Practice Free Professional Cloud Security Engineer Exam Online Questions
You want to prevent users from accidentally deleting a Shared VPC host project.
Which organization-level policy constraint should you enable?
- A . compute.restrictSharedVpcHostProjects
- B . compute.restrictXpnProjectLienRemoval
- C . compute.restrictSharedVpcSubnetworks
- D . compute.sharedReservationsOwnerProjects
B
Explanation:
Enable the compute.restrictXpnProjectLienRemoval organization policy constraint.
When a project is enabled as a Shared VPC host, Google Cloud places a lien on it that blocks project deletion. By default, anyone with the permission to update liens on that project can remove the lien and then delete the host, taking every attached service project's networking with it.
Enforcing this boolean constraint restricts lien removal on Shared VPC host projects to users who hold that permission at the organization level, so a project-level administrator cannot accidentally clear the lien and delete the host.
The other options do not protect the host from deletion: compute.restrictSharedVpcHostProjects limits which projects may become hosts, compute.restrictSharedVpcSubnetworks limits which subnets service projects may use, and compute.sharedReservationsOwnerProjects concerns shared reservations.
Apply the constraint from the Google Cloud console or with gcloud.
Reference:
Organization Policy Constraints
Shared VPC
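The procedure above, written out as an added example (it is not part of the original page or of Google's documentation): enforce the constraint on the organization, print the effective policy, and confirm that the host project actually carries a lien restricting project deletion. The organization ID, host project ID and the JSON lien listing are constructed placeholders; setting DRY_RUN=1 prints the gcloud commands instead of executing them.

```shell
# Added example (not from the original page): enforce the lien-removal
# constraint at the organization and verify that the Shared VPC host project
# carries the delete-blocking lien. ORG_ID and HOST_PROJECT are placeholders;
# DRY_RUN=1 prints the gcloud commands instead of executing them.
set -eu

CONSTRAINT="constraints/compute.restrictXpnProjectLienRemoval"

run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. Enforce the boolean constraint on the organization node.
enforce_lien_constraint() {
  run gcloud resource-manager org-policies enable-enforce "$CONSTRAINT" \
    --organization="$1"
}

# 2. Print the effective policy so the change can be confirmed and audited.
show_effective_policy() {
  run gcloud resource-manager org-policies describe "$CONSTRAINT" \
    --organization="$1" --effective
}

# 3. The lien is placed automatically when the project becomes a Shared VPC
#    host; list the host's liens as JSON.
list_host_liens() {
  run gcloud alpha resource-manager liens list --project="$1" --format=json
}

# Inspect a lien listing (JSON from step 3): succeed only if some lien
# restricts resourcemanager.projects.delete, i.e. deletion is blocked.
lien_blocks_delete() {
  printf '%s' "$1" | grep -q '"resourcemanager.projects.delete"'
}

# Constructed sample of a lien listing for a protected host project; the
# project number and lien name are made up.
SAMPLE_LIENS='[{"name":"liens/p123456789012-4f2a","origin":"xpn.googleapis.com","parent":"projects/123456789012","reason":"Shared VPC host project","restrictions":["resourcemanager.projects.delete"]}]'

# Full check against a real host project, e.g. after sourcing this file:
#   check_host_project 123456789012 net-host-prod
check_host_project() {
  local org_id="$1" host_project="$2" liens
  enforce_lien_constraint "$org_id"
  show_effective_policy "$org_id"
  liens="$(list_host_liens "$host_project")"
  if lien_blocks_delete "$liens"; then
    echo "OK: $host_project has a lien blocking resourcemanager.projects.delete"
  else
    echo "WARNING: $host_project has no delete lien; is Shared VPC enabled on it?" >&2
    return 1
  fi
}
```

The lien check matters because the constraint only governs who may remove a lien; if the project was never enabled as a Shared VPC host there is no lien to protect, and check_host_project reports that rather than silently succeeding.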
Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud.
Which two steps should you take to integrate the company’s on-premises Active Directory with Google Cloud and configure access management? (Choose two.)
- A . Use Identity Platform to provision users and groups to Google Cloud.
- B . Use Cloud Identity SAML integration to provision users and groups to Google Cloud.
- C . Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.
- D . Create Identity and Access Management (IAM) roles with permissions corresponding to each Active Directory group.
- E . Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group.
CE
Explanation:
Google Cloud Directory Sync (GCDS): install GCDS on-premises (or on a host that can reach the domain controllers) and connect it to Active Directory over LDAP and to Cloud Identity. GCDS is one-way: it mirrors the AD users and groups you select into Cloud Identity, which then holds the identities that Google Cloud IAM refers to. If users should keep authenticating against AD, pair GCDS with AD FS or another SAML identity provider; SAML federation alone (option B) handles sign-in but does not provision users or groups.
Groups: the synced AD groups appear as groups in Cloud Identity. Grant IAM roles to those groups rather than to individual users, so that a user's AD group membership determines their Google Cloud permissions. Creating a custom IAM role per AD group (option D) multiplies roles to maintain without adding any control; the mapping belongs on the groups.
Synchronization: schedule GCDS to run regularly so that joiners, leavers and group changes in AD propagate to Cloud Identity, and through it to IAM, without manual policy edits.
Access management: manage access to Google Cloud resources through these groups, so permissions are applied consistently and are revoked automatically when someone is removed from an AD group. Identity Platform (option A) is a customer identity service for applications, not a workforce identity provider, so it is not the right tool here.
Reference:
Google Cloud – Google Cloud Directory Sync
Google Cloud – IAM Groups
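Steps C and E as an added example (not from the original page or from Google): bind IAM roles to the groups that GCDS has mirrored into Cloud Identity, then check an IAM policy for members still bound as individual users, which defeats the group-based model. The organization ID, group addresses, role choices and the sample policy JSON are constructed placeholders; DRY_RUN=1 prints the gcloud commands instead of executing them.

```shell
# Added example (not from the original page): once GCDS has mirrored AD groups
# into Cloud Identity, bind IAM roles to those groups at the organization node
# and flag any member still bound as an individual user. Group addresses, roles
# and ORG_ID are placeholders; DRY_RUN=1 prints gcloud commands instead of
# executing them.
set -eu

run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Constructed mapping of synced group address to IAM role, one pair per line.
# The group names carry whatever prefix GCDS was configured to apply.
GROUP_ROLE_MAP='
gcp-network-admins@example.com roles/compute.networkAdmin
gcp-security-admins@example.com roles/iam.securityAdmin
gcp-auditors@example.com roles/viewer
'

# Bind one synced group to one role; AD membership changes then flow through
# GCDS instead of through IAM policy edits.
bind_group_role() {
  local org_id="$1" group="$2" role="$3"
  run gcloud organizations add-iam-policy-binding "$org_id" \
    --member="group:${group}" --role="$role" --condition=None
}

# Apply every pair in the map; the last line printed is the number applied.
apply_group_bindings() {
  local org_id="$1" count=0 group role
  while read -r group role; do
    [ -n "$group" ] || continue
    bind_group_role "$org_id" "$group" "$role"
    count=$((count + 1))
  done <<EOF
$GROUP_ROLE_MAP
EOF
  echo "$count"
}

# Hygiene check on an IAM policy (JSON from
#   gcloud organizations get-iam-policy ORG_ID --format=json):
# print members still bound directly as user: instead of through a group.
direct_user_members() {
  printf '%s' "$1" | grep -o '"user:[^"]*"' | tr -d '"' | sort -u
}

# Constructed sample policy with one lingering direct user binding.
SAMPLE_POLICY='{"bindings":[{"role":"roles/viewer","members":["group:gcp-auditors@example.com","user:alice@example.com"]},{"role":"roles/compute.networkAdmin","members":["group:gcp-network-admins@example.com"]}],"etag":"BwXyz"}'
```

The direct_user_members check is worth running periodically: a user bound directly keeps their access after they leave the AD group, because GCDS only updates group membership, not IAM bindings.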
The security operations team needs access to the security-related logs for all projects in their organization.
They have the following requirements:
Follow the least privilege model by having only view access to logs.
Have access to Admin Activity logs.
Have access to Data Access logs.
Have access to Access Transparency logs.
Which Identity and Access Management (IAM) role should the security operations team be granted?
- A . roles/logging.privateLogViewer
- B . roles/logging.admin
- C . roles/viewer
- D . roles/logging.viewer
A
Explanation:
https://cloud.google.com/logging/docs/access-control#considerations
roles/logging.privateLogViewer (Private Logs Viewer) includes all the permissions contained by roles/logging.viewer, plus the ability to read Data Access audit logs in the _Default bucket.
Access Transparency logs are private logs as well and need the same permission (logging.privateLogEntries.list), so this role satisfies all three log requirements while remaining read-only. roles/viewer and roles/logging.viewer can read Admin Activity logs but not Data Access or Access Transparency logs, and roles/logging.admin adds write and delete permissions the team does not need, which violates least privilege.
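An added example (not from the original page or from Google) that makes the role comparison concrete: a check that a role's permission list can read private logs and contains no write or delete permissions, plus the log-name filters for the three audit log types the question lists. The permission lists are constructed samples using real permission names; the project ID is a placeholder, and DRY_RUN=1 prints the gcloud commands instead of executing them.

```shell
# Added example (not from the original page): verify that a role is a
# read-only private-log viewer, and read each Cloud Audit Logs type. The
# permission lists below are constructed samples; PROJECT_ID is a placeholder;
# DRY_RUN=1 prints the gcloud commands instead of executing them.
set -eu

run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Check a role's permission list, as printed by
#   gcloud iam roles describe ROLE --format='value(includedPermissions)'
# (a semicolon-separated string). Returns 0 only if it can read private logs
# and carries no permission that creates, updates or deletes anything.
role_is_private_readonly() {
  local perms="$1"
  case ";$perms;" in
    *";logging.privateLogEntries.list;"*) ;;
    *) return 1 ;;
  esac
  if printf '%s' "$perms" | tr ';' '\n' | grep -Eq '\.(create|delete|update|write)$'; then
    return 1
  fi
  return 0
}

# Constructed permission lists (real permission names, trimmed for brevity).
PRIVATE_VIEWER_PERMS="logging.logEntries.list;logging.logs.list;logging.privateLogEntries.list;logging.views.access;resourcemanager.projects.get"
LOGGING_ADMIN_PERMS="logging.logEntries.create;logging.logEntries.list;logging.logs.delete;logging.privateLogEntries.list;logging.sinks.update"
LOGGING_VIEWER_PERMS="logging.logEntries.list;logging.logs.list;logging.views.access"

# Log IDs of the three Cloud Audit Logs types (the %2F is a URL-encoded "/").
audit_log_filter() {
  case "$1" in
    admin_activity)      printf 'logName:"cloudaudit.googleapis.com%%2Factivity"\n' ;;
    data_access)         printf 'logName:"cloudaudit.googleapis.com%%2Fdata_access"\n' ;;
    access_transparency) printf 'logName:"cloudaudit.googleapis.com%%2Faccess_transparency"\n' ;;
    *) echo "unknown audit log type: $1" >&2; return 1 ;;
  esac
}

# Read recent entries of one audit log type from one project. Data Access and
# Access Transparency entries are only returned when the caller holds
# logging.privateLogEntries.list on that project or on an ancestor.
read_audit_log() {
  local project="$1" kind="$2" limit="${3:-20}"
  run gcloud logging read "$(audit_log_filter "$kind")" \
    --project="$project" --limit="$limit" --format=json
}
```

Running role_is_private_readonly against the real output of gcloud iam roles describe for each candidate role reproduces the answer: only roles/logging.privateLogViewer passes, roles/logging.admin fails on its create, update and delete permissions, and roles/logging.viewer fails because it lacks logging.privateLogEntries.list.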