Professional-Cloud-Security-Engineer Google Cloud Certified - Professional Cloud Security Engineer Questions and Answers

Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam- account=IAM_ACCOUNT.

Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam- account=IAM_ACCOUNT --key=NEW_KEY.

Create a new key, and use the new key in the application. Delete the old key from the Service Account.

Create a new key, and use the new key in the application. Store the old key on the system as a backup key.

Enable Access Transparency Logging.

Deploy resources only to regions permitted by data residency requirements

Use Data Access logging and Access Transparency logging to confirm that no users are accessing data from another region.

Deploy Assured Workloads.

Cloud Bigtable

Cloud BigQuery

Compute Engine SSD Disk

Compute Engine Persistent Disk

ISO 27001

ISO 27002

ISO 27017

ISO 27018

Customer-managed encryption keys with Cloud Key Management Service

Customer-managed encryption keys with Cloud HSM

Customer-supplied encryption keys

Google-managed encryption keys

Disable and revoke access to compromised keys.

Enable automatic key version rotation on a regular schedule.

Manually rotate key versions on an ad hoc schedule.

Limit the number of messages encrypted with each key version.

Disable the Cloud KMS API.

Cloud External Key Manager

Customer-managed encryption keys

Customer-supplied encryption keys

Google default encryption

Set the session duration for the Google session control to one hour.

Set the reauthentication frequency (or the Google Cloud Session Control to one hour.

Set the organization policy constraint

constraints/iam.allowServiceAccountCredentialLifetimeExtension to one hour.

Set the organization policy constraint constraints/iam. serviceAccountKeyExpiryHours to one

hour and inheritFromParent to false.

•1 Update the perimeter

•2 Configure the egressTo field to set identity Type toany_identity.

•3 Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

* Allow the external project by using the organizational policy

constraints/compute.trustedlmageProjects.

•1 Update the perimeter

•2 Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

•3 Configure the egressFrom field to set identity Type toany_idestity.

•1 Update the perimeter

•2 Configure the ingressFrcm field to set identityType toan-y_identity.

•3 Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis -com.

Route all on-premises traffic to Google Cloud through an IPsec VPN tunnel to a VPC with Private GoogleAccess enabled.

Set up VPC peering between the hosts on-premises and the VPC through the internet.

Enforce a security policy that mandates all applications to encrypt data with a Cloud Key Management.Service (KMS) key before you send it over the network.

Route all on-premises traffic to Google Cloud through a dedicated or Partner interconnect to a VPC withPrivate Google Access enabled.

SSO SAML as a third-party IdP

Identity Platform

OpenID Connect

Identity-Aware Proxy

Cloud Identity

Grant users the compuce.imageUser role in their own projects.

Grant users the compuce.imageUser role in the OS image project.

Store the image in every project that is spun up in your organization.

Set up an image access organization policy constraint, and list the security team managed project in the projects allow list.

Remove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.

Enforce 2-factor authentication in GSuite for all users.

Configure Cloud Identity-Aware Proxy for the App Engine Application.

Provision user passwords using GSuite Password Sync.

Configure Cloud VPN between your private network and GCP.

Use the Cloud Key Management Service to manage the data encryption key (DEK).

Use the Cloud Key Management Service to manage the key encryption key (KEK).

Use customer-supplied encryption keys to manage the data encryption key (DEK).

Use customer-supplied encryption keys to manage the key encryption key (KEK).

Use the org policy constraint "Restrict Resource Service Usage'* on your Google Cloud organization node.

Use Identity and Access Management (1AM) custom roles to ensure that your DevOps team can only create resources in the Europe regions

Use the org policy constraint Google Cloud Platform - Resource Location Restriction" on your Google Cloud

organization node.

Use Identity-Aware Proxy (IAP) with Access Context Manager to restrict the location of Google Cloud resources.

Use Puppet or Chef to push out the patch to the running container.

Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.

Update the application code or apply a patch, build a new image, and redeploy it.

Configure containers to automatically upgrade when the base image is available in Container Registry.

EnableBinary Authorization on the existing Kubernetes cluster.

Set the organization policy constraint constraints/run. allowedBinaryAuthorizationPolicie to

the list of allowed Binary Authorization policy names.

Set the organization policy constraint constraints/compute.trustedimageProjects to the list of

protects that contain the trusted container images.

Enable Binary Authorization on the existing Cloud Run service.

Use Cloud Run breakglass to deploy an image that meets the Binary Authorization policy by default.

Upload an .htaccess file containing the customer and employee user accounts to App Engine.

Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic.

Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts.

Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the company’s GCP Virtual Private Cloud (VPC) network.

Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises

Use Cloud External Key Manager to delete specific encryption keys.

Use customer-managed encryption keys to delete specific encryption keys.

Use Google default encryption to delete specific encryption keys.

Use bucketing to shift values to a predetermined date based on the initial value.

Extract the date using TimePartConfig from each date field and append a random month and year

Use date shifting with the context set to the unique ID of the test subject

Use the FFX mode of format preserving encryption (FPE) and maintain data consistency

Cloud Identity-Aware Proxy

Cloud Armor

Cloud Endpoints

Cloud VPN

Implement an organization policy to enforce that boot disks can only be created from images that come fromthe trusted image project.

Create a Cloud Function that is automatically triggered when a new virtual machine is created from thetrusted image repository Verify that the image is not deprecated.

Implement an organization policy constraint that enables the Shielded VM service on all projects to enforcethe trusted image repository usage.

Automate a security scanner that verifies that no common vulnerabilities and exposures (CVEs) are presentin your trusted image repository.

Use Google default encryption.

Manually add users to Google Cloud.

Provision users with basic roles using Google's Identity and Access Management (1AM) service.

Use SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.

Provide granular access with predefined roles.

Temporarily disable authentication on the Cloud Storage bucket.

Use the undelete command to recover the deleted service account.

Create a new service account with the same name as the deleted service account.

Update the permissions of another existing service account and supply those credentials to the applications.

Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.

Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a

job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.

On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.

On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.

Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.

Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

Cloud Run

Native

Enforced

Dry run

•1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring

•2 Create a Cloud Run function to check for the VM settings generate metrics and run the function regularly

•1 Activate Virtual Machine Threat Detection in Security Command Center (SCO Premium

•2 Monitor the findings in SCC

* 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring

•2 Activate Confidential Computing

•3 Enforce these actions by using organization policies

•1 Use secure hardened images from the Google Cloud Marketplace

•2 When deploying the images activate the Confidential Computing option

•3 Enforce the use of the correct images and Confidential Computing by using organization policies

Use the Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity.

Use the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity.

Configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity.

Configure Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity.

Create a Cloud Key Management Service (KMS) key with imported key material Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.

Create a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM) Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.

Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module

(HSM) system from supported vendors.

Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems Provide the raw CSEK as part of the API call.

Event Threat Detection

Container Threat Detection

Security Health Analytics

Cloud Data Loss Prevention

Google Cloud Armor

Set up an ACL with OWNER permission to a scope of allUsers.

Set up an ACL with READER permission to a scope of allUsers.

Set up a default bucket ACL and manage access for users using IAM.

Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.

Security Command Center

Firewall Rules Logging

VPC Flow Logs

Firewall Insights

Ensure that the app does not run as PID 1.

Package a single app as a container.

Remove any unnecessary tools not needed by the app.

Use public container images as a base image for the app.

Use many container image layers to hide sensitive information.

Configure GCDS and use GCDS search rules lo sync these users.

Use the transfer tool to migrate unmanaged users.

Write a custom script to identify existing Google Cloud users and call the Admin SDK Directory API totransfer their account.

Configure GCDS and use GCDS exclusion rules to ensure users are not suspended.

Remove Owner roles from end users, and configure Cloud Data Loss Prevention.

Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.

Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.

Remove*.setIamPolicypermissions from all roles, and enforce domain restricted sharing in an organization policy.

Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.

Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration. Update the perimeter configuration after the access level has been vetted.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.

•1 Identify buckets with record data

•2 Apply a retention policy and set it to retain for seven years

•3 Monitor the bucket by using log-based alerts to ensure that no modifications to the retention policy occurs

•1 Identify buckets with record data

•2 Apply a retention policy and set it to retain for seven years

•3 Remove any Identity and Access Management (IAM) roles that contain the storage buckets update permission

•1 Identify buckets with record data

•2 Enable the bucket policy only to ensure that data is retained

•3 Enable bucket lock

* 1 Identify buckets with record data

•2 Apply a retention policy and set it to retain for seven years

•3 Enable bucket lock

Create a policy that requires employees to not leave their sessions open for long durations.

Review and disable unnecessary Google Cloud APIs.

Require strong passwords and 2SV through a security token or Google authenticate.

Set the session length timeout for Google Cloud services to a shorter duration.

Assign a BigQuery Data Viewer role along with an 1AM condition that limits the access to specified working hours.

Configure Cloud Scheduler so that it triggers a Cloud Functions instance that modifies the organizational policy constraints for BigQuery during the specified working hours.

Assign a BigQuery Data Viewer role to a service account that adds and removes the users daily during the specified working hours

Run a gsuttl script that assigns a BigQuery Data Viewer role, and remove it only during the specified working hours.

Use multi-factor authentication for admin access to the web application.

Use only applications certified compliant with PA-DSS.

Move the cardholder data environment into a separate GCP project.

Use VPN for all connections between your office and cloud environments.

Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.

Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.

Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.

Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.

All load balancer types are denied in accordance with the global node’s policy.

INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder’s policy.

EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project’s policy.

EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project’s policies.

Use Cloud Source Repositories, and store secrets in Cloud SQL.

Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.

Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL.

Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.

Assign the Project Viewer Identity and Access Management (1AM) role to the DevOps team.

Create a custom 1AM role with limited list/view permissions, and assign it to the DevOps team.

Create a service account, and grant it the Project Owner 1AM role. Give the Service Account User Role on this service account to the DevOps team.

Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team.

Customer-supplied encryption keys (CSEK)

Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)

Encryption by default

Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis

Container Threat Detection

Web Security Scanner

Rapid Vulnerability Detection

Virtual Machine Threat Detection

Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.

Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.

Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.

Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.

Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.

Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.

Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).

Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.

Create a site-to-site VPN from your corporate network to Google Cloud.

Configure server instances with public IP addresses Create a firewall rule to only allow traffic from yourcorporate IPs.

Create a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range Grant the role of an IAP-secured Tunnel User to the administrators.

Create a jump host instance with public IP Manage the instances by connecting through the jump host.

Central management of routes, firewalls, and VPNs for peered networks

Non-transitive peered networks; where only directly peered networks can communicate

Ability to peer networks that belong to different Google Cloud Platform organizations

Firewall rules that can be created with a tag from one peered network to another peered network

Ability to share specific subnets across peered networks

Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.

Encrypt non-sensitive data and sensitive data with Cloud Key Management Service

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

Set a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PH and movesthe files to the archive storage class.

Create a Cloud Data Loss Prevention (DLP) inspection job that de-identifies Pll in files created more than 12months ago and archives them to another Cloud Storage bucket. Delete the original files.

Schedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys ofthe Cloud Storage files containing Pll to de-identify them Delete the original keys.

Configure the Autoclass feature of the Cloud Storage bucket to de-identify Pll Archive the files that are olderthan 12 months Delete the original files.

•1 Remove the Identity and Access Management (IAM) granting access to allusers from the buckets

•2 Apply the organization policy storage. unifromBucketLevelAccess to prevent regressions

•3 Query the data access logs to report on unauthorized access

•1 Change bucket permissions to limit access

•2 Query the data access audit logs for any unauthorized access to the buckets

•3 After the misconfiguration is corrected mute the finding in the Security Command Center

•1 Change permissions to limit access for authorized users

•2 Enforce a VPC Service Controls perimeter around all the production projects to immediately stop any unauthorized access

•3 Review the administrator activity audit logs to report on any unauthorized access

•1 Change the bucket permissions to limit access

•2 Query the buckets usage logs to report on unauthorized access to the data

•3 Enforce the organization policy storage.publicAccessPrevention to avoid regressions

■■

Google Cloud Armor

Cloud NAT

Cloud Router

Cloud VPN

Configure an ingress policy for the perimeter in Project A and allow access for the service account in ProjectB to collect messages.

Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is locatedin Project A.

Create a perimeter bridge between Project A and Project B to allow the required communication betweenboth projects.

Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project A.

Define an organization policy constraint.

Configure packet mirroring policies.

Enable VPC Flow Logs on the subnet.

Monitor and analyze Cloud Audit Logs.

• 1. Attach external IP addresses to the VMs in scope.

• 2. Configure a VPC Firewall rule in "dev-vpc" that allows egress connectivity to IP range 10.58.5.0/24 for all source addresses in this network.

• 1. Attach external IP addresses to the VMs in scope.

• 2. Define and apply a hierarchical firewall policy on folder level to deny all egress connections and to allow egress to IP range 10 58.5.0/24 from network dev-vpc.

• 1. Leave the network configuration of the VMs in scope unchanged.

• 2. Create a new project including a new VPC network "new-vpc."

• 3 Deploy a network appliance in "new-vpc" to filter access requests and only allow egress connections from -dev-vpc" to 10.58.5.0/24.

• 1 Leave the network configuration of the VMs in scope unchanged

• 2 Enable Cloud NAT for dev-vpc" and restrict the target range in Cloud NAT to 10.58.5 0/24.

A firewall rule prevents the key from being accessible.

Cloud HSM does not support Cloud Storage

The CMEK is in a different project than the Cloud Storage bucket

The CMEK is in a different region than the Cloud Storage bucket.

Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.

Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based

on location.

Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.

Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.

Ensure that firewall rules are in place to meet the required controls.

Set up Cloud Armor to ensure that network security controls can be managed for G Suite.

Network security is a built-in solution and Google’s Cloud responsibility for SaaS products like G Suite.

Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation.

Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.

Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.

Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.

Use FindingLimits and TimespanContfig to sample data and minimize transformation units.

Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.

Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.

Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.

Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.

SSL Proxy

TCP Proxy

Internal TCP/UDP

TCP/UDP Network

Cloud Key Management Service

Cloud Data Loss Prevention API

BigQuery

Cloud Security Scanner

Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with security keys in the Google Admin console.

Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with verification codes via text or phone call in the Google Admin console.

Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with security keys in the Google Admin console.

Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with verification codes via text or phone call in the Google Admin console.