Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 11

Your company wants to determine what products they can build to help customers improve their credit scores depending on their age range. To achieve this, you need to join user information in the company's banking app with customers' credit score data received from a third party. While using this raw data will allow you to complete this task, it exposes sensitive data, which could be propagated into new systems.

This risk needs to be addressed using de-identification and tokenization with Cloud Data Loss Prevention while maintaining the referential integrity across the database. Which cryptographic token format should you use to meet these requirements?

A. Deterministic encryption
B. Secure, key-based hashes
C. Format-preserving encryption
D. Cryptographic hashing

Suggested answer: A

Explanation:

"This encryption method is reversible, which helps to maintain referential integrity across your database and has no character-set limitations." (https://cloud.google.com/blog/products/identity-security/take-charge-of-your-data-how-tokenization-makes-data-usable-without-sacrificing-privacy)

https://cloud.google.com/dlp/docs/pseudonymization

FPE provides fewer security guarantees than other deterministic encryption methods such as AES-SIV. For this reason, Google strongly recommends using deterministic encryption with AES-SIV instead of FPE for all security-sensitive use cases. Deterministic encryption with AES-SIV provides these stronger security guarantees and is recommended for tokenization use cases unless length and character-set preservation are strict requirements, for example for backward compatibility with a legacy data system.

An office manager at your small startup company is responsible for matching payments to invoices and creating billing alerts. For compliance reasons, the office manager is only permitted to have the Identity and Access Management (IAM) permissions necessary for these tasks. Which two IAM roles should the office manager have? (Choose two.)

A. Organization Administrator
B. Project Creator
C. Billing Account Viewer
D. Billing Account Costs Manager
E. Billing Account User

Suggested answer: C, D

Explanation:

https://cloud.google.com/billing/docs/how-to/billing-access#overview-of-cloud-billing-roles-in-cloud-iam

Billing Account Costs Manager (roles/billing.costsManager)

- Manage budgets and view and export cost information of billing accounts (but not pricing information)

Billing Account Viewer (roles/billing.viewer)

- View billing account cost information and transactions.

You are designing a new governance model for your organization's secrets that are stored in Secret Manager. Currently, secrets for Production and Non-Production applications are stored and accessed using service accounts. Your proposed solution must:

Provide granular access to secrets

Give you control over the rotation schedules for the encryption keys that wrap your secrets

Maintain environment separation

Provide ease of management

Which approach should you take?

A. 1. Use separate Google Cloud projects to store Production and Non-Production secrets. 2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings. 3. Use customer-managed encryption keys to encrypt secrets.
B. 1. Use a single Google Cloud project to store both Production and Non-Production secrets. 2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings. 3. Use Google-managed encryption keys to encrypt secrets.
C. 1. Use separate Google Cloud projects to store Production and Non-Production secrets. 2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings. 3. Use Google-managed encryption keys to encrypt secrets.
D. 1. Use a single Google Cloud project to store both Production and Non-Production secrets. 2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings. 3. Use customer-managed encryption keys to encrypt secrets.

Suggested answer: A

Explanation:

Provide granular access to secrets: 2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings.

Give you control over the rotation schedules for the encryption keys that wrap your secrets: 3. Use customer-managed encryption keys to encrypt secrets.

Maintain environment separation: 1. Use separate Google Cloud projects to store Production and Non-Production secrets.

You are a security engineer at a finance company. Your organization plans to store data on Google Cloud, but your leadership team is worried about the security of their highly sensitive data. Specifically, your company is concerned about internal Google employees' ability to access your company's data on Google Cloud. What solution should you propose?

A. Use customer-managed encryption keys.
B. Use Google's Identity and Access Management (IAM) service to manage access controls on Google Cloud.
C. Enable Admin activity logs to monitor access to resources.
D. Enable Access Transparency logs with Access Approval requests for Google employees.

Suggested answer: D

Explanation:

Access Approval lets you explicitly approve access to your data or configurations on Google Cloud. Access Approval requests, when combined with Access Transparency logs, can be used to audit an end-to-end chain from support ticket to access request to approval to eventual access. https://cloud.google.com/access-transparency

You want to use the gcloud command-line tool to authenticate using a third-party single sign-on (SSO) SAML identity provider. Which options are necessary to ensure that authentication is supported by the third-party identity provider (IdP)? (Choose two.)

A. SSO SAML as a third-party IdP
B. Identity Platform
C. OpenID Connect
D. Identity-Aware Proxy
E. Cloud Identity

Suggested answer: A, C

Explanation:

To provide users with SSO-based access to selected cloud apps, Cloud Identity as your IdP supports the OpenID Connect (OIDC) and Security Assertion Markup Language 2.0 (SAML) protocols. https://cloud.google.com/identity/solutions/enable-sso

You work for a large organization where each business unit has thousands of users. You need to delegate management of access control permissions to each business unit. You have the following requirements:

Each business unit manages access controls for their own projects.

Each business unit manages access control permissions at scale.

Business units cannot access other business units' projects.

Users lose their access if they move to a different business unit or leave the company.

Users and access control permissions are managed by the on-premises directory service.

What should you do? (Choose two.)

A. Use VPC Service Controls to create perimeters around each business unit's project.
B. Organize projects in folders, and assign permissions to Google groups at the folder level.
C. Group business units based on Organization Units (OUs) and manage permissions based on OUs.
D. Create a project naming convention, and use Google's IAM Conditions to manage access based on the prefix of project names.
E. Use Google Cloud Directory Sync to synchronize users and group memberships in Cloud Identity.

Suggested answer: B, E

Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application. The solution has the following requirements:

Scans must run at least once per week

Must be able to detect cross-site scripting vulnerabilities

Must be able to authenticate using Google accounts

Which solution should you use?

A. Google Cloud Armor
B. Web Security Scanner
C. Security Health Analytics
D. Container Threat Detection

Suggested answer: B

Explanation:

Web Security Scanner identifies security vulnerabilities in your App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications. https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview

An organization is moving applications to Google Cloud while maintaining a few mission-critical applications on-premises. The organization must transfer the data at a bandwidth of at least 50 Gbps. What should they use to ensure secure continued connectivity between sites?

A. Dedicated Interconnect
B. Cloud Router
C. Cloud VPN
D. Partner Interconnect

Suggested answer: A

Explanation:

https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview

Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups. Which Google Cloud service should you use?

A. Cloud DNS with DNSSEC
B. Cloud NAT
C. HTTP(S) Load Balancing
D. Google Cloud Armor

Suggested answer: A

Explanation:

The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but prevents attackers from manipulating or poisoning the responses to DNS requests. https://cloud.google.com/dns/docs/dnssec

Your Security team believes that a former employee of your company gained unauthorized access to Google Cloud resources some time in the past 2 months by using a service account key. You need to confirm the unauthorized access and determine the user activity. What should you do?

A. Use Security Health Analytics to determine user activity.
B. Use the Cloud Monitoring console to filter audit logs by user.
C. Use the Cloud Data Loss Prevention API to query logs in Cloud Storage.
D. Use the Logs Explorer to search for user activity.

Suggested answer: D

Explanation:

Use the audit logs: search for the service account in Logs Explorer and review its activity over the past 2 months. The user's own identity will not appear, since the actions were performed under the service account's identity, but the activity can be correlated with the former employee through details such as source IP address and working hours.
