Google Professional-Cloud-Security-Engineer Exam Practice Test Instant Access

Question 1

Your organization wants to be compliant with the General Data Protection Regulation (GDPR) on Google Cloud You must implement data residency and operational sovereignty in the EU.

What should you do?

Choose 2 answers

ALimit the physical location of a new resource with the Organization Policy Service resource locations
constraint.'

BUse Cloud IDS to get east-west and north-south traffic visibility in the EU to monitor intra-VPC and mter-VPC communication.

CLimit Google personnel access based on predefined attributes such as their citizenship or geographic location by using Key Access Justifications

DUse identity federation to limit access to Google Cloud resources from non-EU entities.

EUse VPC Flow Logs to monitor intra-VPC and inter-VPC traffic in the EU.

Answer : A, C

https://cloud.google.com/architecture/framework/security/data-residency-sovereignty#manage_your_operational_sovereignty

Question 2

Your organization wants to be General Data Protection Regulation (GDPR) compliant You want to ensure that your DevOps teams can only create Google Cloud resources in the Europe regions.

What should you do?

AUse the org policy constraint 'Restrict Resource Service Usage'* on your Google Cloud organization node.

BUse Identity and Access Management (1AM) custom roles to ensure that your DevOps team can only create resources in the Europe regions

CUse the org policy constraint Google Cloud Platform - Resource Location Restriction' on your Google Cloud
organization node.

DUse Identity-Aware Proxy (IAP) with Access Context Manager to restrict the location of Google Cloud resources.

Answer : C

https://cloud.google.com/resource-manager/docs/organization-policy/defining-locations

Question 3

Your organization wants full control of the keys used to encrypt data at rest in their Google Cloud environments. Keys must be generated and stored outside of Google and integrate with many Google Services including BigQuery.

What should you do?

ACreate a Cloud Key Management Service (KMS) key with imported key material Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.

BCreate a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM) Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.

CUse Cloud External Key Management (EKM) that integrates with an external Hardware Security Module
(HSM) system from supported vendors.

DUse customer-supplied encryption keys (CSEK) with keys generated on trusted external systems Provide the raw CSEK as part of the API call.

Answer : C

Cloud EKM allows you to use encryption keys that are stored and managed in a third-party key management system deployed outside of Google's infrastructure. This gives your organization full control over the keys used to encrypt data at rest in Google Cloud environments, including BigQuery.

Question 4

Your customer has an on-premises Public Key Infrastructure (PKI) with a certificate authority (CA). You need to issue certificates for many HTTP load balancer frontends. The on-premises PKI should be minimally affected due to many manual processes, and the solution needs to scale.

What should you do?

AUse Certificate Manager to issue Google managed public certificates and configure it at HTTP the load balancers in your infrastructure as code (laC).

BUse Certificate Manager to import certificates issued from on-premises PKI and for the frontends. Leverage the gcloud tool for importing

CUse a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.

DUse the web applications with PKCS12 certificates issued from subordinate CA based on OpenSSL on-premises Use the gcloud tool for importing. Use the External TCP/UDP Network load balancer instead of an external HTTP Load Balancer.

Answer : C

This approach allows you to leverage your existing on-premises PKI infrastructure while minimizing its impact and manual processes. By creating a subordinate CA in Google's Certificate Authority Service, you can automate the process of issuing certificates for your HTTP load balancer frontends. This solution scales well as the number of load balancers increases.

Question 5

Your organization has on-premises hosts that need to access Google Cloud APIs You must enforce private connectivity between these hosts minimize costs and optimize for operational efficiency

What should you do?

ARoute all on-premises traffic to Google Cloud through an IPsec VPN tunnel to a VPC with Private Google Access enabled.

BSet up VPC peering between the hosts on-premises and the VPC through the internet.

CEnforce a security policy that mandates all applications to encrypt data with a Cloud Key Management. Service (KMS) key before you send it over the network.

DRoute all on-premises traffic to Google Cloud through a dedicated or Partner interconnect to a VPC with Private Google Access enabled.

Answer : D

Question 6

You have a highly sensitive BigQuery workload that contains personally identifiable information (Pll) that you want to ensure is not accessible from the internet. To prevent data exfiltration only requests from authorized IP addresses are allowed to query your BigQuery tables.

What should you do?

AUse service perimeter and create an access level based on the authorized source IP address as the condition.

BUse Google Cloud Armor security policies defining an allowlist of authorized IP addresses at the global HTTPS load balancer.

CUse the Restrict allowed Google Cloud APIs and services organization policy constraint along with Cloud Data Loss Prevention (DLP).

DUse the Restrict Resource service usage organization policy constraint along with Cloud Data Loss Prevention (DLP).

Answer : A

Question 7

You run applications on Cloud Run. You already enabled container analysis for vulnerability scanning. However, you are concerned about the lack of control on the applications that are deployed. You must ensure that only trusted container images are deployed on Cloud Run.

What should you do?

Choose 2 answers

AEnable Binary Authorization on the existing Kubernetes cluster.

BSet the organization policy constraint constraints/run. allowedBinaryAuthorizationPolicie to
the list of allowed Binary Authorization policy names.

CSet the organization policy constraint constraints/compute.trustedimageProjects to the list of
protects that contain the trusted container images.

DEnable Binary Authorization on the existing Cloud Run service.

EUse Cloud Run breakglass to deploy an image that meets the Binary Authorization policy by default.

Answer : B, D

Google Professional Cloud Security Engineer Exam Practice Test