Google Cloud Professional Cloud Security Engineer Practice Exam

What is the best approach for ensuring Windows Compute Engine VMs are up to date with OS patches?

• A. Manually update each VM as patches become available
• B. Build new base images and use CI/CD to incrementally deploy updates
• C. Utilize third-party patch management tools
• D. Only apply patches to VMs that are experiencing issues

The correct answer is: Build new base images and use CI/CD to incrementally deploy updates

The best approach for ensuring Windows Compute Engine VMs are up to date with OS patches is to build new base images and use CI/CD to incrementally deploy updates. This method leverages automation, which is crucial for maintaining a secure and efficient environment. By creating a base image that includes the latest patches and updates, organizations can ensure that all newly deployed VMs start from a secure state. Using Continuous Integration and Continuous Deployment (CI/CD) practices allows for the automated rollout of these images across the environment. This approach not only saves time but also minimizes human error, which can occur during manual updates. Incremental deployment ensures that existing VMs can be efficiently updated to the latest version of the base image. This can be done without significant downtime or disruption to services, as updates can be tested and deployed in a controlled manner. Additionally, maintaining consistency across VMs improves security and compliance, as all instances run the same software versions and patches. This strategy also helps in scaling the deployment process, making it easier to manage a large number of VMs. In contrast, manual updates can be labor-intensive and prone to oversight, while relying only on third-party tools or patching selectively based on issues may not ensure that all vulnerabilities are addressed promptly.