Month End Special Sales Coupon - 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: c4sbfdisc

Professional-Cloud-Security-Engineer PDF

$44

$109.99

3 Months Free Update

  • Printable Format
  • Value of Money
  • 100% Pass Assurance
  • Verified Answers
  • Researched by Industry Experts
  • Based on Real Exams Scenarios
  • 100% Real Questions

Professional-Cloud-Security-Engineer PDF + Testing Engine

$70.4

$175.99

3 Months Free Update

  • Exam Name: Google Cloud Certified - Professional Cloud Security Engineer
  • Last Update: Jan 29, 2023
  • Questions and Answers: 177
  • Free Real Questions Demo
  • Recommended by Industry Experts
  • Best Economical Package
  • Immediate Access

Professional-Cloud-Security-Engineer Engine

$52.8

$131.99

3 Months Free Update

  • Best Testing Engine
  • One Click installation
  • Recommended by Teachers
  • Easy to use
  • 3 Modes of Learning
  • State of Art Technology
  • 100% Real Questions included

Professional-Cloud-Security-Engineer Google Cloud Certified - Professional Cloud Security Engineer Questions and Answers

Question # 6

A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means.

Which connectivity option should be implemented?

A.

VPC peering

B.

Cloud VPN

C.

Cloud Interconnect

D.

Shared VPC

Full Access
Question # 7

A company migrated their entire data/center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time.

What should you do?

A.

Use Resource Manager on the organization level.

B.

Use Forseti Security to automate inventory snapshots.

C.

Use Stackdriver to create a dashboard across all projects.

D.

Use Security Command Center to view all assets across the organization.

Full Access
Question # 8

Which Identity-Aware Proxy role should you grant to an Identity and Access Management (IAM) user to access HTTPS resources?

A.

Security Reviewer

B.

lAP-Secured Tunnel User

C.

lAP-Secured Web App User

D.

Service Broker Operator

Full Access
Question # 9

Which two security characteristics are related to the use of VPC peering to connect two VPC networks? (Choose two.)

A.

Central management of routes, firewalls, and VPNs for peered networks

B.

Non-transitive peered networks; where only directly peered networks can communicate

C.

Ability to peer networks that belong to different Google Cloud Platform organizations

D.

Firewall rules that can be created with a tag from one peered network to another peered network

E.

Ability to share specific subnets across peered networks

Full Access
Question # 10

Which two implied firewall rules are defined on a VPC network? (Choose two.)

A.

A rule that allows all outbound connections

B.

A rule that denies all inbound connections

C.

A rule that blocks all inbound port 25 connections

D.

A rule that blocks all outbound connections

E.

A rule that allows all inbound port 80 connections

Full Access
Question # 11

A customer’s company has multiple business units. Each business unit operates independently, and each has their own engineering group. Your team wants visibility into all projects created within the company and wants to organize their Google Cloud Platform (GCP) projects based on different business units. Each business unit also requires separate sets of IAM permissions.

Which strategy should you use to meet these needs?

A.

Create an organization node, and assign folders for each business unit.

B.

Establish standalone projects for each business unit, using gmail.com accounts.

C.

Assign GCP resources in a project, with a label identifying which business unit owns the resource.

D.

Assign GCP resources in a VPC for each business unit to separate network access.

Full Access
Question # 12

You perform a security assessment on a customer architecture and discover that multiple VMs have public IP addresses. After providing a recommendation to remove the public IP addresses, you are told those VMs need to communicate to external sites as part of the customer's typical operations. What should you recommend to reduce the need for public IP addresses in your customer's VMs?

A.

Google Cloud Armor

B.

Cloud NAT

C.

Cloud Router

D.

Cloud VPN

Full Access
Question # 13

You are designing a new governance model for your organization's secrets that are stored in Secret Manager. Currently, secrets for Production and Non-Production applications are stored and accessed using service accounts. Your proposed solution must:

Provide granular access to secrets

Give you control over the rotation schedules for the encryption keys that wrap your secrets

Maintain environment separation

Provide ease of management

Which approach should you take?

A.

1. Use separate Google Cloud projects to store Production and Non-Production secrets.

2. Enforce access control to secrets using project-level identity and Access Management (IAM) bindings.

3. Use customer-managed encryption keys to encrypt secrets.

B.

1. Use a single Google Cloud project to store both Production and Non-Production secrets.

2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.

3. Use Google-managed encryption keys to encrypt secrets.

C.

1. Use separate Google Cloud projects to store Production and Non-Production secrets.

2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.

3. Use Google-managed encryption keys to encrypt secrets.

D.

1. Use a single Google Cloud project to store both Production and Non-Production secrets.

2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings.

3. Use customer-managed encryption keys to encrypt secrets.

Full Access
Question # 14

You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM.

What should you do?

A.

Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have “user email address” as the attribute to facilitate one-way sync.

B.

Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have “user email address” as the attribute to facilitate bidirectional sync.

C.

Use a management tool to sync the subset based on the email address attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

D.

Use a management tool to sync the subset based on group object class attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

Full Access
Question # 15

You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account.

What should you do?

A.

Query Data Access logs.

B.

Query Admin Activity logs.

C.

Query Access Transparency logs.

D.

Query Stackdriver Monitoring Workspace.

Full Access
Question # 16

For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on “in- scope” Nodes only. These Nodes can only contain the “in-scope” Pods.

How should the organization achieve this objective?

A.

Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.

B.

Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.

C.

Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.

D.

Run all in-scope Pods in the namespace “in-scope-pci”.

Full Access
Question # 17

In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.

Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)

A.

App Engine

B.

Cloud Functions

C.

Compute Engine

D.

Google Kubernetes Engine

E.

Cloud Storage

Full Access
Question # 18

Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation.

What should you do?

A.

Store the data in a single Persistent Disk, and delete the disk at expiration time.

B.

Store the data in a single BigQuery table and set the appropriate table expiration time.

C.

Store the data in a single Cloud Storage bucket and configure the bucket’s Time to Live.

D.

Store the data in a single BigTable table and set an expiration time on the column families.

Full Access
Question # 19

Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.

Which logging export strategy should you use to meet the requirements?

A.

1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project.

2.Subscribe SIEM to the topic.

B.

1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project.

2.Process Cloud Storage objects in SIEM.

C.

1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project.

2.Subscribe SIEM to the topic.

D.

1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project.

2.Process Cloud Storage objects in SIEM.

Full Access
Question # 20

An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request.

Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses

Which solution should your team implement to meet these requirements?

A.

Cloud Armor

B.

Network Load Balancing

C.

SSL Proxy Load Balancing

D.

NAT Gateway

Full Access
Question # 21

You want to use the gcloud command-line tool to authenticate using a third-party single sign-on (SSO) SAML identity provider. Which options are necessary to ensure that authentication is supported by the third-party identity provider (IdP)? (Choose two.)

A.

SSO SAML as a third-party IdP

B.

Identity Platform

C.

OpenID Connect

D.

Identity-Aware Proxy

E.

Cloud Identity

Full Access
Question # 22

You are working with a client who plans to migrate their data to Google Cloud. You are responsible for recommending an encryption service to manage their encrypted keys. You have the following requirements:

  • The master key must be rotated at least once every 45 days.
  • The solution that stores the master key must be FIPS 140-2 Level 3 validated.
  • The master key must be stored in multiple regions within the US for redundancy.

Which solution meets these requirements?

A.

Customer-managed encryption keys with Cloud Key Management Service

B.

Customer-managed encryption keys with Cloud HSM

C.

Customer-supplied encryption keys

D.

Google-managed encryption keys

Full Access
Question # 23

While migrating your organization’s infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.

What should you do?

A.

Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.

B.

Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.

C.

Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.

D.

Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.

Full Access
Question # 24

An office manager at your small startup company is responsible for matching payments to invoices and creating billing alerts. For compliance reasons, the office manager is only permitted to have the Identity and Access Management (IAM) permissions necessary for these tasks. Which two IAM roles should the office manager have? (Choose two.)

A.

Organization Administrator

B.

Project Creator

C.

Billing Account Viewer

D.

Billing Account Costs Manager

E.

Billing Account User

Full Access
Question # 25

A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects.

Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources.

Which type of access should your team grant to meet this requirement?

A.

Organization Administrator

B.

Security Reviewer

C.

Organization Role Administrator

D.

Organization Policy Administrator

Full Access
Question # 26

You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be readable from Project B. You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials.

What should you do?

A.

Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.

B.

Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.

C.

Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.

D.

Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.

Full Access