Google Professional Cloud Security Engineer Exam Practice Test Instant Access

Question 1

You manage a mission-critical workload for your organization, which is in a highly regulated industry The workload uses Compute Engine VMs to analyze and process the sensitive data after it is uploaded to Cloud Storage from the endpomt computers. Your compliance team has detected that this workload does not meet the data protection requirements for sensitive dat

a. You need to meet these requirements;

* Manage the data encryption key (DEK) outside the Google Cloud boundary.

* Maintain full control of encryption keys through a third-party provider.

* Encrypt the sensitive data before uploading it to Cloud Storage

* Decrypt the sensitive data during processing in the Compute Engine VMs

* Encrypt the sensitive data in memory while in use in the Compute Engine VMs

What should you do?

Choose 2 answers

ACreate a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets

BMigrate the Compute Engine VMs to Confidential VMs to access the sensitive data.

CConfigure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage and decrypt the sensitive data after it is downloaded into your VMs

DCreate Confidential VMs to access the sensitive data.

EConfigure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.

Answer : C, D

https://cloud.google.com/confidential-computing/confidential-vm/docs/creating-cvm-instance#considerations

Confidential VM does not support live migration. You can only enable Confidential Computing on a VM when you first create the instance. https://cloud.google.com/confidential-computing/confidential-vm/docs/creating-cvm-instance

Question 2

Employees at your company use their personal computers to access your organization s Google Cloud console. You need to ensure that users can only access the Google Cloud console from their corporate-issued devices and verify that they have a valid enterprise certificate

What should you do?

AImplement an Identity and Access Management (1AM) conditional policy to verify the device certificate

BImplement a VPC firewall policy Activate packet inspection and create an allow rule to validate and verify the device certificate.

CImplement an organization policy to verify the certificate from the access context.

DImplement an Access Policy in BeyondCorp Enterprise to verify the device certificate Create an access binding with the access policy just created.

Answer : D

https://cloud.google.com/beyondcorp?hl=pt-br

Question 3

You manage a fleet of virtual machines (VMs) in your organization. You have encountered issues with lack of patching in many VMs. You need to automate regular patching in your VMs and view the patch management data across multiple projects.

What should you do?

Choose 2 answers

ADeploy patches with VM Manager by using OS patch management

BView patch management data in VM Manager by using OS patch management.

CDeploy patches with Security Command Center by using Rapid Vulnerability Detection.

DView patch management data in a Security Command Center dashboard.

EView patch management data in Artifact Registry.

Answer : A, B

https://cloud.google.com/compute/docs/os-patch-management

Question 4

Your organization operates Virtual Machines (VMs) with only private IPs in the Virtual Private Cloud (VPC) with internet access through Cloud NAT Everyday, you must patch all VMs with critical OS updates and provide summary reports

What should you do?

AValidate that the egress firewall rules allow any outgoing traffic Log in to each VM and execute OS specific update commands Configure the Cloud Scheduler job to update with critical patches daily for daily updates.

BEnsure that VM Manager is installed and running on the VMs. In the OS patch management service. configure the patch jobs to update with critical patches daily.

CAssign public IPs to VMs. Validate that the egress firewall rules allow any outgoing traffic Log in to each VM. and configure a daily cron job to enable for OS updates at night during low activity periods.

DCopy the latest patches to the Cloud Storage bucket. Log in to each VM. download the patches from the bucket, and install them.

Answer : B

VM Manager is a suite of tools that can be used to manage operating systems for large virtual machine (VM) fleets running Windows and Linux on Compute Engine. It helps drive efficiency through automation and reduces the operational burden of maintaining these VM fleets. VM Manager includes several services such as OS patch management, OS inventory management, and OS configuration management. By using VM Manager, you can apply patches, collect operating system information, and install, remove, or auto-update software packages. The suite provides a high level of control and automation for managing large VM fleets on Google Cloud.

https://cloud.google.com/compute/docs/vm-manager

Question 5

Your organization uses BigQuery to process highly sensitive, structured datasets. Following the "need to know" principle, you need to create the Identity and Access Management (IAM) design to meet the needs of these users:

* Business user must access curated reports.

* Data engineer: must administrate the data lifecycle in the platform.

* Security operator: must review user activity on the data platform.

What should you do?

AConfigure data access log for BigQuery services, and grant Project Viewer role to security operators.

BGenerate a CSV data file based on the business user's needs, and send the data to their email addresses.

CCreate curated tables in a separate dataset and assign the role roles/bigquery.dataViewer.

DSet row-based access control based on the 'region' column, and filter the record from the United States for data engineers.

Answer : C

This option directly addresses the needs of the business user who must access curated reports. By creating curated tables in a separate dataset, you can control access to specific data. Assigning the roles/bigquery.dataViewer role allows the business user to view the data in BigQuery.

Question 6

You define central security controls in your Google Cloud environment for one of the folders in your organization you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later you receive an alert about a new VM with an external IP address under that folder.

What could have caused this alert?

AThe VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.

BThe organizational policy constraint wasn't properly enforced and is running in 'dry run mode.

CAt project level, the organizational policy control has been overwritten with an 'allow' value.

DThe policy constraint on the folder level does not have any effect because of an allow' value for that constraint on the organizational level.

Answer : A

Question 7

Your organization is moving virtual machines (VMs) to Google Cloud. You must ensure that operating system images that are used across your projects are trusted and meet your security requirements.

What should you do?

AImplement an organization policy to enforce that boot disks can only be created from images that come from the trusted image project.

BCreate a Cloud Function that is automatically triggered when a new virtual machine is created from the trusted image repository Verify that the image is not deprecated.

CImplement an organization policy constraint that enables the Shielded VM service on all projects to enforce the trusted image repository usage.

DAutomate a security scanner that verifies that no common vulnerabilities and exposures (CVEs) are present in your trusted image repository.

Answer : D