Download Professional Cloud Security Engineer Study Questions To Pass Google Cloud Certified - Professional Cloud Security Engineer

Download Professional Cloud Security Engineer Study Questions To Pass Google Cloud Certified – Professional Cloud Security Engineer

Jonnie Karnath2023-04-23T13:25:53+00:00

To pass the Google Cloud Certified – Professional Cloud Security Engineer exam, candidates need to have a deep understanding of these topics and be able to apply their knowledge to real-world scenarios. Our Professional Cloud Security Engineer study questions will help you develop a strong understanding of the exam’s content and format, giving you the confidence you need to tackle any question that comes your way. Our Professional Cloud Security Engineer study questions will help you identify any knowledge gaps or weak areas in your exam preparation, so you can focus your study efforts on the areas that need improvement. By using our Professional Cloud Security Engineer study questions, you will be fully prepared to pass the exam with flying colors and achieve your certification goals.

Page 1 of 7

1. Your team wants to limit users with administrative privileges at the organization level.

Which two roles should your team restrict? (Choose two.)

Organization Administrator

Super Admin

GKE Cluster Admin

Compute Admin

Organization Role Viewer

2. A customer terminates an engineer and needs to make sure the engineer's Google account is automatically deprovisioned.

What should the customer do?

Use the Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity.

Use the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity.

Configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity.

Configure Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity.

3. You want to use the gcloud command-line tool to authenticate using a third-party single sign-on (SSO) SAML identity provider.

Which options are necessary to ensure that authentication is supported by the third-party identity provider (IdP)? (Choose two.)

SSO SAML as a third-party IdP

Identity Platform

OpenID Connect

Identity-Aware Proxy

Cloud Identity

4. Users are reporting an outage on your public-facing application that is hosted on Compute Engine. You suspect that a recent change to your firewall rules is responsible. You need to test whether your firewall rules are working properly.

What should you do?

Enable Firewall Rules Logging on the latest rules that were changed. Use Logs Explorer to analyze whether the rules are working correctly.

Connect to a bastion host in your VP

Use a network traffic analyzer to determine at which point your requests are being blocked.

In a pre-production environment, disable all firewall rules individually to determine which one is blocking user traffic.

Enable VPC Flow Logs in your VP

Use Logs Explorer to analyze whether the rules are working correctly.

5. Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service. Your team wants to manage permissions by AD group membership.

What should your team do to meet these requirements?

Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.

Set up SAML 2.0 Single Sign-On (SSO), and assign IAM permissions to the groups.

Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory.

Use the Admin SDK to create groups and assign IAM permissions from Active Directory.

6. Your company operates an application instance group that is currently deployed behind a Google Cloud load balancer in us-central-1 and is configured to use the Standard Tier network. The infrastructure team wants to expand to a second Google Cloud region, us-east-2. You need to set up a single external IP address to distribute new requests to the instance groups in both regions.

What should you do?

Change the load balancer backend configuration to use network endpoint groups instead of instance groups.

Change the load balancer frontend configuration to use the Premium Tier network, and add the new instance group.

Create a new load balancer in us-east-2 using the Standard Tier network, and assign a static external IP address.

Create a Cloud VPN connection between the two regions, and enable Google Private Access.

7. You are in charge of creating a new Google Cloud organization for your company.

Which two actions should you take when creating the super administrator accounts? (Choose two.)

Create an access level in the Google Admin console to prevent super admin from logging in to Google Cloud.

Disable any Identity and Access Management (1AM) roles for super admin at the organization level in the Google Cloud Console.

Use a physical token to secure the super admin credentials with multi-factor authentication (MFA).

Use a private connection to create the super admin accounts to avoid sending your credentials over the Internet.

Provide non-privileged identities to the super admin users for their day-to-day activities.

8. A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities.

Which service should be used to accomplish this?

Cloud Armor

Google Cloud Audit Logs

Cloud Security Scanner

Forseti Security

9. Validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery.

10. You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project.

What should you do?

Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.

Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.

In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.

In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.

Page 2 of 7

11. You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your Google Cloud VPCs based on packet header information. However, you want the capability to explore network flows and their payload to aid investigations.

Which Google Cloud product should you use?

Marketplace IDS

VPC Flow Logs

VPC Service Controls logs

Packet Mirroring

Google Cloud Armor Deep Packet Inspection

12. You manage your organization’s Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your VPCs based on network logs. However, you want to explore your environment using network payloads and headers.

Which Google Cloud product should you use?

Cloud IDS

VPC Service Controls logs

VPC Flow Logs

Google Cloud Armor

Packet Mirroring

13. You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.

What should you do?

Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DE

Store both the encrypted data and the encrypted DE

Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DE

Store both the encrypted data and the KE

Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DE

Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KE

14. A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer’s internal compliance requirements dictate that end-user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP’s native SYN flood protection.

Which product should be used to meet these requirements?

Cloud Armor

VPC Firewall Rules

Cloud Identity and Access Management

Cloud CDN

15. A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can only be accessed by someone on the corporate network. The customer wants to make it available over the internet. Your team requires an authentication layer in front of the application that supports two-factor authentication

Which GCP product should the customer implement to meet these requirements?

Cloud Identity-Aware Proxy

Cloud Armor

Cloud Endpoints

Cloud VPN

16. A company migrated their entire data/center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time.

What should you do?

Use Resource Manager on the organization level.

Use Forseti Security to automate inventory snapshots.

Use Stackdriver to create a dashboard across all projects.

Use Security Command Center to view all assets across the organization.

17. A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery

What should you do?

Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.

Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.

Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.

Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.

18. You have an application where the frontend is deployed on a managed instance group in subnet A and the data layer is stored on a mysql Compute Engine virtual machine (VM) in subnet B on the same VPC. Subnet A and Subnet B hold several other Compute Engine VMs. You only want to allow thee application frontend to access the data in the application's mysql instance on port 3306.

What should you do?

Configure an ingress firewall rule that allows communication from the src IP range of subnet A to the tag "data-tag" that is applied to the mysql Compute Engine VM on port 3306.

Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306.

Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet

Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged fe-tag.

Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet

Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.

19. You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application's backend.

What are two requirements for using Google Cloud Armor security policies? (Choose two.)

The load balancer must be an external SSL proxy load balancer.

Google Cloud Armor Policy rules can only match on Layer 7 (L7) attributes.

The load balancer must use the Premium Network Service Tier.

The backend service's load balancing scheme must be EXTERNA

The load balancer must be an external HTTP(S) load balancer.

20. You are using Security Command Center (SCC) to protect your workloads and receive alerts for suspected security breaches at your company. You need to detect cryptocurrency mining software.

Which SCC service should you use?

Container Threat Detection

Web Security Scanner

Rapid Vulnerability Detection

Virtual Machine Threat Detection

Page 3 of 7

21. For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on “in- scope” Nodes only. These Nodes can only contain the “in-scope” Pods.

How should the organization achieve this objective?

Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.

Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.

Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.

Run all in-scope Pods in the namespace “in-scope-pci”.

22. Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket.

Your team has the following requirements:

✑ The Cloud Storage bucket in Project A can only be readable from Project B.

✑ The Cloud Storage bucket in Project A cannot be accessed from outside the network.

✑ Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket.

What should the security team do?

Enable domain restricted sharing in an organization policy, and enable uniform bucket-level access on the Cloud Storage bucket.

Enable VPC Service Controls, create a perimeter around Projects A and

and include the Cloud Storage API in the Service Perimeter configuration.

Enable Private Access in both Project A and B's networks with strict firewall rules that allow communication between the networks.

Enable VPC Peering between Project A and B's networks with strict firewall rules that allow communication between the networks.

23. A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.

What should they do?

Use Cloud Build to build the container images.

Build small containers using small base images.

Delete non-used versions from Container Registry.

Use a Continuous Delivery tool to deploy the application.

24. Which Identity-Aware Proxy role should you grant to an Identity and Access Management (IAM) user to access HTTPS resources?

Security Reviewer

lAP-Secured Tunnel User

lAP-Secured Web App User

Service Broker Operator

25. Configure private access using the restricted.googleapis.com domains in on-premises DNS configurations.

26. You need to create a VPC that enables your security team to control network resources such as firewall rules.

How should you configure the network to allow for separation of duties for network resources?

Set up multiple VPC networks, and set up multi-NIC virtual appliances to connect the networks.

Set up VPC Network Peering, and allow developers to peer their network with a Shared VP

Set up a VPC in a project. Assign the Compute Network Admin role to the security team, and assign the Compute Admin role to the developers.

Set up a Shared VPC where the security team manages the firewall rules, and share the network with developers via service projects.

27. Which two implied firewall rules are defined on a VPC network? (Choose two.)

A rule that allows all outbound connections

A rule that denies all inbound connections

A rule that blocks all inbound port 25 connections

A rule that blocks all outbound connections

A rule that allows all inbound port 80 connections

28. You are a Security Administrator at your organization. You need to restrict service account creation capability within production environments. You want to accomplish this centrally across the organization.

What should you do?

Use Identity and Access Management (IAM) to restrict access of all users and service accounts that have access to the production environment.

Use organization policy constraints/iam.disableServiceAccountKeyCreation boolean to disable the creation of new service accounts.

Use organization policy constraints/iam.disableServiceAccountKeyUpload boolean to disable the creation of new service accounts.

Use organization policy constraints/iam.disableServiceAccountCreation boolean to disable the creation of new service accounts.

29. A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to manage and rotate the encryption keys.

Which boot disk encryption solution should you use on the cluster to meet this customer’s requirements?

Customer-supplied encryption keys (CSEK)

Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)

Encryption by default

Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis

30. You will create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.

What should you do?

Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.

Create a custom role with the permission compute.instances.list and grant the Service Account this role.

Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.

Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.

Page 4 of 7

31. You are auditing all your Google Cloud resources in the production project. You want to identity all principals who can change firewall rules.

What should you do?

Use Policy Analyzer lo query the permissions compute, firewalls, create of compute, firewalls. Create of compute,firewalls.delete.

Reference the Security Health Analytics - Firewall Vulnerability Findings in the Security Command Center.

Use Policy Analyzer to query the permissions compute, firewalls, get of compute, firewalls, list.

Use Firewall Insights to understand your firewall rules usage patterns.

32. You are onboarding new users into Cloud Identity and discover that some users have created consumer user accounts using the corporate domain name.

How should you manage these consumer user accounts with Cloud Identity?

Use Google Cloud Directory Sync to convert the unmanaged user accounts.

Create a new managed user account for each consumer user account.

Use the transfer tool for unmanaged user accounts.

Configure single sign-on using a customer's third-party provider.

33. You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.

How should you prevent and fix this vulnerability?

Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.

Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

34. Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization.

How should you enforce this?

Configure Secret Manager to manage service account keys.

Enable an organization policy to disable service accounts from being created.

Enable an organization policy to prevent service account keys from being created.

Remove the iam.serviceAccounts.getAccessToken permission from users.

35. A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.

Which two strategies should your team use to meet these requirements? (Choose two.)

Configure Private Google Access on the Compute Engine subnet

Avoid assigning public IP addresses to the Compute Engine cluster.

Make sure that the Compute Engine cluster is running on a separate subnet.

Turn off IP forwarding on the Compute Engine instances in the cluster.

Configure a Cloud NAT gateway.

36. You want to prevent users from accidentally deleting a Shared VPC host project.

Which organization-level policy constraint should you enable?

compute.restrictSharedVpcHostProjects

compute.restrictXpnProjectLienRemoval

compute.restrictSharedVpcSubnetworks

compute.sharedReservationsOwnerProjects

37. Your organization s customers must scan and upload the contract and their driver license into a web portal in Cloud Storage. You must remove all personally identifiable information (Pll) from files that are older than 12 months. Also you must archive the anonymized files for retention purposes.

What should you do?

Set a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PH and moves the files to the archive storage class.

Create a Cloud Data Loss Prevention (DLP) inspection job that de-identifies Pll in files created more than 12 months ago and archives them to another Cloud Storage bucket. Delete the original files.

Schedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys of the Cloud Storage files containing Pll to de-identify them Delete the original keys.

Configure the Autoclass feature of the Cloud Storage bucket to de-identify Pll Archive the files that are older than 12 months Delete the original files.

38. Your organization recently activated the Security Command Center {SCO standard tier. There are a few Cloud Storage buckets that were accidentally made accessible to the public. You need to investigate the impact of the incident and remediate it.

What should you do?

• 1 Remove the Identity and Access Management (IAM) granting access to allusers from the buckets • 2 Apply the organization policy storage. unifromBucketLevelAccess to prevent regressions • 3 Query the data access logs to report on unauthorized access

• 1 Change bucket permissions to limit access • 2 Query the data access audit logs for any unauthorized access to the buckets • 3 After the misconfiguration is corrected mute the finding in the Security Command Center

• 1 Change permissions to limit access for authorized users • 2 Enforce a VPC Service Controls perimeter around all the production projects to immediately stop any unauthorized access • 3 Review the administrator activity audit logs to report on any unauthorized access

• 1 Change the bucket permissions to limit access • 2 Query the buckets usage logs to report on unauthorized access to the data • 3 Enforce the organization policy storage.publicAccessPrevention to avoid regressions

39. A company’s application is deployed with a user-managed Service Account key. You want to use Google- recommended practices to rotate the key.

What should you do?

Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate--iam-account=IAM_ACCOUN

Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam-account=IAM_ACCOUNT --key=NEW_KE

Create a new key, and use the new key in the application. Delete the old key from the Service Account.

Create a new key, and use the new key in the application. Store the old key on the system as a backup key.

40. A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.

What should you do?

Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.

Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a job trigger using the Cloud Data Loss Prevention AP

Configure the trigger to delete any files from the shared bucket that contain PI

On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PI

On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.

Page 5 of 7

41. A manager wants to start retaining security event logs for 2 years while minimizing costs.

You write a filter to select the appropriate log entries.

Where should you export the logs?

BigQuery datasets

Cloud Storage buckets

StackDriver logging

Cloud Pub/Sub topics

42. Your organization is rolling out a new continuous integration and delivery (CI/CD) process to deploy infrastructure and applications in Google Cloud Many teams will use their own instances of the CI/CD workflow It will run on Google Kubernetes Engine (GKE) The CI/CD pipelines must be designed to securely access Google Cloud APIs

What should you do?

• 1 Create a dedicated service account for the CI/CD pipelines • 2 Run the deployment pipelines in a dedicated nodes pool in the GKE cluster • 3 Use the service account that you created as identity for the nodes in the pool to authenticate to the Google Cloud APIs

• 1 Create service accounts for each deployment pipeline • 2 Generate private keys for the service accounts • 3 Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deploy pipeline

* 1 Create individual service accounts (or each deployment pipeline • 2 Add an identifier for the pipeline in the service account naming convention • 3 Ensure each pipeline runs on dedicated pods • 4 Use workload identity to map a deployment pipeline pod with a service account

• 1 Create two service accounts one for the infrastructure and one for the application deployment • 2 Use workload identities to let the pods run the two pipelines and authenticate with the service accounts • 3 Run the infrastructure and application pipelines in separate namespaces

43. You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources.

Your export must meet the following requirements:

- Export related logs for all projects in the Google Cloud organization.

- Export logs in near real-time to an external SIEM.

What should you do? (Choose two.)

Create a Log Sink at the organization level with a Pub/Sub destination.

Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.

Enable Data Access audit logs at the organization level to apply to all projects.

Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.

Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.

44. As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.

Which cost reduction options should you recommend?

Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.

Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.

Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.

Use FindingLimits and TimespanContfig to sample data and minimize transformation units.

45. Your company requires the security and network engineering teams to identify all network anomalies and be able to capture payloads within VPCs.

Which method should you use?

Define an organization policy constraint.

Configure packet mirroring policies.

Enable VPC Flow Logs on the subnet.

Monitor and analyze Cloud Audit Logs.

46. You need to enforce a security policy in your Google Cloud organization that prevents users from exposing objects in their buckets externally. There are currently no buckets in your organization.

Which solution should you implement proactively to achieve this goal with the least operational overhead?

Create an hourly cron job to run a Cloud Function that finds public buckets and makes them private.

Enable the constraints/storage.publicAccessPrevention constraint at the organization level.

Enable the constraints/storage.uniformBucketLevelAccess constraint at the organization level.

Create a VPC Service Controls perimeter that protects the storage.googleapis.com service in your projects that contains buckets. Add any new project that contains a bucket to the perimeter.

47. Your security team uses encryption keys to ensure confidentiality of user data. You want to establish a process to reduce the impact of a potentially compromised symmetric encryption key in Cloud Key Management Service (Cloud KMS).

Which steps should your team take before an incident occurs? (Choose two.)

Disable and revoke access to compromised keys.

Enable automatic key version rotation on a regular schedule.

Manually rotate key versions on an ad hoc schedule.

Limit the number of messages encrypted with each key version.

Disable the Cloud KMS AP

48. Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.

What should your team grant to Engineering Group A to meet this requirement?

Compute Network User Role at the host project level.

Compute Network User Role at the subnet level.

Compute Shared VPC Admin Role at the host project level.

Compute Shared VPC Admin Role at the service project level.

49. An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organization’s risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibility model between the organization and Google Cloud.

What solution would help meet the requirements?

Ensure that firewall rules are in place to meet the required controls.

Set up Cloud Armor to ensure that network security controls can be managed for G Suite.

Network security is a built-in solution and Google’s Cloud responsibility for SaaS products like G Suite.

Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation.

50. You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.

What should you do?

Use multi-factor authentication for admin access to the web application.

Use only applications certified compliant with PA-DS

Move the cardholder data environment into a separate GCP project.

Use VPN for all connections between your office and cloud environments.

Page 6 of 7

51. Your company’s new CEO recently sold two of the company’s divisions. Your Director asks you to help migrate the Google Cloud projects associated with those divisions to a new organization node.

Which preparation steps are necessary before this migration occurs? (Choose two.)

Remove all project-level custom Identity and Access Management (1AM) roles.

Disallow inheritance of organization policies.

Identify inherited Identity and Access Management (1AM) roles on projects to be migrated.

Create a new folder for all projects to be migrated.

Remove the specific migration projects from any VPC Service Controls perimeters and bridges.

52. After completing a security vulnerability assessment, you learned that cloud administrators leave Google Cloud CLI sessions open for days. You need to reduce the risk of attackers who might exploit these open sessions by setting these sessions to the minimum duration.

What should you do?

Set the session duration for the Google session control to one hour.

Set the reauthentication frequency (or the Google Cloud Session Control to one hour.

Set the organization policy constraint constraints/iam.allowServiceAccountCredentialLifetimeExtension to one hour.

Set the organization policy constraint constraints/iam. serviceAccountKeyExpiryHours to one hour and inheritFromParent to false.

53. You are exporting application logs to Cloud Storage. You encounter an error message that the log sinks don't support uniform bucket-level access policies.

How should you resolve this error?

Change the access control model for the bucket

Update your sink with the correct bucket destination.

Add the roles/logging.logWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.

Add the roles/logging.bucketWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.

54. When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)

Ensure that the app does not run as PID 1.

Package a single app as a container.

Remove any unnecessary tools not needed by the app.

Use public container images as a base image for the app.

Use many container image layers to hide sensitive information.

55. Your organization is transitioning to Google Cloud You want to ensure that only trusted container images are deployed on Google Kubernetes Engine (GKE) clusters in a project. The containers must be deployed from a centrally managed. Container Registry and signed by a trusted authority.

What should you do? Choose 2 answers

Configure the Binary Authorization policy with respective attestations for the project.

Create a custom organization policy constraint to enforce Binary Authorization for Google Kubernetes Engine (GKE).

Enable Container Threat Detection in the Security Command Center (SCC) for the project.

Configure the trusted image organization policy constraint for the project.

Enable Pod Security standards and set them to Restricted.

56. You want to update your existing VPC Service Controls perimeter with a new access level. You need to avoid breaking the existing perimeter with this change, and ensure the least disruptions to users while minimizing overhead.

What should you do?

Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.

Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration. Update the perimeter configuration after the access level has been vetted.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.

57. You want to evaluate GCP for PCI compliance. You need to identify Google’s inherent controls.

Which document should you review to find the information?

Google Cloud Platform: Customer Responsibility Matrix

PCI DSS Requirements and Security Assessment Procedures

PCI SSC Cloud Computing Guidelines

Product documentation for Compute Engine

58. You are a consultant for an organization that is considering migrating their data from its private cloud to Google Cloud. The organization’s compliance team is not familiar with Google Cloud and needs guidance on how compliance requirements will be met on Google Cloud. One specific compliance requirement is for customer data at rest to reside within specific geographic boundaries.

Which option should you recommend for the organization to meet their data residency requirements on Google Cloud?

Organization Policy Service constraints

Shielded VM instances

Access control lists

Geolocation access controls

Google Cloud Armor

59. An organization’s typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review.

How should you advise this organization?

Use Forseti with Firewall filters to catch any unwanted configurations in production.

Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.

Route all VPC traffic through customer-managed routers to detect malicious patterns in production.

All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.

60. Your organization has implemented synchronization and SAML federation between Cloud Identity and Microsoft Active Directory. You want to reduce the risk of Google Cloud user accounts being compromised.

What should you do?

Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with security keys in the Google Admin console.

Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with verification codes via text or phone call in the Google Admin console.

Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with security keys in the Google Admin console.

Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with verification codes via text or phone call in the Google Admin console.

Page 7 of 7

61. Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application.

The solution has the following requirements:

- Scans must run at least once per week

- Must be able to detect cross-site scripting vulnerabilities

- Must be able to authenticate using Google accounts

Which solution should you use?

Google Cloud Armor

Web Security Scanner

Security Health Analytics

Container Threat Detection

62. A customer’s internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).

How should the team complete this task?

Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.

Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.

Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.

Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.

Facebook Twitter LinkedIn Google + Email

Download Professional Cloud Security Engineer Study Questions To Pass Google Cloud Certified – Professional Cloud Security Engineer

Download Professional Cloud Security Engineer Study Questions To Pass Google Cloud Certified – Professional Cloud Security Engineer

Author

LEAVE A COMMENT Cancel reply

Related Posts