Google Updated Professional-Cloud-Security-Engineer Exam Questions and Answers by minahil

To meet the requirements of rotating the master key every 45 days, achieving FIPS 140-2 Level 3 validation, and ensuring the master key is stored redundantly in multiple US regions, you should use Customer-managed encryption keys with Cloud HSM. Here’s how:

Set Up Cloud HSM:

Deploy Cloud HSM in your Google Cloud environment. Cloud HSM provides a hardware-based key management solution that meets FIPS 140-2 Level 3 compliance.

Create and Manage Keys:

Create your encryption keys in Cloud HSM. These keys can be managed and rotated per your policy requirements.

Key Rotation:

Set up a key rotation schedule to rotate the master key every 45 days. Cloud HSM allows you to automate this process.

Geographic Redundancy:

Ensure that your Cloud HSM configuration spans multiple regions within the US to achieve redundancy. This will ensure that your keys are available even if a particular region experiences an outage.

Compliance:

Cloud HSM’s FIPS 140-2 Level 3 validation ensures that your encryption keys are managed in a secure and compliant manner.

Benefits:

Security and Compliance: Meets stringent compliance requirements.

Automated Management: Simplifies key management and rotation.

Redundancy: Ensures high availability of keys across multiple regions.

References

Cloud HSM Documentation

Key Management with Cloud KMS and Cloud HSM

Google Cloud customers with additional requirements for encryption of data over WAN can choose to implement further protections for data as it moves from a user to an application, or virtual machine to virtual machine. These protections include IPSec tunnels, Gmail S/MIME, managed SSL certificates, and Istio. https://cloud.google.com/docs/security/encryption-in-transit

Compute Engine doesn't automatically update the OS or the software on your deployed instances. You will need to patch or update your deployed Compute Engine instances when necessary. However, in the cloud it is not recommended that you patch or update individual running instances. Instead it is best to patch the image that was used to launch the instance and then replace each affected instance with a new copy.

To identify all principals who can change firewall rules, you need to determine which users or service accounts have permissions that allow them to modify firewall rules in your Google Cloud project. The correct permissions to check for this are compute.firewalls.create and compute.firewalls.delete. These permissions enable a user to create and delete firewall rules, respectively.

The Policy Analyzer tool in Google Cloud allows you to query and analyze IAM policies to identify which principals have specific permissions. By using Policy Analyzer, you can effectively identify all principals with the compute.firewalls.create and compute.firewalls.delete permissions.

Open Policy Analyzer: Go to the Google Cloud Console, navigate to IAM & Admin, and select Policy Analyzer.

Set Up Query: Create a new query specifying the permissions compute.firewalls.create and compute.firewalls.delete.

Run Query: Execute the query to retrieve a list of principals who have these permissions.

Review Results: Analyze the results to identify all users and service accounts with the capability to modify firewall rules.

This method ensures you have a comprehensive list of all principals who can change firewall rules, enhancing your audit and security posture.

References:

Google Cloud Policy Analyzer Documentation

Google Cloud IAM Documentation