Professional-Cloud-Security-Engineer Exam Dumps Pass with Updated 2023 Certified Exam Questions [Q30-Q45]



Available Skill Badges

The Google skill badges are a form of training that allows candidates to demonstrate their understanding of Google concepts at this level. For the Google Professional Cloud Security Engineer exam, the most popular badges include the following:

  • Ensure Access and Identity in Google Cloud
  • Build and Secure Networks in Google Cloud
  • Secure Workloads in Google Kubernetes Engine
  • Create and Manage Cloud Resources

 

NEW QUESTION 30
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.
Which Cloud Data Loss Prevention API technique should you use to accomplish this?

  • A. CryptoHashConfig
  • B. Redaction
  • C. Generalization
  • D. CryptoReplaceFfxFpeConfig

Answer: B

 

NEW QUESTION 31
Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team.
Which type of networking design should your team use to meet these requirements?

  • A. Grant Compute Admin role to the networking team for each engineering project
  • B. VPC peering between all engineering projects using a hub and spoke model
  • C. Cloud VPN Gateway between all engineering projects using a hub and spoke model
  • D. Shared VPC Network with a host project and service projects

Answer: D

Explanation:
https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#centralize_network_control

 

NEW QUESTION 32
You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.
What should you do?

  • A. Use VPN for all connections between your office and cloud environments.
  • B. Move the cardholder data environment into a separate GCP project.
  • C. Use multi-factor authentication for admin access to the web application.
  • D. Use only applications certified compliant with PA-DSS.

Answer: A

Explanation:
Reference: https://cloud.google.com/solutions/pci-dss-compliance-in-gcp

 

NEW QUESTION 33
You need to audit the network segmentation for your Google Cloud footprint. You currently operate Production and Non-Production infrastructure-as-a-service (IaaS) environments. All your VM instances are deployed without any service account customization.
After observing the traffic in your custom network, you notice that all instances can communicate freely - despite tag-based VPC firewall rules in place to segment traffic properly - with a priority of 1000. What are the most likely reasons for this behavior?

  • A. A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 1001.
  • B. A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999.
  • C. All VM instances are residing in the same network subnet.
  • D. All VM instances are missing the respective network tags.
  • E. All VM instances are configured with the same network route.

Answer: D,E

 

NEW QUESTION 34
An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.
Which Cloud Identity password guidelines can the organization use to inform their new requirements?

  • A. Set the minimum length for passwords to be 10 characters.
  • B. Set the minimum length for passwords to be 6 characters.
  • C. Set the minimum length for passwords to be 8 characters.
  • D. Set the minimum length for passwords to be 12 characters.

Answer: C

Explanation:
Default password length is 8 characters.
https://support.google.com/cloudidentity/answer/33319?hl=en
https://support.google.com/cloudidentity/answer/139399?hl=en#:~:text=It%20can%20be%20between%208,deci

 

NEW QUESTION 35
You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

  • A. Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.
  • B. Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.
  • C. Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.
  • D. Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.

Answer: B

 

NEW QUESTION 36
A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities.
Which service should be used to accomplish this?

  • A. Cloud Security Scanner
  • B. Forseti Security
  • C. Google Cloud Audit Logs
  • D. Cloud Armor

Answer: A

 

NEW QUESTION 37
You are working with protected health information (PHI) for an electronic health record system. The privacy officer is concerned that sensitive data is stored in the analytics system. You are tasked with anonymizing the sensitive data in a way that is not reversible. Also, the anonymized data should not preserve the character set and length. Which Google Cloud solution should you use?

  • A. Cloud Data Loss Prevention with deterministic encryption using AES-SIV
  • B. Cloud Data Loss Prevention with format-preserving encryption
  • C. Cloud Data Loss Prevention with cryptographic hashing
  • D. Cloud Data Loss Prevention with Cloud Key Management Service wrapped cryptographic keys

Answer: D

 

NEW QUESTION 38
A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to manage and rotate the encryption keys.
Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?

  • A. Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis
  • B. Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
  • C. Customer-supplied encryption keys (CSEK)
  • D. Encryption by default

Answer: B

Explanation:
Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/dynamic-provisioning-cmek

 

NEW QUESTION 39
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its current data backup and disaster recovery solutions to GCP for later analysis. The organization's production environment will remain on-premises for an indefinite time. The organization wants a scalable and cost-efficient solution.
Which GCP solution should the organization use?

  • A. Cloud Storage using a scheduled task and gsutil
  • B. Compute Engine Virtual Machines using Persistent Disk
  • C. Cloud Datastore using regularly scheduled batch upload jobs
  • D. BigQuery using a data pipeline job with continuous updates

Answer: D

 

NEW QUESTION 40
A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery. What should you do?

  • A. Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.
  • B. Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.
  • C. Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.
  • D. Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.

Answer: D

Explanation:
https://cloud.google.com/bigquery/docs/scan-with-dlp
The Cloud Data Loss Prevention API lets you detect and redact or remove sensitive data before the comments or reviews are published. Cloud DLP reads information from BigQuery, Cloud Storage, or Datastore and scans it for sensitive data.

 

NEW QUESTION 41
Which two implied firewall rules are defined on a VPC network? (Choose two.)

  • A. A rule that denies all inbound connections
  • B. A rule that blocks all outbound connections
  • C. A rule that blocks all inbound port 25 connections
  • D. A rule that allows all inbound port 80 connections
  • E. A rule that allows all outbound connections

Answer: A,E

Explanation:
Reference:
https://cloud.google.com/vpc/docs/firewalls

 

NEW QUESTION 42
A customer deployed an application on Compute Engine that takes advantage of the elastic nature of cloud computing.
How can you work with Infrastructure Operations Engineers to best ensure that Windows Compute Engine VMs are up to date with all the latest OS patches?

  • A. Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.
  • B. Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).
  • C. Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.
  • D. Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.

Answer: D

 

NEW QUESTION 43
You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be read from Project B.
You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials.
What should you do?

  • A. Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.
  • B. Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.
  • C. Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.
  • D. Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.

Answer: C

Explanation:
https://cloud.google.com/vpc-service-controls/docs/overview#isolate

 

NEW QUESTION 44
You are a consultant for an organization that is considering migrating its data from its private cloud to Google Cloud. The organization's compliance team is not familiar with Google Cloud and needs guidance on how compliance requirements will be met on Google Cloud. One specific compliance requirement is for customer data at rest to reside within specific geographic boundaries. Which option should you recommend for the organization to meet its data residency requirements on Google Cloud?

  • A. Organization Policy Service constraints
  • B. Shielded VM instances
  • C. Geolocation access controls
  • D. Access control lists
  • E. Google Cloud Armor

Answer: A

 

NEW QUESTION 45
......
