Google Professional Cloud Security Engineer Exam Practice Questions (P. 2)
- Full Access (321 questions)
- Six months of Premium Access
- Access to one million comments
- Seamless ChatGPT Integration
- Ability to download PDF files
- Anki Flashcard files for revision
- No Captcha & No AdSense
- Advanced Exam Configuration
Question #13
A customer's data science group wants to use Google Cloud Platform (GCP) for their analytics workloads. Company policy dictates that all data must be company-owned and all user authentications must go through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The
Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and realized that their domain was already being used by G Suite.
How should you best advise the Systems Engineer to proceed with the least disruption?
Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and realized that their domain was already being used by G Suite.
How should you best advise the Systems Engineer to proceed with the least disruption?
- AContact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.
- BRegister a new domain name, and use that for the new Cloud Identity domain.
- CAsk Google to provision the data science manager's account as a Super Administrator in the existing domain.
- DAsk customer's management to discover any other uses of Google managed services, and work with the existing Super Administrator.
Correct Answer:
C
C
GPT-4o - Answer
Ensuring minimal disruption in integrating the company’s SAML 2.0 IdP with GCP, it’s best to utilize the existing G Suite domain. Provisioning the data science manager as a Super Administrator allows for immediate, centralized management of user authentications without conflicting with existing services or setup. Thus, simplifying access control and compliance with company policies without the need for additional domains or extended verification processes. This approach leverages existing infrastructure, cutting down on both time and potential complications from setting up a new domain.
Question #14
A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects.
Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources.
Which type of access should your team grant to meet this requirement?
Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources.
Which type of access should your team grant to meet this requirement?
- AOrganization Administrator
- BSecurity Reviewer
- COrganization Role Administrator
- DOrganization Policy Administrator
Correct Answer:
C
C
GPT-4o - Answer
The correct choice, Organization Role Administrator (Option C), fits perfectly with the goal of managing permissions and auditing within a specific organizational resource under the Cloud Identity domain, aligning with the principle of least privilege. This role enables creating and managing custom roles, which includes the capability to assign roles, contrary to the assumption that it only allows role creation. It also grants necessary permissions for retrieving and managing policies across the projects, making it a balanced choice for administrating without overly broad access.
Question #15
An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege.
Which option meets the requirement of your team?
Which option meets the requirement of your team?
- ACreate a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address and allows the application to read from the bucket without credentials.
- BUse a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.
- CUse a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.
- DEncrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.
Correct Answer:
C
C
GPT-4o - Answer
Using a service account with read-only access to the Cloud Storage bucket is indeed the optimal approach. This method leverages the instance metadata to securely fetch credentials without necessitating their storage or explicit management within the application configuration. It effectively enforces the principle of least privilege by granting specific, minimal permissions needed for the task, thus enhancing security and compliance with organizational policies that prohibit global readability of resources.
Question #16
An organization's typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review.
How should you advise this organization?
How should you advise this organization?
- AUse Forseti with Firewall filters to catch any unwanted configurations in production.
- BMandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.
- CRoute all VPC traffic through customer-managed routers to detect malicious patterns in production.
- DAll production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.
Correct Answer:
B
B
GPT-4o - Answer
Mandating the use of infrastructure as code (IaC) and integrating static analysis in the CI/CD pipelines is a practical strategy for reducing unnecessary overhead for developers. This approach allows developers to focus on their tasks without getting bogged down by the intricate details of network and security reviews, since IaC can programmatically enforce security best practices and policies upfront, significantly streamlining the deployment process.
Question #17
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.
Which Cloud Data Loss Prevention API technique should you use to accomplish this?
Which Cloud Data Loss Prevention API technique should you use to accomplish this?
- AGeneralization
- BRedaction
- CCryptoHashConfig
- DCryptoReplaceFfxFpeConfig
Correct Answer:
B
B
GPT-4o - Answer
Option D, CryptoReplaceFfxFpeConfig, is the correct choice for tracking bonus compensations over time while maintaining confidentiality and reversibility, ensuring any analysis done can identify outliers without exposing individual data. This approach applies cryptographic transformations that are reversible, crucial for linking the data back to specific individuals if necessary for addressing discrepancies.
Question #18
An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud
Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.
Which Cloud Identity password guidelines can the organization use to inform their new requirements?
Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.
Which Cloud Identity password guidelines can the organization use to inform their new requirements?
- ASet the minimum length for passwords to be 8 characters.
- BSet the minimum length for passwords to be 10 characters.
- CSet the minimum length for passwords to be 12 characters.
- DSet the minimum length for passwords to be 6 characters.
Correct Answer:
A
A
GPT-4o - Answer
Google Cloud Identity allows setting the minimum password length to 8 characters, aligning with the default requirements provided in their documentation. Organizations can enforce this policy to ensure a fundamental level of security while allowing flexibility for those requiring or preferring longer passwords. It's a starting point, giving room for adjustments based on evolving security needs or specific company policies. So, sticking with 8 characters as a minimum is perfectly valid and aligns with current guidelines.
Question #20
How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?
- ASend all logs to the SIEM system via an existing protocol such as syslog.
- BConfigure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system.
- CConfigure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow.
- DBuild a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs.
Correct Answer:
C
C
GPT-4o - Answer
Using organizational log sinks to export logs to a Pub/Sub topic, which is then processed by Dataflow for delivery to an on-premises SIEM system, like Splunk, is a highly efficient and reliable approach. This setup taps into the native integration capabilities of GCP, ensuring real-time log management and optimal utilization of Cloud-native tools for secure, scalable, and maintenance-free operations. This method supports a robust security infrastructure by providing streamlined log data transition from GCP to external SIEM systems.
All Pages