Nest 0 Cart
Nest Account
Popular Exams
All Categories...
Nest
Nest 0
Contact
Log In / Sign Up
Copyright 2024 © store. All rights reserved.
Home Google Professional Cloud Security Engineer

Google Professional Cloud Security Engineer Exam Practice Questions (P. 3)

  • Full Access (321 questions)
  • Six months of Premium Access
  • Access to one million comments
  • Seamless ChatGPT Integration
  • Ability to download PDF files
  • Anki Flashcard files for revision
  • No Captcha & No AdSense
  • Advanced Exam Configuration
Get Contributor Access
Question #21
In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.
Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)
  1. A
    App Engine
  2. B
    Cloud Functions
  3. C
    Compute Engine
  4. D
    Google Kubernetes Engine
  5. E
    Cloud Storage

Correct Answer:
AC
Reference:
https://cloud.google.com/solutions/pci-dss-compliance-in-gcp

Question #22
A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location.
Which solution will restrict access to the in-progress sites?
  1. A
    Upload an .htaccess file containing the customer and employee user accounts to App Engine.
  2. B
    Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic.
  3. C
    Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts.
  4. D
    Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the company's GCP Virtual Private Cloud (VPC) network.

Correct Answer:
C
chatbot-img GPT-4o - Answer
Cloud Identity-Aware Proxy (IAP) is spot-on for cases where you need secure and selective access to applications from any location. This holds true for your in-progress sites, ensuring that only specific Google Groups, consisting of your customers and employees, can access these resources. Using IAP, access management is centralized and not bound to specific networks, making it more flexible and secure compared to network-based solutions. Hence, the choice of enabling IAP over other methods results in better control and scalability of access permissions.

Question #23
When working with agents in the support center via online chat, your organization's customers often share pictures of their documents with personally identifiable information (PII). Your leadership team is concerned that this PII is being stored as part of the regular chat logs, which are reviewed by internal or external analysts for customer service trends.
You want to resolve this concern while still maintaining data utility. What should you do?
  1. A
    Use Cloud Key Management Service to encrypt PII shared by customers before storing it for analysis.
  2. B
    Use Object Lifecycle Management to make sure that all chat records containing PII are discarded and not saved for analysis.
  3. C
    Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.
  4. D
    Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.

Correct Answer:
C
Reference:
https://cloud.google.com/dlp/docs/deidentify-sensitive-data

Question #24
A company's application is deployed with a user-managed Service Account key. You want to use Google-recommended practices to rotate the key.
What should you do?
  1. A
    Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam-account=IAM_ACCOUNT.
  2. B
    Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam-account=IAM_ACCOUNT --key=NEW_KEY.
  3. C
    Create a new key, and use the new key in the application. Delete the old key from the Service Account.
  4. D
    Create a new key, and use the new key in the application. Store the old key on the system as a backup key.

Correct Answer:
C
Reference:
https://cloud.google.com/iam/docs/understanding-service-accounts

Question #25
Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection.
The networking resources will need to be controlled by the network security team.
Which type of networking design should your team use to meet these requirements?
  1. A
    Shared VPC Network with a host project and service projects
  2. B
    Grant Compute Admin role to the networking team for each engineering project
  3. C
    VPC peering between all engineering projects using a hub and spoke model
  4. D
    Cloud VPN Gateway between all engineering projects using a hub and spoke model

Correct Answer:
A
Reference:
https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#centralize_network_control

Question #26
An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organization's risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibility model between the organization and Google Cloud.
What solution would help meet the requirements?
  1. A
    Ensure that firewall rules are in place to meet the required controls.
  2. B
    Set up Cloud Armor to ensure that network security controls can be managed for G Suite.
  3. C
    Network security is a built-in solution and Google's Cloud responsibility for SaaS products like G Suite.
  4. D
    Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation.

Correct Answer:
C
chatbot-img GPT-4o - Answer
When considering security with G Suite, a SaaS product, the primary responsibility for network security falls on Google as the provider. Unlike on-premise solutions, where the organization must manage all aspects of network security, G Suite operates under a shared responsibility model where Google takes charge of the infrastructure that includes hardware, software, networking, and facilities. This shifts the focus for organizations from maintaining these controls themselves to ensuring they understand and comply with this shared model. Thus, for the organization concerned about maintaining network security per regulatory requirements when migrating to G Suite, it's crucial to recognize that this aspect is primarily managed by Google.

Question #27
A customer's company has multiple business units. Each business unit operates independently, and each has their own engineering group. Your team wants visibility into all projects created within the company and wants to organize their Google Cloud Platform (GCP) projects based on different business units. Each business unit also requires separate sets of IAM permissions.
Which strategy should you use to meet these needs?
  1. A
    Create an organization node, and assign folders for each business unit.
  2. B
    Establish standalone projects for each business unit, using gmail.com accounts.
  3. C
    Assign GCP resources in a project, with a label identifying which business unit owns the resource.
  4. D
    Assign GCP resources in a VPC for each business unit to separate network access.

Correct Answer:
A
chatbot-img GPT-4o - Answer
Absolutely, using an organization node with folders for each business unit is the most efficient method here. This strategy not only grants overarching visibility but also allows distinct IAM permissions to be managed effectively across different units. We're essentially leveraging the organizational structure to reflect the company's internal divisions clearly, making it easier to oversee and segregate resources. This setup mirrors a real-world organizational chart into GCP management, ensuring clarity and control.

Question #28
A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location.
How should the company accomplish this?
  1. A
    Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.
  2. B
    Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.
  3. C
    Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.
  4. D
    Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.

Correct Answer:
D
chatbot-img GPT-4o - Answer
While some users argue different answers, exploring the setup in Google Cloud is crucial from a practical perspective. Even though option D was initially marked correct due to its association with proximity-based routing, it fundamentally applies to HTTP(s) cacheable content, not necessarily emails. Meanwhile, TCP Proxy Load Balancing, as detailed in user comments, does provide global distribution and can route traffic based on the nearest region with backend capacities, which is crucial for reducing latency in email delivery across various regions. Thus, TCP Proxy Load Balancing, presented in Option A, might be more fitting given its broad geographic distribution and its capacity handling characteristics, especially under the Premium Tier.

Question #29
Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.
What should your team grant to Engineering Group A to meet this requirement?
  1. A
    Compute Network User Role at the host project level.
  2. B
    Compute Network User Role at the subnet level.
  3. C
    Compute Shared VPC Admin Role at the host project level.
  4. D
    Compute Shared VPC Admin Role at the service project level.

Correct Answer:
C
Reference:
https://cloud.google.com/vpc/docs/shared-vpc

Question #30
A company migrated their entire data/center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time.
What should you do?
  1. A
    Use Resource Manager on the organization level.
  2. B
    Use Forseti Security to automate inventory snapshots.
  3. C
    Use Stackdriver to create a dashboard across all projects.
  4. D
    Use Security Command Center to view all assets across the organization.

Correct Answer:
B

Previous Questions Next Questions

All Pages