Google Updated Professional-Cloud-Security-Engineer Exam Questions and Answers by aliyah

Objective: Ensure that a Cloud Storage bucket in Project A can only be readable from Project B and prevent data access or copying to Cloud Storage buckets outside the network, even with correct credentials.

Solution: Use VPC Service Controls to create a security perimeter.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the VPC Service Controls page.

Step 3: Create a new service perimeter.

Step 4: Add Project A and Project B to the service perimeter.

Step 5: Include Cloud Storage service in the perimeter configuration.

Step 6: Define access levels to ensure that only resources within the perimeter can access the Cloud Storage bucket.

By setting up a VPC Service Controls perimeter, you can enforce security boundaries that restrict data access and movement to within defined projects, providing an extra layer of protection beyond IAM permissions.

References:

VPC Service Controls Overview

Configuring VPC Service Controls

If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set, ADC uses the service account key or configuration file that the variable points to. If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, ADC uses the service account that is attached to the resource that is running your code. https://cloud.google.com/docs/authentication/production#passing_the_path_to_the_service_account_key_in_code

Provision a Cloud NAT Instance:

Cloud NAT (Network Address Translation) allows instances without external IP addresses to access the internet securely.

In the Google Cloud Console, navigate to the VPC Network section and select Cloud NAT.

Create a new Cloud NAT configuration, specifying the VPC and region where your Compute Engine VMs are deployed.

Configure Cloud NAT:

Ensure that the Cloud NAT instance is configured to provide outbound internet connectivity for the VMs in your specified subnet.

This setup allows the VMs to access the internet for package updates and external installations without requiring public IP addresses.

Enable Private Google Access:

Private Google Access allows VMs in a subnet to reach Google APIs and services using internal IP addresses.

In the Google Cloud Console, navigate to the VPC Network section and select Subnets.

Edit the subnet used by your Compute Engine VMs and enable Private Google Access.

Update DevOps Scripts:

Ensure that your DevOps scripts are updated to work with the new network configuration.

Test the build process to confirm that the VMs can access necessary resources and complete the build pipeline successfully.

References:

Cloud NAT Documentation

Private Google Access

Dedicated Interconnect provides a high-bandwidth (up to 80 Gbps per connection) and secure connection between your on-premises network and Google Cloud. It ensures reliable and high-speed data transfer, meeting the requirement of at least 50 Gbps bandwidth.

Steps:

Set Up Dedicated Interconnect: Order a Dedicated Interconnect connection through the Google Cloud Console.

Configure VLAN Attachments: Set up VLAN attachments to segment traffic between your on-premises network and Google Cloud.

Establish BGP Sessions: Configure BGP sessions for dynamic routing and failover.

References:

Dedicated Interconnect documentation