Online Professional-Cloud-Security-Engineer Questions Video

To prevent developers from creating user-managed service account keys and reduce the risk of key mismanagement, you should enable an organization policy that specifically prohibits the creation of these keys.

Enable an organization policy to prevent service account keys from being created (C):

Google Cloud provides the capability to enforce organizational policies that restrict various actions, including the creation of service account keys. By enabling this policy, you ensure that developers cannot create new user-managed service account keys, thus minimizing the risk of key mismanagement and potential security breaches.

References

Service Accounts documentation

Organization Policy Service documentation

Using Identity-Aware Proxy (IAP) for managing SSH access to private VMs ensures secure access control and avoids the need for public IPs. IAP allows you to enforce identity-based access control policies.

Enable IAP: Ensure that IAP is enabled for your project. This can be done via the Google Cloud Console under "Security" -> "Identity-Aware Proxy".

Set Up Firewall Rule: Create a firewall rule to allow SSH traffic from the IAP IP ranges.

Navigate to "VPC network" -> "Firewall".

Create a new rule allowing ingress traffic on port 22 (SSH) from the IAP IP ranges.

Assign IAP-Secured Tunnel User Role: Grant the roles/iap.tunnelResourceAccessor role to the administrators who need SSH access.

Go to "IAM & Admin" -> "IAM".

Assign the IAP-Secured Tunnel User role to the relevant users or groups.

SSH Using IAP: Administrators can now use IAP to SSH into the instances. This can be done using the gcloud command:

gcloud compute ssh [INSTANCE_NAME] --tunnel-through-iap

Workload Identity is the Google-recommended method for GKE workloads to access Google Cloud services. It eliminates the need for manual management of service account keys (JSON files), which are a major security risk if leaked.1

According to Google Cloud Documentation (Workload Identity Federation for GKE):

"Workload Identity is the recommended way for your workloads running on GKE to access Google Cloud services in a secure and manageable way. It allows a Kubernetes service account in your GKE cluster to act as a Google IAM service account.2 When you use Workload Identity, you don't need to manage service account keys or store them as Kubernetes secrets."

Why other options are incorrect:

A is incorrect: Service account keys are long-lived and difficult to rotate. Using them increases the risk of credential theft.

C & D are incorrect: Attaching a service account to a Node gives every pod running on that node the same permissions. This violates the Principle of Least Privilege because different workloads on the same node should have different permissions.

Use Cloud Data Loss Prevention (DLP) with cryptographic hashing:

Cloud DLP allows you to de-identify sensitive data using several techniques, including cryptographic hashing.

Choose a suitable hashing algorithm like SHA-256 for non-reversible anonymization.

This method converts the original data into a fixed-length hash that does not preserve the original data's format or character set.

Set up a Cloud DLP job to scan your data sources, identify PHI, and apply the cryptographic hashing transformation.