Test Your Knowledge

Questions and Answers

Which setting can be used to prevent a Compute Engine instance from accessing the internet or Google APIs/services?

• Disabling Public IP
• Enabling Public IP
• Enabling Private Google Access
• Disabling Private Google Access (correct)

Which type of firewall rules are implied in a VPC network?

• Both inbound and outbound connections allowed
• Both inbound and outbound connections denied
• Inbound connections allowed, outbound connections denied
• Inbound connections denied, outbound connections allowed (correct)

How can plain text secrets be securely stored in Cloud Storage?

• By storing them in an encrypted form using a CMEK (correct)
• By storing them in a plain text file in Cloud Storage
• By storing them in a SCM system
• By storing them in a database in Cloud Storage

Flashcards are hidden until you start studying

Study Notes

• Compute Engine instance can be configured to not have access to internet or Google APIs/services by disabling Public IP and Private Google Access settings.
• VPC network has implied firewall rules that deny all inbound connections and allow all outbound connections.
• Storing plain text secrets in SCM system can be avoided by encrypting them with a CMEK and storing them in Cloud Storage.
• Cloud Directory Sync can be set up to sync groups and manage IAM permissions from on-premises Active Directory Service.
• Secure container images should incorporate only necessary tools and a single app.
• PID 1 should not be used to run the app in a secure container image.
• Cloud Source Repositories can be used to store code.
• IAM Network User Role and Static routes settings should remain disabled for Compute Engine instance with no internet access.
• Cloud Data Loss Prevention API can be used to scan secrets.
• SAML 2.0 Single Sign-On can be set up to manage IAM permissions.