GCP Professional Cloud Security Engineer Practice Question
Your security team must detect any Cloud Storage buckets across hundreds of projects in your organization that do not have uniform bucket-level access (UBLA) enabled. The built-in Security Health Analytics (SHA) detectors do not cover this control. Security Command Center Premium is already activated at the organization level. What should you do to implement this control in a way that runs automatically and produces findings centrally for all projects?
Set the Organization Policy constraint constraints/storage.uniformBucketLevelAccess to enforced: TRUE; SHA will automatically generate findings when this policy is violated.
In the Security Command Center console, enable the built-in Legacy Storage IAM Binding detector and add a custom condition for UBLA.
Author a Security Health Analytics custom module in YAML that selects the asset type storage.googleapis.com/Bucket and contains a CEL rule flagging buckets where resource.uniformBucketLevelAccess.enabled == false, then deploy the module at the organization level with gcloud scc custom-modules create.
Create an Event Threat Detection custom alert policy that evaluates Cloud Storage bucket metadata with a CEL rule and enable it in each project.
The requirement is to extend Security Health Analytics with organization-specific logic. SHA supports custom modules that you define in YAML. A custom module lets you specify which Cloud Asset Inventory resource types to scan through a resourceSelector (in this case storage.googleapis.com/Bucket) and express compliance logic in a CEL rule (here, resource.uniformBucketLevelAccess.enabled == false). Deploying the module at the organization's custom-module source (for example with gcloud scc custom-modules create --organization [ORG_ID] --config-from-file=ubla.yaml) enables the detector to run during SHA's nightly scan and surface findings in Security Command Center.
The other answers are incorrect because:
Enabling or modifying a legacy SHA detector through the console cannot add a new rule that SHA does not already support.
Event Threat Detection custom modules are unrelated to configuration-drift checks on buckets.
An Organization Policy enforces UBLA but does not create SHA findings unless a detector exists; merely setting the constraint will not satisfy the detection requirement.
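The module definition described in the explanation could look like the following. This is an added example, not part of the original question or of Google's documentation. The severity, description and recommendation values are assumptions, and the expression spells out the Bucket resource's full field path (iamConfiguration.uniformBucketLevelAccess.enabled), which the question abbreviates.

```yaml
# ubla.yaml: Security Health Analytics custom module definition (added example).
# severity, description and recommendation are assumed values chosen for illustration.
severity: MEDIUM
description: "Cloud Storage bucket does not have uniform bucket-level access enabled, so object ACLs can grant access outside IAM."
recommendation: "Enable uniform bucket-level access on the bucket after confirming no workload depends on object ACLs."
resource_selector:
  # Cloud Asset Inventory asset type the module scans.
  resource_types:
  - storage.googleapis.com/Bucket
predicate:
  # A finding is produced for each bucket where this CEL expression is true.
  # Full field path from the Bucket resource's iamConfiguration block;
  # the question text writes it in shortened form.
  expression: resource.iamConfiguration.uniformBucketLevelAccess.enabled == false
```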
GCP Professional Cloud Security Engineer
Managing operations