Google Cloud Certified Professional-Cloud-Security-Engineer Book

When integrating applications that require access to sensitive data stored in Cloud Storage, managing service account keys securely is crucial to prevent unauthorized access or data loss.​

Option A: Defining a VPC Service Controls perimeter enhances security by restricting access to Google Cloud services. However, configuring ingress rules to allow external access for the service account may introduce complexities and potential security gaps, especially if the partner's infrastructure is outside the defined perimeter.​

Option B: Scanning and masking customer data addresses data sensitivity but does not mitigate risks associated with compromised service account keys. This approach focuses on data content rather than access control mechanisms.​

Option C: Encrypting data at rest using customer-managed encryption keys (CMEK) ensures data confidentiality but does not directly address the security of service account keys or access controls.​

Option D: Implementing a secret management service to handle service account keys is a best practice. By configuring the service to frequently rotate keys, you reduce the window of opportunity for malicious actors to exploit compromised keys. Additionally, enforcing strict access controls ensures that only authorized personnel can create or manage service account keys, minimizing the risk of unauthorized access. This approach directly addresses the security concerns related to service account key management.​

Therefore, Option D is the most appropriate recommendation, as it focuses on securely managing service account keys through rotation and access controls, thereby minimizing the risk of data loss due to compromised keys.​

The goal is to deploy 2SV with a phased rollout to control the number of individuals affected at once, minimizing disruption, and keeping management simple.

While OU structure can be used, managing policy exceptions based on Configuration Groups is the recommended and less complex way to handle phased rollouts of security settings like 2SV in Google's Admin console.

Extracts:

"When rolling out 2SV, it is highly recommended to use a phased deployment approach to manage the impact on user access and support resources." (Source 2.1)

"You can use configuration groups to select a subset of users within an OU structure and apply specific settings, such as 2SV enforcement, to them. This allows for a gradual, controlled rollout without needing to alter your primary organizational unit structure." (Source 2.2)

Groups allow you to easily add/remove users from the enforcement scope without moving their identity within the OU hierarchy (Option A), which keeps management complexity low. Options C and D do not allow for the necessary phased control of enforcement.

Access approval Explicitly approve access to your data or configurations on Google Cloud. Access Approval requests, when combined with Access Transparency logs, can be used to audit an end-to-end chain from support ticket to access request to approval, to eventual access.

Objective: Ensure only front-end Compute Engine instances have public IPs, while others do not.

Solution: Use an organization policy to enforce this requirement.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the Organization Policies page.

Step 3: Create a new policy with the constraint constraints/compute.requireOsLogin (or similar constraint to manage public IPs).

Step 4: Define the conditions to allow public IPs only for the front-end instances.

Step 5: Apply the policy to the organization or specific projects as necessary.

By setting up an organization policy with specific conditions, you can control which instances are allowed to have public IPs based on their role or other attributes.