Professional-Cloud-Security-Engineer Practice Exam Questions with Answers Google Cloud Certified - Professional Cloud Security Engineer Certification

Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.

Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.

Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.

Use FindingLimits and TimespanContfig to sample data and minimize transformation units.

Google Cloud Directory Sync (GCDS)

Cloud Identity

Security Assertion Markup Language (SAML)

Pub/Sub

Use the Cloud Key Management Service to manage a data encryption key (DEK).

Use the Cloud Key Management Service to manage a key encryption key (KEK).

Use customer-supplied encryption keys to manage the data encryption key (DEK).

Use customer-supplied encryption keys to manage the key encryption key (KEK).

BigQuery using a data pipeline job with continuous updates

Cloud Storage using a scheduled task and gsutil

Compute Engine Virtual Machines using Persistent Disk

Cloud Datastore using regularly scheduled batch upload jobs

Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.

Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.

Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.

Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.

Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS) Configure arule to let principals in the pool impersonate the Google Cloud service account.

Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS) Let allprincipals in the pool impersonate the Google Cloud service account.

Set up a workload identity pool with an OpenID Connect (OIDC) service on the name machine Configure arule to let principals in the pool impersonate the Google Cloud service account.

Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine Let allprincipals in the pool impersonate the Google Cloud service account.

Organization Administrator

Super Admin

GKE Cluster Admin

Compute Admin

Organization Role Viewer

Define an organization policy constraint.

Configure packet mirroring policies.

Enable VPC Flow Logs on the subnet.

Monitor and analyze Cloud Audit Logs.

Store the data in a persistent disk, and delete the disk at expiration time.

Store the data in a Cloud Bigtable table, and set an expiration time on the column families.

Store the data in a BigQuery table, and set the table's expiration time.

Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.

• 1. Attach external IP addresses to the VMs in scope.

• 2. Configure a VPC Firewall rule in "dev-vpc" that allows egress connectivity to IP range 10.58.5.0/24 for all source addresses in this network.

• 1. Attach external IP addresses to the VMs in scope.

• 2. Define and apply a hierarchical firewall policy on folder level to deny all egress connections and to allow egress to IP range 10 58.5.0/24 from network dev-vpc.

• 1. Leave the network configuration of the VMs in scope unchanged.

• 2. Create a new project including a new VPC network "new-vpc."

• 3 Deploy a network appliance in "new-vpc" to filter access requests and only allow egress connections from -dev-vpc" to 10.58.5.0/24.

• 1 Leave the network configuration of the VMs in scope unchanged

• 2 Enable Cloud NAT for dev-vpc" and restrict the target range in Cloud NAT to 10.58.5 0/24.

A rule that allows all outbound connections

A rule that denies all inbound connections

A rule that blocks all inbound port 25 connections

A rule that blocks all outbound connections

A rule that allows all inbound port 80 connections

1. Manage SAML profile assignments.

• 2. Enable OpenID Connect (OIDC) in your Active Directory (AD) tenant.

• 3. Verify the domain.

1. Create a new SAML profile.

• 2. Upload the X.509 certificate.

• 3. Enable the change password URL.

• 4. Configure Entity ID and ACS URL in your IdP.

1- Create a new SAML profile.

• 2. Populate the sign-in and sign-out page URLs.

• 3. Upload the X.509 certificate.

• 4. Configure Entity ID and ACS URL in your IdP

1. Configure prerequisites for OpenID Connect (OIDC) in your Active Directory (AD) tenant

• 2. Verify the AD domain.

• 3. Decide which users should use SAML.

• 4. Assign the pre-configured profile to the select organizational units (OUs) and groups.

Remove all project-level custom Identity and Access Management (1AM) roles.

Disallow inheritance of organization policies.

Identify inherited Identity and Access Management (1AM) roles on projects to be migrated.

Create a new folder for all projects to be migrated.

Remove the specific migration projects from any VPC Service Controls perimeters and bridges.

Provision a Cloud NAT instance in the same VPC and region as the Compute Engine VM

Provision an HTTP load balancer with the VM in an unmanaged instance group to allow inbound connectionsfrom the internet to your VM.

Update the VPC routes to allow traffic to and from the internet.

Provision a Cloud VPN tunnel in the same VPC and region as the Compute Engine VM.

Enable Private Google Access on the subnet that the Compute Engine VM is deployed within.

Deterministic encryption

Secure, key-based hashes

Format-preserving encryption

Cryptographic hashing

Create a service account key and add it to the GitHub pipeline configuration file.

Create a service account key and add it to the GitHub repository content.

Configure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.

Configure workload identity federation to use GitHub as an identity pool provider.

Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.

Register a new domain name, and use that for the new Cloud Identity domain.

Ask Google to provision the data science manager’s account as a Super Administrator in the existing domain.

Ask customer’s management to discover any other uses of Google managed services, and work with the existing Super Administrator.

Set the minimum length for passwords to be 8 characters.

Set the minimum length for passwords to be 10 characters.

Set the minimum length for passwords to be 12 characters.

Set the minimum length for passwords to be 6 characters.

Cloud Identity-Aware Proxy

Cloud Armor

Cloud Endpoints

Cloud VPN

Admin Activity

System Event

Access Transparency

Data Access

Customer-supplied encryption keys.

Google default encryption

Secret Manager

Cloud External Key Manager

Customer-managed encryption keys

Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have “user email address” as the attribute to facilitate one-way sync.

Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have “user email address” as the attribute to facilitate bidirectional sync.

Use a management tool to sync the subset based on the email address attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

Use a management tool to sync the subset based on group object class attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

Central management of routes, firewalls, and VPNs for peered networks

Non-transitive peered networks; where only directly peered networks can communicate

Ability to peer networks that belong to different Google Cloud Platform organizations

Firewall rules that can be created with a tag from one peered network to another peered network

Ability to share specific subnets across peered networks

Create a Cloud Key Management Service (KMS) key with imported key material Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.

Create a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM) Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.

Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module

(HSM) system from supported vendors.

Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems Provide the raw CSEK as part of the API call.

Generate a data encryption key (DEK) locally.

Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK.

Store the encrypted data and the wrapped KEK.

Generate a key encryption key (KEK) locally.

Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK.

Store the encrypted data and the wrapped DEK.

Generate a data encryption key (DEK) locally.

Encrypt data with the DEK.

Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.

Generate a key encryption key (KEK) locally.

Generate a data encryption key (DEK) locally. Encrypt data with the KEK.

Store the encrypted data and the wrapped DEK.

Configuring and monitoring VPC Flow Logs

Defending against XSS and SQLi attacks

Manage the latest updates and security patches for the Guest OS

Encrypting all stored data

Configure data access log for BigQuery services, and grant Project Viewer role to security operators.

Generate a CSV data file based on the business user's needs, and send the data to their email addresses.

Create curated tables in a separate dataset and assign the role roles/bigquery.dataViewer.

Set row-based access control based on the "region" column, and filter the record from the United States for data engineers.

Assign a BigQuery Data Viewer role along with an 1AM condition that limits the access to specified working hours.

Configure Cloud Scheduler so that it triggers a Cloud Functions instance that modifies the organizational policy constraints for BigQuery during the specified working hours.

Assign a BigQuery Data Viewer role to a service account that adds and removes the users daily during the specified working hours

Run a gsuttl script that assigns a BigQuery Data Viewer role, and remove it only during the specified working hours.

Configure a rate_based_ban action by using Google Cloud Armor and set the ban_duration_secparameter to the specified time interval.

Configure a deny action by using Google Cloud Armor to deny the clients that issued too many requests overthe specified time interval.

Configure a throttle action by using Google Cloud Armor to limit the number of requests per client over aspecified time interval.

Configure a firewall rule in your VPC to throttle traffic from the identified IP addresses.

Folder

Resource

Project

Organization

Perform data masking with the DLP API and store that data in BigQuery for later use.

Perform data redaction with the DLP API and store that data in BigQuery for later use.

Perform data inspection with the DLP API and store that data in BigQuery for later use.

Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.

BigQuery using a data pipeline job with continuous updates via Cloud VPN

Cloud Storage using a scheduled task and gsutil via Cloud Interconnect

Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect

Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN

Store the data in a single Persistent Disk, and delete the disk at expiration time.

Store the data in a single BigQuery table and set the appropriate table expiration time.

Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.

Store the data in a single BigTable table and set an expiration time on the column families.

Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.

Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a

job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.

On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.

On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.

Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.

Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.

Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.

Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.

In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.

Cloud Bigtable

Cloud BigQuery

Compute Engine SSD Disk

Compute Engine Persistent Disk

Create a Log Sink at the organization level with a Pub/Sub destination.

Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.

Enable Data Access audit logs at the organization level to apply to all projects.

Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.

Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.

Run each tier in its own Project, and segregate using Project labels.

Run each tier with a different Service Account (SA), and use SA-based firewall rules.

Run each tier in its own subnet, and use subnet-based firewall rules.

Run each tier with its own VM tags, and use tag-based firewall rules.

Mark all security findings that are irrelevant with a tag and a value that indicates a security exception Selectall marked findings and mute them on the console every time they appear Activate Security CommandCenter (SCC) Premium.

Activate Security Command Center (SCC) Premium Create a rule to mute the security findings in SCC sothey are not evaluated.

Download all findings from Security Command Center (SCC) to a CSV file Mark the findings that are part ofCIS Google Cloud Foundation 1 3 in the file Ignore the entries that are irrelevant and out of scope for thecompany.

Ask an external audit company to provide independent reports including needed CIS benchmarks. In thescope of the audit clarify that some of the controls are not needed and must be disregarded.

Create a project with multiple VPC networks for each environment.

Create a folder for each development and production environment.

Create a Google Group for the Engineering team, and assign permissions at the folder level.

Create an Organizational Policy constraint for each folder environment.

Create projects for each environment, and grant IAM rights to each engineering user.

Create a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets

Migrate the Compute Engine VMs to Confidential VMs to access the sensitive data.

Configure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage and decrypt the sensitive data after it is downloaded into your VMs

Create Confidential VMs to access the sensitive data.

Configure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.

Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.

Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.

Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.

Run all in-scope Pods in the namespace “in-scope-pci”.

Configure Private Google Access on the Compute Engine subnet

Avoid assigning public IP addresses to the Compute Engine cluster.

Make sure that the Compute Engine cluster is running on a separate subnet.

Turn off IP forwarding on the Compute Engine instances in the cluster.

Configure a Cloud NAT gateway.

External Key Manager

Customer-supplied encryption keys

Hardware Security Module

Confidential Computing and Istio

Client-side encryption

roles/logging.privateLogViewer

roles/logging.admin

roles/viewer

roles/logging.viewer

Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.

Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.

Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.

Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.

Enable Access Transparency Logging.

Deploy resources only to regions permitted by data residency requirements

Use Data Access logging and Access Transparency logging to confirm that no users are accessing data from another region.

Deploy Assured Workloads.

Turn off the domain restriction sharing organization policy. Set the policy value to "Allow All."

Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.

Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.

Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.

Use Certificate Manager to issue Google managed public certificates and configure it at HTTP the load balancers in your infrastructure as code (laC).

Use Certificate Manager to import certificates issued from on-premises PKI and for the frontends. Leverage the gcloud tool for importing

Use a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.

Use the web applications with PKCS12 certificates issued from subordinate CA based on OpenSSL on-premises Use the gcloud tool for importing. Use the External TCP/UDP Network load balancer instead of an external HTTP Load Balancer.

Create an organization node, and assign folders for each business unit.

Establish standalone projects for each business unit, using gmail.com accounts.

Assign GCP resources in a project, with a label identifying which business unit owns the resource.

Assign GCP resources in a VPC for each business unit to separate network access.

Set up multiple VPC networks, and set up multi-NIC virtual appliances to connect the networks.

Set up VPC Network Peering, and allow developers to peer their network with a Shared VPC.

Set up a VPC in a project. Assign the Compute Network Admin role to the security team, and assign the Compute Admin role to the developers.

Set up a Shared VPC where the security team manages the firewall rules, and share the network with developers via service projects.

Query Data Access logs.

Query Admin Activity logs.

Query Access Transparency logs.

Query Stackdriver Monitoring Workspace.

Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.

Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.

Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.

Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.

Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.

Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

Configure the Binary Authorization policy with respective attestations for the project.

Create a custom organization policy constraint to enforce Binary Authorization for Google Kubernetes Engine(GKE).

Enable Container Threat Detection in the Security Command Center (SCC) for the project.

Configure the trusted image organization policy constraint for the project.

Enable Pod Security standards and set them to Restricted.

•1 Update the perimeter

•2 Configure the egressTo field to set identity Type toany_identity.

•3 Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

* Allow the external project by using the organizational policy

constraints/compute.trustedlmageProjects.

•1 Update the perimeter

•2 Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

•3 Configure the egressFrom field to set identity Type toany_idestity.

•1 Update the perimeter

•2 Configure the ingressFrcm field to set identityType toan-y_identity.

•3 Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis -com.

Use Google Cloud Directory Sync to convert the unmanaged user accounts.

Create a new managed user account for each consumer user account.

Use the transfer tool for unmanaged user accounts.

Configure single sign-on using a customer's third-party provider.

Network Load Balancing

HTTP(S) Load Balancing

TCP Proxy Load Balancing

SSL Proxy Load Balancing

Organization Policy Service constraints

Shielded VM instances

Access control lists

Geolocation access controls

Google Cloud Armor

All load balancer types are denied in accordance with the global node’s policy.

INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder’s policy.

EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project’s policy.

EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project’s policies.

Use the Cloud Key Management Service to manage the data encryption key (DEK).

Use the Cloud Key Management Service to manage the key encryption key (KEK).

Use customer-supplied encryption keys to manage the data encryption key (DEK).

Use customer-supplied encryption keys to manage the key encryption key (KEK).

BigQuery datasets

Cloud Storage buckets

StackDriver logging

Cloud Pub/Sub topics

Enable Private Google Access on the regional subnets and global dynamic routing mode.

Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud interconnect connection.

Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.

Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.

compute.restrictSharedVpcHostProjects

compute.restrictXpnProjectLienRemoval

compute.restrictSharedVpcSubnetworks

compute.sharedReservationsOwnerProjects