Google Professional-Cloud-Security-Engineer Exam Real Questions

Prepare and pass your Professional Cloud Security Engineer with free Professional-Cloud-Security-Engineer exam questions.

Page: 1 / 57

Total 284 Questions | Updated On: Oct 23, 2024

Add To Cart

Question 1

You are in charge of migrating a legacy application from your company datacenters to GCP before the current

maintenance contract expires. You do not know what ports the application is using and no documentation is

available for you to check. You want to complete the migration without putting your environment at risk.

What should you do?

A : grate the application into an isolated project using a “Lift & Shift” approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

B : grate the application into an isolated project using a “Lift & Shift” approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.

C : factor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

D : factor the application into a micro-services architecture hosted in Cloud Functions in an isolated project. Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

Answer: A

Question 2

You have the following resource hierarchy. There is an organization policy at each node in the hierarchy as shown. Which load balancer types are denied in VPC A?

A : l load balancer types are denied in accordance with the global node's policy.

B : TERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder's policy.

C : TERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project's policy.

D : TERNAL TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project's policies.

Answer: D

Question 3

Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud. Which two steps should you take to integrate the company's on-premises Active Directory with Google Cloud and configure access management? (Choose two.)

A : Use Identity Platform to provision users and groups to Google Cloud.

B : Use Cloud Identity SAML integration to provision users and groups to Google Cloud.

C : Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.

D : Create Identity and Access Management (IAM) roles with permissions corresponding to each Active Directory group.

E : Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group.

Answer: C,E

Question 4

Your organization is using GitHub Actions as a continuous integration and delivery (Cl/CD) platform. You must enable access to Google Cloud resources from the Cl/CD pipelines in the most secure way. What should you do?

A : eate a service account key and add it to the GitHub pipeline configuration file

B : eate a service account key and add it to the GitHub repository content

C : nfigure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.

D : nfigure workload identity federation to use GitHub as an identity pool provider.

Answer: D

Question 5

You need to enforce a security policy in your Google Cloud organization that prevents users from exposing objects in their buckets externally. There are currently no buckets in your organization. Which solution should you implement proactively to achieve this goal with the least operational overhead?

A : eate an hourly cron job to run a Cloud Function that finds public buckets and makes them private.

B : able the constraints/storage.publicAccessPrevention constraint at the organization level.

C : able the constraints/storage.uniformBucketLevelAccess constraint at the organization level.

D : eate a VPC Service Controls perimeter that protects the storage.googleapis.com service in your projects that contains buckets. Add any new project that contains a bucket to the perimeter.

Answer: B

Page: 1 / 57

Total 284 Questions | Updated On: Oct 23, 2024

Add To Cart