Practice Free Professional Cloud Security Engineer Exam Online Questions
You are working with a client that is concerned about control of their encryption keys for sensitive data. The client does not want to store encryption keys at rest in the same cloud service provider (CSP) as the data that the keys are encrypting.
Which Google Cloud encryption solutions should you recommend to this client? (Choose two.)
- A . Customer-supplied encryption keys.
- B . Google default encryption
- C . Secret Manager
- D . Cloud External Key Manager
- E . Customer-managed encryption keys
A, D
Explanation:
For a client concerned about the control of their encryption keys and not wanting to store these keys within the same cloud service provider (CSP) as the data, the following solutions are suitable:
Customer-supplied encryption keys (A):
With customer-supplied encryption keys, clients manage their own encryption keys outside of Google Cloud and supply them to encrypt and decrypt data. This ensures that the keys are not stored in Google Cloud, providing full control over the key management process.
Cloud External Key Manager (D):
Cloud External Key Manager (EKM) allows clients to integrate an external key management system (KMS) with Google Cloud services. This setup enables the client to keep their encryption keys outside Google Cloud while still allowing the data to be encrypted and decrypted within Google Cloud services. This method offers an additional layer of security and control over the encryption keys.
These options provide robust solutions for clients requiring external key management and enhanced control over their encryption processes.
Reference: Customer-Supplied Encryption Keys
Cloud External Key Manager
You are routing all your internet facing traffic from Google Cloud through your on-premises internet connection. You want to accomplish this goal securely and with the highest bandwidth possible.
What should you do?
- A . Create an HA VPN connection to Google Cloud. Replace the default 0.0.0.0/0 route.
- B . Create a routing VM in Compute Engine. Configure the default route with the VM as the next hop.
- C . Configure Cloud Interconnect with HA VPN. Replace the default 0.0.0.0/0 route with one to an on-premises destination.
- D . Configure Cloud Interconnect and route traffic through an on-premises firewall.
C
Explanation:
Configure Cloud Interconnect:
Cloud Interconnect provides high-bandwidth, low-latency connectivity between your on-premises network and Google Cloud. You can choose between Dedicated Interconnect or Partner Interconnect depending on your requirements.
Set up the physical connection and establish the interconnect through the Google Cloud Console or by working with a partner.
Set Up HA VPN:
High Availability (HA) VPN provides a robust, reliable VPN connection to Google Cloud with SLA guarantees. This is crucial for ensuring secure and high-bandwidth connectivity. Configure two VPN tunnels to ensure redundancy and failover capabilities.
Update Default Route:
Replace the default 0.0.0.0/0 route in your Google Cloud VPC to direct traffic to your on-premises network via the Cloud Interconnect and HA VPN setup.
This ensures all internet-facing traffic is securely routed through your on-premises internet connection.
Ensure Proper Security and Routing Policies:
Implement appropriate firewall rules and security policies on both Google Cloud and on-premises environments to control traffic and ensure secure communication.
Monitor the traffic and connectivity status to maintain optimal performance and security.
Reference:
Cloud Interconnect Documentation
HA VPN Documentation
Routing Traffic
You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources. Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts.
Which two actions should you take? (Choose two.)
- A . Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity.
- B . Use the Google Admin console to view which managed users are using a personal account for their recovery email.
- C . Add users to your managed Google account and force users to change the email addresses associated with their personal accounts.
- D . Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts.
- E . Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.
A, D
Explanation:
To manage user accounts and ensure they comply with corporate policies, using Google Cloud Directory Sync (GCDS) allows synchronization between your local identity system and Cloud Identity. The Transfer Tool for Unmanaged Users (TTUU) helps identify and manage conflicting accounts by allowing users to transfer their personal accounts to managed accounts.
Steps:
Synchronize Identities: Use GCDS to sync users from your local identity management system to Cloud Identity, ensuring that all corporate user accounts are managed.
Identify Conflicting Accounts: Use TTUU to find users who have personal Google accounts using corporate email addresses.
Manage Conflicting Accounts: Request users to transfer their personal accounts to managed accounts using TTUU, ensuring all accounts are under corporate control.
Reference:
Google Cloud Directory Sync
Transfer Tool for Unmanaged Users
An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well-established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the “source of truth” directory for identities.
Which solution meets the organization’s requirements?
- A . Google Cloud Directory Sync (GCDS)
- B . Cloud Identity
- C . Security Assertion Markup Language (SAML)
- D . Pub/Sub
A
Explanation:
With Google Cloud Directory Sync (GCDS), you can synchronize the data in your Google Account with your Microsoft Active Directory or LDAP server. GCDS doesn’t migrate any content (such as email messages, calendar events, or files) to your Google Account. You use GCDS to synchronize your Google users, groups, and shared contacts to match the information in your LDAP server. https://support.google.com/a/answer/106368?hl=en
Your company is using GSuite and has developed an application meant for internal usage on Google App Engine. You need to make sure that an external user cannot gain access to the application even when an employee’s password has been compromised.
What should you do?
- A . Enforce 2-factor authentication in GSuite for all users.
- B . Configure Cloud Identity-Aware Proxy for the App Engine Application.
- C . Provision user passwords using GSuite Password Sync.
- D . Configure Cloud VPN between your private network and GCP.
B
Explanation:
To ensure that an external user cannot gain access to an internal application on Google App Engine even if an employee’s password is compromised, configure Cloud Identity-Aware Proxy (IAP).
Enable IAP:
Go to the Cloud Console, navigate to the App Engine application, and select "Identity-Aware Proxy".
Enable IAP for the application.
Configure Access Policies:
Set up access policies to restrict who can access the application. Use IAM roles to grant access only to specific users or groups.
Enforce Authentication:
IAP enforces Google authentication, ensuring that users must log in with their GSuite credentials.
Enable Multi-Factor Authentication (MFA):
Enforce 2FA for all GSuite users to add an extra layer of security.
Advantages:
Protection against Compromised Credentials: Even if passwords are compromised, attackers cannot access the application without passing IAP authentication.
Centralized Access Management: Easily manage and monitor access through IAM and IAP policies.
Reference:
Identity-Aware Proxy Overview
Setting up IAP
Your organization is using Active Directory and wants to configure Security Assertion Markup Language (SAML). You must set up and enforce single sign-on (SSO) for all users.
What should you do?
- A . 1. Manage SAML profile assignments.
  2. Enable OpenID Connect (OIDC) in your Active Directory (AD) tenant.
  3. Verify the domain.
- B . 1. Create a new SAML profile.
  2. Upload the X.509 certificate.
  3. Enable the change password URL.
  4. Configure Entity ID and ACS URL in your IdP.
- C . 1. Create a new SAML profile.
  2. Populate the sign-in and sign-out page URLs.
  3. Upload the X.509 certificate.
  4. Configure Entity ID and ACS URL in your IdP.
- D . 1. Configure prerequisites for OpenID Connect (OIDC) in your Active Directory (AD) tenant.
  2. Verify the AD domain.
  3. Decide which users should use SAML.
  4. Assign the pre-configured profile to the selected organizational units (OUs) and groups.
C
Explanation:
When configuring SAML-based Single Sign-On (SSO) in an organization that’s using Active Directory, the general steps would involve setting up a SAML profile, specifying the necessary URLs for sign-in and sign-out processes, uploading an X.509 certificate for secure communication, and setting up the Entity ID and Assertion Consumer Service (ACS) URL in the Identity Provider (which in this case would be Active Directory).
What are the steps to encrypt data using envelope encryption?
- A . Generate a data encryption key (DEK) locally. Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK. Store the encrypted data and the wrapped KEK.
- B . Generate a key encryption key (KEK) locally. Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK. Store the encrypted data and the wrapped DEK.
- C . Generate a data encryption key (DEK) locally. Encrypt data with the DEK. Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.
- D . Generate a key encryption key (KEK) locally. Generate a data encryption key (DEK) locally. Encrypt data with the KEK. Store the encrypted data and the wrapped DEK.
C
Explanation:
Objective: Encrypt data using envelope encryption.
Solution: Follow the envelope encryption process.
Steps:
Step 1: Generate a Data Encryption Key (DEK) locally. The DEK is used to encrypt the actual data.
Step 2: Encrypt the data using the DEK.
Step 3: Use a Key Encryption Key (KEK) to wrap the DEK. The KEK is used to encrypt the DEK.
Step 4: Store the encrypted data and the wrapped DEK. This ensures that the data can be securely decrypted in the future using the KEK to unwrap the DEK.
Envelope encryption enhances security by adding an additional layer of encryption to the data encryption key, which is particularly useful for managing large volumes of encrypted data.
Reference:
Envelope Encryption Overview
Google Cloud Key Management Service Documentation
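The four steps of answer C carried through in code, as an added example that is not from the original page or from Google's own libraries. A local AES-256-GCM key stands in for the Cloud KMS key (in a real deployment the wrap and unwrap calls would go to Cloud KMS and the KEK would never sit in process memory); the key and message values in the test are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what gets stored: the ciphertext and the wrapped DEK, never the KEK.
type Envelope struct{ Ciphertext, WrappedDEK []byte }
// must turns setup errors (bad key size, failed RNG) into panics to keep the flow short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
// seal encrypts with AES-256-GCM and prepends the random nonce to the output.
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key or tampered bytes fail the GCM tag check.
func open(key, sealed []byte) ([]byte, error) {
	aead := gcm(key)
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed blob too short")
}
// Encrypt performs the four steps of answer C in order.
func Encrypt(kek, plaintext []byte) Envelope {
	dek := make([]byte, 32) // step 1: generate a fresh 256-bit DEK locally
	must(rand.Read(dek))
	ct := seal(dek, plaintext)   // step 2: encrypt the data with the DEK
	wrapped := seal(kek, dek)    // step 3: wrap the DEK with the KEK (Cloud KMS in production)
	return Envelope{ct, wrapped} // step 4: store ciphertext + wrapped DEK together
}
// Decrypt unwraps the DEK with the KEK first, then decrypts the data with it.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}
```

Because only the wrapped DEK is stored with the data, rotating or revoking the KEK in the key manager controls access to every object without re-encrypting the bulk data itself.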
A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet.
How should this be accomplished?
- A . Create a firewall rule to block internet traffic from the VM.
- B . Provision a NAT Gateway to access the Cloud Storage API endpoint.
- C . Enable Private Google Access on the VPC.
- D . Mount a Cloud Storage bucket as a local filesystem on every VM.
C
Explanation:
Objective: Ensure VMs can access Cloud Storage without reaching the public internet.
Solution: Enable Private Google Access on the VPC network, allowing VMs with only internal IP addresses to access Google APIs and services privately.
Steps:
Step 1: Open the Google Cloud Console.
Step 2: Go to the VPC Network section.
Step 3: Select the relevant VPC network and subnet.
Step 4: Enable Private Google Access for the subnet.
Private Google Access ensures that instances can access Google APIs and services (such as Cloud Storage) over a private network connection, without requiring a public IP address.
Reference:
Configuring Private Google Access
Best Practices for Secure Access
Your company’s new CEO recently sold two of the company’s divisions. Your Director asks you to help migrate the Google Cloud projects associated with those divisions to a new organization node.
Which preparation steps are necessary before this migration occurs? (Choose two.)
- A . Remove all project-level custom Identity and Access Management (IAM) roles.
- B . Disallow inheritance of organization policies.
- C . Identify inherited Identity and Access Management (IAM) roles on projects to be migrated.
- D . Create a new folder for all projects to be migrated.
- E . Remove the specific migration projects from any VPC Service Controls perimeters and bridges.
C, E
Explanation:
To prepare for migrating Google Cloud projects to a new organization node, it’s crucial to ensure that the projects’ current configurations and dependencies are appropriately managed.
The two necessary preparation steps are:
Identify inherited Identity and Access Management (IAM) roles on projects to be migrated (C): Projects inherit IAM roles from their parent resources. Identifying these roles is essential to understand the permissions and access levels that users have on the projects. This will help in ensuring that after migration, the appropriate roles and permissions are applied correctly.
Remove the specific migration projects from any VPC Service Controls perimeters and bridges (E): VPC Service Controls provide security boundaries around your Google Cloud resources to mitigate data exfiltration risks. Before migrating the projects, they need to be removed from any existing VPC Service Controls perimeters and bridges to prevent any disruption in access or network communication. After migration, the projects can be added back to the necessary perimeters.
Reference: Google Cloud IAM documentation
VPC Service Controls documentation
Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups.
Which Google Cloud service should you use?
- A . Cloud DNS with DNSSEC
- B . Cloud NAT
- C . HTTP(S) Load Balancing
- D . Google Cloud Armor
A
Explanation:
Cloud DNS with DNSSEC (Domain Name System Security Extensions) provides authentication for DNS responses, ensuring that they are legitimate and have not been tampered with. DNSSEC helps protect against DNS spoofing and cache poisoning attacks, which are common techniques used in DDoS attacks.
Steps:
Enable DNSSEC: In the Google Cloud Console, navigate to Cloud DNS and enable DNSSEC for your managed zones.
Configure Key Signing: Set up key signing keys (KSK) and zone signing keys (ZSK) to sign your DNS records.
Monitor DNSSEC Status: Regularly monitor the DNSSEC status and logs to ensure it is functioning correctly.
Reference:
Cloud DNS documentation