Prepare Professional-Cloud-Security-Engineer Question Answers Free Update With 100% Exam Passing Guarantee [Q112-Q128]

Share

Prepare Professional-Cloud-Security-Engineer Question Answers Free Update With 100% Exam Passing Guarantee [2024]

Dumps Real Google Professional-Cloud-Security-Engineer Exam Questions [Updated 2024]


The Google Professional-Cloud-Security-Engineer exam covers a wide range of topics related to cloud security, including network security, data protection, identity and access management, compliance and regulation, and incident response. The primary goal of the exam is to ensure that certified professionals possess a deep understanding of the security challenges and opportunities that come with cloud computing.


Google Cloud Certified - Professional Cloud Security Engineer certification exam is designed for individuals who are responsible for creating and managing Google Cloud security architectures. Google Cloud Certified - Professional Cloud Security Engineer Exam certification exam is ideal for professionals who want to showcase their expertise in securing Google Cloud infrastructure and help organizations maintain compliance with laws and regulations concerning data security. The Professional-Cloud-Security-Engineer certification is recognized as a benchmark for excellence in cloud security engineering.

 

NEW QUESTION # 112
A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).
How should the team complete this task?

  • A. Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
  • B. Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
  • C. Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
  • D. Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.

Answer: D

Explanation:
Explanation/Reference: https://cloud.google.com/storage/docs/encryption/customer-supplied-keys


NEW QUESTION # 113
When working with agents in a support center via online chat, an organization's customers often share pictures of their documents with personally identifiable information (PII). The organization that owns the support center is concerned that the PII is being stored in their databases as part of the regular chat logs they retain for review by internal or external analysts for customer service trend analysis.
Which Google Cloud solution should the organization use to help resolve this concern for the customer while still maintaining data utility?

  • A. Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.
  • B. Use Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.
  • C. Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.
  • D. Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.

Answer: D

Explanation:
Explanation/Reference:
Reference; https://cloud.google.com/dlp/docs/deidentify-sensitive-data


NEW QUESTION # 114
While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?

  • A. Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
  • B. Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
  • C. Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.
  • D. Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.

Answer: A

Explanation:
Explanation
https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-configuring-single-sign-on


NEW QUESTION # 115
What are the steps to encrypt data using envelope encryption?

  • A. Generate a data encryption key (DEK) locally.
    Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK.
    Store the encrypted data and the wrapped KEK.
  • B. Generate a data encryption key (DEK) locally.
    Encrypt data with the DEK.
    Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.
  • C. Generate a key encryption key (KEK) locally.
    Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK.
    Store the encrypted data and the wrapped DEK.
  • D. Generate a key encryption key (KEK) locally.
    Generate a data encryption key (DEK) locally. Encrypt data with the KEK.
    Store the encrypted data and the wrapped DEK.

Answer: B


NEW QUESTION # 116
Your organization operates Virtual Machines (VMs) with only private IPs in the Virtual Private Cloud (VPC) with internet access through Cloud NAT Everyday, you must patch all VMs with critical OS updates and provide summary reports What should you do?

  • A. Validate that the egress firewall rules allow any outgoing traffic Log in to each VM and execute OS specific update commands Configure the Cloud Scheduler job to update with critical patches daily for daily updates.
  • B. Assign public IPs to VMs. Validate that the egress firewall rules allow any outgoing traffic Log in to each VM. and configure a daily cron job to enable for OS updates at night during low activity periods.
  • C. Ensure that VM Manager is installed and running on the VMs. In the OS patch management service.
    configure the patch jobs to update with critical patches daily.
  • D. Copy the latest patches to the Cloud Storage bucket. Log in to each VM. download the patches from the bucket, and install them.

Answer: C

Explanation:
Explanation
VM Manager is a suite of tools that can be used to manage operating systems for large virtual machine (VM) fleets running Windows and Linux on Compute Engine. It helps drive efficiency through automation and reduces the operational burden of maintaining these VM fleets. VM Manager includes several services such as OS patch management, OS inventory management, and OS configuration management. By using VM Manager, you can apply patches, collect operating system information, and install, remove, or auto-update software packages. The suite provides a high level of control and automation for managing large VM fleets on Google Cloud.
https://cloud.google.com/compute/docs/vm-manager


NEW QUESTION # 117
You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?

  • A. Prepopulated VPC firewall rules in monitor mode
  • B. Google Cloud Armor's preconfigured rules in preview mode
  • C. Cloud Load Balancing firewall rules
  • D. VPC Service Controls in dry run mode
  • E. The inherent protections of Google Front End (GFE)

Answer: B

Explanation:
Reference:
You can preview the effects of a rule without enforcing it. In preview mode, actions are noted in Cloud Monitoring. You can choose to preview individual rules in a security policy, or you can preview every rule in the policy. https://cloud.google.com/armor/docs/security-policy-overview#preview_mode


NEW QUESTION # 118
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.
Which GCP solution should the organization use?

  • A. Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect
  • B. Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN
  • C. Cloud Storage using a scheduled task and gsutil via Cloud Interconnect
  • D. BigQuery using a data pipeline job with continuous updates via Cloud VPN

Answer: C

Explanation:
https://cloud.google.com/solutions/dr-scenarios-for-data#production_environment_is_on-premises
https://medium.com/@pvergadia/cold-disaster-recovery-on-google-cloud-for-applications-running-on-premises-114b31933d02


NEW QUESTION # 119
A customer's data science group wants to use Google Cloud Platform (GCP) for their analytics workloads. Company policy dictates that all data must be company-owned and all user authentications must go through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and realized that their domain was already being used by G Suite.
How should you best advise the Systems Engineer to proceed with the least disruption?

  • A. Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.
  • B. Register a new domain name, and use that for the new Cloud Identity domain.
  • C. Ask customer's management to discover any other uses of Google managed services, and work with the existing Super Administrator.
  • D. Ask Google to provision the data science manager's account as a Super Administrator in the existing domain.

Answer: C

Explanation:
https://support.google.com/cloudidentity/answer/7389973


NEW QUESTION # 120
You're developing the incident response plan for your company. You need to define the access strategy that your DevOps team will use when reviewing and investigating a deployment issue in your Google Cloud environment. There are two main requirements:
Least-privilege access must be enforced at all times.
The DevOps team must be able to access the required resources only during the deployment issue.
How should you grant access while following Google-recommended best practices?

  • A. Assign the Project Viewer Identity and Access Management (1AM) role to the DevOps team.
  • B. Create a service account, and grant it the Project Owner 1AM role. Give the Service Account User Role on this service account to the DevOps team.
  • C. Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team.
  • D. Create a custom 1AM role with limited list/view permissions, and assign it to the DevOps team.

Answer: D


NEW QUESTION # 121
You recently joined the networking team supporting your company's Google Cloud implementation. You are tasked with familiarizing yourself with the firewall rules configuration and providing recommendations based on your networking and Google Cloud experience. What product should you recommend to detect firewall rules that are overlapped by attributes from other firewall rules with higher or equal priority?

  • A. VPC Flow Logs
  • B. Firewall Rules Logging
  • C. Security Command Center
  • D. Firewall Insights

Answer: D

Explanation:
https://cloud.google.com/network-intelligence-center/docs/firewall-insights/concepts/overview#shadowed-firewall-rules Firewall Insights analyzes your firewall rules to detect firewall rules that are shadowed by other rules. A shadowed rule is a firewall rule that has all of its relevant attributes, such as its IP address and port ranges, overlapped by attributes from one or more rules with higher or equal priority, called shadowing rules.


NEW QUESTION # 122
While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?

  • A. Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
  • B. Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
  • C. Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.
  • D. Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.

Answer: A


NEW QUESTION # 123
Your organization recently activated the Security Command Center {SCO standard tier. There are a few Cloud Storage buckets that were accidentally made accessible to the public. You need to investigate the impact of the incident and remediate it.
What should you do?

  • A. * 1 Remove the Identity and Access Management (IAM) granting access to allusers from the buckets
    * 2 Apply the organization policy storage. unifromBucketLevelAccess to prevent regressions
    * 3 Query the data access logs to report on unauthorized access
  • B. * 1 Change bucket permissions to limit access
    * 2 Query the data access audit logs for any unauthorized access to the buckets
    * 3 After the misconfiguration is corrected mute the finding in the Security Command Center
  • C. * 1 Change the bucket permissions to limit access
    * 2 Query the buckets usage logs to report on unauthorized access to the data
    * 3 Enforce the organization policy storage.publicAccessPrevention to avoid regressions
  • D. * 1 Change permissions to limit access for authorized users
    * 2 Enforce a VPC Service Controls perimeter around all the production projects to immediately stop any unauthorized access
    * 3 Review the administrator activity audit logs to report on any unauthorized access

Answer: B

Explanation:
■■


NEW QUESTION # 124
In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.)

  • A. Access Policies
  • B. Hardware
  • C. Storage Encryption
  • D. Network Security
  • E. Boot

Answer: A,D

Explanation:
Explanation
https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-the-shared-responsib


NEW QUESTION # 125
What are the steps to encrypt data using envelope encryption?

  • A. Generate a data encryption key (DEK) locally.
    Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK.
    Store the encrypted data and the wrapped KEK.
  • B. Generate a data encryption key (DEK) locally.
    Encrypt data with the DEK.
    Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.
  • C. Generate a key encryption key (KEK) locally.
    Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK.
    Store the encrypted data and the wrapped DEK.
  • D. Generate a key encryption key (KEK) locally.
    Generate a data encryption key (DEK) locally. Encrypt data with the KEK.
    Store the encrypted data and the wrapped DEK.

Answer: B

Explanation:
The process of encrypting data is to generate a DEK locally, encrypt data with the DEK, use a KEK to wrap the DEK, and then store the encrypted data and the wrapped DEK. The KEK never leaves Cloud KMS. https://cloud.google.com/kms/docs/envelope-encryption#how_to_encrypt_data_using_envelope_encryption


NEW QUESTION # 126
You are designing a new governance model for your organization's secrets that are stored in Secret Manager.
Currently, secrets for Production and Non-Production applications are stored and accessed using service accounts. Your proposed solution must:
Provide granular access to secrets
Give you control over the rotation schedules for the encryption keys that wrap your secrets Maintain environment separation Provide ease of management Which approach should you take?

  • A. 1. Use a single Google Cloud project to store both Production and Non-Production secrets.
    2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.
    3. Use Google-managed encryption keys to encrypt secrets.
  • B. 1. Use separate Google Cloud projects to store Production and Non-Production secrets.
    2. Enforce access control to secrets using project-level identity and Access Management (IAM) bindings.
    3. Use customer-managed encryption keys to encrypt secrets.
  • C. 1. Use a single Google Cloud project to store both Production and Non-Production secrets.
    2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings.
    3. Use customer-managed encryption keys to encrypt secrets.
  • D. 1. Use separate Google Cloud projects to store Production and Non-Production secrets.
    2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.
    3. Use Google-managed encryption keys to encrypt secrets.

Answer: B

Explanation:
Explanation
Provide granular access to secrets: 2.Enforce access control to secrets using project-level identity and Access Management (IAM) bindings. Give you control over the rotation schedules for the encryption keys that wrap your secrets: 3. Use customer-managed encryption keys to encrypt secrets. Maintain environment separation:
1. Use separate Google Cloud projects to store Production and Non-Production secrets.


NEW QUESTION # 127
A manager wants to start retaining security event logs for 2 years while minimizing costs. You write a filter to select the appropriate log entries.
Where should you export the logs?

  • A. Cloud Pub/Sub topics
  • B. StackDriver logging
  • C. BigQuery datasets
  • D. Cloud Storage buckets

Answer: B

Explanation:
Reference:
https://cloud.google.com/logging/docs/exclusions


NEW QUESTION # 128
......

Professional-Cloud-Security-Engineer Exam Dumps, Professional-Cloud-Security-Engineer Practice Test Questions: https://www.pass4guide.com/Professional-Cloud-Security-Engineer-exam-guide-torrent.html

Free Professional-Cloud-Security-Engineer Exam Dumps to Pass Exam Easily: https://drive.google.com/open?id=1xo1tS7cEiJw0Xozz6H0jI-3CnXbRZ4Xg