Google Updated Professional-Cloud-Security-Engineer Exam Questions and Answers by amos

Disable service account key creation You can use the iam.disableServiceAccountKeyCreation boolean constraint to disable the creation of new external service account keys. This allows you to control the use of unmanaged long-term credentials for service accounts. When this constraint is set, user-managed credentials cannot be created for service accounts in projects affected by the constraint. https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#example_policy_boolean_constraint

Enable Dry Run Mode: Start by enabling the dry run mode for your VPC Service Controls perimeter. This mode allows you to test changes without actually enforcing them, thus preventing any disruption to your current setup.

Add Access Level: Add your new access level to the dry run configuration. This way, you can monitor how the new access level would behave and interact with your existing setup without any real impact.

Vetting Process: Carefully vet the new access level by analyzing logs and monitoring the behavior in the dry run mode. Ensure that the new configuration meets your security and operational requirements.

Update Perimeter: Once you are confident that the new access level will not disrupt existing services and meets all requirements, update the actual perimeter configuration with the new access level. This approach minimizes risk by allowing you to test changes before they take effect, ensuring seamless updates with minimal disruption. References:

Google Cloud - Configuring VPC Service Controls

Google Cloud - Using Dry Run Mode

Web Security Scanner is designed to scan your web applications deployed on Google Cloud for common vulnerabilities, including cross-site scripting (XSS). It can authenticate using Google accounts and can be scheduled to run scans regularly.

Steps:

Enable Web Security Scanner: In the Google Cloud Console, enable Web Security Scanner for your project.

Configure Scan: Set up the scan configuration, specifying the target URLs, authentication details (Google accounts), and scan frequency (at least once per week).

Run and Monitor Scans: Run the scans and monitor the results for vulnerabilities, addressing any issues found.

To enforce private connectivity between on-premises hosts and Google Cloud APIs while optimizing for cost and operational efficiency, using a dedicated or Partner Interconnect is the best solution. This setup ensures a reliable, high-bandwidth connection with private IP addressing.

Choose Interconnect Type: Decide between Dedicated Interconnect and Partner Interconnect based on your bandwidth needs and proximity to Google Cloud locations.

Set Up Interconnect:

For Dedicated Interconnect, order circuits through the Google Cloud Console.

For Partner Interconnect, select a supported service provider and order the connection through them.

Configure VPC and Private Google Access:

In your VPC, enable Private Google Access to allow on-premises hosts to access Google APIs privately.

Go to "VPC network" -> "Private Google Access" and enable it for your subnets.

Establish Connectivity: Work with your network team and (if applicable) your Partner Interconnect provider to set up the physical and logical connections.

Test Connectivity: Verify that on-premises hosts can reach Google Cloud services using private IP addresses.