PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code: PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name: Professional Cloud Security Engineer
  • Certification: Google Certifications
  • Vendor: Google
  • Total Questions: 324 Q&As
  • Last Updated: May 26, 2026

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 111:

    You need to use Cloud External Key Manager to create an encryption key to encrypt specific BigQuery data at rest in Google Cloud. Which steps should you do first?

    A. 1. Create or use an existing key with a unique uniform resource identifier (URI) in your Google Cloud project. 2. Grant your Google Cloud project access to a supported external key management partner system.
    B. 1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.
    C. 1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system. 2. In the external key management partner system, grant access for this key to use your Google Cloud project.
    D. 1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.

  • Question 112:

    Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.

    Which logging export strategy should you use to meet the requirements?

    A. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
    B. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project. 2. Process Cloud Storage objects in SIEM.
    C. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
    D. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project. 2. Process Cloud Storage objects in SIEM.

  • Question 113:

    A customer deployed an application on Compute Engine that takes advantage of the elastic nature of cloud computing.

    How can you work with Infrastructure Operations Engineers to best ensure that Windows Compute Engine VMs are up to date with all the latest OS patches?

    A. Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.
    B. Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.
    C. Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).
    D. Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.

  • Question 114:

    An organization wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.

    Which Cloud Data Loss Prevention API technique should you use?

    A. Generalization
    B. Redaction
    C. CryptoHashConfig
    D. CryptoReplaceFfxFpeConfig

  • Question 115:

    Your company requires the security and network engineering teams to identify all network anomalies and be able to capture payloads within VPCs.

    Which method should you use?

    A. Define an organization policy constraint.
    B. Configure packet mirroring policies.
    C. Enable VPC Flow Logs on the subnet.
    D. Monitor and analyze Cloud Audit Logs.

  • Question 116:

    You are migrating your users to Google Cloud. There are cookie replay attacks with Google web and Google Cloud CLI SDK sessions on endpoint devices. You need to reduce the risk of these threats.

    What should you do? (Choose two.)

    A. Configure Google session control to a shorter duration.
    B. Set an organizational policy for OAuth 2.0 access token with a shorter duration.
    C. Set a reauthentication policy for Google Cloud services to a shorter duration.
    D. Configure a third-party identity provider with session management.
    E. Enforce Security Key Authentication with 2SV.

  • Question 117:

    You need to enforce a security policy in your Google Cloud organization that prevents users from exposing objects in their buckets externally. There are currently no buckets in your organization. Which solution should you implement proactively to achieve this goal with the least operational overhead?

    A. Create an hourly cron job to run a Cloud Function that finds public buckets and makes them private.
    B. Enable the constraints/storage.publicAccessPrevention constraint at the organization level.
    C. Enable the constraints/storage.uniformBucketLevelAccess constraint at the organization level.
    D. Create a VPC Service Controls perimeter that protects the storage.googleapis.com service in your projects that contains buckets. Add any new project that contains a bucket to the perimeter.

  • Question 118:

    A company migrated their entire data center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time.

    What should you do?

    A. Use Resource Manager on the organization level.
    B. Use Forseti Security to automate inventory snapshots.
    C. Use Stackdriver to create a dashboard across all projects.
    D. Use Security Command Center to view all assets across the organization.

  • Question 119:

    Your organization is building a real-time recommendation engine using ML models that process live user activity data stored in BigQuery and Cloud Storage. Each new model developed is saved to Artifact Registry. This new system deploys models to Google Kubernetes Engine, and uses Pub/Sub for message queues. Recent industry news has been reporting attacks exploiting ML model supply chains. You need to enhance the security in this serverless architecture, specifically against risks to the development and deployment pipeline. What should you do?

    A. Enable container image vulnerability scanning during development and pre-deployment. Enforce Binary Authorization on images deployed from Artifact Registry to your continuous integration and continuous deployment (CI/CD) pipeline.
    B. Thoroughly sanitize all training data prior to model development to reduce risk of poisoning attacks. Use IAM for authorization, and apply role-based restrictions to code repositories and cloud services.
    C. Limit external libraries and dependencies that are used for the ML models as much as possible. Continuously rotate encryption keys that are used to access the user data from BigQuery and Cloud Storage.
    D. Develop strict firewall rules to limit external traffic to Cloud Run instances. Integrate intrusion detection systems (IDS) for real-time anomaly detection on Pub/Sub message flows.

  • Question 120:

    You discovered that sensitive personally identifiable information (PII) is being ingested to your Google Cloud environment in the daily ETL process from an on-premises environment to your BigQuery datasets. You need to redact this data to obfuscate the PII, but need to re-identify it for data analytics purposes. Which components should you use in your solution? (Choose two.)

    A. Secret Manager
    B. Cloud Key Management Service
    C. Cloud Data Loss Prevention with cryptographic hashing
    D. Cloud Data Loss Prevention with automatic text redaction
    E. Cloud Data Loss Prevention with deterministic encryption using AES-SIV
