Google Updated Professional-Cloud-Security-Engineer Exam Questions and Answers by blake

This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK). For more information on Google data encryption keys, see Encryption at Rest. https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption

https://codelabs.developers.google.com/codelabs/encrypt-and-decrypt-data-with-cloud-kms#0

Objective: Prevent users from creating projects while allowing only the DevOps team to create projects.

Solution: Modify IAM roles and permissions.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the IAM & Admin page.

Step 3: At the organizational level, find and remove all users from the Project Creator role.

Step 4: Create or identify a group for the DevOps team.

Step 5: Assign the Project Creator role to the DevOps team group at the organizational level.

By removing all users from the Project Creator role and granting it only to the DevOps team, you ensure that only the designated team can create projects.

"Date shifting techniques randomly shift a set of dates but preserve the sequence and duration of a period of time. Shifting dates is usually done in context to an individual or an entity. That is, each individual's dates are shifted by an amount of time that is unique to that individual."

To keep track of "who did what, where, and when?" within GCP projects, the administrator should focus on Admin Activity logs and Data Access logs. Here’s a detailed explanation of why these two log streams are essential:

Admin Activity Logs:

These logs capture administrative actions performed in your Google Cloud resources. This includes actions like creating, modifying, or deleting resources.

Admin Activity logs provide detailed information about the user who performed the action, the resource that was affected, the action performed, and the timestamp.

Data Access Logs:

These logs capture read and write operations on data within your Google Cloud services. This includes actions like accessing or modifying data stored in databases, storage buckets, etc.

Data Access logs help track the access patterns of users and services to sensitive data, providing insights into who accessed which data and when.

Steps to Enable and Access Logs:

Navigate to the Google Cloud Console.

Go to Logging in the left-hand menu.

Enable Admin Activity and Data Access logs if not already enabled.

Use Logs Explorer to filter and view specific logs based on your requirements.

By monitoring both Admin Activity and Data Access logs, administrators can gain comprehensive visibility into the actions performed on their GCP resources and data, ensuring robust security and compliance tracking.

Google Cloud Logging Documentation

Audit Logs Overview