
Latest Google Professional Cloud Security Engineer Exam Questions for Comprehensive Preparation

SPOTO's Google Professional Cloud Security Engineer exam questions offer a significant advantage for individuals aiming to specialize in securing workloads and infrastructure on Google Cloud. With a focus on exam questions and answers, test questions, and mock exams, SPOTO provides a comprehensive platform for effective exam preparation. As a Cloud Security Engineer, candidates develop expertise in identity and access management, security policies, data protection using Google Cloud technologies, network security, threat monitoring, security automation, AI security, and regulatory compliance. SPOTO's study materials cover security best practices and industry requirements, empowering candidates to design and implement secure solutions confidently. By leveraging SPOTO's exam resources, candidates can enhance their skills and knowledge, increasing their chances of passing the exam successfully and contributing to robust security implementations in cloud environments.

Question #1
A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery. What should you do?
A. Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows
B. Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery
C. Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery
D. Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery
Correct Answer: D
Question #2
Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services. Which two settings must remain disabled to meet these requirements? (Choose two.)
A. Public IP
B. IP Forwarding
C. Private Google Access
D. Static routes
E. IAM Network User Role
Correct Answer: AC
Question #3
A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator. What should you do?
A. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket
B. Upload the logs to both the shared bucket and the bucket only accessible by the administrator
C. On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII
D. On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded
Correct Answer: C
Question #4
A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects. Which two steps should the company take to meet these requirements? (Choose two.)
A. Create a single KeyRing for all persistent disks and all Keys in this KeyRing
B. Create a single KeyRing for all persistent disks and all Keys in this KeyRing
C. Create a KeyRing per persistent disk, with each KeyRing containing a single Key
D. Create a KeyRing per persistent disk, with each KeyRing containing a single Key
Correct Answer: BC
Question #5
A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet. Which two strategies should your team use to meet these requirements? (Choose two.)
A. Create a dedicated Cloud Identity user account for the cluster
B. Create a dedicated Cloud Identity user account for the cluster
C. Create a custom service account for the cluster Enable the constraints/iam
D. Create a custom service account for the cluster Enable the constraints/iam
Correct Answer: BE
Question #6
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on "in-scope" Nodes only. These Nodes can only contain the "in-scope" Pods. How should the organization achieve this objective?
A. Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true
B. Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label
C. Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration
D. Run all in-scope Pods in the namespace "in-scope-pci"
Correct Answer: C
Question #7
A database administrator notices malicious activities within their Cloud SQL instance. The database administrator wants to monitor the API calls that read the configuration or metadata of resources. Which logs should the database administrator review?
A. Admin Activity
B. System Event
C. Access Transparency
D. Data Access
Correct Answer: C
Question #8
A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system. How should the customer achieve this using Google Cloud Platform?
A. Use Cloud Source Repositories, and store secrets in Cloud SQL
B. Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage
C. Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL
D. Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs
Correct Answer: B
Question #9
Your company's new CEO recently sold two of the company's divisions. Your Director asks you to help migrate the Google Cloud projects associated with those divisions to a new organization node. Which preparation steps are necessary before this migration occurs? (Choose two.)
A. Enable domain restricted sharing in an organization policy, and enable uniform bucket-level access on the Cloud Storage bucket
B. Enable VPC Service Controls, create a perimeter around Projects A and B, and include the Cloud Storage API in the Service Perimeter configuration
C. Enable Private Access in both Project A and B's networks with strict firewall rules that allow communication between the networks
D. Enable VPC Peering between Project A and B's networks with strict firewall rules that allow communication between the networks
Correct Answer: BE
Question #11
A company migrated their entire data center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time. What should you do?
A. Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain
B. Register a new domain name, and use that for the new Cloud Identity domain
C. Ask Google to provision the data science manager's account as a Super Administrator in the existing domain
D. Ask customer's management to discover any other uses of Google managed services, and work with the existing Super Administrator
Correct Answer: B
Question #13
You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket. What should you do?
A. Set up an ACL with OWNER permission to a scope of allUsers
B. Set up an ACL with READER permission to a scope of allUsers
C. Set up a default bucket ACL and manage access for users using IAM
D. Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM
Correct Answer: A
Question #14
Your company requires the security and network engineering teams to identify all network anomalies within and across VPCs, internal traffic from VMs to VMs, traffic between end locations on the internet and VMs, and traffic between VMs to Google Cloud services in production. Which method should you use?
A. Define an organization policy constraint
B. Configure packet mirroring policies
C. Enable VPC Flow Logs on the subnet
D. Monitor and analyze Cloud Audit Logs
Correct Answer: C
Question #15
A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can only be accessed by someone on the corporate network. The customer wants to make it available over the internet. Your team requires an authentication layer in front of the application that supports two-factor authentication. Which GCP product should the customer implement to meet these requirements?
A. Cloud Identity-Aware Proxy
B. Cloud Armor
C. Cloud Endpoints
D. Cloud VPN
Correct Answer: A
Question #16
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name. Which cost reduction options should you recommend?
A. Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets
B. Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets
C. Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans
D. Use FindingLimits and TimespanConfig to sample data and minimize transformation units
Correct Answer: C
Question #17
Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service. Your team wants to manage permissions by AD group membership. What should your team do to meet these requirements?
A. Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups
B. Set up SAML 2
C. Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory
D. Use the Admin SDK to create groups and assign IAM permissions from Active Directory
Correct Answer: B
Question #18
Your company's cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs. Which service should you use?
A. Identity Aware-Proxy
B. Cloud NAT
C. TCP/UDP Load Balancing
D. Cloud DNS
Correct Answer: B
Question #19
You are in charge of creating a new Google Cloud organization for your company. Which two actions should you take when creating the super administrator accounts? (Choose two.)
A. Cloud Run
B. Native
C. Enforced
D. Dry run
Correct Answer: AC
Question #21
You are working with a client who plans to migrate their data to Google Cloud. You are responsible for recommending an encryption service to manage their encrypted keys. You have the following requirements: The master key must be rotated at least once every 45 days. The solution that stores the master key must be FIPS 140-2 Level 3 validated. The master key must be stored in multiple regions within the US for redundancy. Which solution meets these requirements?
A. Customer-managed encryption keys with Cloud Key Management Service
B. Customer-managed encryption keys with Cloud HSM
C. Customer-supplied encryption keys
D. Google-managed encryption keys
Correct Answer: D
Question #22
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented. Which GCP solution should the organization use?
A. BigQuery using a data pipeline job with continuous updates via Cloud VPN
B. Cloud Storage using a scheduled task and gsutil via Cloud Interconnect
C. Compute Engine Virtual Machines using Persistent Disk via Cloud Interconnect
D. Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN
Correct Answer: B
Question #23
A manager wants to start retaining security event logs for 2 years while minimizing costs. You write a filter to select the appropriate log entries. Where should you export the logs?
A. BigQuery datasets
B. Cloud Storage buckets
C. StackDriver logging
D. Cloud Pub/Sub topics
Correct Answer: C
Question #24
A manager wants to start retaining security event logs for 2 years while minimizing costs. You write a filter to select the appropriate log entries. Where should you export the logs?
A. BigQuery datasets
B. Cloud Storage buckets
C. StackDriver logging
D. Cloud Pub/Sub topics
Correct Answer: B
Question #25
When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)
A. Ensure that the app does not run as PID 1
B. Package a single app as a container
C. Remove any unnecessary tools not needed by the app
D. Use public container images as a base image for the app
E. Use many container image layers to hide sensitive information
Correct Answer: BC
Question #27
You want to make sure that your organization's Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all Cloud Storage buckets. What should you do?
A. Remove Owner roles from end users, and configure Cloud Data Loss Prevention
B. Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy
C. Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy
D. Remove *
Correct Answer: C
Question #30
Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud. What should you do?
A. Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules
B. Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules
C. Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level
D. Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party
Correct Answer: A
Question #32
You will create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices. What should you do?
A. Use Resource Manager on the organization level
B. Use Forseti Security to automate inventory snapshots
C. Use Stackdriver to create a dashboard across all projects
D. Use Security Command Center to view all assets across the organization
Correct Answer: B
Question #33
You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM. What should you do?
A. Policy Troubleshooter
B. Policy Analyzer
C. IAM Recommender
D. Policy Simulator
Correct Answer: A
Question #34
You have an application where the frontend is deployed on a managed instance group in subnet A and the data layer is stored on a mysql Compute Engine virtual machine (VM) in subnet B on the same VPC. Subnet A and Subnet B hold several other Compute Engine VMs. You only want to allow the application frontend to access the data in the application's mysql instance on port 3306. What should you do?
A. Configure an ingress firewall rule that allows communication from the src IP range of subnet A to the tag "data-tag" that is applied to the mysql Compute Engine VM on port 3306
B. Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306
C. Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B
D. Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B
Correct Answer: B
Question #37
A customer has an analytics workload running on Compute Engine that should have limited internet access. Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet. The Compute Engine instances now need to reach out to the public repository to get security updates. What should your team do?
A. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000
B. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000
C. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000
D. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000
Correct Answer: C
Question #38
Applications often require access to "secrets" - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of "who did what, where, and when?" within their GCP projects. Which two log streams would provide the information that the administrator is looking for? (Choose two.)
A. Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope
B. Create a custom role with the permission compute
C. Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances
D. Give the Service Account the role of Project Viewer, and use the new Service Account for all instances
Correct Answer: AC
Question #40
A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container. What should they do?
A. Use Cloud Build to build the container images
B. Build small containers using small base images
C. Delete non-used versions from Container Registry
D. Use a Continuous Delivery tool to deploy the application
Correct Answer: D
Question #41
A retail customer allows users to upload comments and product reviews. The customer needs to make sure the text does not include sensitive data before the comments or reviews are published. Which Google Cloud Service should be used to achieve this?
A. Cloud Key Management Service
B. Cloud Data Loss Prevention API
C. BigQuery
D. Cloud Security Scanner
Correct Answer: B
Question #42
You discovered that sensitive personally identifiable information (PII) is being ingested to your Google Cloud environment in the daily ETL process from an on-premises environment to your BigQuery datasets. You need to redact this data to obfuscate the PII, but need to re-identify it for data analytics purposes. Which components should you use in your solution? (Choose two.)
A. BigQuery using a data pipeline job with continuous updates via Cloud VPN
B. Cloud Storage using a scheduled task and gsutil via Cloud Interconnect
C. Compute Engine Virtual Machines using Persistent Disk via Cloud Interconnect
D. Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN
Correct Answer: DE
Question #43
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented. Which GCP solution should the organization use?
A. Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region
B. Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years
C. Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region
D. Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region
Correct Answer: A
Question #45
You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive data. Your solution has the following requirements: Schedule key rotation for sensitive data. Control which region the encryption keys for sensitive data are stored in. Minimize the latency to access encryption keys for both sensitive and non-sensitive data. What should you do?
A. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager
B. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service
C. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager
D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service
Correct Answer: B
Question #46
Your company operates an application instance group that is currently deployed behind a Google Cloud load balancer in us-central-1 and is configured to use the Standard Tier network. The infrastructure team wants to expand to a second Google Cloud region, us-east-2. You need to set up a single external IP address to distribute new requests to the instance groups in both regions. What should you do?
A. Change the load balancer backend configuration to use network endpoint groups instead of instance groups
B. Change the load balancer frontend configuration to use the Premium Tier network, and add the new instance group
C. Create a new load balancer in us-east-2 using the Standard Tier network, and assign a static external IP address
D. Create a Cloud VPN connection between the two regions, and enable Google Private Access
Correct Answer: A
Question #47
You work for a large organization where each business unit has thousands of users. You need to delegate management of access control permissions to each business unit. You have the following requirements: Each business unit manages access controls for their own projects. Each business unit manages access control permissions at scale. Business units cannot access other business units' projects. Users lose their access if they move to a different business unit or leave the company. Users and access control permiss
A. Enable Private Google Access on the regional subnets and global dynamic routing mode
B. Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud interconnect connection
C. Use private
D. Use restricted googleapis
Correct Answer: DE
Question #48
In an effort for your company messaging app to comply with FIPS 140-2, a decision was made to use GCP compute and network services. The messaging app architecture includes a Managed Instance Group (MIG) that controls a cluster of Compute Engine instances. The instances use Local SSDs for data caching and UDP for instance-to-instance communications. The app development team is willing to make any changes necessary to comply with the standard. Which options should you recommend to meet the requirements?
A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module
B. Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances
C. Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections
D. Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications
Correct Answer: D
Question #49
A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means. Which connectivity option should be implemented?
A. VPC peering
B. Cloud VPN
C. Cloud Interconnect
D. Shared VPC
View answer
Correct Answer: B
Question #50
You are exporting application logs to Cloud Storage. You encounter an error message that the log sinks don't support uniform bucket-level access policies. How should you resolve this error?
A. Change the access control model for the bucket
B. Update your sink with the correct bucket destination
C. Add the roles/logging
D. Add the roles/logging
View answer
Correct Answer: B
Question #51
Your company requires the security and network engineering teams to identify all network anomalies and be able to capture payloads within VPCs. Which method should you use?
A. Define an organization policy constraint
B. Configure packet mirroring policies
C. Enable VPC Flow Logs on the subnet
D. Monitor and analyze Cloud Audit Logs
View answer
Correct Answer: B
Question #52
An organization receives an increasing number of phishing emails. Which method should be used to protect employee credentials in this situation?
A. Multifactor Authentication
B. A strict password policy
C. Captcha on login pages
D. Encrypted emails
View answer
Correct Answer: D
Question #53
Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet. What should your team grant to Engineering Group A to meet this requirement?
A. Compute Network User Role at the host project level
B. Compute Network User Role at the subnet level
C. Compute Shared VPC Admin Role at the host project level
D. Compute Shared VPC Admin Role at the service project level
View answer
Correct Answer: B
Question #54
A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator. What should you do?
A. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket
B. Upload the logs to both the shared bucket and the bucket only accessible by the administrator
C. On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII
D. On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded
View answer
Correct Answer: C
Question #55
You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?
A. Google Cloud Armor's preconfigured rules in preview mode
B. Prepopulated VPC firewall rules in monitor mode
C. The inherent protections of Google Front End (GFE)
D. Cloud Load Balancing firewall rules
E. VPC Service Controls in dry run mode
View answer
Correct Answer: A
Question #56
You are working with protected health information (PHI) for an electronic health record system. The privacy officer is concerned that sensitive data is stored in the analytics system. You are tasked with anonymizing the sensitive data in a way that is not reversible. Also, the anonymized data should not preserve the character set and length. Which Google Cloud solution should you use?
A. Cloud Data Loss Prevention with deterministic encryption using AES-SIV
B. Cloud Data Loss Prevention with format-preserving encryption
C. Cloud Data Loss Prevention with cryptographic hashing
D. Cloud Data Loss Prevention with Cloud Key Management Service wrapped cryptographic keys
View answer
Correct Answer: D
Question #57
You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards. What should you do?
A. Use multi-factor authentication for admin access to the web application
B. Use only applications certified compliant with PA-DSS
C. Move the cardholder data environment into a separate GCP project
D. Use VPN for all connections between your office and cloud environments
View answer
Correct Answer: C
Question #58
You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your Google Cloud VPCs based on packet header information. However, you want the capability to explore network flows and their payload to aid investigations. Which Google Cloud product should you use?
A. Marketplace IDS
B. VPC Flow Logs
C. VPC Service Controls logs
D. Packet Mirroring
E. Google Cloud Armor Deep Packet Inspection
View answer
Correct Answer: D
Question #59
Applications often require access to "secrets" - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of "who did what, where, and when?" within their GCP projects. Which two log streams would provide the information that the administrator is looking for? (Choose two.)
A. Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope
B. Create a custom role with the permission compute
C. Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances
D. Give the Service Account the role of Project Viewer, and use the new Service Account for all instances
View answer
Correct Answer: AC
Question #60
A customer terminates an engineer and needs to make sure the engineer's Google account is automatically deprovisioned. What should the customer do?
A. Use the Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity
B. Use the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity
C. Configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity
D. Configure Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity
View answer
Correct Answer: C
Question #61
An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well-established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the "source of truth" directory for identities. Which solution meets the organization's requirements?
A. Google Cloud Directory Sync (GCDS)
B. Cloud Identity
C. Security Assertion Markup Language (SAML)
D. Pub/Sub
View answer
Correct Answer: B
Question #62
You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?
A. Add the host project containing the Shared VPC to the service perimeter
B. Add the service project where the Compute Engine instances reside to the service perimeter
C. Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VP
D. Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets
View answer
Correct Answer: C
Question #63
Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?
A. ISO 27001
B. ISO 27002
C. ISO 27017
D. ISO 27018
View answer
Correct Answer: C
Question #64
You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine. Which option should you recommend?
A. Cloud Key Management Service
B. Compute Engine guest attributes
C. Compute Engine custom metadata
D. Secret Manager
View answer
Correct Answer: A
Question #65
A customer's company has multiple business units. Each business unit operates independently, and each has their own engineering group. Your team wants visibility into all projects created within the company and wants to organize their Google Cloud Platform (GCP) projects based on different business units. Each business unit also requires separate sets of IAM permissions. Which strategy should you use to meet these needs?
A. Create an organization node, and assign folders for each business unit
B. Establish standalone projects for each business unit, using gmail
C. Assign GCP resources in a project, with a label identifying which business unit owns the resource
D. Assign GCP resources in a VPC for each business unit to separate network access
View answer
Correct Answer: A
Question #66
An organization's typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review. How should you advise this organization?
A. Use Forseti with Firewall filters to catch any unwanted configurations in production
B. Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies
C. Route all VPC traffic through customer-managed routers to detect malicious patterns in production
D. All production applications will run on-premises
View answer
Correct Answer: B
Question #67
A customer has an analytics workload running on Compute Engine that should have limited internet access. Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet. The Compute Engine instances now need to reach out to the public repository to get security updates. What should your team do?
A. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000
B. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000
C. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000
D. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000
View answer
Correct Answer: D