Free Google Professional-Cloud-Security-Engineer Exam Questions

Question 1

You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.

How should you prevent and fix this vulnerability?

A : Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

B : t up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

C : Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.

D : Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

Answer: D

Question 2

Your organization operates a hybrid cloud environment and has recently deployed a private Artifact Registryrepository in Google Cloud. On-premises developers cannot resolve the Artifact Registry hostname andtherefore cannot push or pull artifacts. You've verified the following:Connectivity to Google Cloud is established by Cloud VPN or Cloud Interconnect.No custom DNS configurations exist on-premises.There is no route to the internet from the on-premises network.You need to identify the cause and enable the developers to push and pull artifacts. What is likely causing theissue and what should you do to fix the issue?

A : Artifact Registry requires external HTTP/HTTPS access. Create a new firewall rule allowing ingresstraffic on ports 80 and 443 from the developer's IP ranges.

B : Private Google Access is not enabled for the subnet hosting the Artifact Registry. Enable PrivateGoogle Access for the appropriate subnet.

C : On-premises DNS servers lack the necessary records to resolve private Google API domains. CreateDNS records for restricted.googleapis.com or private.googleapis.com pointing to Google's published IPranges.

D : Developers must be granted the artifactregistry.writer IAM role. Grant the relevant developer group thisrole.

Answer: C

Question 3

Your organization relies heavily on virtual machines (VMs) in Compute Engine. Due to team growth andresource demands. VM sprawl is becoming problematic. Maintaining consistent security hardening and timelypackage updates poses an increasing challenge. You need to centralize VM image management and automatethe enforcement of security baselines throughout the virtual machine lifecycle. What should you do?

A : Activate Security Command Center Enterprise. Use VM discovery and posture management features tomonitor hardening state and trigger automatic responses upon detection of issues.B. Create a CloudBuild trigger to build a pipeline that generates hardened VM images. Run vulnerability scans in thepipeline, and store images with passing scans in a registry. Use instance templates pointing to thisregistry.

B : Configure the sole-tenancy feature in Compute Engine for all projects. Set up custom organization policies in Policy Controller to restrict the operating systems and image sources that teams are allowed to use.

C : Use VM Manager to automatically distribute and apply patches to VMs across your projects. IntegrateVM Manager with hardened. organization-standard VM images stored in a central repository.

Answer: B

Question 4

You have just created a new log bucket to replace the _Default log bucket. You want to route all log entries that are currently routed to the _Default log bucket to this new log bucket in the most efficient manner. What should you do?

A : Create a user-defined sink with inclusion filters copied from the _Default sink. Select the new log bucket as the sink destination.

B : Create exclusion filters for the _Default sink to prevent it from receiving new logs. Create a userdefined sink, and select the new log bucket as the sink destination.

C : Disable the _Default sink. Create a user-defined sink and select the new log bucket as the sink destination.

D : Edit the _Default sink, and select the new log bucket as the sink destination.

Answer: D

Question 5

As an Online education platform company, you need to develop an internal App Engine application that can access a user's Google Drive without relying on current user credentials, while following Google's recommended practices. What steps should you take to accomplish this using Google Cloud Services?

A : To impersonate the user, you should create a new service account and provide it G Suite domain-wide delegation, which the application can use.

B : To ensure secure operations of the application, it is recommended to use a separate G Suite Admin account and authenticate the application's activities using these credentials.

C : Generate a fresh Service account and assign Service Account User role to all the users of the application.

D : To grant access to all application users, a new Service account should be created and a Google Group should be created and all application users should be added to this group. Then, grant the Service Account User role to this group.

Answer: A