
The Google Cloud Certified Professional Cloud Security Engineer exam covers GCP infrastructure security, data protection, identity and access management, and compliance. Candidates should understand the key security concepts and best practices and have hands-on experience with GCP security tools and services.
NEW QUESTION # 135
Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service. Your team wants to manage permissions by AD group membership.
What should your team do to meet these requirements?
- A. Set up SAML 2.0 Single Sign-On (SSO), and assign IAM permissions to the groups.
- B. Use the Admin SDK to create groups and assign IAM permissions from Active Directory.
- C. Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory.
- D. Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.
Answer: D
Explanation:
SAML 2.0 SSO (option A) only federates authentication: it does not carry Active Directory group membership into Google Cloud, so there is nothing to bind IAM roles to. Google Cloud Directory Sync (GCDS) performs a one-way sync of AD users and groups into Cloud Identity; IAM roles are then granted to the synced groups, and a change of AD group membership takes effect on the next sync. SSO and GCDS are normally used together (GCDS for provisioning, SAML for sign-in), but only GCDS meets the "manage permissions by AD group membership" requirement.
Reference:
https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform
NEW QUESTION # 136
You need to centralize your team's logs for production projects. You want your team to be able to search and analyze the logs using Logs Explorer. What should you do?
- A. Create an aggregate org sink at the parent folder of the production projects, and set the destination to a Cloud Storage bucket.
- B. Use Logs Explorer at the organization level and filter for production project logs.
- C. Create an aggregate org sink at the parent folder of the production projects, and set the destination to a logs bucket.
- D. Enable Cloud Monitoring workspace, and add the production projects to be monitored.
Answer: C
Explanation:
An aggregated sink created at the folder (with children included) routes the logs of every production project to one Cloud Logging bucket, and that bucket is queryable in Logs Explorer through a log view. A Cloud Storage destination (option A) is fine for archiving but cannot be searched with Logs Explorer, and Cloud Monitoring (option D) does not centralize logs at all.
NEW QUESTION # 137
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on "in-scope" Nodes only. These Nodes can only contain the "in-scope" Pods.
How should the organization achieve this objective?
- A. Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.
- B. Run all in-scope Pods in the namespace "in-scope-pci".
- C. Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.
- D. Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.
Answer: A
Explanation:
nodeSelector is the simplest recommended form of node selection constraint: add the nodeSelector field to the Pod specification with the labels the target node must carry, and Kubernetes schedules the Pod only onto nodes that have every one of those labels (https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector). Tolerations are applied to Pods and let the scheduler place them on nodes with matching taints; a toleration permits scheduling there but does not guarantee it, because the scheduler still evaluates its other filters (https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). Note that nodeSelector on its own satisfies only the first half of the requirement: it keeps in-scope Pods on the labeled nodes, but does nothing to keep out-of-scope Pods off them. In practice the in-scope node pool also carries a NoSchedule taint that only in-scope Pods tolerate, so that both constraints hold.
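The interaction between the two mechanisms is easy to get wrong, so here is an added example (not from the original page or the Kubernetes project) that models the two scheduler filters involved, nodeSelector label matching and NoSchedule taint/toleration matching, and checks each of the three configurations against both halves of the requirement. The node pool and Pod names are invented; all other scheduler filters (resources, affinity, topology) are deliberately omitted.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    labels: dict = field(default_factory=dict)
    taints: list = field(default_factory=list)       # [(key, value, effect)]


@dataclass
class Pod:
    name: str
    node_selector: dict = field(default_factory=dict)
    tolerations: list = field(default_factory=list)  # [(key, value)]; value None = operator Exists


def tolerates(pod: Pod, taint) -> bool:
    key, value, _effect = taint
    return any(tk == key and (tv is None or tv == value) for tk, tv in pod.tolerations)


def can_schedule(pod: Pod, node: Node) -> bool:
    """Simplified scheduler predicate: every nodeSelector label must match AND
    every NoSchedule taint on the node must be tolerated."""
    if any(node.labels.get(k) != v for k, v in pod.node_selector.items()):
        return False
    if any(eff == "NoSchedule" and not tolerates(pod, (k, v, eff))
           for k, v, eff in node.taints):
        return False
    return True


def isolation(pods_in, pods_out, nodes_in, nodes_out):
    """Returns (in-scope Pods can never land on out-of-scope nodes,
                out-of-scope Pods can never land on in-scope nodes)."""
    in_only = all(not can_schedule(p, n) for p in pods_in for n in nodes_out)
    out_never = all(not can_schedule(p, n) for p in pods_out for n in nodes_in)
    return in_only, out_never


def scenario(mode: str):
    """mode: 'selector' (option A alone), 'taint' (option D alone) or 'both'."""
    taint = ("inscope", "true", "NoSchedule")
    nodes_in = [Node("pci-pool-1", {"inscope": "true"},
                     [taint] if mode in ("taint", "both") else [])]
    nodes_out = [Node("general-pool-1", {"inscope": "false"})]
    selector = {"inscope": "true"} if mode in ("selector", "both") else {}
    tolerations = [("inscope", "true")] if mode in ("taint", "both") else []
    pods_in = [Pod("payment-api", selector, tolerations)]
    pods_out = [Pod("marketing-site")]        # no selector, no toleration
    return isolation(pods_in, pods_out, nodes_in, nodes_out)


if __name__ == "__main__":
    for mode in ("selector", "taint", "both"):
        print(mode, scenario(mode))
```

Only the combined configuration returns (True, True): nodeSelector alone leaves the in-scope nodes open to any other Pod, and a taint alone leaves in-scope Pods free to land on untainted general nodes.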
NEW QUESTION # 138
Your team uses a service account to authenticate data transfers from a given Compute Engine virtual machine instance to a specified Cloud Storage bucket. An engineer accidentally deletes the service account, which breaks application functionality. You want to recover the application as quickly as possible without compromising security.
What should you do?
- A. Update the permissions of another existing service account and supply those credentials to the applications.
- B. Use the undelete command to recover the deleted service account.
- C. Temporarily disable authentication on the Cloud Storage bucket.
- D. Create a new service account with the same name as the deleted service account.
Answer: B
Explanation:
A deleted service account can be undeleted within 30 days of deletion (for example with `gcloud beta iam service-accounts undelete ACCOUNT_ID`). The command needs the account's numeric unique ID, not its email, so keep that ID in your inventory; during the 30-day window the account's role bindings are retained and become effective again once it is restored. Creating a new account with the same name (option D) does not help, because the new account gets a new unique ID and the existing bindings do not apply to it. Options A and C both widen access instead of restoring the original least-privilege identity.
https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts/undelete
NEW QUESTION # 139
Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation.
What should you do?
- A. Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.
- B. Store the data in a single BigQuery table and set the appropriate table expiration time.
- C. Store the data in a single Persistent Disk, and delete the disk at expiration time.
- D. Store the data in a single BigTable table and set an expiration time on the column families.
Answer: A
Explanation:
"To support common use cases like setting a Time to Live (TTL) for objects, retaining noncurrent versions of objects, or "downgrading" storage classes of objects to help manage costs, Cloud Storage offers the Object Lifecycle Management feature. This page describes the feature as well as the options available when using it. To learn how to enable Object Lifecycle Management, and for examples of lifecycle policies, see Managing Lifecycles." https://cloud.google.com/storage/docs/lifecycle
A lifecycle rule with the Delete action and an age condition is evaluated per object, so objects that have not yet reached the retention period are left untouched while expired ones are removed automatically. The other options either expire the whole table or disk at once (B, C) or apply to column families rather than individual rows (D).
NEW QUESTION # 140
You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute arbitrary scripts and display arbitrary content in a victim user's browser in a production environment.
How should you prevent and fix this vulnerability?
- A. Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
- B. Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.
- C. Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.
- D. Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.
Answer: D
Explanation:
Web Security Scanner can confirm the reflected XSS in staging, but the fix belongs in the application: a templating system with contextual auto-escaping encodes each value according to where it lands (HTML text, attribute, URL, JavaScript), which is what output encoding by hand usually gets wrong. Cloud Armor (option B) can block some XSS signatures at the edge but does not remove the bug, and IAP (option C) controls who reaches the application, not what it renders.
Reference: https://cloud.google.com/security-scanner/docs/remediate-findings
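To make "contextual" concrete, the following added example (not code from the original page or from any template engine) shows the vulnerable concatenation beside a hand-rolled escaper that selects the encoding by context. The payloads are constructed for the example; a real auto-escaping engine picks the escaper from its parse state instead of the caller choosing it.

```python
import html
from urllib.parse import quote, urlsplit

# Constructed attacker-controlled inputs (made up for this example).
PAYLOAD_BODY = "<script>alert(1)</script>"
PAYLOAD_ATTR = '" onmouseover="alert(1)'
PAYLOAD_URL = "javascript:alert(1)"


def render_unsafe(name: str, link: str) -> str:
    """The bug the question describes: user data concatenated straight into HTML."""
    return f'<p>Hello {name}</p><a href="{link}" title="{name}">profile</a>'


# Teaching stand-in for an auto-escaping template engine: the same value needs a
# different encoder depending on the HTML context it is written into.
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def esc_text(value: str) -> str:
    """HTML text context: < > & must not be able to open a tag."""
    return html.escape(value, quote=False)


def esc_attr(value: str) -> str:
    """Quoted attribute context: quotes must not be able to close the attribute."""
    return html.escape(value, quote=True)


def esc_url(value: str) -> str:
    """href/src context: entity escaping alone is useless here, because
    javascript:alert(1) contains no < > & or quotes. Allow-list the scheme,
    percent-encode, then attribute-escape (the URL still sits inside href="...")."""
    cleaned = "".join(c for c in value if c not in "\t\r\n").strip()  # browsers drop these
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_URL_SCHEMES:
        return "#"  # refuse javascript:, data:, vbscript:, ...
    return esc_attr(quote(cleaned, safe=":/?#[]@!$&'()*+,;=%"))


def render_safe(name: str, link: str) -> str:
    """Same page, with each interpolation encoded for its own context."""
    return (f"<p>Hello {esc_text(name)}</p>"
            f'<a href="{esc_url(link)}" title="{esc_attr(name)}">profile</a>')


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD_ATTR, PAYLOAD_URL))
    print(render_safe(PAYLOAD_ATTR, PAYLOAD_URL))
```

The URL case is the one that matters most for the question: a template that only HTML-escapes would still emit `href="javascript:alert(1)"` unchanged, which is why the fix must be contextual rather than a single global escape.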
NEW QUESTION # 141
Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization. How should you enforce this?
- A. Enable an organization policy to prevent service account keys from being created.
- B. Configure Secret Manager to manage service account keys.
- C. Enable an organization policy to disable service accounts from being created.
- D. Remove the iam.serviceAccounts.getAccessToken permission from users.
Answer: A
Explanation:
The organization policy constraint `constraints/iam.disableServiceAccountKeyCreation`, enforced at the organization node, blocks creation of user-managed keys in every project beneath it regardless of the developers' IAM roles. Disabling service account creation altogether (option C) would break workloads that need attached identities, and Secret Manager (option B) only stores keys that already exist.
NEW QUESTION # 142
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements:
Only allows communication between the Web and App tiers.
Enforces consistent network security when autoscaling the Web and App tiers.
Prevents Compute Engine Instance Admins from altering network traffic.
What should you do?
- A. Configure all running Web and App servers with respective network tags, then create an allow VPC firewall rule that specifies the target/source with those network tags.
- B. Configure all running Web and App servers with respective service accounts, then create an allow VPC firewall rule that specifies the target/source with those service accounts.
- C. Re-deploy the Web and App servers with instance templates configured with respective service accounts, then create an allow VPC firewall rule that specifies the target/source with those service accounts.
- D. Re-deploy the Web and App servers with instance templates configured with respective network tags, then create an allow VPC firewall rule that specifies the target/source with those network tags.
Answer: C
Explanation:
https://cloud.google.com/vpc/docs/firewalls#service-accounts-vs-tags
A service account represents an identity associated with an instance. Only one service account can be associated with an instance. You control access to the service account by controlling the grant of the Service Account User role for other IAM principals. For an IAM principal to start an instance by using a service account, that principal must have the Service Account User role to at least use that service account and appropriate permissions to create instances (for example, having the Compute Engine Instance Admin role on the project).
Network tags, by contrast, can be added or removed by anyone who can edit the instance, so an Instance Admin could re-tag a VM and change which firewall rules apply to it; changing an instance's service account requires stopping it and holding Service Account User on the new account. Baking the service account into the instance template is what makes the rule hold for every VM the autoscaler creates, which is why option C rather than option B is correct.
NEW QUESTION # 143
Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.
How should your team meet these requirements?
- A. Set up a VPC network with two subnets: one with public IPs and one without public IPs.
- B. Enable Private Access on the VPC network in the production project.
- C. Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
- D. Remove the Editor role and grant the Compute Admin IAM role to the engineers.
Answer: C
Explanation:
The organization policy constraint `constraints/compute.vmExternalIpAccess` denies external IPs for all VMs except an allow-list of instances (given as projects/PROJECT/zones/ZONE/instances/NAME), so only the front-end instances can keep their public addresses. Because organization policies are evaluated independently of IAM, the engineers' Editor role cannot override it; changing their role (option D) would not by itself stop external IPs from being assigned.
Reference: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address
NEW QUESTION # 144
You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk.
What should you do?
- A. Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project. Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
- B. Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
- C. Migrate the application into an isolated project using a "Lift & Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
- D. Migrate the application into an isolated project using a "Lift & Shift" approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.
Answer: C
Explanation:
With the maintenance contract about to expire, a refactor into micro-services (options A and B) is neither quick nor possible without knowing how the application behaves. A lift-and-shift into an isolated project contains the risk: nothing else lives in that project, internal traffic is allowed so the application keeps working, and VPC Flow Logs record the actual connections so the firewall rules can be tightened to exactly the ports observed. Denying all traffic first (option D) would leave the application broken until every port had been discovered from the deny logs.
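The discovery step is the part that has to be done carefully, since you do not want to allow-list whatever happened to hit the VM. The following added example (not from the original page or any Google tool) aggregates constructed VPC Flow Logs records, shaped like the `jsonPayload` Cloud Logging emits, into the minimal set of per-target allow entries, and keeps flows from outside the VPC CIDR in a separate review list instead of proposing rules for them. The addresses, VM names and the `10.10.0.0/16` internal range are invented.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}


def _flow(src, sport, dst, dport, proto, reporter, src_vm=None, dst_vm=None):
    """Constructed VPC Flow Logs jsonPayload (field names follow the record format;
    addresses and VM names are made up for this example)."""
    rec = {"reporter": reporter, "bytes_sent": "1024",
           "connection": {"src_ip": src, "src_port": sport, "dest_ip": dst,
                          "dest_port": dport, "protocol": proto}}
    if src_vm:
        rec["src_instance"] = {"vm_name": src_vm}
    if dst_vm:
        rec["dest_instance"] = {"vm_name": dst_vm}
    return json.dumps(rec)


SAMPLE_FLOW_LOGS = [
    _flow("10.10.0.5", 51234, "10.10.0.20", 8443, 6, "SRC", "legacy-web-1", "legacy-app-1"),
    _flow("10.10.0.5", 51234, "10.10.0.20", 8443, 6, "DEST", "legacy-web-1", "legacy-app-1"),  # same flow, other reporter
    _flow("10.10.0.6", 40022, "10.10.0.20", 8443, 6, "SRC", "legacy-web-2", "legacy-app-1"),
    _flow("10.10.0.20", 38811, "10.10.1.9", 1433, 6, "SRC", "legacy-app-1", "legacy-db-1"),
    _flow("10.10.0.20", 45210, "10.10.2.4", 514, 17, "SRC", "legacy-app-1", "legacy-syslog-1"),
    _flow("203.0.113.7", 55555, "10.10.0.20", 22, 6, "DEST", None, "legacy-app-1"),  # from outside the VPC
]


def parse_flows(lines):
    for line in lines:
        p = json.loads(line)
        c = p["connection"]
        yield {"src": c["src_ip"],
               "proto": PROTO.get(c["protocol"], str(c["protocol"])),
               "port": c["dest_port"],
               "src_vm": p.get("src_instance", {}).get("vm_name", c["src_ip"]),
               "dst_vm": p.get("dest_instance", {}).get("vm_name", c["dest_ip"])}


def propose_rules(lines, internal_cidr="10.10.0.0/16"):
    """Return (rules, flagged): rules are the allow entries the observed internal
    traffic needs per target VM; flagged are flows whose source is outside the
    VPC range and must be reviewed by a person rather than allow-listed."""
    internal = ip_network(internal_cidr)
    allow, review = defaultdict(set), defaultdict(set)
    for f in parse_flows(lines):
        key = (f["dst_vm"], f["proto"], f["port"])      # set() de-duplicates the SRC/DEST reporter pair
        bucket = allow if ip_address(f["src"]) in internal else review
        bucket[key].add(f["src_vm"])

    def fmt(d):
        return [{"target": k[0], "protocol": k[1], "port": k[2], "sources": sorted(v)}
                for k, v in sorted(d.items())]
    return fmt(allow), fmt(review)


if __name__ == "__main__":
    rules, flagged = propose_rules(SAMPLE_FLOW_LOGS)
    print(json.dumps({"rules": rules, "review": flagged}, indent=2))
```

Each proposed entry maps directly onto one firewall rule (target VM, protocol, port, allowed sources); in the service-account based design from the previous question the sources and targets become the service accounts of those VMs rather than IP addresses. Flow Logs are sampled and aggregated over an interval, so run the collection over a full business cycle before treating the result as complete.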
NEW QUESTION # 146
A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location.
How should the company accomplish this?
- A. Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.
- B. Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.
- C. Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.
- D. Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.
Answer: D
Explanation:
https://cloud.google.com/load-balancing/docs/tcp
TCP Proxy Load Balancing is implemented on GFEs that are distributed globally. If you choose the Premium Tier of Network Service Tiers, a TCP proxy load balancer is global. In Premium Tier, you can deploy backends in multiple regions, and the load balancer automatically directs user traffic to the closest region that has capacity. If you choose the Standard Tier, a TCP proxy load balancer can only direct traffic among backends in a single region.
https://cloud.google.com/load-balancing/docs/load-balancing-overview#tcp-proxy-load-balancing
NEW QUESTION # 147
A database administrator notices malicious activities within their Cloud SQL instance. The database administrator wants to monitor the API calls that read the configuration or metadata of resources. Which logs should the database administrator review?
- A. Admin Activity
- B. Data Access
- C. Access Transparency
- D. System Event
Answer: B
Explanation:
https://cloud.google.com/logging/docs/audit/#data-access "Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data."
Admin Activity logs (option A) record only calls that modify configuration or metadata. Note that Data Access audit logs are disabled by default for every service except BigQuery, so they must have been enabled for Cloud SQL before the activity for this evidence to exist.
NEW QUESTION # 148
Your company's cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs. Which service should you use?
- A. TCP/UDP Load Balancing
- B. Cloud DNS
- C. Cloud NAT
- D. Identity Aware-Proxy
Answer: C
Explanation:
https://cloud.google.com/nat/docs/overview "Cloud NAT (network address translation) lets certain resources without external IP addresses create outbound connections to the internet."
NEW QUESTION # 149
A retail customer allows users to upload comments and product reviews. The customer needs to make sure the text does not include sensitive data before the comments or reviews are published.
Which Google Cloud Service should be used to achieve this?
- A. Cloud Security Scanner
- B. Cloud Data Loss Prevention API
- C. Cloud Key Management Service
- D. BigQuery
Answer: B
Explanation:
The Cloud Data Loss Prevention API inspects free text for sensitive infoTypes such as credit card numbers, phone numbers and email addresses, and can redact or mask them before the comment is stored or published. Cloud Security Scanner (now Web Security Scanner) tests a web application for vulnerabilities such as XSS; it does not inspect user-submitted content.
NEW QUESTION # 150
A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?
- A. VPC Flow Logs
- B. Cloud Armor
- C. DNS Security Extensions
- D. Cloud Identity-Aware Proxy
Answer: C
Explanation:
https://cloud.google.com/blog/products/gcp/dnssec-now-available-in-cloud-dns
NEW QUESTION # 151
What are the steps to encrypt data using envelope encryption?
- A. Generate a data encryption key (DEK) locally. Encrypt data with the DEK. Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.
- B. Generate a key encryption key (KEK) locally. Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK. Store the encrypted data and the wrapped DEK.
- C. Generate a data encryption key (DEK) locally. Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK. Store the encrypted data and the wrapped KEK.
- D. Generate a key encryption key (KEK) locally. Generate a data encryption key (DEK) locally. Encrypt data with the KEK. Store the encrypted data and the wrapped DEK.
Answer: A
Explanation:
https://cloud.google.com/kms/docs/envelope-encryption
The data is encrypted locally with a fresh DEK, and only the DEK is sent to Cloud KMS to be wrapped by the KEK. The KEK never leaves KMS and the bulk data never enters it, so KMS request size limits and latency do not matter for large payloads, and rotating the KEK only requires re-wrapping the small DEK rather than re-encrypting the data.
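The four steps of option A, carried through in code as an added example (not from the original page or from Cloud KMS). To stay standard-library only, the data cipher is an encrypt-then-MAC construction built from HMAC-SHA256 (a counter-mode keystream plus a tag), standing in for AES-256-GCM, and the `KeyService` class stands in for Cloud KMS: it holds KEK versions that never leave it and exposes only wrap/unwrap. The envelope logic is what the question is about and is the same with the real primitives; the key sizes and header layout are choices made for this example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks, i = [], 0
    while sum(map(len, blocks)) < n:
        blocks.append(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:n]


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Stand-in AEAD: PRF counter-mode encryption, then a MAC over aad||nonce||ct."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")  # verify before touching the data
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyService:
    """Stand-in for Cloud KMS: KEK versions never leave this object and callers
    only get wrap/unwrap, as with the KMS encrypt/decrypt calls."""

    def __init__(self):
        self._versions, self.primary = {}, 0
        self.rotate()

    def rotate(self) -> int:
        self.primary += 1
        self._versions[self.primary] = secrets.token_bytes(32)
        return self.primary

    def wrap(self, dek: bytes) -> bytes:
        return self.primary.to_bytes(2, "big") + aead_encrypt(self._versions[self.primary], dek, b"dek")

    def unwrap(self, wrapped: bytes) -> bytes:
        version = int.from_bytes(wrapped[:2], "big")   # older versions stay usable for unwrap
        return aead_decrypt(self._versions[version], wrapped[2:], b"dek")


def envelope_encrypt(kms: KeyService, plaintext: bytes) -> dict:
    dek = secrets.token_bytes(32)              # 1. generate the DEK locally
    ciphertext = aead_encrypt(dek, plaintext)  # 2. encrypt the data with the DEK
    wrapped_dek = kms.wrap(dek)                # 3. wrap the DEK with the KEK (the data never goes to KMS)
    return {"ciphertext": ciphertext, "wrapped_dek": wrapped_dek}  # 4. store both together


def envelope_decrypt(kms: KeyService, record: dict) -> bytes:
    return aead_decrypt(kms.unwrap(record["wrapped_dek"]), record["ciphertext"])


def rewrap_after_rotation(kms: KeyService, record: dict) -> dict:
    """After a KEK rotation only the wrapped DEK changes; the bulk ciphertext
    is neither re-read nor re-encrypted."""
    dek = kms.unwrap(record["wrapped_dek"])
    return {"ciphertext": record["ciphertext"], "wrapped_dek": kms.wrap(dek)}


if __name__ == "__main__":
    kms = KeyService()
    rec = envelope_encrypt(kms, b"cardholder record")
    kms.rotate()
    print(envelope_decrypt(kms, rewrap_after_rotation(kms, rec)))
```

Two properties worth checking yourself: decrypting a record wrapped under an older KEK version still works until that version is destroyed, and flipping any byte of the stored ciphertext is rejected before any plaintext is produced.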
NEW QUESTION # 152
Your company's new CEO recently sold two of the company's divisions. Your Director asks you to help migrate the Google Cloud projects associated with those divisions to a new organization node. Which preparation steps are necessary before this migration occurs? (Choose two.)
- A. Disallow inheritance of organization policies.
- B. Remove all project-level custom Identity and Access Management (IAM) roles.
- C. Identify inherited Identity and Access Management (IAM) roles on projects to be migrated.
- D. Create a new folder for all projects to be migrated.
- E. Remove the specific migration projects from any VPC Service Controls perimeters and bridges.
Answer: C,D
Explanation:
https://cloud.google.com/resource-manager/docs/project-migration#plan_policy When you migrate your project, it will no longer inherit the policies from its current place in the resource hierarchy, and will be subject to the effective policy evaluation at its destination. We recommend making sure that the effective policies at the project's destination match as much as possible the policies that the project had in its source location.
https://cloud.google.com/resource-manager/docs/project-migration#import_export_folders Policy inheritance can cause unintended effects when you are migrating a project, both in the source and destination organization resources. You can mitigate this risk by creating specific folders to hold only projects for export and import, and ensuring that the same policies are inherited by the folders in both organization resources. You can also set permissions on these folders that will be inherited to the projects moved within them, helping to accelerate the project migration process.
NEW QUESTION # 153
You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account.
What should you do?
- A. Query Admin Activity logs.
- B. Query Access Transparency logs.
- C. Query Data Access logs.
- D. Query Stackdriver Monitoring Workspace.
Answer: A
Explanation:
Creating a resource is an API call that modifies configuration or metadata, which is exactly what Admin Activity audit logs record; they are always on and cannot be disabled, so they are available for the whole window of the compromise. Data Access logs (option C) cover reads and user-data operations and are off by default for most services, Access Transparency logs record Google staff actions, and a Monitoring workspace holds metrics, not audit events. Filter on protoPayload.authenticationInfo.principalEmail for the service account; the serviceAccountKeyName field in the same block lets you narrow the search to the specific compromised key.
Reference:
https://cloud.google.com/iam/docs/audit-logging/examples-service-accounts
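The same audit-log fields serve both this question and the Cloud SQL one above (which logs hold metadata reads), so here is one added example covering both. It is not code from the original page or from Google; it classifies constructed Cloud Audit Log entries (LogEntry shape, invented project, principals, key IDs and resource names) by log type, lists the resources a given service account key successfully created, and separately lists the Data Access entries showing who read resource metadata.

```python
from urllib.parse import unquote


def _entry(ts, kind, service, method, resource, principal, key=None, code=0):
    """Constructed Cloud Audit Log entry; only the fields used below are filled in."""
    e = {"timestamp": ts,
         "logName": f"projects/acme-prod/logs/cloudaudit.googleapis.com%2F{kind}",
         "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                          "serviceName": service, "methodName": method,
                          "resourceName": resource,
                          "authenticationInfo": {"principalEmail": principal}}}
    if key:
        e["protoPayload"]["authenticationInfo"]["serviceAccountKeyName"] = (
            f"//iam.googleapis.com/projects/acme-prod/serviceAccounts/{principal}/keys/{key}")
    if code:
        e["protoPayload"]["status"] = {"code": code}
    return e


SA = "ci-bot@acme-prod.iam.gserviceaccount.com"
SAMPLE_AUDIT_LOGS = [
    _entry("2024-05-01T02:10:00Z", "activity", "compute.googleapis.com", "v1.compute.instances.insert",
           "projects/acme-prod/zones/us-central1-a/instances/miner-1", SA, key="4a1f"),
    _entry("2024-05-01T02:11:00Z", "activity", "compute.googleapis.com", "v1.compute.instances.insert",
           "projects/acme-prod/zones/us-central1-a/instances/miner-2", SA, key="4a1f", code=7),  # PERMISSION_DENIED
    _entry("2024-05-01T02:12:00Z", "activity", "storage.googleapis.com", "storage.buckets.create",
           "projects/_/buckets/acme-exfil-tmp", SA, key="4a1f"),
    _entry("2024-05-01T03:00:00Z", "activity", "compute.googleapis.com", "v1.compute.instances.insert",
           "projects/acme-prod/zones/us-central1-a/instances/build-7", SA, key="9c2e"),  # the legitimate CI key
    _entry("2024-05-01T03:05:00Z", "activity", "compute.googleapis.com", "v1.compute.instances.delete",
           "projects/acme-prod/zones/us-central1-a/instances/miner-1", SA, key="4a1f"),
    _entry("2024-05-01T04:00:00Z", "data_access", "cloudsql.googleapis.com", "cloudsql.instances.get",
           "projects/acme-prod/instances/orders-db", "alice@example.com"),
    _entry("2024-05-01T04:01:00Z", "data_access", "cloudsql.googleapis.com", "cloudsql.instances.list",
           "projects/acme-prod/instances", SA, key="4a1f"),
]


def audit_log_type(entry):
    """'activity', 'data_access', 'system_event' or 'policy', from the URL-encoded logName."""
    return unquote(entry["logName"]).rsplit("/", 1)[-1]


def is_create_call(method):
    last = method.rsplit(".", 1)[-1].lower()
    return last == "insert" or last.startswith("create")


def resources_created_by(entries, principal, key_id=None):
    """Successful Admin Activity entries in which `principal` (optionally via one
    specific key) created a resource, oldest first."""
    out = []
    for e in sorted(entries, key=lambda x: x["timestamp"]):
        p = e["protoPayload"]
        auth = p["authenticationInfo"]
        if audit_log_type(e) != "activity" or not is_create_call(p["methodName"]):
            continue
        if auth["principalEmail"] != principal:
            continue
        if key_id and not auth.get("serviceAccountKeyName", "").endswith("/keys/" + key_id):
            continue
        if p.get("status", {}).get("code", 0) != 0:
            continue  # denied attempt: worth alerting on, but nothing was created
        out.append((e["timestamp"], p["methodName"], p["resourceName"]))
    return out


def metadata_reads(entries):
    """Data Access entries: who read which resource's configuration or metadata."""
    return [(e["protoPayload"]["authenticationInfo"]["principalEmail"],
             e["protoPayload"]["methodName"], e["protoPayload"]["resourceName"])
            for e in entries if audit_log_type(e) == "data_access"]


if __name__ == "__main__":
    for row in resources_created_by(SAMPLE_AUDIT_LOGS, SA, key_id="4a1f"):
        print(*row)
```

Filtering on the key rather than the account is what separates the attacker's activity from the legitimate CI job that uses a different key of the same service account; the denied `miner-2` attempt is excluded from the created-resources list but is exactly the kind of entry a detection rule should fire on.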
NEW QUESTION # 154
How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?
- A. Build a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs.
- B. Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system.
- C. Send all logs to the SIEM system via an existing protocol such as syslog.
- D. Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow.
Answer: D
Explanation:
Scenarios for exporting Cloud Logging data: Splunk This scenario shows how to export selected logs from Cloud Logging to Pub/Sub for ingestion into Splunk. Splunk is a security information and event management (SIEM) solution that supports several ways of ingesting data, such as receiving streaming data out of Google Cloud through Splunk HTTP Event Collector (HEC) or by fetching data from Google Cloud APIs through Splunk Add-on for Google Cloud. Using the Pub/Sub to Splunk Dataflow template, you can natively forward logs and events from a Pub/Sub topic into Splunk HEC. If Splunk HEC is not available in your Splunk deployment, you can use the Add-on to collect the logs and events from the Pub/Sub topic. https://cloud.google.com/solutions/exporting-stackdriver-logging-for-splunk
NEW QUESTION # 155
You have noticed an increased number of phishing attacks across your enterprise user accounts. You want to implement the Google 2-Step Verification (2SV) option that uses a cryptographic signature to authenticate a user and verify the URL of the login page. Which Google 2SV option should you use?
- A. Cloud HSM keys
- B. Google prompt
- C. Titan Security Keys
- D. Google Authenticator app
Answer: C
Explanation:
https://cloud.google.com/titan-security-key
Security keys use public key cryptography to verify a user's identity and URL of the login page ensuring attackers can't access your account even if you are tricked into providing your username and password.
NEW QUESTION # 156
Your team wants to limit users with administrative privileges at the organization level.
Which two roles should your team restrict? (Choose two.)
- A. Organization Role Viewer
- B. Compute Admin
- C. Organization Administrator
- D. GKE Cluster Admin
- E. Super Admin
Answer: C,E
Explanation:
Reference:
https://cloud.google.com/resource-manager/docs/creating-managing-organization
NEW QUESTION # 157
You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM.
What should you do?
- A. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have "user email address" as the attribute to facilitate bidirectional sync.
- B. Use a management tool to sync the subset based on group object class attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
- C. Use a management tool to sync the subset based on the email address attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
- D. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have "user email address" as the attribute to facilitate one-way sync.
Answer: D
Explanation:
Google Cloud Directory Sync performs a one-way sync from the LDAP directory into Cloud Identity: LDAP remains authoritative and nothing is written back, so a "bidirectional" sync (option A) does not exist. The LDAP search rule selects the security groups to sync and uses the email address attribute to map each group to its Google Group. Reference: https://support.google.com/a/answer/6126589?hl=en
NEW QUESTION # 158
A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE) How should the DevOps team accomplish this?
- A. Update the application code or apply a patch, build a new image, and redeploy it.
- B. Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
- C. Use Puppet or Chef to push out the patch to the running container.
- D. Configure containers to automatically upgrade when the base image is available in Container Registry.
Answer: A
Explanation:
Containers are immutable: a running container is not patched in place, and there is no mechanism for it to pick up a new base image on its own (options C and D). The patch goes into the application or its base image, a new image is built and scanned, and the Deployment is rolled out with the new image. GKE node auto-upgrade (option B) keeps the node OS and kubelet current, which is a separate concern from the application containers; the security bulletins below are where node-level issues of that kind are announced.
Reference: https://cloud.google.com/kubernetes-engine/docs/security-bulletins
NEW QUESTION # 159