ExamGecko
Google Professional Cloud Security Engineer Practice Test - Questions Answers, Page 18

Question 171

You have created an OS image that is hardened per your organization's security standards and is being stored in a project managed by the security team. As a Google Cloud administrator, you need to make sure all VMs in your Google Cloud organization can only use that specific OS image while minimizing operational overhead. What should you do? (Choose two.)

A. Grant users the compute.imageUser role in their own projects.
B. Grant users the compute.imageUser role in the OS image project.
C. Store the image in every project that is spun up in your organization.
D. Set up an image access organization policy constraint, and list the security-team-managed project in the projects allow list.
E. Remove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.
Suggested answer: B, D

Explanation:

https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints (constraints/compute.trustedImageProjects)

This list constraint defines the set of projects that can be used for image storage and disk instantiation for Compute Engine. If this constraint is active, only images from trusted projects will be allowed as the source for boot disks for new instances.

asked 18/09/2024
Alexandru adrian Blaga
Question 172

You're developing the incident response plan for your company. You need to define the access strategy that your DevOps team will use when reviewing and investigating a deployment issue in your Google Cloud environment. There are two main requirements:

Least-privilege access must be enforced at all times.

The DevOps team must be able to access the required resources only during the deployment issue.

How should you grant access while following Google-recommended best practices?

A. Assign the Project Viewer Identity and Access Management (IAM) role to the DevOps team.
B. Create a custom IAM role with limited list/view permissions, and assign it to the DevOps team.
C. Create a service account, and grant it the Project Owner IAM role. Give the Service Account User role on this service account to the DevOps team.
D. Create a service account, and grant it limited list/view permissions. Give the Service Account User role on this service account to the DevOps team.
Suggested answer: D
asked 18/09/2024
Steven Reyes
Question 173

You are working with a client who plans to migrate their data to Google Cloud. You are responsible for recommending an encryption service to manage their encrypted keys. You have the following requirements:

The master key must be rotated at least once every 45 days.

The solution that stores the master key must be FIPS 140-2 Level 3 validated.

The master key must be stored in multiple regions within the US for redundancy.

Which solution meets these requirements?

A. Customer-managed encryption keys with Cloud Key Management Service
B. Customer-managed encryption keys with Cloud HSM
C. Customer-supplied encryption keys
D. Google-managed encryption keys
Suggested answer: B

Explanation:

https://cloud.google.com/docs/security/key-management-deep-dive
https://cloud.google.com/kms/docs/faq

asked 18/09/2024
Kr Sk
Question 174

You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your VPCs based on network logs. However, you want to explore your environment using network payloads and headers. Which Google Cloud product should you use?

A. Cloud IDS
B. VPC Service Controls logs
C. VPC Flow Logs
D. Google Cloud Armor
E. Packet Mirroring
Suggested answer: E

Explanation:

https://cloud.google.com/vpc/docs/packet-mirroring

Packet Mirroring clones the traffic of specified instances in your Virtual Private Cloud (VPC) network and forwards it for examination. Packet Mirroring captures all traffic and packet data, including payloads and headers.

asked 18/09/2024
Lin Joel
Question 175

You are consulting with a client that requires end-to-end encryption of application data (including data in transit, data in use, and data at rest) within Google Cloud. Which options should you utilize to accomplish this? (Choose two.)

A. External Key Manager
B. Customer-supplied encryption keys
C. Hardware Security Module
D. Confidential Computing and Istio
E. Client-side encryption
Suggested answer: D, E

Explanation:

Google Cloud customers with additional requirements for encryption of data over WAN can choose to implement further protections for data as it moves from a user to an application, or virtual machine to virtual machine. These protections include IPSec tunnels, Gmail S/MIME, managed SSL certificates, and Istio. https://cloud.google.com/docs/security/encryption-in-transit

asked 18/09/2024
Justin Kim
Question 176

You need to enforce a security policy in your Google Cloud organization that prevents users from exposing objects in their buckets externally. There are currently no buckets in your organization. Which solution should you implement proactively to achieve this goal with the least operational overhead?

Question 177

Your company requires the security and network engineering teams to identify all network anomalies and be able to capture payloads within VPCs. Which method should you use?

Question 178

Your company is moving to Google Cloud. You plan to sync your users first by using Google Cloud Directory Sync (GCDS). Some employees have already created Google Cloud accounts by using their company email addresses that were created outside of GCDS. You must create your users on Cloud Identity.

What should you do?

Question 179

Your organization is using GitHub Actions as a continuous integration and delivery (CI/CD) platform. You must enable access to Google Cloud resources from the CI/CD pipelines in the most secure way.

What should you do?

Question 180

Your company must follow industry-specific regulations. Therefore, you need to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources in the organization called org1.

What command should you execute?

Total 235 questions