Professional-Cloud-DevOps-Engineer Exam Dumps : Google Cloud Certified - Professional Cloud DevOps Engineer Exam

The correct answer is B. Create an attestation for the builds that pass the load test by using a private key stored in Cloud Key Management Service (Cloud KMS) authenticated through Workload Identity.

According to the Google Cloud documentation, Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or Cloud Run1.Binary Authorization uses attestations to certify that a specific image has completed a previous stage in the CI/CD pipeline, such as passing a load test2.Attestations are signed by private keys that are associated with attestors, which are entities that verify the attestations3.To follow Google-recommended practices, you should store your private keys in Cloud Key ManagementService (Cloud KMS), which is a secure and scalable service for managing cryptographic keys4.You should also use Workload Identity, which is a feature that allows Kubernetes service accounts to act as Google service accounts, to authenticate to Cloud KMS and sign attestations without having to manage or expose service account keys5.

The other options are incorrect because they do not follow Google-recommended practices. Option A and option D require human intervention to sign the attestations, which is not scalable or automated. Option C exposes the service account JSON key as a Kubernetes Secret, which is less secure than using Workload Identity.

Comprehensive and Detailed 150 to 200 words of Explanation From Google Cloud DevOps guides documents:

In incident management, the primary goal during the "Mitigation" phase is to restore service levels as quickly as possible, often referred to as "stopping the bleeding." Google Cloud’s SRE principles emphasize that during a high-priority incident, you should prioritize actions that have an immediate impact over long-term fixes or deep-dive forensics. While a rollback (Option C) is a standard procedure, the 15-minute CI/CD overhead is too slow when a critical payment service is failing. Using Cloud Profiler (Option A) is a diagnostic step that should be reserved for the post-mortem phase, not the heat of the outage.

Canceling the active Dataflow job (Option D) is the fastest way to alleviate the pressure on the shared Memorystore instance. Since the Dataflow pipeline is "non-critical" and "batch-based," stopping it has a low business impact compared to the payment service outage. Once the job is canceled, the write pressure on Redis drops instantly, reducing read latency and restoring the payment service to health. This aligns with the SRE practice of "shedding load" to protect critical system components. Once the immediate crisis is resolved, the team can then investigate the root cause and implement long-term fixes like rate limiting or resource isolation.