Your organization's Google Cloud VMs are deployed via an instance template that configures them with a public IP address in order to host web services for external users. The VMs reside in a service project that is attached to a host (VPC) project containing one custom Shared VPC for the VMs. You have been asked to reduce the exposure of the VMs to the internet while continuing to service external users. You have already recreated the instance template without a public IP address configuration to launch the managed instance group (MIG). What should you do?
A. Deploy a Cloud NAT Gateway in the service project for the MIG.
B. Deploy a Cloud NAT Gateway in the host (VPC) project for the MIG.
C. Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.
D. Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend.
You want to evaluate GCP for PCI compliance. You need to identify Google's inherent controls.
Which document should you review to find the information?
A. Google Cloud Platform: Customer Responsibility Matrix
B. PCI DSS Requirements and Security Assessment Procedures
C. PCI SSC Cloud Computing Guidelines
D. Product documentation for Compute Engine
You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?
A. Use Packet Mirroring to mirror traffic to and from particular VM instances. Perform inspection using security software that analyzes the mirrored traffic.
B. Enable VPC Flow Logs for all subnets in the VPC. Perform inspection on the Flow Logs data using Cloud Logging.
C. Configure the Fluentd agent on each VM Instance within the VPC. Perform inspection on the log data using Cloud Logging.
D. Configure Google Cloud Armor access logs to perform inspection on the log data.
You have stored company-approved compute images in a single Google Cloud project that is used as an image repository. This project is protected with VPC Service Controls and exists in the perimeter along with other projects in your organization. This lets other projects deploy images from the image repository project. A team needs to deploy a third-party disk image that is stored in an external Google Cloud organization. You need to grant read access to the disk image so that it can be deployed into the perimeter.
What should you do?
A. 1. Update the perimeter. 2. Configure the egressTo field to set identityType to any_identity. 3. Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.
B. Allow the external project by using the organization policy constraint constraints/compute.trustedImageProjects.
C. 1. Update the perimeter. 2. Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com. 3. Configure the egressFrom field to set identityType to any_identity.
D. 1. Update the perimeter. 2. Configure the ingressFrom field to set identityType to any_identity. 3. Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.
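For reference, this is the shape of a VPC Service Controls egress policy as gcloud accepts it. It is an added example, not part of the question set: in the Access Context Manager API the egressFrom block carries the identity condition (identityType), while the egressTo block carries the target resources and the service operations being allowed. The project number 123456789012 and the perimeter name are placeholders assumed here.

```yaml
# egress.yaml (added example; project number and names are placeholders)
# Apply with:
#   gcloud access-context-manager perimeters update my-perimeter \
#       --set-egress-policies=egress.yaml --policy=POLICY_ID
- egressFrom:
    # who inside the perimeter may make the call
    identityType: ANY_IDENTITY
  egressTo:
    # which external project(s) the call may target
    resources:
    - projects/123456789012
    # which API and methods are permitted for that target
    operations:
    - serviceName: compute.googleapis.com
      methodSelectors:
      - method: "*"
```

Scope the methodSelectors down (for example to the image get/use methods) once the exact calls the deployment needs are known; "*" is the permissive starting point, not the end state.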
You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.
What should you do?
A. Set up an ACL with OWNER permission to a scope of allUsers.
B. Set up an ACL with READER permission to a scope of allUsers.
C. Set up a default bucket ACL and manage access for users using IAM.
D. Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.
A company migrated their entire data center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time.
What should you do?
A. Use Resource Manager on the organization level.
B. Use Forseti Security to automate inventory snapshots.
C. Use Stackdriver to create a dashboard across all projects.
D. Use Security Command Center to view all assets across the organization.
You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be readable from Project B. You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials.
What should you do?
A. Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.
B. Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.
C. Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.
D. Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.
In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.)
A. Hardware
B. Network Security
C. Storage Encryption
D. Access Policies
E. Boot
Your organization is transitioning to Google Cloud. You want to ensure that only trusted container images are deployed on Google Kubernetes Engine (GKE) clusters in a project. The containers must be deployed from a centrally managed Container Registry and signed by a trusted authority.
What should you do? (Choose two.)
A. Configure the Binary Authorization policy with respective attestations for the project.
B. Create a custom organization policy constraint to enforce Binary Authorization for Google Kubernetes Engine (GKE).
C. Enable Container Threat Detection in the Security Command Center (SCC) for the project.
D. Configure the trusted image organization policy constraint for the project.
E. Enable Pod Security standards and set them to Restricted.
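For reference, this is what a Binary Authorization policy looks like when it encodes the two requirements in the question: images must carry an attestation from a named attestor (the "signed by a trusted authority" part), and unsigned images are blocked rather than merely logged. It is an added example, not part of the question set; PROJECT_ID, the attestor name and the registry path are placeholders assumed here.

```yaml
# policy.yaml (added example; PROJECT_ID, attestor and registry are placeholders)
# Apply with:
#   gcloud container binauthz policy import policy.yaml --project=PROJECT_ID
name: projects/PROJECT_ID/policy
# Let Google-maintained system images (e.g. GKE add-ons) deploy without attestation.
globalPolicyEvaluationMode: ENABLE
# Images matching these patterns bypass attestation checks; keep this list minimal.
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
defaultAdmissionRule:
  # Every other image must be attested by the listed attestor(s).
  evaluationMode: REQUIRE_ATTESTATION
  # Block the pod and write an audit log entry; use DRYRUN_AUDIT_LOG_ONLY to stage.
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/release-attestor
```

Note that the policy alone only checks for a valid attestation; the attestor's public key and the pipeline step that signs image digests with the matching private key are configured separately, and images are referenced by digest, not tag, so a re-pushed tag cannot reuse an old attestation.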
Your organization previously stored files in Cloud Storage by using Google Managed Encryption Keys (GMEK), but has recently updated the internal policy to require Customer Managed Encryption Keys (CMEK). You need to re-encrypt the files quickly and efficiently with minimal cost.
What should you do?
A. Reupload the files to the same Cloud Storage bucket specifying a key file by using gsutil.
B. Encrypt the files locally, and then use gsutil to upload the files to a new bucket.
C. Copy the files to a new bucket with CMEK enabled in a secondary region.
D. Change the encryption type on the bucket to CMEK, and rewrite the objects.