Free Google Professional-Cloud-Security-Engineer Exam Questions

Question 1

You run applications on Cloud Run. You already enabled container analysis for vulnerability scanning.

However, you are concerned about the lack of control on the applications that are deployed. You must ensure

that only trusted container images are deployed on Cloud Run.

What should you do?

Choose 2 answers

A : able Binary Authorization on the existing Kubernetes cluster.

B : t the organization policy constraint constraints/run. allowedBinaryAuthorizationPolicie to the list of allowed Binary Authorization policy names.

C : t the organization policy constraint constraints/compute.trustedimageProjects to the list of protects that contain the trusted container images

D : able Binary Authorization on the existing Cloud Run service

E : Cloud Run breakglass to deploy an image that meets the Binary Authorization policy by default.

Answer: B,D

Question 2

Your organization must comply with the regulation to keep instance logging data within Europe. Yourworkloads will be hosted in the Netherlands in region europe-west4 in a new project. You must configureCloud Logging to keep your data in the country.What should you do?

A : Configure the organization policy constraint gcp.resourceLocations to europe-west4.

B : Set the logging storage region to eurcpe-west4 by using the gcloud CLI logging settings update.

C : Create a new tog bucket in europe-west4. and redirect the _Def auit bucKet to the new bucket.

D : Configure log sink to export all logs into a Cloud Storage bucket in europe-west4.

Answer: D

Question 3

Your organization has an application hosted in Cloud Run. You must control access to the application byusing Cloud Identity-Aware Proxy (IAP) with these requirements:Only users from the AppDev group may have access.Access must be restricted to internal network IP addresses.What should you do?

A : Configure IAP to enforce multi-factor authentication (MFA) for all users and use network intrusiondetection systems (NIDS) to block unauthorized access attempts.

B : Configure firewall rules to limit access to IAP based on the AppDev group and source IP addresses.

C : Create an access level that includes conditions for internal IP address ranges and AppDev groups.Apply this access level to the application's IAP policy.

D : Deploy a VPN gateway and instruct the AppDev group to connect to the company network beforeaccessing the application.

Answer: C

Question 4

Your organization must comply with the regulation to keep instance logging data within Europe. Yourworkloads will be hosted in the Netherlands in region europe-west4 in a new project. You must configureCloud Logging to keep your data in the country.What should you do?

A : Configure the organization policy constraint gcp.resourceLocations to europe-west4.

B : Set the logging storage region to eurcpe-west4 by using the gcloud CLI logging settings update.

C : Create a new tog bucket in europe-west4. and redirect the _Def auit bucKet to the new bucket.

D : Configure log sink to export all logs into a Cloud Storage bucket in europe-west4.

Answer: D

Question 5

An employer wants to track how bonus compensations have changed over time to identify employee outliers

and correct earning disparities. This task must be performed without exposing the sensitive compensation data

for any individual and must be reversible to identify the outlier.

Which Cloud Data Loss Prevention API technique should you use to accomplish this?

A : Generalization

B : Redaction

C : CryptoHashConfig

D : CryptoReplaceFfxFpeConfig

Answer: D