Professional Cloud Security Engineer
Question 26
You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your Google Cloud VPCs based on packet header information. However, you want the capability to explore network flows and their payload to aid investigations. Which Google Cloud product should you use?
- A: Marketplace IDS
- B: VPC Flow Logs
- C: VPC Service Controls logs
- D: Packet Mirroring
- E: Google Cloud Armor Deep Packet Inspection
Question 27
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements:
- Only allows communication between the Web and App tiers.
- Enforces consistent network security when autoscaling the Web and App tiers.
- Prevents Compute Engine Instance Admins from altering network traffic.
What should you do?
- A: 1. Configure all running Web and App servers with respective network tags. 2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.
- B: 1. Configure all running Web and App servers with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.
- C: 1. Re-deploy the Web and App servers with instance templates configured with respective network tags. 2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.
- D: 1. Re-deploy the Web and App servers with instance templates configured with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.
Question 28
You need to connect your organization's on-premises network with an existing Google Cloud environment that includes one Shared VPC with two subnets named Production and Non-Production. You are required to:
- Use a private transport link.
- Configure access to Google Cloud APIs through private API endpoints originating from on-premises environments.
- Ensure that Google Cloud APIs are only consumed via VPC Service Controls.
What should you do?
- A: 1. Set up a Cloud VPN link between the on-premises environment and Google Cloud. 2. Configure private access using the restricted.googleapis.com domains in on-premises DNS configurations.
- B: 1. Set up a Partner Interconnect link between the on-premises environment and Google Cloud. 2. Configure private access using the private.googleapis.com domains in on-premises DNS configurations.
- C: 1. Set up a Direct Peering link between the on-premises environment and Google Cloud. 2. Configure private access for both VPC subnets.
- D: 1. Set up a Dedicated Interconnect link between the on-premises environment and Google Cloud. 2. Configure private access using the restricted.googleapis.com domains in on-premises DNS configurations.
Question 29
You are working with protected health information (PHI) for an electronic health record system. The privacy officer is concerned that sensitive data is stored in the analytics system. You are tasked with anonymizing the sensitive data in a way that is not reversible. Also, the anonymized data should not preserve the character set and length. Which Google Cloud solution should you use?
- A: Cloud Data Loss Prevention with deterministic encryption using AES-SIV
- B: Cloud Data Loss Prevention with format-preserving encryption
- C: Cloud Data Loss Prevention with cryptographic hashing
- D: Cloud Data Loss Prevention with Cloud Key Management Service wrapped cryptographic keys
Question 30
You are setting up a CI/CD pipeline to deploy containerized applications to your production clusters on Google Kubernetes Engine (GKE). You need to prevent containers with known vulnerabilities from being deployed. You have the following requirements for your solution:
- Must be cloud-native
- Must be cost-efficient
- Minimize operational overhead
How should you accomplish this? (Choose two.)
- A: Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.
- B: Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.
- C: Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.
- D: Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.
- E: In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.
Question 31
Which type of load balancer should you use to maintain client IP by default while using the standard network tier?
- A: SSL Proxy
- B: TCP Proxy
- C: Internal TCP/UDP
- D: TCP/UDP Network
Question 32
You want to prevent users from accidentally deleting a Shared VPC host project. Which organization-level policy constraint should you enable?
- A: compute.restrictSharedVpcHostProjects
- B: compute.restrictXpnProjectLienRemoval
- C: compute.restrictSharedVpcSubnetworks
- D: compute.sharedReservationsOwnerProjects
Question 33
Users are reporting an outage on your public-facing application that is hosted on Compute Engine. You suspect that a recent change to your firewall rules is responsible. You need to test whether your firewall rules are working properly. What should you do?
- A: Enable Firewall Rules Logging on the latest rules that were changed. Use Logs Explorer to analyze whether the rules are working correctly.
- B: Connect to a bastion host in your VPC. Use a network traffic analyzer to determine at which point your requests are being blocked.
- C: In a pre-production environment, disable all firewall rules individually to determine which one is blocking user traffic.
- D: Enable VPC Flow Logs in your VPC. Use Logs Explorer to analyze whether the rules are working correctly.
Question 34
You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project. How should you make an exception for your partner's domain while following the stated best practices?
- A: Turn off the domain restriction sharing organization policy. Set the policy value to "Allow All."
- B: Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.
- C: Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.
- D: Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.
Question 35
A customer's data science group wants to use Google Cloud Platform (GCP) for their analytics workloads. Company policy dictates that all data must be company-owned and all user authentications must go through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and realized that their domain was already being used by G Suite.
How should you best advise the Systems Engineer to proceed with the least disruption?
- A: Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.
- B: Register a new domain name, and use that for the new Cloud Identity domain.
- C: Ask Google to provision the data science manager's account as a Super Administrator in the existing domain.
- D: Ask the customer's management to discover any other uses of Google managed services, and work with the existing Super Administrator.
Question 36
You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application's backend. What are two requirements for using Google Cloud Armor security policies? (Choose two.)
- A: The load balancer must be an external SSL proxy load balancer.
- B: Google Cloud Armor Policy rules can only match on Layer 7 (L7) attributes.
- C: The load balancer must use the Premium Network Service Tier.
- D: The backend service's load balancing scheme must be EXTERNAL.
- E: The load balancer must be an external HTTP(S) load balancer.
Question 37
You perform a security assessment on a customer architecture and discover that multiple VMs have public IP addresses. After providing a recommendation to remove the public IP addresses, you are told those VMs need to communicate to external sites as part of the customer's typical operations. What should you recommend to reduce the need for public IP addresses in your customer's VMs?
- A: Google Cloud Armor
- B: Cloud NAT
- C: Cloud Router
- D: Cloud VPN
Question 38
You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources. Your export must meet the following requirements:
- Export related logs for all projects in the Google Cloud organization.
- Export logs in near real-time to an external SIEM.
What should you do? (Choose two.)
- A: Create a Log Sink at the organization level with a Pub/Sub destination.
- B: Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.
- C: Enable Data Access audit logs at the organization level to apply to all projects.
- D: Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.
- E: Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.
Question 39
Your company's Chief Information Security Officer (CISO) creates a requirement that business data must be stored in specific locations due to regulatory requirements that affect the company's global expansion plans. After working on the details to implement this requirement, you determine the following:
- The services in scope are included in the Google Cloud Data Residency Terms.
- The business data remains within specific locations under the same organization.
- The folder structure can contain multiple data residency locations.
You plan to use the Resource Location Restriction organization policy constraint. At which level in the resource hierarchy should you set the constraint?
- A: Folder
- B: Resource
- C: Project
- D: Organization
Question 40
You need to set up a Cloud Interconnect connection between your company's on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?
- A: Enable Private Google Access on the regional subnets and global dynamic routing mode.
- B: Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud Interconnect connection.
- C: Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.
- D: Use restricted.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.
Question 41
You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive data. Your solution has the following requirements:
- Schedule key rotation for sensitive data.
- Control which region the encryption keys for sensitive data are stored in.
- Minimize the latency to access encryption keys for both sensitive and non-sensitive data.
What should you do?
- A: Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
- B: Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.
- C: Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
- D: Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.
Question 42
Your security team uses encryption keys to ensure confidentiality of user data. You want to establish a process to reduce the impact of a potentially compromised symmetric encryption key in Cloud Key Management Service (Cloud KMS).
Which steps should your team take before an incident occurs? (Choose two.)
- A: Disable and revoke access to compromised keys.
- B: Enable automatic key version rotation on a regular schedule.
- C: Manually rotate key versions on an ad hoc schedule.
- D: Limit the number of messages encrypted with each key version.
- E: Disable the Cloud KMS API.
Question 43
Your company's chief information security officer (CISO) is requiring business data to be stored in specific locations due to regulatory requirements that affect the company's global expansion plans. After working on a plan to implement this requirement, you determine the following:
- The services in scope are included in the Google Cloud data residency requirements.
- The business data remains within specific locations under the same organization.
- The folder structure can contain multiple data residency locations.
- The projects are aligned to specific locations.
You plan to use the Resource Location Restriction organization policy constraint with very granular control. At which level in the hierarchy should you set the constraint?
- A: Organization
- B: Resource
- C: Project
- D: Folder
Question 44
A database administrator notices malicious activities within their Cloud SQL instance. The database administrator wants to monitor the API calls that read the configuration or metadata of resources. Which logs should the database administrator review?
- A: Admin Activity
- B: System Event
- C: Access Transparency
- D: Data Access
Question 45
You are backing up application logs to a shared Cloud Storage bucket that is accessible to both the administrator and analysts. Analysts should not have access to logs that contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible to the administrator. What should you do?
- A: Upload the logs to both the shared bucket and the bucket with PII that is only accessible to the administrator. Use the Cloud Data Loss Prevention API to create a job trigger. Configure the trigger to delete any files that contain PII from the shared bucket.
- B: On the shared bucket, configure Object Lifecycle Management to delete objects that contain PII.
- C: On the shared bucket, configure a Cloud Storage trigger that is only triggered when PII is uploaded. Use Cloud Functions to capture the trigger and delete the files that contain PII.
- D: Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect PII, have the function move the objects into the shared Cloud Storage bucket.
Question 46
A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects.
Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources.
Which type of access should your team grant to meet this requirement?
- A: Organization Administrator
- B: Security Reviewer
- C: Organization Role Administrator
- D: Organization Policy Administrator
Question 47
You work for an organization in a regulated industry that has strict data protection requirements. The organization backs up their data in the cloud. To comply with data privacy regulations, this data can only be stored for a specific length of time and must be deleted after this specific period.
You want to automate the compliance with this regulation while minimizing storage costs. What should you do?
- A: Store the data in a persistent disk, and delete the disk at expiration time.
- B: Store the data in a Cloud Bigtable table, and set an expiration time on the column families.
- C: Store the data in a BigQuery table, and set the table's expiration time.
- D: Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.
Question 48
You have been tasked with configuring Security Command Center for your organization's Google Cloud environment. Your security team needs to receive alerts of potential crypto mining in the organization's compute environment and alerts for common Google Cloud misconfigurations that impact security. Which Security Command Center features should you use to configure these alerts? (Choose two.)
- A: Event Threat Detection
- B: Container Threat Detection
- C: Security Health Analytics
- D: Cloud Data Loss Prevention
- E: Google Cloud Armor
Question 49
You have noticed an increased number of phishing attacks across your enterprise user accounts. You want to implement the Google 2-Step Verification (2SV) option that uses a cryptographic signature to authenticate a user and verify the URL of the login page. Which Google 2SV option should you use?
- A: Titan Security Keys
- B: Google prompt
- C: Google Authenticator app
- D: Cloud HSM keys
Question 50
Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:
- The network connection must be encrypted.
- The communication between servers must be over private IP addresses.
What should you do?
- A: Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
- B: Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
- C: Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.
- D: Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.