Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 19

Your Google Cloud organization allows for administrative capabilities to be distributed to each team through provision of a Google Cloud project with the Owner role (roles/owner). The organization contains thousands of Google Cloud projects. Security Command Center Premium has surfaced multiple open_mysql_port findings. You are enforcing the guardrails and need to prevent these types of common misconfigurations.

What should you do?

A.
Create a firewall rule for each virtual private cloud (VPC) to deny traffic from 0.0.0.0/0 with priority 0.
B.
Create a hierarchical firewall policy configured at the organization to deny all connections from 0.0.0.0/0.
C.
Create a Google Cloud Armor security policy to deny traffic from 0.0.0.0/0.
D.
Create a hierarchical firewall policy configured at the organization to allow connections only from internal IP ranges.
Suggested answer: B

Your organization must comply with the regulation to keep instance logging data within Europe. Your workloads will be hosted in the Netherlands in region europe-west4 in a new project. You must configure Cloud Logging to keep your data in the country.

What should you do?

A.
Configure the organization policy constraint gcp.resourceLocations to europe-west4.
B.
Set the logging storage region to europe-west4 by using the gcloud CLI logging settings update.
C.
Create a new log bucket in europe-west4, and redirect the _Default bucket to the new bucket.
D.
Configure a log sink to export all logs into a Cloud Storage bucket in europe-west4.
Suggested answer: C

Your organization is rolling out a new continuous integration and delivery (CI/CD) process to deploy infrastructure and applications in Google Cloud. Many teams will use their own instances of the CI/CD workflow. It will run on Google Kubernetes Engine (GKE). The CI/CD pipelines must be designed to securely access Google Cloud APIs.

What should you do?

A.
1. Create a dedicated service account for the CI/CD pipelines.
2. Run the deployment pipelines in a dedicated node pool in the GKE cluster.
3. Use the service account that you created as the identity for the nodes in the pool to authenticate to the Google Cloud APIs.
B.
1. Create service accounts for each deployment pipeline.
2. Generate private keys for the service accounts.
3. Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deploy pipeline.
C.
1. Create individual service accounts for each deployment pipeline.
2. Add an identifier for the pipeline in the service account naming convention.
3. Ensure each pipeline runs on dedicated pods.
4. Use Workload Identity to map a deployment pipeline pod with a service account.
D.
1. Create two service accounts, one for the infrastructure and one for the application deployment.
2. Use workload identities to let the pods run the two pipelines and authenticate with the service accounts.
3. Run the infrastructure and application pipelines in separate namespaces.
Suggested answer: C

Your organization processes sensitive health information. You want to ensure that data is encrypted while in use by the virtual machines (VMs). You must create a policy that is enforced across the entire organization.

What should you do?

A.
Implement an organization policy that ensures that all VM resources created across your organization use customer-managed encryption keys (CMEK) protection.
B.
Implement an organization policy that ensures all VM resources created across your organization are Confidential VM instances.
C.
Implement an organization policy that ensures that all VM resources created across your organization use Cloud External Key Manager (EKM) protection.
D.
No action is necessary because Google encrypts data while it is in use by default.
Suggested answer: A

You are a Cloud Identity administrator for your organization. In your Google Cloud environment, groups are used to manage user permissions. Each application team has a dedicated group. Your team is responsible for creating these groups, and the application teams can manage the team members on their own through the Google Cloud console. You must ensure that the application teams can only add users from within your organization to their groups.

What should you do?

A.
Change the configuration of the relevant groups in the Google Workspace Admin console to prevent external users from being added to the group.
B.
Set an Identity and Access Management (IAM) policy that includes a condition that restricts group membership to user principals that belong to your organization.
C.
Define an Identity and Access Management (IAM) deny policy that denies the assignment of principals that are outside your organization to the groups in scope.
D.
Export the Cloud Identity logs to BigQuery. Configure an alert for external members added to groups. Have the alert trigger a Cloud Function instance that removes the external members from the group.
Suggested answer: B

Your organization wants to be continuously evaluated against the CIS Google Cloud Computing Foundations Benchmark v1.3.0 (CIS Google Cloud Foundation 1.3). Some of the controls are irrelevant to your organization and must be disregarded in evaluation. You need to create an automated system or process to ensure that only the relevant controls are evaluated.

What should you do?

A.
Mark all security findings that are irrelevant with a tag and a value that indicates a security exception. Select all marked findings and mute them on the console every time they appear. Activate Security Command Center (SCC) Premium.
B.
Activate Security Command Center (SCC) Premium. Create a rule to mute the security findings in SCC so they are not evaluated.
C.
Download all findings from Security Command Center (SCC) to a CSV file. Mark the findings that are part of CIS Google Cloud Foundation 1.3 in the file. Ignore the entries that are irrelevant and out of scope for the company.
D.
Ask an external audit company to provide independent reports including the needed CIS benchmarks. In the scope of the audit, clarify that some of the controls are not needed and must be disregarded.
Suggested answer: B

You are routing all your internet facing traffic from Google Cloud through your on-premises internet connection. You want to accomplish this goal securely and with the highest bandwidth possible.

What should you do?

A.
Create an HA VPN connection to Google Cloud. Replace the default 0.0.0.0/0 route.
B.
Create a routing VM in Compute Engine. Configure the default route with the VM as the next hop.
C.
Configure Cloud Interconnect with HA VPN. Replace the default 0.0.0.0/0 route to an on-premises destination.
D.
Configure Cloud Interconnect and route traffic through an on-premises firewall.
Suggested answer: D

Your organization is transitioning to Google Cloud. You want to ensure that only trusted container images are deployed on Google Kubernetes Engine (GKE) clusters in a project. The containers must be deployed from a centrally managed Container Registry and signed by a trusted authority.

What should you do?

Choose 2 answers

A.
Configure the Binary Authorization policy with respective attestations for the project.
B.
Create a custom organization policy constraint to enforce Binary Authorization for Google Kubernetes Engine (GKE).
C.
Enable Container Threat Detection in the Security Command Center (SCC) for the project.
D.
Configure the trusted image organization policy constraint for the project.
E.
Enable Pod Security standards and set them to Restricted.
Suggested answer: A, D

Your organization uses Google Workspace Enterprise Edition for authentication. You are concerned about employees leaving their laptops unattended for extended periods of time after authenticating into Google Cloud. You must prevent malicious people from using an employee's unattended laptop to modify their environment.

What should you do?

A.
Create a policy that requires employees to not leave their sessions open for long durations.
B.
Review and disable unnecessary Google Cloud APIs.
C.
Require strong passwords and 2SV through a security token or Google Authenticator.
D.
Set the session length timeout for Google Cloud services to a shorter duration.
Suggested answer: D

You are migrating an on-premises data warehouse to BigQuery, Cloud SQL, and Cloud Storage. You need to configure security services in the data warehouse. Your company compliance policies mandate that the data warehouse must:

* Protect data at rest with full lifecycle management on cryptographic keys

* Implement a separate key management provider from data management

* Provide visibility into all encryption key requests

What services should be included in the data warehouse implementation?

Choose 2 answers

A.
Customer-managed encryption keys
B.
Customer-Supplied Encryption Keys
C.
Key Access Justifications
D.
Access Transparency and Approval
E.
Cloud External Key Manager
Suggested answer: C, E
Total 235 questions