You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project. What should you do?
Correct Answer: A
Objective: You want to limit the images that can be used as the source for boot disks to a set of images stored in a dedicated project. Solution: Use the Organization Policy Service. Steps: Step 1: Open the Google Cloud Console. Step 2: Navigate to the Organization Policies page. Step 3: Create a new policy by clicking on "Create Policy". Step 4: Select the constraint compute.trustedimageProjects. Step 5: Set the policy to ALLOW and specify the project ID where the trusted images are stored in the whitelist. Step 6: Save and apply the policy. By creating a compute.trustedimageProjects constraint at the organization level and specifying the trusted project in the allow list, you ensure that only images from this project can be used for boot disks across the organization. Reference: GCP Organization Policy Service Documentation Compute Trusted Image Projects Constraint
Your financial services company has an audit requirement under a strict regulatory framework that requires comprehensive, immutable audit trails for all administrative and data access activity that ensures that data is kept for seven years Your current logging is fragmented across individual projects You need to establish a centralized, tamper-proof, long-term logging solution accessible for audits What should you do?
Correct Answer: B
The core requirements are: centralized, tamper-proof, long-term (seven years) immutable audit trails for administrative and data access activity Centralization: The current logging is fragmented To centralize, you need to collect logs from across the organization Cloud Logging sinks configured at the organization level are designed for this purpose They allow you to route logs from all projects within an organization to a single destinationExtract Reference: "Aggregated exports allow you to export logs from multiple Google Cloud projects, folders, or your entire organization An aggregated export can include all logs from all included resources, or you can use queries to include only specific logs" (Google Cloud documentation: https://cloudgooglecom/logging/docs/export/aggregated_exports) Long-Term Storage (Seven Years): Cloud Logging buckets have default retention periods (eg, 30 days for Data Access logs, 400 days for Admin Activity logs) which are not sufficient for a seven-year requirement Cloud Storage is ideal for long-term archivalExtract Reference: "Cloud Storage is a highly scalable and durable object storage service suitable for archiving large volumes of data for extended periods" (Google Cloud documentation, general overview of Cloud Storage features) Tamper-Proof / Immutability: This is a critical requirement for audit trails in financial services under strict regulatory frameworks Cloud Storage's "object retention lock" feature provides immutability Once an object retention lock is set on a bucket, objects within that bucket cannot be deleted or overwritten for a specified duration, ensuring data integrity for compliance purposesExtract Reference: "Object Retention Lock helps you meet compliance requirements by preventing data from being deleted or modified for a fixed amount of time or indefinitely This feature satisfies SEC Rule 17a-4(f), FINRA Rule 4511(c), and CFTC Regulation 131(c)-(d) requirements" (Google Cloud documentation: https://cloudgooglecom/storage/docs/bucket-lock) Let's evaluate the other options: A Implement Pub/Sub to stream all audit logs from each project in real-time to an external SIEM: While Pub/Sub can centralize real-time streaming to a SIEM, the solution described does not inherently guarantee tamper-proof storage or 7-year immutability within Google Cloud The SIEM itself would need to provide those capabilities, which is outside the scope of Google Cloud's direct offering for this specific requirement C Enable Security Command Center across the organization: Security Command Center (SCC) provides centralized visibility into security posture, threats, and compliance However, SCC is a security management and monitoring platform; it does not serve as the primary long-term, immutable storage for raw audit logs It consumes information from logs but doesn't store them in a way that meets the 7-year immutable archival requirement D Individually configure Cloud Audit Logs for all Google Cloud services in each project Store the logs in regional Cloud Logging buckets with 30-day retention policies: This fails on multiple counts: it's not centralized (requires individual configuration), and the 30-day retention in Cloud Logging buckets is far short of the seven-year requirement It also doesn't explicitly guarantee tamper-proof storage beyond the default logging immutability Therefore, option B directly addresses all aspects of the requirement: centralization via organization-level sinks, long-term storage with Cloud Storage, and immutability/tamper-proofing with object retention lock
A security audit uncovered several inconsistencies in your project's Identity and Access Management (IAM) configuration. Some service accounts have overly permissive roles, and a few external collaborators have more access than necessary. You need to gain detailed visibility into changes to IAM policies, user activity, service account behavior, and access to sensitive projects. What should you do?
Correct Answer: B
To address inconsistencies in your project's Identity and Access Management (IAM) configuration and gain comprehensive visibility into IAM policy changes, user activity, service account behavior, and access to sensitive projects, leveraging Google Cloud's auditing capabilities is essential. Option A: While Cloud Monitoring's metrics explorer can track certain metrics, it is not designed to provide detailed logs of IAM policy changes or user activities. Option B: Cloud Audit Logs offer detailed records of administrative activities, including IAM policy changes and authentications. By creating log export sinks, you can forward these logs to a Security Information and Event Management (SIEM) solution, enabling correlation with other event sources and comprehensive analysis. This approach provides the necessary visibility into IAM configurations and user activities. Option C: Triggering Cloud Functions based on IAM policy changes and analyzing them with a policy simulator is a proactive approach. However, it may not provide the depth of historical data and comprehensive analysis capabilities that a SIEM solution offers. Option D: Deploying the OS Config Management agent focuses on VM configuration and patch management, which does not directly address IAM policy monitoring or user activity tracking. Therefore, Option B is the most effective solution to gain detailed visibility into IAM-related activities and address the identified inconsistencies. Reference: Cloud Audit Logs Overview Exporting Logs to a SIEM
Your organization needs to restrict the types of Google Cloud services that can be deployed within specific folders to enforce compliance requirements You must apply these restrictions only to the designated folders without affecting other parts of the resource hierarchy You want to use the most efficient and simple method What should you do?
Correct Answer: A
The problem requires restricting the types of Google Cloud services that can be deployed within specific folders to enforce compliance, without affecting other parts of the resource hierarchy, using the most efficient and simple method Organization Policies: Organization policies allow you to define centralized, programmatic controls over your Google Cloud resources They apply hierarchically, meaning a policy set on a folder applies to all projects and resources within that folder and its descendants Restrict Resource Service Usage Constraint: This specific organization policy constraint is designed precisely for controlling which Google Cloud services can be used (and thus deployed/created resources for) within a given part of the resource hierarchy It supports both allowlists and denylists of service API identifiers Extract Reference: "The Restrict Resource Service Usage constraint controls the runtime access to all in-scope resources" and "This constraint can be used in two mutually exclusive ways: Denylist - resources of any service that isn't denied are allowed Allowlist - resources of any service that isn't allowed are denied" (Google Cloud Documentation: "Restricting resource usage | Resource Manager Documentation" - https://cloudgooglecom/resource-manager/docs/organization-policy/restricting-resources) Folder-Level Application: Applying this organization policy at the folder level directly meets the requirement of applying restrictions "only to the designated folders without affecting other parts of the resource hierarchy" This is more efficient and simpler than applying a global policy with numerous exceptions Let's evaluate the other options: B Implement IAM conditions on service account creation within each folder: IAM conditions control permissions for who can do what While they can be used for very fine-grained access control, they are not designed to restrict the types of services that can be deployed directly Controlling service account creation doesn't prevent a user with appropriate permissions from deploying other resources C Create a global organization policy and apply exceptions: While technically possible, this is less efficient and simple if the goal is to only restrict specific folders Managing exceptions for the entire rest of the organization would be more complex than simply applying the policy directly where it's needed D Configure VPC Service Controls perimeters around each folder: VPC Service Controls primarily prevent data exfiltration and restrict API access at a network perimeter level They are not designed to restrict which types of Google Cloud services can be deployed within a project or folder; rather, they control how allowed services interact with each other and with external endpoints
A large e-retailer is moving to Google Cloud Platform with its ecommerce website. The company wants to ensure payment information is encrypted between the customer's browser and GCP when the customers checkout online. What should they do?
Correct Answer: A
To ensure that payment information is encrypted between the customer's browser and Google Cloud Platform during checkout, the company should configure an SSL certificate on an L7 (Layer 7) Load Balancer. Here's why this is the best solution: SSL/TLS Termination: An L7 Load Balancer can handle SSL/TLS termination, which means it can decrypt HTTPS traffic, offloading the work from the backend servers. This is essential for handling encrypted connections securely. HTTPS Configuration: By configuring an SSL certificate, the load balancer ensures that all traffic between the customer's browser and the application is encrypted using HTTPS. Security Best Practices: Using an L7 Load Balancer with an SSL certificate aligns with best practices for securing web applications, particularly for e-commerce sites handling sensitive payment information. Managed Certificates: Google Cloud offers managed SSL certificates, which simplifies the process of obtaining, deploying, and renewing SSL certificates. Implementation Steps: Obtain an SSL certificate. Configure the L7 Load Balancer in the GCP Console. Associate the SSL certificate with the load balancer. Ensure that the backend services are configured to handle HTTPS traffic. Reference: Google Cloud Load Balancing Documentation Setting up HTTPS Load Balancing