Professional-Cloud-Security-Engineer Practice Exam Questions and Answers

A.  

Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys. Configure an 1AM deny policy for unauthorized groups

B.  

Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys backed by a Cloud Hardware Security Module (HSM). Enable data access logs.

C.  

Generate a key in your on-premises environment and store it in a Hardware Security Module (HSM) that is managed on-premises Use this key as an external key in the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and set the external key system to reject unauthorized accesses.

D.  

Generate a key in your on-premises environment to encrypt the data before you upload the data to the Cloud Storage bucket Upload the key to the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and have the external key system reject unauthorized accesses.

A.  

Configure an ingress policy for the perimeter in Project A and allow access for the service account in Project B to collect messages.

B.  

Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is located in Project

A.  

C.  

Create a perimeter bridge between Project A and Project B to allow the required communication between both projects.

D.  

Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project

A.  

A.  

Encrypt the files locally, and then use gsutil to upload the files to a new bucket.

B.  

Copy the files to a new bucket with CMEK enabled in a secondary region

C.  

Reupload the files to the same Cloud Storage bucket specifying a key file by using gsutil.

D.  

Change the encryption type on the bucket to CMEK, and rewrite the objects

A.  

Make sure that the ERP system can validate the JWT assertion in the HTTP requests.

B.  

Make sure that the ERP system can validate the identity headers in the HTTP requests.

C.  

Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.

D.  

Make sure that the ERP system can validate the user’s unique identifier headers in the HTTP requests.

A.  

Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.

B.  

Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.

C.  

Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.

D.  

Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.

A.  

Security Command Center

B.  

Firewall Rules Logging

C.  

VPC Flow Logs

D.  

Firewall Insights

A.  

Use Forseti with Firewall filters to catch any unwanted configurations in production.

B.  

Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.

C.  

Route all VPC traffic through customer-managed routers to detect malicious patterns in production.

D.  

All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.

A.  

Use the Cloud Key Management Service to manage a data encryption key (DEK).

B.  

Use the Cloud Key Management Service to manage a key encryption key (KEK).

C.  

Use customer-supplied encryption keys to manage the data encryption key (DEK).

D.  

Use customer-supplied encryption keys to manage the key encryption key (KEK).

A.  

Deploy patches with VM Manager by using OS patch management

B.  

View patch management data in VM Manager by using OS patch management.

C.  

Deploy patches with Security Command Center by using Rapid Vulnerability Detection.

D.  

View patch management data in a Security Command Center dashboard.

E.  

View patch management data in Artifact Registry.

A.  

Enable Access Transparency Logging.

B.  

Deploy resources only to regions permitted by data residency requirements

C.  

Use Data Access logging and Access Transparency logging to confirm that no users are accessing data from another region.

D.  

Deploy Assured Workloads.