Security

Question 1

Cloud Armor

Answer 1

WAF - web application firewall
Layer 7 web app firewall
Prevents DDoS, cross site scripting, SQL injections attacks

Question 2

Service account email format

Answer 2

[name]@[project_id].[service name].gserviceaccount.com

[name]@appspot.gserviceaccount.com

Question 3

IAM Conditions

• Definition
• Language conditions expressed in

Answer 3

Access control based on attributes of a resource

Common Expression Language (CEL)

Question 4

Network Tags

Answer 4

User level annotation for Compute Engine resources

Used to define security groups, network segment, firewall rules

Question 5

Resource Tags

Answer 5

Key value pairs that can be attached to an org, folder, project

Can be used to conditionally allow or deny policies based on whether a resource has a specific tag

Question 6

Security Marks

Answer 6

Security Command Center annotations for findings and assets for searching, selecting, filtering
Can group marks for policy, integration with workflow, flag for priority, access level, sensitivity classification

Question 7

Labels

Answer 7

User level annotation, metadata for resources
Used for billing and admin
Not inherited by children resources

Question 8

IAM policies written in what format

Answer 8

JSON

Question 9

Clou IAM API functions (3)

Answer 9

Set policies on resources
Read policies on resources
Test whether an identity has a permission on a resource

Question 10

IAM Conditions resource attributes (3)

Answer 10

Type of resource
Resource name
Tags attached to resource

Question 11

IAM conditions request attributes (3)

Answer 11

Access level
Date and time
Destination IP and port

Question 12

Identity Aware Proxy

Answer 12

Layer 7 based access control for HTTP requests
IAP protected resources can only be accessed via proxy by principal with correct IAM role
Allows fine grained access control and user grouping without requiring VPN

Question 13

Organization policy constraint

Answer 13

Rule that prevents action or configuration on service or group of services
Implemented across an org

Question 14

Data at rest encryption occurs at which levels (3)

Answer 14

Platform - database and file data

Infrastructure - data grouped into data chunks in storage system

Hardware - storage device itself

Question 15

Infrastructure level encryption

• keys used
• encryption type

Answer 15

DEK
KEK
AES256

Question 16

Data in transit encryption

• Data outside Google network (1)
• Data inside Google network (2)

Answer 16

Data outside Google network - authenticated but not necessarily encrypted

Data inside Google network

• HTTP/HTTPS to GFE - TLS or QUIC
• Within GCP infrastructure - ALTS for authentication and encryption

Question 17

Default encryption keys used

Answer 17

Google issued and managed DEK and KEK

Question 18

Cloud KMS

• Definition
• Key type
• Keys from
• Key managed by
• Key rotation

Answer 18

Hosted key management
AES, RSA, EC
Customer generated or imported keys
Customer managed by Google hosted
Auto key rotation

Question 19

Cloud HSM

• Definition
• Key type supported

Answer 19

GCP hosted HSM to host keys and perform cryptographic operations in a cluster of FIPS 140-2 Level 3 certified HSMs
Cloud KMS as frontend

Question 20

CMEK

Answer 20

Cloud managed encryption keys

Keys managed by customers using Cloud KMS

Question 21

Cloud EKM

Answer 21

Cloud External Key Manager

Allows customers to manage keys outside GCP and use Cloud KMS to use keys

Question 22

OS Login

Answer 22

Enabled through VM instance custom metadata
For SSH access to VM
Ties Linux accounts to Google identities and Cloud IAM

Question 23

Common uses for Organization Policy constraints (3)

Answer 23

Limit resources sharing based on domain
Limit usage of IAM service accounts
Restrict physical location of newly created resources

Question 24

Ways to restrict access to resources (4)`

Answer 24

Organization Policy Services
Tags
IAM Conditions
VPC Service Controls

Question 25

VPC Service Control

Answer 25

Clients within perimeter do not have access to resources outside
Data can’t be copied to unauthorized resources
Data exchanged between clients and resources separated by perimeter secured via ingress and egress rules

Question 26

Confidential computing services (3)

Answer 26

Confidential VMs
Confidential GKE Nodes
Dataproc Confidential Compute

Question 27

Confidential VM

Answer 27

Encrypts memory to protect data in use
Isolates guests and hypervisor
Provides vTPM attestation everytime AMD SEV boots

Question 28

K8 Role Based Access Control

Answer 28

K8 mechanism for fine grained access control to any object or type of object in cluster, or in specific Namespace in cluster

Question 29

BeyondCorp Enterprise

Answer 29

Google’s zero trust solution

Context based user and device authorization and authentication

Question 30

Cloud IDS

Answer 30

Creates Google managed peered network that has mirrored VMs
Palo Alto Networks threat protection technology to mirror and inspect traffic
For detecting network intrusions and app performance

Question 31

Workload Identity

Answer 31

Allows K8 service account in GKE cluster to act as an IAM service account.

Pods authenticate as IAM service account when accessing Google Cloud APIs

Question 32

Which services support CSEK

Answer 32

Compute Engine

Cloud Storage

Question 33

Acccess Transparency Log

Answer 33

Logs of actions by Google staff when accessing customer content

Question 34

CMEK and CSEK used to encrypt what for Cloud Storage objects (3)

Answer 34

Object data
Object’s CRC32C checksum
Object’s MD5 hash

Question 35

reCAPTCHA Enterprise

Answer 35

Finds Bots

provides risk score for progressive action based on risk

Question 36

Web App and API Protection solution components (3)

Answer 36

Cloud Armor
reCAPTCHA Enterprise
API Security with Apigee

Question 37

Secure Software Development Lifecycle with GCP - End to End Policy Services

Answer 37

Cloud Code
Cloud Build
Artifact Registry

Question 38

Secure Software Development Lifecycle with GCP - Binary Auth Services

Answer 38

Cloud Deploy

Run - cloud run, cloud functions, GKE

Question 39

Container Analysis service

Answer 39

Provides vulnerability scanning for containers in Artifact Registry and Container Registry

Continual analysis

Question 40

Binary Authorization works for which GCP platforms (4)

Answer 40

Cloud Run
GKE
Anthos Service Mesh
Anthos clusters on VMware

Question 41

Shielded VM

Answer 41

VMs with firmware that secures boot

Question 42

Security Command Center

Answer 42

Cloud Asset Inventory - find, monitor, analyze GCP assets
Security Health Analytics - Identifies misconfigurations and baselines
Web Security Scanner - Finds web app vulnerabilities
Event Threat Detection - Finds threats via platform logs
Container Threat Detection - Finds top suspicious activity in container deployments

Question 43

Open Source Insights

Answer 43

Tool to see dependencies, security advisory, license across open source code

Question 44

Device Management

Answer 44

API to manage corporate devices and control corporate data on devices

Question 45

Safe Browsing / Web Risk API

Answer 45

Lets client apps check URLs against Google’s list of unsafe web resources

Question 46

Titan C

Answer 46

Chip to protect users against phishing attacks
Enables 2 factor auth
Protects OS from tampering
**Chrome devices

Question 47

Web Security Scanner

Answer 47

Crawls app following all links and URLs and attempts to exercise user inputs and event handlers to look for vulnerabilities