Most Recent Google Professional-Cloud-Security-Engineer Exam Questions & Answers

Prepare for the Google Professional Cloud Security Engineer exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.

QA4Exam focus on the latest syllabus and exam objectives, our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, These Questions & Answers helps you cover all the essential topics, ensuring you're well-prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you to learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the Google Professional-Cloud-Security-Engineer exam and achieve success.

The questions for Professional-Cloud-Security-Engineer were last updated on Nov 21, 2024.

Viewing page 1 out of 47 pages.
Viewing questions 1-5 out of 233 questions

Get All 233 Questions & Answers

Question No. 1

You are the security admin of your company. Your development team creates multiple GCP projects under the "implementation" folder for several dev, staging, and production workloads. You want to prevent data exfiltration by malicious insiders or compromised code by setting up a security perimeter. However, you do not want to restrict communication between the projects.

What should you do?

AUse a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.

BCreate access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.

CUse an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the 'implementation' folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.

DUse an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the 'implementation' folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.

Show Answer

Correct Answer: C

https://cloud.google.com/vpc-service-controls/docs/overview#benefits

https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/tree/master/examples/automatic_folder

Question No. 2

Your Google Cloud environment has one organization node, one folder named Apps." and several projects within that folder The organizational node enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allows members from the terramearth.com organization The "Apps" folder enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allows members from the flowlogistic.com organization. It also has the inheritFromParent: false property.

You attempt to grant access to a project in the Apps folder to the user testuser@terramearth.com.

What is the result of your action and why?

AThe action fails because a constraints/iam.allowedPolicyMemberDomains organization policy must
be defined on the current project to deactivate the constraint temporarily.

BThe action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed.

CThe action succeeds because members from both organizations, terramearth. com or flowlogistic.com, are allowed on projects in the 'Apps' folder

DThe action succeeds and the new member is successfully added to the project's Identity and Access Management (1AM) policy because all policies are inherited by underlying folders and projects.

Show Answer

Correct Answer: B

The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed. The inheritFromParent: false property on the ''Apps'' folder means that it does not inherit the organization policy from the organization node. Therefore, only the policy set at the folder level applies, which allows only members from the flowlogistic.com organization. As a result, the attempt to grant access to the user testuser@terramearth.com fails because this user is not a member of the flowlogistic.com organization.

Question No. 3

You are backing up application logs to a shared Cloud Storage bucket that is accessible to both the administrator and analysts. Analysts should not have access to logs that contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible to the administrator. What should you do?

AUpload the logs to both the shared bucket and the bucket with Pll that is only accessible to the administrator. Use the Cloud Data Loss Prevention API to create a job trigger. Configure the trigger to delete any files that contain Pll from the shared bucket.

BOn the shared bucket, configure Object Lifecycle Management to delete objects that contain Pll.

COn the shared bucket, configure a Cloud Storage trigger that is only triggered when Pll is uploaded. Use Cloud Functions to capture the trigger and delete the files that contain Pll.

DUse Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect Pll, have the function move the objects into the shared Cloud Storage bucket.

Show Answer

Correct Answer: B

Question No. 4

An organization's typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review.

How should you advise this organization?

AUse Forseti with Firewall filters to catch any unwanted configurations in production.

BMandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.

CRoute all VPC traffic through customer-managed routers to detect malicious patterns in production.

DAll production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.

Show Answer

Correct Answer: B

https://cloud.google.com/recommender/docs/tutorial-iac

Question No. 5

Your company wants to determine what products they can build to help customers improve their credit scores depending on their age range. To achieve this, you need to join user information in the company's banking app with customers' credit score data received from a third party. While using this raw data will allow you to complete this task, it exposes sensitive data, which could be propagated into new systems.

This risk needs to be addressed using de-identification and tokenization with Cloud Data Loss Prevention while maintaining the referential integrity across the database. Which cryptographic token format should you use to meet these requirements?

ADeterministic encryption

BSecure, key-based hashes

CFormat-preserving encryption

DCryptographic hashing

Show Answer

Correct Answer: A

''This encryption method is reversible, which helps to maintain referential integrity across your database and has no character-set limitations.'' https://cloud.google.com/blog/products/identity-security/take-charge-of-your-data-how-tokenization-makes-data-usable-without-sacrificing-privacy

https://cloud.google.com/dlp/docs/pseudonymization

FPE provides fewer security guarantees compared to other deterministic encryption methods such as AES-SIV. For these reasons, Google strongly recommends using deterministic encryption with AES-SIV instead of FPE for all security sensitive use cases. Other methods like deterministic encryption using AES-SIV provide these stronger security guarantees and are recommended for tokenization use cases unless length and character set preservation are strict requirements---for example, for backward compatibility with a legacy data system.

Unlock All Questions for Google Professional-Cloud-Security-Engineer Exam

Full Exam Access, Actual Exam Questions, Validated Answers, Anytime Anywhere, No Download Limits, No Practice Limits

Get All 233 Questions & Answers