Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 20

You are auditing all your Google Cloud resources in the production project. You want to identify all principals who can change firewall rules.

What should you do?

A.
Use Policy Analyzer to query the permissions compute.firewalls.create, compute.firewalls.update, or compute.firewalls.delete.
B.
Reference the Security Health Analytics - Firewall Vulnerability Findings in the Security Command Center.
C.
Use Policy Analyzer to query the permissions compute.firewalls.get or compute.firewalls.list.
D.
Use Firewall Insights to understand your firewall rules usage patterns.
Suggested answer: A

You manage one of your organization's Google Cloud projects (Project A). A VPC Service Controls (VPC SC) perimeter is blocking API access requests to this project, including Pub/Sub. A resource running under a service account in another project (Project B) needs to collect messages from a Pub/Sub topic in your project. Project B is not included in a VPC SC perimeter. You need to provide access from Project B to the Pub/Sub topic in Project A using the principle of least privilege.

What should you do?

A.
Configure an ingress policy for the perimeter in Project A and allow access for the service account in Project B to collect messages.
B.
Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is located in Project A.
C.
Create a perimeter bridge between Project A and Project B to allow the required communication between both projects.
D.
Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project A.
Suggested answer: A

You run applications on Cloud Run. You already enabled container analysis for vulnerability scanning. However, you are concerned about the lack of control on the applications that are deployed. You must ensure that only trusted container images are deployed on Cloud Run.

What should you do?

Choose 2 answers

A.
Enable Binary Authorization on the existing Kubernetes cluster.
B.
Set the organization policy constraint constraints/run.allowedBinaryAuthorizationPolicies to the list of allowed Binary Authorization policy names.
C.
Set the organization policy constraint constraints/compute.trustedImageProjects to the list of projects that contain the trusted container images.
D.
Enable Binary Authorization on the existing Cloud Run service.
E.
Use Cloud Run breakglass to deploy an image that meets the Binary Authorization policy by default.
Suggested answer: B, D

You have a highly sensitive BigQuery workload that contains personally identifiable information (PII) that you want to ensure is not accessible from the internet. To prevent data exfiltration, only requests from authorized IP addresses are allowed to query your BigQuery tables.

What should you do?

A.
Use service perimeter and create an access level based on the authorized source IP address as the condition.
B.
Use Google Cloud Armor security policies defining an allowlist of authorized IP addresses at the global HTTPS load balancer.
C.
Use the Restrict allowed Google Cloud APIs and services organization policy constraint along with Cloud Data Loss Prevention (DLP).
D.
Use the Restrict Resource service usage organization policy constraint along with Cloud Data Loss Prevention (DLP).
Suggested answer: A

Your organization is moving virtual machines (VMs) to Google Cloud. You must ensure that operating system images that are used across your projects are trusted and meet your security requirements.

What should you do?

A.
Implement an organization policy to enforce that boot disks can only be created from images that come from the trusted image project.
B.
Create a Cloud Function that is automatically triggered when a new virtual machine is created from the trusted image repository. Verify that the image is not deprecated.
C.
Implement an organization policy constraint that enables the Shielded VM service on all projects to enforce the trusted image repository usage.
D.
Automate a security scanner that verifies that no common vulnerabilities and exposures (CVEs) are present in your trusted image repository.
Suggested answer: D

You define central security controls in your Google Cloud environment. For one of the folders in your organization, you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later, you receive an alert about a new VM with an external IP address under that folder.

What could have caused this alert?

A.
The VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.
B.
The organizational policy constraint wasn't properly enforced and is running in 'dry run' mode.
C.
At project level, the organizational policy control has been overwritten with an 'allow' value.
D.
The policy constraint on the folder level does not have any effect because of an 'allow' value for that constraint on the organizational level.
Suggested answer: A

You are using Security Command Center (SCC) to protect your workloads and receive alerts for suspected security breaches at your company. You need to detect cryptocurrency mining software.

Which SCC service should you use?

A.
Container Threat Detection
B.
Web Security Scanner
C.
Rapid Vulnerability Detection
D.
Virtual Machine Threat Detection
Suggested answer: D

Your DevOps team uses Packer to build Compute Engine images by using this process:

1. Create an ephemeral Compute Engine VM.
2. Copy a binary from a Cloud Storage bucket to the VM's file system.
3. Update the VM's package manager.
4. Install external packages from the internet onto the VM.

Your security team just enabled the organizational policy constraints/compute.vmExternalIpAccess to restrict the usage of public IP addresses on VMs. In response, your DevOps team updated their scripts to remove public IP addresses from the Compute Engine VMs; however, the build pipeline is failing due to connectivity issues.

What should you do?

Choose 2 answers

A.
Provision a Cloud NAT instance in the same VPC and region as the Compute Engine VM.
B.
Provision an HTTP load balancer with the VM in an unmanaged instance group to allow inbound connections from the internet to your VM.
C.
Update the VPC routes to allow traffic to and from the internet.
D.
Provision a Cloud VPN tunnel in the same VPC and region as the Compute Engine VM.
E.
Enable Private Google Access on the subnet that the Compute Engine VM is deployed within.
Suggested answer: A, E

Your company recently published a security policy to minimize the usage of service account keys. On-premises Windows-based applications are interacting with Google Cloud APIs. You need to implement Workload Identity Federation (WIF) with your identity provider on-premises.

What should you do?

A.
Set up a workload identity pool with your corporate Active Directory Federation Services (ADFS). Configure a rule to let principals in the pool impersonate the Google Cloud service account.
B.
Set up a workload identity pool with your corporate Active Directory Federation Services (ADFS). Let all principals in the pool impersonate the Google Cloud service account.
C.
Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine. Configure a rule to let principals in the pool impersonate the Google Cloud service account.
D.
Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine. Let all principals in the pool impersonate the Google Cloud service account.
Suggested answer: A

You have stored company approved compute images in a single Google Cloud project that is used as an image repository. This project is protected with VPC Service Controls and exists in the perimeter along with other projects in your organization. This lets other projects deploy images from the image repository project. A team requires deploying a third-party disk image that is stored in an external Google Cloud organization. You need to grant read access to the disk image so that it can be deployed into the perimeter.

What should you do?

A.
1. Update the perimeter.
2. Configure the egressTo field to set identityType to any_identity.
3. Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.
B.
Allow the external project by using the organizational policy constraints/compute.trustedImageProjects.
C.
1. Update the perimeter.
2. Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.
3. Configure the egressFrom field to set identityType to any_identity.
D.
1. Update the perimeter.
2. Configure the ingressFrom field to set identityType to any_identity.
3. Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.
Suggested answer: A