Professional-Cloud-Security-Engineer Leak Questions

To ensure compliance with GDPR and implement data residency and operational sovereignty in the EU, the following steps can be taken:

Limit Physical Location of Resources: Use the Organization Policy Service to enforce the resource locations constraint. This ensures that all new resources are created within the specified regions (EU in this case).

Configure Organization Policy: Set up an organization policy that restricts the locations where new resources can be created. This is done through the Google Cloud Console or via the gcloud command-line tool.

Example:

gcloud resource-manager org-policies allow constraints/gcp.resourceLocations [europe-west1,europe-west2] --organization=YOUR_ORG_ID

Key Access Justifications (KAJ): Use Key Access Justifications to limit Google personnel's access to encryption keys based on attributes like their geographic location or citizenship.

Set Up KAJ: Implement KAJ policies to ensure that only authorized personnel within the EU can access encryption keys.

References

Organization Policy Service

Key Access Justifications

Google Cloud Logging supports Field-level access control, which allows you to hide specific sensitive fields within a log entry from certain users while still allowing them to see the rest of the log entry.5 This is achieved using Log Views and IAM.

According to Google Cloud Documentation (Configuring field-level access):

"Field-level access control allows you to restrict access to specific fields of LogEntry objects. You can define which fields are sensitive (such as principalEmail) and then grant the logging.fieldAccessor role to specific users or groups.6 Users without this role will see the log entry, but the sensitive fields will be redacted or omitted from their view."

Key Implementation Steps:

Identify Fields: Determine which paths in the JSON payload are sensitive.

Define Access: Use a Log View to define the scope of logs and apply field-level restrictions.7

Grant Permissions: Grant the standard logging.viewer role for general access and the logging.fieldAccessor role ONLY to the security team for the specific sensitive fields.

Why other options are incorrect:

B is incorrect: IAM conditions cannot natively parse and redact specific JSON fields within a log entry at the platform level; they are typically used for resource-level access.

C is incorrect: While excluding fields via a sink works, it is "all or nothing." If you exclude it at the sink, no one (including the security team) will see that data in the destination.

D is incorrect: This is a workaround that only works if the team uses BigQuery for logs. It doesn't solve the problem within the Cloud Logging Logs Explorer itself.

MACsec (Media Access Control Security) relies on a shared secret (a pre-shared key, made up of a Connectivity Key Name, CKN, and Connectivity Association Key, CAK) to establish a secure session between the two endpoints. If the session is "operationally down," it indicates a cryptographic mismatch.

Extracts:

"MACsec is operationally down on my Cloud Interconnect connection... The issue could be caused by one of the following: The active keys on your on-premises router and Google's edge routers don't match." (Source 3.1)

The troubleshooting guide further specifies checking that the "active CKN, CAK, and start times on your on-premises router match the values that MACsec for Cloud Interconnect displays." (Source 3.1)

Therefore, the primary and most common step to resolve a "MACsec is operationally down" status is to verify that the cryptographic keys (the pre-shared key) are correctly configured and match on both the on-premises and Google Cloud routers.

To ensure that payment information is encrypted between the customer’s browser and Google Cloud Platform during checkout, the company should configure an SSL certificate on an L7 (Layer 7) Load Balancer. Here’s why this is the best solution:

SSL/TLS Termination: An L7 Load Balancer can handle SSL/TLS termination, which means it can decrypt HTTPS traffic, offloading the work from the backend servers. This is essential for handling encrypted connections securely.

HTTPS Configuration: By configuring an SSL certificate, the load balancer ensures that all traffic between the customer’s browser and the application is encrypted using HTTPS.

Security Best Practices: Using an L7 Load Balancer with an SSL certificate aligns with best practices for securing web applications, particularly for e-commerce sites handling sensitive payment information.

Managed Certificates: Google Cloud offers managed SSL certificates, which simplifies the process of obtaining, deploying, and renewing SSL certificates.

Implementation Steps:

Obtain an SSL certificate.

Configure the L7 Load Balancer in the GCP Console.

Associate the SSL certificate with the load balancer.

Ensure that the backend services are configured to handle HTTPS traffic.

Google Cloud Load Balancing Documentation

Setting up HTTPS Load Balancing