ExamGecko
Login
Ask Question

Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 9

List of questions

Question 81

Report
Export
Collapse

A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.

Which two strategies should your team use to meet these requirements? (Choose two.)

Configure Private Google Access on the Compute Engine subnet
Configure Private Google Access on the Compute Engine subnet
Avoid assigning public IP addresses to the Compute Engine cluster.
Avoid assigning public IP addresses to the Compute Engine cluster.
Make sure that the Compute Engine cluster is running on a separate subnet.
Make sure that the Compute Engine cluster is running on a separate subnet.
Turn off IP forwarding on the Compute Engine instances in the cluster.
Turn off IP forwarding on the Compute Engine instances in the cluster.
Configure a Cloud NAT gateway.
Configure a Cloud NAT gateway.
Suggested answer: A, B
asked 18/09/2024
Susanne Hughes
35 questions

Question 82

Report
Export
Collapse

A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet.

How should this be accomplished?

Create a firewall rule to block internet traffic from the VM.
Create a firewall rule to block internet traffic from the VM.
Provision a NAT Gateway to access the Cloud Storage API endpoint.
Provision a NAT Gateway to access the Cloud Storage API endpoint.
Enable Private Google Access on the VPC.
Enable Private Google Access on the VPC.
Mount a Cloud Storage bucket as a local filesystem on every VM.
Mount a Cloud Storage bucket as a local filesystem on every VM.
Suggested answer: C

Explanation:

https://cloud.google.com/vpc/docs/private-google-access

asked 18/09/2024
Noor Amy
35 questions

Question 83

Report
Export
Collapse

As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.

Which cost reduction options should you recommend?

Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.
Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.
Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
Use FindingLimits and TimespanContfig to sample data and minimize transformation units.
Use FindingLimits and TimespanContfig to sample data and minimize transformation units.
Suggested answer: C

Explanation:

https://cloud.google.com/dlp/docs/inspecting-storage#sampling https://cloud.google.com/dlp/docs/best-practices-costs#limit_scans_of_files_in_to_only_relevant_files

asked 18/09/2024
Omar Solomon
33 questions

Question 84

Report
Export
Collapse

Your team uses a service account to authenticate data transfers from a given Compute Engine virtual machine instance of to a specified Cloud Storage bucket. An engineer accidentally deletes the service account, which breaks application functionality. You want to recover the application as quickly as possible without compromising security.

What should you do?

Temporarily disable authentication on the Cloud Storage bucket.
Temporarily disable authentication on the Cloud Storage bucket.
Use the undelete command to recover the deleted service account.
Use the undelete command to recover the deleted service account.
Create a new service account with the same name as the deleted service account.
Create a new service account with the same name as the deleted service account.
Update the permissions of another existing service account and supply those credentials to the applications.
Update the permissions of another existing service account and supply those credentials to the applications.
Suggested answer: B

Explanation:

https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts/undelete

asked 18/09/2024
Ida Aasvistad
35 questions

Question 85

Report
Export
Collapse

You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM.

What should you do?

Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have ''user email address'' as the attribute to facilitate one-way sync.
Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have ''user email address'' as the attribute to facilitate one-way sync.
Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have ''user email address'' as the attribute to facilitate bidirectional sync.
Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have ''user email address'' as the attribute to facilitate bidirectional sync.
Use a management tool to sync the subset based on the email address attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
Use a management tool to sync the subset based on the email address attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
Use a management tool to sync the subset based on group object class attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
Use a management tool to sync the subset based on group object class attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
Suggested answer: A

Explanation:

search rules that have 'user email address' as the attribute to facilitate one-way sync. Reference Links: https://support.google.com/a/answer/6126589?hl=en

asked 18/09/2024
cristian vargas
42 questions

Question 86

Report
Export
Collapse

You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account.

What should you do?

Query Data Access logs.
Query Data Access logs.
Query Admin Activity logs.
Query Admin Activity logs.
Query Access Transparency logs.
Query Access Transparency logs.
Query Stackdriver Monitoring Workspace.
Query Stackdriver Monitoring Workspace.
Suggested answer: B

Explanation:

Admin activity logs are always created to log entries for API calls or other actions that modify the configuration or metadata of resources. For example, these logs record when users create VM instances or change Identity and Access Management permissions.

asked 18/09/2024
Michael Whitehouse
43 questions

Question 87

Report
Export
Collapse

You have an application where the frontend is deployed on a managed instance group in subnet A and the data layer is stored on a mysql Compute Engine virtual machine (VM) in subnet B on the same VPC. Subnet A and Subnet B hold several other Compute Engine VMs. You only want to allow thee application frontend to access the data in the application's mysql instance on port 3306.

What should you do?

Configure an ingress firewall rule that allows communication from the src IP range of subnet A to the tag 'data-tag' that is applied to the mysql Compute Engine VM on port 3306.
Configure an ingress firewall rule that allows communication from the src IP range of subnet A to the tag 'data-tag' that is applied to the mysql Compute Engine VM on port 3306.
Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306.
Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306.
Configure a network tag 'fe-tag' to be applied to all instances in subnet A and a network tag 'data-tag' to be applied to all instances in subnet B. Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged fe-tag.
Configure a network tag 'fe-tag' to be applied to all instances in subnet A and a network tag 'data-tag' to be applied to all instances in subnet B. Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged fe-tag.
Configure a network tag 'fe-tag' to be applied to all instances in subnet A and a network tag 'data-tag' to be applied to all instances in subnet B. Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.
Configure a network tag 'fe-tag' to be applied to all instances in subnet A and a network tag 'data-tag' to be applied to all instances in subnet B. Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.
Suggested answer: B

Explanation:

https://cloud.google.com/sql/docs/mysql/sql-proxy#using-a-service-account

asked 18/09/2024
James Brion
37 questions

Question 88

Report
Export
Collapse

Your company operates an application instance group that is currently deployed behind a Google Cloud load balancer in us-central-1 and is configured to use the Standard Tier network. The infrastructure team wants to expand to a second Google Cloud region, us-east-2. You need to set up a single external IP address to distribute new requests to the instance groups in both regions.

What should you do?

Change the load balancer backend configuration to use network endpoint groups instead of instance groups.
Change the load balancer backend configuration to use network endpoint groups instead of instance groups.
Change the load balancer frontend configuration to use the Premium Tier network, and add the new instance group.
Change the load balancer frontend configuration to use the Premium Tier network, and add the new instance group.
Create a new load balancer in us-east-2 using the Standard Tier network, and assign a static external IP address.
Create a new load balancer in us-east-2 using the Standard Tier network, and assign a static external IP address.
Create a Cloud VPN connection between the two regions, and enable Google Private Access.
Create a Cloud VPN connection between the two regions, and enable Google Private Access.
Suggested answer: B

Explanation:

https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional

asked 18/09/2024
Mario Herrera González
46 questions

Question 89

Report
Export
Collapse

You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.

What should you do?

Set up an ACL with OWNER permission to a scope of allUsers.
Set up an ACL with OWNER permission to a scope of allUsers.
Set up an ACL with READER permission to a scope of allUsers.
Set up an ACL with READER permission to a scope of allUsers.
Set up a default bucket ACL and manage access for users using IAM.
Set up a default bucket ACL and manage access for users using IAM.
Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.
Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.
Suggested answer: D

Explanation:

https://cloud.google.com/storage/docs/uniform-bucket-level-access#enabled

asked 18/09/2024
Memo Albah
24 questions

Question 90

Report
Export
Collapse

You are the security admin of your company. Your development team creates multiple GCP projects under the 'implementation' folder for several dev, staging, and production workloads. You want to prevent data exfiltration by malicious insiders or compromised code by setting up a security perimeter. However, you do not want to restrict communication between the projects.

What should you do?

Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.
Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.
Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.
Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.
Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the 'implementation' folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.
Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the 'implementation' folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.
Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the 'implementation' folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.
Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the 'implementation' folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.
Suggested answer: C

Explanation:

https://cloud.google.com/vpc-service-controls/docs/overview#benefits

https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/tree/master/examples/automatic_folder

asked 18/09/2024
Antoine CHEA
26 questions
Total 235 questions
Go to page: of 24
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud. What should you do?
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements: The Cloud Storage bucket in Project A can only be readable from Project B. The Cloud Storage bucket in Project A cannot be accessed from outside the network. Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket. What should the security team do?
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements: Only allows communication between the Web and App tiers. Enforces consistent network security when autoscaling the Web and App tiers. Prevents Compute Engine Instance Admins from altering network traffic. What should you do?
You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?
You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?
You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment. How should you prevent and fix this vulnerability?
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on ''in- scope'' Nodes only. These Nodes can only contain the ''in-scope'' Pods. How should the organization achieve this objective?
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior. What should you do to meet these requirements?
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data Loss Prevention API technique should you use to accomplish this?
You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?