Google Updated Professional-Cloud-Security-Engineer Exam Questions and Answers by esmee

Objective: Ensure that the analytics workload on Compute Engine instances accessing Cloud Storage does not interact with the public internet.

Solution:

Private Google Access: This allows Compute Engine instances that only have internal IP addresses to reach Google APIs and services through a private connection without the need for a public IP address.

No Public IP Addresses: By avoiding public IP addresses for the instances, you ensure that they are not accessible from the internet and do not initiate internet connections.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the VPC Network page and select the subnet where the Compute Engine instances are located.

Step 3: Enable Private Google Access for the subnet.

Step 4: Ensure that when launching the Compute Engine instances, no public IP addresses are assigned to them.

To use customer-supplied encryption keys (CSEK) for encrypting data on Cloud Storage, follow these steps:

Generate an Encryption Key: Generate a 256-bit AES encryption key. This key should be base64-encoded.

sh

Copy code

openssl rand -base64 32

Upload Object with CSEK: Use the gsutil command-line tool to upload the object to Cloud Storage, specifying the location of the encryption key using the -o option.

gsutil -o "GSUtil:encryption_key=" cp [LOCAL_OBJECT_PATH] gs://[BUCKET_NAME]/

Verify Encryption: After uploading the object, you can verify that it is encrypted using the provided CSEK by checking the object's metadata.

gsutil stat gs://[BUCKET_NAME]/[OBJECT_NAME]

Key Management: Ensure that the encryption key is securely stored and managed. It should not be hard-coded in scripts or applications.

By using the gsutil tool and specifying the encryption key, you ensure that the object is encrypted using the customer-supplied encryption key during the upload process.

Customer-Supplied Encryption Keys (CSEK) Documentation

gsutil Command Line Tool Documentation