Professional-Cloud-Security-Engineer Google Cloud Certified - Professional Cloud Security Engineer Questions and Answers

Create a Log Sink at the organization level with a Pub/Sub destination.

Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.

Enable Data Access audit logs at the organization level to apply to all projects.

Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.

Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.

Add the host project containing the Shared VPC to the service perimeter.

Add the service project where the Compute Engine instances reside to the service perimeter.

Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.

Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.

Create a site-to-site VPN from your corporate network to Google Cloud.

Configure server instances with public IP addresses Create a firewall rule to only allow traffic from yourcorporate IPs.

Create a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range Grant the role of an IAP-secured Tunnel User to the administrators.

Create a jump host instance with public IP Manage the instances by connecting through the jump host.

Run each tier in its own Project, and segregate using Project labels.

Run each tier with a different Service Account (SA), and use SA-based firewall rules.

Run each tier in its own subnet, and use subnet-based firewall rules.

Run each tier with its own VM tags, and use tag-based firewall rules.

1. Configure the option to suspend domain users not found in LDAP.

2. Set up a recurring GCDS task.

1. Configure the option to delete domain users not found in LDAP.

2. Run GCDS after user and group lifecycle changes.

1. Configure the LDAP search attributes to exclude manually created Cloud Identity users not found in LDAP.

2. Set up a recurring GCDS task.

1. Configure the LDAP search attributes to exclude manually created Cloud identity users not found in LDAP.

2. Run GCDS after user and group lifecycle changes.

Titan Security Keys

Google prompt

Google Authenticator app

Cloud HSM keys

Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.

Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration. Update the perimeter configuration after the access level has been vetted.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.

Customer-managed encryption keys

Customer-Supplied Encryption Keys

Key Access Justifications

Access Transparency and Approval

Cloud External Key Manager

Limit the physical location of a new resource with the Organization Policy Service resource locations

constraint."

Use Cloud IDS to get east-west and north-south traffic visibility in the EU to monitor intra-VPC and mter-VPC communication.

Limit Google personnel access based on predefined attributes such as their citizenship or geographic location by using Key Access Justifications

Use identity federation to limit access to Google Cloud resources from non-EU entities.

Use VPC Flow Logs to monitor intra-VPC and inter-VPC traffic in the EU.

Deterministic encryption

Secure, key-based hashes

Format-preserving encryption

Cryptographic hashing

Create a project with multiple VPC networks for each environment.

Create a folder for each development and production environment.

Create a Google Group for the Engineering team, and assign permissions at the folder level.

Create an Organizational Policy constraint for each folder environment.

Create projects for each environment, and grant IAM rights to each engineering user.

Enable Private Access on the VPC network in the production project.

Remove the Editor role and grant the Compute Admin IAM role to the engineers.

Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.

Set up a VPC network with two subnets: one with public IPs and one without public IPs.

Use Security Health Analytics to determine user activity.

Use the Cloud Monitoring console to filter audit logs by user.

Use the Cloud Data Loss Prevention API to query logs in Cloud Storage.

Use the Logs Explorer to search for user activity.

Container Threat Detection

Web Security Scanner

Rapid Vulnerability Detection

Virtual Machine Threat Detection

1. Use separate Google Cloud projects to store Production and Non-Production secrets.

2. Enforce access control to secrets using project-level identity and Access Management (IAM) bindings.

3. Use customer-managed encryption keys to encrypt secrets.

1. Use a single Google Cloud project to store both Production and Non-Production secrets.

2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.

3. Use Google-managed encryption keys to encrypt secrets.

1. Use separate Google Cloud projects to store Production and Non-Production secrets.

2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.

3. Use Google-managed encryption keys to encrypt secrets.

1. Use a single Google Cloud project to store both Production and Non-Production secrets.

2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings.

3. Use customer-managed encryption keys to encrypt secrets.

Configure an ingress policy for the perimeter in Project A and allow access for the service account in ProjectB to collect messages.

Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is locatedin Project A.

Create a perimeter bridge between Project A and Project B to allow the required communication betweenboth projects.

Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project A.

Cloud Key Management Service

Cloud Data Loss Prevention API

BigQuery

Cloud Security Scanner

Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.

Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.

Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.

Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.

In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.

Deploy patches with VM Manager by using OS patch management

View patch management data in VM Manager by using OS patch management.

Deploy patches with Security Command Center by using Rapid Vulnerability Detection.

View patch management data in a Security Command Center dashboard.

View patch management data in Artifact Registry.

Create a policy that requires employees to not leave their sessions open for long durations.

Review and disable unnecessary Google Cloud APIs.

Require strong passwords and 2SV through a security token or Google authenticate.

Set the session length timeout for Google Cloud services to a shorter duration.

Use Certificate Manager to issue Google managed public certificates and configure it at HTTP the load balancers in your infrastructure as code (laC).

Use Certificate Manager to import certificates issued from on-premises PKI and for the frontends. Leverage the gcloud tool for importing

Use a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.

Use the web applications with PKCS12 certificates issued from subordinate CA based on OpenSSL on-premises Use the gcloud tool for importing. Use the External TCP/UDP Network load balancer instead of an external HTTP Load Balancer.

Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials.

Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/iam.disableServiceAccountCreation organization policy at the project level.

Create a custom service account for the cluster Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level.

Create a custom service account for the cluster Enable the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.

Encrypt the files locally, and then use gsutil to upload the files to a new bucket.

Copy the files to a new bucket with CMEK enabled in a secondary region

Reupload the files to the same Cloud Storage bucket specifying a key file by using gsutil.

Change the encryption type on the bucket to CMEK, and rewrite the objects

Admin Activity

System Event

Access Transparency

Data Access

Implement an organization policy that ensures that all VM resources created across your organization use customer-managed encryption keys (CMEK) protection.

Implement an organization policy that ensures all VM resources created across your organization are Confidential VM instances.

Implement an organization policy that ensures that all VM resources created across your organization use Cloud External Key Manager (EKM) protection.

No action is necessary because Google encrypts data while it is in use by default.

Configure a rate_based_ban action by using Google Cloud Armor and set the ban_duration_secparameter to the specified time interval.

Configure a deny action by using Google Cloud Armor to deny the clients that issued too many requests overthe specified time interval.

Configure a throttle action by using Google Cloud Armor to limit the number of requests per client over aspecified time interval.

Configure a firewall rule in your VPC to throttle traffic from the identified IP addresses.

Set a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PH and movesthe files to the archive storage class.

Create a Cloud Data Loss Prevention (DLP) inspection job that de-identifies Pll in files created more than 12months ago and archives them to another Cloud Storage bucket. Delete the original files.

Schedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys ofthe Cloud Storage files containing Pll to de-identify them Delete the original keys.

Configure the Autoclass feature of the Cloud Storage bucket to de-identify Pll Archive the files that are olderthan 12 months Delete the original files.

Change the load balancer backend configuration to use network endpoint groups instead of instance groups.

Change the load balancer frontend configuration to use the Premium Tier network, and add the new instance group.

Create a new load balancer in us-east-2 using the Standard Tier network, and assign a static external IP address.

Create a Cloud VPN connection between the two regions, and enable Google Private Access.

BigQuery using a data pipeline job with continuous updates via Cloud VPN

Cloud Storage using a scheduled task and gsutil via Cloud Interconnect

Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect

Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN

Upload an .htaccess file containing the customer and employee user accounts to App Engine.

Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic.

Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts.

Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the company’s GCP Virtual Private Cloud (VPC) network.

Create a new Service account, and give all application users the role of Service Account User.

Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.

Use a dedicated G Suite Admin account, and authenticate the application’s operations with these G Suite credentials.

Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.

Generate a data encryption key (DEK) locally.

Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK.

Store the encrypted data and the wrapped KEK.

Generate a key encryption key (KEK) locally.

Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK.

Store the encrypted data and the wrapped DEK.

Generate a data encryption key (DEK) locally.

Encrypt data with the DEK.

Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.

Generate a key encryption key (KEK) locally.

Generate a data encryption key (DEK) locally. Encrypt data with the KEK.

Store the encrypted data and the wrapped DEK.

Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.

Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

Create a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets

Migrate the Compute Engine VMs to Confidential VMs to access the sensitive data.

Configure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage and decrypt the sensitive data after it is downloaded into your VMs

Create Confidential VMs to access the sensitive data.

Configure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.

Event Threat Detection

Container Threat Detection

Security Health Analytics

Cloud Data Loss Prevention

Google Cloud Armor

Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam- account=IAM_ACCOUNT.

Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam- account=IAM_ACCOUNT --key=NEW_KEY.

Create a new key, and use the new key in the application. Delete the old key from the Service Account.

Create a new key, and use the new key in the application. Store the old key on the system as a backup key.

Google Cloud Directory Sync (GCDS)

Cloud Identity

Security Assertion Markup Language (SAML)

Pub/Sub

The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy must

be defined on the current project to deactivate the constraint temporarily.

The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed.

The action succeeds because members from both organizations, terramearth. com or flowlogistic.com, are allowed on projects in the "Apps" folder

The action succeeds and the new member is successfully added to the project's Identity and Access Management (1AM) policy because all policies are inherited by underlying folders and projects.

Configuring and monitoring VPC Flow Logs

Defending against XSS and SQLi attacks

Manage the latest updates and security patches for the Guest OS

Encrypting all stored data

Use the org policy constraint "Restrict Resource Service Usage'* on your Google Cloud organization node.

Use Identity and Access Management (1AM) custom roles to ensure that your DevOps team can only create resources in the Europe regions

Use the org policy constraint Google Cloud Platform - Resource Location Restriction" on your Google Cloud

organization node.

Use Identity-Aware Proxy (IAP) with Access Context Manager to restrict the location of Google Cloud resources.

Use the Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity.

Use the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity.

Configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity.

Configure Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity.

Cloud Bigtable

Cloud BigQuery

Compute Engine SSD Disk

Compute Engine Persistent Disk

Use Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.

Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.

Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.

Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.

Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.

Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.

Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.

Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.

Store the data in a single Persistent Disk, and delete the disk at expiration time.

Store the data in a single BigQuery table and set the appropriate table expiration time.

Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.

Store the data in a single BigTable table and set an expiration time on the column families.

Cloud DNS with DNSSEC

Cloud NAT

HTTP(S) Load Balancing

Google Cloud Armor

Configure the Binary Authorization policy with respective attestations for the project.

Create a custom organization policy constraint to enforce Binary Authorization for Google Kubernetes Engine(GKE).

Enable Container Threat Detection in the Security Command Center (SCC) for the project.

Configure the trusted image organization policy constraint for the project.

Enable Pod Security standards and set them to Restricted.

Create a firewall rule for each virtual private cloud (VPC) to deny traffic from 0 0 0 0/0 with priority 0.

Create a hierarchical firewall policy configured at the organization to deny all connections from 0 0 0 0/0.

Create a Google Cloud Armor security policy to deny traffic from 0 0 0 0/0.

Create a hierarchical firewall policy configured at the organization to allow connections only from internal IPranges

Create an organization node, and assign folders for each business unit.

Establish standalone projects for each business unit, using gmail.com accounts.

Assign GCP resources in a project, with a label identifying which business unit owns the resource.

Assign GCP resources in a VPC for each business unit to separate network access.

Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.

Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.

Use Cloud Build to build the container images.

Build small containers using small base images.

Delete non-used versions from Container Registry.

Use a Continuous Delivery tool to deploy the application.

Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.

Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.

Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.

Run all in-scope Pods in the namespace “in-scope-pci”.

Enable Private Google Access on the regional subnets and global dynamic routing mode.

Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud interconnect connection.

Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.

Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.

1. Enable Container Threat Detection in the Security Command Center Premium tier.

• 2. Upgrade all clusters that are not on a supported version of GKE to the latest possible GKE version.

• 3. View and share the results from the Security Command Center

• 1. Use an open source tool in Cloud Build to scan the images.

• 2. Upload reports to publicly accessible buckets in Cloud Storage by using gsutil

• 3. Share the scan report link with your security department.

• 1. Enable vulnerability scanning in the Artifact Registry settings.

• 2. Use Cloud Build to build the images

• 3. Push the images to the Artifact Registry for automatic scanning.

• 4. View the reports in the Artifact Registry.

• 1. Get a GitHub subscription.

• 2. Build the images in Cloud Build and store them in GitHub for automatic scanning

• 3. Download the report from GitHub and share with the Security Team

Create a Cloud Key Management Service (KMS) key with imported key material Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.

Create a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM) Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.

Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module

(HSM) system from supported vendors.

Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems Provide the raw CSEK as part of the API call.

Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.

Register a new domain name, and use that for the new Cloud Identity domain.

Ask Google to provision the data science manager’s account as a Super Administrator in the existing domain.

Ask customer’s management to discover any other uses of Google managed services, and work with the existing Super Administrator.

A rule that allows all outbound connections

A rule that denies all inbound connections

A rule that blocks all inbound port 25 connections

A rule that blocks all outbound connections

A rule that allows all inbound port 80 connections

1. Set up one VPC with two subnets: one trusted and the other untrusted.

2. Configure a custom route for all traffic (0.0.0.0/0) pointed to the virtual appliance.

1. Set up one VPC with two subnets: one trusted and the other untrusted.

2. Configure a custom route for all RFC1918 subnets pointed to the virtual appliance.

1. Set up two VPC networks: one trusted and the other untrusted, and peer them together.

2. Configure a custom route on each network pointed to the virtual appliance.

1. Set up two VPC networks: one trusted and the other untrusted.

2. Configure a virtual appliance using multiple network interfaces, with each interface connected to one of the VPC networks.

Assign the Project Viewer Identity and Access Management (1AM) role to the DevOps team.

Create a custom 1AM role with limited list/view permissions, and assign it to the DevOps team.

Create a service account, and grant it the Project Owner 1AM role. Give the Service Account User Role on this service account to the DevOps team.

Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team.

Configure Secret Manager to manage service account keys.

Enable an organization policy to disable service accounts from being created.

Enable an organization policy to prevent service account keys from being created.

Remove theiam.serviceAccounts.getAccessTokenpermission from users.

Route all on-premises traffic to Google Cloud through an IPsec VPN tunnel to a VPC with Private GoogleAccess enabled.

Set up VPC peering between the hosts on-premises and the VPC through the internet.

Enforce a security policy that mandates all applications to encrypt data with a Cloud Key Management.Service (KMS) key before you send it over the network.

Route all on-premises traffic to Google Cloud through a dedicated or Partner interconnect to a VPC withPrivate Google Access enabled.

Google Cloud Armor's preconfigured rules in preview mode

Prepopulated VPC firewall rules in monitor mode

The inherent protections of Google Front End (GFE)

Cloud Load Balancing firewall rules

VPC Service Controls in dry run mode

Security Reviewer

lAP-Secured Tunnel User

lAP-Secured Web App User

Service Broker Operator

Use Forseti with Firewall filters to catch any unwanted configurations in production.

Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.

Route all VPC traffic through customer-managed routers to detect malicious patterns in production.

All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.

Hardware

Network Security

Storage Encryption

Access Policies

Boot

Use service perimeter and create an access level based on the authorized source IP address as thecondition.

Use Google Cloud Armor security policies defining an allowlist of authorized IP addresses at the globalHTTPS load balancer.

Use the Restrict allowed Google Cloud APIs and services organization policy constraint along with Cloud Data Loss Prevention (DLP).

Use the Restrict Resource service usage organization policy constraint along with Cloud Data Loss Prevention (DLP).