Google Professional Cloud Security Engineer Exam Questions with 100% Correct Verified Answers
A company allows every employee to use Google Cloud Platform. Each department has
a Google Group, with all department members as group members. If a department
member creates a new project, all members of that department should automatically
have read-only access to all new project resources. Members of any other department
should not have access to the project. You need to configure this behavior. What
should you do to meet these requirements? - Answer Create a Folder per department
under the Organization. For each department's Folder, assign the Project Viewer role to
the Google Group related to that department.
A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK). How should the team complete this task? - Answer Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
A customer has 300 engineers. The company wants to grant different levels of access
and efficiently manage IAM permissions between users in the development and
production environment projects. Which two steps should the company take to meet
these requirements? (Choose two.) - Answer Create a folder for each development
and production environment.
Create an Organizational Policy constraint for each folder environment.
You want to evaluate your organization's Google Cloud instance for PCI compliance. You need to identify Google's inherent controls. Which document should you review to find the information? - Answer Google Cloud Platform: Customer Responsibility Matrix
Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services. Which two settings must remain disabled to meet these requirements? (Choose two.) - Answer Public IP
Private Google Access
Which two implied firewall rules are defined on a VPC network? - Answer A rule that
allows all outbound connections
A rule that denies all inbound connections
A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system. How should the customer achieve this using Google Cloud Platform? - Answer Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.
Your team wants to centrally manage GCP IAM permissions from their on-premises
Active Directory Service. Your team wants to manage permissions by AD group
membership. What should your team do to meet these requirements? - Answer Set up
Cloud Directory Sync to sync groups, and set IAM permissions on the groups.
When creating a secure container image, which two items should you incorporate
into the build if possible? (Choose two.) - Answer Package a single app as a container.
Remove any unnecessary tools not needed by the app.
A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end-user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection. Which product should be used to meet these requirements? - Answer Cloud Armor
A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project. Which two approaches can you take to meet the requirements? (Choose two.) - Answer Configure the project with Cloud VPN
Configure the project with Cloud Interconnect.
A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity-Aware Proxy. What should the customer do to meet these requirements? - Answer Make sure that the ERP system can validate the JWT assertion in the HTTP requests.
A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs. What should you do? - Answer Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.
Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization. Which logging export strategy should you use to meet the requirements? - Answer 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project. 2. Process Cloud Storage objects in SIEM.
A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack. Which solution should this customer use? - Answer DNS Security Extensions
A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities. Which service should be used to accomplish this? - Answer Web Security Scanner
A customer's data science group wants to use Google Cloud Platform (GCP) for their
analytics workloads. Company policy dictates that all data must be company-owned
and all user authentications must go through their own Security Assertion Markup
Language (SAML) 2.0 Identity Provider (IdP). The Infrastructure Operations Systems
Engineer was trying to set up Cloud Identity for the customer and realized that their
domain was already being used by G Suite. How should you best advise the Systems
Engineer to proceed with the least disruption? - Answer Ask customer's management to
discover any other uses of Google managed services, and work with the existing Super
Administrator.
A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects. Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources. Which type of access should your team grant to meet this requirement? - Answer Organization Administrator
An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege. Which option meets the requirement of your team? - Answer Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.