[May-2024] Download Real Google Professional-Cloud-Security-Engineer Exam Dumps Test Engine Exam Questions [Q41-Q63]

New Professional-Cloud-Security-Engineer exam dumps Use Updated Google Exam


The Google Professional-Cloud-Security-Engineer certification exam is an important milestone for individuals who want to advance their careers in cloud security. The Google Cloud Certified - Professional Cloud Security Engineer certification is recognized by industry leaders and is a valuable asset for individuals who want to demonstrate their expertise in protecting cloud environments. By passing the Professional-Cloud-Security-Engineer exam, individuals demonstrate their understanding of cloud security best practices and their ability to manage and secure cloud environments effectively.


The Google Professional-Cloud-Security-Engineer exam covers a wide range of topics, including security management, data protection, network security, and compliance. Candidates are expected to have a deep understanding of the security controls and mechanisms available on Google Cloud Platform. They should also be able to identify and mitigate potential security threats and vulnerabilities.

 

NEW QUESTION # 41
You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?

  • A. VPC Service Controls in dry run mode
  • B. Cloud Load Balancing firewall rules
  • C. Google Cloud Armor's preconfigured rules in preview mode
  • D. The inherent protections of Google Front End (GFE)
  • E. Prepopulated VPC firewall rules in monitor mode

Answer: C

Explanation:
You can preview the effects of a rule without enforcing it. In preview mode, actions are noted in Cloud Monitoring. You can choose to preview individual rules in a security policy, or you can preview every rule in the policy.
Reference: https://cloud.google.com/armor/docs/security-policy-overview#preview_mode


NEW QUESTION # 42
An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege.
Which option meets the requirement of your team?

  • A. Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.
  • B. Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address and allows the application to read from the bucket without credentials.
  • C. Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.
  • D. Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.

Answer: D


NEW QUESTION # 43
A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?

  • A. On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.
  • B. On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.
  • C. Upload the logs to both the shared bucket and the bucket only accessible by the administrator.
    Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.
  • D. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.

Answer: A


NEW QUESTION # 44
A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?

  • A. Use a Continuous Delivery tool to deploy the application.
  • B. Use Cloud Build to build the container images.
  • C. Delete non-used versions from Container Registry.
  • D. Build small containers using small base images.

Answer: A


NEW QUESTION # 45
An organization receives an increasing number of phishing emails.
Which method should be used to protect employee credentials in this situation?

  • A. Captcha on login pages
  • B. Multifactor Authentication
  • C. A strict password policy
  • D. Encrypted emails

Answer: B

Explanation:
https://cloud.google.com/blog/products/g-suite/7-ways-admins-can-help-secure-accounts-against-phishing-g-suite
https://www.duocircle.com/content/email-security-services/email-security-in-cryptography#:~:text=Customer%20Login-,Email%20Security%20In%20Cryptography%20Is%20One%20Of%20The%20Most,Measures%20To%20Prevent%20Phishing%20Attempts&text=Cybercriminals%20love%20emails%20the%20most,networks%20all%20over%20the%20world.


NEW QUESTION # 46
A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to manage and rotate the encryption keys.
Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?

  • A. Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
  • B. Encryption by default
  • C. Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis
  • D. Customer-supplied encryption keys (CSEK)

Answer: A

Explanation:
Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/dynamic-provisioning-cmek


NEW QUESTION # 47
You want to evaluate GCP for PCI compliance. You need to identify Google's inherent controls.
Which document should you review to find the information?

  • A. PCI SSC Cloud Computing Guidelines
  • B. PCI DSS Requirements and Security Assessment Procedures
  • C. Product documentation for Compute Engine
  • D. Google Cloud Platform: Customer Responsibility Matrix

Answer: A

Explanation:
https://cloud.google.com/solutions/pci-dss-compliance-in-gcp


NEW QUESTION # 48
In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.
Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)

  • A. App Engine
  • B. Google Kubernetes Engine
  • C. Cloud Storage
  • D. Compute Engine
  • E. Cloud Functions

Answer: B,D

Explanation:
App Engine ingress firewall rules are available, but egress rules are not currently available. Per requirements 1.2.1 and 1.3.4, you must ensure that all outbound traffic is authorized. SAQ A-EP and SAQ D-type merchants must provide compensating controls or use a different Google Cloud product. Compute Engine and GKE are the preferred alternatives. https://cloud.google.com/solutions/pci-dss-compliance-in-gcp


NEW QUESTION # 49
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its current data backup and disaster recovery solutions to GCP for later analysis. The organization's production environment will remain on-premises for an indefinite time. The organization wants a scalable and cost-efficient solution.
Which GCP solution should the organization use?

  • A. BigQuery using a data pipeline job with continuous updates
  • B. Compute Engine Virtual Machines using Persistent Disk
  • C. Cloud Storage using a scheduled task and gsutil
  • D. Cloud Datastore using regularly scheduled batch upload jobs

Answer: C

Explanation:
Reference: https://cloud.google.com/solutions/dr-scenarios-planning-guide#use-cloud-storage-as-part-of-your-daily-backup-


NEW QUESTION # 50
A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can only be accessed by someone on the corporate network. The customer wants to make it available over the internet. Your team requires an authentication layer in front of the application that supports two-factor authentication. Which GCP product should the customer implement to meet these requirements?

  • A. Cloud VPN
  • B. Cloud Identity-Aware Proxy
  • C. Cloud Armor
  • D. Cloud Endpoints

Answer: B

Explanation:
Cloud IAP is integrated with Google Sign-In, for which multi-factor authentication can be enabled.
Reference: https://cloud.google.com/iap/docs/concepts-overview


NEW QUESTION # 51
Which two implied firewall rules are defined on a VPC network? (Choose two.)

  • A. A rule that allows all inbound port 80 connections
  • B. A rule that denies all inbound connections
  • C. A rule that blocks all outbound connections
  • D. A rule that allows all outbound connections
  • E. A rule that blocks all inbound port 25 connections

Answer: B,D


NEW QUESTION # 52
Your customer has an on-premises Public Key Infrastructure (PKI) with a certificate authority (CA). You need to issue certificates for many HTTP load balancer frontends. The on-premises PKI should be minimally affected due to many manual processes, and the solution needs to scale.
What should you do?

  • A. Use the web applications with PKCS12 certificates issued from a subordinate CA based on OpenSSL on-premises. Use the gcloud tool for importing. Use the External TCP/UDP Network Load Balancer instead of an external HTTP Load Balancer.
  • B. Use a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.
  • C. Use Certificate Manager to import certificates issued from the on-premises PKI and for the frontends. Leverage the gcloud tool for importing.
  • D. Use Certificate Manager to issue Google-managed public certificates and configure them at the HTTP load balancers in your infrastructure as code (IaC).

Answer: B

Explanation:
This approach allows you to leverage your existing on-premises PKI infrastructure while minimizing its impact and manual processes. By creating a subordinate CA in Google's Certificate Authority Service, you can automate the process of issuing certificates for your HTTP load balancer frontends. This solution scales well as the number of load balancers increases.


NEW QUESTION # 53
You need to audit the network segmentation for your Google Cloud footprint. You currently operate Production and Non-Production infrastructure-as-a-service (IaaS) environments. All your VM instances are deployed without any service account customization.
After observing the traffic in your custom network, you notice that all instances can communicate freely - despite tag-based VPC firewall rules in place to segment traffic properly - with a priority of 1000. What are the most likely reasons for this behavior?

  • A. All VM instances are residing in the same network subnet.
  • B. All VM instances are missing the respective network tags.
  • C. A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 1001.
  • D. A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999.
  • E. All VM instances are configured with the same network route.

Answer: B,D


NEW QUESTION # 54
A customer wants to use Cloud Identity as their primary IdP. The customer wants to use other non-GCP SaaS products for CRM, messaging, and customer ticketing management. The customer also wants to improve employee experience with Single Sign-On (SSO) capabilities to securely access GCP and non-GCP applications. Only authorized individuals should be able to access these third-party applications. What action should the customer take to meet these requirements?

  • A. Copy user personas from Cloud Identity to all third-party applications for the domain.
  • B. Remove the employee from Cloud Identity, set the correct license for the individuals, and resync them to Cloud Identity for the changes to take effect.
  • C. Remove the individuals from the third-party applications, add the license to Cloud Identity, and resync the individuals back to the third-party applications.
  • D. Configure third-party applications to federate authentication and authorization to the GCP IdP.

Answer: D

Explanation:
A is not correct because users should continue to be in Cloud Identity as the central source of truth.
B is not correct because it doesn't help to automate user provisioning and deprovisioning on a continual basis.
C is not correct because it doesn't help to automate user provisioning.
D is correct because Cloud Identity will serve as the SAML identity provider for third-party apps.
Reference: https://cloud.google.com/identity/solutions/enable-sso


NEW QUESTION # 55
You work for a large organization where each business unit has thousands of users. You need to delegate management of access control permissions to each business unit. You have the following requirements:
Each business unit manages access controls for their own projects.
Each business unit manages access control permissions at scale.
Business units cannot access other business units' projects.
Users lose their access if they move to a different business unit or leave the company.
Users and access control permissions are managed by the on-premises directory service.
What should you do? (Choose two.)

  • A. Create a project naming convention, and use Google's IAM Conditions to manage access based on the prefix of project names.
  • B. Use Google Cloud Directory Sync to synchronize users and group memberships in Cloud Identity.
  • C. Group business units based on Organization Units (OUs) and manage permissions based on OUs.
  • D. Organize projects in folders, and assign permissions to Google groups at the folder level.
  • E. Use VPC Service Controls to create perimeters around each business unit's project.

Answer: A,B


NEW QUESTION # 56
Which two security characteristics are related to the use of VPC peering to connect two VPC networks? (Choose two.)

  • A. Ability to peer networks that belong to different Google Cloud Platform organizations
  • B. Ability to share specific subnets across peered networks
  • C. Central management of routes, firewalls, and VPNs for peered networks
  • D. Firewall rules that can be created with a tag from one peered network to another peered network
  • E. Non-transitive peered networks; where only directly peered networks can communicate

Answer: A,E

Explanation:
https://cloud.google.com/vpc/docs/vpc-peering#key_properties


NEW QUESTION # 57
You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources. Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts.
Which two actions should you take? (Choose two.)

  • A. Add users to your managed Google account and force users to change the email addresses associated with their personal accounts.
  • B. Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity.
  • C. Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.
  • D. Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts.
  • E. Use the Google Admin console to view which managed users are using a personal account for their recovery email.

Answer: B,D

Explanation:
https://cloud.google.com/architecture/identity/migrating-consumer-accounts#initiating_a_transfer


NEW QUESTION # 58
You are creating a new infrastructure CI/CD pipeline to deploy hundreds of ephemeral projects in your Google Cloud organization to enable your users to interact with Google Cloud. You want to restrict the use of the default networks in your organization while following Google-recommended best practices. What should you do?

  • A. Grant your users the IAM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts the compute.googleapis.com API.
  • B. Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
  • C. Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.
  • D. Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.

Answer: B

Explanation:
Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level. This boolean constraint skips the creation of the default network and related resources during Google Cloud Platform Project resource creation where this constraint is set to True. By default, a default network and supporting resources are automatically created when creating a Project resource.
Reference: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints (constraints/compute.skipDefaultNetworkCreation)


NEW QUESTION # 59
You are designing a new governance model for your organization's secrets that are stored in Secret Manager. Currently, secrets for Production and Non-Production applications are stored and accessed using service accounts. Your proposed solution must:
Provide granular access to secrets
Give you control over the rotation schedules for the encryption keys that wrap your secrets
Maintain environment separation
Provide ease of management
Which approach should you take?

  • A. 1. Use separate Google Cloud projects to store Production and Non-Production secrets.
    2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.
    3. Use Google-managed encryption keys to encrypt secrets.
  • B. 1. Use separate Google Cloud projects to store Production and Non-Production secrets.
    2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings.
    3. Use customer-managed encryption keys to encrypt secrets.
  • C. 1. Use a single Google Cloud project to store both Production and Non-Production secrets.
    2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings.
    3. Use customer-managed encryption keys to encrypt secrets.
  • D. 1. Use a single Google Cloud project to store both Production and Non-Production secrets.
    2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.
    3. Use Google-managed encryption keys to encrypt secrets.

Answer: B


NEW QUESTION # 60
You define central security controls in your Google Cloud environment. For one of the folders in your organization, you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later, you receive an alert about a new VM with an external IP address under that folder.
What could have caused this alert?

  • A. The VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.
  • B. The policy constraint on the folder level does not have any effect because of an "allow" value for that constraint on the organizational level.
  • C. The organizational policy constraint wasn't properly enforced and is running in "dry run" mode.
  • D. At project level, the organizational policy control has been overwritten with an 'allow' value.

Answer: A


NEW QUESTION # 61
You need to perform a vulnerability scan for an App Engine app using Cloud Security Scanner.
Upon completion of the scan, the report is not producing the expected number of webpage results. The pages in the app with mouseover menus are missing from the report. Which action should you take to make sure the scan completes and captures the menu?

  • A. Adjust the Google account on which the scan is running.
  • B. Change the scan to include additional Starting URLs.
  • C. Verify the Excluded URLs.
  • D. Modify the scan schedule to return new results.

Answer: B

Explanation:
A is not correct because changing the Google account will not result in scanning of more webpages.
B is correct because Cloud Security Scanner may not be able to navigate through complex JavaScript such as a mouseover-driven multilevel menu. Specifying additional starting URLs can increase scan coverage in this scenario.
C is not correct because the webpages missing from the mouseover menu are unlikely to be explicitly excluded, since they're expected to be scanned.
D is not correct because changing the scan schedule will not result in scanning of more webpages.
Reference: https://cloud.google.com/security-scanner/docs/scanning


NEW QUESTION # 62
What are the steps to encrypt data using envelope encryption?

  • A. Generate a data encryption key (DEK) locally.
    Encrypt data with the DEK.
    Use a key encryption key (KEK) to wrap the DEK.
    Store the encrypted data and the wrapped DEK.
  • B. Generate a key encryption key (KEK) locally.
    Use the KEK to generate a data encryption key (DEK).
    Encrypt data with the DEK.
    Store the encrypted data and the wrapped DEK.
  • C. Generate a key encryption key (KEK) locally.
    Generate a data encryption key (DEK) locally.
    Encrypt data with the KEK.
    Store the encrypted data and the wrapped DEK.
  • D. Generate a data encryption key (DEK) locally.
    Use a key encryption key (KEK) to wrap the DEK.
    Encrypt data with the KEK.
    Store the encrypted data and the wrapped KEK.

Answer: A

Explanation:
The process of encrypting data is to generate a DEK locally, encrypt data with the DEK, use a KEK to wrap the DEK, and then store the encrypted data and the wrapped DEK. The KEK never leaves Cloud KMS.
Reference: https://cloud.google.com/kms/docs/envelope-encryption#how_to_encrypt_data_using_envelope_encryption


NEW QUESTION # 63
......

Pass Your Professional-Cloud-Security-Engineer Dumps as PDF Updated on 2024 With 235 Questions: https://www.prep4sures.top/Professional-Cloud-Security-Engineer-exam-dumps-torrent.html

Verified Professional-Cloud-Security-Engineer Dumps Q&As - Professional-Cloud-Security-Engineer Test Engine with Correct Answers: https://drive.google.com/open?id=1sZ2aRsX8O85vw2U5Cd4okHhAYf_7SIE0