nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #367

You are a developer at a regulated financial company and are the lead of a risk calculation application that is running on Cloud Run. Binary Authorization for Cloud Run has been enabled as an organiza

The correct answer is D. Use the breakglass approach to deploy the image.. Binary Authorization's 'breakglass' mechanism is the Google-recommended way to handle emergency deployments that need to bypass attestation outside a normal change window. It allows an authorized user to override the policy for a single deployment while automatically generating a

Manage application security

Question

You are a developer at a regulated financial company and are the lead of a risk calculation application that is running on Cloud Run. Binary Authorization for Cloud Run has been enabled as an organization policy, and there is one attestor. All applications in the company are attested. Each application's image is deployed as part of a CI/CD pipeline during a 1-hour change window at 11 PM local time. There is a new security issue that requires you to deploy a critical fix before the next change window. You have created a new image with the fix, and your manager has approved the image in an email message. What should you do?

Options

  • AAdd the image to the exempt image patterns in the Binary Authorization policy.
  • BSign the image with your private key and ask the project admin to change the public key in the
  • CChange the organization policy to temporarily disable Binary Authorization, and deploy the image.
  • DUse the breakglass approach to deploy the image.

How the community answered

(60 responses)
  • A
    17% (10)
  • B
    32% (19)
  • C
    8% (5)
  • D
    43% (26)

Explanation

Binary Authorization's 'breakglass' mechanism is the Google-recommended way to handle emergency deployments that need to bypass attestation outside a normal change window. It allows an authorized user to override the policy for a single deployment while automatically generating an audit log entry, preserving accountability. Option A (exempt image patterns) would permanently weaken the policy beyond the immediate fix. Option B (re-signing with a different key) is not how attestors work and doesn't resolve the authorization path. Option C (disabling the org policy entirely) is overly broad and risky - it affects all applications across the organization, not just the one needing the fix.

Topics

#Binary Authorization#Cloud Run#Security Policies#Emergency Deployment

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice