Security and Identity Flashcards

1
Q

What is Secret Manager?

A

Secret Manager is a service that stores and manages confidential data like API keys & certificates.

2
Q

What is Cloud KMS?

A

Cloud KMS (Key Management Service) is a service that manages cryptographic keys (asymmetric and symmetric) and controls their use in applications and GCP services.

It integrates with most GCP services that use data encryption.

3
Q

What is asymmetric Key Encryption?

A

Using two different keys: one to encrypt data and another to decrypt it.

A private key (kept safe by the application/owner) is used to decrypt the data.

A public key (given to anyone who needs it) is used to encrypt the data.

4
Q

What is symmetric Key Encryption?

A

Using the same single key to both encrypt and decrypt data.

5
Q

What are the four kinds of key management in Cloud KMS?

A

Google-managed: Created and managed by Google. No config required.

Customer-Managed: Created and managed by you.

Customer-Provided: Import an existing key to manage in Cloud KMS.

Externally-managed key: A key that is stored in an external key manager.

6
Q

What is a keyring?

A

A keyring is a store for Cloud KMS keys within a Google Cloud location. Keyrings are used to group and organise keys and to control access to groups of keys.

You can’t create a key without a keyring.

7
Q

What are the two protection levels for keys?

A

Software & Hardware.

8
Q

What is the difference between the two protection levels for keys?

A

Hardware-level keys use hardware security modules (HSMs) for encryption.

Software-level keys are generated with software.

9
Q

What are the three purposes you can assign to a key in Cloud KMS?

A

Symmetric encryption/decryption (only for symmetric keys).

Asymmetric signing (only for asymmetric keys).

Asymmetric decryption (only for asymmetric keys).

10
Q

What are the steps to use Secret Manager?

A
  1. Enable the API (once per project).
  2. Assign the Secret Manager Admin role on the project, folder, or organization.
  3. Authenticate to Secret Manager.
11
Q

How can you authenticate to the Secret Manager?

A

If using client libraries, by setting up Application Default Credentials.

If using the Google Cloud CLI, by using Google Cloud CLI credentials.

If using a REST call, either of the above two.

12
Q

How do you rotate secrets in Secret Manager?

A

There’s no fully automatic way of rotating secrets in Secret Manager.

You must run a gcloud CLI command to define the rotation schedule and which Pub/Sub topic(s) will receive the SECRET_ROTATE message. Every subscriber to the topic must then handle the message itself and perform the actual rotation.

13
Q

How do you rotate keys in Cloud KMS?

A

To automatically rotate a key, you can specify a key rotation period and start date, either during or after key creation.

To manually rotate a key, navigate to the key you want to rotate and click the rotate button.

14
Q

Can you automatically expire secrets?

A

Yes, but expiry is instant and without warning, which may lead to important data being deleted without a backup.

15
Q

Can you automatically rotate asymmetric keys in Cloud KMS?

A

No. Google Cloud doesn’t support it.

16
Q

How do you rotate externally-managed keys in Cloud KMS?

A

If the key is externally coordinated, you can create a new version to rotate the key (and set it as the primary version if the key is symmetric).

If it isn’t, you update the key’s key path (for keys managed via VPC) or URI (for keys managed via the internet) and then confirm the changes.

17
Q

What is Artifact Analysis?

A

Artifact Analysis is a family of services that provide software composition analysis, metadata storage and metadata retrieval.

Source - https://cloud.google.com/artifact-analysis/docs/artifact-analysis

18
Q

What are the prerequisites to rotate a key?

A

To rotate a key, you must have the Cloud KMS Admin and Cloud KMS CryptoKey Encrypter/Decrypter roles, or a role with those permissions.

19
Q

What are the services within Artifact Analysis?

A

Automatic scanning

GKE workload vulnerability scanning - standard tier

On-Demand scanning

Access metadata

Source - https://cloud.google.com/artifact-analysis/docs/artifact-analysis

20
Q

What is Automatic Scanning in Artifact Analysis?

A

A vulnerability scan that is triggered automatically every time a new image is pushed to Artifact Registry.

Artifact Registry includes application language package scanning.

To use it, you need to enable it first.

Source - https://cloud.google.com/artifact-analysis/docs/artifact-analysis

21
Q

What is GKE workload vulnerability scanning - standard tier?

A

GKE workload vulnerability scanning is a service that provides detection of container image OS vulnerabilities.

Scanning is free and can be enabled per cluster.

Source - https://cloud.google.com/artifact-analysis/docs/artifact-analysis

22
Q

What is On-Demand scanning?

A

On-Demand scanning is a manually started vulnerability scan that lets you scan local images (though it can also scan online images).

Scan results are available up to 48 hours after the scan is completed. The vulnerability information is not updated after the scan is finished.

Source - https://cloud.google.com/artifact-analysis/docs/artifact-analysis

23
Q

What is the Access Metadata offering in Artifact Analysis?

A

A Google Cloud infrastructure component that enables you to store and retrieve structured metadata for Google Cloud resources.

Source - https://cloud.google.com/artifact-analysis/docs/artifact-analysis

24
Q

What is Identity Aware Proxy?

A

Identity-Aware Proxy (IAP) is a service that blocks requests from non-authenticated users.

It can be used with many Google Cloud offerings such as App Engine, Cloud Run and GKE.

25
Q

What is IAM?

A

Identity & Access Management (IAM) provides administrators the ability to manage cloud resources centrally by controlling who can take what action on specific.

26
Q

What is Resource Manager API?

A

The Resource Manager API allows you to programmatically manage Google Cloud Platform container resources (such as Organizations and Projects), which let you group and hierarchically organize other Google Cloud Platform resources.

This hierarchical organization makes it easy to manage common aspects of project resources such as access control and configuration settings.

Source - https://cloud.google.com/terms/services

27
Q

What is Cloud Armor?

A

Cloud Armor is a managed security service that helps you protect your Google Cloud deployments from multiple types of threats, including distributed denial-of-service (DDoS) attacks and application attacks like cross-site scripting (XSS) and SQL injection (SQLi).

Source - https://cloud.google.com/armor/docs/cloud-armor-overview