Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Practice Questions and Exam Preparation
PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details
Exam Code: PROFESSIONAL-CLOUD-SECURITY-ENGINEER
Exam Name: Professional Cloud Security Engineer
Certification: Google Certifications
Vendor: Google
Total Questions: 324 Q&As
Last Updated: May 26, 2026
Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers
Question 181:
An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well-established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the "source of truth" directory for identities.
Which solution meets the organization's requirements?
A. Google Cloud Directory Sync (GCDS)
B. Cloud Identity
C. Security Assertion Markup Language (SAML)
D. Pub/Sub
Correct Answer: A. Google Cloud Directory Sync (GCDS)
Explanation/Reference:
With Google Cloud Directory Sync (GCDS), you can synchronize the data in your Google Account with your Microsoft Active Directory or LDAP server. GCDS doesn't migrate any content (such as email messages, calendar events, or files) to your Google Account. You use GCDS to synchronize your Google users, groups, and shared contacts to match the information in your LDAP server. https://support.google.com/a/answer/106368?hl=en
Question 182:
Your team wants to limit users with administrative privileges at the organization level. Which two roles should your team restrict? (Choose two.)
A. Organization Administrator
B. Super Admin
C. GKE Cluster Admin
D. Compute Admin
E. Organization Role Viewer
A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in BigQuery.
What technique should the institution use?
A. Use Cloud Storage as a federated Data Source.
B. Use a Cloud Hardware Security Module (Cloud HSM).
C. Customer-managed encryption keys (CMEK).
D. Customer-supplied encryption keys (CSEK).
Correct Answer: C. Customer-managed encryption keys (CMEK).
Explanation/Reference:
If you want to manage the key encryption keys used for your data at rest, instead of having Google manage the keys, use Cloud Key Management Service to manage your keys. This scenario is known as customer-managed encryption keys (CMEK). https://cloud.google.com/bigquery/docs/encryption-at-rest
Your organization is developing a sophisticated machine learning (ML) model to predict customer behavior for targeted marketing campaigns. The BigQuery dataset used for training includes sensitive personal information. You must design the security controls around the AI/ML pipeline. Data privacy must be maintained throughout the model's lifecycle and you must ensure that personal data is not used in the training process. Additionally, you must restrict access to the dataset to an authorized subset of people only. What should you do?
A. De-identify sensitive data before model training by using Cloud Data Loss Prevention (DLP) APIs, and implement strict Identity and Access Management (IAM) policies to control access to BigQuery.
B. Implement Identity-Aware Proxy to enforce context-aware access to BigQuery and models based on user identity and device.
C. Implement at-rest encryption by using customer-managed encryption keys (CMEK) for the pipeline. Implement strict Identity and Access Management (IAM) policies to control access to BigQuery.
D. Deploy the model on Confidential VMs for enhanced protection of data and code while in use. Implement strict Identity and Access Management (IAM) policies to control access to BigQuery.
Correct Answer: A. De-identify sensitive data before model training by using Cloud Data Loss Prevention (DLP) APIs, and implement strict Identity and Access Management (IAM) policies to control access to BigQuery.
Question 185:
Your organization has implemented synchronization and SAML federation between Cloud Identity and Microsoft Active Directory. You want to reduce the risk of Google Cloud user accounts being compromised. What should you do?
A. Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with security keys in the Google Admin console.
B. Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with verification codes via text or phone call in the Google Admin console.
C. Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with security keys in the Google Admin console.
D. Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with verification codes via text or phone call in the Google Admin console.
Correct Answer: C. Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with security keys in the Google Admin console.
"We recommend against using text messages. The National Institute of Standards and Technology (NIST) no longer recommends SMS-based 2SV due to the hijacking risk from state-sponsored entities."
Question 186:
Your organization has sensitive data stored in BigQuery and Cloud Storage. You need to design a solution that provides granular and flexible control over authorization to read data. What should you do?
A. De-identify sensitive fields within the dataset by using data leakage protection within the Sensitive Data Protection services.
B. Use Cloud External Key Manager (Cloud EKM) to encrypt the data in BigQuery and Cloud Storage.
C. Grant Identity and Access Management (IAM) roles and permissions to principals.
D. Enable server-side encryption on the data in BigQuery and Cloud Storage.
Correct Answer: C. Grant Identity and Access Management (IAM) roles and permissions to principals.
Question 187:
You run applications on Cloud Run. You already enabled container analysis for vulnerability scanning. However, you are concerned about the lack of control on the applications that are deployed. You must ensure that only trusted container images are deployed on Cloud Run.
What should you do? Choose 2 answers
A. Enable Binary Authorization on the existing Kubernetes cluster.
B. Set the organization policy constraint constraints/run.allowedBinaryAuthorizationPolicies to the list of allowed Binary Authorization policy names.
C. Set the organization policy constraint constraints/compute.trustedImageProjects to the list of projects that contain the trusted container images.
D. Enable Binary Authorization on the existing Cloud Run service.
E. Use Cloud Run breakglass to deploy an image that meets the Binary Authorization policy by default.
Correct Answer: A. Enable Binary Authorization on the existing Kubernetes cluster. B. Set the organization policy constraint constraints/run.allowedBinaryAuthorizationPolicies to the list of allowed Binary Authorization policy names.
Question 188:
You have a highly sensitive BigQuery workload that contains personally identifiable information (PII) that you want to ensure is not accessible from the internet. To prevent data exfiltration, only requests from authorized IP addresses are allowed to query your BigQuery tables.
What should you do?
A. Use service perimeter and create an access level based on the authorized source IP address as the condition.
B. Use Google Cloud Armor security policies defining an allowlist of authorized IP addresses at the global HTTPS load balancer.
C. Use the Restrict allowed Google Cloud APIs and services organization policy constraint along with Cloud Data Loss Prevention (DLP).
D. Use the Restrict Resource service usage organization policy constraint along with Cloud Data Loss Prevention (DLP).
Correct Answer: A. Use service perimeter and create an access level based on the authorized source IP address as the condition.
Question 189:
Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application. The solution has the following requirements:
1. Scans must run at least once per week
2. Must be able to detect cross-site scripting vulnerabilities
3. Must be able to authenticate using Google accounts
Which solution should you use?
A. Google Cloud Armor
B. Web Security Scanner
C. Security Health Analytics
D. Container Threat Detection
Your company's users access data in a BigQuery table. You want to ensure they can only access the data during working hours.
What should you do?
A. Assign a BigQuery Data Viewer role along with an IAM condition that limits the access to specified working hours.
B. Run a gsutil script that assigns a BigQuery Data Viewer role, and remove it only during the specified working hours.
C. Assign a BigQuery Data Viewer role to a service account that adds and removes the users daily during the specified working hours.
D. Configure Cloud Scheduler so that it triggers a Cloud Functions instance that modifies the organizational policy constraint for BigQuery during the specified working hours.
Correct Answer: A. Assign a BigQuery Data Viewer role along with an IAM condition that limits the access to specified working hours.
Explanation/Reference:
Assign a BigQuery Data Viewer role along with an IAM condition that limits the access to specified working hours.
IAM conditions in Google Cloud can be used to fine-tune access control according to attributes like time, date, and IP address. In this case, you can create an IAM condition that allows access only during working hours. This condition can be attached to the BigQuery Data Viewer role, ensuring that users can only access the data in the BigQuery table during the specified times.