Selected Professional-Cloud-Security-Engineer Google Cloud Certified Questions Answers

For "automatic discovery, redaction, or pseudonymization" of sensitive data, the specific product is Sensitive Data Protection (formerly known as Cloud Data Loss Prevention - DLP).10

According to Google Cloud Documentation (Sensitive Data Protection Overview):

"Sensitive Data Protection provides visibility into where PII exists in your organization. It allows you to automatically discover and classify data using over 150 predefined infoTypes (like SSN, Credit Card, etc.). Beyond discovery, it can redact (remove), mask (cover), or pseudonymize (replace with a token) the data so that it can be used for analysis without exposing the raw PII."

Why other options are incorrect:

A is incorrect: Cloud Armor is a WAF; it doesn't scan data contents inside a database for PII.

C is incorrect: Encryption (KMS) protects the data from unauthorized disk access, but once an authorized user opens the database, the PII is still visible. It doesn't perform "redaction" or "pseudonymization."

D is incorrect: While the DLP API is mentioned, this option focuses on Cloud Storage and alerts rather than the "redaction/pseudonymization" for analysis requested in the prompt. Option B is the comprehensive managed service approach.

To investigate and remediate the issue of public access to Cloud Storage buckets, you can follow these steps:

Change Bucket Permissions:

Navigate to the Cloud Storage section in the Google Cloud Console.

For each affected bucket, remove any public access permissions (e.g., removing allUsers or allAuthenticatedUsers from the IAM policy).

Ensure that only authorized users have the necessary permissions to access the buckets.

Query Data Access Audit Logs:

Go to the Logging section in the Google Cloud Console.

Query the audit logs for the affected buckets to identify any unauthorized access. You can use filters to search for access by unauthorized users.

Correct the Misconfiguration:

After correcting the permissions, mute the relevant findings in the Security Command Center to indicate that the issue has been resolved.

This helps in maintaining a clear view of ongoing security issues and ensures the findings are not flagged again unless there's a new occurrence.

By following these steps, you ensure that the buckets are no longer publicly accessible, investigate any potential unauthorized access, and update the Security Command Center status to reflect the resolution of the issue.

Cloud Storage IAM Permissions

Viewing Audit Logs

Security Command Center Documentation

Objective: Ensure private communication between application tiers in different GCP Organizations.

Solution: Use VPC peering to enable private communication without traversing the public internet.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the VPC Network Peering page.

Step 3: Create a new VPC peering connection in the project hosting the application tier.

Step 4: Specify the VPC network in the other organization (hosting the storage tier) to peer with.

Step 5: Accept the peering request in the other project.

Step 6: Configure the necessary routes and firewall rules to allow traffic between the peered VPC networks.

VPC peering allows you to connect two VPC networks privately and directly, ensuring that traffic between them does not traverse the public internet.

Uniform Bucket-Level Access: Enable uniform bucket-level access for all your Cloud Storage buckets. This feature ensures that access control is applied consistently at the bucket level, simplifying management and improving security.

Domain Restricted Sharing: Enforce domain-restricted sharing through an organization policy. This policy ensures that only users within your organization’s domain can access the data in the buckets, preventing public exposure.

Policy Enforcement: Apply the necessary IAM policies and ensure that no buckets are configured to allow public access. This combination of settings ensures that data in Cloud Storage buckets remains private and accessible only to authorized users within your organization. References:

Google Cloud - Uniform Bucket-Level Access

Google Cloud - Organization Policy Service