Pass the Google Cloud Certified Professional-Cloud-Security-Engineer Questions and answers with ValidTests

Objective: You want to limit the images that can be used as the source for boot disks to a set of images stored in a dedicated project.

Solution: Use the Organization Policy Service.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the Organization Policies page.

Step 3: Create a new policy by clicking on "Create Policy".

Step 4: Select the constraint compute.trustedimageProjects.

Step 5: Set the policy to ALLOW and specify the project ID where the trusted images are stored in the whitelist.

Step 6: Save and apply the policy.

By creating a compute.trustedimageProjects constraint at the organization level and specifying the trusted project in the allow list, you ensure that only images from this project can be used for boot disks across the organization.

To maintain a historical record of what was running in Google Cloud Platform at any point in time, you should use Forseti Security to automate inventory snapshots. Forseti Security is an open-source toolkit that helps to automate security and compliance in GCP by taking inventory snapshots of GCP resources.

Step-by-Step:

Install Forseti Security:

Follow the installation guide to deploy Forseti Security on your GCP environment.

Configure Inventory:

Set up the inventory module in Forseti to capture and store snapshots of GCP resources.

Schedule Snapshots:

Use Forseti’s configuration to schedule regular inventory snapshots.

Access Historical Data:

Review and access historical records through Forseti’s dashboard or by querying the Forseti database.

Compliance and Monitoring: Use Forseti to ensure compliance and monitor changes over time.

By generating a key in your on-premises environment and storing it in an HSM that you manage, you're ensuring that the key material is fully under your control. Using the key as an external key in Cloud KMS allows you to use the key with Google Cloud services without having the key stored on Google Cloud. Activating Key Access Justifications (KAJ) provides a reason every time the key is accessed, and you can configure the external key system to reject unauthorized access attempts.

Comprehensive and Detailed Explanation From Exact Extract:

The requirements are a combination of preventative and detective controls (prevent and detect misconfigurations) applied at the Folder level to meet both industry-specific (predefined standards) and internal/custom policies. The dedicated Google Cloud feature for this is Security Posture Management in Security Command Center (SCC).

Postures and Enforcement: A Security Posture is a feature within SCC Premium/Enterprise that allows you to define, deploy, and monitor the security status of your cloud assets. You can deploy postures at the organization, folder, or project level to enforce standards.

Custom and Predefined Policies: A posture combines both:

Predefined Policies: Using Security Health Analytics (SHA) detectors and mapped standards (like CIS, ISO 27001, PCI DSS) covers the industry-specific compliance requirements (detection).

Custom Policies: Using custom Organization Policy constraints and custom SHA modules allows you to enforce and detect your internal company policies (prevention and detection).

Extracts:

"In Google Cloud, you can use the security posture service in Security Command Center to define and deploy a security posture, monitor the security status of your Google Cloud resources..." (Source 2.3)

"You can deploy postures at the organization level, folder level, or project level." (Source 2.3)

"The security posture service includes the following components: Posture. One or more policy sets that enforce the preventative and detective controls that your organization requires to meet its security standard... Supported policies are the following: Organization Policy constraints, including custom constraints [Preventative]. Security Health Analytics detectors, including custom modules [Detective]." (Source 2.3, 8.2)

Option C correctly identifies the comprehensive solution for both prevention and detection using a Posture file, which supports custom and predefined policies enforced at the required scope (folder).

Since the domain is already being used by G Suite, the best course of action is to minimize disruption by discovering any existing uses of Google-managed services. Collaborate with the existing Super Administrator to align the setup with the company's requirements.

Step-by-Step:

Identify Existing Usage: Have the customer's management identify all current uses of the domain within Google-managed services.

Collaboration: Work closely with the existing Super Administrator of the domain.

Provision Required Accounts: Ask the Super Administrator to provision necessary accounts and permissions for the data science manager or other relevant personnel.

Integrate SAML IdP: Ensure that the existing domain integrates with the company’s SAML 2.0 IdP for user authentication.

Set Up Cloud Identity: Configure Cloud Identity under the guidance of the Super Administrator without disrupting current services.

Google Cloud Identity Administration

Google Support for Domain Issues

Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module (HSM) system from supported vendors: Cloud EKM allows you to use encryption keys that are managed externally to Google Cloud. This means you can generate and store your keys in an on-premises HSM or another supported external HSM service, and integrate these keys with various Google Cloud services.

Integration with Google Services: Cloud EKM integrates seamlessly with many Google Cloud services, including BigQuery, Cloud Storage, Compute Engine, and more. This provides you with full control over your encryption keys while still taking advantage of Google Cloud's powerful services.

References

Cloud External Key Management (EKM) documentation

External Key Management overview

https://gsuite.google.com/learn-more/security/security-whitepaper/page-1.html

Shared responsibility “Security of the Cloud” - GCP is responsible for protecting the infrastructure that runs all of the services offered in the GCP Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run GCP Cloud services.

VPC Peering is between organizations not between Projects in an organization. That is Shared VPC. In this case, both projects are in same organization so having VPC Service Controls around both projects with necessary rules should be fine.

https://cloud.google.com/vpc-service-controls/docs/overview

Objective: Understand the security characteristics of VPC peering.

Security Characteristics:

Non-transitive Peering: VPC peering connections are non-transitive. This means that peering is strictly between two VPC networks. If VPC A is peered with VPC B, and VPC B is peered with VPC C, VPC A cannot communicate with VPC C unless a direct peering connection is established.

Inter-Organization Peering: VPC peering allows you to connect VPC networks across different Google Cloud Platform organizations, facilitating private communication between distinct organizational units.

These characteristics ensure controlled and secure connectivity between VPC networks while preventing unintended data exposure.

Rotating a user-managed Service Account key involves creating a new key, updating your application to use the new key, and then deleting the old key to maintain security. Here’s the step-by-step process:

Create a New Key: Use the Google Cloud Console or gcloud command-line tool to create a new key for the service account. This generates a new key pair and provides you with the private key.

gcloud iam service-accounts keys create new-key-file.json --iam-account=YOUR_SERVICE_ACCOUNT_EMAIL

Update Application: Update your application configuration to use the new key. This might involve replacing the old key file with the new one or updating the environment variables or configurations that point to the key file.

Delete the Old Key: Once you have confirmed that the application is working correctly with the new key, delete the old key from the service account to ensure it cannot be used for unauthorized access.

gcloud iam service-accounts keys delete OLD_KEY_ID --iam-account=YOUR_SERVICE_ACCOUNT_EMAIL

This process ensures that your service account keys are regularly rotated, reducing the risk of key compromise.

References

Managing Service Account Keys

Service Account Key Rotation