Free Google Professional-Cloud-Security-Engineer Exam Questions

Question 1

Your organization is building a real-time recommendation engine using ML models that process live user activity data stored in BigQuery and Cloud Storage. Each new model developed is saved to Artifact Registry. This new system deploys models to Google Kubernetes Engine and uses Pub/Sub for message queues. Recent industry news has been reporting attacks exploiting ML model supply chains. You need to enhance the security in this serverless architecture, specifically against risks to the development and deployment pipeline. What should you do?

A : Limit external libraries and dependencies that are used for the ML models as much as possible. Continuously rotate encryption keys that are used to access the user data from BigQuery and Cloud Storage.

B : Enable container image vulnerability scanning during development and pre-deployment. Enforce Binary Authorization on images deployed from Artifact Registry to your continuous integration and continuous deployment (CI/CD) pipeline.

C : Thoroughly sanitize all training data prior to model development to reduce risk of poisoning attacks. Use IAM for authorization, and apply role-based restrictions to code repositories and cloud services.

D : Develop strict firewall rules to limit external traffic to Cloud Run instances. Integrate intrusion detection systems (IDS) for real-time anomaly detection on Pub/Sub message flows.

Answer: B

Question 2

Your organization uses Google Workspace as the primary identity provider for Google Cloud Users in yourorganization initially created their passwords. You need to improve password security due to a recent securityevent. What should you do?

A : Audit user activity for suspicious logins by using the audit and investigation tool.

B : Conduct a security awareness training session, and set the password expiration settings to require more frequent updates.

C : Check the Enforce strong password box, and set the password expiration to occur more frequently.

D : Check the Enforce strong password box, and check Enforce password policy at the next sign-in.

Answer: D

Question 3

Your organization relies heavily on virtual machines (VMs) in Compute Engine. Due to team growth andresource demands. VM sprawl is becoming problematic. Maintaining consistent security hardening and timelypackage updates poses an increasing challenge. You need to centralize VM image management and automatethe enforcement of security baselines throughout the virtual machine lifecycle. What should you do?

A : Activate Security Command Center Enterprise. Use VM discovery and posture management features tomonitor hardening state and trigger automatic responses upon detection of issues.B. Create a CloudBuild trigger to build a pipeline that generates hardened VM images. Run vulnerability scans in thepipeline, and store images with passing scans in a registry. Use instance templates pointing to thisregistry.

B : Configure the sole-tenancy feature in Compute Engine for all projects. Set up custom organization policies in Policy Controller to restrict the operating systems and image sources that teams are allowed to use.

C : Use VM Manager to automatically distribute and apply patches to VMs across your projects. IntegrateVM Manager with hardened. organization-standard VM images stored in a central repository.

Answer: B

Question 4

You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive data. Your solution has the following requirements: • Schedule key rotation for sensitive data. • Control which region the encryption keys for sensitive data are stored in. • Minimize the latency to access encryption keys for both sensitive and non-sensitive data.

What should you do?

A : Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.

B : Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.

C : Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.

D : Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Senrice

Answer: D

Question 5

You will create a new Service Account that should be able to list the Compute Engine instances in the project.

You want to follow Google-recommended practices.

What should you do?

A : eate an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.

B : eate a custom role with the permission compute.instances.list and grant the Service Account this role

C : ve the Service Account the role of Compute Viewer, and use the new Service Account for all instances

D : ve the Service Account the role of Project Viewer, and use the new Service Account for all instances.

Answer: B