GCP Professional Cloud Security Engineer Practice Question
Your financial institution operates hundreds of Google Cloud projects under a single organization where Security Command Center (Premium) and Security Health Analytics are already enabled. Compliance now mandates that every Cloud Storage bucket created anywhere in the hierarchy carries a label key named "data-classification." The security team wants to define this control as code, manage it centrally at the organization level, assign a custom severity, and have any violations automatically surface on the Security Command Center Findings page. Which solution best satisfies these requirements while minimizing ongoing operational overhead?
Deploy Forseti Security with Config Validator in a central security project and write a Rego policy that detects buckets missing the label; forward Forseti findings to Pub/Sub and build a Cloud Monitoring dashboard for visibility.
Enable VPC Service Controls for Cloud Storage, add an access level rule that blocks bucket creation without the required label, and alert on Policy Denied audit logs when users attempt to create non-compliant buckets.
Configure a Cloud Asset Inventory feed to BigQuery for all bucket updates, schedule a SQL job that flags unlabeled buckets, and send Pub/Sub notifications that appear on a custom dashboard.
Create a Security Health Analytics custom module in YAML that uses a CEL condition to verify that resource.data.labels["data-classification"] exists, deploy the module at the organization level with gcloud scc custom-modules create, set an appropriate severity, and rely on SHA to generate findings in Security Command Center.
Defining a Security Health Analytics (SHA) custom module in YAML and deploying it at the organization level directly meets every stated requirement. SHA custom modules are written as YAML files that contain one or more CEL-based conditions (for example, checking resource.data.labels["data-classification"] != ""). They can be created at the organization, folder, or project level with gcloud scc custom-modules create, and you can set fields such as severity and recommendation. Once enabled, SHA evaluates all relevant resources continuously and publishes any violations as new findings on the Security Command Center Findings page, giving the security team a single, centralized view without extra infrastructure.
The other options add complexity or fail to meet requirements:
Enforcing access with VPC Service Controls and alerting on Policy Denied logs does not check for labels and does not create SHA findings.
Exporting Cloud Asset Inventory to BigQuery and building queries requires separate data pipelines and dashboards and does not automatically surface results in SCC Findings.
Deploying Forseti with Config Validator adds infrastructure to manage and still needs additional integration to push findings into SCC; it is heavier operationally than using the built-in SHA custom module capability.
GCP Professional Cloud Security Engineer
Managing operations