
Boost Your Performance in the Google Professional Cloud Security Engineer Exam with Practice Tests

Preparing for the Google Professional Cloud Security Engineer certification exam with SPOTO's exam questions and answers, test questions, exam questions, and study materials can greatly enhance your chances of passing successfully. These comprehensive exam resources cover all relevant topics, including security best practices, industry requirements, identity and access management, organizational security structure and policies, data protection, network security defenses, threat monitoring, security automation, AI security, secure software supply chain, and regulatory compliance. SPOTO's mock exams simulate the real exam environment, allowing you to identify areas requiring further study. By utilizing these exam preparation tools, you can confidently demonstrate your expertise in designing, developing, and managing secure solutions on Google Cloud as a Professional Cloud Security Engineer.

Question #1
You need to set up a Cloud Interconnect connection between your company's on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?
A.
B.
C.
D.
Correct Answer: B
Question #2
An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request. Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses. Which solution should your team implement to meet these requirements?
A. Cloud Armor
B. Network Load Balancing
C. SSL Proxy Load Balancing
D. NAT Gateway
Correct Answer: A
Question #3
You are working with a client who plans to migrate their data to Google Cloud. You are responsible for recommending an encryption service to manage their encrypted keys. You have the following requirements: The master key must be rotated at least once every 45 days. The solution that stores the master key must be FIPS 140-2 Level 3 validated. The master key must be stored in multiple regions within the US for redundancy. Which solution meets these requirements?
A. Customer-managed encryption keys with Cloud Key Management Service
B. Customer-managed encryption keys with Cloud HSM
C. Customer-supplied encryption keys
D. Google-managed encryption keys
Correct Answer: D
Question #4
You need to centralize your team's logs for production projects. You want your team to be able to search and analyze the logs using Logs Explorer. What should you do?
A. Enable Cloud Monitoring workspace, and add the production projects to be monitored
B. Use Logs Explorer at the organization level and filter for production project logs
C. Create an aggregate org sink at the parent folder of the production projects, and set the destination to a Cloud Storage bucket
D. Create an aggregate org sink at the parent folder of the production projects, and set the destination to a logs bucket
Correct Answer: D
Question #5
You need to set up two network segments: one with an untrusted subnet and the other with a trusted subnet. You want to configure a virtual appliance such as a next-generation firewall (NGFW) to inspect all traffic between the two network segments. How should you design the network to inspect the traffic?
A. Send all logs to the SIEM system via an existing protocol such as syslog
B. Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system
C. Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow
D. Build a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs
Correct Answer: B
Question #6
Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network. How should your team design this network?
A. Create an ingress firewall rule to allow access only from the application to the database using firewall tags
B. Create a different subnet for the frontend application and database to ensure network isolation
C. Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation
D. Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation
Correct Answer: A
Question #7
You are working with protected health information (PHI) for an electronic health record system. The privacy officer is concerned that sensitive data is stored in the analytics system. You are tasked with anonymizing the sensitive data in a way that is not reversible. Also, the anonymized data should not preserve the character set and length. Which Google Cloud solution should you use?
A. Cloud Data Loss Prevention with deterministic encryption using AES-SIV
B. Cloud Data Loss Prevention with format-preserving encryption
C. Cloud Data Loss Prevention with cryptographic hashing
D. Cloud Data Loss Prevention with Cloud Key Management Service wrapped cryptographic keys
Correct Answer: D
Question #8
Your security team uses encryption keys to ensure confidentiality of user data. You want to establish a process to reduce the impact of a potentially compromised symmetric encryption key in Cloud Key Management Service (Cloud KMS). Which steps should your team take before an incident occurs? (Choose two.)
A. Use the Cloud Key Management Service to manage the data encryption key (DEK)
B. Use the Cloud Key Management Service to manage the key encryption key (KEK)
C. Use customer-supplied encryption keys to manage the data encryption key (DEK)
D. Use customer-supplied encryption keys to manage the key encryption key (KEK)
Correct Answer: AB
Question #9
A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location. Which solution will restrict access to the in-progress sites?
A. Upload an
B. Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic
C. Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts
D. Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the company's GCP Virtual Private Cloud (VPC) network
Correct Answer: C
Question #10
You want to update your existing VPC Service Controls perimeter with a new access level. You need to avoid breaking the existing perimeter with this change, and ensure the least disruptions to users while minimizing overhead. What should you do?
A. Create an exact replica of your existing perimeter
B. Update your perimeter with a new access level that never matches
C. Enable the dry run mode on your perimeter
D. Enable the dry run mode on your perimeter
Correct Answer: D
Question #11
Which type of load balancer should you use to maintain client IP by default while using the standard network tier?
A. SSL Proxy
B. TCP Proxy
C. Internal TCP/UDP
D. TCP/UDP Network
Correct Answer: C
Question #12
You need to enable VPC Service Controls and allow changes to perimeters in existing environments without preventing access to resources. Which VPC Service Controls mode should you use?
A. Enforce 2-factor authentication in GSuite for all users
B. Configure Cloud Identity-Aware Proxy for the App Engine Application
C. Provision user passwords using GSuite Password Sync
D. Configure Cloud VPN between your private network and GCP
Correct Answer: D
Question #13
You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk. What should you do?
A. Migrate the application into an isolated project using a "Lift & Shift" approach
B. Migrate the application into an isolated project using a "Lift & Shift" approach in a custom network
C. Refactor the application into a micro-services architecture in a GKE cluster
D. Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project
Correct Answer: A
Question #15
A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet. Which two strategies should your team use to meet these requirements? (Choose two.)
A. Create a dedicated Cloud Identity user account for the cluster
B. Create a dedicated Cloud Identity user account for the cluster
C. Create a custom service account for the cluster Enable the constraints/iam
D. Create a custom service account for the cluster Enable the constraints/iam
Correct Answer: BE
Question #16
You are backing up application logs to a shared Cloud Storage bucket that is accessible to both the administrator and analysts. Analysts should not have access to logs that contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible to the administrator. What should you do?
A. Upload the logs to both the shared bucket and the bucket with PII that is only accessible to the administrator
B. In the shared bucket, configure Object Lifecycle Management to delete objects that contain PII
C. In the shared bucket, configure a Cloud Storage trigger that is only triggered when PII is uploaded
D. Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket
Correct Answer: D
Question #17
Your company requires the security and network engineering teams to identify all network anomalies and be able to capture payloads within VPCs. Which method should you use?
A. Define an organization policy constraint
B. Configure packet mirroring policies
C. Enable VPC Flow Logs on the subnet
D. Monitor and analyze Cloud Audit Logs
Correct Answer: B
Question #18
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented. Which GCP solution should the organization use?
A. Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region
B. Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years
C. Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region
D. Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region
Correct Answer: A
Question #19
A customer has an analytics workload running on Compute Engine that should have limited internet access. Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet. The Compute Engine instances now need to reach out to the public repository to get security updates. What should your team do?
A. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000
B. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000
C. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000
D. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000
Correct Answer: D
Question #20
You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket. What should you do?
A. Set up an ACL with OWNER permission to a scope of allUsers
B. Set up an ACL with READER permission to a scope of allUsers
C. Set up a default bucket ACL and manage access for users using IAM
D. Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM
Correct Answer: A
Question #21
You perform a security assessment on a customer architecture and discover that multiple VMs have public IP addresses. After providing a recommendation to remove the public IP addresses, you are told those VMs need to communicate to external sites as part of the customer's typical operations. What should you recommend to reduce the need for public IP addresses in your customer's VMs?
A. Google Cloud Armor
B. Cloud NAT
C. Cloud Router
D. Cloud VPN
Correct Answer: D
Question #22
A retail customer allows users to upload comments and product reviews. The customer needs to make sure the text does not include sensitive data before the comments or reviews are published. Which Google Cloud Service should be used to achieve this?
A. Cloud Key Management Service
B. Cloud Data Loss Prevention API
C. BigQuery
D. Cloud Security Scanner
Correct Answer: B
Question #23
Your company is using GSuite and has developed an application meant for internal usage on Google App Engine. You need to make sure that an external user cannot gain access to the application even when an employee's password has been compromised. What should you do?
A. Cloud Armor
B. Google Cloud Audit Logs
C. Cloud Security Scanner
D. Forseti Security
Correct Answer: A
Question #26
A customer wants to deploy a large number of 3-tier web applications on Compute Engine. How should the customer ensure authenticated network separation between the different tiers of the application?
A. Run each tier in its own Project, and segregate using Project labels
B. Run each tier with a different Service Account (SA), and use SA-based firewall rules
C. Run each tier in its own subnet, and use subnet-based firewall rules
D. Run each tier with its own VM tags, and use tag-based firewall rules
Correct Answer: C
Question #27
You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM. What should you do?
A. Policy Troubleshooter
B. Policy Analyzer
C. IAM Recommender
D. Policy Simulator
Correct Answer: A
Question #28
Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements: The network connection must be encrypted. The communication between servers must be over private IP addresses. What should you do?
A. Use the Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity
B. Use the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity
C. Configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity
D. Configure Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity
Correct Answer: A
Question #29
An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organization's risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibil
A. Ensure that firewall rules are in place to meet the required controls
B. Set up Cloud Armor to ensure that network security controls can be managed for G Suite
C. Network security is a built-in solution and Google's Cloud responsibility for SaaS products like G Suite
D. Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation
Correct Answer: C
Question #30
You need to connect your organization's on-premises network with an existing Google Cloud environment that includes one Shared VPC with two subnets named Production and Non-Production. You are required to: Use a private transport link. Configure access to Google Cloud APIs through private API endpoints originating from on-premises environments. Ensure that Google Cloud APIs are only consumed via VPC Service Controls. What should you do?
A. Configuring and monitoring VPC Flow Logs
B. Defending against XSS and SQLi attacks
C. Manage the latest updates and security patches for the Guest OS
D. Encrypting all stored data
Correct Answer: C
Question #31
An organization is moving applications to Google Cloud while maintaining a few mission-critical applications on-premises. The organization must transfer the data at a bandwidth of at least 50 Gbps. What should they use to ensure secure continued connectivity between sites?
A. Dedicated Interconnect
B. Cloud Router
C. Cloud VPN
D. Partner Interconnect
Correct Answer: A
Question #32
A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means. Which connectivity option should be implemented?
A. VPC peering
B. Cloud VPN
C. Cloud Interconnect
D. Shared VPC
Correct Answer: B
Question #33
When working with agents in a support center via online chat, an organization's customers often share pictures of their documents with personally identifiable information (PII). The organization that owns the support center is concerned that the PII is being stored in their databases as part of the regular chat logs they retain for review by internal or external analysts for customer service trend analysis. Which Google Cloud solution should the organization use to help resolve this concern for the customer?
A. Use Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis
B. Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis
C. Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis
D. Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis
Correct Answer: C
Question #34
You will create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices. What should you do?
A. Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope
B. Create a custom role with the permission compute
C. Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances
D. Give the Service Account the role of Project Viewer, and use the new Service Account for all instances
Correct Answer: A
Question #36
You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project. What should you do?
A. Use the Organization Policy Service to create a compute
B. Use the Organization Policy Service to create a compute
C. In Resource Manager, edit the project permissions for the trusted project
D. In Resource Manager, edit the organization permissions
Correct Answer: B
Question #37
You work for an organization in a regulated industry that has strict data protection requirements. The organization backs up their data in the cloud. To comply with data privacy regulations, this data can only be stored for a specific length of time and must be deleted after this specific period. You want to automate the compliance with this regulation while minimizing storage costs. What should you do?
A. Store the data in a persistent disk, and delete the disk at expiration time
B. Store the data in a Cloud Bigtable table, and set an expiration time on the column families
C. Store the data in a BigQuery table, and set the table's expiration time
D. Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature
Correct Answer: C
Question #40
Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups. Which Google Cloud service should you use?
A. Cloud DNS with DNSSEC
B. Cloud NAT
C. HTTP(S) Load Balancing
D. Google Cloud Armor
Correct Answer: A
Question #41
Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement. How should your team meet these requirements?
A. Enable Private Access on the VPC network in the production project
B. Remove the Editor role and grant the Compute Admin IAM role to the engineers
C. Set up an organization policy to only permit public IPs for the front-end Compute Engine instances
D. Set up a VPC network with two subnets: one with public IPs and one without public IPs
Correct Answer: C
Question #42
A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can only be accessed by someone on the corporate network. The customer wants to make it available over the internet. Your team requires an authentication layer in front of the application that supports two-factor authentication. Which GCP product should the customer implement to meet these requirements?
A. Cloud Identity-Aware Proxy
B. Cloud Armor
C. Cloud Endpoints
D. Cloud VPN
Correct Answer: D
Question #45
You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine. Which option should you recommend?
A. Cloud Key Management Service
B. Compute Engine guest attributes
C. Compute Engine custom metadata
D. Secret Manager
Correct Answer: A
Question #46
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements: Only allows communication between the Web and App tiers. Enforces consistent network security when autoscaling the Web and App tiers. Prevents Compute Engine Instance Admins from altering network traffic. What should you do?
A.
B.
C.
D.
Correct Answer: A
Question #47
Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud. What should you do?
A. Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules
B. Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules
C. Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level
D. Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party
Correct Answer: A
Question #48
A company migrated their entire data center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time. What should you do?
A. Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain
B. Register a new domain name, and use that for the new Cloud Identity domain
C. Ask Google to provision the data science manager's account as a Super Administrator in the existing domain
D. Ask customer's management to discover any other uses of Google managed services, and work with the existing Super Administrator
Correct Answer: B
Question #49
You want to evaluate GCP for PCI compliance. You need to identify Google's inherent controls. Which document should you review to find the information?
A. Google Cloud Platform: Customer Responsibility Matrix
B. PCI DSS Requirements and Security Assessment Procedures
C. PCI SSC Cloud Computing Guidelines
D. Product documentation for Compute Engine
Correct Answer: A
Question #51
You will create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices. What should you do?
A. Use Resource Manager on the organization level
B. Use Forseti Security to automate inventory snapshots
C. Use Stackdriver to create a dashboard across all projects
D. Use Security Command Center to view all assets across the organization
View answer
Correct Answer: B
Question #52
You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive data. Your solution has the following requirements: Schedule key rotation for sensitive data. Control which region the encryption keys for sensitive data are stored in. Minimize the latency to access encryption keys for both sensitive and non-sensitive data. What should you do?
A. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager
B. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service
C. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager
D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service
View answer
Correct Answer: B
Question #53
You need to enable VPC Service Controls and allow changes to perimeters in existing environments without preventing access to resources. Which VPC Service Controls mode should you use?
A. Enforce 2-factor authentication in GSuite for all users
B. Configure Cloud Identity-Aware Proxy for the App Engine Application
C. Provision user passwords using GSuite Password Sync
D. Configure Cloud VPN between your private network and GCP
View answer
Correct Answer: D
Question #54
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name. Which cost reduction options should you recommend?
A. Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets
B. Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets
C. Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans
D. Use FindingLimits and TimespanConfig to sample data and minimize transformation units
View answer
Correct Answer: C
Question #55
You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud. Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.)
A. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager
B. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service
C. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager
D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service
View answer
Correct Answer: DE
Question #56
An organization receives an increasing number of phishing emails. Which method should be used to protect employee credentials in this situation?
A. Multifactor Authentication
B. A strict password policy
C. Captcha on login pages
D. Encrypted emails
View answer
Correct Answer: D
Question #57
You are in charge of creating a new Google Cloud organization for your company. Which two actions should you take when creating the super administrator accounts? (Choose two.)
A. Cloud Run
B. Native
C. Enforced
D. Dry run
View answer
Correct Answer: AC
Question #58
You discovered that sensitive personally identifiable information (PII) is being ingested to your Google Cloud environment in the daily ETL process from an on-premises environment to your BigQuery datasets. You need to redact this data to obfuscate the PII, but need to re-identify it for data analytics purposes. Which components should you use in your solution? (Choose two.)
A. BigQuery using a data pipeline job with continuous updates via Cloud VPN
B. Cloud Storage using a scheduled task and gsutil via Cloud Interconnect
C. Compute Engine Virtual Machines using Persistent Disk via Cloud Interconnect
D. Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN
View answer
Correct Answer: DE
Question #59
You have noticed an increased number of phishing attacks across your enterprise user accounts. You want to implement the Google 2-Step Verification (2SV) option that uses a cryptographic signature to authenticate a user and verify the URL of the login page. Which Google 2SV option should you use?
A. Titan Security Keys
B. Google prompt
C. Google Authenticator app
D. Cloud HSM keys
View answer
Correct Answer: C
Question #60
Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement. How should your team meet these requirements?
A. Enable Private Access on the VPC network in the production project
B. Remove the Editor role and grant the Compute Admin IAM role to the engineers
C. Set up an organization policy to only permit public IPs for the front-end Compute Engine instances
D. Set up a VPC network with two subnets: one with public IPs and one without public IPs
View answer
Correct Answer: C
Question #61
An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organization's risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibil
A. Ensure that firewall rules are in place to meet the required controls
B. Set up Cloud Armor to ensure that network security controls can be managed for G Suite
C. Network security is a built-in solution and Google's Cloud responsibility for SaaS products like G Suite
D. Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation
View answer
Correct Answer: C
Question #62
A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container. What should they do?
A. Use Cloud Build to build the container images
B. Build small containers using small base images
C. Delete non-used versions from Container Registry
D. Use a Continuous Delivery tool to deploy the application
View answer
Correct Answer: D