A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end- user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection.
Which product should be used to meet these requirements?
Correct Answer: B
To satisfy the customer's specific requirement that end-user access be allowed only if traffic originates from a specific known good CIDR, VPC Firewall Rules should be used. VPC Firewall Rules are designed to control network traffic to and from instances based on IP ranges, making them suitable for enforcing CIDR-based access restrictions. Additionally, the GCP native SYN flood protection can be handled by the standard load balancer, which is sufficient as per the customer's acceptance of the risk. Cloud Armor, while providing advanced DDoS protection, is not the most appropriate tool for enforcing CIDR-based access control in this internal application scenario.
A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.
Which two approaches can you take to meet the requirements? (Choose two.)
Correct Answer: AC
To connect to workloads in a dedicated server room from Compute Engine instances within a Google Cloud Platform project while ensuring access only from within the private company network, you can use Cloud VPN and Cloud Interconnect. Cloud VPN allows you to set up a secure, encrypted connection between your Google Cloud project and your on-premises network, ensuring private network connectivity. Cloud Interconnect offers a dedicated, high-performance connection between your Google Cloud project and your on-premises data center, providing low-latency and reliable connectivity for scenarios where high bandwidth and performance are critical.
A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the
ERP systems only accept traffic from Cloud Identity-Aware Proxy.
What should the customer do to meet these requirements?
Correct Answer: A
The correct way to ensure that the ERP system only accepts traffic from Cloud Identity-Aware Proxy (IAP) is to validate the JWT assertion in the HTTP requests. JWT assertions are cryptographically signed tokens that confirm the identity of the sender. By validating these tokens, the ERP system can ensure that the requests have been routed through the Cloud Identity-Aware Proxy, which manages authentication and identity verification. This method provides a robust security layer by preventing unauthorized traffic from reaching the ERP system.
A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs.
What should you do?
Correct Answer: A
To effectively get notified in case the hack re-occurs, the best approach would be to create an Alerting Policy in Stackdriver using a Process Health condition. This involves setting up a threshold to monitor the number of executions of the script, and enabling notifications to alert you when the threshold is breached. This method not only tracks the crucial metric directly associated with the hack but also ensures you receive real-time notifications, thereby enabling quick response to potential threats.
Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?
Correct Answer: A
The requirement is to obtain a unified log view of all development cloud projects under the NONPROD organization folder. Exporting logs to a Cloud Pub/Sub topic with folders/NONPROD as the parent and setting the includeChildren property to True will ensure that logs from all child projects, including development projects, are captured. This approach facilitates a centralized and scalable way to stream logs to your SIEM, ensuring you meet the requirements for a unified log view.