Home Exams
Log In Sign Up
Exams > Google > Professional Cloud Security Engineer
Professional Cloud Security Engineer
Page 4 out of 18 pages Questions 31-40 out of 173 questions
Question#31

For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on `in-scope` Nodes only. These Nodes can only contain the
`in-scope` Pods.
How should the organization achieve this objective?

  • A. Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.
  • B. Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.
  • C. Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.
  • D. Run all in-scope Pods in the namespace ג€in-scope-pciג€.
Discover Answer Hide Answer

C

Question#32

In an effort for your company messaging app to comply with FIPS 140-2, a decision was made to use GCP compute and network services. The messaging app architecture includes a Managed Instance Group (MIG) that controls a cluster of Compute Engine instances. The instances use Local SSDs for data caching and
UDP for instance-to-instance communications. The app development team is willing to make any changes necessary to comply with the standard
Which options should you recommend to meet the requirements?

  • A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.
  • B. Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.
  • C. Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections.
  • D. Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.
Discover Answer Hide Answer

D

Question#33

A customer has an analytics workload running on Compute Engine that should have limited internet access.
Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.
The Compute Engine instances now need to reach out to the public repository to get security updates.
What should your team do?

  • A. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.
  • B. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.
  • C. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.
  • D. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.
Discover Answer Hide Answer

C

Question#34

You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS). Cloud Identity and Access
Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys.
What should you do?

  • A. Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the Key level.
  • B. Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the KeyRing level.
  • C. Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the Key level.
  • D. Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the KeyRing level.
Discover Answer Hide Answer

C

Question#35

A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?

  • A. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.
  • B. Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.
  • C. On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.
  • D. On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.
Discover Answer Hide Answer

C

Question#36

A customer terminates an engineer and needs to make sure the engineer's Google account is automatically deprovisioned.
What should the customer do?

  • A. Use the Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity.
  • B. Use the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity.
  • C. Configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity.
  • D. Configure Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity.
Discover Answer Hide Answer

C

Question#37

An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well-established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the `source of truth` directory for identities.
Which solution meets the organization's requirements?

  • A. Google Cloud Directory Sync (GCDS)
  • B. Cloud Identity
  • C. Security Assertion Markup Language (SAML)
  • D. Pub/Sub
Discover Answer Hide Answer

B
Reference:
https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction

Question#38

Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?

  • A. ISO 27001
  • B. ISO 27002
  • C. ISO 27017
  • D. ISO 27018
Discover Answer Hide Answer

C
Create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.

Question#39

You will create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.
What should you do?

  • A. Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.
  • B. Create a custom role with the permission compute.instances.list and grant the Service Account this role.
  • C. Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.
  • D. Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.
Discover Answer Hide Answer

A

Question#40

In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.)

  • A. Hardware
  • B. Network Security
  • C. Storage Encryption
  • D. Access Policies
  • E. Boot
Discover Answer Hide Answer

CD

chevron rightPrevious Nextchevron right
Email: support@exam-data.com
Copyright © 2024 Exam Data. All rights reserved.
Home Exams
chevron
Public Agreement Privacy Policy Sales and Refunds