
Google Professional Cloud Security Engineer Exam || Complete Exam File: High-Scoring Q&A Set!!

Pages: 35
Grade: A+
Uploaded on: 27-08-2025
Written in: 2025/2026

Institution: Google Associate Cloud Engineer
Course: Google Associate Cloud Engineer

Content preview

Google Professional Cloud Security Engineer Exam ||
Complete Exam File: High-Scoring Q&A Set!!
Your team needs to make sure that a Compute Engine instance does not have access to the
internet or to any Google APIs or services. Which two settings must remain disabled to meet
these requirements? (Choose two.)
Correct answers:
Public IP
Private Google Access

Which two implied firewall rules are defined on a VPC network?
Correct answers:
A rule that allows all outbound connections
A rule that denies all inbound connections

A customer needs an alternative to storing their plain text secrets in their source-code
management (SCM) system. How should the customer achieve this using Google Cloud
Platform?
Correct answers: Encrypt the secrets with a Customer-Managed Encryption Key
(CMEK), and store them in Cloud Storage.

Your team wants to centrally manage GCP IAM permissions from their on-premises Active
Directory Service. Your team wants to manage permissions by AD group membership. What
should your team do to meet these requirements?
Correct answers: Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.

When creating a secure container image, which two items should you incorporate into the
build if possible? (Choose two.)
Correct answers:
Package a single app as a container.
Remove any unnecessary tools not needed by the app.

A customer needs to launch a 3-tier internal web application on Google Cloud Platform
(GCP). The customer's internal compliance requirements dictate that end-user access may
only be allowed if the traffic seems to originate from a specific known good CIDR. The
customer accepts the risk that their application will only have SYN flood DDoS protection.
They want to use GCP's native SYN flood protection. Which product should be used to meet
these requirements?
Correct answers: Cloud Armor

A company is running workloads in a dedicated server room. They must only be accessed
from within the private company network. You need to connect to these workloads from
Compute Engine instances within a Google Cloud Platform project. Which two approaches
can you take to meet the requirements? (Choose two.)
Correct answers:
Configure the project with Cloud VPN
Configure the project with Cloud Interconnect.

A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on
Compute Engine. Their security team wants to add a security layer so that the ERP systems
only accept traffic from Cloud Identity-Aware Proxy. What should the customer do to meet
these requirements?
Correct answers: Make sure that the ERP system can validate the JWT assertion in the HTTP requests.

A company has been running their application on Compute Engine. A bug in the application
allowed a malicious user to repeatedly execute a script that results in the Compute Engine
instance crashing. Although the bug has been fixed, you want to get notified in case this hack
re-occurs. What should you do?
Correct answers: Create an Alerting Policy in Stackdriver using a Process Health condition,
checking that the number of executions of the script remains below the desired threshold.
Enable notifications.

Your team needs to obtain a unified log view of all development cloud projects in your
SIEM. The development projects are under the NONPROD organization folder with the test
and pre-production projects. The development projects share the ABC-BILLING billing
account with the rest of the organization. Which logging export strategy should you use to
meet the requirements?
Correct answers:
1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren
property set to False in a dedicated SIEM project.
2. Process Cloud Storage objects in SIEM.

A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to
a malicious site through a man-in-the-middle attack. Which solution should this customer use?
Correct answers: DNS Security Extensions

A customer deploys an application to App Engine and needs to check for Open Web
Application Security Project (OWASP) vulnerabilities. Which service should be used to
accomplish this?
Correct answers: Web Security Scanner

A customer's data science group wants to use Google Cloud Platform (GCP) for their
analytics workloads. Company policy dictates that all data must be company-owned and all
user authentications must go through their own Security Assertion Markup Language
(SAML) 2.0 Identity Provider (IdP). The Infrastructure Operations Systems Engineer was
trying to set up Cloud Identity for the customer and realized that their domain was already
being used by G Suite. How should you best advise the Systems Engineer to proceed with the
least disruption?
Correct answers: Ask customer's management to discover any other uses of
Google managed services, and work with the existing Super Administrator.

A business unit at a multinational corporation signs up for GCP and starts moving workloads
into GCP. The business unit creates a Cloud Identity domain with an organizational resource
that has hundreds of projects. Your team becomes aware of this and wants to take over
managing permissions and auditing the domain resources. Which type of access should your
team grant to meet this requirement?
Correct answers: Organization Administrator

An application running on a Compute Engine instance needs to read data from a Cloud
Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and
wants to ensure the principle of least privilege. Which option meets the requirement of your
team?
Correct answers: Use a service account with read-only access to the Cloud Storage
bucket to retrieve the credentials from the instance metadata.

An organization's typical network and security review consists of analyzing application
transit routes, request handling, and firewall rules. They want to enable their developer teams
to deploy new applications without the overhead of this full review. How should you advise
this organization?
Correct answers: Mandate use of infrastructure as code and provide static
analysis in the CI/CD pipelines to enforce policies.

An employer wants to track how bonus compensations have changed over time to identify
employee outliers and correct earning disparities. This task must be performed without
exposing the sensitive compensation data for any individual and must be reversible to
identify the outlier. Which Cloud Data Loss Prevention API technique should you use to
accomplish this?
Correct answers: CryptoReplaceFfxFpeConfig

An organization adopts Google Cloud Platform (GCP) for application hosting services and
needs guidance on setting up password requirements for their Cloud Identity account. The
organization has a password policy requirement that corporate employee passwords must
have a minimum number of characters. Which Cloud Identity password guidelines can the
organization use to inform their new requirements?
Correct answers: Set the minimum length for passwords to be 8 characters.

You need to follow Google-recommended practices to leverage envelope encryption and
encrypt data at the application layer. What should you do?
Correct answers: Generate a data encryption key (DEK) locally to encrypt the data, and
generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the
encrypted data and the encrypted DEK.

How should a customer reliably deliver Stackdriver logs from GCP to their on-premises
SIEM system?
Correct answers: Configure Organizational Log Sinks to export logs to a Cloud
Pub/Sub Topic, which will be sent to the SIEM via Dataflow.

In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic
is authorized. Which two cloud offerings meet this requirement without additional
compensating controls? (Choose two.)
Correct answers:
Compute Engine
Google Kubernetes Engine

A website design company recently migrated all customer sites to App Engine. Some sites
are still in progress and should only be visible to customers and company employees from
any location. Which solution will restrict access to the in-progress sites?
Correct answers: Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google
Group that contains the customer and employee user accounts.

When working with agents in the support center via online chat, your organization's
customers often share pictures of their documents with personally identifiable information
(PII). Your leadership team is concerned that this PII is being stored as part of the regular
chat logs, which are reviewed by internal or external analysts for customer service trends. You
want to resolve this concern while still maintaining data utility. What should you do?
Correct answers: Use the image inspection and redaction actions of the DLP API to redact
PII from the images before storing them for analysis.

A company's application is deployed with a user-managed Service Account key. You want to
use Google-recommended practices to rotate the key. What should you do?
Correct answers: Create a new key, and use the new key in the application. Delete the old
key from the Service Account.

Your team needs to configure their Google Cloud Platform (GCP) environment so they can
centralize the control over networking resources like firewall rules, subnets, and routes. They
also have an on-premises environment where resources need access back to the GCP
resources through a private VPN connection. The networking resources will need to be
controlled by the network security team. Which type of networking design should your team
use to meet these requirements?
Correct answers: Shared VPC Network with a host project and service projects

An organization is migrating from their current on-premises productivity software systems to
G Suite. Some network security controls were in place that were mandated by a regulatory
body in their region for their previous on-premises system. The organization's risk team
wants to ensure that network security controls are maintained and effective in G Suite. A
security architect supporting this migration has been asked to ensure that network security
controls are in place as part of the new shared responsibility model between the organization
and Google Cloud. What solution would help meet the requirements?
Correct answers: Network security is a built-in solution and Google's Cloud responsibility
for SaaS products like G Suite.

A customer's company has multiple business units. Each business unit operates
independently, and each has their own engineering group. Your team wants visibility into all
projects created within the company and wants to organize their Google Cloud Platform
(GCP) projects based on different business units. Each business unit also requires separate
sets of IAM permissions. Which strategy should you use to meet these needs?
Correct answers: Create an organization node, and assign folders for each business unit.

A company has redundant mail servers in different Google Cloud Platform regions and wants
to route customers to the nearest mail server based on location. How should the company
accomplish this?
Correct answers: Create a Network Load Balancer to listen on TCP port 995
with a forwarding rule to forward traffic based on location. (or proxy network load balancer)

Your team sets up a Shared VPC Network where project co-vpc-prod is the host project.
Your team has configured the firewall rules, subnets, and VPN gateway on the host project.
They need to enable Engineering Group A to attach a Compute Engine instance to only the
10.1.1.0/24 subnet. What should your team grant to Engineering Group A to meet this
requirement?
Correct answers: Compute Network User Role at the subnet level.

A company migrated their entire data center to Google Cloud Platform. It is running
thousands of instances across multiple projects managed by different departments. You want
to have a historical record of what was running in Google Cloud Platform at any point in
time. What should you do?
Correct answers: Use Security Command Center to view all assets across the organization.

An organization is starting to move its infrastructure from its on-premises environment to
Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its
current data backup and disaster recovery solutions to GCP for later analysis. The
organization's production environment will remain on-premises for an indefinite time. The
organization wants a scalable and cost-efficient solution. Which GCP solution should the
organization use?
Correct answers: Cloud Storage using a scheduled task and gsutil

You are creating an internal App Engine application that needs to access a user's Google
Drive on the user's behalf. Your company does not want to rely on the current user's
credentials. It also wants to follow Google-recommended practices. What should you do?

Document information

Type: Exam
Contains: Questions and answers

Seller: ProPerfomer