Far Out Google Cloud Certified - Professional Cloud Security Engineer Professional-Cloud-Security-Engineer Pdf

NEW QUESTION 1
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.
Which GCP solution should the organization use?

• A. BigQuery using a data pipeline job with continuous updates via Cloud VPN
• B. Cloud Storage using a scheduled task and gsutil via Cloud Interconnect
• C. Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect
• D. Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN

Answer: B

NEW QUESTION 2
An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google's responsibility lies. They are mostly running workloads using Google Cloud's Platform-as-a-Service (PaaS) offerings, including App Engine primarily.
Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?

• A. Configuring and monitoring VPC Flow Logs
• B. Defending against XSS and SQLi attacks
• C. Manage the latest updates and security patches for the Guest OS
• D. Encrypting all stored data

Answer: D

NEW QUESTION 3
You have an application where the frontend is deployed on a managed instance group in subnet A and the data layer is stored on a mysql Compute Engine virtual machine (VM) in subnet B on the same VPC. Subnet A and Subnet B hold several other Compute Engine VMs. You only want to allow thee application frontend to access the data in the application's mysql instance on port 3306.
What should you do?

• A. Configure an ingress firewall rule that allows communication from the src IP range of subnet A to the tag "data-tag" that is applied to the mysql Compute Engine VM on port 3306.
• B. Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306.
• C. Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet
• D. Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged fe-tag.
• E. Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet
• F. Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.

Answer: B

NEW QUESTION 4
A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.
How should the customer achieve this using Google Cloud Platform?

• A. Use Cloud Source Repositories, and store secrets in Cloud SQL.
• B. Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.
• C. Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL.
• D. Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.

Answer: B

NEW QUESTION 5
You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account.
What should you do?

• A. Query Data Access logs.
• B. Query Admin Activity logs.
• C. Query Access Transparency logs.
• D. Query Stackdriver Monitoring Workspace.

Answer: A

NEW QUESTION 6
A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.
Which two strategies should your team use to meet these requirements? (Choose two.)

• A. Configure Private Google Access on the Compute Engine subnet
• B. Avoid assigning public IP addresses to the Compute Engine cluster.
• C. Make sure that the Compute Engine cluster is running on a separate subnet.
• D. Turn off IP forwarding on the Compute Engine instances in the cluster.
• E. Configure a Cloud NAT gateway.

Answer: BE

NEW QUESTION 7
An organization’s typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review.
How should you advise this organization?

• A. Use Forseti with Firewall filters to catch any unwanted configurations in production.
• B. Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforcepolicies.
• C. Route all VPC traffic through customer-managed routers to detect malicious patterns in production.
• D. All production applications will run on-premise
• E. Allow developers free rein in GCP as their dev and QA platforms.

Answer: B

NEW QUESTION 8
You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.
What should you do?

• A. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryptionkey (KEK) in Cloud KMS to encrypt the DE
• B. Store both the encrypted data and the encrypted DEK.
• C. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DE
• D. Store both the encrypted data and the KEK.
• E. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the ke
• F. Store both the encrypted data and the encrypted DEK.
• G. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the ke
• H. Store both the encrypted data and the KEK.

Answer: A

NEW QUESTION 9
You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM.

• A. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have “user email address” as the attribute to facilitate one-way sync.
• B. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have “user email address” as the attribute to facilitate bidirectional sync.
• C. Use a management tool to sync the subset based on the email address attribut
• D. Create a group in the Google domai
• E. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
• F. Use a management tool to sync the subset based on group object class attribut
• G. Create a group in the Google domai
• H. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

Answer: C

NEW QUESTION 10
You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources. Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts.
Which two actions should you take? (Choose two.)

• A. Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity.
• B. Use the Google Admin console to view which managed users are using a personal account for their recovery email.
• C. Add users to your managed Google account and force users to change the email addresses associated with their personal accounts.
• D. Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts.
• E. Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.

Answer: BE

NEW QUESTION 11
A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places.
Which Storage solution are they allowed to use?

• A. Cloud Bigtable
• B. Cloud BigQuery
• C. Compute Engine SSD Disk
• D. Compute Engine Persistent Disk

Answer: B

NEW QUESTION 12
Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?

• A. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM projec
• B. 2. Subscribe SIEM to the topic.
• C. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM projec
• D. 2. Process Cloud Storage objects in SIEM.
• E. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM projec
• F. 2. Subscribe SIEM to the topic.
• G. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each projec
• H. 2. Process Cloud Storage objects in SIEM.

Answer: B

NEW QUESTION 13
Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.
What should you do?

• A. Use the Cloud Key Management Service to manage a data encryption key (DEK).
• B. Use the Cloud Key Management Service to manage a key encryption key (KEK).
• C. Use customer-supplied encryption keys to manage the data encryption key (DEK).
• D. Use customer-supplied encryption keys to manage the key encryption key (KEK).

Answer: A

NEW QUESTION 14
A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity- Aware Proxy.
What should the customer do to meet these requirements?

• A. Make sure that the ERP system can validate the JWT assertion in the HTTP requests.
• B. Make sure that the ERP system can validate the identity headers in the HTTP requests.
• C. Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.
• D. Make sure that the ERP system can validate the user’s unique identifier headers in the HTTP requests.

Answer: A

NEW QUESTION 15
When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)

• A. Ensure that the app does not run as PID 1.
• B. Package a single app as a container.
• C. Remove any unnecessary tools not needed by the app.
• D. Use public container images as a base image for the app.
• E. Use many container image layers to hide sensitive information.

Answer: BC

NEW QUESTION 16
A customer has an analytics workload running on Compute Engine that should have limited internet access. Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.
The Compute Engine instances now need to reach out to the public repository to get security updates. What should your team do?

• A. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.
• B. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.
• C. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.
• D. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.

Answer: C

NEW QUESTION 17
......