Free Google Professional-Cloud-Security-Engineer Exam Questions

Become Google Certified with updated Professional-Cloud-Security-Engineer exam questions and correct answers

Page: 1 / 57

Total 284 Questions | Updated On: Nov 13, 2024

Add To Cart

Question 1

You define central security controls in your Google Cloud environment for one of the folders in your organization you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later you receive an alert about a new VM with an external IP address under that folder. What could have caused this alert?

A : VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.

B : organizational policy constraint wasn't properly enforced and is running in "dry run mode.

C : project level, the organizational policy control has been overwritten with an 'allow' value.

D : policy constraint on the folder level does not have any effect because of an allow" value for that constraint on the organizational level

Answer: A

Question 2

A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.

Which two strategies should your team use to meet these requirements? (Choose two.)

A : nfigure Private Google Access on the Compute Engine subnet

B : oid assigning public IP addresses to the Compute Engine cluster.

C : ke sure that the Compute Engine cluster is running on a separate subnet.

D : rn off IP forwarding on the Compute Engine instances in the cluster.

E : nfigure a Cloud NAT gateway.

Answer: A,B

Question 3

An employer wants to track how bonus compensations have changed over time to identify employee outliers

and correct earning disparities. This task must be performed without exposing the sensitive compensation data

for any individual and must be reversible to identify the outlier.

Which Cloud Data Loss Prevention API technique should you use to accomplish this?

A : Generalization

B : Redaction

C : CryptoHashConfig

D : CryptoReplaceFfxFpeConfig

Answer: D

Question 4

You are a member of your company's security team. You have been asked to reduce your Linux bastion host external attack surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can access the internal VPC while off-site. How should you enable this access?

A : plement Cloud VPN for the region where the bastion host lives.

B : Implement OS Login with 2-step verification for the bastion host.

C : Implement Identity-Aware Proxy TCP forwarding for the bastion host.

D : plement Google Cloud Armor in front of the bastion host.

Answer: C

Question 5

You need to enforce a security policy in your Google Cloud organization that prevents users from exposing objects in their buckets externally. There are currently no buckets in your organization. Which solution should you implement proactively to achieve this goal with the least operational overhead?

A : eate an hourly cron job to run a Cloud Function that finds public buckets and makes them private.

B : able the constraints/storage.publicAccessPrevention constraint at the organization level.

C : able the constraints/storage.uniformBucketLevelAccess constraint at the organization level.

D : eate a VPC Service Controls perimeter that protects the storage.googleapis.com service in your projects that contains buckets. Add any new project that contains a bucket to the perimeter.

Answer: B

Page: 1 / 57

Total 284 Questions | Updated On: Nov 13, 2024

Add To Cart