Practice Free Professional Cloud Security Engineer Exam Online Questions
An organization receives an increasing number of phishing emails.
Which method should be used to protect employee credentials in this situation?
- A . Multifactor Authentication
- B . A strict password policy
- C . Captcha on login pages
- D . Encrypted emails
A
Explanation:
https://cloud.google.com/blog/products/g-suite/7-ways-admins-can-help-secure-accounts-against-phishing-g-suite
https://www.duocircle.com/content/email-security-services/email-security-in-cryptography#:~:text=Customer%20Login-,Email%20Security%20In%20Cryptography%20Is%20One%20Of%20The%20Most,Measures%20To%20Prevent%20Phishing%20Attempts&text=Cybercriminals%20love%20emails%20the%20most,networks%20all%20over%20the%20world.
An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.
Which Cloud Identity password guidelines can the organization use to inform their new requirements?
- A . Set the minimum length for passwords to be 8 characters.
- B . Set the minimum length for passwords to be 10 characters.
- C . Set the minimum length for passwords to be 12 characters.
- D . Set the minimum length for passwords to be 6 characters.
A
Explanation:
The minimum length for passwords in Cloud Identity can be set to 8 characters. This aligns with common security best practices for password policies, ensuring a basic level of complexity and security.
Step-by-Step:
Access Admin Console: Log in to the Google Admin console.
Navigate to Security Settings: Go to Security > Password Management.
Set Minimum Length: Set the minimum length for passwords to 8 characters.
Save Changes: Save the settings and ensure that all user accounts adhere to the new policy.
Google Cloud Identity Security Settings
Password Policy Best Practices
You need to set up two network segments: one with an untrusted subnet and the other with a trusted subnet. You want to configure a virtual appliance such as a next-generation firewall (NGFW) to inspect all traffic between the two network segments.
How should you design the network to inspect the traffic?
- A . 1. Set up one VPC with two subnets: one trusted and the other untrusted. 2. Configure a custom route for all traffic (0.0.0.0/0) pointed to the virtual appliance.
- B . 1. Set up one VPC with two subnets: one trusted and the other untrusted. 2. Configure a custom route for all RFC1918 subnets pointed to the virtual appliance.
- C . 1. Set up two VPC networks: one trusted and the other untrusted, and peer them together. 2. Configure a custom route on each network pointed to the virtual appliance.
- D . 1. Set up two VPC networks: one trusted and the other untrusted. 2. Configure a virtual appliance using multiple network interfaces, with each interface connected to one of the VPC networks.
D
Explanation:
Multiple network interfaces. The simplest way to connect multiple VPC networks through a virtual appliance is by using multiple network interfaces, with each interface connecting to one of the VPC networks. Internet and on-premises connectivity is provided over one or two separate network interfaces. With many NGFW products, internet connectivity is connected through an interface marked as untrusted in the NGFW software.
https://cloud.google.com/architecture/best-practices-vpc-design#l7
This architecture has multiple VPC networks that are bridged by an L7 next-generation firewall (NGFW) appliance, which functions as a multi-NIC bridge between VPC networks. An untrusted, outside VPC network is introduced to terminate hybrid interconnects and internet-based connections that terminate on the outside leg of the L7 NGFW for inspection. There are many variations on this design, but the key principle is to filter traffic through the firewall before the traffic reaches trusted VPC networks.
Your financial services company has an audit requirement under a strict regulatory framework that requires comprehensive, immutable audit trails for all administrative and data access activity that ensures that data is kept for seven years. Your current logging is fragmented across individual projects. You need to establish a centralized, tamper-proof, long-term logging solution accessible for audits.
What should you do?
- A . Implement Pub/Sub to stream all audit logs from each project in real-time to an external Security Information and Event Management (SIEM) for long-term analysis.
- B . Establish organization-level Cloud Logging sinks to export Cloud Audit Logs to a dedicated Cloud Storage bucket with object retention lock.
- C . Enable Security Command Center across the organization to gain centralized visibility into threats and manage compliance posture for all Google Cloud projects.
- D . Individually configure Cloud Audit Logs for all Google Cloud services in each project. Store the logs in regional Cloud Logging buckets with 30-day retention policies.
B
Explanation:
The core requirements are: centralized, tamper-proof, long-term (seven years) immutable audit trails for administrative and data access activity.
Centralization: The current logging is fragmented. To centralize, you need to collect logs from across the organization. Cloud Logging sinks configured at the organization level are designed for this purpose. They allow you to route logs from all projects within an organization to a single destination.
Reference: "Aggregated exports allow you to export logs from multiple Google Cloud projects, folders, or your entire organization. An aggregated export can include all logs from all included resources, or you can use queries to include only specific logs." (Google Cloud documentation: https://cloud.google.com/logging/docs/export/aggregated_exports)
Long-Term Storage (Seven Years): Cloud Logging buckets have default retention periods (e.g., 30 days for Data Access logs, 400 days for Admin Activity logs) which are not sufficient for a seven-year requirement. Cloud Storage is ideal for long-term archival.
Reference: "Cloud Storage is a highly scalable and durable object storage service suitable for archiving large volumes of data for extended periods." (Google Cloud documentation, general overview of Cloud Storage features)
Tamper-Proof / Immutability: This is a critical requirement for audit trails in financial services under strict regulatory frameworks. Cloud Storage’s "object retention lock" feature provides immutability. Once an object retention lock is set on a bucket, objects within that bucket cannot be deleted or overwritten for a specified duration, ensuring data integrity for compliance purposes.
Reference: "Object Retention Lock helps you meet compliance requirements by preventing data from being deleted or modified for a fixed amount of time or indefinitely. This feature satisfies SEC Rule 17a-4(f), FINRA Rule 4511(c), and CFTC Regulation 1.31(c)-(d) requirements." (Google Cloud documentation: https://cloud.google.com/storage/docs/bucket-lock)
Let’s evaluate the other options:
You must ensure that the keys used for at-rest encryption of your data are compliant with your organization’s security controls. One security control mandates that keys get rotated every 90 days. You must implement an effective detection strategy to validate if keys are rotated as required.
What should you do?
- A . Analyze the crypto key versions of the keys by using data from Cloud Asset Inventory. If an active key is older than 90 days, send an alert message through your incident notification channel.
- B . Identify keys that have not been rotated by using Security Health Analytics. If a key is not rotated after 90 days, a finding in Security Command Center is raised.
- C . Assess the keys in the Cloud Key Management Service by implementing code in Cloud Run. If a key is not rotated after 90 days, raise a finding in Security Command Center.
- D . Define a metric that checks for timely key updates by using Cloud Logging. If a key is not rotated after 90 days, send an alert message through your incident notification channel.
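The check that option A describes, written out as an added example (not code from the page or from Google): it walks Cloud Asset Inventory records for cloudkms.googleapis.com/CryptoKey and flags any key whose enabled primary version is older than 90 days, or that has no automatic rotation period within 90 days. The records are constructed sample data trimmed to the fields the check reads, and the function and constant names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)          # the organization's rotation control
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample of CryptoKey assets in the shape Cloud Asset Inventory
# exports them, keeping only the fields this check needs.
SAMPLE_ASSETS = [
    {"name": "//cloudkms.googleapis.com/projects/demo/locations/us/keyRings/kr/cryptoKeys/stale-key",
     "resource": {"data": {
         "primary": {"state": "ENABLED", "createTime": "2024-01-01T00:00:00.000000Z"},
         "rotationPeriod": "7776000s"}}},                    # 90 days, but never applied
    {"name": "//cloudkms.googleapis.com/projects/demo/locations/us/keyRings/kr/cryptoKeys/fresh-key",
     "resource": {"data": {
         "primary": {"state": "ENABLED", "createTime": "2024-05-01T12:00:00Z"},
         "rotationPeriod": "7776000s"}}},
    {"name": "//cloudkms.googleapis.com/projects/demo/locations/us/keyRings/kr/cryptoKeys/manual-key",
     "resource": {"data": {
         "primary": {"state": "ENABLED", "createTime": "2024-04-15T00:00:00Z"}}}},  # no rotationPeriod
]


def _parse_rfc3339(ts):
    # Asset Inventory timestamps are RFC 3339 with a trailing "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _duration_seconds(duration):
    # Protobuf Durations are exported as strings such as "7776000s".
    return float(duration.rstrip("s"))


def find_rotation_violations(assets, now, max_age=MAX_KEY_AGE):
    """Return (key name, reason) pairs for keys breaching the rotation control."""
    findings = []
    for asset in assets:
        data = asset["resource"]["data"]
        primary = data.get("primary")
        if not primary or primary.get("state") != "ENABLED":
            continue  # no enabled primary version: nothing encrypts with this key
        age = now - _parse_rfc3339(primary["createTime"])
        if age > max_age:
            findings.append((asset["name"], f"primary version is {age.days} days old"))
        period = data.get("rotationPeriod")
        if period is None or _duration_seconds(period) > max_age.total_seconds():
            findings.append((asset["name"], "no automatic rotation within the required period"))
    return findings


if __name__ == "__main__":
    for key, reason in find_rotation_violations(SAMPLE_ASSETS, SAMPLE_NOW):
        print(f"ALERT {key}: {reason}")   # hand these to the incident notification channel
```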
You manage a mission-critical workload for your organization, which is in a highly regulated industry. The workload uses Compute Engine VMs to analyze and process the sensitive data after it is uploaded to Cloud Storage from the endpoint computers. Your compliance team has detected that this workload does not meet the data protection requirements for sensitive data.
You need to meet these requirements:
• Manage the data encryption key (DEK) outside the Google Cloud boundary.
• Maintain full control of encryption keys through a third-party provider.
• Encrypt the sensitive data before uploading it to Cloud Storage.
• Decrypt the sensitive data during processing in the Compute Engine VMs.
• Encrypt the sensitive data in memory while in use in the Compute Engine VMs.
What should you do? Choose 2 answers
- A . Create a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets
- B . Migrate the Compute Engine VMs to Confidential VMs to access the sensitive data.
- C . Configure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage and decrypt the sensitive data after it is downloaded into your VMs
- D . Create Confidential VMs to access the sensitive data.
- E . Configure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.
C,D
Explanation:
https://cloud.google.com/confidential-computing/confidential-vm/docs/creating-cvm-instance#considerations
Confidential VM does not support live migration. You can only enable Confidential Computing on a VM when you first create the instance.
https://cloud.google.com/confidential-computing/confidential-vm/docs/creating-cvm-instance
You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to-know basis to the HR team.
What should you do?
- A . Perform data masking with the DLP API and store that data in BigQuery for later use.
- B . Perform data redaction with the DLP API and store that data in BigQuery for later use.
- C . Perform data inspection with the DLP API and store that data in BigQuery for later use.
- D . Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.
D
Explanation:
Pseudonymization is a de-identification technique that replaces sensitive data values with cryptographically generated tokens. Pseudonymization is widely used in industries like finance and healthcare to help reduce the risk of data in use, narrow compliance scope, and minimize the exposure of sensitive data to systems while preserving data utility and accuracy.
https://cloud.google.com/dlp/docs/pseudonymization
Applications often require access to “secrets” – small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of “who did what, where, and when?” within their GCP projects.
Which two log streams would provide the information that the administrator is looking for? (Choose two.)
- A . Admin Activity logs
- B . System Event logs
- C . Data Access logs
- D . VPC Flow logs
- E . Agent logs
A,C
Explanation:
To keep track of "who did what, where, and when?" within GCP projects, the administrator should focus on Admin Activity logs and Data Access logs. Here’s a detailed explanation of why these two log streams are essential:
Admin Activity Logs:
These logs capture administrative actions performed in your Google Cloud resources. This includes actions like creating, modifying, or deleting resources.
Admin Activity logs provide detailed information about the user who performed the action, the resource that was affected, the action performed, and the timestamp.
Data Access Logs:
These logs capture read and write operations on data within your Google Cloud services. This includes actions like accessing or modifying data stored in databases, storage buckets, etc.
Data Access logs help track the access patterns of users and services to sensitive data, providing insights into who accessed which data and when.
Steps to Enable and Access Logs:
Navigate to the Google Cloud Console.
Go to Logging in the left-hand menu.
Enable Admin Activity and Data Access logs if not already enabled.
Use Logs Explorer to filter and view specific logs based on your requirements.
By monitoring both Admin Activity and Data Access logs, administrators can gain comprehensive visibility into the actions performed on their GCP resources and data, ensuring robust security and compliance tracking.
Google Cloud Logging Documentation
Audit Logs Overview
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.
Which cost reduction options should you recommend?
- A . Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
- B . Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.
- C . Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
- D . Use FindingLimits and TimespanConfig to sample data and minimize transformation units.
C
Explanation:
Objective: Optimize the usage of Cloud Data Loss Prevention (DLP) API to reduce costs.
Solution:
rowsLimit and bytesLimitPerFile: These parameters help in sampling data instead of scanning the entire dataset, thereby reducing the amount of data processed.
CloudStorageRegexFileSet: This feature allows you to specify a subset of files to be scanned using regular expressions, limiting the scope and volume of data scanned.
Steps:
Step 1: Set appropriate rowsLimit values for BigQuery data scans to sample rows instead of scanning entire tables.
Step 2: Set bytesLimitPerFile values for Cloud Storage buckets to limit the number of bytes scanned per file.
Step 3: Use CloudStorageRegexFileSet to specify the subset of files to be scanned based on patterns that match the filenames.
By combining these strategies, you effectively reduce the scope and volume of data processed by the DLP API, leading to cost savings.
Reference: DLP API Best Practices
Configuring Finding Limits
