ExamGecko
Login
Ask Question

Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 6

List of questions

Question 51

Report
Export
Collapse

You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project.

What should you do?

Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.
Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.
Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.
Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.
In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.
In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.
In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.
In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.
Suggested answer: B

Explanation:

Reference: https://cloud.google.com/compute/docs/images/restricting-image-access

asked 18/09/2024
DAVIDE MCGARR
37 questions

Question 52

Report
Export
Collapse

Your team needs to prevent users from creating projects in the organization. Only the DevOps team should be allowed to create projects on behalf of the requester.

Which two tasks should your team perform to handle this request? (Choose two.)

Remove all users from the Project Creator role at the organizational level.
Remove all users from the Project Creator role at the organizational level.
Create an Organization Policy constraint, and apply it at the organizational level.
Create an Organization Policy constraint, and apply it at the organizational level.
Grant the Project Editor role at the organizational level to a designated group of users.
Grant the Project Editor role at the organizational level to a designated group of users.
Add a designated group of users to the Project Creator role at the organizational level.
Add a designated group of users to the Project Creator role at the organizational level.
Grant the billing account creator role to the designated DevOps team.
Grant the billing account creator role to the designated DevOps team.
Suggested answer: A, D

Explanation:

https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints

asked 18/09/2024
Hernan Rojas
48 questions

Question 53

Report
Export
Collapse

A customer deployed an application on Compute Engine that takes advantage of the elastic nature of cloud computing.

How can you work with Infrastructure Operations Engineers to best ensure that Windows Compute Engine VMs are up to date with all the latest OS patches?

Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.
Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.
Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.
Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.
Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).
Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).
Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.
Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.
Suggested answer: A

Explanation:

Compute Engine doesn't automatically update the OS or the software on your deployed instances. You will need to patch or update your deployed Compute Engine instances when necessary. However, in the cloud it is not recommended that you patch or update individual running instances. Instead it is best to patch the image that was used to launch the instance and then replace each affected instance with a new copy.

asked 18/09/2024
Nivenl Surnder
33 questions

Question 54

Report
Export
Collapse

Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network.

How should your team design this network?

Create an ingress firewall rule to allow access only from the application to the database using firewall tags.
Create an ingress firewall rule to allow access only from the application to the database using firewall tags.
Create a different subnet for the frontend application and database to ensure network isolation.
Create a different subnet for the frontend application and database to ensure network isolation.
Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.
Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.
Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.
Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.
Suggested answer: A

Explanation:

'However, even though it is possible to uses tags for target filtering in this manner, we recommend that you use service accounts where possible. Target tags are not access-controlled and can be changed by someone with the instanceAdmin role while VMs are in service. Service accounts are access-controlled, meaning that a specific user must be explicitly authorized to use a service account. There can only be one service account per instance, whereas there can be multiple tags. Also, service accounts assigned to a VM can only be changed when the VM is stopped'

asked 18/09/2024
Alireza Noura
35 questions

Question 55

Report
Export
Collapse

An organization receives an increasing number of phishing emails.

Which method should be used to protect employee credentials in this situation?

Multifactor Authentication
Multifactor Authentication
A strict password policy
A strict password policy
Captcha on login pages
Captcha on login pages
Encrypted emails
Encrypted emails
Suggested answer: A

Explanation:

https://cloud.google.com/blog/products/g-suite/7-ways-admins-can-help-secure-accounts-against-phishing-g-suite

https://www.duocircle.com/content/email-security-services/email-security-in-cryptography#:~:text=Customer%20Login-,Email%20Security%20In%20Cryptography%20Is%20One%20Of%20The%20Most,Measures%20To%20Prevent%20Phishing%20Attempts&text=Cybercriminals%20love%20emails%20the%20most,networks%20all%20over%20the%20world.

asked 18/09/2024
Issam Boumlic
44 questions

Question 56

Report
Export
Collapse

A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means.

Which connectivity option should be implemented?

VPC peering
VPC peering
Cloud VPN
Cloud VPN
Cloud Interconnect
Cloud Interconnect
Shared VPC
Shared VPC
Suggested answer: A

Explanation:

Peering two VPCs does permit traffic to flow between the two shared networks, but it's only bi-directional. Peered VPC networks remain administratively separate.

asked 18/09/2024
Pawel Lenart
34 questions

Question 57

Report
Export
Collapse

Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.

How should your team meet these requirements?

Enable Private Access on the VPC network in the production project.
Enable Private Access on the VPC network in the production project.
Remove the Editor role and grant the Compute Admin IAM role to the engineers.
Remove the Editor role and grant the Compute Admin IAM role to the engineers.
Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
Set up a VPC network with two subnets: one with public IPs and one without public IPs.
Set up a VPC network with two subnets: one with public IPs and one without public IPs.
Suggested answer: C

Explanation:

https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints#constraints-for-specific-services

asked 18/09/2024
Nicklas Magnusson
40 questions

Question 58

Report
Export
Collapse

Which two security characteristics are related to the use of VPC peering to connect two VPC networks? (Choose two.)

Central management of routes, firewalls, and VPNs for peered networks
Central management of routes, firewalls, and VPNs for peered networks
Non-transitive peered networks; where only directly peered networks can communicate
Non-transitive peered networks; where only directly peered networks can communicate
Ability to peer networks that belong to different Google Cloud Platform organizations
Ability to peer networks that belong to different Google Cloud Platform organizations
Firewall rules that can be created with a tag from one peered network to another peered network
Firewall rules that can be created with a tag from one peered network to another peered network
Ability to share specific subnets across peered networks
Ability to share specific subnets across peered networks
Suggested answer: B, C

Explanation:

https://cloud.google.com/vpc/docs/vpc-peering#key_properties

asked 18/09/2024
Selim OZIS
32 questions

Question 59

Report
Export
Collapse

A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE).

How should the DevOps team accomplish this?

Use Puppet or Chef to push out the patch to the running container.
Use Puppet or Chef to push out the patch to the running container.
Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
Update the application code or apply a patch, build a new image, and redeploy it.
Update the application code or apply a patch, build a new image, and redeploy it.
Configure containers to automatically upgrade when the base image is available in Container Registry.
Configure containers to automatically upgrade when the base image is available in Container Registry.
Suggested answer: C

Explanation:

https://cloud.google.com/containers/security

Containers are meant to be immutable, so you deploy a new image in order to make changes. You can simplify patch management by rebuilding your images regularly, so the patch is picked up the next time a container is deployed. Get the full picture of your environment with regular image security reviews.

asked 18/09/2024
Phillip Roos
49 questions

Question 60

Report
Export
Collapse

A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery

What should you do?

Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.
Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.
Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.
Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.
Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.
Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.
Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.
Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.
Suggested answer: B

Explanation:

https://cloud.google.com/bigquery/docs/scan-with-dlp

Cloud Data Loss Prevention API allows to detect and redact or remove sensitive data before the comments or reviews are published. Cloud DLP will read information from BigQuery, Cloud Storage or Datastore and scan it for sensitive data.

asked 18/09/2024
Geoffrey Vd Molen
41 questions
Total 235 questions
Go to page: of 24
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud. What should you do?
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements: The Cloud Storage bucket in Project A can only be readable from Project B. The Cloud Storage bucket in Project A cannot be accessed from outside the network. Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket. What should the security team do?
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements: Only allows communication between the Web and App tiers. Enforces consistent network security when autoscaling the Web and App tiers. Prevents Compute Engine Instance Admins from altering network traffic. What should you do?
You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?
You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?
You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment. How should you prevent and fix this vulnerability?
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on ''in- scope'' Nodes only. These Nodes can only contain the ''in-scope'' Pods. How should the organization achieve this objective?
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior. What should you do to meet these requirements?
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data Loss Prevention API technique should you use to accomplish this?
You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?