Exam Details

  • Exam Code: PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name: Professional Cloud Security Engineer
  • Certification: Google Certifications
  • Vendor: Google
  • Total Questions: 244 Q&As
  • Last Updated: May 12, 2024

Google Certifications: PROFESSIONAL-CLOUD-SECURITY-ENGINEER Questions & Answers

  • Question 231:

    You manage a BigQuery analytical data warehouse in your organization. You want to keep data for all your customers in a common table while also restricting query access based on row and column permissions. Non-query operations should not be supported.

    What should you do? (Choose two.)

    A. Create row-level access policies to restrict the result data when you run queries with the filter expression set to TRUE.

    B. Configure column-level encryption by using Authenticated Encryption with Associated Data (AEAD) functions with Cloud Key Management Service (KMS) to control access to columns at query runtime.

    C. Create row-level access policies to restrict the result data when you run queries with the filter expression set to FALSE.

    D. Configure dynamic data masking rules to control access to columns at query runtime.

    E. Create column-level policy tags to control access to columns at query runtime.

  • Question 232:

    You are running applications outside Google Cloud that need access to Google Cloud resources. You are using workload identity federation to grant external identities Identity and Access Management (IAM) roles to eliminate the maintenance and security burden associated with service account keys. You must protect against attempts to spoof another user's identity and gain unauthorized access to Google Cloud resources.

    What should you do? (Choose two.)

    A. Enable data access logs for IAM APIs.

    B. Limit the number of external identities that can impersonate a service account.

    C. Use a dedicated project to manage workload identity pools and providers.

    D. Use immutable attributes in attribute mappings.

    E. Limit the resources that a service account can access.

  • Question 233:

    Your company's Google Cloud organization has about 200 projects and 1,500 virtual machines. There is no uniform strategy for logs and events management, which reduces visibility for your security operations team. You need to design a logs management solution that provides visibility and allows the security team to view the environment's configuration.

    What should you do?

    A.
    1. Create a dedicated log sink for each project that is in scope.
    2. Use a BigQuery dataset with time partitioning enabled as a destination of the log sinks.
    3. Deploy alerts based on log metrics in every project.
    4. Grant the role "Monitoring Viewer" to the security operations team in each project.

    B.
    1. Create one log sink at the organization level that includes all the child resources.
    2. Use as destination a Pub/Sub topic to ingest the logs into the security information and event management (SIEM) on-premises, and ensure that the right team can access the SIEM.
    3. Grant the Viewer role at organization level to the security operations team.

    C.
    1. Enable network logs and data access logs for all resources in the "Production" folder.
    2. Do not create log sinks to avoid unnecessary costs and latency.
    3. Grant the roles "Logs Viewer" and "Browser" at project level to the security operations team.

    D.
    1. Create one sink for the "Production" folder that includes child resources and one sink for the logs ingested at the organization level that excludes child resources.
    2. As destination, use a log bucket with a minimum retention period of 90 days in a project that can be accessed by the security team.
    3. Grant the security operations team the role of Security Reviewer at organization level.

  • Question 234:

    As part of your organization's zero trust strategy, you use Identity-Aware Proxy (IAP) to protect multiple applications. You need to ingest logs into a Security Information and Event Management (SIEM) system so that you are alerted to possible intrusions.

    Which logs should you analyze?

    A. Data Access audit logs

    B. Policy Denied audit logs

    C. Cloud Identity user log events

    D. Admin Activity audit logs

  • Question 235:

    Your organization previously stored files in Cloud Storage by using Google Managed Encryption Keys (GMEK), but has recently updated the internal policy to require Customer Managed Encryption Keys (CMEK). You need to re-encrypt the files quickly and efficiently with minimal cost.

    What should you do?

    A. Reupload the files to the same Cloud Storage bucket specifying a key file by using gsutil.

    B. Encrypt the files locally, and then use gsutil to upload the files to a new bucket.

    C. Copy the files to a new bucket with CMEK enabled in a secondary region.

    D. Change the encryption type on the bucket to CMEK, and rewrite the objects.

  • Question 236:

    You plan to synchronize identities to Cloud Identity from a third-party identity provider (IdP). You discovered that some employees used their corporate email address to set up consumer accounts to access Google services. You need to ensure that the organization has control over the configuration, security, and lifecycle of these consumer accounts.

    What should you do? (Choose two.)

    A. Mandate that those corporate employees delete their unmanaged consumer accounts.

    B. Reconcile accounts that exist in Cloud Identity but not in the third-party IdP.

    C. Evict the unmanaged consumer accounts in the third-party IdP before you sync identities.

    D. Use Google Cloud Directory Sync (GCDS) to migrate the unmanaged consumer accounts' emails as user aliases.

    E. Use the transfer tool to invite those corporate employees to transfer their unmanaged consumer accounts to the corporate domain.

  • Question 237:

    Employees at your company use their personal computers to access your organization's Google Cloud console. You need to ensure that users can only access the Google Cloud console from their corporate-issued devices and verify that they have a valid enterprise certificate.

    What should you do?

    A. Implement an Access Policy in BeyondCorp Enterprise to verify the device certificate. Create an access binding with the access policy just created.

    B. Implement a VPC firewall policy. Activate packet inspection and create an allow rule to validate and verify the device certificate.

    C. Implement an organization policy to verify the certificate from the access context.

    D. Implement an Identity and Access Management (IAM) conditional policy to verify the device certificate.

  • Question 238:

    Your organization is using Active Directory and wants to configure Security Assertion Markup Language (SAML). You must set up and enforce single sign-on (SSO) for all users.

    What should you do?

    A.
    1. Create a new SAML profile.
    2. Populate the sign-in and sign-out page URLs.
    3. Upload the X.509 certificate.
    4. Configure Entity ID and ACS URL in your IdP.

    B.
    1. Configure prerequisites for OpenID Connect (OIDC) in your Active Directory (AD) tenant.
    2. Verify the AD domain.
    3. Decide which users should use SAML.
    4. Assign the pre-configured profile to the select organizational units (OUs) and groups.

    C.
    1. Create a new SAML profile.
    2. Upload the X.509 certificate.
    3. Enable the change password URL.
    4. Configure Entity ID and ACS URL in your IdP.

    D.
    1. Manage SAML profile assignments.
    2. Enable OpenID Connect (OIDC) in your Active Directory (AD) tenant.
    3. Verify the domain.

  • Question 239:

    A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application. The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud.

    What should you do?

    A.
    1. Enable Container Threat Detection in the Security Command Center Premium tier.
    2. Upgrade all clusters that are not on a supported version of GKE to the latest possible GKE version.
    3. View and share the results from the Security Command Center.

    B.
    1. Use an open source tool in Cloud Build to scan the images.
    2. Upload reports to publicly accessible buckets in Cloud Storage by using gsutil.
    3. Share the scan report link with your security department.

    C.
    1. Enable vulnerability scanning in the Artifact Registry settings.
    2. Use Cloud Build to build the images.
    3. Push the images to the Artifact Registry for automatic scanning.
    4. View the reports in the Artifact Registry.

    D.
    1. Get a GitHub subscription.
    2. Build the images in Cloud Build and store them in GitHub for automatic scanning.
    3. Download the report from GitHub and share with the Security Team.

  • Question 240:

    A service account key has been publicly exposed on multiple public code repositories. After reviewing the logs, you notice that the key was used to generate short-lived credentials. You need to immediately remove access for the service account.

    What should you do?

    A. Delete the compromised service account.

    B. Disable the compromised service account key.

    C. Wait until the service account credentials expire automatically.

    D. Rotate the compromised service account key.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Google exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparation and Google certification application, do not hesitate to visit Vcedump.com to find your solutions.