PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name
    :Professional Cloud Security Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :324 Q&As
  • Last Updated
    :

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 1:

    You manage a mission-critical workload for your organization, which is in a highly regulated industry. The workload uses Compute Engine VMs to analyze and process the sensitive data after it is uploaded to Cloud Storage from the endpoint computers. Your compliance team has detected that this workload does not meet the data protection requirements for sensitive data. You need to meet these requirements:

    1.

    Manage the data encryption key (DEK) outside the Google Cloud boundary.

    2.

    Maintain full control of encryption keys through a third-party provider.

    3.

    Encrypt the sensitive data before uploading it to Cloud Storage.

    4.

    Decrypt the sensitive data during processing in the Compute Engine VMs.

    5.

    Encrypt the sensitive data in memory while in use in the Compute Engine VMs.

    What should you do? (Choose two.)

    A. Configure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.
    B. Configure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.
    C. Create Confidential VMs to access the sensitive data.
    D. Migrate the Compute Engine VMs to Confidential VMs to access the sensitive data.
    E. Create a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets.

  • Question 2:

    You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.

    What should you do?

    A. Use multi-factor authentication for admin access to the web application.
    B. Use only applications certified compliant with PA-DSS.
    C. Move the cardholder data environment into a separate GCP project.
    D. Use VPN for all connections between your office and cloud environments.

  • Question 3:

    Users are reporting an outage on your public-facing application that is hosted on Compute Engine. You suspect that a recent change to your firewall rules is responsible. You need to test whether your firewall rules are working properly. What should you do?

    A. Enable Firewall Rules Logging on the latest rules that were changed. Use Logs Explorer to analyze whether the rules are working correctly.
    B. Connect to a bastion host in your VPC. Use a network traffic analyzer to determine at which point your requests are being blocked.
    C. In a pre-production environment, disable all firewall rules individually to determine which one is blocking user traffic.
    D. Enable VPC Flow Logs in your VPC. Use Logs Explorer to analyze whether the rules are working correctly.

  • Question 4:

    You manage a fleet of virtual machines (VMs) in your organization. You have encountered issues with lack of patching in many VMs. You need to automate regular patching in your VMs and view the patch management data across multiple projects.

    What should you do? (Choose two.)

    A. View patch management data in VM Manager by using OS patch management.
    B. View patch management data in Artifact Registry.
    C. View patch management data in a Security Command Center dashboard.
    D. Deploy patches with Security Command Genter by using Rapid Vulnerability Detection.
    E. Deploy patches with VM Manager by using OS patch management.

  • Question 5:

    Your organization has an operational image classification model running on a managed AI service on Google Cloud. You are in a configuration review with stakeholders and must describe the security responsibilities for the image classification model. What should you do?

    A. Explain that using platform-as-a-service (PaaS) transfers security concerns to Google. Describe the need for strict API usage limits to protect against unexpected usage and billing spikes.
    B. Explain the security aspects of the code that transforms user-uploaded images using Google's service. Define Cloud IAM for fine-grained access control within the development team.
    C. Explain Google's shared responsibility model. Focus the configuration review on Identity and Access Management (IAM) permissions, secure data upload/download procedures, and monitoring logs for any potential malicious activity.
    D. Explain the development of custom network firewalls around the image classification service for deep intrusion detection and prevention. Describe vulnerability scanning tools for known vulnerabilities.

  • Question 6:

    Your organization is migrating a complex application to Google Cloud. The application has multiple internal components that interact with each other across several Google Cloud projects. Security is a major concern, and you must design an authorization scheme for administrators that aligns with the principles of least privilege and separation of duties. What should you do?

    A. Identify the users who will migrate the application, revoke the default user roles and assign the users with purposely created custom roles.
    B. Use multiple external identity providers (IdP) configured to use different SAML profiles and federate the IdPs for each application component.
    C. Configure multi-factor authentication (MFA) to enforce the use of physical tokens for all users who will migrate the application.
    D. No action needed. When a Google Cloud organization is created, the appropriate permissions are automatically assigned to all users in the domain.

  • Question 7:

    Which type of load balancer should you use to maintain client IP by default while using the standard network tier?

    A. SSL Proxy
    B. TCP Proxy
    C. Internal TCP/UDP
    D. TCP/UDP Network

  • Question 8:

    Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.

    What should your team grant to Engineering Group A to meet this requirement?

    A. Compute Network User Role at the host project level.
    B. Compute Network User Role at the subnet level.
    C. Compute Shared VPC Admin Role at the host project level.
    D. Compute Shared VPC Admin Role at the service project level.

  • Question 9:

    Your company's new CEO recently sold two of the company's divisions. Your Director asks you to help migrate the Google Cloud projects associated with those divisions to a new organization node.

    Which preparation steps are necessary before this migration occurs? (Choose two.)

    A. Remove all project-level custom Identity and Access Management (IAM) roles.
    B. Disallow inheritance of organization policies.
    C. Identify inherited Identity and Access Management (IAM) roles on projects to be migrated.
    D. Create a new folder for all projects to be migrated.
    E. Remove the specific migration projects from any VPC Service Controls perimeters and bridges.

  • Question 10:

    You want to prevent users from accidentally deleting a Shared VPC host project. Which organization-level policy constraint should you enable?

    A. compute.restrictSharedVpcHostProjects
    B. compute.restrictXpnProjectLienRemoval
    C. compute.restrictSharedVpcSubnetworks
    D. compute.sharedReservationsOwnerProjects

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.