ExamGecko
Login
Ask Question

Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 5

List of questions

Question 41

Report
Export
Collapse

Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation.

What should you do?

Store the data in a single Persistent Disk, and delete the disk at expiration time.
Store the data in a single Persistent Disk, and delete the disk at expiration time.
Store the data in a single BigQuery table and set the appropriate table expiration time.
Store the data in a single BigQuery table and set the appropriate table expiration time.
Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.
Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.
Store the data in a single BigTable table and set an expiration time on the column families.
Store the data in a single BigTable table and set an expiration time on the column families.
Suggested answer: C

Explanation:

'To support common use cases like setting a Time to Live (TTL) for objects, retaining noncurrent versions of objects, or 'downgrading' storage classes of objects to help manage costs, Cloud Storage offers the Object Lifecycle Management feature. This page describes the feature as well as the options available when using it. To learn how to enable Object Lifecycle Management, and for examples of lifecycle policies, see Managing Lifecycles.' https://cloud.google.com/storage/docs/lifecycle

asked 18/09/2024
Andre van Mierlo
37 questions

Question 42

Report
Export
Collapse

A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.

What should they do?

Use Cloud Build to build the container images.
Use Cloud Build to build the container images.
Build small containers using small base images.
Build small containers using small base images.
Delete non-used versions from Container Registry.
Delete non-used versions from Container Registry.
Use a Continuous Delivery tool to deploy the application.
Use a Continuous Delivery tool to deploy the application.
Suggested answer: B

Explanation:

Small containers usually have a smaller attack surface as compared to containers that use large base images. https://cloud.google.com/blog/products/gcp/kubernetes-best-practices-how-and-why-to-build-small-container-images

asked 18/09/2024
ALAEDDINE BENMAKHLOUF
46 questions

Question 43

Report
Export
Collapse

While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.

What should you do?

Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.
Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.
Suggested answer: B

Explanation:

https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-configuring-single-sign-on

asked 18/09/2024
Cheri Brown
33 questions

Question 44

Report
Export
Collapse

Your company is using GSuite and has developed an application meant for internal usage on Google App Engine. You need to make sure that an external user cannot gain access to the application even when an employee's password has been compromised.

What should you do?

Enforce 2-factor authentication in GSuite for all users.
Enforce 2-factor authentication in GSuite for all users.
Configure Cloud Identity-Aware Proxy for the App Engine Application.
Configure Cloud Identity-Aware Proxy for the App Engine Application.
Provision user passwords using GSuite Password Sync.
Provision user passwords using GSuite Password Sync.
Configure Cloud VPN between your private network and GCP.
Configure Cloud VPN between your private network and GCP.
Suggested answer: A

Explanation:

https://docs.google.com/document/d/11o3e14tyhnT7w45Q8-r9ZmTAfj2WUNUpJPZImrxm_F4/edit?usp=sharing

https://support.google.com/a/answer/175197?hl=en

asked 18/09/2024
andrea rosi
44 questions

Question 45

Report
Export
Collapse

A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in BigQuery.

What technique should the institution use?

Use Cloud Storage as a federated Data Source.
Use Cloud Storage as a federated Data Source.
Use a Cloud Hardware Security Module (Cloud HSM).
Use a Cloud Hardware Security Module (Cloud HSM).
Customer-managed encryption keys (CMEK).
Customer-managed encryption keys (CMEK).
Customer-supplied encryption keys (CSEK).
Customer-supplied encryption keys (CSEK).
Suggested answer: C

Explanation:

If you want to manage the key encryption keys used for your data at rest, instead of having Google manage the keys, use Cloud Key Management Service to manage your keys. This scenario is known as customer-managed encryption keys (CMEK). https://cloud.google.com/bigquery/docs/encryption-at-rest

asked 18/09/2024
Alex Agenjo Fernandez
26 questions

Question 46

Report
Export
Collapse

A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places.

Which Storage solution are they allowed to use?

Cloud Bigtable
Cloud Bigtable
Cloud BigQuery
Cloud BigQuery
Compute Engine SSD Disk
Compute Engine SSD Disk
Compute Engine Persistent Disk
Compute Engine Persistent Disk
Suggested answer: B

Explanation:

https://cloud.google.com/bigquery#:~:text=BigQuery%20transparently%20and%20automatically%20provides,charge%20and%20no%20additional%20setup.&text=BigQuery%20also%20provides%20ODBC%20and,interact%20with%20its%20powerful%20engine.

asked 18/09/2024
Ali S Zahedi
40 questions

Question 47

Report
Export
Collapse

A large e-retailer is moving to Google Cloud Platform with its ecommerce website. The company wants to ensure payment information is encrypted between the customer's browser and GCP when the customers checkout online.

What should they do?

Configure an SSL Certificate on an L7 Load Balancer and require encryption.
Configure an SSL Certificate on an L7 Load Balancer and require encryption.
Configure an SSL Certificate on a Network TCP Load Balancer and require encryption.
Configure an SSL Certificate on a Network TCP Load Balancer and require encryption.
Configure the firewall to allow inbound traffic on port 443, and block all other inbound traffic.
Configure the firewall to allow inbound traffic on port 443, and block all other inbound traffic.
Configure the firewall to allow outbound traffic on port 443, and block all other outbound traffic.
Configure the firewall to allow outbound traffic on port 443, and block all other outbound traffic.
Suggested answer: A

Explanation:

https://cloud.google.com/load-balancing/docs/load-balancing-overview#external_versus_internal_load_balancing

asked 18/09/2024
Ian Wilson
45 questions

Question 48

Report
Export
Collapse

Applications often require access to ''secrets'' - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of ''who did what, where, and when?'' within their GCP projects.

Which two log streams would provide the information that the administrator is looking for? (Choose two.)

Admin Activity logs
Admin Activity logs
System Event logs
System Event logs
Data Access logs
Data Access logs
VPC Flow logs
VPC Flow logs
Agent logs
Agent logs
Suggested answer: A, C

Explanation:

https://cloud.google.com/secret-manager/docs/audit-logging

asked 18/09/2024
Fernando Pereira dos Santos
39 questions

Question 49

Report
Export
Collapse

You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk.

What should you do?

Migrate the application into an isolated project using a ''Lift & Shift'' approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
Migrate the application into an isolated project using a ''Lift & Shift'' approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
Migrate the application into an isolated project using a ''Lift & Shift'' approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.
Migrate the application into an isolated project using a ''Lift & Shift'' approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.
Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project. Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project. Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
Suggested answer: A

Explanation:

Migrate the application into an isolated project using a 'Lift & Shift' approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

asked 18/09/2024
Josef Anwar Panerio
37 questions

Question 50

Report
Export
Collapse

Your company has deployed an application on Compute Engine. The application is accessible by clients on port 587. You need to balance the load between the different instances running the application. The connection should be secured using TLS, and terminated by the Load Balancer.

What type of Load Balancing should you use?

Network Load Balancing
Network Load Balancing
HTTP(S) Load Balancing
HTTP(S) Load Balancing
TCP Proxy Load Balancing
TCP Proxy Load Balancing
SSL Proxy Load Balancing
SSL Proxy Load Balancing
Suggested answer: D

Explanation:

https://cloud.google.com/load-balancing/docs/ssl - SSL Proxy Load Balancing is a reverse proxy load balancer that distributes SSL traffic coming from the internet to virtual machine (VM) instances in your Google Cloud VPC network.

asked 18/09/2024
Johan Benavides
42 questions
Total 235 questions
Go to page: of 24
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud. What should you do?
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements: The Cloud Storage bucket in Project A can only be readable from Project B. The Cloud Storage bucket in Project A cannot be accessed from outside the network. Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket. What should the security team do?
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements: Only allows communication between the Web and App tiers. Enforces consistent network security when autoscaling the Web and App tiers. Prevents Compute Engine Instance Admins from altering network traffic. What should you do?
You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?
You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?
You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment. How should you prevent and fix this vulnerability?
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on ''in- scope'' Nodes only. These Nodes can only contain the ''in-scope'' Pods. How should the organization achieve this objective?
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior. What should you do to meet these requirements?
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data Loss Prevention API technique should you use to accomplish this?
You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?