Approved Google Professional-Cloud-Security-Engineer Practice Question Online

Professional-Cloud-Security-Engineer

It is impossible to pass Google Professional-Cloud-Security-Engineer exam without any help in the short term. Come to Passleader soon and find the most advanced, correct and guaranteed Google Professional-Cloud-Security-Engineer practice questions. You will get a surprising result by our Most up-to-date Google Cloud Certified - Professional Cloud Security Engineer practice guides.

Online Google Professional-Cloud-Security-Engineer free dumps demo Below:

NEW QUESTION 1
An organization’s typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review.
How should you advise this organization?

  • A. Use Forseti with Firewall filters to catch any unwanted configurations in production.
  • B. Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforcepolicies.
  • C. Route all VPC traffic through customer-managed routers to detect malicious patterns in production.
  • D. All production applications will run on-premise
  • E. Allow developers free rein in GCP as their dev and QA platforms.

Answer: B

NEW QUESTION 2
A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means.
Which connectivity option should be implemented?

  • A. VPC peering
  • B. Cloud VPN
  • C. Cloud Interconnect
  • D. Shared VPC

Answer: B

NEW QUESTION 3
Your team wants to limit users with administrative privileges at the organization level. Which two roles should your team restrict? (Choose two.)

  • A. Organization Administrator
  • B. Super Admin
  • C. GKE Cluster Admin
  • D. Compute Admin
  • E. Organization Role Viewer

Answer: AB

NEW QUESTION 4
You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS). Cloud Identity and Access Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys.
What should you do?

  • A. Create a single KeyRing for all persistent disks and all Keys in this KeyRin
  • B. Manage the IAM permissions at the Key level.
  • C. Create a single KeyRing for all persistent disks and all Keys in this KeyRin
  • D. Manage the IAM permissions at the KeyRing level.
  • E. Create a KeyRing per persistent disk, with each KeyRing containing a single Ke
  • F. Manage the IAM permissions at the Key level.
  • G. Create a KeyRing per persistent disk, with each KeyRing containing a single Ke
  • H. Manage the IAM permissions at the KeyRing level.

Answer: C

NEW QUESTION 5
What are the steps to encrypt data using envelope encryption?

  • A. Generate a data encryption key (DEK) locally.Use a key encryption key (KEK) to wrap the DE
  • B. Encrypt data with the KE
  • C. Store the encrypted data and the wrapped KEK.
  • D. Generate a key encryption key (KEK) locally.Use the KEK to generate a data encryption key (DEK). Encrypt data with the DE
  • E. Store the encrypted data and the wrapped DEK.
  • F. Generate a data encryption key (DEK) locally.Encrypt data with the DEK.Use a key encryption key (KEK) to wrap the DE
  • G. Store the encrypted data and the wrapped DEK.
  • H. Generate a key encryption key (KEK) locally.Generate a data encryption key (DEK) locall
  • I. Encrypt data with the KE
  • J. Store the encrypted data and the wrapped DEK.

Answer: C

NEW QUESTION 6
Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network.
How should your team design this network?

  • A. Create an ingress firewall rule to allow access only from the application to the database using firewall tags.
  • B. Create a different subnet for the frontend application and database to ensure network isolation.
  • C. Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.
  • D. Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.

Answer: A

NEW QUESTION 7
An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well- established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the “source of truth” directory for identities.
Which solution meets the organization's requirements?

  • A. Google Cloud Directory Sync (GCDS)
  • B. Cloud Identity
  • C. Security Assertion Markup Language (SAML)
  • D. Pub/Sub

Answer: B

NEW QUESTION 8
Which two implied firewall rules are defined on a VPC network? (Choose two.)

  • A. A rule that allows all outbound connections
  • B. A rule that denies all inbound connections
  • C. A rule that blocks all inbound port 25 connections
  • D. A rule that blocks all outbound connections
  • E. A rule that allows all inbound port 80 connections

Answer: AB

NEW QUESTION 9
You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk.
What should you do?

  • A. Migrate the application into an isolated project using a “Lift & Shift” approac
  • B. Enable all internal TCP traffic using VPC Firewall rule
  • C. Use VPC Flow logs to determine what traffic should be allowed for theapplication to work properly.
  • D. Migrate the application into an isolated project using a “Lift & Shift” approach in a custom network.Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.
  • E. Refactor the application into a micro-services architecture in a GKE cluste
  • F. Disable all traffic from outside the cluster using Firewall Rule
  • G. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
  • H. Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project.Disable all traffic from outside your project using Firewall Rule
  • I. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

Answer: C

NEW QUESTION 10
Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.
What should you do?

  • A. Use the Cloud Key Management Service to manage a data encryption key (DEK).
  • B. Use the Cloud Key Management Service to manage a key encryption key (KEK).
  • C. Use customer-supplied encryption keys to manage the data encryption key (DEK).
  • D. Use customer-supplied encryption keys to manage the key encryption key (KEK).

Answer: A

NEW QUESTION 11
You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be readable from Project B. You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials.
What should you do?

  • A. Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.
  • B. Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.
  • C. Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.
  • D. Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.

Answer: B

NEW QUESTION 12
Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team.
Which type of networking design should your team use to meet these requirements?

  • A. Shared VPC Network with a host project and service projects
  • B. Grant Compute Admin role to the networking team for each engineering project
  • C. VPC peering between all engineering projects using a hub and spoke model
  • D. Cloud VPN Gateway between all engineering projects using a hub and spoke model

Answer: A

NEW QUESTION 13
You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.
How should you prevent and fix this vulnerability?

  • A. Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.
  • B. Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.
  • C. Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
  • D. Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

Answer: D

NEW QUESTION 14
A company’s application is deployed with a user-managed Service Account key. You want to use Google- recommended practices to rotate the key.
What should you do?

  • A. Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam- account=IAM_ACCOUNT.
  • B. Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam- account=IAM_ACCOUNT--key=NEW_KEY.
  • C. Create a new key, and use the new key in the applicatio
  • D. Delete the old key from the Service Account.
  • E. Create a new key, and use the new key in the applicatio
  • F. Store the old key on the system as a backup key.

Answer: C

NEW QUESTION 15
A customer’s data science group wants to use Google Cloud Platform (GCP) for their analytics workloads. Company policy dictates that all data must be company-owned and all user authentications must go through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and realized that their domain was already being used by G Suite.
How should you best advise the Systems Engineer to proceed with the least disruption?

  • A. Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.
  • B. Register a new domain name, and use that for the new Cloud Identity domain.
  • C. Ask Google to provision the data science manager’s account as a Super Administrator in the existing domain.
  • D. Ask customer’s management to discover any other uses of Google managed services, and work with the existing Super Administrator.

Answer: C

NEW QUESTION 16
......

P.S. Surepassexam now are offering 100% pass ensure Professional-Cloud-Security-Engineer dumps! All Professional-Cloud-Security-Engineer exam questions have been updated with correct answers: https://www.surepassexam.com/Professional-Cloud-Security-Engineer-exam-dumps.html (210 New Questions)