Free Google Professional-Cloud-Security-Engineer Exam Questions

Question 1

You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?

A : Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials

B : Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/ iam.disableServiceAccountCreation organization policy at the project level.

C : Create a custom service account for the cluster Enable the constraints/ iam.disableServiceAccountKeyCreation organization policy at the project level

D : Create a custom service account for the cluster Enable the constraints/ iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.

Answer: C

Question 2

Your organization is building a real-time recommendation engine using ML models that process live user activity data stored in BigQuery and Cloud Storage. Each new model developed is saved to Artifact Registry. This new system deploys models to Google Kubernetes Engine and uses Pub/Sub for message queues. Recent industry news has been reporting attacks exploiting ML model supply chains. You need to enhance the security in this serverless architecture, specifically against risks to the development and deployment pipeline. What should you do?

A : Limit external libraries and dependencies that are used for the ML models as much as possible. Continuously rotate encryption keys that are used to access the user data from BigQuery and Cloud Storage.

B : Enable container image vulnerability scanning during development and pre-deployment. Enforce Binary Authorization on images deployed from Artifact Registry to your continuous integration and continuous deployment (CI/CD) pipeline.

C : Thoroughly sanitize all training data prior to model development to reduce risk of poisoning attacks. Use IAM for authorization, and apply role-based restrictions to code repositories and cloud services.

D : Develop strict firewall rules to limit external traffic to Cloud Run instances. Integrate intrusion detection systems (IDS) for real-time anomaly detection on Pub/Sub message flows.

Answer: B

Question 3

You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.

How should you prevent and fix this vulnerability?

A : Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

B : t up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

C : Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.

D : Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

Answer: D

Question 4

A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.

Which two strategies should your team use to meet these requirements? (Choose two.)

A : nfigure Private Google Access on the Compute Engine subnet

B : oid assigning public IP addresses to the Compute Engine cluster.

C : ke sure that the Compute Engine cluster is running on a separate subnet.

D : rn off IP forwarding on the Compute Engine instances in the cluster.

E : nfigure a Cloud NAT gateway.

Answer: A,B

Question 5

Your organization has established a highly sensitive project within a VPC Service Controls perimeter. Youneed to ensure that only users meeting specific contextual requirements such as having a company-manageddevice, a specific location, and a valid user identity can access resources within this perimeter. You want toevaluate the impact of this change without blocking legitimate access. What should you do?

A : Configure a VPC Service Controls perimeter in dry run mode, and enforce strict network segmentationusing firewall rules. Use multi-factor authentication (MFA) for user verification.

B : Use Cloud Audit Logs to monitor user access to the project resources. Use post-incident analysis toidentify unauthorized access attempts.

C : Establish a Context-Aware Access policy that specifies the required contextual attributes, and associatethe policy with the VPC Service Controls perimeter in dry run mode.

D : Use the VPC Service Control Violation dashboard to identify the impact of details about access denialsby service perimeters.

Answer: C