Professional-Cloud-Security-Engineer Exam Dumps - Google Cloud Certified - Professional Cloud Security Engineer

Cloud Identity-Aware Proxy

Cloud Armor

Cloud Endpoints

Cloud VPN

Organization

Resource

Project

Folder

Generalization

Redaction

CryptoHashConfig

CryptoReplaceFfxFpeConfig

Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.

Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.

Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.

Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.

Create a Log Sink at the organization level with a Pub/Sub destination.

Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.

Enable Data Access audit logs at the organization level to apply to all projects.

Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.

Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.

1. Enable Container Threat Detection in the Security Command Center Premium tier.

• 2. Upgrade all clusters that are not on a supported version of GKE to the latest possible GKE version.

• 3. View and share the results from the Security Command Center

• 1. Use an open source tool in Cloud Build to scan the images.

• 2. Upload reports to publicly accessible buckets in Cloud Storage by using gsutil

• 3. Share the scan report link with your security department.

• 1. Enable vulnerability scanning in the Artifact Registry settings.

• 2. Use Cloud Build to build the images

• 3. Push the images to the Artifact Registry for automatic scanning.

• 4. View the reports in the Artifact Registry.

• 1. Get a GitHub subscription.

• 2. Build the images in Cloud Build and store them in GitHub for automatic scanning

• 3. Download the report from GitHub and share with the Security Team

Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.

Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.

Ensure that the app does not run as PID 1.

Package a single app as a container.

Remove any unnecessary tools not needed by the app.

Use public container images as a base image for the app.

Use many container image layers to hide sensitive information.

Network Load Balancing

HTTP(S) Load Balancing

TCP Proxy Load Balancing

SSL Proxy Load Balancing

Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity.

Use the Google Admin console to view which managed users are using a personal account for their recovery email.

Add users to your managed Google account and force users to change the email addresses associated with their personal accounts.

Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts.

Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.

Make sure that the ERP system can validate the JWT assertion in the HTTP requests.

Make sure that the ERP system can validate the identity headers in the HTTP requests.

Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.

Make sure that the ERP system can validate the user’s unique identifier headers in the HTTP requests.

Configure Secret Manager to manage service account keys.

Enable an organization policy to disable service accounts from being created.

Enable an organization policy to prevent service account keys from being created.

Remove theiam.serviceAccounts.getAccessTokenpermission from users.

•1 Update the perimeter

•2 Configure the egressTo field to set identity Type toany_identity.

•3 Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

* Allow the external project by using the organizational policy

constraints/compute.trustedlmageProjects.

•1 Update the perimeter

•2 Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

•3 Configure the egressFrom field to set identity Type toany_idestity.

•1 Update the perimeter

•2 Configure the ingressFrcm field to set identityType toan-y_identity.

•3 Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis -com.

Modify the VPC routing with the default route point to the default internet gateway Modify the VPC Firewall rule to allow access from the internet 0.0.0.0/0 to port 5601 on the application instance.

Configure the bastion host with OS Login enabled and allow connection to port 5601 at VPC firewall Log in to the bastion host from the Google Cloud console by using SSH-in-browser and then to the web application

Configure an HTTP Load Balancing instance that points to the managed group with Identity-Aware Proxy (IAP) protection with Google credentials Modify the VPC firewall to allow access from IAP network range

Configure Secure Shell Access (SSH) bastion host in a public network, and allow only the bastion host to connect to the application on port 5601. Use a bastion host as a jump host to connect to the application

Compute Network User Role at the host project level.

Compute Network User Role at the subnet level.

Compute Shared VPC Admin Role at the host project level.

Compute Shared VPC Admin Role at the service project level.

Cloud External Key Manager

Customer-managed encryption keys

Customer-supplied encryption keys

Google default encryption

Event Threat Detection

Container Threat Detection

Security Health Analytics

Cloud Data Loss Prevention

Google Cloud Armor

Generate a data encryption key (DEK) locally.

Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK.

Store the encrypted data and the wrapped KEK.

Generate a key encryption key (KEK) locally.

Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK.

Store the encrypted data and the wrapped DEK.

Generate a data encryption key (DEK) locally.

Encrypt data with the DEK.

Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.

Generate a key encryption key (KEK) locally.

Generate a data encryption key (DEK) locally. Encrypt data with the KEK.

Store the encrypted data and the wrapped DEK.

Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.

Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.

Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).

Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.

Cloud Bigtable

Cloud BigQuery

Compute Engine SSD Disk

Compute Engine Persistent Disk

Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.

Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.

Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.

Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.

In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.

Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.

Register a new domain name, and use that for the new Cloud Identity domain.

Ask Google to provision the data science manager’s account as a Super Administrator in the existing domain.

Ask customer’s management to discover any other uses of Google managed services, and work with the existing Super Administrator.

Set the minimum length for passwords to be 8 characters.

Set the minimum length for passwords to be 10 characters.

Set the minimum length for passwords to be 12 characters.

Set the minimum length for passwords to be 6 characters.

Cloud Data Loss Prevention with deterministic encryption using AES-SIV

Cloud Data Loss Prevention with format-preserving encryption

Cloud Data Loss Prevention with cryptographic hashing

Cloud Data Loss Prevention with Cloud Key Management Service wrapped cryptographic keys

Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.

Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration. Update the perimeter configuration after the access level has been vetted.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.

Enable Cloud Monitoring workspace, and add the production projects to be monitored.

Use Logs Explorer at the organization level and filter for production project logs.

Create an aggregate org sink at the parent folder of the production projects, and set the destination to a Cloud Storage bucket.

Create an aggregate org sink at the parent folder of the production projects, and set the destination to a logs bucket.

Configure the project with Cloud VPN.

Configure the project with Shared VPC.

Configure the project with Cloud Interconnect.

Configure the project with VPC peering.

Configure all Compute Engine instances with Private Access.

Secret Manager

Cloud Key Management Service

Cloud Data Loss Prevention with cryptographic hashing

Cloud Data Loss Prevention with automatic text redaction

Cloud Data Loss Prevention with deterministic encryption using AES-SIV

•1 Create a dedicated service account for the CI/CD pipelines

•2 Run the deployment pipelines in a dedicated nodes pool in the GKE cluster

•3 Use the service account that you created as identity for the nodes in the pool to authenticate to the Google Cloud APIs

•1 Create service accounts for each deployment pipeline

•2 Generate private keys for the service accounts

•3 Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deploy pipeline

* 1 Create individual service accounts (or each deployment pipeline

•2 Add an identifier for the pipeline in the service account naming convention

•3 Ensure each pipeline runs on dedicated pods

•4 Use workload identity to map a deployment pipeline pod with a service account

•1 Create two service accounts one for the infrastructure and one for the application deployment

•2 Use workload identities to let the pods run the two pipelines and authenticate with the service accounts

•3 Run the infrastructure and application pipelines in separate namespaces

Marketplace IDS

VPC Flow Logs

VPC Service Controls logs

Packet Mirroring

Google Cloud Armor Deep Packet Inspection

•organization policy: constraints/gcp.restrictStorageNonCraekServices

•binding at: orgl

•policy type: deny

•policy value:storage.gcogleapis.com

•organization policy: constraints/gcp.restrictHonCmekServices

•binding at: orgl

•policy type: deny

•policy value:storage.googleapis.com

•organization policy:constraints/gcp.restrictStorageNonCraekServices

•binding at: orgl

•policy type: allow

•policy value: all supported services

•organization policy: constramts/gcp.restrictNonCmekServices

•binding at: orgl

•policy type: allow

•policy value:storage.googleapis.com

Customer-managed encryption keys

Customer-Supplied Encryption Keys

Key Access Justifications

Access Transparency and Approval

Cloud External Key Manager

Cloud Armor

Network Load Balancing

SSL Proxy Load Balancing

NAT Gateway

Folder

Resource

Project

Organization

Google Cloud Platform: Customer Responsibility Matrix

PCI DSS Requirements and Security Assessment Procedures

PCI SSC Cloud Computing Guidelines

Product documentation for Compute Engine

Set a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PH and movesthe files to the archive storage class.

Create a Cloud Data Loss Prevention (DLP) inspection job that de-identifies Pll in files created more than 12months ago and archives them to another Cloud Storage bucket. Delete the original files.

Schedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys ofthe Cloud Storage files containing Pll to de-identify them Delete the original keys.

Configure the Autoclass feature of the Cloud Storage bucket to de-identify Pll Archive the files that are olderthan 12 months Delete the original files.

Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the Key level.

Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the KeyRing level.

Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the Key level.

Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the KeyRing level.

Create a firewall rule for each virtual private cloud (VPC) to deny traffic from 0 0 0 0/0 with priority 0.

Create a hierarchical firewall policy configured at the organization to deny all connections from 0 0 0 0/0.

Create a Google Cloud Armor security policy to deny traffic from 0 0 0 0/0.

Create a hierarchical firewall policy configured at the organization to allow connections only from internal IPranges

Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance’s IP address and allows the application to read from the bucket without credentials.

Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.

Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.

Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.

Assign a BigQuery Data Viewer role along with an 1AM condition that limits the access to specified working hours.

Configure Cloud Scheduler so that it triggers a Cloud Functions instance that modifies the organizational policy constraints for BigQuery during the specified working hours.

Assign a BigQuery Data Viewer role to a service account that adds and removes the users daily during the specified working hours

Run a gsuttl script that assigns a BigQuery Data Viewer role, and remove it only during the specified working hours.

Configure an ingress firewall rule that allows communication from the src IP range of subnet A to the tag "data-tag" that is applied to the mysql Compute Engine VM on port 3306.

Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306.

Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged fe-tag.

Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.

•1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring

•2 Create a Cloud Run function to check for the VM settings generate metrics and run the function regularly

•1 Activate Virtual Machine Threat Detection in Security Command Center (SCO Premium

•2 Monitor the findings in SCC

* 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring

•2 Activate Confidential Computing

•3 Enforce these actions by using organization policies

•1 Use secure hardened images from the Google Cloud Marketplace

•2 When deploying the images activate the Confidential Computing option

•3 Enforce the use of the correct images and Confidential Computing by using organization policies

Customer-supplied encryption keys.

Google default encryption

Secret Manager

Cloud External Key Manager

Customer-managed encryption keys

Text message or phone call code

Security key

Google Authenticator application

Google prompt

Run each tier in its own Project, and segregate using Project labels.

Run each tier with a different Service Account (SA), and use SA-based firewall rules.

Run each tier in its own subnet, and use subnet-based firewall rules.

Run each tier with its own VM tags, and use tag-based firewall rules.

Use Certificate Manager to issue Google managed public certificates and configure it at HTTP the load balancers in your infrastructure as code (laC).

Use Certificate Manager to import certificates issued from on-premises PKI and for the frontends. Leverage the gcloud tool for importing

Use a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.

Use the web applications with PKCS12 certificates issued from subordinate CA based on OpenSSL on-premises Use the gcloud tool for importing. Use the External TCP/UDP Network load balancer instead of an external HTTP Load Balancer.

roles/logging.privateLogViewer

roles/logging.admin

roles/viewer

roles/logging.viewer

Deploy a Cloud NAT Gateway in the service project for the MIG.

Deploy a Cloud NAT Gateway in the host (VPC) project for the MIG.

Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.

Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend.

All load balancer types are denied in accordance with the global node’s policy.

INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder’s policy.

EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project’s policy.

EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project’s policies.

Customer-managed encryption keys with Cloud Key Management Service

Customer-managed encryption keys with Cloud HSM

Customer-supplied encryption keys

Google-managed encryption keys

Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.

Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based

on location.

Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.

Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.

Configure a rate_based_ban action by using Google Cloud Armor and set the ban_duration_secparameter to the specified time interval.

Configure a deny action by using Google Cloud Armor to deny the clients that issued too many requests overthe specified time interval.

Configure a throttle action by using Google Cloud Armor to limit the number of requests per client over aspecified time interval.

Configure a firewall rule in your VPC to throttle traffic from the identified IP addresses.

Create a Folder per department under the Organization. For each department’s Folder, assign the Project Viewer role to the Google Group related to that department.

Create a Folder per department under the Organization. For each department’s Folder, assign the Project Browser role to the Google Group related to that department.

Create a Project per department under the Organization. For each department’s Project, assign the Project Viewer role to the Google Group related to that department.

Create a Project per department under the Organization. For each department’s Project, assign the Project Browser role to the Google Group related to that department.

Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.

Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.

Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.

Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.

Enable Private Access on the VPC network in the production project.

Remove the Editor role and grant the Compute Admin IAM role to the engineers.

Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.

Set up a VPC network with two subnets: one with public IPs and one without public IPs.

Assign the Project Viewer Identity and Access Management (1AM) role to the DevOps team.

Create a custom 1AM role with limited list/view permissions, and assign it to the DevOps team.

Create a service account, and grant it the Project Owner 1AM role. Give the Service Account User Role on this service account to the DevOps team.

Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team.

Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.

Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.

Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.

Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.

A rule that allows all outbound connections

A rule that denies all inbound connections

A rule that blocks all inbound port 25 connections

A rule that blocks all outbound connections

A rule that allows all inbound port 80 connections

Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys. Configure an 1AM deny policy for unauthorized groups

Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys backed by a Cloud Hardware Security Module (HSM). Enable data access logs.

Generate a key in your on-premises environment and store it in a Hardware Security Module (HSM) that is managed on-premises Use this key as an external key in the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and set the external key system to reject unauthorized accesses.

Generate a key in your on-premises environment to encrypt the data before you upload the data to the Cloud Storage bucket Upload the key to the Cloud Key ManagementService (KMS). Activate Key Access Justifications (KAJ) and have the external key system reject unauthorized accesses.

Define an organization policy constraint.

Configure packet mirroring policies.

Enable VPC Flow Logs on the subnet.

Monitor and analyze Cloud Audit Logs.

The VM was created with a static external IP address that was reserved in the project before theorganizational policy rule was set.

The organizational policy constraint wasn't properly enforced and is running in "dry run mode.

At project level, the organizational policy control has been overwritten with an 'allow' value.

The policy constraint on the folder level does not have any effect because of an allow" value for thatconstraint on the organizational level.

Limit the physical location of a new resource with the Organization Policy Service resource locations

constraint."

Use Cloud IDS to get east-west and north-south traffic visibility in the EU to monitor intra-VPC and mter-VPC communication.

Limit Google personnel access based on predefined attributes such as their citizenship or geographic location by using Key Access Justifications

Use identity federation to limit access to Google Cloud resources from non-EU entities.

Use VPC Flow Logs to monitor intra-VPC and inter-VPC traffic in the EU.

Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS) Configure arule to let principals in the pool impersonate the Google Cloud service account.

Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS) Let allprincipals in the pool impersonate the Google Cloud service account.

Set up a workload identity pool with an OpenID Connect (OIDC) service on the name machine Configure arule to let principals in the pool impersonate the Google Cloud service account.

Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine Let allprincipals in the pool impersonate the Google Cloud service account.

External Key Manager

Customer-supplied encryption keys

Hardware Security Module

Confidential Computing and Istio

Client-side encryption

Disable and revoke access to compromised keys.

Enable automatic key version rotation on a regular schedule.

Manually rotate key versions on an ad hoc schedule.

Limit the number of messages encrypted with each key version.

Disable the Cloud KMS API.

BigQuery using a data pipeline job with continuous updates via Cloud VPN

Cloud Storage using a scheduled task and gsutil via Cloud Interconnect

Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect

Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN