Free Google Professional-Cloud-Security-Engineer Exam Questions

Question 1

Your organization has an application hosted in Cloud Run. You must control access to the application byusing Cloud Identity-Aware Proxy (IAP) with these requirements:Only users from the AppDev group may have access.Access must be restricted to internal network IP addresses.What should you do?

A : Configure IAP to enforce multi-factor authentication (MFA) for all users and use network intrusiondetection systems (NIDS) to block unauthorized access attempts.

B : Configure firewall rules to limit access to IAP based on the AppDev group and source IP addresses.

C : Create an access level that includes conditions for internal IP address ranges and AppDev groups.Apply this access level to the application's IAP policy.

D : Deploy a VPN gateway and instruct the AppDev group to connect to the company network beforeaccessing the application.

Answer: C

Question 2

Your organization operates a hybrid cloud environment and has recently deployed a private Artifact Registryrepository in Google Cloud. On-premises developers cannot resolve the Artifact Registry hostname andtherefore cannot push or pull artifacts. You've verified the following:Connectivity to Google Cloud is established by Cloud VPN or Cloud Interconnect.No custom DNS configurations exist on-premises.There is no route to the internet from the on-premises network.You need to identify the cause and enable the developers to push and pull artifacts. What is likely causing theissue and what should you do to fix the issue?

A : Artifact Registry requires external HTTP/HTTPS access. Create a new firewall rule allowing ingresstraffic on ports 80 and 443 from the developer's IP ranges.

B : Private Google Access is not enabled for the subnet hosting the Artifact Registry. Enable PrivateGoogle Access for the appropriate subnet.

C : On-premises DNS servers lack the necessary records to resolve private Google API domains. CreateDNS records for restricted.googleapis.com or private.googleapis.com pointing to Google's published IPranges.

D : Developers must be granted the artifactregistry.writer IAM role. Grant the relevant developer group thisrole.

Answer: C

Question 3

Your company's users access data in a BigQuery table. You want to ensure they can only access the data during working hours. What should you do?

A : Assign a BigQuery Data Viewer role along with an 1AM condition that limits the access to specified working hours.

B : Configure Cloud Scheduler so that it triggers a Cloud Functions instance that modifies the organizational policy constraints for BigQuery during the specified working hours.

C : Assign a BigQuery Data Viewer role to a service account that adds and removes the users daily during the specified working hours

D : Run a gsuttl script that assigns a BigQuery Data Viewer role, and remove it only during the specified working hours.

Answer: A

Question 4

Your organization has an application hosted in Cloud Run. You must control access to the application byusing Cloud Identity-Aware Proxy (IAP) with these requirements:Only users from the AppDev group may have access.Access must be restricted to internal network IP addresses.What should you do?

A : Configure IAP to enforce multi-factor authentication (MFA) for all users and use network intrusiondetection systems (NIDS) to block unauthorized access attempts.

B : Configure firewall rules to limit access to IAP based on the AppDev group and source IP addresses.

C : Create an access level that includes conditions for internal IP address ranges and AppDev groups.Apply this access level to the application's IAP policy.

D : Deploy a VPN gateway and instruct the AppDev group to connect to the company network beforeaccessing the application.

Answer: C

Question 5

You run applications on Cloud Run. You already enabled container analysis for vulnerability scanning.

However, you are concerned about the lack of control on the applications that are deployed. You must ensure

that only trusted container images are deployed on Cloud Run.

What should you do?

Choose 2 answers

A : able Binary Authorization on the existing Kubernetes cluster.

B : t the organization policy constraint constraints/run. allowedBinaryAuthorizationPolicie to the list of allowed Binary Authorization policy names.

C : t the organization policy constraint constraints/compute.trustedimageProjects to the list of protects that contain the trusted container images

D : able Binary Authorization on the existing Cloud Run service

E : Cloud Run breakglass to deploy an image that meets the Binary Authorization policy by default.

Answer: B,D