
2023 Valid Professional-Cloud-Security-Engineer test answers & Google Exam PDF [Q101-Q117]


2023 Valid Professional-Cloud-Security-Engineer test answers & Google Exam PDF

Free Google Professional-Cloud-Security-Engineer Exam Questions and Answer from Training Expert DumpsFree


Exam Details

The Google Professional Cloud Security Engineer exam is 2 hours long. It costs $200 plus applicable taxes. At the moment, the test is available only in English, and its questions come in multiple-choice and multiple-select formats. When scheduling the exam, you can either choose the online proctored option and take it from a remote location, or select the onsite proctored option if you have a testing center nearby. Pricing is the same regardless of the option chosen.

While Google does not set any mandatory prerequisites for this test, it strongly recommends that candidates have at least 3 years of industry experience, including a minimum of one year designing or managing solutions on GCP. Applicants should also have a good understanding of all the topics in the syllabus.

 

NEW QUESTION 101
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements:
The Cloud Storage bucket in Project A can only be readable from Project B.
The Cloud Storage bucket in Project A cannot be accessed from outside the network.
Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket.
What should the security team do?

  • A. Enable VPC Service Controls, create a perimeter around Projects A and B, and include the Cloud Storage API in the Service Perimeter configuration.
  • B. Enable VPC Peering between Project A and B's networks with strict firewall rules that allow communication between the networks.
  • C. Enable domain restricted sharing in an organization policy, and enable uniform bucket-level access on the Cloud Storage bucket.
  • D. Enable Private Access in both Project A and B's networks with strict firewall rules that allow communication between the networks.

Answer: B

 

NEW QUESTION 102
A company's application is deployed with a user-managed Service Account key. You want to use Google-recommended practices to rotate the key.
What should you do?

  • A. Create a new key, and use the new key in the application. Delete the old key from the Service Account.
  • B. Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam-account=IAM_ACCOUNT.
  • C. Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam-account=IAM_ACCOUNT --key=NEW_KEY.
  • D. Create a new key, and use the new key in the application. Store the old key on the system as a backup key.

Answer: A

Explanation:
You can rotate a key by creating a new key, updating applications to use the new key, and deleting the old key.
Use the serviceAccount.keys.create() method and the serviceAccount.keys.delete() method together to automate the rotation.

 

NEW QUESTION 103
You want to protect the default VPC network from all inbound and outbound internet traffic. What action should you take?

  • A. Create a Deny All outbound internet firewall rule.
  • B. Create a Deny All inbound internet firewall rule.
  • C. Create instances without external IP addresses only.
  • D. Create a new subnet in the VPC network with private Google access enabled.

Answer: A

Explanation:
A is not correct because a Deny All inbound firewall rule is already part of the default configuration and does not need to be added.
B is correct because all inbound traffic is already blocked, but all egress traffic is allowed by default. To prevent any outbound traffic, an extra rule needs to be added.
C is not correct because Private Google Access allows calls to Google-managed APIs from private IP addresses, but it neither prevents you from assigning external IPs nor blocks any other outgoing traffic from your instances.
D is not correct because outbound traffic can still originate from instances with only private IPs if Cloud NAT is used.
https://cloud.google.com/nat/docs/overview
https://cloud.google.com/vpc/docs/private-access-options
https://cloud.google.com/vpc/docs/using-firewalls

 

NEW QUESTION 104
While migrating your organization's infrastructure to GCP, a large number of users will need to access the GCP Console. The Identity Management team already has a well-established way to manage your users and wants to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?

  • A. Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
  • B. Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
  • C. Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
  • D. Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.

Answer: C

Explanation:
https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform

 

NEW QUESTION 105
A company is deploying its application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data across at least two geographic locations.
Which Storage solution are they allowed to use?

  • A. Compute Engine Persistent Disk
  • B. Compute Engine SSD Disk
  • C. Cloud Bigtable
  • D. Cloud BigQuery

Answer: D

 

NEW QUESTION 106
While migrating your organization's infrastructure to GCP, a large number of users will need to access the GCP Console. The Identity Management team already has a well-established way to manage your users and wants to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?

  • A. Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
  • B. Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
  • C. Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
  • D. Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.

Answer: C

Explanation:
https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform

 

NEW QUESTION 107
You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?

  • A. Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.
  • B. Add the host project containing the Shared VPC to the service perimeter.
  • C. Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.
  • D. Add the service project where the Compute Engine instances reside to the service perimeter.

Answer: B

Explanation:
https://cloud.google.com/vpc-service-controls/docs/service-perimeters#secure-google-managed-resources
If you're using Shared VPC, you must include the host project in a service perimeter along with any projects that belong to the Shared VPC.

 

NEW QUESTION 108
You need to audit the network segmentation for your Google Cloud footprint. You currently operate Production and Non-Production infrastructure-as-a-service (IaaS) environments. All your VM instances are deployed without any service account customization.
After observing the traffic in your custom network, you notice that all instances can communicate freely - despite tag-based VPC firewall rules with a priority of 1000 that are in place to segment traffic properly. What are the most likely reasons for this behavior?

  • A. All VM instances are missing the respective network tags.
  • B. A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 1001.
  • C. A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999.
  • D. All VM instances are configured with the same network route.
  • E. All VM instances are residing in the same network subnet.

Answer: A,C

 

NEW QUESTION 109
You want to make sure that your organization's Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all Cloud Storage buckets. What should you do?

  • A. Remove *.setIamPolicy permissions from all roles, and enforce domain restricted sharing in an organization policy.
  • B. Remove Owner roles from end users, and configure Cloud Data Loss Prevention.
  • C. Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.
  • D. Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.

Answer: D

Explanation:
- Uniform bucket-level access: https://cloud.google.com/storage/docs/uniform-bucket-level-access#should-you-use
- Domain restricted sharing: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#public_data_sharing

 

NEW QUESTION 110
You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.
What should you do?

  • A. Use only applications certified compliant with PA-DSS.
  • B. Move the cardholder data environment into a separate GCP project.
  • C. Use VPN for all connections between your office and cloud environments.
  • D. Use multi-factor authentication for admin access to the web application.

Answer: C

Explanation:
https://cloud.google.com/solutions/pci-dss-compliance-in-gcp

 

NEW QUESTION 111
An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request.
Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses. Which solution should your team implement to meet these requirements?

  • A. SSL Proxy Load Balancing
  • B. Network Load Balancing
  • C. Cloud Armor
  • D. NAT Gateway

Answer: C

Explanation:
https://cloud.google.com/armor/docs/security-policy-overview#edge-security

 

NEW QUESTION 112
What are the steps to encrypt data using envelope encryption?

  • A. Generate a data encryption key (DEK) locally. Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK. Store the encrypted data and the wrapped KEK.
  • B. Generate a key encryption key (KEK) locally. Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK. Store the encrypted data and the wrapped DEK.
  • C. Generate a data encryption key (DEK) locally. Encrypt data with the DEK. Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.
  • D. Generate a key encryption key (KEK) locally. Generate a data encryption key (DEK) locally. Encrypt data with the KEK.

Answer: C

Explanation:
https://cloud.google.com/kms/docs/envelope-encryption

 

NEW QUESTION 113
You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project.
What should you do?

  • A. In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.
  • B. Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.
  • C. Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.
  • D. In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.

Answer: C

 

NEW QUESTION 114
A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE).
How should the DevOps team accomplish this?

  • A. Configure containers to automatically upgrade when the base image is available in Container Registry.
  • B. Update the application code or apply a patch, build a new image, and redeploy it.
  • C. Use Puppet or Chef to push out the patch to the running container.
  • D. Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.

Answer: D

Explanation:
https://cloud.google.com/kubernetes-engine/docs/security-bulletins

 

NEW QUESTION 115
An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for its Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.
Which Cloud Identity password guidelines can the organization use to inform their new requirements?

  • A. Set the minimum length for passwords to be 12 characters.
  • B. Set the minimum length for passwords to be 8 characters.
  • C. Set the minimum length for passwords to be 6 characters.
  • D. Set the minimum length for passwords to be 10 characters.

Answer: B

Explanation:
The default minimum password length is 8 characters.
https://support.google.com/cloudidentity/answer/33319?hl=en

 

NEW QUESTION 116
You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.
What should you do?

  • A. Set up an ACL with OWNER permission to a scope of allUsers.
  • B. Set up a default bucket ACL and manage access for users using IAM.
  • C. Set up an ACL with READER permission to a scope of allUsers.
  • D. Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.

Answer: A

Explanation:
https://cloud.google.com/storage/docs/access-control/lists

 

NEW QUESTION 117
......


Skills Measured

A Google-certified cloud security specialist should have a high-level mastery of all the essential components of cloud security, covering identity and access management, organizational policies and structures, the concepts of incident response, knowledge of regulatory concerns, and data protection with Google technologies. In summary, the Google Professional Cloud Security Engineer exam validates one's understanding of the following themes, which form the current exam syllabus:

  • Ensuring the protection of data as well as compliance
  • The management of operations and configuration of access in a cloud solution infrastructure
  • Setting up network security

 

