ExamGecko
Login
Ask Question

Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 16

List of questions

Question 151

Report
Export
Collapse

Your privacy team uses crypto-shredding (deleting encryption keys) as a strategy to delete personally identifiable information (PII). You need to implement this practice on Google Cloud while still utilizing the majority of the platform's services and minimizing operational overhead. What should you do?

Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises
Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises
Use Cloud External Key Manager to delete specific encryption keys.
Use Cloud External Key Manager to delete specific encryption keys.
Use customer-managed encryption keys to delete specific encryption keys.
Use customer-managed encryption keys to delete specific encryption keys.
Use Google default encryption to delete specific encryption keys.
Use Google default encryption to delete specific encryption keys.
Suggested answer: C

Explanation:

https://cloud.google.com/sql/docs/mysql/cmek

'You might have situations where you want to permanently destroy data encrypted with CMEK. To do this, you destroy the customer-managed encryption key version. You can't destroy the keyring or key, but you can destroy key versions of the key.'

asked 18/09/2024
Haider Nassiry
40 questions

Question 152

Report
Export
Collapse

You need to centralize your team's logs for production projects. You want your team to be able to search and analyze the logs using Logs Explorer. What should you do?

Enable Cloud Monitoring workspace, and add the production projects to be monitored.
Enable Cloud Monitoring workspace, and add the production projects to be monitored.
Use Logs Explorer at the organization level and filter for production project logs.
Use Logs Explorer at the organization level and filter for production project logs.
Create an aggregate org sink at the parent folder of the production projects, and set the destination to a Cloud Storage bucket.
Create an aggregate org sink at the parent folder of the production projects, and set the destination to a Cloud Storage bucket.
Create an aggregate org sink at the parent folder of the production projects, and set the destination to a logs bucket.
Create an aggregate org sink at the parent folder of the production projects, and set the destination to a logs bucket.
Suggested answer: D

Explanation:

https://cloud.google.com/logging/docs/export/aggregated_sinks#supported-destinations

You can use aggregated sinks to route logs within or between the same organizations and folders to the following destinations: - Another Cloud Logging bucket: Log entries held in Cloud Logging log buckets.

asked 18/09/2024
Meghan Crofford
39 questions

Question 153

Report
Export
Collapse

You need to use Cloud External Key Manager to create an encryption key to encrypt specific BigQuery data at rest in Google Cloud. Which steps should you do first?

1. Create or use an existing key with a unique uniform resource identifier (URI) in your Google Cloud project. 2. Grant your Google Cloud project access to a supported external key management partner system.
1. Create or use an existing key with a unique uniform resource identifier (URI) in your Google Cloud project. 2. Grant your Google Cloud project access to a supported external key management partner system.
1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.
1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.
1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system. 2. In the external key management partner system, grant access for this key to use your Google Cloud project.
1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system. 2. In the external key management partner system, grant access for this key to use your Google Cloud project.
1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.
1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.
Suggested answer: C

Explanation:

https://cloud.google.com/kms/docs/ekm#how_it_works

- First, you create or use an existing key in a supported external key management partner system. This key has a unique URI or key path.

- Next, you grant your Google Cloud project access to use the key, in the external key management partner system.

- In your Google Cloud project, you create a Cloud EKM key, using the URI or key path for the externally-managed key.

asked 18/09/2024
Fthcx Fgghn
33 questions

Question 154

Report
Export
Collapse

Your company's cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs. Which service should you use?

Identity Aware-Proxy
Identity Aware-Proxy
Cloud NAT
Cloud NAT
TCP/UDP Load Balancing
TCP/UDP Load Balancing
Cloud DNS
Cloud DNS
Suggested answer: B

Explanation:

https://cloud.google.com/nat/docs/overview 'Cloud NAT (network address translation) lets certain resources without external IP addresses create outbound connections to the internet.'

asked 18/09/2024
DIGIX srl
32 questions

Question 155

Report
Export
Collapse

You want to make sure that your organization's Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all Cloud Storage buckets. What should you do?

Remove Owner roles from end users, and configure Cloud Data Loss Prevention.
Remove Owner roles from end users, and configure Cloud Data Loss Prevention.
Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.
Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.
Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.
Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.
Remove *.setIamPolicy permissions from all roles, and enforce domain restricted sharing in an organization policy.
Remove *.setIamPolicy permissions from all roles, and enforce domain restricted sharing in an organization policy.
Suggested answer: C

Explanation:

- Uniform bucket-level access: https://cloud.google.com/storage/docs/uniform-bucket-level-access#should-you-use

- Domain Restricted Sharing: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#public_data_sharing

asked 18/09/2024
Hayat Hassan
44 questions

Question 156

Report
Export
Collapse

Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud. Which two steps should you take to integrate the company's on-premises Active Directory with Google Cloud and configure access management? (Choose two.)

Use Identity Platform to provision users and groups to Google Cloud.
Use Identity Platform to provision users and groups to Google Cloud.
Use Cloud Identity SAML integration to provision users and groups to Google Cloud.
Use Cloud Identity SAML integration to provision users and groups to Google Cloud.
Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.
Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.
Create Identity and Access Management (IAM) roles with permissions corresponding to each Active Directory group.
Create Identity and Access Management (IAM) roles with permissions corresponding to each Active Directory group.
Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group.
Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group.
Suggested answer: C, E

Explanation:

https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-synchronizing-user-accounts?hl=en

https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-synchronizing-user-accounts?hl=en#deciding_where_to_deploy_gcds

asked 18/09/2024
Erik de Bont
39 questions

Question 157

Report
Export
Collapse

You are in charge of creating a new Google Cloud organization for your company. Which two actions should you take when creating the super administrator accounts? (Choose two.)

Create an access level in the Google Admin console to prevent super admin from logging in to Google Cloud.
Create an access level in the Google Admin console to prevent super admin from logging in to Google Cloud.
Disable any Identity and Access Management (IAM) roles for super admin at the organization level in the Google Cloud Console.
Disable any Identity and Access Management (IAM) roles for super admin at the organization level in the Google Cloud Console.
Use a physical token to secure the super admin credentials with multi-factor authentication (MFA).
Use a physical token to secure the super admin credentials with multi-factor authentication (MFA).
Use a private connection to create the super admin accounts to avoid sending your credentials over the Internet.
Use a private connection to create the super admin accounts to avoid sending your credentials over the Internet.
Provide non-privileged identities to the super admin users for their day-to-day activities.
Provide non-privileged identities to the super admin users for their day-to-day activities.
Suggested answer: C, E

Explanation:

https://cloud.google.com/resource-manager/docs/super-admin-best-practices#discourage_super_admin_account_usage

- Use a security key or other physical authentication device to enforce two-step verification - Give super admins a separate account that requires a separate login

asked 18/09/2024
khalid Hassan
33 questions

Question 158

Report
Export
Collapse

You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.
Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.
Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.
Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.
Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.
Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.
Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.
Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.
Suggested answer: B

Explanation:

https://youtu.be/MI4iG2GIZMA

asked 18/09/2024
Massimo Magliocca
37 questions

Question 159

Report
Export
Collapse

You discovered that sensitive personally identifiable information (PII) is being ingested to your Google Cloud environment in the daily ETL process from an on-premises environment to your BigQuery datasets. You need to redact this data to obfuscate the PII, but need to re-identify it for data analytics purposes. Which components should you use in your solution? (Choose two.)

Secret Manager
Secret Manager
Cloud Key Management Service
Cloud Key Management Service
Cloud Data Loss Prevention with cryptographic hashing
Cloud Data Loss Prevention with cryptographic hashing
Cloud Data Loss Prevention with automatic text redaction
Cloud Data Loss Prevention with automatic text redaction
Cloud Data Loss Prevention with deterministic encryption using AES-SIV
Cloud Data Loss Prevention with deterministic encryption using AES-SIV
Suggested answer: B, E

Explanation:

B: you need KMS to store the CryptoKey https://cloud.google.com/dlp/docs/reference/rest/v2/projects.deidentifyTemplates#crypt

E: for the de-identity you need to use CryptoReplaceFfxFpeConfig or CryptoDeterministicConfig https://cloud.google.com/dlp/docs/reference/rest/v2/projects.deidentifyTemplates#cryptodeterministicconfig

https://cloud.google.com/dlp/docs/deidentify-sensitive-data

asked 18/09/2024
Rick van der Slot
40 questions

Question 160

Report
Export
Collapse

You are working with a client that is concerned about control of their encryption keys for sensitive data. The client does not want to store encryption keys at rest in the same cloud service provider (CSP) as the data that the keys are encrypting. Which Google Cloud encryption solutions should you recommend to this client? (Choose two.)

Customer-supplied encryption keys.
Customer-supplied encryption keys.
Google default encryption
Google default encryption
Secret Manager
Secret Manager
Cloud External Key Manager
Cloud External Key Manager
Customer-managed encryption keys
Customer-managed encryption keys
Suggested answer: A, D
asked 18/09/2024
Jose ESPINOZA
41 questions
Total 235 questions
Go to page: of 24
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud. What should you do?
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements: The Cloud Storage bucket in Project A can only be readable from Project B. The Cloud Storage bucket in Project A cannot be accessed from outside the network. Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket. What should the security team do?
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements: Only allows communication between the Web and App tiers. Enforces consistent network security when autoscaling the Web and App tiers. Prevents Compute Engine Instance Admins from altering network traffic. What should you do?
You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?
You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?
You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment. How should you prevent and fix this vulnerability?
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on ''in- scope'' Nodes only. These Nodes can only contain the ''in-scope'' Pods. How should the organization achieve this objective?
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior. What should you do to meet these requirements?
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data Loss Prevention API technique should you use to accomplish this?
You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?