GCP Professional Cloud Security Engineer Practice Exam Part 1
Notes: Hi all, Google Professional Cloud Security Engineer Practice Exam will familiarize you with types of questions you may encounter on the certification exam and help you determine your readiness or if you need more preparation and/or experience. Successful completion of the practice exam does not guarantee you will pass the certification exam as the actual exam is longer and covers a wider range of topics.
We highly recommend you should take Google Professional Cloud Security Engineer Actual Exam Version because it include actual exam questions and highlighted answers are collected and verified in our exam. It will help you pass exam in easier way.
1. Developers in an organization are prototyping a few applications on Google Cloud Platform (GCP) and are starting to store sensitive information on GCP. The developers are using their personal/consumer Gmail accounts to set up and manage their projects within GCP. A security engineer identifies this practice as a concern to the organization management because of the lack of centralized project management and access to the data being stored in these accounts. Which solution should be used to resolve this concern?
A. Enforce the setup of Security Keys as the 2SV method for those Gmail accounts.
B. Set up Google Cloud Identity and require the developers to use those accounts for GCP work.
C. Require the developers to log/store their Gmail passwords with the Security team.
D. Enable logging on all GCP projects to track all developer activities.
Hint Answers: B
https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#manage-identities
2. A customer wants to use Cloud Identity as their primary IdP. The customer wants to use other non-GCP SaaS products for CRM, messaging, and customer ticketing management. The customer also wants to improve employee experience with Single Sign-On (SSO) capabilities to securely access GCP and non-GCP applications. Only authorized individuals should be able to access these third-party applications. What action should the customer take to meet these requirements?
A. Remove the employee from Cloud Identity, set the correct license for the individuals, and resync them to Cloud Identity for the changes to take effect.
B. Configure third-party applications to federate authentication and authorization to the GCP IdP.
C. Remove the individuals from the third-party applications, add the license to Cloud Identity, and resync the individuals back to the third-party applications.
D. Copy user personas from Cloud Identity to all third-party applications for the domain.
Hint Answers: B
https://cloud.google.com/identity/solutions/enable-sso
3.A Cloud Development team needs to use service accounts extensively in their local development. You need to provide the team with the keys for these service accounts. You want to follow Google-recommended practices. What should you do?
A. Implement a daily key rotation process that generates a new key and commits it to the source code repository every day.
B. Implement a daily key rotation process, and provide developers with a Cloud Storage bucket from which they can download the new key every day.
C. Create a Google Group with all developers. Assign the group the IAM role of Service Account User, and have developers generate and download their own keys.
D. Create a Google Group with all developers. Assign the group the IAM role of Service Account Admin, and have developers generate and download their own keys.
Hint Answers: B
https://cloud.google.com/blog/products/gcp/help-keep-your-google-cloud-service-account-keys-safe
https://cloud.google.com/iam/docs/creating-managing-service-account-keys
https://cloud.google.com/iam/docs/understanding-service-accounts#best_practices
4. A customer needs to rely on their existing user directory with the requirements of native authentication against it when developing for Google Cloud Platform (GCP). They want to leverage their existing tooling and functionality to gather insight on user activity from a familiar interface. Which action should you take to meet the customer’s requirements?
A. Provision users into Cloud Identity using Just-in-Time SAML 2.0 user provisioning with the customer User Directory as source.
B. Configure Cloud Identity as a SAML 2.0 Service Provider, using the customer’s User Directory as the Identity Provider.
C. Configure and enforce 2-Step Verification in Cloud Identity for all Super Admins.
D. Configure a third-party IdP (Octa or Ping Federate) to manage authentication.
Hint Answers: B
https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform
https://support.google.com/a/answer/60224
5. A customer wants to grant access to their application running on Compute Engine to write only to a specific Cloud Storage bucket. How should you grant access?
A. Create a service account for the application, and grant Cloud Storage Object Creator permissions to the project.
B. Create a service account for the application, and grant Cloud Storage Object Creator permissions at the bucket level.
C. Create a user account, authenticate with the application, and grant Google Storage Admin permissions at the bucket level.
D. Create a user account, authenticate with the application, and grant Google Storage Admin permissions at the project level.
Hint Answers: B
https://cloud.google.com/iam/docs/understanding-service-accounts#using_service_accounts_with_compute_engine
6. Your team creates an ingress firewall rule to allow SSH access from their corporate IP range to a specific bastion host on Compute Engine. Your team wants to make sure that this firewall rule cannot be used by unauthorized engineers who may otherwise have access to manage VMs in the development environment. What should your team do to meet this requirement?
A. Create the firewall rule with a target of a network tag. Centrally manage access to the tag.
B. Create the firewall rule with a target of a service account. Centrally manage access to the service account.
C. Create the firewall rule in a Shared VPC with a target of a network tag.
D. Create the firewall rule in a Shared VPC with a target of a specific subnet.
Hint Answers: B
https://cloud.google.com/vpc/docs/firewalls#service-accounts-vs-tags
7. You want to protect the default VPC network from all inbound and outbound internet traffic. What action should you take?
A. Create a Deny All inbound internet firewall rule.
B. Create a Deny All outbound internet firewall rule.
C. Create a new subnet in the VPC network with private Google access enabled.
D. Create instances without external IP addresses only.
Hint Answers: B
https://cloud.google.com/nat/docs/overview
https://cloud.google.com/vpc/docs/using-firewalls
https://cloud.google.com/vpc/docs/private-access-options
8. An organization recently began using App Engine to build and host its new web application for its customers. The organization wants to use its existing IAM setup to allow its developer employees to have elevated access to the application remotely. This would allow them to push updates and fixes to the application via an HTTPS connection. Non-developer employees should only get access to the production version without development permissions. Which Google Cloud Platform solution should be used to meet these requirements?
A. Synchronize the organization’s Active Directory using Cloud Identity for employee access via Cloud VPN.
B. Disable access for non-developer employees by removing their Google Group from the application access control list (ACL).
C. Set up Cloud Identity-Aware Proxy (Cloud IAP) to manage authentication and different authorization levels for employee access.
D. Set up Virtual Private Cloud (VPC) firewall rules to manage authentication and different authorization levels for employee access.
Hint Answers: C
https://cloud.google.com/appengine/docs/standard/python/access-control
https://cloud.google.com/iap/docs/concepts-overview
9. You have defined subnets in a VPC within Google Cloud Platform. You need multiple projects to create Compute Engine instances with IP addresses from these subnets. What should you do?
A. Configure Cloud VPN between the projects.
B. Set up VPC peering between all related projects.
C. Change the VPC subnets to enable private Google access.
D. Use Shared VPC to share the subnets with the other projects.
Hint Answers: D
https://cloud.google.com/vpc/docs/shared-vpc
https://cloud.google.com/vpc/docs/vpc-peering
10. An application log’s data, including customer identifiers such as email addresses, needs to be redacted. However, these logs also include the email addresses of internal developers from company.com, and these should NOT be redacted. Which solution should you use to meet these requirements?
A. Create a regular custom dictionary detector that lists a subset of the developers’ email addresses.
B. Create a regular expression (regex) custom infoType detector to match on @company.com.
C. Create a regular custom dictionary detector to match all email addresses listed in Cloud Identity.
D. Create a custom infoType called COMPANY_EMAIL to match @company.com.
Hint Answers: B
https://cloud.google.com/dlp/docs/infotypes-reference
https://cloud.google.com/dlp/docs/creating-custom-infotypes
11. Which encryption algorithm is used with Default Encryption in Cloud Storage?
A. AES-256
B. SHA512
C. MD5
D. 3DES
Hint Answers: A
https://cloud.google.com/storage/docs/encryption/default-keys
12. Your company is storing files on Cloud Storage. To comply with local regulations, you want to ensure that uploaded files cannot be deleted within the first 5 years. It should not be possible to lower the retention period after it has been set. What should you do?
A. Apply a retention period of 5 years to the bucket, and lock the bucket.
B. Enable Temporary hold and apply a retention period of 5 years to the bucket.
C. Use Cloud IAM to ensure that nobody has an IAM role that has the permissions to delete files from Cloud Storage.
D. Create an object lifecycle rule using the Age condition and the Delete action. Set the Age condition to 5 years.
Hint Answers: A
https://cloud.google.com/storage/docs/bucket-lock
13. A security team at an e-commerce company wants to define an automatic incident response process for fraudulent credit card usage attempts. The team targets a 10-minute or faster response time for such incidents. The fraudulent card list is updated every 60 seconds. The e-commerce servers log the transaction details in near-real time. Which option should you recommend to the security team?
A. Define a log-based metric for each fraudulent credit card, and set a Stackdriver alert for these metrics.
B. Maintain a log ingestion exclusion filter based on the fraudulent credit card lists.
C. Use AutoML to automatically build models based on the fraudulent credit card lists.
D. Create a new logging export with a filter to match the transaction and a sink pointing to a Cloud Pub/Sub topic.
Hint Answers: D
https://cloud.google.com/logging/docs/export/configure_export_v2
14. Your company is deploying their applications on Google Kubernetes Engine. You want to follow Google-recommended practices. What should you do to ensure that the container images used for new deployments contain the latest security patches?
A. Use Google-managed base images for all containers.
B. Use Container Analysis to detect vulnerabilities in images.
C. Use an update script as part of every container image startup.
D. Use exclusively private images in Container Registry.
Hint Answers: A
https://cloud.google.com/container-registry/docs/managed-base-images
15. Your customer is moving their corporate applications to Google Cloud Platform. The security team wants detailed visibility of all resources in the organization. You use Resource Manager to set yourself up as the org admin. What Cloud Identity and Access Management (Cloud IAM) roles should you give to the security team?
A. Org viewer, Project owner
B. Org viewer, Project viewer
C. Org admin, Project browser
D. Project owner, Network admin
Hint Answers: B
https://cloud.google.com/resource-manager/docs/access-control-org#using_predefined_roles
16. Your company wants to collect and analyze CVE information for packages in container images, and wants to prevent images with known security issues from running in your Google Kubernetes Engine environment. Which two security features does Google recommend including in a container build pipeline?
A. Deployment policies
B. Password policies
C. Vulnerability scanning
D. Network isolation
Hint Answers: AC
https://cloud.google.com/binary-authorization/docs/overview
https://cloud.google.com/container-registry/docs/container-analysis
17. You need to perform a vulnerability scan for an App Engine app using Cloud Security Scanner. Upon completion of the scan, the report is not producing the expected number of webpage results. The pages in the app with mouseover menus are missing from the report. Which action should you take to make sure the scan completes and captures the menu?
A. Verify the Excluded URLs.
B. Modify the scan schedule to return new results.
C. Change the scan to include additional Starting URLs.
D. Adjust the Google account on which the scan is running.
Hint Answers: C
https://cloud.google.com/security-scanner/docs/scanning
18. An organization is working on their GDPR compliance strategy. It wants to ensure that controls are in place to ensure that customer PII is stored in Cloud Storage buckets without third-party exposure. Which Google Cloud solution should the organization use to verify that PII is stored in the correct place without exposing PII internally?
A. Cloud Storage Bucket Lock
B. Cloud Data Loss Prevention API
C. VPC Service Controls
D. Cloud Security Scanner
Hint Answers: B
https://cloud.google.com/storage/docs/bucket-lock
https://cloud.google.com/vpc-service-controls/
https://cloud.google.com/dlp/docs/inspecting-storage#inspecting-gcs
https://cloud.google.com/security-scanner/
19. A cloud customer has an on-premises key management system and wants to generate, protect, rotate, and audit encryption keys with it. How can the customer use Cloud Storage with their own encryption keys?
A. Declare usage of default encryption at rest in the audit report on compliance
B. Upload encryption keys to the same Cloud Storage bucket
C. Use Customer Managed Encryption Keys (CMEK)
D. Use Customer-Supplied Encryption Keys (CSEK)
Hint Answers: D
https://cloud.google.com/security/encryption-at-rest/
https://cloud.google.com/storage/docs/encryption/customer-supplied-keys
https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys
https://cloud.google.com/storage/docs/encryption/customer-managed-keys
20. You are responsible for implementing a payment processing environment that will use Kubernetes and need to apply proper security controls. What should you do?
A. Implement and enforce two-factor authentication.
B. Activate a firewall to prevent all egress traffic.
C. Establish minimum password length requirements for all systems.
D. Require file integrity monitoring and antivirus scans of pods and nodes.
Hint Answers: D