Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 12

Your company requires the security and network engineering teams to identify all network anomalies within and across VPCs, internal traffic from VMs to VMs, traffic between end locations on the internet and VMs, and traffic between VMs to Google Cloud services in production. Which method should you use?

A. Define an organization policy constraint.
B. Configure packet mirroring policies.
C. Enable VPC Flow Logs on the subnet.
D. Monitor and analyze Cloud Audit Logs.
Suggested answer: B

Explanation:

https://cloud.google.com/vpc/docs/packet-mirroring#enterprise_security

Security and network engineering teams must ensure that they are catching all anomalies and threats that might indicate security breaches and intrusions. They mirror all traffic so that they can complete a comprehensive inspection of suspicious flows.

Your company has been creating users manually in Cloud Identity to provide access to Google Cloud resources. Due to continued growth of the environment, you want to authorize the Google Cloud Directory Sync (GCDS) instance and integrate it with your on-premises LDAP server to onboard hundreds of users. You are required to:

Replicate user and group lifecycle changes from the on-premises LDAP server in Cloud Identity.

Disable any manually created users in Cloud Identity.

You have already configured the LDAP search attributes to include the users and security groups in scope for Google Cloud. What should you do next to complete this solution?

A. 1. Configure the option to suspend domain users not found in LDAP. 2. Set up a recurring GCDS task.
B. 1. Configure the option to delete domain users not found in LDAP. 2. Run GCDS after user and group lifecycle changes.
C. 1. Configure the LDAP search attributes to exclude manually created Cloud Identity users not found in LDAP. 2. Set up a recurring GCDS task.
D. 1. Configure the LDAP search attributes to exclude manually created Cloud Identity users not found in LDAP. 2. Run GCDS after user and group lifecycle changes.
Suggested answer: A

Explanation:

To meet the requirement 'Disable any manually created users in Cloud Identity', configure GCDS to suspend, rather than delete, Cloud Identity accounts that are not found in the LDAP directory. Ref: https://support.google.com/a/answer/7177267

You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?

A. Add the host project containing the Shared VPC to the service perimeter.
B. Add the service project where the Compute Engine instances reside to the service perimeter.
C. Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.
D. Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.
Suggested answer: A

Explanation:

https://cloud.google.com/vpc-service-controls/docs/service-perimeters#secure-google-managed-resources

If you're using Shared VPC, you must include the host project in a service perimeter along with any projects that belong to the Shared VPC.

You recently joined the networking team supporting your company's Google Cloud implementation. You are tasked with familiarizing yourself with the firewall rules configuration and providing recommendations based on your networking and Google Cloud experience. What product should you recommend to detect firewall rules that are overlapped by attributes from other firewall rules with higher or equal priority?

A. Security Command Center
B. Firewall Rules Logging
C. VPC Flow Logs
D. Firewall Insights
Suggested answer: D

Explanation:

https://cloud.google.com/network-intelligence-center/docs/firewall-insights/concepts/overview#shadowed-firewall-rules

Firewall Insights analyzes your firewall rules to detect firewall rules that are shadowed by other rules. A shadowed rule is a firewall rule that has all of its relevant attributes, such as its IP address and port ranges, overlapped by attributes from one or more rules with higher or equal priority, called shadowing rules.

The security operations team needs access to the security-related logs for all projects in their organization. They have the following requirements:

Follow the least privilege model by having only view access to logs.

Have access to Admin Activity logs.

Have access to Data Access logs.

Have access to Access Transparency logs.

Which Identity and Access Management (IAM) role should the security operations team be granted?

A. roles/logging.privateLogViewer
B. roles/logging.admin
C. roles/viewer
D. roles/logging.viewer
Suggested answer: A

Explanation:

https://cloud.google.com/logging/docs/access-control#considerations

roles/logging.privateLogViewer (Private Logs Viewer) includes all the permissions contained by roles/logging.viewer, plus the ability to read Data Access audit logs in the _Default bucket.

You are exporting application logs to Cloud Storage. You encounter an error message that the log sinks don't support uniform bucket-level access policies. How should you resolve this error?

A. Change the access control model for the bucket.
B. Update your sink with the correct bucket destination.
C. Add the roles/logging.logWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.
D. Add the roles/logging.bucketWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.
Suggested answer: A

Explanation:

https://cloud.google.com/logging/docs/export/troubleshoot#errors_exporting_to_cloud_storage

https://cloud.google.com/logging/docs/export/troubleshoot

Unable to grant correct permissions to the destination: Even if the sink was successfully created with the correct service account permissions, this error message displays if the access control model for the Cloud Storage bucket was set to uniform access when the bucket was created. For existing Cloud Storage buckets, you can change the access control model for the first 90 days after bucket creation by using the Permissions tab. For new buckets, select the Fine-grained access control model during bucket creation. For details, see Creating Cloud Storage buckets.

You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?

A. Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials.
B. Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/iam.disableServiceAccountCreation organization policy at the project level.
C. Create a custom service account for the cluster. Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level.
D. Create a custom service account for the cluster. Enable the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.
Suggested answer: C

Explanation:

Disable service account key creation: You can use the iam.disableServiceAccountKeyCreation boolean constraint to disable the creation of new external service account keys. This allows you to control the use of unmanaged long-term credentials for service accounts. When this constraint is set, user-managed credentials cannot be created for service accounts in projects affected by the constraint.

https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#example_policy_boolean_constraint

You need to set up two network segments: one with an untrusted subnet and the other with a trusted subnet. You want to configure a virtual appliance such as a next-generation firewall (NGFW) to inspect all traffic between the two network segments. How should you design the network to inspect the traffic?

A. 1. Set up one VPC with two subnets: one trusted and the other untrusted. 2. Configure a custom route for all traffic (0.0.0.0/0) pointed to the virtual appliance.
B. 1. Set up one VPC with two subnets: one trusted and the other untrusted. 2. Configure a custom route for all RFC1918 subnets pointed to the virtual appliance.
C. 1. Set up two VPC networks: one trusted and the other untrusted, and peer them together. 2. Configure a custom route on each network pointed to the virtual appliance.
D. 1. Set up two VPC networks: one trusted and the other untrusted. 2. Configure a virtual appliance using multiple network interfaces, with each interface connected to one of the VPC networks.
Suggested answer: D

Explanation:

Multiple network interfaces. The simplest way to connect multiple VPC networks through a virtual appliance is by using multiple network interfaces, with each interface connecting to one of the VPC networks. Internet and on-premises connectivity is provided over one or two separate network interfaces. With many NGFW products, internet connectivity is connected through an interface marked as untrusted in the NGFW software.

https://cloud.google.com/architecture/best-practices-vpc-design#l7

This architecture has multiple VPC networks that are bridged by an L7 next-generation firewall (NGFW) appliance, which functions as a multi-NIC bridge between VPC networks. An untrusted, outside VPC network is introduced to terminate hybrid interconnects and internet-based connections that terminate on the outside leg of the L7 NGFW for inspection. There are many variations on this design, but the key principle is to filter traffic through the firewall before the traffic reaches trusted VPC networks.

You are a member of your company's security team. You have been asked to reduce your Linux bastion host external attack surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can access the internal VPC while off-site. How should you enable this access?

A. Implement Cloud VPN for the region where the bastion host lives.
B. Implement OS Login with 2-step verification for the bastion host.
C. Implement Identity-Aware Proxy TCP forwarding for the bastion host.
D. Implement Google Cloud Armor in front of the bastion host.
Suggested answer: C

Explanation:

https://cloud.google.com/architecture/building-internet-connectivity-for-private-vms#configuring_iap_tunnels_for_interacting_with_instances

You need to enable VPC Service Controls and allow changes to perimeters in existing environments without preventing access to resources. Which VPC Service Controls mode should you use?

A. Cloud Run
B. Native
C. Enforced
D. Dry run
Suggested answer: D

Explanation:

In dry run mode, requests that violate the perimeter policy are not denied, only logged. Dry run mode is used to test perimeter configuration and to monitor usage of services without preventing access to resources.

https://cloud.google.com/vpc-service-controls/docs/dry-run-mode
