Google Cloud Professional Cloud Security Engineer — Question 137

Your organization wants to protect all workloads that run on Compute Engine VM to ensure that the instances weren't compromised by boot-level or kernel-level malware. Also, you need to ensure that data in use on the VM cannot be read by the underlying host system by using a hardware-based solution.

What should you do?

Answer options

• A. 1. Use Google Shielded VM including secure boot, Virtual Trusted Platform Module (vTPM), and integrity monitoring. 2. Create a Cloud Run function to check for the VM settings, generate metrics, and run the function regularly.
• B. 1. Activate Virtual Machine Threat Detection in Security Command Center (SCC) Premium. 2. Monitor the findings in SCC.
• C. 1. Use Google Shielded VM including secure boot, Virtual Trusted Platform Module (vTPM), and integrity monitoring. 2. Activate Confidential Computing. 3. Enforce these actions by using organization policies.
• D. 1. Use secure hardened images from the Google Cloud Marketplace. 2. When deploying the images, activate the Confidential Computing option. 3. Enforce the use of the correct images and Confidential Computing by using organization policies.

Correct answer: C

Explanation

The correct answer is C because it combines the protective features of Google Shielded VM, which includes secure boot and vTPM, with Confidential Computing, ensuring data in use is protected from the host. Option A lacks the Confidential Computing aspect, while option B does not provide sufficient protection at the hardware level. Option D, while it mentions secure images and Confidential Computing, does not include the essential elements of Shielded VMs for comprehensive security.