Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 21

Your organization recently activated the Security Command Center (SCC) Standard tier. There are a few Cloud Storage buckets that were accidentally made accessible to the public. You need to investigate the impact of the incident and remediate it.

What should you do?

A.
1. Remove the Identity and Access Management (IAM) binding that grants access to allUsers from the buckets.
2. Apply the organization policy storage.uniformBucketLevelAccess to prevent regressions.
3. Query the data access logs to report on unauthorized access.
B.
1. Change bucket permissions to limit access.
2. Query the data access audit logs for any unauthorized access to the buckets.
3. After the misconfiguration is corrected, mute the finding in the Security Command Center.
C.
1. Change permissions to limit access to authorized users.
2. Enforce a VPC Service Controls perimeter around all the production projects to immediately stop any unauthorized access.
3. Review the admin activity audit logs to report on any unauthorized access.
D.
1. Change the bucket permissions to limit access.
2. Query the bucket usage logs to report on unauthorized access to the data.
3. Enforce the organization policy storage.publicAccessPrevention to avoid regressions.
Suggested answer: B

Your organization uses top-level folders to separate application environments (prod and dev). The developers need to see all application development audit logs, but they are not permitted to review production logs. Your security team can review all logs in the production and development environments. You must grant Identity and Access Management (IAM) roles at the right resource level for the developers and the security team while ensuring least privilege.

What should you do?

A.
1. Grant the logging.viewer role to the security team at the organization resource level.
2. Grant the logging.viewer role to the developer team at the folder resource level that contains all the dev projects.
B.
1. Grant the logging.viewer role to the security team at the organization resource level.
2. Grant the logging.admin role to the developer team at the organization resource level.
C.
1. Grant the logging.admin role to the security team at the organization resource level.
2. Grant the logging.viewer role to the developer team at the folder resource level that contains all the dev projects.
D.
1. Grant the logging.admin role to the security team at the organization resource level.
2. Grant the logging.admin role to the developer team at the organization resource level.
Suggested answer: A

Your organization's customers must scan and upload their contract and their driver's license into a web portal backed by Cloud Storage. You must remove all personally identifiable information (PII) from files that are older than 12 months. You must also archive the anonymized files for retention purposes.

What should you do?

A.
Set a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PII and moves the files to the Archive storage class.
B.
Create a Cloud Data Loss Prevention (DLP) inspection job that de-identifies PII in files created more than 12 months ago and archives them to another Cloud Storage bucket. Delete the original files.
C.
Schedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys of the Cloud Storage files containing PII to de-identify them. Delete the original keys.
D.
Configure the Autoclass feature of the Cloud Storage bucket to de-identify PII. Archive the files that are older than 12 months. Delete the original files.
Suggested answer: B

After completing a security vulnerability assessment, you learned that cloud administrators leave Google Cloud CLI sessions open for days. You need to reduce the risk of attackers exploiting these open sessions by setting the sessions to the minimum duration.

What should you do?

A.
Set the session duration for Google session control to one hour.
B.
Set the reauthentication frequency for Google Cloud session control to one hour.
C.
Set the organization policy constraint constraints/iam.allowServiceAccountCredentialLifetimeExtension to one hour.
D.
Set the organization policy constraint constraints/iam.serviceAccountKeyExpiryHours to one hour and inheritFromParent to false.
Suggested answer: B

Your application is deployed as a highly available cross-region solution behind a global external HTTP(S) load balancer. You notice significant spikes in traffic from multiple IP addresses, but it is unknown whether the IPs are malicious. You are concerned about your application's availability. You want to limit traffic from these clients over a specified time interval.

What should you do?

A.
Configure a rate_based_ban action by using Google Cloud Armor and set the ban_duration_sec parameter to the specified time interval.
B.
Configure a deny action by using Google Cloud Armor to deny the clients that issued too many requests over the specified time interval.
C.
Configure a throttle action by using Google Cloud Armor to limit the number of requests per client over a specified time interval.
D.
Configure a firewall rule in your VPC to throttle traffic from the identified IP addresses.
Suggested answer: C

You have numerous private virtual machines on Google Cloud. You occasionally need to manage the servers through Secure Shell (SSH) from a remote location. You want to configure remote access to the servers in a manner that optimizes security and cost efficiency.

What should you do?

A.
Create a site-to-site VPN from your corporate network to Google Cloud.
B.
Configure the server instances with public IP addresses. Create a firewall rule to only allow traffic from your corporate IPs.
C.
Create a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range. Grant the IAP-secured Tunnel User role to the administrators.
D.
Create a jump host instance with a public IP. Manage the instances by connecting through the jump host.
Suggested answer: C

Your organization has on-premises hosts that need to access Google Cloud APIs. You must enforce private connectivity between these hosts, minimize costs, and optimize for operational efficiency.

What should you do?

A.
Route all on-premises traffic to Google Cloud through an IPsec VPN tunnel to a VPC with Private Google Access enabled.
B.
Set up VPC peering between the on-premises hosts and the VPC through the internet.
C.
Enforce a security policy that mandates all applications to encrypt data with a Cloud Key Management Service (KMS) key before sending it over the network.
D.
Route all on-premises traffic to Google Cloud through Dedicated Interconnect or Partner Interconnect to a VPC with Private Google Access enabled.
Suggested answer: D

Your organization's record data exists in Cloud Storage. You must retain all record data for at least seven years. This policy must be permanent.

What should you do?

A.
1. Identify buckets with record data.
2. Apply a retention policy and set it to retain for seven years.
3. Monitor the bucket by using log-based alerts to ensure that no modifications to the retention policy occur.
B.
1. Identify buckets with record data.
2. Apply a retention policy and set it to retain for seven years.
3. Remove any Identity and Access Management (IAM) roles that contain the storage.buckets.update permission.
C.
1. Identify buckets with record data.
2. Enable bucket policy only to ensure that data is retained.
3. Enable bucket lock.
D.
1. Identify buckets with record data.
2. Apply a retention policy and set it to retain for seven years.
3. Enable bucket lock.
Suggested answer: D

Your organization wants to protect all workloads that run on Compute Engine VMs to ensure that the instances were not compromised by boot-level or kernel-level malware. You also need to ensure that data in use on the VM cannot be read by the underlying host system, using a hardware-based solution.

What should you do?

A.
1. Use Google Shielded VM, including Secure Boot, Virtual Trusted Platform Module (vTPM), and integrity monitoring.
2. Create a Cloud Run function to check the VM settings and generate metrics, and run the function regularly.
B.
1. Activate Virtual Machine Threat Detection in Security Command Center (SCC) Premium.
2. Monitor the findings in SCC.
C.
1. Use Google Shielded VM, including Secure Boot, Virtual Trusted Platform Module (vTPM), and integrity monitoring.
2. Activate Confidential Computing.
3. Enforce these actions by using organization policies.
D.
1. Use secure hardened images from the Google Cloud Marketplace.
2. When deploying the images, activate the Confidential Computing option.
3. Enforce the use of the correct images and Confidential Computing by using organization policies.
Suggested answer: C

Your company uses Google Cloud and has publicly exposed network assets. You want to discover the assets and perform a security audit on them by using a software tool in the least amount of time.

What should you do?

A.
Run a platform security scanner on all instances in the organization.
B.
Notify Google about the pending audit and wait for confirmation before performing the scan.
C.
Contact a Google-approved security vendor to perform the audit.
D.
Identify all external assets by using Cloud Asset Inventory and then run a network security scanner against them.
Suggested answer: D

Explanation:

Cloud Asset Inventory: Using Cloud Asset Inventory allows you to quickly identify all the external assets and resources in your Google Cloud environment. This includes information about your projects, instances, storage buckets, and more. This step is crucial for understanding the scope of your audit.

Network security scanner: Once you have identified the external assets, you can run a network security scanner to assess their security. Network security scanners can help identify vulnerabilities and potential security risks quickly.

Total 235 questions