🃏 Security Engineer Flashcards

Q: What is Cloud Armor?

A: WAF and DDoS protection service. Applied at the HTTP(S) load balancer. Supports preconfigured rules, custom rules, and rate limiting.

Q: What is VPC Service Controls?

A: Creates a security perimeter around Google Cloud APIs. Prevents data exfiltration even by authorized users.

Q: What is the difference between CMEK and CSEK?

A: CMEK: you manage keys in Cloud KMS. CSEK: you supply the encryption key with each API call. CMEK is more practical.

Q: What is Cloud DLP?

A: Data Loss Prevention — discovers, classifies, and de-identifies sensitive data (PII, credit cards, SSN) across GCP and SaaS apps.

Q: What is Security Command Center?

A: Central dashboard for security and risk management. Includes vulnerability scanning, threat detection, and compliance monitoring.

Q: What is Assured Workloads?

A: Creates a controlled environment in GCP for specific compliance needs (FedRAMP, ITAR, etc.) with data residency controls.

Q: What are Organization Policies?

A: Constraints applied at the org/folder/project level. Examples: restrict VM external IPs, enforce uniform bucket-level access.

Q: What is Binary Authorization?

A: Deploy-time security control that ensures only trusted container images are deployed to GKE.

Q: What is BeyondCorp Enterprise?

A: Google's zero-trust solution. Access based on identity + device trust + context. No VPN needed.

Q: What is Access Transparency?

A: Logs that show when Google staff access your data for support purposes. Provides visibility and audit trail.