Prepare With Top Rated High-quality Professional-Cloud-Security-Engineer Dumps For Success in Professional-Cloud-Security-Engineer Exam [Q78-Q101]


Professional-Cloud-Security-Engineer Free Certification Exam Easy to Download PDF Format 2023


What is the Passing Score, Duration & Questions for the Google Professional Cloud Security Engineer Exam

  • Number of Questions: 50-60
  • Language: English
  • Passing score: N/A
  • Length of Examination: 120 minutes
  • Format: Multiple choices, multiple answers

There are 3 study programs available that you can use to prepare for the test. Also, Google provides tons of skill badges that you can complete to verify your competence in implementing cloud security concepts at this level. We will be covering all of them below:

1. Google Cloud Fundamentals: Core Infrastructure

This course will help you build an important foundation for working efficiently with the popular compute and storage services in Google Cloud, including Google Kubernetes Engine, Cloud SQL, Cloud Storage, BigQuery, App Engine, and Compute Engine. It also covers resource and policy management tools such as Cloud Identity and Access Management and the Resource Manager hierarchy. If you have experience with Azure or AWS and are looking to switch to Google Cloud, this course is the best tool to ease the transition.

 

NEW QUESTION 78
A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places.
Which Storage solution are they allowed to use?

  • A. Compute Engine SSD Disk
  • B. Cloud Bigtable
  • C. Cloud BigQuery
  • D. Compute Engine Persistent Disk

Answer: C

Explanation:
https://cloud.google.com/bigquery/docs/locations

 

NEW QUESTION 79
You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.
What should you do?

  • A. Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.
  • B. Set up a default bucket ACL and manage access for users using IAM.
  • C. Set up an ACL with OWNER permission to a scope of allUsers.
  • D. Set up an ACL with READER permission to a scope of allUsers.

Answer: C

Explanation:
Reference: https://cloud.google.com/storage/docs/access-control/lists

 

NEW QUESTION 80
Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization. How should you enforce this?

  • A. Remove the iam.serviceAccounts.getAccessToken permission from users.
  • B. Enable an organization policy to prevent service account keys from being created.
  • C. Configure Secret Manager to manage service account keys.
  • D. Enable an organization policy to disable service accounts from being created.

Answer: B

Explanation:
https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys
"To prevent unnecessary usage of service account keys, use organization policy constraints: At the root of your organization's resource hierarchy, apply the Disable service account key creation and Disable service account key upload constraints to establish a default where service account keys are disallowed. When needed, override one of the constraints for selected projects to re-enable service account key creation or upload."

 

NEW QUESTION 81
A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet.
How should this be accomplished?

  • A. Enable Private Google Access on the VPC.
  • B. Provision a NAT Gateway to access the Cloud Storage API endpoint.
  • C. Create a firewall rule to block internet traffic from the VM.
  • D. Mount a Cloud Storage bucket as a local filesystem on every VM.

Answer: A

Explanation:
https://cloud.google.com/vpc/docs/private-google-access

 

NEW QUESTION 82
When working with agents in a support center via online chat, an organization's customers often share pictures of their documents with personally identifiable information (PII). The organization that owns the support center is concerned that the PII is being stored in their databases as part of the regular chat logs they retain for review by internal or external analysts for customer service trend analysis.
Which Google Cloud solution should the organization use to help resolve this concern for the customer while still maintaining data utility?

  • A. Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.
  • B. Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.
  • C. Use Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.
  • D. Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.

Answer: D

Explanation:
Reference: https://cloud.google.com/dlp/docs/deidentify-sensitive-data

 

NEW QUESTION 83
A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?

  • A. Use Cloud Build to build the container images.
  • B. Delete non-used versions from Container Registry.
  • C. Use a Continuous Delivery tool to deploy the application.
  • D. Build small containers using small base images.

Answer: C

Explanation:
Reference:
https://cloud.google.com/solutions/best-practices-for-building-containers

 

NEW QUESTION 84
You are creating a new infrastructure CI/CD pipeline to deploy hundreds of ephemeral projects in your Google Cloud organization to enable your users to interact with Google Cloud. You want to restrict the use of the default networks in your organization while following Google-recommended best practices. What should you do?

  • A. Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.
  • B. Grant your users the IAM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts the compute.googleapis.com API.
  • C. Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
  • D. Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.

Answer: C

 

NEW QUESTION 85
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.
Which cost reduction options should you recommend?

  • A. Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
  • B. Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
  • C. Use FindingLimits and TimespanConfig to sample data and minimize transformation units.
  • D. Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.

Answer: B

Explanation:
Reference: https://cloud.google.com/dlp/docs/reference/rest/v2/InspectJobConfig

 

NEW QUESTION 86
You want to use the gcloud command-line tool to authenticate using a third-party single sign-on (SSO) SAML identity provider. Which options are necessary to ensure that authentication is supported by the third-party identity provider (IdP)? (Choose two.)

  • A. Cloud Identity
  • B. OpenID Connect
  • C. Identity-Aware Proxy
  • D. SSO SAML as a third-party IdP
  • E. Identity Platform

Answer: B,D

Explanation:
To provide users with SSO-based access to selected cloud apps, Cloud Identity as your IdP supports the OpenID Connect (OIDC) and Security Assertion Markup Language 2.0 (SAML) protocols.
https://cloud.google.com/identity/solutions/enable-sso

 

NEW QUESTION 87
A customer is collaborating with another company to build an application on Compute Engine.
The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application.
Communication between portions of the application must not traverse the public internet by any means.
Which connectivity option should be implemented?

  • A. Cloud VPN
  • B. Shared VPC
  • C. VPC peering
  • D. Cloud Interconnect

Answer: A

 

NEW QUESTION 88
Last week, a company deployed a new App Engine application that writes logs to BigQuery. No other workloads are running in the project. You need to validate that all data written to BigQuery was done using the App Engine Default Service Account.
What should you do?

  • A. 1. In BigQuery, select the related dataset.
    2. Make sure the App Engine Default Service Account is the only account that can write to the dataset.
  • B. 1. Use StackDriver Logging and filter on BigQuery Insert Jobs.
    2. Click on the email address in line with the App Engine Default Service Account in the authentication field.
    3. Click Show Matching Entries.
    4. Make sure the resulting list is empty.
  • C. 1. Go to the IAM section on the project.
    2. Validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery.
  • D. 1. Use StackDriver Logging and filter on BigQuery Insert Jobs.
    2. Click on the email address in line with the App Engine Default Service Account in the authentication field.
    3. Click Hide Matching Entries.
    4. Make sure the resulting list is empty.

Answer: A

 

NEW QUESTION 89
You are working with a client that is concerned about control of their encryption keys for sensitive data. The client does not want to store encryption keys at rest in the same cloud service provider (CSP) as the data that the keys are encrypting. Which Google Cloud encryption solutions should you recommend to this client? (Choose two.)

  • A. Google default encryption
  • B. Secret Manager
  • C. Customer-managed encryption keys
  • D. Customer-supplied encryption keys.
  • E. Cloud External Key Manager

Answer: D,E

 

NEW QUESTION 90
An office manager at your small startup company is responsible for matching payments to invoices and creating billing alerts. For compliance reasons, the office manager is only permitted to have the Identity and Access Management (IAM) permissions necessary for these tasks. Which two IAM roles should the office manager have? (Choose two.)

  • A. Billing Account Costs Manager
  • B. Billing Account User
  • C. Billing Account Viewer
  • D. Project Creator
  • E. Organization Administrator

Answer: A,C

Explanation:
Reference: https://cloud.google.com/billing/docs/how-to/billing-access#overview-of-cloud-billing-roles-in-cloud-iam
Billing Account Costs Manager (roles/billing.costsManager)
- Manage budgets and view and export cost information of billing accounts (but not pricing information).
Billing Account Viewer (roles/billing.viewer)
- View billing account cost information and transactions.

 

NEW QUESTION 91
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.
Which Cloud Data Loss Prevention API technique should you use to accomplish this?

  • A. CryptoReplaceFfxFpeConfig
  • B. CryptoHashConfig
  • C. Redaction
  • D. Generalization

Answer: C

 

NEW QUESTION 92
You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine. Which option should you recommend?

  • A. Cloud Key Management Service
  • B. Compute Engine guest attributes
  • C. Secret Manager
  • D. Compute Engine custom metadata

Answer: A

 

NEW QUESTION 93
You are the project owner for a regulated workload that runs in a project you own and manage as an Identity and Access Management (IAM) admin. For an upcoming audit, you need to provide access reviews evidence. Which tool should you use?

  • A. Policy Analyzer
  • B. Policy Simulator
  • C. Policy Troubleshooter
  • D. IAM Recommender

Answer: C

 

NEW QUESTION 94
A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity-Aware Proxy.
What should the customer do to meet these requirements?

  • A. Make sure that the ERP system can validate the identity headers in the HTTP requests.
  • B. Make sure that the ERP system can validate the JWT assertion in the HTTP requests.
  • C. Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests.
  • D. Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.

Answer: B

Explanation:
Use cryptographic verification. If there is a risk of IAP being turned off or bypassed, your app can check to make sure the identity information it receives is valid. This uses a third web request header added by IAP, called X-Goog-IAP-JWT-Assertion. The value of the header is a cryptographically signed object that also contains the user identity data. Your application can verify the digital signature and use the data provided in this object to be certain that it was provided by IAP without alteration.

 

NEW QUESTION 95
In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.
Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)

  • A. Cloud Functions
  • B. Compute Engine
  • C. Google Kubernetes Engine
  • D. Cloud Storage
  • E. App Engine

Answer: B,E

 

NEW QUESTION 96
Your team needs to prevent users from creating projects in the organization. Only the DevOps team should be allowed to create projects on behalf of the requester.
Which two tasks should your team perform to handle this request? (Choose two.)

  • A. Grant the Project Editor role at the organizational level to a designated group of users.
  • B. Remove all users from the Project Creator role at the organizational level.
  • C. Grant the billing account creator role to the designated DevOps team.
  • D. Add a designated group of users to the Project Creator role at the organizational level.
  • E. Create an Organization Policy constraint, and apply it at the organizational level.

Answer: D,E

 

NEW QUESTION 97
In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.
Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)

  • A. Cloud Functions
  • B. Compute Engine
  • C. Google Kubernetes Engine
  • D. Cloud Storage
  • E. App Engine

Answer: B,E

Explanation:
Reference: https://cloud.google.com/solutions/pci-dss-compliance-in-gcp

 

NEW QUESTION 98
A customer's data science group wants to use Google Cloud Platform (GCP) for their analytics workloads.
Company policy dictates that all data must be company-owned and all user authentications must go through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and realized that their domain was already being used by G Suite.
How should you best advise the Systems Engineer to proceed with the least disruption?

  • A. Register a new domain name, and use that for the new Cloud Identity domain.
  • B. Ask Google to provision the data science manager's account as a Super Administrator in the existing domain.
  • C. Ask customer's management to discover any other uses of Google managed services, and work with the existing Super Administrator.
  • D. Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.

Answer: B

 

NEW QUESTION 99
An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request.
Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses. Which solution should your team implement to meet these requirements?

  • A. Cloud Armor
  • B. Network Load Balancing
  • C. SSL Proxy Load Balancing
  • D. NAT Gateway

Answer: A

Explanation:
Reference: https://cloud.google.com/armor/docs/security-policy-concepts

 

NEW QUESTION 100
Your customer is moving their corporate applications to Google Cloud Platform. The security team wants detailed visibility of all resources in the organization. You use Resource Manager to set yourself up as the org admin. What Cloud Identity and Access Management (Cloud IAM) roles should you give to the security team?

  • A. Org viewer, Project owner
  • B. Org viewer, Project viewer
  • C. Org admin, Project browser
  • D. Project owner, Network admin

Answer: B

Explanation:
A is not correct because Project owner is too broad. The security team does not need to be able to make changes to projects.
B is correct because:
- Org viewer grants the security team permissions to view the organization's display name.
- Project viewer grants the security team permissions to see the resources within projects.
C is not correct because Org admin is too broad. The security team does not need to be able to make changes to the organization.
D is not correct because Project owner is too broad. The security team does not need to be able to make changes to projects.
https://cloud.google.com/resource-manager/docs/access-control-org#using_predefined_roles

 

NEW QUESTION 101
......

Get 100% Success with Latest Google Cloud Certified Professional-Cloud-Security-Engineer Exam Dumps: https://www.dumpstillvalid.com/Professional-Cloud-Security-Engineer-prep4sure-review.html

The Best Professional-Cloud-Security-Engineer Exam Study Material and Preparation Test Question Dumps: https://drive.google.com/open?id=1JvuSQJq3fs8ua3YP9sbZZf7LsEL6bxh4