated tools or third-party services. Clean images are pushed to GCR. Image Verification: Binary Authorization enforces policies for image acceptance. Attestations from Cloud Security Scanner or third-party tools can be used.

[Removed] (Options: AD)
Dec 31, 2023

Option C is incorrect because while limiting access to trusted service accounts enhances security, it doesn't ensure that only verified containers are deployed.

JohnDohertyDoe (Options: AC)
Jan 13, 2024

Answer should be A & C, as the ask is to ensure only verified containers to be deployed. With just Binary Authorisation and signing images, you can't fulfil the requirement, you would need to also restrict it at the IAM level, so that no bad actor can create an image in the registry and bypass Binary Authorization to deploy an image.

oidajoi (Options: AD)
Dec 19, 2023

A&D. C is incorrect because configuring Container Registry doesn't only allow trusted service accounts to create/deploy containers. With IAM permissions, anyone can create non-trusted service accounts to deploy containers, or users can still deploy containers not in Container Registry.

ukivanlamlpi (Options: AB)
Jul 10, 2024

Who deploys is not an issue; the question is 'only verified containers' .... Kritis can do that.

thewalker (Options: AD)
Nov 27, 2023

A & D - sounds more native to Google Cloud services and must be required.

Jconnor (Options: AC)
Dec 3, 2023

Who has untrusted service accounts that can deploy stuff and is doing nothing about it? That is bad architecture. Following good architecture design, D is a given; we will already have a limited number of trusted accounts that can deploy. So A and C.

PreJo (Options: AC)
Dec 12, 2023

a and c are ok

Roro_Brother (Options: AC)
Dec 15, 2023

A & C correct

didek1986 (Options: AC)
Jan 22, 2024

For sure AC

Pime13 (Options: AD)
Jan 29, 2024

https://cloud.google.com/docs/ci-cd/overview?hl=en&skip_cache=true https://cloud.google.com/binary-authorization/docs/overview

Pime13 (Options: AD)
Feb 3, 2024

ad for me

upliftinghut (Options: AD)
Jun 12, 2024

A: use Binary Authorization, then D: check for vulnerabilities before being able to deploy.