Free Google Professional-Cloud-Security-Engineer Exam Questions

Question 1

As an Online education platform company, you need to develop an internal App Engine application that can access a user's Google Drive without relying on current user credentials, while following Google's recommended practices. What steps should you take to accomplish this using Google Cloud Services?

A : To impersonate the user, you should create a new service account and provide it G Suite domain-wide delegation, which the application can use.

B : To ensure secure operations of the application, it is recommended to use a separate G Suite Admin account and authenticate the application's activities using these credentials.

C : Generate a fresh Service account and assign Service Account User role to all the users of the application.

D : To grant access to all application users, a new Service account should be created and a Google Group should be created and all application users should be added to this group. Then, grant the Service Account User role to this group.

Answer: A

Question 2

You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to-know basis to the HR team. What should you do?

A : Perform data masking with the DLP API and store that data in BigQuery for later use

B : Perform data redaction with the DLP API and store that data in BigQuery for later use

C : Perform data inspection with the DLP API and store that data in BigQuery for later use.

D : Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.

Answer: D

Question 3

As a virtual interior design service company, we want to use Google Cloud Platform (GCP) for certain IT workloads. We already use a well-established directory service to manage user identities and lifecycle management, which must remain the `source of truth` directory for identities. What GCP solution can we use to meet our requirements?

A : SAML (Security Assertion Markup Language) is a protocol used for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider.

B : Identity and Access Management (IAM) in Google Cloud is known as Cloud Identity.

C : Pub/Sub is a messaging service provided by Google Cloud.

D : GCDS stands for Google Cloud Directory Sync.

Answer: D

Question 4

Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud. Which two steps should you take to integrate the company's on-premises Active Directory with Google Cloud and configure access management? (Choose two.)

A : Use Identity Platform to provision users and groups to Google Cloud.

B : Use Cloud Identity SAML integration to provision users and groups to Google Cloud.

C : Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.

D : Create Identity and Access Management (IAM) roles with permissions corresponding to each Active Directory group.

E : Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group.

Answer: C,E

Question 5

Your organization operates a hybrid cloud environment and has recently deployed a private Artifact Registryrepository in Google Cloud. On-premises developers cannot resolve the Artifact Registry hostname andtherefore cannot push or pull artifacts. You've verified the following:Connectivity to Google Cloud is established by Cloud VPN or Cloud Interconnect.No custom DNS configurations exist on-premises.There is no route to the internet from the on-premises network.You need to identify the cause and enable the developers to push and pull artifacts. What is likely causing theissue and what should you do to fix the issue?

A : Artifact Registry requires external HTTP/HTTPS access. Create a new firewall rule allowing ingresstraffic on ports 80 and 443 from the developer's IP ranges.

B : Private Google Access is not enabled for the subnet hosting the Artifact Registry. Enable PrivateGoogle Access for the appropriate subnet.

C : On-premises DNS servers lack the necessary records to resolve private Google API domains. CreateDNS records for restricted.googleapis.com or private.googleapis.com pointing to Google's published IPranges.

D : Developers must be granted the artifactregistry.writer IAM role. Grant the relevant developer group thisrole.

Answer: C