Prepare Important Exam with Professional-Cloud-Security-Engineer Exam Dumps (2023) [Q13-Q30]


Pass Exam Questions Efficiently With Professional-Cloud-Security-Engineer Questions


The Google Professional-Cloud-Security-Engineer exam covers a wide range of topics related to cloud security, including network security, data protection, identity and access management, compliance and regulation, and incident response. The primary goal of the exam is to ensure that certified professionals possess a deep understanding of the security challenges and opportunities that come with cloud computing.


The Google Professional-Cloud-Security-Engineer exam consists of 50 multiple-choice and multiple-select questions, which must be completed in two hours. The questions are designed to test the candidate's knowledge and understanding of various aspects of cloud security, such as identity and access management, network security, data protection, and compliance. The Professional-Cloud-Security-Engineer exam is available in multiple languages, including English, Japanese, and Korean.

 

NEW QUESTION # 13
Applications often require access to "secrets" - small pieces of sensitive data needed at build or run time. The administrator managing these secrets on GCP wants to keep track of "who did what, where, and when?" within their GCP projects.
Which two log streams would provide the information that the administrator is looking for? (Choose two.)

  • A. VPC Flow logs
  • B. Data Access logs
  • C. Admin Activity logs
  • D. Agent logs
  • E. System Event logs

Answer: B,C

Explanation:
Reference:
https://cloud.google.com/kms/docs/secret-management


NEW QUESTION # 14
An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.
Which Cloud Identity password guidelines can the organization use to inform their new requirements?

  • A. Set the minimum length for passwords to be 10 characters.
  • B. Set the minimum length for passwords to be 12 characters.
  • C. Set the minimum length for passwords to be 8 characters.
  • D. Set the minimum length for passwords to be 6 characters.

Answer: B


NEW QUESTION # 15
You have an application where the frontend is deployed on a managed instance group in subnet A and the data layer is stored on a MySQL Compute Engine virtual machine (VM) in subnet B on the same VPC. Subnet A and subnet B hold several other Compute Engine VMs. You only want to allow the application frontend to access the data in the application's MySQL instance on port 3306.
What should you do?

  • A. Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the MySQL Compute Engine VM on port 3306.
  • B. Configure an ingress firewall rule that allows communication from the source IP range of subnet A to the tag "data-tag" that is applied to the MySQL Compute Engine VM on port 3306.
  • C. Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged fe-tag.
  • D. Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.

Answer: A


NEW QUESTION # 16
An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well-established directory service is used to manage user identities and lifecycle management. The organization must continue to use this directory service as the "source of truth" directory for identities.
Which solution meets the organization's requirements?

  • A. Security Assertion Markup Language (SAML)
  • B. Cloud Identity
  • C. Google Cloud Directory Sync (GCDS)
  • D. Pub/Sub

Answer: B

Explanation:
Reference: https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction


NEW QUESTION # 17
Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.
What should your team grant to Engineering Group A to meet this requirement?

  • A. Compute Network User Role at the host project level.
  • B. Compute Shared VPC Admin Role at the host project level.
  • C. Compute Network User Role at the subnet level.
  • D. Compute Shared VPC Admin Role at the service project level.

Answer: C

Explanation:
https://cloud.google.com/vpc/docs/shared-vpc#svc_proj_admins


NEW QUESTION # 18
You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google-recommended practices.
What should you do?

  • A. Create a new Service account, and give all application users the role of Service Account User.
  • B. Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.
  • C. Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.
  • D. Use a dedicated G Suite Admin account, and authenticate the application's operations with these G Suite credentials.

Answer: C

Explanation:
https://developers.google.com/admin-sdk/directory/v1/guides/delegation


NEW QUESTION # 19
A large e-retailer is moving to Google Cloud Platform with its ecommerce website. The company wants to ensure payment information is encrypted between the customer's browser and GCP when the customers checkout online.
What should they do?

  • A. Configure an SSL Certificate on an L7 Load Balancer and require encryption.
  • B. Configure an SSL Certificate on a Network TCP Load Balancer and require encryption.
  • C. Configure the firewall to allow outbound traffic on port 443, and block all other outbound traffic.
  • D. Configure the firewall to allow inbound traffic on port 443, and block all other inbound traffic.

Answer: A

Explanation:
https://cloud.google.com/load-balancing/docs/load-balancing-overview#external_versus_internal_load_balancing


NEW QUESTION # 20
Your team wants to limit users with administrative privileges at the organization level. Which two roles should your team restrict? (Choose two.)

  • A. GKE Cluster Admin
  • B. Organization Administrator
  • C. Compute Admin
  • D. Super Admin
  • E. Organization Role Viewer

Answer: B,D

Explanation:
Reference: https://cloud.google.com/resource-manager/docs/creating-managing-organization


NEW QUESTION # 21
Your company's cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs. Which service should you use?

  • A. TCP/UDP Load Balancing
  • B. Cloud NAT
  • C. Identity-Aware Proxy
  • D. Cloud DNS

Answer: B

Explanation:
https://cloud.google.com/nat/docs/overview "Cloud NAT (network address translation) lets certain resources without external IP addresses create outbound connections to the internet."


NEW QUESTION # 22
An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request.
Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses. Which solution should your team implement to meet these requirements?

  • A. SSL Proxy Load Balancing
  • B. NAT Gateway
  • C. Cloud Armor
  • D. Network Load Balancing

Answer: C


NEW QUESTION # 23
Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?

  • A. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
  • B. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project. 2. Process Cloud Storage objects in SIEM.
  • C. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project. 2. Process Cloud Storage objects in SIEM.
  • D. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project. 2. Subscribe SIEM to the topic.

Answer: C


NEW QUESTION # 24
Your team needs to prevent users from creating projects in the organization. Only the DevOps team should be allowed to create projects on behalf of the requester.
Which two tasks should your team perform to handle this request? (Choose two.)

  • A. Remove all users from the Project Creator role at the organizational level.
  • B. Add a designated group of users to the Project Creator role at the organizational level.
  • C. Grant the Project Editor role at the organizational level to a designated group of users.
  • D. Grant the billing account creator role to the designated DevOps team.
  • E. Create an Organization Policy constraint, and apply it at the organizational level.

Answer: A,B

Explanation:
https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints


NEW QUESTION # 25
You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.
What should you do?

  • A. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.
  • B. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
  • C. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
  • D. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.

Answer: D

Explanation:
https://cloud.google.com/kms/docs/envelope-encryption


NEW QUESTION # 26
You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to-know basis to the HR team. What should you do?

  • A. Perform data masking with the DLP API and store that data in BigQuery for later use.
  • B. Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.
  • C. Perform data inspection with the DLP API and store that data in BigQuery for later use.
  • D. Perform data redaction with the DLP API and store that data in BigQuery for later use.

Answer: B

Explanation:
Pseudonymization is a de-identification technique that replaces sensitive data values with cryptographically generated tokens. Pseudonymization is widely used in industries like finance and healthcare to help reduce the risk of data in use, narrow compliance scope, and minimize the exposure of sensitive data to systems while preserving data utility and accuracy.
https://cloud.google.com/dlp/docs/pseudonymization


NEW QUESTION # 27
You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project.
What should you do?

  • A. Use the Organization Policy Service to create a compute.trustedImageProjects constraint at the organization level. List the trusted project as the whitelist in an allow operation.
  • B. In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.
  • C. In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.
  • D. Use the Organization Policy Service to create a compute.trustedImageProjects constraint at the organization level. List the trusted projects as the exceptions in a deny operation.

Answer: A

Explanation:
https://cloud.google.com/compute/docs/images/restricting-image-access#trusted_images


NEW QUESTION # 28
A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means.
Which connectivity option should be implemented?

  • A. VPC peering
  • B. Cloud Interconnect
  • C. Cloud VPN
  • D. Shared VPC

Answer: A

Explanation:
Peering two VPCs does permit traffic to flow between the two shared networks, but it's only bi-directional.
Peered VPC networks remain administratively separate.


NEW QUESTION # 29
You are the security admin of your company. Your development team creates multiple GCP projects under the "implementation" folder for several dev, staging, and production workloads. You want to prevent data exfiltration by malicious insiders or compromised code by setting up a security perimeter. However, you do not want to restrict communication between the projects.
What should you do?

  • A. Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.
  • B. Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.
  • C. Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.
  • D. Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.

Answer: A

Explanation:
https://cloud.google.com/vpc-service-controls/docs/overview#benefits
https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/tree/master/examples/autom




The Google Professional Cloud Security Engineer exam is targeted towards IT professionals who are responsible for designing and implementing secure infrastructures on the Google Cloud Platform. Through mastery of industry-specific security requirements, accredited individuals will demonstrate their competency in designing, developing, and managing secure infrastructure using Google security technologies.

 

Professional-Cloud-Security-Engineer Questions - Truly Beneficial For Your Google Exam: https://www.actualpdf.com/Professional-Cloud-Security-Engineer_exam-dumps.html

Download Google Professional-Cloud-Security-Engineer Sample Questions: https://drive.google.com/open?id=1mjn3qws18Qa3nP1_wL3_U7YvEJyLRJBA