You are a member of your company's security team. You have been asked to reduce your Linux bastion host external attack surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can access the internal VPC while off-site. How should you enable this access?
A. Implement Cloud VPN for the region where the bastion host lives.
B. Implement OS Login with 2-step verification for the bastion host.
C. Implement Identity-Aware Proxy TCP forwarding for the bastion host.
D. Implement Google Cloud Armor in front of the bastion host.
You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your Google Cloud VPCs based on packet header information. However, you want the capability to explore network flows and their payload to aid investigations. Which Google Cloud product should you use?
A. Marketplace IDS
B. VPC Flow Logs
C. VPC Service Controls logs
D. Packet Mirroring
E. Google Cloud Armor Deep Packet Inspection
You are implementing data protection by design and in accordance with GDPR requirements. As part of design reviews, you are told that you need to manage the encryption key for a solution that includes workloads for Compute Engine,
Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub.
Which option should you choose for this implementation?
A. Cloud External Key Manager
B. Customer-managed encryption keys
C. Customer-supplied encryption keys
D. Google default encryption
You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your VPCs based on network logs. However, you want to explore your environment using network payloads and headers. Which Google Cloud product should you use?
A. Cloud IDS
B. VPC Service Controls logs
C. VPC Flow Logs
D. Google Cloud Armor
E. Packet Mirroring
Your company is moving to Google Cloud. You plan to sync your users first by using Google Cloud Directory Sync (GCDS). Some employees have already created Google Cloud accounts by using their company email addresses that were created outside of GCDS. You must create your users on Cloud Identity.
What should you do?
A. Configure GCDS and use GCDS search rules to sync these users.
B. Use the transfer tool to migrate unmanaged users.
C. Write a custom script to identify existing Google Cloud users and call the Admin SDK Directory API to transfer their account.
D. Configure GCDS and use GCDS exclusion rules to ensure users are not suspended.
Your privacy team uses crypto-shredding (deleting encryption keys) as a strategy to delete personally identifiable information (PII). You need to implement this practice on Google Cloud while still utilizing the majority of the platform's services and minimizing operational overhead. What should you do?
A. Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises.
B. Use Cloud External Key Manager to delete specific encryption keys.
C. Use customer-managed encryption keys to delete specific encryption keys.
D. Use Google default encryption to delete specific encryption keys.
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on "in-scope" Nodes only. These Nodes can only contain the "in-scope" Pods. How should the organization achieve this objective?
A. Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope:true.
B. Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.
C. Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.
D. Run all in-scope Pods in the namespace "in-scope-pci".
Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?
A. ISO 27001
B. ISO 27002
C. ISO 27017
D. ISO 27018
Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud. Which two steps should you take to integrate the company's on-premises Active Directory with Google Cloud and configure access management? (Choose two.)
A. Use Identity Platform to provision users and groups to Google Cloud.
B. Use Cloud Identity SAML integration to provision users and groups to Google Cloud.
C. Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.
D. Create Identity and Access Management (IAM) roles with permissions corresponding to each Active Directory group.
E. Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group.
When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)
A. Ensure that the app does not run as PID 1.
B. Package a single app as a container.
C. Remove any unnecessary tools not needed by the app.
D. Use public container images as a base image for the app.
E. Use many container image layers to hide sensitive information.