Security Engineer

Question 1

What is a GKE network policy?

Answer 1

While Firewall Rules are a powerful security measure, and Kubernetes enables you to define even finer grained rules via Network Policies. Network Policies are used to limit intra-cluster communication. Network policies do not apply to pods attached to the host’s network namespace.

Question 2

How can you restrict traffic with a GKE network policy?

Answer 2

By pod label or namespace

Question 3

How are IAM and Kubernetes RBAC different?

Answer 3

RBAC is used for restricting access within a GKE cluster. There are no deny rules, only allow rules. IAM is higher level at the node and project level. They are used in conjunction in GKE.

Question 4

What can Binary Authorization do?

Answer 4

With Binary Authorization you can whitelist container registries, require images to be signed by trusted authorities, and centrally enforce those policies

Question 5

What does the Titan security chip do?

Answer 5

Enable trusted server boot

Question 6

Which logs allow you to see if Google has accessed your data?

Answer 6

Access Transparency Logs

Question 7

What can be used for authentication for GCP resources?

Answer 7

Either Google Sign-in or SAML/OIDC

Question 8

Which roles are added when creating an org?

Answer 8

Existing users are granted project creator and billing account creator roles - remove these ASAP for people that don’t need them

Question 9

What is an org policy?

Answer 9

An org policy is a configuration of restrictions, defined by configuring a constraint with restrictions, applied to the org node, folder, or projects

Question 10

What are audit logs?

Answer 10

They are logs that record project-level permission changes

Question 11

What scope do firewall rules have?

Answer 11

Global within a VPC

Question 12

What are the implied firewall rules?

Answer 12

Allow all outgoing traffic, block all incoming traffic

Question 13

What additional rules does the default VPC allow?

Answer 13

the default VPC allows internal, ssh, rdp, and icmp

Question 14

What VPC traffic is always blocked?

Answer 14

Email ports and non-standard protocols

Question 15

What firewall rule can be set to prevent exposing ports and protocols unnecessarily?

Answer 15

Set low priority firewall rule to deny all ports/protocols

Question 16

Does private google API access resolve to a public or private IP address?

Answer 16

It is still resolved to a public IP address, but the traffic is all internal and private, and subnet must still have a route to the default-internet-gateway set

Question 17

What are the Forseti modules?

Answer 17

Inventory, Scanner, Enforcer, Explain, and Notifier

Question 18

What does Forseti Inventory do?

Answer 18

Saves an inventory snapshot of your GCP resources to Cloud SQL

Question 19

What does Forseti Scanner do?

Answer 19

Regularly compares role-based access policies for your GCP resources

Question 20

What does Forseti Enforcer do?

Answer 20

Uses policies you create to compare the current state to the desired state

Question 21

What does Forseti Explain do?

Answer 21

Provides visibility into your cloud IAM policies

Question 22

What does Forseti Notifier do?

Answer 22

Priovides ability to notify inventory summary and violations

Question 23

What controls what a Compute Engine VM can access?

Answer 23

The VM service account or Scope (legacy). Scope is only used with the default service account.

Question 24

What is the Compute Engine default service account?

Answer 24

It’s a project editor, used by default when creating a VM unless you delete the service account or disable it with a policy

Question 25

What does a GCE scope control?

Answer 25

It controls access to APIs when using the default service account.

Question 26

How do you enable SSH to linux VMs

Answer 26

Add ssh public key to project metadata to enable ssh access to all VMs, or to the VM directly. You can configure individual instances to NOT use project-wide keys.

Question 27

How is data encrypted on GCP?

Answer 27

AES-256 with a key per storage block. The keys are then encrypted with AES-256 with a KEK.

Question 28

What is the standard rotation schedule for KEKs?

Answer 28

90 days

Question 29

What do customer managed keys allow you to do?

Answer 29

Allows you to manage the KEKs and generate keys, set rotation periods, and expire keys

Question 30

Where are KEKs stored?

Answer 30

On Google KMS in a keyring. Each keyring can have multiple versions of a key.

Question 31

What is a customer supplied key?

Answer 31

Google will never store your key, but you have to provide your own key when creating or using a storage resource

Question 32

At what levels can you grant access to Cloud Storage with IAM?

Answer 32

Org, folder, project, or bucket level

Question 33

What can ACLs be used for?

Answer 33

Granting access to objects and buckets

Question 34

When should use use IAM vs ACLs for cloud storage access?

Answer 34

Usually use IAM and not ACL, unless you need really fine tuned access of objects

Question 35

What is a signed URL?

Answer 35

Allows access to Cloud Storage without adding a user to an ACL or IAM, has a timeout

Question 36

What is the other way to allow bucket upload without an ACL or IAM?

Answer 36

Signed Policy Documents specify what can uploaded to a bucket with a form POST

Question 37

At what level can you grant BQ access?

Answer 37

Org, folder, project, or dataset through IAM

Question 38

How can you restrict access to only a subset of a dataset?

Answer 38

Create an authorized view and share that

Question 39

How do you configure an authorized view?

Answer 39

Create a second dataset, add a restricted view to the second dataset with access permissions to the first dataset

Question 40

What are the ways to reduce the likelihood or effects of a DDOS attack?

Answer 40

Load balancing, reduce the attack surface, restrict to internal traffic only, manage with APIs, offload to CDN, and use products that protect against DDoS

Question 41

What is the Cloud Security Scanner?

Answer 41

It scans for web security in App Engine and Compute Engine for cross-site scripting, flash injection, mixed content, clear text passwords, and insecure JS libraries

Question 42

What does it scan?

Answer 42

App Engine and Compute Engine - every link it finds except for specifically exluded ones. It can even log in with provided credentials.

Question 43

Where should you run the scanner?

Answer 43

In a test environment because it can generate load and change state

Question 44

What is Cloud Identity-Aware Proxy?

Answer 44

Proxy that controls access to App Engine, GCE, or GKE, does both authn and authz

Question 45

How does GCP protect against ransomware?

Answer 45

Automatically detects and blocks known attacks, scans files in Drive and G Suite tools

Question 46

What is the DLP API?

Answer 46

Finds and redacts sensitive data in text and images

Question 47

Which APIs can be used to detect inappropriate content?

Answer 47

DLP API, Vision API and Video Intelligence API

Question 48

What does DNSSEC provide protection against?

Answer 48

Protects domains from spoofing and poisoning attacks

Question 49

Which 3 places does DNSSEC need to be configured?

Answer 49

DNS zone must serve special DNSSEC records to authenticate the content, the top-level domain registry must have a record to authenticate a DNSKEY records in your zone, and the client must use a DNS resolver that validates DNSSEC-signed domains