Special Summer Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Google > Google Cloud Certified > Professional-Cloud-Security-Engineer

Professional-Cloud-Security-Engineer Google Cloud Certified - Professional Cloud Security Engineer Question and Answers

Question # 4

An organization is moving applications to Google Cloud while maintaining a few mission-critical applications on-premises. The organization must transfer the data at a bandwidth of at least 50 Gbps. What should they use to ensure secure continued connectivity between sites?

A.

Dedicated Interconnect

B.

Cloud Router

C.

Cloud VPN

D.

Partner Interconnect

Full Access
Question # 5

Your organization wants full control of the keys used to encrypt data at rest in their Google Cloud environments. Keys must be generated and stored outside of Google and integrate with many Google Services including BigQuery.

What should you do?

A.

Create a Cloud Key Management Service (KMS) key with imported key material Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.

B.

Create a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM) Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.

C.

Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module

(HSM) system from supported vendors.

D.

Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems Provide the raw CSEK as part of the API call.

Full Access
Question # 6

A customer terminates an engineer and needs to make sure the engineer's Google account is automatically deprovisioned.

What should the customer do?

A.

Use the Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity.

B.

Use the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity.

C.

Configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity.

D.

Configure Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity.

Full Access
Question # 7

You are in charge of creating a new Google Cloud organization for your company. Which two actions should you take when creating the super administrator accounts? (Choose two.)

A.

Create an access level in the Google Admin console to prevent super admin from logging in to Google Cloud.

B.

Disable any Identity and Access Management (1AM) roles for super admin at the organization level in the Google Cloud Console.

C.

Use a physical token to secure the super admin credentials with multi-factor authentication (MFA).

D.

Use a private connection to create the super admin accounts to avoid sending your credentials over the Internet.

E.

Provide non-privileged identities to the super admin users for their day-to-day activities.

Full Access
Question # 8

Your organization must follow the Payment Card Industry Data Security Standard (PCI DSS). To prepare for an audit, you must detect deviations at an infrastructure-as-a-service level in your Google Cloud landing zone. What should you do?

A.

Create a data profile covering all payment-relevant data types. Configure Data Discovery and a risk analysis job in Google Cloud Sensitive Data Protection to analyze findings.​

B.

Use the Google Cloud Compliance Reports Manager to download the latest version of the PCI DSS report. Analyze the report to detect deviations.​

C.

Create an Assured Workloads folder in your Google Cloud organization. Migrate existing projects into the folder and monitor for deviations in the PCI DSS.​

D.

Activate Security Command Center Premium. Use the Compliance Monitoring product to filter findings that may not be PCI DSS compliant.​

Full Access
Question # 9

A customer’s company has multiple business units. Each business unit operates independently, and each has their own engineering group. Your team wants visibility into all projects created within the company and wants to organize their Google Cloud Platform (GCP) projects based on different business units. Each business unit also requires separate sets of IAM permissions.

Which strategy should you use to meet these needs?

A.

Create an organization node, and assign folders for each business unit.

B.

Establish standalone projects for each business unit, using gmail.com accounts.

C.

Assign GCP resources in a project, with a label identifying which business unit owns the resource.

D.

Assign GCP resources in a VPC for each business unit to separate network access.

Full Access
Question # 10

A company’s application is deployed with a user-managed Service Account key. You want to use Google- recommended practices to rotate the key.

What should you do?

A.

Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam- account=IAM_ACCOUNT.

B.

Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam- account=IAM_ACCOUNT --key=NEW_KEY.

C.

Create a new key, and use the new key in the application. Delete the old key from the Service Account.

D.

Create a new key, and use the new key in the application. Store the old key on the system as a backup key.

Full Access
Question # 11

You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud. Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.)

A.

Use Google default encryption.

B.

Manually add users to Google Cloud.

C.

Provision users with basic roles using Google's Identity and Access Management (1AM) service.

D.

Use SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.

E.

Provide granular access with predefined roles.

Full Access
Question # 12

Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?

A.

ISO 27001

B.

ISO 27002

C.

ISO 27017

D.

ISO 27018

Full Access
Question # 13

A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.

Which two approaches can you take to meet the requirements? (Choose two.)

A.

Configure the project with Cloud VPN.

B.

Configure the project with Shared VPC.

C.

Configure the project with Cloud Interconnect.

D.

Configure the project with VPC peering.

E.

Configure all Compute Engine instances with Private Access.

Full Access
Question # 14

A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.

What should they do?

A.

Use Cloud Build to build the container images.

B.

Build small containers using small base images.

C.

Delete non-used versions from Container Registry.

D.

Use a Continuous Delivery tool to deploy the application.

Full Access
Question # 15

Your company is moving to Google Cloud. You plan to sync your users first by using Google Cloud Directory Sync (GCDS). Some employees have already created Google Cloud accounts by using their company email addresses that were created outside of GCDS. You must create your users on Cloud Identity.

What should you do?

A.

Configure GCDS and use GCDS search rules lo sync these users.

B.

Use the transfer tool to migrate unmanaged users.

C.

Write a custom script to identify existing Google Cloud users and call the Admin SDK Directory API to transfer their account.

D.

Configure GCDS and use GCDS exclusion rules to ensure users are not suspended.

Full Access
Question # 16

You are using Security Command Center (SCC) to protect your workloads and receive alerts for suspected security breaches at your company. You need to detect cryptocurrency mining software.

Which SCC service should you use?

A.

Container Threat Detection

B.

Web Security Scanner

C.

Rapid Vulnerability Detection

D.

Virtual Machine Threat Detection

Full Access
Question # 17

How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?

A.

Send all logs to the SIEM system via an existing protocol such as syslog.

B.

Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system.

C.

Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow.

D.

Build a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs.

Full Access
Question # 18

Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.

How should your team meet these requirements?

A.

Enable Private Access on the VPC network in the production project.

B.

Remove the Editor role and grant the Compute Admin IAM role to the engineers.

C.

Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.

D.

Set up a VPC network with two subnets: one with public IPs and one without public IPs.

Full Access
Question # 19

You need to audit the network segmentation for your Google Cloud footprint. You currently operate Production and Non-Production infrastructure-as-a-service (IaaS) environments. All your VM instances are deployed without any service account customization.

After observing the traffic in your custom network, you notice that all instances can communicate freely – despite tag-based VPC firewall rules in place to segment traffic properly – with a priority of 1000. What are the most likely reasons for this behavior?

A.

All VM instances are missing the respective network tags.

B.

All VM instances are residing in the same network subnet.

C.

All VM instances are configured with the same network route.

D.

A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999.

E.

A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 1001.

Full Access
Question # 20

An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege.

Which option meets the requirement of your team?

A.

Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance’s IP address and allows the application to read from the bucket without credentials.

B.

Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.

C.

Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.

D.

Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.

Full Access
Question # 21

Your organization processes sensitive health information. You want to ensure that data is encrypted while in use by the virtual machines (VMs). You must create a policy that is enforced across the entire organization.

What should you do?

A.

Implement an organization policy that ensures that all VM resources created across your organization use customer-managed encryption keys (CMEK) protection.

B.

Implement an organization policy that ensures all VM resources created across your organization are Confidential VM instances.

C.

Implement an organization policy that ensures that all VM resources created across your organization use Cloud External Key Manager (EKM) protection.

D.

No action is necessary because Google encrypts data while it is in use by default.

Full Access
Question # 22

For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on “in- scope” Nodes only. These Nodes can only contain the “in-scope” Pods.

How should the organization achieve this objective?

A.

Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.

B.

Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.

C.

Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.

D.

Run all in-scope Pods in the namespace “in-scope-pci”.

Full Access
Question # 23

You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.

What should you do?

A.

Set up an ACL with OWNER permission to a scope of allUsers.

B.

Set up an ACL with READER permission to a scope of allUsers.

C.

Set up a default bucket ACL and manage access for users using IAM.

D.

Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.

Full Access
Question # 24

Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud. Which two steps should you take to integrate the company’s on-premises Active Directory with Google Cloud and configure access management? (Choose two.)

A.

Use Identity Platform to provision users and groups to Google Cloud.

B.

Use Cloud Identity SAML integration to provision users and groups to Google Cloud.

C.

Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.

D.

Create Identity and Access Management (1AM) roles with permissions corresponding to each Active Directory group.

E.

Create Identity and Access Management (1AM) groups with permissions corresponding to each Active Directory group.

Full Access
Question # 25

You must ensure that the keys used for at-rest encryption of your data are compliant with your organization's security controls. One security control mandates that keys get rotated every 90 days. You must implement an effective detection strategy to validate if keys are rotated as required. What should you do?​

A.

Analyze the crypto key versions of the keys by using data from Cloud Asset Inventory. If an active key is older than 90 days, send an alert message through your incident notification channel.​

B.

Identify keys that have not been rotated by using Security Health Analytics. If a key is not rotated after 90 days, a finding in Security Command Center is raised.​

C.

Assess the keys in the Cloud Key Management Service by implementing code in Cloud Run. If a key is not rotated after 90 days, raise a finding in Security Command Center.​

D.

Define a metric that checks for timely key updates by using Cloud Logging. If a key is not rotated after 90 days, send an alert message through your incident notification channel.​

Full Access
Question # 26

Your company is concerned about unauthorized parties gaming access to the Google Cloud environment by using a fake login page. You must implement a solution to protect against person-in-the-middle attacks.

Which security measure should you use?

A.

Text message or phone call code

B.

Security key

C.

Google Authenticator application

D.

Google prompt

Full Access
Question # 27

An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.

Which Cloud Data Loss Prevention API technique should you use to accomplish this?

A.

Generalization

B.

Redaction

C.

CryptoHashConfig

D.

CryptoReplaceFfxFpeConfig

Full Access
Question # 28

What are the steps to encrypt data using envelope encryption?

A.

Generate a data encryption key (DEK) locally.

Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK.

Store the encrypted data and the wrapped KEK.

B.

Generate a key encryption key (KEK) locally.

Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK.

Store the encrypted data and the wrapped DEK.

C.

Generate a data encryption key (DEK) locally.

Encrypt data with the DEK.

Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.

D.

Generate a key encryption key (KEK) locally.

Generate a data encryption key (DEK) locally. Encrypt data with the KEK.

Store the encrypted data and the wrapped DEK.

Full Access
Question # 29

You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine. Which option should you recommend?

A.

Cloud Key Management Service

B.

Compute Engine guest attributes

C.

Compute Engine custom metadata

D.

Secret Manager

Full Access
Question # 30

Your company’s chief information security officer (CISO) is requiring business data to be stored in specific locations due to regulatory requirements that affect the company’s global expansion plans. After working on a plan to implement this requirement, you determine the following:

    The services in scope are included in the Google Cloud data residency requirements.

    The business data remains within specific locations under the same organization.

    The folder structure can contain multiple data residency locations.

    The projects are aligned to specific locations.

You plan to use the Resource Location Restriction organization policy constraint with very granular control. At which level in the hierarchy should you set the constraint?

A.

Organization

B.

Resource

C.

Project

D.

Folder

Full Access
Question # 31

An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request.

Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses

Which solution should your team implement to meet these requirements?

A.

Cloud Armor

B.

Network Load Balancing

C.

SSL Proxy Load Balancing

D.

NAT Gateway

Full Access
Question # 32

Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization. How should you enforce this?

A.

Configure Secret Manager to manage service account keys.

B.

Enable an organization policy to disable service accounts from being created.

C.

Enable an organization policy to prevent service account keys from being created.

D.

Remove the iam.serviceAccounts.getAccessToken permission from users.

Full Access
Question # 33

Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application. The solution has the following requirements:

Scans must run at least once per week

Must be able to detect cross-site scripting vulnerabilities

Must be able to authenticate using Google accounts

Which solution should you use?

A.

Google Cloud Armor

B.

Web Security Scanner

C.

Security Health Analytics

D.

Container Threat Detection

Full Access
Question # 34

You are migrating an on-premises data warehouse to BigQuery Cloud SQL, and Cloud Storage. You need to configure security services in the data warehouse. Your company compliance policies mandate that the data warehouse must:

• Protect data at rest with full lifecycle management on cryptographic keys

• Implement a separate key management provider from data management

• Provide visibility into all encryption key requests

What services should be included in the data warehouse implementation?

Choose 2 answers

A.

Customer-managed encryption keys

B.

Customer-Supplied Encryption Keys

C.

Key Access Justifications

D.

Access Transparency and Approval

E.

Cloud External Key Manager

Full Access
Question # 35

Your organization is using Active Directory and wants to configure Security Assertion Markup Language (SAML). You must set up and enforce single sign-on (SSO) for all users.

What should you do?

A.

1. Manage SAML profile assignments.

• 2. Enable OpenID Connect (OIDC) in your Active Directory (AD) tenant.

• 3. Verify the domain.

B.

1. Create a new SAML profile.

• 2. Upload the X.509 certificate.

• 3. Enable the change password URL.

• 4. Configure Entity ID and ACS URL in your IdP.

C.

1- Create a new SAML profile.

• 2. Populate the sign-in and sign-out page URLs.

• 3. Upload the X.509 certificate.

• 4. Configure Entity ID and ACS URL in your IdP

D.

1. Configure prerequisites for OpenID Connect (OIDC) in your Active Directory (AD) tenant

• 2. Verify the AD domain.

• 3. Decide which users should use SAML.

• 4. Assign the pre-configured profile to the select organizational units (OUs) and groups.

Full Access
Question # 36

Applications often require access to “secrets” - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of “who did what, where, and when?” within their GCP projects.

Which two log streams would provide the information that the administrator is looking for? (Choose two.)

A.

Admin Activity logs

B.

System Event logs

C.

Data Access logs

D.

VPC Flow logs

E.

Agent logs

Full Access
Question # 37

You work for a healthcare provider that is expanding into the cloud to store and process sensitive patient data. You must ensure the chosen Google Cloud configuration meets these strict regulatory requirements:​

    Data must reside within specific geographic regions.​

    Certain administrative actions on patient data require explicit approval from designated compliance officers.​

    Access to patient data must be auditable.​

What should you do?

A.

Select multiple standard Google Cloud regions for high availability. Implement Access Control Lists (ACLs) on individual storage objects containing patient data. Enable Cloud Audit Logs.​

B.

Deploy an Assured Workloads environment in multiple regions for redundancy. Utilize custom IAM roles with granular permissions. Isolate network-level data by using VPC Service Controls.​

C.

Deploy an Assured Workloads environment in an approved region. Configure Access Approval for sensitive operations on patient data. Enable both Cloud Audit Logs and Access Transparency.​

D.

Select a standard Google Cloud region. Restrict access to patient data based on user location and job function by using Access Context Manager. Enable both Cloud Audit Logging and Access Transparency.​

Full Access
Question # 38

Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.

Which logging export strategy should you use to meet the requirements?

A.

1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project.

2.Subscribe SIEM to the topic.

B.

1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project.

2.Process Cloud Storage objects in SIEM.

C.

1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project.

2.Subscribe SIEM to the topic.

D.

1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project.

2.Process Cloud Storage objects in SIEM.

Full Access
Question # 39

Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network.

How should your team design this network?

A.

Create an ingress firewall rule to allow access only from the application to the database using firewall tags.

B.

Create a different subnet for the frontend application and database to ensure network isolation.

C.

Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.

D.

Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.

Full Access
Question # 40

Your company must follow industry specific regulations. Therefore, you need to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources in the organization called org1.

What command should you execute?

A.

• organization policy: constraints/gcp.restrictStorageNonCraekServices

• binding at: orgl

• policy type: deny

• policy value: storage.gcogleapis.com

B.

• organization policy: constraints/gcp.restrictHonCmekServices

• binding at: orgl

• policy type: deny

• policy value: storage.googleapis.com

C.

• organization policy:constraints/gcp.restrictStorageNonCraekServices

• binding at: orgl

• policy type: allow

• policy value: all supported services

D.

• organization policy: constramts/gcp.restrictNonCmekServices

• binding at: orgl

• policy type: allow

• policy value: storage.googleapis.com

Full Access
Question # 41

Your organization strives to be a market leader in software innovation. You provided a large number of Google Cloud environments so developers can test the integration of Gemini in Vertex AI into their existing applications or create new projects. Your organization has 200 developers and a five-person security team. You must prevent and detect proper security policies across the Google Cloud environments. What should you do? (Choose 2 answers)​

A.

Apply a predefined AI-recommended security posture template for Gemini in Vertex AI in Security Command Center Enterprise or Premium tiers.​

B.

Publish internal policies and clear guidelines to securely develop applications.​

C.

Implement the least privileged access Identity and Access Management roles to prevent misconfigurations.​

D.

Apply organization policy constraints. Detect and monitor drifts by using Security Health Analytics.​

E.

Use Cloud Logging to create log filters to detect misconfigurations. Trigger Cloud Run functions to remediate misconfigurations.​

Full Access
Question # 42

You manage your organization’s Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your VPCs based on network logs. However, you want to explore your environment using network payloads and headers. Which Google Cloud product should you use?

A.

Cloud IDS

B.

VPC Service Controls logs

C.

VPC Flow Logs

D.

Google Cloud Armor

E.

Packet Mirroring

Full Access
Question # 43

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.

Which two settings must remain disabled to meet these requirements? (Choose two.)

A.

Public IP

B.

IP Forwarding

C.

Private Google Access

D.

Static routes

E.

IAM Network User Role

Full Access
Question # 44

You need to enforce a security policy in your Google Cloud organization that prevents users from exposing objects in their buckets externally. There are currently no buckets in your organization. Which solution should you implement proactively to achieve this goal with the least operational overhead?

A.

Create an hourly cron job to run a Cloud Function that finds public buckets and makes them private.

B.

Enable the constraints/storage.publicAccessPrevention constraint at the organization level.

C.

Enable the constraints/storage.uniformBucketLevelAccess constraint at the organization level.

D.

Create a VPC Service Controls perimeter that protects the storage.googleapis.com service in your projects that contains buckets. Add any new project that contains a bucket to the perimeter.

Full Access
Question # 45

You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?

A.

Add the host project containing the Shared VPC to the service perimeter.

B.

Add the service project where the Compute Engine instances reside to the service perimeter.

C.

Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.

D.

Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.

Full Access
Question # 46

A manager wants to start retaining security event logs for 2 years while minimizing costs. You write a filter to select the appropriate log entries.

Where should you export the logs?

A.

BigQuery datasets

B.

Cloud Storage buckets

C.

StackDriver logging

D.

Cloud Pub/Sub topics

Full Access
Question # 47

A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.

Which solution should this customer use?

A.

VPC Flow Logs

B.

Cloud Armor

C.

DNS Security Extensions

D.

Cloud Identity-Aware Proxy

Full Access
Question # 48

You are a security engineer at a finance company. Your organization plans to store data on Google Cloud, but your leadership team is worried about the security of their highly sensitive data Specifically, your

company is concerned about internal Google employees' ability to access your company's data on Google Cloud. What solution should you propose?

A.

Use customer-managed encryption keys.

B.

Use Google's Identity and Access Management (IAM) service to manage access controls on Google Cloud.

C.

Enable Admin activity logs to monitor access to resources.

D.

Enable Access Transparency logs with Access Approval requests for Google employees.

Full Access
Question # 49

Your organization s customers must scan and upload the contract and their driver license into a web portal in Cloud Storage. You must remove all personally identifiable information (Pll) from files that are older than 12 months. Also you must archive the anonymized files for retention purposes.

What should you do?

A.

Set a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PH and moves the files to the archive storage class.

B.

Create a Cloud Data Loss Prevention (DLP) inspection job that de-identifies Pll in files created more than 12 months ago and archives them to another Cloud Storage bucket. Delete the original files.

C.

Schedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys of the Cloud Storage files containing Pll to de-identify them Delete the original keys.

D.

Configure the Autoclass feature of the Cloud Storage bucket to de-identify Pll Archive the files that are older than 12 months Delete the original files.

Full Access
Question # 50

A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects.

Which two steps should the company take to meet these requirements? (Choose two.)

A.

Create a project with multiple VPC networks for each environment.

B.

Create a folder for each development and production environment.

C.

Create a Google Group for the Engineering team, and assign permissions at the folder level.

D.

Create an Organizational Policy constraint for each folder environment.

E.

Create projects for each environment, and grant IAM rights to each engineering user.

Full Access
Question # 51

Your customer has an on-premises Public Key Infrastructure (PKI) with a certificate authority (CA). You need to issue certificates for many HTTP load balancer frontends. The on-premises PKI should be minimally affected due to many manual processes, and the solution needs to scale.

What should you do?

A.

Use Certificate Manager to issue Google managed public certificates and configure it at HTTP the load balancers in your infrastructure as code (laC).

B.

Use Certificate Manager to import certificates issued from on-premises PKI and for the frontends. Leverage the gcloud tool for importing

C.

Use a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.

D.

Use the web applications with PKCS12 certificates issued from subordinate CA based on OpenSSL on-premises Use the gcloud tool for importing. Use the External TCP/UDP Network load balancer instead of an external HTTP Load Balancer.

Full Access
Question # 52

Which two implied firewall rules are defined on a VPC network? (Choose two.)

A.

A rule that allows all outbound connections

B.

A rule that denies all inbound connections

C.

A rule that blocks all inbound port 25 connections

D.

A rule that blocks all outbound connections

E.

A rule that allows all inbound port 80 connections

Full Access
Question # 53

Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups. Which Google Cloud service should you use?

A.

Cloud DNS with DNSSEC

B.

Cloud NAT

C.

HTTP(S) Load Balancing

D.

Google Cloud Armor

Full Access
Question # 54

Which Google Cloud service should you use to enforce access control policies for applications and resources?

A.

Identity-Aware Proxy

B.

Cloud NAT

C.

Google Cloud Armor

D.

Shielded VMs

Full Access
Question # 55

Your company conducts clinical trials and needs to analyze the results of a recent study that are stored in BigQuery. The interval when the medicine was taken contains start and stop dates The interval data is critical to the analysis, but specific dates may identify a particular batch and introduce bias You need to obfuscate the start and end dates for each row and preserve the interval data.

What should you do?

A.

Use bucketing to shift values to a predetermined date based on the initial value.

B.

Extract the date using TimePartConfig from each date field and append a random month and year

C.

Use date shifting with the context set to the unique ID of the test subject

D.

Use the FFX mode of format preserving encryption (FPE) and maintain data consistency

Full Access
Question # 56

You are creating an internal App Engine application that needs to access a user’s Google Drive on the user’s behalf. Your company does not want to rely on the current user’s credentials. It also wants to follow Google- recommended practices.

What should you do?

A.

Create a new Service account, and give all application users the role of Service Account User.

B.

Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.

C.

Use a dedicated G Suite Admin account, and authenticate the application’s operations with these G Suite credentials.

D.

Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.

Full Access
Question # 57

You have the following resource hierarchy. There is an organization policy at each node in the hierarchy as shown. Which load balancer types are denied in VPC A?

A.

All load balancer types are denied in accordance with the global node’s policy.

B.

INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder’s policy.

C.

EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project’s policy.

D.

EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project’s policies.

Full Access
Question # 58

Your application is deployed as a highly available cross-region solution behind a global external HTTP(S) load balancer. You notice significant spikes in traffic from multiple IP addresses but it is unknown whether the IPs are malicious. You are concerned about your application's availability. You want to limit traffic from these clients over a specified time interval.

What should you do?

A.

Configure a rate_based_ban action by using Google Cloud Armor and set the ban_duration_sec parameter to the specified time interval.

B.

Configure a deny action by using Google Cloud Armor to deny the clients that issued too many requests over the specified time interval.

C.

Configure a throttle action by using Google Cloud Armor to limit the number of requests per client over a specified time interval.

D.

Configure a firewall rule in your VPC to throttle traffic from the identified IP addresses.

Full Access
Question # 59

A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery

What should you do?

A.

Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.

B.

Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.

C.

Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.

D.

Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.

Full Access
Question # 60

A batch job running on Compute Engine needs temporary write access to a Cloud Storage bucket. You want the batch job to use the minimum permissions necessary to complete the task. What should you do?

A.

Create a service account with full Cloud Storage administrator permissions. Assign the service account to the Compute Engine instance.

B.

Grant the predefined storage.objectcreator role to the Compute Engine instances default service account.

C.

Create a service account and embed a long-lived service account key file that has write permissions specified directly in the batch job

script.

D.

Create a service account with the storage .objectcreator role. Use service account impersonation in the batch job's code.

Full Access
Question # 61

Your organization wants to publish yearly reports of your website usage analytics. You must ensure that no data with personally identifiable information (PII) is published by using the Cloud Data Loss Prevention (Cloud DLP) API. Data integrity must be preserved. What should you do?​

A.

Encrypt the PII from the report by using the Cloud DLP API.​

B.

Discover and transform PII data in your reports by using the Cloud DLP API.​

C.

Detect all PII in storage by using the Cloud DLP API. Create a cloud function to delete the PII.​

D.

Discover and quarantine your PII data in your storage by using the Cloud DLP API.​

Full Access
Question # 62

You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project.

What should you do?

A.

Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.

B.

Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.

C.

In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.

D.

In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.

Full Access
Question # 63

You control network traffic for a folder in your Google Cloud environment. Your folder includes multiple projects and Virtual Private Cloud (VPC) networks You want to enforce on the folder level that egress connections are limited only to IP range 10.58.5.0/24 and only from the VPC network dev-vpc." You want to minimize implementation and maintenance effort

What should you do?

A.

• 1. Attach external IP addresses to the VMs in scope.

• 2. Configure a VPC Firewall rule in "dev-vpc" that allows egress connectivity to IP range 10.58.5.0/24 for all source addresses in this network.

B.

• 1. Attach external IP addresses to the VMs in scope.

• 2. Define and apply a hierarchical firewall policy on folder level to deny all egress connections and to allow egress to IP range 10 58.5.0/24 from network dev-vpc.

C.

• 1. Leave the network configuration of the VMs in scope unchanged.

• 2. Create a new project including a new VPC network "new-vpc."

• 3 Deploy a network appliance in "new-vpc" to filter access requests and only allow egress connections from -dev-vpc" to 10.58.5.0/24.

D.

• 1 Leave the network configuration of the VMs in scope unchanged

• 2 Enable Cloud NAT for dev-vpc" and restrict the target range in Cloud NAT to 10.58.5 0/24.

Full Access
Question # 64

You’re developing the incident response plan for your company. You need to define the access strategy that your DevOps team will use when reviewing and investigating a deployment issue in your Google Cloud environment. There are two main requirements:

    Least-privilege access must be enforced at all times.

    The DevOps team must be able to access the required resources only during the deployment issue.

How should you grant access while following Google-recommended best practices?

A.

Assign the Project Viewer Identity and Access Management (1AM) role to the DevOps team.

B.

Create a custom 1AM role with limited list/view permissions, and assign it to the DevOps team.

C.

Create a service account, and grant it the Project Owner 1AM role. Give the Service Account User Role on this service account to the DevOps team.

D.

Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team.

Full Access
Question # 65

Your organization uses Google Workspace Enterprise Edition tor authentication. You are concerned about employees leaving their laptops unattended for extended periods of time after authenticating into Google Cloud. You must prevent malicious people from using an employee's unattended laptop to modify their environment.

What should you do?

A.

Create a policy that requires employees to not leave their sessions open for long durations.

B.

Review and disable unnecessary Google Cloud APIs.

C.

Require strong passwords and 2SV through a security token or Google authenticate.

D.

Set the session length timeout for Google Cloud services to a shorter duration.

Full Access
Question # 66

Your Google Cloud organization allows for administrative capabilities to be distributed to each team through provision of a Google Cloud project with Owner role (roles/ owner). The organization contains thousands of Google Cloud Projects Security Command Center Premium has surfaced multiple cpen_myscl_port findings. You are enforcing the guardrails and need to prevent these types of common misconfigurations.

What should you do?

A.

Create a firewall rule for each virtual private cloud (VPC) to deny traffic from 0 0 0 0/0 with priority 0.

B.

Create a hierarchical firewall policy configured at the organization to deny all connections from 0 0 0 0/0.

C.

Create a Google Cloud Armor security policy to deny traffic from 0 0 0 0/0.

D.

Create a hierarchical firewall policy configured at the organization to allow connections only from internal IP ranges

Full Access
Question # 67

Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team.

Which type of networking design should your team use to meet these requirements?

A.

Shared VPC Network with a host project and service projects

B.

Grant Compute Admin role to the networking team for each engineering project

C.

VPC peering between all engineering projects using a hub and spoke model

D.

Cloud VPN Gateway between all engineering projects using a hub and spoke model

Full Access
Question # 68

You are deploying regulated workloads on Google Cloud. The regulation has data residency and data access requirements. It also requires that support is provided from the same geographical location as where the data resides.

What should you do?

A.

Enable Access Transparency Logging.

B.

Deploy resources only to regions permitted by data residency requirements

C.

Use Data Access logging and Access Transparency logging to confirm that no users are accessing data from another region.

D.

Deploy Assured Workloads.

Full Access
Question # 69

You are setting up a CI/CD pipeline to deploy containerized applications to your production clusters on Google Kubernetes Engine (GKE). You need to prevent containers with known vulnerabilities from being deployed. You have the following requirements for your solution:

Must be cloud-native

Must be cost-efficient

Minimize operational overhead

How should you accomplish this? (Choose two.)

A.

Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.

B.

Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.

C.

Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.

D.

Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.

E.

In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.

Full Access
Question # 70

Your organization uses the top-tier folder to separate application environments (prod and dev). The developers need to see all application development audit logs but they are not permitted to review production logs. Your security team can review all logs in production and development environments. You must grant Identity and Access Management (1AM) roles at the right resource level tor the developers and security team while you ensure least privilege.

What should you do?

A.

• 1 Grant logging, viewer rote to the security team at the organization resource level.

• 2 Grant logging, viewer rote to the developer team at the folder resource level that contains all the dev projects.

B.

• 1 Grant logging. viewer rote to the security team at the organization resource level.

• 2 Grant logging. admin role to the developer team at the organization resource level.

C.

• 1 Grant logging.admin role to the security team at the organization resource level.

• 2 Grant logging. viewer rote to the developer team at the folder resource level that contains all the dev projects.

D.

• 1 Grant logging.admin role to the security team at the organization resource level.

• 2 Grant logging.admin role to the developer team at the organization resource level.

Full Access
Question # 71

You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application's backend. What are two requirements for using Google Cloud Armor security policies? (Choose two.)

A.

The load balancer must be an external SSL proxy load balancer.

B.

Google Cloud Armor Policy rules can only match on Layer 7 (L7) attributes.

C.

The load balancer must use the Premium Network Service Tier.

D.

The backend service's load balancing scheme must be EXTERNAL.

E.

The load balancer must be an external HTTP(S) load balancer.

Full Access
Question # 72

Your privacy team uses crypto-shredding (deleting encryption keys) as a strategy to delete personally identifiable information (PII). You need to implement this practice on Google Cloud while still utilizing the majority of the platform’s services and minimizing operational overhead. What should you do?

A.

Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises

B.

Use Cloud External Key Manager to delete specific encryption keys.

C.

Use customer-managed encryption keys to delete specific encryption keys.

D.

Use Google default encryption to delete specific encryption keys.

Full Access
Question # 73

An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its current data backup and disaster recovery solutions to GCP for later analysis. The organization’s production environment will remain on- premises for an indefinite time. The organization wants a scalable and cost-efficient solution.

Which GCP solution should the organization use?

A.

BigQuery using a data pipeline job with continuous updates

B.

Cloud Storage using a scheduled task and gsutil

C.

Compute Engine Virtual Machines using Persistent Disk

D.

Cloud Datastore using regularly scheduled batch upload jobs

Full Access
Question # 74

You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.

What should you do?

A.

Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.

B.

Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.

C.

Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.

D.

Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.

Full Access