
NEW 2024 Certification Sample Questions Professional-Cloud-Security-Engineer Dumps & Practice Exam
Professional-Cloud-Security-Engineer Deluxe Study Guide with Online Test Engine
Google Professional-Cloud-Security-Engineer certification exam is a professional-level certification program designed for cloud security engineers who have experience working with Google Cloud Platform (GCP). Professional-Cloud-Security-Engineer exam is designed to test your knowledge and skills in securing and managing cloud infrastructure and services on GCP. Google Cloud Certified - Professional Cloud Security Engineer Exam certification validates your expertise in designing, implementing, and managing security solutions for GCP.
NEW QUESTION # 107
You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application's backend. What are two requirements for using Google Cloud Armor security policies? (Choose two.)
- A. The load balancer must use the Premium Network Service Tier.
- B. The load balancer must be an external SSL proxy load balancer.
- C. The load balancer must be an external HTTP(S) load balancer.
- D. Google Cloud Armor Policy rules can only match on Layer 7 (L7) attributes.
- E. The backend service's load balancing scheme must be EXTERNAL.
Answer: C,E
Explanation:
https://cloud.google.com/armor/docs/security-policy-overview#requirements says: The backend service's load balancing scheme must be EXTERNAL, or EXTERNAL_MANAGED if you are using a global external HTTP(S) load balancer.
NEW QUESTION # 108
You discovered that sensitive personally identifiable information (PII) is being ingested to your Google Cloud environment in the daily ETL process from an on-premises environment to your BigQuery datasets. You need to redact this data to obfuscate the PII, but need to re-identify it for data analytics purposes. Which components should you use in your solution? (Choose two.)
- A. Secret Manager
- B. Cloud Data Loss Prevention with automatic text redaction
- C. Cloud Data Loss Prevention with cryptographic hashing
- D. Cloud Key Management Service
- E. Cloud Data Loss Prevention with deterministic encryption using AES-SIV
Answer: B,E
NEW QUESTION # 109
A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs.
What should you do?
- A. Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.
- B. Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.
- C. Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.
- D. Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.
Answer: D
NEW QUESTION # 110
You have numerous private virtual machines on Google Cloud. You occasionally need to manage the servers through Secure Socket Shell (SSH) from a remote location. You want to configure remote access to the servers in a manner that optimizes security and cost efficiency.
What should you do?
- A. Create a jump host instance with a public IP. Manage the instances by connecting through the jump host.
- B. Create a site-to-site VPN from your corporate network to Google Cloud.
- C. Create a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range. Grant the role of IAP-secured Tunnel User to the administrators.
- D. Configure server instances with public IP addresses. Create a firewall rule to only allow traffic from your corporate IPs.
Answer: C
NEW QUESTION # 111
You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?
- A. Google Cloud Armor's preconfigured rules in preview mode
- B. Cloud Load Balancing firewall rules
- C. VPC Service Controls in dry run mode
- D. The inherent protections of Google Front End (GFE)
- E. Prepopulated VPC firewall rules in monitor mode
Answer: A
Explanation:
Reference:
You can preview the effects of a rule without enforcing it. In preview mode, actions are noted in Cloud Monitoring. You can choose to preview individual rules in a security policy, or you can preview every rule in the policy. https://cloud.google.com/armor/docs/security-policy-overview#preview_mode
NEW QUESTION # 112
A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE).
How should the DevOps team accomplish this?
- A. Configure containers to automatically upgrade when the base image is available in Container Registry.
- B. Update the application code or apply a patch, build a new image, and redeploy it.
- C. Use Puppet or Chef to push out the patch to the running container.
- D. Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
Answer: B
Explanation:
https://cloud.google.com/containers/security
Containers are meant to be immutable, so you deploy a new image in order to make changes. You can simplify patch management by rebuilding your images regularly, so the patch is picked up the next time a container is deployed. Get the full picture of your environment with regular image security reviews.
NEW QUESTION # 113
Your company's Chief Information Security Officer (CISO) creates a requirement that business data must be stored in specific locations due to regulatory requirements that affect the company's global expansion plans. After working on the details to implement this requirement, you determine the following:
The services in scope are included in the Google Cloud Data Residency Terms.
The business data remains within specific locations under the same organization.
The folder structure can contain multiple data residency locations.
You plan to use the Resource Location Restriction organization policy constraint. At which level in the resource hierarchy should you set the constraint?
- A. Folder
- B. Organization
- C. Resource
- D. Project
Answer: D
Explanation:
https://cloud.google.com/resource-manager/docs/organization-policy/defining-locations
NEW QUESTION # 114
A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in BigQuery.
What technique should the institution use?
- A. Customer-supplied encryption keys (CSEK).
- B. Use a Cloud Hardware Security Module (Cloud HSM).
- C. Customer-managed encryption keys (CMEK).
- D. Use Cloud Storage as a federated Data Source.
Answer: C
Explanation:
Reference:
https://cloud.google.com/bigquery/docs/encryption-at-rest
NEW QUESTION # 115
You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive data. Your solution has the following requirements:
Schedule key rotation for sensitive data.
Control which region the encryption keys for sensitive data are stored in.
Minimize the latency to access encryption keys for both sensitive and non-sensitive data.
What should you do?
- A. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.
- B. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
- C. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.
- D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
Answer: A
Explanation:
Google uses a common cryptographic library, Tink, which incorporates our FIPS 140-2 Level 1 validated module, BoringCrypto, to implement encryption consistently across almost all Google Cloud products. To retain the flexibility of controlling key residency and the rotation schedule, use Google-provided keys for non-sensitive data and encrypt sensitive data with Cloud Key Management Service.
NEW QUESTION # 116
A company's application is deployed with a user-managed Service Account key. You want to use Google-recommended practices to rotate the key.
What should you do?
- A. Create a new key, and use the new key in the application. Store the old key on the system as a backup key.
- B. Create a new key, and use the new key in the application. Delete the old key from the Service Account.
- C. Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam-account=IAM_ACCOUNT --key=NEW_KEY.
- D. Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam-account=IAM_ACCOUNT.
Answer: B
Explanation:
You can rotate a key by creating a new key, updating applications to use the new key, and deleting the old key. Use the serviceAccount.keys.create() method and serviceAccount.keys.delete() method together to automate the rotation.
NEW QUESTION # 117
A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can only be accessed by someone on the corporate network. The customer wants to make it available over the internet. Your team requires an authentication layer in front of the application that supports two-factor authentication. Which GCP product should the customer implement to meet these requirements?
- A. Cloud VPN
- B. Cloud Identity-Aware Proxy
- C. Cloud Endpoints
- D. Cloud Armor
Answer: B
Explanation:
Cloud IAP is integrated with Google Sign-in, for which multi-factor authentication can be enabled.
https://cloud.google.com/iap/docs/concepts-overview
NEW QUESTION # 118
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.
Which cost reduction options should you recommend?
- A. Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.
- B. Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
- C. Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
- D. Use FindingLimits and TimespanConfig to sample data and minimize transformation units.
Answer: B
Explanation:
https://cloud.google.com/dlp/docs/inspecting-storage#sampling
https://cloud.google.com/dlp/docs/best-practices-
NEW QUESTION # 119
Which two security characteristics are related to the use of VPC peering to connect two VPC networks? (Choose two.)
- A. Ability to share specific subnets across peered networks
- B. Non-transitive peered networks; where only directly peered networks can communicate
- C. Ability to peer networks that belong to different Google Cloud Platform organizations
- D. Firewall rules that can be created with a tag from one peered network to another peered network
- E. Central management of routes, firewalls, and VPNs for peered networks
Answer: D,E
NEW QUESTION # 120
You need to audit the network segmentation for your Google Cloud footprint. You currently operate Production and Non-Production infrastructure-as-a-service (IaaS) environments. All your VM instances are deployed without any service account customization.
After observing the traffic in your custom network, you notice that all instances can communicate freely - despite tag-based VPC firewall rules in place to segment traffic properly - with a priority of 1000. What are the most likely reasons for this behavior?
- A. A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999.
- B. All VM instances are configured with the same network route.
- C. All VM instances are missing the respective network tags.
- D. All VM instances are residing in the same network subnet.
- E. A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 1001.
Answer: A,C
NEW QUESTION # 121
A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs.
What should you do?
- A. Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.
- B. Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.
- C. Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.
- D. Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.
Answer: A
Explanation:
https://cloud.google.com/logging/docs/logs-based-metrics/
NEW QUESTION # 122
Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization. How should you enforce this?
- A. Enable an organization policy to prevent service account keys from being created.
- B. Configure Secret Manager to manage service account keys.
- C. Remove the iam.serviceAccounts.getAccessToken permission from users.
- D. Enable an organization policy to disable service accounts from being created.
Answer: A
NEW QUESTION # 123
A company migrated their entire data center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time.
What should you do?
- A. Use Resource Manager on the organization level.
- B. Use Stackdriver to create a dashboard across all projects.
- C. Use Security Command Center to view all assets across the organization.
- D. Use Forseti Security to automate inventory snapshots.
Answer: D
Explanation:
Only Forseti Security can have both 'past' and 'present' (i.e. historical) records of the resources.
https://forsetisecurity.org/about/
NEW QUESTION # 124
You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?
- A. Add the service project where the Compute Engine instances reside to the service perimeter.
- B. Add the host project containing the Shared VPC to the service perimeter.
- C. Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.
- D. Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.
Answer: C
NEW QUESTION # 125
A customer deployed an application on Compute Engine that takes advantage of the elastic nature of cloud computing.
How can you work with Infrastructure Operations Engineers to best ensure that Windows Compute Engine VMs are up to date with all the latest OS patches?
- A. Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).
- B. Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.
- C. Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.
- D. Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.
Answer: B
Explanation:
Compute Engine doesn't automatically update the OS or the software on your deployed instances. You will need to patch or update your deployed Compute Engine instances when necessary. However, in the cloud it is not recommended that you patch or update individual running instances. Instead it is best to patch the image that was used to launch the instance and then replace each affected instance with a new copy.
NEW QUESTION # 126
Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?
- A. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project. 2. Process Cloud Storage objects in SIEM.
- B. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
- C. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
- D. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project. 2. Process Cloud Storage objects in SIEM.
Answer: A
NEW QUESTION # 127
Your organization is using Active Directory and wants to configure Security Assertion Markup Language (SAML). You must set up and enforce single sign-on (SSO) for all users.
What should you do?
- A. 1. Manage SAML profile assignments. 2. Enable OpenID Connect (OIDC) in your Active Directory (AD) tenant. 3. Verify the domain.
- B. 1. Configure prerequisites for OpenID Connect (OIDC) in your Active Directory (AD) tenant. 2. Verify the AD domain. 3. Decide which users should use SAML. 4. Assign the pre-configured profile to the selected organizational units (OUs) and groups.
- C. 1. Create a new SAML profile. 2. Upload the X.509 certificate. 3. Enable the change password URL. 4. Configure Entity ID and ACS URL in your IdP.
- D. 1. Create a new SAML profile. 2. Populate the sign-in and sign-out page URLs. 3. Upload the X.509 certificate. 4. Configure Entity ID and ACS URL in your IdP.
Answer: D
Explanation:
When configuring SAML-based Single Sign-On (SSO) in an organization that's using Active Directory, the general steps would involve setting up a SAML profile, specifying the necessary URLs for sign-in and sign-out processes, uploading an X.509 certificate for secure communication, and setting up the Entity ID and Assertion Consumer Service (ACS) URL in the Identity Provider (which in this case would be Active Directory).
NEW QUESTION # 128
A large e-retailer is moving to Google Cloud Platform with its ecommerce website. The company wants to ensure payment information is encrypted between the customer's browser and GCP when the customers checkout online.
What should they do?
- A. Configure the firewall to allow inbound traffic on port 443, and block all other inbound traffic.
- B. Configure an SSL Certificate on a Network TCP Load Balancer and require encryption.
- C. Configure the firewall to allow outbound traffic on port 443, and block all other outbound traffic.
- D. Configure an SSL Certificate on an L7 Load Balancer and require encryption.
Answer: D
NEW QUESTION # 129
Professional-Cloud-Security-Engineer dumps review - Professional Quiz Study Materials: https://www.pass4training.com/Professional-Cloud-Security-Engineer-pass-exam-training.html
Professional-Cloud-Security-Engineer Test Prep Training Practice Exam Questions Practice Tests: https://drive.google.com/open?id=1_5OqMCoge7gYM8md0rRm-6elOHSq7B0Q

