Questions and Answers
What should be done to centrally manage GCP IAM permissions from on-premises Active Directory by group membership?
- Use the Admin SDK to create groups and assign IAM permissions from Active Directory.
- Set up SAML 2.0 Single Sign-On (SSO) and assign IAM permissions to the groups. (correct)
- Set up Cloud Directory Sync to sync users and set IAM permissions on the users.
- Use the Cloud Identity and Access Management API to create users and IAM permissions from Active Directory.
What is a best practice when creating a secure container image?
- Use public container images as a base image for the app.
- Ensure that the app runs as PID 1.
- Use many container image layers to hide sensitive information. (correct)
- Package multiple apps in a container.
To scan secrets and store them in Cloud SQL, what should be used?
- Run the Cloud Data Loss Prevention API. (correct)
- Use the Cloud Identity and Access Management API.
- Set up SAML 2.0 Single Sign-On (SSO).
- Deploy SCM to a Compute Engine VM with local SSDs.
What is NOT recommended as part of creating a secure container image?
How can GCP IAM permissions be managed in relation to an on-premises Active Directory Service?
Which approach should be taken when deploying SCM for managing secrets?
What is the recommended technique for a financial institution to have maximum control over the encryption process of data stored at rest in BigQuery?
Which storage solution is allowed for a company deploying their application on Google Cloud Platform to automatically replicate data over at least two geographic places?
In the context of Google Cloud Platform, what does configuring Cloud VPN between a private network and GCP help achieve?
For an e-retailer moving to Google Cloud Platform with an ecommerce website, what is a crucial security measure they should consider?
What is the purpose of provisioning user passwords using GSuite Password Sync in Google Cloud Platform?
If a company policy requires long-term data to be stored in multiple geographic locations, which storage solution should they consider on Google Cloud Platform?
What should the Infrastructure Operations Systems Engineer do to minimize disruption when a domain is already being used by G Suite for setting up Cloud Identity?
What access should a team grant to manage permissions and auditing in a Cloud Identity domain with an organizational resource having hundreds of projects?
In the scenario where a business unit at a multinational corporation starts moving workloads into GCP, what type of access should be granted to take over managing permissions and auditing?
When an application on a Compute Engine instance needs to read data from a Cloud Storage bucket, what is the most suitable course of action?
In the context of managing permissions and auditing in GCP, what role should be assigned to effectively handle organization resources?
If faced with a situation where a domain is already being used by G Suite for a Cloud Identity setup, what action should be recommended to avoid disruption?
What should be done to ensure Compute Engine instances in the production project do not have public IP addresses?
Which action should be taken to enforce the requirement of ensuring Compute Engine instances have public IPs for the frontend application?
What security characteristics are associated with VPC peering for connecting two VPC networks?
In VPC peering, what does it mean if the peered networks are non-transitive?
How can firewall rules be applied in VPC peering between two networks?
If two VPC networks belong to different Google Cloud Platform organizations, what still remains possible in terms of VPC peering?
What is the primary responsibility of an organization's security and risk management teams when using Google Cloud's App Engine?
To limit users with administrative privileges at the organization level, which roles should be restricted according to the provided information?
For which technology stack area would an organization's security and risk management teams need to focus primarily when using App Engine?
What is the only account that has a role that can write to BigQuery according to the provided information?
Which role should an engineering team restrict to limit users with administrative privileges at the organization level?
What is the main concern of an organization's security and risk management teams regarding their responsibility for production workloads running in Google Cloud Platform?
Study Notes
Cloud Data Loss Prevention API
- Scan secrets and store them in Cloud SQL.
IAM Permissions Management
- Centrally manage GCP IAM permissions from on-premises Active Directory Service using SAML 2.0 Single Sign-On (SSO).
- Assign IAM permissions to groups.
Secure Container Image Creation
- Incorporate the following into the build if possible:
  - Ensure the app does not run as PID 1.
  - Remove any unnecessary tools not needed by the app.
Cloud Identity-Aware Proxy
- Configure Cloud Identity-Aware Proxy for the App Engine Application.
Encryption Techniques
- Use customer-managed encryption keys (CMEK) for maximum control over the encryption process in BigQuery.
- Use Cloud Storage as a federated Data Source for storing long-term data.
Cloud Identity
- Use Cloud Identity to manage permissions and auditing domain resources.
- Grant Organization Role Administrator access to manage permissions and auditing domain resources.
VPC and IAM
- Use Organization Policy Administrator to set up an organization policy to only permit public IPs for front-end Compute Engine instances.
- Use VPC peering to connect two VPC networks with non-transitive peered networks.
- Restrict the Organization Administrator and Super Admin roles to limit users with administrative privileges at the organization level.
Security and Risk Management
- Focus on encrypting all stored data as primary responsibility when using App Engine.
- Ensure the security and risk management teams are responsible for defending against XSS and SQLi attacks in App Engine.
Description
Learn how to centrally manage Google Cloud Platform IAM permissions from an on-premises Active Directory Service by syncing groups and setting IAM permissions based on group membership. This quiz covers best practices for integrating GCP IAM with Active Directory.