You are using Security Command Center (SCC) to protect your workloads and receive alerts for suspected security breaches at your company. You need to detect cryptocurrency mining software. Which SCC service should you use?
Correct Answer: D
The goal is to detect cryptocurrency mining software using Security Command Center (SCC).

Security Command Center Threat Detection Services: SCC Premium and Enterprise tiers offer various specialized threat detection services.

Virtual Machine Threat Detection (VMTD): This service is explicitly designed to scan virtual machines (Compute Engine instances and GKE nodes) for specific threats, including cryptocurrency mining software. It operates at the hypervisor level, performing deep scans of VM memory and disks.

Extract Reference: "Virtual Machine Threat Detection (VMTD) helps you detect potential threats, such as cryptocurrency mining and malware, within your Compute Engine instances and GKE nodes." (Google Cloud Documentation: "Virtual Machine Threat Detection overview | Security Command Center" - https://cloud.google.com/security-command-center/docs/concepts-vm-threat-detection-overview)

Extract Reference: "This service scans virtual machines to detect potentially malicious applications, such as cryptocurrency mining software, kernel-mode rootkits, and malware running in compromised cloud environments." (Google Cloud Documentation: "Virtual Machine Threat Detection overview | Security Command Center" - https://cloud.google.com/security-command-center/docs/concepts-vm-threat-detection-overview)

Let's evaluate the other options:

A). Web Security Scanner: This service scans for common web application vulnerabilities like XSS, Flash injection, and mixed content. It is not designed to detect runtime threats like cryptocurrency mining software.

B). Container Threat Detection: While Container Threat Detection (CTD) also detects cryptocurrency mining, it specifically focuses on runtime threats within GKE containers. The question asks for detection of "cryptocurrency mining software" generally, and VMs are a common target for such activity (and GKE nodes are VMs). VMTD provides a more general detection across Compute Engine VMs and GKE nodes for this specific type of threat. If the context explicitly mentioned containers or Cloud Run, CTD would be the more specific answer. However, for a general detection of "software" on "workloads", and given that VMTD explicitly lists "cryptocurrency mining software" for VMs, it is the most direct and broadly applicable answer among the choices.

C). Rapid Vulnerability Detection: This service actively scans internet-exposed assets for network vulnerabilities and misconfigurations. It focuses on finding known vulnerabilities, not detecting active malicious processes like cryptocurrency mining.

Given the direct and explicit mention of cryptocurrency mining detection for VMs in its documentation, Virtual Machine Threat Detection is the correct SCC service to use.
You have the following resource hierarchy. There is an organization policy at each node in the hierarchy as shown. Which load balancer types are denied in VPC A?
Correct Answer: D
* Understanding Organization Policies:
  * Organization policies are rules that can be set at different levels of the resource hierarchy in GCP to enforce governance and compliance.
  * These policies can be set at the organization node, folders, and projects, and they are inherited down the hierarchy unless explicitly overridden.
* Hierarchy and Policy Inheritance:
  * The provided resource hierarchy has an organization node (Example.com), folders (Folder 1 and Folder 2), and a project (Project 2) under Folder 2 with a specific VPC (VPC A).
  * Each node in the hierarchy can have its own policies, and these policies are inherited by child nodes unless overridden.
* Analyzing the Policies in the Hierarchy:
  * Organization Node Policy:

    ```json
    {
      "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes",
      "listPolicy": { "allValues": "DENY" }
    }
    ```

  * This policy at the organization node denies all load balancer types.
  * Folder 2 Policy:

    ```json
    {
      "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes",
      "listPolicy": { "deniedValues": ["INTERNAL_TCP_UDP", "INTERNAL_HTTP_HTTPS"] }
    }
    ```

  * This policy at Folder 2 denies the creation of INTERNAL_TCP_UDP and INTERNAL_HTTP_HTTPS load balancers.
  * Project 2 Policy:

    ```json
    {
      "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes",
      "listPolicy": { "deniedValues": ["EXTERNAL_TCP_PROXY", "EXTERNAL_SSL_PROXY"] }
    }
    ```

  * This policy at Project 2 denies the creation of EXTERNAL_TCP_PROXY and EXTERNAL_SSL_PROXY load balancers.
* Policy Application to VPC A:
  * Since policies are inherited, VPC A (which is within Project 2 under Folder 2) will be affected by the policies of both Folder 2 and Project 2.
  * Combining the denied values from both Folder 2 and Project 2:
    * From Folder 2: INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS
    * From Project 2: EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY
* Conclusion:
  * VPC A will have the following load balancer types denied: INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS, EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY.

References:
* GCP Documentation on Organization Policies
* GCP Documentation on Constraints and List Policies
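The deny-side evaluation described above, as an added example that is not part of the original page: it walks the path organization, Folder 2, Project 2 and applies the `inheritFromParent` behaviour of list policies (a node's policy supersedes its parent unless the flag is true). The flag values are assumptions, since the figure is not reproduced here, and `allowedValues` is not modelled.

```python
# Added example: deny-side evaluation of a list constraint down a resource path.
ALL = "*"  # sentinel standing for allValues: DENY


def effective_denied(path):
    """path holds the policy at each node, root first; None means no policy set."""
    denied = set()
    for policy in path:
        if policy is None:
            continue  # nothing set here: the parent's effective policy applies
        lp = policy["listPolicy"]
        own = {ALL} if lp.get("allValues") == "DENY" else set(lp.get("deniedValues", []))
        # inheritFromParent=true merges with the parent; otherwise this node supersedes it
        denied = denied | own if lp.get("inheritFromParent") else own
    return denied


def is_denied(lb_type, denied):
    """True when the load balancer type is blocked by the effective deny set."""
    return ALL in denied or lb_type in denied


CONSTRAINT = "constraints/compute.restrictLoadBalancerCreationForTypes"
ORG = {"constraint": CONSTRAINT, "listPolicy": {"allValues": "DENY"}}
# Assumed flag: Folder 2 does not inherit, so it replaces the organization's deny-all.
FOLDER_2 = {"constraint": CONSTRAINT, "listPolicy": {
    "inheritFromParent": False,
    "deniedValues": ["INTERNAL_TCP_UDP", "INTERNAL_HTTP_HTTPS"]}}
# Assumed flag: Project 2 inherits, so its values are added to Folder 2's.
PROJECT_2 = {"constraint": CONSTRAINT, "listPolicy": {
    "inheritFromParent": True,
    "deniedValues": ["EXTERNAL_TCP_PROXY", "EXTERNAL_SSL_PROXY"]}}

if __name__ == "__main__":
    print(sorted(effective_denied([ORG, FOLDER_2, PROJECT_2])))
```

If Folder 2 were set to inherit as well, the organization's deny-all would carry down and every load balancer type would be denied in VPC A.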
You are setting up a new Cloud Storage bucket in your environment that is encrypted with a customer-managed encryption key (CMEK). The CMEK is stored in Cloud Key Management Service (KMS) in project "prj-a", and the Cloud Storage bucket will use project "prj-b". The key is backed by a Cloud Hardware Security Module (HSM) and resides in the region europe-west3. Your storage bucket will be located in the region europe-west1. When you create the bucket, you cannot access the key, and you need to troubleshoot why. What has caused the access issue?
Correct Answer: D
When you use a customer-managed encryption key (CMEK) to secure a Cloud Storage bucket, the key and the bucket must be located in the same region. In this case, the key is in europe-west3 and the bucket is in europe-west1, which is why you're unable to access the key.
Your Google Cloud organization allows for administrative capabilities to be distributed to each team through provision of a Google Cloud project with Owner role (roles/owner). The organization contains thousands of Google Cloud Projects. Security Command Center Premium has surfaced multiple open_mysql_port findings. You are enforcing the guardrails and need to prevent these types of common misconfigurations. What should you do?
Correct Answer: D
* Challenge:
  * Prevent common misconfigurations that expose services (e.g., MySQL) to the public internet.
* Hierarchical Firewall Policies:
  * These policies can be applied at the organization level to enforce consistent network security rules across all projects.
* Solution:
  * Create a hierarchical firewall policy that allows connections only from internal IP ranges.
  * This policy ensures that services like MySQL are not exposed to 0.0.0.0/0 (the entire internet).
* Steps:
  * Step 1: Define the hierarchical firewall policy at the organization level.
  * Step 2: Set the rule to allow traffic only from internal IP ranges.
  * Step 3: Apply the policy to all projects under the organization.
* Benefits:
  * Centralized management of network security.
  * Prevents accidental exposure of services to the public internet, enhancing security.

References:
* Hierarchical Firewall Policies
* Securing MySQL on GCP
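To audit for the exposure the policy above is meant to prevent, the following added example (not from the original page) checks VPC firewall rules, in the field layout of the Compute Engine firewall resource, for ingress to TCP 3306 from any non-internal source. The rule names and sample rules are constructed, and treating only RFC 1918 ranges as "internal" is an assumption.

```python
import ipaddress

MYSQL_PORT = 3306
# Assumption: "internal IP ranges" means the RFC 1918 private blocks.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def covers_port(entry, port):
    """True if one 'allowed' entry admits the given TCP port."""
    if entry.get("IPProtocol", "").lower() not in ("tcp", "6", "all"):
        return False
    ports = entry.get("ports")
    if not ports:
        return True  # no ports listed means every port of that protocol
    for spec in ports:
        lo, _, hi = spec.partition("-")  # "3306" or a range such as "3000-4000"
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def is_internal(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == 4 and net.subnet_of(block) for block in INTERNAL)


def exposes_mysql(rule):
    """True for an enabled ingress allow rule reaching 3306 from a non-internal source."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    if not any(covers_port(e, MYSQL_PORT) for e in rule.get("allowed", [])):
        return False
    return any(not is_internal(c) for c in rule.get("sourceRanges", []))


def exposed_rule_names(rules):
    return [r["name"] for r in rules if exposes_mysql(r)]


# Constructed sample rules, not taken from any real project.
SAMPLE_RULES = [
    {"name": "allow-mysql-any", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3306"]}]},
    {"name": "allow-mysql-internal", "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3306"]}]},
    {"name": "allow-wide-range", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "allow-ssh-any", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "old-mysql-disabled", "disabled": True, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3306"]}]},
]
```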
Your organization uses Google Workspace Enterprise Edition for authentication. You are concerned about employees leaving their laptops unattended for extended periods of time after authenticating into Google Cloud. You must prevent malicious people from using an employee's unattended laptop to modify their environment. What should you do?
Correct Answer: D
* Access Google Cloud Console:
  * Log in to the Google Cloud Console with administrative privileges.
  * Navigate to the "IAM & Admin" section.
* Set Session Length Timeout:
  * Go to the "Settings" page within IAM & Admin.
  * Locate the "Session control" settings.
  * Configure the session length timeout to a shorter duration, such as 15 or 30 minutes. This ensures that user sessions expire automatically after the specified time of inactivity.
* Apply and Enforce the Policy:
  * Save the changes and ensure the new session timeout policy is applied across all users and services.
  * Communicate the new policy to employees, highlighting the importance of session security and the rationale behind the change.
* Additional Security Measures:
  * Consider implementing additional measures such as automatic screen locks and secure session management practices.
  * Educate employees on the importance of logging out of their sessions and securing their devices when not in use.

References:
* Google Cloud IAM Documentation
* Session Management Best Practices