Study Online Professional Cloud Security Engineer Exam Dumps to Pass

Category:

Comments:

0 Comments

Post Date:

December 9, 2023

Professional Cloud Security Engineer dumps questions can help you identify areas where you need to focus your studies. As you answer questions, you will be able to see which topics you are comfortable with and which ones you need to spend more time studying. Google Professional Cloud Security Engineer dumps questions provide realistic practice for the certification exam. Professional Cloud Security Engineer dumps are designed to simulate the actual exam environment, and they will give you a chance to practice answering questions under time pressure. Study free Google Professional Cloud Security Engineer online dumps below.

Page 1 of 7

1. A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location.

How should the company accomplish this?

Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.

Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.

Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.

Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.

2. Your company’s cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs.

Which service should you use?

Identity Aware-Proxy

Cloud NAT

TCP/UDP Load Balancing

Cloud DNS

3. A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.

How should the customer achieve this using Google Cloud Platform?

Use Cloud Source Repositories, and store secrets in Cloud SQ

Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.

Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQ

Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.

4. You are working with a client that is concerned about control of their encryption keys for sensitive data. The client does not want to store encryption keys at rest in the same cloud service provider (CSP) as the data that the keys are encrypting.

Which Google Cloud encryption solutions should you recommend to this client? (Choose two.)

Customer-supplied encryption keys.

Google default encryption

Secret Manager

Cloud External Key Manager

Customer-managed encryption keys

5. You are migrating an on-premises data warehouse to BigQuery Cloud SQL, and Cloud Storage. You need to configure security services in the data warehouse.

Your company compliance policies mandate that the data warehouse must:

• Protect data at rest with full lifecycle management on cryptographic keys

• Implement a separate key management provider from data management

• Provide visibility into all encryption key requests

What services should be included in the data warehouse implementation? Choose 2 answers

Customer-managed encryption keys

Customer-Supplied Encryption Keys

Key Access Justifications

Access Transparency and Approval

Cloud External Key Manager

6. You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM.

What should you do?

Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have “user email address” as the attribute to facilitate one-way sync.

Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have “user email address” as the attribute to facilitate bidirectional sync.

Use a management tool to sync the subset based on the email address attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

Use a management tool to sync the subset based on group object class attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

7. Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud.

What should you do?

Use the Cloud Key Management Service to manage the data encryption key (DEK).

Use the Cloud Key Management Service to manage the key encryption key (KEK).

Use customer-supplied encryption keys to manage the data encryption key (DEK).

Use customer-supplied encryption keys to manage the key encryption key (KEK).

8. A customer’s company has multiple business units. Each business unit operates independently, and each has their own engineering group. Your team wants visibility into all projects created within the company and wants to organize their Google Cloud Platform (GCP) projects based on different business units. Each business unit also requires separate sets of IAM permissions.

Which strategy should you use to meet these needs?

Create an organization node, and assign folders for each business unit.

Establish standalone projects for each business unit, using gmail.com accounts.

Assign GCP resources in a project, with a label identifying which business unit owns the resource.

Assign GCP resources in a VPC for each business unit to separate network access.

9. A company’s application is deployed with a user-managed Service Account key. You want to use Google- recommended practices to rotate the key.

What should you do?

Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam-account=IAM_ACCOUN

Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam- account=IAM_ACCOUNT --key=NEW_KE

Create a new key, and use the new key in the application. Delete the old key from the Service Account.

Create a new key, and use the new key in the application. Store the old key on the system as a backup key.

10. You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud.

Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.)

Use Google default encryption.

Manually add users to Google Cloud.

Provision users with basic roles using Google's Identity and Access Management (1AM) service.

Use SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.

Provide granular access with predefined roles.

Page 2 of 7

11. You define central security controls in your Google Cloud environment for one of the folders in your organization you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later you receive an alert about a new VM with an external IP address under that folder.

What could have caused this alert?

The VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.

The organizational policy constraint wasn't properly enforced and is running in "dry run mode.

At project level, the organizational policy control has been overwritten with an 'allow' value.

The policy constraint on the folder level does not have any effect because of an allow" value for that constraint on the organizational level.

12. Which type of load balancer should you use to maintain client IP by default while using the standard network tier?

SSL Proxy

TCP Proxy

Internal TCP/UDP

TCP/UDP Network

13. A customer’s data science group wants to use Google Cloud Platform (GCP) for their analytics workloads. Company policy dictates that all data must be company-owned and all user authentications must go through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and realized that their domain was already being used by G Suite.

How should you best advise the Systems Engineer to proceed with the least disruption?

Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.

Ask Google to provision the data science manager’s account as a Super Administrator in the existing domain.

Ask customer’s management to discover any other uses of Google managed services, and work with the existing Super Administrator.

14. You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to-know basis to the HR team.

What should you do?

Perform data masking with the DLP API and store that data in BigQuery for later use.

Perform data redaction with the DLP API and store that data in BigQuery for later use.

Perform data inspection with the DLP API and store that data in BigQuery for later use.

Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.

15. Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups.

Which Google Cloud service should you use?

Cloud DNS with DNSSEC

Cloud NAT

HTTP(S) Load Balancing

Google Cloud Armor

16. You recently joined the networking team supporting your company's Google Cloud implementation. You are tasked with familiarizing yourself with the firewall rules configuration and providing recommendations based on your networking and Google Cloud experience.

What product should you recommend to detect firewall rules that are overlapped by attributes from other firewall rules with higher or equal priority?

Security Command Center

Firewall Rules Logging

VPC Flow Logs

Firewall Insights

17. A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places.

Which Storage solution are they allowed to use?

Cloud Bigtable

Cloud BigQuery

Compute Engine SSD Disk

Compute Engine Persistent Disk

18. A customer wants to deploy a large number of 3-tier web applications on Compute Engine.

How should the customer ensure authenticated network separation between the different tiers of the application?

Run each tier in its own Project, and segregate using Project labels.

Run each tier with a different Service Account (SA), and use SA-based firewall rules.

Run each tier in its own subnet, and use subnet-based firewall rules.

Run each tier with its own VM tags, and use tag-based firewall rules.

19. Your organization is using GitHub Actions as a continuous integration and delivery (Cl/CD) platform.

You must enable access to Google Cloud resources from the Cl/CD pipelines in the most secure way.

What should you do?

Create a service account key and add it to the GitHub pipeline configuration file.

Create a service account key and add it to the GitHub repository content.

Configure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.

Configure workload identity federation to use GitHub as an identity pool provider.

20. You control network traffic for a folder in your Google Cloud environment. Your folder includes multiple projects and Virtual Private Cloud (VPC) networks You want to enforce on the folder level that egress connections are limited only to IP range 10.58.5.0/24 and only from the VPC network dev-vpc." You want to minimize implementation and maintenance effort.

What should you do?

• 1. Attach external IP addresses to the VMs in scope. • 2. Configure a VPC Firewall rule in "dev-vpc" that allows egress connectivity to IP range 10.58.5.0/24 for all source addresses in this network.

• 1. Attach external IP addresses to the VMs in scope. • 2. Define and apply a hierarchical firewall policy on folder level to deny all egress connections and to allow egress to IP range 10 58.5.0/24 from network dev-vpc.

• 1. Leave the network configuration of the VMs in scope unchanged. • 2. Create a new project including a new VPC network "new-vpc." • 3 Deploy a network appliance in "new-vpc" to filter access requests and only allow egress connections from -dev-vpc" to 10.58.5.0/24.

• 1 Leave the network configuration of the VMs in scope unchanged • 2 Enable Cloud NAT for dev-vpc" and restrict the target range in Cloud NAT to 10.58.5 0/24.

Page 3 of 7

21. A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.

What should they do?

Use Cloud Build to build the container images.

Build small containers using small base images.

Delete non-used versions from Container Registry.

Use a Continuous Delivery tool to deploy the application.

22. An office manager at your small startup company is responsible for matching payments to invoices and creating billing alerts. For compliance reasons, the office manager is only permitted to have the Identity and Access Management (IAM) permissions necessary for these tasks.

Which two IAM roles should the office manager have? (Choose two.)

Organization Administrator

Project Creator

Billing Account Viewer

Billing Account Costs Manager

Billing Account User

23. You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.

What should you do?

Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DE

Store both the encrypted data and the encrypted DE

Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DE

Store both the encrypted data and the KE

Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DE

Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KE

24. A retail customer allows users to upload comments and product reviews. The customer needs to make sure the text does not include sensitive data before the comments or reviews are published.

Which Google Cloud Service should be used to achieve this?

Cloud Key Management Service

Cloud Data Loss Prevention API

BigQuery

Cloud Security Scanner

25. You need to audit the network segmentation for your Google Cloud footprint. You currently operate Production and Non-Production infrastructure-as-a-service (IaaS) environments. All your VM instances are deployed without any service account customization.

After observing the traffic in your custom network, you notice that all instances can communicate freely C despite tag-based VPC firewall rules in place to segment traffic properly C with a priority of 1000.

What are the most likely reasons for this behavior?

All VM instances are missing the respective network tags.

All VM instances are residing in the same network subnet.

All VM instances are configured with the same network route.

A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999.

A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 1001.

26. When working with agents in a support center via online chat, an organization’s customers often share pictures of their documents with personally identifiable information (PII). The organization that owns the support center is concerned that the PII is being stored in their databases as part of the regular chat logs they retain for review by internal or external analysts for customer service trend analysis.

Which Google Cloud solution should the organization use to help resolve this concern for the customer while still maintaining data utility?

Use Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.

Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.

Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.

Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.

27. You are a consultant for an organization that is considering migrating their data from its private cloud to Google Cloud. The organization’s compliance team is not familiar with Google Cloud and needs guidance on how compliance requirements will be met on Google Cloud. One specific compliance requirement is for customer data at rest to reside within specific geographic boundaries.

Which option should you recommend for the organization to meet their data residency requirements on Google Cloud?

Organization Policy Service constraints

Shielded VM instances

Access control lists

Geolocation access controls

Google Cloud Armor

28. You are the project owner for a regulated workload that runs in a project you own and manage as an Identity and Access Management (IAM) admin. For an upcoming audit, you need to provide access reviews evidence.

Which tool should you use?

Policy Troubleshooter

Policy Analyzer

IAM Recommender

Policy Simulator

29. You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter.

What should you do?

Add the host project containing the Shared VPC to the service perimeter.

Add the service project where the Compute Engine instances reside to the service perimeter.

Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VP

Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.

30. Your organization is transitioning to Google Cloud You want to ensure that only trusted container images are deployed on Google Kubernetes Engine (GKE) clusters in a project. The containers must be deployed from a centrally managed. Container Registry and signed by a trusted authority.

What should you do?

Choose 2 answers

Configure the Binary Authorization policy with respective attestations for the project.

Create a custom organization policy constraint to enforce Binary Authorization for Google Kubernetes Engine (GKE).

Enable Container Threat Detection in the Security Command Center (SCC) for the project.

Configure the trusted image organization policy constraint for the project.

Enable Pod Security standards and set them to Restricted.

Page 4 of 7

31. You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.

How should you prevent and fix this vulnerability?

Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.

Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

32. Your company wants to determine what products they can build to help customers improve their credit scores depending on their age range. To achieve this, you need to join user information in the company's banking app with customers' credit score data received from a third party. While using this raw data will allow you to complete this task, it exposes sensitive data, which could be propagated into new systems.

This risk needs to be addressed using de-identification and tokenization with Cloud Data Loss Prevention while maintaining the referential integrity across the database.

Which cryptographic token format should you use to meet these requirements?

Deterministic encryption

Secure, key-based hashes

Format-preserving encryption

Cryptographic hashing

33. Applications often require access to “secrets” - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of “who did what, where, and when?” within their GCP projects.

Which two log streams would provide the information that the administrator is looking for? (Choose two.)

Admin Activity logs

System Event logs

Data Access logs

VPC Flow logs

Agent logs

34. A company migrated their entire data/center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time.

What should you do?

Use Resource Manager on the organization level.

Use Forseti Security to automate inventory snapshots.

Use Stackdriver to create a dashboard across all projects.

Use Security Command Center to view all assets across the organization.

35. You are developing a new application that uses exclusively Compute Engine VMs Once a day. this application will execute five different batch jobs Each of the batch jobs requires a dedicated set of permissions on Google Cloud resources outside of your application. You need to design a secure access concept for the batch jobs that adheres to the least-privilege principle.

What should you do?

1. Create a general service account **g-sa" to execute the batch jobs. • 2. Grant the permissions required to execute the batch jobs to g-sa. • 3. Execute the batch jobs with the permissions granted to g-sa

1. Create a general service account "g-sa" to orchestrate the batch jobs. • 2. Create one service account per batch job Mb-sa-[1-5]," and grant only the permissions required to run the individual batch jobs to the service accounts. • 3. Grant the Service Account Token Creator role to g-sa Use g-sa to obtain short-lived access tokens for b-sa-[1-5] and to execute the batch jobs with the permissions of b-sa-[1-5].

1. Create a workload identity pool and configure workload identity pool providers for each batch job • 2. Assign the workload identity user role to each of the identities configured in the providers. • 3. Create one service account per batch job Mb-sa-[1-5]". and grant only the permissions required to run the individual batch jobs to the service accounts • 4. Generate credential configuration files for each of the providers Use these files to execute the batch jobs with the permissions of b-sa-[1-5].

• 1. Create a general service account "g-sa" to orchestrate the batch jobs. • 2. Create one service account per batch job 'b-sa-[1-5) Grant only the permissions required to run the individual batch jobs to the service accounts and generate service account keys for each of these service accounts • 3. Store the service account keys in Secret Manager. Grant g-sa access to Secret Manager and run the batch jobs with the permissions of b-sa-[1-5].

36. A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity- Aware Proxy.

What should the customer do to meet these requirements?

Make sure that the ERP system can validate the JWT assertion in the HTTP requests.

Make sure that the ERP system can validate the identity headers in the HTTP requests.

Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.

Make sure that the ERP system can validate the user’s unique identifier headers in the HTTP requests.

37. Your company's Chief Information Security Officer (CISO) creates a requirement that business data must be stored in specific locations due to regulatory requirements that affect the company's global expansion plans.

After working on the details to implement this requirement, you determine the following:

- The services in scope are included in the Google Cloud Data Residency Terms.

- The business data remains within specific locations under the same organization.

- The folder structure can contain multiple data residency locations.

- You plan to use the Resource Location Restriction organization policy constraint.

At which level in the resource hierarchy should you set the constraint?

Folder

Resource

Project

Organization

38. You perform a security assessment on a customer architecture and discover that multiple VMs have public IP addresses. After providing a recommendation to remove the public IP addresses, you are told those VMs need to communicate to external sites as part of the customer's typical operations.

What should you recommend to reduce the need for public IP addresses in your customer's VMs?

Google Cloud Armor

Cloud NAT

Cloud Router

Cloud VPN

39. You manage a fleet of virtual machines (VMs) in your organization. You have encountered issues with

lack of patching in many VMs. You need to automate regular patching in your VMs and view the

patch management data across multiple projects.

What should you do? Choose 2 answers

Deploy patches with VM Manager by using OS patch management

View patch management data in VM Manager by using OS patch management.

Deploy patches with Security Command Center by using Rapid Vulnerability Detection.

View patch management data in a Security Command Center dashboard.

View patch management data in Artifact Registry.

40. You work for an organization in a regulated industry that has strict data protection requirements. The organization backs up their data in the cloud. To comply with data privacy regulations, this data can only be stored for a specific length of time and must be deleted after this specific period.

You want to automate the compliance with this regulation while minimizing storage costs.

What should you do?

Store the data in a persistent disk, and delete the disk at expiration time.

Store the data in a Cloud Bigtable table, and set an expiration time on the column families.

Store the data in a BigQuery table, and set the table's expiration time.

Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.

Page 5 of 7

41. Your organization operates Virtual Machines (VMs) with only private IPs in the Virtual Private Cloud

(VPC) with internet access through Cloud NAT Everyday, you must patch all VMs with critical OS

updates and provide summary reports

What should you do?

Validate that the egress firewall rules allow any outgoing traffic Log in to each VM and execute OS specific update commands Configure the Cloud Scheduler job to update with critical patches daily for daily updates.

Ensure that VM Manager is installed and running on the VMs. In the OS patch management service. configure the patch jobs to update with critical patches daily.

Assign public IPs to VMs. Validate that the egress firewall rules allow any outgoing traffic Log in to each V

and configure a daily cron job to enable for OS updates at night during low activity periods.

Copy the latest patches to the Cloud Storage bucket. Log in to each V

download the patches from the bucket, and install them.

42. You manage a mission-critical workload for your organization, which is in a highly regulated industry The workload uses Compute Engine VMs to analyze and process the sensitive data after it is uploaded to Cloud Storage from the endpomt computers. Your compliance team has detected that this workload does not meet the data protection requirements for sensitive data.

You need to meet these requirements;

• Manage the data encryption key (DEK) outside the Google Cloud boundary.

• Maintain full control of encryption keys through a third-party provider.

• Encrypt the sensitive data before uploading it to Cloud Storage

• Decrypt the sensitive data during processing in the Compute Engine VMs

• Encrypt the sensitive data in memory while in use in the Compute Engine VMs

What should you do? Choose 2 answers

Create a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets

Migrate the Compute Engine VMs to Confidential VMs to access the sensitive data.

Configure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage and decrypt the sensitive data after it is downloaded into your VMs

Create Confidential VMs to access the sensitive data.

Configure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.

43. You are setting up a new Cloud Storage bucket in your environment that is encrypted with a customer managed encryption key (CMEK). The CMEK is stored in Cloud Key Management Service (KMS). in project "pr j -a", and the Cloud Storage bucket will use project "prj-b". The key is backed by a Cloud Hardware Security Module (HSM) and resides in the region europe-west3. Your storage bucket will be located in the region europe-west1. When you create the bucket, you cannot access the key. and you need to troubleshoot why.

What has caused the access issue?

A firewall rule prevents the key from being accessible.

Cloud HSM does not support Cloud Storage

The CMEK is in a different project than the Cloud Storage bucket

The CMEK is in a different region than the Cloud Storage bucket.

44. You have stored company approved compute images in a single Google Cloud project that is used as an image repository. This project is protected with VPC Service Controls and exists in the perimeter along with other projects in your organization. This lets other projects deploy images from the image repository project. A team requires deploying a third-party disk image that is stored in an external Google Cloud organization. You need to grant read access to the disk image so that it can be deployed into the perimeter.

What should you do?

• 1 Update the perimeter • 2 Configure the egressTo field to set identity Type to any_identity. • 3 Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

• Allow the external project by using the organizational policy constraints/compute.trustedlmageProjects.

• 1 Update the perimeter • 2 Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com. • 3 Configure the egressFrom field to set identity Type to any_idestity.

• 1 Update the perimeter • 2 Configure the ingressFrcm field to set identityType to an-y_identity. • 3 Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis -com.

45. Your Google Cloud environment has one organization node, one folder named Apps." and several projects within that folder The organizational node enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allows members from the terramearth.com organization The "Apps" folder enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allows members from the flowlogistic.com organization. It also has the inheritFromParent: false property.

You attempt to grant access to a project in the Apps folder to the user [email protected].

What is the result of your action and why?

The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy must be defined on the current project to deactivate the constraint temporarily.

The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed.

The action succeeds because members from both organizations, terramearth. com or flowlogistic.com, are allowed on projects in the "Apps" folder

The action succeeds and the new member is successfully added to the project's Identity and Access Management (1AM) policy because all policies are inherited by underlying folders and projects.

46. A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet.

How should this be accomplished?

Create a firewall rule to block internet traffic from the V

Provision a NAT Gateway to access the Cloud Storage API endpoint.

Enable Private Google Access on the VP

Mount a Cloud Storage bucket as a local filesystem on every V

47. You are creating an internal App Engine application that needs to access a user’s Google Drive on the user’s behalf. Your company does not want to rely on the current user’s credentials. It also wants to follow Google- recommended practices.

What should you do?

Create a new Service account, and give all application users the role of Service Account User.

Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.

Use a dedicated G Suite Admin account, and authenticate the application’s operations with these G Suite credentials.

Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.

48. An organization’s typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review.

How should you advise this organization?

Use Forseti with Firewall filters to catch any unwanted configurations in production.

Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.

Route all VPC traffic through customer-managed routers to detect malicious patterns in production.

All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.

49. 1.Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.

Which two settings must remain disabled to meet these requirements? (Choose two.)

Public IP

IP Forwarding

Private Google Access

Static routes

IAM Network User Role

50. When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)

Ensure that the app does not run as PID 1.

Package a single app as a container.

Remove any unnecessary tools not needed by the app.

Use public container images as a base image for the app.

Use many container image layers to hide sensitive information.

Page 6 of 7

51. You have an application where the frontend is deployed on a managed instance group in subnet A and the data layer is stored on a mysql Compute Engine virtual machine (VM) in subnet B on the same VPC. Subnet A and Subnet B hold several other Compute Engine VMs. You only want to allow thee application frontend to access the data in the application's mysql instance on port 3306.

What should you do?

Configure an ingress firewall rule that allows communication from the src IP range of subnet A to the tag "data-tag" that is applied to the mysql Compute Engine VM on port 3306.

Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306.

Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet

Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged fe-tag.

Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet

Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.

52. Your organization s record data exists in Cloud Storage. You must retain all record data for at least

seven years. This policy must be permanent.

What should you do?

• 1 Identify buckets with record data • 2 Apply a retention policy and set it to retain for seven years • 3 Monitor the bucket by using log-based alerts to ensure that no modifications to the retention policy occurs

• 1 Identify buckets with record data • 2 Apply a retention policy and set it to retain for seven years • 3 Remove any Identity and Access Management (IAM) roles that contain the storage buckets update permission

• 1 Identify buckets with record data • 2 Enable the bucket policy only to ensure that data is retained • 3 Enable bucket lock

• 1 Identify buckets with record data • 2 Apply a retention policy and set it to retain for seven years • 3 Enable bucket lock

53. Your organization is rolling out a new continuous integration and delivery (CI/CD) process to deploy infrastructure and applications in Google Cloud Many teams will use their own instances of the CI/CD workflow It will run on Google Kubernetes Engine (GKE) The CI/CD pipelines must be designed to securely access Google Cloud APIs

What should you do?

• 1 Create a dedicated service account for the CI/CD pipelines • 2 Run the deployment pipelines in a dedicated nodes pool in the GKE cluster • 3 Use the service account that you created as identity for the nodes in the pool to authenticate to the Google Cloud APIs

• 1 Create service accounts for each deployment pipeline • 2 Generate private keys for the service accounts • 3 Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deploy pipeline

* 1 Create individual service accounts (or each deployment pipeline • 2 Add an identifier for the pipeline in the service account naming convention • 3 Ensure each pipeline runs on dedicated pods • 4 Use workload identity to map a deployment pipeline pod with a service account

• 1 Create two service accounts one for the infrastructure and one for the application deployment • 2 Use workload identities to let the pods run the two pipelines and authenticate with the service accounts • 3 Run the infrastructure and application pipelines in separate namespaces

54. Your organization must comply with the regulation to keep instance logging data within Europe. Your workloads will be hosted in the Netherlands in region europe-west4 in a new project. You must configure Cloud Logging to keep your data in the country.

What should you do?

Configure the organization policy constraint gcp.resourceLocations to europe-west4.

Set the logging storage region to eurcpe-west4 by using the gcloud CLI logging settings update.

Create a new tog bucket in europe-west4. and redirect the _Def auit bucKet to the new bucket.

Configure log sink to export all logs into a Cloud Storage bucket in europe-west4.

55. You discovered that sensitive personally identifiable information (PII) is being ingested to your Google Cloud environment in the daily ETL process from an on-premises environment to your BigQuery datasets. You need to redact this data to obfuscate the PII, but need to re-identify it for data analytics purposes.

Which components should you use in your solution? (Choose two.)

Secret Manager

Cloud Key Management Service

Cloud Data Loss Prevention with cryptographic hashing

Cloud Data Loss Prevention with automatic text redaction

Cloud Data Loss Prevention with deterministic encryption using AES-SIV

56. Which Google Cloud service should you use to enforce access control policies for applications and resources?

Identity-Aware Proxy

Cloud NAT

Google Cloud Armor

Shielded VMs

57. Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.

What should your team grant to Engineering Group A to meet this requirement?

Compute Network User Role at the host project level.

Compute Network User Role at the subnet level.

Compute Shared VPC Admin Role at the host project level.

Compute Shared VPC Admin Role at the service project level.

58. An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organization’s risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibility model between the organization and Google Cloud.

What solution would help meet the requirements?

Ensure that firewall rules are in place to meet the required controls.

Set up Cloud Armor to ensure that network security controls can be managed for G Suite.

Network security is a built-in solution and Google’s Cloud responsibility for SaaS products like G Suite.

Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation.

59. An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google's responsibility lies. They are mostly running workloads using Google Cloud's Platform-as-a-Service (PaaS) offerings, including App Engine primarily.

Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?

Configuring and monitoring VPC Flow Logs

Defending against XSS and SQLi attacks

Manage the latest updates and security patches for the Guest OS

Encrypting all stored data

60. You have created an OS image that is hardened per your organization’s security standards and is being stored in a project managed by the security team. As a Google Cloud administrator, you need to make sure all VMs in your Google Cloud organization can only use that specific OS image while minimizing operational overhead.

What should you do? (Choose two.)

Grant users the compuce.imageUser role in their own projects.

Grant users the compuce.imageUser role in the OS image project.

Store the image in every project that is spun up in your organization.

Set up an image access organization policy constraint, and list the security team managed project in the projects allow list.

Remove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.

Page 7 of 7

61. Your organization is moving virtual machines (VMs) to Google Cloud. You must ensure that operating system images that are used across your projects are trusted and meet your security requirements.

What should you do?

Implement an organization policy to enforce that boot disks can only be created from images that come from the trusted image project.

Create a Cloud Function that is automatically triggered when a new virtual machine is created from the trusted image repository Verify that the image is not deprecated.

Implement an organization policy constraint that enables the Shielded VM service on all projects to enforce the trusted image repository usage.

Automate a security scanner that verifies that no common vulnerabilities and exposures (CVEs) are present in your trusted image repository.

62. Your organization uses BigQuery to process highly sensitive, structured datasets.

Following the "need to know" principle, you need to create the Identity and Access Management (IAM) design to meet the needs of these users:

• Business user must access curated reports.

• Data engineer: must administrate the data lifecycle in the platform.

• Security operator: must review user activity on the data platform.

What should you do?

Configure data access log for BigQuery services, and grant Project Viewer role to security operators.

Generate a CSV data file based on the business user's needs, and send the data to their email addresses.

Create curated tables in a separate dataset and assign the role roles/bigquery.dataViewer.

Set row-based access control based on the "region" column, and filter the record from the United States for data engineers.

63. A large e-retailer is moving to Google Cloud Platform with its ecommerce website. The company wants to ensure payment information is encrypted between the customer’s browser and GCP when the customers checkout online.

What should they do?

Configure an SSL Certificate on an L7 Load Balancer and require encryption.

Configure an SSL Certificate on a Network TCP Load Balancer and require encryption.

Configure the firewall to allow inbound traffic on port 443, and block all other inbound traffic.

Configure the firewall to allow outbound traffic on port 443, and block all other outbound traffic.

64. You have been tasked with configuring Security Command Center for your organization’s Google Cloud environment. Your security team needs to receive alerts of potential crypto mining in the organization’s compute environment and alerts for common Google Cloud misconfigurations that impact security.

Which Security Command Center features should you use to configure these alerts? (Choose two.)

Event Threat Detection

Container Threat Detection

Security Health Analytics

Cloud Data Loss Prevention

Google Cloud Armor

65. You are setting up a CI/CD pipeline to deploy containerized applications to your production clusters on Google Kubernetes Engine (GKE). You need to prevent containers with known vulnerabilities from being deployed.

You have the following requirements for your solution:

- Must be cloud-native

- Must be cost-efficient

- Minimize operational overhead

How should you accomplish this? (Choose two.)

Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.

Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.

Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.

Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.

In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.

66. You want to update your existing VPC Service Controls perimeter with a new access level. You need to avoid breaking the existing perimeter with this change, and ensure the least disruptions to users while minimizing overhead.

What should you do?

Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.

Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration. Update the perimeter configuration after the access level has been vetted.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.

67. Your company is concerned about unauthorized parties gaming access to the Google Cloud environment by using a fake login page. You must implement a solution to protect against person-in-the-middle attacks.

Which security measure should you use?

Text message or phone call code

Security key

Google Authenticator application

Google prompt

68. Install external packages from the internet onto the VM.

Your security team just enabled the organizational policy. consrraints/compure.vnExtemallpAccess. to restrict the usage of public IP Addresses on VMs. In response your DevOps team updated their scripts to remove public IP addresses on the Compute Engine VMs however the build pipeline is failing due to connectivity issues.

What should you do? Choose 2 answers

Provision a Cloud NAT instance in the same VPC and region as the Compute Engine VM

Provision an HTTP load balancer with the VM in an unmanaged instance group to allow inbound connections from the internet to your V

Update the VPC routes to allow traffic to and from the internet.

Provision a Cloud VPN tunnel in the same VPC and region as the Compute Engine V

Enable Private Google Access on the subnet that the Compute Engine VM is deployed within.

69. Your Security team believes that a former employee of your company gained unauthorized access to Google Cloud resources some time in the past 2 months by using a service account key. You need to confirm the unauthorized access and determine the user activity.

What should you do?

Use Security Health Analytics to determine user activity.

Use the Cloud Monitoring console to filter audit logs by user.

Use the Cloud Data Loss Prevention API to query logs in Cloud Storage.

Use the Logs Explorer to search for user activity.

TAGS:

Professional Cloud Security Engineer, Professional Cloud Security Engineer exam dumps

Notify of

Label

Name*

Email*

Website

Label

Name*

Email*

Website

0 Comments

Oldest

Newest Most Voted

Inline Feedbacks

View all comments

Get Professional Cloud Security Engineer Dumps Full Version

Q&As: 233
Versions: PDF and Software Download Now

About Dumpsinfo

Dumpsinfo is a good platform providing the latest exam information and dumps questions for all IT certification exams. You can study all the latest exam dumps questions online.

[email protected]

Mon - Sat 9:00am - 6:00pm

Study Online Professional Cloud Security Engineer Exam Dumps to Pass

Related

Posts

ChromeOS Administrator Dumps Questions – Effective Way to Get Certified

Professional Cloud Database Engineer Exam Dumps – Reliable Way to Pass and Get Certified

Get Certified Easily with Online Professional Cloud Network Engineer Dumps

Test Online Professional Cloud DevOps Engineer Dumps Questions to Be Certified

About Us

EMAIL

Services

Opening Hours