Pass the Google Google Cloud Certified Professional-Cloud-Security-Engineer Questions and answers with CertsForce

To ensure that PII data is separated from non-PII data, using Cloud Pub/Sub and Cloud Functions to trigger a scan by the Data Loss Prevention (DLP) API is an effective approach. This method allows for automated detection and handling of PII.

Steps:

Set Up Cloud Pub/Sub: Configure a Cloud Pub/Sub topic to receive notifications whenever a file is uploaded to the shared Cloud Storage bucket.

Deploy Cloud Functions: Create a Cloud Function that is triggered by the Pub/Sub topic. This function will invoke the DLP API to scan the uploaded file for PII.

Move Detected PII Files: If the scan detects PII, the Cloud Function will move the file to a secure Cloud Storage bucket accessible only by the administrator.

Set Permissions: Ensure that appropriate permissions are set on the Cloud Storage buckets to restrict access to files containing PII.

"In order to be able to keep using the existing identity management system, identities need to be synchronized between AD and GCP IAM. To do so google provides a tool called Cloud Directory Sync. This tool will read all identities in AD and replicate those within GCP. Once the identities have been replicated then it's possible to apply IAM permissions on the groups. After that you will configure SAML so google can act as a service provider and either you ADFS or other third party tools like Ping or Okta will act as the identity provider. This way you effectively delegate the authentication from Google to something that is under your control."

Cloud Asset Inventory: Using Cloud Asset Inventory allows you to quickly identify all the external assets and resources in your Google Cloud environment. This includes information about your projects, instances, storage buckets, and more. This step is crucial for understanding the scope of your audit. Network Security Scanner: Once you have identified the external assets, you can run a network security scanner to assess the security of these assets. Network security scanners can help identify vulnerabilities and potential security risks quickly.

Objective: Provide evidence of access reviews for an upcoming audit.

Solution: Use Policy Analyzer to review and report on IAM policies.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the Policy Analyzer tool.

Step 3: Select the project for which you need to review access policies.

Step 4: Use the tool to generate reports on IAM roles and permissions.

Step 5: Export the reports as evidence for the audit.

Policy Analyzer provides detailed insights into IAM policies, helping you to review access configurations and generate necessary reports for compliance and auditing purposes.

Create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.

https://cloud.google.com/security/compliance/iso-27017

To centrally govern and restrict which AI models (from the Model Garden) can be used within an organization, Google Cloud provides a specific Organization Policy Constraint.9

According to Google Cloud Documentation (Vertex AI Organization Policy Constraints):

"The constraints/vertexai.allowedModels constraint allows you to define a list of allowed models that can be deployed or used within your organization. This includes Google first-party models, open-source models, and third-party models available in the Model Garden.10 By using this policy, you can prevent users from using unvetted or non-compliant models even if they have IAM permissions to use Vertex AI."

How it works:

You define an "Allowlist" of model IDs.

When a user attempts to deploy a model or call an API for a model not on the list, the request is blocked.

This is the most scalable and compliant way to manage AI governance.

Why other options are incorrect:

A is incorrect: Model Garden is a catalog; you cannot apply granular IAM permissions to individual entries within the public catalog itself in the same way you can restrict API usage via Org Policy.

B is incorrect: Auditing is reactive. The requirement is to ensure users can only access approved models (prevention).

When integrating applications that require access to sensitive data stored in Cloud Storage, managing service account keys securely is crucial to prevent unauthorized access or data loss.​

Option A: Defining a VPC Service Controls perimeter enhances security by restricting access to Google Cloud services. However, configuring ingress rules to allow external access for the service account may introduce complexities and potential security gaps, especially if the partner's infrastructure is outside the defined perimeter.​

Option B: Scanning and masking customer data addresses data sensitivity but does not mitigate risks associated with compromised service account keys. This approach focuses on data content rather than access control mechanisms.​

Option C: Encrypting data at rest using customer-managed encryption keys (CMEK) ensures data confidentiality but does not directly address the security of service account keys or access controls.​

Option D: Implementing a secret management service to handle service account keys is a best practice. By configuring the service to frequently rotate keys, you reduce the window of opportunity for malicious actors to exploit compromised keys. Additionally, enforcing strict access controls ensures that only authorized personnel can create or manage service account keys, minimizing the risk of unauthorized access. This approach directly addresses the security concerns related to service account key management.​

Therefore, Option D is the most appropriate recommendation, as it focuses on securely managing service account keys through rotation and access controls, thereby minimizing the risk of data loss due to compromised keys.​

VPC Peering is between organizations not between Projects in an organization. That is Shared VPC. In this case, both projects are in same organization so having VPC Service Controls around both projects with necessary rules should be fine.

https://cloud.google.com/vpc-service-controls/docs/overview

https://cloud.google.com/bigquery/docs/scan-with-dlp

Cloud Data Loss Prevention API allows to detect and redact or remove sensitive data before the comments or reviews are published. Cloud DLP will read information from BigQuery, Cloud Storage or Datastore and scan it for sensitive data.

To comply with FIPS 140-2 for the messaging app, you need to ensure that both data at rest and data in transit are encrypted according to the standard. Using customer-managed encryption keys (CMEK) ensures that you have control over the encryption keys, and BoringSSL is a library that meets FIPS 140-2 standards for encrypting data in transit.

Steps:

Encrypt Local SSDs: Modify the instance template for the Managed Instance Group (MIG) to use customer-managed encryption keys (CMEK) for encrypting Local SSDs.

Enable BoringSSL: Update the application to use the BoringSSL library for all instance-to-instance communication to ensure that all data in transit is encrypted according to FIPS 140-2 standards.