Google Cloud Professional Cloud Security Engineer — Question 260
To bring your company's messaging app into compliance with FIPS 140-2, a decision was made to use GCP compute and network services. The messaging app architecture includes a Managed Instance Group (MIG) that controls a cluster of Compute Engine instances. The instances use Local SSDs for data caching and UDP for instance-to-instance communications. The app development team is willing to make any changes necessary to comply with the standard.
Which options should you recommend to meet the requirements?
Answer options
- A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.
- B. Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.
- C. Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections.
- D. Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.
Correct answer: A
Explanation
Option A is correct because it encrypts both the cache storage and the VM-to-VM communication using the BoringCrypto module, which is essential for FIPS 140-2 compliance. Options B, C, and D either do not fully meet the encryption requirements or do not use the most suitable cryptographic library, so they fail to meet the standard.