Questions and Answers
Which IAM member type is designed for applications or virtual machines, rather than individual end users?
- Google Group
- Service Account (correct)
- Google Account
- Cloud Identity Domain
Which IAM role provides the necessary permissions to manage networking resources, with the exception of firewall rules and SSL certificates?
- Network Viewer
- Compute Network User
- Network Admin (correct)
- Security Admin
How can you configure two VM instances in separate VPC networks to communicate using internal IP addresses?
- Use Cloud DNS to manage DNS records, directing traffic between the VMs' internal IPs.
- Establish a custom static route between the VMs' internal IPs within their respective VPC networks.
- Assign a public IP address to each VM using Cloud DNS for internal traffic routing.
- Configure two network interfaces on each VM, connecting to their respective VPC networks. (correct)
You need to assess the resource consumption of VMs across production, development, and testing environments. What is the most efficient approach?
A company needs to upload sensitive customer data to Cloud Storage, ensuring it is encrypted and compliant with ISO 27018, using the least amount of computational resources and their own encryption keys. Which encryption method should they use?
As a cloud security engineer, you must provide your CTO with auditing and compliance standards that cover financial reporting controls, as well as public and private security, availability, and confidentiality controls. Which compliance standard best addresses these requirements?
Which Google Cloud feature can prevent unauthorized container images from being deployed into production environments?
A base image needs to be shared with a 'development' Google Group, supporting secure boot for Compute Engine instances. Which approach automates image creation for a Node.js application running on Compute Engine?
An organization needs to automate the pipeline for building Docker containers that interact with PCI-DSS compliant APIs. The Kubernetes environment lacks internet access for downloading packages. How should the pipeline be automated?
After a botnet attack on Compute Engine instances in an isolated project, an external agency needs to analyze admin and system events using their local forensics tool. What is the most cost-effective way to enable this analysis?
An employee with Compute Engine admin permissions has assigned arbitrary permissions to existing users, and you need to find these permissions most efficiently. What should you do?
An organization wants to audit Cloud Storage and BigQuery data access activities cost-effectively. How should they use Cloud Audit Logs to enable this analysis?
Which tool can be used to synchronize identities from an on-premise identity management system to Google Cloud?
Which Google Cloud feature allows an organization to control the source locations and times from which authorized identities can access resources?
How do you enable resources with only internal IP addresses to send requests to the internet?
Which tool should you use to enforce authentication and authorization for services deployed on Google Cloud?
Which Google Cloud tool helps an organization determine who performed a specific administrative action and when?
As a cloud security engineer, you need to encrypt a connection from a user on the internet to a VM in your development project at the network/transport layer, allowing user-configurable encryption for in-transit traffic. What architecture best suits this use case?
A three-tier web application uses App Engine, a Compute Engine-based API, and Cloud SQL for MySQL, running only during business hours. How should the infrastructure access the database when App Engine is disabled and Compute Engine is stopped?
A Cloud SQL instance must be shared with an external agency for one year. The agency's developers are managed through a Google Group. How should the group's access be configured?
Flashcards
Service Account
A special Google account used by applications or VMs, not individual users.
Network Admin Role
Contains permissions to create, modify, and delete networking resources (excluding firewall rules and SSL certificates).
Multiple Network Interfaces
Allows VM instances in different VPC networks to communicate over internal IP addresses.
Binary Authorization
Audit Logs
IPsec tunnel
Identity-Aware Proxy (IAP)
IAM Conditions
Cloud NAT
Google Cloud Directory Sync (GCDS)
Event Threat Detection (IAM Anomalous Grant Detector)
Organizational Policy Constraints (iam.disableServiceAccountKeyCreation, iam.disableCrossProjectServiceAccountUsage)
Cloud Audit Logs Data Access Logs
Study Notes
IAM Member Types
- A service account belongs to an application or virtual machine, rather than an individual.
IAM Roles for Networking Resources
- The Network Admin role grants permissions to create, modify, and delete networking resources, excluding firewall rules and SSL certificates.
VPC Network Communication
- Internal IP communication between VMs in different VPC networks can be configured using multiple network interfaces on each VM.
VM Resource Utilization Comparison
- Adding a label called "state" to VMs with the values "dev", "test", and "prod", and grouping by that label in your monitoring chart, is the best method for monitoring resource utilization across environments.
Securing PII in Cloud Storage
- For securing personally identifiable information (PII) in Cloud Storage, generate an AES-256 key as a 32-byte bytestring, decode it as a base-64 string, and use it to upload the blob.
Compliance Standards
- SOX covers auditing and compliance standards over financial reporting, security, availability, and confidentiality controls.
Preventing Unauthorized Container Images
- Binary Authorization prevents unauthorized container images from being deployed into production environments.
Automating Secure Boot Image Creation
- To automate secure boot image creation, start the Compute Engine instance, set up certificates for secure boot, prepare a cloudbuild.yaml configuration file specifying the persistent disk location and the 'development' group, then use gcloud builds submit --tag, specifying the configuration file path and certificates.
Automating Container Pipeline with PCI-DSS Compliance
- Automate the pipeline by creating a Dockerfile and a Cloud Build configuration file, and use the Cloud Build configuration file to build the image from the Dockerfile and push it to Google Container Registry. Include the Google Container Registry path and the Google Kubernetes Engine cluster in the configuration file, upload the configuration file to a Git repository, and create a trigger in Cloud Build to automate the deployment from the Git repository.
Investigating Remote Botnet Attacks
- Use Cloud Audit Logs, filter Admin Activity audit logs for the affected project, and use a Pub/Sub topic to stream the logs to the external agency’s forensics tool for a cost-effective solution.
Finding Arbitrary Permissions
- Use Event Threat Detection, trigger the IAM Anomalous Grant detector, publish results to the Security Command Center, select Event Threat Detection as the source, filter by category: iam, sort to find the attack time window, click on Persistence: IAM Anomalous Grant, and view the Source property.
Auditing Data Access Activities
- Enable Data Access Logs for ADMIN_READ, DATA_READ, and DATA_WRITE for Cloud Storage, while all Data Access Logs are enabled for BigQuery by default.
Identity Synchronization
- Google Cloud Directory Sync (GCDS) synchronizes identities from an on-premise identity management system to Google Cloud.
Controlling Resource Access
- IAM Conditions control the source locations and times that authorized identities can access resources.
Enabling Internet Access for Internal IP Addresses
- Cloud NAT enables resources with only internal IP addresses to make requests to the Internet.
Enforcing Authentication and Authorization
- Identity-Aware Proxy enforces authentication and authorization for services deployed to Google Cloud.
Determining Administrative Actions
- Audit logs determine who performed a particular administrative action and when.
Encrypting Internet to VM Connections
- Set up an IPsec tunnel to create L3/L4 encryption between a user and a VM instance.
Enabling Infrastructure Access to Database
- Use VM metadata to read the current machine’s IP address and a startup script to add access to Cloud SQL; store the connection string, username, and password in Secret Manager.
Configuring Group Access to Cloud SQL
- Use Secret Manager and set the expiry period to one year using the duration attribute; add the secretmanager.secretAccessor role for the group containing external developers.
Designing Google Cloud Organization Hierarchy
- Create an Organization node, then Department folders under it, then create a Teams folder under each Department. Under each Team, create Product folders. Add Projects to the Product folders.
Restricting Service Account Usage
- Navigate to Organizational policies in the Google Cloud Console. Select your organization. Select iam.disableServiceAccountKeyCreation. Customize the applied to property, and set Enforcement to ‘On’. Click Save. Repeat the process for iam.disableCrossProjectServiceAccountUsage.
Applying Organizational Structure
- Reset all user permissions in the small bank’s IAM. Use Cloud Identity to create dynamic groups for each of the bank’s teams. Use the dynamic groups’ metadata field for team type to allocate users to their appropriate group with a Python script.
Web Application Latency
- Trace can be used to view the latency of requests for a web application deployed to Cloud Run.
Service Uptime Calculation and Alerts
- Cloud Monitoring calculates service uptime and sends alerts if the value falls below a threshold.