New Year Special Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Google > Google Cloud Certified > Professional-Cloud-Security-Engineer

Professional-Cloud-Security-Engineer Google Cloud Certified - Professional Cloud Security Engineer Question and Answers

Question # 4

Your organization uses Google Workspace Enterprise Edition tor authentication. You are concerned about employees leaving their laptops unattended for extended periods of time after authenticating into Google Cloud. You must prevent malicious people from using an employee's unattended laptop to modify their environment.

What should you do?

A.

Create a policy that requires employees to not leave their sessions open for long durations.

B.

Review and disable unnecessary Google Cloud APIs.

C.

Require strong passwords and 2SV through a security token or Google authenticate.

D.

Set the session length timeout for Google Cloud services to a shorter duration.

Full Access
Question # 5

An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.

Which Cloud Identity password guidelines can the organization use to inform their new requirements?

A.

Set the minimum length for passwords to be 8 characters.

B.

Set the minimum length for passwords to be 10 characters.

C.

Set the minimum length for passwords to be 12 characters.

D.

Set the minimum length for passwords to be 6 characters.

Full Access
Question # 6

Your organization develops software involved in many open source projects and is concerned about software supply chain threats You need to deliver provenance for the build to demonstrate the software is untampered.

What should you do?

A.

• 1- Generate Supply Chain Levels for Software Artifacts (SLSA) level 3 assurance by using Cloud Build.

• 2. View the build provenance in the Security insights side panel within the Google Cloud console.

B.

• 1. Review the software process.

• 2. Generate private and public key pairs and use Pretty Good Privacy (PGP) protocols to sign the output software artifacts together with a file containing the address of your enterprise and point of contact.

• 3. Publish the PGP signed attestation to your public web page.

C.

• 1, Publish the software code on GitHub as open source.

• 2. Establish a bug bounty program, and encourage the open source community to review, report, and fix the vulnerabilities.

D.

• 1. Hire an external auditor to review and provide provenance

• 2. Define the scope and conditions.

• 3. Get support from the Security department or representative.

• 4. Publish the attestation to your public web page.

Full Access
Question # 7

You are a member of your company's security team. You have been asked to reduce your Linux bastion host external attack surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can access the internal VPC while off-site. How should you enable this access?

A.

Implement Cloud VPN for the region where the bastion host lives.

B.

Implement OS Login with 2-step verification for the bastion host.

C.

Implement Identity-Aware Proxy TCP forwarding for the bastion host.

D.

Implement Google Cloud Armor in front of the bastion host.

Full Access
Question # 8

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.

Which two settings must remain disabled to meet these requirements? (Choose two.)

A.

Public IP

B.

IP Forwarding

C.

Private Google Access

D.

Static routes

E.

IAM Network User Role

Full Access
Question # 9

You are deploying regulated workloads on Google Cloud. The regulation has data residency and data access requirements. It also requires that support is provided from the same geographical location as where the data resides.

What should you do?

A.

Enable Access Transparency Logging.

B.

Deploy resources only to regions permitted by data residency requirements

C.

Use Data Access logging and Access Transparency logging to confirm that no users are accessing data from another region.

D.

Deploy Assured Workloads.

Full Access
Question # 10

You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources. Your export must meet the following requirements:

Export related logs for all projects in the Google Cloud organization.

Export logs in near real-time to an external SIEM.

What should you do? (Choose two.)

A.

Create a Log Sink at the organization level with a Pub/Sub destination.

B.

Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.

C.

Enable Data Access audit logs at the organization level to apply to all projects.

D.

Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.

E.

Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.

Full Access
Question # 11

A customer’s internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).

How should the team complete this task?

A.

Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.

B.

Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.

C.

Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.

D.

Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.

Full Access
Question # 12

You’re developing the incident response plan for your company. You need to define the access strategy that your DevOps team will use when reviewing and investigating a deployment issue in your Google Cloud environment. There are two main requirements:

    Least-privilege access must be enforced at all times.

    The DevOps team must be able to access the required resources only during the deployment issue.

How should you grant access while following Google-recommended best practices?

A.

Assign the Project Viewer Identity and Access Management (1AM) role to the DevOps team.

B.

Create a custom 1AM role with limited list/view permissions, and assign it to the DevOps team.

C.

Create a service account, and grant it the Project Owner 1AM role. Give the Service Account User Role on this service account to the DevOps team.

D.

Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team.

Full Access
Question # 13

Your company's Chief Information Security Officer (CISO) creates a requirement that business data must be stored in specific locations due to regulatory requirements that affect the company's global expansion plans. After working on the details to implement this requirement, you determine the following:

The services in scope are included in the Google Cloud Data Residency Terms.

The business data remains within specific locations under the same organization.

The folder structure can contain multiple data residency locations.

You plan to use the Resource Location Restriction organization policy constraint. At which level in the resource hierarchy should you set the constraint?

A.

Folder

B.

Resource

C.

Project

D.

Organization

Full Access
Question # 14

A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means.

Which connectivity option should be implemented?

A.

VPC peering

B.

Cloud VPN

C.

Cloud Interconnect

D.

Shared VPC

Full Access
Question # 15

Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate,

and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud.

What should you do?

A.

Use the Cloud Key Management Service to manage the data encryption key (DEK).

B.

Use the Cloud Key Management Service to manage the key encryption key (KEK).

C.

Use customer-supplied encryption keys to manage the data encryption key (DEK).

D.

Use customer-supplied encryption keys to manage the key encryption key (KEK).

Full Access
Question # 16

You are the security admin of your company. Your development team creates multiple GCP projects under the "implementation" folder for several dev, staging, and production workloads. You want to prevent data exfiltration by malicious insiders or compromised code by setting up a security perimeter. However, you do not want to restrict communication between the projects.

What should you do?

A.

Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.

B.

Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.

C.

Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.

D.

Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.

Full Access
Question # 17

You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud. Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.)

A.

Use Google default encryption.

B.

Manually add users to Google Cloud.

C.

Provision users with basic roles using Google's Identity and Access Management (1AM) service.

D.

Use SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.

E.

Provide granular access with predefined roles.

Full Access
Question # 18

A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in BigQuery.

What technique should the institution use?

A.

Use Cloud Storage as a federated Data Source.

B.

Use a Cloud Hardware Security Module (Cloud HSM).

C.

Customer-managed encryption keys (CMEK).

D.

Customer-supplied encryption keys (CSEK).

Full Access
Question # 19

An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well- established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the “source of truth” directory for identities.

Which solution meets the organization's requirements?

A.

Google Cloud Directory Sync (GCDS)

B.

Cloud Identity

C.

Security Assertion Markup Language (SAML)

D.

Pub/Sub

Full Access
Question # 20

Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application. The solution has the following requirements:

Scans must run at least once per week

Must be able to detect cross-site scripting vulnerabilities

Must be able to authenticate using Google accounts

Which solution should you use?

A.

Google Cloud Armor

B.

Web Security Scanner

C.

Security Health Analytics

D.

Container Threat Detection

Full Access
Question # 21

You are routing all your internet facing traffic from Google Cloud through your on-premises internet connection. You want to accomplish this goal securely and with the highest bandwidth possible.

What should you do?

A.

Create an HA VPN connection to Google Cloud Replace the default 0 0 0 0/0 route.

B.

Create a routing VM in Compute Engine Configure the default route with the VM as the next hop.

C.

Configure Cloud Interconnect with HA VPN Replace the default 0 0 0 0/0 route to an on-premises destination.

D.

Configure Cloud Interconnect and route traffic through an on-premises firewall.

Full Access
Question # 22

You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?

A.

Google Cloud Armor's preconfigured rules in preview mode

B.

Prepopulated VPC firewall rules in monitor mode

C.

The inherent protections of Google Front End (GFE)

D.

Cloud Load Balancing firewall rules

E.

VPC Service Controls in dry run mode

Full Access
Question # 23

An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google's responsibility lies. They are mostly running workloads using Google Cloud's Platform-as-a-Service (PaaS) offerings, including App Engine primarily.

Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?

A.

Configuring and monitoring VPC Flow Logs

B.

Defending against XSS and SQLi attacks

C.

Manage the latest updates and security patches for the Guest OS

D.

Encrypting all stored data

Full Access
Question # 24

You have been tasked with configuring Security Command Center for your organization’s Google Cloud environment. Your security team needs to receive alerts of potential crypto mining in the organization’s compute environment and alerts for common Google Cloud misconfigurations that impact security. Which Security Command Center features should you use to configure these alerts? (Choose two.)

A.

Event Threat Detection

B.

Container Threat Detection

C.

Security Health Analytics

D.

Cloud Data Loss Prevention

E.

Google Cloud Armor

Full Access
Question # 25

You discovered that sensitive personally identifiable information (PII) is being ingested to your Google Cloud environment in the daily ETL process from an on-premises environment to your BigQuery datasets. You need to redact this data to obfuscate the PII, but need to re-identify it for data analytics purposes. Which components should you use in your solution? (Choose two.)

A.

Secret Manager

B.

Cloud Key Management Service

C.

Cloud Data Loss Prevention with cryptographic hashing

D.

Cloud Data Loss Prevention with automatic text redaction

E.

Cloud Data Loss Prevention with deterministic encryption using AES-SIV

Full Access
Question # 26

Your organization is transitioning to Google Cloud You want to ensure that only trusted container images are deployed on Google Kubernetes Engine (GKE) clusters in a project. The containers must be deployed from a centrally managed. Container Registry and signed by a trusted authority.

What should you do?

Choose 2 answers

A.

Configure the Binary Authorization policy with respective attestations for the project.

B.

Create a custom organization policy constraint to enforce Binary Authorization for Google Kubernetes Engine (GKE).

C.

Enable Container Threat Detection in the Security Command Center (SCC) for the project.

D.

Configure the trusted image organization policy constraint for the project.

E.

Enable Pod Security standards and set them to Restricted.

Full Access
Question # 27

Your company requires the security and network engineering teams to identify all network anomalies and be able to capture payloads within VPCs. Which method should you use?

A.

Define an organization policy constraint.

B.

Configure packet mirroring policies.

C.

Enable VPC Flow Logs on the subnet.

D.

Monitor and analyze Cloud Audit Logs.

Full Access
Question # 28

You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.

What should you do?

A.

Set up an ACL with OWNER permission to a scope of allUsers.

B.

Set up an ACL with READER permission to a scope of allUsers.

C.

Set up a default bucket ACL and manage access for users using IAM.

D.

Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.

Full Access
Question # 29

An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request.

Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses

Which solution should your team implement to meet these requirements?

A.

Cloud Armor

B.

Network Load Balancing

C.

SSL Proxy Load Balancing

D.

NAT Gateway

Full Access
Question # 30

What are the steps to encrypt data using envelope encryption?

A.

Generate a data encryption key (DEK) locally.

Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK.

Store the encrypted data and the wrapped KEK.

B.

Generate a key encryption key (KEK) locally.

Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK.

Store the encrypted data and the wrapped DEK.

C.

Generate a data encryption key (DEK) locally.

Encrypt data with the DEK.

Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.

D.

Generate a key encryption key (KEK) locally.

Generate a data encryption key (DEK) locally. Encrypt data with the KEK.

Store the encrypted data and the wrapped DEK.

Full Access
Question # 31

Which Identity-Aware Proxy role should you grant to an Identity and Access Management (IAM) user to access HTTPS resources?

A.

Security Reviewer

B.

lAP-Secured Tunnel User

C.

lAP-Secured Web App User

D.

Service Broker Operator

Full Access
Question # 32

You are migrating an on-premises data warehouse to BigQuery Cloud SQL, and Cloud Storage. You need to configure security services in the data warehouse. Your company compliance policies mandate that the data warehouse must:

• Protect data at rest with full lifecycle management on cryptographic keys

• Implement a separate key management provider from data management

• Provide visibility into all encryption key requests

What services should be included in the data warehouse implementation?

Choose 2 answers

A.

Customer-managed encryption keys

B.

Customer-Supplied Encryption Keys

C.

Key Access Justifications

D.

Access Transparency and Approval

E.

Cloud External Key Manager

Full Access
Question # 33

You are a Security Administrator at your organization. You need to restrict service account creation capability within production environments. You want to accomplish this centrally across the organization. What should you do?

A.

Use Identity and Access Management (IAM) to restrict access of all users and service accounts that have access to the production environment.

B.

Use organization policy constraints/iam.disableServiceAccountKeyCreation boolean to disable the creation of new service accounts.

C.

Use organization policy constraints/iam.disableServiceAccountKeyUpload boolean to disable the creation of new service accounts.

D.

Use organization policy constraints/iam.disableServiceAccountCreation boolean to disable the creation of new service accounts.

Full Access
Question # 34

You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

A.

Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.

B.

Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.

C.

Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.

D.

Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.

Full Access
Question # 35

You are creating an internal App Engine application that needs to access a user’s Google Drive on the user’s behalf. Your company does not want to rely on the current user’s credentials. It also wants to follow Google- recommended practices.

What should you do?

A.

Create a new Service account, and give all application users the role of Service Account User.

B.

Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.

C.

Use a dedicated G Suite Admin account, and authenticate the application’s operations with these G Suite credentials.

D.

Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.

Full Access
Question # 36

An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.

Which Cloud Data Loss Prevention API technique should you use to accomplish this?

A.

Generalization

B.

Redaction

C.

CryptoHashConfig

D.

CryptoReplaceFfxFpeConfig

Full Access
Question # 37

A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with

all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior.

What should you do to meet these requirements?

A.

Create a Folder per department under the Organization. For each department’s Folder, assign the Project Viewer role to the Google Group related to that department.

B.

Create a Folder per department under the Organization. For each department’s Folder, assign the Project Browser role to the Google Group related to that department.

C.

Create a Project per department under the Organization. For each department’s Project, assign the Project Viewer role to the Google Group related to that department.

D.

Create a Project per department under the Organization. For each department’s Project, assign the Project Browser role to the Google Group related to that department.

Full Access
Question # 38

You are onboarding new users into Cloud Identity and discover that some users have created consumer user accounts using the corporate domain name. How should you manage these consumer user accounts with Cloud Identity?

A.

Use Google Cloud Directory Sync to convert the unmanaged user accounts.

B.

Create a new managed user account for each consumer user account.

C.

Use the transfer tool for unmanaged user accounts.

D.

Configure single sign-on using a customer's third-party provider.

Full Access
Question # 39

An organization’s typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review.

How should you advise this organization?

A.

Use Forseti with Firewall filters to catch any unwanted configurations in production.

B.

Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.

C.

Route all VPC traffic through customer-managed routers to detect malicious patterns in production.

D.

All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.

Full Access
Question # 40

Your company recently published a security policy to minimize the usage of service account keys. On-premises Windows-based applications are interacting with Google Cloud APIs. You need to implement Workload Identity Federation (WIF) with your identity provider on-premises.

What should you do?

A.

Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS) Configure a rule to let principals in the pool impersonate the Google Cloud service account.

B.

Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS) Let all principals in the pool impersonate the Google Cloud service account.

C.

Set up a workload identity pool with an OpenID Connect (OIDC) service on the name machine Configure a rule to let principals in the pool impersonate the Google Cloud service account.

D.

Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine Let all principals in the pool impersonate the Google Cloud service account.

Full Access
Question # 41

Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?

A.

ISO 27001

B.

ISO 27002

C.

ISO 27017

D.

ISO 27018

Full Access
Question # 42

You are working with protected health information (PHI) for an electronic health record system. The privacy officer is concerned that sensitive data is stored in the analytics system. You are tasked with anonymizing the sensitive data in a way that is not reversible. Also, the anonymized data should not preserve the character set and length. Which Google Cloud solution should you use?

A.

Cloud Data Loss Prevention with deterministic encryption using AES-SIV

B.

Cloud Data Loss Prevention with format-preserving encryption

C.

Cloud Data Loss Prevention with cryptographic hashing

D.

Cloud Data Loss Prevention with Cloud Key Management Service wrapped cryptographic keys

Full Access
Question # 43

In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.

Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)

A.

App Engine

B.

Cloud Functions

C.

Compute Engine

D.

Google Kubernetes Engine

E.

Cloud Storage

Full Access
Question # 44

You manage a fleet of virtual machines (VMs) in your organization. You have encountered issues with lack of patching in many VMs. You need to automate regular patching in your VMs and view the patch management data across multiple projects.

What should you do?

Choose 2 answers

A.

Deploy patches with VM Manager by using OS patch management

B.

View patch management data in VM Manager by using OS patch management.

C.

Deploy patches with Security Command Center by using Rapid Vulnerability Detection.

D.

View patch management data in a Security Command Center dashboard.

E.

View patch management data in Artifact Registry.

Full Access
Question # 45

You have created an OS image that is hardened per your organization’s security standards and is being stored in a project managed by the security team. As a Google Cloud administrator, you need to make sure all VMs in your Google Cloud organization can only use that specific OS image while minimizing operational overhead. What should you do? (Choose two.)

A.

Grant users the compuce.imageUser role in their own projects.

B.

Grant users the compuce.imageUser role in the OS image project.

C.

Store the image in every project that is spun up in your organization.

D.

Set up an image access organization policy constraint, and list the security team managed project in the projects allow list.

E.

Remove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.

Full Access
Question # 46

You have a highly sensitive BigQuery workload that contains personally identifiable information (Pll) that you want to ensure is not accessible from the internet. To prevent data exfiltration only requests from authorized IP addresses are allowed to query your BigQuery tables.

What should you do?

A.

Use service perimeter and create an access level based on the authorized source IP address as the condition.

B.

Use Google Cloud Armor security policies defining an allowlist of authorized IP addresses at the global HTTPS load balancer.

C.

Use the Restrict allowed Google Cloud APIs and services organization policy constraint along with Cloud Data Loss Prevention (DLP).

D.

Use the Restrict Resource service usage organization policy constraint along with Cloud Data Loss Prevention (DLP).

Full Access
Question # 47

You have stored company approved compute images in a single Google Cloud project that is used as an image repository. This project is protected with VPC Service Controls and exists in the perimeter along with other projects in your organization. This lets other projects deploy images from the image repository project. A team requires deploying a third-party disk image that is stored in an external Google Cloud organization. You need to grant read access to the disk image so that it can be deployed into the perimeter.

What should you do?

A.

• 1 Update the perimeter

• 2 Configure the egressTo field to set identity Type to any_identity.

• 3 Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

B.

* Allow the external project by using the organizational policy

constraints/compute.trustedlmageProjects.

C.

• 1 Update the perimeter

• 2 Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

• 3 Configure the egressFrom field to set identity Type to any_idestity.

D.

• 1 Update the perimeter

• 2 Configure the ingressFrcm field to set identityType to an-y_identity.

• 3 Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis -com.

Full Access
Question # 48

While migrating your organization’s infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.

What should you do?

A.

Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.

B.

Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.

C.

Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.

D.

Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.

Full Access
Question # 49

Employees at your company use their personal computers to access your organization s Google Cloud console. You need to ensure that users can only access the Google Cloud console from their corporate-issued devices and verify that they have a valid enterprise certificate

What should you do?

A.

Implement an Identity and Access Management (1AM) conditional policy to verify the device certificate

B.

Implement a VPC firewall policy Activate packet inspection and create an allow rule to validate and verify the device certificate.

C.

Implement an organization policy to verify the certificate from the access context.

D.

Implement an Access Policy in BeyondCorp Enterprise to verify the device certificate Create an access binding with the access policy just created.

Full Access
Question # 50

Your organization has on-premises hosts that need to access Google Cloud APIs You must enforce private connectivity between these hosts minimize costs and optimize for operational efficiency

What should you do?

A.

Route all on-premises traffic to Google Cloud through an IPsec VPN tunnel to a VPC with Private Google Access enabled.

B.

Set up VPC peering between the hosts on-premises and the VPC through the internet.

C.

Enforce a security policy that mandates all applications to encrypt data with a Cloud Key Management. Service (KMS) key before you send it over the network.

D.

Route all on-premises traffic to Google Cloud through a dedicated or Partner interconnect to a VPC with Private Google Access enabled.

Full Access
Question # 51

You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk.

What should you do?

A.

Migrate the application into an isolated project using a “Lift & Shift” approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the

application to work properly.

B.

Migrate the application into an isolated project using a “Lift & Shift” approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.

C.

Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

D.

Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project.

Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

Full Access
Question # 52

A batch job running on Compute Engine needs temporary write access to a Cloud Storage bucket. You want the batch job to use the minimum permissions necessary to complete the task. What should you do?

A.

Create a service account with full Cloud Storage administrator permissions. Assign the service account to the Compute Engine instance.

B.

Grant the predefined storage.objectcreator role to the Compute Engine instances default service account.

C.

Create a service account and embed a long-lived service account key file that has write permissions specified directly in the batch job

script.

D.

Create a service account with the storage .objectcreator role. Use service account impersonation in the batch job's code.

Full Access
Question # 53

A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.

What should they do?

A.

Use Cloud Build to build the container images.

B.

Build small containers using small base images.

C.

Delete non-used versions from Container Registry.

D.

Use a Continuous Delivery tool to deploy the application.

Full Access
Question # 54

A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects.

Which two steps should the company take to meet these requirements? (Choose two.)

A.

Create a project with multiple VPC networks for each environment.

B.

Create a folder for each development and production environment.

C.

Create a Google Group for the Engineering team, and assign permissions at the folder level.

D.

Create an Organizational Policy constraint for each folder environment.

E.

Create projects for each environment, and grant IAM rights to each engineering user.

Full Access
Question # 55

You want to make sure that your organization’s Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all Cloud Storage buckets. What should you do?

A.

Remove Owner roles from end users, and configure Cloud Data Loss Prevention.

B.

Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.

C.

Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.

D.

Remove *.setIamPolicy permissions from all roles, and enforce domain restricted sharing in an organization policy.

Full Access
Question # 56

A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location.

How should the company accomplish this?

A.

Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.

B.

Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based

on location.

C.

Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.

D.

Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.

Full Access
Question # 57

Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements:

    The Cloud Storage bucket in Project A can only be readable from Project B.

    The Cloud Storage bucket in Project A cannot be accessed from outside the network.

    Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket.

What should the security team do?

A.

Enable domain restricted sharing in an organization policy, and enable uniform bucket-level access on the Cloud Storage bucket.

B.

Enable VPC Service Controls, create a perimeter around Projects A and B. and include the Cloud Storage API in the Service Perimeter configuration.

C.

Enable Private Access in both Project A and B's networks with strict firewall rules that allow communication between the networks.

D.

Enable VPC Peering between Project A and B's networks with strict firewall rules that allow communication between the networks.

Full Access
Question # 58

You have numerous private virtual machines on Google Cloud. You occasionally need to manage the servers through Secure Socket Shell (SSH) from a remote location. You want to configure remote access to the servers in a manner that optimizes security and cost efficiency.

What should you do?

A.

Create a site-to-site VPN from your corporate network to Google Cloud.

B.

Configure server instances with public IP addresses Create a firewall rule to only allow traffic from your corporate IPs.

C.

Create a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range Grant the role of an IAP- secured Tunnel User to the administrators.

D.

Create a jump host instance with public IP Manage the instances by connecting through the jump host.

Full Access
Question # 59

Your customer has an on-premises Public Key Infrastructure (PKI) with a certificate authority (CA). You need to issue certificates for many HTTP load balancer frontends. The on-premises PKI should be minimally affected due to many manual processes, and the solution needs to scale.

What should you do?

A.

Use Certificate Manager to issue Google managed public certificates and configure it at HTTP the load balancers in your infrastructure as code (laC).

B.

Use Certificate Manager to import certificates issued from on-premises PKI and for the frontends. Leverage the gcloud tool for importing

C.

Use a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.

D.

Use the web applications with PKCS12 certificates issued from subordinate CA based on OpenSSL on-premises Use the gcloud tool for importing. Use the External TCP/UDP Network load balancer instead of an external HTTP Load Balancer.

Full Access
Question # 60

You are a security engineer at a finance company. Your organization plans to store data on Google Cloud, but your leadership team is worried about the security of their highly sensitive data Specifically, your

company is concerned about internal Google employees' ability to access your company's data on Google Cloud. What solution should you propose?

A.

Use customer-managed encryption keys.

B.

Use Google's Identity and Access Management (IAM) service to manage access controls on Google Cloud.

C.

Enable Admin activity logs to monitor access to resources.

D.

Enable Access Transparency logs with Access Approval requests for Google employees.

Full Access
Question # 61

Your organization wants to be compliant with the General Data Protection Regulation (GDPR) on Google Cloud You must implement data residency and operational sovereignty in the EU.

What should you do?

Choose 2 answers

A.

Limit the physical location of a new resource with the Organization Policy Service resource locations

constraint."

B.

Use Cloud IDS to get east-west and north-south traffic visibility in the EU to monitor intra-VPC and mter-VPC communication.

C.

Limit Google personnel access based on predefined attributes such as their citizenship or geographic location by using Key Access Justifications

D.

Use identity federation to limit access to Google Cloud resources from non-EU entities.

E.

Use VPC Flow Logs to monitor intra-VPC and inter-VPC traffic in the EU.

Full Access
Question # 62

An organization receives an increasing number of phishing emails.

Which method should be used to protect employee credentials in this situation?

A.

Multifactor Authentication

B.

A strict password policy

C.

Captcha on login pages

D.

Encrypted emails

Full Access
Question # 63

You control network traffic for a folder in your Google Cloud environment. Your folder includes multiple projects and Virtual Private Cloud (VPC) networks You want to enforce on the folder level that egress connections are limited only to IP range 10.58.5.0/24 and only from the VPC network dev-vpc." You want to minimize implementation and maintenance effort

What should you do?

A.

• 1. Attach external IP addresses to the VMs in scope.

• 2. Configure a VPC Firewall rule in "dev-vpc" that allows egress connectivity to IP range 10.58.5.0/24 for all source addresses in this network.

B.

• 1. Attach external IP addresses to the VMs in scope.

• 2. Define and apply a hierarchical firewall policy on folder level to deny all egress connections and to allow egress to IP range 10 58.5.0/24 from network dev-vpc.

C.

• 1. Leave the network configuration of the VMs in scope unchanged.

• 2. Create a new project including a new VPC network "new-vpc."

• 3 Deploy a network appliance in "new-vpc" to filter access requests and only allow egress connections from -dev-vpc" to 10.58.5.0/24.

D.

• 1 Leave the network configuration of the VMs in scope unchanged

• 2 Enable Cloud NAT for dev-vpc" and restrict the target range in Cloud NAT to 10.58.5 0/24.

Full Access
Question # 64

Your organization is rolling out a new continuous integration and delivery (CI/CD) process to deploy infrastructure and applications in Google Cloud Many teams will use their own instances of the CI/CD workflow It will run on Google Kubernetes Engine (GKE) The CI/CD pipelines must be designed to securely access Google Cloud APIs

What should you do?

A.

• 1 Create a dedicated service account for the CI/CD pipelines

• 2 Run the deployment pipelines in a dedicated nodes pool in the GKE cluster

• 3 Use the service account that you created as identity for the nodes in the pool to authenticate to the Google Cloud APIs

B.

• 1 Create service accounts for each deployment pipeline

• 2 Generate private keys for the service accounts

• 3 Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deploy pipeline

C.

* 1 Create individual service accounts (or each deployment pipeline

• 2 Add an identifier for the pipeline in the service account naming convention

• 3 Ensure each pipeline runs on dedicated pods

• 4 Use workload identity to map a deployment pipeline pod with a service account

D.

• 1 Create two service accounts one for the infrastructure and one for the application deployment

• 2 Use workload identities to let the pods run the two pipelines and authenticate with the service accounts

• 3 Run the infrastructure and application pipelines in separate namespaces

Full Access
Question # 65

Your privacy team uses crypto-shredding (deleting encryption keys) as a strategy to delete personally identifiable information (PII). You need to implement this practice on Google Cloud while still utilizing the majority of the platform’s services and minimizing operational overhead. What should you do?

A.

Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises

B.

Use Cloud External Key Manager to delete specific encryption keys.

C.

Use customer-managed encryption keys to delete specific encryption keys.

D.

Use Google default encryption to delete specific encryption keys.

Full Access
Question # 66

Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company’s servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:

    The network connection must be encrypted.

    The communication between servers must be over private IP addresses.

What should you do?

A.

Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

B.

Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

C.

Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.

D.

Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.

Full Access
Question # 67

You will create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.

What should you do?

A.

Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.

B.

Create a custom role with the permission compute.instances.list and grant the Service Account this role.

C.

Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.

D.

Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.

Full Access
Question # 68

Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.

How should your team meet these requirements?

A.

Enable Private Access on the VPC network in the production project.

B.

Remove the Editor role and grant the Compute Admin IAM role to the engineers.

C.

Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.

D.

Set up a VPC network with two subnets: one with public IPs and one without public IPs.

Full Access
Question # 69

A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet.

How should this be accomplished?

A.

Create a firewall rule to block internet traffic from the VM.

B.

Provision a NAT Gateway to access the Cloud Storage API endpoint.

C.

Enable Private Google Access on the VPC.

D.

Mount a Cloud Storage bucket as a local filesystem on every VM.

Full Access