Google Google Certifications PROFESSIONAL-CLOUD-SECURITY-ENGINEER Questions & Answers

• Question 71:

  You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project. How should you make an exception for your partner's domain while following the stated best practices?

  A. Turn off the domain restriction sharing organization policy. Set the policy value to "Allow All."

  B. Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.

  C. Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.

  D. Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.

  Correct Answer: D

  https://cloud.google.com/resource-manager/docs/organization-policy/restricting- domains#setting_the_organization_policy

  The domain restriction constraint is a type of list constraint. Google Workspace customer IDs can be added and removed from the allowed_values list of a domain restriction constraint.

  The domain restriction constraint does not support denying values, and an organization policy can't be saved with IDs in the denied_values list.

  All domains associated with a Google Workspace account listed in the allowed_values will be allowed by the organization policy.

  All other domains will be denied by the organization policy.

• Question 72:

  A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects.

  Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources. Which type of access should your team grant to meet this requirement?

  A. Organization Administrator

  B. Security Reviewer

  C. Organization Role Administrator

  D. Organization Policy Administrator

  Correct Answer: C

  Here are the permissions available to organizationRoleAdmin

  iam.roles.create iam.roles.delete iam.roles.undelete iam.roles.get iam.roles.list iam.roles.update resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy

  There are sufficient as per least privilege policy. You can do user management as well as auditing. https://cloud.google.com/iam/docs/understanding-custom-roles

• Question 73:

  Your company operates an application instance group that is currently deployed behind a Google Cloud load balancer in us-central-1 and is configured to use the Standard Tier network. The infrastructure team wants to expand to a second Google Cloud region, us-east-2. You need to set up a single external IP address to distribute new requests to the instance groups in both regions.

  What should you do?

  A. Change the load balancer backend configuration to use network endpoint groups instead of instance groups.

  B. Change the load balancer frontend configuration to use the Premium Tier network, and add the new instance group.

  C. Create a new load balancer in us-east-2 using the Standard Tier network, and assign a static external IP address.

  D. Create a Cloud VPN connection between the two regions, and enable Google Private Access.

  Correct Answer: B

  https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional

• Question 74:

  You want to use the gcloud command-line tool to authenticate using a third-party single sign-on (SSO) SAML identity provider. Which options are necessary to ensure that authentication is supported by the third-party identity provider (IdP)? (Choose two.)

  A. SSO SAML as a third-party IdP

  B. Identity Platform

  C. OpenID Connect

  D. Identity-Aware Proxy

  E. Cloud Identity

  Correct Answer: AC

  To provide users with SSO-based access to selected cloud apps, Cloud Identity as your IdP supports the OpenID Connect (OIDC) and Security Assertion Markup Language 2.0 (SAML) protocols. https:// cloud.google.com/identity/solutions/ enable-sso

• Question 75:

  You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.

  What should you do?

  A. Set up an ACL with OWNER permission to a scope of allUsers.

  B. Set up an ACL with READER permission to a scope of allUsers.

  C. Set up a default bucket ACL and manage access for users using IAM.

  D. Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.

  Correct Answer: D

  https://cloud.google.com/storage/docs/uniform-bucket-level-access#enabled https://cloud.google.com/storage/docs/access-control/lists

• Question 76:

  Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service. Your team wants to manage permissions by AD group membership.

  What should your team do to meet these requirements?

  A. Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.

  B. Set up SAML 2.0 Single Sign-On (SSO), and assign IAM permissions to the groups.

  C. Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory.

  D. Use the Admin SDK to create groups and assign IAM permissions from Active Directory.

  Correct Answer: A

  "In order to be able to keep using the existing identity management system, identities need to be synchronized between AD and GCP IAM. To do so google provides a tool called Cloud Directory Sync. This tool will read all identities in AD and replicate those within GCP. Once the identities have been replicated then it's possible to apply IAM permissions on the groups. After that you will configure SAML so google can act as a service provider and either you ADFS or other third party tools like Ping or Okta will act as the identity provider. This way you effectively delegate the authentication from Google to something that is under your control."

• Question 77:

  An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google's responsibility lies. They are mostly running workloads using Google Cloud's Platform-as-a-Service (PaaS) offerings, including App Engine primarily.

  Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?

  A. Configuring and monitoring VPC Flow Logs

  B. Defending against XSS and SQLi attacks

  C. Manage the latest updates and security patches for the Guest OS

  D. Encrypting all stored data

  Correct Answer: B

  in PaaS the customer is responsible for web app security, deployment, usage, access policy, and content. https://cloud.google.com/architecture/framework/security/shared-responsibility-shared-fate

• Question 78:

  An office manager at your small startup company is responsible for matching payments to invoices and creating billing alerts. For compliance reasons, the office manager is only permitted to have the Identity and Access Management (IAM) permissions necessary for these tasks. Which two IAM roles should the office manager have? (Choose two.)

  A. Organization Administrator

  B. Project Creator

  C. Billing Account Viewer

  D. Billing Account Costs Manager

  E. Billing Account User

  Correct Answer: CD

  https://cloud.google.com/billing/docs/how-to/billing-access#overview-of-cloud-billing-roles-in-cloud-iam Billing Account Costs Manager (roles/billing.costsManager) -Manage budgets and view and export cost information of billing accounts (but

  not pricing information)

  Billing Account Viewer (roles/billing.viewer)

  -View billing account cost information and transactions.

• Question 79:

  You are a security engineer at a finance company. Your organization plans to store data on Google Cloud, but your leadership team is worried about the security of their highly sensitive data Specifically, your company is concerned about internal Google employees' ability to access your company's data on Google Cloud. What solution should you propose?

  A. Use customer-managed encryption keys.

  B. Use Google's Identity and Access Management (IAM) service to manage access controls on Google Cloud.

  C. Enable Admin activity logs to monitor access to resources.

  D. Enable Access Transparency logs with Access Approval requests for Google employees.

  Correct Answer: D

  https://cloud.google.com/access-transparency Access approval Explicitly approve access to your data or configurations on Google Cloud. Access Approval requests, when combined with Access Transparency logs, can be used to audit an end-to-end chain from support ticket to access request to approval, to eventual access.

• Question 80:

  Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services. Which two settings must remain disabled to meet these requirements? (Choose two.)

  A. Public IP

  B. IP Forwarding

  C. Private Google Access

  D. Static routes

  E. IAM Network User Role

  Correct Answer: AC

  Reference: https://cloud.google.com/vpc/docs/configure-private-google-access