Professional-Cloud-Security-Engineer Exam Dumps - Google Cloud Certified - Professional Cloud Security Engineer

"The service evaluates all changes and remote access attempts to detect runtime attacks in near-real time." : https://cloud.google.com/security-command-center/docs/concepts-container-threat-detection-overview This has nothing to do with KNOWN security Vulns in images

App Engine ingress firewall rules are available, but egress rules are not currently available. Per requirements 1.2.1 and 1.3.4, you must ensure that all outbound traffic is authorized. SAQ A-EP and SAQ D–type merchants must provide compensating controls or use a different Google Cloud product. Compute Engine and GKE are the preferred alternatives. https://cloud.google.com/solutions/pci-dss-compliance-in-gcp

Generate Supply Chain Levels for Software Artifacts (SLSA) level 3 assurance by using Cloud Build: SLSA is a framework for ensuring the integrity of software artifacts. By using Cloud Build, you can automate the build process and generate SLSA level 3 compliance, which includes verifiable build steps and provenance.

View the build provenance in the Security insights side panel within the Google Cloud console: The build provenance provides a detailed history of how the software was built, including the source code, build process, and any dependencies. This information is accessible through the Security insights side panel in the Google Cloud console, allowing you to verify the integrity and authenticity of your software artifacts.

References

Supply Chain Levels for Software Artifacts (SLSA) documentation

Cloud Build documentation

Security insights in Google Cloud console

https://cloud.google.com/billing/docs/how-to/billing-access#overview-of-cloud-billing-roles-in-cloud-iam

Billing Account Costs Manager (roles/billing.costsManager)

- Manage budgets and view and export cost information of billing accounts (but not pricing information)

Billing Account Viewer (roles/billing.viewer)

- View billing account cost information and transactions.

Cloud Identity-Aware Proxy (Cloud IAP) provides a way to control access to your web applications and resources running on Google Cloud. It works by verifying the identity of a user trying to access the application and supports multi-factor authentication (MFA). Cloud IAP can restrict access to users on the corporate network and also supports access over the internet securely.

Steps:

Enable Cloud IAP: In the Google Cloud Console, navigate to the IAP section and enable IAP for your web application.

Configure OAuth Consent Screen: Set up the OAuth consent screen to manage how users grant access.

Set Up Authentication: Use Google Identity Platform to manage users and enable two-factor authentication.

Add Users: Grant users access to the application by adding their identities in the IAP settings.

References:

Google Cloud: Identity-Aware Proxy

Setting up IAP

External HTTP(S) Load Balancer: Deploy an external HTTP(S) load balancer to manage traffic to your VMs. This load balancer will handle incoming traffic from the internet while the VMs themselves do not have public IP addresses.

Host (VPC) Project Deployment: Deploy the load balancer in the host (VPC) project. This allows for centralized management of network resources and maintains the integrity of your shared VPC configuration.

Backend Configuration: Configure the MIG as the backend for the load balancer. This setup ensures that the VMs can still serve external users while reducing their direct exposure to the internet. This solution provides the required access to external users through the load balancer, enhancing security by not exposing individual VM IP addresses. References:

Google Cloud - External HTTP(S) Load Balancer Overview

Google Cloud - Shared VPC Overview