Exam Details

  • Exam Code: PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name: Professional Cloud Security Engineer
  • Certification: Google Certifications
  • Vendor: Google
  • Total Questions: 244 Q&As
  • Last Updated: May 19, 2025

Google Google Certifications PROFESSIONAL-CLOUD-SECURITY-ENGINEER Questions & Answers

  • Question 181:

    Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization. How should you enforce this?

    A. Configure Secret Manager to manage service account keys.

    B. Enable an organization policy to disable service accounts from being created.

    C. Enable an organization policy to prevent service account keys from being created.

    D. Remove the iam.serviceAccounts.getAccessToken permission from users.

  • Question 182:

    You are onboarding new users into Cloud Identity and discover that some users have created consumer user accounts using the corporate domain name. How should you manage these consumer user accounts with Cloud Identity?

    A. Use Google Cloud Directory Sync to convert the unmanaged user accounts.

    B. Create a new managed user account for each consumer user account.

    C. Use the transfer tool for unmanaged user accounts.

    D. Configure single sign-on using a customer's third-party provider.

  • Question 183:

    You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer. What should you do?

    A. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.

    B. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.

    C. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.

    D. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.

  • Question 184:

    You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive data. Your solution has the following requirements:

    1. Schedule key rotation for sensitive data.

    2. Control which region the encryption keys for sensitive data are stored in.

    3. Minimize the latency to access encryption keys for both sensitive and non-sensitive data.

    What should you do?

    A. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.

    B. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.

    C. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.

    D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

  • Question 185:

    You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources. Your export must meet the following requirements:

    Export related logs for all projects in the Google Cloud organization.

    Export logs in near real-time to an external SIEM.

    What should you do? (Choose two.)

    A. Create a Log Sink at the organization level with a Pub/Sub destination.

    B. Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.

    C. Enable Data Access audit logs at the organization level to apply to all projects.

    D. Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.

    E. Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.

  • Question 186:

    An organization's typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review.

    How should you advise this organization?

    A. Use Forseti with Firewall filters to catch any unwanted configurations in production.

    B. Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.

    C. Route all VPC traffic through customer-managed routers to detect malicious patterns in production.

    D. All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.

  • Question 187:

    What are the steps to encrypt data using envelope encryption?

    A. Generate a data encryption key (DEK) locally. Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK. Store the encrypted data and the wrapped KEK.

    B. Generate a key encryption key (KEK) locally. Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK. Store the encrypted data and the wrapped DEK.

    C. Generate a data encryption key (DEK) locally. Encrypt data with the DEK. Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.

    D. Generate a key encryption key (KEK) locally. Generate a data encryption key (DEK) locally. Encrypt data with the KEK. Store the encrypted data and the wrapped DEK.

  • Question 188:

    A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can only be accessed by someone on the corporate network. The customer wants to make it available over the internet. Your team requires an authentication layer in front of the application that supports two-factor authentication.

    Which GCP product should the customer implement to meet these requirements?

    A. Cloud Identity-Aware Proxy

    B. Cloud Armor

    C. Cloud Endpoints

    D. Cloud VPN

  • Question 189:

    Applications often require access to "secrets" (small pieces of sensitive data) at build or run time. The administrator managing these secrets on GCP wants to keep track of "who did what, where, and when?" within their GCP projects.

    Which two log streams would provide the information that the administrator is looking for? (Choose two.)

    A. Admin Activity logs

    B. System Event logs

    C. Data Access logs

    D. VPC Flow logs

    E. Agent logs

  • Question 190:

    Which type of load balancer should you use to maintain client IP by default while using the standard network tier?

    A. SSL Proxy

    B. TCP Proxy

    C. Internal TCP/UDP

    D. TCP/UDP Network
