Google Cloud Professional Security Operations Engineer — Question 6
You work for a large international company that has several Compute Engine instances running in production. You need to configure monitoring and alerting for Compute Engine instances tagged with compliance=pci that have an external IP address assigned. What should you do?
Answer options
- A. Create a custom Event Threat Detection module that alerts when a Compute Engine instance with the compliance=pci tag is assigned an external IP address.
- B. Deploy the compute.vmExternalIpAccess organization policy constraint to prevent specific projects or folders with the compliance=pci tag from creating Compute Engine instances with external IP addresses.
- C. Create a custom Security Health Analytics (SHA) module. Configure the detection logic to scan Cloud Asset Inventory data for compute.googleapis.com/Instance assets, and search for the compliance=pci tag.
- D. Use the PUBLIC_IP_ADDRESS Security Health Analytics (SHA) detector to identify Compute Engine instances with external IP addresses. Determine whether the compliance=pci tag exists on the instances.
Correct answer: C
Explanation
The correct answer is C because a custom Security Health Analytics (SHA) module lets you specifically look for instances carrying the compliance=pci tag within Cloud Asset Inventory data. Option A does not provide a direct method of monitoring these instances; option B prevents external IP assignment rather than monitoring it; option D identifies instances with external IPs but does not actively monitor for the compliance tag.