ExamGecko
Google / Professional Cloud Security Engineer

Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 16

Your privacy team uses crypto-shredding (deleting encryption keys) as a strategy to delete personally identifiable information (PII). You need to implement this practice on Google Cloud while still utilizing the majority of the platform's services and minimizing operational overhead. What should you do?

A. Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises.
B. Use Cloud External Key Manager to delete specific encryption keys.
C. Use customer-managed encryption keys to delete specific encryption keys.
D. Use Google default encryption to delete specific encryption keys.
Suggested answer: C

Explanation:

https://cloud.google.com/sql/docs/mysql/cmek

'You might have situations where you want to permanently destroy data encrypted with CMEK. To do this, you destroy the customer-managed encryption key version. You can't destroy the keyring or key, but you can destroy key versions of the key.'
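The crypto-shredding flow above, as an added example with gcloud (not code from the page or from Google). It protects a Cloud SQL instance with a CMEK key and then destroys the key version. Project ID, project number, region and key names are placeholders; the script prints the commands unless DRY_RUN=0 is set, so it can be read without a Google Cloud account.

```shell
#!/usr/bin/env bash
# Added example: CMEK crypto-shredding with gcloud. Prints commands by default;
# set DRY_RUN=0 to execute them. All identifiers below are placeholders.
set -eu

PROJECT="${PROJECT:-my-project}"                   # assumption: placeholder project ID
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"   # assumption: placeholder project number
REGION="${REGION:-europe-west1}"
KEYRING="${KEYRING:-pii-ring}"
KEY="${KEY:-pii-sql-key}"
DRY_RUN="${DRY_RUN:-1}"

run() {  # print the command in dry-run mode, execute it otherwise
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Fully-qualified Cloud KMS key resource name, as consumed by --disk-encryption-key.
kms_key_path() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' "$1" "$2" "$3" "$4"
}

# 1. Key ring and key. --destroy-scheduled-duration is the grace period in which a
#    destroyed version can still be restored (24h is the API default).
run gcloud kms keyrings create "$KEYRING" --location "$REGION" --project "$PROJECT"
run gcloud kms keys create "$KEY" --keyring "$KEYRING" --location "$REGION" \
    --purpose encryption --destroy-scheduled-duration 24h --project "$PROJECT"

# 2. The Cloud SQL service agent encrypts/decrypts with the key on your behalf.
SQL_SA="service-${PROJECT_NUMBER}@gcp-sa-cloud-sql.iam.gserviceaccount.com"
run gcloud kms keys add-iam-policy-binding "$KEY" --keyring "$KEYRING" --location "$REGION" \
    --member "serviceAccount:${SQL_SA}" --role roles/cloudkms.cryptoKeyEncrypterDecrypter \
    --project "$PROJECT"

# 3. CMEK-protected instance; it must live in the same region as the key.
KEY_PATH="$(kms_key_path "$PROJECT" "$REGION" "$KEYRING" "$KEY")"
run gcloud sql instances create pii-db --database-version MYSQL_8_0 --region "$REGION" \
    --tier db-custom-2-7680 --disk-encryption-key "$KEY_PATH" --project "$PROJECT"

# 4. Crypto-shred: destroy every key version that ever protected the data. Key rings
#    and keys cannot be deleted, only versions.
run gcloud kms keys versions list --key "$KEY" --keyring "$KEYRING" --location "$REGION" \
    --project "$PROJECT"
run gcloud kms keys versions destroy 1 --key "$KEY" --keyring "$KEYRING" --location "$REGION" \
    --project "$PROJECT"
```

Two caveats a practitioner should check: the version is only scheduled for destruction, so the data is recoverable with `gcloud kms keys versions restore` until the scheduled duration elapses; and if the key was rotated, each older version that still wraps data must be destroyed as well. Options A and B either force you to give up managed services or leave the key lifecycle in an external system, which is why C is the low-overhead answer.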

You need to centralize your team's logs for production projects. You want your team to be able to search and analyze the logs using Logs Explorer. What should you do?

A. Enable Cloud Monitoring workspace, and add the production projects to be monitored.
B. Use Logs Explorer at the organization level and filter for production project logs.
C. Create an aggregate org sink at the parent folder of the production projects, and set the destination to a Cloud Storage bucket.
D. Create an aggregate org sink at the parent folder of the production projects, and set the destination to a logs bucket.
Suggested answer: D

Explanation:

https://cloud.google.com/logging/docs/export/aggregated_sinks#supported-destinations

You can use aggregated sinks to route logs within or between the same organizations and folders to the following destinations, among them another Cloud Logging bucket (log entries held in Cloud Logging log buckets). A logs bucket is the only one of the listed destinations that Logs Explorer can query; logs routed to Cloud Storage (option C) become files, not searchable log entries.

You need to use Cloud External Key Manager to create an encryption key to encrypt specific BigQuery data at rest in Google Cloud. Which steps should you do first?

A. 1. Create or use an existing key with a unique uniform resource identifier (URI) in your Google Cloud project. 2. Grant your Google Cloud project access to a supported external key management partner system.
B. 1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.
C. 1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system. 2. In the external key management partner system, grant access for this key to use your Google Cloud project.
D. 1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.
Suggested answer: C

Explanation:

https://cloud.google.com/kms/docs/ekm#how_it_works

- First, you create or use an existing key in a supported external key management partner system. This key has a unique URI or key path.

- Next, you grant your Google Cloud project access to use the key, in the external key management partner system.

- In your Google Cloud project, you create a Cloud EKM key, using the URI or key path for the externally-managed key.
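The three steps above carried through with gcloud and bq, as an added example (not code from the page or from Google). Steps 1 and 2 happen in the partner EKM and produce a key URI; the constructed https://ekm.example.com URI, the project ID, project number and key names are placeholders. The script prints the commands unless DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example: Cloud EKM key for BigQuery. Prints commands by default; DRY_RUN=0 executes.
set -eu

PROJECT="${PROJECT:-my-project}"                   # assumption: placeholder project ID
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"   # assumption: placeholder project number
LOCATION="${LOCATION:-us-east1}"                   # must be a region where Cloud EKM is offered
KEYRING="${KEYRING:-ekm-ring}"
KEY="${KEY:-bq-ekm-key}"
# Steps 1 and 2 (partner system): create the key and grant this project access to it.
# What comes back is a key URI; the value below is a constructed placeholder.
EXTERNAL_KEY_URI="${EXTERNAL_KEY_URI:-https://ekm.example.com/v0/keys/bq-key-1}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

kms_key_path() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' "$1" "$2" "$3" "$4"
}

# Internet-reachable EKM keys are referenced by an https URI. (EKM over VPC uses an EKM
# connection and a key path instead; see the Cloud EKM documentation linked above.)
is_ekm_uri() {
  case "$1" in https://*) return 0 ;; *) return 1 ;; esac
}
is_ekm_uri "$EXTERNAL_KEY_URI" || { echo "not an https EKM key URI: $EXTERNAL_KEY_URI" >&2; exit 1; }

# Step 3: a Cloud KMS key with EXTERNAL protection level. No initial version is created
# because each version must be bound to the external key URI explicitly.
run gcloud kms keyrings create "$KEYRING" --location "$LOCATION" --project "$PROJECT"
run gcloud kms keys create "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --purpose encryption --protection-level external --skip-initial-version-creation \
    --project "$PROJECT"
run gcloud kms keys versions create --key "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --external-key-uri "$EXTERNAL_KEY_URI" --primary --project "$PROJECT"

# BigQuery's encryption service agent must be allowed to use the key.
BQ_SA="bq-${PROJECT_NUMBER}@bigquery-encryption.iam.gserviceaccount.com"
run gcloud kms keys add-iam-policy-binding "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --member "serviceAccount:${BQ_SA}" --role roles/cloudkms.cryptoKeyEncrypterDecrypter \
    --project "$PROJECT"

# Dataset default key: tables created in the dataset inherit it. Dataset and key must be
# in the same location.
KEY_PATH="$(kms_key_path "$PROJECT" "$LOCATION" "$KEYRING" "$KEY")"
run bq --location="$LOCATION" mk --dataset --default_kms_key="$KEY_PATH" "${PROJECT}:pii_dataset"
```

If the partner system has not granted the project access (step 2), the version create call succeeds but every encrypt or decrypt fails at request time, because Cloud KMS calls out to the partner for each cryptographic operation; the key material never enters Google Cloud.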

Your company's cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs. Which service should you use?

A. Identity-Aware Proxy
B. Cloud NAT
C. TCP/UDP Load Balancing
D. Cloud DNS
Suggested answer: B

Explanation:

https://cloud.google.com/nat/docs/overview 'Cloud NAT (network address translation) lets certain resources without external IP addresses create outbound connections to the internet.'
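An added example (not from the page or from Google) of the setup the answer describes: a VM created with no external IP, a Cloud Router plus Cloud NAT for its outbound traffic, and a connectivity check through IAP TCP forwarding since there is no public address to SSH to. Network, subnet, zone and VM names are placeholders; the script prints the commands unless DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example: internal-only VM with Cloud NAT egress. Prints commands by default.
set -eu

PROJECT="${PROJECT:-my-project}"       # assumption: placeholder project ID
REGION="${REGION:-europe-west1}"
ZONE="${ZONE:-europe-west1-b}"
NETWORK="${NETWORK:-prod-vpc}"
SUBNET="${SUBNET:-prod-subnet}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Private Google Access covers traffic to Google APIs from VMs without external IPs;
# anything else (OS package mirrors, third-party repos) needs Cloud NAT. Illustrative
# classifier, not an exhaustive list of Google API domains.
needs_cloud_nat() {
  case "$1" in
    *.googleapis.com|*.gcr.io|*.pkg.dev) return 1 ;;
    *) return 0 ;;
  esac
}

# Custom-mode VPC, subnet with Private Google Access, and a VM with --no-address.
run gcloud compute networks create "$NETWORK" --subnet-mode custom --project "$PROJECT"
run gcloud compute networks subnets create "$SUBNET" --network "$NETWORK" --region "$REGION" \
    --range 10.10.0.0/24 --enable-private-ip-google-access --project "$PROJECT"
run gcloud compute instances create app-vm --zone "$ZONE" --subnet "$SUBNET" --no-address \
    --project "$PROJECT"

# Cloud Router + Cloud NAT. NAT is outbound only: it never accepts inbound connections,
# so the policy intent (no reachable external IP) is preserved.
run gcloud compute routers create nat-router --network "$NETWORK" --region "$REGION" \
    --project "$PROJECT"
run gcloud compute routers nats create nat-config --router nat-router --region "$REGION" \
    --auto-allocate-nat-external-ips --nat-all-subnet-ip-ranges \
    --enable-logging --log-filter ERRORS_ONLY --project "$PROJECT"

# Verify from inside the VM. With no public IP, reach it over IAP TCP forwarding.
run gcloud compute ssh app-vm --zone "$ZONE" --tunnel-through-iap --project "$PROJECT" \
    --command 'curl -sI https://deb.debian.org | head -n 1'
```

The IAP tunnel needs an ingress firewall rule allowing TCP 22 from 35.235.240.0/20 and the roles/iap.tunnelResourceAccessor role for the operator; that is the role Identity-Aware Proxy (option A) plays here: administrative access to the VM, not internet egress for it.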

You want to make sure that your organization's Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all Cloud Storage buckets. What should you do?

A. Remove Owner roles from end users, and configure Cloud Data Loss Prevention.
B. Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.
C. Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.
D. Remove *.setIamPolicy permissions from all roles, and enforce domain restricted sharing in an organization policy.
Suggested answer: C

Explanation:

- Uniform bucket-level access: https://cloud.google.com/storage/docs/uniform-bucket-level-access#should-you-use

- Domain Restricted Sharing: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#public_data_sharing

The two controls cover the two ways a bucket becomes public: uniform bucket-level access disables legacy object ACLs, so access can only be granted through IAM, and domain restricted sharing rejects IAM bindings to allUsers and allAuthenticatedUsers. Cloud Storage also has a dedicated organization policy constraint, constraints/storage.publicAccessPrevention, that blocks public access outright; in practice it is enforced alongside the two controls in the answer.
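The organization-wide enforcement described above, as an added example (not from the page or from Google): the two org-policy constraints from the answer plus public access prevention, the switch of an existing bucket to uniform bucket-level access, and a small audit helper run over a constructed bucket IAM policy. Organization ID, customer ID, project and bucket names are placeholders; the script prints the gcloud commands unless DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example: block public Cloud Storage data org-wide. Prints commands by default.
set -eu

ORG_ID="${ORG_ID:-123456789012}"          # assumption: placeholder organization ID
CUSTOMER_ID="${CUSTOMER_ID:-C01abcdef}"   # assumption: placeholder Cloud Identity customer ID
PROJECT="${PROJECT:-my-project}"
BUCKET="${BUCKET:-prod-reports}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Print every public principal found in a bucket IAM policy JSON (as returned by
# `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`), one per line.
public_members() {
  printf '%s' "$1" | tr ',' '\n' | grep -Eo '"(allUsers|allAuthenticatedUsers)"' | tr -d '"' || true
}

# 1. Domain restricted sharing: only principals from your own Cloud Identity account.
#    Look up the customer ID with:
#    gcloud organizations describe ORG_ID --format='value(directoryCustomerId)'
run gcloud resource-manager org-policies allow constraints/iam.allowedPolicyMemberDomains \
    "$CUSTOMER_ID" --organization "$ORG_ID"

# 2. Uniform bucket-level access for every bucket, so legacy ACLs cannot grant access.
run gcloud resource-manager org-policies enable-enforce constraints/storage.uniformBucketLevelAccess \
    --organization "$ORG_ID"

# 3. Belt and braces: public access prevention rejects allUsers/allAuthenticatedUsers
#    on every bucket regardless of who sets the policy.
run gcloud resource-manager org-policies enable-enforce constraints/storage.publicAccessPrevention \
    --organization "$ORG_ID"

# 4. Existing bucket: switch to uniform bucket-level access (irreversible after 90 days).
run gcloud storage buckets update "gs://${BUCKET}" --uniform-bucket-level-access --project "$PROJECT"

# 5. Negative test: with the policies enforced this binding must be rejected.
run gcloud storage buckets add-iam-policy-binding "gs://${BUCKET}" \
    --member allUsers --role roles/storage.objectViewer --project "$PROJECT"

# 6. Audit what is already public. Constructed sample policy, not real data.
SAMPLE_POLICY='{"bindings":[{"members":["user:alice@example.com"],"role":"roles/storage.admin"},{"members":["allUsers"],"role":"roles/storage.objectViewer"}]}'
public_members "$SAMPLE_POLICY"   # prints: allUsers
```

Org policies are not retroactive: a binding to allUsers that existed before the constraint was enforced keeps working, which is why the audit step matters. Removing Owner roles (options A and B) does not help, because anyone with storage.buckets.setIamPolicy on a bucket can still make it public.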

Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud. Which two steps should you take to integrate the company's on-premises Active Directory with Google Cloud and configure access management? (Choose two.)

A. Use Identity Platform to provision users and groups to Google Cloud.
B. Use Cloud Identity SAML integration to provision users and groups to Google Cloud.
C. Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.
D. Create Identity and Access Management (IAM) roles with permissions corresponding to each Active Directory group.
E. Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group.
Answers
Suggested answer: C, E

Explanation:

https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-synchronizing-user-accounts?hl=en

https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-synchronizing-user-accounts?hl=en#deciding_where_to_deploy_gcds

Google Cloud Directory Sync provisions the AD users and groups into Cloud Identity (C); access is then granted by binding IAM roles to those synced groups (E), not by minting a custom IAM role per AD group (D). Single sign-on against AD is a separate SAML configuration (for example AD FS) and provisions nothing, which is why B is wrong; Identity Platform (A) is a customer-facing identity service, not a workforce directory.

You are in charge of creating a new Google Cloud organization for your company. Which two actions should you take when creating the super administrator accounts? (Choose two.)

A. Create an access level in the Google Admin console to prevent super admin from logging in to Google Cloud.
B. Disable any Identity and Access Management (IAM) roles for super admin at the organization level in the Google Cloud Console.
C. Use a physical token to secure the super admin credentials with multi-factor authentication (MFA).
D. Use a private connection to create the super admin accounts to avoid sending your credentials over the Internet.
E. Provide non-privileged identities to the super admin users for their day-to-day activities.
Answers
Suggested answer: C, E

Explanation:

https://cloud.google.com/resource-manager/docs/super-admin-best-practices#discourage_super_admin_account_usage

- Use a security key or other physical authentication device to enforce two-step verification.
- Give super admins a separate account that requires a separate login.

You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

A. Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.
B. Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.
C. Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.
D. Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.
Suggested answer: B

Explanation:

https://youtu.be/MI4iG2GIZMA

The agent plus a regional log bucket is the lowest-overhead path because it needs no application changes and keeps the logs searchable in Logs Explorer, and the bucket location pins the data to the EU. One caveat to check before relying on this in production: Cloud Logging log buckets accept a custom retention of 1 to 3650 days, so a literal 12-year requirement exceeds what a log bucket can hold on its own; the usual fix is to keep the log bucket for search and add a sink to an EU Cloud Storage bucket with a retention policy for the long tail.
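An added example (not from the page or from Google) that covers both logging questions on this page: a regional EU log bucket with custom retention, the aggregated sink at the production folder that routes into it, the writer-identity grant the sink needs, and locking the bucket. Folder ID, project, bucket name and the writer identity are placeholders; the script prints the gcloud commands unless DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example: EU log bucket with retention + folder-level aggregated sink.
# Prints commands by default; DRY_RUN=0 executes them.
set -eu

LOGS_PROJECT="${LOGS_PROJECT:-central-logging}"   # assumption: project that owns the log bucket
FOLDER_ID="${FOLDER_ID:-987654321098}"            # assumption: folder holding the production projects
LOCATION="${LOCATION:-europe-west1}"
BUCKET="${BUCKET:-prod-app-logs}"
RETENTION_DAYS="${RETENTION_DAYS:-3650}"
# Sink writer identity; look it up after creation with
# gcloud logging sinks describe prod-app-sink --folder FOLDER_ID --format='value(writerIdentity)'
WRITER_IDENTITY="${WRITER_IDENTITY:-serviceAccount:service-folder-987654321098@gcp-sa-logging.iam.gserviceaccount.com}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Cloud Logging log buckets accept a custom retention between 1 and 3650 days.
check_retention_days() {
  [ "$1" -ge 1 ] && [ "$1" -le 3650 ]
}

# Destination string for a sink that targets a log bucket.
log_bucket_destination() {
  printf 'logging.googleapis.com/projects/%s/locations/%s/buckets/%s' "$1" "$2" "$3"
}

check_retention_days "$RETENTION_DAYS" || {
  echo "retention must be 1..3650 days (got $RETENTION_DAYS); route the rest to Cloud Storage" >&2
  exit 1
}

# 1. Regional log bucket in the EU with custom retention.
run gcloud logging buckets create "$BUCKET" --location "$LOCATION" \
    --retention-days "$RETENTION_DAYS" --project "$LOGS_PROJECT"

# 2. Aggregated sink at the folder; --include-children pulls in every project under it.
DEST="$(log_bucket_destination "$LOGS_PROJECT" "$LOCATION" "$BUCKET")"
run gcloud logging sinks create prod-app-sink "$DEST" --folder "$FOLDER_ID" --include-children \
    --log-filter 'resource.type="gce_instance"'

# 3. The sink writes as its own service account; grant it bucketWriter on the logs project.
run gcloud projects add-iam-policy-binding "$LOGS_PROJECT" \
    --member "$WRITER_IDENTITY" --role roles/logging.bucketWriter

# 4. Once routing is verified, lock the bucket: retention can no longer be shortened and
#    the bucket cannot be deleted until every entry has expired. Irreversible.
run gcloud logging buckets update "$BUCKET" --location "$LOCATION" --locked --project "$LOGS_PROJECT"
```

Team members query the bucket from Logs Explorer in the central project (or through a log view scoped to it), which is what distinguishes this from a Cloud Storage destination. Setting RETENTION_DAYS=4380 makes the script stop at the retention check rather than issuing a create call that the API would reject.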

You discovered that sensitive personally identifiable information (PII) is being ingested to your Google Cloud environment in the daily ETL process from an on-premises environment to your BigQuery datasets. You need to redact this data to obfuscate the PII, but need to re-identify it for data analytics purposes. Which components should you use in your solution? (Choose two.)

A. Secret Manager
B. Cloud Key Management Service
C. Cloud Data Loss Prevention with cryptographic hashing
D. Cloud Data Loss Prevention with automatic text redaction
E. Cloud Data Loss Prevention with deterministic encryption using AES-SIV
Answers
Suggested answer: B, E

Explanation:

B: the data encryption key used by the transformation is wrapped with a Cloud KMS key and passed to Cloud DLP as a kmsWrapped CryptoKey, so KMS holds the root of trust: https://cloud.google.com/dlp/docs/reference/rest/v2/projects.deidentifyTemplates#crypt

E: reversible de-identification needs a cryptographic transformation, CryptoReplaceFfxFpeConfig (format-preserving) or CryptoDeterministicConfig (AES-SIV); hashing (C) and redaction (D) are one-way and cannot be re-identified: https://cloud.google.com/dlp/docs/reference/rest/v2/projects.deidentifyTemplates#cryptodeterministicconfig

https://cloud.google.com/dlp/docs/deidentify-sensitive-data
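The KMS-wrapped, deterministic round trip described above, as an added example (not from the page or from Google): the data key is wrapped with Cloud KMS, the de-identify and re-identify request bodies for the DLP content API are built by shell functions, and the surrogate info type ties the two together. Project, key names, the sample text and the base64 wrapped-key placeholder are constructed; the script prints the gcloud and curl commands unless DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example: Cloud DLP deterministic encryption with a KMS-wrapped key.
# Prints commands by default; DRY_RUN=0 executes them.
set -eu

PROJECT="${PROJECT:-my-project}"                   # assumption: placeholder project ID
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"   # assumption: placeholder project number
LOCATION="${LOCATION:-europe-west1}"
KEYRING="${KEYRING:-dlp-ring}"
KEY="${KEY:-dlp-kek}"
# base64 of the KMS ciphertext produced in step 1; constructed placeholder, not a real key.
WRAPPED_B64="${WRAPPED_B64:-Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}
auth_header() {
  if [ "$DRY_RUN" = "1" ]; then echo 'Authorization: Bearer <token>'
  else echo "Authorization: Bearer $(gcloud auth print-access-token)"; fi
}

KMS_KEY="projects/${PROJECT}/locations/${LOCATION}/keyRings/${KEYRING}/cryptoKeys/${KEY}"

# 1. A 256-bit data key, wrapped by KMS. Only the wrapped form is ever sent to DLP, and
#    DLP's service agent needs permission to unwrap it.
run sh -c 'openssl rand 32 > dek.bin'
run gcloud kms encrypt --key "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --plaintext-file dek.bin --ciphertext-file dek.wrapped --project "$PROJECT"
DLP_SA="service-${PROJECT_NUMBER}@dlp-api.iam.gserviceaccount.com"
run gcloud kms keys add-iam-policy-binding "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --member "serviceAccount:${DLP_SA}" --role roles/cloudkms.cryptoKeyDecrypter --project "$PROJECT"

# 2. One crypto transformation used in both directions: $1 = infoTypes JSON array it applies
#    to, $2 = wrapped key (base64), $3 = KMS key name. Tokens are tagged PII_TOKEN(...).
crypto_transform() {
  printf '{"infoTypeTransformations":{"transformations":[{"infoTypes":%s,"primitiveTransformation":{"cryptoDeterministicConfig":{"cryptoKey":{"kmsWrapped":{"wrappedKey":"%s","cryptoKeyName":"%s"}},"surrogateInfoType":{"name":"PII_TOKEN"}}}}]}}' "$1" "$2" "$3"
}
PII='[{"name":"EMAIL_ADDRESS"},{"name":"PHONE_NUMBER"}]'
TOKEN='[{"name":"PII_TOKEN"}]'

# De-identify: detect real PII and replace it with deterministic tokens.
deid_request() {  # $1 wrapped key, $2 KMS key name, $3 text
  printf '{"deidentifyConfig":%s,"inspectConfig":{"infoTypes":%s},"item":{"value":"%s"}}' \
    "$(crypto_transform "$PII" "$1" "$2")" "$PII" "$3"
}
# Re-identify: the surrogate is declared as a custom infoType so DLP knows which tokens to decrypt.
reid_request() {  # $1 wrapped key, $2 KMS key name, $3 tokenized text
  printf '{"reidentifyConfig":%s,"inspectConfig":{"customInfoTypes":[{"infoType":{"name":"PII_TOKEN"},"surrogateType":{}}]},"item":{"value":"%s"}}' \
    "$(crypto_transform "$TOKEN" "$1" "$2")" "$3"
}

DLP_URL="https://dlp.googleapis.com/v2/projects/${PROJECT}/locations/global/content"
SAMPLE='Contact alice@example.com or +1 555-0100'   # constructed sample input
run curl -s -X POST "${DLP_URL}:deidentify" -H "$(auth_header)" -H 'Content-Type: application/json' \
    -d "$(deid_request "$WRAPPED_B64" "$KMS_KEY" "$SAMPLE")"
# The response carries tokens such as PII_TOKEN(NN):...; feed that text back to re-identify.
TOKENIZED='Contact PII_TOKEN(52):AbCdEf... or PII_TOKEN(36):GhIjKl...'   # constructed shape
run curl -s -X POST "${DLP_URL}:reidentify" -H "$(auth_header)" -H 'Content-Type: application/json' \
    -d "$(reid_request "$WRAPPED_B64" "$KMS_KEY" "$TOKENIZED")"
```

Because the transformation is deterministic, the same e-mail address always maps to the same token, so analysts can join and count on the tokenized column without seeing the value; that is the property hashing lacks only in reversibility and redaction lacks entirely. Keep the wrapped key out of source control: anyone holding it and the decrypter role on the KMS key can re-identify.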

You are working with a client that is concerned about control of their encryption keys for sensitive data. The client does not want to store encryption keys at rest in the same cloud service provider (CSP) as the data that the keys are encrypting. Which Google Cloud encryption solutions should you recommend to this client? (Choose two.)

A. Customer-supplied encryption keys
B. Google default encryption
C. Secret Manager
D. Cloud External Key Manager
E. Customer-managed encryption keys
Answers
Suggested answer: A, D
Total 235 questions