[Apr 14, 2024] Ultimate Professional-Cloud-Security-Engineer Guide to Prepare Free Latest Google Practice Tests Dumps [Q19-Q44]

Share

[Apr 14, 2024] Ultimate Professional-Cloud-Security-Engineer Guide to Prepare Free Latest Google Practice Tests Dumps

Get Top-Rated Google Professional-Cloud-Security-Engineer Exam Dumps Now

NEW QUESTION # 19
A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE).
How should the DevOps team accomplish this?

  • A. Update the application code or apply a patch, build a new image, and redeploy it.
  • B. Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
  • C. Use Puppet or Chef to push out the patch to the running container.
  • D. Configure containers to automatically upgrade when the base image is available in Container Registry.

Answer: A

Explanation:
https://cloud.google.com/containers/security
Containers are meant to be immutable, so you deploy a new image in order to make changes. You can simplify patch management by rebuilding your images regularly, so the patch is picked up the next time a container is deployed. Get the full picture of your environment with regular image security reviews.


NEW QUESTION # 20
You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be readable from Project B.
You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials.
What should you do?

  • A. Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.
  • B. Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.
  • C. Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.
  • D. Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.

Answer: D


NEW QUESTION # 21
Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team.
Which type of networking design should your team use to meet these requirements?

  • A. Grant Compute Admin role to the networking team for each engineering project
  • B. VPC peering between all engineering projects using a hub and spoke model
  • C. Shared VPC Network with a host project and service projects
  • D. Cloud VPN Gateway between all engineering projects using a hub and spoke model

Answer: C

Explanation:
https://cloud.google.com/docs/enterprise/best-practices-for-enterprise- organizations#centralize_network_control


NEW QUESTION # 22
Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects.
The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?

  • A. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project.
    2.Subscribe SIEM to the topic.
  • B. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project.
    2.Process Cloud Storage objects in SIEM.
  • C. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project.
    2.Process Cloud Storage objects in SIEM.
  • D. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project.
    2.Subscribe SIEM to the topic.

Answer: D

Explanation:
Explanation
"Your team needs to obtain a unified log view of all development cloud projects in your SIEM" - This means we are ONLY interested in development projects. "The development projects are under the NONPROD organization folder with the test and pre-production projects" - We will need to filter out development from others i.e test and pre-prod. "The development projects share the ABC-BILLING billing account with the rest of the organization." - This is unnecessary information.


NEW QUESTION # 23
A company's application is deployed with a user-managed Service Account key. You want to use Google- recommended practices to rotate the key.
What should you do?

  • A. Create a new key, and use the new key in the application. Delete the old key from the Service Account.
  • B. Create a new key, and use the new key in the application. Store the old key on the system as a backup key.
  • C. Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam- account=IAM_ACCOUNT
    --key=NEW_KEY.
  • D. Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam- account=IAM_ACCOUNT.

Answer: A

Explanation:
Explanation
You can rotate a key by creating a new key, updating applications to use the new key, and deleting the old key.
Use the serviceAccount.keys.create() method and serviceAccount.keys.delete() method together to automate the rotation.


NEW QUESTION # 24
Your organization is using GitHub Actions as a continuous integration and delivery (Cl/CD) platform. You must enable access to Google Cloud resources from the Cl/CD pipelines in the most secure way.
What should you do?

  • A. Create a service account key and add it to the GitHub pipeline configuration file.
  • B. Configure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.
  • C. Create a service account key and add it to the GitHub repository content.
  • D. Configure workload identity federation to use GitHub as an identity pool provider.

Answer: D


NEW QUESTION # 25
A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?

  • A. VPC Flow Logs
  • B. Cloud Identity-Aware Proxy
  • C. DNS Security Extensions
  • D. Cloud Armor

Answer: C

Explanation:
Explanation/Reference: https://cloud.google.com/blog/products/gcp/dnssec-now-available-in-cloud-dns


NEW QUESTION # 26
A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.
Which two approaches can you take to meet the requirements? (Choose two.)

  • A. Configure the project with Shared VPC.
  • B. Configure the project with Cloud Interconnect.
  • C. Configure all Compute Engine instances with Private Access.
  • D. Configure the project with Cloud VPN.
  • E. Configure the project with VPC peering.

Answer: C,E

Explanation:
Explanation/Reference: https://cloud.google.com/solutions/secure-data-workloads-use-cases


NEW QUESTION # 27
Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?

  • A. ISO 27001
  • B. ISO 27017
  • C. ISO 27018
  • D. ISO 27002

Answer: B


NEW QUESTION # 28
A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.
Which two approaches can you take to meet the requirements? (Choose two.)

  • A. Configure the project with Cloud Interconnect.
  • B. Configure the project with Shared VPC.
  • C. Configure the project with VPC peering.
  • D. Configure all Compute Engine instances with Private Access.
  • E. Configure the project with Cloud VPN.

Answer: A,E

Explanation:
Explanation
A) IPsec VPN tunels: https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview Interconnect https://cloud.google.com/network-connectivity/docs/interconnect/concepts/dedicated-overview


NEW QUESTION # 29
A manager wants to start retaining security event logs for 2 years while minimizing costs. You write a filter to select the appropriate log entries.
Where should you export the logs?

  • A. StackDriver logging
  • B. BigQuery datasets
  • C. Cloud Storage buckets
  • D. Cloud Pub/Sub topics

Answer: A

Explanation:
Reference:
https://cloud.google.com/logging/docs/exclusions


NEW QUESTION # 30
You are creating a new infrastructure CI/CD pipeline to deploy hundreds of ephemeral projects in your Google Cloud organization to enable your users to interact with Google Cloud.
You want to restrict the use of the default networks in your organization while following Google-recommended best practices.
What should you do?

  • A. Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.
  • B. Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
  • C. Grant your users the 1AM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts the compute.googleapis.com API.
  • D. Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.

Answer: B

Explanation:
Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints - constraints/compute.skipDefaultNetworkCreation This boolean constraint skips the creation of the default network and related resources during Google Cloud Platform Project resource creation where this constraint is set to True. By default, a default network and supporting resources are automatically created when creating a Project resource.


NEW QUESTION # 31
You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.
What should you do?

  • A. Set up a default bucket ACL and manage access for users using IAM.
  • B. Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.
  • C. Set up an ACL with OWNER permission to a scope of allUsers.
  • D. Set up an ACL with READER permission to a scope of allUsers.

Answer: C

Explanation:
Reference:
https://cloud.google.com/storage/docs/access-control/lists


NEW QUESTION # 32
Your organization is using Active Directory and wants to configure Security Assertion Markup Language (SAML). You must set up and enforce single sign-on (SSO) for all users.
What should you do?

  • A. 1. Create a new SAML profile.
    * 2. Upload the X.509 certificate.
    * 3. Enable the change password URL.
    * 4. Configure Entity ID and ACS URL in your IdP.
  • B. 1. Manage SAML profile assignments.
    * 2. Enable OpenID Connect (OIDC) in your Active Directory (AD) tenant.
    * 3. Verify the domain.
  • C. 1. Configure prerequisites for OpenID Connect (OIDC) in your Active Directory (AD) tenant
    * 2. Verify the AD domain.
    * 3. Decide which users should use SAML.
    * 4. Assign the pre-configured profile to the select organizational units (OUs) and groups.
  • D. 1- Create a new SAML profile.
    * 2. Populate the sign-in and sign-out page URLs.
    * 3. Upload the X.509 certificate.
    * 4. Configure Entity ID and ACS URL in your IdP

Answer: D

Explanation:
When configuring SAML-based Single Sign-On (SSO) in an organization that's using Active Directory, the general steps would involve setting up a SAML profile, specifying the necessary URLs for sign-in and sign-out processes, uploading an X.509 certificate for secure communication, and setting up the Entity ID and Assertion Consumer Service (ACS) URL in the Identity Provider (which in this case would be Active Directory).


NEW QUESTION # 33
Your organization previously stored files in Cloud Storage by using Google Managed Encryption Keys (GMEK). but has recently updated the internal policy to require Customer Managed Encryption Keys (CMEK). You need to re-encrypt the files quickly and efficiently with minimal cost.
What should you do?

  • A. Copy the files to a new bucket with CMEK enabled in a secondary region
  • B. Change the encryption type on the bucket to CMEK, and rewrite the objects
  • C. Encrypt the files locally, and then use gsutil to upload the files to a new bucket.
  • D. Reupload the files to the same Cloud Storage bucket specifying a key file by using gsutil.

Answer: B

Explanation:
Explanation
Rewriting the objects in-place within the same bucket, specifying the new CMEK for encryption, allows you to re-encrypt the data without downloading and re-uploading it, thus minimizing costs and time.
https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys


NEW QUESTION # 34
You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your Google Cloud VPCs based on packet header information. However, you want the capability to explore network flows and their payload to aid investigations. Which Google Cloud product should you use?

  • A. VPC Flow Logs
  • B. Marketplace IDS
  • C. VPC Service Controls logs
  • D. Packet Mirroring
  • E. Google Cloud Armor Deep Packet Inspection

Answer: D


NEW QUESTION # 35
You have stored company approved compute images in a single Google Cloud project that is used as an image repository. This project is protected with VPC Service Controls and exists in the perimeter along with other projects in your organization. This lets other projects deploy images from the image repository project. A team requires deploying a third-party disk image that is stored in an external Google Cloud organization. You need to grant read access to the disk image so that it can be deployed into the perimeter.
What should you do?

  • A. * Allow the external project by using the organizational policy
    constraints/compute.trustedlmageProjects.
  • B. *1 Update the perimeter
    *2 Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.
    *3 Configure the egressFrom field to set identity Type toany_idestity.
  • C. *1 Update the perimeter
    *2 Configure the ingressFrcm field to set identityType toan-y_identity.
    *3 Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis -com.
  • D. *1 Update the perimeter
    *2 Configure the egressTo field to set identity Type toany_identity.
    *3 Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

Answer: D


NEW QUESTION # 36
Your organization uses BigQuery to process highly sensitive, structured datasets. Following the "need to know" principle, you need to create the Identity and Access Management (IAM) design to meet the needs of these users:
* Business user must access curated reports.
* Data engineer: must administrate the data lifecycle in the platform.
* Security operator: must review user activity on the data platform.
What should you do?

  • A. Configure data access log for BigQuery services, and grant Project Viewer role to security operators.
  • B. Set row-based access control based on the "region" column, and filter the record from the United States for data engineers.
  • C. Create curated tables in a separate dataset and assign the role roles/bigquery.dataViewer.
  • D. Generate a CSV data file based on the business user's needs, and send the data to their email addresses.

Answer: C

Explanation:
This option directly addresses the needs of the business user who must access curated reports. By creating curated tables in a separate dataset, you can control access to specific data. Assigning the roles/bigquery.dataViewer role allows the business user to view the data in BigQuery.


NEW QUESTION # 37
A customer's data science group wants to use Google Cloud Platform (GCP) for their analytics workloads. Company policy dictates that all data must be company-owned and all user authentications must go through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and realized that their domain was already being used by G Suite.
How should you best advise the Systems Engineer to proceed with the least disruption?

  • A. Register a new domain name, and use that for the new Cloud Identity domain.
  • B. Ask customer's management to discover any other uses of Google managed services, and work with the existing Super Administrator.
  • C. Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.
  • D. Ask Google to provision the data science manager's account as a Super Administrator in the existing domain.

Answer: B

Explanation:
https://support.google.com/cloudidentity/answer/7389973


NEW QUESTION # 38
An application log's data, including customer identifiers such as email addresses, needs to be redacted. However, these logs also include the email addresses of internal developers from company.com, and these should NOT be redacted. Which solution should you use to meet these requirements?

  • A. Create a regular custom dictionary detector to match all email addresses listed in Cloud Identity.
  • B. Create a custom infoType called COMPANY_EMAIL to match @company.com.
  • C. Create a regular expression (regex) custom infoType detector to match on @company.com.
  • D. Create a regular custom dictionary detector that lists a subset of the developers' email addresses.

Answer: C

Explanation:
A is not correct because as all company.com email addresses are sensitive and should be filtered, a static list is hard to maintain and can easily miss sensitive data.
B is correct because the regex will detect all company.com email addresses that need to be protected and written to the log file.
C is not correct because as the user base in Cloud Identity might only be a subset of all emails that need to be protected.
D is not correct because you need to specify a detector within the custom infoType and the detector should be a regular expression to match all @company.com email addresses.
https://cloud.google.com/dlp/docs/infotypes-reference
https://cloud.google.com/dlp/docs/creating-custom-infotypes


NEW QUESTION # 39
You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.
What should you do?

  • A. Set up a default bucket ACL and manage access for users using IAM.
  • B. Set up an ACL with OWNER permission to a scope of allUsers.
  • C. Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.
  • D. Set up an ACL with READER permission to a scope of allUsers.

Answer: C

Explanation:
Explanation
https://cloud.google.com/storage/docs/uniform-bucket-level-access#enabled


NEW QUESTION # 40
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.
Which GCP solution should the organization use?

  • A. Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect
  • B. Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN
  • C. BigQuery using a data pipeline job with continuous updates via Cloud VPN
  • D. Cloud Storage using a scheduled task and gsutil via Cloud Interconnect

Answer: D

Explanation:
Explanation/Reference: https://cloud.google.com/solutions/migration-to-google-cloud-building-your-foundation


NEW QUESTION # 41
You have a highly sensitive BigQuery workload that contains personally identifiable information (Pll) that you want to ensure is not accessible from the internet. To prevent data exfiltration only requests from authorized IP addresses are allowed to query your BigQuery tables.
What should you do?

  • A. Use the Restrict Resource service usage organization policy constraint along with Cloud Data Loss Prevention (DLP).
  • B. Use service perimeter and create an access level based on the authorized source IP address as the condition.
  • C. Use Google Cloud Armor security policies defining an allowlist of authorized IP addresses at the global HTTPS load balancer.
  • D. Use the Restrict allowed Google Cloud APIs and services organization policy constraint along with Cloud Data Loss Prevention (DLP).

Answer: B


NEW QUESTION # 42
A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to control the key lifecycle.
Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?

  • A. Customer-supplied encryption keys (CSEK)
  • B. Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
  • C. Encryption by default
  • D. Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis

Answer: B

Explanation:
Explanation/Reference:
Reference https://cloud.google.com/kubernetes-engine/docs/how-to/dynamic-provisioning-cmek


NEW QUESTION # 43
The security operations team needs access to the security-related logs for all projects in their organization. They have the following requirements:
Follow the least privilege model by having only view access to logs.
Have access to Admin Activity logs.
Have access to Data Access logs.
Have access to Access Transparency logs.
Which Identity and Access Management (IAM) role should the security operations team be granted?

  • A. roles/viewer
  • B. roles/logging.privateLogViewer
  • C. roles/logging.viewer
  • D. roles/logging.admin

Answer: B

Explanation:
https://cloud.google.com/logging/docs/access-control#considerations roles/logging.privateLogViewer (Private Logs Viewer) includes all the permissions contained by roles/logging.viewer, plus the ability to read Data Access audit logs in the _Default bucket.


NEW QUESTION # 44
......


The Google Professional-Cloud-Security-Engineer exam covers a wide range of topics, including security management, data protection, network security, and compliance. Professionals who pass Professional-Cloud-Security-Engineer exam will have demonstrated their ability to implement security controls to protect data, secure network infrastructure, and manage security operations in Google Cloud environments.


Google Professional-Cloud-Security-Engineer certification is an exam for professionals who are seeking to demonstrate their expertise in securing applications, data, and infrastructure on the Google Cloud Platform. Google Cloud Certified - Professional Cloud Security Engineer Exam certification is designed to test the skills and knowledge required to design and implement secure cloud solutions on the Google Cloud platform. Professional-Cloud-Security-Engineer exam covers a wide range of topics such as security management, compliance, data protection, network security, and incident management.

 

Passing Key To Getting Professional-Cloud-Security-Engineer Certified Exam Engine PDF: https://www.suretorrent.com/Professional-Cloud-Security-Engineer-exam-guide-torrent.html

Professional-Cloud-Security-Engineer Exam Dumps Pass with Updated Tests Dumps: https://drive.google.com/open?id=1_IxvrMxkztSsJfNeAc7VvPPFS50f4jIc