Professional-Cloud-Security-Engineer Practice Questions

A.  

Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.

B.  

Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.

C.  

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.

D.  

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

A.  

Implement an automated process that scans all identities in your organization and disables any unmanaged accounts.

B.  

Create a Google Cloud identity for all users in your organization. Ensure that new users are added automatically.

C.  

Register a new domain for your Google Cloud resources. Move all existing identities and resources to this domain.

D.  

Switch your corporate email system to another domain to avoid using the same domain for Google Cloud identities and corporate emails.

A.  

Within the model project, create an external Application Load Balancer that points to the model endpoint. Create a Cloud Armor policy to restrict IP addresses to Google Cloud.

B.  

Within the model project, create an internal Application Load Balancer that points to the model endpoint. Expose this load balancer with Private Service Connect to a configured list of projects.

B.  

Activate Private Google Access in both the model project and in each project that needs to connect to the model. Create a firewall policy to allow connectivity to Private Google Access addresses.

C.  

Create a central project to host Shared VPC networks that are provided to all other projects. Centrally administer all firewall rules in this project to grant access to the model.

A.  

Configure Secure Web Proxy. Offload the TLS traffic in the load balancer, inspect the traffic, and forward the traffic to the web application.​

B.  

Configure an internal proxy load balancer. Offload the TLS traffic in the load balancer, inspect the traffic, and forward the traffic to the web application.​

C.  

Configure a hierarchical firewall policy. Enable TLS interception by using Cloud Next Generation Firewall (NGFW) Enterprise.​

D.  

Configure a VPC firewall rule. Enable TLS interception by using Cloud Next Generation Firewall (NGFW) Enterprise.​

A.  

Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the Key level.

B.  

Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the KeyRing level.

C.  

Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the Key level.

D.  

Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the KeyRing level.

A.  

Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.

B.  

Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.

C.  

Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.

D.  

Use FindingLimits and TimespanContfig to sample data and minimize transformation units.

A.  

Temporarily disable authentication on the Cloud Storage bucket.

B.  

Use the undelete command to recover the deleted service account.

C.  

Create a new service account with the same name as the deleted service account.

D.  

Update the permissions of another existing service account and supply those credentials to the applications.

A.  

1. Create a general service account **g-sa" to execute the batch jobs.• 2 Grant the permissions required to execute the batch jobs to g-sa.• 3. Execute the batch jobs with the permissions granted to g-sa

B.  

1. Create a general service account "g-sa" to orchestrate the batch jobs.• 2. Create one service account per batch job Mb-sa-[1-5]," and grant only the permissions required to run the individual batch jobs to the service accounts.• 3. Grant the Service Account Token Creator role to g-sa Use g-sa to obtain short-lived access tokens for b-sa-[1-5] and to execute the batch jobs with the permissions of b-sa-[1-5].

C.  

1. Create a workload identity pool and configure workload identity pool providers for each batch job• 2 Assign the workload identity user role to each of the identities configured in the providers.• 3. Create one service account per batch job Mb-sa-[1-5]". and grant only the permissions required to run the individual batch jobs to the service accounts• 4 Generate credential configuration files for each of the providers Use these files to ex

D.  

• 1. Create a general service account "g-sa" to orchestrate the batch jobs.• 2 Create one service account per batch job 'b-sa-[1-5)\ Grant only the permissions required to run the individual batch jobs to the service accounts and generate service account keys for each of these service accounts• 3. Store the service account keys in Secret Manager. Grant g-sa access to Secret Manager and run the batch jobs with the permissions of b-sa-[1-5].<

A.  

Cloud Bigtable

B.  

Cloud BigQuery

C.  

Compute Engine SSD Disk

D.  

Compute Engine Persistent Disk

A.  

Configure an ingress policy for the perimeter in Project A and allow access for the service account in Project B to collect messages.

B.  

Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is located in Project

A.  

C.  

Create a perimeter bridge between Project A and Project B to allow the required communication between both projects.

D.  

Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project

A.