
[Dec-2023] 100% Actual Professional-Cloud-Security-Engineer dumps Q&As with Explanations Verified & Correct Answers
Study guide of Google Professional Cloud Security Engineer Exam
How can you read the study guide for Google Professional Cloud Security Engineer Exam
What is the worth of Google Professional Cloud Security Engineer Exam
Cloud-based solutions have been in high demand in recent years, and that is not expected to change. With large and reputable companies, academic institutions, and even cities severely affected by attacks and poor security practices, companies must understand exactly how effectively a Google Cloud (GC) infrastructure is protected.
In this overview, you will learn about the GC Professional Cloud Security Engineer certification and the exam you need to pass to obtain it.
Ensuring Data Protection
To answer the questions related to this module, learners need the skills to manage encryption at rest. This comprises understanding the use cases for default encryption, customer-supplied encryption keys (CSEK), and customer-managed encryption keys (CMEK). Candidates should also be capable of creating and managing encryption keys for CSEK and CMEK, as well as managing application secrets. They should understand enclave computing, envelope encryption, and object lifecycle policies for Cloud Storage. Moreover, this area requires competency in preventing data loss using the DLP API: the ability to configure tokenization, restrict access to DLP datasets, detect and redact PII, and configure format-preserving substitution.
NEW QUESTION # 33
You need to audit the network segmentation for your Google Cloud footprint. You currently operate Production and Non-Production infrastructure-as-a-service (IaaS) environments. All your VM instances are deployed without any service account customization.
After observing the traffic in your custom network, you notice that all instances can communicate freely, despite tag-based VPC firewall rules with a priority of 1000 being in place to segment traffic properly. What are the most likely reasons for this behavior?
- A. All VM instances are residing in the same network subnet.
- B. A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 1001.
- C. All VM instances are configured with the same network route.
- D. A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999.
- E. All VM instances are missing the respective network tags.
Answer: D,E
NEW QUESTION # 34
Your company has deployed an application on Compute Engine. The application is accessible by clients on port 587. You need to balance the load between the different instances running the application. The connection should be secured using TLS, and terminated by the Load Balancer.
What type of Load Balancing should you use?
- A. TCP Proxy Load Balancing
- B. Network Load Balancing
- C. HTTP(S) Load Balancing
- D. SSL Proxy Load Balancing
Answer: D
NEW QUESTION # 35
You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account.
What should you do?
- A. Query Admin Activity logs.
- B. Query Stackdriver Monitoring Workspace.
- C. Query Access Transparency logs.
- D. Query Data Access logs.
Answer: A
Explanation:
Admin activity logs are always created to log entries for API calls or other actions that modify the configuration or metadata of resources. For example, these logs record when users create VM instances or change Identity and Access Management permissions.
NEW QUESTION # 36
When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)
- A. Ensure that the app does not run as PID 1.
- B. Use many container image layers to hide sensitive information.
- C. Use public container images as a base image for the app.
- D. Remove any unnecessary tools not needed by the app.
- E. Package a single app as a container.
Answer: D,E
NEW QUESTION # 37
You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine. Which option should you recommend?
- A. Compute Engine guest attributes
- B. Cloud Key Management Service
- C. Compute Engine custom metadata
- D. Secret Manager
Answer: D
Explanation:
Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud. https://cloud.google.com/secret-manager
NEW QUESTION # 38
You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.
How should you prevent and fix this vulnerability?
- A. Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.
- B. Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.
- C. Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.
- D. Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
Answer: C
Explanation:
There is mention about simulating in Web Security Scanner. "Web Security Scanner cross-site scripting (XSS) injection testing *simulates* an injection attack by inserting a benign test string into user-editable fields and then performing various user actions."
https://cloud.google.com/security-command-center/docs/how-to-remediate-web-security-scanner-findings#xss
NEW QUESTION # 39
You work for an organization in a regulated industry that has strict data protection requirements. The organization backs up their data in the cloud. To comply with data privacy regulations, this data can only be stored for a specific length of time and must be deleted after this specific period.
You want to automate the compliance with this regulation while minimizing storage costs. What should you do?
- A. Store the data in a BigQuery table, and set the table's expiration time.
- B. Store the data in a Cloud Bigtable table, and set an expiration time on the column families.
- C. Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.
- D. Store the data in a persistent disk, and delete the disk at expiration time.
Answer: C
Explanation:
To minimize costs, Cloud Storage (GCS) is the usual choice, with BigQuery a close second. Since the question does not specify the kind of data (raw files vs. tabular data), it is safe to assume Cloud Storage with Object Lifecycle Management enabled is the preferred option.
NEW QUESTION # 40
Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.
What should you do?
- A. Use the Cloud Key Management Service to manage a key encryption key (KEK).
- B. Use customer-supplied encryption keys to manage the key encryption key (KEK).
- C. Use customer-supplied encryption keys to manage the data encryption key (DEK).
- D. Use the Cloud Key Management Service to manage a data encryption key (DEK).
Answer: C
Explanation:
This is customer-supplied encryption keys (CSEK): you generate your own encryption key and manage it on-premises. A KEK never leaves Cloud KMS, and there is no KEK or KMS on-premises. See "Encryption at rest by default, with various key management options": https://cloud.google.com/security/encryption-at-rest
NEW QUESTION # 41
You need to implement an encryption at-rest strategy that reduces key management complexity for non-sensitive data and protects sensitive data while providing the flexibility of controlling the key residency and rotation schedule. FIPS 140-2 L1 compliance is required for all data types. What should you do?
- A. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
- B. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
- C. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.
- D. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service
Answer: D
NEW QUESTION # 42
You have been tasked with configuring Security Command Center for your organization's Google Cloud environment. Your security team needs to receive alerts of potential crypto mining in the organization's compute environment and alerts for common Google Cloud misconfigurations that impact security. Which Security Command Center features should you use to configure these alerts? (Choose two.)
- A. Security Health Analytics
- B. Google Cloud Armor
- C. Cloud Data Loss Prevention
- D. Event Threat Detection
- E. Container Threat Detection
Answer: B,D
NEW QUESTION # 43
How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?
- A. Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system.
- B. Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow.
- C. Build a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs.
- D. Send all logs to the SIEM system via an existing protocol such as syslog.
Answer: B
Explanation:
Scenarios for exporting Cloud Logging data: Splunk. This scenario shows how to export selected logs from Cloud Logging to Pub/Sub for ingestion into Splunk. Splunk is a security information and event management (SIEM) solution that supports several ways of ingesting data, such as receiving streaming data out of Google Cloud through Splunk HTTP Event Collector (HEC) or fetching data from Google Cloud APIs through the Splunk Add-on for Google Cloud. Using the Pub/Sub to Splunk Dataflow template, you can natively forward logs and events from a Pub/Sub topic into Splunk HEC. If Splunk HEC is not available in your Splunk deployment, you can use the Add-on to collect the logs and events from the Pub/Sub topic. https://cloud.google.com/solutions/exporting-stackdriver-logging-for-splunk
NEW QUESTION # 44
Your company's chief information security officer (CISO) is requiring business data to be stored in specific locations due to regulatory requirements that affect the company's global expansion plans. After working on a plan to implement this requirement, you determine the following:
* The services in scope are included in the Google Cloud data residency requirements.
* The business data remains within specific locations under the same organization.
* The folder structure can contain multiple data residency locations.
* The projects are aligned to specific locations.
You plan to use the Resource Location Restriction organization policy constraint with very granular control.
At which level in the hierarchy should you set the constraint?
- A. Project
- B. Folder
- C. Resource
- D. Organization
Answer: A
NEW QUESTION # 45
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements:
* Only allows communication between the Web and App tiers.
* Enforces consistent network security when autoscaling the Web and App tiers.
* Prevents Compute Engine Instance Admins from altering network traffic.
What should you do?
- A. 1. Configure all running Web and App servers with respective network tags. 2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.
- B. 1. Re-deploy the Web and App servers with instance templates configured with respective network tags. 2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.
- C. 1. Re-deploy the Web and App servers with instance templates configured with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.
- D. 1. Configure all running Web and App servers with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.
Answer: C
Explanation:
https://cloud.google.com/vpc/docs/firewalls#service-accounts-vs-tags
A service account represents an identity associated with an instance. Only one service account can be associated with an instance. You control access to the service account by controlling the grant of the Service Account User role for other IAM principals. For an IAM principal to start an instance by using a service account, that principal must have the Service Account User role to at least use that service account and appropriate permissions to create instances (for example, having the Compute Engine Instance Admin role to the project).
NEW QUESTION # 46
Your organization processes sensitive health information. You want to ensure that data is encrypted while in use by the virtual machines (VMs). You must create a policy that is enforced across the entire organization.
What should you do?
- A. Implement an organization policy that ensures that all VM resources created across your organization use Cloud External Key Manager (EKM) protection.
- B. No action is necessary because Google encrypts data while it is in use by default.
- C. Implement an organization policy that ensures that all VM resources created across your organization use customer-managed encryption keys (CMEK) protection.
- D. Implement an organization policy that ensures all VM resources created across your organization are Confidential VM instances.
Answer: C
NEW QUESTION # 47
You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.
What should you do?
- A. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.
- B. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
- C. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
- D. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
Answer: C
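Envelope encryption as option C describes it, as an added example that is not part of the original page or of Google's client libraries: the DEK is generated locally, the data is encrypted with it, the DEK is wrapped by the KEK, and only the ciphertext and the wrapped DEK are kept. The kmsWrap/kmsUnwrap callbacks are assumed stand-ins for Cloud KMS Encrypt/Decrypt calls on the KEK; in production they would call the Cloud KMS API and the KEK would never leave KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// seal encrypts plaintext with AES-256-GCM and prepends a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // only fails for non-standard block sizes
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// open reverses seal; a wrong key or tampered data fails the GCM tag check.
func open(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}
// Encrypt generates the DEK locally, encrypts the data with it, has KMS wrap the DEK, discards the
// plaintext DEK and returns only the wrapped DEK and ciphertext. kmsWrap is an assumed stand-in for Cloud KMS Encrypt.
func Encrypt(kmsWrap func([]byte) ([]byte, error), plaintext []byte) (wrappedDEK, ciphertext []byte, err error) {
	dek := make([]byte, 32)
	if _, err = rand.Read(dek); err != nil {
		return nil, nil, err
	}
	if ciphertext, err = seal(dek, plaintext); err != nil {
		return nil, nil, err
	}
	if wrappedDEK, err = kmsWrap(dek); err != nil {
		return nil, nil, err
	}
	for i := range dek {
		dek[i] = 0 // zero the local copy; the plaintext DEK is never persisted
	}
	return wrappedDEK, ciphertext, nil
}
// Decrypt has KMS unwrap the DEK (kmsUnwrap stands in for Cloud KMS Decrypt), then decrypts locally.
func Decrypt(kmsUnwrap func([]byte) ([]byte, error), wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := kmsUnwrap(wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
```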
NEW QUESTION # 48
You need to centralize your team's logs for production projects. You want your team to be able to search and analyze the logs using Logs Explorer. What should you do?
- A. Create an aggregate org sink at the parent folder of the production projects, and set the destination to a logs bucket.
- B. Enable Cloud Monitoring workspace, and add the production projects to be monitored.
- C. Use Logs Explorer at the organization level and filter for production project logs.
- D. Create an aggregate org sink at the parent folder of the production projects, and set the destination to a Cloud Storage bucket.
Answer: A
Explanation:
https://cloud.google.com/logging/docs/export/aggregated_sinks#supported-destinations
You can use aggregated sinks to route logs within or between the same organizations and folders to the following destinations: another Cloud Logging bucket (log entries held in Cloud Logging log buckets).
NEW QUESTION # 49
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior.
What should you do to meet these requirements?
- A. Create a Folder per department under the Organization. For each department's Folder, assign the Project Browser role to the Google Group related to that department.
- B. Create a Folder per department under the Organization. For each department's Folder, assign the Project Viewer role to the Google Group related to that department.
- C. Create a Project per department under the Organization. For each department's Project, assign the Project Viewer role to the Google Group related to that department.
- D. Create a Project per department under the Organization. For each department's Project, assign the Project Browser role to the Google Group related to that department.
Answer: B
Explanation:
https://cloud.google.com/iam/docs/understanding-roles#project-roles
NEW QUESTION # 50
You have noticed an increased number of phishing attacks across your enterprise user accounts. You want to implement the Google 2-Step Verification (2SV) option that uses a cryptographic signature to authenticate a user and verify the URL of the login page. Which Google 2SV option should you use?
- A. Google prompt
- B. Cloud HSM keys
- C. Google Authenticator app
- D. Titan Security Keys
Answer: D
Explanation:
https://cloud.google.com/titan-security-key
Security keys use public key cryptography to verify a user's identity and the URL of the login page, ensuring attackers can't access your account even if you are tricked into providing your username and password.
NEW QUESTION # 51
You are consulting with a client that requires end-to-end encryption of application data (including data in transit, data in use, and data at rest) within Google Cloud. Which options should you utilize to accomplish this? (Choose two.)
- A. External Key Manager
- B. Hardware Security Module
- C. Client-side encryption
- D. Confidential Computing and Istio
- E. Customer-supplied encryption keys
Answer: C,D
Explanation:
Google Cloud customers with additional requirements for encryption of data over WAN can choose to implement further protections for data as it moves from a user to an application, or virtual machine to virtual machine. These protections include IPSec tunnels, Gmail S/MIME, managed SSL certificates, and Istio.
https://cloud.google.com/docs/security/encryption-in-transit
NEW QUESTION # 52
