Exam Details

  • Exam Code: PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name: Professional Cloud Security Engineer
  • Certification: Google Certifications
  • Vendor: Google
  • Total Questions: 244 Q&As
  • Last Updated: May 19, 2025

Google Certifications PROFESSIONAL-CLOUD-SECURITY-ENGINEER Questions & Answers

  • Question 221:

    Your organization uses BigQuery to process highly sensitive, structured datasets. Following the "need to know" principle, you need to create the Identity and Access Management (IAM) design to meet the needs of these users:

    - Business user: must access curated reports.

    - Data engineer: must administer the data lifecycle in the platform.

    - Security operator: must review user activity on the data platform.

    What should you do?

    A. Configure data access log for BigQuery services, and grant Project Viewer role to security operator.

    B. Set row-based access control based on the "region" column, and filter the record from the United States for data engineers.

    C. Create curated tables in a separate dataset and assign the role roles/bigquery.dataViewer.

    D. Generate a CSV data file based on the business user's needs, and send the data to their email addresses.
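    The dataset-scoped "need to know" layout that question 221 is driving at, written out as Terraform. This is an added example, not material from the exam page; the project ID, dataset IDs and Google Group addresses are assumed placeholders.

```hcl
# Added example (not from the exam page). Project ID, dataset IDs and the
# group addresses below are assumed placeholders.
variable "project_id" {
  default = "example-project"
}

# Raw, sensitive tables live in one dataset and curated reports in another,
# so read access can be granted on the curated dataset alone.
resource "google_bigquery_dataset" "raw" {
  project    = var.project_id
  dataset_id = "raw_sensitive"
  location   = "EU"
}

resource "google_bigquery_dataset" "curated" {
  project    = var.project_id
  dataset_id = "curated_reports"
  location   = "EU"
}

# Business users: read-only on the curated dataset only ...
resource "google_bigquery_dataset_iam_member" "business_reader" {
  project    = var.project_id
  dataset_id = google_bigquery_dataset.curated.dataset_id
  role       = "roles/bigquery.dataViewer"
  member     = "group:business-users@example.com"
}

# ... plus the project-level jobUser role, which is needed to run queries
# but grants no access to any table by itself.
resource "google_project_iam_member" "business_jobs" {
  project = var.project_id
  role    = "roles/bigquery.jobUser"
  member  = "group:business-users@example.com"
}

# Data engineers: manage tables, expiry and deletion in the raw dataset.
resource "google_bigquery_dataset_iam_member" "engineer_owner" {
  project    = var.project_id
  dataset_id = google_bigquery_dataset.raw.dataset_id
  role       = "roles/bigquery.dataOwner"
  member     = "group:data-engineers@example.com"
}

# Security operators: review activity without touching data. BigQuery
# Data Access audit logs are written by default; reading them needs
# privateLogViewer, because Data Access logs are private logs that the
# plain logging.viewer role cannot see.
resource "google_project_iam_member" "secops_logs" {
  project = var.project_id
  role    = "roles/logging.privateLogViewer"
  member  = "group:security-operators@example.com"
}
```

    The data engineers would also need roles/bigquery.jobUser (or a broader role) at the project level to run load and query jobs, and a dataset-level role on the curated dataset if they publish into it; the point of the layout is that no principal holds a project-wide data role.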

  • Question 222:

    You manage a fleet of virtual machines (VMs) in your organization. You have encountered issues with lack of patching in many VMs. You need to automate regular patching in your VMs and view the patch management data across multiple projects.

    What should you do? (Choose two.)

    A. View patch management data in VM Manager by using OS patch management.

    B. View patch management data in Artifact Registry.

    C. View patch management data in a Security Command Center dashboard.

    D. Deploy patches with Security Command Center by using Rapid Vulnerability Detection.

    E. Deploy patches with VM Manager by using OS patch management.
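    What VM Manager OS patch management looks like once it is actually configured, including the two prerequisites that most often leave a patch job with zero instances. This is an added Terraform example, not from the exam page; the project IDs, the patch=auto label and the schedule are assumptions.

```hcl
# Added example (not from the exam page). Project IDs, labels and the
# schedule are assumptions.
variable "projects" {
  default = ["app-prod-a1b2", "app-dev-c3d4"]
}

# VM Manager needs the OS Config API and the enable-osconfig project
# metadata; without these the agent never reports and the patch job
# finds no instances.
resource "google_project_service" "osconfig" {
  for_each = toset(var.projects)
  project  = each.value
  service  = "osconfig.googleapis.com"
}

resource "google_compute_project_metadata_item" "enable_osconfig" {
  for_each = toset(var.projects)
  project  = each.value
  key      = "enable-osconfig"
  value    = "TRUE"
}

# Patch deployments are per project, hence the for_each: every Tuesday
# at 02:00, only instances labelled patch=auto, one zone at a time.
resource "google_os_config_patch_deployment" "weekly" {
  for_each            = toset(var.projects)
  project             = each.value
  patch_deployment_id = "weekly-security-patch"

  instance_filter {
    group_labels {
      labels = { patch = "auto" }
    }
  }

  patch_config {
    reboot_config = "DEFAULT"
    apt {
      type = "DIST"
    }
    yum {
      security = true
    }
  }

  recurring_schedule {
    time_zone { id = "Europe/Amsterdam" }
    time_of_day {
      hours   = 2
      minutes = 0
    }
    weekly { day_of_week = "TUESDAY" }
  }

  # Limit blast radius: at most 10% of the instances in a zone are patched
  # (and possibly rebooted) at once before the next zone starts.
  rollout {
    mode = "ZONE_BY_ZONE"
    disruption_budget { percent = 10 }
  }

  depends_on = [google_project_service.osconfig]
}
```

    The label filter is the control point: an instance without patch=auto is never touched, so fleets can be moved onto automated patching gradually rather than all at once.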

  • Question 223:

    Your organization uses the top-tier folder to separate application environments (prod and dev). The developers need to see all application development audit logs, but they are not permitted to review production logs. Your security team can review all logs in production and development environments. You must grant Identity and Access Management (IAM) roles at the right resource level for the developers and security team while you ensure least privilege.

    What should you do?

    A. 1. Grant logging.viewer role to the security team at the organization resource level.

    2. Grant logging.viewer role to the developer team at the folder resource level that contains all the dev projects.

    B. 1. Grant logging.viewer role to the security team at the organization resource level.

    2. Grant logging.admin role to the developer team at the organization resource level.

    C. 1. Grant logging.admin role to the security team at the organization resource level.

    2. Grant logging.viewer role to the developer team at the folder resource level that contains all the dev projects.

    D. 1. Grant logging.admin role to the security team at the organization resource level.

    2. Grant logging.admin role to the developer team at the organization resource level.
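    The folder-scoped design from question 223 expressed as IAM bindings: one organization-level grant for the security team and one folder-level grant for developers, so the developers' role is inherited only by projects under the dev folder. This is an added Terraform example, not from the exam page; the organization ID, folder ID and group addresses are assumptions.

```hcl
# Added example (not from the exam page). Organization ID, dev folder ID
# and group addresses are assumptions.
variable "org_id" {
  default = "123456789012"
}

variable "dev_folder" {
  default = "folders/111111111111"
}

# Security team: read every log in the hierarchy through a single grant at
# the organization node. logging.viewer is enough to read logs;
# logging.admin would additionally allow changing sinks, log buckets and
# exclusions, which reviewers do not need.
resource "google_organization_iam_member" "security_log_viewer" {
  org_id = var.org_id
  role   = "roles/logging.viewer"
  member = "group:security-team@example.com"
}

# Developers: the same read-only role, but bound on the dev folder. IAM
# policies inherit downward only, so the binding reaches every project
# under this folder and never the prod folder next to it.
resource "google_folder_iam_member" "dev_log_viewer" {
  folder = var.dev_folder
  role   = "roles/logging.viewer"
  member = "group:developers@example.com"
}
```

    One caveat a reviewer will hit immediately: roles/logging.viewer does not include Data Access audit logs. If the security team must read those as well, grant roles/logging.privateLogViewer at the organization node instead; it is still a read-only role.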

  • Question 224:

    You are migrating an application into the cloud. The application will need to read data from a Cloud Storage bucket. Due to local regulatory requirements, you need to hold the key material used for encryption fully under your control and you require a valid rationale for accessing the key material.

    What should you do?

    A. Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys. Configure an IAM deny policy for unauthorized groups.

    B. Generate a key in your on-premises environment to encrypt the data before you upload the data to the Cloud Storage bucket. Upload the key to the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and have the external key system reject unauthorized accesses.

    C. Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys backed by a Cloud Hardware Security Module (HSM). Enable data access logs.

    D. Generate a key in your on-premises environment and store it in a Hardware Security Module (HSM) that is managed on-premises. Use this key as an external key in the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and set the external key system to reject unauthorized accesses.

  • Question 225:

    For data residency requirements, you want your secrets in Google Cloud's Secret Manager to only have payloads in europe-west1 and europe-west4. Your secrets must be highly available in both regions. What should you do?

    A. Create your secret with a user managed replication policy, and choose only compliant locations.

    B. Create your secret with an automatic replication policy, and choose only compliant locations.

    C. Create two secrets by using Terraform, one in europe-west1 and the other in europe-west4.

    D. Create your secret with an automatic replication policy, and create an organizational policy to deny secret creation in non-compliant locations.

  • Question 226:

    Your organization wants to be General Data Protection Regulation (GDPR) compliant. You want to ensure that your DevOps teams can only create Google Cloud resources in the Europe regions. What should you do?

    A. Use Identity-Aware Proxy (IAP) with Access Context Manager to restrict the location of Google Cloud resources.

    B. Use the org policy constraint 'Google Cloud Platform - Resource Location Restriction' on your Google Cloud organization node.

    C. Use the org policy constraint 'Restrict Resource Service Usage' on your Google Cloud organization node.

    D. Use Identity and Access Management (IAM) custom roles to ensure that your DevOps team can only create resources in the Europe regions.
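    The two residency controls from questions 225 and 226 side by side: an organization-level resource location constraint limited to EU locations, and a secret whose user-managed replication is pinned to europe-west1 and europe-west4. This is an added Terraform example, not from the exam page; the organization ID, project ID, secret ID and placeholder payload are assumptions.

```hcl
# Added example (not from the exam page). Organization ID, project ID,
# secret ID and the placeholder payload are assumptions.
variable "org_id" {
  default = "123456789012"
}

variable "project_id" {
  default = "example-project"
}

# Question 226: allow new resources only in the Google-maintained
# "eu-locations" value group. The constraint is not retroactive: resources
# that already exist outside the EU are neither moved nor deleted.
resource "google_organization_policy" "eu_only" {
  org_id     = var.org_id
  constraint = "gcp.resourceLocations"

  list_policy {
    allow {
      values = ["in:eu-locations"]
    }
  }
}

# Question 225: a user-managed replication policy lists exactly the regions
# that may hold the payload; two regions keep the secret readable if one
# is unavailable. Automatic replication would let Google pick the regions,
# which is why it is rejected under a resource location constraint.
resource "google_secret_manager_secret" "db_password" {
  project   = var.project_id
  secret_id = "db-password"

  replication {
    user_managed {
      replicas {
        location = "europe-west1"
      }
      replicas {
        location = "europe-west4"
      }
    }
  }
}

# The payload is a separate, versioned resource. Placeholder value only:
# in practice it is added out of band so it never lands in Terraform state.
resource "google_secret_manager_secret_version" "db_password_v1" {
  secret      = google_secret_manager_secret.db_password.id
  secret_data = "replace-me-out-of-band"
}
```

    Each replica is independent: a key in Cloud KMS can be attached per replica with a customer_managed_encryption block if the key, too, must stay in the same region as the payload.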

  • Question 227:

    You manage a mission-critical workload for your organization, which is in a highly regulated industry. The workload uses Compute Engine VMs to analyze and process the sensitive data after it is uploaded to Cloud Storage from the endpoint computers. Your compliance team has detected that this workload does not meet the data protection requirements for sensitive data. You need to meet these requirements:

    - Manage the data encryption key (DEK) outside the Google Cloud boundary.

    - Maintain full control of encryption keys through a third-party provider.

    - Encrypt the sensitive data before uploading it to Cloud Storage.

    - Decrypt the sensitive data during processing in the Compute Engine VMs.

    - Encrypt the sensitive data in memory while in use in the Compute Engine VMs.

    What should you do? (Choose two.)

    A. Configure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.

    B. Configure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.

    C. Create Confidential VMs to access the sensitive data.

    D. Migrate the Compute Engine VMs to Confidential VMs to access the sensitive data.

    E. Create a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets.
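    The "encrypted in memory while in use" requirement from question 227 maps to a Confidential VM, which has a few hard constraints on machine family, image and maintenance behaviour that a plain VM does not. This is an added Terraform example, not from the exam page; the instance name, zone, image and service account are assumptions, and the client-side encryption with an externally managed key is application logic that runs inside the VM and is not shown.

```hcl
# Added example (not from the exam page). Instance name, zone, image and
# service account are assumptions.
resource "google_service_account" "processor" {
  account_id   = "sensitive-processor"
  display_name = "Sensitive data processor"
}

resource "google_compute_instance" "processor" {
  name = "sensitive-processor"
  zone = "europe-west4-a"

  # Confidential VMs based on AMD SEV require the N2D machine family ...
  machine_type = "n2d-standard-4"

  boot_disk {
    initialize_params {
      # ... and a guest image that supports Confidential Computing.
      image = "ubuntu-os-cloud/ubuntu-2204-lts"
    }
  }

  # No external IP: the VM reaches Cloud Storage over Private Google Access.
  network_interface {
    network = "default"
  }

  # This is the switch that makes guest memory encrypted by the hardware
  # with a key the hypervisor never sees.
  confidential_instance_config {
    enable_confidential_compute = true
  }

  # Live migration is not available for every Confidential VM type, so the
  # instance is set to stop during host maintenance rather than migrate.
  scheduling {
    on_host_maintenance = "TERMINATE"
  }

  # Shielded VM features are on by default for Confidential VMs; stating
  # them makes the expected boot integrity posture explicit in review.
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }

  # Least privilege on the VM identity: a dedicated service account, with
  # actual permissions granted through IAM rather than broad legacy scopes.
  service_account {
    email  = google_service_account.processor.email
    scopes = ["cloud-platform"]
  }
}
```

    Confidential Computing protects data while it is being processed; it does nothing for data at rest in the bucket, which is why the question pairs it with encryption before upload under an externally held key.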

  • Question 228:

    You are migrating your users to Google Cloud. Cookie replay attacks have been observed against Google web sessions and Google Cloud CLI (SDK) sessions on endpoint devices. You need to reduce the risk of these threats. What should you do? (Choose two.)

    A. Configure Google session control to a shorter duration.

    B. Set an organizational policy for OAuth 2.0 access token with a shorter duration.

    C. Set a reauthentication policy for Google Cloud services to a shorter duration.

    D. Configure a third-party identity provider with session management.

    E. Enforce Security Key Authentication with 2SV.

  • Question 229:

    Your organization wants to be compliant with the General Data Protection Regulation (GDPR) on Google Cloud. You must implement data residency and operational sovereignty in the EU.

    What should you do? (Choose two.)

    A. Limit the physical location of a new resource with the Organization Policy Service "resource locations constraint."

    B. Use Cloud IDS to get east-west and north-south traffic visibility in the EU to monitor intra-VPC and inter-VPC communication.

    C. Limit Google personnel access based on predefined attributes such as their citizenship or geographic location by using Key Access Justifications.

    D. Use identity federation to limit access to Google Cloud resources from non-EU entities.

    E. Use VPC Flow Logs to monitor intra-VPC and inter-VPC traffic in the EU.

  • Question 230:

    Your company uses Google Cloud and has publicly exposed network assets. You want to discover the assets and perform a security audit on these assets by using a software tool in the least amount of time.

    What should you do?

    A. Run a platform security scanner on all instances in the organization.

    B. Identify all external assets by using Cloud Asset Inventory, and then run a network security scanner against them.

    C. Contact a Google approved security vendor to perform the audit.

    D. Notify Google about the pending audit, and wait for confirmation before performing the scan.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important and are increasingly required by enterprises when you apply for a job. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only Google exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are unsure about your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparation or your Google certification application, do not hesitate to visit Vcedump.com to find your solutions.