Google Professional-Cloud-Security-Engineer Exam Practice Test Instant Access

Question 1

You manage a mission-critical workload for your organization, which is in a highly regulated industry The workload uses Compute Engine VMs to analyze and process the sensitive data after it is uploaded to Cloud Storage from the endpomt computers. Your compliance team has detected that this workload does not meet the data protection requirements for sensitive dat

a. You need to meet these requirements;

* Manage the data encryption key (DEK) outside the Google Cloud boundary.

* Maintain full control of encryption keys through a third-party provider.

* Encrypt the sensitive data before uploading it to Cloud Storage

* Decrypt the sensitive data during processing in the Compute Engine VMs

* Encrypt the sensitive data in memory while in use in the Compute Engine VMs

What should you do?

Choose 2 answers

ACreate a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets

BMigrate the Compute Engine VMs to Confidential VMs to access the sensitive data.

CConfigure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage and decrypt the sensitive data after it is downloaded into your VMs

DCreate Confidential VMs to access the sensitive data.

EConfigure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.

Answer : C, D

https://cloud.google.com/confidential-computing/confidential-vm/docs/creating-cvm-instance#considerations

Confidential VM does not support live migration. You can only enable Confidential Computing on a VM when you first create the instance. https://cloud.google.com/confidential-computing/confidential-vm/docs/creating-cvm-instance

Question 2

You have numerous private virtual machines on Google Cloud. You occasionally need to manage the servers through Secure Socket Shell (SSH) from a remote location. You want to configure remote access to the servers in a manner that optimizes security and cost efficiency.

What should you do?

ACreate a site-to-site VPN from your corporate network to Google Cloud.

BConfigure server instances with public IP addresses Create a firewall rule to only allow traffic from your corporate IPs.

CCreate a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range Grant the role of an IAP- secured Tunnel User to the administrators.

DCreate a jump host instance with public IP Manage the instances by connecting through the jump host.

Answer : C

Question 3

Your application is deployed as a highly available cross-region solution behind a global external HTTP(S) load balancer. You notice significant spikes in traffic from multiple IP addresses but it is unknown whether the IPs are malicious. You are concerned about your application's availability. You want to limit traffic from these clients over a specified time interval.

What should you do?

AConfigure a rate_based_ban action by using Google Cloud Armor and set the ban_duration_sec parameter to the specified time interval.

BConfigure a deny action by using Google Cloud Armor to deny the clients that issued too many requests over the specified time interval.

CConfigure a throttle action by using Google Cloud Armor to limit the number of requests per client over a specified time interval.

DConfigure a firewall rule in your VPC to throttle traffic from the identified IP addresses.

Answer : C

Question 4

After completing a security vulnerability assessment, you learned that cloud administrators leave Google Cloud CLI sessions open for days. You need to reduce the risk of attackers who might exploit these open sessions by setting these sessions to the minimum duration.

What should you do?

ASet the session duration for the Google session control to one hour.

BSet the reauthentication frequency (or the Google Cloud Session Control to one hour.

CSet the organization policy constraint
constraints/iam.allowServiceAccountCredentialLifetimeExtension to one hour.

DSet the organization policy constraint constraints/iam. serviceAccountKeyExpiryHours to one
hour and inheritFromParent to false.

Answer : B

Question 5

Your organization s customers must scan and upload the contract and their driver license into a web portal in Cloud Storage. You must remove all personally identifiable information (Pll) from files that are older than 12 months. Also you must archive the anonymized files for retention purposes.

What should you do?

ASet a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PH and moves the files to the archive storage class.

BCreate a Cloud Data Loss Prevention (DLP) inspection job that de-identifies Pll in files created more than 12 months ago and archives them to another Cloud Storage bucket. Delete the original files.

CSchedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys of the Cloud Storage files containing Pll to de-identify them Delete the original keys.

DConfigure the Autoclass feature of the Cloud Storage bucket to de-identify Pll Archive the files that are older than 12 months Delete the original files.

Answer : B

Question 6

Your organization uses the top-tier folder to separate application environments (prod and dev). The developers need to see all application development audit logs but they are not permitted to review production logs. Your security team can review all logs in production and development environments. You must grant Identity and Access Management (1AM) roles at the right resource level tor the developers and security team while you ensure least privilege.

What should you do?

A* 1 Grant logging, viewer rote to the security team at the organization resource level.
* 2 Grant logging, viewer rote to the developer team at the folder resource level that contains all the dev projects.

B* 1 Grant logging. viewer rote to the security team at the organization resource level.
* 2 Grant logging. admin role to the developer team at the organization resource level.

C* 1 Grant logging.admin role to the security team at the organization resource level.
* 2 Grant logging. viewer rote to the developer team at the folder resource level that contains all the dev projects.

D* 1 Grant logging.admin role to the security team at the organization resource level.
* 2 Grant logging.admin role to the developer team at the organization resource level.

Answer : A

Question 7

Your organization recently activated the Security Command Center {SCO standard tier. There are a few Cloud Storage buckets that were accidentally made accessible to the public. You need to investigate the impact of the incident and remediate it.

What should you do?

A* 1 Remove the Identity and Access Management (IAM) granting access to allusers from the buckets
* 2 Apply the organization policy storage. unifromBucketLevelAccess to prevent regressions
* 3 Query the data access logs to report on unauthorized access

B* 1 Change bucket permissions to limit access
* 2 Query the data access audit logs for any unauthorized access to the buckets
* 3 After the misconfiguration is corrected mute the finding in the Security Command Center

C* 1 Change permissions to limit access for authorized users
* 2 Enforce a VPC Service Controls perimeter around all the production projects to immediately stop any unauthorized access
* 3 Review the administrator activity audit logs to report on any unauthorized access

D* 1 Change the bucket permissions to limit access
* 2 Query the buckets usage logs to report on unauthorized access to the data
* 3 Enforce the organization policy storage.publicAccessPrevention to avoid regressions

Answer : B

Google Professional Cloud Security Engineer Exam Practice Test