Professional-Cloud-Security-Engineer Google Cloud Certified - Professional Cloud Security Engineer Questions and Answers

To prepare for migrating Google Cloud projects to a new organization node, it ' s crucial to ensure that the projects ' current configurations and dependencies are appropriately managed. The two necessary preparation steps are:

Identify inherited Identity and Access Management (IAM) roles on projects to be migrated (C):

Projects inherit IAM roles from their parent resources. Identifying these roles is essential to understand the permissions and access levels that users have on the projects. This will help in ensuring that after migration, the appropriate roles and permissions are applied correctly.

Remove the specific migration projects from any VPC Service Controls perimeters and bridges (E):

VPC Service Controls provide security boundaries around your Google Cloud resources to mitigate data exfiltration risks. Before migrating the projects, they need to be removed from any existing VPC Service Controls perimeters and bridges to prevent any disruption in access or network communication. After migration, the projects can be added back to the necessary perimeters.

References

Google Cloud IAM documentation

VPC Service Controls documentation

When dealing with VPC Service Controls (VPC SC), it ' s important to ensure that only authorized resources can access sensitive data and services. To allow a resource in Project B to access Pub/Sub in Project A without compromising security, you should configure an ingress policy for the service perimeter in Project A.

Identify the Service Account: Determine the service account in Project B that requires access to the Pub/Sub topic in Project A.

Configure Ingress Policy:

Go to the Google Cloud Console.

Navigate to Security > VPC Service Controls.

Select the service perimeter for Project A.

Add an ingress rule specifying the service account from Project B and allowing it access to the necessary Pub/Sub resources.

Define Conditions: Ensure that the ingress policy adheres to the principle of least privilege, granting only the necessary permissions to collect messages from the Pub/Sub topic.

Save and Apply: Save the policy and apply the changes to enforce the new access controls.

This approach maintains the security boundaries set by VPC SC while enabling the required access from Project B to Project A.

VPC Service Controls Documentation

Configuring Ingress Policies

To ensure that your organization’s record data is retained for at least seven years in Cloud Storage, you need to apply a retention policy and enable bucket lock. This prevents the policy from being altered or the data from being deleted before the retention period ends.

Identify Buckets: Determine which Cloud Storage buckets contain the record data that needs to be retained.

Apply Retention Policy:

Go to the Google Cloud Console and navigate to " Cloud Storage " .

Select the bucket you identified.

Go to the " Retention " tab and set a retention policy to retain objects for seven years.

Enable Bucket Lock:

Once the retention policy is set, you need to lock the bucket to make the retention policy permanent.

This is done by enabling the bucket lock. Go to the " Retention " tab and click " Lock " .

Confirm and Monitor:

Confirm that the bucket lock is applied.

Monitor the bucket using log-based alerts to ensure compliance.

To grant read access to a third-party disk image stored in an external Google Cloud organization so it can be deployed into a VPC Service Controls perimeter, you need to update the service perimeter to allow egress traffic from your projects to the external project.

Update the Service Perimeter:

Go to the Google Cloud Console, navigate to Security > VPC Service Controls.

Select the appropriate service perimeter that includes your image repository project.

Configure Egress Policy:

Within the perimeter settings, configure the egressTo field to allow traffic to the external project.

Set the identityType to ANY_IDENTITY to permit any principal to access the external project for this specific egress rule.

Specify External Project and Service:

In the egressFrom field, include the external Google Cloud project number as an allowed resource.

Set the serviceName to compute.googleapis.com to specifically allow access to the Compute Engine service in the external project.

This configuration permits your internal projects to read the disk image from the external project while maintaining the security boundaries established by the service perimeter.

VPC Service Controls Documentation

Configuring Service Perimeters

To ensure that Vertex AI Workbench Instances are automatically kept up-to-date and that users cannot alter operating system settings, implementing specific organization policies is essential.​

Option A: Enabling VM Manager and adding Compute Engine instances assists in managing and monitoring VM instances but does not enforce automatic updates or restrict user modifications to the operating system.​

Option B: Enforcing the disableRootAccess organization policy prevents users from gaining root access, thereby restricting unauthorized changes to the operating system. Additionally, the requireAutoUpgradeSchedule policy ensures that instances are automatically updated according to a defined schedule. Together, these policies maintain system integrity and compliance with update requirements.​

Option C: Assigning AI Notebooks Runner and AI Notebooks Viewer roles controls user permissions related to running and viewing notebooks but does not directly influence operating system settings or update mechanisms.​

Option D: Implementing firewall rules to prevent SSH access limits direct access to instances but does not ensure automatic updates or prevent alterations through other means.​

Therefore, Option B is the most appropriate action, as it directly addresses both the enforcement of automatic updates and the prevention of unauthorized operating system modifications.​

To ensure servers do not have any direct communication with the public internet, they must be configured without a public IP address.

VPC and Private Subnet: A Virtual Private Cloud (VPC) network provides the isolated, internal network structure. A subnet is the logical partition within the VPC.

Private IP Address: Assigning only a private IP address to the database servers ensures they can only communicate internally within the VPC (or connected on-premises networks) and cannot directly connect to or be connected from the public internet.

Extracts:

" Resources in a VPC network can be assigned two types of IP addresses: internal (private) and external (public). If a VM is not assigned an external IP address, it can only communicate internally with other resources in the VPC network... " (Source 6.1)

Option A and C involve assigning a public IP address, which violates the " no direct communication with the public internet " rule. Option D uses NAT to provide outbound internet connectivity, which also violates the requirement.

" Date shifting techniques randomly shift a set of dates but preserve the sequence and duration of a period of time. Shifting dates is usually done in context to an individual or an entity. That is, each individual ' s dates are shifted by an amount of time that is unique to that individual. "

The problem requires restricting admin access to Google Cloud APIs based on geographic location (Canada and Germany) and environment (development and production projects).

VPC Service Controls (VPC SC): VPC Service Controls is designed to create security perimeters around Google Cloud resources and services. Its primary purpose is to prevent data exfiltration and control access to Google Cloud APIs based on the context of the request, which includes the source IP address.

Extract Reference: " VPC Service Controls provides an extra layer of security defense for Google Cloud services that is independent of Identity and Access Management (IAM). While IAM enables granular identity-based access control, VPC Service Controls enables broader context-based perimeter security, including controlling data egress across the perimeter. " (Google Cloud Documentation: " Overview of VPC Service Controls " - https://cloud.google.com/vpc-service-controls/docs/overview)

Service Perimeters for Environments: Creating dedicated perimeters for development and production projects allows for logical separation of environments, which aligns with the " dedicated projects for development and production " structure.

Ingress Policies with Geographic Restrictions: VPC Service Controls uses " ingress rules " to define who and from where requests can enter a service perimeter. These ingress rules can be configured to allow access based on various attributes, including the source IP address of the request. By allowing access from specific IP ranges corresponding to Canada and Germany, you effectively restrict administrative access to APIs from those countries. You can define " access levels " (which can include IP subnets or geographical origins) and attach them to ingress policies.

Extract Reference: " To allow ingress to resources, VPC Service Controls evaluates sources and identityType attributes as an AND condition... You must specify an accessLevel or a resource (Google Cloud project or VPC network), or set accessLevel attribute to *. " (Google Cloud Documentation: " Ingress and egress rules | VPC Service Controls " - https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules)

Extract Reference (for Context-Aware Access which underpins access levels): " You can create different types of Context-Aware Access policies for accessing apps: IP, device, geographic origin, and custom access-level attributes. " (Google Workspace Admin Help: " Protect your business with Context-Aware Access " - https://support.google.com/a/answer/9275380) - While this references Workspace apps, the underlying mechanism of Access Context Manager (used by VPC SC) supports geographic restrictions.

Let ' s evaluate the other options:

A. Create dedicated firewall policies... restrict access based on geolocations: VPC firewall rules operate at the network level (Layers 3/4) within a VPC. They control traffic between VM instances or to/from the internet for network services. They do not directly control admin access to Google Cloud APIs (e.g., via the console or gcloud CLI calls) originating from outside the VPC.

B. Activate the organization policy on the folders to restrict resource location: The Resource Location Restriction organization policy constraint restricts where new resources can be created or stored (e.g., data residency requirements). It does not restrict where administrators can connect from to manage these resources or access APIs.

D. Create dedicated IAM Groups... Grant access: IAM (Identity and Access Management) controls who can access what resources and what actions they can perform. It does not natively provide control over where the access originates from (e.g., country-specific IP addresses).

Therefore, VPC Service Controls with properly configured ingress policies based on source IP/Access Levels is the recommended and most effective method for restricting admin access to Google Cloud APIs by geographic location and environment.

Assured Workloads for Google Cloud allows you to deploy regulated workloads with data residency, access, and support requirements. It helps you configure your environment in a manner that aligns with specific compliance frameworks and standards.

To ensure end-user access is only allowed if the traffic originates from a specific known good CIDR and to utilize GCP ' s native SYN flood protection, you can use the following product:

VPC Firewall Rules: By configuring VPC firewall rules, you can control traffic to and from your instances based on IP address, protocol, and port. You can set rules to only allow traffic from a specific CIDR block, ensuring that only authorized traffic can reach your application.

Additionally, Google Cloud Platform provides built-in protections against SYN flood attacks, which are a type of DDoS attack. These protections are part of the underlying infrastructure and do not require additional configuration.

Using VPC firewall rules will help you comply with the internal requirement of allowing access only from a specific CIDR and provide the necessary SYN flood DDoS protection.

References

Google Cloud VPC Firewall Rules

Google Cloud DDoS Protection

This question requires implementing fine-grained data access control across multiple services based on the Principle of Least Privilege.

Project/Service Access (IAM): Granting project-level group permissions with specific Cloud IAM roles (e.g., BigQuery Data Viewer) is the primary way to control who has access to which project ' s resources.

Data Isolation (Service-Specific): To ensure only relevant data is accessed and to protect sensitive information within the datasets, you must use the most granular control mechanism available for each service:

BigQuery: Authorized Views allow access to specific query results (subsets of data) without granting access to the underlying table.

Cloud Storage: Uniform bucket-level access simplifies and tightens security by forcing all access to be controlled by IAM, preventing accidental object-level exposure.

Cloud SQL: Database Roles are the native, most granular way to control access within the database itself (e.g., read-only access to specific tables).

Extracts (Conceptual Basis):

" The principle of least privilege dictates that users should only have the permissions necessary to perform their jobs. Granular access is enforced using a combination of IAM roles and service-native access controls. " (Source 5.1)

" For BigQuery, using authorized views is the standard way to limit data exposure to users who should only see a subset of data. " (Source 5.2)

Cloud NAT (Network Address Translation) enables instances in a private network to connect to external services while not exposing their internal IP addresses to the public internet. This solution helps in situations where VMs need to initiate outbound connections without having a public IP address:

Cloud NAT Setup: Configure Cloud NAT for the subnet where your VMs are located. This allows these VMs to use the NAT gateway to communicate with external services securely.

Network Security: By using Cloud NAT, the internal IP addresses of VMs remain private, reducing the attack surface and enhancing security.

Operational Continuity: VMs can continue to communicate with external sites as needed for operations without requiring public IP addresses, meeting both security and functional requirements.

References

Cloud NAT Documentation

Use Cloud Data Loss Prevention (DLP) with cryptographic hashing:

Cloud DLP allows you to de-identify sensitive data using several techniques, including cryptographic hashing.

Choose a suitable hashing algorithm like SHA-256 for non-reversible anonymization.

This method converts the original data into a fixed-length hash that does not preserve the original data ' s format or character set.

Set up a Cloud DLP job to scan your data sources, identify PHI, and apply the cryptographic hashing transformation.

https://cloud.google.com/confidential-computing/confidential-vm/docs/creating-cvm-instance#considerations

Confidential VM does not support live migration. You can only enable Confidential Computing on a VM when you first create the instance. https://cloud.google.com/confidential-computing/confidential-vm/docs/creating-cvm-instance

To use customer-supplied encryption keys (CSEK) for encrypting data on Cloud Storage, follow these steps:

Generate an Encryption Key: Generate a 256-bit AES encryption key. This key should be base64-encoded.

sh

Copy code

openssl rand -base64 32

Upload Object with CSEK: Use the gsutil command-line tool to upload the object to Cloud Storage, specifying the location of the encryption key using the -o option.

gsutil -o " GSUtil:encryption_key= < base64-encoded-key > " cp [LOCAL_OBJECT_PATH] gs://[BUCKET_NAME] /

Verify Encryption: After uploading the object, you can verify that it is encrypted using the provided CSEK by checking the object ' s metadata.

gsutil stat gs://[BUCKET_NAME]/[OBJECT_NAME]

Key Management: Ensure that the encryption key is securely stored and managed. It should not be hard-coded in scripts or applications.

By using the gsutil tool and specifying the encryption key, you ensure that the object is encrypted using the customer-supplied encryption key during the upload process.

Customer-Supplied Encryption Keys (CSEK) Documentation

gsutil Command Line Tool Documentation

Enable VPC Service Controls:

VPC Service Controls help mitigate the risk of data exfiltration by allowing you to define a security perimeter around GCP resources.

Set up a service perimeter around your BigQuery project to restrict data access to within the defined perimeter.

Create Access Levels:

In the Google Cloud Console, navigate to the Access Context Manager.

Define access levels based on IP address conditions, specifying the authorized source IP addresses that are allowed to access your BigQuery resources.

These access levels are used to enforce policies that restrict who can access your sensitive data based on their IP addresses.

Apply Service Perimeter with Access Levels:

Apply the created access levels to the service perimeter to ensure that only requests originating from the specified IP addresses are able to access BigQuery tables.

This setup ensures that the sensitive PII data is not accessible from unauthorized IP addresses, reducing the risk of data exfiltration.

Security Command Center (SCC) in Google Cloud provides several features to help organizations detect and respond to security threats and misconfigurations.

Event Threat Detection: This feature continuously monitors and analyzes system logs to detect potential threats such as crypto mining. It uses machine learning and threat intelligence to identify suspicious activities and generate alerts.

Security Health Analytics: This feature helps identify common misconfigurations and compliance violations that could impact security. It provides visibility into security posture and helps remediate issues related to misconfigurations in your Google Cloud environment.

By using both Event Threat Detection and Security Health Analytics, you can effectively monitor for crypto mining activities and detect common misconfigurations that could compromise security.

References

Security Command Center Documentation

Event Threat Detection

Security Health Analytics

The problem states that Google Cloud applications need to access external web services and requires the ability to monitor, control, and log this access.

Monitoring, Controlling, and Logging external web access: This specifically points to a proxy solution, which can intercept, inspect, and log HTTP/S traffic.

Secure Web Proxy (SWP): Google Cloud ' s Secure Web Proxy is designed for exactly this use case. It acts as an explicit forward proxy for HTTP(S) traffic, allowing organizations to implement granular access controls, inspect traffic for security threats, and log all outbound web requests from their Google Cloud environment.Extract Reference: " Secure Web Proxy is a managed service that lets you deploy and manage an explicit forward proxy to protect your organization ' s internal resources from web-based threats and to control access to external web applications. " and " With Secure Web Proxy, you can: Enforce granular access policies based on different attributes, Log all HTTP(S) requests that are handled by the proxy, and Monitor web traffic for threats. " (Google Cloud documentation: https://cloud.google.com/secure-web-proxy)

Let ' s evaluate the other options:

A. Configure VPC firewall rules to allow the services to access the IP addresses of required external web services: VPC firewall rules operate at Layer 4 (TCP/UDP) and Layer 3 (IP). While they can allow or deny traffic to specific IP addresses and ports, they cannot monitor, control, or log HTTP/S requests at the application layer. They don ' t provide granular control over which web services are accessed or inspect the content of the requests.

C. Configure Google Cloud Armor to monitor and protect your applications by checking incoming traffic patterns for attack patterns: Google Cloud Armor is primarily a Distributed Denial of Service (DDoS) protection and Web Application Firewall (WAF) service. It focuses on protecting applications from incoming threats (ingress traffic), not controlling and logging outgoing access to external web services.

D. Set up a Cloud NAT instance to allow egress traffic from your VPC: Cloud NAT allows instances without external IP addresses to connect to the internet. While it enables egress, it does not provide monitoring, control, or logging capabilities for specific web services at the application layer. It ' s a network address translation service, not an application-layer proxy.

Therefore, setting up a Secure Web Proxy is the most appropriate solution to meet the requirements of monitoring, controlling, and logging access to external web services from Google Cloud applications.

Packet Mirroring Setup: Configure Packet Mirroring in your Google Cloud VPC to capture traffic to and from specific VM instances. This allows you to analyze the traffic for security and compliance purposes.

Security Software: Use specialized security software to inspect the mirrored traffic. This software can detect invalid or malicious content in the IP packets.

Mirroring Configuration: Specify the instances, network, and traffic direction (ingress, egress, or both) to be mirrored. Ensure that the mirrored traffic is directed to an appropriate analysis destination.

Traffic Analysis: Continuously monitor and analyze the mirrored traffic for any signs of malicious activity or anomalies. Use the findings to enhance your security posture and respond to potential threats. References:

Google Cloud - Packet Mirroring

Google Cloud - Packet Mirroring Best Practices

The requirement to ensure the master encryption key material never leaves the on-premises hardware (HSM) and retaining the unilateral ability to revoke access are the defining features of Cloud External Key Manager (Cloud EKM).

Key Residency: Cloud EKM allows you to use encryption keys stored and managed in a supported external key management system, such as an on-premises HSM, for encrypting data in Google Cloud services like BigQuery and Cloud Storage. This ensures the key material remains in your accredited hardware.

Unilateral Control: Since Google Cloud must request the key from the external system for every encryption/decryption operation, revoking access (by disabling the key or revoking Google ' s access) in the external system immediately renders the data in Google Cloud inaccessible, granting the customer unilateral control.

Extracts:

" Cloud External Key Manager (Cloud EKM) is a cloud service that lets you encrypt data in Google Cloud with keys you manage outside of Google Cloud. " (Source 6.1)

" The key material is stored on an external system, such as a Cloud EKM partner or an on-premises HSM, and never leaves that system. " (Source 6.1)

" The customer can unilaterally revoke access to the key at the EKM system, making the encrypted data in Google Cloud inaccessible, which is a key requirement for highly regulated industries. " (Source 6.2)

Google Cloud Logging supports Field-level access control, which allows you to hide specific sensitive fields within a log entry from certain users while still allowing them to see the rest of the log entry.5 This is achieved using Log Views and IAM.

According to Google Cloud Documentation (Configuring field-level access):

" Field-level access control allows you to restrict access to specific fields of LogEntry objects. You can define which fields are sensitive (such as principalEmail) and then grant the logging.fieldAccessor role to specific users or groups.6 Users without this role will see the log entry, but the sensitive fields will be redacted or omitted from their view. "

Key Implementation Steps:

Identify Fields: Determine which paths in the JSON payload are sensitive.

Define Access: Use a Log View to define the scope of logs and apply field-level restrictions.7

Grant Permissions: Grant the standard logging.viewer role for general access and the logging.fieldAccessor role ONLY to the security team for the specific sensitive fields.

Why other options are incorrect:

B is incorrect: IAM conditions cannot natively parse and redact specific JSON fields within a log entry at the platform level; they are typically used for resource-level access.

C is incorrect: While excluding fields via a sink works, it is " all or nothing. " If you exclude it at the sink, no one (including the security team) will see that data in the destination.

D is incorrect: This is a workaround that only works if the team uses BigQuery for logs. It doesn ' t solve the problem within the Cloud Logging Logs Explorer itself.

To enhance the security of your microservices architecture on Google Kubernetes Engine (GKE) and ensure that only approved container images are deployed, implementing Binary Authorization is a robust solution.​

Option A: Enforcing Binary Authorization in your GKE clusters ensures that only container images that meet your organization ' s security policies are deployed. By integrating container image vulnerability scanning into your Continuous Integration/Continuous Deployment (CI/CD) pipeline, you can assess images for known vulnerabilities before they are deployed. Binary Authorization can be configured to use these vulnerability scan results to make policy decisions, effectively preventing the deployment of insecure images. This approach leverages managed services provided by Google Cloud, ensuring scalability and compliance with security standards.​

Option B: Developing custom organization policies to restrict deployments to images within a specific Artifact Registry project helps in controlling the source of images but does not inherently assess the security posture of those images. Without integrated vulnerability scanning and enforcement mechanisms, this approach may not fully mitigate the risk of deploying vulnerable images.​

Option C: Building a system using third-party vulnerability databases and custom scripts requires significant maintenance and may not integrate seamlessly with GKE. This approach can be error-prone and lacks the efficiency of managed services designed for this purpose.​

Option D: Automatically deploying new images upon successful CI/CD builds ensures rapid deployment but does not address the need for security assessments of the images. While setting up firewall rules is good practice, it does not prevent the deployment of potentially vulnerable images.​

Therefore, Option A is the most effective approach, as it utilizes Google Cloud ' s managed services to enforce security policies and integrate vulnerability assessments directly into the deployment process, ensuring that only approved and secure container images are deployed to your GKE clusters.​

Challenge:

Prevent common misconfigurations that expose services (e.g., MYSQL) to the public internet.

Hierarchical Firewall Policies:

These policies can be applied at the organization level to enforce consistent network security rules across all projects.

Solution:

Create a hierarchical firewall policy that allows connections only from internal IP ranges.

This policy ensures that services like MySQL are not exposed to 0.0.0.0/0 (the entire internet).

Steps:

Step 1: Define the hierarchical firewall policy at the organization level.

Step 2: Set the rule to allow traffic only from internal IP ranges.

Step 3: Apply the policy to all projects under the organization.

Benefits:

Centralized management of network security.

Prevents accidental exposure of services to the public internet, enhancing security.

To maintain proper security policies across numerous Google Cloud environments, especially with a large developer base and a small security team, it ' s crucial to implement automated and scalable security measures.​

Option A: While applying AI-recommended security posture templates can be beneficial, as of now, there isn ' t a specific predefined template for Gemini in Vertex AI within the Security Command Center.​

Option B: Publishing internal policies and guidelines is essential for promoting secure development practices but may not be sufficient alone to enforce or detect security policies.​

Option C: Implementing the principle of least privilege through Identity and Access Management (IAM) roles minimizes the risk of misconfigurations and unauthorized access by ensuring users have only the permissions necessary for their tasks.​

Option D: Applying organization policy constraints enforces specific configurations and restrictions across projects. Utilizing Security Health Analytics helps in detecting and monitoring deviations from these policies, providing automated insights into potential security issues.​

Option E: Using Cloud Logging to detect misconfigurations and triggering Cloud Run functions for remediation introduces complexity and may require significant maintenance, making it less practical for a small security team.​

Therefore, Options C and D are the most effective strategies. They provide automated enforcement and monitoring of security policies, aligning with the need for scalable solutions given the organization ' s size and resources.​

To ensure that only trusted container images are deployed on Cloud Run, you can implement Binary Authorization, which is a deploy-time security control that ensures only trusted images are used.

Set Up Binary Authorization:

Navigate to the Google Cloud Console.

Go to Security > Binary Authorization.

Configure the policy to include attestors that verify your trusted images.

Enable Binary Authorization on Cloud Run:

Go to the Cloud Run service.

Enable Binary Authorization on your existing Cloud Run services by selecting the appropriate Binary Authorization policy.

Set Organization Policy:

Go to the Organization Policies page in the Google Cloud Console.

Add a constraint for constraints/run.allowedBinaryAuthorizationPolicies.

Specify the list of allowed Binary Authorization policy names to enforce across your organization.

These steps ensure that any container image deployed on Cloud Run is validated against the specified Binary Authorization policies, preventing untrusted images from being deployed.

Binary Authorization Documentation

Enabling Binary Authorization on Cloud Run

Understanding Organization Policies:

Organization policies are rules that can be set at different levels of the resource hierarchy in GCP to enforce governance and compliance.

These policies can be set at the organization node, folders, and projects, and they are inherited down the hierarchy unless explicitly overridden.

Hierarchy and Policy Inheritance:

The provided resource hierarchy has an organization node (Example.com), folders (Folder 1 and Folder 2), and a project (Project 2) under Folder 2 with a specific VPC (VPC A).

Each node in the hierarchy can have its own policies, and these policies are inherited by child nodes unless overridden.

Analyzing the Policies in the Hierarchy:

Organization Node Policy:

json

Copy code

{ " constraint " : " constraints/compute.restrictLoadBalancerCreationForTypes " , " listPolicy " : { " allValues " : " DENY " } }

This policy at the organization node denies all load balancer types.

Folder 2 Policy:

json

Copy code

{ " constraint " : " constraints/compute.restrictLoadBalancerCreationForTypes " , " listPolicy " : { " deniedValues " : [ " INTERNAL_TCP_UDP " , " INTERNAL_HTTP_HTTPS " ] } }

This policy at Folder 2 denies the creation of INTERNAL_TCP_UDP and INTERNAL_HTTP_HTTPS load balancers.

Project 2 Policy:

json

Copy code

{ " constraint " : " constraints/compute.restrictLoadBalancerCreationForTypes " , " listPolicy " : { " deniedValues " : [ " EXTERNAL_TCP_PROXY " , " EXTERNAL_SSL_PROXY " ] } }

This policy at Project 2 denies the creation of EXTERNAL_TCP_PROXY and EXTERNAL_SSL_PROXY load balancers.

Policy Application to VPC A:

Since policies are inherited, VPC A (which is within Project 2 under Folder 2) will be affected by the policies of both Folder 2 and Project 2.

Combining the denied values from both Folder 2 and Project 2:

From Folder 2: INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS

From Project 2: EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY

Conclusion:

VPC A will have the following load balancer types denied: INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS, EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY.

The requirement to log access by Google personnel (e.g., Google administrators or support) is the specific function of Access Transparency.

Access Transparency logs provide records of actions taken by Google staff when they interact with your content, which is a requirement for many regulated industries. It is typically enabled at the Organization level to ensure consistent coverage, though it can be configured lower.

Extracts:

" Access Transparency logs provide records of actions taken by Google employees when accessing your data or configuration... Access Transparency allows you to monitor compliance with vendor access rules, including those for security and privacy. " (Source 9.1)

" Access Transparency is enabled for all supported Google Cloud services across your organization when enabled at the organization level. " (Source 9.2)

Option A and C (Data Access logs) record customer/user access to data, but do not record actions taken by Google personnel.

To ensure compliance with strict regulatory requirements for storing and processing sensitive patient data in the cloud, the following measures should be implemented:​

Assured Workloads: Deploying an Assured Workloads environment in an approved region ensures that data residency requirements are met by restricting data storage and processing to specific geographic locations. Assured Workloads provide predefined controls and configurations tailored to meet regulatory compliance needs.​

Access Approval: Configuring Access Approval ensures that certain administrative actions on patient data require explicit approval from designated compliance officers. This adds a layer of control over sensitive operations, aligning with the need for explicit approvals.​

Cloud Audit Logs and Access Transparency: Enabling Cloud Audit Logs provides a detailed record of actions taken on your data, supporting the requirement for auditability. Access Transparency logs offer visibility into Google ' s administrative access to your content, enhancing transparency and compliance.​

Therefore, Option C is the most appropriate choice, as it comprehensively addresses data residency, administrative control, and auditability requirements.​

Objective: Ensure private communication between application tiers in different GCP Organizations.

Solution: Use VPC peering to enable private communication without traversing the public internet.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the VPC Network Peering page.

Step 3: Create a new VPC peering connection in the project hosting the application tier.

Step 4: Specify the VPC network in the other organization (hosting the storage tier) to peer with.

Step 5: Accept the peering request in the other project.

Step 6: Configure the necessary routes and firewall rules to allow traffic between the peered VPC networks.

VPC peering allows you to connect two VPC networks privately and directly, ensuring that traffic between them does not traverse the public internet.

Titan Security Keys are a physical form of two-step verification (2SV) that provide the highest level of account security by using cryptographic signatures to verify the user and the URL of the login page.

Cryptographic Security: Titan Security Keys use a hardware-based cryptographic method to authenticate users, which is resistant to phishing attacks. This ensures that the authentication process is secure and not susceptible to being intercepted or spoofed.

URL Verification: Titan Security Keys verify the URL of the login page during the authentication process, providing an additional layer of security against phishing attempts that may try to redirect users to malicious websites.

Ease of Use: These keys are easy to use and integrate with Google ' s 2SV process, providing a seamless and highly secure authentication method for users.

References

Titan Security Keys

Use Cryptographic Verification If there is a risk of IAP being turned off or bypassed, your app can check to make sure the identity information it receives is valid. This uses a third web request header added by IAP, called X-Goog-IAP-JWT-Assertion. The value of the header is a cryptographically signed object that also contains the user identity data. Your application can verify the digital signature and use the data provided in this object to be certain that it was provided by IAP without alteration.

Access Google Cloud Console:

Log in to the Google Cloud Console with administrative privileges.

Navigate to the " IAM & Admin " section.

Set Session Length Timeout:

Go to the " Settings " page within IAM & Admin.

Locate the " Session control " settings.

Configure the session length timeout to a shorter duration, such as 15 or 30 minutes. This ensures that user sessions expire automatically after the specified time of inactivity.

Apply and Enforce the Policy:

Save the changes and ensure the new session timeout policy is applied across all users and services.

Communicate the new policy to employees, highlighting the importance of session security and the rationale behind the change.

Additional Security Measures:

Consider implementing additional measures such as automatic screen locks and secure session management practices.

Educate employees on the importance of logging out of their sessions and securing their devices when not in use.

Customer-Managed Encryption Keys (CMEK):

CMEK allows you to manage encryption keys using Cloud Key Management Service (KMS). This gives you control over the lifecycle of the keys, including rotation, destruction, and auditing.

Set up a Cloud KMS key ring and create encryption keys that will be used to protect your data in BigQuery, Cloud SQL, and Cloud Storage.

Configure the services to use CMEK for encrypting data at rest, ensuring compliance with your organization ' s security policies.

Cloud External Key Manager (EKM):

Cloud EKM allows you to use keys managed by an external key management provider to encrypt data in Google Cloud services.

Integrate your external key management system with Google Cloud using supported protocols and APIs.

Configure your data warehouse services to use the external keys for encryption, ensuring that key management is handled outside of the Google Cloud environment.

Key Access Justifications:

Enable Key Access Justifications to provide visibility into why encryption keys are being accessed. This helps in monitoring and auditing key usage to ensure compliance and security.

Set up policies and logging to capture and review key access requests, providing insights into how and why keys are used.

Access Transparency and Approval:

Implement Access Transparency to gain visibility into Google’s access to your data and encryption keys.

Configure Access Approval to require explicit approval for Google support or engineering access to your data, adding an additional layer of security and control.

To handle images containing personally identifiable information (PII) in chat logs while maintaining data utility, you can use Google Cloud ' s Data Loss Prevention (DLP) API. The DLP API provides capabilities to inspect and redact sensitive information from images. Here’s how you can use it:

Inspect Images: Use the DLP API to inspect images shared by customers for PII. This involves configuring the API to detect various types of sensitive information, such as names, social security numbers, and other PII.

Redact PII: Apply the redaction actions provided by the DLP API to remove or mask the PII in the images. The redaction can blur, mask, or replace sensitive information with placeholders, ensuring that the PII is not stored in the databases.

Store Redacted Images: Store the redacted images in your database for further analysis. This ensures that the sensitive information is not retained, addressing privacy concerns while still preserving the utility of the data for analysis.

By using the DLP API, the organization can effectively manage PII in customer-provided images, ensuring compliance with privacy regulations.

References

Cloud DLP Documentation

Redacting Sensitive Data with DLP API

This question combines two powerful security features: VPC Service Controls (VPC SC) for data exfiltration prevention and Context-Aware Access (CAA) for fine-grained user access based on context.

Contextual Requirement: Requiring a " company-managed device, " " specific location, " etc., is the function of Context-Aware Access (CAA), implemented via an Access Level.

Combining VPC SC and CAA: CAA policies can be integrated with VPC SC perimeters to enforce the context for access into the perimeter.

Evaluating Impact: To evaluate changes without blocking access, the entire VPC SC perimeter (including the new CAA rule) should be configured in dry run mode.

Extracts:

" Context-Aware Access (CAA) allows you to define and enforce granular access to Google Cloud resources based on user attributes like device security status, IP address (location), and identity. " (Source 3.1)

" When implementing a new security policy... it is best practice to initially configure the VPC Service Controls perimeter (including any associated Access Levels/Context-Aware Access) in dry run mode. Dry run mode allows you to test the perimeter ' s effect on services without blocking any access. " (Source 3.2)

" You can use an Access Level (the core component of CAA) to define the conditions for accessing resources protected by a Service Perimeter. " (Source 3.3)

To meet the requirements of encrypted communication over private IP addresses between Compute Engine instances in different Google Cloud organizations, a Cloud VPN connection is appropriate:

Cloud VPN: Cloud VPN creates a secure, encrypted tunnel between your organization ' s VPC network and the third party ' s VPC network. This ensures that data transmitted over the network is encrypted and secure.

Private IP Communication: Cloud VPN allows communication over private IP addresses, which helps maintain security by keeping traffic within the Google Cloud network and not exposing it to the public internet.

Firewall Rules: VPC firewall rules can be configured to control the traffic that flows through the VPN, ensuring that only authorized traffic is allowed, further enhancing security.

By setting up a Cloud VPN connection, you can achieve secure, encrypted communication over private IP addresses between different Google Cloud organizations.

References

Cloud VPN Overview

The requirement is to protect data while in use (meaning data in memory or CPU registers, during processing). This is a concept addressed by Confidential Computing using Trusted Execution Environments (TEEs).

Extracts:

" Confidential VMs are an IaaS solution... Confidential VMs offer: Encryption for ' data in use ' , including the processor state and the virtual machine ' s memory. " (Source 4.1)

" Confidential computing protects data during processing by isolating workloads inside hardware-based trusted execution environments (TEEs), ensuring even cloud operators cannot access them. " (Source 4.3)

" Confidential VMs extend the standard virtual machine concept by adding hardware-enforced confidentiality controls... they ensure data remains encrypted not only at rest and in transit, but also while in use. " (Source 4.4)

Options A (CMEK) and B (CSEK) protect data at rest (disk encryption). Option D (Shielded VM) protects integrity and prevents rootkit compromise but does not encrypt memory while the data is actively being processed. Only Confidential VM (or TEE) protects data in use.

To mitigate the risk posed by long-running Google Cloud CLI sessions, it is essential to enforce a reauthentication frequency. This ensures that users must periodically reauthenticate, reducing the window of opportunity for an attacker to exploit an open session. Setting the reauthentication frequency to one hour forces users to reauthenticate after this period, thereby limiting the duration an attacker can use a compromised session.

Access Google Cloud Console: Log in to your Google Cloud Console using your admin credentials.

Navigate to Security Settings: Go to the " Security " section of the Cloud Console.

Set Session Control: Under the session management settings, locate the " Reauthentication frequency " setting. This controls how often users must reauthenticate.

Configure Reauthentication Frequency: Set the reauthentication frequency to " 1 hour " . This configuration will force users to reauthenticate every hour, thus limiting the duration of each session.

Save Changes: Confirm and save your changes. This setting will now apply to all users, ensuring that open sessions are minimized to a duration of one hour.

To migrate the current data backup and disaster recovery solutions to GCP while keeping the production environment on-premises, the most scalable and cost-efficient solution is using Google Cloud Storage with scheduled tasks and the gsutil command.

Setup Cloud Storage: Create a Cloud Storage bucket to store the backups.

Go to the Cloud Console and navigate to Cloud Storage.

Click " Create bucket " and follow the prompts to configure the storage bucket.

Install gsutil: Ensure gsutil is installed on the on-premises servers.

gsutil is a command-line tool for interacting with Cloud Storage.

Follow the installation guide here.

Create Backup Script: Write a script to upload data to Cloud Storage using gsutil.

#!/bin/bash gsutil -m cp -r /path/to/local/backup gs://your-bucket-name

Schedule Backup Task: Use a scheduling tool like cron on Linux to run the backup script at regular intervals.

Edit the crontab file with crontab -e and add an entry like:

Cloud Storage Documentation

gsutil Documentation

Using Identity-Aware Proxy (IAP) for managing SSH access to private VMs ensures secure access control and avoids the need for public IPs. IAP allows you to enforce identity-based access control policies.

Enable IAP: Ensure that IAP is enabled for your project. This can be done via the Google Cloud Console under " Security " - > " Identity-Aware Proxy " .

Set Up Firewall Rule: Create a firewall rule to allow SSH traffic from the IAP IP ranges.

Navigate to " VPC network " - > " Firewall " .

Create a new rule allowing ingress traffic on port 22 (SSH) from the IAP IP ranges.

Assign IAP-Secured Tunnel User Role: Grant the roles/iap.tunnelResourceAccessor role to the administrators who need SSH access.

Go to " IAM & Admin " - > " IAM " .

Assign the IAP-Secured Tunnel User role to the relevant users or groups.

SSH Using IAP: Administrators can now use IAP to SSH into the instances. This can be done using the gcloud command:

gcloud compute ssh [INSTANCE_NAME] --tunnel-through-iap

https://cloud.google.com/kms/docs/ekm#how_it_works

- First, you create or use an existing key in a supported external key management partner system. This key has a unique URI or key path.

- Next, you grant your Google Cloud project access to use the key, in the external key management partner system.

- In your Google Cloud project, you create a Cloud EKM key, using the URI or key path for the externally-managed key.

Objective: You want to limit the images that can be used as the source for boot disks to a set of images stored in a dedicated project.

Solution: Use the Organization Policy Service.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the Organization Policies page.

Step 3: Create a new policy by clicking on " Create Policy " .

Step 4: Select the constraint compute.trustedimageProjects.

Step 5: Set the policy to ALLOW and specify the project ID where the trusted images are stored in the whitelist.

Step 6: Save and apply the policy.

By creating a compute.trustedimageProjects constraint at the organization level and specifying the trusted project in the allow list, you ensure that only images from this project can be used for boot disks across the organization.

The requirements necessitate a private, cross-project service-to-service connection with explicit authorization—a capability perfectly addressed by Private Service Connect (PSC).

Internal Load Balancer: Ensures the service is isolated from the internet (Layer 7 Load Balancer for HTTP/S ML endpoint).

Private Service Connect (PSC): Allows a service (the model endpoint, exposed via the internal load balancer) in one VPC/project (producer) to be securely consumed by other VPCs/projects (consumers) using an internal IP address.

Defined List of Projects: PSC enables Explicit authorization, allowing the producer to define the allowed list of consumers that can establish a connection, directly meeting the granular restriction requirement.

Extracts:

" Private Service Connect provides... Explicit authorization. Private Service Connect provides an authorization model that gives consumers and producers granular control. " (Source 2.4)

" Private Service Connect backends let Google Cloud load balancers send traffic through Private Service Connect to reach published services... Placing a load balancer in front of a managed service provides the consumer with more visibility and control... " (Source 2.4)

" Publish services by using Private Service Connect... Select the internal load balancer that hosts the service that you want to publish. " (Source 2.3)

https://cloud.google.com/vpc/docs/private-service-connect

An API bundle:

All APIs (all-apis): most Google APIs

(same as private.googleapis.com).

VPC-SC (vpc-sc): APIs that VPC Service Controls supports

(same as restricted.googleapis.com).

VMs in the same VPC network as the endpoint (all regions)

On-premises systems that are connected to the VPC network that contains the endpoint

Objective: Prevent users from creating projects while allowing only the DevOps team to create projects.

Solution: Modify IAM roles and permissions.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the IAM & Admin page.

Step 3: At the organizational level, find and remove all users from the Project Creator role.

Step 4: Create or identify a group for the DevOps team.

Step 5: Assign the Project Creator role to the DevOps team group at the organizational level.

By removing all users from the Project Creator role and granting it only to the DevOps team, you ensure that only the designated team can create projects.

Admin activity logs are always created to log entries for API calls or other actions that modify the configuration or metadata of resources. For example, these logs record when users create VM instances or change Identity and Access Management permissions.

https://gsuite.google.com/learn-more/security/security-whitepaper/page-1.html

Shared responsibility “Security of the Cloud” - GCP is responsible for protecting the infrastructure that runs all of the services offered in the GCP Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run GCP Cloud services.

To ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS) at the infrastructure-as-a-service (IaaS) level within Google Cloud, it ' s essential to have continuous monitoring and assessment tools that can detect deviations from compliance requirements.​

Option A: Creating data profiles and configuring Data Discovery jobs in Google Cloud Sensitive Data Protection focuses on identifying and analyzing sensitive data but does not directly address infrastructure compliance monitoring.​

Option B: Downloading the latest PCI DSS report from the Compliance Reports Manager provides a static compliance report but does not offer real-time detection of deviations within your specific environment.​

Option C: Utilizing Assured Workloads helps in creating environments that meet specific compliance requirements, but migrating existing projects into such folders does not actively detect deviations; it primarily ensures that new workloads comply with predefined policies.​

Option D: Activating Security Command Center (SCC) Premium and leveraging its Compliance Monitoring capabilities allows for continuous assessment of your Google Cloud environment against PCI DSS requirements. SCC can identify misconfigurations, vulnerabilities, and compliance violations in real-time, providing actionable insights to address any issues promptly.​

Therefore, Option D is the most effective approach to detect deviations at the IaaS level in preparation for a PCI DSS audit.​

To validate that all data written to BigQuery was done using the App Engine Default Service Account, you can use StackDriver Logging (now known as Cloud Logging) to filter and inspect the logs for BigQuery insert jobs. By hiding the entries matching the App Engine Default Service Account, you can ensure that no other service account has written to BigQuery if the resulting list is empty.

Steps:

Open Cloud Logging: Navigate to Cloud Logging in the Google Cloud Console.

Filter Logs: Apply a filter to display logs for BigQuery insert jobs.

Inspect Entries: Click on the email address that corresponds to the App Engine Default Service Account in the authentication field.

Hide Matching Entries: Select the option to hide matching entries.

Validate: Check if the resulting list is empty, confirming that no other service account has performed write operations to BigQuery.

By default, Vertex AI uses a " Service Agent " (a Google-managed service account) which often has broad permissions across the project. To achieve isolation and least privilege, you must use Custom Service Accounts for each training job.

According to Google Cloud Documentation (Use a custom service account for Vertex AI):

" When you perform custom training, you can configure Vertex AI to use a custom service account. This allows you to grant the job only the specific permissions it needs (e.g., access to a specific Cloud Storage bucket) rather than using the default service agent which may have broader access. This is the recommended practice for multi-tenant or highly regulated environments. "

Implementation Strategy:

Identity: Create a unique User-Managed Service Account (UMSA) for each specific training workload or team.

Permissions: Grant that UMSA the roles/storage.objectViewer (or Legacy Reader) only on the specific bucket containing the training data.

Job Config: When submitting the Vertex AI job, specify the serviceAccount field in the job request.

Why other options are incorrect:

A is incorrect: Using one custom service account for all jobs still doesn ' t provide isolation between the jobs themselves.

B and C are incorrect: These use the default service agent, which is shared across the project. If one job is compromised or misconfigured, it could potentially access data intended for other jobs because they share the same identity.

The problem ' s critical requirements are: centralized collection of all audit logs (including Data Access logs) from a production folder to a central BigQuery dataset, with long-term retention, and most importantly, the ability to intercept and override any project-level log sinks to prevent duplicate storage or misrouting.

Aggregated Log Sink at Folder Level: To centralize logs from all current and future projects within the " production folder, " an aggregated sink configured at the folder level is the correct approach. Logs generated in child projects will flow up to the folder level and be matched by this sink.

Extract Reference: " Aggregated exports allow you to export logs from multiple Google Cloud projects, folders, or your entire organization. An aggregated export can include all logs from all included resources, or you can use queries to include only specific logs. " (Google Cloud Documentation: " Route logs to supported destinations | Cloud Logging " - https://cloud.google.com/logging/docs/export/aggregated_exports)

Intercepting Sink (--intercept-logs / overrideDestinations): This is the crucial feature to meet the " intercept and override " requirement. When an aggregated sink is configured as an " intercepting " sink, any log entries that match its filter are immediately routed to its destination and are not processed by any lower-level sinks (e.g., project-level sinks). This ensures that logs are not inadvertently routed elsewhere and prevents duplicate storage.

Extract Reference: " An intercepting sink is an aggregated sink that, if it includes the overrideDestinations field set to true, stops matched log entries from propagating to lower-level sinks in the Cloud Logging resource hierarchy. " (Google Cloud Documentation: " Route logs to supported destinations | Cloud Logging " - https://cloud.google.com/logging/docs/export/aggregated_exports)

BigQuery Destination and IAM Permissions: BigQuery is specified as the long-term retention destination. The sink ' s writer_identity (a service account automatically created for the sink) needs appropriate IAM permissions (e.g., BigQuery Data Editor or BigQuery User) on the target BigQuery dataset to write logs.

Inclusion Filter for Audit Logs: An inclusion filter is necessary to ensure only the required audit logs, including Data Access logs (logName: " cloudaudit.googleapis.com " OR logName: " data_access " ), are routed.

Let ' s evaluate the other options:

A. Standard aggregated log sink... Logs Bucket Writer: A standard aggregated sink does not intercept or override lower-level sinks. Also, Logs Bucket Writer role is for Cloud Logging buckets, not BigQuery. The correct role would be for BigQuery.

B. Log sink in each production project: This is not a centralized solution and would require manual configuration for every project, which is inefficient and error-prone for " all current and future projects. " It also doesn ' t provide any override mechanism.

C. Aggregated log sink at the organization level... configure a log view: While an organization-level sink offers broad centralization, if the requirement is specifically for a production folder and not the entire organization, a folder-level intercepting sink is more targeted. A log view is for displaying logs, not for routing or overriding. The --include-children flag is implied for aggregated sinks but doesn ' t provide the intercepting behavior.

Therefore, creating an intercepting aggregated log sink at the production folder level, configured to send audit logs to BigQuery, is the precise solution to meet all the stated requirements, especially the crucial " intercept and override " condition.

To comply with GDPR requirements and manage encryption keys for workloads across multiple Google Cloud services, customer-managed encryption keys (CMEK) offer a suitable solution.

Customer-managed encryption keys (B):

CMEK allows you to create and manage encryption keys using Google Cloud Key Management Service (KMS). You maintain full control over the key lifecycle, including key rotation and destruction.

CMEK can be used with various Google Cloud services, such as Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub, ensuring consistent and compliant encryption across your environment.

Using CMEK, you can implement data protection by design, aligning with GDPR requirements by ensuring that encryption keys are appropriately managed and secured.

References

Customer-Managed Encryption Keys Documentation

Encryption at Rest in Google Cloud

For massive daily data transfers (250 TB) between cloud providers, traditional VPNs or routing through on-premises " hairpinning " are inefficient and costly. Cross-Cloud Interconnect is the architecturally correct solution for high-bandwidth, low-latency, and secure cloud-to-cloud connectivity.

According to Google Cloud Documentation (Cross-Cloud Interconnect Overview):

" Cross-Cloud Interconnect helps you establish high-bandwidth dedicated connectivity between Google Cloud and another cloud service provider (CSP) such as Microsoft Azure... It simplifies multi-cloud setup by providing a direct physical connection between Google ' s network and the other CSP ' s network. "

Calculation of Requirement:

Data Volume: 250 TB per day.

Time: 86,400 seconds (1 day).

Required Bandwidth: $250 \times 10^{12} \text{ bytes} \times 8 \text{ bits/byte} / 86,400 \text{ seconds} \approx 23.1 \text{ Gbps}$.

A standard VPN (Option B) typically caps out at 3 Gbps per tunnel, making it insufficient.

The existing 20Gbps Interconnect (Option C) is already used for on-premises data and would be overwhelmed by an additional 23.1 Gbps requirement, not to mention the latency of routing Azure traffic through an on-premises data center.

Why other options are incorrect:

B is incorrect: VPN throughput is insufficient for 250 TB/day and lacks the reliability of a dedicated circuit.

C is incorrect: Routing through on-premises (hairpinning) introduces unnecessary latency and would exceed the 20Gbps capacity of the existing Interconnect.

D is incorrect: SFTP over the public internet is neither efficient for petabyte-scale data nor as secure as a private interconnect.

The immediate goal is to improve password security and enforce the change due to a recent event. This is done through the Google Workspace Admin console, which controls the identity provider for Google Cloud users.

Improve Password Security: The most effective control is to Enforce strong password policy, which requires users to use long, complex, and unguessable passwords, addressing the core security weakness.

Immediate Enforcement: Checking the option to Enforce password policy at the next sign-in ensures that all current users are immediately prompted to change their weak passwords to ones that meet the new strong policy requirements.

Option C is based on the outdated security practice of frequent password expiration, which often leads to users choosing weaker, predictable passwords (e.g., Spring2025 - > Summer2025). The modern recommendation is strong passwords and multi-factor authentication, not frequent expiration.

Option A is a detective control, not a preventative measure to improve password strength.

Extracts:

" In the Google Workspace Admin console, you can require users to use passwords that meet a strong password policy. A strong password must meet minimum complexity requirements, such as a minimum length and a mix of characters. " (Source 6.1)

" After changing the password policy, you can select the option to Require all users to change their password at the next sign-in. This is the fastest way to enforce the new policy immediately across the organization. " (Source 6.2)

" Google Cloud ' s recommended security best practice for identity is to prioritize strong passwords and Multi-Factor Authentication (MFA) over frequent password expiry. " (Source 6.3)

The problem requires ensuring that only images that have passed vulnerability scanning and meet corporate policies are allowed to be deployed to GKE, with the process being automated and integrated into the existing CI/CD pipeline.

Binary Authorization: This Google Cloud service is purpose-built to enforce deployment policies on images before they are run on Google Kubernetes Engine (GKE), Cloud Run, and other deployable platforms. It acts as a policy gate that prevents the deployment of non-compliant images.

Extract Reference: " Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE), Cloud Run, and Anthos clusters. " and " With Binary Authorization, you can require images to be signed by trusted authorities and enforce validation policies during deployment. " (Google Cloud Documentation: " Binary Authorization overview " - https://cloud.google.com/binary-authorization/docs/overview)

Artifact Analysis (part of Container Analysis): Artifact Analysis (which includes Container Analysis) provides vulnerability scanning capabilities for container images stored in Artifact Registry. It generates findings and metadata about vulnerabilities.

Extract Reference: " Container Analysis is a service that scans your images for known vulnerabilities and provides metadata about them. " (Google Cloud Documentation: " Overview | Container Analysis " - https://cloud.google.com/container-analysis/docs/overview)

Binary Authorization can be configured to integrate with Artifact Analysis (or other attestors) to check for vulnerability scan results as part of its deployment policy.

Integration and Automation: Binary Authorization policies can require attestations before deployment. An attestation confirms that an image meets specific criteria (e.g., it has passed a vulnerability scan, it was signed by an approved CI/CD process, it adheres to corporate policies). Cloud Build can be configured to generate these attestations after a successful vulnerability scan (using Artifact Analysis). This fully automates the process and integrates directly into the CI/CD pipeline.

Extract Reference: " With Binary Authorization, you create a policy that enforces your requirements. The policy defines rules that govern deployment. For example, a policy can require all images to be signed by a trusted authority before deployment. " (Google Cloud Documentation: " Binary Authorization overview " - https://cloud.google.com/binary-authorization/docs/overview)

Let ' s evaluate the other options:

A. Custom script in Cloud Build... Fail the build: While scanning during the build is good practice (shift-left security), failing the build only prevents the image from being pushed. It doesn ' t prevent a developer or an automated process from manually deploying an old or non-compliant image that might already exist in Artifact Registry, or from bypassing the build system. The enforcement needs to happen at deployment time.

B. Configure GKE to use only images from a specific... trusted Artifact Registry repository. Manually inspect all images: Manually inspecting images is not automated and does not scale for a " large number of containerized applications. " It also doesn ' t programmatically enforce vulnerability scan results or corporate policies.

D. Enable Artifact Analysis vulnerability scanning and regularly scan images... Remove any images that do not meet... before deployment: This describes scanning and remediation, which are important. However, it ' s a reactive approach ( " remove any images " ) rather than a proactive enforcement ( " only images that... are allowed to be deployed " ). There ' s still a window where a non-compliant image could be deployed before it ' s removed. Binary Authorization is the enforcement gate.

Therefore, configuring Binary Authorization with a policy that integrates with Artifact Analysis (or requires attestations based on its findings) is the most robust, automated, and Google-recommended solution for enforcing deployment policies based on vulnerability scanning and corporate compliance.

To secure a container supply chain, you need two things: Visibility (Scanning) and Enforcement (Policy). Google Cloud provides Artifact Analysis (integrated with Artifact Registry) and Binary Authorization to solve this.

According to Google Cloud Documentation (Software Supply Chain Security):

" To secure your supply chain, use Artifact Registry with automatic vulnerability scanning to identify risks in your images. Then, use Binary Authorization to define a policy that requires images to be signed by trusted authorities (attestors) before they can be deployed to GKE or Cloud Run. This ensures that only images that have passed your security checks (like vulnerability scans) are allowed to run. "

How it works:

Scanning: Every time an image is pushed to Artifact Registry, it is automatically scanned for CVEs.

Attestation: A successful scan (e.g., no ' Critical ' vulnerabilities) triggers a CI/CD step to " Sign " the image (create an attestation).

Enforcement: The GKE admission controller (Binary Authorization) checks for this signature. If it ' s missing or invalid, the deployment is blocked.

Why other options are incorrect:

A is incorrect: Container Threat Detection is for runtime (after it ' s already running). Supply chain security is about pre-deployment prevention.

B is incorrect: While Grafeas/Kritis are the open-source foundations, Option D represents the managed Google Cloud services which " minimize management overhead. "

C is incorrect: Firewalls inspect network traffic, not the integrity or vulnerability status of the container image itself.

For " automatic discovery, redaction, or pseudonymization " of sensitive data, the specific product is Sensitive Data Protection (formerly known as Cloud Data Loss Prevention - DLP).10

According to Google Cloud Documentation (Sensitive Data Protection Overview):

" Sensitive Data Protection provides visibility into where PII exists in your organization. It allows you to automatically discover and classify data using over 150 predefined infoTypes (like SSN, Credit Card, etc.). Beyond discovery, it can redact (remove), mask (cover), or pseudonymize (replace with a token) the data so that it can be used for analysis without exposing the raw PII. "

Why other options are incorrect:

A is incorrect: Cloud Armor is a WAF; it doesn ' t scan data contents inside a database for PII.

C is incorrect: Encryption (KMS) protects the data from unauthorized disk access, but once an authorized user opens the database, the PII is still visible. It doesn ' t perform " redaction " or " pseudonymization. "

D is incorrect: While the DLP API is mentioned, this option focuses on Cloud Storage and alerts rather than the " redaction/pseudonymization " for analysis requested in the prompt. Option B is the comprehensive managed service approach.

To fulfill the requirements of preserving logs for 12 years and ensuring data residency within European boundaries, the best approach is to use Google Cloud ' s operations suite (formerly Stackdriver) with a custom log bucket configured in the desired region.

Configure Cloud Logging Agent:

Install and configure the Cloud Logging agent on your Compute Engine instances. This agent collects logs from your application and system and sends them to Google Cloud ' s operations suite.

Create a Custom Log Bucket:

In the Cloud Logging interface, create a custom log bucket in the EUROPE-WEST1 region. This bucket will store your logs and can be configured with a custom retention period.

Set Custom Retention Policy:

Configure the retention policy for the custom log bucket to 12 years. This ensures that all logs are preserved for the required duration.

Ship Logs to the Custom Log Bucket:

Modify the logging configuration to direct logs from the Cloud Logging agent to the custom log bucket. This can be done through the logging configuration settings in the Cloud Console or by updating the agent configuration files.

This solution minimizes overhead by using managed services and ensures cost-effectiveness by leveraging Cloud Logging ' s built-in capabilities for log storage and retention management.

References

Cloud Logging Documentation

Creating and Managing Logs Buckets

To allow a large number of users to access the GCP Console while keeping the existing Active Directory or LDAP server for identity management, use Google Cloud Directory Sync (GCDS).

Install GCDS:

Download and install Google Cloud Directory Sync from here.

Configure GCDS:

Set up the synchronization by specifying the LDAP server details and the Google domain.

Map the LDAP attributes to Google attributes to ensure user data is synchronized correctly.

Run Synchronization:

Perform an initial synchronization to populate the Google domain with existing users from the LDAP server.

Schedule regular synchronizations to keep the data up-to-date.

Benefits:

Automated Sync: Ensures that user data is consistently updated without manual intervention.

Secure Access: Users can log in to the GCP Console using their existing credentials, enhancing security and user experience.

Google Cloud Directory Sync Documentation

GCDS Administration Guide

To identify all principals who can change firewall rules, you need to determine which users or service accounts have permissions that allow them to modify firewall rules in your Google Cloud project. The correct permissions to check for this are compute.firewalls.create and compute.firewalls.delete. These permissions enable a user to create and delete firewall rules, respectively.

The Policy Analyzer tool in Google Cloud allows you to query and analyze IAM policies to identify which principals have specific permissions. By using Policy Analyzer, you can effectively identify all principals with the compute.firewalls.create and compute.firewalls.delete permissions.

Open Policy Analyzer: Go to the Google Cloud Console, navigate to IAM & Admin, and select Policy Analyzer.

Set Up Query: Create a new query specifying the permissions compute.firewalls.create and compute.firewalls.delete.

Run Query: Execute the query to retrieve a list of principals who have these permissions.

Review Results: Analyze the results to identify all users and service accounts with the capability to modify firewall rules.

This method ensures you have a comprehensive list of all principals who can change firewall rules, enhancing your audit and security posture.

Google Cloud Policy Analyzer Documentation

Google Cloud IAM Documentation

To delegate management of access control permissions to each business unit effectively, organizing projects into folders and assigning permissions to Google groups at the folder level allows for scalable and manageable access control. Using Google Cloud Directory Sync (GCDS) to synchronize users and groups from the on-premises directory service ensures that access controls are maintained and updated automatically as users change roles or leave the company.

Steps:

Organize Projects in Folders: Create a folder structure in the Google Cloud Resource Manager to organize projects by business unit.

Assign Permissions to Google Groups: Use IAM to assign necessary permissions to Google Groups at the folder level, ensuring each business unit can manage access controls for their own projects.

Synchronize Users and Groups: Use GCDS to sync users and group memberships from your on-premises directory service to Google Cloud Identity, ensuring that changes in the on-premises directory are reflected in Google Cloud.

Objective: Implement an encryption at-rest strategy that balances key management complexity and control for sensitive and non-sensitive data, ensuring FIPS 140-2 L1 compliance.

Solution: Use Google default encryption for non-sensitive data and Cloud Key Management Service (KMS) for sensitive data.

Steps:

Step 1: Store non-sensitive data using Google Cloud’s default encryption, which automatically encrypts data at rest without additional configuration.

Step 2: For sensitive data, use Cloud KMS to create and manage encryption keys.

Step 3: Configure key rotation policies for the keys managed by Cloud KMS to meet compliance requirements.

Step 4: Ensure that all data encryption keys used by Cloud KMS comply with FIPS 140-2 Level 1 standards.

By using Google default encryption for non-sensitive data and Cloud KMS for sensitive data, you can manage encryption efficiently while maintaining control over key residency and rotation for sensitive data.

The critical requirements are:

De-identify PII (protect individual privacy).

Retain original format and consistency (analytical integrity).

Avoid full irreversible deletion (the process must be reversible/re-identifiable).

Sensitive Data Protection (SDP), also known as Cloud DLP, is Google Cloud ' s specialized service for discovering, classifying, and de-identifying sensitive data. The specific de-identification technique that meets the need to retain the original format and consistency is Format-Preserving Encryption (FPE).

Extracts:

" Sensitive Data Protection supports several types of tokenization, including transformations that can be reversed, or ' re-identified. ' " (Source 5.3)

" Pseudonymization by replacing with cryptographic format preserving token (CryptoReplaceFfxFpeConfig)... Preserves format... Reversible transformations can be reversed to re-identify the sensitive data using the content.reidentify method. " (Source 5.3)

" Format Preserving Encryption (FPE) is an encryption algorithm that preserves the format of the original data set, but it replaces it with tokens that have no inherent meaning or value... FPE ensures the ciphertext maintains the same format (length, number of hyphens, etc.) as the original plaintext. " (Source 5.1)

FPE is necessary for analytical integrity when the structure/format (e.g., 9-digit SSN, 16-digit credit card number) is required for processing in downstream systems.

Cloud Identity-Aware Proxy (IAP) allows you to control access to your web applications running on Google Cloud. It ensures that only authenticated users who are part of a specified Google Group can access the application. Here’s how you can restrict access to in-progress sites using IAP:

Enable IAP: First, you need to enable Cloud IAP for your App Engine application. This will require configuring OAuth consent and setting up necessary permissions.

Create a Google Group: Create a Google Group that includes all the customers and company employees who should have access to the in-progress sites.

Configure Access: Configure IAP to allow access only to members of the created Google Group. This involves setting up the necessary IAP policies and ensuring that only authenticated users in the group can access the application.

By using IAP, you ensure that the access control is centrally managed and only authorized users can view the in-progress sites from any location.

References

Cloud Identity-Aware Proxy Documentation

Setting up IAP

Cloud NAT Service: Use Cloud NAT (Network Address Translation) to allow VM instances without external IP addresses to access the internet securely.

Configuration: Configure Cloud NAT for the subnets containing your VM instances. This setup allows the VMs to initiate outbound connections to the internet for updates and other necessary communications.

Security Compliance: By using Cloud NAT, you adhere to the security policy of not assigning external IP addresses to VMs while still enabling necessary internet connectivity. Cloud NAT provides a secure method for outbound internet traffic without exposing VMs directly to the public internet. References:

Google Cloud - Cloud NAT Overview

Google Cloud - Configuring Cloud NAT

The problem requires gaining " detailed visibility into changes to IAM policies, user activity, service account behavior, and access to sensitive projects " due to security inconsistencies.

Cloud Audit Logs: Cloud Audit Logs records administrative activities, data access, and system events across Google Cloud. These logs are the primary source of truth for tracking " who did what, where, and when " in your Google Cloud environment.

Extract Reference: " Cloud Audit Logs maintains the following audit logs for each project, folder, and organization: Admin Activity audit logs, Data Access audit logs, System Event audit logs, Policy Denied audit logs. "

Extract Reference: " Admin Activity audit logs contain log entries for API calls or other actions that modify the configuration or metadata of resources. Data Access audit logs record API calls that read the configuration or metadata of resources, as well as user-provided data. " (Google Cloud Documentation: " Cloud Audit Logs overview " - https://cloud.google.com/logging/docs/audit)

These logs directly capture:Changes to IAM policies: Recorded in Admin Activity logs.

User activity: Recorded in Admin Activity and Data Access logs.

Service account behavior: Actions performed by service accounts are logged in the same way as user actions.

Access to sensitive projects: Data Access logs, especially for sensitive data services, record access events.

Log Export Sinks: To gain " detailed visibility " and enable " correlation with other event sources, " these audit logs should be exported to a centralized Security Information and Event Management (SIEM) solution. Log sinks allow you to route logs from Cloud Logging to various destinations, including BigQuery, Cloud Storage, or Pub/Sub (which can then feed into a SIEM).

Extract Reference: " You can use sinks to route some or all of your logs to supported destinations. " and " Many security information and event management (SIEM) systems can ingest logs through Cloud Pub/Sub. " (Google Cloud Documentation: " Routing and storage overview | Cloud Logging " - https://cloud.google.com/logging/docs/routing-overview)

Let ' s evaluate the other options:

A. OS Config Management agent: This service manages operating system configurations, patching, and inventory on VMs. It is not designed to monitor or log IAM policy changes, user activity, or service account behavior within Google Cloud ' s IAM system.

B. Metrics Explorer in Cloud Monitoring: While Cloud Monitoring can provide some metrics related to service account authentication, it focuses on time-series data and operational health metrics. It does not provide the detailed, event-level audit records necessary for forensic analysis of IAM policy changes, specific user actions, or granular access events to sensitive data that Cloud Audit Logs offer.

D. Cloud Functions triggered by IAM policy changes + Policy Simulator: This describes a reactive automation pattern for some IAM changes. While useful for immediate alerting on risky modifications, it ' s a custom solution for a subset of the requirements. It doesn ' t inherently provide " detailed visibility " into all user activity or comprehensive service account behavior across all projects, nor does it replace the robust logging and correlation capabilities of a SIEM solution ingesting raw audit logs. Cloud Audit Logs are the fundamental data source this approach would rely on.

Therefore, leveraging Cloud Audit Logs and exporting them to a SIEM is the most comprehensive and recommended approach for gaining detailed visibility into IAM-related changes and activities across your Google Cloud organization.

The most effective way to address VM sprawl while enforcing consistent security baselines at the VM creation stage (VM lifecycle management) is through the use of immutable, hardened images built via an automated pipeline.

Centralized Image Management and Hardening: A Cloud Build pipeline is the standard way to automate the creation of " golden images. " The pipeline can install OS/packages, apply hardening scripts (e.g., CIS benchmarks), run vulnerability scans, and then store only the verified, secure images in a central registry. This centralizes control over the security baseline.

Enforcement: Instance Templates are the mechanism to standardize VM deployment. By configuring the templates to only point to the central registry of approved, hardened images, you ensure that every new VM spun up automatically adheres to the security baseline. This prevents teams from deploying unhardened or insecure images, solving the " VM sprawl " and " consistent security hardening " problem at its source.

Option A (SCC Posture Management) is a detective control that monitors after the VM is deployed; it does not prevent unhardened VMs from being created, which is the goal of lifecycle management.

Option D (VM Manager) is excellent for ongoing patching and updating of existing VMs, but it doesn ' t solve the initial problem of ensuring a secure, centralized, hardened image is used for creation (which is where the baseline is enforced).

Extracts:

" Golden images that are configured and used to create servers play a key role in allowing companies to scale securely. " (Source 1.2)

" Using an automated tool eradicates this issue. When engineers use images produced by [automated tools], the evidence is clear, as everything needed is pre-baked into the image. " (Source 1.2)

" An instance template is a convenient way to save a virtual machine (VM) instance ' s configuration that includes machine type, boot disk image... You can use an instance template to... Create individual VMs. " (Source 3.3)

The overall strategy described in Option B—automate hardening, scan, store, and enforce usage via templates—is the best practice for secure and compliant VM deployment at scale.

To ensure that Vertex AI Workbench Instances (formerly AI Platform Notebooks) are automatically updated and that users cannot modify operating system settings, it ' s crucial to implement organizational policies that enforce these requirements.

disableRootAccess Organization Policy:This policy prevents users from obtaining root access on virtual machines. By enforcing this policy, you ensure that users cannot make unauthorized changes to the operating system settings, maintaining the integrity and security of the instances.

requireAutoUpgradeSchedule Organization Policy:This policy mandates that virtual machines have an auto-upgrade schedule for their operating systems. By enforcing this policy, you ensure that instances are automatically kept up-to-date with the latest security patches and updates, reducing the risk of vulnerabilities.

Given the options:

Option A: Enabling VM Manager helps in managing updates and configurations but does not inherently prevent users from altering OS settings.

Option B: Enforcing the disableRootAccess and requireAutoUpgradeSchedule organization policies directly addresses both requirements: preventing unauthorized OS modifications and ensuring automatic updates.

Option C: Assigning specific roles controls user permissions but does not enforce OS-level restrictions or automatic updates.

Option D: Implementing firewall rules to prevent SSH access adds a layer of security but does not ensure automatic updates or prevent OS modifications through other means.

Therefore, Option B is the most effective approach, as it directly enforces the necessary policies to meet both requirements.

To restrict access to the MySQL instance to only the frontend application while other VMs are present in the subnets, creating an ingress firewall rule is the most appropriate approach. This rule will specifically allow traffic from subnet A (where the frontend application resides) to the MySQL instance in subnet B on port 3306, using network tags to target the specific MySQL VM.

Steps:

Create Network Tags: Apply a network tag (e.g., " data-tag " ) to the MySQL VM in subnet B.

Create Ingress Firewall Rule: Configure an ingress firewall rule with the following settings:

Source IP Range: Subnet A ' s IP range.

Target Tag: " data-tag " .

Allowed Protocol/Ports: TCP:3306 (for MySQL).

This setup ensures that only instances in subnet A can communicate with the MySQL instance on port 3306.

A. Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue:

Use Cloud Build to automate your CI/CD pipeline.

Integrate Container Analysis to scan container images for vulnerabilities during the build process.

If vulnerabilities are found, configure the build to fail, preventing deployment of insecure containers.

E. In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster:

Use Binary Authorization to enforce deploy-time security policies.

Configure your CI/CD pipeline to generate attestations for container images that pass vulnerability scans.

Binary Authorization will then block deployments of any containers without valid attestations, ensuring only secure images are deployed.

When using Google Cloud ' s Platform-as-a-Service (PaaS) offerings like App Engine, Google manages the infrastructure, including the underlying OS, runtime, and scaling. However, securing the application code itself, such as defending against cross-site scripting (XSS) and SQL injection (SQLi) attacks, remains the responsibility of the user. This involves implementing secure coding practices, validating inputs, and employing appropriate security measures within the application.

In Google Cloud ' s Logging service, log entries are automatically routed to the _Default log bucket unless configured otherwise. When you create a new log bucket and intend to redirect all log entries from the _Default bucket to this new bucket, the most efficient approach is to modify the existing _Default sink to point to the new log bucket.​

Option A: Creating a new user-defined sink with filters replicated from the _Default sink is redundant and may lead to configuration complexities.​

Option B: Implementing exclusion filters on the _Default sink and then creating a new sink introduces unnecessary steps and potential for misconfiguration.​

Option C: Disabling the _Default sink would stop all log routing to it, but creating a new sink to replicate its functionality is inefficient.​

Option D: Editing the _Default sink to change its destination to the new log bucket ensures a seamless transition of log routing without additional configurations.​

Therefore, Option D is the most efficient and straightforward method to achieve the desired log routing.​

Workforce Identity Federation is the modern, Google-recommended way to grant external partners access to Google Cloud resources using their own identity provider (IdP). This avoids the " Identity Lifecycle Management " burden of creating guest accounts in your own directory.

According to Google Cloud Documentation (Workforce Identity Federation Overview):

" Workforce Identity Federation lets you use an external identity provider (IdP) to authenticate and authorize a workforce—a group of users, such as employees, partners, and contractors—so that the users can access Google Cloud services. With Workforce Identity Federation, you don ' t need to synchronize user identities from your existing IdP to Google Cloud identities. "

Advantages of this approach:

Syncless: You don ' t create or manage partner accounts in your Cloud Identity/Workspace (eliminating Option C).

Security: If a partner employee leaves their company, their access to your Google Cloud database is automatically revoked when their home IdP account is disabled.

Scoped Access: You grant IAM roles (like roles/cloudsql.client) specifically to the Workforce Pool or specific groups within that pool, ensuring they can ' t touch other resources.

Why other options are incorrect:

A is incorrect: Public IPs are a major security risk and don ' t provide centralized identity governance.

B is incorrect: You cannot " grant access " to accounts in another organization ' s Cloud Identity directly in a secure, manageable way for production databases without federation.

https://cloud.google.com/logging/docs/access-control#considerations roles/logging.privateLogViewer (Private Logs Viewer) includes all the permissions contained by roles/logging.viewer, plus the ability to read Data Access audit logs in the _Default bucket.

Enable the compute.restrictXpnProjectLienRemoval organization-level policy constraint:

This constraint prevents users from removing liens from Shared VPC host projects.

By enabling this constraint, you ensure that the Shared VPC host project cannot be accidentally deleted, as liens prevent deletion without proper authorization.

Apply this constraint via the Google Cloud Console or using the gcloud command-line tool.

Create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.

https://cloud.google.com/security/compliance/iso-27017

To implement a Zero Trust architecture that evaluates device posture (OS version, encryption, etc.) for access to data in Cloud Storage, you must use Context-Aware Access (CAA). CAA relies on Access Context Manager to define " Access Levels " and VPC Service Controls (VPC-SC) to enforce those levels for managed services like Cloud Storage.

According to Google Cloud Documentation (Context-Aware Access with VPC Service Controls):

" VPC Service Controls can use Access Context Manager access levels to restrict access based on a variety of attributes, including user identity, device security status (device policy), and IP address.2 By applying an access level to a service perimeter, you can ensure that only requests meeting those specific contextual requirements can access the resources within that perimeter. "

Implementation Steps:

Access Context Manager: Create an access level that checks for device management status, minimum OS version, and other posture requirements (verified by the Chrome Enterprise/Endpoint Verification agent).

VPC Service Controls: Create a service perimeter around the project containing the Cloud Storage buckets.

Policy Binding: Associate the Access Level with the VPC-SC perimeter. Any request that doesn ' t meet the device policy (e.g., outdated OS) will be blocked at the API layer, even if the user has the correct IAM roles.

The requirement is to establish a network security boundary around a specific service (BigQuery) for resources in a Folder, while allowing the team to manage that boundary. This is the definition of using VPC Service Controls (VPC SC) with scoped policies.

VPC Service Controls (VPC SC): Used to create a service perimeter (a security boundary) around BigQuery and other Google Cloud services, which restricts API access.

Scoped Policy on the Folder: This enforces the boundary exactly at the required Folder level, as opposed to the organization level.

Access Context Manager Editor Role: Access Context Manager is the service that manages VPC SC policies (Service Perimeters and Access Levels). Granting this role on the scoped policy allows the data analytics team to fulfill the requirement to " control the restrictions. "

Extracts (Conceptual Basis for VPC SC and Scoped Policies):

" Private Service Connect provides... Explicit authorization. Private Service Connect provides an authorization model that gives consumers and producers granular control, ensuring that only the intended service endpoints and no other resources can connect to a service. " (Source 2.4 - VPC SC and PSC share a core architectural concept of explicit, service-oriented boundaries)

Option B is the technical implementation that matches the requirements: using a VPC SC service perimeter (for service restriction) applied as a scoped policy on the folder (for resource hierarchy scope) with Access Context Manager Editor (for team management/control).

To comply with FIPS 140-2 for the messaging app, you need to ensure that both data at rest and data in transit are encrypted according to the standard. Using customer-managed encryption keys (CMEK) ensures that you have control over the encryption keys, and BoringSSL is a library that meets FIPS 140-2 standards for encrypting data in transit.

Steps:

Encrypt Local SSDs: Modify the instance template for the Managed Instance Group (MIG) to use customer-managed encryption keys (CMEK) for encrypting Local SSDs.

Enable BoringSSL: Update the application to use the BoringSSL library for all instance-to-instance communication to ensure that all data in transit is encrypted according to FIPS 140-2 standards.

To monitor and get notified in case the script causing the Compute Engine instance to crash is executed again, you should create an Alerting Policy in Stackdriver (now known as Google Cloud Monitoring). The Process Health condition can be set to monitor the number of executions of the script and ensure it remains below the desired threshold. By enabling notifications, you will be alerted if this threshold is exceeded.

Step-by-Step:

Log Script Executions: Ensure that the script execution is logged.

Create a User-Defined Metric: Go to Google Cloud Console > Logging > Logs-based Metrics, and create a new user-defined metric that counts the number of times the script executes.

Set Up Alerting Policy:

Navigate to Google Cloud Console > Monitoring > Alerting.

Click on “Create Policy”.

Add a condition and select “Logs-based Metric”.

Configure the condition to trigger when the number of script executions exceeds the threshold.

Configure Notifications: Add notification channels (email, SMS, etc.) to the alerting policy.

Save and Test: Save the policy and test to ensure notifications are received when the script is executed beyond the threshold.

Google Cloud Logging User-defined Metrics

Google Cloud Monitoring Alerting Policies

The problem requires restricting the types of Google Cloud services that can be deployed within specific folders to enforce compliance, without affecting other parts of the resource hierarchy, using the most efficient and simple method.

Organization Policies: Organization policies allow you to define centralized, programmatic controls over your Google Cloud resources. They apply hierarchically, meaning a policy set on a folder applies to all projects and resources within that folder and its descendants.

Restrict Resource Service Usage Constraint: This specific organization policy constraint is designed precisely for controlling which Google Cloud services can be used (and thus deployed/created resources for) within a given part of the resource hierarchy. It supports both allowlists and denylists of service API identifiers.

Extract Reference: " The Restrict Resource Service Usage constraint controls the runtime access to all in-scope resources. " and " This constraint can be used in two mutually exclusive ways: Denylist - resources of any service that isn ' t denied are allowed. Allowlist - resources of any service that isn ' t allowed are denied. " (Google Cloud Documentation: " Restricting resource usage | Resource Manager Documentation " - https://cloud.google.com/resource-manager/docs/organization-policy/restricting-resources)

Folder-Level Application: Applying this organization policy at the folder level directly meets the requirement of applying restrictions " only to the designated folders without affecting other parts of the resource hierarchy. " This is more efficient and simpler than applying a global policy with numerous exceptions.

Let ' s evaluate the other options:

B. Implement IAM conditions on service account creation within each folder: IAM conditions control permissions for who can do what. While they can be used for very fine-grained access control, they are not designed to restrict the types of services that can be deployed directly. Controlling service account creation doesn ' t prevent a user with appropriate permissions from deploying other resources.

C. Create a global organization policy... and apply exceptions: While technically possible, this is less efficient and simple if the goal is to only restrict specific folders. Managing exceptions for the entire rest of the organization would be more complex than simply applying the policy directly where it ' s needed.

D. Configure VPC Service Controls perimeters around each folder: VPC Service Controls primarily prevent data exfiltration and restrict API access at a network perimeter level. They are not designed to restrict which types of Google Cloud services can be deployed within a project or folder; rather, they control how allowed services interact with each other and with external endpoints.

Therefore, creating an organization policy with the " Restrict Resource Service Usage " constraint at the folder level is the most efficient, simple, and direct method to achieve the stated goal.

To ensure that a Compute Engine instance does not have access to the internet or to any Google APIs or services, you need to disable the following settings:

Public IP: Disabling the public IP address ensures that the instance does not have a direct connection to the internet. Without a public IP address, the instance cannot be accessed from or communicate with the internet directly.

Private Google Access: Disabling Private Google Access ensures that the instance does not have access to Google APIs and services through the internal Google network. Private Google Access allows instances without a public IP to reach Google APIs and services using private IP addresses, but disabling it will block this path.

Disabling these settings will effectively isolate the instance from both the public internet and Google ' s internal API services.

References

Google Cloud VPC Documentation - Overview

Configuring Private Google Access

Compute Engine Network Overview

To meet data residency requirements on Google Cloud, the recommended option is to use Organization Policy Service constraints. This service allows you to define and enforce specific constraints across your organization, including constraints related to the geographical location where data is stored.

Organization Policy Service constraints allow administrators to enforce policies that restrict resources to specific locations. For instance, you can set policies to ensure that all storage buckets, databases, and other data resources reside within specific geographic boundaries. This helps in complying with data residency requirements.

References

Organization Policy Service documentation

Google Cloud Data Residency

Managing IAM permissions at the KeyRing level is more efficient and scalable compared to managing them at the individual Key level. By creating a single KeyRing and placing all encryption keys within it, you can apply uniform IAM permissions to the entire KeyRing, simplifying the management of permissions.

Steps:

Create a KeyRing: Set up a single KeyRing in Cloud KMS for all the encryption keys required for the persistent disks.

Create Encryption Keys: Generate the necessary encryption keys within this KeyRing.

Set IAM Permissions: Assign IAM roles and permissions to the KeyRing to manage access control at this level, ensuring that all keys within the KeyRing inherit these permissions.

To handle significant traffic spikes and potentially malicious IPs, you can use Google Cloud Armor to configure rate-based bans. This approach allows you to automatically ban clients that exceed a predefined request rate, protecting your application from potential denial-of-service attacks.

Access Google Cloud Console: Log in to your Google Cloud Console.

Navigate to Google Cloud Armor: Go to the " Security " section and select " Google Cloud Armor " .

Create Security Policy: Create a new security policy or edit an existing one. Add a new rule to the policy.

Configure Rate-Based Ban: Set the action to rate_based_ban. Define the rate limit (e.g., requests per second) and set the ban_duration_sec parameter to the desired time interval.

Apply the Policy: Apply the security policy to your backend service or load balancer.

Monitor and Adjust: Monitor the traffic patterns and adjust the rate limits and ban durations as necessary to balance security and availability.

Disable service account key creation You can use the iam.disableServiceAccountKeyCreation boolean constraint to disable the creation of new external service account keys. This allows you to control the use of unmanaged long-term credentials for service accounts. When this constraint is set, user-managed credentials cannot be created for service accounts in projects affected by the constraint. https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#example_policy_boolean_constraint