
2023 Valid Professional-Cloud-Security-Engineer Real Exam Questions (Updated) 100% Dumps & Practice Exam
[UPDATED 2023] Google Professional-Cloud-Security-Engineer Questions Prepare with Free Demo of PDF
The Google Professional-Cloud-Security-Engineer certification is an excellent way for IT professionals to demonstrate their skills and expertise in cloud security. It is also a valuable credential for organizations that use GCP, as it ensures that their security professionals have the knowledge and skills needed to secure cloud-based infrastructure effectively.
The Google Professional-Cloud-Security-Engineer certification exam covers a wide range of topics related to cloud security, including data protection, network security, identity and access management, compliance, and incident management. Candidates must have a strong understanding of the security features and capabilities of GCP and be able to implement security controls to protect against cyber threats and attacks. The exam consists of multiple-choice and scenario-based questions, and candidates are given two hours to complete it.
The Google Professional-Cloud-Security-Engineer certification is an exam for professionals who are seeking to demonstrate their expertise in securing applications, data, and infrastructure on the Google Cloud Platform. This certification is designed to test the skills and knowledge required to design and implement secure cloud solutions on the Google Cloud platform. The exam covers a wide range of topics such as security management, compliance, data protection, network security, and incident management.
NEW QUESTION # 64
A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet.
How should this be accomplished?
- A. Mount a Cloud Storage bucket as a local filesystem on every VM.
- B. Provision a NAT Gateway to access the Cloud Storage API endpoint.
- C. Create a firewall rule to block internet traffic from the VM.
- D. Enable Private Google Access on the VPC.
Answer: D
Explanation:
Explanation
https://cloud.google.com/vpc/docs/private-google-access
NEW QUESTION # 65
A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE) How should the DevOps team accomplish this?
- A. Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
- B. Configure containers to automatically upgrade when the base image is available in Container Registry.
- C. Use Puppet or Chef to push out the patch to the running container.
- D. Update the application code or apply a patch, build a new image, and redeploy it.
Answer: A
Explanation:
Explanation/Reference: https://cloud.google.com/kubernetes-engine/docs/security-bulletins
NEW QUESTION # 66
A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places.
Which Storage solution are they allowed to use?
- A. Compute Engine Persistent Disk
- B. Cloud Bigtable
- C. Cloud BigQuery
- D. Compute Engine SSD Disk
Answer: C
Explanation:
https://cloud.google.com/bigquery/docs/locations
NEW QUESTION # 67
When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)
- A. Use many container image layers to hide sensitive information.
- B. Use public container images as a base image for the app.
- C. Ensure that the app does not run as PID 1.
- D. Remove any unnecessary tools not needed by the app.
- E. Package a single app as a container.
Answer: D,E
Explanation:
https://cloud.google.com/solutions/best-practices-for-building-containers
NEW QUESTION # 68
A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects.
Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources.
Which type of access should your team grant to meet this requirement?
- A. Organization Policy Administrator
- B. Security Reviewer
- C. Organization Role Administrator
- D. Organization Administrator
Answer: A
Explanation:
https://cloud.google.com/resource-manager/docs/access-control-org
NEW QUESTION # 69
A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities.
Which service should be used to accomplish this?
- A. Forseti Security
- B. Google Cloud Audit Logs
- C. Cloud Security Scanner
- D. Cloud Armor
Answer: C
NEW QUESTION # 70
Your company is using GSuite and has developed an application meant for internal usage on Google App Engine. You need to make sure that an external user cannot gain access to the application even when an employee's password has been compromised.
What should you do?
- A. Configure Cloud VPN between your private network and GCP.
- B. Configure Cloud Identity-Aware Proxy for the App Engine Application.
- C. Provision user passwords using GSuite Password Sync.
- D. Enforce 2-factor authentication in GSuite for all users.
Answer: D
NEW QUESTION # 71
You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project.
What should you do?
- A. Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.
- B. Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.
- C. In Resource Manager, edit the organization permissions. Add the project ID as member with the role:
Compute Image User. - D. In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.
Answer: A
Explanation:
Explanation/Reference: https://cloud.google.com/compute/docs/images/restricting-image-access
NEW QUESTION # 72
You are creating a new infrastructure CI/CD pipeline to deploy hundreds of ephemeral projects in your Google Cloud organization to enable your users to interact with Google Cloud.
You want to restrict the use of the default networks in your organization while following Google-recommended best practices.
What should you do?
- A. Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
- B. Grant your users the 1AM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts the compute.googleapis.com API.
- C. Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.
- D. Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.
Answer: A
Explanation:
Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints - constraints/compute.skipDefaultNetworkCreation This boolean constraint skips the creation of the default network and related resources during Google Cloud Platform Project resource creation where this constraint is set to True. By default, a default network and supporting resources are automatically created when creating a Project resource.
NEW QUESTION # 73
Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.
What should your team grant to Engineering Group A to meet this requirement?
- A. Compute Network User Role at the subnet level.
- B. Compute Shared VPC Admin Role at the host project level.
- C. Compute Shared VPC Admin Role at the service project level.
- D. Compute Network User Role at the host project level.
Answer: B
Explanation:
Reference:
https://cloud.google.com/vpc/docs/shared-vpc
NEW QUESTION # 74
You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.
What should you do?
- A. Use VPN for all connections between your office and cloud environments.
- B. Use multi-factor authentication for admin access to the web application.
- C. Use only applications certified compliant with PA-DSS.
- D. Move the cardholder data environment into a separate GCP project.
Answer: A
Explanation:
Explanation/Reference: https://cloud.google.com/solutions/pci-dss-compliance-in-gcp
NEW QUESTION # 75
Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?
- A. ISO 27018
- B. ISO 27017
- C. ISO 27002
- D. ISO 27001
Answer: B
Explanation:
Explanation
Create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.
https://cloud.google.com/security/compliance/iso-27017
NEW QUESTION # 76
You have defined subnets in a VPC within Google Cloud Platform. You need multiple projects to create Compute Engine instances with IP addresses from these subnets. What should you do?
- A. Set up VPC peering between all related projects.
- B. Use Shared VPC to share the subnets with the other projects.
- C. Change the VPC subnets to enable private Google access.
- D. Configure Cloud VPN between the projects.
Answer: B
Explanation:
A is not correct as Cloud VPN between projects does not provide you the functionality to share a subnet to host resources on.
B is not correct because peering two VPCs does allow traffic between the two shared networks, but it's only bi-directional. Peered VPC networks remain administratively separate.
C is not correct because private Google access allows you to access APIs from a private IP, but it does not have any impact on creating Compute instances on a specific subnet.
D is correct because s Shared VPC allows you to share a VPC into multiple projects, keep administrative oversight in the host project, while restricting the other projects to only create VMs on IPs in the shared VPC.
https://cloud.google.com/vpc/docs/shared-vpc
https://cloud.google.com/vpc/docs/vpc-peering
NEW QUESTION # 77
Your privacy team uses crypto-shredding (deleting encryption keys) as a strategy to delete personally identifiable information (PII). You need to implement this practice on Google Cloud while still utilizing the majority of the platform's services and minimizing operational overhead. What should you do?
- A. Use Cloud External Key Manager to delete specific encryption keys.
- B. Use Google default encryption to delete specific encryption keys.
- C. Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises
- D. Use customer-managed encryption keys to delete specific encryption keys.
Answer: D
NEW QUESTION # 78
A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).
How should the team complete this task?
- A. Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.
- B. Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
- C. Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
- D. Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
Answer: B
Explanation:
Explanation
https://cloud.google.com/storage/docs/encryption/customer-supplied-keys#gsutil
NEW QUESTION # 79
How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?
- A. Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system.
- B. Send all logs to the SIEM system via an existing protocol such as syslog.
- C. Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow.
- D. Build a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs.
Answer: C
Explanation:
Explanation
Scenarios for exporting Cloud Logging data: Splunk This scenario shows how to export selected logs from Cloud Logging to Pub/Sub for ingestion into Splunk. Splunk is a security information and event management (SIEM) solution that supports several ways of ingesting data, such as receiving streaming data out of Google Cloud through Splunk HTTP Event Collector (HEC) or by fetching data from Google Cloud APIs through Splunk Add-on for Google Cloud. Using the Pub/Sub to Splunk Dataflow template, you can natively forward logs and events from a Pub/Sub topic into Splunk HEC. If Splunk HEC is not available in your Splunk deployment, you can use the Add-on to collect the logs and events from the Pub/Sub topic.
https://cloud.google.com/solutions/exporting-stackdriver-logging-for-splunk
NEW QUESTION # 80
A customer has an analytics workload running on Compute Engine that should have limited internet access.
Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.
The Compute Engine instances now need to reach out to the public repository to get security updates.
What should your team do?
- A. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.
- B. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.
- C. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.
- D. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.
Answer: A
NEW QUESTION # 81
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.
Which cost reduction options should you recommend?
- A. Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
- B. Use FindingLimits and TimespanContfig to sample data and minimize transformation units.
- C. Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.
- D. Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
Answer: A
NEW QUESTION # 82
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior.
What should you do to meet these requirements?
- A. Create a Folder per department under the Organization. For each department's Folder, assign the Project Browser role to the Google Group related to that department.
- B. Create a Project per department under the Organization. For each department's Project, assign the Project Viewer role to the Google Group related to that department.
- C. Create a Project per department under the Organization. For each department's Project, assign the Project Browser role to the Google Group related to that department.
- D. Create a Folder per department under the Organization. For each department's Folder, assign the Project Viewer role to the Google Group related to that department.
Answer: D
Explanation:
Explanation
https://cloud.google.com/iam/docs/understanding-roles#project-roles
NEW QUESTION # 83
You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive dat a. Your solution has the following requirements:
Schedule key rotation for sensitive data.
Control which region the encryption keys for sensitive data are stored in.
Minimize the latency to access encryption keys for both sensitive and non-sensitive data.
What should you do?
- A. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
- B. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
- C. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.
- D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.
Answer: C
NEW QUESTION # 84
A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in BigQuery.
What technique should the institution use?
- A. Use a Cloud Hardware Security Module (Cloud HSM).
- B. Customer-supplied encryption keys (CSEK).
- C. Customer-managed encryption keys (CMEK).
- D. Use Cloud Storage as a federated Data Source.
Answer: C
NEW QUESTION # 85
......
Professional-Cloud-Security-Engineer Deluxe Study Guide with Online Test Engine: https://www.prep4surereview.com/Professional-Cloud-Security-Engineer-latest-braindumps.html
NEW 2023 Certification Sample Questions Professional-Cloud-Security-Engineer Dumps & Practice Exam: https://drive.google.com/open?id=1dF-zbqUSINZ5-kB-YFa18HQbM_-QkH75
