Exam Details

  • Exam Code: PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name: Professional Cloud Security Engineer
  • Certification: Google Certifications
  • Vendor: Google
  • Total Questions: 244 Q&As
  • Last Updated: May 12, 2024

Google Google Certifications PROFESSIONAL-CLOUD-SECURITY-ENGINEER Questions & Answers

  • Question 11:

    Your organization wants to protect all workloads that run on Compute Engine VMs to ensure that the instances weren't compromised by boot-level or kernel-level malware. Also, you need to ensure that data in use on the VM cannot be read by the underlying host system by using a hardware-based solution.

    What should you do?

    A. 1. Use Google Shielded VM, including secure boot, Virtual Trusted Platform Module (vTPM), and integrity monitoring. 2. Create a Cloud Run function to check for the VM settings, generate metrics, and run the function regularly.

    B. 1. Activate Virtual Machine Threat Detection in Security Command Center (SCC) Premium. 2. Monitor the findings in SCC.

    C. 1. Use Google Shielded VM, including secure boot, Virtual Trusted Platform Module (vTPM), and integrity monitoring. 2. Activate Confidential Computing. 3. Enforce these actions by using organization policies.

    D. 1. Use secure hardened images from the Google Cloud Marketplace. 2. When deploying the images, activate the Confidential Computing option. 3. Enforce the use of the correct images and Confidential Computing by using organization policies.

  • Question 12:

    An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.

    Which Cloud Data Loss Prevention API technique should you use to accomplish this?

    A. Cryptographic hashing

    B. Redaction

    C. Format-preserving encryption

    D. Generalization

  • Question 13:

    Your organization is transitioning to Google Cloud. You want to ensure that only trusted container images are deployed on Google Kubernetes Engine (GKE) clusters in a project. The containers must be deployed from a centrally managed Container Registry and signed by a trusted authority.

    What should you do? (Choose two.)

    A. Configure the Binary Authorization policy with respective attestations for the project.

    B. Create a custom organization policy constraint to enforce Binary Authorization for Google Kubernetes Engine (GKE).

    C. Enable Container Threat Detection in the Security Command Center (SCC) for the project.

    D. Configure the trusted image organization policy constraint for the project.

    E. Enable Pod Security standards and set them to Restricted.

  • Question 14:

    You want to update your existing VPC Service Controls perimeter with a new access level. You need to avoid breaking the existing perimeter with this change, and ensure the least disruptions to users while minimizing overhead. What should you do?

    A. Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.

    B. Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.

    C. Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration. Update the perimeter configuration after the access level has been vetted.

    D. Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.

  • Question 15:

    You are migrating an on-premises data warehouse to BigQuery, Cloud SQL, and Cloud Storage. You need to configure security services in the data warehouse. Your company compliance policies mandate that the data warehouse must:

    1. Protect data at rest with full lifecycle management on cryptographic keys

    2. Implement a separate key management provider from data management

    3. Provide visibility into all encryption key requests

    What services should be included in the data warehouse implementation?

    (Choose two.)

    A. Customer-managed encryption keys

    B. Customer-Supplied Encryption Keys

    C. Key Access Justifications

    D. Access Transparency and Approval

    E. Cloud External Key Manager

  • Question 16:

    A customer's company has multiple business units. Each business unit operates independently, and each has their own engineering group. Your team wants visibility into all projects created within the company and wants to organize their Google Cloud Platform (GCP) projects based on different business units. Each business unit also requires separate sets of IAM permissions.

    Which strategy should you use to meet these needs?

    A. Create an organization node, and assign folders for each business unit.

    B. Establish standalone projects for each business unit, using gmail.com accounts.

    C. Assign GCP resources in a project, with a label identifying which business unit owns the resource.

    D. Assign GCP resources in a VPC for each business unit to separate network access.

  • Question 17:

    A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.

    Which two approaches can you take to meet the requirements? (Choose two.)

    A. Configure the project with Cloud VPN.

    B. Configure the project with Shared VPC.

    C. Configure the project with Cloud Interconnect.

    D. Configure the project with VPC peering.

    E. Configure all Compute Engine instances with Private Access.

  • Question 18:

    Your organization uses Google Workspace Enterprise Edition for authentication. You are concerned about employees leaving their laptops unattended for extended periods of time after authenticating into Google Cloud. You must prevent malicious people from using an employee's unattended laptop to modify their environment.

    What should you do?

    A. Create a policy that requires employees to not leave their sessions open for long durations.

    B. Review and disable unnecessary Google Cloud APIs.

    C. Require strong passwords and 2SV through a security token or Google Authenticator.

    D. Set the session length timeout for Google Cloud services to a shorter duration.

  • Question 19:

    After completing a security vulnerability assessment, you learned that cloud administrators leave Google Cloud CLI sessions open for days. You need to reduce the risk of attackers who might exploit these open sessions by setting these sessions to the minimum duration.

    What should you do?

    A. Set the session duration for the Google session control to one hour.

    B. Set the reauthentication frequency for the Google Cloud Session Control to one hour.

    C. Set the organization policy constraint constraints/iam.allowServiceAccountCredentialLifetimeExtension to one hour.

    D. Set the organization policy constraint constraints/iam.serviceAccountKeyExpiryHours to one hour and inheritFromParent to false.

  • Question 20:

    Your company's chief information security officer (CISO) is requiring business data to be stored in specific locations due to regulatory requirements that affect the company's global expansion plans. After working on a plan to implement this requirement, you determine the following:

    1. The services in scope are included in the Google Cloud data residency requirements.

    2. The business data remains within specific locations under the same organization. The folder structure can contain multiple data residency locations.

    3. The projects are aligned to specific locations.

    You plan to use the Resource Location Restriction organization policy constraint with very granular control. At which level in the hierarchy should you set the constraint?

    A. Organization

    B. Resource

    C. Project

    D. Folder
