Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 17
You are implementing data protection by design and in accordance with GDPR requirements. As part of design reviews, you are told that you need to manage the encryption key for a solution that includes workloads for Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. Which option should you choose for this implementation?

A. Cloud External Key Manager
B. Customer-managed encryption keys
C. Customer-supplied encryption keys
D. Google default encryption
Suggested answer: B

Explanation:

https://cloud.google.com/kms/docs/using-other-products#cmek_integrations

CMEK is supported for all of the listed Google services.

Which Identity-Aware Proxy role should you grant to an Identity and Access Management (IAM) user to access HTTPS resources?

A. Security Reviewer
B. IAP-Secured Tunnel User
C. IAP-Secured Web App User
D. Service Broker Operator
Suggested answer: C

Explanation:

IAP-Secured Tunnel User: grants access to tunnel resources that use IAP. IAP-Secured Web App User: grants access to HTTPS resources that use Identity-Aware Proxy, including App Engine, Cloud Run, and Compute Engine resources.

https://cloud.google.com/iap/docs/managing-access#roles

You need to audit the network segmentation for your Google Cloud footprint. You currently operate Production and Non-Production infrastructure-as-a-service (IaaS) environments. All your VM instances are deployed without any service account customization.

After observing the traffic in your custom network, you notice that all instances can communicate freely -- despite tag-based VPC firewall rules in place to segment traffic properly -- with a priority of 1000. What are the most likely reasons for this behavior?

A. All VM instances are missing the respective network tags.
B. All VM instances are residing in the same network subnet.
C. All VM instances are configured with the same network route.
D. A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999.
E. A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 1001.
Suggested answer: A, D

You are creating a new infrastructure CI/CD pipeline to deploy hundreds of ephemeral projects in your Google Cloud organization to enable your users to interact with Google Cloud. You want to restrict the use of the default networks in your organization while following Google-recommended best practices. What should you do?

A. Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
B. Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.
C. Grant your users the IAM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts the compute.googleapis.com API.
D. Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.
Suggested answer: A

Explanation:

Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.

https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints

constraints/compute.skipDefaultNetworkCreation: This boolean constraint skips the creation of the default network and related resources during Google Cloud Platform Project resource creation where this constraint is set to True. By default, a default network and supporting resources are automatically created when creating a Project resource.

You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud. Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.)

A. Use Google default encryption.
B. Manually add users to Google Cloud.
C. Provision users with basic roles using Google's Identity and Access Management (IAM) service.
D. Use SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.
E. Provide granular access with predefined roles.
Suggested answer: D, E

Explanation:

https://cloud.google.com/iam/docs/using-iam-securely#least_privilege

Basic roles include thousands of permissions across all Google Cloud services. In production environments, do not grant basic roles unless there is no alternative. Instead, grant the most limited predefined roles or custom roles that meet your needs.

You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?

A. Use Packet Mirroring to mirror traffic to and from particular VM instances. Perform inspection using security software that analyzes the mirrored traffic.
B. Enable VPC Flow Logs for all subnets in the VPC. Perform inspection on the Flow Logs data using Cloud Logging.
C. Configure the Fluentd agent on each VM instance within the VPC. Perform inspection on the log data using Cloud Logging.
D. Configure Google Cloud Armor access logs to perform inspection on the log data.
Suggested answer: A

Explanation:

https://cloud.google.com/vpc/docs/packet-mirroring

Packet Mirroring clones the traffic of specified instances in your Virtual Private Cloud (VPC) network and forwards it for examination. Packet Mirroring captures all traffic and packet data, including payloads and headers.

You have the following resource hierarchy. There is an organization policy at each node in the hierarchy as shown. Which load balancer types are denied in VPC A?

A. All load balancer types are denied in accordance with the global node's policy.
B. INTERNAL_TCP_UDP and INTERNAL_HTTP_HTTPS are denied in accordance with the folder's policy.
C. EXTERNAL_TCP_PROXY and EXTERNAL_SSL_PROXY are denied in accordance with the project's policy.
D. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder's and project's policies.
Suggested answer: D

Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements:

The Cloud Storage bucket in Project A can only be readable from Project B.

The Cloud Storage bucket in Project A cannot be accessed from outside the network.

Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket.

What should the security team do?

A. Enable domain restricted sharing in an organization policy, and enable uniform bucket-level access on the Cloud Storage bucket.
B. Enable VPC Service Controls, create a perimeter around Projects A and B, and include the Cloud Storage API in the Service Perimeter configuration.
C. Enable Private Access in both Project A and B's networks with strict firewall rules that allow communication between the networks.
D. Enable VPC Peering between Project A and B's networks with strict firewall rules that allow communication between the networks.
Suggested answer: B

Explanation:

VPC Peering is between organizations, not between projects in an organization; that is Shared VPC. In this case, both projects are in the same organization, so having VPC Service Controls around both projects with the necessary rules should be fine.

https://cloud.google.com/vpc-service-controls/docs/overview

You need to create a VPC that enables your security team to control network resources such as firewall rules. How should you configure the network to allow for separation of duties for network resources?

A. Set up multiple VPC networks, and set up multi-NIC virtual appliances to connect the networks.
B. Set up VPC Network Peering, and allow developers to peer their network with a Shared VPC.
C. Set up a VPC in a project. Assign the Compute Network Admin role to the security team, and assign the Compute Admin role to the developers.
D. Set up a Shared VPC where the security team manages the firewall rules, and share the network with developers via service projects.
Suggested answer: D

You are onboarding new users into Cloud Identity and discover that some users have created consumer user accounts using the corporate domain name. How should you manage these consumer user accounts with Cloud Identity?

A. Use Google Cloud Directory Sync to convert the unmanaged user accounts.
B. Create a new managed user account for each consumer user account.
C. Use the transfer tool for unmanaged user accounts.
D. Configure single sign-on using a customer's third-party provider.
Suggested answer: C

Explanation:

https://support.google.com/a/answer/6178640?hl=en

The transfer tool enables you to see what unmanaged users exist, and then invite those unmanaged users to the domain.
