Google Updated Professional-Cloud-Security-Engineer Exam Questions and Answers by arwen

To meet the requirements of encrypted communication over private IP addresses between Compute Engine instances in different Google Cloud organizations, a Cloud VPN connection is appropriate:

Cloud VPN: Cloud VPN creates a secure, encrypted tunnel between your organization's VPC network and the third party's VPC network. This ensures that data transmitted over the network is encrypted and secure.

Private IP Communication: Cloud VPN allows communication over private IP addresses, which helps maintain security by keeping traffic within the Google Cloud network and not exposing it to the public internet.

Firewall Rules: VPC firewall rules can be configured to control the traffic that flows through the VPN, ensuring that only authorized traffic is allowed, further enhancing security.

By setting up a Cloud VPN connection, you can achieve secure, encrypted communication over private IP addresses between different Google Cloud organizations.

References

Cloud VPN Overview

To maintain a historical record of what was running in Google Cloud Platform at any point in time, you should use Forseti Security to automate inventory snapshots. Forseti Security is an open-source toolkit that helps to automate security and compliance in GCP by taking inventory snapshots of GCP resources.

Step-by-Step:

Install Forseti Security:

Follow the installation guide to deploy Forseti Security on your GCP environment.

Configure Inventory:

Set up the inventory module in Forseti to capture and store snapshots of GCP resources.

Schedule Snapshots:

Use Forseti’s configuration to schedule regular inventory snapshots.

Access Historical Data:

Review and access historical records through Forseti’s dashboard or by querying the Forseti database.

Compliance and Monitoring: Use Forseti to ensure compliance and monitor changes over time.

References:

Forseti Security Overview

Inventory Module

If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set, ADC uses the service account key or configuration file that the variable points to. If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, ADC uses the service account that is attached to the resource that is running your code. https://cloud.google.com/docs/authentication/production#passing_the_path_to_the_service_account_key_in_code

To keep track of "who did what, where, and when?" within GCP projects, the administrator should focus on Admin Activity logs and Data Access logs. Here’s a detailed explanation of why these two log streams are essential:

Admin Activity Logs:

These logs capture administrative actions performed in your Google Cloud resources. This includes actions like creating, modifying, or deleting resources.

Admin Activity logs provide detailed information about the user who performed the action, the resource that was affected, the action performed, and the timestamp.

Data Access Logs:

These logs capture read and write operations on data within your Google Cloud services. This includes actions like accessing or modifying data stored in databases, storage buckets, etc.

Data Access logs help track the access patterns of users and services to sensitive data, providing insights into who accessed which data and when.

Steps to Enable and Access Logs:

Navigate to the Google Cloud Console.

Go to Logging in the left-hand menu.

Enable Admin Activity and Data Access logs if not already enabled.

Use Logs Explorer to filter and view specific logs based on your requirements.

By monitoring both Admin Activity and Data Access logs, administrators can gain comprehensive visibility into the actions performed on their GCP resources and data, ensuring robust security and compliance tracking.

References:

Google Cloud Logging Documentation

Audit Logs Overview