How Many Questions Of Professional-Cloud-Security-Engineer Pdf

NEW QUESTION 1
A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects.
Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources.
Which type of access should your team grant to meet this requirement?

• A. Organization Administrator
• B. Security Reviewer
• C. Organization Role Administrator
• D. Organization Policy Administrator

Answer: C

NEW QUESTION 2
Applications often require access to “secrets” - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of “who did what, where, and when?” within their GCP projects.
Which two log streams would provide the information that the administrator is looking for? (Choose two.)

• A. Admin Activity logs
• B. System Event logs
• C. Data Access logs
• D. VPC Flow logs
• E. Agent logs

Answer: AC

NEW QUESTION 3
Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?

• A. ISO 27001
• B. ISO 27002
• C. ISO 27017
• D. ISO 27018

Answer: C

Explanation:
Create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.

NEW QUESTION 4
A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery
What should you do?

• A. Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.
• B. Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.
• C. Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.
• D. Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.

Answer: D

NEW QUESTION 5
In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.)

• A. Hardware
• B. Network Security
• C. Storage Encryption
• D. Access Policies
• E. Boot

Answer: CD

NEW QUESTION 6
Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.
What should your team grant to Engineering Group A to meet this requirement?

• A. Compute Network User Role at the host project level.
• B. Compute Network User Role at the subnet level.
• C. Compute Shared VPC Admin Role at the host project level.
• D. Compute Shared VPC Admin Role at the service project level.

Answer: C

NEW QUESTION 7
Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation.
What should you do?

• A. Store the data in a single Persistent Disk, and delete the disk at expiration time.
• B. Store the data in a single BigQuery table and set the appropriate table expiration time.
• C. Store the data in a single Cloud Storage bucket and configure the bucket’s Time to Live.
• D. Store the data in a single BigTable table and set an expiration time on the column families.

Answer: B

NEW QUESTION 8
Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?

• A. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM projec
• B. 2. Subscribe SIEM to the topic.
• C. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM projec
• D. 2. Process Cloud Storage objects in SIEM.
• E. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM projec
• F. 2. Subscribe SIEM to the topic.
• G. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each projec
• H. 2. Process Cloud Storage objects in SIEM.

Answer: B

NEW QUESTION 9
A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities.
Which service should be used to accomplish this?

• A. Cloud Armor
• B. Google Cloud Audit Logs
• C. Cloud Security Scanner
• D. Forseti Security

Answer: C

NEW QUESTION 10
A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.
Which two approaches can you take to meet the requirements? (Choose two.)

• A. Configure the project with Cloud VPN.
• B. Configure the project with Shared VPC.
• C. Configure the project with Cloud Interconnect.
• D. Configure the project with VPC peering.
• E. Configure all Compute Engine instances with Private Access.

Answer: DE

NEW QUESTION 11
A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?

• A. VPC Flow Logs
• B. Cloud Armor
• C. DNS Security Extensions
• D. Cloud Identity-Aware Proxy

Answer: C

NEW QUESTION 12
A customer wants to deploy a large number of 3-tier web applications on Compute Engine.
How should the customer ensure authenticated network separation between the different tiers of the application?

• A. Run each tier in its own Project, and segregate using Project labels.
• B. Run each tier with a different Service Account (SA), and use SA-based firewall rules.
• C. Run each tier in its own subnet, and use subnet-based firewall rules.
• D. Run each tier with its own VM tags, and use tag-based firewall rules.

Answer: C

NEW QUESTION 13
Last week, a company deployed a new App Engine application that writes logs to BigQuery. No other workloads are running in the project. You need to validate that all data written to BigQuery was done using the App Engine Default Service Account.
What should you do?

• A. * 1. Use StackDriver Logging and filter on BigQuery Insert Jobs.* 2. Click on the email address in line with the App Engine Default Service Account in the authentication field.* 3. Click Hide Matching Entrie
• B. * 4. Make sure the resulting list is empty.
• C. * 1. Use StackDriver Logging and filter on BigQuery Insert Jobs.* 2. Click on the email address in line with the App Engine Default Service Account in the authentication field.* 3. Click Show Matching Entrie
• D. * 4. Make sure the resulting list is empty.
• E. * 1. In BigQuery, select the related dataset.* 2. Make sure the App Engine Default Service Account is the only account that can write to the dataset.
• F. * 1. Go to the IAM section on the project.* 2. Validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery.

Answer: C

NEW QUESTION 14
A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can only be accessed by someone on the corporate network. The customer wants to make it available over the internet. Your team requires an authentication layer in front of the application that supports two-factor authentication
Which GCP product should the customer implement to meet these requirements?

• A. Cloud Identity-Aware Proxy
• B. Cloud Armor
• C. Cloud Endpoints
• D. Cloud VPN

Answer: D

NEW QUESTION 15
Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service. Your team wants to manage permissions by AD group membership.
What should your team do to meet these requirements?

• A. Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.
• B. Set up SAML 2.0 Single Sign-On (SSO), and assign IAM permissions to the groups.
• C. Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory.
• D. Use the Admin SDK to create groups and assign IAM permissions from Active Directory.

Answer: B

NEW QUESTION 16
Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.
What should you do?

• A. Use the Cloud Key Management Service to manage a data encryption key (DEK).
• B. Use the Cloud Key Management Service to manage a key encryption key (KEK).
• C. Use customer-supplied encryption keys to manage the data encryption key (DEK).
• D. Use customer-supplied encryption keys to manage the key encryption key (KEK).

Answer: A

NEW QUESTION 17
A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means.
Which connectivity option should be implemented?

• A. VPC peering
• B. Cloud VPN
• C. Cloud Interconnect
• D. Shared VPC

Answer: B

NEW QUESTION 18
A retail customer allows users to upload comments and product reviews. The customer needs to make sure the text does not include sensitive data before the comments or reviews are published.
Which Google Cloud Service should be used to achieve this?

• A. Cloud Key Management Service
• B. Cloud Data Loss Prevention API
• C. BigQuery
• D. Cloud Security Scanner

Answer: D

NEW QUESTION 19
A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer’s internal compliance requirements dictate that end-user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP’s native SYN flood protection.
Which product should be used to meet these requirements?

• A. Cloud Armor
• B. VPC Firewall Rules
• C. Cloud Identity and Access Management
• D. Cloud CDN

Answer: A

NEW QUESTION 20
......