PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code: PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name: Professional Cloud Security Engineer
  • Certification: Google Certifications
  • Vendor: Google
  • Total Questions: 324 Q&As
  • Last Updated: May 26, 2026

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 241:

    A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can currently only be accessed by someone on the corporate network. The customer wants to make it available over the internet. Your team requires an authentication layer in front of the application that supports two-factor authentication.

    Which GCP product should the customer implement to meet these requirements?

    A. Cloud Identity-Aware Proxy
    B. Cloud Armor
    C. Cloud Endpoints
    D. Cloud VPN

  • Question 242:

    Your company recently published a security policy to minimize the usage of service account keys. On- premises Windows-based applications are interacting with Google Cloud APIs. You need to implement Workload Identity Federation (WIF) with your identity provider on-premises.

    What should you do?

    A. Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS). Configure a rule to let principals in the pool impersonate the Google Cloud service account.
    B. Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS). Let all principals in the pool impersonate the Google Cloud service account.
    C. Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine. Configure a rule to let principals in the pool impersonate the Google Cloud service account.
    D. Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine. Let all principals in the pool impersonate the Google Cloud service account.

  • Question 243:

    Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements:

    1. Only allows communication between the Web and App tiers.
    2. Enforces consistent network security when autoscaling the Web and App tiers.
    3. Prevents Compute Engine Instance Admins from altering network traffic.

    What should you do?

    A. 1. Configure all running Web and App servers with respective network tags. 2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.
    B. 1. Configure all running Web and App servers with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.
    C. 1. Re-deploy the Web and App servers with instance templates configured with respective network tags. 2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.
    D. 1. Re-deploy the Web and App servers with instance templates configured with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.

  • Question 244:

    Which Google Cloud service should you use to enforce access control policies for applications and resources?

    A. Identity-Aware Proxy
    B. Cloud NAT
    C. Google Cloud Armor
    D. Shielded VMs

  • Question 245:

    You work for an organization in a regulated industry that has strict data protection requirements. The organization backs up their data in the cloud. To comply with data privacy regulations, this data can only be stored for a specific length of time and must be deleted after this specific period.

    You want to automate the compliance with this regulation while minimizing storage costs.

    What should you do?

    A. Store the data in a persistent disk, and delete the disk at expiration time.
    B. Store the data in a Cloud Bigtable table, and set an expiration time on the column families.
    C. Store the data in a BigQuery table, and set the table's expiration time.
    D. Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.

  • Question 246:

    Your organization has two VPC Service Controls service perimeters, Perimeter-A and Perimeter-B, in Google Cloud. You want to allow data to be copied from a Cloud Storage bucket in Perimeter-A to another Cloud Storage bucket in Perimeter-B. You must minimize exfiltration risk, only allow required connections, and follow the principle of least privilege. What should you do?

    A. Configure a perimeter bridge between Perimeter-A and Perimeter-B, and specify the Cloud Storage buckets as the resources involved.
    B. Configure a perimeter bridge between the projects hosting the Cloud Storage buckets in Perimeter-A and Perimeter-B.
    C. Configure an egress rule for the Cloud Storage bucket in Perimeter-A and a corresponding ingress rule in Perimeter-B.
    D. Configure a bidirectional egress/ingress rule for the Cloud Storage buckets in Perimeter-A and Perimeter-B.

  • Question 247:

    Your organization uses the top-tier folder to separate application environments (prod and dev). The developers need to see all application development audit logs, but they are not permitted to review production logs. Your security team can review all logs in production and development environments. You must grant Identity and Access Management (IAM) roles at the right resource level for the developers and security team while you ensure least privilege.

    What should you do?

    A. 1. Grant logging.viewer role to the security team at the organization resource level. 2. Grant logging.viewer role to the developer team at the folder resource level that contains all the dev projects.
    B. 1. Grant logging.viewer role to the security team at the organization resource level. 2. Grant logging.admin role to the developer team at the organization resource level.
    C. 1. Grant logging.admin role to the security team at the organization resource level. 2. Grant logging.viewer role to the developer team at the folder resource level that contains all the dev projects.
    D. 1. Grant logging.admin role to the security team at the organization resource level. 2. Grant logging.admin role to the developer team at the organization resource level.

  • Question 248:

    You're developing the incident response plan for your company. You need to define the access strategy that your DevOps team will use when reviewing and investigating a deployment issue in your Google Cloud environment. There are two main requirements:

    1. Least-privilege access must be enforced at all times.
    2. The DevOps team must be able to access the required resources only during the deployment issue.

    How should you grant access while following Google-recommended best practices?

    A. Assign the Project Viewer Identity and Access Management (IAM) role to the DevOps team.
    B. Create a custom IAM role with limited list/view permissions, and assign it to the DevOps team.
    C. Create a service account, and grant it the Project Owner IAM role. Give the Service Account User Role on this service account to the DevOps team.
    D. Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team.

  • Question 249:

    You work for a global company. Due to compliance requirements, certain Compute Engine instances that reside within specific projects must be located exclusively in cloud regions within the European Union (EU). You need to ensure that existing non-compliant workloads are remediated and prevent future Compute Engine instances from being launched in restricted regions. What should you do?

    A. Use a third-party configuration management tool to monitor the location of Compute Engine instances. Automatically delete or migrate non-compliant instances, including existing deployments.
    B. Deploy a Security Command Center source to detect Compute Engine instances created outside the EU. Use a custom remediation function to automatically relocate the instances, run the function once a day.
    C. Use organization policy constraints in Resource Manager to enforce allowed regions for Compute Engine instance creation within specific projects.
    D. Set an organization policy that denies the creation of Compute Engine instances outside the EU. Apply the policy to the appropriate projects. Identify existing non-compliant instances and migrate the instances to compliant EU regions.

  • Question 250:

    Your team needs to prevent users from creating projects in the organization. Only the DevOps team should be allowed to create projects on behalf of the requester.

    Which two tasks should your team perform to handle this request? (Choose two.)

    A. Remove all users from the Project Creator role at the organizational level.
    B. Create an Organization Policy constraint, and apply it at the organizational level.
    C. Grant the Project Editor role at the organizational level to a designated group of users.
    D. Add a designated group of users to the Project Creator role at the organizational level.
    E. Grant the billing account creator role to the designated DevOps team.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them when hiring. But how do you prepare for an exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Google exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparation and Google certification application, do not hesitate to visit Vcedump.com to find your solutions.