Google Professional-Cloud-Security-Engineer Deluxe Study Guide with Online Test Engine [Q55-Q80]


Professional-Cloud-Security-Engineer dumps review - Professional Quiz Study Materials


Google Professional Cloud Security Engineer Exam Cover Topics

Candidates should know the exam topics before they start preparing, because it helps them focus on what matters. Our Google Professional Cloud Security Engineer exam dumps cover the following topics:

  • Configuring access within a cloud solution environment
  • Ensuring data protection
  • Ensuring compliance
  • Configuring network security
  • Management of operations in a cloud solution environment

 

NEW QUESTION 55
You will create a new Service Account that should be able to list the Compute Engine instances in the project.
You want to follow Google-recommended practices.
What should you do?

  • A. Create a custom role with the permission compute.instances.list and grant the Service Account this role.
  • B. Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.
  • C. Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.
  • D. Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.

Answer: B

 

NEW QUESTION 56
You are responsible for implementing a payment processing environment that will use Kubernetes and need to apply proper security controls. What should you do?

  • A. Require file integrity monitoring and antivirus scans of pods and nodes.
  • B. Activate a firewall to prevent all egress traffic.
  • C. Establish minimum password length requirements for all systems.
  • D. Implement and enforce two-factor authentication.

Answer: A

Explanation:
A. Is not correct because this solution is not specific to Kubernetes.
B. Is not correct because this would render the environment non-functional.
C. Is not correct because this solution is not specific to Kubernetes.
D. Is correct because this is a requirement of PCI DSS in Sections 5 and 11.

 

NEW QUESTION 57
A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?

  • A. DNS Security Extensions
  • B. Cloud Identity-Aware Proxy
  • C. Cloud Armor
  • D. VPC Flow Logs

Answer: A

 

NEW QUESTION 58
You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.
What should you do?

  • A. Use only applications certified compliant with PA-DSS.
  • B. Use VPN for all connections between your office and cloud environments.
  • C. Use multi-factor authentication for admin access to the web application.
  • D. Move the cardholder data environment into a separate GCP project.

Answer: B

Explanation:
Explanation/Reference: https://cloud.google.com/solutions/pci-dss-compliance-in-gcp

 

NEW QUESTION 59
In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.
Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)

  • A. Cloud Functions
  • B. Compute Engine
  • C. Cloud Storage
  • D. App Engine
  • E. Google Kubernetes Engine

Answer: B,D

Explanation:
Reference:
https://cloud.google.com/solutions/pci-dss-compliance-in-gcp

 

NEW QUESTION 60
Applications often require access to "secrets": small pieces of sensitive data needed at build or run time.
The administrator managing these secrets on GCP wants to keep a track of "who did what, where, and when?" within their GCP projects.
Which two log streams would provide the information that the administrator is looking for?
(Choose two.)

  • A. VPC Flow logs
  • B. Data Access logs
  • C. Admin Activity logs
  • D. Agent logs
  • E. System Event logs

Answer: B,C

Explanation:
https://cloud.google.com/kms/docs/secret-management

 

NEW QUESTION 61
Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application. The solution has the following requirements:
Scans must run at least once per week
Must be able to detect cross-site scripting vulnerabilities
Must be able to authenticate using Google accounts
Which solution should you use?

  • A. Web Security Scanner
  • B. Security Health Analytics
  • C. Container Threat Detection
  • D. Google Cloud Armor

Answer: A

 

NEW QUESTION 62
In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.
Which two cloud offerings meet this requirement without additional compensating controls?
(Choose two.)

  • A. Cloud Functions
  • B. Compute Engine
  • C. Cloud Storage
  • D. App Engine
  • E. Google Kubernetes Engine

Answer: B,D

Explanation:
https://cloud.google.com/solutions/pci-dss-compliance-in-gcp

 

NEW QUESTION 63
You want to use the gcloud command-line tool to authenticate using a third-party single sign-on (SSO) SAML identity provider. Which options are necessary to ensure that authentication is supported by the third-party identity provider (IdP)? (Choose two.)

  • A. OpenID Connect
  • B. Identity Platform
  • C. Identity-Aware Proxy
  • D. Cloud Identity
  • E. SSO SAML as a third-party IdP

Answer: A,E

 

NEW QUESTION 64
You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the input data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.
How should you prevent and fix this vulnerability?

  • A. Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
  • B. Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.
  • C. Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.
  • D. Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

Answer: B

 

NEW QUESTION 65
A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in BigQuery.
What technique should the institution use?

  • A. Use a Cloud Hardware Security Module (Cloud HSM).
  • B. Use Cloud Storage as a federated Data Source.
  • C. Customer-supplied encryption keys (CSEK).
  • D. Customer-managed encryption keys (CMEK).

Answer: D

Explanation:
Explanation/Reference: https://cloud.google.com/bigquery/docs/encryption-at-rest

 

NEW QUESTION 66
A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?

  • A. On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.
  • B. On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.
  • C. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.
  • D. Upload the logs to both the shared bucket and the bucket only accessible by the administrator.
    Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.

Answer: A

 

NEW QUESTION 67
You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project. How should you make an exception for your partner's domain while following the stated best practices?

  • A. Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.
  • B. Turn off the domain restriction sharing organization policy. Set the policy value to "Allow All."
  • C. Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.
  • D. Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.

Answer: C

 

NEW QUESTION 68
A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location.
How should the company accomplish this?

  • A. Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.
  • B. Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.
  • C. Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.
  • D. Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.

Answer: A

 

NEW QUESTION 69
You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account.
What should you do?

  • A. Query Data Access logs.
  • B. Query Stackdriver Monitoring Workspace.
  • C. Query Access Transparency logs.
  • D. Query Admin Activity logs.

Answer: A

Explanation:
Reference:
https://cloud.google.com/iam/docs/audit-logging/examples-service-accounts

 

NEW QUESTION 70
Your company is deploying their applications on Google Kubernetes Engine. You want to follow Google-recommended practices. What should you do to ensure that the container images used for new deployments contain the latest security patches?

  • A. Use an update script as part of every container image startup.
  • B. Use exclusively private images in Container Registry.
  • C. Use Container Analysis to detect vulnerabilities in images.
  • D. Use Google-managed base images for all containers.

Answer: D

Explanation:
A is correct because Managed base images are base container images that are automatically patched by Google for security vulnerabilities, using the most recent patches available from the project upstream (for example, GitHub).
B is not correct because Container Analysis does not patch the images.
C is not correct because while an update script may help patch on startup, this will significantly increase the amount of time it takes for the instance to become ready for serving workloads.
D is not correct because private images also go out of date and need to be patched manually by the customer.
https://cloud.google.com/container-registry/docs/managed-base-images

 

NEW QUESTION 71
You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.
What should you do?

  • A. Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.
  • B. Set up a default bucket ACL and manage access for users using IAM.
  • C. Set up an ACL with OWNER permission to a scope of allUsers.
  • D. Set up an ACL with READER permission to a scope of allUsers.

Answer: C

 

NEW QUESTION 72
You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your Google Cloud VPCs based on packet header information. However, you want the capability to explore network flows and their payload to aid investigations. Which Google Cloud product should you use?

  • A. Packet Mirroring
  • B. Marketplace IDS
  • C. Google Cloud Armor Deep Packet Inspection
  • D. VPC Service Controls logs
  • E. VPC Flow Logs

Answer: A

 

NEW QUESTION 73
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.
Which GCP solution should the organization use?

  • A. Compute Engine Virtual Machines using Persistent Disk via Cloud Interconnect
  • B. Cloud Storage using a scheduled task and gsutil via Cloud Interconnect
  • C. BigQuery using a data pipeline job with continuous updates via Cloud VPN
  • D. Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN

Answer: B

Explanation:
Explanation/Reference: https://cloud.google.com/solutions/migration-to-google-cloud-building-your-foundation

 

NEW QUESTION 74
A customer needs to rely on their existing user directory with the requirements of native authentication against it when developing for Google Cloud Platform (GCP). They want to leverage their existing tooling and functionality to gather insight on user activity from a familiar interface. Which action should you take to meet the customer's requirements?

  • A. Configure Cloud Identity as a SAML 2.0 Service Provider, using the customer's User Directory as the Identity Provider.
  • B. Configure a third-party IdP (Okta or Ping Federate) to manage authentication.
  • C. Configure and enforce 2-Step Verification in Cloud Identity for all Super Admins.
  • D. Provision users into Cloud Identity using Just-in-Time SAML 2.0 user provisioning with the customer User Directory as source.

Answer: A

Explanation:
A is not correct because the client wants to continue using their existing directory.
B is correct because it lets the client use their current user directory as the source of truth and authenticate against it, while using Cloud Identity as their SAML broker.
C is not correct because it adds protection to the super admin account but doesn't address the use case.
D is not correct because it proposes a non-native solution and doesn't address the use case.
https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform
https://support.google.com/a/answer/60224

 

NEW QUESTION 75
While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?

  • A. Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
  • B. Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
  • C. Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.
  • D. Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.

Answer: A

Explanation:
Explanation/Reference: https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform

 

NEW QUESTION 76
When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)

  • A. Package a single app as a container.
  • B. Use many container image layers to hide sensitive information.
  • C. Remove any unnecessary tools not needed by the app.
  • D. Use public container images as a base image for the app.
  • E. Ensure that the app does not run as PID 1.

Answer: A,C

Explanation:
Reference:
https://cloud.google.com/solutions/best-practices-for-building-containers

 

NEW QUESTION 77
You want to prevent users from accidentally deleting a Shared VPC host project. Which organization-level policy constraint should you enable?

  • A. compute.sharedReservationsOwnerProjects
  • B. compute.restrictSharedVpcHostProjects
  • C. compute.restrictXpnProjectLienRemoval
  • D. compute.restrictSharedVpcSubnetworks

Answer: C

 

NEW QUESTION 78
Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.
How should your team meet these requirements?

  • A. Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
  • B. Set up a VPC network with two subnets: one with public IPs and one without public IPs.
  • C. Remove the Editor role and grant the Compute Admin IAM role to the engineers.
  • D. Enable Private Access on the VPC network in the production project.

Answer: A

Explanation:
Reference:
https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address

 

NEW QUESTION 79
A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs.
What should you do?

  • A. Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.
  • B. Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.
  • C. Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.
  • D. Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.

Answer: C

 

NEW QUESTION 80
......


Conclusion

Cloud-centered services have been in high demand in recent years, hence the need for professional cloud computing experts who can leverage these solutions. And this is not expected to change anytime soon if recent statistics are anything to go by. With digital attacks posing a growing concern to established corporations every day, it's easy to see why every institution now wants to work with competent cloud security professionals.

In other words, this is the perfect time to get into a new role as a cloud security engineer. And if that’s the case, passing the Google Professional Cloud Security Engineer exam and earning the corresponding certification is mandatory. Just refer to credible study materials like those mentioned above, and this achievement will help streamline your career and give you the upper hand when eyeing new roles in this field.


There are 3 study programs available that you can use to prepare for the test. Also, Google provides tons of skill badges that you can complete to verify your competence in implementing cloud security concepts at this level. We will be covering all of them below:

1. Google Cloud Fundamentals: Core Infrastructure

This course will help you build an important foundation for working with popular computing and storage devices in Google Cloud efficiently. These include Google Kubernetes, Cloud SQL, Cloud Storage, BigQuery, App Engine, and Compute Engine. Besides, this training option will also provide important coverage of resource and policy management tools such as Cloud Identity and Access Management and the Resource Manager hierarchy. If you are experienced in working with Azure or AWS and now looking to switch to Google Cloud, this course will be the best tool to ease the transition.

 

Exam Questions Answers Braindumps Professional-Cloud-Security-Engineer Exam Dumps PDF Questions: https://www.braindumpspass.com/Google/Professional-Cloud-Security-Engineer-practice-exam-dumps.html

Professional-Cloud-Security-Engineer Test Prep Training Practice Exam Questions Practice Tests: https://drive.google.com/open?id=1-3eubGDMM9KLR0MUVV3i6di9PFUN9Zdo