You are implementing data protection by design and in accordance with GDPR requirements. As part of design reviews, you are told that you need to manage the encryption key for a solution that includes workloads for Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. Which option should you choose for this implementation?
Correct Answer: B
To comply with GDPR requirements and manage encryption keys for workloads across multiple Google Cloud services, customer-managed encryption keys (CMEK) offer a suitable solution. Customer-managed encryption keys (B): CMEK allows you to create and manage encryption keys using Google Cloud Key Management Service (KMS). You maintain full control over the key lifecycle, including key rotation and destruction. CMEK can be used with various Google Cloud services, such as Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub, ensuring consistent and compliant encryption across your environment. Using CMEK, you can implement data protection by design, aligning with GDPR requirements by ensuring that encryption keys are appropriately managed and secured. Reference: Customer-Managed Encryption Keys Documentation Encryption at Rest in Google Cloud
Your organization previously stored files in Cloud Storage by using Google Managed Encryption Keys (GMEK). but has recently updated the internal policy to require Customer Managed Encryption Keys (CMEK). You need to re-encrypt the files quickly and efficiently with minimal cost. What should you do?
Correct Answer: D
Rewriting the objects in-place within the same bucket, specifying the new CMEK for encryption, allows you to re-encrypt the data without downloading and re-uploading it, thus minimizing costs and time. https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys
Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups. Which Google Cloud service should you use?
Correct Answer: A
Cloud DNS with DNSSEC (Domain Name System Security Extensions) provides authentication for DNS responses, ensuring that they are legitimate and have not been tampered with. DNSSEC helps protect against DNS spoofing and cache poisoning attacks, which are common techniques used in DDoS attacks. Steps: Enable DNSSEC: In the Google Cloud Console, navigate to Cloud DNS and enable DNSSEC for your managed zones. Configure Key Signing: Set up key signing keys (KSK) and zone signing keys (ZSK) to sign your DNS records. Monitor DNSSEC Status: Regularly monitor the DNSSEC status and logs to ensure it is functioning correctly. Reference: Cloud DNS documentation
You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM. What should you do?
Correct Answer: A
Objective: Synchronize security groups with email addresses from an LDAP directory to Cloud IAM. Solution: Use Google Cloud Directory Sync (GCDS) to perform one-way synchronization based on LDAP search rules. Steps: Step 1: Download and install Google Cloud Directory Sync (GCDS) on a secure server. Step 2: Configure GCDS with the LDAP server details and authentication. Step 3: Define LDAP search rules to filter security groups based on the "user email address" attribute. Step 4: Map LDAP security groups to Google Cloud IAM roles. Step 5: Set up a synchronization schedule to keep the groups in sync. Step 6: Perform a test sync to ensure that the configuration is correct. Step 7: Activate the synchronization to keep the LDAP directory and Cloud IAM in sync. Using GCDS for one-way synchronization ensures that the security groups in Cloud IAM are consistently updated based on the LDAP directory, maintaining alignment with the organization's security policies. Reference: Google Cloud Directory Sync Documentation Setting Up Google Cloud Directory Sync
You are implementing a new web application on Google Cloud that will be accessed from your on-premises network. To provide protection from threats like malware, you must implement transport layer security (TLS) interception for incoming traffic to your application. What should you do?
Correct Answer: A
To protect your web application from threats like malware by implementing TLS interception for incoming traffic, configuring a Secure Web Proxy with TLS offloading at the load balancer is an effective approach. Option A: By configuring a Secure Web Proxy, you can offload TLS traffic at the load balancer, inspect the decrypted traffic for threats such as malware, and then forward the inspected traffic to your web application. This approach ensures that encrypted traffic is securely analyzed without compromising the security of the data in transit. Option B: An internal proxy load balancer is designed for distributing traffic within a private network and may not support TLS interception capabilities required for inspecting incoming traffic from external sources. Option C: Hierarchical firewall policies in Google Cloud are used to enforce security rules across your organization but do not provide TLS interception capabilities. Option D: VPC firewall rules control traffic to and from VM instances based on specified rules but do not have the capability to perform TLS interception or traffic inspection. Therefore, Option A is the most suitable solution, as it allows for TLS interception through a Secure Web Proxy, enabling the inspection of incoming encrypted traffic to detect and mitigate threats like malware before the traffic reaches your web application. Reference: Secure Web Proxy Overview Cloud Load Balancing Overview