ExamGecko
Search Search Login
Home Home / Google / Professional Cloud Security Engineer

Google Professional Cloud Security Engineer Practice Test - Questions Answers

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud. What should you do?
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data Loss Prevention API technique should you use to accomplish this?
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on ''in- scope'' Nodes only. These Nodes can only contain the ''in-scope'' Pods. How should the organization achieve this objective?
You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior. What should you do to meet these requirements?
You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google- recommended practices. What should you do?
How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements: The Cloud Storage bucket in Project A can only be readable from Project B. The Cloud Storage bucket in Project A cannot be accessed from outside the network. Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket. What should the security team do?
You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements: Only allows communication between the Web and App tiers. Enforces consistent network security when autoscaling the Web and App tiers. Prevents Compute Engine Instance Admins from altering network traffic. What should you do?

Question 1

Report
Export
Collapse

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.

Which two settings must remain disabled to meet these requirements? (Choose two.)

A.
Public IP
A.
Public IP
Answers
B.
IP Forwarding
B.
IP Forwarding
Answers
C.
Private Google Access
C.
Private Google Access
Answers
D.
Static routes
D.
Static routes
Answers
E.
IAM Network User Role
E.
IAM Network User Role
Answers
Suggested answer: A, C

Question 2

Report
Export
Collapse

Which two implied firewall rules are defined on a VPC network? (Choose two.)

A.
A rule that allows all outbound connections
A.
A rule that allows all outbound connections
Answers
B.
A rule that denies all inbound connections
B.
A rule that denies all inbound connections
Answers
C.
A rule that blocks all inbound port 25 connections
C.
A rule that blocks all inbound port 25 connections
Answers
D.
A rule that blocks all outbound connections
D.
A rule that blocks all outbound connections
Answers
E.
A rule that allows all inbound port 80 connections
E.
A rule that allows all inbound port 80 connections
Answers
Suggested answer: A, B

Explanation:

Implied IPv4 allow egress rule. An egress rule whose action is allow, destination is 0.0.0.0/0, and priority is the lowest possible (65535) lets any instance send traffic to any destination

Implied IPv4 deny ingress rule. An ingress rule whose action is deny, source is 0.0.0.0/0, and priority is the lowest possible (65535) protects all instances by blocking incoming connections to them.

https://cloud.google.com/vpc/docs/firewalls?hl=en#default_firewall_rules

Question 3

Report
Export
Collapse

A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.

How should the customer achieve this using Google Cloud Platform?

A.
Use Cloud Source Repositories, and store secrets in Cloud SQL.
A.
Use Cloud Source Repositories, and store secrets in Cloud SQL.
Answers
B.
Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.
B.
Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.
Answers
C.
Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL.
C.
Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL.
Answers
D.
Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.
D.
Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.
Answers
Suggested answer: B

Question 4

Report
Export
Collapse

Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service. Your team wants to manage permissions by AD group membership.

What should your team do to meet these requirements?

A.
Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.
A.
Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.
Answers
B.
Set up SAML 2.0 Single Sign-On (SSO), and assign IAM permissions to the groups.
B.
Set up SAML 2.0 Single Sign-On (SSO), and assign IAM permissions to the groups.
Answers
C.
Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory.
C.
Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory.
Answers
D.
Use the Admin SDK to create groups and assign IAM permissions from Active Directory.
D.
Use the Admin SDK to create groups and assign IAM permissions from Active Directory.
Answers
Suggested answer: A

Explanation:

'In order to be able to keep using the existing identity management system, identities need to be synchronized between AD and GCPIAM. To do so google provides a tool called Cloud Directory Sync. This tool will read all identities in AD and replicate those within GCP. Once the identities have been replicated then it's possible to apply IAM permissions on the groups. After that you will configure SAML so google can act as a service provider and either you ADFSor other third party tools like Ping or Okta will act as the identity provider. This way you effectively delegate the authentication from Google to something that is under your control.'

Question 5

Report
Export
Collapse

When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)

A.
Ensure that the app does not run as PID 1.
A.
Ensure that the app does not run as PID 1.
Answers
B.
Package a single app as a container.
B.
Package a single app as a container.
Answers
C.
Remove any unnecessary tools not needed by the app.
C.
Remove any unnecessary tools not needed by the app.
Answers
D.
Use public container images as a base image for the app.
D.
Use public container images as a base image for the app.
Answers
E.
Use many container image layers to hide sensitive information.
E.
Use many container image layers to hide sensitive information.
Answers
Suggested answer: B, C

Explanation:

https://cloud.google.com/architecture/best-practices-for-building-containers#solution_1_run_as_pid_1_and_register_signal_handlers

Question 6

Report
Export
Collapse

A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end-user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection.

Which product should be used to meet these requirements?

A.
Cloud Armor
A.
Cloud Armor
Answers
B.
VPC Firewall Rules
B.
VPC Firewall Rules
Answers
C.
Cloud Identity and Access Management
C.
Cloud Identity and Access Management
Answers
D.
Cloud CDN
D.
Cloud CDN
Answers
Suggested answer: A

Question 7

Report
Export
Collapse

A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.

Which two approaches can you take to meet the requirements? (Choose two.)

A.
Configure the project with Cloud VPN.
A.
Configure the project with Cloud VPN.
Answers
B.
Configure the project with Shared VPC.
B.
Configure the project with Shared VPC.
Answers
C.
Configure the project with Cloud Interconnect.
C.
Configure the project with Cloud Interconnect.
Answers
D.
Configure the project with VPC peering.
D.
Configure the project with VPC peering.
Answers
E.
Configure all Compute Engine instances with Private Access.
E.
Configure all Compute Engine instances with Private Access.
Answers
Suggested answer: A, C

Explanation:

A) IPsec VPN tunels: https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview

Interconnect https://cloud.google.com/network-connectivity/docs/interconnect/concepts/dedicated-overview

Question 8

Report
Export
Collapse

A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity- Aware Proxy.

What should the customer do to meet these requirements?

A.
Make sure that the ERP system can validate the JWT assertion in the HTTP requests.
A.
Make sure that the ERP system can validate the JWT assertion in the HTTP requests.
Answers
B.
Make sure that the ERP system can validate the identity headers in the HTTP requests.
B.
Make sure that the ERP system can validate the identity headers in the HTTP requests.
Answers
C.
Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.
C.
Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.
Answers
D.
Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests.
D.
Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests.
Answers
Suggested answer: A

Explanation:

Use Cryptographic Verification If there is a risk of IAP being turned off or bypassed, your app can check to make sure the identity information it receives is valid. This uses a third web request header added by IAP, called X-Goog-IAP-JWT-Assertion. The value of the header is a cryptographically signed object that also contains the user identity data. Your application can verify the digital signature and use the data provided in this object to be certain that it was provided by IAP without alteration.

Question 9

Report
Export
Collapse

A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs.

What should you do?

A.
Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.
A.
Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.
Answers
B.
Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.
B.
Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.
Answers
C.
Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.
C.
Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.
Answers
D.
Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.
D.
Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.
Answers
Suggested answer: A

Question 10

Report
Export
Collapse

Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.

Which logging export strategy should you use to meet the requirements?

A.
1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
A.
1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
Answers
B.
1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project. 2. Process Cloud Storage objects in SIEM.
B.
1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project. 2. Process Cloud Storage objects in SIEM.
Answers
C.
1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
C.
1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
Answers
D.
1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project. 2. Process Cloud Storage objects in SIEM.
D.
1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project. 2. Process Cloud Storage objects in SIEM.
Answers
Suggested answer: C

Explanation:

'Your team needs to obtain a unified log view of all development cloud projects in your SIEM' - This means we are ONLY interested in development projects. 'The development projects are under the NONPROD organization folder with the test and pre-production projects' - We will need to filter out development from others i.e test and pre-prod. 'The development projects share the ABC-BILLING billing account with the rest of the organization.' - This is unnecessary information.

Total 235 questions
Go to page: of 24
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms