
Professional Cloud Security Engineer

By Google
Aug, 2025


Question 51

Your company's new CEO recently sold two of the company's divisions. Your Director asks you to help migrate the Google Cloud projects associated with those divisions to a new organization node. Which preparation steps are necessary before this migration occurs? (Choose two.)

  • A: Remove all project-level custom Identity and Access Management (IAM) roles.
  • B: Disallow inheritance of organization policies.
  • C: Identify inherited Identity and Access Management (IAM) roles on projects to be migrated.
  • D: Create a new folder for all projects to be migrated.
  • E: Remove the specific migration projects from any VPC Service Controls perimeters and bridges.

Question 52

You are a consultant for an organization that is considering migrating their data from its private cloud to Google Cloud. The organization's compliance team is not familiar with Google Cloud and needs guidance on how compliance requirements will be met on Google Cloud. One specific compliance requirement is for customer data at rest to reside within specific geographic boundaries. Which option should you recommend for the organization to meet their data residency requirements on Google Cloud?

  • A: Organization Policy Service constraints
  • B: Shielded VM instances
  • C: Access control lists
  • D: Geolocation access controls
  • E: Google Cloud Armor

Question 53

Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization. How should you enforce this?

  • A: Configure Secret Manager to manage service account keys.
  • B: Enable an organization policy to disable service accounts from being created.
  • C: Enable an organization policy to prevent service account keys from being created.
  • D: Remove the iam.serviceAccounts.getAccessToken permission from users.

Question 54

You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?

  • A: On the Google Admin console, select the appropriate user account, and generate a backup code to allow the user to sign in. Ask the user to update their second factor.
  • B: On the Google Admin console, temporarily disable the 2SV requirements for all users. Ask the user to log in and add their new second factor to their account. Re-enable the 2SV requirement for all users.
  • C: On the Google Admin console, select the appropriate user account, and temporarily disable 2SV for this account. Ask the user to update their second factor, and then re-enable 2SV for this account.
  • D: On the Google Admin console, use a super administrator account to reset the user account's credentials. Ask the user to update their credentials after their first login.

Question 55

Which Google Cloud service should you use to enforce access control policies for applications and resources?

  • A: Identity-Aware Proxy
  • B: Cloud NAT
  • C: Google Cloud Armor
  • D: Shielded VMs

Question 56

You want to update your existing VPC Service Controls perimeter with a new access level. You need to avoid breaking the existing perimeter with this change, and ensure the least disruptions to users while minimizing overhead. What should you do?

  • A: Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.
  • B: Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.
  • C: Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration. Update the perimeter configuration after the access level has been vetted.
  • D: Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.

Question 57

An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege. Which option meets the requirement of your team?

  • A: Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address and allows the application to read from the bucket without credentials.
  • B: Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.
  • C: Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.
  • D: Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.

Question 58

Your organization's Google Cloud VMs are deployed via an instance template that configures them with a public IP address in order to host web services for external users. The VMs reside in a service project that is attached to a host (VPC) project containing one custom Shared VPC for the VMs. You have been asked to reduce the exposure of the VMs to the internet while continuing to service external users. You have already recreated the instance template without a public IP address configuration to launch the managed instance group (MIG). What should you do?

  • A: Deploy a Cloud NAT Gateway in the service project for the MIG.
  • B: Deploy a Cloud NAT Gateway in the host (VPC) project for the MIG.
  • C: Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.
  • D: Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend.

Question 59

Your privacy team uses crypto-shredding (deleting encryption keys) as a strategy to delete personally identifiable information (PII). You need to implement this practice on Google Cloud while still utilizing the majority of the platform's services and minimizing operational overhead. What should you do?

  • A: Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises.
  • B: Use Cloud External Key Manager to delete specific encryption keys.
  • C: Use customer-managed encryption keys to delete specific encryption keys.
  • D: Use Google default encryption to delete specific encryption keys.

Question 60

You need to centralize your team's logs for production projects. You want your team to be able to search and analyze the logs using Logs Explorer. What should you do?

  • A: Enable Cloud Monitoring workspace, and add the production projects to be monitored.
  • B: Use Logs Explorer at the organization level and filter for production project logs.
  • C: Create an aggregate org sink at the parent folder of the production projects, and set the destination to a Cloud Storage bucket.
  • D: Create an aggregate org sink at the parent folder of the production projects, and set the destination to a logs bucket.

Question 61

You need to use Cloud External Key Manager to create an encryption key to encrypt specific BigQuery data at rest in Google Cloud. Which steps should you do first?

  • A: 1. Create or use an existing key with a unique uniform resource identifier (URI) in your Google Cloud project. 2. Grant your Google Cloud project access to a supported external key management partner system.
  • B: 1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.
  • C: 1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system. 2. In the external key management partner system, grant access for this key to use your Google Cloud project.
  • D: 1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.

Question 62

Your company's cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs. Which service should you use?

  • A: Identity-Aware Proxy
  • B: Cloud NAT
  • C: TCP/UDP Load Balancing
  • D: Cloud DNS

Question 63

You want to make sure that your organization's Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all Cloud Storage buckets. What should you do?

  • A: Remove Owner roles from end users, and configure Cloud Data Loss Prevention.
  • B: Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.
  • C: Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.
  • D: Remove *.setIamPolicy permissions from all roles, and enforce domain restricted sharing in an organization policy.

Question 64

Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud. Which two steps should you take to integrate the company's on-premises Active Directory with Google Cloud and configure access management? (Choose two.)

  • A: Use Identity Platform to provision users and groups to Google Cloud.
  • B: Use Cloud Identity SAML integration to provision users and groups to Google Cloud.
  • C: Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.
  • D: Create Identity and Access Management (IAM) roles with permissions corresponding to each Active Directory group.
  • E: Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group.

Question 65

You are in charge of creating a new Google Cloud organization for your company. Which two actions should you take when creating the super administrator accounts? (Choose two.)

  • A: Create an access level in the Google Admin console to prevent super admin from logging in to Google Cloud.
  • B: Disable any Identity and Access Management (IAM) roles for super admin at the organization level in the Google Cloud Console.
  • C: Use a physical token to secure the super admin credentials with multi-factor authentication (MFA).
  • D: Use a private connection to create the super admin accounts to avoid sending your credentials over the Internet.
  • E: Provide non-privileged identities to the super admin users for their day-to-day activities.

Question 66

You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

  • A: Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.
  • B: Configure your Compute Engine instances to use Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.
  • C: Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.
  • D: Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.


Page 3 of 14 • Questions 51-75 of 329
