google professional cloud security engineer practice test
Professional Cloud Security Engineer
Question 1
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce
cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the
resource name.
Which cost reduction options should you recommend?
- A. Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
- B. Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.
- C. Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
- D. Use FindingLimits and TimespanContfig to sample data and minimize transformation units.
Answer:
C
Explanation:
Reference: https://cloud.google.com/dlp/docs/reference/rest/v2/InspectJobConfig
Question 2
A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control
over the encryption process of data stored at rest in BigQuery.
What technique should the institution use?
- A. Use Cloud Storage as a federated Data Source.
- B. Use a Cloud Hardware Security Module (Cloud HSM).
- C. Customer-managed encryption keys (CMEK).
- D. Customer-supplied encryption keys (CSEK).
Answer:
C
Explanation:
Reference: https://cloud.google.com/bigquery/docs/encryption-at-rest
Question 3
You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that
modify configurations to Google Cloud resources. Your export must meet the following requirements:
Export related logs for all projects in the Google Cloud organization. Export logs in near real-time to an external SIEM.
What should you do? (Choose two.)
- A. Create a Log Sink at the organization level with a Pub/Sub destination.
- B. Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.
- C. Enable Data Access audit logs at the organization level to apply to all projects.
- D. Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.
- E. Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.
Answer:
A E
Explanation:
Reference: https://www.datadoghq.com/blog/monitoring-gcp-audit-logs/
Question 4
You have an application where the frontend is deployed on a managed instance group in subnet A and the data layer is
stored on a mysql Compute Engine virtual machine (VM) in subnet B on the same VPC. Subnet A and Subnet B hold several
other Compute Engine VMs. You only want to allow the application frontend to access the data in the application's mysql
instance on port 3306.
What should you do?
- A. Configure an ingress firewall rule that allows communication from the src IP range of subnet A to the tag "data-tag" that is applied to the mysql Compute Engine VM on port 3306.
- B. Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306. Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged fe-tag. Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.
- D. Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet
Answer:
B
Question 5
A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should
only be visible to customers and company employees from any location.
Which solution will restrict access to the in-progress sites?
- A. Upload an .htaccess file containing the customer and employee user accounts to App Engine.
- B. Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic.
- C. Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts.
- D. Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the companys GCP Virtual Private Cloud (VPC) network.
Answer:
C
Question 6
Your team needs to make sure that their backend database can only be accessed by the frontend application and no other
instances on the network.
How should your team design this network?
- A. Create an ingress firewall rule to allow access only from the application to the database using firewall tags.
- B. Create a different subnet for the frontend application and database to ensure network isolation.
- C. Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.
- D. Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.
Answer:
A
Question 7
You are creating an internal App Engine application that needs to access a users Google Drive on the users behalf. Your
company does not want to rely on the current users credentials. It also wants to follow Google-recommended practices.
What should you do?
- A. Create a new Service account, and give all application users the role of Service Account User.
- B. Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.
- C. Use a dedicated G Suite Admin account, and authenticate the application’s operations with these G Suite credentials.
- D. Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.
Answer:
A
Question 8
Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data
can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet
reached the time period should not be deleted. You want to automate the process of complying with this regulation.
What should you do?
- A. Store the data in a single Persistent Disk, and delete the disk at expiration time.
- B. Store the data in a single BigQuery table and set the appropriate table expiration time.
- C. Store the data in a single Cloud Storage bucket and configure the bucket’s Time to Live.
- D. Store the data in a single BigTable table and set an expiration time on the column families.
Answer:
B
Question 9
A customers internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides
to use customer-supplied encryption keys (CSEK).
How should the team complete this task?
- A. Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
- B. Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
- C. Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
- D. Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.
Answer:
D
Explanation:
Reference: https://cloud.google.com/storage/docs/encryption/customer-supplied-keys
Question 10
An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security
controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The
organizations risk team wants to ensure that network security controls are maintained and effective in G Suite. A security
architect supporting this migration has been asked to ensure that network security controls are in place as part of the new
shared responsibility model between the organization and Google Cloud.
What solution would help meet the requirements?
- A. Ensure that firewall rules are in place to meet the required controls.
- B. Set up Cloud Armor to ensure that network security controls can be managed for G Suite.
- C. Network security is a built-in solution and Google’s Cloud responsibility for SaaS products like G Suite.
- D. Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation.
Answer:
B
Question 11
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department
members as group members. If a department member creates a new project, all members of that department should
automatically have read-only access to all new project resources. Members of any other department should not have access
to the project. You need to configure this behavior.
What should you do to meet these requirements?
- A. Create a Folder per department under the Organization. For each departments Folder, assign the Project Viewer role to the Google Group related to that department.
- B. Create a Folder per department under the Organization. For each departments Folder, assign the Project Browser role to the Google Group related to that department.
- C. Create a Project per department under the Organization. For each departments Project, assign the Project Viewer role to the Google Group related to that department.
- D. Create a Project per department under the Organization. For each departments Project, assign the Project Browser role to the Google Group related to that department.
Answer:
C
Question 12
Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups. Which
Google Cloud service should you use?
- A. Cloud DNS with DNSSEC
- B. Cloud NAT
- C. HTTP(S) Load Balancing
- D. Google Cloud Armor
Answer:
A
Explanation:
Reference: https://developers.google.com/speed/public-dns/faq
Question 13
Which type of load balancer should you use to maintain client IP by default while using the standard network tier?
- A. SSL Proxy
- B. TCP Proxy
- C. Internal TCP/UDP
- D. TCP/UDP Network
Answer:
C
Explanation:
Reference: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_forwarding_rule
Question 14
Applications often require access to secrets - small pieces of sensitive data at build or run time. The administrator
managing these secrets on GCP wants to keep a track of who did what, where, and when? within their GCP projects.
Which two log streams would provide the information that the administrator is looking for? (Choose two.)
- A. Admin Activity logs
- B. System Event logs
- C. Data Access logs
- D. VPC Flow logs
- E. Agent logs
Answer:
A C
Explanation:
Reference: https://cloud.google.com/kms/docs/secret-management
Question 15
You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on
Compute Engine. Which option should you recommend?
- A. Cloud Key Management Service
- B. Compute Engine guest attributes
- C. Compute Engine custom metadata
- D. Secret Manager
Answer:
A
Explanation:
Reference: https://www.freecodecamp.org/news/google-cloud-platform-from-zero-to-hero/