GCP Professional Cloud Security Engineer Practice Question
Your company uses Security Command Center (SCC) Premium and wants an automated control that raises High-severity findings whenever any Cloud Storage bucket in production projects does not have uniform bucket-level access (UBLA) enabled. The policy definition must be version-controlled as code, first tested in a development project, and then rolled out across the entire organization with minimal ongoing maintenance. What should you do?
Enable the built-in Storage Public Access Prevention detector in Security Health Analytics and change its severity to High so it will also report buckets lacking UBLA.
Apply the constraints/storage.publicAccessPrevention=ENFORCED organization policy and rely on Policy Denied audit logs in SCC to identify any production bucket that lacks UBLA.
Configure an Event Threat Detection (ETD) custom rule that inspects Cloud Audit Logs for storage.setIamPermissions calls without UBLA and export these logs to SCC as High-severity findings.
Create a Security Health Analytics custom module defined in a YAML file that uses a CEL expression to flag buckets where uniformBucketLevelAccess is disabled; test it in a development project, then deploy it organization-wide with gcloud scc custom-modules sha create, setting the severity to High.
Security Health Analytics (SHA) in SCC lets you create custom modules that evaluate assets against rules written in YAML and Common Expression Language (CEL). By authoring a custom module whose CEL condition tests resource.data.iamConfiguration.uniformBucketLevelAccess.enabled == false, you can assign a High severity, store the YAML file in source control, validate it in a development project, and then promote it by running gcloud scc custom-modules sha create (or update) at the organization level. SHA automatically scans all current and new buckets and surfaces non-compliant ones as findings.

The other options do not meet requirements:
Event Threat Detection cannot be configured with ad-hoc rules on Cloud Storage configuration; it analyzes security-relevant log events, not resource state.
No built-in SHA detector checks for UBLA, so simply enabling an existing rule and changing severity will not capture this condition.
Enforcing the constraints/storage.publicAccessPrevention organization policy controls a different setting and blocks future misconfigurations but does not generate High-severity SCC findings for existing buckets or allow rule logic to live in source control.
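
The condition described in the explanation can be mirrored offline before the module is deployed. The following is an added example, not code from the page or from Google: it applies the same test to constructed bucket records and treats a missing or non-boolean field as non-compliant. The record layout, bucket names, project IDs and the UBLA_DISABLED category are assumptions made for illustration.

```python
"""Offline mirror of the custom-module condition (illustrative, not Google's code)."""

# Constructed sample records. The nesting follows the path quoted in the explanation:
# resource.data.iamConfiguration.uniformBucketLevelAccess.enabled
SAMPLE_BUCKETS = [
    {"name": "prod-logs", "project": "prod-app-1",
     "resource": {"data": {"iamConfiguration": {
         "uniformBucketLevelAccess": {"enabled": True}}}}},
    {"name": "prod-uploads", "project": "prod-app-1",
     "resource": {"data": {"iamConfiguration": {
         "uniformBucketLevelAccess": {"enabled": False}}}}},
    # Field absent entirely: must count as "not enabled" rather than be skipped.
    {"name": "prod-legacy", "project": "prod-app-2",
     "resource": {"data": {"iamConfiguration": {}}}},
    # Non-compliant, but outside the production scope.
    {"name": "dev-scratch", "project": "dev-sandbox",
     "resource": {"data": {"iamConfiguration": {
         "uniformBucketLevelAccess": {"enabled": False}}}}},
]

PRODUCTION_PROJECTS = {"prod-app-1", "prod-app-2"}  # hypothetical project IDs

UBLA_PATH = ("resource", "data", "iamConfiguration",
             "uniformBucketLevelAccess", "enabled")


def ubla_enabled(record):
    """Return True only when the flag is present and is the boolean True."""
    node = record
    for key in UBLA_PATH:
        if not isinstance(node, dict) or key not in node:
            return False  # fail closed on missing or malformed data
        node = node[key]
    return node is True


def evaluate(records, projects):
    """Return High-severity finding dicts for in-scope buckets without UBLA."""
    return [
        {"bucket": r["name"], "project": r["project"],
         "severity": "HIGH", "category": "UBLA_DISABLED"}
        for r in records
        if r.get("project") in projects and not ubla_enabled(r)
    ]


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_BUCKETS, PRODUCTION_PROJECTS):
        print(finding)
```
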