Professional-Cloud-Security-Engineer Practice Exam Questions and Answers

A.  

Configure an ingress policy for the perimeter in Project A and allow access for the service account in Project B to collect messages.

B.  

Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is located in Project

A.  

C.  

Create a perimeter bridge between Project A and Project B to allow the required communication between both projects.

D.  

Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project

A.  

A.  

Cloud Armor

B.  

Network Load Balancing

C.  

SSL Proxy Load Balancing

D.  

NAT Gateway

A.  

Security Reviewer

B.  

lAP-Secured Tunnel User

C.  

lAP-Secured Web App User

D.  

Service Broker Operator

A.  

Customer-supplied encryption keys (CSEK)

B.  

Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)

C.  

Encryption by default

D.  

Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis

A.  

Use Security Health Analytics to determine user activity.

B.  

Use the Cloud Monitoring console to filter audit logs by user.

C.  

Use the Cloud Data Loss Prevention API to query logs in Cloud Storage.

D.  

Use the Logs Explorer to search for user activity.

A.  

Perform data masking with the DLP API and store that data in BigQuery for later use.

B.  

Perform data redaction with the DLP API and store that data in BigQuery for later use.

C.  

Perform data inspection with the DLP API and store that data in BigQuery for later use.

D.  

Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.

A.  

Create an HA VPN connection to Google Cloud Replace the default 0 0 0 0/0 route.

B.  

Create a routing VM in Compute Engine Configure the default route with the VM as the next hop.

C.  

Configure Cloud Interconnect with HA VPN Replace the default 0 0 0 0/0 route to an on-premises destination.

D.  

Configure Cloud Interconnect and route traffic through an on-premises firewall.

A.  

Generalization

B.  

Redaction

C.  

CryptoHashConfig

D.  

CryptoReplaceFfxFpeConfig

A.  

All load balancer types are denied in accordance with the global node’s policy.

B.  

INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder’s policy.

C.  

EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project’s policy.

D.  

EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project’s policies.

A.  

Google Cloud Armor

B.  

Web Security Scanner

C.  

Security Health Analytics

D.  

Container Threat Detection

A.  

Upload the logs to both the shared bucket and the bucket with Pll that is only accessible to the administrator. Use the Cloud Data Loss Prevention API to create a job trigger. Configure the trigger to delete any files that contain Pll from the shared bucket.

B.  

On the shared bucket, configure Object Lifecycle Management to delete objects that contain Pll.

C.  

On the shared bucket, configure a Cloud Storage trigger that is only triggered when Pll is uploaded. Use Cloud Functions to capture the trigger and delete the files that contain Pll.

D.  

Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect Pll, have the function move the objects into the shared Cloud Storage bucket.

A.  

Enable Binary Authorization on the existing Kubernetes cluster.

B.  

Set the organization policy constraint constraints/run. allowedBinaryAuthorizationPolicie to

the list of allowed Binary Authorization policy names.

C.  

Set the organization policy constraint constraints/compute.trustedimageProjects to the list of

protects that contain the trusted container images.

D.  

Enable Binary Authorization on the existing Cloud Run service.

E.  

Use Cloud Run breakglass to deploy an image that meets the Binary Authorization policy by default.

A.  

Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.

B.  

Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.

C.  

Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.

D.  

Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.

A.  

Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.

B.  

Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.

C.  

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.

D.  

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

A.  

Create a project with multiple VPC networks for each environment.

B.  

Create a folder for each development and production environment.

C.  

Create a Google Group for the Engineering team, and assign permissions at the folder level.

D.  

Create an Organizational Policy constraint for each folder environment.

E.  

Create projects for each environment, and grant IAM rights to each engineering user.