Professional Cloud Security Engineer
Page 7 out of 18 pages Questions 61-70 out of 173 questions
Question#61

You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually.
You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.
What should you do?

  • A. Set up an ACL with OWNER permission to a scope of allUsers.
  • B. Set up an ACL with READER permission to a scope of allUsers.
  • C. Set up a default bucket ACL and manage access for users using IAM.
  • D. Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.

A
Reference:
https://cloud.google.com/storage/docs/access-control/lists

Question#62

You are the security admin of your company. Your development team creates multiple GCP projects under the "implementation" folder for several dev, staging, and production workloads. You want to prevent data exfiltration by malicious insiders or compromised code by setting up a security perimeter. However, you do not want to restrict communication between the projects.
What should you do?

  • A. Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.
  • B. Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.
  • C. Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.
  • D. Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.

B

Question#63

You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources.
Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts.
Which two actions should you take? (Choose two.)

  • A. Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity.
  • B. Use the Google Admin console to view which managed users are using a personal account for their recovery email.
  • C. Add users to your managed Google account and force users to change the email addresses associated with their personal accounts.
  • D. Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts.
  • E. Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.

BE

Question#64

You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.
How should you prevent and fix this vulnerability?

  • A. Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.
  • B. Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.
  • C. Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
  • D. Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

D
Reference:
https://cloud.google.com/security-scanner/docs/remediate-findings

Question#65

You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be readable from Project B. You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials.
What should you do?

  • A. Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.
  • B. Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.
  • C. Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.
  • D. Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.

B
Reference:
https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains

Question#66

You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to-know basis to the Human Resources team. What should you do?

  • A. Perform data masking with the Cloud Data Loss Prevention API, and store that data in BigQuery for later use.
  • B. Perform data redaction with the Cloud Data Loss Prevention API, and store that data in BigQuery for later use.
  • C. Perform data inspection with the Cloud Data Loss Prevention API, and store that data in BigQuery for later use.
  • D. Perform tokenization for Pseudonymization with the Cloud Data Loss Prevention API, and store that data in BigQuery for later use.

D
Reference:
https://towardsdatascience.com/bigquery-pii-and-cloud-data-loss-prevention-dlp-take-it-to-the-next-level-with-data-catalog-c47c31bcf677

Question#67

You are a Security Administrator at your organization. You need to restrict service account creation capability within production environments. You want to accomplish this centrally across the organization. What should you do?

  • A. Use Identity and Access Management (IAM) to restrict access of all users and service accounts that have access to the production environment.
  • B. Use organization policy constraints/iam.disableServiceAccountKeyCreation boolean to disable the creation of new service accounts.
  • C. Use organization policy constraints/iam.disableServiceAccountKeyUpload boolean to disable the creation of new service accounts.
  • D. Use organization policy constraints/iam.disableServiceAccountCreation boolean to disable the creation of new service accounts.

D
Reference:
https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts

Question#68

You are the project owner for a regulated workload that runs in a project you own and manage as an Identity and Access Management (IAM) admin. For an upcoming audit, you need to provide access reviews evidence. Which tool should you use?

  • A. Policy Troubleshooter
  • B. Policy Analyzer
  • C. IAM Recommender
  • D. Policy Simulator

A
Reference:
https://cloud.google.com/iam/docs/granting-changing-revoking-access

Question#69

Your organization has implemented synchronization and SAML federation between Cloud Identity and Microsoft Active Directory. You want to reduce the risk of Google Cloud user accounts being compromised. What should you do?

  • A. Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with security keys in the Google Admin console.
  • B. Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with verification codes via text or phone call in the Google Admin console.
  • C. Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with security keys in the Google Admin console.
  • D. Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with verification codes via text or phone call in the Google Admin console.

D
Reference:
https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-introduction

Question#70

You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud.
You want to validate these policy changes before they are enforced. What service should you use?

  • A. Google Cloud Armor's preconfigured rules in preview mode
  • B. Prepopulated VPC firewall rules in monitor mode
  • C. The inherent protections of Google Front End (GFE)
  • D. Cloud Load Balancing firewall rules
  • E. VPC Service Controls in dry run mode

A
Reference:
https://cloud.google.com/architecture/owasp-top-ten-mitigation
