Conquer the Google Professional Cloud Security Engineer Exam with Comprehensive Study Materials

Preparing for the Google Professional Cloud Security Engineer certification exam with SPOTO's exam questions and answers, test questions, exam questions, and study materials can greatly increase your chances of passing successfully. These comprehensive exam resources cover all relevant topics, including security best practices, industry requirements, identity and access management, organizational security policies, data protection using Google Cloud technologies, network security defenses, threat monitoring, security automation, AI security, secure software supply chain, and regulatory compliance. SPOTO's mock exams simulate the real exam environment, allowing you to identify areas requiring further study. By leveraging these exam preparation tools, you can confidently demonstrate your expertise in designing, developing, and managing secure solutions on Google Cloud as a Professional Cloud Security Engineer.

Question #1
You are exporting application logs to Cloud Storage. You encounter an error message that the log sinks don't support uniform bucket-level access policies. How should you resolve this error?
A. Change the access control model for the bucket
B. Update your sink with the correct bucket destination
C. Add the roles/logging
D. Add the roles/logging
Correct Answer: B

Question #2
You have the following resource hierarchy. There is an organization policy at each node in the hierarchy as shown. Which load balancer types are denied in VPC A?
A. All load balancer types are denied in accordance with the global node's policy
B. INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder's policy
C. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project's policy
D. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project's policies
Correct Answer: D
Question #3
You are setting up a CI/CD pipeline to deploy containerized applications to your production clusters on Google Kubernetes Engine (GKE). You need to prevent containers with known vulnerabilities from being deployed. You have the following requirements for your solution: Must be cloud-native. Must be cost-efficient. Minimize operational overhead. How should you accomplish this? (Choose two.)
A.
B.
C.
D.
Correct Answer: CE
Question #4
Your team uses a service account to authenticate data transfers from a given Compute Engine virtual machine instance to a specified Cloud Storage bucket. An engineer accidentally deletes the service account, which breaks application functionality. You want to recover the application as quickly as possible without compromising security. What should you do?
A. Temporarily disable authentication on the Cloud Storage bucket
B. Use the undelete command to recover the deleted service account
C. Create a new service account with the same name as the deleted service account
D. Update the permissions of another existing service account and supply those credentials to the applications
Correct Answer: B
Question #5
How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?
A. Query Data Access logs
B. Query Admin Activity logs
C. Query Access Transparency logs
D. Query Stackdriver Monitoring Workspace
Correct Answer: C
Question #6
A customer wants to deploy a large number of 3-tier web applications on Compute Engine. How should the customer ensure authenticated network separation between the different tiers of the application?
A. Run each tier in its own Project, and segregate using Project labels
B. Run each tier with a different Service Account (SA), and use SA-based firewall rules
C. Run each tier in its own subnet, and use subnet-based firewall rules
D. Run each tier with its own VM tags, and use tag-based firewall rules
Correct Answer: C
Question #7
You are setting up a CI/CD pipeline to deploy containerized applications to your production clusters on Google Kubernetes Engine (GKE). You need to prevent containers with known vulnerabilities from being deployed. You have the following requirements for your solution: Must be cloud-native. Must be cost-efficient. Minimize operational overhead. How should you accomplish this? (Choose two.)
A.
B.
C.
D.
Correct Answer: CE
Question #8
You need to centralize your team's logs for production projects. You want your team to be able to search and analyze the logs using Logs Explorer. What should you do?
A. Enable Cloud Monitoring workspace, and add the production projects to be monitored
B. Use Logs Explorer at the organization level and filter for production project logs
C. Create an aggregate org sink at the parent folder of the production projects, and set the destination to a Cloud Storage bucket
D. Create an aggregate org sink at the parent folder of the production projects, and set the destination to a logs bucket
Correct Answer: D
Question #9
You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?
A. Google Cloud Armor's preconfigured rules in preview mode
B. Prepopulated VPC firewall rules in monitor mode
C. The inherent protections of Google Front End (GFE)
D. Cloud Load Balancing firewall rules
E. VPC Service Controls in dry run mode
Correct Answer: A
Question #10
You work for an organization in a regulated industry that has strict data protection requirements. The organization backs up their data in the cloud. To comply with data privacy regulations, this data can only be stored for a specific length of time and must be deleted after this specific period. You want to automate the compliance with this regulation while minimizing storage costs. What should you do?
A. Store the data in a persistent disk, and delete the disk at expiration time
B. Store the data in a Cloud Bigtable table, and set an expiration time on the column families
C. Store the data in a BigQuery table, and set the table's expiration time
D. Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature
Correct Answer: C
Question #11
A database administrator notices malicious activities within their Cloud SQL instance. The database administrator wants to monitor the API calls that read the configuration or metadata of resources. Which logs should the database administrator review?
A. Admin Activity
B. System Event
C. Access Transparency
D. Data Access
Correct Answer: C
Question #12
A customer wants to deploy a large number of 3-tier web applications on Compute Engine. How should the customer ensure authenticated network separation between the different tiers of the application?
A. Run each tier in its own Project, and segregate using Project labels
B. Run each tier with a different Service Account (SA), and use SA-based firewall rules
C. Run each tier in its own subnet, and use subnet-based firewall rules
D. Run each tier with its own VM tags, and use tag-based firewall rules
Correct Answer: C
Question #13
You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?
A. Use Packet Mirroring to mirror traffic to and from particular VM instances
B. Enable VPC Flow Logs for all subnets in the VPC
C. Configure the Fluentd agent on each VM Instance within the VPC. Perform inspection on the log data using Cloud Logging
D. Configure Google Cloud Armor access logs to perform inspection on the log data
Correct Answer: B
Question #14
You need to use Cloud External Key Manager to create an encryption key to encrypt specific BigQuery data at rest in Google Cloud. Which steps should you do first?
A.
B.
C.
D.
Correct Answer: C
Question #15
You need to use Cloud External Key Manager to create an encryption key to encrypt specific BigQuery data at rest in Google Cloud. Which steps should you do first?
A.
B.
C.
D.
Correct Answer: C
Question #16
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements: Only allows communication between the Web and App tiers. Enforces consistent network security when autoscaling the Web and App tiers. Prevents Compute Engine Instance Admins from altering network traffic. What should you do?
A.
B.
C.
D.
Correct Answer: A
Question #17
A manager wants to start retaining security event logs for 2 years while minimizing costs. You write a filter to select the appropriate log entries. Where should you export the logs?
A. BigQuery datasets
B. Cloud Storage buckets
C. StackDriver logging
D. Cloud Pub/Sub topics
Correct Answer: B
Question #18
Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service. Your team wants to manage permissions by AD group membership. What should your team do to meet these requirements?
A. Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups
B. Set up SAML 2
C. Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory
D. Use the Admin SDK to create groups and assign IAM permissions from Active Directory
Correct Answer: B
Question #19
An organization is moving applications to Google Cloud while maintaining a few mission-critical applications on-premises. The organization must transfer the data at a bandwidth of at least 50 Gbps. What should they use to ensure secure continued connectivity between sites?
A. Dedicated Interconnect
B. Cloud Router
C. Cloud VPN
D. Partner Interconnect
Correct Answer: A
Question #20
An organization's typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review. How should you advise this organization?
A. Use Forseti with Firewall filters to catch any unwanted configurations in production
B. Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies
C. Route all VPC traffic through customer-managed routers to detect malicious patterns in production
D. All production applications will run on-premises
Correct Answer: B
Question #21
Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services. Which two settings must remain disabled to meet these requirements? (Choose two.)
A. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have "user email address" as the attribute to facilitate one-way sync
B. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have "user email address" as the attribute to facilitate bidirectional sync
C. Use a management tool to sync the subset based on the email address attribute
D. Use a management tool to sync the subset based on group object class attribute
Correct Answer: AC
Question #22
You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?
A. Use Packet Mirroring to mirror traffic to and from particular VM instances
B. Enable VPC Flow Logs for all subnets in the VPC
C. Configure the Fluentd agent on each VM Instance within the VPC. Perform inspection on the log data using Cloud Logging
D. Configure Google Cloud Armor access logs to perform inspection on the log data
Correct Answer: B
Question #23
You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud. Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.)
A. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager
B. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service
C. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager
D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service
Correct Answer: DE
Question #24
Your organization's Google Cloud VMs are deployed via an instance template that configures them with a public IP address in order to host web services for external users. The VMs reside in a service project that is attached to a host (VPC) project containing one custom Shared VPC for the VMs. You have been asked to reduce the exposure of the VMs to the internet while continuing to service external users. You have already recreated the instance template without a public IP address configuration to launch the
A. Deploy a Cloud NAT Gateway in the service project for the MIG
B. Deploy a Cloud NAT Gateway in the host (VPC) project for the MIG
C. Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend
D. Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend
Correct Answer: C
Question #25
You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?
A. Add the host project containing the Shared VPC to the service perimeter
B. Add the service project where the Compute Engine instances reside to the service perimeter
C. Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC
D. Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets
Correct Answer: C
Question #26
In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.)
A. Hardware
B. Network Security
C. Storage Encryption
D. Access Policies
E. Boot
Correct Answer: CD
Question #27
Which type of load balancer should you use to maintain client IP by default while using the standard network tier?
A. SSL Proxy
B. TCP Proxy
C. Internal TCP/UDP
D. TCP/UDP Network
Correct Answer: C
Question #28
Which two implied firewall rules are defined on a VPC network? (Choose two.)
A. A rule that allows all outbound connections
B. A rule that denies all inbound connections
C. A rule that blocks all inbound port 25 connections
D. A rule that blocks all outbound connections
E. A rule that allows all inbound port 80 connections
Correct Answer: AB
Question #29
A customer's company has multiple business units. Each business unit operates independently, and each has their own engineering group. Your team wants visibility into all projects created within the company and wants to organize their Google Cloud Platform (GCP) projects based on different business units. Each business unit also requires separate sets of IAM permissions. Which strategy should you use to meet these needs?
A. Create an organization node, and assign folders for each business unit
B. Establish standalone projects for each business unit, using gmail
C. Assign GCP resources in a project, with a label identifying which business unit owns the resource
D. Assign GCP resources in a VPC for each business unit to separate network access
Correct Answer: A
Question #30
You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your Google Cloud VPCs based on packet header information. However, you want the capability to explore network flows and their payload to aid investigations. Which Google Cloud product should you use?
A. Marketplace IDS
B. VPC Flow Logs
C. VPC Service Controls logs
D. Packet Mirroring
E. Google Cloud Armor Deep Packet Inspection
Correct Answer: D
Question #31
You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS). Cloud Identity and Access Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys. What should you do?
A. Create a single KeyRing for all persistent disks and all Keys in this KeyRing
B. Create a single KeyRing for all persistent disks and all Keys in this KeyRing
C. Create a KeyRing per persistent disk, with each KeyRing containing a single Key
D. Create a KeyRing per persistent disk, with each KeyRing containing a single Key
Correct Answer: C
Question #32
Your company is using GSuite and has developed an application meant for internal usage on Google App Engine. You need to make sure that an external user cannot gain access to the application even when an employee's password has been compromised. What should you do?
A. Cloud Armor
B. Google Cloud Audit Logs
C. Cloud Security Scanner
D. Forseti Security
Correct Answer: A
Question #33
A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can only be accessed by someone on the corporate network. The customer wants to make it available over the internet. Your team requires an authentication layer in front of the application that supports two-factor authentication. Which GCP product should the customer implement to meet these requirements?
A. Cloud Identity-Aware Proxy
B. Cloud Armor
C. Cloud Endpoints
D. Cloud VPN
Correct Answer: A
Question #34
Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet. What should your team grant to Engineering Group A to meet this requirement?
A. Compute Network User Role at the host project level
B. Compute Network User Role at the subnet level
C. Compute Shared VPC Admin Role at the host project level
D. Compute Shared VPC Admin Role at the service project level
Correct Answer: B
Question #35
Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services. Which two settings must remain disabled to meet these requirements? (Choose two.)
A. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have "user email address" as the attribute to facilitate one-way sync
B. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have "user email address" as the attribute to facilitate bidirectional sync
C. Use a management tool to sync the subset based on the email address attribute
D. Use a management tool to sync the subset based on group object class attribute
Correct Answer: AC
Question #36
You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards. What should you do?
A. Use multi-factor authentication for admin access to the web application
B. Use only applications certified compliant with PA-DSS
C. Move the cardholder data environment into a separate GCP project
D. Use VPN for all connections between your office and cloud environments
Correct Answer: C
Question #37
Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network. How should your team design this network?
A. Create an ingress firewall rule to allow access only from the application to the database using firewall tags
B. Create a different subnet for the frontend application and database to ensure network isolation
C. Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation
D. Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation
Correct Answer: A
Question #38
You have the following resource hierarchy. There is an organization policy at each node in the hierarchy as shown. Which load balancer types are denied in VPC A?
A. All load balancer types are denied in accordance with the global node's policy
B. INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder's policy
C. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project's policy
D. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project's policies
Correct Answer: D
Question #39
Which Google Cloud service should you use to enforce access control policies for applications and resources?
A. Identity-Aware Proxy
B. Cloud NAT
C. Google Cloud Armor
D. Shielded VMs
Correct Answer: A
Question #40
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on "in-scope" Nodes only. These Nodes can only contain the "in-scope" Pods. How should the organization achieve this objective?
A. Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope:true
B. Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label
C. Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration
D. Run all in-scope Pods in the namespace "in-scope-pci"
Correct Answer: C
Question #41
You need to set up two network segments: one with an untrusted subnet and the other with a trusted subnet. You want to configure a virtual appliance such as a next-generation firewall (NGFW) to inspect all traffic between the two network segments. How should you design the network to inspect the traffic?
A. Send all logs to the SIEM system via an existing protocol such as syslog
B. Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system
C. Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow
D. Build a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs
Correct Answer: B
Question #42
An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request. Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses. Which solution should your team implement to meet these requirements?
A. Cloud Armor
B. Network Load Balancing
C. SSL Proxy Load Balancing
D. NAT Gateway
Correct Answer: A
Question #43
A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects. Which two steps should the company take to meet these requirements? (Choose two.)
A. Create a single KeyRing for all persistent disks and all Keys in this KeyRing
B. Create a single KeyRing for all persistent disks and all Keys in this KeyRing
C. Create a KeyRing per persistent disk, with each KeyRing containing a single Key
D. Create a KeyRing per persistent disk, with each KeyRing containing a single Key
Correct Answer: BC
Question #44
An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters. Which Cloud Identity password guidelines can the organization use to inform their new requirements?
A. Set the minimum length for passwords to be 8 characters
B. Set the minimum length for passwords to be 10 characters
C. Set the minimum length for passwords to be 12 characters
D. Set the minimum length for passwords to be 6 characters
Correct Answer: A
Question #45
How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?
A. Query Data Access logs
B. Query Admin Activity logs
C. Query Access Transparency logs
D. Query Stackdriver Monitoring Workspace
Correct Answer: C
Question #46
You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer. What should you do?
A. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK
B. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK
C. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key
D. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key
Correct Answer: A
Question #47
You work for a large organization where each business unit has thousands of users. You need to delegate management of access control permissions to each business unit. You have the following requirements: Each business unit manages access controls for their own projects. Each business unit manages access control permissions at scale. Business units cannot access other business units' projects. Users lose their access if they move to a different business unit or leave the company. Users and access control permiss
A. Enable Private Google Access on the regional subnets and global dynamic routing mode
B. Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud interconnect connection
C. Use private
D. Use restricted googleapis
Correct Answer: DE
Question #48
Your team uses a service account to authenticate data transfers from a given Compute Engine virtual machine instance to a specified Cloud Storage bucket. An engineer accidentally deletes the service account, which breaks application functionality. You want to recover the application as quickly as possible without compromising security. What should you do?
A. Temporarily disable authentication on the Cloud Storage bucket
B. Use the undelete command to recover the deleted service account
C. Create a new service account with the same name as the deleted service account
D. Update the permissions of another existing service account and supply those credentials to the applications
Correct Answer: B
Question #49
An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters. Which Cloud Identity password guidelines can the organization use to inform their new requirements?
A. Set the minimum length for passwords to be 8 characters
B. Set the minimum length for passwords to be 10 characters
C. Set the minimum length for passwords to be 12 characters
D. Set the minimum length for passwords to be 6 characters
Correct Answer: A
Question #50
Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements: The network connection must be encrypted. The communication between servers must be over private IP addresses. What should you do?
A. Use the Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity
B. Use the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity
C. Configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity
D. Configure Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity
Correct Answer: A
Question #51
You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer. What should you do?
A. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK
B. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK
C. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key
D. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key
Correct Answer: A
Question #52
You have noticed an increased number of phishing attacks across your enterprise user accounts. You want to implement the Google 2-Step Verification (2SV) option that uses a cryptographic signature to authenticate a user and verify the URL of the login page. Which Google 2SV option should you use?
A. Titan Security Keys
B. Google prompt
C. Google Authenticator app
D. Cloud HSM keys
Correct Answer: C
Question #53
Your company operates an application instance group that is currently deployed behind a Google Cloud load balancer in us-central-1 and is configured to use the Standard Tier network. The infrastructure team wants to expand to a second Google Cloud region, us-east-2. You need to set up a single external IP address to distribute new requests to the instance groups in both regions. What should you do?
A. Change the load balancer backend configuration to use network endpoint groups instead of instance groups
B. Change the load balancer frontend configuration to use the Premium Tier network, and add the new instance group
C. Create a new load balancer in us-east-2 using the Standard Tier network, and assign a static external IP address
D. Create a Cloud VPN connection between the two regions, and enable Google Private Access
Correct Answer: A
Question #54
You want to evaluate GCP for PCI compliance. You need to identify Google's inherent controls. Which document should you review to find the information?
A. Google Cloud Platform: Customer Responsibility Matrix
B. PCI DSS Requirements and Security Assessment Procedures
C. PCI SSC Cloud Computing Guidelines
D. Product documentation for Compute Engine
Correct Answer: A
Question #55
You are backing up application logs to a shared Cloud Storage bucket that is accessible to both the administrator and analysts. Analysts should not have access to logs that contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible to the administrator. What should you do?
A. Upload the logs to both the shared bucket and the bucket with PII that is only accessible to the administrator
B. In the shared bucket, configure Object Lifecycle Management to delete objects that contain PII
C. In the shared bucket, configure a Cloud Storage trigger that is only triggered when PII is uploaded
D. Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket
Correct Answer: D
Question #56
Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups. Which Google Cloud service should you use?
A. Cloud DNS with DNSSEC
B. Cloud NAT
C. HTTP(S) Load Balancing
D. Google Cloud Armor
Correct Answer: A
Question #57
Which Google Cloud service should you use to enforce access control policies for applications and resources?
A. Identity-Aware Proxy
B. Cloud NAT
C. Google Cloud Armor
D. Shielded VMs
Correct Answer: A
Question #58
Your organization's Google Cloud VMs are deployed via an instance template that configures them with a public IP address in order to host web services for external users. The VMs reside in a service project that is attached to a host (VPC) project containing one custom Shared VPC for the VMs. You have been asked to reduce the exposure of the VMs to the internet while continuing to service external users. You have already recreated the instance template without a public IP address configuration to launch the
A. Deploy a Cloud NAT Gateway in the service project for the MIG
B. Deploy a Cloud NAT Gateway in the host (VPC) project for the MIG
C. Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend
D. Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend
Correct Answer: C
