Professional-Cloud-Security-Engineer Google Cloud Certified - Professional Cloud Security Engineer Questions and Answers

Grant users the compuce.imageUser role in their own projects.

Grant users the compuce.imageUser role in the OS image project.

Store the image in every project that is spun up in your organization.

Set up an image access organization policy constraint, and list the security team managed project in the projects allow list.

Remove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.

App Engine

Cloud Functions

Compute Engine

Google Kubernetes Engine

Cloud Storage

Central management of routes, firewalls, and VPNs for peered networks

Non-transitive peered networks; where only directly peered networks can communicate

Ability to peer networks that belong to different Google Cloud Platform organizations

Firewall rules that can be created with a tag from one peered network to another peered network

Ability to share specific subnets across peered networks

Temporarily disable authentication on the Cloud Storage bucket.

Use the undelete command to recover the deleted service account.

Create a new service account with the same name as the deleted service account.

Update the permissions of another existing service account and supply those credentials to the applications.

Cloud Run

Native

Enforced

Dry run

Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.

Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.

Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration. Update the perimeter configuration after the access level has been vetted.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.

Marketplace IDS

VPC Flow Logs

VPC Service Controls logs

Packet Mirroring

Google Cloud Armor Deep Packet Inspection

Use Forseti with Firewall filters to catch any unwanted configurations in production.

Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.

Route all VPC traffic through customer-managed routers to detect malicious patterns in production.

All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.

Limit the physical location of a new resource with the Organization Policy Service resource locations

constraint."

Use Cloud IDS to get east-west and north-south traffic visibility in the EU to monitor intra-VPC and mter-VPC communication.

Limit Google personnel access based on predefined attributes such as their citizenship or geographic location by using Key Access Justifications

Use identity federation to limit access to Google Cloud resources from non-EU entities.

Use VPC Flow Logs to monitor intra-VPC and inter-VPC traffic in the EU.

Upload the logs to both the shared bucket and the bucket with Pll that is only accessible to the administrator. Use the Cloud Data Loss Prevention API to create a job trigger. Configure the trigger to delete any files that contain Pll from the shared bucket.

On the shared bucket, configure Object Lifecycle Management to delete objects that contain Pll.

On the shared bucket, configure a Cloud Storage trigger that is only triggered when Pll is uploaded. Use Cloud Functions to capture the trigger and delete the files that contain Pll.

Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect Pll, have the function move the objects into the shared Cloud Storage bucket.

Google Cloud Armor

Web Security Scanner

Security Health Analytics

Container Threat Detection

Configure GCDS and use GCDS search rules lo sync these users.

Use the transfer tool to migrate unmanaged users.

Write a custom script to identify existing Google Cloud users and call the Admin SDK Directory API totransfer their account.

Configure GCDS and use GCDS exclusion rules to ensure users are not suspended.

Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.

Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a

job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.

On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.

On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.

All load balancer types are denied in accordance with the global node’s policy.

INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder’s policy.

EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project’s policy.

EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project’s policies.

Remove Owner roles from end users, and configure Cloud Data Loss Prevention.

Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.

Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.

Remove*.setIamPolicypermissions from all roles, and enforce domain restricted sharing in an organization policy.

Use Cloud Build to build the container images.

Build small containers using small base images.

Delete non-used versions from Container Registry.

Use a Continuous Delivery tool to deploy the application.

Enable domain restricted sharing in an organization policy, and enable uniform bucket-level access on the Cloud Storage bucket.

Enable VPC Service Controls, create a perimeter around Projects A and B. and include the Cloud Storage API in the Service Perimeter configuration.

Enable Private Access in both Project A and B's networks with strict firewall rules that allow communication between the networks.

Enable VPC Peering between Project A and B's networks with strict firewall rules that allow communication between the networks.

Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.

Create a custom role with the permission compute.instances.list and grant the Service Account this role.

Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.

Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.

Cloud Identity-Aware Proxy

Cloud Armor

Cloud Endpoints

Cloud VPN

Run a platform security scanner on all instances in the organization.

Notify Google about the pending audit and wait for confirmation before performing the scan.

Contact a Google approved security vendor to perform the audit.

Identify all external assets by using Cloud Asset Inventory and then run a network security scanner againstthem.

Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.

Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.

Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.

Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.

In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.

Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.

Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.

In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.

In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.

Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.

Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.

Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.

Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.

Folder

Resource

Project

Organization

Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.

Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.

Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.

Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.

Identity Aware-Proxy

Cloud NAT

TCP/UDP Load Balancing

Cloud DNS

Turn off the domain restriction sharing organization policy. Set the policy value to "Allow All."

Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.

Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.

Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.

Customer-managed encryption keys with Cloud Key Management Service

Customer-managed encryption keys with Cloud HSM

Customer-supplied encryption keys

Google-managed encryption keys

Migrate the application into an isolated project using a “Lift & Shift” approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the

application to work properly.

Migrate the application into an isolated project using a “Lift & Shift” approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.

Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project.

Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

EnableBinary Authorization on the existing Kubernetes cluster.

Set the organization policy constraint constraints/run. allowedBinaryAuthorizationPolicie to

the list of allowed Binary Authorization policy names.

Set the organization policy constraint constraints/compute.trustedimageProjects to the list of

protects that contain the trusted container images.

Enable Binary Authorization on the existing Cloud Run service.

Use Cloud Run breakglass to deploy an image that meets the Binary Authorization policy by default.

Implement an organization policy to enforce that boot disks can only be created from images that come fromthe trusted image project.

Create a Cloud Function that is automatically triggered when a new virtual machine is created from thetrusted image repository Verify that the image is not deprecated.

Implement an organization policy constraint that enables the Shielded VM service on all projects to enforcethe trusted image repository usage.

Automate a security scanner that verifies that no common vulnerabilities and exposures (CVEs) are presentin your trusted image repository.

Cloud Armor

Network Load Balancing

SSL Proxy Load Balancing

NAT Gateway

•1 Identify buckets with record data

•2 Apply a retention policy and set it to retain for seven years

•3 Monitor the bucket by using log-based alerts to ensure that no modifications to the retention policy occurs

•1 Identify buckets with record data

•2 Apply a retention policy and set it to retain for seven years

•3 Remove any Identity and Access Management (IAM) roles that contain the storage buckets update permission

•1 Identify buckets with record data

•2 Enable the bucket policy only to ensure that data is retained

•3 Enable bucket lock

* 1 Identify buckets with record data

•2 Apply a retention policy and set it to retain for seven years

•3 Enable bucket lock

Security Command Center

Firewall Rules Logging

VPC Flow Logs

Firewall Insights

Use Google Cloud Directory Sync to convert the unmanaged user accounts.

Create a new managed user account for each consumer user account.

Use the transfer tool for unmanaged user accounts.

Configure single sign-on using a customer's third-party provider.

Configure an ingress policy for the perimeter in Project A and allow access for the service account in ProjectB to collect messages.

Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is locatedin Project A.

Create a perimeter bridge between Project A and Project B to allow the required communication betweenboth projects.

Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project A.

Titan Security Keys

Google prompt

Google Authenticator app

Cloud HSM keys

Use multi-factor authentication for admin access to the web application.

Use only applications certified compliant with PA-DSS.

Move the cardholder data environment into a separate GCP project.

Use VPN for all connections between your office and cloud environments.

Hardware

Network Security

Storage Encryption

Access Policies

Boot

Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.

Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.

Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.

Run all in-scope Pods in the namespace “in-scope-pci”.

Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises

Use Cloud External Key Manager to delete specific encryption keys.

Use customer-managed encryption keys to delete specific encryption keys.

Use Google default encryption to delete specific encryption keys.

Create a Log Sink at the organization level with a Pub/Sub destination.

Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.

Enable Data Access audit logs at the organization level to apply to all projects.

Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.

Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.

Use the Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity.

Use the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity.

Configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity.

Configure Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity.

Use the org policy constraint "Restrict Resource Service Usage'* on your Google Cloud organization node.

Use Identity and Access Management (1AM) custom roles to ensure that your DevOps team can only create resources in the Europe regions

Use the org policy constraint Google Cloud Platform - Resource Location Restriction" on your Google Cloud

organization node.

Use Identity-Aware Proxy (IAP) with Access Context Manager to restrict the location of Google Cloud resources.

Event Threat Detection

Container Threat Detection

Security Health Analytics

Cloud Data Loss Prevention

Google Cloud Armor

Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS) Configure arule to let principals in the pool impersonate the Google Cloud service account.

Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS) Let allprincipals in the pool impersonate the Google Cloud service account.

Set up a workload identity pool with an OpenID Connect (OIDC) service on the name machine Configure arule to let principals in the pool impersonate the Google Cloud service account.

Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine Let allprincipals in the pool impersonate the Google Cloud service account.

The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy must

be defined on the current project to deactivate the constraint temporarily.

The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed.

The action succeeds because members from both organizations, terramearth. com or flowlogistic.com, are allowed on projects in the "Apps" folder

The action succeeds and the new member is successfully added to the project's Identity and Access Management (1AM) policy because all policies are inherited by underlying folders and projects.

Use bucketing to shift values to a predetermined date based on the initial value.

Extract the date using TimePartConfig from each date field and append a random month and year

Use date shifting with the context set to the unique ID of the test subject

Use the FFX mode of format preserving encryption (FPE) and maintain data consistency

Set a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PH and movesthe files to the archive storage class.

Create a Cloud Data Loss Prevention (DLP) inspection job that de-identifies Pll in files created more than 12months ago and archives them to another Cloud Storage bucket. Delete the original files.

Schedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys ofthe Cloud Storage files containing Pll to de-identify them Delete the original keys.

Configure the Autoclass feature of the Cloud Storage bucket to de-identify Pll Archive the files that are olderthan 12 months Delete the original files.

•1 Create a dedicated service account for the CI/CD pipelines

•2 Run the deployment pipelines in a dedicated nodes pool in the GKE cluster

•3 Use the service account that you created as identity for the nodes in the pool to authenticate to the Google Cloud APIs

•1 Create service accounts for each deployment pipeline

•2 Generate private keys for the service accounts

•3 Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deploy pipeline

* 1 Create individual service accounts (or each deployment pipeline

•2 Add an identifier for the pipeline in the service account naming convention

•3 Ensure each pipeline runs on dedicated pods

•4 Use workload identity to map a deployment pipeline pod with a service account

•1 Create two service accounts one for the infrastructure and one for the application deployment

•2 Use workload identities to let the pods run the two pipelines and authenticate with the service accounts

•3 Run the infrastructure and application pipelines in separate namespaces

Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.

Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.

Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.

Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.

Encrypt the files locally, and then use gsutil to upload the files to a new bucket.

Copy the files to a new bucket with CMEK enabled in a secondary region

Reupload the files to the same Cloud Storage bucket specifying a key file by using gsutil.

Change the encryption type on the bucket to CMEK, and rewrite the objects

Store the data in a single Persistent Disk, and delete the disk at expiration time.

Store the data in a single BigQuery table and set the appropriate table expiration time.

Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.

Store the data in a single BigTable table and set an expiration time on the column families.

Cloud Armor

Google Cloud Audit Logs

Cloud Security Scanner

Forseti Security

ISO 27001

ISO 27002

ISO 27017

ISO 27018

Configure the organization policy constraint gcp.resourceLocations to europe-west4.

Set the logging storage region to eurcpe-west4 by using the gcloud CLI logging settings update.

Create a new tog bucket in europe-west4. and redirect the _Def auit bucKet to the new bucket.

Configure log sink to export all logs into a Cloud Storage bucket in europe-west4.

Create an ingress firewall rule to allow access only from the application to the database using firewall tags.

Create a different subnet for the frontend application and database to ensure network isolation.

Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.

Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.

Configure an ingress firewall rule that allows communication from the src IP range of subnet A to the tag "data-tag" that is applied to the mysql Compute Engine VM on port 3306.

Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306.

Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged fe-tag.

Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.

Create a Cloud Key Management Service (KMS) key with imported key material Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.

Create a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM) Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.

Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module

(HSM) system from supported vendors.

Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems Provide the raw CSEK as part of the API call.

1. Enable Container Threat Detection in the Security Command Center Premium tier.

• 2. Upgrade all clusters that are not on a supported version of GKE to the latest possible GKE version.

• 3. View and share the results from the Security Command Center

• 1. Use an open source tool in Cloud Build to scan the images.

• 2. Upload reports to publicly accessible buckets in Cloud Storage by using gsutil

• 3. Share the scan report link with your security department.

• 1. Enable vulnerability scanning in the Artifact Registry settings.

• 2. Use Cloud Build to build the images

• 3. Push the images to the Artifact Registry for automatic scanning.

• 4. View the reports in the Artifact Registry.

• 1. Get a GitHub subscription.

• 2. Build the images in Cloud Build and store them in GitHub for automatic scanning

• 3. Download the report from GitHub and share with the Security Team

1. Configure the option to suspend domain users not found in LDAP.

2. Set up a recurring GCDS task.

1. Configure the option to delete domain users not found in LDAP.

2. Run GCDS after user and group lifecycle changes.

1. Configure the LDAP search attributes to exclude manually created Cloud Identity users not found in LDAP.

2. Set up a recurring GCDS task.

1. Configure the LDAP search attributes to exclude manually created Cloud identity users not found in LDAP.

2. Run GCDS after user and group lifecycle changes.

Cloud Armor

VPC Firewall Rules

Cloud Identity and Access Management

Cloud CDN

Customer-managed encryption keys

Customer-Supplied Encryption Keys

Key Access Justifications

Access Transparency and Approval

Cloud External Key Manager

A firewall rule prevents the key from being accessible.

Cloud HSM does not support Cloud Storage

The CMEK is in a different project than the Cloud Storage bucket

The CMEK is in a different region than the Cloud Storage bucket.