Google Updated Professional-Cloud-Security-Engineer Exam Questions and Answers by nikolas

To access a user's Google Drive on their behalf without relying on the user's credentials and following Google-recommended practices, you should use a service account with domain-wide delegation.

Create a Service Account:

Go to the Cloud Console, navigate to IAM & Admin > Service Accounts.

Click "Create Service Account" and provide necessary details.

Grant Domain-Wide Delegation:

Edit the service account to enable "G Suite Domain-wide Delegation".

Download the JSON key file.

Configure API Access in G Suite:

Go to the Google Admin Console.

Navigate to Security > API Controls > Domain-wide Delegation.

Add a new API client and use the client ID from the service account.

Authorize the necessary API scopes (e.g., https://www.googleapis.com/auth/drive).

Implement in Application:

Use the Google API Client Library for the desired language.

Load the service account credentials and perform user impersonation to access Google Drive.

Domain-wide Delegation of Authority

Using OAuth 2.0 for Server to Server Applications

To ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS) at the infrastructure-as-a-service (IaaS) level within Google Cloud, it's essential to have continuous monitoring and assessment tools that can detect deviations from compliance requirements.​

Option A: Creating data profiles and configuring Data Discovery jobs in Google Cloud Sensitive Data Protection focuses on identifying and analyzing sensitive data but does not directly address infrastructure compliance monitoring.​

Option B: Downloading the latest PCI DSS report from the Compliance Reports Manager provides a static compliance report but does not offer real-time detection of deviations within your specific environment.​

Option C: Utilizing Assured Workloads helps in creating environments that meet specific compliance requirements, but migrating existing projects into such folders does not actively detect deviations; it primarily ensures that new workloads comply with predefined policies.​

Option D: Activating Security Command Center (SCC) Premium and leveraging its Compliance Monitoring capabilities allows for continuous assessment of your Google Cloud environment against PCI DSS requirements. SCC can identify misconfigurations, vulnerabilities, and compliance violations in real-time, providing actionable insights to address any issues promptly.​

Therefore, Option D is the most effective approach to detect deviations at the IaaS level in preparation for a PCI DSS audit.​

This question combines three security requirements: strong isolation (segmentation), secure remote access, and least privilege.

Strong Isolation: Creating separate VPC networks for each tier (C) provides the strongest network isolation/segmentation, limiting the blast radius compared to a single VPC with subnets (B, D). VPC peering is the standard way to allow controlled communication between these separate VPCs.

Extract: "Isolate sensitive data in its own VPC network." (Source 2.5) Segmentation via separate VPCs is a standard best practice for isolating sensitive workloads.

Secure Remote Access and Least Privilege: Identity-Aware Proxy (IAP) is the recommended Google Cloud service to provide secure remote access to virtual machine instances without requiring a public IP or VPN, which aligns with the zero-trust principle of explicit validation and least privilege by verifying user identity and context. Granting SSH keys and root access (A) or the Network Admin role (B) or Project Ownership (D) violates the principle of least privilege.

Extract: "Access control: Enforce access controls based on user identity and context by using solutions like... Identity-Aware Proxy (IAP). By doing this, you shift security from the network perimeter to individual users and devices. This approach enables granular access control and reduces the attack surface." (Source 2.2)

Extract: "BeyondCorp uses Google Cloud tools, such as... and Identity-Aware Proxy, to push the perimeter from the network to individual devices and users." (Source 2.3)

Extract: "IAP protects GCP-hosted applications by verifying user identity and context before granting access... When you grant a user access to an application or resource by IAP, they're subject to the fine-grained access controls implemented by the product in use without requiring a VPN." (Source 2.3)

Option C is the only one that satisfies all three requirements by using separate VPCs (strong isolation) and IAP (secure remote access with least privilege).

The requirement to ensure the master encryption key material never leaves the on-premises hardware (HSM) and retaining the unilateral ability to revoke access are the defining features of Cloud External Key Manager (Cloud EKM).

Key Residency: Cloud EKM allows you to use encryption keys stored and managed in a supported external key management system, such as an on-premises HSM, for encrypting data in Google Cloud services like BigQuery and Cloud Storage. This ensures the key material remains in your accredited hardware.

Unilateral Control: Since Google Cloud must request the key from the external system for every encryption/decryption operation, revoking access (by disabling the key or revoking Google's access) in the external system immediately renders the data in Google Cloud inaccessible, granting the customer unilateral control.

Extracts:

"Cloud External Key Manager (Cloud EKM) is a cloud service that lets you encrypt data in Google Cloud with keys you manage outside of Google Cloud." (Source 6.1)

"The key material is stored on an external system, such as a Cloud EKM partner or an on-premises HSM, and never leaves that system." (Source 6.1)

"The customer can unilaterally revoke access to the key at the EKM system, making the encrypted data in Google Cloud inaccessible, which is a key requirement for highly regulated industries." (Source 6.2)