Home Exams
Log In Sign Up
Exams > Google > Professional Cloud Security Engineer
Professional Cloud Security Engineer
Page 1 out of 18 pages Questions 1-10 out of 173 questions
Question#1

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.
Which two settings must remain disabled to meet these requirements? (Choose two.)

  • A. Public IP
  • B. IP Forwarding
  • C. Private Google Access
  • D. Static routes
  • E. IAM Network User Role
Discover Answer Hide Answer

AC
Reference:
https://cloud.google.com/vpc/docs/configure-private-google-access

Question#2

Which two implied firewall rules are defined on a VPC network? (Choose two.)

  • A. A rule that allows all outbound connections
  • B. A rule that denies all inbound connections
  • C. A rule that blocks all inbound port 25 connections
  • D. A rule that blocks all outbound connections
  • E. A rule that allows all inbound port 80 connections
Discover Answer Hide Answer

AB
Reference:
https://cloud.google.com/vpc/docs/firewalls

Question#3

A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.
How should the customer achieve this using Google Cloud Platform?

  • A. Use Cloud Source Repositories, and store secrets in Cloud SQL.
  • B. Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.
  • C. Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL.
  • D. Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.
Discover Answer Hide Answer

B

Question#4

Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service. Your team wants to manage permissions by AD group membership.
What should your team do to meet these requirements?

  • A. Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.
  • B. Set up SAML 2.0 Single Sign-On (SSO), and assign IAM permissions to the groups.
  • C. Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory.
  • D. Use the Admin SDK to create groups and assign IAM permissions from Active Directory.
Discover Answer Hide Answer

B
Reference:
https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform

Question#5

A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior.
What should you do to meet these requirements?

  • A. Create a Folder per department under the Organization. For each department's Folder, assign the Project Viewer role to the Google Group related to that department.
  • B. Create a Folder per department under the Organization. For each department's Folder, assign the Project Browser role to the Google Group related to that department.
  • C. Create a Project per department under the Organization. For each department's Project, assign the Project Viewer role to the Google Group related to that department.
  • D. Create a Project per department under the Organization. For each department's Project, assign the Project Browser role to the Google Group related to that department.
Discover Answer Hide Answer

C

Question#6

A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).
How should the team complete this task?

  • A. Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
  • B. Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
  • C. Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
  • D. Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.
Discover Answer Hide Answer

D
Reference:
https://cloud.google.com/storage/docs/encryption/customer-supplied-keys

Question#7

A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects.
Which two steps should the company take to meet these requirements? (Choose two.)

  • A. Create a project with multiple VPC networks for each environment.
  • B. Create a folder for each development and production environment.
  • C. Create a Google Group for the Engineering team, and assign permissions at the folder level.
  • D. Create an Organizational Policy constraint for each folder environment.
  • E. Create projects for each environment, and grant IAM rights to each engineering user.
Discover Answer Hide Answer

BD

Question#8

You want to evaluate your organization's Google Cloud instance for PCI compliance. You need to identify Google's inherent controls.
Which document should you review to find the information?

  • A. Google Cloud Platform: Customer Responsibility Matrix
  • B. PCI DSS Requirements and Security Assessment Procedures
  • C. PCI SSC Cloud Computing Guidelines
  • D. Product documentation for Compute Engine
Discover Answer Hide Answer

C
Reference:
https://cloud.google.com/solutions/pci-dss-compliance-in-gcp

Question#9

Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation.
What should you do?

  • A. Store the data in a single Persistent Disk, and delete the disk at expiration time.
  • B. Store the data in a single BigQuery table and set the appropriate table expiration time.
  • C. Store the data in a single Cloud Storage bucket and configure the bucket's Time to Live.
  • D. Store the data in a single BigTable table and set an expiration time on the column families.
Discover Answer Hide Answer

B

Question#10

A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?

  • A. Use Cloud Build to build the container images.
  • B. Build small containers using small base images.
  • C. Delete non-used versions from Container Registry.
  • D. Use a Continuous Delivery tool to deploy the application.
Discover Answer Hide Answer

D
Reference:
https://cloud.google.com/solutions/best-practices-for-building-containers

chevron rightPrevious Nextchevron right
Email: support@exam-data.com
Copyright © 2023 Exam Data. All rights reserved.
Home Exams
chevron
Public Agreement Privacy Policy Sales and Refunds