Google Updated Professional-Cloud-Security-Engineer Exam Questions and Answers by ayaat

"Date shifting techniques randomly shift a set of dates but preserve the sequence and duration of a period of time. Shifting dates is usually done in context to an individual or an entity. That is, each individual's dates are shifted by an amount of time that is unique to that individual."

https://cloud.google.co m/load-balancing/docs/tcp

TCP Proxy Load Balancing is implemented on GFEs that are distributed globally. If you choose the Premium Tier of Network Service Tiers, a TCP proxy load balancer is global. In Premium Tier, you can deploy backends in multiple regions, and the load balancer automatically directs user traffic to the closest region that has capacity. If you choose the Standard Tier, a TCP proxy load balancer can only direct traffic among backends in a single region. https://cloud.google.com/load-balancing/docs/load-balancing-overview#tcp-proxy-load-balancing

To ensure that an external user cannot gain access to an internal application on Google App Engine even if an employee’s password is compromised, configure Cloud Identity-Aware Proxy (IAP).

Enable IAP:

Go to the Cloud Console, navigate to the App Engine application, and select "Identity-Aware Proxy".

Enable IAP for the application.

Configure Access Policies:

Set up access policies to restrict who can access the application.

Use IAM roles to grant access only to specific users or groups.

Enforce Authentication:

IAP enforces Google authentication, ensuring that users must log in with their GSuite credentials.

Enable Multi-Factor Authentication (MFA):

Enforce 2FA for all GSuite users to add an extra layer of security.

Advantages:

Protection against Compromised Credentials: Even if passwords are compromised, attackers cannot access the application without passing IAP authentication.

Centralized Access Management: Easily manage and monitor access through IAM and IAP policies.

References:

Identity-Aware Proxy Overview

Setting up IAP

Understanding Organization Policies:

Organization policies are rules that can be set at different levels of the resource hierarchy in GCP to enforce governance and compliance.

These policies can be set at the organization node, folders, and projects, and they are inherited down the hierarchy unless explicitly overridden.

Hierarchy and Policy Inheritance:

The provided resource hierarchy has an organization node (Example.com), folders (Folder 1 and Folder 2), and a project (Project 2) under Folder 2 with a specific VPC (VPC A).

Each node in the hierarchy can have its own policies, and these policies are inherited by child nodes unless overridden.

Analyzing the Policies in the Hierarchy:

Organization Node Policy:

json

Copy code

{ "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes", "listPolicy": { "allValues": "DENY" } }

This policy at the organization node denies all load balancer types.

Folder 2 Policy:

json

Copy code

{ "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes", "listPolicy": { "deniedValues": ["INTERNAL_TCP_UDP", "INTERNAL_HTTP_HTTPS"] } }

This policy at Folder 2 denies the creation of INTERNAL_TCP_UDP and INTERNAL_HTTP_HTTPS load balancers.

Project 2 Policy:

json

Copy code

{ "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes", "listPolicy": { "deniedValues": ["EXTERNAL_TCP_PROXY", "EXTERNAL_SSL_PROXY"] } }

This policy at Project 2 denies the creation of EXTERNAL_TCP_PROXY and EXTERNAL_SSL_PROXY load balancers.

Policy Application to VPC A:

Since policies are inherited, VPC A (which is within Project 2 under Folder 2) will be affected by the policies of both Folder 2 and Project 2.

Combining the denied values from both Folder 2 and Project 2:

From Folder 2: INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS

From Project 2: EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY

Conclusion:

VPC A will have the following load balancer types denied: INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS, EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY.

References:

GCP Documentation on Organization Policies

GCP Documentation on Constraints and List Policies