Google Updated Professional-Cloud-Security-Engineer Exam Questions and Answers by kaia

To enhance the security of your microservices architecture on Google Kubernetes Engine (GKE) and ensure that only approved container images are deployed, implementing Binary Authorization is a robust solution.​

Option A: Enforcing Binary Authorization in your GKE clusters ensures that only container images that meet your organization's security policies are deployed. By integrating container image vulnerability scanning into your Continuous Integration/Continuous Deployment (CI/CD) pipeline, you can assess images for known vulnerabilities before they are deployed. Binary Authorization can be configured to use these vulnerability scan results to make policy decisions, effectively preventing the deployment of insecure images. This approach leverages managed services provided by Google Cloud, ensuring scalability and compliance with security standards.​

Option B: Developing custom organization policies to restrict deployments to images within a specific Artifact Registry project helps in controlling the source of images but does not inherently assess the security posture of those images. Without integrated vulnerability scanning and enforcement mechanisms, this approach may not fully mitigate the risk of deploying vulnerable images.​

Option C: Building a system using third-party vulnerability databases and custom scripts requires significant maintenance and may not integrate seamlessly with GKE. This approach can be error-prone and lacks the efficiency of managed services designed for this purpose.​

Option D: Automatically deploying new images upon successful CI/CD builds ensures rapid deployment but does not address the need for security assessments of the images. While setting up firewall rules is good practice, it does not prevent the deployment of potentially vulnerable images.​

Therefore, Option A is the most effective approach, as it utilizes Google Cloud's managed services to enforce security policies and integrate vulnerability assessments directly into the deployment process, ensuring that only approved and secure container images are deployed to your GKE clusters.​

References:

Binary Authorization Documentation

Container Analysis Documentation

Use the org policy constraint "Google Cloud Platform - Resource Location Restriction" on your Google Cloud organization node: This organizational policy constraint allows you to restrict the locations where your resources can be created. By setting this constraint to allow only Europe regions, you can ensure compliance with GDPR and other regional regulations.

Implementation: To implement this, you need to configure the organization policy with the constraint constraints/gcp.resourceLocations. You can specify allowed regions such as europe-west1 and europe-west4 to ensure resources are only created in these locations.

References

Resource Location Restriction documentation

GDPR compliance on Google Cloud

To ensure that PII data is separated from non-PII data, using Cloud Pub/Sub and Cloud Functions to trigger a scan by the Data Loss Prevention (DLP) API is an effective approach. This method allows for automated detection and handling of PII.

Steps:

Set Up Cloud Pub/Sub: Configure a Cloud Pub/Sub topic to receive notifications whenever a file is uploaded to the shared Cloud Storage bucket.

Deploy Cloud Functions: Create a Cloud Function that is triggered by the Pub/Sub topic. This function will invoke the DLP API to scan the uploaded file for PII.

Move Detected PII Files: If the scan detects PII, the Cloud Function will move the file to a secure Cloud Storage bucket accessible only by the administrator.

Set Permissions: Ensure that appropriate permissions are set on the Cloud Storage buckets to restrict access to files containing PII.

References:

Google Cloud: Data Loss Prevention

Cloud Functions documentation