PCSE Ensuring data protection • Complete Question Bank
Complete PCSE Ensuring data protection question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.
```
gcloud kms encrypt \
  --location=global \
  --keyring=my-keyring \
  --key=my-key \
  --plaintext-file=secret.txt \
  --ciphertext-file=secret.enc
```
Refer to the exhibit.
```
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:alice@example.com",
        "user:bob@example.com"
      ]
    },
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "user:alice@example.com"
      ]
    }
  ]
}
```

```
Resource: bucket 'my-data-bucket'
IAM policy:
  - role: roles/storage.objectViewer
    members:
      - user:alice@example.com
      - domain:example.com
  - role: roles/storage.legacyBucketReader
    members:
      - allUsers
Uniform bucket-level access: disabled
ACLs:
  - entity: allUsers
    role: READER
```

```
IAM policy for project my-project:
bindings:
  - members:
      - user:alice@example.com
      - serviceAccount:sa-1@my-project.iam.gserviceaccount.com
    role: roles/storage.objectViewer
    condition:
      expression: resource.name.startsWith("projects/_/buckets/bucket1/objects/reports/")
  - members:
      - user:bob@example.com
    role: roles/storage.objectAdmin
  - members:
      - user:bob@example.com
    role: roles/compute.admin
  - members:
      - serviceAccount:sa-1@my-project.iam.gserviceaccount.com
    role: roles/iam.workloadIdentityUser
  - members:
      - serviceAccount:my-project@appspot.gserviceaccount.com
    role: roles/storage.objectAdmin
```

Your company runs a data analytics platform on Google Cloud that processes sensitive financial data. Data is ingested from various sources into a Cloud Storage bucket, then processed by Dataflow jobs, and final results are stored in BigQuery. You have implemented the following security controls:
- VPC Service Controls perimeter around the project
- Cloud KMS CMEK for all storage services
- IAM conditions restricting access based on tags
- Cloud Audit Logs enabled for all services
Recently, an auditor discovered that a compromised service account was able to read data from the Cloud Storage bucket even though it was outside the VPC Service Controls perimeter. The auditor reviewed the logs and found that the access came from a Compute Engine instance that was running within the same project. What is the most likely reason the VPC Service Controls perimeter did not block this access?
Log4j remote code execution vulnerability
Heartbleed OpenSSL vulnerability
Apache Struts2 remote code execution
Windows CryptoAPI spoofing vulnerability
BlueKeep RDP remote code execution

Identity and Access Management for resource-level permissions
Constraints applied at the organization node
Service perimeters to prevent data exfiltration
Network-level allow/deny rules for VMs
Identity-Aware Proxy for application-level access
```
gsutil iam get gs://my-bucket
```
Output:
```
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:alice@example.com",
        "domain:example.com"
      ]
    },
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "serviceAccount:sa@project.iam.gserviceaccount.com"
      ]
    }
  ],
  "etag": "B=XYZ"
}
```

```
{
  "bindings": [
    {
      "role": "roles/bigquery.dataViewer",
      "members": [
        "user:analyst@example.com"
      ]
    },
    {
      "role": "roles/bigquery.dataOwner",
      "members": [
        "group:data-team@example.com"
      ]
    }
  ],
  "etag": "ABC"
}
```

```
{
  "bindings": [
    {
      "role": "roles/cloudkms.cryptoKeyEncrypter",
      "members": [
        "serviceAccount:my-sa@project.iam.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/cloudkms.cryptoKeyDecrypter",
      "members": [
        "user:alice@example.com"
      ]
    }
  ]
}
```

```
gsutil ls -L gs://my-secure-bucket | grep -E 'Kind|Encryption|Versioning'
{
  "kind": "storage#bucket",
  "encryption": {
    "defaultKmsKeyName": "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key"
  },
  "versioning": {
    "enabled": true
  }
}
```

```
$ gcloud storage buckets describe gs://my-bucket --format="json" | jq .encryption
{
  "defaultKmsKeyName": "projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key"
}
```

```
{
  "name": "projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key",
  "primary": {
    "name": "projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key/cryptoKeyVersions/2",
    "state": "ENABLED",
    "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
    "protectionLevel": "HSM",
    "attestation": {
      "certChains": [...]
    }
  },
  "versionTemplate": {
    "protectionLevel": "HSM",
    "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"
  }
}
```

```
{
  "protoPayload": {
    "methodName": "CloudKms.Decrypt",
    "resourceName": "projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key/cryptoKeyVersions/3",
    "authenticationInfo": {
      "principalEmail": "service-account@project.iam.gserviceaccount.com"
    },
    "metadata": {
      "key": {
        "key_kms_keypath": "projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key"
      },
      "decrypt_result": {
        "success": true
      }
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "cloudkms.googleapis.com",
      "method": "Decrypt"
    }
  }
}
```

Refer to the exhibit.
```
{
  "bindings": [
    {
      "role": "roles/storage.objectAdmin",
      "members": ["user:alice@example.com"],
      "condition": {
        "title": "restrict_to_uploads",
        "expression": "resource.name.startsWith('projects/_/buckets/my-bucket/objects/uploads/')"
      }
    }
  ]
}
```