Google Professional Cloud Security Engineer Exam Questions - Real Practice Questions for Guaranteed Success

Question 1

A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud.

What should you do?

A1. Enable Container Threat Detection in the Security Command Center Premium tier.
* 2. Upgrade all clusters that are not on a supported version of GKE to the latest possible GKE version.
* 3. View and share the results from the Security Command Center

B* 1. Use an open source tool in Cloud Build to scan the images.
* 2. Upload reports to publicly accessible buckets in Cloud Storage by using gsutil
* 3. Share the scan report link with your security department.

C* 1. Enable vulnerability scanning in the Artifact Registry settings.
* 2. Use Cloud Build to build the images
* 3. Push the images to the Artifact Registry for automatic scanning.
* 4. View the reports in the Artifact Registry.

D* 1. Get a GitHub subscription.
* 2. Build the images in Cloud Build and store them in GitHub for automatic scanning
* 3. Download the report from GitHub and share with the Security Team

Correct : C

'The service evaluates all changes and remote access attempts to detect runtime attacks in near-real time.' : https://cloud.google.com/security-command-center/docs/concepts-container-threat-detection-overview This has nothing to do with KNOWN security Vulns in images

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

D* 1. Get a GitHub subscription.
* 2. Build the images in Cloud Build and store them in GitHub for automatic scanning
* 3. Download the report from GitHub and share with the Security Team

0 / 1500

Question 2

An administrative application is running on a virtual machine (VM) in a managed group at port 5601 inside a Virtual Private Cloud (VPC) instance without access to the internet currently. You want to expose the web interface at port 5601 to users and enforce authentication and authorization Google credentials

What should you do?

AModify the VPC routing with the default route point to the default internet gateway Modify the VPC Firewall rule to allow access from the internet 0.0.0.0/0 to port 5601 on the application instance.

BConfigure the bastion host with OS Login enabled and allow connection to port 5601 at VPC firewall Log in to the bastion host from the Google Cloud console by using SSH-in-browser and then to the web application

CConfigure an HTTP Load Balancing instance that points to the managed group with Identity-Aware Proxy (IAP) protection with Google credentials Modify the VPC firewall to allow access from IAP network range

DConfigure Secure Shell Access (SSH) bastion host in a public network, and allow only the bastion host to connect to the application on port 5601. Use a bastion host as a jump host to connect to the application

Correct : C

This approach allows you to expose the web interface securely by using Identity-Aware Proxy (IAP), which provides authentication and authorization with Google credentials. The HTTP Load Balancer can distribute traffic to the VMs in the managed group, and the VPC firewall rule ensures that access is allowed from the IAP network range.

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

AModify the VPC routing with the default route point to the default internet gateway Modify the VPC Firewall rule to allow access from the internet 0.0.0.0/0 to port 5601 on the application instance.

0 / 1500

Question 3

Your company is concerned about unauthorized parties gaming access to the Google Cloud environment by using a fake login page. You must implement a solution to protect against person-in-the-middle attacks.

Which security measure should you use?

AText message or phone call code

BSecurity key

CGoogle Authenticator application

DGoogle prompt

Correct : B

A security key is a physical device that you can use for two-step verification, providing an additional layer of security for your Google Account. Security keys can defend against phishing and man-in-the-middle attacks, making your login process more secure.

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

AText message or phone call code

BSecurity key

CGoogle Authenticator application

DGoogle prompt

0 / 1500

Question 4

Your organization previously stored files in Cloud Storage by using Google Managed Encryption Keys (GMEK). but has recently updated the internal policy to require Customer Managed Encryption Keys (CMEK). You need to re-encrypt the files quickly and efficiently with minimal cost.

What should you do?

AEncrypt the files locally, and then use gsutil to upload the files to a new bucket.

BCopy the files to a new bucket with CMEK enabled in a secondary region

CReupload the files to the same Cloud Storage bucket specifying a key file by using gsutil.

DChange the encryption type on the bucket to CMEK, and rewrite the objects

Correct : D

Rewriting the objects in-place within the same bucket, specifying the new CMEK for encryption, allows you to re-encrypt the data without downloading and re-uploading it, thus minimizing costs and time.

https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

AEncrypt the files locally, and then use gsutil to upload the files to a new bucket.

BCopy the files to a new bucket with CMEK enabled in a secondary region

CReupload the files to the same Cloud Storage bucket specifying a key file by using gsutil.

DChange the encryption type on the bucket to CMEK, and rewrite the objects

0 / 1500

Question 5

Your company conducts clinical trials and needs to analyze the results of a recent study that are stored in BigQuery. The interval when the medicine was taken contains start and stop dates The interval data is critical to the analysis, but specific dates may identify a particular batch and introduce bias You need to obfuscate the start and end dates for each row and preserve the interval data.

What should you do?

AUse bucketing to shift values to a predetermined date based on the initial value.

BExtract the date using TimePartConfig from each date field and append a random month and year

CUse date shifting with the context set to the unique ID of the test subject

DUse the FFX mode of format preserving encryption (FPE) and maintain data consistency

Correct : A

'Date shifting techniques randomly shift a set of dates but preserve the sequence and duration of a period of time. Shifting dates is usually done in context to an individual or an entity. That is, each individual's dates are shifted by an amount of time that is unique to that individual.'

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

AUse bucketing to shift values to a predetermined date based on the initial value.

BExtract the date using TimePartConfig from each date field and append a random month and year

CUse date shifting with the context set to the unique ID of the test subject

DUse the FFX mode of format preserving encryption (FPE) and maintain data consistency

0 / 1500

Master Google Professional Cloud Security Engineer Exam with Reliable Practice Questions

Options Selected by Other Users:

Options Selected by Other Users:

Options Selected by Other Users:

Options Selected by Other Users:

Options Selected by Other Users: