Professional-Cloud-Security-Engineer Google Cloud Certified - Professional Cloud Security Engineer Question and Answers

Perform data masking with the DLP API and store that data in BigQuery for later use.

Perform data redaction with the DLP API and store that data in BigQuery for later use.

Perform data inspection with the DLP API and store that data in BigQuery for later use.

Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.

1. Set up a Cloud VPN link between the on-premises environment and Google Cloud.

2. Configure private access using the restricted googleapis.com domains in on-premises DNS configurations.

1. Set up a Partner Interconnect link between the on-premises environment and Google Cloud.

2. Configure private access using the private.googleapis.com domains in on-premises DNS configurations.

1. Set up a Direct Peering link between the on-premises environment and Google Cloud.

2. Configure private access for both VPC subnets.

1. Set up a Dedicated Interconnect link between the on-premises environment and Google Cloud.

2. Configure private access using the restricted.googleapis.com domains in on-premises DNS configurations.

Create an HA VPN connection to Google Cloud Replace the default 0 0 0 0/0 route.

Create a routing VM in Compute Engine Configure the default route with the VM as the next hop.

Configure Cloud Interconnect with HA VPN Replace the default 0 0 0 0/0 route to an on-premisesdestination.

Configure Cloud Interconnect and route traffic through an on-premises firewall.

SSO SAML as a third-party IdP

Identity Platform

OpenID Connect

Identity-Aware Proxy

Cloud Identity

On the Google Admin console, select the appropriate user account, and generate a backup code to allow the user to sign in. Ask the user to update their second factor.

On the Google Admin console, temporarily disable the 2SV requirements for all users. Ask the user to log in and add their new second factor to their account. Re-enable the 2SV requirement for all users.

On the Google Admin console, select the appropriate user account, and temporarily disable 2SV for this account Ask the user to update their second factor, and then re-enable 2SV for this account.

On the Google Admin console, use a super administrator account to reset the user account's credentials. Ask the user to update their credentials after their first login.

•1 Identify buckets with record data

•2 Apply a retention policy and set it to retain for seven years

•3 Monitor the bucket by using log-based alerts to ensure that no modifications to the retention policy occurs

•1 Identify buckets with record data

•2 Apply a retention policy and set it to retain for seven years

•3 Remove any Identity and Access Management (IAM) roles that contain the storage buckets update permission

•1 Identify buckets with record data

•2 Enable the bucket policy only to ensure that data is retained

•3 Enable bucket lock

* 1 Identify buckets with record data

•2 Apply a retention policy and set it to retain for seven years

•3 Enable bucket lock

Use bucketing to shift values to a predetermined date based on the initial value.

Extract the date using TimePartConfig from each date field and append a random month and year

Use date shifting with the context set to the unique ID of the test subject

Use the FFX mode of format preserving encryption (FPE) and maintain data consistency

Run each tier in its own Project, and segregate using Project labels.

Run each tier with a different Service Account (SA), and use SA-based firewall rules.

Run each tier in its own subnet, and use subnet-based firewall rules.

Run each tier with its own VM tags, and use tag-based firewall rules.

Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.

Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a

job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.

On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.

On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.

Use Forseti with Firewall filters to catch any unwanted configurations in production.

Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.

Route all VPC traffic through customer-managed routers to detect malicious patterns in production.

All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.

•1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring

•2 Create a Cloud Run function to check for the VM settings generate metrics and run the function regularly

•1 Activate Virtual Machine Threat Detection in Security Command Center (SCO Premium

•2 Monitor the findings in SCC

* 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring

•2 Activate Confidential Computing

•3 Enforce these actions by using organization policies

•1 Use secure hardened images from the Google Cloud Marketplace

•2 When deploying the images activate the Confidential Computing option

•3 Enforce the use of the correct images and Confidential Computing by using organization policies

Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have “user email address” as the attribute to facilitate one-way sync.

Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have “user email address” as the attribute to facilitate bidirectional sync.

Use a management tool to sync the subset based on the email address attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

Use a management tool to sync the subset based on group object class attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

Migrate the application into an isolated project using a “Lift & Shift” approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the

application to work properly.

Migrate the application into an isolated project using a “Lift & Shift” approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.

Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project.

Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

Cloud Run

Native

Enforced

Dry run

Google Cloud Armor

Web Security Scanner

Security Health Analytics

Container Threat Detection

• 1- Generate Supply Chain Levels for Software Artifacts (SLSA) level 3 assurance by using Cloud Build.

• 2. View the build provenance in the Security insights side panel within the Google Cloud console.

• 1. Review the software process.

• 2. Generate private and public key pairs and use Pretty Good Privacy (PGP) protocols to sign the output software artifacts together with a file containing the address of your enterprise and point of contact.

• 3. Publish the PGP signed attestation to your public web page.

• 1, Publish the software code on GitHub as open source.

• 2. Establish a bug bounty program, and encourage the open source community to review, report, and fix the vulnerabilities.

• 1. Hire an external auditor to review and provide provenance

• 2. Define the scope and conditions.

• 3. Get support from the Security department or representative.

• 4. Publish the attestation to your public web page.

Set the minimum length for passwords to be 8 characters.

Set the minimum length for passwords to be 10 characters.

Set the minimum length for passwords to be 12 characters.

Set the minimum length for passwords to be 6 characters.

Configure a rate_based_ban action by using Google Cloud Armor and set the ban_duration_secparameter to the specified time interval.

Configure a deny action by using Google Cloud Armor to deny the clients that issued too many requests overthe specified time interval.

Configure a throttle action by using Google Cloud Armor to limit the number of requests per client over aspecified time interval.

Configure a firewall rule in your VPC to throttle traffic from the identified IP addresses.

Policy Troubleshooter

Policy Analyzer

IAM Recommender

Policy Simulator

Organization Administrator

Super Admin

GKE Cluster Admin

Compute Admin

Organization Role Viewer

Generate a data encryption key (DEK) locally.

Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK.

Store the encrypted data and the wrapped KEK.

Generate a key encryption key (KEK) locally.

Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK.

Store the encrypted data and the wrapped DEK.

Generate a data encryption key (DEK) locally.

Encrypt data with the DEK.

Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.

Generate a key encryption key (KEK) locally.

Generate a data encryption key (DEK) locally. Encrypt data with the KEK.

Store the encrypted data and the wrapped DEK.

Use Identity Platform to provision users and groups to Google Cloud.

Use Cloud Identity SAML integration to provision users and groups to Google Cloud.

Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.

Create Identity and Access Management (1AM) roles with permissions corresponding to each Active Directory group.

Create Identity and Access Management (1AM) groups with permissions corresponding to each Active Directory group.

Configure an ingress policy for the perimeter in Project A and allow access for the service account in ProjectB to collect messages.

Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is locatedin Project A.

Create a perimeter bridge between Project A and Project B to allow the required communication betweenboth projects.

Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project A.

Use the Cloud Key Management Service to manage a data encryption key (DEK).

Use the Cloud Key Management Service to manage a key encryption key (KEK).

Use customer-supplied encryption keys to manage the data encryption key (DEK).

Use customer-supplied encryption keys to manage the key encryption key (KEK).

Customer-supplied encryption keys (CSEK)

Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)

Encryption by default

Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis

Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises

Use Cloud External Key Manager to delete specific encryption keys.

Use customer-managed encryption keys to delete specific encryption keys.

Use Google default encryption to delete specific encryption keys.

VPC Flow Logs

Cloud Armor

DNS Security Extensions

Cloud Identity-Aware Proxy

•1 Create a dedicated service account for the CI/CD pipelines

•2 Run the deployment pipelines in a dedicated nodes pool in the GKE cluster

•3 Use the service account that you created as identity for the nodes in the pool to authenticate to the Google Cloud APIs

•1 Create service accounts for each deployment pipeline

•2 Generate private keys for the service accounts

•3 Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deploy pipeline

* 1 Create individual service accounts (or each deployment pipeline

•2 Add an identifier for the pipeline in the service account naming convention

•3 Ensure each pipeline runs on dedicated pods

•4 Use workload identity to map a deployment pipeline pod with a service account

•1 Create two service accounts one for the infrastructure and one for the application deployment

•2 Use workload identities to let the pods run the two pipelines and authenticate with the service accounts

•3 Run the infrastructure and application pipelines in separate namespaces

Public IP

IP Forwarding

Private Google Access

Static routes

IAM Network User Role

Implement an organization policy to enforce that boot disks can only be created from images that come fromthe trusted image project.

Create a Cloud Function that is automatically triggered when a new virtual machine is created from thetrusted image repository Verify that the image is not deprecated.

Implement an organization policy constraint that enables the Shielded VM service on all projects to enforcethe trusted image repository usage.

Automate a security scanner that verifies that no common vulnerabilities and exposures (CVEs) are presentin your trusted image repository.

Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.

Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.

Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.

Run all in-scope Pods in the namespace “in-scope-pci”.

Set a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PH and movesthe files to the archive storage class.

Create a Cloud Data Loss Prevention (DLP) inspection job that de-identifies Pll in files created more than 12months ago and archives them to another Cloud Storage bucket. Delete the original files.

Schedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys ofthe Cloud Storage files containing Pll to de-identify them Delete the original keys.

Configure the Autoclass feature of the Cloud Storage bucket to de-identify Pll Archive the files that are olderthan 12 months Delete the original files.

Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.

Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based

on location.

Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.

Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.

Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.

Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.

Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.

Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.

Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.

Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.

Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.

Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.

Configure an ingress firewall rule that allows communication from the src IP range of subnet A to the tag "data-tag" that is applied to the mysql Compute Engine VM on port 3306.

Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306.

Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged fe-tag.

Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.

BigQuery using a data pipeline job with continuous updates via Cloud VPN

Cloud Storage using a scheduled task and gsutil via Cloud Interconnect

Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect

Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN

Hardware

Network Security

Storage Encryption

Access Policies

Boot

Remove Owner roles from end users, and configure Cloud Data Loss Prevention.

Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.

Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.

Remove*.setIamPolicypermissions from all roles, and enforce domain restricted sharing in an organization policy.

Make sure that the ERP system can validate the JWT assertion in the HTTP requests.

Make sure that the ERP system can validate the identity headers in the HTTP requests.

Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.

Make sure that the ERP system can validate the user’s unique identifier headers in the HTTP requests.

Add the host project containing the Shared VPC to the service perimeter.

Add the service project where the Compute Engine instances reside to the service perimeter.

Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.

Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.

Google Cloud Armor's preconfigured rules in preview mode

Prepopulated VPC firewall rules in monitor mode

The inherent protections of Google Front End (GFE)

Cloud Load Balancing firewall rules

VPC Service Controls in dry run mode

Secret Manager

Cloud Key Management Service

Cloud Data Loss Prevention with cryptographic hashing

Cloud Data Loss Prevention with automatic text redaction

Cloud Data Loss Prevention with deterministic encryption using AES-SIV

compute.restrictSharedVpcHostProjects

compute.restrictXpnProjectLienRemoval

compute.restrictSharedVpcSubnetworks

compute.sharedReservationsOwnerProjects

Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.

Set up SAML 2.0 Single Sign-On (SSO), and assign IAM permissions to the groups.

Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory.

Use the Admin SDK to create groups and assign IAM permissions from Active Directory.

Cloud IDS

VPC Service Controls logs

VPC Flow Logs

Google Cloud Armor

Packet Mirroring

Text message or phone call code

Security key

Google Authenticator application

Google prompt

Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.

Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.

Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections.

Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.

1. Set up one VPC with two subnets: one trusted and the other untrusted.

2. Configure a custom route for all traffic (0.0.0.0/0) pointed to the virtual appliance.

1. Set up one VPC with two subnets: one trusted and the other untrusted.

2. Configure a custom route for all RFC1918 subnets pointed to the virtual appliance.

1. Set up two VPC networks: one trusted and the other untrusted, and peer them together.

2. Configure a custom route on each network pointed to the virtual appliance.

1. Set up two VPC networks: one trusted and the other untrusted.

2. Configure a virtual appliance using multiple network interfaces, with each interface connected to one of the VPC networks.

Google Cloud Armor

Cloud NAT

Cloud Router

Cloud VPN

Modify the VPC routing with the default route point to the default internet gateway Modify the VPC Firewall rule to allow access from the internet 0.0.0.0/0 to port 5601 on the application instance.

Configure the bastion host with OS Login enabled and allow connection to port 5601 at VPC firewall Log in to the bastion host from the Google Cloud console by using SSH-in-browser and then to the web application

Configure an HTTP Load Balancing instance that points to the managed group with Identity-Aware Proxy (IAP) protection with Google credentials Modify the VPC firewall to allow access from IAP network range

Configure Secure Shell Access (SSH) bastion host in a public network, and allow only the bastion host to connect to the application on port 5601. Use a bastion host as a jump host to connect to the application

Implement an organization policy that ensures that all VM resources created across your organization use customer-managed encryption keys (CMEK) protection.

Implement an organization policy that ensures all VM resources created across your organization are Confidential VM instances.

Implement an organization policy that ensures that all VM resources created across your organization use Cloud External Key Manager (EKM) protection.

No action is necessary because Google encrypts data while it is in use by default.

Customer-supplied encryption keys.

Google default encryption

Secret Manager

Cloud External Key Manager

Customer-managed encryption keys

A firewall rule prevents the key from being accessible.

Cloud HSM does not support Cloud Storage

The CMEK is in a different project than the Cloud Storage bucket

The CMEK is in a different region than the Cloud Storage bucket.

BigQuery using a data pipeline job with continuous updates

Cloud Storage using a scheduled task and gsutil

Compute Engine Virtual Machines using Persistent Disk

Cloud Datastore using regularly scheduled batch upload jobs

All VM instances are missing the respective network tags.

All VM instances are residing in the same network subnet.

All VM instances are configured with the same network route.

A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999.

A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 1001.

Configure Private Google Access on the Compute Engine subnet

Avoid assigning public IP addresses to the Compute Engine cluster.

Make sure that the Compute Engine cluster is running on a separate subnet.

Turn off IP forwarding on the Compute Engine instances in the cluster.

Configure a Cloud NAT gateway.

Central management of routes, firewalls, and VPNs for peered networks

Non-transitive peered networks; where only directly peered networks can communicate

Ability to peer networks that belong to different Google Cloud Platform organizations

Firewall rules that can be created with a tag from one peered network to another peered network

Ability to share specific subnets across peered networks

Assign the Project Viewer Identity and Access Management (1AM) role to the DevOps team.

Create a custom 1AM role with limited list/view permissions, and assign it to the DevOps team.

Create a service account, and grant it the Project Owner 1AM role. Give the Service Account User Role on this service account to the DevOps team.

Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team.

Enable Cloud Monitoring workspace, and add the production projects to be monitored.

Use Logs Explorer at the organization level and filter for production project logs.

Create an aggregate org sink at the parent folder of the production projects, and set the destination to a Cloud Storage bucket.

Create an aggregate org sink at the parent folder of the production projects, and set the destination to a logs bucket.

Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.

Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.

In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.

In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.

SSL Proxy

TCP Proxy

Internal TCP/UDP

TCP/UDP Network

Use the Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity.

Use the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity.

Configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity.

Configure Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity.

Enable Firewall Rules Logging on the latest rules that were changed. Use Logs Explorer to analyze whether the rules are working correctly.

Connect to a bastion host in your VPC. Use a network traffic analyzer to determine at which point your requests are being blocked.

In a pre-production environment, disable all firewall rules individually to determine which one is blocking user traffic.

Enable VPC Flow Logs in your VPC. Use Logs Explorer to analyze whether the rules are working correctly.

1. Create or use an existing key with a unique uniform resource identifier (URI) in your Google Cloud project.

2. Grant your Google Cloud project access to a supported external key management partner system.

1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).

2. In Cloud KMS, grant your Google Cloud project access to use the key.

1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system.

2. In the external key management partner system, grant access for this key to use your Google Cloud project.

1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).

2. In Cloud KMS, grant your Google Cloud project access to use the key.

Configure GCDS and use GCDS search rules lo sync these users.

Use the transfer tool to migrate unmanaged users.

Write a custom script to identify existing Google Cloud users and call the Admin SDK Directory API totransfer their account.

Configure GCDS and use GCDS exclusion rules to ensure users are not suspended.