Last Attempt Professional-Cloud-Security-Engineer Questions

Objective: Ensure that a Cloud Storage bucket in Project A can only be readable from Project B and prevent data access or copying to Cloud Storage buckets outside the network, even with correct credentials.

Solution: Use VPC Service Controls to create a security perimeter.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the VPC Service Controls page.

Step 3: Create a new service perimeter.

Step 4: Add Project A and Project B to the service perimeter.

Step 5: Include Cloud Storage service in the perimeter configuration.

Step 6: Define access levels to ensure that only resources within the perimeter can access the Cloud Storage bucket.

By setting up a VPC Service Controls perimeter, you can enforce security boundaries that restrict data access and movement to within defined projects, providing an extra layer of protection beyond IAM permissions.

The Organization Policy Service provides a specific constraint called constraints/gcp.restrictServiceUsage. This is the most direct and efficient way to "Allow" or "Deny" specific Google Cloud APIs (services) at any node in the hierarchy (Org, Folder, or Project).

According to Google Cloud Documentation (Restricting Resource Service Usage):

"The Restrict Resource Service Usage constraint allows enterprise administrators to control which Google Cloud services can be used within their Google Cloud resource hierarchy. This constraint can be enforced on an Organization, Folder, or Project. When applied at the folder level, it restricts service usage for all descendant projects within that folder."

Why Option C is the most efficient:

Targeted: By applying it directly to the folder, you don't need to manage complex "exceptions" at the Org level (as in Option B).

Simple: It is a single policy rule that defines an "Allowlist" of services.

IAM vs. Org Policy: IAM (Option A) controls who can do something, but Org Policy controls what can be done. Even if a user is an Editor, the Org Policy will block them from enabling a restricted API.

VPC-SC (Option D): VPC Service Controls is much more complex and is used for data exfiltration prevention, not for simply restricting which APIs can be enabled/used in a project.

Objective: Store and retrieve sensitive configuration data for an application running on Compute Engine.

Solution: Use Secret Manager to securely store and manage access to sensitive configuration data.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the Secret Manager section.

Step 3: Create a new secret and add the sensitive configuration data.

Step 4: Set appropriate IAM policies to control access to the secret.

Step 5: Update the application to retrieve the secret from Secret Manager using the appropriate client libraries or APIs.

Secret Manager provides a secure and centralized way to manage sensitive information, with fine-grained access control and audit logging capabilities.

Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module (HSM) system from supported vendors: Cloud EKM allows you to use encryption keys that are managed externally to Google Cloud. This means you can generate and store your keys in an on-premises HSM or another supported external HSM service, and integrate these keys with various Google Cloud services.

Integration with Google Services: Cloud EKM integrates seamlessly with many Google Cloud services, including BigQuery, Cloud Storage, Compute Engine, and more. This provides you with full control over your encryption keys while still taking advantage of Google Cloud's powerful services.

References

Cloud External Key Management (EKM) documentation

External Key Management overview