Professional-Cloud-Security-Engineer Practice Questions

A.  

All VM instances are missing the respective network tags.

B.  

All VM instances are residing in the same network subnet.

C.  

All VM instances are configured with the same network route.

D.  

A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999.

E.  

A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 1001.

A.  

Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.

B.  

Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.

C.  

Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections.

D.  

Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.

A.  

A rule that allows all outbound connections

B.  

A rule that denies all inbound connections

C.  

A rule that blocks all inbound port 25 connections

D.  

A rule that blocks all outbound connections

E.  

A rule that allows all inbound port 80 connections

A.  

Select multiple standard Google Cloud regions for high availability. Implement Access Control Lists (ACLs) on individual storage objects containing patient data. Enable Cloud Audit Logs.​

B.  

Deploy an Assured Workloads environment in multiple regions for redundancy. Utilize custom IAM roles with granular permissions. Isolate network-level data by using VPC Service Controls.​

C.  

Deploy an Assured Workloads environment in an approved region. Configure Access Approval for sensitive operations on patient data. Enable both Cloud Audit Logs and Access Transparency.​

D.  

Select a standard Google Cloud region. Restrict access to patient data based on user location and job function by using Access Context Manager. Enable both Cloud Audit Logging and Access Transparency.​

A.  

Deploy a Cloud NAT Gateway in the service project for the MI

G.  

B.  

Deploy a Cloud NAT Gateway in the host (VPC) project for the MI

G.  

C.  

Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.

D.  

Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend.

A.  

Enforce Binary Authorization in your GKE clusters. Integrate container image vulnerability scanning into the CI/CD pipeline and require vulnerability scan results to be used for Binary Authorization policy decisions.​

B.  

Develop custom organization policies that restrict GKE cluster deployments to container images hosted within a specific Artifact Registry project where your approved images reside.​

C.  

Build a system using third-party vulnerability databases and custom scripts to identify potential Common Vulnerabilities and Exposures (CVEs) in your container images. Prevent image deployment if the CVE impact score is beyond a specified threshold.​

D.  

Automatically deploy new container images upon successful CI/CD builds by using Cloud Build triggers. Set up firewall rules to limit and control access to instances to mitigate malware injection.​

A.  

compute.restrictSharedVpcHostProjects

B.  

compute.restrictXpnProjectLienRemoval

C.  

compute.restrictSharedVpcSubnetworks

D.  

compute.sharedReservationsOwnerProjects

A.  

Query Data Access logs.

B.  

Query Admin Activity logs.

C.  

Query Access Transparency logs.

D.  

Query Stackdriver Monitoring Workspace.

A.  

• 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring• 2 Create a Cloud Run function to check for the VM settings generate metrics and run the function regularly

B.  

• 1 Activate Virtual Machine Threat Detection in Security Command Center (SCO Premium• 2 Monitor the findings in SCC

C.  

* 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring• 2 Activate Confidential Computing• 3 Enforce these actions by using organization policies

D.  

• 1 Use secure hardened images from the Google Cloud Marketplace• 2 When deploying the images activate the Confidential Computing option• 3 Enforce the use of the correct images and Confidential Computing by using organization policies

A.  

Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

B.  

Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

C.  

Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.

D.  

Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.