Free Google Professional-Cloud-Security-Engineer Exam Questions

Question 1

You are a consultant for an organization that is considering migrating their data from its private cloud to Google Cloud. The organization's compliance team is not familiar with Google Cloud and needs guidance on how compliance requirements will be met on Google Cloud. One specific compliance requirement is for customer data at rest to reside within specific geographic boundaries. Which option should you recommend for the organization to meet their data residency requirements on Google Cloud?

A : ganization Policy Service constraints

B : ielded VM instances

C : cess control lists

D : olocation access controls

E : ogle Cloud Armor

Answer: A

Question 2

Your organization has established a highly sensitive project within a VPC Service Controls perimeter. Youneed to ensure that only users meeting specific contextual requirements such as having a company-manageddevice, a specific location, and a valid user identity can access resources within this perimeter. You want toevaluate the impact of this change without blocking legitimate access. What should you do?

A : Configure a VPC Service Controls perimeter in dry run mode, and enforce strict network segmentationusing firewall rules. Use multi-factor authentication (MFA) for user verification.

B : Use Cloud Audit Logs to monitor user access to the project resources. Use post-incident analysis toidentify unauthorized access attempts.

C : Establish a Context-Aware Access policy that specifies the required contextual attributes, and associatethe policy with the VPC Service Controls perimeter in dry run mode.

D : Use the VPC Service Control Violation dashboard to identify the impact of details about access denialsby service perimeters.

Answer: C

Question 3

Your organization relies heavily on virtual machines (VMs) in Compute Engine. Due to team growth andresource demands. VM sprawl is becoming problematic. Maintaining consistent security hardening and timelypackage updates poses an increasing challenge. You need to centralize VM image management and automatethe enforcement of security baselines throughout the virtual machine lifecycle. What should you do?

A : Activate Security Command Center Enterprise. Use VM discovery and posture management features tomonitor hardening state and trigger automatic responses upon detection of issues.B. Create a CloudBuild trigger to build a pipeline that generates hardened VM images. Run vulnerability scans in thepipeline, and store images with passing scans in a registry. Use instance templates pointing to thisregistry.

B : Configure the sole-tenancy feature in Compute Engine for all projects. Set up custom organization policies in Policy Controller to restrict the operating systems and image sources that teams are allowed to use.

C : Use VM Manager to automatically distribute and apply patches to VMs across your projects. IntegrateVM Manager with hardened. organization-standard VM images stored in a central repository.

Answer: B

Question 4

You have just created a new log bucket to replace the _Default log bucket. You want to route all log entries that are currently routed to the _Default log bucket to this new log bucket in the most efficient manner. What should you do?

A : Create a user-defined sink with inclusion filters copied from the _Default sink. Select the new log bucket as the sink destination.

B : Create exclusion filters for the _Default sink to prevent it from receiving new logs. Create a userdefined sink, and select the new log bucket as the sink destination.

C : Disable the _Default sink. Create a user-defined sink and select the new log bucket as the sink destination.

D : Edit the _Default sink, and select the new log bucket as the sink destination.

Answer: D

Question 5

Your organization operates a hybrid cloud environment and has recently deployed a private Artifact Registryrepository in Google Cloud. On-premises developers cannot resolve the Artifact Registry hostname andtherefore cannot push or pull artifacts. You've verified the following:Connectivity to Google Cloud is established by Cloud VPN or Cloud Interconnect.No custom DNS configurations exist on-premises.There is no route to the internet from the on-premises network.You need to identify the cause and enable the developers to push and pull artifacts. What is likely causing theissue and what should you do to fix the issue?

A : Artifact Registry requires external HTTP/HTTPS access. Create a new firewall rule allowing ingresstraffic on ports 80 and 443 from the developer's IP ranges.

B : Private Google Access is not enabled for the subnet hosting the Artifact Registry. Enable PrivateGoogle Access for the appropriate subnet.

C : On-premises DNS servers lack the necessary records to resolve private Google API domains. CreateDNS records for restricted.googleapis.com or private.googleapis.com pointing to Google's published IPranges.

D : Developers must be granted the artifactregistry.writer IAM role. Grant the relevant developer group thisrole.

Answer: C