ExamGecko
Search Search Login
Home Home / Google / Professional Cloud Security Engineer

Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 6

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud. What should you do?
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data Loss Prevention API technique should you use to accomplish this?
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on ''in- scope'' Nodes only. These Nodes can only contain the ''in-scope'' Pods. How should the organization achieve this objective?
You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior. What should you do to meet these requirements?
You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google- recommended practices. What should you do?
How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements: The Cloud Storage bucket in Project A can only be readable from Project B. The Cloud Storage bucket in Project A cannot be accessed from outside the network. Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket. What should the security team do?
You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements: Only allows communication between the Web and App tiers. Enforces consistent network security when autoscaling the Web and App tiers. Prevents Compute Engine Instance Admins from altering network traffic. What should you do?

Question 51

Report
Export
Collapse

You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project.

What should you do?

A.
Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.
A.
Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.
Answers
B.
Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.
B.
Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.
Answers
C.
In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.
C.
In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.
Answers
D.
In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.
D.
In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.
Answers
Suggested answer: B

Explanation:

Reference: https://cloud.google.com/compute/docs/images/restricting-image-access

Question 52

Report
Export
Collapse

Your team needs to prevent users from creating projects in the organization. Only the DevOps team should be allowed to create projects on behalf of the requester.

Which two tasks should your team perform to handle this request? (Choose two.)

A.
Remove all users from the Project Creator role at the organizational level.
A.
Remove all users from the Project Creator role at the organizational level.
Answers
B.
Create an Organization Policy constraint, and apply it at the organizational level.
B.
Create an Organization Policy constraint, and apply it at the organizational level.
Answers
C.
Grant the Project Editor role at the organizational level to a designated group of users.
C.
Grant the Project Editor role at the organizational level to a designated group of users.
Answers
D.
Add a designated group of users to the Project Creator role at the organizational level.
D.
Add a designated group of users to the Project Creator role at the organizational level.
Answers
E.
Grant the billing account creator role to the designated DevOps team.
E.
Grant the billing account creator role to the designated DevOps team.
Answers
Suggested answer: A, D

Explanation:

https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints

Question 53

Report
Export
Collapse

A customer deployed an application on Compute Engine that takes advantage of the elastic nature of cloud computing.

How can you work with Infrastructure Operations Engineers to best ensure that Windows Compute Engine VMs are up to date with all the latest OS patches?

A.
Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.
A.
Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.
Answers
B.
Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.
B.
Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.
Answers
C.
Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).
C.
Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).
Answers
D.
Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.
D.
Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.
Answers
Suggested answer: A

Explanation:

Compute Engine doesn't automatically update the OS or the software on your deployed instances. You will need to patch or update your deployed Compute Engine instances when necessary. However, in the cloud it is not recommended that you patch or update individual running instances. Instead it is best to patch the image that was used to launch the instance and then replace each affected instance with a new copy.

Question 54

Report
Export
Collapse

Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network.

How should your team design this network?

A.
Create an ingress firewall rule to allow access only from the application to the database using firewall tags.
A.
Create an ingress firewall rule to allow access only from the application to the database using firewall tags.
Answers
B.
Create a different subnet for the frontend application and database to ensure network isolation.
B.
Create a different subnet for the frontend application and database to ensure network isolation.
Answers
C.
Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.
C.
Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.
Answers
D.
Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.
D.
Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.
Answers
Suggested answer: A

Explanation:

'However, even though it is possible to uses tags for target filtering in this manner, we recommend that you use service accounts where possible. Target tags are not access-controlled and can be changed by someone with the instanceAdmin role while VMs are in service. Service accounts are access-controlled, meaning that a specific user must be explicitly authorized to use a service account. There can only be one service account per instance, whereas there can be multiple tags. Also, service accounts assigned to a VM can only be changed when the VM is stopped'

Question 55

Report
Export
Collapse

An organization receives an increasing number of phishing emails.

Which method should be used to protect employee credentials in this situation?

A.
Multifactor Authentication
A.
Multifactor Authentication
Answers
B.
A strict password policy
B.
A strict password policy
Answers
C.
Captcha on login pages
C.
Captcha on login pages
Answers
D.
Encrypted emails
D.
Encrypted emails
Answers
Suggested answer: A

Explanation:

https://cloud.google.com/blog/products/g-suite/7-ways-admins-can-help-secure-accounts-against-phishing-g-suite

https://www.duocircle.com/content/email-security-services/email-security-in-cryptography#:~:text=Customer%20Login-,Email%20Security%20In%20Cryptography%20Is%20One%20Of%20The%20Most,Measures%20To%20Prevent%20Phishing%20Attempts&text=Cybercriminals%20love%20emails%20the%20most,networks%20all%20over%20the%20world.

Question 56

Report
Export
Collapse

A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means.

Which connectivity option should be implemented?

A.
VPC peering
A.
VPC peering
Answers
B.
Cloud VPN
B.
Cloud VPN
Answers
C.
Cloud Interconnect
C.
Cloud Interconnect
Answers
D.
Shared VPC
D.
Shared VPC
Answers
Suggested answer: A

Explanation:

Peering two VPCs does permit traffic to flow between the two shared networks, but it's only bi-directional. Peered VPC networks remain administratively separate.

Question 57

Report
Export
Collapse

Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.

How should your team meet these requirements?

A.
Enable Private Access on the VPC network in the production project.
A.
Enable Private Access on the VPC network in the production project.
Answers
B.
Remove the Editor role and grant the Compute Admin IAM role to the engineers.
B.
Remove the Editor role and grant the Compute Admin IAM role to the engineers.
Answers
C.
Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
C.
Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
Answers
D.
Set up a VPC network with two subnets: one with public IPs and one without public IPs.
D.
Set up a VPC network with two subnets: one with public IPs and one without public IPs.
Answers
Suggested answer: C

Explanation:

https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints#constraints-for-specific-services

Question 58

Report
Export
Collapse

Which two security characteristics are related to the use of VPC peering to connect two VPC networks? (Choose two.)

A.
Central management of routes, firewalls, and VPNs for peered networks
A.
Central management of routes, firewalls, and VPNs for peered networks
Answers
B.
Non-transitive peered networks; where only directly peered networks can communicate
B.
Non-transitive peered networks; where only directly peered networks can communicate
Answers
C.
Ability to peer networks that belong to different Google Cloud Platform organizations
C.
Ability to peer networks that belong to different Google Cloud Platform organizations
Answers
D.
Firewall rules that can be created with a tag from one peered network to another peered network
D.
Firewall rules that can be created with a tag from one peered network to another peered network
Answers
E.
Ability to share specific subnets across peered networks
E.
Ability to share specific subnets across peered networks
Answers
Suggested answer: B, C

Explanation:

https://cloud.google.com/vpc/docs/vpc-peering#key_properties

Question 59

Report
Export
Collapse

A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE).

How should the DevOps team accomplish this?

A.
Use Puppet or Chef to push out the patch to the running container.
A.
Use Puppet or Chef to push out the patch to the running container.
Answers
B.
Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
B.
Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
Answers
C.
Update the application code or apply a patch, build a new image, and redeploy it.
C.
Update the application code or apply a patch, build a new image, and redeploy it.
Answers
D.
Configure containers to automatically upgrade when the base image is available in Container Registry.
D.
Configure containers to automatically upgrade when the base image is available in Container Registry.
Answers
Suggested answer: C

Explanation:

https://cloud.google.com/containers/security

Containers are meant to be immutable, so you deploy a new image in order to make changes. You can simplify patch management by rebuilding your images regularly, so the patch is picked up the next time a container is deployed. Get the full picture of your environment with regular image security reviews.

Question 60

Report
Export
Collapse

A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery

What should you do?

A.
Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.
A.
Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.
Answers
B.
Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.
B.
Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.
Answers
C.
Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.
C.
Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.
Answers
D.
Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.
D.
Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.
Answers
Suggested answer: B

Explanation:

https://cloud.google.com/bigquery/docs/scan-with-dlp

Cloud Data Loss Prevention API allows to detect and redact or remove sensitive data before the comments or reviews are published. Cloud DLP will read information from BigQuery, Cloud Storage or Datastore and scan it for sensitive data.

Total 235 questions
Go to page: of 24
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms