Labour Day - Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dpm65

Hot Vendors
  1. Home
  2. Google
  3. Google Cloud Certified
  4. Professional-Cloud-Security-Engineer
  5. Google Cloud Certified - Professional Cloud Security Engineer Questions and Answers

Professional-Cloud-Security-Engineer Google Cloud Certified - Professional Cloud Security Engineer Questions and Answers

Questions 4

Your organization operates Virtual Machines (VMs) with only private IPs in the Virtual Private Cloud (VPC) with internet access through Cloud NAT Everyday, you must patch all VMs with critical OS updates and provide summary reports

What should you do?

Options:

A.

Validate that the egress firewall rules allow any outgoing traffic Log in to each VM and execute OS specific update commands Configure the Cloud Scheduler job to update with critical patches daily for daily updates.

B.

Ensure that VM Manager is installed and running on the VMs. In the OS patch management service. configure the patch jobs to update with critical patches daily.

C.

Assign public IPs to VMs. Validate that the egress firewall rules allow any outgoing traffic Log in to each VM. and configure a daily cron job to enable for OS updates at night during low activity periods.

D.

Copy the latest patches to the Cloud Storage bucket. Log in to each VM. download the patches from the bucket, and install them.

Buy Now
Questions 5

In an effort for your company messaging app to comply with FIPS 140-2, a decision was made to use GCP compute and network services. The messaging app architecture includes a Managed Instance Group (MIG) that controls a cluster of Compute Engine instances. The instances use Local SSDs for data caching and UDP for instance-to-instance communications. The app development team is willing to make any changes necessary to comply with the standard

Which options should you recommend to meet the requirements?

Options:

A.

Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.

B.

Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.

C.

Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections.

D.

Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.

Buy Now
Questions 6

An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.

Which GCP solution should the organization use?

Options:

A.

BigQuery using a data pipeline job with continuous updates via Cloud VPN

B.

Cloud Storage using a scheduled task and gsutil via Cloud Interconnect

C.

Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect

D.

Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN

Buy Now
Questions 7

You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS). Cloud Identity and Access Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys.

What should you do?

Options:

A.

Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the Key level.

B.

Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the KeyRing level.

C.

Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the Key level.

D.

Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the KeyRing level.

Buy Now
Questions 8

Your company’s chief information security officer (CISO) is requiring business data to be stored in specific locations due to regulatory requirements that affect the company’s global expansion plans. After working on a plan to implement this requirement, you determine the following:

  • The services in scope are included in the Google Cloud data residency requirements.
  • The business data remains within specific locations under the same organization.
  • The folder structure can contain multiple data residency locations.
  • The projects are aligned to specific locations.

You plan to use the Resource Location Restriction organization policy constraint with very granular control. At which level in the hierarchy should you set the constraint?

Options:

A.

Organization

B.

Resource

C.

Project

D.

Folder

Buy Now
Questions 9

You are routing all your internet facing traffic from Google Cloud through your on-premises internet connection. You want to accomplish this goal securely and with the highest bandwidth possible.

What should you do?

Options:

A.

Create an HA VPN connection to Google Cloud Replace the default 0 0 0 0/0 route.

B.

Create a routing VM in Compute Engine Configure the default route with the VM as the next hop.

C.

Configure Cloud Interconnect with HA VPN Replace the default 0 0 0 0/0 route to an on-premisesdestination.

D.

Configure Cloud Interconnect and route traffic through an on-premises firewall.

Buy Now
Questions 10

Your company operates an application instance group that is currently deployed behind a Google Cloud load balancer in us-central-1 and is configured to use the Standard Tier network. The infrastructure team wants to expand to a second Google Cloud region, us-east-2. You need to set up a single external IP address to distribute new requests to the instance groups in both regions.

What should you do?

Options:

A.

Change the load balancer backend configuration to use network endpoint groups instead of instance groups.

B.

Change the load balancer frontend configuration to use the Premium Tier network, and add the new instance group.

C.

Create a new load balancer in us-east-2 using the Standard Tier network, and assign a static external IP address.

D.

Create a Cloud VPN connection between the two regions, and enable Google Private Access.

Buy Now
Questions 11

A database administrator notices malicious activities within their Cloud SQL instance. The database administrator wants to monitor the API calls that read the configuration or metadata of resources. Which logs should the database administrator review?

Options:

A.

Admin Activity

B.

System Event

C.

Access Transparency

D.

Data Access

Buy Now
Questions 12

Your company must follow industry specific regulations. Therefore, you need to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources in the organization called org1.

What command should you execute?

Options:

A.

•organization policy: constraints/gcp.restrictStorageNonCraekServices

•binding at: orgl

•policy type: deny

•policy value:storage.gcogleapis.com

B.

•organization policy: constraints/gcp.restrictHonCmekServices

•binding at: orgl

•policy type: deny

•policy value:storage.googleapis.com

C.

•organization policy:constraints/gcp.restrictStorageNonCraekServices

•binding at: orgl

•policy type: allow

•policy value: all supported services

D.

•organization policy: constramts/gcp.restrictNonCmekServices

•binding at: orgl

•policy type: allow

•policy value:storage.googleapis.com

Buy Now
Questions 13

You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive data. Your solution has the following requirements:

  • Schedule key rotation for sensitive data.
  • Control which region the encryption keys for sensitive data are stored in.
  • Minimize the latency to access encryption keys for both sensitive and non-sensitive data.

What should you do?

Options:

A.

Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.

B.

Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.

C.

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.

D.

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

Buy Now
Questions 14

Your organization wants to be compliant with the General Data Protection Regulation (GDPR) on Google Cloud You must implement data residency and operational sovereignty in the EU.

What should you do?

Choose 2 answers

Options:

A.

Limit the physical location of a new resource with the Organization Policy Service resource locations

constraint."

B.

Use Cloud IDS to get east-west and north-south traffic visibility in the EU to monitor intra-VPC and mter-VPC communication.

C.

Limit Google personnel access based on predefined attributes such as their citizenship or geographic location by using Key Access Justifications

D.

Use identity federation to limit access to Google Cloud resources from non-EU entities.

E.

Use VPC Flow Logs to monitor intra-VPC and inter-VPC traffic in the EU.

Buy Now
Questions 15

You are the project owner for a regulated workload that runs in a project you own and manage as an Identity and Access Management (IAM) admin. For an upcoming audit, you need to provide access reviews evidence. Which tool should you use?

Options:

A.

Policy Troubleshooter

B.

Policy Analyzer

C.

IAM Recommender

D.

Policy Simulator

Buy Now
Questions 16

You need to audit the network segmentation for your Google Cloud footprint. You currently operate Production and Non-Production infrastructure-as-a-service (IaaS) environments. All your VM instances are deployed without any service account customization.

After observing the traffic in your custom network, you notice that all instances can communicate freely – despite tag-based VPC firewall rules in place to segment traffic properly – with a priority of 1000. What are the most likely reasons for this behavior?

Options:

A.

All VM instances are missing the respective network tags.

B.

All VM instances are residing in the same network subnet.

C.

All VM instances are configured with the same network route.

D.

A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999.

E.

A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 1001.

Buy Now
Questions 17

Applications often require access to “secrets” - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of “who did what, where, and when?” within their GCP projects.

Which two log streams would provide the information that the administrator is looking for? (Choose two.)

Options:

A.

Admin Activity logs

B.

System Event logs

C.

Data Access logs

D.

VPC Flow logs

E.

Agent logs

Buy Now
Questions 18

In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.

Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)

Options:

A.

App Engine

B.

Cloud Functions

C.

Compute Engine

D.

Google Kubernetes Engine

E.

Cloud Storage

Buy Now
Questions 19

Your organization must comply with the regulation to keep instance logging data within Europe. Your workloads will be hosted in the Netherlands in region europe-west4 in a new project. You must configure Cloud Logging to keep your data in the country.

What should you do?

Options:

A.

Configure the organization policy constraint gcp.resourceLocations to europe-west4.

B.

Set the logging storage region to eurcpe-west4 by using the gcloud CLI logging settings update.

C.

Create a new tog bucket in europe-west4. and redirect the _Def auit bucKet to the new bucket.

D.

Configure log sink to export all logs into a Cloud Storage bucket in europe-west4.

Buy Now
Questions 20

You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications anddata processing systems. You want to reduce the scope of systems subject to PCI audit standards.

What should you do?

Options:

A.

Use multi-factor authentication for admin access to the web application.

B.

Use only applications certified compliant with PA-DSS.

C.

Move the cardholder data environment into a separate GCP project.

D.

Use VPN for all connections between your office and cloud environments.

Buy Now
Questions 21

You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine. Which option should you recommend?

Options:

A.

Cloud Key Management Service

B.

Compute Engine guest attributes

C.

Compute Engine custom metadata

D.

Secret Manager

Buy Now
Questions 22

You are migrating an on-premises data warehouse to BigQuery Cloud SQL, and Cloud Storage. You need to configure security services in the data warehouse. Your company compliance policies mandate that the data warehouse must:

•Protect data at rest with full lifecycle management on cryptographic keys

•Implement a separate key management provider from data management

•Provide visibility into all encryption key requests

What services should be included in the data warehouse implementation?

Choose 2 answers

Options:

A.

Customer-managed encryption keys

B.

Customer-Supplied Encryption Keys

C.

Key Access Justifications

D.

Access Transparency and Approval

E.

Cloud External Key Manager

Buy Now
Questions 23

A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in BigQuery.

What technique should the institution use?

Options:

A.

Use Cloud Storage as a federated Data Source.

B.

Use a Cloud Hardware Security Module (Cloud HSM).

C.

Customer-managed encryption keys (CMEK).

D.

Customer-supplied encryption keys (CSEK).

Buy Now
Questions 24

You want to make sure that your organization’s Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all Cloud Storage buckets. What should you do?

Options:

A.

Remove Owner roles from end users, and configure Cloud Data Loss Prevention.

B.

Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.

C.

Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.

D.

Remove*.setIamPolicypermissions from all roles, and enforce domain restricted sharing in an organization policy.

Buy Now
Questions 25

You need to enforce a security policy in your Google Cloud organization that prevents users from exposing objects in their buckets externally. There are currently no buckets in your organization. Which solution should you implement proactively to achieve this goal with the least operational overhead?

Options:

A.

Create an hourly cron job to run a Cloud Function that finds public buckets and makes them private.

B.

Enable theconstraints/storage.publicAccessPreventionconstraint at the organization level.

C.

Enable theconstraints/storage.uniformBucketLevelAccessconstraint at the organization level.

D.

Create a VPC Service Controls perimeter that protects the storage.googleapis.com service in your projects that contains buckets. Add any new project that contains a bucket to the perimeter.

Buy Now
Questions 26

You are using Security Command Center (SCC) to protect your workloads and receive alerts for suspected security breaches at your company. You need to detect cryptocurrency mining software.

Which SCC service should you use?

Options:

A.

Container Threat Detection

B.

Web Security Scanner

C.

Rapid Vulnerability Detection

D.

Virtual Machine Threat Detection

Buy Now
Questions 27

You are consulting with a client that requires end-to-end encryption of application data (including data in transit, data in use, and data at rest) within Google Cloud. Which options should you utilize to accomplish this? (Choose two.)

Options:

A.

External Key Manager

B.

Customer-supplied encryption keys

C.

Hardware Security Module

D.

Confidential Computing and Istio

E.

Client-side encryption

Buy Now
Questions 28

You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application's backend. What are two requirements for using Google Cloud Armor security policies? (Choose two.)

Options:

A.

The load balancer must be an external SSL proxy load balancer.

B.

Google Cloud Armor Policy rules can only match on Layer 7 (L7) attributes.

C.

The load balancer must use the Premium Network Service Tier.

D.

The backend service's load balancing scheme must be EXTERNAL.

E.

The load balancer must be an external HTTP(S) load balancer.

Buy Now
Questions 29

What are the steps to encrypt data using envelope encryption?

Options:

A.

Generate a data encryption key (DEK) locally.

Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK.

Store the encrypted data and the wrapped KEK.

B.

Generate a key encryption key (KEK) locally.

Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK.

Store the encrypted data and the wrapped DEK.

C.

Generate a data encryption key (DEK) locally.

Encrypt data with the DEK.

Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.

D.

Generate a key encryption key (KEK) locally.

Generate a data encryption key (DEK) locally. Encrypt data with the KEK.

Store the encrypted data and the wrapped DEK.

Buy Now
Questions 30

A company migrated their entire data/center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time.

What should you do?

Options:

A.

Use Resource Manager on the organization level.

B.

Use Forseti Security to automate inventory snapshots.

C.

Use Stackdriver to create a dashboard across all projects.

D.

Use Security Command Center to view all assets across the organization.

Buy Now
Questions 31

An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well- established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the “source of truth” directory for identities.

Which solution meets the organization's requirements?

Options:

A.

Google Cloud Directory Sync (GCDS)

B.

Cloud Identity

C.

Security Assertion Markup Language (SAML)

D.

Pub/Sub

Buy Now
Questions 32

Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network.

How should your team design this network?

Options:

A.

Create an ingress firewall rule to allow access only from the application to the database using firewall tags.

B.

Create a different subnet for the frontend application and database to ensure network isolation.

C.

Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.

D.

Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.

Buy Now
Questions 33

Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application. The solution has the following requirements:

Scans must run at least once per week

Must be able to detect cross-site scripting vulnerabilities

Must be able to authenticate using Google accounts

Which solution should you use?

Options:

A.

Google Cloud Armor

B.

Web Security Scanner

C.

Security Health Analytics

D.

Container Threat Detection

Buy Now
Questions 34

Your organization is using GitHub Actions as a continuous integration and delivery (Cl/CD) platform. You must enable access to Google Cloud resources from the Cl/CD pipelines in the most secure way.

What should you do?

Options:

A.

Create a service account key and add it to the GitHub pipeline configuration file.

B.

Create a service account key and add it to the GitHub repository content.

C.

Configure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.

D.

Configure workload identity federation to use GitHub as an identity pool provider.

Buy Now
Questions 35

A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery

What should you do?

Options:

A.

Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.

B.

Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.

C.

Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.

D.

Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.

Buy Now
Questions 36

When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)

Options:

A.

Ensure that the app does not run as PID 1.

B.

Package a single app as a container.

C.

Remove any unnecessary tools not needed by the app.

D.

Use public container images as a base image for the app.

E.

Use many container image layers to hide sensitive information.

Buy Now
Questions 37

Your security team uses encryption keys to ensure confidentiality of user data. You want to establish a process to reduce the impact of a potentially compromised symmetric encryption key in Cloud Key Management Service (Cloud KMS).

Which steps should your team take before an incident occurs? (Choose two.)

Options:

A.

Disable and revoke access to compromised keys.

B.

Enable automatic key version rotation on a regular schedule.

C.

Manually rotate key versions on an ad hoc schedule.

D.

Limit the number of messages encrypted with each key version.

E.

Disable the Cloud KMS API.

Buy Now
Questions 38

An organization receives an increasing number of phishing emails.

Which method should be used to protect employee credentials in this situation?

Options:

A.

Multifactor Authentication

B.

A strict password policy

C.

Captcha on login pages

D.

Encrypted emails

Buy Now
Questions 39

Your company requires the security and network engineering teams to identify all network anomalies within and across VPCs, internal traffic from VMs to VMs, traffic between end locations on the internet and VMs, and traffic between VMs to Google Cloud services in production. Which method should you use?

Options:

A.

Define an organization policy constraint.

B.

Configure packet mirroring policies.

C.

Enable VPC Flow Logs on the subnet.

D.

Monitor and analyze Cloud Audit Logs.

Buy Now
Questions 40

A company’s application is deployed with a user-managed Service Account key. You want to use Google- recommended practices to rotate the key.

What should you do?

Options:

A.

Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam- account=IAM_ACCOUNT.

B.

Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam- account=IAM_ACCOUNT --key=NEW_KEY.

C.

Create a new key, and use the new key in the application. Delete the old key from the Service Account.

D.

Create a new key, and use the new key in the application. Store the old key on the system as a backup key.

Buy Now
Questions 41

Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation.

What should you do?

Options:

A.

Store the data in a single Persistent Disk, and delete the disk at expiration time.

B.

Store the data in a single BigQuery table and set the appropriate table expiration time.

C.

Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.

D.

Store the data in a single BigTable table and set an expiration time on the column families.

Buy Now
Questions 42

When working with agents in a support center via online chat, an organization’s customers often share pictures of their documents with personally identifiable information (PII). The organization that owns the support center is concerned that the PII is being stored in their databases as part of the regular chat logs they retain for

review by internal or external analysts for customer service trend analysis.

Which Google Cloud solution should the organization use to help resolve this concern for the customer while still maintaining data utility?

Options:

A.

Use Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.

B.

Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.

C.

Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.

D.

Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.

Buy Now
Questions 43

You are implementing data protection by design and in accordance with GDPR requirements. As part of design reviews, you are told that you need to manage the encryption key for a solution that includes workloads for Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. Which option should you choose for this implementation?

Options:

A.

Cloud External Key Manager

B.

Customer-managed encryption keys

C.

Customer-supplied encryption keys

D.

Google default encryption

Buy Now
Questions 44

Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?

Options:

A.

ISO 27001

B.

ISO 27002

C.

ISO 27017

D.

ISO 27018

Buy Now
Questions 45

You are setting up a CI/CD pipeline to deploy containerized applications to your production clusters on Google Kubernetes Engine (GKE). You need to prevent containers with known vulnerabilities from being deployed. You have the following requirements for your solution:

Must be cloud-native

Must be cost-efficient

Minimize operational overhead

How should you accomplish this? (Choose two.)

Options:

A.

Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.

B.

Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.

C.

Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.

D.

Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.

E.

In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.

Buy Now
Questions 46

Your company has been creating users manually in Cloud Identity to provide access to Google Cloud resources. Due to continued growth of the environment, you want to authorize the Google Cloud Directory Sync (GCDS) instance and integrate it with your on-premises LDAP server to onboard hundreds of users. You are required to:

Replicate user and group lifecycle changes from the on-premises LDAP server in Cloud Identity.

Disable any manually created users in Cloud Identity.

You have already configured the LDAP search attributes to include the users and security groups in scope for Google Cloud. What should you do next to complete this solution?

Options:

A.

1. Configure the option to suspend domain users not found in LDAP.

2. Set up a recurring GCDS task.

B.

1. Configure the option to delete domain users not found in LDAP.

2. Run GCDS after user and group lifecycle changes.

C.

1. Configure the LDAP search attributes to exclude manually created Cloud Identity users not found in LDAP.

2. Set up a recurring GCDS task.

D.

1. Configure the LDAP search attributes to exclude manually created Cloud identity users not found in LDAP.

2. Run GCDS after user and group lifecycle changes.

Buy Now
Questions 47

A customer’s internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).

How should the team complete this task?

Options:

A.

Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.

B.

Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.

C.

Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.

D.

Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.

Buy Now
Questions 48

Your organization wants to be continuously evaluated against CIS Google Cloud Computing Foundations Benchmark v1 3 0 (CIS Google Cloud Foundation 1 3). Some of the controls are irrelevant to your organization and must be disregarded in evaluation. You need to create an automated system or process to ensure that only the relevant controls are evaluated.

What should you do?

Options:

A.

Mark all security findings that are irrelevant with a tag and a value that indicates a security exception Selectall marked findings and mute them on the console every time they appear Activate Security CommandCenter (SCC) Premium.

B.

Activate Security Command Center (SCC) Premium Create a rule to mute the security findings in SCC sothey are not evaluated.

C.

Download all findings from Security Command Center (SCC) to a CSV file Mark the findings that are part ofCIS Google Cloud Foundation 1 3 in the file Ignore the entries that are irrelevant and out of scope for thecompany.

D.

Ask an external audit company to provide independent reports including needed CIS benchmarks. In thescope of the audit clarify that some of the controls are not needed and must be disregarded.

Buy Now
Questions 49

Your company's Chief Information Security Officer (CISO) creates a requirement that business data must be stored in specific locations due to regulatory requirements that affect the company's global expansion plans. After working on the details to implement this requirement, you determine the following:

The services in scope are included in the Google Cloud Data Residency Terms.

The business data remains within specific locations under the same organization.

The folder structure can contain multiple data residency locations.

You plan to use the Resource Location Restriction organization policy constraint. At which level in the resource hierarchy should you set the constraint?

Options:

A.

Folder

B.

Resource

C.

Project

D.

Organization

Buy Now
Questions 50

You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?

Options:

A.

Use Packet Mirroring to mirror traffic to and from particular VM instances. Perform inspection using security software that analyzes the mirrored traffic.

B.

Enable VPC Flow Logs for all subnets in the VPC. Perform inspection on the Flow Logs data using Cloud Logging.

C.

Configure the Fluentd agent on each VM Instance within the VPC. Perform inspection on the log data using Cloud Logging.

D.

Configure Google Cloud Armor access logs to perform inspection on the log data.

Buy Now
Questions 51

A customer has an analytics workload running on Compute Engine that should have limited internet access.

Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.

The Compute Engine instances now need to reach out to the public repository to get security updates. What should your team do?

Options:

A.

Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.

B.

Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.

C.

Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.

D.

Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.

Buy Now
Questions 52

An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google's responsibility lies. They are mostly running workloads using Google Cloud's Platform-as-a-Service (PaaS) offerings, including App Engine primarily.

Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?

Options:

A.

Configuring and monitoring VPC Flow Logs

B.

Defending against XSS and SQLi attacks

C.

Manage the latest updates and security patches for the Guest OS

D.

Encrypting all stored data

Buy Now
Questions 53

Your company is moving to Google Cloud. You plan to sync your users first by using Google Cloud Directory Sync (GCDS). Some employees have already created Google Cloud accounts by using their company email addresses that were created outside of GCDS. You must create your users on Cloud Identity.

What should you do?

Options:

A.

Configure GCDS and use GCDS search rules lo sync these users.

B.

Use the transfer tool to migrate unmanaged users.

C.

Write a custom script to identify existing Google Cloud users and call the Admin SDK Directory API totransfer their account.

D.

Configure GCDS and use GCDS exclusion rules to ensure users are not suspended.

Buy Now
Questions 54

An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request.

Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses

Which solution should your team implement to meet these requirements?

Options:

A.

Cloud Armor

B.

Network Load Balancing

C.

SSL Proxy Load Balancing

D.

NAT Gateway

Buy Now
Questions 55

The security operations team needs access to the security-related logs for all projects in their organization. They have the following requirements:

Follow the least privilege model by having only view access to logs.

Have access to Admin Activity logs.

Have access to Data Access logs.

Have access to Access Transparency logs.

Which Identity and Access Management (IAM) role should the security operations team be granted?

Options:

A.

roles/logging.privateLogViewer

B.

roles/logging.admin

C.

roles/viewer

D.

roles/logging.viewer

Buy Now
Questions 56

You are setting up a new Cloud Storage bucket in your environment that is encrypted with a customer managed encryption key (CMEK). The CMEK is stored in Cloud Key Management Service (KMS). in project "pr j -a", and the Cloud Storage bucket will use project "prj-b". The key is backed by a Cloud Hardware Security Module (HSM) and resides in the region europe-west3. Your storage bucket will be located in the region europe-west1. When you create the bucket, you cannot access the key. and you need to troubleshoot why.

What has caused the access issue?

Options:

A.

A firewall rule prevents the key from being accessible.

B.

Cloud HSM does not support Cloud Storage

C.

The CMEK is in a different project than the Cloud Storage bucket

D.

The CMEK is in a different region than the Cloud Storage bucket.

Buy Now
Questions 57

A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet.

How should this be accomplished?

Options:

A.

Create a firewall rule to block internet traffic from the VM.

B.

Provision a NAT Gateway to access the Cloud Storage API endpoint.

C.

Enable Private Google Access on the VPC.

D.

Mount a Cloud Storage bucket as a local filesystem on every VM.

Buy Now
Questions 58

Which Google Cloud service should you use to enforce access control policies for applications and resources?

Options:

A.

Identity-Aware Proxy

B.

Cloud NAT

C.

Google Cloud Armor

D.

Shielded VMs

Buy Now
Questions 59

You run applications on Cloud Run. You already enabled container analysis for vulnerability scanning. However, you are concerned about the lack of control on the applications that are deployed. You must ensure that only trusted container images are deployed on Cloud Run.

What should you do?

Choose 2 answers

Options:

A.

EnableBinary Authorization on the existing Kubernetes cluster.

B.

Set the organization policy constraint constraints/run. allowedBinaryAuthorizationPolicie to

the list of allowed Binary Authorization policy names.

C.

Set the organization policy constraint constraints/compute.trustedimageProjects to the list of

protects that contain the trusted container images.

D.

Enable Binary Authorization on the existing Cloud Run service.

E.

Use Cloud Run breakglass to deploy an image that meets the Binary Authorization policy by default.

Buy Now
Questions 60

A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location.

Which solution will restrict access to the in-progress sites?

Options:

A.

Upload an .htaccess file containing the customer and employee user accounts to App Engine.

B.

Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic.

C.

Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts.

D.

Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the company’s GCP Virtual Private Cloud (VPC) network.

Buy Now
Questions 61

You want to evaluate GCP for PCI compliance. You need to identify Google’s inherent controls.

Which document should you review to find the information?

Options:

A.

Google Cloud Platform: Customer Responsibility Matrix

B.

PCI DSS Requirements and Security Assessment Procedures

C.

PCI SSC Cloud Computing Guidelines

D.

Product documentation for Compute Engine

Buy Now
Questions 62

A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects.

Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources.

Which type of access should your team grant to meet this requirement?

Options:

A.

Organization Administrator

B.

Security Reviewer

C.

Organization Role Administrator

D.

Organization Policy Administrator

Buy Now
Questions 63

You work for an organization in a regulated industry that has strict data protection requirements. The organization backs up their data in the cloud. To comply with data privacy regulations, this data can only be stored for a specific length of time and must be deleted after this specific period.

You want to automate the compliance with this regulation while minimizing storage costs. What should you do?

Options:

A.

Store the data in a persistent disk, and delete the disk at expiration time.

B.

Store the data in a Cloud Bigtable table, and set an expiration time on the column families.

C.

Store the data in a BigQuery table, and set the table's expiration time.

D.

Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.

Buy Now
Questions 64

Your company conducts clinical trials and needs to analyze the results of a recent study that are stored in BigQuery. The interval when the medicine was taken contains start and stop dates The interval data is critical to the analysis, but specific dates may identify a particular batch and introduce bias You need to obfuscate the start and end dates for each row and preserve the interval data.

What should you do?

Options:

A.

Use bucketing to shift values to a predetermined date based on the initial value.

B.

Extract the date using TimePartConfig from each date field and append a random month and year

C.

Use date shifting with the context set to the unique ID of the test subject

D.

Use the FFX mode of format preserving encryption (FPE) and maintain data consistency

Buy Now
Questions 65

You are onboarding new users into Cloud Identity and discover that some users have created consumer user accounts using the corporate domain name. How should you manage these consumer user accounts with Cloud Identity?

Options:

A.

Use Google Cloud Directory Sync to convert the unmanaged user accounts.

B.

Create a new managed user account for each consumer user account.

C.

Use the transfer tool for unmanaged user accounts.

D.

Configure single sign-on using a customer's third-party provider.

Buy Now
Questions 66

You define central security controls in your Google Cloud environment for one of the folders in your organization you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later you receive an alert about a new VM with an external IP address under that folder.

What could have caused this alert?

Options:

A.

The VM was created with a static external IP address that was reserved in the project before theorganizational policy rule was set.

B.

The organizational policy constraint wasn't properly enforced and is running in "dry run mode.

C.

At project level, the organizational policy control has been overwritten with an 'allow' value.

D.

The policy constraint on the folder level does not have any effect because of an allow" value for thatconstraint on the organizational level.

Buy Now
Questions 67

Employees at your company use their personal computers to access your organization s Google Cloud console. You need to ensure that users can only access the Google Cloud console from their corporate-issued devices and verify that they have a valid enterprise certificate

What should you do?

Options:

A.

Implement an Identity and Access Management (1AM) conditional policy to verify the device certificate

B.

Implement a VPC firewall policy Activate packet inspection and create an allow rule to validate and verify the device certificate.

C.

Implement an organization policy to verify the certificate from the access context.

D.

Implement an Access Policy in BeyondCorp Enterprise to verify the device certificate Create an access binding with the access policy just created.

Buy Now
Questions 68

You need to set up a Cloud interconnect connection between your company's on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?

Options:

A.

Enable Private Google Access on the regional subnets and global dynamic routing mode.

B.

Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud interconnect connection.

C.

Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.

D.

Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.

Buy Now
Questions 69

A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means.

Which connectivity option should be implemented?

Options:

A.

VPC peering

B.

Cloud VPN

C.

Cloud Interconnect

D.

Shared VPC

Buy Now
Exam Code: Professional-Cloud-Security-Engineer
Exam Name: Google Cloud Certified - Professional Cloud Security Engineer
Last Update: May 1, 2024
Questions: 233

PDF + Testing Engine

$56  $159.99
buy now Professional-Cloud-Security-Engineer pdf + testing engine

Testing Engine

$42  $119.99
buy now Professional-Cloud-Security-Engineer testing engine

PDF (Q&A)

$35  $99.99
buy now Professional-Cloud-Security-Engineer pdf
dumpsmate guaranteed to pass
24/7 Customer Support

DumpsMate's team of experts is always available to respond your queries on exam preparation. Get professional answers on any topic of the certification syllabus. Our experts will thoroughly satisfy you.

Site Secure

mcafee secure

TESTED 07 May 2024