
PROFESSIONAL-CLOUD-SECURITY-ENGINEER Question #217: Real Exam Question with Answer & Explanation

The correct answer is A: Enable Binary Authorization on the existing Cloud Run service.

Submitted by tyler.j · Apr 18, 2026 · Ensuring compliance

Question

You run applications on Cloud Run. You already enabled container analysis for vulnerability scanning. However, you are concerned about the lack of control on the applications that are deployed. You must ensure that only trusted container images are deployed on Cloud Run. What should you do? (Choose two.)

Options

  • A. Enable Binary Authorization on the existing Cloud Run service.
  • B. Set the organization policy constraint constraints/run.allowedBinaryAuthorizationPolicies to the list
  • C. Enable Binary Authorization on the existing Kubernetes cluster.
  • D. Use Cloud Run breakglass to deploy an image that meets the Binary Authorization policy by
  • E. Set the organization policy constraint constraints/compute.trustedImageProjects to the list of

Explanation

Binary Authorization enforces a deploy-time security control that requires container images to meet attestation policies before they can be deployed. Option A (enable Binary Authorization on the Cloud Run service) activates the enforcement on the specific service. Option B (set the org policy constraint constraints/run.allowedBinaryAuthorizationPolicies) enforces approved Binary Authorization policies at the organization level, ensuring all Cloud Run services across teams comply. Option C is incorrect because Binary Authorization on a Kubernetes cluster applies to GKE, not Cloud Run. Option D (breakglass) is a mechanism to bypass Binary Authorization for emergencies - the opposite of enforcement. Option E (constraints/compute.trustedImageProjects) applies to Compute Engine, not Cloud Run containers.

Topics

#Binary Authorization #Cloud Run #Container Security #Organization Policies
