Important Google Professional Cloud Security Engineer Exam Questions

Answer: C

Explanation:

When a vulnerability patch is released for a running container in Google Kubernetes Engine (GKE), the recommended approach is to update the application code or apply the patch directly to the codebase. Then, a new container image should be built incorporating these changes. After building the new image, it should be deployed to replace the running containers. This method ensures that the containers run the updated, secure code.

Steps:

Update Application Code: Modify the application code or dependencies to incorporate the vulnerability patch.

Build New Image: Use a tool like Docker to build a new container image with the updated code.

Push New Image: Push the new container image to the Container Registry.

Update Deployments: Update the Kubernetes deployment to use the new image. This can be done by modifying the image tag in the deployment YAML file.

Redeploy Containers: Apply the updated deployment configuration using kubectl apply -f <deployment-file>.yaml, which will redeploy the containers with the new image.

Google Cloud: Container security

Kubernetes: Updating an application

Answer: A

Explanation:

To monitor and get notified in case the script causing the Compute Engine instance to crash is executed again, you should create an Alerting Policy in Stackdriver (now known as Google Cloud Monitoring). The Process Health condition can be set to monitor the number of executions of the script and ensure it remains below the desired threshold. By enabling notifications, you will be alerted if this threshold is exceeded.

Step-by-Step:

Log Script Executions: Ensure that the script execution is logged.

Create a User-Defined Metric: Go to Google Cloud Console > Logging > Logs-based Metrics, and create a new user-defined metric that counts the number of times the script executes.

Set Up Alerting Policy:

Navigate to Google Cloud Console > Monitoring > Alerting.

Click on ''Create Policy''.

Add a condition and select ''Logs-based Metric''.

Configure the condition to trigger when the number of script executions exceeds the threshold.

Configure Notifications: Add notification channels (email, SMS, etc.) to the alerting policy.

Save and Test: Save the policy and test to ensure notifications are received when the script is executed beyond the threshold.

Google Cloud Logging User-defined Metrics

Google Cloud Monitoring Alerting Policies

Answer: D

Explanation:

https://cloud.google.com/load-balancing/docs/ssl - SSL Proxy Load Balancing is a reverse proxy load balancer that distributes SSL traffic coming from the internet to virtual machine (VM) instances in your Google Cloud VPC network.

Answer: C

Explanation:

The problem requires exposing a sensitive AI model endpoint internally (strictly isolated from the internet) to a defined list of projects within the organization

Internal Exposure and Isolation: An 'internal Application Load Balancer' is suitable for exposing services within your VPC network, ensuring they are not accessible from the internet

Private Service Connect (PSC): This is the key technology for securely and privately exposing services from one VPC network (the service producer, where the model is) to other VPC networks (the service consumers, the defined list of projects) within the same or different organizations PSC allows consumers to access services using internal IP addresses, with traffic remaining on Google's private network You can configure a service attachment that points to the internal load balancer, and then permit specific consumer projects to connect to this service attachmentExtract Reference: 'Private Service Connect is a capability of Google Cloud networking that allows consumers to access managed services privately from inside their VPC network Similarly, it allows managed service producers to host these services in their own separate VPC networks and offer a private connection to their consumers' (Google Cloud Documentation: 'Private Service Connect | VPC' - https://cloudgooglecom/vpc/docs/private-service-connect)

Extract Reference: 'Private Service Connect endpoints are internal IP addresses in a consumer VPC network that can be directly accessed by clients in that network Endpoints are created by deploying a forwarding rule that references a service attachment or a bundle of Google APIs' (Google Cloud Documentation: 'About Private Service Connect | VPC' - https://cloudgooglecom/vpc/docs/private-service-connect)

Extract Reference: 'Private Service Connect can be used to access managed services that are owned by Google, third-party software as a service (SaaS) companies, or other teams within the consumer's own company Both published services and Google APIs can be targets of Private Service Connect' (Google Cloud Documentation: 'About Private Service Connect | VPC' - https://cloudgooglecom/vpc/docs/private-service-connect)

Let's evaluate the other options:

A Shared VPC and central firewall rules: While Shared VPC centralizes network management, it does not provide a direct managed service exposure mechanism like PSC for a model endpoint to specific projects It's more about sharing subnets and network resources Administering all firewall rules centrally would also not meet the need for exposing only this specific model to a defined list of projects in a managed, private service pattern

B Activate Private Google Access (PGA): Private Google Access allows VMs without external IP addresses to access Google APIs and services (like Cloud Storage, BigQuery, etc) privately from within their VPC network It's for consuming Google services, not for exposing custom services hosted in a Google Cloud project to other projects

D External Application Load Balancer + Cloud Armor: An 'external Application Load Balancer' exposes the service to the internet While Cloud Armor can restrict access based on IP addresses, it still involves internet exposure, which contradicts the 'strictly isolated from the internet' requirement Restricting to 'Google Cloud IP addresses' doesn't guarantee access only to a defined list of projects and still exposes the service externally

Therefore, creating an internal Application Load Balancer and exposing it via Private Service Connect is the most suitable and secure solution for this scenario

Answer: A, C

Explanation:

To keep track of 'who did what, where, and when?' within GCP projects, the administrator should focus on Admin Activity logs and Data Access logs. Here's a detailed explanation of why these two log streams are essential:

Admin Activity Logs:

These logs capture administrative actions performed in your Google Cloud resources. This includes actions like creating, modifying, or deleting resources.

Admin Activity logs provide detailed information about the user who performed the action, the resource that was affected, the action performed, and the timestamp.

Data Access Logs:

These logs capture read and write operations on data within your Google Cloud services. This includes actions like accessing or modifying data stored in databases, storage buckets, etc.

Data Access logs help track the access patterns of users and services to sensitive data, providing insights into who accessed which data and when.

Steps to Enable and Access Logs:

Navigate to the Google Cloud Console.

Go to Logging in the left-hand menu.

Enable Admin Activity and Data Access logs if not already enabled.

Use Logs Explorer to filter and view specific logs based on your requirements.

By monitoring both Admin Activity and Data Access logs, administrators can gain comprehensive visibility into the actions performed on their GCP resources and data, ensuring robust security and compliance tracking.

Google Cloud Logging Documentation

Audit Logs Overview