ExamGecko
Search Search Login
Home Home / Google / Professional Cloud Security Engineer

Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 2

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud. What should you do?
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data Loss Prevention API technique should you use to accomplish this?
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on ''in- scope'' Nodes only. These Nodes can only contain the ''in-scope'' Pods. How should the organization achieve this objective?
You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior. What should you do to meet these requirements?
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements: Only allows communication between the Web and App tiers. Enforces consistent network security when autoscaling the Web and App tiers. Prevents Compute Engine Instance Admins from altering network traffic. What should you do?
You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google- recommended practices. What should you do?
How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements: The Cloud Storage bucket in Project A can only be readable from Project B. The Cloud Storage bucket in Project A cannot be accessed from outside the network. Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket. What should the security team do?
You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?

Question 11

Report
Export
Collapse

A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.

Which solution should this customer use?

A.
VPC Flow Logs
A.
VPC Flow Logs
Answers
B.
Cloud Armor
B.
Cloud Armor
Answers
C.
DNS Security Extensions
C.
DNS Security Extensions
Answers
D.
Cloud Identity-Aware Proxy
D.
Cloud Identity-Aware Proxy
Answers
Suggested answer: C

Explanation:

DNSSEC --- use a DNS registrar that supports DNSSEC, and enable it. DNSSEC digitally signs DNS communication, making it more difficult (but not impossible) for hackers to intercept and spoof. Domain Name System Security Extensions (DNSSEC) adds security to the Domain Name System (DNS) protocol by enabling DNS responses to be validated. Having a trustworthy Domain Name System (DNS) that translates a domain name like www.example.com into its associated IP address is an increasingly important building block of today's web-based applications. Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records. As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites. https://cloud.google.com/blog/products/gcp/dnssec-now-available-in-cloud-dns

Question 12

Report
Export
Collapse

A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities.

Which service should be used to accomplish this?

A.
Cloud Armor
A.
Cloud Armor
Answers
B.
Google Cloud Audit Logs
B.
Google Cloud Audit Logs
Answers
C.
Cloud Security Scanner
C.
Cloud Security Scanner
Answers
D.
Forseti Security
D.
Forseti Security
Answers
Suggested answer: C

Explanation:

Web Security Scanner supports categories in the OWASP Top Ten, a document that ranks and provides remediation guidance for the top 10 most critical web application security risks, as determined by the Open Web Application Security Project (OWASP). https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview#detectors_and_compliance

Question 13

Report
Export
Collapse

A customer's data science group wants to use Google Cloud Platform (GCP) for their analytics workloads. Company policy dictates that all data must be company-owned and all user authentications must go through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and realized that their domain was already being used by G Suite.

How should you best advise the Systems Engineer to proceed with the least disruption?

A.
Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.
A.
Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.
Answers
B.
Register a new domain name, and use that for the new Cloud Identity domain.
B.
Register a new domain name, and use that for the new Cloud Identity domain.
Answers
C.
Ask Google to provision the data science manager's account as a Super Administrator in the existing domain.
C.
Ask Google to provision the data science manager's account as a Super Administrator in the existing domain.
Answers
D.
Ask customer's management to discover any other uses of Google managed services, and work with the existing Super Administrator.
D.
Ask customer's management to discover any other uses of Google managed services, and work with the existing Super Administrator.
Answers
Suggested answer: D

Explanation:

https://support.google.com/cloudidentity/answer/7389973

Question 14

Report
Export
Collapse

A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects.

Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources.

Which type of access should your team grant to meet this requirement?

A.
Organization Administrator
A.
Organization Administrator
Answers
B.
Security Reviewer
B.
Security Reviewer
Answers
C.
Organization Role Administrator
C.
Organization Role Administrator
Answers
D.
Organization Policy Administrator
D.
Organization Policy Administrator
Answers
Suggested answer: C

Explanation:

Here are the permissions available to organizationRoleAdmin

iam.roles.create

iam.roles.delete

iam.roles.undelete

iam.roles.get

iam.roles.list

iam.roles.update

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

resourcemanager.organizations.get

resourcemanager.organizations.getIamPolicy

There are sufficient as per least privilege policy. You can do user management as well as auditing.

https://cloud.google.com/iam/docs/understanding-custom-roles

Question 15

Report
Export
Collapse

An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege.

Which option meets the requirement of your team?

A.
Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address and allows the application to read from the bucket without credentials.
A.
Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address and allows the application to read from the bucket without credentials.
Answers
B.
Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.
B.
Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.
Answers
C.
Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.
C.
Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.
Answers
D.
Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.
D.
Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.
Answers
Suggested answer: C

Explanation:

If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set, ADC uses the service account key or configuration file that the variable points to. If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, ADC uses the service account that is attached to the resource that is running your code. https://cloud.google.com/docs/authentication/production#passing_the_path_to_the_service_account_key_in_code

Question 16

Report
Export
Collapse

An organization's typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review.

How should you advise this organization?

A.
Use Forseti with Firewall filters to catch any unwanted configurations in production.
A.
Use Forseti with Firewall filters to catch any unwanted configurations in production.
Answers
B.
Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.
B.
Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.
Answers
C.
Route all VPC traffic through customer-managed routers to detect malicious patterns in production.
C.
Route all VPC traffic through customer-managed routers to detect malicious patterns in production.
Answers
D.
All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.
D.
All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.
Answers
Suggested answer: B

Explanation:

https://cloud.google.com/recommender/docs/tutorial-iac

Question 17

Report
Export
Collapse

An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.

Which Cloud Data Loss Prevention API technique should you use to accomplish this?

A.
Generalization
A.
Generalization
Answers
B.
Redaction
B.
Redaction
Answers
C.
CryptoHashConfig
C.
CryptoHashConfig
Answers
D.
CryptoReplaceFfxFpeConfig
D.
CryptoReplaceFfxFpeConfig
Answers
Suggested answer: D

Explanation:

De-identifying sensitive data Cloud Data Loss Prevention (DLP) can de-identify sensitive data in text content, including text stored in container structures such as tables. De-identification is the process of removing identifying information from data. The API detects sensitive data such as personally identifiable information (PII), and then uses a de-identification transformation to mask, delete, or otherwise obscure the data. For example, de-identification techniques can include any of the following: Masking sensitive data by partially or fully replacing characters with a symbol, such as an asterisk (*) or hash (#). Replacing each instance of sensitive data with a token, or surrogate, string. Encrypting and replacing sensitive data using a randomly generated or pre-determined key. When you de-identify data using the CryptoReplaceFfxFpeConfig or CryptoDeterministicConfig infoType transformations, you can re-identify that data, as long as you have the CryptoKey used to originally de-identify the data. https://cloud.google.com/dlp/docs/deidentify-sensitive-data

Question 18

Report
Export
Collapse

An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.

Which Cloud Identity password guidelines can the organization use to inform their new requirements?

A.
Set the minimum length for passwords to be 8 characters.
A.
Set the minimum length for passwords to be 8 characters.
Answers
B.
Set the minimum length for passwords to be 10 characters.
B.
Set the minimum length for passwords to be 10 characters.
Answers
C.
Set the minimum length for passwords to be 12 characters.
C.
Set the minimum length for passwords to be 12 characters.
Answers
D.
Set the minimum length for passwords to be 6 characters.
D.
Set the minimum length for passwords to be 6 characters.
Answers
Suggested answer: A

Explanation:

Default password length is 8 characters. https://support.google.com/cloudidentity/answer/33319?hl=en

https://support.google.com/cloudidentity/answer/139399?hl=en#:~:text=It%20can%20be%20between%208,decide%20to%20change%20their%20password.

Question 19

Report
Export
Collapse

You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.

What should you do?

A.
Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
A.
Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
Answers
B.
Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
B.
Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
Answers
C.
Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
C.
Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
Answers
D.
Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.
D.
Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.
Answers
Suggested answer: A

Explanation:

Envelope Encryption: https://cloud.google.com/kms/docs/envelope-encryption

Here are best practices for managing DEKs:

-Generate DEKs locally.

-When stored, always ensure DEKs are encrypted at rest.

- For easy access, store the DEK near the data that it encrypts.

The DEK is encrypted (also known as wrapped) by a key encryption key (KEK). The process of encrypting a key with another key is known as envelope encryption.

Here are best practices for managing KEKs:

-Store KEKs centrally. (KMS )

-Set the granularity of the DEKs they encrypt based on their use case. For example, consider a workload that requires multiple DEKs to encrypt the workload's data chunks. You could use a single KEK to wrap all DEKs that are responsible for that workload's encryption.

-Rotate keys regularly, and also after a suspected incident.

Question 20

Report
Export
Collapse

How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?

A.
Send all logs to the SIEM system via an existing protocol such as syslog.
A.
Send all logs to the SIEM system via an existing protocol such as syslog.
Answers
B.
Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system.
B.
Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system.
Answers
C.
Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow.
C.
Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow.
Answers
D.
Build a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs.
D.
Build a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs.
Answers
Suggested answer: C

Explanation:

Scenarios for exporting Cloud Logging data: Splunk This scenario shows how to export selected logs from Cloud Logging to Pub/Sub for ingestion into Splunk. Splunk is a security information and event management (SIEM) solution that supports several ways of ingesting data, such as receiving streaming data out of Google Cloud through Splunk HTTP Event Collector (HEC) or by fetching data from Google Cloud APIs through Splunk Add-on for Google Cloud. Using the Pub/Sub to Splunk Dataflow template, you can natively forward logs and events from a Pub/Sub topic into Splunk HEC. If Splunk HEC is not available in your Splunk deployment, you can use the Add-on to collect the logs and events from the Pub/Sub topic. https://cloud.google.com/solutions/exporting-stackdriver-logging-for-splunk

Total 235 questions
Go to page: of 24
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms