ExamGecko
Search Search Login
Home Home / Google / Professional Cloud Security Engineer

Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 4

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud. What should you do?
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data Loss Prevention API technique should you use to accomplish this?
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on ''in- scope'' Nodes only. These Nodes can only contain the ''in-scope'' Pods. How should the organization achieve this objective?
You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior. What should you do to meet these requirements?
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements: Only allows communication between the Web and App tiers. Enforces consistent network security when autoscaling the Web and App tiers. Prevents Compute Engine Instance Admins from altering network traffic. What should you do?
You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google- recommended practices. What should you do?
How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements: The Cloud Storage bucket in Project A can only be readable from Project B. The Cloud Storage bucket in Project A cannot be accessed from outside the network. Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket. What should the security team do?
You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?

Question 31

Report
Export
Collapse

An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its current data backup and disaster recovery solutions to GCP for later analysis. The organization's production environment will remain on- premises for an indefinite time. The organization wants a scalable and cost-efficient solution.

Which GCP solution should the organization use?

A.
BigQuery using a data pipeline job with continuous updates
A.
BigQuery using a data pipeline job with continuous updates
Answers
B.
Cloud Storage using a scheduled task and gsutil
B.
Cloud Storage using a scheduled task and gsutil
Answers
C.
Compute Engine Virtual Machines using Persistent Disk
C.
Compute Engine Virtual Machines using Persistent Disk
Answers
D.
Cloud Datastore using regularly scheduled batch upload jobs
D.
Cloud Datastore using regularly scheduled batch upload jobs
Answers
Suggested answer: B

Explanation:

https://cloud.google.com/solutions/dr-scenarios-planning-guide#use-cloud-storage-as-part-of-your-daily-backup-routine

Question 32

Report
Export
Collapse

You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google- recommended practices.

What should you do?

A.
Create a new Service account, and give all application users the role of Service Account User.
A.
Create a new Service account, and give all application users the role of Service Account User.
Answers
B.
Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.
B.
Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.
Answers
C.
Use a dedicated G Suite Admin account, and authenticate the application's operations with these G Suite credentials.
C.
Use a dedicated G Suite Admin account, and authenticate the application's operations with these G Suite credentials.
Answers
D.
Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.
D.
Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.
Answers
Suggested answer: D

Explanation:

https://developers.google.com/admin-sdk/directory/v1/guides/delegation

Question 33

Report
Export
Collapse

A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to manage and rotate the encryption keys.

Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?

A.
Customer-supplied encryption keys (CSEK)
A.
Customer-supplied encryption keys (CSEK)
Answers
B.
Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
B.
Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
Answers
C.
Encryption by default
C.
Encryption by default
Answers
D.
Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis
D.
Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis
Answers
Suggested answer: B

Explanation:

Reference https://cloud.google.com/kubernetes-engine/docs/how-to/dynamic-provisioning-cmek

Question 34

Report
Export
Collapse

Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate,

and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud.

What should you do?

A.
Use the Cloud Key Management Service to manage the data encryption key (DEK).
A.
Use the Cloud Key Management Service to manage the data encryption key (DEK).
Answers
B.
Use the Cloud Key Management Service to manage the key encryption key (KEK).
B.
Use the Cloud Key Management Service to manage the key encryption key (KEK).
Answers
C.
Use customer-supplied encryption keys to manage the data encryption key (DEK).
C.
Use customer-supplied encryption keys to manage the data encryption key (DEK).
Answers
D.
Use customer-supplied encryption keys to manage the key encryption key (KEK).
D.
Use customer-supplied encryption keys to manage the key encryption key (KEK).
Answers
Suggested answer: B

Explanation:

This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK). For more information on Google data encryption keys, see Encryption at Rest. https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption

https://codelabs.developers.google.com/codelabs/encrypt-and-decrypt-data-with-cloud-kms#0

Question 35

Report
Export
Collapse

You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.

What should you do?

A.
Use multi-factor authentication for admin access to the web application.
A.
Use multi-factor authentication for admin access to the web application.
Answers
B.
Use only applications certified compliant with PA-DSS.
B.
Use only applications certified compliant with PA-DSS.
Answers
C.
Move the cardholder data environment into a separate GCP project.
C.
Move the cardholder data environment into a separate GCP project.
Answers
D.
Use VPN for all connections between your office and cloud environments.
D.
Use VPN for all connections between your office and cloud environments.
Answers
Suggested answer: C

Explanation:

https://cloud.google.com/solutions/best-practices-vpc-design

'Setting up your payment-processing environment' section in https://cloud.google.com/solutions/pci-dss-compliance-in-gcp.

Question 36

Report
Export
Collapse

A retail customer allows users to upload comments and product reviews. The customer needs to make sure the text does not include sensitive data before the comments or reviews are published.

Which Google Cloud Service should be used to achieve this?

A.
Cloud Key Management Service
A.
Cloud Key Management Service
Answers
B.
Cloud Data Loss Prevention API
B.
Cloud Data Loss Prevention API
Answers
C.
BigQuery
C.
BigQuery
Answers
D.
Cloud Security Scanner
D.
Cloud Security Scanner
Answers
Suggested answer: B

Question 37

Report
Export
Collapse

A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior.

What should you do to meet these requirements?

A.
Create a Folder per department under the Organization. For each department's Folder, assign the Project Viewer role to the Google Group related to that department.
A.
Create a Folder per department under the Organization. For each department's Folder, assign the Project Viewer role to the Google Group related to that department.
Answers
B.
Create a Folder per department under the Organization. For each department's Folder, assign the Project Browser role to the Google Group related to that department.
B.
Create a Folder per department under the Organization. For each department's Folder, assign the Project Browser role to the Google Group related to that department.
Answers
C.
Create a Project per department under the Organization. For each department's Project, assign the Project Viewer role to the Google Group related to that department.
C.
Create a Project per department under the Organization. For each department's Project, assign the Project Viewer role to the Google Group related to that department.
Answers
D.
Create a Project per department under the Organization. For each department's Project, assign the Project Browser role to the Google Group related to that department.
D.
Create a Project per department under the Organization. For each department's Project, assign the Project Browser role to the Google Group related to that department.
Answers
Suggested answer: A

Explanation:

https://cloud.google.com/iam/docs/understanding-roles#project-roles

Question 38

Report
Export
Collapse

A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).

How should the team complete this task?

A.
Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
A.
Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
Answers
B.
Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
B.
Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
Answers
C.
Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
C.
Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
Answers
D.
Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.
D.
Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.
Answers
Suggested answer: B

Explanation:

https://cloud.google.com/storage/docs/encryption/customer-supplied-keys#gsutil

Question 39

Report
Export
Collapse

A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects.

Which two steps should the company take to meet these requirements? (Choose two.)

A.
Create a project with multiple VPC networks for each environment.
A.
Create a project with multiple VPC networks for each environment.
Answers
B.
Create a folder for each development and production environment.
B.
Create a folder for each development and production environment.
Answers
C.
Create a Google Group for the Engineering team, and assign permissions at the folder level.
C.
Create a Google Group for the Engineering team, and assign permissions at the folder level.
Answers
D.
Create an Organizational Policy constraint for each folder environment.
D.
Create an Organizational Policy constraint for each folder environment.
Answers
E.
Create projects for each environment, and grant IAM rights to each engineering user.
E.
Create projects for each environment, and grant IAM rights to each engineering user.
Answers
Suggested answer: B, C

Question 40

Report
Export
Collapse

You want to evaluate GCP for PCI compliance. You need to identify Google's inherent controls.

Which document should you review to find the information?

A.
Google Cloud Platform: Customer Responsibility Matrix
A.
Google Cloud Platform: Customer Responsibility Matrix
Answers
B.
PCI DSS Requirements and Security Assessment Procedures
B.
PCI DSS Requirements and Security Assessment Procedures
Answers
C.
PCI SSC Cloud Computing Guidelines
C.
PCI SSC Cloud Computing Guidelines
Answers
D.
Product documentation for Compute Engine
D.
Product documentation for Compute Engine
Answers
Suggested answer: A

Explanation:

https://cloud.google.com/files/PCI_DSS_Shared_Responsibility_GCP_v32.pdf

https://services.google.com/fh/files/misc/gcp_pci_shared_responsibility_matrix_aug_2021.pdf

Total 235 questions
Go to page: of 24
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms