Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Practice Questions and Exam Preparation

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

• Question 1:

  Your organization strives to be a market leader in software innovation. You provided a large number of Google Cloud environments so developers can test the integration of Gemini in Vertex AI into their existing applications or create new projects. Your organization has 200 developers and a five-person security team. You must prevent and detect proper security policies across the Google Cloud environments. What should you do? (Choose two.)

  A. Apply organization policy constraints. Detect and monitor drifts by using Security Health Analytics.
  B. Publish internal policies and clear guidelines to securely develop applications.
  C. Use Cloud Logging to create log filters to detect misconfigurations. Trigger Cloud Run functions to remediate misconfigurations.
  D. Apply a predefined AI-recommended security posture template for Gemini in Vertex AI in Security Command Center Enterprise or Premium tiers.
  E. Implement the least privileged access Identity and Access Management roles to prevent misconfigurations.
  A. Apply organization policy constraints. Detect and monitor drifts by using Security Health Analytics.
  C. Use Cloud Logging to create log filters to detect misconfigurations. Trigger Cloud Run functions to remediate misconfigurations.

  ---

  explanation:

  Explanation/Reference:

  In a scenario where you have many developers and a small security team, it's essential to automate as much as possible to prevent and detect security issues across Google Cloud environments. Let's look at both correct choices in detail:

  Apply organization policy constraints. Detect and monitor drifts by using Security Health Analytics:

  1.

  Organization policies allow you to centrally enforce security requirements across all Google Cloud projects. By applying policy constraints, you can restrict what developers can and cannot do, helping to maintain a secure baseline.

  2.

  Security Health Analytics (SHA) continuously scans for security misconfigurations and compliance issues in your cloud environments. Using SHA ensures that policy violations or drifts from security best practices are detected automatically and can be monitored effectively.

  Use Cloud Logging to create log filters to detect misconfigurations. Trigger Cloud Run functions to remediate misconfigurations:

  1.

  Cloud Logging enables the creation of custom log filters that can detect specific misconfigurations or security policy violations. This helps in real-time monitoring of cloud environments.

  2.

  Cloud Run functions can be triggered by log events to automatically remediate misconfigurations, ensuring that any deviations from your security policies are corrected quickly without manual intervention. This approach helps the small security team keep up with the large number of developers.

• Question 2:

  You are developing an application that runs on a Compute Engine VM. The application needs to access data stored in Cloud Storage buckets in other Google Cloud projects. The required access to the buckets is variable. You need to provide access to these resources while following Google- recommended practices. What should you do?

  A. Limit the VMs access to the Cloud Storage buckets by setting the relevant access scope of the VM.
  B. Create IAM bindings for the VM's service account and the required buckets that allow appropriate access to the data stored in the buckets.
  C. Grant the VM's service account access to the required buckets by using domain-wide delegation.
  D. Create a group and assign IAM bindings to the group for each bucket that the application needs to access. Assign the VM's service account to the group.
  B. Create IAM bindings for the VM's service account and the required buckets that allow appropriate access to the data stored in the buckets.

  ---

  explanation:

  Explanation/Reference:

  The best practice for granting access to Google Cloud resources, such as Cloud Storage buckets, is to use IAM roles with service accounts. Compute Engine VMs typically run under a service account, and you can create IAM bindings that grant this service account the necessary permissions to access Cloud Storage buckets in other Google Cloud projects.

  By assigning IAM roles (like roles/storage.objectViewer, roles/storage.objectAdmin, etc.) to the VM's service account, you can ensure that the VM only has the required level of access to the specific Cloud Storage buckets. This follows the principle of least privilege, ensuring that the application has access only to the data it needs.

• Question 3:

  The InfoSec team has mandated that all new Cloud Run jobs and services in production must have Binary Authorization enabled. You need to enforce this requirement. What should you do?

  A. Configure an organization policy to require Binary Authorization enforcement on images deployed to Cloud Run.
  B. Configure a Security Health Analytics (SHA) custom rule that prevents the execution of Cloud Run jobs and services without Binary Authorization.
  C. Ensure the Cloud Run admin role is not assigned to developers.
  D. Configure a Binary Authorization custom policy that is not editable by developers and auto-attaches to all Cloud Run jobs and services.
  A. Configure an organization policy to require Binary Authorization enforcement on images deployed to Cloud Run.

  ---

  explanation:

  Explanation/Reference:

  An organization policy is the best way to enforce company-wide requirements like ensuring Binary Authorization is enabled for all Cloud Run jobs and services in production. By configuring an organization policy, you can centrally enforce the use of Binary Authorization, preventing developers from deploying jobs or services without it.

  Binary Authorization is a security feature that allows you to ensure that only trusted container images, verified by your security policies, are deployed. By setting up an organization policy, you ensure that all Cloud Run deployments across your organization comply with this requirement.

• Question 4:

  Your organization must store highly sensitive data within Google Cloud. You need to design a solution that provides the strongest level of security and control. What should you do?

  A. Use Cloud Storage with customer-supplied encryption keys (CSEK), VPC Service Controls for network isolation, and Cloud DLP for data inspection.
  B. Use Cloud Storage with customer-managed encryption keys (CMEK), Cloud DLP for data classification, and Secret Manager for storing API access tokens.
  C. Use Cloud Storage with client-side encryption, Cloud KMS for key management, and Cloud HSM for cryptographic operations.
  D. Use Cloud Storage with server-side encryption, BigQuery with column-level encryption, and IAM roles for access control.
  C. Use Cloud Storage with client-side encryption, Cloud KMS for key management, and Cloud HSM for cryptographic operations.

  ---

  explanation:

  Explanation/Reference:

  When dealing with highly sensitive data, client-side encryption provides the strongest level of security because the data is encrypted before it is sent to Google Cloud, ensuring that Google cannot access the plaintext data. The use of Cloud KMS (Key Management Service) for managing encryption keys ensures that you maintain control over key management, and Cloud HSM (Hardware Security Module) adds an additional layer of protection by performing cryptographic operations in dedicated, tamper-evident hardware.

  This solution ensures:

  1.

  Client-side encryption: Data is encrypted before reaching Google Cloud, so Google never has access to the unencrypted data.

  2.

  Cloud KMS: You manage the keys that encrypt and decrypt data, giving you control over key lifecycle and policies.

  3.

  Cloud HSM: For highly secure key storage and cryptographic operations, providing hardware-level security for cryptographic keys.

• Question 5:

  You work for a large organization that recently implemented a 100GB Cloud Interconnect connection between your Google Cloud and your on-premises edge router. While routinely checking the connectivity, you noticed that the connection is operational but there is an error message that indicates MACsec is operationally down. You need to resolve this error. What should you do?

  A. Ensure that the Cloud Interconnect connection supports MACsec.
  B. Ensure that the on-premises router is not down.
  C. Ensure that the active pre-shared key created for MACsec is not expired on both the on-premises and Google edge routers.
  D. Ensure that the active pre-shared key matches on both the on-premises and Google edge routers.
  D. Ensure that the active pre-shared key matches on both the on-premises and Google edge routers.

  ---

  explanation:

  Explanation/Reference:

  MACsec (Media Access Control Security) is a Layer 2 security protocol used to provide encryption and secure communication over physical links, such as a Cloud Interconnect connection. For MACsec to work properly, both ends of the connection (on-premises router and Google Cloud edge router) need to have matching pre-shared keys.

  If you receive an error indicating that MACsec is operationally down, one of the most common causes is a mismatch in the pre-shared keys (PSKs). Both sides must use the same PSK for MACsec to establish secure communication. Ensuring that the pre-shared key matches on both ends can resolve the issue.

• Question 6:

  You want to set up a secure, internal network within Google Cloud for database servers. The servers must not have any direct communication with the public internet. What should you do?

  A. Assign a private IP address to each database server. Use a NAT gateway to provide internet connectivity to the database servers.
  B. Assign a static public IP address to each database server. Use firewall rules to restrict external access.
  C. Create a VPC with a private subnet. Assign a private IP address to each database server.
  D. Assign both a private IP address and a public IP address to each database server.
  C. Create a VPC with a private subnet. Assign a private IP address to each database server.

  ---

  explanation:

  Explanation/Reference:

  To set up a secure, internal network for database servers that must not have any direct communication with the public internet, the best approach is to:

  1.

  Create a VPC (Virtual Private Cloud) with a private subnet where the database servers reside. This ensures that the servers only have private IP addresses and cannot directly access or be accessed by the public internet.

  2.

  By assigning private IP addresses to the database servers, they remain isolated within the internal network, and only other resources within the VPC (or those allowed through internal routing) can communicate with them.

  This setup ensures that the database servers are secure and cannot be accessed from the internet, fulfilling your requirement for internal-only communication.

• Question 7:

  Your organization is building a real-time recommendation engine using ML models that process live user activity data stored in BigQuery and Cloud Storage. Each new model developed is saved to Artifact Registry. This new system deploys models to Google Kubernetes Engine, and uses Pub/Sub for message queues. Recent industry news have been reporting attacks exploiting ML model supply chains. You need to enhance the security in this serverless architecture, specifically against risks to the development and deployment pipeline. What should you do?

  A. Enable container image vulnerability scanning during development and pre-deployment. Enforce Binary Authorization on images deployed from Artifact Registry to your continuous integration and continuous deployment (CVCD) pipeline.
  B. Thoroughly sanitize all training data prior to model development to reduce risk of poisoning attacks. Use IAM for authorization, and apply role-based restrictions to code repositories and cloud services.
  C. Limit external libraries and dependencies that are used for the ML models as much as possible. Continuously rotate encryption keys that are used to access the user data from BigQuery and Cloud Storage.
  D. Develop strict firewall rules to limit external traffic to Cloud Run instances. Integrate intrusion detection systems (IDS) for real-time anomaly detection on Pub/Sub message flows.
  A. Enable container image vulnerability scanning during development and pre-deployment. Enforce Binary Authorization on images deployed from Artifact Registry to your continuous integration and continuous deployment (CVCD) pipeline.

  ---

  explanation:

  Explanation/Reference:

  In response to the growing threat of attacks on the ML model supply chain, the key focus should be securing the entire development and deployment pipeline, especially when deploying models in containers, as well as ensuring that only trusted, vulnerability-free artifacts are deployed.

  Enabling container image vulnerability scanning: This helps detect and mitigate security risks in the containers that host your ML models during the development phase and prior to deployment. Vulnerability scanning checks for known issues in dependencies and libraries, ensuring that any weaknesses are identified and fixed before deployment.

  Enforcing Binary Authorization: This feature ensures that only trusted and verified container images can be deployed. It helps prevent the deployment of compromised images or models that may have been tampered with in the supply chain. By enforcing Binary Authorization, you add an additional layer of security to your deployment process, protecting the integrity of your ML models.

• Question 8:

  Your organization operates in a highly regulated environment and has a stringent set of compliance requirements for protecting customer data. You must encrypt data while in use to meet regulations. What should you do?

  A. Enable the use of customer-supplied encryption keys (CSEK) keys in the Google Compute Engine VMs to give your organization maximum control over their VM disk encryption.
  B. Establish a trusted execution environment with a Confidential VM.
  C. Use a Shielded VM to ensure a secure boot with integrity monitoring for the application environment.
  D. Use customer-managed encryption keys (CMEK) and Cloud KSM to enable your organization to control their keys for data encryption in Cloud SQL.
  B. Establish a trusted execution environment with a Confidential VM.

  ---

  explanation:

  Explanation/Reference:

  In a highly regulated environment with stringent compliance requirements for protecting customer data, encryption of data while in use (i.e., during processing) is a critical aspect of security. Google Cloud's Confidential VMs provide a trusted execution environment by encrypting data while it is being processed, which ensures that even Google Cloud and other external entities cannot access the data during its use. This level of protection is crucial in meeting strict compliance regulations related to data privacy and security.

  Confidential VMs use hardware-based encryption to protect the integrity and confidentiality of data being processed, making it the best solution for scenarios where data must remain encrypted even while in use.

• Question 9:

  Your Google Cloud organization is subdivided into three folders: production, development, and networking, Networking resources for the organization are centrally managed in the networking folder. You discovered that projects in the production folder are attaching to Shared VPCs that are outside of the networking folder which could become a data exfiltration risk. You must resolve the production folder issue without impacting the development folder. You need to use the most efficient and least disruptive approach. What should you do?

  A. Enable the Restrict Shared VPC Host Projects organization policy on the production folder. Create a custom rule and configure the policy type to Allow. In the Custom value section, enter under:folders/networking.
  B. Enable the Restrict Shared VPC Host Projects organization policy on the networking folder only. Create a new custom rule and configure the policy type to Allow. In the Custom value section, enter under:organizations/123456739123.
  C. Enable the Restrict Shared VPC Host Projects organization policy at the project level for each of the production projects. Create a custom rule and configure the policy type to Allow. In the Custom value section, enter under:folders/ networking.
  D. Enable the Restrict Shared VPC Host Projects organization policy at the organization level. Create a custom rule and configure the policy type to Allow. In the Custom value section, enter under:folders/networking.
  A. Enable the Restrict Shared VPC Host Projects organization policy on the production folder. Create a custom rule and configure the policy type to Allow. In the Custom value section, enter under:folders/networking.

  ---

  explanation:

  Explanation/Reference:

  The most efficient and least disruptive way to solve the issue is to apply the Restrict Shared VPC Host Projects organization policy specifically to the production folder. This option directly addresses the issue in the production folder without impacting the development folder, making it the least disruptive and most efficient approach. By enabling the Restrict Shared VPC Host Projects organization policy at the production folder level, you can prevent projects in the production folder from attaching to Shared VPCs that are outside of the networking folder, thereby mitigating the risk of data exfiltration.

  The custom rule ensures that only Shared VPC host projects in the networking folder can be used by the production projects, which achieves the goal while maintaining existing workflows for the development folder.

• Question 10:

  A team at your organization collects logs in an on-premises security information and event management system (SIEM). You must provide a subset of Google Cloud logs for the SIEM, and minimize the risk of data exposure in your cloud environment. What should you do?

  A. Create a new BigQuery dataset. Stream all logs to this dataset. Provide the on-premises SIEM system access to the data in BigQuery by using workload identity federation and let the SIEM team filter for the relevant log data.
  B. Define a log view for the relevant logs. Provide access to the log view to a principal from your on-premises identity provider by using workforce identity federation.
  C. Create a log sink for the relevant logs. Send the logs to Pub/Sub. Retrieve the logs from Pub/Sub and push the logs to the SIEM by using Dataflow.
  D. Filter for the relevant logs. Store the logs in a Cloud Storage bucket. Grant the service account access to the bucket. Provide the service account key to the SIEM team.
  B. Define a log view for the relevant logs. Provide access to the log view to a principal from your on-premises identity provider by using workforce identity federation.

  ---

  explanation:

  Explanation/Reference:

  When sharing logs with an external system like an on-premises SIEM, it's important to limit exposure by providing only the necessary subset of logs and securing access to them. Log views in Google Cloud allow you to define what specific log data can be accessed. By creating a log view, you can filter and control which logs are visible and ensure that only the relevant logs are shared.

  Using workforce identity federation ensures that you can grant access to the log view to principals from your on-premises identity provider without requiring Google Cloud service account keys or other sensitive credentials, minimizing security risks.