Month End Special 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sale65best

Achieve Success in the Google Professional-Cloud-Security-Engineer Exam: A Detailed Google Cloud Certified - Professional Cloud Security Engineer Guide

Questions 1

Your company has deployed an application on Compute Engine. The application is accessible by clients on port 587. You need to balance the load between the different instances running the application. The connection should be secured using TLS, and terminated by the Load Balancer.

What type of Load Balancing should you use?

Options:
A.

Network Load Balancing

B.

HTTP(S) Load Balancing

C.

TCP Proxy Load Balancing

D.

SSL Proxy Load Balancing

Google Professional-Cloud-Security-Engineer Premium Access
Questions 2

You are designing a new governance model for your organization's secrets that are stored in Secret Manager. Currently, secrets for Production and Non-Production applications are stored and accessed using service accounts. Your proposed solution must:

Provide granular access to secrets

Give you control over the rotation schedules for the encryption keys that wrap your secrets

Maintain environment separation

Provide ease of management

Which approach should you take?

Options:
A.

1. Use separate Google Cloud projects to store Production and Non-Production secrets.

2. Enforce access control to secrets using project-level identity and Access Management (IAM) bindings.

3. Use customer-managed encryption keys to encrypt secrets.

B.

1. Use a single Google Cloud project to store both Production and Non-Production secrets.

2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.

3. Use Google-managed encryption keys to encrypt secrets.

C.

1. Use separate Google Cloud projects to store Production and Non-Production secrets.

2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.

3. Use Google-managed encryption keys to encrypt secrets.

D.

1. Use a single Google Cloud project to store both Production and Non-Production secrets.

2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings.

3. Use customer-managed encryption keys to encrypt secrets.

Questions 3

Your company’s cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs. Which service should you use?

Options:
A.

Identity Aware-Proxy

B.

Cloud NAT

C.

TCP/UDP Load Balancing

D.

Cloud DNS

Questions 4

You want to use the gcloud command-line tool to authenticate using a third-party single sign-on (SSO) SAML identity provider. Which options are necessary to ensure that authentication is supported by the third-party identity provider (IdP)? (Choose two.)

Options:
A.

SSO SAML as a third-party IdP

B.

Identity Platform

C.

OpenID Connect

D.

Identity-Aware Proxy

E.

Cloud Identity

Questions 5

Your company must follow industry specific regulations. Therefore, you need to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources in the organization called org1.

What command should you execute?

Options:
A.

• organization policy: constraints/gcp.restrictStorageNonCraekServices

• binding at: orgl

• policy type: deny

• policy value: storage.gcogleapis.com

B.

• organization policy: constraints/gcp.restrictHonCmekServices

• binding at: orgl

• policy type: deny

• policy value: storage.googleapis.com

C.

• organization policy:constraints/gcp.restrictStorageNonCraekServices

• binding at: orgl

• policy type: allow

• policy value: all supported services

D.

• organization policy: constramts/gcp.restrictNonCmekServices

• binding at: orgl

• policy type: allow

• policy value: storage.googleapis.com

Questions 6

Your organization’s Google Cloud VMs are deployed via an instance template that configures them with a public IP address in order to host web services for external users. The VMs reside in a service project that is attached to a host (VPC) project containing one custom Shared VPC for the VMs. You have been asked to reduce the exposure of the VMs to the internet while continuing to service external users. You have already recreated the instance template without a public IP address configuration to launch the managed instance group (MIG). What should you do?

Options:
A.

Deploy a Cloud NAT Gateway in the service project for the MIG.

B.

Deploy a Cloud NAT Gateway in the host (VPC) project for the MIG.

C.

Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.

D.

Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend.

Questions 7

Your organization wants full control of the keys used to encrypt data at rest in their Google Cloud environments. Keys must be generated and stored outside of Google and integrate with many Google Services including BigQuery.

What should you do?

Options:
A.

Create a Cloud Key Management Service (KMS) key with imported key material Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.

B.

Create a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM) Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.

C.

Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module

(HSM) system from supported vendors.

D.

Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems Provide the raw CSEK as part of the API call.

Questions 8

You want to make sure that your organization’s Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all Cloud Storage buckets. What should you do?

Options:
A.

Remove Owner roles from end users, and configure Cloud Data Loss Prevention.

B.

Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.

C.

Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.

D.

Remove *.setIamPolicy permissions from all roles, and enforce domain restricted sharing in an organization policy.

Questions 9

You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?

Options:
A.

Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials.

B.

Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/iam.disableServiceAccountCreation organization policy at the project level.

C.

Create a custom service account for the cluster Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level.

D.

Create a custom service account for the cluster Enable the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.

Questions 10

An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.

Which GCP solution should the organization use?

Options:
A.

BigQuery using a data pipeline job with continuous updates via Cloud VPN

B.

Cloud Storage using a scheduled task and gsutil via Cloud Interconnect

C.

Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect

D.

Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN