All Professional-Cloud-Security-Engineer Test Inside Google Questions

The standard and most efficient way to stream logs from Google Cloud (including Workspace logs that are shared with Google Cloud) to an external SIEM is via Cloud Logging Sinks pointing to Pub/Sub.5

According to Google Cloud Documentation (Architecture for exporting Cloud Logging logs):

"To stream logs to a third-party SIEM in real-time, you should create a log sink in Cloud Logging. The sink filters for specific logs (e.g., resource.type="audited_resource" and methodName:"login") and exports them to a Pub/Sub topic. The SIEM can then subscribe to this topic to pull events immediately as they are generated."

Why other options are incorrect:

A is incorrect: Exporting to Cloud Storage is for long-term archiving/compliance and is not real-time (it usually involves batched files every few hours).

C is incorrect: Polling via CLI is not scalable, introduces latency, and is prone to failure in production environments.

D is incorrect: Google Workspace does not have a native "direct push" feature for SIEM endpoints; it typically requires an intermediate step like Pub/Sub or BigQuery.

To protect your web application from threats like malware by implementing TLS interception for incoming traffic, configuring a Secure Web Proxy with TLS offloading at the load balancer is an effective approach.​

Option A: By configuring a Secure Web Proxy, you can offload TLS traffic at the load balancer, inspect the decrypted traffic for threats such as malware, and then forward the inspected traffic to your web application. This approach ensures that encrypted traffic is securely analyzed without compromising the security of the data in transit.​

Option B: An internal proxy load balancer is designed for distributing traffic within a private network and may not support TLS interception capabilities required for inspecting incoming traffic from external sources.​

Option C: Hierarchical firewall policies in Google Cloud are used to enforce security rules across your organization but do not provide TLS interception capabilities.​

Option D: VPC firewall rules control traffic to and from VM instances based on specified rules but do not have the capability to perform TLS interception or traffic inspection.​

Therefore, Option A is the most suitable solution, as it allows for TLS interception through a Secure Web Proxy, enabling the inspection of incoming encrypted traffic to detect and mitigate threats like malware before the traffic reaches your web application.​

"To support common use cases like setting a Time to Live (TTL) for objects, retaining noncurrent versions of objects, or "downgrading" storage classes of objects to help manage costs, Cloud Storage offers the Object Lifecycle Management feature. This page describes the feature as well as the options available when using it. To learn how to enable Object Lifecycle Management, and for examples of lifecycle policies, see Managing Lifecycles."

To connect Compute Engine instances within a Google Cloud Platform project to workloads running in a dedicated server room that can only be accessed from within the private company network, you can use the following approaches:

Cloud VPN: Cloud VPN securely connects your on-premises network to your Google Cloud Virtual Private Cloud (VPC) network through an IPsec VPN connection. This enables secure communication between your GCP instances and your on-premises workloads over the internet.

Cloud Interconnect: Cloud Interconnect provides direct physical connections between your on-premises network and Google's network. It offers higher bandwidth and lower latency compared to Cloud VPN, making it suitable for workloads that require fast and reliable connectivity.

Both Cloud VPN and Cloud Interconnect allow you to securely connect your on-premises environments to Google Cloud, ensuring that the workloads remain within the private company network.

References

Cloud VPN Overview

Cloud Interconnect Overview