Free Practice Questions for Google Professional-Cloud-Security-Engineer Exam

The Resource Location Restriction organization policy constraint ensures that business data is stored in specific geographic locations, which is critical for compliance with regulatory requirements.

Organization Level: Setting the constraint at the organization level ensures that all resources within the organization, including those in different folders or projects, adhere to the location restrictions. This provides a unified policy application across the entire organization, ensuring compliance with regulatory requirements.

Policy Application: The policy will propagate down the resource hierarchy, ensuring that all relevant services within the organization comply with the specified data residency requirements.

This approach provides centralized control and simplifies the management of data residency constraints.

References

Organization Policy Service Documentation

To comply with the regulation to keep instance logging data within Europe, specifically in the Netherlands (region europe-west4), you need to configure Cloud Logging to ensure that all logs are stored in a specified region. Here are the steps to achieve this:

Create a Cloud Storage Bucket:

Go to the Google Cloud Console.

Navigate to Cloud Storage and create a new bucket.

Set the location type to "Region" and select "europe-west4" as the region.

Configure Log Sink:

Go to the Logging section in the Google Cloud Console.

Create a new log sink and configure it to export logs to the Cloud Storage bucket you just created.

Ensure the sink includes all logs you want to keep within europe-west4.

Verify Configuration:

Ensure that the logs are being exported to the Cloud Storage bucket by checking the contents of the bucket.

This setup ensures that all your logging data remains within the specified region, adhering to compliance requirements.

References

Creating and Managing Log Sinks

Cloud Storage Locations

Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect PII, have the function move the objects into the shared Cloud Storage bucket:

Configure a Pub/Sub topic to publish notifications when new files are uploaded to the administrator's bucket.

Create a Cloud Function that is triggered by the Pub/Sub topic. This function uses the Cloud Data Loss Prevention (DLP) API to scan the uploaded files for PII.

If the scan does not detect PII, the function moves the file to the shared Cloud Storage bucket. This ensures that only non-sensitive data is accessible to analysts, while PII remains secure in the administrator's bucket.

Cloud Asset Inventory: Using Cloud Asset Inventory allows you to quickly identify all the external assets and resources in your Google Cloud environment. This includes information about your projects, instances, storage buckets, and more. This step is crucial for understanding the scope of your audit. Network Security Scanner: Once you have identified the external assets, you can run a network security scanner to assess the security of these assets. Network security scanners can help identify vulnerabilities and potential security risks quickly.

To enforce access control policies for applications and resources in Google Cloud, the recommended service is Identity-Aware Proxy (IAP).

Identity-Aware Proxy (IAP):

IAP allows you to control access to your applications and resources based on the identity of the user and the context of the request. It integrates with IAM to provide fine-grained access control, ensuring that only authorized users can access specific resources.

IAP helps enforce security policies at the application layer, providing an additional layer of protection beyond traditional network-based security measures.

References

Identity-Aware Proxy documentation

To ensure that data is encrypted while in use by the virtual machines (VMs) and enforce this policy across your organization, you should use Confidential VM instances. Here are the steps:

Enable Confidential VM:

Ensure that Confidential VMs are available in your selected regions and enabled for your project.

Set Organization Policy:

Implement an organization policy to enforce the use of Confidential VM instances for all VMs across your organization.

Use the Google Cloud Console or the gcloud command-line tool to set this policy. Example command:

gcloud resource-manager org-policies set-policy my_policy.yaml

Example my_policy.yaml:

name: organizations/1234567890/policies/compute.requireConfidentialCompute spec: rules: - enforce: true

Verify and Monitor:

Ensure that all newly created VMs across your organization are Confidential VMs.

Regularly monitor compliance through the Google Cloud Console and set up alerts if non-compliant VMs are created.

Benefits:

Data Encryption in Use: Confidential VMs ensure that data is encrypted not just at rest and in transit but also while in use.

Policy Enforcement: Organization policies provide a way to enforce security configurations across all projects under your organization.

References

Confidential Computing Documentation

Creating and Managing Organization Policies

The problem requires restricting the types of Google Cloud services that can be deployed within specific folders to enforce compliance, without affecting other parts of the resource hierarchy, using the most efficient and simple method.

Organization Policies: Organization policies allow you to define centralized, programmatic controls over your Google Cloud resources. They apply hierarchically, meaning a policy set on a folder applies to all projects and resources within that folder and its descendants.

Restrict Resource Service Usage Constraint: This specific organization policy constraint is designed precisely for controlling which Google Cloud services can be used (and thus deployed/created resources for) within a given part of the resource hierarchy. It supports both allowlists and denylists of service API identifiers.

Extract Reference: "The Restrict Resource Service Usage constraint controls the runtime access to all in-scope resources." and "This constraint can be used in two mutually exclusive ways: Denylist - resources of any service that isn't denied are allowed. Allowlist - resources of any service that isn't allowed are denied." (Google Cloud Documentation: "Restricting resource usage | Resource Manager Documentation" - https://cloud.google.com/resource-manager/docs/organization-policy/restricting-resources)

Folder-Level Application: Applying this organization policy at the folder level directly meets the requirement of applying restrictions "only to the designated folders without affecting other parts of the resource hierarchy." This is more efficient and simpler than applying a global policy with numerous exceptions.

Let's evaluate the other options:

B. Implement IAM conditions on service account creation within each folder: IAM conditions control permissions for who can do what. While they can be used for very fine-grained access control, they are not designed to restrict the types of services that can be deployed directly. Controlling service account creation doesn't prevent a user with appropriate permissions from deploying other resources.

C. Create a global organization policy... and apply exceptions: While technically possible, this is less efficient and simple if the goal is to only restrict specific folders. Managing exceptions for the entire rest of the organization would be more complex than simply applying the policy directly where it's needed.

D. Configure VPC Service Controls perimeters around each folder: VPC Service Controls primarily prevent data exfiltration and restrict API access at a network perimeter level. They are not designed to restrict which types of Google Cloud services can be deployed within a project or folder; rather, they control how allowed services interact with each other and with external endpoints.

Therefore, creating an organization policy with the "Restrict Resource Service Usage" constraint at the folder level is the most efficient, simple, and direct method to achieve the stated goal.

The Organization Administrator and Super Admin roles have extensive administrative privileges at the organization level. Restricting these roles is crucial to limit the number of users who have the ability to manage critical resources and configurations within the organization, thereby enhancing security and minimizing potential risks.

Organization Administrator: Has comprehensive permissions to manage all aspects of the Google Cloud organization, including projects, folders, and IAM policies.

Super Admin: In Google Workspace (formerly G Suite), the Super Admin has access to all administrative features and can manage user accounts, services, and settings across the organization.