
The Best Valid Professional-Cloud-Security-Engineer Dumps for Helping Passing Professional-Cloud-Security-Engineer Exam!
UPDATED Google Professional-Cloud-Security-Engineer Exam Questions & Answer
The Google Professional-Cloud-Security-Engineer exam is a challenging and comprehensive certification exam that requires a deep understanding of cloud security principles and GCP services. Earning this certification is a testament to a security engineer's expertise in securing GCP environments and demonstrates a commitment to continuous learning and professional growth in the field of cloud security.
The Google Professional-Cloud-Security-Engineer Certification Exam is a rigorous and comprehensive exam that tests the knowledge and skills of professionals responsible for securing cloud-based applications and infrastructure in the Google Cloud environment. It is a globally recognized certification that can help professionals advance their careers in cloud security and demonstrate their expertise in the field.
NEW QUESTION # 54
A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.
Which two approaches can you take to meet the requirements? (Choose two.)
- A. Configure the project with Cloud Interconnect.
- B. Configure all Compute Engine instances with Private Access.
- C. Configure the project with Shared VPC.
- D. Configure the project with VPC peering.
- E. Configure the project with Cloud VPN.
Answer: A,E
Explanation:
Cloud VPN and Cloud Interconnect are the two hybrid connectivity products that extend the private company network into the VPC, so Compute Engine instances reach the server-room workloads without traversing the public internet. Private Google Access (B) only lets VMs without external IPs reach Google APIs, and VPC peering (D) and Shared VPC (C) connect VPC networks to each other, not to an on-premises network.
Reference: https://cloud.google.com/solutions/secure-data-workloads-use-cases
NEW QUESTION # 55
A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).
How should the team complete this task?
- A. Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
- B. Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
- C. Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
- D. Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.
Answer: B
Explanation:
With customer-supplied encryption keys the caller sends the raw AES-256 key with every request; Cloud Storage encrypts the object server-side with that key and retains only a SHA-256 hash of it, so a lost key makes the object unrecoverable. gsutil takes the key through the encryption_key boto option (gsutil -o GSUtil:encryption_key=... cp ...), and gcloud storage takes it through --encryption-key. Option D describes client-side encryption, not CSEK, and the Console does not generate or accept a CSEK (A, C).
https://cloud.google.com/storage/docs/encryption/customer-supplied-keys
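The following is an added example, not part of the original question set or of Google's documentation: it generates a CSEK, builds the three request headers the Cloud Storage XML/JSON APIs expect for a customer-supplied key, and prints the equivalent gsutil invocation. The file and bucket names are assumed for illustration.

```python
import base64
import hashlib
import os
import shlex


def make_csek() -> str:
    """Generate a fresh 256-bit AES key, base64-encoded as CSEK expects it."""
    return base64.b64encode(os.urandom(32)).decode("ascii")


def decode_key(key_b64: str) -> bytes:
    """Decode a CSEK and enforce the AES-256 length requirement (32 raw bytes)."""
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != 32:
        raise ValueError("CSEK must be exactly 32 bytes (AES-256)")
    return raw


def csek_headers(key_b64: str) -> dict:
    """Headers that attach a customer-supplied key to a Cloud Storage API request.

    Cloud Storage keeps only the SHA-256 hash (the third header) to verify later
    requests, so every read or metadata update must resend the key itself.
    """
    raw = decode_key(key_b64)
    digest = base64.b64encode(hashlib.sha256(raw).digest()).decode("ascii")
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": key_b64,
        "x-goog-encryption-key-sha256": digest,
    }


def gsutil_upload_command(key_b64: str, local_path: str, gs_uri: str) -> str:
    """Equivalent gsutil call: the key is passed as a boto option for this invocation only.

    (gcloud storage cp --encryption-key=KEY does the same.) The key never lands in the
    bucket, which is the mistake option A describes.
    """
    decode_key(key_b64)
    opt = shlex.quote("GSUtil:encryption_key=" + key_b64)
    return f"gsutil -o {opt} cp {shlex.quote(local_path)} {shlex.quote(gs_uri)}"


if __name__ == "__main__":
    key = make_csek()
    for name, value in csek_headers(key).items():
        print(f"{name}: {value}")
    # Assumed file and bucket names, for illustration only.
    print(gsutil_upload_command(key, "contracts.tar", "gs://example-bucket/contracts.tar"))
```

Keep the base64 key in your own key store: because Google holds only the hash, rotating a CSEK means downloading and re-uploading (or rewriting) every object with the new key.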
NEW QUESTION # 56
A company migrated their entire data center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time.
What should you do?
- A. Use Forseti Security to automate inventory snapshots.
- B. Use Resource Manager on the organization level.
- C. Use Stackdriver to create a dashboard across all projects.
- D. Use Security Command Center to view all assets across the organization.
Answer: A
Explanation:
Of the four options, only Forseti Security took periodic inventory snapshots, which is what gives both past and present (i.e. historical) records of the resources; Security Command Center, Resource Manager and Stackdriver show current state only. https://forsetisecurity.org/about/
Note that the Forseti project has since been archived; on current Google Cloud the same need is met by Cloud Asset Inventory, which keeps a 35-day asset history and can export snapshots to BigQuery for longer retention.
NEW QUESTION # 57
You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account.
What should you do?
- A. Query Stackdriver Monitoring Workspace.
- B. Query Admin Activity logs.
- C. Query Access Transparency logs.
- D. Query Data Access logs.
Answer: B
Explanation:
Admin Activity logs are always written (they cannot be disabled) and record API calls or other actions that modify the configuration or metadata of resources. For example, they record when a principal creates VM instances or changes Identity and Access Management permissions. Each entry names the calling principal in protoPayload.authenticationInfo.principalEmail and, for service accounts, the specific key used in protoPayload.authenticationInfo.serviceAccountKeyName, which lets you scope the audit to the one compromised key.
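As an added example (not part of the original question set), the audit below builds the Logs Explorer filter for a compromised service-account key and then applies the same selection to a handful of constructed Admin Activity entries, keeping only successful create-type calls made with that principal or key. The project, account and key identifiers are made up.

```python
# Constructed identifiers: none of these refer to a real project or key.
COMPROMISED_SA = "ci-deploy@example-prj.iam.gserviceaccount.com"
KEY_PREFIX = "//iam.googleapis.com/projects/example-prj/serviceAccounts/" + COMPROMISED_SA + "/keys/"
COMPROMISED_KEY = KEY_PREFIX + "0a1b2c3d"
OTHER_KEY = KEY_PREFIX + "ffee9988"
ACTIVITY_LOG = "projects/example-prj/logs/cloudaudit.googleapis.com%2Factivity"
DATA_ACCESS_LOG = "projects/example-prj/logs/cloudaudit.googleapis.com%2Fdata_access"


def entry(ts, method, resource, principal, key=None, log=ACTIVITY_LOG, status_code=0):
    """Build a trimmed audit log entry containing only the fields the audit reads."""
    auth = {"principalEmail": principal}
    if key:
        auth["serviceAccountKeyName"] = key
    payload = {"methodName": method, "resourceName": resource, "authenticationInfo": auth}
    if status_code:
        payload["status"] = {"code": status_code}  # non-zero means the call failed
    return {"logName": log, "timestamp": ts, "protoPayload": payload}


# Constructed sample entries shaped like Cloud Audit Logs JSON.
SAMPLE_ENTRIES = [
    entry("2024-05-01T10:02:11Z", "v1.compute.instances.insert",
          "projects/example-prj/zones/us-central1-a/instances/miner-01", COMPROMISED_SA, COMPROMISED_KEY),
    entry("2024-05-01T10:03:02Z", "SetIamPolicy", "projects/example-prj", COMPROMISED_SA, COMPROMISED_KEY),
    entry("2024-05-01T10:05:40Z", "storage.buckets.create",
          "projects/_/buckets/exfil-example-prj", COMPROMISED_SA, OTHER_KEY),
    entry("2024-05-01T10:06:15Z", "google.iam.admin.v1.CreateServiceAccountKey",
          "projects/-/serviceAccounts/admin-sa@example-prj.iam.gserviceaccount.com",
          COMPROMISED_SA, COMPROMISED_KEY, status_code=7),          # PERMISSION_DENIED
    entry("2024-05-01T09:00:00Z", "v1.compute.instances.insert",
          "projects/example-prj/zones/us-central1-a/instances/web-01", "alice@example.com"),
    entry("2024-05-01T10:07:00Z", "storage.objects.get",
          "projects/_/buckets/customer-data/objects/export.csv",
          COMPROMISED_SA, COMPROMISED_KEY, log=DATA_ACCESS_LOG),     # a read, not a creation
]


def logging_filter(sa_email, key_name=None):
    """Filter string for gcloud logging read / Logs Explorer scoped to the principal and key."""
    parts = [
        'logName:"cloudaudit.googleapis.com%2Factivity"',
        f'protoPayload.authenticationInfo.principalEmail="{sa_email}"',
    ]
    if key_name:
        parts.append(f'protoPayload.authenticationInfo.serviceAccountKeyName="{key_name}"')
    return " AND ".join(parts)


def is_create(method_name):
    """Create-type methods end in insert/create (compute, storage) or CreateXxx (IAM, etc.)."""
    last = method_name.rsplit(".", 1)[-1].lower()
    return last.startswith(("insert", "create"))


def created_resources(entries, sa_email, key_name=None):
    """(timestamp, method, resource) for successful creations by the principal (and key, if given)."""
    hits = []
    for e in entries:
        if "cloudaudit.googleapis.com%2Factivity" not in e.get("logName", ""):
            continue  # Data Access entries record reads, not resource creation
        p = e.get("protoPayload", {})
        auth = p.get("authenticationInfo", {})
        if auth.get("principalEmail") != sa_email:
            continue
        if key_name and auth.get("serviceAccountKeyName") != key_name:
            continue
        if p.get("status", {}).get("code", 0) != 0:
            continue  # denied or failed calls created nothing
        if not is_create(p.get("methodName", "")):
            continue
        hits.append((e["timestamp"], p["methodName"], p.get("resourceName")))
    return sorted(hits)


if __name__ == "__main__":
    print(logging_filter(COMPROMISED_SA, COMPROMISED_KEY))
    for ts, method, resource in created_resources(SAMPLE_ENTRIES, COMPROMISED_SA):
        print(ts, method, resource)
```

Run the unscoped query as well as the key-scoped one: in the sample, the bucket was created with a second key of the same account, which a key-only filter would miss. Also review the SetIamPolicy entry separately; it created no resource, but it may have created persistence.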
NEW QUESTION # 58
A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?
- A. Use Cloud Build to build the container images.
- B. Use a Continuous Delivery tool to deploy the application.
- C. Delete non-used versions from Container Registry.
- D. Build small containers using small base images.
Answer: D
Explanation:
Small base images (for example distroless or Alpine-based images) ship fewer packages, libraries and shells, so the running container exposes fewer components that can carry exploitable vulnerabilities. The other options concern how images are built, deployed or cleaned up, not the attack surface of the container itself.
https://cloud.google.com/solutions/best-practices-for-building-containers
NEW QUESTION # 59
You want to make sure that your organization's Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all Cloud Storage buckets. What should you do?
- A. Remove Owner roles from end users, and configure Cloud Data Loss Prevention.
- B. Remove *.setIamPolicy permissions from all roles, and enforce domain restricted sharing in an organization policy.
- C. Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.
- D. Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.
Answer: D
Explanation:
Uniform bucket-level access disables object ACLs, so the bucket IAM policy is the only place public access can be granted; domain restricted sharing (constraints/iam.allowedPolicyMemberDomains) then rejects new bindings for allUsers, allAuthenticatedUsers and identities outside your Cloud Identity customer IDs. Note that the constraint is not retroactive: bindings that already exist must be found and removed. On current Google Cloud the dedicated control for this requirement is the public access prevention organization policy (constraints/storage.publicAccessPrevention).
- Uniform bucket-level access: https://cloud.google.com/storage/docs/uniform-bucket-level-access#should-you-use
- Domain Restricted Sharing: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#public_data_s
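Because domain restricted sharing does not remove bindings that already exist, a practitioner still needs to find them. The code below is an added example, not part of the original question set: it scans a constructed bucket IAM policy for public principals and for members outside an allowed domain set (a local approximation of what the org policy would reject; the real constraint evaluates Cloud Identity customer IDs rather than e-mail domains) and produces the cleaned-up policy. Bucket, group and user names are made up.

```python
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed bucket IAM policy in the dict form returned by the JSON API.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers", "group:analysts@example.com"]},
        {"role": "roles/storage.admin",
         "members": ["user:admin@example.com",
                     "serviceAccount:logs-writer@example-prj.iam.gserviceaccount.com"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["user:contractor@partner.example.org"]},
    ],
}


def public_bindings(policy):
    """(role, member) pairs that make the bucket readable or writable by the whole internet."""
    return [(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])
            if m in PUBLIC_PRINCIPALS]


def outside_domain_members(policy, allowed_domains):
    """(role, member) pairs a domain restriction would reject: public principals plus
    user:/group:/domain: members outside allowed_domains. serviceAccount: and other
    member kinds are skipped here; the real constraint maps them to their owning org."""
    hits = []
    for b in policy.get("bindings", []):
        for m in b.get("members", []):
            if m in PUBLIC_PRINCIPALS:
                hits.append((b["role"], m))
                continue
            kind, _, ident = m.partition(":")
            if kind in ("user", "group"):
                domain = ident.rsplit("@", 1)[-1]
            elif kind == "domain":
                domain = ident
            else:
                continue
            if domain not in allowed_domains:
                hits.append((b["role"], m))
    return hits


def remediated_policy(policy, allowed_domains):
    """Copy of the policy with offending members stripped; bindings left empty are dropped.
    This is the cleanup the org policy does not do for existing bindings."""
    bad = {m for _, m in outside_domain_members(policy, allowed_domains)}
    bindings = []
    for b in policy.get("bindings", []):
        keep = [m for m in b.get("members", []) if m not in bad]
        if keep:
            bindings.append({"role": b["role"], "members": keep})
    fixed = dict(policy)
    fixed["bindings"] = bindings
    return fixed


if __name__ == "__main__":
    for role, member in outside_domain_members(SAMPLE_POLICY, {"example.com"}):
        print("remove", member, "from", role)
    print(remediated_policy(SAMPLE_POLICY, {"example.com"}))
```

With uniform bucket-level access enforced, this IAM scan is sufficient; without it, object ACLs would also have to be walked, which is the main reason the exam pairs the two settings.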
NEW QUESTION # 60
Which Identity-Aware Proxy role should you grant to an Identity and Access Management (IAM) user to access HTTPS resources?
- A. IAP-Secured Tunnel User
- B. IAP-Secured Web App User
- C. Service Broker Operator
- D. Security Reviewer
Answer: B
Explanation:
IAP-Secured Web App User (roles/iap.httpsResourceAccessor) grants access to HTTPS resources behind Identity-Aware Proxy. IAP-Secured Tunnel User (roles/iap.tunnelResourceAccessor) is for IAP TCP forwarding, such as SSH or RDP to instances without external IPs.
NEW QUESTION # 61
Your organization's customers must scan and upload the contract and their driver's license into a web portal in Cloud Storage. You must remove all personally identifiable information (PII) from files that are older than 12 months. Also, you must archive the anonymized files for retention purposes.
What should you do?
- A. Schedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys of the Cloud Storage files containing PII to de-identify them. Delete the original keys.
- B. Configure the Autoclass feature of the Cloud Storage bucket to de-identify PII. Archive the files that are older than 12 months. Delete the original files.
- C. Create a Cloud Data Loss Prevention (DLP) inspection job that de-identifies PII in files created more than 12 months ago and archives them to another Cloud Storage bucket. Delete the original files.
- D. Set a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PII and moves the files to the archive storage class.
Answer: C
NEW QUESTION # 62
Your organization has implemented synchronization and SAML federation between Cloud Identity and Microsoft Active Directory. You want to reduce the risk of Google Cloud user accounts being compromised. What should you do?
- A. Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with verification codes via text or phone call in the Google Admin console.
- B. Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with security keys in the Google Admin console.
- C. Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with verification codes via text or phone call in the Google Admin console.
- D. Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with security keys in the Google Admin console.
Answer: B
Explanation:
Reference:
"We recommend against using text messages. The National Institute of Standards and Technology (NIST) no longer recommends SMS-based 2SV due to the hijacking risk from state-sponsored entities."
NEW QUESTION # 63
Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application. The solution has the following requirements:
Scans must run at least once per week
Must be able to detect cross-site scripting vulnerabilities
Must be able to authenticate using Google accounts
Which solution should you use?
- A. Security Health Analytics
- B. Container Threat Detection
- C. Google Cloud Armor
- D. Web Security Scanner
Answer: D
Explanation:
Reference:
Web Security Scanner identifies security vulnerabilities in your App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications. https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview
NEW QUESTION # 64
You have defined subnets in a VPC within Google Cloud Platform. You need multiple projects to create Compute Engine instances with IP addresses from these subnets. What should you do?
- A. Use Shared VPC to share the subnets with the other projects.
- B. Change the VPC subnets to enable private Google access.
- C. Configure Cloud VPN between the projects.
- D. Set up VPC peering between all related projects.
Answer: A
Explanation:
C is not correct because Cloud VPN between projects only routes traffic between networks; it does not let another project create instances on your subnets.
D is not correct because VPC peering allows traffic between the two networks, but the peered networks remain administratively separate and each project still needs its own subnets.
B is not correct because Private Google Access lets VMs without external IPs reach Google APIs; it has no bearing on which project can create instances on a subnet.
A is correct because Shared VPC lets a host project share its subnets with service projects, keeping network administration in the host project while service projects create VMs with IPs from those subnets.
https://cloud.google.com/vpc/docs/shared-vpc
https://cloud.google.com/vpc/docs/vpc-peering
NEW QUESTION # 65
You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google-recommended practices.
What should you do?
- A. Create a new Service account, and give all application users the role of Service Account User.
- B. Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.
- C. Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.
- D. Use a dedicated G Suite Admin account, and authenticate the application's operations with these G Suite credentials.
Answer: B
Explanation:
Domain-wide delegation lets the service account obtain tokens for a Workspace user and call the Drive API on that user's behalf, so the application never handles the user's own credentials. The Service Account User role (A, C) lets principals act as the service account, which is the opposite direction, and a shared admin account (D) is a standing credential rather than delegated, auditable access.
NEW QUESTION # 66
A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?
- A. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.
- B. Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.
- C. On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.
- D. On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.
Answer: A
Explanation:
Object Lifecycle Management acts on object metadata such as age, storage class and version count, not on content, so C cannot tell a log with PII from a clean one. Cloud Storage triggers fire on object events (finalize, delete, archive), not on content, so D cannot be "only triggered when PII data is uploaded". Option B deletes from the shared bucket but leaves the clean copy in the admin bucket as well. Option A inspects each upload with the DLP API and moves matches to the administrator-only bucket.
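The routing decision that function makes, as an added example that is not part of the original question set or of any Google sample: a small regex inspector stands in for the DLP inspect_content call so the code runs offline, and the bucket names and log lines are constructed for illustration.

```python
import re

# Assumed bucket names, for illustration only.
SHARED_BUCKET = "app-logs-shared"
ADMIN_BUCKET = "app-logs-pii-admin"

# Stand-in for DLP. In the deployed function this would be
#   dlp_v2.DlpServiceClient().inspect_content(request={"parent": ..., "inspect_config":
#       {"info_types": [{"name": "EMAIL_ADDRESS"}, {"name": "US_SOCIAL_SECURITY_NUMBER"}]},
#       "item": {"value": text}})
# and the info types would be read from response.result.findings.
PATTERNS = {
    "EMAIL_ADDRESS": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "US_SOCIAL_SECURITY_NUMBER": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def regex_inspector(text):
    """Return the sorted list of info types found in text (empty when the text is clean)."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))


def route_upload(object_name, content, inspect=regex_inspector):
    """Decision for one google.storage.object.finalize event on the shared bucket:
    PII present -> move the object to the admin-only bucket; otherwise leave it."""
    found = inspect(content)
    source = f"gs://{SHARED_BUCKET}/{object_name}"
    if found:
        return {"action": "move", "source": source,
                "destination": f"gs://{ADMIN_BUCKET}/{object_name}", "info_types": found}
    return {"action": "keep", "source": source, "destination": source, "info_types": []}


# Constructed sample log files.
CLEAN_LOG = "\n".join([
    "2024-05-01T10:00:00Z GET /healthz 200 3ms client=10.0.0.5",
    "2024-05-01T10:00:01Z GET /api/items 200 41ms client=10.0.0.7",
])
PII_LOG = "\n".join([
    "2024-05-01T10:00:05Z POST /signup 201 user=jane.doe@example.com",
    "2024-05-01T10:00:06Z POST /kyc 200 ssn=123-45-6789 status=verified",
])

if __name__ == "__main__":
    print(route_upload("app-2024-05-01a.log", CLEAN_LOG))
    print(route_upload("app-2024-05-01b.log", PII_LOG))
```

One caveat a practitioner should weigh: the object is readable by analysts in the shared bucket for the seconds between upload and function execution. Google's reference design for this pattern lands uploads in a quarantine bucket first and has the function move each object to the shared or the restricted bucket, which closes that window.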
NEW QUESTION # 67
A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet.
How should this be accomplished?
- A. Create a firewall rule to block internet traffic from the VM.
- B. Mount a Cloud Storage bucket as a local filesystem on every VM.
- C. Enable Private Google Access on the VPC.
- D. Provision a NAT Gateway to access the Cloud Storage API endpoint.
Answer: C
Explanation:
Private Google Access lets VMs that have no external IP address reach Google APIs and services, including storage.googleapis.com, over Google's network, so no NAT gateway (D) or internet route is needed. It is enabled per subnet, not per VPC, so every subnet hosting the batch VMs must have it switched on. A firewall rule (A) blocks the internet but also blocks the bucket, and mounting the bucket (B) still needs a network path to the API.
https://cloud.google.com/vpc/docs/private-google-access
NEW QUESTION # 68
A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this attack recurs.
What should you do?
- A. Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.
- B. Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.
- C. Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.
- D. Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.
Answer: C
Explanation:
A logs-based metric counts the script executions from the log entries, which is the only option that measures the actual attack rather than a side effect such as CPU (B). Note that a dashboard by itself notifies no one: to be paged, attach an alerting policy with a notification channel to the logs-based metric. Option A's Process Health condition watches the number of running processes matching a pattern, not executions of a script, and D reports after the fact from a scheduled query.
https://cloud.google.com/logging/docs/logs-based-metrics/
NEW QUESTION # 69
You are deploying regulated workloads on Google Cloud. The regulation has data residency and data access requirements. It also requires that support is provided from the same geographical location as where the data resides.
What should you do?
- A. Deploy resources only to regions permitted by data residency requirements
- B. Enable Access Transparency Logging.
- C. Deploy Assured Workloads.
- D. Use Data Access logging and Access Transparency logging to confirm that no users are accessing data from another region.
Answer: C
Explanation:
Assured Workloads for Google Cloud allows you to deploy regulated workloads with data residency, access, and support requirements. It helps you configure your environment in a manner that aligns with specific compliance frameworks and standards.
NEW QUESTION # 70
A company's application is deployed with a user-managed Service Account key. You want to use Google-recommended practices to rotate the key.
What should you do?
- A. Create a new key, and use the new key in the application. Delete the old key from the Service Account.
- B. Create a new key, and use the new key in the application. Store the old key on the system as a backup key.
- C. Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam-account=IAM_ACCOUNT
- D. Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam-account=IAM_ACCOUNT --key=NEW_KEY
Answer: A
Explanation:
Rotation is: create the new key, switch the application to it, verify it works, then delete the old key. Keeping the old key on the system (B) leaves a second valid credential in place. The subcommands in C and D do not exist; the real commands are gcloud iam service-accounts keys create and gcloud iam service-accounts keys delete.
https://cloud.google.com/iam/docs/understanding-service-accounts
NEW QUESTION # 71
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior.
What should you do to meet these requirements?
- A. Create a Project per department under the Organization. For each department's Project, assign the Project Viewer role to the Google Group related to that department.
- B. Create a Folder per department under the Organization. For each department's Folder, assign the Project Browser role to the Google Group related to that department.
- C. Create a Folder per department under the Organization. For each department's Folder, assign the Project Viewer role to the Google Group related to that department.
- D. Create a Project per department under the Organization. For each department's Project, assign the Project Browser role to the Google Group related to that department.
Answer: C
Explanation:
https://cloud.google.com/iam/docs/understanding-roles#project-roles
NEW QUESTION # 72
You are designing a new governance model for your organization's secrets that are stored in Secret Manager.
Currently, secrets for Production and Non-Production applications are stored and accessed using service accounts. Your proposed solution must:
Provide granular access to secrets
Give you control over the rotation schedules for the encryption keys that wrap your secrets
Maintain environment separation
Provide ease of management
Which approach should you take?
- A. 1. Use a single Google Cloud project to store both Production and Non-Production secrets. 2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings. 3. Use customer-managed encryption keys to encrypt secrets.
- B. 1. Use separate Google Cloud projects to store Production and Non-Production secrets. 2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings. 3. Use customer-managed encryption keys to encrypt secrets.
- C. 1. Use a single Google Cloud project to store both Production and Non-Production secrets. 2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings. 3. Use Google-managed encryption keys to encrypt secrets.
- D. 1. Use separate Google Cloud projects to store Production and Non-Production secrets. 2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings. 3. Use Google-managed encryption keys to encrypt secrets.
Answer: B
Explanation:
Only customer-managed encryption keys give you control over the rotation schedule of the keys that wrap your secrets, which rules out C and D. Separate Production and Non-Production projects give environment separation, which rules out A. That leaves B. Note that secret-level IAM bindings, not project-level ones, are what actually provide granular access; none of the listed options combines them with CMEK and separate projects, so in practice you would bind roles/secretmanager.secretAccessor per secret within B's layout.
NEW QUESTION # 73
When working with agents in a support center via online chat, an organization's customers often share pictures of their documents with personally identifiable information (PII). The organization that owns the support center is concerned that the PII is being stored in their databases as part of the regular chat logs they retain for review by internal or external analysts for customer service trend analysis.
Which Google Cloud solution should the organization use to help resolve this concern for the customer while still maintaining data utility?
- A. Use Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.
- B. Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.
- C. Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.
- D. Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.
Answer: C
Explanation:
The customers share images, so the PII lives in pixels rather than text. The DLP API's image inspection and redaction returns a copy of the image with the matched regions blacked out, which removes the PII while keeping the rest of the document usable for trend analysis. Generalization and bucketing (B) are de-identification transformations for text and structured values, and encryption (A) or deletion (D) removes the data's utility for analysts.
Reference: https://cloud.google.com/dlp/docs/deidentify-sensitive-data
NEW QUESTION # 74