Exam Details

  • Exam Code: PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name: Professional Cloud Security Engineer
  • Certification: Google Certifications
  • Vendor: Google
  • Total Questions: 244 Q&As
  • Last Updated: May 12, 2024

Google Google Certifications PROFESSIONAL-CLOUD-SECURITY-ENGINEER Questions & Answers

  • Question 21:

    You are working with a client that is concerned about control of their encryption keys for sensitive data. The client does not want to store encryption keys at rest in the same cloud service provider (CSP) as the data that the keys are encrypting.

    Which Google Cloud encryption solutions should you recommend to this client? (Choose two.)

    A. Customer-supplied encryption keys

    B. Google default encryption

    C. Secret Manager

    D. Cloud External Key Manager

    E. Customer-managed encryption keys

  • Question 22:

    Your company requires the security and network engineering teams to identify all network anomalies and be able to capture payloads within VPCs.

    Which method should you use?

    A. Define an organization policy constraint.

    B. Configure packet mirroring policies.

    C. Enable VPC Flow Logs on the subnet.

    D. Monitor and analyze Cloud Audit Logs.

  • Question 23:

    A customer has an analytics workload running on Compute Engine that should have limited internet access.

    Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.

    The Compute Engine instances now need to reach out to the public repository to get security updates. What should your team do?

    A. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.

    B. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.

    C. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.

    D. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.

  • Question 24:

    You need to set up two network segments: one with an untrusted subnet and the other with a trusted subnet. You want to configure a virtual appliance such as a next-generation firewall (NGFW) to inspect all traffic between the two network segments.

    How should you design the network to inspect the traffic?

    A. 1. Set up one VPC with two subnets: one trusted and the other untrusted.

    2. Configure a custom route for all traffic (0.0.0.0/0) pointed to the virtual appliance.

    B. 1. Set up one VPC with two subnets: one trusted and the other untrusted.

    2. Configure a custom route for all RFC1918 subnets pointed to the virtual appliance.

    C. 1. Set up two VPC networks: one trusted and the other untrusted, and peer them together.

    2. Configure a custom route on each network pointed to the virtual appliance.

    D. 1. Set up two VPC networks: one trusted and the other untrusted.

    2. Configure a virtual appliance using multiple network interfaces, with each interface connected to one of the VPC networks.

  • Question 25:

    A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.

    What should they do?

    A. Use Cloud Build to build the container images.

    B. Build small containers using small base images.

    C. Delete non-used versions from Container Registry.

    D. Use a Continuous Delivery tool to deploy the application.

  • Question 26:

    A database administrator notices malicious activities within their Cloud SQL instance. The database administrator wants to monitor the API calls that read the configuration or metadata of resources. Which logs should the database administrator review?

    A. Admin Activity

    B. System Event

    C. Access Transparency

    D. Data Access

  • Question 27:

    You are a Cloud Identity administrator for your organization. In your Google Cloud environment, groups are used to manage user permissions. Each application team has a dedicated group. Your team is responsible for creating these groups, and the application teams can manage the team members on their own through the Google Cloud console. You must ensure that the application teams can only add users from within your organization to their groups.

    What should you do?

    A. Change the configuration of the relevant groups in the Google Workspace Admin console to prevent external users from being added to the group.

    B. Set an Identity and Access Management (IAM) policy that includes a condition that restricts group membership to user principals that belong to your organization.

    C. Define an Identity and Access Management (IAM) deny policy that denies the assignment of principals that are outside your organization to the groups in scope.

    D. Export the Cloud Identity logs to BigQuery. Configure an alert for external members added to groups. Have the alert trigger a Cloud Function instance that removes the external members from the group.

  • Question 28:

    Your organization has on-premises hosts that need to access Google Cloud APIs. You must enforce private connectivity between these hosts, minimize costs, and optimize for operational efficiency. What should you do?

    A. Route all on-premises traffic to Google Cloud through an IPsec VPN tunnel to a VPC with Private Google Access enabled.

    B. Set up VPC peering between the hosts on-premises and the VPC through the internet.

    C. Enforce a security policy that mandates all applications to encrypt data with a Cloud Key Management Service (KMS) key before you send it over the network.

    D. Route all on-premises traffic to Google Cloud through a Dedicated Interconnect or Partner Interconnect to a VPC with Private Google Access enabled.

  • Question 29:

    Your company has deployed an application on Compute Engine. The application is accessible by clients on port 587. You need to balance the load between the different instances running the application. The connection should be secured using TLS, and terminated by the Load Balancer.

    What type of Load Balancing should you use?

    A. Network Load Balancing

    B. HTTP(S) Load Balancing

    C. TCP Proxy Load Balancing

    D. SSL Proxy Load Balancing

  • Question 30:

    You have the following resource hierarchy. There is an organization policy at each node in the hierarchy as shown. Which load balancer types are denied in VPC A?

    A. All load balancer types are denied in accordance with the global node's policy.

    B. INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder's policy.

    C. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project's policy.

    D. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project's policies.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Google exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparation and Google certification application, do not hesitate to visit Vcedump.com to find your solutions here.