Google Professional-Cloud-Security-Engineer Dumps - Google Cloud Certified - Professional Cloud Security Engineer PDF Sample Questions

discount banner
Exam Code:
Professional-Cloud-Security-Engineer
Exam Name:
Google Cloud Certified - Professional Cloud Security Engineer
234 Questions
Last Update Date : 22 July, 2024
PDF + Test Engine
$60 $78
Test Engine Only Demo
$50 $65
PDF Only Demo
$35 $45.5

Google Professional-Cloud-Security-Engineer This Week Result

0

They can't be wrong

0

Score in Real Exam at Testing Centre

0

Questions came word by word from this dumps

Best Google Professional-Cloud-Security-Engineer Dumps - pass your exam In First Attempt

Our Professional-Cloud-Security-Engineer dumps are better than all other cheap Professional-Cloud-Security-Engineer study material.

Only best way to pass your Google Professional-Cloud-Security-Engineer is that if you will get reliable exam study materials. We ensure you that realexamdumps is one of the most authentic website for Google Google Cloud Certified exam question answers. Pass your Professional-Cloud-Security-Engineer Google Cloud Certified - Professional Cloud Security Engineer with full confidence. You can get free Google Cloud Certified - Professional Cloud Security Engineer demo from realexamdumps. We ensure 100% your success in Professional-Cloud-Security-Engineer Exam with the help of Google Dumps. you will feel proud to become a part of realexamdumps family.

Our success rate from past 5 year very impressive. Our customers are able to build their carrier in IT field.

Owl
Search

45000+ Exams

Buy

Desire Exam

Download

Exam

and pass your exam...

Related Exam

Realexamdumps Providing most updated Google Cloud Certified Question Answers. Here are a few exams:


Sample Questions

Realexamdumps Providing most updated Google Cloud Certified Question Answers. Here are a few sample questions:

Google Professional-Cloud-Security-Engineer Sample Question 1

A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet.

How should this be accomplished?


Options:

A. Create a firewall rule to block internet traffic from the VM.
B. Provision a NAT Gateway to access the Cloud Storage API endpoint.
C. Enable Private Google Access on the VPC.
D. Mount a Cloud Storage bucket as a local filesystem on every VM.

Answer: D

Google Professional-Cloud-Security-Engineer Sample Question 2

Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.

What should your team grant to Engineering Group A to meet this requirement?


Options:

A. Compute Network User Role at the host project level.
B. Compute Network User Role at the subnet level.
C. Compute Shared VPC Admin Role at the host project level.
D. Compute Shared VPC Admin Role at the service project level.

Answer: B Explanation: Explanation: https://cloud.google.com/vpc/docs/sh ared-vpc#svc_proj_admint

Google Professional-Cloud-Security-Engineer Sample Question 3

Last week, a company deployed a new App Engine application that writes logs to BigQuery. No other workloads are running in the project. You need to validate that all data written to BigQuery was done using the App Engine Default Service Account.

What should you do?


Options:

A. 1. Use StackDriver Logging and filter on BigQuery Insert Jobs.2.Click on the email address in line with the App Engine Default Service Account in the authentication field.3.Click Hide Matching Entries.4.Make sure the resulting list is empty.
B. 1. Use StackDriver Logging and filter on BigQuery Insert Jobs.2.Click on the email address in line with the App Engine Default Service Account in the authentication field.3.Click Show Matching Entries.4.Make sure the resulting list is empty.
C. 1. In BigQuery, select the related dataset.2. Make sure the App Engine Default Service Account is the only account that can write to the dataset.
D. 1. Go to the IAM section on the project.2. Validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery.

Answer: D

Google Professional-Cloud-Security-Engineer Sample Question 4

In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.

Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)


Options:

A. App Engine
B. Cloud Functions
C. Compute Engine
D. Google Kubernetes Engine
E. Cloud Storage

Answer: C, D Explanation: Explanation: App Engine ingress firewall rules are available, but egress rules are not currently available. Per requirements 1.2.1 and 1.3.4, you must ensure that all outbound traffic is authorized. SAQ A-EP and SAQ D–type merchants must provide compensating controls or use a different Google Cloud product. Compute Engine and GKE are the preferred alternatives. https://cloud.google.com/solutions/pci-dss-compliance-in-gcq

Google Professional-Cloud-Security-Engineer Sample Question 5

You want to prevent users from accidentally deleting a Shared VPC host project. Which organization-level policy constraint should you enable?


Options:

A. compute.restrictSharedVpcHostProjects
B. compute.restrictXpnProjectLienRemoval
C. compute.restrictSharedVpcSubnetworks
D. compute.sharedReservationsOwnerProjects

Answer: B Explanation: Reference: [Reference: https://cloud.google.com/vpc/docs/provisioning-shared-vpc, , ]

Google Professional-Cloud-Security-Engineer Sample Question 6

Which type of load balancer should you use to maintain client IP by default while using the standard network tier?


Options:

A. SSL Proxy
B. TCP Proxy
C. Internal TCP/UDP
D. TCP/UDP Network

Answer: C Explanation: Reference: [Reference: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_forwarding_rule, , ]

Google Professional-Cloud-Security-Engineer Sample Question 7

A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with

all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior.

What should you do to meet these requirements?


Options:

A. Create a Folder per department under the Organization. For each department’s Folder, assign the Project Viewer role to the Google Group related to that department.
B. Create a Folder per department under the Organization. For each department’s Folder, assign the Project Browser role to the Google Group related to that department.
C. Create a Project per department under the Organization. For each department’s Project, assign the Project Viewer role to the Google Group related to that department.
D. Create a Project per department under the Organization. For each department’s Project, assign the Project Browser role to the Google Group related to that department.

Answer: B

Google Professional-Cloud-Security-Engineer Sample Question 8

Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application. The solution has the following requirements:

Scans must run at least once per week

Must be able to detect cross-site scripting vulnerabilities

Must be able to authenticate using Google accounts

Which solution should you use?


Options:

A. Google Cloud Armor
B. Web Security Scanner
C. Security Health Analytics
D. Container Threat Detection

Answer: B Explanation: Reference: [Reference: https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview, , ]

Google Professional-Cloud-Security-Engineer Sample Question 9

You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk.

What should you do?


Options:

A. Migrate the application into an isolated project using a “Lift & Shift” approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for theapplication to work properly.
B. Migrate the application into an isolated project using a “Lift & Shift” approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.
C. Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
D. Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project.Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

Answer: B

Google Professional-Cloud-Security-Engineer Sample Question 10

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.

Which two settings must remain disabled to meet these requirements? (Choose two.)


Options:

A. Public IP
B. IP Forwarding
C. Private Google Access
D. Static routes
E. IAM Network User Role

Answer: A, C Explanation: Reference: [Reference: https://cloud.google.com/vpc/docs/configure-private-google-access, ]

Google Professional-Cloud-Security-Engineer Sample Question 11

A customer wants to deploy a large number of 3-tier web applications on Compute Engine.

How should the customer ensure authenticated network separation between the different tiers of the application?


Options:

A. Run each tier in its own Project, and segregate using Project labels.
B. Run each tier with a different Service Account (SA), and use SA-based firewall rules.
C. Run each tier in its own subnet, and use subnet-based firewall rules.
D. Run each tier with its own VM tags, and use tag-based firewall rules.

Answer: D

Google Professional-Cloud-Security-Engineer Sample Question 12

You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account.

What should you do?


Options:

A. Query Data Access logs.
B. Query Admin Activity logs.
C. Query Access Transparency logs.
D. Query Stackdriver Monitoring Workspace.

Answer: B Explanation: Reference: [Reference: https://cloud.google.com/iam/docs/audit-logging/examples-service-accounts, ]

Google Professional-Cloud-Security-Engineer Sample Question 13

A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.

Which solution should this customer use?


Options:

A. VPC Flow Logs
B. Cloud Armor
C. DNS Security Extensions
D. Cloud Identity-Aware Proxy

Answer: C Explanation: Reference: [Reference: https://cloud.google.com/blog/products/gcp/dnssec-now-available-in-cloud-dns, ]

Google Professional-Cloud-Security-Engineer Sample Question 14

A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.

What should you do?


Options:

A. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.
B. Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create ajob trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.
C. On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.
D. On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.

Answer: D


and so much more...