Google Professional Cloud Security Engineer Exam Questions

There is mention about simulating in Web Security Scanner. 'Web Security Scanner cross-site scripting (XSS) injection testing *simulates* an injection attack by inserting a benign test string into user-editable fields and then performing various user actions.' https://cloud.google.com/security-command-center/docs/how-to-remediate-web-security-scanner-findings#xss

To ensure that Vertex AI Workbench Instances are automatically kept up-to-date and that users cannot alter operating system settings, implementing specific organization policies is essential.

Option A: Enabling VM Manager and adding Compute Engine instances assists in managing and monitoring VM instances but does not enforce automatic updates or restrict user modifications to the operating system.

Option B: Enforcing the disableRootAccess organization policy prevents users from gaining root access, thereby restricting unauthorized changes to the operating system. Additionally, the requireAutoUpgradeSchedule policy ensures that instances are automatically updated according to a defined schedule. Together, these policies maintain system integrity and compliance with update requirements.

Option C: Assigning AI Notebooks Runner and AI Notebooks Viewer roles controls user permissions related to running and viewing notebooks but does not directly influence operating system settings or update mechanisms.

Option D: Implementing firewall rules to prevent SSH access limits direct access to instances but does not ensure automatic updates or prevent alterations through other means.

Therefore, Option B is the most appropriate action, as it directly addresses both the enforcement of automatic updates and the prevention of unauthorized operating system modifications.

Organization Policy Constraints

VM Manager Overview

When a vulnerability patch is released for a running container in Google Kubernetes Engine (GKE), the recommended approach is to update the application code or apply the patch directly to the codebase. Then, a new container image should be built incorporating these changes. After building the new image, it should be deployed to replace the running containers. This method ensures that the containers run the updated, secure code.

Steps:

Update Application Code: Modify the application code or dependencies to incorporate the vulnerability patch.

Build New Image: Use a tool like Docker to build a new container image with the updated code.

Push New Image: Push the new container image to the Container Registry.

Update Deployments: Update the Kubernetes deployment to use the new image. This can be done by modifying the image tag in the deployment YAML file.

Redeploy Containers: Apply the updated deployment configuration using kubectl apply -f <deployment-file>.yaml, which will redeploy the containers with the new image.

Google Cloud: Container security

Kubernetes: Updating an application

When using Google Cloud's Platform-as-a-Service (PaaS) offerings like App Engine, Google manages the infrastructure, including the underlying OS, runtime, and scaling. However, securing the application code itself, such as defending against cross-site scripting (XSS) and SQL injection (SQLi) attacks, remains the responsibility of the user. This involves implementing secure coding practices, validating inputs, and employing appropriate security measures within the application.

Google Cloud: Shared responsibility model

App Engine security

To enable developer teams to deploy new applications without the extensive overhead of network and security reviews, it's recommended to mandate the use of infrastructure as code (IaC) and enforce policies through static analysis in CI/CD pipelines. This approach ensures that security and compliance policies are checked automatically during the development process.

Step-by-Step:

Adopt IaC: Use tools like Terraform or Google Cloud Deployment Manager to manage infrastructure as code.

CI/CD Pipeline Integration: Integrate static analysis tools such as TFLint or Checkov in the CI/CD pipeline to enforce security policies.

Policy Definition: Define security policies and best practices that need to be adhered to in the code.

Automated Checks: Configure automated checks in the CI/CD pipeline to review code against these policies before deployment.

Monitor and Audit: Continuously monitor and audit deployed applications to ensure ongoing compliance.

Infrastructure as Code on Google Cloud

Static Analysis for Terraform

Checkov for IaC