This is my 3rd time taking the security engineer exam. The topics have broadened, with different focus areas. There were 50 questions and I had 30 minutes left.
- Cloud KMS has 3 protection levels for creating keys: software-backed, HSM (FIPS 140-2 Level 3 validated), and external. Learn the use cases for each, such as when to use external, HSM, or software.
- Organization policy constraints can be inherited, but by default they are not: inheritFromParent needs to be specified explicitly. Look at the following 2 policies. The question is likely to show you a list constraint that doesn't have inheritFromParent, so that the answer is the denied or allowed values set at the project level.
gcloud resource-manager org-policies describe constraints/compute.restrictLoadBalancerCreationForTypes
constraint: constraints/compute.restrictLoadBalancerCreationForTypes
etag: *****
listPolicy:
deniedValues:
- EXTERNAL_TCP_PROXY
inheritFromParent: true
updateTime: '2023-03-19T00:51:25.512608Z'
gcloud resource-manager org-policies describe constraints/compute.restrictLoadBalancerCreationForTypes
constraint: constraints/compute.restrictLoadBalancerCreationForTypes
etag: CJe62aAGEL*****
listPolicy:
deniedValues:
- EXTERNAL_TCP_PROXY
updateTime: '2023-03-19T00:53:43.010830Z'
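As an added illustration (not from the original post), here is a small Go model of how a list constraint resolves down the resource hierarchy: a child policy replaces the parent's values unless inheritFromParent is true, in which case they merge. The ListPolicy type is my own and only models allowed/denied value lists, not allValues or conditional policies.

```go
package main

import "sort"

// ListPolicy models the listPolicy block in the gcloud output: the values a
// level allows or denies, and whether it merges with the parent (constructed
// example; allValues and conditional policies are not modelled).
type ListPolicy struct {
	AllowedValues     []string
	DeniedValues      []string
	InheritFromParent bool
}

// EffectivePolicy folds policies from the organization down to the project.
// A level with no policy (nil) leaves the effective policy unchanged. A level
// with a policy merges into the parent's values only when InheritFromParent
// is true; otherwise, which is the default, it replaces them entirely.
func EffectivePolicy(orgToProject []*ListPolicy) ListPolicy {
	eff := ListPolicy{}
	for _, p := range orgToProject {
		if p == nil {
			continue
		}
		if p.InheritFromParent {
			eff.AllowedValues = union(eff.AllowedValues, p.AllowedValues)
			eff.DeniedValues = union(eff.DeniedValues, p.DeniedValues)
		} else {
			eff.AllowedValues = union(nil, p.AllowedValues)
			eff.DeniedValues = union(nil, p.DeniedValues)
		}
	}
	return eff
}

// union returns the sorted, de-duplicated combination of two value lists
// (nil when both are empty, so "no values" stays distinguishable).
func union(a, b []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, v := range append(append([]string{}, a...), b...) {
		if !seen[v] {
			seen[v] = true
			out = append(out, v)
		}
	}
	sort.Strings(out)
	return out
}
```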
- Learn the difference between iam.disableServiceAccountCreation and iam.disableServiceAccountKeyCreation. The question was how to prevent users from creating service accounts in the organization. I thought not allowing the Service Account Admin IAM role was good enough, as I did not know of the existence of iam.disableServiceAccountCreation. I failed.
- Learn about the features in Security Command Center's Security Health Analytics, such as findings. That term appeared 3 times in answers so it must be important.
- Learn about Security Command Center Event Threat Detection, such as how it works using Cloud Logging and the types of threats it detects.
- Learn how to configure Binary Authorization with Container Analysis notes and attestations to ensure deployed container images don't have vulnerabilities. The question asked about the most cloud-native solution with the least overhead. Jenkins definitely was the wrong answer. Using Cloud Build to create attestations was the right choice.
- Understand how to enable AMD's confidential computing feature to protect data in use (in memory). Bad news is that developers can't see what's in the core dump after the process crashes.
- Understand how to separate the network security team's and the DevOps team's responsibilities by using a Shared VPC model in the same organization. Choosing VPC peering or creating 2 VPC networks was wrong.
- Know how VPC Service Controls works and how to use it. Understand the modes: enforced and dry run. The question was how to allow access to a storage bucket in project A from Compute Engine instances in project B. A VPC Service Controls perimeter would be the right method. Firewall rules were wrong.
- Know the IP ranges for private.googleapis.com and restricted.googleapis.com when configuring Private Google Access for on-premises hosts. The questions would have steps to create A records for the following: A: 199.36.153.8/30 if you chose private.googleapis.com; B: 199.36.153.4/30 if you chose restricted.googleapis.com. Remember .4/30 is for restricted.googleapis.com, used with VPC Service Controls. The question is about forcing on-premises hosts to use the Interconnect to access BigQuery datasets. Pick restricted.googleapis.com over private.googleapis.com. Learn that there's a step to add custom advertised routes. I failed by choosing 199.36.153.8/30.
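As an added Go example, not from the original post, the following generates the DNS records and the route prefix to advertise for the on-premises setup described above, choosing restricted.googleapis.com whenever a VPC Service Controls perimeter must be honoured. The A records and the wildcard CNAME follow Google's documented pattern; the Record type and VIPFor/Records helpers are my own.

```go
package main

import "net/netip"

// Virtual IP ranges for reaching Google APIs from on-premises hosts over
// Interconnect/VPN with Private Google Access.
const (
	PrivateVIP    = "199.36.153.8/30" // private.googleapis.com
	RestrictedVIP = "199.36.153.4/30" // restricted.googleapis.com (VPC Service Controls)
)

// Record is one entry for the on-premises DNS zone that overrides googleapis.com
// (constructed type for this example).
type Record struct{ Name, Type, Data string }

// VIPFor chooses the endpoint. When traffic must stay inside a VPC Service
// Controls perimeter, only restricted.googleapis.com is acceptable.
func VIPFor(vpcServiceControls bool) (host, cidr string) {
	if vpcServiceControls {
		return "restricted.googleapis.com", RestrictedVIP
	}
	return "private.googleapis.com", PrivateVIP
}

// Records expands the /30 into its four A records, adds the wildcard CNAME so
// *.googleapis.com (e.g. bigquery.googleapis.com) resolves to the chosen VIP,
// and returns the prefix that Cloud Router must advertise as a custom route.
func Records(vpcServiceControls bool) ([]Record, string, error) {
	host, cidr := VIPFor(vpcServiceControls)
	prefix, err := netip.ParsePrefix(cidr)
	if err != nil {
		return nil, "", err
	}
	var recs []Record
	for ip := prefix.Masked().Addr(); prefix.Contains(ip); ip = ip.Next() {
		recs = append(recs, Record{Name: host, Type: "A", Data: ip.String()})
	}
	recs = append(recs, Record{Name: "*.googleapis.com", Type: "CNAME", Data: host})
	return recs, cidr, nil
}
```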
- Understand that firewall rules use network tags or service accounts to target Compute Engine instances. When network tags are used, users with the Compute Instance Admin IAM role can change the network tags. Without the Service Account User IAM role, someone with the Compute Instance Admin IAM role can't change the instance's service account.
- Learn how to use Google Cloud Armor's security policy preview mode to evaluate preconfigured WAF rules.
- How do you ingest all logs from production projects in a folder into a centralized place for log analytics? Create a logs bucket and create an aggregated log export at the folder that contains the production projects.
- Similar to the prior study guide, the same question appeared twice: learn the different techniques of using the Cloud Data Loss Prevention API, such as generalization and bucketing, de-identifying sensitive data, and pseudonymization, especially format-preserving encryption, which is reversible for those who need to access the sensitive data by decrypting the tokens using CryptoReplaceFfxFpeConfig. If the PII data is needed by the HR department but not by analysts, pseudonymization is the right choice, not text redaction, masking, hashing, generalization, or bucketing.
- Cloud DLP has a feature to redact sensitive data in images uploaded to chat messages: execute the image.redact method to remove PII data from the uploaded chat messages.
- Learn how to use sampling to reduce the cost of executing Cloud DLP scanning jobs: use bytesLimitPerFile to limit Cloud Storage scans, use rowsLimit or rowsLimitPercent to limit BigQuery scans, and use CloudStorageRegexFileSet to scan only buckets with a certain regional suffix. Answers not using these 3 were wrong.
- In Identity Platform, how do you migrate consumer Google accounts to managed Google accounts? The transfer tool for unmanaged users is the answer.
- When a user loses the 2nd step of 2-Step Verification, how do you help the user regain access to the Google account (account recovery) as the Google Workspace super admin? Generate backup codes for the user if the user does not have backup codes. Disabling 2-Step Verification for the user or for all users was the wrong answer.
- Web Security Scanner appeared twice. Learn the targets of Web Security Scanner: App Engine, GKE, and Compute Engine. Learn features such as using an authenticated scan when you create a scan.
- Study the overview of PCI DSS and know that it's the document to review to verify that the deployed infrastructure resources are PCI compliant.
- Again, envelope encryption appeared once in the exam. Generate the KEK in Cloud Key Management Service. Generate a DEK close to the data to encrypt, and encrypt the data with it. Use the KEK to encrypt the DEK.
- Learn the types of logs in Cloud Audit Logs: Admin Activity logs, Data Access logs, and System Event logs. Access Transparency logs are not included.
- Learn how to use Access Transparency logs to control access to sensitive data by Google employees.
- If you need to grant the security team read-only access to view logs, including private logs (also called Access Transparency logs), grant them roles/logging.privateLogViewer: it provides the permissions of the Logs Viewer role and, in addition, read-only access to log entries in private logs.
- The scenario is that a company sells its departments to a different company; how do you migrate GCP projects to a different organization? Learn that custom IAM roles used in the project but created at the organization level will cause the failed_condition during migration. What else will cause such a condition? VPC Service Controls perimeters and constraints/resourcemanager.allowedExportDestinations.
- How do you upload files to storage buckets and separate them by PII data? The requirement was to grant access to the 2 buckets, where one contains PII data and the other does not. The correct answer was: upload files to the bucket that's labelled PII, execute a DLP job to de-identify the PII data in the files, and write the results to a separate bucket. Uploading to the bucket labelled "no-pii" first would be bad, as the files may contain SSNs.
- Remember that DLP jobs and job triggers allow actions such as publishing to a Pub/Sub topic. Know that DLP templates allow reusing configurations such as infoTypes.