
Latest Professional-Cloud-Security-Engineer Actual Free Exam Updated 212 Questions
NEW QUESTION # 20
Your organization uses Google Workspace Enterprise Edition for authentication. You are concerned about employees leaving their laptops unattended for extended periods of time after authenticating into Google Cloud. You must prevent malicious people from using an employee's unattended laptop to modify their environment.
What should you do?
- A. Require strong passwords and 2SV through a security token or Google Authenticator.
- B. Set the session length timeout for Google Cloud services to a shorter duration.
- C. Review and disable unnecessary Google Cloud APIs.
- D. Create a policy that requires employees to not leave their sessions open for long durations.
Answer: B
NEW QUESTION # 21
You need to create a VPC that enables your security team to control network resources such as firewall rules.
How should you configure the network to allow for separation of duties for network resources?
- A. Set up multiple VPC networks, and set up multi-NIC virtual appliances to connect the networks.
- B. Set up a VPC in a project. Assign the Compute Network Admin role to the security team, and assign the Compute Admin role to the developers.
- C. Set up a Shared VPC where the security team manages the firewall rules, and share the network with developers via service projects.
- D. Set up VPC Network Peering, and allow developers to peer their network with a Shared VPC.
Answer: C
NEW QUESTION # 22
An office manager at your small startup company is responsible for matching payments to invoices and creating billing alerts. For compliance reasons, the office manager is only permitted to have the Identity and Access Management (IAM) permissions necessary for these tasks. Which two IAM roles should the office manager have? (Choose two.)
- A. Billing Account User
- B. Project Creator
- C. Billing Account Viewer
- D. Billing Account Costs Manager
- E. Organization Administrator
Answer: C,D
Explanation:
https://cloud.google.com/billing/docs/how-to/billing-access#overview-of-cloud-billing-roles-in-cloud-iam
Billing Account Costs Manager (roles/billing.costsManager)
- Manage budgets and view and export cost information of billing accounts (but not pricing information)
Billing Account Viewer (roles/billing.viewer)
- View billing account cost information and transactions.
NEW QUESTION # 23
A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery. What should you do?
- A. Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.
- B. Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.
- C. Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.
- D. Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.
Answer: B
Explanation:
https://cloud.google.com/bigquery/docs/scan-with-dlp
The Cloud Data Loss Prevention API can detect and redact or remove sensitive data such as credit card numbers (the CREDIT_CARD_NUMBER infoType) before it is written to BigQuery, so the numbers never land in the table. Cloud DLP can also inspect data that is already stored in BigQuery, Cloud Storage or Datastore and report matching infoTypes (the linked page), but inspection after the fact only tells you the data is there; redacting at ingestion is what keeps it out.
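The redaction step that option B places in front of BigQuery, as an added example that is not part of the original page and not Google's DLP code: a local stand-in for the CREDIT_CARD_NUMBER infoType that can be run offline. It finds 13 to 19 digit sequences, keeps only those that pass the Luhn checksum, and masks everything but the last four digits. The transaction records are constructed for the example; the function names are this example's own. The Luhn check is also why a plain regex in a BigQuery view (option A) is the weaker approach: it would flag order numbers and timestamps as card numbers.

```python
"""Redact Luhn-valid card numbers (PANs) from transaction records before they
are loaded into an analytics store.

Added example, not from the original page: a local stand-in for what a Cloud DLP
de-identify request with the CREDIT_CARD_NUMBER infoType does, written so the
logic can be exercised offline. All sample records below are constructed.
"""
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str, keep_last: int = 4) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in `text` with a masked form that keeps the
    last `keep_last` digits (enough for reconciliation, useless to a fraudster).

    Returns (redacted_text, number_of_pans_redacted). Digit runs that match the
    shape of a PAN but fail the checksum are left untouched.
    """
    findings = 0

    def _sub(m: re.Match) -> str:
        nonlocal findings
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)        # order id / timestamp, not a card number
        findings += 1
        return "*" * (len(digits) - keep_last) + digits[-keep_last:]

    return _CANDIDATE.sub(_sub, text), findings


def redact_record(record: dict) -> dict:
    """Apply redact_pans to every string field of one transaction row, so the
    row can be handed to the BigQuery loader with no PAN in any column."""
    return {k: (redact_pans(v)[0] if isinstance(v, str) else v)
            for k, v in record.items()}


# Constructed sample rows: 4111... and 3782... are the classic Visa/Amex test
# numbers and pass Luhn; the 16-digit order id does not.
SAMPLE_ROWS = [
    {"order_id": "1234567890123456", "note": "card 4111 1111 1111 1111 amount 42.00"},
    {"order_id": "20230911-0007", "note": "amex 378282246310005 declined"},
    {"order_id": "20230911-0008", "note": "refund ref 4111-1111-1111-1112"},  # bad checksum
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(redact_record(row))
```

Only the two valid PANs are masked; the 16-digit order id and the mistyped card number with a bad checksum pass through unchanged, which is the behaviour you want before data reaches an analytics table.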
NEW QUESTION # 24
A large e-retailer is moving to Google Cloud Platform with its ecommerce website. The company wants to ensure payment information is encrypted between the customer's browser and GCP when customers check out online.
What should they do?
- A. Configure an SSL Certificate on a Network TCP Load Balancer and require encryption.
- B. Configure the firewall to allow outbound traffic on port 443, and block all other outbound traffic.
- C. Configure the firewall to allow inbound traffic on port 443, and block all other inbound traffic.
- D. Configure an SSL Certificate on an L7 Load Balancer and require encryption.
Answer: D
Explanation:
https://cloud.google.com/load-balancing/docs/load-balancing-overview#external_versus_internal_load_balancing
NEW QUESTION # 25
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on "in-scope" Nodes only. These Nodes can only contain the "in-scope" Pods.
How should the organization achieve this objective?
- A. Run all in-scope Pods in the namespace "in-scope-pci".
- B. Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.
- C. Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.
- D. Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.
Answer: C
Explanation:
nodeSelector is the simplest recommended form of node selection constraint. You can add the nodeSelector field to your Pod specification and specify the node labels you want the target node to have. Kubernetes only schedules the Pod onto nodes that have each of the labels you specify. => https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
Tolerations are applied to pods. Tolerations allow the scheduler to schedule pods with matching taints. Tolerations allow scheduling but don't guarantee scheduling: the scheduler also evaluates other parameters as part of its function. => https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
Note that the two mechanisms cover different halves of the requirement: a nodeSelector pins the in-scope Pods to the labeled Nodes, while a NoSchedule taint on those Nodes (with a matching toleration on the in-scope Pods) is what keeps every other Pod off them. In practice the in-scope node pool is both labeled and tainted, and the in-scope Pods carry both the nodeSelector and the toleration.
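The difference between the two scheduling constraints, as an added example that is not part of the original page and not Kubernetes code: a minimal model of the two filters kube-scheduler applies first (nodeSelector label matching and NoSchedule taint/toleration matching), run over a constructed two-node cluster. Resource fit, affinity and the other scheduler plugins are deliberately out of scope. The Node and Pod definitions and the function names are this example's own.

```python
"""Model of nodeSelector and NoSchedule taint/toleration filtering, to show
which Pods may land on a PCI node pool under each option.

Added example, not from the original page or from Kubernetes itself. The cluster
below is constructed: one candidate PCI node and one regular node.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    labels: dict = field(default_factory=dict)
    # taints as (key, value, effect) tuples, e.g. ("inscope", "true", "NoSchedule")
    taints: list = field(default_factory=list)


@dataclass
class Pod:
    name: str
    node_selector: dict = field(default_factory=dict)
    # tolerations as dicts mirroring PodSpec.tolerations: key, operator, value, effect
    tolerations: list = field(default_factory=list)


def _tolerates(pod: Pod, taint: tuple) -> bool:
    """True if any toleration on the pod matches the taint (Equal or Exists)."""
    key, value, effect = taint
    for t in pod.tolerations:
        if t.get("effect") not in (None, "", effect):
            continue                      # toleration is for a different effect
        op = t.get("operator", "Equal")
        if op == "Exists" and t.get("key") in (None, "", key):
            return True
        if op == "Equal" and t.get("key") == key and t.get("value") == value:
            return True
    return False


def can_schedule(pod: Pod, node: Node) -> bool:
    """Node must carry every nodeSelector label, and the pod must tolerate
    every NoSchedule taint on the node."""
    for k, v in pod.node_selector.items():
        if node.labels.get(k) != v:
            return False
    for taint in node.taints:
        if taint[2] == "NoSchedule" and not _tolerates(pod, taint):
            return False
    return True


def placement(pods, nodes) -> dict:
    """Map each pod name to the names of the nodes it is allowed to land on."""
    return {p.name: [n.name for n in nodes if can_schedule(p, n)] for p in pods}


# Constructed cluster.
LABELLED_NODE = Node("pci-node-1", labels={"inscope": "true"})              # option C world
TAINTED_NODE = Node("pci-node-1", labels={"inscope": "true"},
                    taints=[("inscope", "true", "NoSchedule")])             # labelled + tainted
REGULAR_NODE = Node("node-2")

PCI_TOLERATION = {"key": "inscope", "operator": "Equal", "value": "true",
                  "effect": "NoSchedule"}
PCI_SELECTOR_ONLY = Pod("pci-app", node_selector={"inscope": "true"})       # option C
PCI_TOLERATION_ONLY = Pod("pci-batch", tolerations=[PCI_TOLERATION])        # option D
PCI_BOTH = Pod("pci-web", node_selector={"inscope": "true"},
               tolerations=[PCI_TOLERATION])                                # C + D
OTHER = Pod("marketing-site")                                               # out of scope


def scenarios() -> dict:
    """Placement under each option; the out-of-scope pod is included each time
    to show whether the PCI node stays reserved for in-scope workloads."""
    return {
        "selector_only": placement([PCI_SELECTOR_ONLY, OTHER], [LABELLED_NODE, REGULAR_NODE]),
        "toleration_only": placement([PCI_TOLERATION_ONLY, OTHER], [TAINTED_NODE, REGULAR_NODE]),
        "both": placement([PCI_BOTH, OTHER], [TAINTED_NODE, REGULAR_NODE]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16} {result}")
```

With the nodeSelector alone the in-scope Pod is confined to pci-node-1, but marketing-site may land there too; with the toleration alone the out-of-scope Pod is kept off, but the in-scope Pod may drift to node-2. Only the combination satisfies both sentences of the requirement.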
NEW QUESTION # 26
Your company has deployed an application on Compute Engine. The application is accessible by clients on port 587. You need to balance the load between the different instances running the application. The connection should be secured using TLS, and terminated by the Load Balancer.
What type of Load Balancing should you use?
- A. SSL Proxy Load Balancing
- B. Network Load Balancing
- C. HTTP(S) Load Balancing
- D. TCP Proxy Load Balancing
Answer: A
Explanation:
https://cloud.google.com/load-balancing/docs/ssl/
NEW QUESTION # 27
You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the input data. This could allow an attacker to execute arbitrary script and display arbitrary content in a victim user's browser in a production environment.
How should you prevent and fix this vulnerability?
- A. Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.
- B. Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.
- C. Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
- D. Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.
Answer: D
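The fix in option D, as an added example that is not part of the original page and not any template engine's code: a page rendered by naive string interpolation beside the same page rendered with escaping chosen per output context (HTML text, HTML attribute, JavaScript string literal). The attacker payloads and the two renderers are constructed for this example; a real application would use an engine that does this automatically (Go's html/template, Jinja2 with autoescape enabled), which is what "contextual auto-escaping" refers to.

```python
"""Reflected XSS through unescaped interpolation, beside a context-aware fix.

Added example, not from the original page. The renderers are a toy stand-in for a
template engine; the payloads are constructed.
"""
import html
import json

# Constructed attacker inputs, one per output context.
PAYLOAD = '<script>alert(document.cookie)</script>'   # HTML text context
ATTR_PAYLOAD = '" onmouseover="alert(1)'              # HTML attribute context
JS_PAYLOAD = '</script><script>alert(1)</script>'     # JavaScript string context


def render_unsafe(name: str, theme: str) -> str:
    """User data dropped straight into three contexts: this is the bug."""
    return (f'<p>Hello {name}</p>'
            f'<div class="{theme}"></div>'
            f'<script>var theme = "{theme}";</script>')


def esc_html(value: str) -> str:
    """HTML text and quoted-attribute context: escape & < > and both quotes."""
    return html.escape(value, quote=True)


def esc_js_string(value: str) -> str:
    """JavaScript string-literal context: JSON-encode (handles quotes and
    backslashes), then break the sequences an HTML parser would act on before
    the JS engine ever sees them: a closing </script> and a comment opener."""
    encoded = json.dumps(value)            # adds the surrounding double quotes
    return encoded.replace("</", "<\\/").replace("<!--", "<\\!--")


def render_safe(name: str, theme: str) -> str:
    """Same page, each interpolation escaped for the context it lands in."""
    return (f'<p>Hello {esc_html(name)}</p>'
            f'<div class="{esc_html(theme)}"></div>'
            f'<script>var theme = {esc_js_string(theme)};</script>')


def script_blocks(page: str) -> int:
    """Number of </script> tags an HTML parser will see; the template itself
    contributes exactly one, so anything above that is attacker-controlled."""
    return page.count("</script>")


if __name__ == "__main__":
    for label, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(f"--- {label}")
        print(fn(PAYLOAD, ATTR_PAYLOAD))
        print(fn("alice", JS_PAYLOAD), script_blocks(fn("alice", JS_PAYLOAD)))
```

The point of the three contexts is that a single escaper is not enough: html.escape on the JS payload would leave the page syntactically broken, and JSON encoding alone leaves `</script>` intact, which the browser's HTML parser honours before any JavaScript runs. Web Security Scanner in staging exercises exactly these injection points; the templating change is what closes them.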
NEW QUESTION # 28
Which Google Cloud service should you use to enforce access control policies for applications and resources?
- A. Google Cloud Armor
- B. Cloud NAT
- C. Identity-Aware Proxy
- D. Shielded VMs
Answer: C
Explanation:
https://cloud.google.com/iap/docs/concepts-overview "Use IAP when you want to enforce access control policies for applications and resources."
NEW QUESTION # 29
Your company is using GSuite and has developed an application meant for internal usage on Google App Engine. You need to make sure that an external user cannot gain access to the application even when an employee's password has been compromised.
What should you do?
- A. Configure Cloud Identity-Aware Proxy for the App Engine Application.
- B. Enforce 2-factor authentication in GSuite for all users.
- C. Provision user passwords using GSuite Password Sync.
- D. Configure Cloud VPN between your private network and GCP.
Answer: B
NEW QUESTION # 30
You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google-recommended practices.
What should you do?
- A. Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.
- B. Create a new Service account, and give all application users the role of Service Account User.
- C. Use a dedicated G Suite Admin account, and authenticate the application's operations with these G Suite credentials.
- D. Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.
Answer: A
Explanation:
https://developers.google.com/admin-sdk/directory/v1/guides/delegation
NEW QUESTION # 31
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its current data backup and disaster recovery solutions to GCP for later analysis. The organization's production environment will remain on-premises for an indefinite time. The organization wants a scalable and cost-efficient solution.
Which GCP solution should the organization use?
- A. BigQuery using a data pipeline job with continuous updates
- B. Compute Engine Virtual Machines using Persistent Disk
- C. Cloud Datastore using regularly scheduled batch upload jobs
- D. Cloud Storage using a scheduled task and gsutil
Answer: D
Explanation:
https://cloud.google.com/solutions/dr-scenarios-planning-guide#use-cloud-storage-as-part-of-your-daily-backup-routine
NEW QUESTION # 32
You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?
- A. Use Packet Mirroring to mirror traffic to and from particular VM instances. Perform inspection using security software that analyzes the mirrored traffic.
- B. Enable VPC Flow Logs for all subnets in the VPC. Perform inspection on the Flow Logs data using Cloud Logging.
- C. Configure the Fluentd agent on each VM Instance within the VPC. Perform inspection on the log data using Cloud Logging.
- D. Configure Google Cloud Armor access logs to perform inspection on the log data.
Answer: A
Explanation:
https://cloud.google.com/vpc/docs/packet-mirroring
Packet Mirroring clones the traffic of specified instances in your Virtual Private Cloud (VPC) network and forwards it for examination. Packet Mirroring captures all traffic and packet data, including payloads and headers.
NEW QUESTION # 33
You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project. How should you make an exception for your partner's domain while following the stated best practices?
- A. Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.
- B. Turn off the domain restriction sharing organization policy. Set the policy value to "Allow All."
- C. Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.
- D. Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.
Answer: C
Explanation:
https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#setting_the_organizati The domain restriction constraint is a type of list constraint. Google Workspace customer IDs can be added and removed from the allowed_values list of a domain restriction constraint. The domain restriction constraint does not support denying values, and an organization policy can't be saved with IDs in the denied_values list.
All domains associated with a Google Workspace account listed in the allowed_values will be allowed by the organization policy. All other domains will be denied by the organization policy.
NEW QUESTION # 34
A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?
- A. Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.
- B. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move the file into a Cloud Storage bucket only accessible by the administrator.
- C. On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.
- D. On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.
Answer: B
Explanation:
https://codelabs.developers.google.com/codelabs/cloud-storage-dlp-functions#0 https://www.youtube.com/watch?v=0TmO1f-Ox40
NEW QUESTION # 35
You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.
What should you do?
- A. Use only applications certified compliant with PA-DSS.
- B. Use multi-factor authentication for admin access to the web application.
- C. Use VPN for all connections between your office and cloud environments.
- D. Move the cardholder data environment into a separate GCP project.
Answer: D
Explanation:
https://cloud.google.com/solutions/best-practices-vpc-design
"Setting up your payment-processing environment" section in
https://cloud.google.com/solutions/pci-dss-compliance-in-gcp.
NEW QUESTION # 36
A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means.
Which connectivity option should be implemented?
- A. Shared VPC
- B. Cloud VPN
- C. VPC peering
- D. Cloud Interconnect
Answer: C
Explanation:
VPC Network Peering connects two VPC networks, including networks in different projects or organizations, so that traffic between them uses internal IP addresses and never traverses the public internet. Peering is not transitive (each pair of networks must be peered explicitly), and the peered networks remain administratively separate: each side keeps its own firewall rules, routes and IAM.
NEW QUESTION # 37
You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your VPCs based on network logs. However, you want to explore your environment using network payloads and headers. Which Google Cloud product should you use?
- A. Google Cloud Armor
- B. VPC Service Controls logs
- C. Packet Mirroring
- D. Cloud IDS
- E. VPC Flow Logs
Answer: C
NEW QUESTION # 38
Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?
- A. ISO 27017
- B. ISO 27002
- C. ISO 27018
- D. ISO 27001
Answer: A
Explanation:
https://cloud.google.com/security/compliance/iso-27017
NEW QUESTION # 39
You are exporting application logs to Cloud Storage. You encounter an error message that the log sinks don't support uniform bucket-level access policies. How should you resolve this error?
- A. Update your sink with the correct bucket destination.
- B. Change the access control model for the bucket
- C. Add the roles/logging.logWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.
- D. Add the roles/logging.bucketWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.
Answer: B
Explanation:
https://cloud.google.com/logging/docs/export/troubleshoot#errors_exporting_to_cloud_storage
https://cloud.google.com/logging/docs/export/troubleshoot
Unable to grant correct permissions to the destination: Even if the sink was successfully created with the correct service account permissions, this error message displays if the access control model for the Cloud Storage bucket was set to uniform access when the bucket was created. For existing Cloud Storage buckets, you can change the access control model for the first 90 days after bucket creation by using the Permissions tab. For new buckets, select the Fine-grained access control model during bucket creation. For details, see Creating Cloud Storage buckets.
NEW QUESTION # 40
Your organization's Google Cloud VMs are deployed via an instance template that configures them with a public IP address in order to host web services for external users. The VMs reside in a service project that is attached to a host (VPC) project containing one custom Shared VPC for the VMs. You have been asked to reduce the exposure of the VMs to the internet while continuing to service external users. You have already recreated the instance template without a public IP address configuration to launch the managed instance group (MIG). What should you do?
- A. Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend.
- B. Deploy a Cloud NAT Gateway in the service project for the MIG.
- C. Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.
- D. Deploy a Cloud NAT Gateway in the host (VPC) project for the MIG.
Answer: A
Explanation:
https://cloud.google.com/load-balancing/docs/https#shared-vpc
While you can create all the load balancing components and backends in the Shared VPC host project, this model does not separate network administration and service development responsibilities.
NEW QUESTION # 41
You are designing a new governance model for your organization's secrets that are stored in Secret Manager. Currently, secrets for Production and Non-Production applications are stored and accessed using service accounts. Your proposed solution must:
Provide granular access to secrets
Give you control over the rotation schedules for the encryption keys that wrap your secrets
Maintain environment separation
Provide ease of management
Which approach should you take?
- A. 1. Use a single Google Cloud project to store both Production and Non-Production secrets.
2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.
3. Use Google-managed encryption keys to encrypt secrets.
- B. 1. Use a single Google Cloud project to store both Production and Non-Production secrets.
2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings.
3. Use customer-managed encryption keys to encrypt secrets.
- C. 1. Use separate Google Cloud projects to store Production and Non-Production secrets.
2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.
3. Use Google-managed encryption keys to encrypt secrets.
- D. 1. Use separate Google Cloud projects to store Production and Non-Production secrets.
2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings.
3. Use customer-managed encryption keys to encrypt secrets.
Answer: D
Explanation:
Maintain environment separation: 1. Use separate Google Cloud projects to store Production and Non-Production secrets.
Provide granular access and ease of management: 2. Enforce access control to secrets using project-level IAM bindings. With each environment in its own project, a project-level binding already scopes access to that environment's secrets and is far easier to operate than per-secret bindings, which are finer-grained but multiply with every secret.
Give you control over the rotation schedules for the encryption keys that wrap your secrets: 3. Use customer-managed encryption keys (Cloud KMS) to encrypt secrets; Google-managed keys give you no control over their rotation.
NEW QUESTION # 42