PROFESSIONAL-CLOUD-DEVOPS-ENGINEER Question #81: Real Exam Question with Answer & Explanation
The correct answer is C: Use Binary Authorization to attest images during your CI/CD pipeline.
Question
You are building and running client applications in Cloud Run and Cloud Functions. Your client requires that all logs must be available for one year so that the client can import the logs into their logging service. You must minimize required code changes. What should you do?
Options
- A. Deploy Falco or Twistlock on GKE to monitor for vulnerabilities on your running Pods.
- B. Configure Identity and Access Management (IAM) policies to create a least privilege model on
- C. Use Binary Authorization to attest images during your CI/CD pipeline.
- D. Enable Container Analysis in Artifact Registry, and check for common vulnerabilities and
Explanation
To ensure client application logs are available for one year and importable with minimal code changes, leverage platform-level security features like Binary Authorization to guarantee the integrity of deployed application images.
Common mistakes.
- A. Falco or Twistlock on GKE are runtime security tools for Kubernetes, not directly applicable to log retention and import requirements for Cloud Run and Cloud Functions, nor do they minimize code changes related to log management.
- B. Configuring IAM policies primarily controls who can access resources, not how logs are retained or imported over a long period, nor does it address the technical mechanism for log data itself.
- D. Container Analysis in Artifact Registry scans for vulnerabilities in stored images, which is a security step for artifacts, but it does not directly manage the retention, availability, or import of application logs from running services for a year.
Concept tested. Application integrity for auditable logs
Reference. https://cloud.google.com/binary-authorization/docs