
Updated PDF (New 2022) Actual Google Professional-Cloud-Security-Engineer Exam Questions
NEW QUESTION 95
You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your Google Cloud VPCs based on packet header information. However, you want the capability to explore network flows and their payload to aid investigations. Which Google Cloud product should you use?
- A. Google Cloud Armor Deep Packet Inspection
- B. Marketplace IDS
- C. Packet Mirroring
- D. VPC Flow Logs
- E. VPC Service Controls logs
Answer: C
NEW QUESTION 96
Your company operates an application instance group that is currently deployed behind a Google Cloud load balancer in us-central-1 and is configured to use the Standard Tier network. The infrastructure team wants to expand to a second Google Cloud region, us-east-2. You need to set up a single external IP address to distribute new requests to the instance groups in both regions.
What should you do?
- A. Create a Cloud VPN connection between the two regions, and enable Google Private Access.
- B. Change the load balancer backend configuration to use network endpoint groups instead of instance groups.
- C. Change the load balancer frontend configuration to use the Premium Tier network, and add the new instance group.
- D. Create a new load balancer in us-east-2 using the Standard Tier network, and assign a static external IP address.
Answer: B
NEW QUESTION 97
A large e-retailer is moving its ecommerce website to Google Cloud Platform. The company wants to ensure payment information is encrypted between the customer's browser and GCP when customers check out online.
What should they do?
- A. Configure an SSL Certificate on an L7 Load Balancer and require encryption.
- B. Configure the firewall to allow outbound traffic on port 443, and block all other outbound traffic.
- C. Configure the firewall to allow inbound traffic on port 443, and block all other inbound traffic.
- D. Configure an SSL Certificate on a Network TCP Load Balancer and require encryption.
Answer: A
NEW QUESTION 98
An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request.
Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses. Which solution should your team implement to meet these requirements?
- A. NAT Gateway
- B. SSL Proxy Load Balancing
- C. Network Load Balancing
- D. Cloud Armor
Answer: D
Explanation:
https://cloud.google.com/armor/docs/security-policy-concepts
NEW QUESTION 99
A manager wants to start retaining security event logs for 2 years while minimizing costs. You write a filter to select the appropriate log entries.
Where should you export the logs?
- A. BigQuery datasets
- B. StackDriver logging
- C. Cloud Pub/Sub topics
- D. Cloud Storage buckets
Answer: B
Explanation:
https://cloud.google.com/logging/docs/exclusions
NEW QUESTION 100
Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?
- A. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
- B. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project. 2. Process Cloud Storage objects in SIEM.
- C. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
- D. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project. 2. Process Cloud Storage objects in SIEM.
Answer: D
NEW QUESTION 101
A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.
Which two strategies should your team use to meet these requirements? (Choose two.)
- A. Configure a Cloud NAT gateway.
- B. Turn off IP forwarding on the Compute Engine instances in the cluster.
- C. Make sure that the Compute Engine cluster is running on a separate subnet.
- D. Avoid assigning public IP addresses to the Compute Engine cluster.
- E. Configure Private Google Access on the Compute Engine subnet.
Answer: A,D
NEW QUESTION 102
Your team creates an ingress firewall rule to allow SSH access from their corporate IP range to a specific bastion host on Compute Engine. Your team wants to make sure that this firewall rule cannot be used by unauthorized engineers who may otherwise have access to manage VMs in the development environment. What should your team do to meet this requirement?
- A. Create the firewall rule in a Shared VPC with a target of a network tag.
- B. Create the firewall rule with a target of a network tag. Centrally manage access to the tag.
- C. Create the firewall rule in a Shared VPC with a target of a specific subnet.
- D. Create the firewall rule with a target of a service account. Centrally manage access to the service account.
Answer: D
Explanation:
A is not correct because the network tag value can be inferred by examining the Firewall Rule or VM metadata.
B is correct because access to the Service Account is required to use a firewall rule with a target of a Service Account.
C is not correct because the target network tag value can be inferred by examining the Firewall Rule or VM metadata.
D is not correct because the target subnet value can be inferred by examining the Firewall Rule or VM metadata.
https://cloud.google.com/vpc/docs/firewalls#service-accounts-vs-tags
NEW QUESTION 103
A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE).
How should the DevOps team accomplish this?
- A. Configure containers to automatically upgrade when the base image is available in Container Registry.
- B. Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
- C. Use Puppet or Chef to push out the patch to the running container.
- D. Update the application code or apply a patch, build a new image, and redeploy it.
Answer: B
Explanation:
Reference:
https://cloud.google.com/kubernetes-engine/docs/security-bulletins
NEW QUESTION 104
You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM.
What should you do?
- A. Use a management tool to sync the subset based on group object class attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
- B. Use a management tool to sync the subset based on the email address attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
- C. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have "user email address" as the attribute to facilitate bidirectional sync.
- D. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have "user email address" as the attribute to facilitate one-way sync.
Answer: B
NEW QUESTION 105
A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects.
Which two steps should the company take to meet these requirements? (Choose two.)
- A. Create a folder for each development and production environment.
- B. Create a project with multiple VPC networks for each environment.
- C. Create projects for each environment, and grant IAM rights to each engineering user.
- D. Create an Organizational Policy constraint for each folder environment.
- E. Create a Google Group for the Engineering team, and assign permissions at the folder level.
Answer: A,E
NEW QUESTION 106
A customer's company has multiple business units. Each business unit operates independently, and each has its own engineering group. Your team wants visibility into all projects created within the company and wants to organize its Google Cloud Platform (GCP) projects based on the different business units. Each business unit also requires a separate set of IAM permissions.
Which strategy should you use to meet these needs?
- A. Assign GCP resources in a project, with a label identifying which business unit owns the resource.
- B. Establish standalone projects for each business unit, using gmail.com accounts.
- C. Assign GCP resources in a VPC for each business unit to separate network access.
- D. Create an organization node, and assign folders for each business unit.
Answer: D
NEW QUESTION 107
You want to evaluate GCP for PCI compliance. You need to identify Google's inherent controls.
Which document should you review to find the information?
- A. Product documentation for Compute Engine
- B. PCI DSS Requirements and Security Assessment Procedures
- C. Google Cloud Platform: Customer Responsibility Matrix
- D. PCI SSC Cloud Computing Guidelines
Answer: D
NEW QUESTION 108
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.
Which Cloud Data Loss Prevention API technique should you use to accomplish this?
- A. Redaction
- B. CryptoReplaceFfxFpeConfig
- C. CryptoHashConfig
- D. Generalization
Answer: A
NEW QUESTION 109
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior.
What should you do to meet these requirements?
- A. Create a Folder per department under the Organization. For each department's Folder, assign the Project Browser role to the Google Group related to that department.
- B. Create a Project per department under the Organization. For each department's Project, assign the Project Viewer role to the Google Group related to that department.
- C. Create a Folder per department under the Organization. For each department's Folder, assign the Project Viewer role to the Google Group related to that department.
- D. Create a Project per department under the Organization. For each department's Project, assign the Project Browser role to the Google Group related to that department.
Answer: B
NEW QUESTION 110
You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account.
What should you do?
- A. Query Stackdriver Monitoring Workspace.
- B. Query Access Transparency logs.
- C. Query Data Access logs.
- D. Query Admin Activity logs.
Answer: D
NEW QUESTION 111
You perform a security assessment on a customer architecture and discover that multiple VMs have public IP addresses. After providing a recommendation to remove the public IP addresses, you are told those VMs need to communicate to external sites as part of the customer's typical operations. What should you recommend to reduce the need for public IP addresses in your customer's VMs?
- A. Google Cloud Armor
- B. Cloud VPN
- C. Cloud Router
- D. Cloud NAT
Answer: B
Preparation Options
When preparing for the certification exam, you do not have to search far for the right study materials, as everything you need is located on the official website. The most effective way to study for the Google Professional Cloud Security Engineer test is to follow the learning path available on the vendor's platform. The Security Engineer learning path consists of a number of courses and hands-on labs covering each aspect of the exam. You will learn the best practices in cloud security and how the Google Cloud security model can help you protect your technology stack.
The official platform also provides the learners with a variety of additional resources such as Google Cloud documentation and Google Cloud solutions. At the end of your preparation, use the sample questions to evaluate your readiness for the upcoming exam.

