Your team needs to prevent users from creating projects in the organization. Only the DevOps team should be allowed to create projects on behalf of the requester.
Which two tasks should your team perform to handle this request? (Choose two.)
A. Remove all users from the Project Creator role at the organizational level.
B. Create an Organization Policy constraint, and apply it at the organizational level.
C. Grant the Project Editor role at the organizational level to a designated group of users.
D. Add a designated group of users to the Project Creator role at the organizational level.
E. Grant the billing account creator role to the designated DevOps team.
A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects.
Which two steps should the company take to meet these requirements? (Choose two.)
A. Create a project with multiple VPC networks for each environment.
B. Create a folder for each development and production environment.
C. Create a Google Group for the Engineering team, and assign permissions at the folder level.
D. Create an Organizational Policy constraint for each folder environment.
E. Create projects for each environment, and grant IAM rights to each engineering user.
You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine. Which option should you recommend?
A. Cloud Key Management Service
B. Compute Engine guest attributes
C. Compute Engine custom metadata
D. Secret Manager
You are designing a new governance model for your organization's secrets that are stored in Secret Manager. Currently, secrets for Production and Non-Production applications are stored and accessed using service accounts. Your proposed solution must:
Provide granular access to secrets
Give you control over the rotation schedules for the encryption keys that wrap your secrets
Maintain environment separation
Provide ease of management
Which approach should you take?
A. 1. Use separate Google Cloud projects to store Production and Non-Production secrets. 2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings. 3. Use customer-managed encryption keys to encrypt secrets.
B. 1. Use a single Google Cloud project to store both Production and Non-Production secrets. 2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings. 3. Use Google-managed encryption keys to encrypt secrets.
C. 1. Use separate Google Cloud projects to store Production and Non-Production secrets. 2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings. 3. Use Google-managed encryption keys to encrypt secrets.
D. 1. Use a single Google Cloud project to store both Production and Non-Production secrets. 2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings. 3. Use customer-managed encryption keys to encrypt secrets.
Your company's cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs.
Which service should you use?
A. Identity-Aware Proxy
B. Cloud NAT
C. TCP/UDP Load Balancing
D. Cloud DNS
You work for a large organization where each business unit has thousands of users. You need to delegate management of access control permissions to each business unit. You have the following requirements:
Each business unit manages access controls for their own projects.
Each business unit manages access control permissions at scale.
Business units cannot access other business units' projects.
Users lose their access if they move to a different business unit or leave the company.
Users and access control permissions are managed by the on-premises directory service. What should you do? (Choose two.)
A. Use VPC Service Controls to create perimeters around each business unit's project.
B. Organize projects in folders, and assign permissions to Google groups at the folder level.
C. Group business units based on Organization Units (OUs) and manage permissions based on OUs.
D. Create a project naming convention, and use Google's IAM Conditions to manage access based on the prefix of project names.
E. Use Google Cloud Directory Sync to synchronize users and group memberships in Cloud Identity.
You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application's backend. What are two requirements for using Google Cloud Armor security policies? (Choose two.)
A. The load balancer must be an external SSL proxy load balancer.
B. Google Cloud Armor Policy rules can only match on Layer 7 (L7) attributes.
C. The load balancer must use the Premium Network Service Tier.
D. The backend service's load balancing scheme must be EXTERNAL.
E. The load balancer must be an external HTTP(S) load balancer.
You need to set up a Cloud Interconnect connection between your company's on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?
A. Enable Private Google Access on the regional subnets and global dynamic routing mode.
B. Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud Interconnect connection.
C. Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.
D. Use restricted.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.
You have stored company approved compute images in a single Google Cloud project that is used as an image repository. This project is protected with VPC Service Controls and exists in the perimeter along with other projects in your organization. This lets other projects deploy images from the image repository project. A team requires deploying a third-party disk image that is stored in an external Google Cloud organization. You need to grant read access to the disk image so that it can be deployed into the perimeter.
What should you do?
A. 1. Update the perimeter. 2. Configure the egressTo field to set identityType to any_identity. 3. Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.
B. Allow the external project by using the organizational policy constraints/compute.trustedImageProjects.
C. 1. Update the perimeter. 2. Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com. 3. Configure the egressFrom field to set identityType to any_identity.
D. 1. Update the perimeter. 2. Configure the ingressFrom field to set identityType to any_identity. 3. Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.
Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network.
How should your team design this network?
A. Create an ingress firewall rule to allow access only from the application to the database using firewall tags.
B. Create a different subnet for the frontend application and database to ensure network isolation.
C. Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.
D. Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.