Free Google Professional-Cloud-Security-Engineer Exam Questions

Question 1

You have just created a new log bucket to replace the _Default log bucket. You want to route all log entries that are currently routed to the _Default log bucket to this new log bucket in the most efficient manner. What should you do?

A : Create a user-defined sink with inclusion filters copied from the _Default sink. Select the new log bucket as the sink destination.

B : Create exclusion filters for the _Default sink to prevent it from receiving new logs. Create a userdefined sink, and select the new log bucket as the sink destination.

C : Disable the _Default sink. Create a user-defined sink and select the new log bucket as the sink destination.

D : Edit the _Default sink, and select the new log bucket as the sink destination.

Answer: D

Question 2

You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?

A : Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials

B : Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/ iam.disableServiceAccountCreation organization policy at the project level.

C : Create a custom service account for the cluster Enable the constraints/ iam.disableServiceAccountKeyCreation organization policy at the project level

D : Create a custom service account for the cluster Enable the constraints/ iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.

Answer: C

Question 3

Your organization has an application hosted in Cloud Run. You must control access to the application byusing Cloud Identity-Aware Proxy (IAP) with these requirements:Only users from the AppDev group may have access.Access must be restricted to internal network IP addresses.What should you do?

A : Configure IAP to enforce multi-factor authentication (MFA) for all users and use network intrusiondetection systems (NIDS) to block unauthorized access attempts.

B : Configure firewall rules to limit access to IAP based on the AppDev group and source IP addresses.

C : Create an access level that includes conditions for internal IP address ranges and AppDev groups.Apply this access level to the application's IAP policy.

D : Deploy a VPN gateway and instruct the AppDev group to connect to the company network beforeaccessing the application.

Answer: C

Question 4

Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud. Which two steps should you take to integrate the company's on-premises Active Directory with Google Cloud and configure access management? (Choose two.)

A : Use Identity Platform to provision users and groups to Google Cloud.

B : Use Cloud Identity SAML integration to provision users and groups to Google Cloud.

C : Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.

D : Create Identity and Access Management (IAM) roles with permissions corresponding to each Active Directory group.

E : Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group.

Answer: C,E

Question 5

Your organization has an application hosted in Cloud Run. You must control access to the application byusing Cloud Identity-Aware Proxy (IAP) with these requirements:Only users from the AppDev group may have access.Access must be restricted to internal network IP addresses.What should you do?

A : Configure IAP to enforce multi-factor authentication (MFA) for all users and use network intrusiondetection systems (NIDS) to block unauthorized access attempts.

B : Configure firewall rules to limit access to IAP based on the AppDev group and source IP addresses.

C : Create an access level that includes conditions for internal IP address ranges and AppDev groups.Apply this access level to the application's IAP policy.

D : Deploy a VPN gateway and instruct the AppDev group to connect to the company network beforeaccessing the application.

Answer: C