Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 18

You have created an OS image that is hardened per your organization's security standards and is being stored in a project managed by the security team. As a Google Cloud administrator, you need to make sure all VMs in your Google Cloud organization can only use that specific OS image while minimizing operational overhead. What should you do? (Choose two.)

A. Grant users the compute.imageUser role in their own projects.
B. Grant users the compute.imageUser role in the OS image project.
C. Store the image in every project that is spun up in your organization.
D. Set up an image access organization policy constraint, and list the security team managed project in the projects allow list.
E. Remove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.
Suggested answer: B, D

Explanation:

https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints - constraints/compute.trustedImageProjects

This list constraint defines the set of projects that can be used for image storage and disk instantiation for Compute Engine. If this constraint is active, only images from trusted projects will be allowed as the source for boot disks for new instances.

You're developing the incident response plan for your company. You need to define the access strategy that your DevOps team will use when reviewing and investigating a deployment issue in your Google Cloud environment. There are two main requirements:

Least-privilege access must be enforced at all times.

The DevOps team must be able to access the required resources only during the deployment issue.

How should you grant access while following Google-recommended best practices?

A. Assign the Project Viewer Identity and Access Management (IAM) role to the DevOps team.
B. Create a custom IAM role with limited list/view permissions, and assign it to the DevOps team.
C. Create a service account, and grant it the Project Owner IAM role. Give the Service Account User Role on this service account to the DevOps team.
D. Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team.
Suggested answer: D

You are working with a client who plans to migrate their data to Google Cloud. You are responsible for recommending an encryption service to manage their encrypted keys. You have the following requirements:

The master key must be rotated at least once every 45 days.

The solution that stores the master key must be FIPS 140-2 Level 3 validated.

The master key must be stored in multiple regions within the US for redundancy.

Which solution meets these requirements?

A. Customer-managed encryption keys with Cloud Key Management Service
B. Customer-managed encryption keys with Cloud HSM
C. Customer-supplied encryption keys
D. Google-managed encryption keys
Suggested answer: B

Explanation:

https://cloud.google.com/docs/security/key-management-deep-dive https://cloud.google.com/kms/docs/faq

You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your VPCs based on network logs. However, you want to explore your environment using network payloads and headers. Which Google Cloud product should you use?

A. Cloud IDS
B. VPC Service Controls logs
C. VPC Flow Logs
D. Google Cloud Armor
E. Packet Mirroring
Suggested answer: E

Explanation:

https://cloud.google.com/vpc/docs/packet-mirroring

Packet Mirroring clones the traffic of specified instances in your Virtual Private Cloud (VPC) network and forwards it for examination. Packet Mirroring captures all traffic and packet data, including payloads and headers.

You are consulting with a client that requires end-to-end encryption of application data (including data in transit, data in use, and data at rest) within Google Cloud. Which options should you utilize to accomplish this? (Choose two.)

A. External Key Manager
B. Customer-supplied encryption keys
C. Hardware Security Module
D. Confidential Computing and Istio
E. Client-side encryption
Suggested answer: D, E

Explanation:

Google Cloud customers with additional requirements for encryption of data over WAN can choose to implement further protections for data as it moves from a user to an application, or virtual machine to virtual machine. These protections include IPSec tunnels, Gmail S/MIME, managed SSL certificates, and Istio. https://cloud.google.com/docs/security/encryption-in-transit

You need to enforce a security policy in your Google Cloud organization that prevents users from exposing objects in their buckets externally. There are currently no buckets in your organization. Which solution should you implement proactively to achieve this goal with the least operational overhead?

A. Create an hourly cron job to run a Cloud Function that finds public buckets and makes them private.
B. Enable the constraints/storage.publicAccessPrevention constraint at the organization level.
C. Enable the constraints/storage.uniformBucketLevelAccess constraint at the organization level.
D. Create a VPC Service Controls perimeter that protects the storage.googleapis.com service in your projects that contain buckets. Add any new project that contains a bucket to the perimeter.
Suggested answer: B

Explanation:

https://cloud.google.com/storage/docs/public-access-prevention

Public access prevention protects Cloud Storage buckets and objects from being accidentally exposed to the public. If your bucket is contained within an organization, you can enforce public access prevention by using the organization policy constraint storage.publicAccessPrevention at the project, folder, or organization level.

Your company requires the security and network engineering teams to identify all network anomalies and be able to capture payloads within VPCs. Which method should you use?

A. Define an organization policy constraint.
B. Configure packet mirroring policies.
C. Enable VPC Flow Logs on the subnet.
D. Monitor and analyze Cloud Audit Logs.
Suggested answer: B

Explanation:

https://cloud.google.com/vpc/docs/packet-mirroring

Packet Mirroring clones the traffic of specified instances in your Virtual Private Cloud (VPC) network and forwards it for examination. Packet Mirroring captures all traffic and packet data, including payloads and headers.

Your company is moving to Google Cloud. You plan to sync your users first by using Google Cloud Directory Sync (GCDS). Some employees have already created Google Cloud accounts by using their company email addresses that were created outside of GCDS. You must create your users on Cloud Identity.

What should you do?

A. Configure GCDS and use GCDS search rules to sync these users.
B. Use the transfer tool to migrate unmanaged users.
C. Write a custom script to identify existing Google Cloud users and call the Admin SDK Directory API to transfer their account.
D. Configure GCDS and use GCDS exclusion rules to ensure users are not suspended.
Suggested answer: D

Your organization is using GitHub Actions as a continuous integration and delivery (CI/CD) platform. You must enable access to Google Cloud resources from the CI/CD pipelines in the most secure way.

What should you do?

A. Create a service account key and add it to the GitHub pipeline configuration file.
B. Create a service account key and add it to the GitHub repository content.
C. Configure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.
D. Configure workload identity federation to use GitHub as an identity pool provider.
Suggested answer: D

Your company must follow industry-specific regulations. Therefore, you need to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources in the organization called org1.

What command should you execute?

A.
* organization policy: constraints/gcp.restrictStorageNonCmekServices
* binding at: org1
* policy type: deny
* policy value: storage.googleapis.com

B.
* organization policy: constraints/gcp.restrictNonCmekServices
* binding at: org1
* policy type: deny
* policy value: storage.googleapis.com

C.
* organization policy: constraints/gcp.restrictStorageNonCmekServices
* binding at: org1
* policy type: allow
* policy value: all supported services

D.
* organization policy: constraints/gcp.restrictNonCmekServices
* binding at: org1
* policy type: allow
* policy value: storage.googleapis.com
Suggested answer: A