Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 8

You will create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.

What should you do?

A. Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.
B. Create a custom role with the permission compute.instances.list and grant the Service Account this role.
C. Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.
D. Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.
Suggested answer: B

Explanation:

https://cloud.google.com/compute/docs/access/iam

In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.)

A. Hardware
B. Network Security
C. Storage Encryption
D. Access Policies
E. Boot
Suggested answer: B, D

Explanation:

https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-the-shared-responsibility-model-in-gke-container-security-shared-responsibility-model-gke

An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.

Which GCP solution should the organization use?

A. BigQuery using a data pipeline job with continuous updates via Cloud VPN
B. Cloud Storage using a scheduled task and gsutil via Cloud Interconnect
C. Compute Engine Virtual Machines using Persistent Disk via Cloud Interconnect
D. Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN
Suggested answer: B

Explanation:

https://cloud.google.com/solutions/dr-scenarios-for-data#production_environment_is_on-premises

https://medium.com/@pvergadia/cold-disaster-recovery-on-google-cloud-for-applications-running-on-premises-114b31933d02

What are the steps to encrypt data using envelope encryption?

A. Generate a data encryption key (DEK) locally. Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK. Store the encrypted data and the wrapped KEK.
B. Generate a key encryption key (KEK) locally. Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK. Store the encrypted data and the wrapped DEK.
C. Generate a data encryption key (DEK) locally. Encrypt data with the DEK. Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.
D. Generate a key encryption key (KEK) locally. Generate a data encryption key (DEK) locally. Encrypt data with the KEK. Store the encrypted data and the wrapped DEK.
Suggested answer: C

Explanation:

The process for encrypting data is: generate a DEK locally, encrypt the data with the DEK, use a KEK to wrap the DEK, and then store the encrypted data together with the wrapped DEK. The KEK never leaves Cloud KMS. https://cloud.google.com/kms/docs/envelope-encryption#how_to_encrypt_data_using_envelope_encryption

A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can only be accessed by someone on the corporate network. The customer wants to make it available over the internet. Your team requires an authentication layer in front of the application that supports two-factor authentication.

Which GCP product should the customer implement to meet these requirements?

A. Cloud Identity-Aware Proxy
B. Cloud Armor
C. Cloud Endpoints
D. Cloud VPN
Suggested answer: A

Explanation:

Cloud IAP is integrated with Google Sign-In, for which multi-factor authentication can be enabled. https://cloud.google.com/iap/docs/concepts-overview

Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.

What should you do?

A. Use the Cloud Key Management Service to manage a data encryption key (DEK).
B. Use the Cloud Key Management Service to manage a key encryption key (KEK).
C. Use customer-supplied encryption keys to manage the data encryption key (DEK).
D. Use customer-supplied encryption keys to manage the key encryption key (KEK).
Suggested answer: C

Explanation:

This is a customer-supplied encryption key (CSEK) scenario: you generate your own encryption key and manage it on-premises. A KEK never leaves Cloud KMS, and there is no KEK or KMS on-premises. See "Encryption at rest by default, with various key management options": https://cloud.google.com/security/encryption-at-rest

Last week, a company deployed a new App Engine application that writes logs to BigQuery. No other workloads are running in the project. You need to validate that all data written to BigQuery was done using the App Engine Default Service Account.

What should you do?

A. 1. Use StackDriver Logging and filter on BigQuery Insert Jobs. 2. Click on the email address in line with the App Engine Default Service Account in the authentication field. 3. Click Hide Matching Entries. 4. Make sure the resulting list is empty.
B. 1. Use StackDriver Logging and filter on BigQuery Insert Jobs. 2. Click on the email address in line with the App Engine Default Service Account in the authentication field. 3. Click Show Matching Entries. 4. Make sure the resulting list is empty.
C. 1. In BigQuery, select the related dataset. 2. Make sure the App Engine Default Service Account is the only account that can write to the dataset.
D. 1. Go to the IAM section on the project. 2. Validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery.
Suggested answer: A

Your team wants to limit users with administrative privileges at the organization level.

Which two roles should your team restrict? (Choose two.)

A. Organization Administrator
B. Super Admin
C. GKE Cluster Admin
D. Compute Admin
E. Organization Role Viewer
Suggested answer: A, B

An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google's responsibility lies. They are mostly running workloads using Google Cloud's Platform-as-a-Service (PaaS) offerings, including App Engine primarily.

Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?

A. Configuring and monitoring VPC Flow Logs
B. Defending against XSS and SQLi attacks
C. Manage the latest updates and security patches for the Guest OS
D. Encrypting all stored data
Suggested answer: B

Explanation:

In PaaS, the customer is responsible for web application security, deployment, usage, access policy, and content. https://cloud.google.com/architecture/framework/security/shared-responsibility-shared-fate

An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request.

Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses.

Which solution should your team implement to meet these requirements?

A. Cloud Armor
B. Network Load Balancing
C. SSL Proxy Load Balancing
D. NAT Gateway
Suggested answer: A

Explanation:

https://cloud.google.com/armor/docs/security-policy-overview#edge-security

Total 235 questions