Pass the Google Google Cloud Certified Professional-Cloud-Security-Engineer Questions and answers with CertsForce

To protect your web application from threats like malware by implementing TLS interception for incoming traffic, configuring a Secure Web Proxy with TLS offloading at the load balancer is an effective approach.​

Option A: By configuring a Secure Web Proxy, you can offload TLS traffic at the load balancer, inspect the decrypted traffic for threats such as malware, and then forward the inspected traffic to your web application. This approach ensures that encrypted traffic is securely analyzed without compromising the security of the data in transit.​

Option B: An internal proxy load balancer is designed for distributing traffic within a private network and may not support TLS interception capabilities required for inspecting incoming traffic from external sources.​

Option C: Hierarchical firewall policies in Google Cloud are used to enforce security rules across your organization but do not provide TLS interception capabilities.​

Option D: VPC firewall rules control traffic to and from VM instances based on specified rules but do not have the capability to perform TLS interception or traffic inspection.​

Therefore, Option A is the most suitable solution, as it allows for TLS interception through a Secure Web Proxy, enabling the inspection of incoming encrypted traffic to detect and mitigate threats like malware before the traffic reaches your web application.​

Google Cloud customers with additional requirements for encryption of data over WAN can choose to implement further protections for data as it moves from a user to an application, or virtual machine to virtual machine. These protections include IPSec tunnels, Gmail S/MIME, managed SSL certificates, and Istio. https://cloud.google.com/docs/security/encryption-in-transit

The requirement is to protect data while in use (meaning data in memory or CPU registers, during processing). This is a concept addressed by Confidential Computing using Trusted Execution Environments (TEEs).

Extracts:

"Confidential VMs are an IaaS solution... Confidential VMs offer: Encryption for 'data in use', including the processor state and the virtual machine's memory." (Source 4.1)

"Confidential computing protects data during processing by isolating workloads inside hardware-based trusted execution environments (TEEs), ensuring even cloud operators cannot access them." (Source 4.3)

"Confidential VMs extend the standard virtual machine concept by adding hardware-enforced confidentiality controls... they ensure data remains encrypted not only at rest and in transit, but also while in use." (Source 4.4)

Options A (CMEK) and B (CSEK) protect data at rest (disk encryption). Option D (Shielded VM) protects integrity and prevents rootkit compromise but does not encrypt memory while the data is actively being processed. Only Confidential VM (or TEE) protects data in use.

App Engine ingress firewall rules are available, but egress rules are not currently available. Per requirements 1.2.1 and 1.3.4, you must ensure that all outbound traffic is authorized. SAQ A-EP and SAQ D–type merchants must provide compensating controls or use a different Google Cloud product. Compute Engine and GKE are the preferred alternatives. https://cloud.google.com/solutions/pci-dss-compliance-in-gcp

To enforce Data Residency at a platform level, Google Cloud provides the Resource Locations Organization Policy (constraints/gcp.resourceLocations).6 This is the authoritative way to prevent resources (like GKE clusters, Persistent Disks, or Cloud Storage buckets) from being created outside of a specific region.

According to Google Cloud Documentation (Organization Policy - Resource Locations):

"The Resource Locations constraint allows you to define the allowed locations (regions or multi-regions) for all supported Google Cloud services.7 By setting this policy at the project or folder level, you ensure that no user—regardless of their IAM permissions—can create resources in any region other than the one specified (e.g., europe-west4)."

Why this is the best solution:

Preventative: It blocks the API call itself if a user tries to deploy elsewhere.

Efficient: It applies to all services within the project without needing custom code (like Option D) or manual reviews (Option B).

Compliance-focused: It provides a clear audit trail and hard guarantee for compliance officers.

https://cloud.google.com/vpc/docs/packet-mirroring

Packet Mirroring clones the traffic of specified instances in your Virtual Private Cloud (VPC) network and forwards it for examination. Packet Mirroring captures all traffic and packet data, including payloads and headers.

To enforce access control policies for applications and resources in Google Cloud, the recommended service is Identity-Aware Proxy (IAP).

Identity-Aware Proxy (IAP):

IAP allows you to control access to your applications and resources based on the identity of the user and the context of the request. It integrates with IAM to provide fine-grained access control, ensuring that only authorized users can access specific resources.

IAP helps enforce security policies at the application layer, providing an additional layer of protection beyond traditional network-based security measures.

References

Identity-Aware Proxy documentation

https://cloud.google.com/network-intelligence-center/docs/firewall-insights/concepts/overview#shadowed-firewall-rules

Firewall Insights analyzes your firewall rules to detect firewall rules that are shadowed by other rules. A shadowed rule is a firewall rule that has all of its relevant attributes, such as its IP address and port ranges, overlapped by attributes from one or more rules with higher or equal priority, called shadowing rules.

To ensure that Vertex AI Workbench Instances (formerly AI Platform Notebooks) are automatically updated and that users cannot modify operating system settings, it's crucial to implement organizational policies that enforce these requirements.

disableRootAccess Organization Policy:This policy prevents users from obtaining root access on virtual machines. By enforcing this policy, you ensure that users cannot make unauthorized changes to the operating system settings, maintaining the integrity and security of the instances.

requireAutoUpgradeSchedule Organization Policy:This policy mandates that virtual machines have an auto-upgrade schedule for their operating systems. By enforcing this policy, you ensure that instances are automatically kept up-to-date with the latest security patches and updates, reducing the risk of vulnerabilities.

Given the options:

Option A: Enabling VM Manager helps in managing updates and configurations but does not inherently prevent users from altering OS settings.

Option B: Enforcing the disableRootAccess and requireAutoUpgradeSchedule organization policies directly addresses both requirements: preventing unauthorized OS modifications and ensuring automatic updates.

Option C: Assigning specific roles controls user permissions but does not enforce OS-level restrictions or automatic updates.

Option D: Implementing firewall rules to prevent SSH access adds a layer of security but does not ensure automatic updates or prevent OS modifications through other means.

Therefore, Option B is the most effective approach, as it directly enforces the necessary policies to meet both requirements.