Google Professional Cloud Security Engineer: How to Enforce Image Provenance and Security Compliance with Binary Authorization and Cloud Build?

Learn how to configure Binary Authorization and Cloud Build to ensure only secure, compliant container images built by your CI/CD pipeline are deployed in your Google Cloud environment.

Question

Your organization heavily utilizes serverless applications while prioritizing security best practices. You are responsible for enforcing image provenance and compliance with security standards before deployment. You leverage Cloud Build as your continuous integration and continuous deployment (CI/CD) tool for building container images. You must configure Binary Authorization to ensure that only images built by your Cloud Build pipeline are deployed and that the images pass security standard compliance checks. What should you do?

A. Create a Binary Authorization attestor that uses a scanner to assess source code management repositories. Deploy images only if the attestor validates results against a security policy.
B. Create a Binary Authorization attestor that utilizes a scanner to evaluate container image build processes. Define a policy that requires deployment of images only if this attestation is present.
C. Create a Binary Authorization attestor that retrieves the Cloud Build build ID of the container image. Configure a policy to allow deployment only if there’s a matching build ID attestation.
D. Utilize a custom Security Health Analytics module to create a policy. Enforce the policy through Binary Authorization to prevent deployment of images that do not meet predefined security standards.

Answer

B. Create a Binary Authorization attestor that utilizes a scanner to evaluate container image build processes. Define a policy that requires deployment of images only if this attestation is present.

Explanation

To enforce image provenance and compliance with security standards for your serverless applications built using Cloud Build as your CI/CD tool, the recommended approach is:

Create a Binary Authorization attestor that utilizes a scanner to evaluate the container image build processes. The scanner assesses the build pipeline to ensure it follows secure practices and complies with your organization’s security standards.

Then, define a Binary Authorization policy that requires deployment of container images only if they have an attestation present from this attestor. This ensures that only images that have passed the evaluation by the attestor and met the required security criteria can be deployed.

By tying deployment authorization to attestations that vouch for the security of the build process, you can enforce that only properly built images from your approved Cloud Build pipeline are allowed to be deployed, preventing deployment of potentially insecure or non-compliant images.

The other options are not as suitable because:
A) Scanning source code repositories doesn't assess the actual build process or the resulting container images.
C) Matching just the build ID doesn't evaluate the security of the build process itself.
D) Security Health Analytics is a monitoring/alerting tool; it does not enforce deploy-time controls through attestations.

So in summary, creating an attestor that scans builds and defining a policy to require this attestation is the best practice for enforcing secure, approved container image deployments when using Cloud Build with Binary Authorization.
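To make the policy side of this answer concrete, the following added example (not part of the original question or of any Google documentation) checks a Binary Authorization policy, in the structure that `gcloud container binauthz policy export` returns, for the settings that actually enforce "only images attested by our pipeline may deploy": the default rule must be `REQUIRE_ATTESTATION`, enforcement must block rather than only log, the required attestor must be listed, and no catch-all exemption pattern may bypass the rule. The project name, the cluster name and the `vulnerability-scan-passed` attestor are constructed placeholders; `built-by-cloud-build` is the attestor Cloud Build uses for its automatic provenance attestations.

```python
"""Lint a Binary Authorization policy for deploy-time enforcement gaps.

Added example for this Q&A page; it is not Google's code. The policy
dictionaries below mirror the YAML that `gcloud container binauthz
policy export` produces, with constructed placeholder names.
"""

# Constructed placeholders: replace with your own project and attestors.
PROJECT = "example-project"
PROVENANCE_ATTESTOR = f"projects/{PROJECT}/attestors/built-by-cloud-build"
SCAN_ATTESTOR = f"projects/{PROJECT}/attestors/vulnerability-scan-passed"


def check_rule(name, rule, required_attestor):
    """Return findings for one admission rule (default or per-cluster)."""
    findings = []
    mode = rule.get("evaluationMode")
    if mode != "REQUIRE_ATTESTATION":
        findings.append(f"{name}: evaluationMode is {mode!r}, "
                        "expected REQUIRE_ATTESTATION")
    enforcement = rule.get("enforcementMode")
    if enforcement != "ENFORCED_BLOCK_AND_AUDIT_LOG":
        # DRYRUN_AUDIT_LOG_ONLY writes an audit log entry but still admits the image.
        findings.append(f"{name}: enforcementMode {enforcement!r} does not block "
                        "violations")
    if required_attestor not in rule.get("requireAttestationsBy", []):
        findings.append(f"{name}: does not require attestation by {required_attestor}")
    return findings


def check_policy(policy, required_attestor=PROVENANCE_ATTESTOR):
    """Return a list of human-readable findings; an empty list means the
    policy requires the given attestor everywhere and blocks on failure."""
    findings = []
    for entry in policy.get("admissionWhitelistPatterns", []):
        pattern = entry.get("namePattern", "")
        # A pattern with no registry prefix (or starting with a wildcard)
        # exempts images from every registry and defeats the whole policy.
        if pattern.startswith("*") or "/" not in pattern:
            findings.append(f"admissionWhitelistPatterns: {pattern!r} exempts "
                            "images from every registry")
    findings += check_rule("defaultAdmissionRule",
                           policy.get("defaultAdmissionRule", {}),
                           required_attestor)
    for cluster, rule in policy.get("clusterAdmissionRules", {}).items():
        findings += check_rule(f"clusterAdmissionRules[{cluster}]",
                               rule, required_attestor)
    return findings


# Constructed weak policy: default rule admits everything, the one cluster
# that does require attestation only audits, and a '**' exemption is present.
WEAK_POLICY = {
    "name": f"projects/{PROJECT}/policy",
    "globalPolicyEvaluationMode": "ENABLE",
    "admissionWhitelistPatterns": [
        {"namePattern": "gcr.io/google_containers/*"},
        {"namePattern": "**"},
    ],
    "defaultAdmissionRule": {
        "evaluationMode": "ALWAYS_ALLOW",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
    },
    "clusterAdmissionRules": {
        "us-central1-a.prod-cluster": {
            "evaluationMode": "REQUIRE_ATTESTATION",
            "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
            "requireAttestationsBy": [PROVENANCE_ATTESTOR],
        },
    },
}

# Constructed hardened policy: every image must carry both the Cloud Build
# provenance attestation and the scan-passed attestation, or it is blocked.
HARDENED_POLICY = {
    "name": f"projects/{PROJECT}/policy",
    "globalPolicyEvaluationMode": "ENABLE",
    "admissionWhitelistPatterns": [
        {"namePattern": "gcr.io/google_containers/*"},
    ],
    "defaultAdmissionRule": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBy": [PROVENANCE_ATTESTOR, SCAN_ATTESTOR],
    },
}

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        findings = check_policy(policy)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

To run it against a real project, export the policy with `gcloud container binauthz policy export > policy.yaml`, load it with PyYAML (`yaml.safe_load`) and pass the resulting dictionary to `check_policy`. Listing both attestors under `requireAttestationsBy` is what ties the two halves of the answer together: the Cloud Build attestation proves who built the image, and the scan attestation proves it passed the compliance check; an image lacking either is rejected at deploy time.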