Professional-Cloud-Security-Engineer Exam Dumps : Google Cloud Certified - Professional Cloud Security Engineer

To meet the requirements of rotating the master key every 45 days, achieving FIPS 140-2 Level 3 validation, and ensuring the master key is stored redundantly in multiple US regions, you should use Customer-managed encryption keys with Cloud HSM. Here’s how:

Set Up Cloud HSM:

Deploy Cloud HSM in your Google Cloud environment. Cloud HSM provides a hardware-based key management solution that meets FIPS 140-2 Level 3 compliance.

Create and Manage Keys:

Create your encryption keys in Cloud HSM. These keys can be managed and rotated per your policy requirements.

Key Rotation:

Set up a key rotation schedule to rotate the master key every 45 days. Cloud HSM allows you to automate this process.

Geographic Redundancy:

Ensure that your Cloud HSM configuration spans multiple regions within the US to achieve redundancy. This will ensure that your keys are available even if a particular region experiences an outage.

Compliance:

Cloud HSM’s FIPS 140-2 Level 3 validation ensures that your encryption keys are managed in a secure and compliant manner.

Benefits:

Security and Compliance: Meets stringent compliance requirements.

Automated Management: Simplifies key management and rotation.

Redundancy: Ensures high availability of keys across multiple regions.

References

Cloud HSM Documentation

Key Management with Cloud KMS and Cloud HSM

The Google Cloud Resource Hierarchy is designed to allow inheritance with the ability to override policies at lower levels (Folders or Projects).2 This is the standard way to handle exceptions for specific business units without weakening the security posture of the entire organization.

According to Google Cloud Documentation (Understanding Hierarchy Evaluation):

"By default, organization policies are inherited by the descendants of the resource on which the policy is enforced. However, you can explicitly override a policy on a child resource (Folder or Project) by setting a new policy that either adds to or replaces the inherited values.3 This allows for granular control and exception handling."

Why this is the correct approach:

Isolation: By moving the workload to a specific folder, you isolate the exception.

Least Privilege: Only the resources within that folder gain the exception; the rest of the organization remains protected by the constraints/compute.vmExternalIpAccess constraint.

No "Bypass" Role: There is no standard IAM role that allows a user to "bypass" an Org Policy (Option A). Policies are enforced at the API level regardless of user roles.

Auditability: Having a specific folder with an override makes it easy for auditors to see exactly where and why an exception exists.

The goal is to detect cryptocurrency mining software using Security Command Center (SCC).

Security Command Center Threat Detection Services: SCC Premium and Enterprise tiers offer various specialized threat detection services.

Virtual Machine Threat Detection (VMTD): This service is explicitly designed to scan virtual machines (Compute Engine instances and GKE nodes) for specific threats, including cryptocurrency mining software. It operates at the hypervisor level, performing deep scans of VM memory and disks.Extract Reference: "Virtual Machine Threat Detection (VMTD) helps you detect potential threats, such as cryptocurrency mining and malware, within your Compute Engine instances and GKE nodes." (Google Cloud Documentation: "Virtual Machine Threat Detection overview | Security Command Center" -

Extract Reference: "This service scans virtual machines to detect potentially malicious applications, such as cryptocurrency mining software, kernel-mode rootkits, and malware running in compromised cloud environments." (Google Cloud Documentation: "Virtual Machine Threat Detection overview | Security Command Center" -

Let's evaluate the other options:

A. Web Security Scanner: This service scans for common web application vulnerabilities like XSS, Flash injection, and mixed content. It is not designed to detect runtime threats like cryptocurrency mining software.

B. Container Threat Detection: While Container Threat Detection (CTD) also detects cryptocurrency mining, it specifically focuses on runtime threats within GKE containers. The question asks for detection of "cryptocurrency mining software" generally, and VMs are a common target for such activity (and GKE nodes are VMs). VMTD provides a more general detection across Compute Engine VMs and GKE nodes for this specific type of threat. If the context explicitly mentioned containers or Cloud Run, CTD would be the more specific answer. However, for a general detection of "software" on "workloads", and given that VMTD explicitly lists "cryptocurrency mining software" for VMs, it is the most direct and broadly applicable answer among the choices.

C. Rapid Vulnerability Detection: This service actively scans internet-exposed assets for network vulnerabilities and misconfigurations. It focuses on finding known vulnerabilities, not detecting active malicious processes like cryptocurrency mining.

Given the direct and explicit mention of cryptocurrency mining detection for VMs in its documentation, Virtual Machine Threat Detection is the correct SCC service to use.