Professional-Cloud-Security-Engineer Premium Exam Questions

To delegate management of access control permissions to each business unit effectively, organizing projects into folders and assigning permissions to Google groups at the folder level allows for scalable and manageable access control. Using Google Cloud Directory Sync (GCDS) to synchronize users and groups from the on-premises directory service ensures that access controls are maintained and updated automatically as users change roles or leave the company.

Steps:

Organize Projects in Folders: Create a folder structure in the Google Cloud Resource Manager to organize projects by business unit.

Assign Permissions to Google Groups: Use IAM to assign necessary permissions to Google Groups at the folder level, ensuring each business unit can manage access controls for their own projects.

Synchronize Users and Groups: Use GCDS to sync users and group memberships from your on-premises directory service to Google Cloud Identity, ensuring that changes in the on-premises directory are reflected in Google Cloud.

Configure Cloud Interconnect:

Cloud Interconnect provides high-bandwidth, low-latency connectivity between your on-premises network and Google Cloud. You can choose between Dedicated Interconnect or Partner Interconnect depending on your requirements.

Set up the physical connection and establish the interconnect through the Google Cloud Console or by working with a partner.

Set Up HA VPN:

High Availability (HA) VPN provides a robust, reliable VPN connection to Google Cloud with SLA guarantees. This is crucial for ensuring secure and high-bandwidth connectivity.

Configure two VPN tunnels to ensure redundancy and failover capabilities.

Update Default Route:

Replace the default 0.0.0.0/0 route in your Google Cloud VPC to direct traffic to your on-premises network via the Cloud Interconnect and HA VPN setup.

This ensures all internet-facing traffic is securely routed through your on-premises internet connection.

Ensure Proper Security and Routing Policies:

Implement appropriate firewall rules and security policies on both Google Cloud and on-premises environments to control traffic and ensure secure communication.

Monitor the traffic and connectivity status to maintain optimal performance and security.

The core requirement is to ensure only scanned and verified containers can run in the environment, which is a deployment-time enforcement action.

Binary Authorization is the service designed for this purpose. It is a deployment-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or other supported container platforms. The core mechanism it uses to verify that an image has completed required steps (like a vulnerability scan) is an attestation.

Extracts:

"GCP Binary Authorization is a security feature designed to prevent the deployment of unverified, unauthorized, or potentially malicious container images to Kubernetes clusters." (Source 1.1)

"Binary Authorization ensures that only images that are signed by trusted entities (such as a trusted attestation authority) are allowed to be deployed." (Source 1.1)

"Binary Authorization aims to reduce the risk of deploying defective, vulnerable, or unauthorized software in this type of environment. Using this service, you can prevent images from being deployed unless it satisfies a policy you define." (Source 1.2)

"The most common Binary Authorization use cases involve attestations. An attestation certifies that a specific image has completed a previous stage... Attestations signify that the associated image was built by successfully executing a specific, required process. For example, the attestation might indicate that the image has passed all required end-to-end functional testing in a staging environment." (Source 1.2, 1.4)

"After a container image is built, an attestation can be created to affirm that a required activity was performed on the image such as a regression test, vulnerability scan, or other test." (Source 1.5)

Option A correctly identifies the two necessary components for this deployment-time enforcement: Binary Authorization for policy enforcement and attestations to certify that the vulnerability scan (or other required check) has been completed and verified.

To configure the behavior where each department member automatically has read-only access to all new project resources created by any department member, you should use Google Cloud's folder structure and IAM roles effectively. Here are the steps:

Create Folders for Departments: Create a folder under your Organization for each department. Folders help organize resources and provide a hierarchy for applying policies and permissions.

Assign IAM Roles to Google Groups: Assign the Project Viewer role to the Google Group associated with each department at the folder level. This ensures that all members of the group have the necessary permissions.

Inherited Permissions: When a department member creates a new project under their department's folder, the permissions assigned to the folder are inherited by the new project. Thus, all department members will automatically have read-only access to the project's resources.

Navigate to IAM & Admin in the GCP Console.

Select "Folders" from the left-hand menu.

For each department, create a new folder under the organization.

Select the newly created folder, and then go to the "Permissions" tab.

Click on "Add" to assign a new role.

Enter the email address of the Google Group for the department.

Assign the "Project Viewer" role to the group.

Access Restrictions: Since the permissions are applied at the folder level, only the members of the specific department's Google Group will have read-only access to the projects created in that folder. Other departments will not have access unless explicitly granted.

By following these steps, you ensure that department members have the required access to their respective projects without manual configuration for each new project.

Google Cloud IAM Documentation

Google Cloud Resource Manager Documentation