Summer Certification Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: validbest

Pass the Google Cloud Certified Professional-Cloud-Security-Engineer Questions and answers with ValidTests

Exam Professional-Cloud-Security-Engineer All Questions
Exam Professional-Cloud-Security-Engineer Premium Access

View all detail and faqs for the Professional-Cloud-Security-Engineer exam

Viewing page 7 out of 10 pages
Viewing questions 61-70 out of questions
Questions # 61:

You discovered that sensitive personally identifiable information (PII) is being ingested to your Google Cloud environment in the daily ETL process from an on-premises environment to your BigQuery datasets. You need to redact this data to obfuscate the PII, but need to re-identify it for data analytics purposes. Which components should you use in your solution? (Choose two.)

Options:

A.

Secret Manager

B.

Cloud Key Management Service

C.

Cloud Data Loss Prevention with cryptographic hashing

D.

Cloud Data Loss Prevention with automatic text redaction

E.

Cloud Data Loss Prevention with deterministic encryption using AES-SIV

Expert Solution
Questions # 62:

Your company requires the security and network engineering teams to identify all network anomalies and be able to capture payloads within VPCs. Which method should you use?

Options:

A.

Define an organization policy constraint.

B.

Configure packet mirroring policies.

C.

Enable VPC Flow Logs on the subnet.

D.

Monitor and analyze Cloud Audit Logs.

Expert Solution
Questions # 63:

Your organization strives to be a market leader in software innovation. You provided a large number of Google Cloud environments so developers can test the integration of Gemini in Vertex AI into their existing applications or create new projects. Your organization has 200 developers and a five-person security team. You must prevent and detect proper security policies across the Google Cloud environments. What should you do? (Choose 2 answers)​

Options:

A.

Apply a predefined AI-recommended security posture template for Gemini in Vertex AI in Security Command Center Enterprise or Premium tiers.​

B.

Publish internal policies and clear guidelines to securely develop applications.​

C.

Implement the least privileged access Identity and Access Management roles to prevent misconfigurations.​

D.

Apply organization policy constraints. Detect and monitor drifts by using Security Health Analytics.​

E.

Use Cloud Logging to create log filters to detect misconfigurations. Trigger Cloud Run functions to remediate misconfigurations.​

Expert Solution
Questions # 64:

You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

Options:

A.

Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.

B.

Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.

C.

Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.

D.

Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.

Expert Solution
Questions # 65:

When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)

Options:

A.

Ensure that the app does not run as PID 1.

B.

Package a single app as a container.

C.

Remove any unnecessary tools not needed by the app.

D.

Use public container images as a base image for the app.

E.

Use many container image layers to hide sensitive information.

Expert Solution
Questions # 66:

Your team needs to prevent users from creating projects in the organization. Only the DevOps team should be allowed to create projects on behalf of the requester.

Which two tasks should your team perform to handle this request? (Choose two.)

Options:

A.

Remove all users from the Project Creator role at the organizational level.

B.

Create an Organization Policy constraint, and apply it at the organizational level.

C.

Grant the Project Editor role at the organizational level to a designated group of users.

D.

Add a designated group of users to the Project Creator role at the organizational level.

E.

Grant the billing account creator role to the designated DevOps team.

Expert Solution
Questions # 67:

Your organization is using Vertex AI Workbench Instances. You must ensure that newly deployed instances are automatically kept up-to-date and that users cannot accidentally alter settings in the operating system. What should you do?

Options:

A.

Enable the VM Manager and ensure the corresponding Google Compute Engine instances are added.

B.

Enforce the disableRootAccess and requireAutoUpgradeSchedule organization policies for newly deployed instances.

C.

Assign the AI Notebooks Runner and AI Notebooks Viewer roles to the users of the AI Workbench Instances.

D.

Implement a firewall rule that prevents Secure Shell access to the corresponding Google Compute Engine instances by using tags.

Expert Solution
Questions # 68:

You have an application where the frontend is deployed on a managed instance group in subnet A and the data layer is stored on a mysql Compute Engine virtual machine (VM) in subnet B on the same VPC. Subnet A and Subnet B hold several other Compute Engine VMs. You only want to allow thee application frontend to access the data in the application's mysql instance on port 3306.

What should you do?

Options:

A.

Configure an ingress firewall rule that allows communication from the src IP range of subnet A to the tag "data-tag" that is applied to the mysql Compute Engine VM on port 3306.

B.

Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306.

C.

Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged fe-tag.

D.

Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.

Expert Solution
Questions # 69:

Last week, a company deployed a new App Engine application that writes logs to BigQuery. No other workloads are running in the project. You need to validate that all data written to BigQuery was done using the App Engine Default Service Account.

What should you do?

Options:

A.

1. Use StackDriver Logging and filter on BigQuery Insert Jobs.

2.Click on the email address in line with the App Engine Default Service Account in the authentication field.

3.Click Hide Matching Entries.

4.Make sure the resulting list is empty.

B.

1. Use StackDriver Logging and filter on BigQuery Insert Jobs.

2.Click on the email address in line with the App Engine Default Service Account in the authentication field.

3.Click Show Matching Entries.

4.Make sure the resulting list is empty.

C.

1. In BigQuery, select the related dataset.

2. Make sure the App Engine Default Service Account is the only account that can write to the dataset.

D.

1. Go to the IAM section on the project.

2. Validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery.

Expert Solution
Questions # 70:

You have been tasked with configuring Security Command Center for your organization’s Google Cloud environment. Your security team needs to receive alerts of potential crypto mining in the organization’s compute environment and alerts for common Google Cloud misconfigurations that impact security. Which Security Command Center features should you use to configure these alerts? (Choose two.)

Options:

A.

Event Threat Detection

B.

Container Threat Detection

C.

Security Health Analytics

D.

Cloud Data Loss Prevention

E.

Google Cloud Armor

Expert Solution
Viewing page 7 out of 10 pages
Viewing questions 61-70 out of questions