You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be readable from Project B. You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials. What should you do?
Correct Answer: A
Objective: Ensure that a Cloud Storage bucket in Project A can only be readable from Project B and prevent data access or copying to Cloud Storage buckets outside the network, even with correct credentials. Solution: Use VPC Service Controls to create a security perimeter. Steps: Step 1: Open the Google Cloud Console. Step 2: Navigate to the VPC Service Controls page. Step 3: Create a new service perimeter. Step 4: Add Project A and Project B to the service perimeter. Step 5: Include Cloud Storage service in the perimeter configuration. Step 6: Define access levels to ensure that only resources within the perimeter can access the Cloud Storage bucket. By setting up a VPC Service Controls perimeter, you can enforce security boundaries that restrict data access and movement to within defined projects, providing an extra layer of protection beyond IAM permissions. Reference: VPC Service Controls Overview Configuring VPC Service Controls
A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system. How should the customer achieve this using Google Cloud Platform?
Correct Answer: B
Storing secrets securely is crucial for maintaining the integrity and confidentiality of your applications. Here is how you can achieve this using Google Cloud Platform: Encrypt the Secrets: Use Customer-Managed Encryption Keys (CMEK) to encrypt your secrets. CMEK allows you to have greater control over the encryption keys used to protect your data. This ensures that even if the storage medium is compromised, the secrets remain protected by strong encryption. Store in Cloud Storage: Store the encrypted secrets in Google Cloud Storage. Cloud Storage is a secure and scalable object storage service. By using encrypted storage, you can ensure that the secrets are securely stored and can only be accessed by authorized entities. This method provides a secure and managed way to store secrets, ensuring that they are not exposed in plain text within your source code management system. Reference: Customer-Managed Encryption Keys (CMEK) Google Cloud Storage Security
Your company has deployed an artificial intelligence model in a central project As this model has a lot of sensitive intellectual property and must be kept strictly isolated from the internet, you must expose the model endpoint only to a defined list of projects in your organization What should you do?
Correct Answer: C
The problem requires exposing a sensitive AI model endpoint internally (strictly isolated from the internet) to a defined list of projects within the organization Internal Exposure and Isolation: An "internal Application Load Balancer" is suitable for exposing services within your VPC network, ensuring they are not accessible from the internet Private Service Connect (PSC): This is the key technology for securely and privately exposing services from one VPC network (the service producer, where the model is) to other VPC networks (the service consumers, the defined list of projects) within the same or different organizations PSC allows consumers to access services using internal IP addresses, with traffic remaining on Google's private network You can configure a service attachment that points to the internal load balancer, and then permit specific consumer projects to connect to this service attachmentExtract Reference: "Private Service Connect is a capability of Google Cloud networking that allows consumers to access managed services privately from inside their VPC network Similarly, it allows managed service producers to host these services in their own separate VPC networks and offer a private connection to their consumers" (Google Cloud Documentation: "Private Service Connect | VPC" - https://cloudgooglecom/vpc/docs/private-service-connect) Extract Reference: "Private Service Connect endpoints are internal IP addresses in a consumer VPC network that can be directly accessed by clients in that network Endpoints are created by deploying a forwarding rule that references a service attachment or a bundle of Google APIs" (Google Cloud Documentation: "About Private Service Connect | VPC" - https://cloudgooglecom/vpc/docs/private-service-connect) Extract Reference: "Private Service Connect can be used to access managed services that are owned by Google, third-party software as a service (SaaS) companies, or other teams within the consumer's own company Both published services and Google APIs can be targets of Private Service Connect" (Google Cloud Documentation: "About Private Service Connect | VPC" - https://cloudgooglecom/vpc/docs/private-service-connect) Let's evaluate the other options: A Shared VPC and central firewall rules: While Shared VPC centralizes network management, it does not provide a direct managed service exposure mechanism like PSC for a model endpoint to specific projects It's more about sharing subnets and network resources Administering all firewall rules centrally would also not meet the need for exposing only this specific model to a defined list of projects in a managed, private service pattern B Activate Private Google Access (PGA): Private Google Access allows VMs without external IP addresses to access Google APIs and services (like Cloud Storage, BigQuery, etc) privately from within their VPC network It's for consuming Google services, not for exposing custom services hosted in a Google Cloud project to other projects D External Application Load Balancer + Cloud Armor: An "external Application Load Balancer" exposes the service to the internet While Cloud Armor can restrict access based on IP addresses, it still involves internet exposure, which contradicts the "strictly isolated from the internet" requirement Restricting to "Google Cloud IP addresses" doesn't guarantee access only to a defined list of projects and still exposes the service externally Therefore, creating an internal Application Load Balancer and exposing it via Private Service Connect is the most suitable and secure solution for this scenario
Your organization is using GitHub Actions as a continuous integration and delivery (Cl/CD) platform. You must enable access to Google Cloud resources from the Cl/CD pipelines in the most secure way. What should you do?
Correct Answer: D
Challenge: Ensuring secure access to Google Cloud resources from GitHub Actions CI/CD pipelines without directly managing service account keys. Workload Identity Federation: Allows for the delegation of access to Google Cloud resources based on federated identities, such as those from GitHub. Benefits: This approach eliminates the need to manage service account keys, reducing the risk of key leakage. It leverages GitHub's identity provider capabilities to authenticate and authorize access. Steps to Configure Workload Identity Federation: Step 1: Create a workload identity pool in Google Cloud. Step 2: Add GitHub as an identity provider within the pool. Step 3: Configure the necessary permissions and bindings for the identity pool to allow GitHub Actions to access Google Cloud resources. Step 4: Update the GitHub Actions workflow to use the identity federation for authentication. Reference: Workload Identity Federation Configuring Workload Identity Federation with GitHub
You are a Security Administrator at your organization. You need to restrict service account creation capability within production environments. You want to accomplish this centrally across the organization. What should you do?
Correct Answer: D
Reference: You can use the iam.disableServiceAccountCreation boolean constraint to disable the creation of new service accounts. This allows you to centralize management of service accounts while not restricting the other permissions your developers have on projects. https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_creation