Free Google Professional-Cloud-Security-Engineer Exam Questions

Question 1

Your organization operates a hybrid cloud environment and has recently deployed a private Artifact Registryrepository in Google Cloud. On-premises developers cannot resolve the Artifact Registry hostname andtherefore cannot push or pull artifacts. You've verified the following:Connectivity to Google Cloud is established by Cloud VPN or Cloud Interconnect.No custom DNS configurations exist on-premises.There is no route to the internet from the on-premises network.You need to identify the cause and enable the developers to push and pull artifacts. What is likely causing theissue and what should you do to fix the issue?

A : Artifact Registry requires external HTTP/HTTPS access. Create a new firewall rule allowing ingresstraffic on ports 80 and 443 from the developer's IP ranges.

B : Private Google Access is not enabled for the subnet hosting the Artifact Registry. Enable PrivateGoogle Access for the appropriate subnet.

C : On-premises DNS servers lack the necessary records to resolve private Google API domains. CreateDNS records for restricted.googleapis.com or private.googleapis.com pointing to Google's published IPranges.

D : Developers must be granted the artifactregistry.writer IAM role. Grant the relevant developer group thisrole.

Answer: C

Question 2

Your organization is building a real-time recommendation engine using ML models that process live user activity data stored in BigQuery and Cloud Storage. Each new model developed is saved to Artifact Registry. This new system deploys models to Google Kubernetes Engine and uses Pub/Sub for message queues. Recent industry news has been reporting attacks exploiting ML model supply chains. You need to enhance the security in this serverless architecture, specifically against risks to the development and deployment pipeline. What should you do?

A : Limit external libraries and dependencies that are used for the ML models as much as possible. Continuously rotate encryption keys that are used to access the user data from BigQuery and Cloud Storage.

B : Enable container image vulnerability scanning during development and pre-deployment. Enforce Binary Authorization on images deployed from Artifact Registry to your continuous integration and continuous deployment (CI/CD) pipeline.

C : Thoroughly sanitize all training data prior to model development to reduce risk of poisoning attacks. Use IAM for authorization, and apply role-based restrictions to code repositories and cloud services.

D : Develop strict firewall rules to limit external traffic to Cloud Run instances. Integrate intrusion detection systems (IDS) for real-time anomaly detection on Pub/Sub message flows.

Answer: B

Question 3

Your organization is building a real-time recommendation engine using ML models that process live user activity data stored in BigQuery and Cloud Storage. Each new model developed is saved to Artifact Registry. This new system deploys models to Google Kubernetes Engine and uses Pub/Sub for message queues. Recent industry news has been reporting attacks exploiting ML model supply chains. You need to enhance the security in this serverless architecture, specifically against risks to the development and deployment pipeline. What should you do?

A : Limit external libraries and dependencies that are used for the ML models as much as possible. Continuously rotate encryption keys that are used to access the user data from BigQuery and Cloud Storage.

B : Enable container image vulnerability scanning during development and pre-deployment. Enforce Binary Authorization on images deployed from Artifact Registry to your continuous integration and continuous deployment (CI/CD) pipeline.

C : Thoroughly sanitize all training data prior to model development to reduce risk of poisoning attacks. Use IAM for authorization, and apply role-based restrictions to code repositories and cloud services.

D : Develop strict firewall rules to limit external traffic to Cloud Run instances. Integrate intrusion detection systems (IDS) for real-time anomaly detection on Pub/Sub message flows.

Answer: B

Question 4

You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.

How should you prevent and fix this vulnerability?

A : Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

B : t up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

C : Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.

D : Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

Answer: D

Question 5

You are a member of your company's security team. You have been asked to reduce your Linux bastion host external attack surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can access the internal VPC while off-site. How should you enable this access?

A : plement Cloud VPN for the region where the bastion host lives.

B : Implement OS Login with 2-step verification for the bastion host.

C : Implement Identity-Aware Proxy TCP forwarding for the bastion host.

D : plement Google Cloud Armor in front of the bastion host.

Answer: C