Home Exams
Log In Sign Up
Exams > Google > Professional Cloud Security Engineer
Professional Cloud Security Engineer
Page 2 out of 18 pages Questions 11-20 out of 173 questions
Question#11

While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?

  • A. Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
  • B. Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
  • C. Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
  • D. Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.
Discover Answer Hide Answer

B
Reference:
https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform

Question#12

Your company is using GSuite and has developed an application meant for internal usage on Google App Engine. You need to make sure that an external user cannot gain access to the application even when an employee's password has been compromised.
What should you do?

  • A. Enforce 2-factor authentication in GSuite for all users.
  • B. Configure Cloud Identity-Aware Proxy for the App Engine Application.
  • C. Provision user passwords using GSuite Password Sync.
  • D. Configure Cloud VPN between your private network and GCP.
Discover Answer Hide Answer

D

Question#13

A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in BigQuery.
What technique should the institution use?

  • A. Use Cloud Storage as a federated Data Source.
  • B. Use a Cloud Hardware Security Module (Cloud HSM).
  • C. Customer-managed encryption keys (CMEK).
  • D. Customer-supplied encryption keys (CSEK).
Discover Answer Hide Answer

C
Reference:
https://cloud.google.com/bigquery/docs/encryption-at-rest

Question#14

A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places.
Which Storage solution are they allowed to use?

  • A. Cloud Bigtable
  • B. Cloud BigQuery
  • C. Compute Engine SSD Disk
  • D. Compute Engine Persistent Disk
Discover Answer Hide Answer

B
Reference:
https://cloud.google.com/bigquery/docs/locations

Question#15

A large e-retailer is moving to Google Cloud Platform with its ecommerce website. The company wants to ensure payment information is encrypted between the customer's browser and GCP when the customers checkout online.
What should they do?

  • A. Configure an SSL Certificate on an L7 Load Balancer and require encryption.
  • B. Configure an SSL Certificate on a Network TCP Load Balancer and require encryption.
  • C. Configure the firewall to allow inbound traffic on port 443, and block all other inbound traffic.
  • D. Configure the firewall to allow outbound traffic on port 443, and block all other outbound traffic.
Discover Answer Hide Answer

A

Question#16

Applications often require access to `secrets` - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of `who did what, where, and when?` within their GCP projects.
Which two log streams would provide the information that the administrator is looking for? (Choose two.)

  • A. Admin Activity logs
  • B. System Event logs
  • C. Data Access logs
  • D. VPC Flow logs
  • E. Agent logs
Discover Answer Hide Answer

AC
Reference:
https://cloud.google.com/kms/docs/secret-management

Question#17

You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk.
What should you do?

  • A. Migrate the application into an isolated project using a ג€Lift & Shiftג€ approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
  • B. Migrate the application into an isolated project using a ג€Lift & Shiftג€ approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.
  • C. Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
  • D. Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project. Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
Discover Answer Hide Answer

C

Question#18

Your company has deployed an application on Compute Engine. The application is accessible by clients on port 587. You need to balance the load between the different instances running the application. The connection should be secured using TLS, and terminated by the Load Balancer.
What type of Load Balancing should you use?

  • A. Network Load Balancing
  • B. HTTP(S) Load Balancing
  • C. TCP Proxy Load Balancing
  • D. SSL Proxy Load Balancing
Discover Answer Hide Answer

D
Reference:
https://cloud.google.com/load-balancing/docs/ssl/

Question#19

You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project.
What should you do?

  • A. Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.
  • B. Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.
  • C. In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.
  • D. In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.
Discover Answer Hide Answer

B
Reference:
https://cloud.google.com/compute/docs/images/restricting-image-access

Question#20

Your team needs to prevent users from creating projects in the organization. Only the DevOps team should be allowed to create projects on behalf of the requester.
Which two tasks should your team perform to handle this request? (Choose two.)

  • A. Remove all users from the Project Creator role at the organizational level.
  • B. Create an Organization Policy constraint, and apply it at the organizational level.
  • C. Grant the Project Editor role at the organizational level to a designated group of users.
  • D. Add a designated group of users to the Project Creator role at the organizational level.
  • E. Grant the billing account creator role to the designated DevOps team.
Discover Answer Hide Answer

BD

chevron rightPrevious Nextchevron right
Email: support@exam-data.com
Copyright © 2023 Exam Data. All rights reserved.
Home Exams
chevron
Public Agreement Privacy Policy Sales and Refunds