ExamGecko

Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 22

Your organization is using Active Directory and wants to configure Security Assertion Markup Language (SAML). You must set up and enforce single sign-on (SSO) for all users.

What should you do?

A. 1. Manage SAML profile assignments. 2. Enable OpenID Connect (OIDC) in your Active Directory (AD) tenant. 3. Verify the domain.
B. 1. Create a new SAML profile. 2. Upload the X.509 certificate. 3. Enable the change password URL. 4. Configure Entity ID and ACS URL in your IdP.
C. 1. Create a new SAML profile. 2. Populate the sign-in and sign-out page URLs. 3. Upload the X.509 certificate. 4. Configure Entity ID and ACS URL in your IdP.
D. 1. Configure prerequisites for OpenID Connect (OIDC) in your Active Directory (AD) tenant. 2. Verify the AD domain. 3. Decide which users should use SAML. 4. Assign the pre-configured profile to the selected organizational units (OUs) and groups.
Suggested answer: C

Explanation:

In the Google Admin console you create a SAML SSO profile for a third-party identity provider, populate the IdP entity ID and the sign-in and sign-out page URLs, and upload the IdP's X.509 signing certificate so Google can verify the signature on each assertion it receives. The new profile then displays the Google-side Entity ID and Assertion Consumer Service (ACS) URL, which you register in the IdP; with Active Directory that IdP is AD FS (or another SAML IdP backed by AD), since Active Directory itself does not speak SAML. To enforce SSO for all users, assign the profile to the relevant organizational units and groups and turn SSO on for them. Options A and D bring in OpenID Connect, which is a different protocol from SAML, and option B omits the sign-in and sign-out URLs the profile requires while adding the change-password URL, which is optional.
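The four IdP-side values the profile needs (entity ID, sign-in URL, sign-out URL, signing certificate) are all published in the IdP's federation metadata, and copying them by hand is where most SAML setups go wrong (wrong binding, or the encryption certificate uploaded instead of the signing one). The script below is an added example, not code from the original page or from Google; it extracts those values from metadata and prints the certificate's SHA-256 fingerprint so it can be compared against what the admin console shows after upload. SAMPLE_METADATA is a constructed stand-in for the document an AD FS farm publishes at /FederationMetadata/2007-06/FederationMetadata.xml; the host, entity ID and certificate bytes are fabricated, and the "certificates" are not real X.509 DER.

```python
"""Extract the values a Google SAML SSO profile needs from IdP federation metadata.

Added example, not code from the original page. SAMPLE_METADATA is constructed;
the host, entity ID and certificate bytes are placeholders (assumptions).
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder certificate bytes (assumption: not real DER).
SIGNING_DER = b"constructed-signing-certificate-bytes"
ENCRYPTION_DER = b"constructed-encryption-certificate-bytes"

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(SIGNING_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(ENCRYPTION_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="{HTTP_POST}" Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form admin consoles display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as the PEM file the Admin console upload expects."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def endpoint(tag: str):
        # Prefer HTTP-Redirect, the binding a browser-initiated flow uses.
        by_binding = {e.get("Binding"): e.get("Location") for e in idp.findall(f"md:{tag}", NS)}
        return by_binding.get(HTTP_REDIRECT) or by_binding.get(HTTP_POST)

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' serves both purposes; skip encryption-only
        # keys, which must not be uploaded as the signing certificate.
        if kd.get("use", "signing") != "signing":
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if not b64:
            continue
        der = base64.b64decode("".join(b64.split()))
        certs.append({"sha256": sha256_fingerprint(der), "pem": der_to_pem(der)})
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {
        "idp_entity_id": root.get("entityID"),
        "sign_in_url": endpoint("SingleSignOnService"),
        "sign_out_url": endpoint("SingleLogoutService"),
        "signing_certs": certs,
    }


if __name__ == "__main__":
    profile = parse_idp_metadata(SAMPLE_METADATA)
    for key in ("idp_entity_id", "sign_in_url", "sign_out_url"):
        print(f"{key}: {profile[key]}")
    for cert in profile["signing_certs"]:
        print("signing certificate SHA-256:", cert["sha256"])
```

Run it against the metadata URL of a real AD FS farm (fetched over HTTPS from a host you trust) and paste the printed values into the SAML profile; the fingerprint check matters because a metadata document can carry several certificates during a key rollover, and the profile must hold the one currently signing assertions.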

Your customer has an on-premises Public Key Infrastructure (PKI) with a certificate authority (CA). You need to issue certificates for many HTTP load balancer frontends. The on-premises PKI should be minimally affected due to many manual processes, and the solution needs to scale.

What should you do?

A. Use Certificate Manager to issue Google-managed public certificates and configure it at the HTTP load balancers in your infrastructure as code (IaC).
B. Use Certificate Manager to import certificates issued from the on-premises PKI for the frontends. Leverage the gcloud tool for importing.
C. Use a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.
D. Use the web applications with PKCS12 certificates issued from a subordinate CA based on OpenSSL on-premises. Use the gcloud tool for importing. Use the External TCP/UDP Network load balancer instead of an external HTTP Load Balancer.
Suggested answer: C

Explanation:

Create a CA pool in Certificate Authority Service, create a subordinate CA in it and let CA Service generate the CSR (gcloud privateca subordinates create with --create-csr), sign that CSR once with the on-premises root, then activate the subordinate with the signed chain (gcloud privateca subordinates activate --pem-chain). From then on the leaf certificates for the load balancer frontends are issued by CA Service through its API, so the on-premises PKI is touched exactly once and issuance scales with the number of frontends; Certificate Manager can also issue and renew load balancer certificates from that CA pool. Option A uses Google-managed public certificates, which do not chain to the customer's PKI at all; options B and D keep every issuance as a manual on-premises step, and D additionally swaps in a pass-through network load balancer, which does not terminate TLS. One caveat: certificates that chain to a private root are trusted only by clients that have that root installed, which is fine for internal frontends but not for the public internet.

Your organization wants full control of the keys used to encrypt data at rest in their Google Cloud environments. Keys must be generated and stored outside of Google and integrate with many Google Services including BigQuery.

What should you do?

A. Create a Cloud Key Management Service (KMS) key with imported key material. Wrap the key for protection during import. Import the key generated on a trusted system into Cloud KMS.
B. Create a KMS key that is stored on a Google-managed FIPS 140-2 Level 3 Hardware Security Module (HSM). Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.
C. Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module (HSM) system from supported vendors.
D. Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems. Provide the raw CSEK as part of the API call.
Suggested answer: C

Explanation:

With Cloud EKM the key material lives in an external key manager (an HSM or key-management system from a supported partner) outside Google's infrastructure; Cloud KMS stores only a reference to it and calls out to the external manager for every encrypt and decrypt operation, so Google never holds the key. EKM-backed keys are used as customer-managed encryption keys (CMEK) by BigQuery, Cloud Storage, Compute Engine and the other CMEK-integrated services, which meets the integration requirement. Option A imports the key material into Cloud KMS, so Google then stores it; option B is Cloud HSM, where Google generates and stores the key; option D, customer-supplied encryption keys, requires sending the raw key with every request and is supported only by Cloud Storage and Compute Engine, not BigQuery. The practical caveat with EKM is availability: if the external key manager is unreachable, data protected by that key cannot be decrypted.

Your organization wants to be General Data Protection Regulation (GDPR) compliant. You want to ensure that your DevOps teams can only create Google Cloud resources in the Europe regions.

What should you do?

A. Use the org policy constraint 'Restrict Resource Service Usage' on your Google Cloud organization node.
B. Use Identity and Access Management (IAM) custom roles to ensure that your DevOps team can only create resources in the Europe regions.
C. Use the org policy constraint 'Google Cloud Platform - Resource Location Restriction' on your Google Cloud organization node.
D. Use Identity-Aware Proxy (IAP) with Access Context Manager to restrict the location of Google Cloud resources.
Suggested answer: C

Explanation:

The constraint is constraints/gcp.resourceLocations, shown in the console as 'Google Cloud Platform - Resource Location Restriction'. Set on the organization node with the allowed value in:eu-locations, it denies creation of any location-based resource outside the EU regions and multi-regions, and it is inherited by every folder and project below. 'Restrict Resource Service Usage' (constraints/gcp.restrictServiceUsage) limits which services may be used, not where resources are placed, so option A does not answer the question. IAM roles grant permissions and have no notion of region, and Identity-Aware Proxy with Access Context Manager controls who can reach a resource, not where it is created. Note that the constraint applies only to resources that take a location and only to new ones; it does not move existing resources.

https://cloud.google.com/resource-manager/docs/organization-policy/defining-locations
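Once the policy is set, the thing worth checking is that it really confines every project: an allowAll rule, a conditional rule, or a stray non-EU value added later quietly reopens the door. The script below is an added example, not code from the original page or from Google; it audits an exported gcp.resourceLocations policy and evaluates candidate locations against it. POLICY_EXPORT and WEAK_POLICY are constructed to resemble the JSON that gcloud org-policies describe gcp.resourceLocations --organization=ORG_ID --format=json returns (the v2 shape with spec.rules), with a fabricated organization ID. VALUE_GROUPS is a deliberately partial, illustrative subset of Google's in:eu-locations value group and not its authoritative membership, which is documented at the link above.

```python
"""Audit a Resource Location Restriction org policy and test locations against it.

Added example, not from the original page. POLICY_EXPORT, WEAK_POLICY and the
organization ID are constructed; VALUE_GROUPS is a partial, illustrative subset
of Google's in:eu-locations value group (assumption, not the real membership).
"""
import json

CONSTRAINT = "gcp.resourceLocations"

POLICY_EXPORT = json.dumps({
    "name": "organizations/123456789012/policies/gcp.resourceLocations",
    "spec": {"rules": [{"values": {"allowedValues": ["in:eu-locations"]}}]},
})

# A policy that looks set but restricts nothing.
WEAK_POLICY = json.dumps({
    "name": "organizations/123456789012/policies/gcp.resourceLocations",
    "spec": {"rules": [{"allowAll": True}]},
})

# Partial membership for illustration (assumption): the real group covers every
# EU region, its zones, and the multi-regional 'eu' location.
VALUE_GROUPS = {
    "in:eu-locations": {
        "eu",
        "in:europe-west1-locations",
        "in:europe-west4-locations",
        "in:europe-north1-locations",
    },
}


def _matches(value: str, location: str) -> bool:
    """Does one allowed/denied value cover a concrete location string?"""
    if value in VALUE_GROUPS:  # Google-defined value group
        return any(_matches(member, location) for member in VALUE_GROUPS[value])
    if value.startswith("in:") and value.endswith("-locations"):
        name = value[len("in:"):-len("-locations")]
        if not any(ch.isdigit() for ch in name):  # region names carry a digit; groups do not
            raise ValueError(f"unknown value group {value}; extend VALUE_GROUPS")
        # 'in:<region>-locations' covers the region and its zones (europe-west4-a, ...).
        return location == name or location.startswith(name + "-")
    return location == value


def rules(policy_json: str) -> list:
    policy = json.loads(policy_json)
    if not policy.get("name", "").endswith("/policies/" + CONSTRAINT):
        raise ValueError(f"not a {CONSTRAINT} policy")
    return policy.get("spec", {}).get("rules", [])


def location_allowed(location: str, policy_json: str) -> bool:
    """Would creating a resource in `location` pass this policy?"""
    rs = rules(policy_json)
    if not rs:
        return True  # no rule at all means no restriction
    allowed = denied = has_allow_list = False
    for rule in rs:
        if rule.get("allowAll"):
            allowed = True
        if rule.get("denyAll"):
            denied = True
        values = rule.get("values", {})
        if values.get("allowedValues"):
            has_allow_list = True
            allowed = allowed or any(_matches(v, location) for v in values["allowedValues"])
        denied = denied or any(_matches(v, location) for v in values.get("deniedValues", []))
    # A denied match wins; with no allow list present, anything not denied passes.
    return (not denied) and (allowed or not has_allow_list)


def audit_policy(policy_json: str) -> list:
    """Findings that mean the policy does not confine resources to the EU."""
    findings = []
    rs = rules(policy_json)
    if not rs:
        findings.append("no rules: constraint is unenforced")
    for i, rule in enumerate(rs):
        if rule.get("allowAll"):
            findings.append(f"rule {i}: allowAll lifts the restriction")
        if "condition" in rule:
            findings.append(f"rule {i}: conditional rule; check that an unconditional rule still restricts")
        for v in rule.get("values", {}).get("allowedValues", []):
            if v != "in:eu-locations" and v != "eu" and not v.startswith(("in:europe-", "europe-")):
                findings.append(f"rule {i}: allows non-EU value {v!r}")
    return findings


if __name__ == "__main__":
    for label, policy in (("export", POLICY_EXPORT), ("weak", WEAK_POLICY)):
        print(label, "findings:", audit_policy(policy) or "none")
        for loc in ("europe-west4-a", "eu", "us-central1"):
            print(f"  {loc}: {'allowed' if location_allowed(loc, policy) else 'denied'}")
```

The audit is deliberately strict about value prefixes: the point of setting the constraint at the organization node is that nobody below it can widen the list, so anything that is not an EU group or region is a finding to investigate, not something to auto-accept.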

Your organization uses BigQuery to process highly sensitive, structured datasets. Following the 'need to know' principle, you need to create the Identity and Access Management (IAM) design to meet the needs of these users:

* Business user: must access curated reports.

* Data engineer: must administrate the data lifecycle in the platform.

* Security operator: must review user activity on the data platform.

What should you do?

A. Configure data access logs for BigQuery services, and grant the Project Viewer role to security operators.
B. Generate a CSV data file based on the business user's needs, and send the data to their email addresses.
C. Create curated tables in a separate dataset and assign the role roles/bigquery.dataViewer.
D. Set row-based access control based on the 'region' column, and filter the records from the United States for data engineers.
Suggested answer: C

Explanation:

Put the curated tables (or authorized views over the raw tables) in a dataset of their own and grant business users roles/bigquery.dataViewer on that dataset only, so they can read the reports but nothing upstream. Data engineers get roles/bigquery.dataEditor or roles/bigquery.dataOwner on the raw datasets to manage the data lifecycle, and security operators get roles/logging.privateLogViewer so they can read BigQuery's Data Access audit logs (which are always on for BigQuery) without being able to read the data itself. Option A grants Project Viewer, far more than a log reviewer needs; option B moves the data out of the platform and out of the audit trail; option D's row filter does not correspond to any stated requirement.

Your organization operates Virtual Machines (VMs) with only private IPs in the Virtual Private Cloud (VPC), with internet access through Cloud NAT. Every day, you must patch all VMs with critical OS updates and provide summary reports.

What should you do?

A. Validate that the egress firewall rules allow any outgoing traffic. Log in to each VM and execute OS-specific update commands. Configure a Cloud Scheduler job to update with critical patches daily.
B. Ensure that VM Manager is installed and running on the VMs. In the OS patch management service, configure the patch jobs to update with critical patches daily.
C. Assign public IPs to the VMs. Validate that the egress firewall rules allow any outgoing traffic. Log in to each VM and configure a daily cron job to run OS updates at night during low-activity periods.
D. Copy the latest patches to a Cloud Storage bucket. Log in to each VM, download the patches from the bucket, and install them.
Suggested answer: B

Explanation:

VM Manager is a suite of tools for managing operating systems across large fleets of Windows and Linux VMs on Compute Engine. It includes OS patch management, OS inventory management, and OS configuration management: you can apply patches, collect operating system information, and install, remove, or auto-update software packages, with automation instead of per-VM logins. VM Manager requires the OS Config agent on each VM (part of the guest environment) and the enable-osconfig metadata key set to TRUE; with private IPs only, the agent reaches the OS Config API through Private Google Access or, as here, Cloud NAT, which also lets the VMs pull packages from the distribution repositories. A recurring patch deployment (gcloud compute os-config patch-deployments create) applies the critical updates daily, and each patch job records per-VM results that serve as the summary report. Options A, C and D all rely on logging in to each VM, which does not scale, and C also gives the VMs public IPs for no reason.

https://cloud.google.com/compute/docs/vm-manager

A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application. The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud.

What should you do?

A. 1. Enable Container Threat Detection in the Security Command Center Premium tier. 2. Upgrade all clusters that are not on a supported version of GKE to the latest possible GKE version. 3. View and share the results from the Security Command Center.
B. 1. Use an open source tool in Cloud Build to scan the images. 2. Upload reports to publicly accessible buckets in Cloud Storage by using gsutil. 3. Share the scan report link with your security department.
C. 1. Enable vulnerability scanning in the Artifact Registry settings. 2. Use Cloud Build to build the images. 3. Push the images to Artifact Registry for automatic scanning. 4. View the reports in Artifact Registry.
D. 1. Get a GitHub subscription. 2. Build the images in Cloud Build and store them in GitHub for automatic scanning. 3. Download the report from GitHub and share it with the security team.
Suggested answer: C

Explanation:

Artifact Registry's vulnerability scanning (Artifact Analysis) scans an image when it is pushed and rescans it as new vulnerability data arrives. The results are stored as occurrences in the same project, visible in the Artifact Registry console and through gcloud artifacts docker images list-vulnerabilities, and the security team can read them by being granted the Container Analysis Occurrences Viewer role, so nothing leaves Google Cloud. Option A is wrong because Container Threat Detection is a runtime detector: 'The service evaluates all changes and remote access attempts to detect runtime attacks in near-real time' (https://cloud.google.com/security-command-center/docs/concepts-container-threat-detection-overview), which has nothing to do with known vulnerabilities in images. Option B publishes the reports in a publicly accessible bucket, and option D moves the images and the reports outside Google Cloud.
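Viewing the report is the exam answer; in practice the report is consumed by a release gate that decides whether the image may ship. The script below is an added example, not code from the original page or from Google: it summarises scan findings by effective severity (the distro-assigned severity, which can differ from the NVD one) and blocks only on findings that have a fix, so a CVE with no vendor patch is tracked rather than freezing every release. SAMPLE_OCCURRENCES is constructed to resemble the occurrence objects that gcloud artifacts docker images list-vulnerabilities IMAGE_URI --format=json returns (Grafeas VULNERABILITY occurrences); the project, image digest, package versions and CVE IDs (CVE-2099-…) are fabricated placeholders, not real advisories.

```python
"""Summarise Artifact Registry vulnerability scan results and gate a release on them.

Added example, not code from the original page. SAMPLE_OCCURRENCES is constructed
(assumption: shape modelled on Grafeas VULNERABILITY occurrences); the project,
image, versions and CVE IDs are placeholders.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "MINIMAL", "SEVERITY_UNSPECIFIED"]
IMAGE = "https://europe-docker.pkg.dev/example-prj/apps/admin-ui@sha256:0a1b2c3d"  # placeholder


def _occ(num, cve, severity, effective, score, fix, pkg, affected, fixed):
    """Build one constructed occurrence in the scanner's JSON shape."""
    return {
        "name": f"projects/example-prj/occurrences/{num}",
        "kind": "VULNERABILITY",
        "noteName": f"projects/goog-vulnz/notes/{cve}",
        "resourceUri": IMAGE,
        "vulnerability": {
            "severity": severity, "effectiveSeverity": effective, "cvssScore": score,
            "fixAvailable": fix,
            "packageIssue": [{"affectedPackage": pkg, "affectedVersion": {"name": affected},
                              "fixedVersion": fixed, "fixAvailable": fix}],
        },
    }


SAMPLE_OCCURRENCES = json.dumps([
    _occ("0001", "CVE-2099-0001", "CRITICAL", "CRITICAL", 9.8, True,
         "openssl", "3.0.9-1", {"name": "3.0.11-1"}),
    # NVD says CRITICAL, the distro's effective severity is HIGH, and no fix exists yet
    # (Grafeas expresses "no fix" as a fixedVersion of kind MAXIMUM).
    _occ("0002", "CVE-2099-0002", "CRITICAL", "HIGH", 9.1, False,
         "glibc", "2.36-9", {"kind": "MAXIMUM"}),
    _occ("0003", "CVE-2099-0003", "MEDIUM", "MEDIUM", 5.3, True,
         "curl", "7.88.1-10", {"name": "7.88.1-10+deb12u5"}),
])


def load_occurrences(json_text: str) -> list:
    """Keep only vulnerability occurrences (defensive: other kinds may be mixed in)."""
    return [o for o in json.loads(json_text) if o.get("kind") == "VULNERABILITY"]


def cve_id(occ: dict) -> str:
    return occ["noteName"].rsplit("/", 1)[-1]


def effective_severity(occ: dict) -> str:
    v = occ["vulnerability"]
    return v.get("effectiveSeverity") or v.get("severity") or "SEVERITY_UNSPECIFIED"


def summarize(occs: list) -> dict:
    """Counts by effective severity, highest first, omitting empty levels."""
    counts = Counter(effective_severity(o) for o in occs)
    return {s: counts[s] for s in SEVERITY_ORDER if counts[s]}


def gate(occs: list, block_at=("CRITICAL", "HIGH")) -> dict:
    """Block on fixable findings at or above the threshold; report unfixed ones."""
    blocking, unfixed = [], []
    for o in occs:
        sev = effective_severity(o)
        if sev not in block_at:
            continue
        v = o["vulnerability"]
        packages = [
            f"{p['affectedPackage']} {p['affectedVersion']['name']} -> "
            f"{p['fixedVersion'].get('name', 'none')}"
            for p in v.get("packageIssue", [])
        ]
        entry = {"cve": cve_id(o), "severity": sev, "packages": packages}
        (blocking if v.get("fixAvailable") else unfixed).append(entry)
    return {"passed": not blocking, "blocking": blocking, "unfixed": unfixed}


if __name__ == "__main__":
    occs = load_occurrences(SAMPLE_OCCURRENCES)
    print("findings by effective severity:", summarize(occs))
    result = gate(occs)
    for e in result["blocking"]:
        print("BLOCK", e["cve"], e["severity"], "; ".join(e["packages"]))
    for e in result["unfixed"]:
        print("TRACK", e["cve"], e["severity"], "no fix available")
    sys.exit(0 if result["passed"] else 1)
```

Wire it into the Cloud Build step that runs after the push, feeding it the command's JSON output instead of SAMPLE_OCCURRENCES; the non-zero exit fails the build, and the TRACK lines are what goes to the security team's backlog.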

An administrative application is running on a virtual machine (VM) in a managed instance group on port 5601 inside a Virtual Private Cloud (VPC) that currently has no internet access. You want to expose the web interface on port 5601 to users and enforce authentication and authorization with Google credentials.

What should you do?

A. Modify the VPC routing so the default route points to the default internet gateway. Modify the VPC firewall rule to allow access from the internet (0.0.0.0/0) to port 5601 on the application instance.
B. Configure a bastion host with OS Login enabled and allow connections to port 5601 in the VPC firewall. Log in to the bastion host from the Google Cloud console by using SSH-in-browser and then to the web application.
C. Configure an HTTP Load Balancing instance that points to the managed group with Identity-Aware Proxy (IAP) protection using Google credentials. Modify the VPC firewall to allow access from the IAP network range.
D. Configure a Secure Shell (SSH) bastion host in a public network, and allow only the bastion host to connect to the application on port 5601. Use the bastion host as a jump host to connect to the application.
Suggested answer: C

Explanation:

Putting the managed instance group behind an external HTTP(S) load balancer and enabling Identity-Aware Proxy on its backend service means every request is authenticated against a Google identity and authorized through the roles/iap.httpsResourceAccessor role before it reaches the VMs, which keep their private IPs. The firewall must admit the load balancer proxy and health-check ranges (130.211.0.0/22 and 35.191.0.0/16) to port 5601 and nothing else, so the application cannot be reached around IAP; the application should also verify the signed x-goog-iap-jwt-assertion header rather than trusting identity headers blindly. Option A exposes port 5601 to the internet with no authentication, and options B and D authenticate SSH to a bastion but place no Google-credential check on the web interface itself.

Your company is concerned about unauthorized parties gaining access to the Google Cloud environment by using a fake login page. You must implement a solution to protect against person-in-the-middle attacks.

Which security measure should you use?

A. Text message or phone call code
B. Security key
C. Google Authenticator application
D. Google prompt
Suggested answer: B

Explanation:

A security key (FIDO U2F or WebAuthn) is a physical device used for two-step verification, and it binds each authentication response to the origin the browser is actually talking to: the key never signs for a domain other than the legitimate one, so a response captured by a fake login page is useless to the attacker's real session. That origin binding is what defeats phishing and person-in-the-middle relays. SMS or phone-call codes, Google Authenticator codes and Google prompts can all be relayed in real time by a proxying phishing page, because none of them is tied to the origin.

Your organization previously stored files in Cloud Storage by using Google-managed encryption keys (GMEK), but has recently updated the internal policy to require customer-managed encryption keys (CMEK). You need to re-encrypt the files quickly and efficiently with minimal cost.

What should you do?

A. Encrypt the files locally, and then use gsutil to upload the files to a new bucket.
B. Copy the files to a new bucket with CMEK enabled in a secondary region.
C. Re-upload the files to the same Cloud Storage bucket, specifying a key file by using gsutil.
D. Change the encryption type on the bucket to CMEK, and rewrite the objects.
Suggested answer: D

Explanation:

Set the bucket's default key to the CMEK (gsutil kms encryption -k KEY gs://BUCKET), then rewrite the objects in place (gsutil rewrite -k KEY -r gs://BUCKET). The rewrite runs server-side inside Cloud Storage, so no data is downloaded, re-uploaded or copied to another region, which keeps cost and time to a minimum. Changing the bucket default alone is not enough: it only affects new writes, so existing objects stay under Google-managed keys until they are rewritten. Before running the rewrite, grant the Cloud Storage service agent roles/cloudkms.cryptoKeyEncrypterDecrypter on the key, or every rewrite fails. Options A and C push the data through the client, and option B copies it to a second region, which is slower and costs more.

https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys

Total 235 questions