Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 15

You have been tasked with configuring Security Command Center for your organization's Google Cloud environment. Your security team needs to receive alerts of potential crypto mining in the organization's compute environment and alerts for common Google Cloud misconfigurations that impact security. Which Security Command Center features should you use to configure these alerts? (Choose two.)

A. Event Threat Detection
B. Container Threat Detection
C. Security Health Analytics
D. Cloud Data Loss Prevention
E. Google Cloud Armor
Suggested answer: A, C

Explanation:

https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview

Event Threat Detection is a built-in service for the Security Command Center Premium tier that continuously monitors your organization and identifies threats within your systems in near-real time. https://cloud.google.com/security-command-center/docs/concepts-security-sources#security-health-analytics

You have noticed an increased number of phishing attacks across your enterprise user accounts. You want to implement the Google 2-Step Verification (2SV) option that uses a cryptographic signature to authenticate a user and verify the URL of the login page. Which Google 2SV option should you use?

A. Titan Security Keys
B. Google prompt
C. Google Authenticator app
D. Cloud HSM keys
Suggested answer: A

Explanation:

https://cloud.google.com/titan-security-key

Security keys use public key cryptography to verify a user's identity and the URL of the login page, ensuring attackers can't access your account even if you are tricked into providing your username and password.

Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:

The network connection must be encrypted.

The communication between servers must be over private IP addresses.

What should you do?

A. Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
B. Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
C. Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.
D. Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.
Suggested answer: B

Explanation:

Google encrypts and authenticates data in transit at one or more network layers when data moves outside physical boundaries not controlled by Google or on behalf of Google. All VM-to-VM traffic within a VPC network and peered VPC networks is encrypted. https://cloud.google.com/docs/security/encryption-in-transit#cio-level_summary

Your company's new CEO recently sold two of the company's divisions. Your Director asks you to help migrate the Google Cloud projects associated with those divisions to a new organization node. Which preparation steps are necessary before this migration occurs? (Choose two.)

A. Remove all project-level custom Identity and Access Management (IAM) roles.
B. Disallow inheritance of organization policies.
C. Identify inherited Identity and Access Management (IAM) roles on projects to be migrated.
D. Create a new folder for all projects to be migrated.
E. Remove the specific migration projects from any VPC Service Controls perimeters and bridges.
Suggested answer: C

Explanation:

https://cloud.google.com/resource-manager/docs/project-migration#plan_policy

When you migrate your project, it will no longer inherit the policies from its current place in the resource hierarchy, and will be subject to the effective policy evaluation at its destination. We recommend making sure that the effective policies at the project's destination match as much as possible the policies that the project had in its source location. https://cloud.google.com/resource-manager/docs/project-migration#import_export_folders

Policy inheritance can cause unintended effects when you are migrating a project, both in the source and destination organization resources. You can mitigate this risk by creating specific folders to hold only projects for export and import, and ensuring that the same policies are inherited by the folders in both organization resources. You can also set permissions on these folders that will be inherited to the projects moved within them, helping to accelerate the project migration process.

You are a consultant for an organization that is considering migrating their data from its private cloud to Google Cloud. The organization's compliance team is not familiar with Google Cloud and needs guidance on how compliance requirements will be met on Google Cloud. One specific compliance requirement is for customer data at rest to reside within specific geographic boundaries. Which option should you recommend for the organization to meet their data residency requirements on Google Cloud?

A. Organization Policy Service constraints
B. Shielded VM instances
C. Access control lists
D. Geolocation access controls
E. Google Cloud Armor
Suggested answer: A

Explanation:

https://cloud.google.com/resource-manager/docs/organization-policy/using-constraints#list-constraint

Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization. How should you enforce this?

A. Configure Secret Manager to manage service account keys.
B. Enable an organization policy to disable service accounts from being created.
C. Enable an organization policy to prevent service account keys from being created.
D. Remove the iam.serviceAccounts.getAccessToken permission from users.
Suggested answer: C

Explanation:

https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys

'To prevent unnecessary usage of service account keys, use organization policy constraints: At the root of your organization's resource hierarchy, apply the Disable service account key creation and Disable service account key upload constraints to establish a default where service account keys are disallowed. When needed, override one of the constraints for selected projects to re-enable service account key creation or upload.'

You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?

A. On the Google Admin console, select the appropriate user account, and generate a backup code to allow the user to sign in. Ask the user to update their second factor.
B. On the Google Admin console, temporarily disable the 2SV requirements for all users. Ask the user to log in and add their new second factor to their account. Re-enable the 2SV requirement for all users.
C. On the Google Admin console, select the appropriate user account, and temporarily disable 2SV for this account. Ask the user to update their second factor, and then re-enable 2SV for this account.
D. On the Google Admin console, use a super administrator account to reset the user account's credentials. Ask the user to update their credentials after their first login.
Suggested answer: A

Explanation:

https://support.google.com/a/answer/9176734

Use backup codes for account recovery. If you need to recover an account, use backup codes. Accounts are still protected by 2-Step Verification, and backup codes are easy to generate.

Which Google Cloud service should you use to enforce access control policies for applications and resources?

A. Identity-Aware Proxy
B. Cloud NAT
C. Google Cloud Armor
D. Shielded VMs
Suggested answer: A

Explanation:

https://cloud.google.com/iap/docs/concepts-overview 'Use IAP when you want to enforce access control policies for applications and resources.'

You want to update your existing VPC Service Controls perimeter with a new access level. You need to avoid breaking the existing perimeter with this change, and ensure the least disruptions to users while minimizing overhead. What should you do?

A. Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.
B. Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.
C. Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration. Update the perimeter configuration after the access level has been vetted.
D. Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.
Suggested answer: D

Explanation:

https://cloud.google.com/vpc-service-controls/docs/dry-run-mode

When using VPC Service Controls, it can be difficult to determine the impact to your environment when a service perimeter is created or modified. With dry run mode, you can better understand the impact of enabling VPC Service Controls and changes to perimeters in existing environments.

Your organization's Google Cloud VMs are deployed via an instance template that configures them with a public IP address in order to host web services for external users. The VMs reside in a service project that is attached to a host (VPC) project containing one custom Shared VPC for the VMs. You have been asked to reduce the exposure of the VMs to the internet while continuing to service external users. You have already recreated the instance template without a public IP address configuration to launch the managed instance group (MIG). What should you do?

A. Deploy a Cloud NAT Gateway in the service project for the MIG.
B. Deploy a Cloud NAT Gateway in the host (VPC) project for the MIG.
C. Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.
D. Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend.
Suggested answer: D

Explanation:

https://cloud.google.com/load-balancing/docs/https#shared-vpc

While you can create all the load balancing components and backends in the Shared VPC host project, this model does not separate network administration and service development responsibilities.

Total 235 questions