ExamGecko
Login
Ask Question

Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 14

List of questions

Question 131

Report
Export
Collapse

You perform a security assessment on a customer architecture and discover that multiple VMs have public IP addresses. After providing a recommendation to remove the public IP addresses, you are told those VMs need to communicate to external sites as part of the customer's typical operations. What should you recommend to reduce the need for public IP addresses in your customer's VMs?

Google Cloud Armor
Google Cloud Armor
Cloud NAT
Cloud NAT
Cloud Router
Cloud Router
Cloud VPN
Cloud VPN
Suggested answer: B

Explanation:

https://cloud.google.com/nat/docs/overview

asked 18/09/2024
Jozsef Stelly
47 questions

Question 132

Report
Export
Collapse

You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources. Your export must meet the following requirements:

Export related logs for all projects in the Google Cloud organization.

Export logs in near real-time to an external SIEM.

What should you do? (Choose two.)

Create a Log Sink at the organization level with a Pub/Sub destination.
Create a Log Sink at the organization level with a Pub/Sub destination.
Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.
Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.
Enable Data Access audit logs at the organization level to apply to all projects.
Enable Data Access audit logs at the organization level to apply to all projects.
Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.
Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.
Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.
Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.
Suggested answer: B, D

Explanation:

'Google Workspace Login Audit: Login Audit logs track user sign-ins to your domain. These logs only record the login event. They don't record which system was used to perform the login action.' https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#services

asked 18/09/2024
Thijs van Ham
36 questions

Question 133

Report
Export
Collapse

Your company's Chief Information Security Officer (CISO) creates a requirement that business data must be stored in specific locations due to regulatory requirements that affect the company's global expansion plans. After working on the details to implement this requirement, you determine the following:

The services in scope are included in the Google Cloud Data Residency Terms.

The business data remains within specific locations under the same organization.

The folder structure can contain multiple data residency locations.

You plan to use the Resource Location Restriction organization policy constraint. At which level in the resource hierarchy should you set the constraint?

Folder
Folder
Resource
Resource
Project
Project
Organization
Organization
Suggested answer: C

Explanation:

https://cloud.google.com/resource-manager/docs/organization-policy/defining-locations

asked 18/09/2024
Jendoubi moez
36 questions

Question 134

Report
Export
Collapse

You need to set up a Cloud interconnect connection between your company's on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?

Enable Private Google Access on the regional subnets and global dynamic routing mode.
Enable Private Google Access on the regional subnets and global dynamic routing mode.
Set up a Private Service Connect endpoint IP address with the API bundle of 'all-apis', which is advertised as a route over the Cloud interconnect connection.
Set up a Private Service Connect endpoint IP address with the API bundle of 'all-apis', which is advertised as a route over the Cloud interconnect connection.
Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.
Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.
Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.
Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.
Suggested answer: D

Explanation:

https://cloud.google.com/vpc/docs/private-service-connect

An API bundle:

All APIs (all-apis): most Google APIs

(same as private.googleapis.com).

VPC-SC (vpc-sc): APIs that VPC Service Controls supports

(same as restricted.googleapis.com).

VMs in the same VPC network as the endpoint (all regions)

On-premises systems that are connected to the VPC network that contains the endpoint

asked 18/09/2024
Mauro Daniele
37 questions

Question 135

Report
Export
Collapse

You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive data. Your solution has the following requirements:

Schedule key rotation for sensitive data.

Control which region the encryption keys for sensitive data are stored in.

Minimize the latency to access encryption keys for both sensitive and non-sensitive data.

What should you do?

Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.
Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.
Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.
Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.
Suggested answer: D

Explanation:

Google uses a common cryptographic library, Tink, which incorporates our FIPS 140-2 Level 1 validated module, BoringCrypto, to implement encryption consistently across almost all Google Cloud products. To provideflexibility of controlling the key residency and rotation schedule, use google provided key for non-sensitive and encrypt sensitive data with Cloud Key Management Service

asked 18/09/2024
Giulia Alberghi
43 questions

Question 136

Report
Export
Collapse

Your security team uses encryption keys to ensure confidentiality of user data. You want to establish a process to reduce the impact of a potentially compromised symmetric encryption key in Cloud Key Management Service (Cloud KMS).

Which steps should your team take before an incident occurs? (Choose two.)

Disable and revoke access to compromised keys.
Disable and revoke access to compromised keys.
Enable automatic key version rotation on a regular schedule.
Enable automatic key version rotation on a regular schedule.
Manually rotate key versions on an ad hoc schedule.
Manually rotate key versions on an ad hoc schedule.
Limit the number of messages encrypted with each key version.
Limit the number of messages encrypted with each key version.
Disable the Cloud KMS API.
Disable the Cloud KMS API.
Suggested answer: B, D

Explanation:

As per document 'Limiting the number of messages encrypted with the same key version helps prevent attacks enabled by cryptanalysis.' https://cloud.google.com/kms/docs/key-rotation

asked 18/09/2024
Herr Eylem Bulut
46 questions

Question 137

Report
Export
Collapse

Your company's chief information security officer (CISO) is requiring business data to be stored in specific locations due to regulatory requirements that affect the company's global expansion plans. After working on a plan to implement this requirement, you determine the following:

The services in scope are included in the Google Cloud data residency requirements.

The business data remains within specific locations under the same organization.

The folder structure can contain multiple data residency locations.

The projects are aligned to specific locations.

You plan to use the Resource Location Restriction organization policy constraint with very granular control. At which level in the hierarchy should you set the constraint?

Organization
Organization
Resource
Resource
Project
Project
Folder
Folder
Suggested answer: C
asked 18/09/2024
CHEUNG KA FAI
41 questions

Question 138

Report
Export
Collapse

A database administrator notices malicious activities within their Cloud SQL instance. The database administrator wants to monitor the API calls that read the configuration or metadata of resources. Which logs should the database administrator review?

Admin Activity
Admin Activity
System Event
System Event
Access Transparency
Access Transparency
Data Access
Data Access
Suggested answer: D

Explanation:

https://cloud.google.com/logging/docs/audit/#data-access 'Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data.'

asked 18/09/2024
Kostiantyn Lazurenko
44 questions

Question 139

Report
Export
Collapse

You are backing up application logs to a shared Cloud Storage bucket that is accessible to both the administrator and analysts. Analysts should not have access to logs that contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible to the administrator. What should you do?

Upload the logs to both the shared bucket and the bucket with Pll that is only accessible to the administrator. Use the Cloud Data Loss Prevention API to create a job trigger. Configure the trigger to delete any files that contain Pll from the shared bucket.
Upload the logs to both the shared bucket and the bucket with Pll that is only accessible to the administrator. Use the Cloud Data Loss Prevention API to create a job trigger. Configure the trigger to delete any files that contain Pll from the shared bucket.
On the shared bucket, configure Object Lifecycle Management to delete objects that contain Pll.
On the shared bucket, configure Object Lifecycle Management to delete objects that contain Pll.
On the shared bucket, configure a Cloud Storage trigger that is only triggered when Pll is uploaded. Use Cloud Functions to capture the trigger and delete the files that contain Pll.
On the shared bucket, configure a Cloud Storage trigger that is only triggered when Pll is uploaded. Use Cloud Functions to capture the trigger and delete the files that contain Pll.
Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect Pll, have the function move the objects into the shared Cloud Storage bucket.
Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect Pll, have the function move the objects into the shared Cloud Storage bucket.
Suggested answer: B
asked 18/09/2024
Robert Petty
52 questions

Question 140

Report
Export
Collapse

You work for an organization in a regulated industry that has strict data protection requirements. The organization backs up their data in the cloud. To comply with data privacy regulations, this data can only be stored for a specific length of time and must be deleted after this specific period.

You want to automate the compliance with this regulation while minimizing storage costs. What should you do?

Store the data in a persistent disk, and delete the disk at expiration time.
Store the data in a persistent disk, and delete the disk at expiration time.
Store the data in a Cloud Bigtable table, and set an expiration time on the column families.
Store the data in a Cloud Bigtable table, and set an expiration time on the column families.
Store the data in a BigQuery table, and set the table's expiration time.
Store the data in a BigQuery table, and set the table's expiration time.
Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.
Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.
Suggested answer: D

Explanation:

To miminize costs, it's always GCS even though BQ comes as a close 2nd. But, since the question did not specify what kind of data it is (raw files vs tabular data), it is safe to assume GCS is the preferred option with LifeCycle enablement.

asked 18/09/2024
Faria Sah
37 questions
Total 235 questions
Go to page: of 24
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud. What should you do?
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements: The Cloud Storage bucket in Project A can only be readable from Project B. The Cloud Storage bucket in Project A cannot be accessed from outside the network. Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket. What should the security team do?
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements: Only allows communication between the Web and App tiers. Enforces consistent network security when autoscaling the Web and App tiers. Prevents Compute Engine Instance Admins from altering network traffic. What should you do?
You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?
You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?
You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment. How should you prevent and fix this vulnerability?
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on ''in- scope'' Nodes only. These Nodes can only contain the ''in-scope'' Pods. How should the organization achieve this objective?
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior. What should you do to meet these requirements?
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data Loss Prevention API technique should you use to accomplish this?
You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?