Security Best Practices in Google Cloud
Securing Compute Engine: Techniques and Best Practices
Q1. Which of the following TWO statements about Google Cloud service accounts are TRUE?
- Service accounts are a type of identity
- Virtual Machine (VM) instances use service accounts to run API requests on your behalf.
- Custom service accounts use “scopes” to control API access.
- VMs without service accounts cannot run APIs.
Q2. Which TWO recommendations below ARE considered to be Compute Engine “best practices?”
- Hardened custom images, once added to your Organization’s resources, are then maintained by Google with automatic security patches and other updates.
- Utilize projects and IAM roles to control access to your VMs.
- Always run critical VMs with default, scope-based service accounts.
- Cloud Interconnect or Cloud VPN can be used to securely extend your data center network into Google Cloud projects.
Q3. Which TWO of the following statements is TRUE when discussing the Organization Policy Service?
- To define an Organization Policy, you will choose and then define a constraint against either a Google Cloud service or a group of Google Cloud services.
- Descendants of a targeted resource do not inherit the parent’s Organization Policy.
- Organization Policy Services allow centralized control for how your organization’s resources can be used.
Securing Cloud Data: Techniques and Best Practices
Q1. Which TWO of the following statements are TRUE when discussing Cloud Storage and IAM permissions?
- Access can be granted to Cloud Storage at the organization, folder, project, or bucket levels.
- It is possible to remove a permission from a lower level that was granted at a higher level.
- Using IAM permissions alone gives you control over your projects and buckets, but does not give control over individual objects.
- A user needs permission from both IAM or an ACL in order to access a bucket or object.
Q2. Which TWO of the following statements are TRUE when discussing storage and BigQuery best practices?
- Do not use any personally identifiable information as object names.
- One option to serve content securely to outside users is to use signed URLs.
- In most cases, you should use Access Control Lists (ACLs) instead of IAM permissions.
- BigQuery data can be adequately secured using the default primitive roles available in Google Cloud.
Q3. Which TWO of the following statements is TRUE with regards to security in BigQuery and its datasets?
- A BigQuery Authorized View allows administrators to restrict users to viewing only subsets of a dataset.
- Using IAM, you can grant users granular permissions to BigQuery tables, rows and columns.
- It is always better to assign BigQuery roles to individuals as this will help to lower operational overhead.
- BigQuery has its own list of assignable IAM roles.
Application Security: Techniques and Best Practices
Q1. Which TWO of the following statements about Application Security are TRUE?
- Applications are the most common target of cyberattack.
- Applications in general, including many web applications, do not properly protect sensitive user data.
- Developers are commonly given a requirements document that clearly defines security requirements for the application.
- “Injection Flaws” are the least frequently found application security issue.
Q2. Which TWO of the following vulnerabilities are scanned for when you use Cloud Security Scanner?
- Outdated or insecure libraries.
- Personalized data in object names.
- Mixed content.
- Insecure logins.
- User data in images.
Q3. Which TWO of the following statements are TRUE when discussing the threat of OAuth and Identity Phishing?
- Being “hacked” on a social site can lead to being “hacked” on more critical websites, depending on your social site’s account settings.
- Credit card data is the only information that is useful to cyber hackers.
- Even small, unimportant pieces of personal data need to be secured from phishing attacks.
- Look-alike phishing sites are generally pretty easy to spot.
Securing Kubernetes: Techniques and Best Practices
Q1. “Kubernetes service account” and “Google service account” are different names for the same type of service account.
Q2. Which ONE of the following is NOT a security best practice on Kubernetes.
- Use shielded GKE nodes.
- Restrict access between pods.
- Disable Workload Identity.
- Upgrade your GKE infrastructure.
Q3. GKE has logging and monitoring functions built-in.