nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #330

Your infrastructure team is responsible for creating and managing Compute Engine VMs. Your team uses the Google Cloud console and gcloud CLI to provision resources for the development environment. You

The correct answer is A. Use a Cloud Audit Logs trigger to invoke a Cloud Run function when a Compute Engine VM is. The requirements are: (1) corrective action (auto-remediation), (2) no change to the current deployment process, and (3) most scalable approach. Cloud Audit Logs capture every VM creation/modification event in real time. An Eventarc or Pub/Sub trigger on those logs can invoke a C

Implementing Compliance Policies

Question

Your infrastructure team is responsible for creating and managing Compute Engine VMs. Your team uses the Google Cloud console and gcloud CLI to provision resources for the development environment. You need to ensure that all Compute Engine VMs are labeled correctly for compliance reasons. In case of missing labels, you need to implement corrective actions so the labels are configured accordingly without changing the current deployment process. You want to use the most scalable approach. What should you do?

Options

  • AUse a Cloud Audit Logs trigger to invoke a Cloud Run function when a Compute Engine VM is
  • BDeploy resources with Terraform. Use the gcloud terraform vet command with a policy to ensure
  • CWrite a script to check all Compute Engine VMs for missing labels regularly by using Cloud
  • DCheck all Compute Engine VMs for missing labels regularly. Use the console to assign the labels.

How the community answered

(26 responses)
  • A
    62% (16)
  • B
    12% (3)
  • C
    8% (2)
  • D
    19% (5)

Explanation

The requirements are: (1) corrective action (auto-remediation), (2) no change to the current deployment process, and (3) most scalable approach. Cloud Audit Logs capture every VM creation/modification event in real time. An Eventarc or Pub/Sub trigger on those logs can invoke a Cloud Run function that inspects the new VM's labels and automatically applies any missing ones - this is fully event-driven, serverless, and requires zero changes to how the team currently uses the console or gcloud. Option B (Terraform + vet) changes the deployment process. Option C (scheduled script) is periodic/batch and may leave VMs non-compliant for minutes or hours. Option D is a manual process and completely unscalable.

Topics

#Compliance Enforcement#Event-Driven Automation#Resource Labeling#Compute Engine Management

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice