Free Practice Questions for Google Professional-Cloud-Security-Engineer Exam

Objective: You want to limit the images that can be used as the source for boot disks to a set of images stored in a dedicated project.

Solution: Use the Organization Policy Service.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the Organization Policies page.

Step 3: Create a new policy by clicking on "Create Policy".

Step 4: Select the constraint compute.trustedimageProjects.

Step 5: Set the policy to ALLOW and specify the project ID where the trusted images are stored in the whitelist.

Step 6: Save and apply the policy.

By creating a compute.trustedimageProjects constraint at the organization level and specifying the trusted project in the allow list, you ensure that only images from this project can be used for boot disks across the organization.

When creating a secure container image, it is essential to follow best practices to minimize vulnerabilities and ensure the container operates as intended. Here are the two key practices:

Package a Single App as a Container: By packaging only a single application within a container, you reduce complexity and potential attack surfaces. This practice aligns with the principle of single responsibility, ensuring each container has a clear and focused purpose.

Remove Any Unnecessary Tools: Any additional tools or software that are not required by the application should be removed from the container image. This minimizes the number of potential vulnerabilities and reduces the attack surface. A minimal container image also leads to smaller image sizes and faster deployment times.

These practices contribute to creating a more secure and efficient container image.

References

Container Security Best Practices

Securing Container Images

Rewriting the objects in-place within the same bucket, specifying the new CMEK for encryption, allows you to re-encrypt the data without downloading and re-uploading it, thus minimizing costs and time.

https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys

Objective: Ensure VMs can access Cloud Storage without reaching the public internet.

Solution: Enable Private Google Access on the VPC network, allowing VMs with only internal IP addresses to access Google APIs and services privately.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Go to the VPC Network section.

Step 3: Select the relevant VPC network and subnet.

Step 4: Enable Private Google Access for the subnet.

Private Google Access ensures that instances can access Google APIs and services (such as Cloud Storage) over a private network connection, without requiring a public IP address.

For scenarios involving multi-party collaboration or highly sensitive data where even the "Workload Operator" should not see the data, Confidential Space is the specific Google Cloud solution. It builds on Confidential Computing but adds a software framework for "Trustless" data processing.

According to Google Cloud Documentation (Confidential Space Overview):

"Confidential Space provides a secure environment for multiple parties to share sensitive data without any party (including the cloud provider or the project administrator) being able to see the data or the code being executed. It uses attestations to verify the integrity of the workload and Workload Identity Federation to release encryption keys or access only to verified, authorized workloads."

Key components of the solution:

Separation of Duties: Confidential Space explicitly defines roles for the Data Collaborator (owns data), Workload Author (writes code), and Workload Operator (runs infrastructure). The operator can manage the VM but cannot access the memory or the data.

Attestation: The system uses hardware-rooted attestation to ensure that the code running in the environment is exactly what was approved.

Output Protection: The processed results can be written to a bucket where only the authorized "Data Scientist" (Data Collaborator role) can retrieve them.

Why other options are incorrect:

A, C, and D are incorrect: While they use Confidential VMs (which encrypt data in RAM), they do not inherently provide the attestation-based trust framework or the rigorous separation of duties required to prevent a VM administrator (operator) from potentially accessing the data via standard VM management tools or during the ingestion phase. Confidential Space is the only one that mandates a signed "attestation" before granting access to data.

For external applications (outside of Google Cloud) to access resources securely, Workload Identity Federation (WIF) is the modern standard.3 It avoids the use of permanent service account keys and relies on external identity providers (OIDC or SAML) to exchange short-lived Google Cloud tokens.

According to Google Cloud Documentation (Workload Identity Federation):

"You can use Workload Identity Federation to grant on-premises or multi-cloud workloads access to Google Cloud resources without using a service account key. This reduces the risk associated with long-lived service account keys and simplifies the implementation of security best practices."

Key points:

It allows external identities (from AWS, Azure, or OIDC/SAML providers) to assume a Google IAM role.

The access is short-lived and scoped to specifically what the application needs (e.g., storage.objects.create).

Why other options are incorrect:

A is incorrect: Long-lived service account keys are a security liability.

B is incorrect: While a proxy works, it adds architectural complexity and overhead compared to direct federation.

C is incorrect: IP-based ACLs are weak because IPs can be spoofed or changed, and Cloud Storage ACLs do not provide robust identity-based security for public-facing apps.

The key requirements are maintaining a specific set of controls, including data residency and personnel data access controls, specifically to meet a highly regulated industry's compliance program.

Assured Workloads is the specific Google Cloud service designed to help customers meet these stringent regulatory and compliance requirements (e.g., FINRA, FedRAMP, HIPAA, etc.) by enforcing a specific control bundle.

Extracts:

"Assured Workloads helps organizations run their sensitive workloads securely and in a compliant manner... by providing continuous compliance monitoring for specific compliance programs." (Source 4.1)

"When you create an Assured Workloads folder, the platform automatically enforces compliance controls... including: Data residency and location controls... Personnel access controls... Organizational policies..." (Source 4.2)

This service creates a dedicated, compliant environment in a folder, ensuring the necessary configurations and personnel controls are applied automatically and continuously maintained, which is a more complete solution than the posture management in option B (which focuses only on configuration monitoring) or the singular organizational policy in option C.

The Organization Policy Service provides a specific constraint called constraints/gcp.restrictServiceUsage. This is the most direct and efficient way to "Allow" or "Deny" specific Google Cloud APIs (services) at any node in the hierarchy (Org, Folder, or Project).

According to Google Cloud Documentation (Restricting Resource Service Usage):

"The Restrict Resource Service Usage constraint allows enterprise administrators to control which Google Cloud services can be used within their Google Cloud resource hierarchy. This constraint can be enforced on an Organization, Folder, or Project. When applied at the folder level, it restricts service usage for all descendant projects within that folder."

Why Option C is the most efficient:

Targeted: By applying it directly to the folder, you don't need to manage complex "exceptions" at the Org level (as in Option B).

Simple: It is a single policy rule that defines an "Allowlist" of services.

IAM vs. Org Policy: IAM (Option A) controls who can do something, but Org Policy controls what can be done. Even if a user is an Editor, the Org Policy will block them from enabling a restricted API.

VPC-SC (Option D): VPC Service Controls is much more complex and is used for data exfiltration prevention, not for simply restricting which APIs can be enabled/used in a project.

To investigate and remediate the issue of public access to Cloud Storage buckets, you can follow these steps:

Change Bucket Permissions:

Navigate to the Cloud Storage section in the Google Cloud Console.

For each affected bucket, remove any public access permissions (e.g., removing allUsers or allAuthenticatedUsers from the IAM policy).

Ensure that only authorized users have the necessary permissions to access the buckets.

Query Data Access Audit Logs:

Go to the Logging section in the Google Cloud Console.

Query the audit logs for the affected buckets to identify any unauthorized access. You can use filters to search for access by unauthorized users.

Correct the Misconfiguration:

After correcting the permissions, mute the relevant findings in the Security Command Center to indicate that the issue has been resolved.

This helps in maintaining a clear view of ongoing security issues and ensures the findings are not flagged again unless there's a new occurrence.

By following these steps, you ensure that the buckets are no longer publicly accessible, investigate any potential unauthorized access, and update the Security Command Center status to reflect the resolution of the issue.

Cloud Storage IAM Permissions

Viewing Audit Logs

Security Command Center Documentation