You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive data. Your solution has the following requirements:
1. Schedule key rotation for sensitive data.
2. Control which region the encryption keys for sensitive data are stored in.
3. Minimize the latency to access encryption keys for both sensitive and non-sensitive data.
What should you do?
A. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
B. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.
C. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.
You want to evaluate GCP for PCI compliance. You need to identify Google's inherent controls.
Which document should you review to find the information?
A. Google Cloud Platform: Customer Responsibility Matrix
B. PCI DSS Requirements and Security Assessment Procedures
C. PCI SSC Cloud Computing Guidelines
D. Product documentation for Compute Engine
You are a member of your company's security team. You have been asked to reduce your Linux bastion host external attack surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can access the internal VPC while off-site. How should you enable this access?
A. Implement Cloud VPN for the region where the bastion host lives.
B. Implement OS Login with 2-step verification for the bastion host.
C. Implement Identity-Aware Proxy TCP forwarding for the bastion host.
D. Implement Google Cloud Armor in front of the bastion host.
You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.
What should you do?
A. Set up an ACL with OWNER permission to a scope of allUsers.
B. Set up an ACL with READER permission to a scope of allUsers.
C. Set up a default bucket ACL and manage access for users using IAM.
D. Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.
The security operations team needs access to the security-related logs for all projects in their organization. They have the following requirements:
Follow the least privilege model by having only view access to logs.
Have access to Admin Activity logs.
Have access to Data Access logs.
Have access to Access Transparency logs.
Which Identity and Access Management (IAM) role should the security operations team be granted?
A. roles/logging.privateLogViewer
B. roles/logging.admin
C. roles/viewer
D. roles/logging.viewer
You need to centralize your team's logs for production projects. You want your team to be able to search and analyze the logs using Logs Explorer. What should you do?
A. Enable Cloud Monitoring workspace, and add the production projects to be monitored.
B. Use Logs Explorer at the organization level and filter for production project logs.
C. Create an aggregate org sink at the parent folder of the production projects, and set the destination to a Cloud Storage bucket.
D. Create an aggregate org sink at the parent folder of the production projects, and set the destination to a logs bucket.
Your team uses a service account to authenticate data transfers from a given Compute Engine virtual machine instance to a specified Cloud Storage bucket. An engineer accidentally deletes the service account, which breaks application functionality. You want to recover the application as quickly as possible without compromising security.
What should you do?
A. Temporarily disable authentication on the Cloud Storage bucket.
B. Use the undelete command to recover the deleted service account.
C. Create a new service account with the same name as the deleted service account.
D. Update the permissions of another existing service account and supply those credentials to the applications.
You need to set up two network segments: one with an untrusted subnet and the other with a trusted subnet. You want to configure a virtual appliance such as a next-generation firewall (NGFW) to inspect all traffic between the two network segments.
How should you design the network to inspect the traffic?
A. 1. Set up one VPC with two subnets: one trusted and the other untrusted.
2. Configure a custom route for all traffic (0.0.0.0/0) pointed to the virtual appliance.
B. 1. Set up one VPC with two subnets: one trusted and the other untrusted.
2. Configure a custom route for all RFC1918 subnets pointed to the virtual appliance.
C. 1. Set up two VPC networks: one trusted and the other untrusted, and peer them together.
2. Configure a custom route on each network pointed to the virtual appliance.
D. 1. Set up two VPC networks: one trusted and the other untrusted.
2. Configure a virtual appliance using multiple network interfaces, with each interface connected to one of the VPC networks.
You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud. Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.)
A. Use Google default encryption.
B. Manually add users to Google Cloud.
C. Provision users with basic roles using Google's Identity and Access Management (IAM) service.
D. Use SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.
E. Provide granular access with predefined roles.
Your organization wants full control of the keys used to encrypt data at rest in their Google Cloud environments. Keys must be generated and stored outside of Google and integrate with many Google Services including BigQuery. What should you do?
A. Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems. Provide the raw CSEK as part of the API call.
B. Create a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM). Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.
C. Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module (HSM) system from supported vendors.
D. Create a Cloud Key Management Service (KMS) key with imported key material. Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.