Google Professional Cloud Security Engineer Exam Practice Questions (P. 1)
Question #1
Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.
Which two settings must remain disabled to meet these requirements? (Choose two.)
- A. Public IP (Most Voted)
- B. IP Forwarding
- C. Private Google Access (Most Voted)
- D. Static routes
- E. IAM Network User Role
Correct Answer:
AC
Reference:
https://cloud.google.com/vpc/docs/configure-private-google-access
Question #2
Which two implied firewall rules are defined on a VPC network? (Choose two.)
- A. A rule that allows all outbound connections (Most Voted)
- B. A rule that denies all inbound connections (Most Voted)
- C. A rule that blocks all inbound port 25 connections
- D. A rule that blocks all outbound connections
- E. A rule that allows all inbound port 80 connections
Correct Answer:
AB
Reference:
https://cloud.google.com/vpc/docs/firewalls
Question #3
A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.
How should the customer achieve this using Google Cloud Platform?
- A. Use Cloud Source Repositories, and store secrets in Cloud SQL.
- B. Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage. (Most Voted)
- C. Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL.
- D. Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.
Correct Answer:
B

While choice B, using a Customer-Managed Encryption Key (CMEK) to encrypt secrets before storing them in Google Cloud Storage, does offer a solution to this problem, technology and best practices evolve. Currently, Google Cloud's Secret Manager would be the ideal and most straightforward approach to securely manage secrets. However, since the question specifically includes historical context, encryption using CMEK remains a valid answer given prior constraints.
Question #4
Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service. Your team wants to manage permissions by AD group membership.
What should your team do to meet these requirements?
- A. Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups. (Most Voted)
- B. Set up SAML 2.0 Single Sign-On (SSO), and assign IAM permissions to the groups.
- C. Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory.
- D. Use the Admin SDK to create groups and assign IAM permissions from Active Directory.
Correct Answer:
B
Reference:
https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform
Question #5
When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)
- A. Ensure that the app does not run as PID 1.
- B. Package a single app as a container. (Most Voted)
- C. Remove any unnecessary tools not needed by the app. (Most Voted)
- D. Use public container images as a base image for the app.
- E. Use many container image layers to hide sensitive information.
Correct Answer:
BC
Reference:
https://cloud.google.com/solutions/best-practices-for-building-containers
Question #6
A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end-user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection.
Which product should be used to meet these requirements?
- A. Cloud Armor (Most Voted)
- B. VPC Firewall Rules
- C. Cloud Identity and Access Management
- D. Cloud CDN
Correct Answer:
A
Reference:
https://cloud.google.com/blog/products/identity-security/understanding-google-cloud-armors-new-waf-capabilities
Question #7
A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.
Which two approaches can you take to meet the requirements? (Choose two.)
- A. Configure the project with Cloud VPN. (Most Voted)
- B. Configure the project with Shared VPC.
- C. Configure the project with Cloud Interconnect. (Most Voted)
- D. Configure the project with VPC peering.
- E. Configure all Compute Engine instances with Private Access.
Correct Answer:
AC

Cloud VPN and Cloud Interconnect are prime solutions for securely linking Google Cloud Platform (GCP) resources to on-site workloads while maintaining their exclusivity to the company's private network. Cloud VPN establishes encrypted connections, ensuring data privacy when accessing server rooms remotely. On the other hand, for higher bandwidth demands and lower latency, Cloud Interconnect provides a dedicated connection, making it apt for intensive data transfer scenarios. These tools are essential in setups demanding strict network isolation and secure data flow between cloud and on-premises environments.
Question #8
A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity-Aware Proxy.
What should the customer do to meet these requirements?
- A. Make sure that the ERP system can validate the JWT assertion in the HTTP requests. (Most Voted)
- B. Make sure that the ERP system can validate the identity headers in the HTTP requests.
- C. Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.
- D. Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests.
Correct Answer:
A

To ensure that the ERP systems hosted on Compute Engine only accept traffic from Cloud Identity-Aware Proxy, it is critical that the ERP systems are equipped to validate the JWT (JSON Web Token) assertion in HTTP requests. The JWT assertion is cryptographically signed by IAP, which guarantees the authenticity and integrity of the traffic, confirming that it has indeed passed through IAP. This approach effectively blocks any unauthorized access that bypasses the IAP layer, maintaining a robust security posture for the ERP systems.
Question #9
A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs.
What should you do?
- A. Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications. (Most Voted)
- B. Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.
- C. Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.
- D. Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.
Correct Answer:
C
Reference:
https://cloud.google.com/logging/docs/logs-based-metrics/
Question #10
Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?
- A. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project. 2. Subscribe SIEM to the topic. (Most Voted)
- B. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project. 2. Process Cloud Storage objects in SIEM.
- C. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
- D. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project. 2. Process Cloud Storage objects in SIEM.
Correct Answer:
B

Option B is correct because it specifically targets the ABC-BILLING billing account and sets includeChildren to False, ensuring only logs from directly associated projects in that billing account are included. This prevents the inclusion of logs from other environments like test or pre-production, adhering closely to the requirement for a unified log view of just the development projects, thereby maintaining a cleaner, more relevant log collection in the SIEM system.