Google Professional-Cloud-Security-Engineer Exam With Confidence Using Practice Dumps

The core requirement is to ensure only scanned and verified containers can run in the environment, which is a deployment-time enforcement action.

Binary Authorization is the service designed for this purpose. It is a deployment-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or other supported container platforms. The core mechanism it uses to verify that an image has completed required steps (like a vulnerability scan) is an attestation.

Extracts:

"GCP Binary Authorization is a security feature designed to prevent the deployment of unverified, unauthorized, or potentially malicious container images to Kubernetes clusters." (Source 1.1)

"Binary Authorization ensures that only images that are signed by trusted entities (such as a trusted attestation authority) are allowed to be deployed." (Source 1.1)

"Binary Authorization aims to reduce the risk of deploying defective, vulnerable, or unauthorized software in this type of environment. Using this service, you can prevent images from being deployed unless it satisfies a policy you define." (Source 1.2)

"The most common Binary Authorization use cases involve attestations. An attestation certifies that a specific image has completed a previous stage... Attestations signify that the associated image was built by successfully executing a specific, required process. For example, the attestation might indicate that the image has passed all required end-to-end functional testing in a staging environment." (Source 1.2, 1.4)

"After a container image is built, an attestation can be created to affirm that a required activity was performed on the image such as a regression test, vulnerability scan, or other test." (Source 1.5)

Option A correctly identifies the two necessary components for this deployment-time enforcement: Binary Authorization for policy enforcement and attestations to certify that the vulnerability scan (or other required check) has been completed and verified.

To allow a large number of users to access the GCP Console while keeping the existing Active Directory or LDAP server for identity management, use Google Cloud Directory Sync (GCDS).

Install GCDS:

Download and install Google Cloud Directory Sync from here.

Configure GCDS:

Set up the synchronization by specifying the LDAP server details and the Google domain.

Map the LDAP attributes to Google attributes to ensure user data is synchronized correctly.

Run Synchronization:

Perform an initial synchronization to populate the Google domain with existing users from the LDAP server.

Schedule regular synchronizations to keep the data up-to-date.

Benefits:

Automated Sync: Ensures that user data is consistently updated without manual intervention.

Secure Access: Users can log in to the GCP Console using their existing credentials, enhancing security and user experience.

Google Cloud Directory Sync Documentation

GCDS Administration Guide

To comply with FIPS 140-2 for the messaging app, you need to ensure that both data at rest and data in transit are encrypted according to the standard. Using customer-managed encryption keys (CMEK) ensures that you have control over the encryption keys, and BoringSSL is a library that meets FIPS 140-2 standards for encrypting data in transit.

Steps:

Encrypt Local SSDs: Modify the instance template for the Managed Instance Group (MIG) to use customer-managed encryption keys (CMEK) for encrypting Local SSDs.

Enable BoringSSL: Update the application to use the BoringSSL library for all instance-to-instance communication to ensure that all data in transit is encrypted according to FIPS 140-2 standards.