Pass Professional-Cloud-Security-Engineer Exam Guide

Configure Binary Authorization:

Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on GKE. It uses attestations to verify the authenticity and integrity of the images.

Enable Binary Authorization in your project through the Google Cloud Console or using the gcloud command-line tool.

Define attestation policies that specify which attestors (trusted entities) must sign off on container images before deployment.

Set Up Attestors:

Create and configure attestors that will sign the container images. This involves generating cryptographic keys and setting up trusted authorities.

Attestors can be configured to sign images based on criteria such as vulnerability scanning results, compliance checks, and other security policies.

Create a Custom Organization Policy Constraint:

Define an organization policy constraint that enforces Binary Authorization across your GKE clusters.

This custom constraint ensures that all clusters in the organization must adhere to the Binary Authorization policy, preventing the deployment of unsigned or unauthorized container images.

Implement and Enforce the Policies:

Apply the Binary Authorization policy and the organization policy constraint to your GKE clusters.

Regularly review and update the policies and attestation rules to align with your security and compliance requirements.

References:

Binary Authorization Documentation

Creating Attestors

Organization Policy Constraints

The minimum length for passwords in Cloud Identity can be set to 8 characters. This aligns with common security best practices for password policies, ensuring a basic level of complexity and security.

Step-by-Step:

Access Admin Console: Log in to the Google Admin console.

Navigate to Security Settings: Go to Security > Password Management.

Set Minimum Length: Set the minimum length for passwords to 8 characters.

Save Changes: Save the settings and ensure that all user accounts adhere to the new policy.

References:

Google Cloud Identity Security Settings

Password Policy Best Practices

"Isolate VMs using service accounts when possible" "even though it is possible to uses tags for target filtering in this manner, we recommend that you use service accounts where possible. Target tags are not access-controlled and can be changed by someone with the instanceAdmin role while VMs are in service. Service accounts are access-controlled, meaning that a specific user must be explicitly authorized to use a service account. There can only be one service account per instance, whereas there can be multiple tags. Also, service accounts assigned to a VM can only be changed when the VM is stopped." https://cloud.google.com/solutions/best-practices-vpc-design#isolate-vms-service-accounts

Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module (HSM) system from supported vendors: Cloud EKM allows you to use encryption keys that are managed externally to Google Cloud. This means you can generate and store your keys in an on-premises HSM or another supported external HSM service, and integrate these keys with various Google Cloud services.

Integration with Google Services: Cloud EKM integrates seamlessly with many Google Cloud services, including BigQuery, Cloud Storage, Compute Engine, and more. This provides you with full control over your encryption keys while still taking advantage of Google Cloud's powerful services.

References

Cloud External Key Management (EKM) documentation

External Key Management overview