ExamGecko
Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 15

Question 141

You have been tasked with configuring Security Command Center for your organization's Google Cloud environment. Your security team needs to receive alerts of potential crypto mining in the organization's compute environment and alerts for common Google Cloud misconfigurations that impact security. Which Security Command Center features should you use to configure these alerts? (Choose two.)

A. Event Threat Detection
B. Container Threat Detection
C. Security Health Analytics
D. Cloud Data Loss Prevention
E. Google Cloud Armor
Suggested answer: A, C

Explanation:

https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview

Event Threat Detection is a built-in service for the Security Command Center Premium tier that continuously monitors your organization and identifies threats within your systems in near-real time.

https://cloud.google.com/security-command-center/docs/concepts-security-sources#security-health-analytics

asked 18/09/2024
ola adekanbi
38 questions

Question 142

You have noticed an increased number of phishing attacks across your enterprise user accounts. You want to implement the Google 2-Step Verification (2SV) option that uses a cryptographic signature to authenticate a user and verify the URL of the login page. Which Google 2SV option should you use?

A. Titan Security Keys
B. Google prompt
C. Google Authenticator app
D. Cloud HSM keys
Suggested answer: A

Explanation:

https://cloud.google.com/titan-security-key

Security keys use public key cryptography to verify a user's identity and the URL of the login page, ensuring attackers can't access your account even if you are tricked into providing your username and password.

asked 18/09/2024
Oren Dahan
45 questions

Question 143

Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:

The network connection must be encrypted.

The communication between servers must be over private IP addresses.

What should you do?

A. Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
B. Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
C. Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.
D. Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.
Suggested answer: B

Explanation:

Google encrypts and authenticates data in transit at one or more network layers when data moves outside physical boundaries not controlled by Google or on behalf of Google. All VM-to-VM traffic within a VPC network and peered VPC networks is encrypted.

https://cloud.google.com/docs/security/encryption-in-transit#cio-level_summary

asked 18/09/2024
Alvin Thomas
46 questions

Question 144

Your company's new CEO recently sold two of the company's divisions. Your Director asks you to help migrate the Google Cloud projects associated with those divisions to a new organization node. Which preparation steps are necessary before this migration occurs? (Choose two.)

A. Remove all project-level custom Identity and Access Management (IAM) roles.
B. Disallow inheritance of organization policies.
C. Identify inherited Identity and Access Management (IAM) roles on projects to be migrated.
D. Create a new folder for all projects to be migrated.
E. Remove the specific migration projects from any VPC Service Controls perimeters and bridges.
Suggested answer: C

Explanation:

https://cloud.google.com/resource-manager/docs/project-migration#plan_policy

When you migrate your project, it will no longer inherit the policies from its current place in the resource hierarchy, and will be subject to the effective policy evaluation at its destination. We recommend making sure that the effective policies at the project's destination match as much as possible the policies that the project had in its source location.

https://cloud.google.com/resource-manager/docs/project-migration#import_export_folders

Policy inheritance can cause unintended effects when you are migrating a project, both in the source and destination organization resources. You can mitigate this risk by creating specific folders to hold only projects for export and import, and ensuring that the same policies are inherited by the folders in both organization resources. You can also set permissions on these folders that will be inherited to the projects moved within them, helping to accelerate the project migration process.

asked 18/09/2024
André Batista
39 questions

Question 145

You are a consultant for an organization that is considering migrating its data from its private cloud to Google Cloud. The organization's compliance team is not familiar with Google Cloud and needs guidance on how compliance requirements will be met on Google Cloud. One specific compliance requirement is for customer data at rest to reside within specific geographic boundaries. Which option should you recommend for the organization to meet its data residency requirements on Google Cloud?

A. Organization Policy Service constraints
B. Shielded VM instances
C. Access control lists
D. Geolocation access controls
E. Google Cloud Armor
Suggested answer: A

Explanation:

https://cloud.google.com/resource-manager/docs/organization-policy/using-constraints#list-constraint

asked 18/09/2024
mark anthony sampayan
34 questions

Question 146

Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization. How should you enforce this?

A. Configure Secret Manager to manage service account keys.
B. Enable an organization policy to disable service accounts from being created.
C. Enable an organization policy to prevent service account keys from being created.
D. Remove the iam.serviceAccounts.getAccessToken permission from users.
Suggested answer: C

Explanation:

https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys

'To prevent unnecessary usage of service account keys, use organization policy constraints: At the root of your organization's resource hierarchy, apply the Disable service account key creation and Disable service account key upload constraints to establish a default where service account keys are disallowed. When needed, override one of the constraints for selected projects to re-enable service account key creation or upload.'

asked 18/09/2024
Keenan Bragg
41 questions

Question 147

You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?

A. On the Google Admin console, select the appropriate user account, and generate a backup code to allow the user to sign in. Ask the user to update their second factor.
B. On the Google Admin console, temporarily disable the 2SV requirements for all users. Ask the user to log in and add their new second factor to their account. Re-enable the 2SV requirement for all users.
C. On the Google Admin console, select the appropriate user account, and temporarily disable 2SV for this account. Ask the user to update their second factor, and then re-enable 2SV for this account.
D. On the Google Admin console, use a super administrator account to reset the user account's credentials. Ask the user to update their credentials after their first login.
Suggested answer: A

Explanation:

https://support.google.com/a/answer/9176734

Use backup codes for account recovery. If you need to recover an account, use backup codes. Accounts are still protected by 2-Step Verification, and backup codes are easy to generate.

asked 18/09/2024
Jason Evans
47 questions

Question 148

Which Google Cloud service should you use to enforce access control policies for applications and resources?

A. Identity-Aware Proxy
B. Cloud NAT
C. Google Cloud Armor
D. Shielded VMs
Suggested answer: A

Explanation:

https://cloud.google.com/iap/docs/concepts-overview

'Use IAP when you want to enforce access control policies for applications and resources.'

asked 18/09/2024
Vasco Ricardo Ribeiro
30 questions

Question 149

You want to update your existing VPC Service Controls perimeter with a new access level. You need to avoid breaking the existing perimeter with this change, and ensure the least disruptions to users while minimizing overhead. What should you do?

A. Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.
B. Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.
C. Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration. Update the perimeter configuration after the access level has been vetted.
D. Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.
Suggested answer: D

Explanation:

https://cloud.google.com/vpc-service-controls/docs/dry-run-mode

When using VPC Service Controls, it can be difficult to determine the impact to your environment when a service perimeter is created or modified. With dry run mode, you can better understand the impact of enabling VPC Service Controls and changes to perimeters in existing environments.

asked 18/09/2024
Ivan Ramirez
40 questions

Question 150

Your organization's Google Cloud VMs are deployed via an instance template that configures them with a public IP address in order to host web services for external users. The VMs reside in a service project that is attached to a host (VPC) project containing one custom Shared VPC for the VMs. You have been asked to reduce the exposure of the VMs to the internet while continuing to service external users. You have already recreated the instance template without a public IP address configuration to launch the managed instance group (MIG). What should you do?

A. Deploy a Cloud NAT Gateway in the service project for the MIG.
B. Deploy a Cloud NAT Gateway in the host (VPC) project for the MIG.
C. Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.
D. Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend.
Suggested answer: D

Explanation:

https://cloud.google.com/load-balancing/docs/https#shared-vpc

While you can create all the load balancing components and backends in the Shared VPC host project, this model does not separate network administration and service development responsibilities.

asked 18/09/2024
Sushil Karki
38 questions
Total 235 questions