ExamGecko

Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 13

You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your Google Cloud VPCs based on packet header information. However, you want the capability to explore network flows and their payload to aid investigations. Which Google Cloud product should you use?

A. Marketplace IDS
B. VPC Flow Logs
C. VPC Service Controls logs
D. Packet Mirroring
E. Google Cloud Armor Deep Packet Inspection
Suggested answer: D

Explanation:

Packet Mirroring clones the traffic of specified instances in your Virtual Private Cloud (VPC) network and forwards it to a collector for examination. Unlike VPC Flow Logs, which record only sampled header-level metadata, Packet Mirroring captures the full packets, headers and payloads included, which is what payload-level investigation requires. https://cloud.google.com/vpc/docs/packet-mirroring

Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements:

Only allows communication between the Web and App tiers.

Enforces consistent network security when autoscaling the Web and App tiers.

Prevents Compute Engine Instance Admins from altering network traffic.

What should you do?

A. 1. Configure all running Web and App servers with respective network tags. 2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.
B. 1. Configure all running Web and App servers with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.
C. 1. Re-deploy the Web and App servers with instance templates configured with respective network tags. 2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.
D. 1. Re-deploy the Web and App servers with instance templates configured with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.
Suggested answer: D

Explanation:

https://cloud.google.com/vpc/docs/firewalls#service-accounts-vs-tags

A service account represents an identity associated with an instance. Only one service account can be associated with an instance. You control access to the service account by controlling the grant of the Service Account User role for other IAM principals. For an IAM principal to start an instance by using a service account, that principal must have the Service Account User role on that service account as well as the permissions needed to create instances (for example, the Compute Engine Instance Admin role on the project). This is why service accounts satisfy the third requirement where network tags do not: an Instance Admin can add or remove tags on a running instance and thereby change which firewall rules apply to it, but cannot attach a service account without also holding the Service Account User role. Configuring the service account in the instance template ensures every autoscaled instance receives the same identity and therefore the same firewall treatment.

You need to connect your organization's on-premises network with an existing Google Cloud environment that includes one Shared VPC with two subnets named Production and Non-Production. You are required to:

Use a private transport link.

Configure access to Google Cloud APIs through private API endpoints originating from on-premises environments.

Ensure that Google Cloud APIs are only consumed via VPC Service Controls.

What should you do?

A. 1. Set up a Cloud VPN link between the on-premises environment and Google Cloud. 2. Configure private access using the restricted googleapis.com domains in on-premises DNS configurations.
B. 1. Set up a Partner Interconnect link between the on-premises environment and Google Cloud. 2. Configure private access using the private.googleapis.com domains in on-premises DNS configurations.
C. 1. Set up a Direct Peering link between the on-premises environment and Google Cloud. 2. Configure private access for both VPC subnets.
D. 1. Set up a Dedicated Interconnect link between the on-premises environment and Google Cloud. 2. Configure private access using the restricted.googleapis.com domains in on-premises DNS configurations.
Suggested answer: D

Explanation:

restricted.googleapis.com (199.36.153.4/30) only provides access to Google Cloud and Developer APIs that support VPC Service Controls, and VPC Service Controls are enforced for those services. Pointing on-premises DNS at this VIP over a private transport link (Dedicated Interconnect here, as opposed to a VPN over the public internet) therefore satisfies all three requirements. private.googleapis.com, by contrast, also exposes APIs that are not covered by VPC Service Controls. https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid

You are working with protected health information (PHI) for an electronic health record system. The privacy officer is concerned that sensitive data is stored in the analytics system. You are tasked with anonymizing the sensitive data in a way that is not reversible. Also, the anonymized data should not preserve the character set and length. Which Google Cloud solution should you use?

A. Cloud Data Loss Prevention with deterministic encryption using AES-SIV
B. Cloud Data Loss Prevention with format-preserving encryption
C. Cloud Data Loss Prevention with cryptographic hashing
D. Cloud Data Loss Prevention with Cloud Key Management Service wrapped cryptographic keys
Suggested answer: C

Explanation:

https://cloud.google.com/dlp/docs/pseudonymization?hl=JA&skip_cache=true#supported-methods

Of the supported de-identification methods, cryptographic hashing is the only one-way transformation: deterministic encryption (AES-SIV) and format-preserving encryption are both reversible with the key, and format-preserving encryption additionally keeps the input's character set and length, which the question rules out.

You are setting up a CI/CD pipeline to deploy containerized applications to your production clusters on Google Kubernetes Engine (GKE). You need to prevent containers with known vulnerabilities from being deployed. You have the following requirements for your solution:

Must be cloud-native

Must be cost-efficient

Minimize operational overhead

How should you accomplish this? (Choose two.)

A. Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.
B. Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.
C. Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.
D. Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.
E. In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.
Suggested answer: A, E

Explanation:

https://cloud.google.com/container-analysis/docs/container-analysis

Container Analysis is a service that provides vulnerability scanning and metadata storage for containers. The scanning service performs vulnerability scans on images in Container Registry and Artifact Registry, then stores the resulting metadata and makes it available for consumption through an API.

https://cloud.google.com/binary-authorization/docs/attestations

After a container image is built, an attestation can be created to affirm that a required activity was performed on the image such as a regression test, vulnerability scan, or other test. The attestation is created by signing the image's unique digest.

During deployment, instead of repeating the activities, Binary Authorization verifies the attestations using an attestor. If all of the attestations for an image are verified, Binary Authorization allows the image to be deployed.

Which type of load balancer should you use to maintain client IP by default while using the standard network tier?

A. SSL Proxy
B. TCP Proxy
C. Internal TCP/UDP
D. TCP/UDP Network
Suggested answer: D

Explanation:

https://cloud.google.com/load-balancing/docs/load-balancing-overview

https://cloud.google.com/load-balancing/docs/load-balancing-overview#choosing_a_load_balancer

A TCP/UDP network load balancer is a passthrough load balancer: it does not terminate client connections, so backends see the original client source IP without any extra configuration, and it is available in the Standard Network Service Tier. The SSL Proxy and TCP Proxy load balancers terminate connections at the proxy, so the backend sees the proxy's address unless PROXY protocol is enabled, and the internal TCP/UDP load balancer is not reachable from external clients.

You want to prevent users from accidentally deleting a Shared VPC host project. Which organization-level policy constraint should you enable?

A. compute.restrictSharedVpcHostProjects
B. compute.restrictXpnProjectLienRemoval
C. compute.restrictSharedVpcSubnetworks
D. compute.sharedReservationsOwnerProjects
Suggested answer: B

Explanation:

https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints#constraints-for-specific-services

- constraints/compute.restrictXpnProjectLienRemoval: Restrict shared VPC project lien removal

This boolean constraint restricts the set of users that can remove a Shared VPC host project lien without organization-level permission where this constraint is set to True.

By default, any user with the permission to update liens can remove a Shared VPC host project lien. Enforcing this constraint requires that permission be granted at the organization level.

Users are reporting an outage on your public-facing application that is hosted on Compute Engine. You suspect that a recent change to your firewall rules is responsible. You need to test whether your firewall rules are working properly. What should you do?

A. Enable Firewall Rules Logging on the latest rules that were changed. Use Logs Explorer to analyze whether the rules are working correctly.
B. Connect to a bastion host in your VPC. Use a network traffic analyzer to determine at which point your requests are being blocked.
C. In a pre-production environment, disable all firewall rules individually to determine which one is blocking user traffic.
D. Enable VPC Flow Logs in your VPC. Use Logs Explorer to analyze whether the rules are working correctly.
Suggested answer: A

Explanation:

https://cloud.google.com/vpc/docs/firewall-rules-logging

Firewall Rules Logging records, per rule, which connections the rule allowed or denied, so enabling it on the recently changed rules shows directly whether those rules are matching and blocking the user traffic. VPC Flow Logs only show sampled flows that reached the VM and do not identify which firewall rule acted on a packet.

You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project. How should you make an exception for your partner's domain while following the stated best practices?

A. Turn off the domain restriction sharing organization policy. Set the policy value to 'Allow All.'
B. Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.
C. Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.
D. Turn off the domain restricted sharing organization policy. Set the policy value to 'Custom.' Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.
Suggested answer: D

Explanation:

https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#setting_the_organization_policy

The domain restriction constraint is a type of list constraint. Google Workspace customer IDs can be added and removed from the allowed_values list of a domain restriction constraint. The domain restriction constraint does not support denying values, and an organization policy can't be saved with IDs in the denied_values list. All domains associated with a Google Workspace account listed in the allowed_values will be allowed by the organization policy. All other domains will be denied by the organization policy.

You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application's backend. What are two requirements for using Google Cloud Armor security policies? (Choose two.)

A. The load balancer must be an external SSL proxy load balancer.
B. Google Cloud Armor Policy rules can only match on Layer 7 (L7) attributes.
C. The load balancer must use the Premium Network Service Tier.
D. The backend service's load balancing scheme must be EXTERNAL.
E. The load balancer must be an external HTTP(S) load balancer.
Suggested answer: D, E

Explanation:

https://cloud.google.com/armor/docs/security-policy-overview#requirements states: the backend service's load balancing scheme must be EXTERNAL (or EXTERNAL_MANAGED if you are using the global external HTTP(S) load balancer). Google Cloud Armor security policies attach to backend services behind an external HTTP(S) load balancer; they are not tied to the Premium Network Service Tier, and rules can also match on Layer 3/4 attributes such as source IP ranges and geography.
