Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 10
You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources. Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts.

Which two actions should you take? (Choose two.)

A. Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity.
B. Use the Google Admin console to view which managed users are using a personal account for their recovery email.
C. Add users to your managed Google account and force users to change the email addresses associated with their personal accounts.
D. Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts.
E. Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.
Suggested answer: A, D

Explanation:

https://cloud.google.com/architecture/identity/migrating-consumer-accounts#initiating_a_transfer

You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.

How should you prevent and fix this vulnerability?

A. Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.
B. Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.
C. Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
D. Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.
Suggested answer: D

Explanation:

The Web Security Scanner documentation explicitly describes this as a simulation: 'Web Security Scanner cross-site scripting (XSS) injection testing *simulates* an injection attack by inserting a benign test string into user-editable fields and then performing various user actions.' The fix itself is to render user data through a templating system with contextual auto-escaping rather than relying on network-level controls. https://cloud.google.com/security-command-center/docs/how-to-remediate-web-security-scanner-findings#xss

You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be readable from Project B. You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials.

What should you do?

A. Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.
B. Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.
C. Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.
D. Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.
Suggested answer: A

Explanation:

https://cloud.google.com/vpc-service-controls/docs/overview#isolate

You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to-know basis to the HR team. What should you do?

A. Perform data masking with the DLP API and store that data in BigQuery for later use.
B. Perform data redaction with the DLP API and store that data in BigQuery for later use.
C. Perform data inspection with the DLP API and store that data in BigQuery for later use.
D. Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.
Suggested answer: D

Explanation:

Pseudonymization is a de-identification technique that replaces sensitive data values with cryptographically generated tokens. Pseudonymization is widely used in industries like finance and healthcare to help reduce the risk of data in use, narrow compliance scope, and minimize the exposure of sensitive data to systems while preserving data utility and accuracy.

https://cloud.google.com/dlp/docs/pseudonymization

You are a Security Administrator at your organization. You need to restrict service account creation capability within production environments. You want to accomplish this centrally across the organization. What should you do?

A. Use Identity and Access Management (IAM) to restrict access of all users and service accounts that have access to the production environment.
B. Use organization policy constraints/iam.disableServiceAccountKeyCreation boolean to disable the creation of new service accounts.
C. Use organization policy constraints/iam.disableServiceAccountKeyUpload boolean to disable the creation of new service accounts.
D. Use organization policy constraints/iam.disableServiceAccountCreation boolean to disable the creation of new service accounts.
Suggested answer: D

Explanation:

You can use the iam.disableServiceAccountCreation boolean constraint to disable the creation of new service accounts. This allows you to centralize management of service accounts while not restricting the other permissions your developers have on projects. https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_creation

You are the project owner for a regulated workload that runs in a project you own and manage as an Identity and Access Management (IAM) admin. For an upcoming audit, you need to provide access reviews evidence. Which tool should you use?

A. Policy Troubleshooter
B. Policy Analyzer
C. IAM Recommender
D. Policy Simulator
Suggested answer: B

Explanation:

https://cloud.google.com/policy-intelligence/docs/policy-analyzer-overview

Policy Analyzer lets you find out which principals (for example, users, service accounts, groups, and domains) have what access to which Google Cloud resources based on your IAM allow policies.

Your organization has implemented synchronization and SAML federation between Cloud Identity and Microsoft Active Directory. You want to reduce the risk of Google Cloud user accounts being compromised. What should you do?

A. Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with security keys in the Google Admin console.
B. Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with verification codes via text or phone call in the Google Admin console.
C. Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with security keys in the Google Admin console.
D. Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with verification codes via text or phone call in the Google Admin console.
Suggested answer: C

Explanation:

Because authentication is federated to Active Directory, the password policy must be enforced there, and the 2-Step Verification applied after SSO should use security keys. Google's guidance on the second factor: 'We recommend against using text messages. The National Institute of Standards and Technology (NIST) no longer recommends SMS-based 2SV due to the hijacking risk from state-sponsored entities.'

You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?

A. Google Cloud Armor's preconfigured rules in preview mode
B. Prepopulated VPC firewall rules in monitor mode
C. The inherent protections of Google Front End (GFE)
D. Cloud Load Balancing firewall rules
E. VPC Service Controls in dry run mode
Suggested answer: A

Explanation:

You can preview the effects of a rule without enforcing it. In preview mode, actions are noted in Cloud Monitoring. You can choose to preview individual rules in a security policy, or you can preview every rule in the policy. https://cloud.google.com/armor/docs/security-policy-overview#preview_mode

You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine. Which option should you recommend?

A. Cloud Key Management Service
B. Compute Engine guest attributes
C. Compute Engine custom metadata
D. Secret Manager
Suggested answer: D

Explanation:

Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud. https://cloud.google.com/secret-manager

You need to implement an encryption at-rest strategy that reduces key management complexity for non-sensitive data and protects sensitive data while providing the flexibility of controlling the key residency and rotation schedule. FIPS 140-2 L1 compliance is required for all data types. What should you do?

A. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
B. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.
C. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.
Suggested answer: D

Explanation:

Google uses a common cryptographic library, Tink, which incorporates its FIPS 140-2 Level 1 validated module, BoringCrypto, to implement encryption consistently across almost all Google Cloud products, so default encryption already satisfies the FIPS 140-2 L1 requirement for non-sensitive data. To retain control over key residency and the rotation schedule for sensitive data without adding key management overhead for everything else, keep Google default encryption for non-sensitive data and encrypt sensitive data with Cloud Key Management Service.
