Professional-Cloud-Security-Engineer Exam Dumps - Google Cloud Certified - Professional Cloud Security Engineer

Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect PII, have the function move the objects into the shared Cloud Storage bucket:

Configure a Pub/Sub topic to publish notifications when new files are uploaded to the administrator's bucket.

Create a Cloud Function that is triggered by the Pub/Sub topic. This function uses the Cloud Data Loss Prevention (DLP) API to scan the uploaded files for PII.

If the scan does not detect PII, the function moves the file to the shared Cloud Storage bucket. This ensures that only non-sensitive data is accessible to analysts, while PII remains secure in the administrator's bucket.

Requirement:

Enforce the use of Customer-Managed Encryption Keys (CMEK) for all new Cloud Storage resources in the organization.

Policy Constraint:

Use the constraints/gcp.restrictNonCmekServices constraint to enforce CMEK usage.

Policy Type and Value:

Set the policy type to allow to specify which services must use CMEK.

In this case, the policy value should be storage.googleapis.com to target Cloud Storage.

Command:

Applying the organization policy with the appropriate binding ensures that all new Cloud Storage resources under the organization will require CMEK.

Steps:

Step 1: Go to the Google Cloud Console.

Step 2: Navigate to the Organization Policies page.

Step 3: Apply the policy constraint constraints/gcp.restrictNonCmekServices with the allow policy type and storage.googleapis.com as the policy value.

Objective: Provide evidence of access reviews for an upcoming audit.

Solution: Use Policy Analyzer to review and report on IAM policies.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the Policy Analyzer tool.

Step 3: Select the project for which you need to review access policies.

Step 4: Use the tool to generate reports on IAM roles and permissions.

Step 5: Export the reports as evidence for the audit.

Policy Analyzer provides detailed insights into IAM policies, helping you to review access configurations and generate necessary reports for compliance and auditing purposes.

Setting up a Shared VPC allows you to create a centrally managed network that spans multiple projects. Here's how you can achieve this while ensuring separation of duties:

Create a Host Project:

Create a project that will act as the host project for your Shared VPC.

Configure Shared VPC:

In the host project, enable the Shared VPC feature.

Create Service Projects:

Create separate service projects for different teams, such as developers and other stakeholders.

Assign Roles:

Security Team: Grant the Compute Network Admin role. This allows the security team to manage network resources, such as firewall rules, subnets, and routes.

Developers: Share the host project’s network with the service projects. Assign roles like Compute Instance Admin to developers in the service projects, enabling them to create and manage VM instances without altering network configurations.

Firewall Management:

The security team will define and manage firewall rules within the host project, ensuring consistent and secure network policies.

Benefits:

Separation of Duties: Security teams handle networking, and developers focus on application deployment and management.

Centralized Control: Network policies are centrally managed, ensuring compliance and security.

Scalability: Easy to add new projects and teams without compromising the overall network security.

References

Google Cloud VPC Documentation

Managing Resources with Shared VPC

Google Cloud Armor helps to protect applications from DDoS attacks and web application firewall (WAF) threats like XSS and SQLi. To use Google Cloud Armor security policies, certain requirements must be met:

External Load Balancers: Google Cloud Armor is specifically designed to work with external HTTP(S) load balancers, which handle traffic at the edge of the Google Cloud network. This type of load balancer provides a global frontend that can distribute traffic to various backends.

Load Balancing Scheme: The backend service associated with the Google Cloud Armor policy must have an EXTERNAL load balancing scheme. This scheme allows the service to accept traffic from outside the Google Cloud network, which is necessary for applying security policies effectively at the network edge.

These requirements ensure that Google Cloud Armor can inspect and filter incoming traffic before it reaches your web application's backend services, providing an additional layer of security against common web vulnerabilities.

References

Google Cloud Armor Documentation

External HTTP(S) Load Balancing Overview

To share a service (like an AI model) across project boundaries privately and securely—without complex VPC peering or exposing it to the internet—Private Service Connect (PSC) is the recommended solution.14

According to Google Cloud Documentation (Private Service Connect for Vertex AI/Custom Services):

"Private Service Connect allows a service producer to expose a service (via an Internal Load Balancer) to service consumers in other VPC networks or projects.15 The producer creates a Service Attachment that points to the load balancer.16 The consumer creates a PSC Endpoint in their own VPC. Traffic stays entirely within the Google backbone, and the producer can maintain an 'Allowlist' of Project IDs that are permitted to connect."

Why this fits the requirements:

Isolation: The model remains in its own project and is not reachable via the internet (Option C is out).

Granular Control: PSC allows you to explicitly list which Project IDs can access the service attachment (Option A).17

Scalability: It avoids the "transitive peering" and "IP overlap" limitations often found in Shared VPC or Peering architectures (Option B).

Activate Security Command Center (SCC) Premium: Security Command Center (SCC) Premium provides advanced security analytics and best practice recommendations for your Google Cloud environment. It includes functionalities such as asset discovery, vulnerability scanning, and security findings.

Create a Custom Rule to Mute Irrelevant Security Findings:

Navigate to the Security Command Center (SCC) in the Google Cloud Console.

Go to the "Settings" tab and find the "Mute findings" section.

Create a new mute rule by specifying the conditions that match the irrelevant controls you want to disregard. These conditions can be based on attributes such as resource type, finding type, and other metadata.

Apply this mute rule, which will ensure that the specified findings are not evaluated in your security posture assessments.

Ensure Continuous Compliance Monitoring:

The mute rules will automatically filter out the irrelevant findings, ensuring that only relevant controls from the CIS Google Cloud Computing Foundations Benchmark v1.3.0 are evaluated.

Regularly review and update the mute rules to adapt to any changes in your compliance requirements or security posture.

Google Cloud Armor provides protection against DDoS attacks and allows you to define security policies to control access to your application. It enables you to block traffic from specific IP addresses or ranges, making it suitable for denying traffic from a list of malicious IP addresses while protecting your application from being directly exposed to the internet.

Steps:

Set Up Cloud Armor: Enable Cloud Armor in your Google Cloud Console.

Create Security Policies: Define security policies that specify the rules for allowing or denying traffic based on IP addresses.

Attach Policies to Backend Services: Apply these security policies to the backend services of your web application.