Weekend Special - 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: spcl70

Professional-Cloud-Security-Engineer PDF

$33

$109.99

3 Months Free Update

  • Printable Format
  • Value of Money
  • 100% Pass Assurance
  • Verified Answers
  • Researched by Industry Experts
  • Based on Real Exams Scenarios
  • 100% Real Questions

Professional-Cloud-Security-Engineer PDF + Testing Engine

$52.8

$175.99

3 Months Free Update

  • Exam Name: Google Cloud Certified - Professional Cloud Security Engineer
  • Last Update: Dec 8, 2024
  • Questions and Answers: 234
  • Free Real Questions Demo
  • Recommended by Industry Experts
  • Best Economical Package
  • Immediate Access

Professional-Cloud-Security-Engineer Engine

$39.6

$131.99

3 Months Free Update

  • Best Testing Engine
  • One Click installation
  • Recommended by Teachers
  • Easy to use
  • 3 Modes of Learning
  • State of Art Technology
  • 100% Real Questions included

Professional-Cloud-Security-Engineer Practice Exam Questions with Answers Google Cloud Certified - Professional Cloud Security Engineer Certification

Question # 6

A customer deployed an application on Compute Engine that takes advantage of the elastic nature of cloud computing.

How can you work with Infrastructure Operations Engineers to best ensure that Windows Compute Engine VMs are up to date with all the latest OS patches?

A.

Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.

B.

Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.

C.

Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).

D.

Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.

Full Access
Question # 7

Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company’s servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:

    The network connection must be encrypted.

    The communication between servers must be over private IP addresses.

What should you do?

A.

Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

B.

Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

C.

Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.

D.

Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.

Full Access
Question # 8

Your organization s record data exists in Cloud Storage. You must retain all record data for at least seven years This policy must be permanent.

What should you do?

A.

• 1 Identify buckets with record data

• 2 Apply a retention policy and set it to retain for seven years

• 3 Monitor the bucket by using log-based alerts to ensure that no modifications to the retention policy occurs

B.

• 1 Identify buckets with record data

• 2 Apply a retention policy and set it to retain for seven years

• 3 Remove any Identity and Access Management (IAM) roles that contain the storage buckets update permission

C.

• 1 Identify buckets with record data

• 2 Enable the bucket policy only to ensure that data is retained

• 3 Enable bucket lock

D.

* 1 Identify buckets with record data

• 2 Apply a retention policy and set it to retain for seven years

• 3 Enable bucket lock

Full Access
Question # 9

You need to centralize your team’s logs for production projects. You want your team to be able to search and analyze the logs using Logs Explorer. What should you do?

A.

Enable Cloud Monitoring workspace, and add the production projects to be monitored.

B.

Use Logs Explorer at the organization level and filter for production project logs.

C.

Create an aggregate org sink at the parent folder of the production projects, and set the destination to a Cloud Storage bucket.

D.

Create an aggregate org sink at the parent folder of the production projects, and set the destination to a logs bucket.

Full Access
Question # 10

A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet.

How should this be accomplished?

A.

Create a firewall rule to block internet traffic from the VM.

B.

Provision a NAT Gateway to access the Cloud Storage API endpoint.

C.

Enable Private Google Access on the VPC.

D.

Mount a Cloud Storage bucket as a local filesystem on every VM.

Full Access
Question # 11

Your organization uses the top-tier folder to separate application environments (prod and dev). The developers need to see all application development audit logs but they are not permitted to review production logs. Your security team can review all logs in production and development environments. You must grant Identity and Access Management (1AM) roles at the right resource level tor the developers and security team while you ensure least privilege.

What should you do?

A.

• 1 Grant logging, viewer rote to the security team at the organization resource level.

• 2 Grant logging, viewer rote to the developer team at the folder resource level that contains all the dev projects.

B.

• 1 Grant logging. viewer rote to the security team at the organization resource level.

• 2 Grant logging. admin role to the developer team at the organization resource level.

C.

• 1 Grant logging.admin role to the security team at the organization resource level.

• 2 Grant logging. viewer rote to the developer team at the folder resource level that contains all the dev projects.

D.

• 1 Grant logging.admin role to the security team at the organization resource level.

• 2 Grant logging.admin role to the developer team at the organization resource level.

Full Access
Question # 12

You manage a fleet of virtual machines (VMs) in your organization. You have encountered issues with lack of patching in many VMs. You need to automate regular patching in your VMs and view the patch management data across multiple projects.

What should you do?

Choose 2 answers

A.

Deploy patches with VM Manager by using OS patch management

B.

View patch management data in VM Manager by using OS patch management.

C.

Deploy patches with Security Command Center by using Rapid Vulnerability Detection.

D.

View patch management data in a Security Command Center dashboard.

E.

View patch management data in Artifact Registry.

Full Access
Question # 13

In an effort for your company messaging app to comply with FIPS 140-2, a decision was made to use GCP compute and network services. The messaging app architecture includes a Managed Instance Group (MIG) that controls a cluster of Compute Engine instances. The instances use Local SSDs for data caching and UDP for instance-to-instance communications. The app development team is willing to make any changes necessary to comply with the standard

Which options should you recommend to meet the requirements?

A.

Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.

B.

Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.

C.

Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections.

D.

Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.

Full Access
Question # 14

You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?

A.

Google Cloud Armor's preconfigured rules in preview mode

B.

Prepopulated VPC firewall rules in monitor mode

C.

The inherent protections of Google Front End (GFE)

D.

Cloud Load Balancing firewall rules

E.

VPC Service Controls in dry run mode

Full Access
Question # 15

An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.

Which Cloud Data Loss Prevention API technique should you use to accomplish this?

A.

Generalization

B.

Redaction

C.

CryptoHashConfig

D.

CryptoReplaceFfxFpeConfig

Full Access
Question # 16

A manager wants to start retaining security event logs for 2 years while minimizing costs. You write a filter to select the appropriate log entries.

Where should you export the logs?

A.

BigQuery datasets

B.

Cloud Storage buckets

C.

StackDriver logging

D.

Cloud Pub/Sub topics

Full Access
Question # 17

You are creating an internal App Engine application that needs to access a user’s Google Drive on the user’s behalf. Your company does not want to rely on the current user’s credentials. It also wants to follow Google- recommended practices.

What should you do?

A.

Create a new Service account, and give all application users the role of Service Account User.

B.

Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.

C.

Use a dedicated G Suite Admin account, and authenticate the application’s operations with these G Suite credentials.

D.

Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.

Full Access
Question # 18

You manage one of your organization's Google Cloud projects (Project A). AVPC Service Control (SC) perimeter is blocking API access requests to this project including Pub/Sub. A resource running under a service account in another project (Project B) needs to collect messages from a Pub/Sub topic in your project Project B is not included in a VPC SC perimeter. You need to provide access from Project B to the Pub/Sub topic in Project A using the principle of least

Privilege.

What should you do?

A.

Configure an ingress policy for the perimeter in Project A and allow access for the service account in Project B to collect messages.

B.

Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is located in Project A.

C.

Create a perimeter bridge between Project A and Project B to allow the required communication between both projects.

D.

Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project A.

Full Access
Question # 19

You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

A.

Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.

B.

Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.

C.

Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.

D.

Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.

Full Access
Question # 20

You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?

A.

Add the host project containing the Shared VPC to the service perimeter.

B.

Add the service project where the Compute Engine instances reside to the service perimeter.

C.

Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.

D.

Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.

Full Access
Question # 21

Employees at your company use their personal computers to access your organization s Google Cloud console. You need to ensure that users can only access the Google Cloud console from their corporate-issued devices and verify that they have a valid enterprise certificate

What should you do?

A.

Implement an Identity and Access Management (1AM) conditional policy to verify the device certificate

B.

Implement a VPC firewall policy Activate packet inspection and create an allow rule to validate and verify the device certificate.

C.

Implement an organization policy to verify the certificate from the access context.

D.

Implement an Access Policy in BeyondCorp Enterprise to verify the device certificate Create an access binding with the access policy just created.

Full Access
Question # 22

In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.)

A.

Hardware

B.

Network Security

C.

Storage Encryption

D.

Access Policies

E.

Boot

Full Access
Question # 23

You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your Google Cloud VPCs based on packet header information. However, you want the capability to explore network flows and their payload to aid investigations. Which Google Cloud product should you use?

A.

Marketplace IDS

B.

VPC Flow Logs

C.

VPC Service Controls logs

D.

Packet Mirroring

E.

Google Cloud Armor Deep Packet Inspection

Full Access
Question # 24

Your company must follow industry specific regulations. Therefore, you need to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources in the organization called org1.

What command should you execute?

A.

• organization policy: constraints/gcp.restrictStorageNonCraekServices

• binding at: orgl

• policy type: deny

• policy value: storage.gcogleapis.com

B.

• organization policy: constraints/gcp.restrictHonCmekServices

• binding at: orgl

• policy type: deny

• policy value: storage.googleapis.com

C.

• organization policy:constraints/gcp.restrictStorageNonCraekServices

• binding at: orgl

• policy type: allow

• policy value: all supported services

D.

• organization policy: constramts/gcp.restrictNonCmekServices

• binding at: orgl

• policy type: allow

• policy value: storage.googleapis.com

Full Access
Question # 25

You need to set up a Cloud interconnect connection between your company's on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?

A.

Enable Private Google Access on the regional subnets and global dynamic routing mode.

B.

Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud interconnect connection.

C.

Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.

D.

Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.

Full Access
Question # 26

Your organization uses Google Workspace Enterprise Edition tor authentication. You are concerned about employees leaving their laptops unattended for extended periods of time after authenticating into Google Cloud. You must prevent malicious people from using an employee's unattended laptop to modify their environment.

What should you do?

A.

Create a policy that requires employees to not leave their sessions open for long durations.

B.

Review and disable unnecessary Google Cloud APIs.

C.

Require strong passwords and 2SV through a security token or Google authenticate.

D.

Set the session length timeout for Google Cloud services to a shorter duration.

Full Access
Question # 27

You are a consultant for an organization that is considering migrating their data from its private cloud to Google Cloud. The organization’s compliance team is not familiar with Google Cloud and needs guidance on how compliance requirements will be met on Google Cloud. One specific compliance requirement is for customer data at rest to reside within specific geographic boundaries. Which option should you recommend for the organization to meet their data residency requirements on Google Cloud?

A.

Organization Policy Service constraints

B.

Shielded VM instances

C.

Access control lists

D.

Geolocation access controls

E.

Google Cloud Armor

Full Access
Question # 28

Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?

A.

ISO 27001

B.

ISO 27002

C.

ISO 27017

D.

ISO 27018

Full Access
Question # 29

Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team.

Which type of networking design should your team use to meet these requirements?

A.

Shared VPC Network with a host project and service projects

B.

Grant Compute Admin role to the networking team for each engineering project

C.

VPC peering between all engineering projects using a hub and spoke model

D.

Cloud VPN Gateway between all engineering projects using a hub and spoke model

Full Access
Question # 30

You want to evaluate GCP for PCI compliance. You need to identify Google’s inherent controls.

Which document should you review to find the information?

A.

Google Cloud Platform: Customer Responsibility Matrix

B.

PCI DSS Requirements and Security Assessment Procedures

C.

PCI SSC Cloud Computing Guidelines

D.

Product documentation for Compute Engine

Full Access
Question # 31

Your organization wants to be General Data Protection Regulation (GDPR) compliant You want to ensure that your DevOps teams can only create Google Cloud resources in the Europe regions.

What should you do?

A.

Use the org policy constraint "Restrict Resource Service Usage'* on your Google Cloud organization node.

B.

Use Identity and Access Management (1AM) custom roles to ensure that your DevOps team can only create resources in the Europe regions

C.

Use the org policy constraint Google Cloud Platform - Resource Location Restriction" on your Google Cloud

organization node.

D.

Use Identity-Aware Proxy (IAP) with Access Context Manager to restrict the location of Google Cloud resources.

Full Access
Question # 32

A batch job running on Compute Engine needs temporary write access to a Cloud Storage bucket. You want the batch job to use the minimum permissions necessary to complete the task. What should you do?

A.

Create a service account with full Cloud Storage administrator permissions. Assign the service account to the Compute Engine instance.

B.

Grant the predefined storage.objectcreator role to the Compute Engine instances default service account.

C.

Create a service account and embed a long-lived service account key file that has write permissions specified directly in the batch job

script.

D.

Create a service account with the storage .objectcreator role. Use service account impersonation in the batch job's code.

Full Access
Question # 33

You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud. Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.)

A.

Use Google default encryption.

B.

Manually add users to Google Cloud.

C.

Provision users with basic roles using Google's Identity and Access Management (1AM) service.

D.

Use SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.

E.

Provide granular access with predefined roles.

Full Access
Question # 34

You need to set up two network segments: one with an untrusted subnet and the other with a trusted subnet. You want to configure a virtual appliance such as a next-generation firewall (NGFW) to inspect all traffic between the two network segments. How should you design the network to inspect the traffic?

A.

1. Set up one VPC with two subnets: one trusted and the other untrusted.

2. Configure a custom route for all traffic (0.0.0.0/0) pointed to the virtual appliance.

B.

1. Set up one VPC with two subnets: one trusted and the other untrusted.

2. Configure a custom route for all RFC1918 subnets pointed to the virtual appliance.

C.

1. Set up two VPC networks: one trusted and the other untrusted, and peer them together.

2. Configure a custom route on each network pointed to the virtual appliance.

D.

1. Set up two VPC networks: one trusted and the other untrusted.

2. Configure a virtual appliance using multiple network interfaces, with each interface connected to one of the VPC networks.

Full Access
Question # 35

You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?

A.

Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials.

B.

Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/iam.disableServiceAccountCreation organization policy at the project level.

C.

Create a custom service account for the cluster Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level.

D.

Create a custom service account for the cluster Enable the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.

Full Access
Question # 36

While migrating your organization’s infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.

What should you do?

A.

Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.

B.

Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.

C.

Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.

D.

Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.

Full Access
Question # 37

Your organization s customers must scan and upload the contract and their driver license into a web portal in Cloud Storage. You must remove all personally identifiable information (Pll) from files that are older than 12 months. Also you must archive the anonymized files for retention purposes.

What should you do?

A.

Set a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PH and moves the files to the archive storage class.

B.

Create a Cloud Data Loss Prevention (DLP) inspection job that de-identifies Pll in files created more than 12 months ago and archives them to another Cloud Storage bucket. Delete the original files.

C.

Schedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys of the Cloud Storage files containing Pll to de-identify them Delete the original keys.

D.

Configure the Autoclass feature of the Cloud Storage bucket to de-identify Pll Archive the files that are older than 12 months Delete the original files.

Full Access
Question # 38

Your organization wants to be continuously evaluated against CIS Google Cloud Computing Foundations Benchmark v1 3 0 (CIS Google Cloud Foundation 1 3). Some of the controls are irrelevant to your organization and must be disregarded in evaluation. You need to create an automated system or process to ensure that only the relevant controls are evaluated.

What should you do?

A.

Mark all security findings that are irrelevant with a tag and a value that indicates a security exception Select all marked findings and mute them on the console every time they appear Activate Security Command Center (SCC) Premium.

B.

Activate Security Command Center (SCC) Premium Create a rule to mute the security findings in SCC so they are not evaluated.

C.

Download all findings from Security Command Center (SCC) to a CSV file Mark the findings that are part of CIS Google Cloud Foundation 1 3 in the file Ignore the entries that are irrelevant and out of scope for the company.

D.

Ask an external audit company to provide independent reports including needed CIS benchmarks. In the scope of the audit clarify that some of the controls are not needed and must be disregarded.

Full Access
Question # 39

What are the steps to encrypt data using envelope encryption?

A.

Generate a data encryption key (DEK) locally.

Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK.

Store the encrypted data and the wrapped KEK.

B.

Generate a key encryption key (KEK) locally.

Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK.

Store the encrypted data and the wrapped DEK.

C.

Generate a data encryption key (DEK) locally.

Encrypt data with the DEK.

Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.

D.

Generate a key encryption key (KEK) locally.

Generate a data encryption key (DEK) locally. Encrypt data with the KEK.

Store the encrypted data and the wrapped DEK.

Full Access
Question # 40

You manage a mission-critical workload for your organization, which is in a highly regulated industry The workload uses Compute Engine VMs to analyze and process the sensitive data after it is uploaded to Cloud Storage from the endpomt computers. Your compliance team has detected that this workload does not meet the data protection requirements for sensitive data. You need to meet these requirements;

• Manage the data encryption key (DEK) outside the Google Cloud boundary.

• Maintain full control of encryption keys through a third-party provider.

• Encrypt the sensitive data before uploading it to Cloud Storage

• Decrypt the sensitive data during processing in the Compute Engine VMs

• Encrypt the sensitive data in memory while in use in the Compute Engine VMs

What should you do?

Choose 2 answers

A.

Create a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets

B.

Migrate the Compute Engine VMs to Confidential VMs to access the sensitive data.

C.

Configure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage and decrypt the sensitive data after it is downloaded into your VMs

D.

Create Confidential VMs to access the sensitive data.

E.

Configure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.

Full Access
Question # 41

You have stored company approved compute images in a single Google Cloud project that is used as an image repository. This project is protected with VPC Service Controls and exists in the perimeter along with other projects in your organization. This lets other projects deploy images from the image repository project. A team requires deploying a third-party disk image that is stored in an external Google Cloud organization. You need to grant read access to the disk image so that it can be deployed into the perimeter.

What should you do?

A.

• 1 Update the perimeter

• 2 Configure the egressTo field to set identity Type to any_identity.

• 3 Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

B.

* Allow the external project by using the organizational policy

constraints/compute.trustedlmageProjects.

C.

• 1 Update the perimeter

• 2 Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

• 3 Configure the egressFrom field to set identity Type to any_idestity.

D.

• 1 Update the perimeter

• 2 Configure the ingressFrcm field to set identityType to an-y_identity.

• 3 Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis -com.

Full Access
Question # 42

You control network traffic for a folder in your Google Cloud environment. Your folder includes multiple projects and Virtual Private Cloud (VPC) networks You want to enforce on the folder level that egress connections are limited only to IP range 10.58.5.0/24 and only from the VPC network dev-vpc." You want to minimize implementation and maintenance effort

What should you do?

A.

• 1. Attach external IP addresses to the VMs in scope.

• 2. Configure a VPC Firewall rule in "dev-vpc" that allows egress connectivity to IP range 10.58.5.0/24 for all source addresses in this network.

B.

• 1. Attach external IP addresses to the VMs in scope.

• 2. Define and apply a hierarchical firewall policy on folder level to deny all egress connections and to allow egress to IP range 10 58.5.0/24 from network dev-vpc.

C.

• 1. Leave the network configuration of the VMs in scope unchanged.

• 2. Create a new project including a new VPC network "new-vpc."

• 3 Deploy a network appliance in "new-vpc" to filter access requests and only allow egress connections from -dev-vpc" to 10.58.5.0/24.

D.

• 1 Leave the network configuration of the VMs in scope unchanged

• 2 Enable Cloud NAT for dev-vpc" and restrict the target range in Cloud NAT to 10.58.5 0/24.

Full Access
Question # 43

You are designing a new governance model for your organization's secrets that are stored in Secret Manager. Currently, secrets for Production and Non-Production applications are stored and accessed using service accounts. Your proposed solution must:

Provide granular access to secrets

Give you control over the rotation schedules for the encryption keys that wrap your secrets

Maintain environment separation

Provide ease of management

Which approach should you take?

A.

1. Use separate Google Cloud projects to store Production and Non-Production secrets.

2. Enforce access control to secrets using project-level identity and Access Management (IAM) bindings.

3. Use customer-managed encryption keys to encrypt secrets.

B.

1. Use a single Google Cloud project to store both Production and Non-Production secrets.

2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.

3. Use Google-managed encryption keys to encrypt secrets.

C.

1. Use separate Google Cloud projects to store Production and Non-Production secrets.

2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.

3. Use Google-managed encryption keys to encrypt secrets.

D.

1. Use a single Google Cloud project to store both Production and Non-Production secrets.

2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings.

3. Use customer-managed encryption keys to encrypt secrets.

Full Access
Question # 44

Applications often require access to “secrets” - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of “who did what, where, and when?” within their GCP projects.

Which two log streams would provide the information that the administrator is looking for? (Choose two.)

A.

Admin Activity logs

B.

System Event logs

C.

Data Access logs

D.

VPC Flow logs

E.

Agent logs

Full Access
Question # 45

You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources. Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts.

Which two actions should you take? (Choose two.)

A.

Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity.

B.

Use the Google Admin console to view which managed users are using a personal account for their recovery email.

C.

Add users to your managed Google account and force users to change the email addresses associated with their personal accounts.

D.

Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts.

E.

Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.

Full Access
Question # 46

You have been tasked with configuring Security Command Center for your organization’s Google Cloud environment. Your security team needs to receive alerts of potential crypto mining in the organization’s compute environment and alerts for common Google Cloud misconfigurations that impact security. Which Security Command Center features should you use to configure these alerts? (Choose two.)

A.

Event Threat Detection

B.

Container Threat Detection

C.

Security Health Analytics

D.

Cloud Data Loss Prevention

E.

Google Cloud Armor

Full Access
Question # 47

You are a security engineer at a finance company. Your organization plans to store data on Google Cloud, but your leadership team is worried about the security of their highly sensitive data Specifically, your

company is concerned about internal Google employees' ability to access your company's data on Google Cloud. What solution should you propose?

A.

Use customer-managed encryption keys.

B.

Use Google's Identity and Access Management (IAM) service to manage access controls on Google Cloud.

C.

Enable Admin activity logs to monitor access to resources.

D.

Enable Access Transparency logs with Access Approval requests for Google employees.

Full Access
Question # 48

You are a Cloud Identity administrator for your organization. In your Google Cloud environment groups are used to manage user permissions. Each application team has a dedicated group Your team is responsible for creating these groups and the application teams can manage the team members on their own through the Google Cloud console. You must ensure that the application teams can only add users from within your organization to their groups.

What should you do?

A.

Change the configuration of the relevant groups in the Google Workspace Admin console to prevent external users from being added to the group.

B.

Set an Identity and Access Management (1AM) policy that includes a condition that restricts group membership to user principals that belong to your organization.

C.

Define an Identity and Access Management (IAM) deny policy that denies the assignment of principals that are outside your organization to the groups in scope.

D.

Export the Cloud Identity logs to BigQuery Configure an alert for external members added to groups Have the alert trigger a Cloud Function instance that removes the external members from the group.

Full Access
Question # 49

You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project. How should you make an exception for your partner's domain while following the stated best practices?

A.

Turn off the domain restriction sharing organization policy. Set the policy value to "Allow All."

B.

Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.

C.

Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.

D.

Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.

Full Access
Question # 50

Your organization operates Virtual Machines (VMs) with only private IPs in the Virtual Private Cloud (VPC) with internet access through Cloud NAT Everyday, you must patch all VMs with critical OS updates and provide summary reports

What should you do?

A.

Validate that the egress firewall rules allow any outgoing traffic Log in to each VM and execute OS specific update commands Configure the Cloud Scheduler job to update with critical patches daily for daily updates.

B.

Ensure that VM Manager is installed and running on the VMs. In the OS patch management service. configure the patch jobs to update with critical patches daily.

C.

Assign public IPs to VMs. Validate that the egress firewall rules allow any outgoing traffic Log in to each VM. and configure a daily cron job to enable for OS updates at night during low activity periods.

D.

Copy the latest patches to the Cloud Storage bucket. Log in to each VM. download the patches from the bucket, and install them.

Full Access
Question # 51

You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.

How should you prevent and fix this vulnerability?

A.

Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

B.

Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

C.

Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.

D.

Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

Full Access
Question # 52

Your company’s new CEO recently sold two of the company’s divisions. Your Director asks you to help migrate the Google Cloud projects associated with those divisions to a new organization node. Which preparation steps are necessary before this migration occurs? (Choose two.)

A.

Remove all project-level custom Identity and Access Management (1AM) roles.

B.

Disallow inheritance of organization policies.

C.

Identify inherited Identity and Access Management (1AM) roles on projects to be migrated.

D.

Create a new folder for all projects to be migrated.

E.

Remove the specific migration projects from any VPC Service Controls perimeters and bridges.

Full Access
Question # 53

Your organization is using GitHub Actions as a continuous integration and delivery (Cl/CD) platform. You must enable access to Google Cloud resources from the Cl/CD pipelines in the most secure way.

What should you do?

A.

Create a service account key and add it to the GitHub pipeline configuration file.

B.

Create a service account key and add it to the GitHub repository content.

C.

Configure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.

D.

Configure workload identity federation to use GitHub as an identity pool provider.

Full Access
Question # 54

You are using Security Command Center (SCC) to protect your workloads and receive alerts for suspected security breaches at your company. You need to detect cryptocurrency mining software.

Which SCC service should you use?

A.

Container Threat Detection

B.

Web Security Scanner

C.

Rapid Vulnerability Detection

D.

Virtual Machine Threat Detection

Full Access
Question # 55

You have numerous private virtual machines on Google Cloud. You occasionally need to manage the servers through Secure Socket Shell (SSH) from a remote location. You want to configure remote access to the servers in a manner that optimizes security and cost efficiency.

What should you do?

A.

Create a site-to-site VPN from your corporate network to Google Cloud.

B.

Configure server instances with public IP addresses Create a firewall rule to only allow traffic from your corporate IPs.

C.

Create a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range Grant the role of an IAP- secured Tunnel User to the administrators.

D.

Create a jump host instance with public IP Manage the instances by connecting through the jump host.

Full Access
Question # 56

You want to update your existing VPC Service Controls perimeter with a new access level. You need to avoid breaking the existing perimeter with this change, and ensure the least disruptions to users while minimizing overhead. What should you do?

A.

Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.

B.

Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.

C.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration. Update the perimeter configuration after the access level has been vetted.

D.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.

Full Access
Question # 57

You are consulting with a client that requires end-to-end encryption of application data (including data in transit, data in use, and data at rest) within Google Cloud. Which options should you utilize to accomplish this? (Choose two.)

A.

External Key Manager

B.

Customer-supplied encryption keys

C.

Hardware Security Module

D.

Confidential Computing and Istio

E.

Client-side encryption

Full Access
Question # 58

Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate,

and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud.

What should you do?

A.

Use the Cloud Key Management Service to manage the data encryption key (DEK).

B.

Use the Cloud Key Management Service to manage the key encryption key (KEK).

C.

Use customer-supplied encryption keys to manage the data encryption key (DEK).

D.

Use customer-supplied encryption keys to manage the key encryption key (KEK).

Full Access
Question # 59

Your Google Cloud environment has one organization node, one folder named Apps." and several projects within that folder The organizational node enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allows members from the terramearth.com organization The "Apps" folder enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allows members from the flowlogistic.com organization. It also has the inheritFromParent: false property.

You attempt to grant access to a project in the Apps folder to the user testuser@terramearth.com.

What is the result of your action and why?

A.

The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy must

be defined on the current project to deactivate the constraint temporarily.

B.

The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed.

C.

The action succeeds because members from both organizations, terramearth. com or flowlogistic.com, are allowed on projects in the "Apps" folder

D.

The action succeeds and the new member is successfully added to the project's Identity and Access Management (1AM) policy because all policies are inherited by underlying folders and projects.

Full Access
Question # 60

Which two security characteristics are related to the use of VPC peering to connect two VPC networks? (Choose two.)

A.

Central management of routes, firewalls, and VPNs for peered networks

B.

Non-transitive peered networks; where only directly peered networks can communicate

C.

Ability to peer networks that belong to different Google Cloud Platform organizations

D.

Firewall rules that can be created with a tag from one peered network to another peered network

E.

Ability to share specific subnets across peered networks

Full Access
Question # 61

You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application's backend. What are two requirements for using Google Cloud Armor security policies? (Choose two.)

A.

The load balancer must be an external SSL proxy load balancer.

B.

Google Cloud Armor Policy rules can only match on Layer 7 (L7) attributes.

C.

The load balancer must use the Premium Network Service Tier.

D.

The backend service's load balancing scheme must be EXTERNAL.

E.

The load balancer must be an external HTTP(S) load balancer.

Full Access
Question # 62

Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application. The solution has the following requirements:

Scans must run at least once per week

Must be able to detect cross-site scripting vulnerabilities

Must be able to authenticate using Google accounts

Which solution should you use?

A.

Google Cloud Armor

B.

Web Security Scanner

C.

Security Health Analytics

D.

Container Threat Detection

Full Access
Question # 63

You are implementing data protection by design and in accordance with GDPR requirements. As part of design reviews, you are told that you need to manage the encryption key for a solution that includes workloads for Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. Which option should you choose for this implementation?

A.

Cloud External Key Manager

B.

Customer-managed encryption keys

C.

Customer-supplied encryption keys

D.

Google default encryption

Full Access
Question # 64

Your team uses a service account to authenticate data transfers from a given Compute Engine virtual machine instance of to a specified Cloud Storage bucket. An engineer accidentally deletes the service account, which breaks application functionality. You want to recover the application as quickly as possible without compromising security.

What should you do?

A.

Temporarily disable authentication on the Cloud Storage bucket.

B.

Use the undelete command to recover the deleted service account.

C.

Create a new service account with the same name as the deleted service account.

D.

Update the permissions of another existing service account and supply those credentials to the applications.

Full Access
Question # 65

Your company requires the security and network engineering teams to identify all network anomalies and be able to capture payloads within VPCs. Which method should you use?

A.

Define an organization policy constraint.

B.

Configure packet mirroring policies.

C.

Enable VPC Flow Logs on the subnet.

D.

Monitor and analyze Cloud Audit Logs.

Full Access
Question # 66

You manage your organization’s Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your VPCs based on network logs. However, you want to explore your environment using network payloads and headers. Which Google Cloud product should you use?

A.

Cloud IDS

B.

VPC Service Controls logs

C.

VPC Flow Logs

D.

Google Cloud Armor

E.

Packet Mirroring

Full Access
Question # 67

Your organization is transitioning to Google Cloud You want to ensure that only trusted container images are deployed on Google Kubernetes Engine (GKE) clusters in a project. The containers must be deployed from a centrally managed. Container Registry and signed by a trusted authority.

What should you do?

Choose 2 answers

A.

Configure the Binary Authorization policy with respective attestations for the project.

B.

Create a custom organization policy constraint to enforce Binary Authorization for Google Kubernetes Engine (GKE).

C.

Enable Container Threat Detection in the Security Command Center (SCC) for the project.

D.

Configure the trusted image organization policy constraint for the project.

E.

Enable Pod Security standards and set them to Restricted.

Full Access
Question # 68

You need to audit the network segmentation for your Google Cloud footprint. You currently operate Production and Non-Production infrastructure-as-a-service (IaaS) environments. All your VM instances are deployed without any service account customization.

After observing the traffic in your custom network, you notice that all instances can communicate freely – despite tag-based VPC firewall rules in place to segment traffic properly – with a priority of 1000. What are the most likely reasons for this behavior?

A.

All VM instances are missing the respective network tags.

B.

All VM instances are residing in the same network subnet.

C.

All VM instances are configured with the same network route.

D.

A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999.

E.

A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 1001.

Full Access
Question # 69

Your company operates an application instance group that is currently deployed behind a Google Cloud load balancer in us-central-1 and is configured to use the Standard Tier network. The infrastructure team wants to expand to a second Google Cloud region, us-east-2. You need to set up a single external IP address to distribute new requests to the instance groups in both regions.

What should you do?

A.

Change the load balancer backend configuration to use network endpoint groups instead of instance groups.

B.

Change the load balancer frontend configuration to use the Premium Tier network, and add the new instance group.

C.

Create a new load balancer in us-east-2 using the Standard Tier network, and assign a static external IP address.

D.

Create a Cloud VPN connection between the two regions, and enable Google Private Access.

Full Access
Question # 70

You work for a large organization where each business unit has thousands of users. You need to delegate management of access control permissions to each business unit. You have the following requirements:

Each business unit manages access controls for their own projects.

Each business unit manages access control permissions at scale.

Business units cannot access other business units' projects.

Users lose their access if they move to a different business unit or leave the company.

Users and access control permissions are managed by the on-premises directory service.

What should you do? (Choose two.)

A.

Use VPC Service Controls to create perimeters around each business unit's project.

B.

Organize projects in folders, and assign permissions to Google groups at the folder level.

C.

Group business units based on Organization Units (OUs) and manage permissions based on OUs.

D.

Create a project naming convention, and use Google's IAM Conditions to manage access based on the prefix of project names.

E.

Use Google Cloud Directory Sync to synchronize users and group memberships in Cloud Identity.

Full Access