ExamGecko
Login
Ask Question

Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 8

List of questions

Question 71

Report
Export
Collapse

You will create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.

What should you do?

Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.
Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.
Create a custom role with the permission compute.instances.list and grant the Service Account this role.
Create a custom role with the permission compute.instances.list and grant the Service Account this role.
Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.
Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.
Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.
Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.
Suggested answer: B

Explanation:

https://cloud.google.com/compute/docs/access/iam

asked 18/09/2024
Vidana Weerasinghe
43 questions

Question 72

Report
Export
Collapse

In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.)

Hardware
Hardware
Network Security
Network Security
Storage Encryption
Storage Encryption
Access Policies
Access Policies
Boot
Boot
Suggested answer: B, D

Explanation:

https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-the-shared-responsibility-model-in-gke-container-security-shared-responsibility-model-gke

asked 18/09/2024
Darin Ambrose
40 questions

Question 73

Report
Export
Collapse

An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.

Which GCP solution should the organization use?

BigQuery using a data pipeline job with continuous updates via Cloud VPN
BigQuery using a data pipeline job with continuous updates via Cloud VPN
Cloud Storage using a scheduled task and gsutil via Cloud Interconnect
Cloud Storage using a scheduled task and gsutil via Cloud Interconnect
Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect
Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect
Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN
Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN
Suggested answer: B

Explanation:

https://cloud.google.com/solutions/dr-scenarios-for-data#production_environment_is_on-premises

https://medium.com/@pvergadia/cold-disaster-recovery-on-google-cloud-for-applications-running-on-premises-114b31933d02

asked 18/09/2024
Walter van der Heijden
42 questions

Question 74

Report
Export
Collapse

What are the steps to encrypt data using envelope encryption?

Generate a data encryption key (DEK) locally. Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK. Store the encrypted data and the wrapped KEK.
Generate a data encryption key (DEK) locally. Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK. Store the encrypted data and the wrapped KEK.
Generate a key encryption key (KEK) locally. Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK. Store the encrypted data and the wrapped DEK.
Generate a key encryption key (KEK) locally. Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK. Store the encrypted data and the wrapped DEK.
Generate a data encryption key (DEK) locally. Encrypt data with the DEK. Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.
Generate a data encryption key (DEK) locally. Encrypt data with the DEK. Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.
Generate a key encryption key (KEK) locally. Generate a data encryption key (DEK) locally. Encrypt data with the KEK. Store the encrypted data and the wrapped DEK.
Generate a key encryption key (KEK) locally. Generate a data encryption key (DEK) locally. Encrypt data with the KEK. Store the encrypted data and the wrapped DEK.
Suggested answer: C

Explanation:

The process of encrypting data is to generate a DEK locally, encrypt data with the DEK, use a KEK to wrap the DEK, and then store the encrypted data and the wrapped DEK. The KEK never leaves Cloud KMS. https://cloud.google.com/kms/docs/envelope-encryption#how_to_encrypt_data_using_envelope_encryption

asked 18/09/2024
Miguel Pinar Guruceta
43 questions

Question 75

Report
Export
Collapse

A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can only be accessed by someone on the corporate network. The customer wants to make it available over the internet. Your team requires an authentication layer in front of the application that supports two-factor authentication

Which GCP product should the customer implement to meet these requirements?

Cloud Identity-Aware Proxy
Cloud Identity-Aware Proxy
Cloud Armor
Cloud Armor
Cloud Endpoints
Cloud Endpoints
Cloud VPN
Cloud VPN
Suggested answer: A

Explanation:

Cloud IAP is integrated with Google Sign-in which Multi-factor authentication can be enabled. https://cloud.google.com/iap/docs/concepts-overview

asked 18/09/2024
Rahul Chugh
38 questions

Question 76

Report
Export
Collapse

Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.

What should you do?

Use the Cloud Key Management Service to manage a data encryption key (DEK).
Use the Cloud Key Management Service to manage a data encryption key (DEK).
Use the Cloud Key Management Service to manage a key encryption key (KEK).
Use the Cloud Key Management Service to manage a key encryption key (KEK).
Use customer-supplied encryption keys to manage the data encryption key (DEK).
Use customer-supplied encryption keys to manage the data encryption key (DEK).
Use customer-supplied encryption keys to manage the key encryption key (KEK).
Use customer-supplied encryption keys to manage the key encryption key (KEK).
Suggested answer: C

Explanation:

This is a Customer-supplied encryption keys (CSEK). We generate our own encryption key and manage it on-premises. A KEK never leaves Cloud KMS.There is no KEK or KMS on-premises. Encryption at rest by default, with various key management options https://cloud.google.com/security/encryption-at-rest

asked 18/09/2024
Adish Narayan
38 questions

Question 77

Report
Export
Collapse

Last week, a company deployed a new App Engine application that writes logs to BigQuery. No other workloads are running in the project. You need to validate that all data written to BigQuery was done using the App Engine Default Service Account.

What should you do?

1. Use StackDriver Logging and filter on BigQuery Insert Jobs. 2. Click on the email address in line with the App Engine Default Service Account in the authentication field. 3. Click Hide Matching Entries. 4. Make sure the resulting list is empty.
1. Use StackDriver Logging and filter on BigQuery Insert Jobs. 2. Click on the email address in line with the App Engine Default Service Account in the authentication field. 3. Click Hide Matching Entries. 4. Make sure the resulting list is empty.
1. Use StackDriver Logging and filter on BigQuery Insert Jobs. 2. Click on the email address in line with the App Engine Default Service Account in the authentication field. 3. Click Show Matching Entries. 4. Make sure the resulting list is empty.
1. Use StackDriver Logging and filter on BigQuery Insert Jobs. 2. Click on the email address in line with the App Engine Default Service Account in the authentication field. 3. Click Show Matching Entries. 4. Make sure the resulting list is empty.
1. In BigQuery, select the related dataset. 2. Make sure the App Engine Default Service Account is the only account that can write to the dataset.
1. In BigQuery, select the related dataset. 2. Make sure the App Engine Default Service Account is the only account that can write to the dataset.
1. Go to the IAM section on the project. 2. Validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery.
1. Go to the IAM section on the project. 2. Validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery.
Suggested answer: A
asked 18/09/2024
Lina Brown
40 questions

Question 78

Report
Export
Collapse

Your team wants to limit users with administrative privileges at the organization level.

Which two roles should your team restrict? (Choose two.)

Organization Administrator
Organization Administrator
Super Admin
Super Admin
GKE Cluster Admin
GKE Cluster Admin
Compute Admin
Compute Admin
Organization Role Viewer
Organization Role Viewer
Suggested answer: A, B
asked 18/09/2024
Cyrom Meryll Santos
36 questions

Question 79

Report
Export
Collapse

An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google's responsibility lies. They are mostly running workloads using Google Cloud's Platform-as-a-Service (PaaS) offerings, including App Engine primarily.

Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?

Configuring and monitoring VPC Flow Logs
Configuring and monitoring VPC Flow Logs
Defending against XSS and SQLi attacks
Defending against XSS and SQLi attacks
Manage the latest updates and security patches for the Guest OS
Manage the latest updates and security patches for the Guest OS
Encrypting all stored data
Encrypting all stored data
Suggested answer: B

Explanation:

in PaaS the customer is responsible for web app security, deployment, usage, access policy, and content. https://cloud.google.com/architecture/framework/security/shared-responsibility-shared-fate

asked 18/09/2024
Gufran Dalwai
46 questions

Question 80

Report
Export
Collapse

An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request.

Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses

Which solution should your team implement to meet these requirements?

Cloud Armor
Cloud Armor
Network Load Balancing
Network Load Balancing
SSL Proxy Load Balancing
SSL Proxy Load Balancing
NAT Gateway
NAT Gateway
Suggested answer: A

Explanation:

https://cloud.google.com/armor/docs/security-policy-overview#edge-security

asked 18/09/2024
Jonathan Correa
45 questions
Total 235 questions
Go to page: of 24
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud. What should you do?
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements: The Cloud Storage bucket in Project A can only be readable from Project B. The Cloud Storage bucket in Project A cannot be accessed from outside the network. Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket. What should the security team do?
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements: Only allows communication between the Web and App tiers. Enforces consistent network security when autoscaling the Web and App tiers. Prevents Compute Engine Instance Admins from altering network traffic. What should you do?
You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?
You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?
You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment. How should you prevent and fix this vulnerability?
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on ''in- scope'' Nodes only. These Nodes can only contain the ''in-scope'' Pods. How should the organization achieve this objective?
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior. What should you do to meet these requirements?
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data Loss Prevention API technique should you use to accomplish this?
You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?