ExamGecko
Search Search Login
Home Home / Google / Professional Cloud Security Engineer

Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 3

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud. What should you do?
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data Loss Prevention API technique should you use to accomplish this?
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on ''in- scope'' Nodes only. These Nodes can only contain the ''in-scope'' Pods. How should the organization achieve this objective?
You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior. What should you do to meet these requirements?
You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google- recommended practices. What should you do?
How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements: The Cloud Storage bucket in Project A can only be readable from Project B. The Cloud Storage bucket in Project A cannot be accessed from outside the network. Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket. What should the security team do?
You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements: Only allows communication between the Web and App tiers. Enforces consistent network security when autoscaling the Web and App tiers. Prevents Compute Engine Instance Admins from altering network traffic. What should you do?

Question 21

Report
Export
Collapse

In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.

Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)

A.
App Engine
A.
App Engine
Answers
B.
Cloud Functions
B.
Cloud Functions
Answers
C.
Compute Engine
C.
Compute Engine
Answers
D.
Google Kubernetes Engine
D.
Google Kubernetes Engine
Answers
E.
Cloud Storage
E.
Cloud Storage
Answers
Suggested answer: C, D

Explanation:

App Engine ingress firewall rules are available, but egress rules are not currently available. Per requirements 1.2.1 and 1.3.4, you must ensure that all outbound traffic is authorized. SAQ A-EP and SAQ D--type merchants must provide compensating controls or use a different Google Cloud product. Compute Engine and GKE are the preferred alternatives. https://cloud.google.com/solutions/pci-dss-compliance-in-gcp

Question 22

Report
Export
Collapse

A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location.

Which solution will restrict access to the in-progress sites?

A.
Upload an .htaccess file containing the customer and employee user accounts to App Engine.
A.
Upload an .htaccess file containing the customer and employee user accounts to App Engine.
Answers
B.
Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic.
B.
Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic.
Answers
C.
Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts.
C.
Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts.
Answers
D.
Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the company's GCP Virtual Private Cloud (VPC) network.
D.
Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the company's GCP Virtual Private Cloud (VPC) network.
Answers
Suggested answer: C

Explanation:

https://cloud.google.com/iap/docs/concepts-overview#when_to_use_iap

Question 23

Report
Export
Collapse

When working with agents in a support center via online chat, an organization's customers often share pictures of their documents with personally identifiable information (PII). The organization that owns the support center is concerned that the PII is being stored in their databases as part of the regular chat logs they retain for review by internal or external analysts for customer service trend analysis.

Which Google Cloud solution should the organization use to help resolve this concern for the customer while still maintaining data utility?

A.
Use Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.
A.
Use Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.
Answers
B.
Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.
B.
Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.
Answers
C.
Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.
C.
Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.
Answers
D.
Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.
D.
Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.
Answers
Suggested answer: C

Explanation:

https://cloud.google.com/dlp/docs/concepts-image-redaction

Question 24

Report
Export
Collapse

A company's application is deployed with a user-managed Service Account key. You want to use Google- recommended practices to rotate the key.

What should you do?

A.
Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam- account=IAM_ACCOUNT.
A.
Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam- account=IAM_ACCOUNT.
Answers
B.
Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam- account=IAM_ACCOUNT --key=NEW_KEY.
B.
Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam- account=IAM_ACCOUNT --key=NEW_KEY.
Answers
C.
Create a new key, and use the new key in the application. Delete the old key from the Service Account.
C.
Create a new key, and use the new key in the application. Delete the old key from the Service Account.
Answers
D.
Create a new key, and use the new key in the application. Store the old key on the system as a backup key.
D.
Create a new key, and use the new key in the application. Store the old key on the system as a backup key.
Answers
Suggested answer: C

Explanation:

You can rotate a key by creating a new key, updating applications to use the new key, and deleting the old key. Use the serviceAccount.keys.create() method and serviceAccount.keys.delete() method together to automate the rotation.

Question 25

Report
Export
Collapse

Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team.

Which type of networking design should your team use to meet these requirements?

A.
Shared VPC Network with a host project and service projects
A.
Shared VPC Network with a host project and service projects
Answers
B.
Grant Compute Admin role to the networking team for each engineering project
B.
Grant Compute Admin role to the networking team for each engineering project
Answers
C.
VPC peering between all engineering projects using a hub and spoke model
C.
VPC peering between all engineering projects using a hub and spoke model
Answers
D.
Cloud VPN Gateway between all engineering projects using a hub and spoke model
D.
Cloud VPN Gateway between all engineering projects using a hub and spoke model
Answers
Suggested answer: A

Explanation:

Use Shared VPC to connect to a common VPC network. Resources in those projects can communicate with each other securely and efficiently across project boundaries using internal IPs. You can manage shared network resources, such as subnets, routes, and firewalls, from a central host project, enabling you to apply and enforce consistent network policies across the projects.

Question 26

Report
Export
Collapse

An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organization's risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibility model between the organization and Google Cloud.

What solution would help meet the requirements?

A.
Ensure that firewall rules are in place to meet the required controls.
A.
Ensure that firewall rules are in place to meet the required controls.
Answers
B.
Set up Cloud Armor to ensure that network security controls can be managed for G Suite.
B.
Set up Cloud Armor to ensure that network security controls can be managed for G Suite.
Answers
C.
Network security is a built-in solution and Google's Cloud responsibility for SaaS products like G Suite.
C.
Network security is a built-in solution and Google's Cloud responsibility for SaaS products like G Suite.
Answers
D.
Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation.
D.
Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation.
Answers
Suggested answer: C

Explanation:

https://gsuite.google.com/learn-more/security/security-whitepaper/page-1.html

Shared responsibility ''Security of the Cloud'' - GCP is responsible for protecting the infrastructure that runs all of the services offered in the GCP Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run GCP Cloud services.

Question 27

Report
Export
Collapse

A customer's company has multiple business units. Each business unit operates independently, and each has their own engineering group. Your team wants visibility into all projects created within the company and wants to organize their Google Cloud Platform (GCP) projects based on different business units. Each business unit also requires separate sets of IAM permissions.

Which strategy should you use to meet these needs?

A.
Create an organization node, and assign folders for each business unit.
A.
Create an organization node, and assign folders for each business unit.
Answers
B.
Establish standalone projects for each business unit, using gmail.com accounts.
B.
Establish standalone projects for each business unit, using gmail.com accounts.
Answers
C.
Assign GCP resources in a project, with a label identifying which business unit owns the resource.
C.
Assign GCP resources in a project, with a label identifying which business unit owns the resource.
Answers
D.
Assign GCP resources in a VPC for each business unit to separate network access.
D.
Assign GCP resources in a VPC for each business unit to separate network access.
Answers
Suggested answer: A

Explanation:

Refer to: https://cloud.google.com/resource-manager/docs/listing-all-resources

Also: https://wideops.com/mapping-your-organization-with-the-google-cloud-platform-resource-hierarchy/

Question 28

Report
Export
Collapse

A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location.

How should the company accomplish this?

A.
Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.
A.
Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.
Answers
B.
Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.
B.
Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.
Answers
C.
Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.
C.
Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.
Answers
D.
Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.
D.
Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.
Answers
Suggested answer: A

Explanation:

https://cloud.google.com/load-balancing/docs/tcp

TCP Proxy Load Balancing is implemented on GFEs that are distributed globally. If you choose the Premium Tier of Network Service Tiers, a TCP proxy load balancer is global. In Premium Tier, you can deploy backends in multiple regions, and the load balancer automatically directs user traffic to the closest region that has capacity. If you choose the Standard Tier, a TCP proxy load balancer can only direct traffic among backends in a single region. https://cloud.google.com/load-balancing/docs/load-balancing-overview#tcp-proxy-load-balancing

Question 29

Report
Export
Collapse

Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.

What should your team grant to Engineering Group A to meet this requirement?

A.
Compute Network User Role at the host project level.
A.
Compute Network User Role at the host project level.
Answers
B.
Compute Network User Role at the subnet level.
B.
Compute Network User Role at the subnet level.
Answers
C.
Compute Shared VPC Admin Role at the host project level.
C.
Compute Shared VPC Admin Role at the host project level.
Answers
D.
Compute Shared VPC Admin Role at the service project level.
D.
Compute Shared VPC Admin Role at the service project level.
Answers
Suggested answer: B

Explanation:

https://cloud.google.com/vpc/docs/shared-vpc#svc_proj_admins

https://cloud.google.com/vpc/docs/shared-vpc#svc_proj_admins

Question 30

Report
Export
Collapse

A company migrated their entire data/center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time.

What should you do?

A.
Use Resource Manager on the organization level.
A.
Use Resource Manager on the organization level.
Answers
B.
Use Forseti Security to automate inventory snapshots.
B.
Use Forseti Security to automate inventory snapshots.
Answers
C.
Use Stackdriver to create a dashboard across all projects.
C.
Use Stackdriver to create a dashboard across all projects.
Answers
D.
Use Security Command Center to view all assets across the organization.
D.
Use Security Command Center to view all assets across the organization.
Answers
Suggested answer: B

Explanation:

Only Forseti security can have both 'past' and 'present' (i.e. historical) records of the resources. https://forsetisecurity.org/about/

Total 235 questions
Go to page: of 24
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms