Exam Details

  • Exam Code: PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name: Professional Cloud Security Engineer
  • Certification: Google Certifications
  • Vendor: Google
  • Total Questions: 244 Q&As
  • Last Updated:

Google Google Certifications PROFESSIONAL-CLOUD-SECURITY-ENGINEER Questions & Answers

  • Question 1:

    Your company's users access data in a BigQuery table. You want to ensure they can only access the data during working hours.

    What should you do?

    A. Assign a BigQuery Data Viewer role along with an IAM condition that limits the access to specified working hours.

    B. Run a gsutil script that assigns a BigQuery Data Viewer role, and remove it only during the specified working hours.

    C. Assign a BigQuery Data Viewer role to a service account that adds and removes the users daily during the specified working hours.

    D. Configure Cloud Scheduler so that it triggers a Cloud Functions instance that modifies the organizational policy constraint for BigQuery during the specified working hours.

  • Question 2:

    An administrative application is running on a virtual machine (VM) in a managed group on port 5601 inside a Virtual Private Cloud (VPC) that currently has no access to the internet. You want to expose the web interface on port 5601 to users and enforce authentication and authorization using Google credentials.

    What should you do?

    A. Configure a bastion host with OS Login enabled and allow connections to port 5601 in the VPC firewall. Log in to the bastion host from the Google Cloud console by using SSH-in-browser and then connect to the web application.

    B. Modify the VPC routing so that the default route points to the default internet gateway. Modify the VPC firewall rule to allow access from the internet (0.0.0.0/0) to port 5601 on the application instance.

    C. Configure a Secure Shell (SSH) bastion host in a public network, and allow only the bastion host to connect to the application on port 5601. Use the bastion host as a jump host to connect to the application.

    D. Configure an HTTP Load Balancing instance that points to the managed group, protected by Identity-Aware Proxy (IAP) with Google credentials. Modify the VPC firewall to allow access from the IAP network range.

  • Question 3:

    You are in charge of migrating a legacy application from your company's datacenters to GCP before the current maintenance contract expires. You do not know which ports the application uses, and no documentation is available for you to check. You want to complete the migration without putting your environment at risk.

    What should you do?

    A. Migrate the application into an isolated project using a "Lift and Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

    B. Migrate the application into an isolated project using a "Lift and Shift" approach in a custom network. Disable all traffic within the VPC and look at the firewall logs to determine what traffic should be allowed for the application to work properly.

    C. Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

    D. Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project. Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

  • Question 4:

    You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?

    A. Google Cloud Armor's preconfigured rules in preview mode

    B. Prepopulated VPC firewall rules in monitor mode

    C. The inherent protections of Google Front End (GFE)

    D. Cloud Load Balancing firewall rules

    E. VPC Service Controls in dry run mode

  • Question 5:

    You are routing all your internet-facing traffic from Google Cloud through your on-premises internet connection. You want to accomplish this goal securely and with the highest bandwidth possible.

    What should you do?

    A. Create an HA VPN connection to Google Cloud. Replace the default 0.0.0.0/0 route.

    B. Create a routing VM in Compute Engine. Configure the default route with the VM as the next hop.

    C. Configure Cloud Interconnect with HA VPN. Replace the default 0.0.0.0/0 route with one pointing to an on-premises destination.

    D. Configure Cloud Interconnect and route traffic through an on-premises firewall.

  • Question 6:

    Your organization is rolling out a new continuous integration and delivery (CI/CD) process to deploy infrastructure and applications in Google Cloud. Many teams will use their own instances of the CI/CD workflow. It will run on Google Kubernetes Engine (GKE).

    The CI/CD pipelines must be designed to securely access Google Cloud APIs.

    What should you do?

    A. 1. Create a dedicated service account for the CI/CD pipelines. 2. Run the deployment pipelines in a dedicated node pool in the GKE cluster. 3. Use the service account that you created as the identity for the nodes in the pool to authenticate to the Google Cloud APIs.

    B. 1. Create service accounts for each deployment pipeline. 2. Generate private keys for the service accounts. 3. Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deployment pipeline.

    C. 1. Create individual service accounts for each deployment pipeline. 2. Add an identifier for the pipeline in the service account naming convention. 3. Ensure each pipeline runs on dedicated pods. 4. Use Workload Identity to map a deployment pipeline pod to a service account.

    D. 1. Create two service accounts, one for the infrastructure and one for the application deployment. 2. Use Workload Identity to let the pods run the two pipelines and authenticate with the service accounts. 3. Run the infrastructure and application pipelines in separate namespaces.

  • Question 7:

    Your organization's record data exists in Cloud Storage. You must retain all record data for at least seven years. This policy must be permanent. What should you do?

    A. 1. Identify buckets with record data. 2. Apply a retention policy and set it to retain for seven years. 3. Monitor the bucket by using log-based alerts to ensure that no modifications to the retention policy occur.

    B. 1. Identify buckets with record data. 2. Apply a retention policy and set it to retain for seven years. 3. Remove any Identity and Access Management (IAM) roles that contain the storage.buckets.update permission.

    C. 1. Identify buckets with record data. 2. Enable Bucket Policy Only to ensure that data is retained. 3. Enable Bucket Lock.

    D. 1. Identify buckets with record data. 2. Apply a retention policy and set it to retain for seven years. 3. Enable Bucket Lock.

  • Question 8:

    You need to audit the network segmentation for your Google Cloud footprint. You currently operate Production and Non-Production infrastructure-as-a-service (IaaS) environments. All your VM instances are deployed without any service account customization.

    After observing the traffic in your custom network, you notice that all instances can communicate freely, despite tag-based VPC firewall rules with a priority of 1000 being in place to segment traffic properly. What are the most likely reasons for this behavior?

    A. All VM instances are missing the respective network tags.

    B. All VM instances are residing in the same network subnet.

    C. All VM instances are configured with the same network route.

    D. A VPC firewall rule is allowing traffic between sources/targets based on the same service account with priority 999.

    E. A VPC firewall rule is allowing traffic between sources/targets based on the same service account with priority 1001.

  • Question 9:

    A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE).

    How should the DevOps team accomplish this?

    A. Use Puppet or Chef to push out the patch to the running container.

    B. Verify that auto-upgrade is enabled; if so, Google will upgrade the nodes in the GKE cluster.

    C. Update the application code or apply a patch, build a new image, and redeploy it.

    D. Configure containers to automatically upgrade when the base image is available in Container Registry.

  • Question 10:

    You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud. Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.)

    A. Use Google default encryption.

    B. Manually add users to Google Cloud.

    C. Provision users with basic roles using Google's Identity and Access Management (IAM) service.

    D. Use SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.

    E. Provide granular access with predefined roles.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Google exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparation or Google certification application, do not hesitate to visit Vcedump.com to find your solutions.