GCP Professional Cloud Security Engineer Practice Question
Your organization uses Security Command Center (SCC) Premium. Compliance requires that any Cloud Storage bucket in production projects be flagged in Security Health Analytics (SHA) if its IAM policy grants objectViewer or objectReader access to either "allUsers" or "allAuthenticatedUsers." You need an automated, code-reviewable solution that generates a SHA finding whenever such a bucket exists. Which approach satisfies these requirements?
Enable the organization policy constraint constraints/storage.publicAccessPreventionEnforced and rely on SCC to automatically raise SHA findings when the constraint is violated.
Deploy Policy Controller with an OPA Gatekeeper constraint that denies any bucket whose IAM policy contains allUsers or allAuthenticatedUsers, and store the constraint template YAML in the Git repository.
Create a custom Event Threat Detection rule that filters Cloud Audit Logs for storage.buckets.setIamPolicy calls granting public access and send alerts to the security team.
Commit a YAML file defining a Security Health Analytics custom module with a resourceSelector of storage.googleapis.com/Bucket and a CEL predicate that checks the bucket's IAM bindings for allUsers or allAuthenticatedUsers; deploy it organization-wide with gcloud scc custom-modules create.
Security Health Analytics custom modules are written as YAML that is stored in source control and applied with the gcloud scc custom-modules commands (or API). The YAML must include:
name / displayName / severity
resourceSelector listing the Google Cloud resource types to evaluate (storage.googleapis.com/Bucket for Cloud Storage)
customConfig.predicate containing a CEL expression that returns true when a resource is non-compliant. A correct predicate could be:

resource.iamPolicy.bindings.exists(b, (b.role.startsWith("roles/storage.objectViewer") || b.role.startsWith("roles/storage.legacyObjectReader")) && b.members.exists(m, m=="allUsers" || m=="allAuthenticatedUsers"))

Deploying this module at the organization level causes SHA to evaluate all buckets in production projects and create findings when the predicate is true.
The other options either rely on Event Threat Detection (which does not support custom rules), assume organization policy automatically produces SHA findings, or use Policy Controller (which blocks deployments rather than creating SHA findings).
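Because the module YAML lives in source control, the predicate logic can be unit-tested in the same repository before deployment. The following is an added example, not code from the original page or from Google: a plain-Python mirror of the CEL predicate above, run over constructed bucket IAM policies so you can see which bindings would and would not produce a finding.

```python
# Added example: offline approximation of the SHA custom-module CEL predicate
#   bindings.exists(b, <reader role prefix> && members.exists(m, <public principal>))
# This is NOT the SHA evaluation engine; it only lets the binding logic be tested locally.

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Role prefixes the predicate treats as read access to objects (same two as the CEL).
READER_ROLE_PREFIXES = ("roles/storage.objectViewer", "roles/storage.legacyObjectReader")


def public_reader_bindings(iam_policy: dict) -> list:
    """Return the bindings that would make the CEL predicate evaluate to true.

    iam_policy uses the shape of a Cloud Storage IAM policy:
    {"bindings": [{"role": "...", "members": ["..."]}, ...]}
    """
    hits = []
    for b in iam_policy.get("bindings", []):
        role = b.get("role", "")
        public = set(b.get("members", [])) & PUBLIC_MEMBERS
        if role.startswith(READER_ROLE_PREFIXES) and public:
            hits.append({"role": role, "members": sorted(public)})
    return hits


def is_non_compliant(iam_policy: dict) -> bool:
    """True exactly when the predicate would raise a SHA finding for this bucket."""
    return bool(public_reader_bindings(iam_policy))


# Constructed sample policies (hypothetical buckets, not real data).
PUBLIC_BUCKET = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["group:sec@example.com"]},
]}
AUTH_USERS_BUCKET = {"bindings": [
    {"role": "roles/storage.legacyObjectReader", "members": ["allAuthenticatedUsers"]},
]}
PRIVATE_BUCKET = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["user:alice@example.com"]},
    # Public principal but a write-only role: outside what this module checks.
    {"role": "roles/storage.objectCreator", "members": ["allUsers"]},
]}

if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_BUCKET), ("auth", AUTH_USERS_BUCKET), ("private", PRIVATE_BUCKET)]:
        print(name, is_non_compliant(policy), public_reader_bindings(policy))
```

Note that the objectCreator binding in PRIVATE_BUCKET is still a public grant; it simply falls outside the roles this particular predicate covers, which is the kind of gap such a local test makes visible.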