Professional-Cloud-Security-Engineer Exam Dumps - Google Cloud Certified - Professional Cloud Security Engineer

Disable service account key creation You can use the iam.disableServiceAccountKeyCreation boolean constraint to disable the creation of new external service account keys. This allows you to control the use of unmanaged long-term credentials for service accounts. When this constraint is set, user-managed credentials cannot be created for service accounts in projects affected by the constraint. https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#example_policy_boolean_constraint

Titan Security Keys are a physical form of two-step verification (2SV) that provide the highest level of account security by using cryptographic signatures to verify the user and the URL of the login page.

Cryptographic Security: Titan Security Keys use a hardware-based cryptographic method to authenticate users, which is resistant to phishing attacks. This ensures that the authentication process is secure and not susceptible to being intercepted or spoofed.

URL Verification: Titan Security Keys verify the URL of the login page during the authentication process, providing an additional layer of security against phishing attempts that may try to redirect users to malicious websites.

Ease of Use: These keys are easy to use and integrate with Google's 2SV process, providing a seamless and highly secure authentication method for users.

References

Titan Security Keys

The critical requirements are:

De-identify PII (protect individual privacy).

Retain original format and consistency (analytical integrity).

Avoid full irreversible deletion (the process must be reversible/re-identifiable).

Sensitive Data Protection (SDP), also known as Cloud DLP, is Google Cloud's specialized service for discovering, classifying, and de-identifying sensitive data. The specific de-identification technique that meets the need to retain the original format and consistency is Format-Preserving Encryption (FPE).

Extracts:

"Sensitive Data Protection supports several types of tokenization, including transformations that can be reversed, or 're-identified.'" (Source 5.3)

"Pseudonymization by replacing with cryptographic format preserving token (CryptoReplaceFfxFpeConfig)... Preserves format... Reversible transformations can be reversed to re-identify the sensitive data using the content.reidentify method." (Source 5.3)

"Format Preserving Encryption (FPE) is an encryption algorithm that preserves the format of the original data set, but it replaces it with tokens that have no inherent meaning or value... FPE ensures the ciphertext maintains the same format (length, number of hyphens, etc.) as the original plaintext." (Source 5.1)

FPE is necessary for analytical integrity when the structure/format (e.g., 9-digit SSN, 16-digit credit card number) is required for processing in downstream systems.

To migrate the current data backup and disaster recovery solutions to GCP while keeping the production environment on-premises, the most scalable and cost-efficient solution is using Google Cloud Storage with scheduled tasks and the gsutil command.

Setup Cloud Storage: Create a Cloud Storage bucket to store the backups.

Go to the Cloud Console and navigate to Cloud Storage.

Click "Create bucket" and follow the prompts to configure the storage bucket.

Install gsutil: Ensure gsutil is installed on the on-premises servers.

gsutil is a command-line tool for interacting with Cloud Storage.

Follow the installation guide here.

Create Backup Script: Write a script to upload data to Cloud Storage using gsutil.

#!/bin/bash gsutil -m cp -r /path/to/local/backup gs://your-bucket-name

Schedule Backup Task: Use a scheduling tool like cron on Linux to run the backup script at regular intervals.

Edit the crontab file with crontab -e and add an entry like:

Cloud Storage Documentation

gsutil Documentation

This approach allows you to leverage your existing on-premises PKI infrastructure while minimizing its impact and manual processes. By creating a subordinate CA in Google’s Certificate Authority Service, you can automate the process of issuing certificates for your HTTP load balancer frontends. This solution scales well as the number of load balancers increases.

To secure a container supply chain, you need two things: Visibility (Scanning) and Enforcement (Policy). Google Cloud provides Artifact Analysis (integrated with Artifact Registry) and Binary Authorization to solve this.

According to Google Cloud Documentation (Software Supply Chain Security):

"To secure your supply chain, use Artifact Registry with automatic vulnerability scanning to identify risks in your images. Then, use Binary Authorization to define a policy that requires images to be signed by trusted authorities (attestors) before they can be deployed to GKE or Cloud Run. This ensures that only images that have passed your security checks (like vulnerability scans) are allowed to run."

How it works:

Scanning: Every time an image is pushed to Artifact Registry, it is automatically scanned for CVEs.

Attestation: A successful scan (e.g., no 'Critical' vulnerabilities) triggers a CI/CD step to "Sign" the image (create an attestation).

Enforcement: The GKE admission controller (Binary Authorization) checks for this signature. If it's missing or invalid, the deployment is blocked.

Why other options are incorrect:

A is incorrect: Container Threat Detection is for runtime (after it's already running). Supply chain security is about pre-deployment prevention.

B is incorrect: While Grafeas/Kritis are the open-source foundations, Option D represents the managed Google Cloud services which "minimize management overhead."

C is incorrect: Firewalls inspect network traffic, not the integrity or vulnerability status of the container image itself.

Use the org policy constraint "Google Cloud Platform - Resource Location Restriction" on your Google Cloud organization node: This organizational policy constraint allows you to restrict the locations where your resources can be created. By setting this constraint to allow only Europe regions, you can ensure compliance with GDPR and other regional regulations.

Implementation: To implement this, you need to configure the organization policy with the constraint constraints/gcp.resourceLocations. You can specify allowed regions such as europe-west1 and europe-west4 to ensure resources are only created in these locations.

References

Resource Location Restriction documentation

GDPR compliance on Google Cloud

Objective: You want to limit the images that can be used as the source for boot disks to a set of images stored in a dedicated project.

Solution: Use the Organization Policy Service.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the Organization Policies page.

Step 3: Create a new policy by clicking on "Create Policy".

Step 4: Select the constraint compute.trustedimageProjects.

Step 5: Set the policy to ALLOW and specify the project ID where the trusted images are stored in the whitelist.

Step 6: Save and apply the policy.

By creating a compute.trustedimageProjects constraint at the organization level and specifying the trusted project in the allow list, you ensure that only images from this project can be used for boot disks across the organization.