Practice Free Professional Cloud Security Engineer Exam Online Questions
You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine.
Which option should you recommend?
- A . Cloud Key Management Service
- B . Compute Engine guest attributes
- C . Compute Engine custom metadata
- D . Secret Manager
D
Explanation:
Objective: Store and retrieve sensitive configuration data for an application running on Compute Engine.
Solution: Use Secret Manager to securely store and manage access to sensitive configuration data.
Steps:
Step 1: Open the Google Cloud Console.
Step 2: Navigate to the Secret Manager section.
Step 3: Create a new secret and add the sensitive configuration data.
Step 4: Set appropriate IAM policies to control access to the secret.
Step 5: Update the application to retrieve the secret from Secret Manager using the appropriate client libraries or APIs.
Secret Manager provides a secure and centralized way to manage sensitive information, with fine-grained access control and audit logging capabilities.
Reference: Secret Manager Documentation
Storing and Accessing Secrets
A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects.
Which two steps should the company take to meet these requirements? (Choose two.)
- A . Create a project with multiple VPC networks for each environment.
- B . Create a folder for each development and production environment.
- C . Create a Google Group for the Engineering team, and assign permissions at the folder level.
- D . Create an Organizational Policy constraint for each folder environment.
- E . Create projects for each environment, and grant IAM rights to each engineering user.
B,C
Explanation:
To manage IAM permissions efficiently for a large engineering team with different levels of access in development and production environments, follow these steps:
Create Separate Folders:
Create a folder for the development environment.
Create a folder for the production environment.
This allows you to organize projects and apply different policies and permissions to each environment.
Navigate to IAM & Admin in the GCP Console.
Select "Folders" from the left-hand menu.
Create a new folder named "Development".
Create a new folder named "Production".
Create Google Groups:
Create Google Groups for different teams within the engineering department (e.g., Development Team, Production Team).
This helps in managing permissions centrally.
Use the Google Admin Console to create groups.
Add relevant engineers to each group.
Assign Permissions at the Folder Level:
Assign appropriate IAM roles to the Google Groups at the folder level.
For example, grant Viewer role to the Development Team group for the development folder.
Grant Editor or more restrictive roles as required for the Production Team group for the production folder.
Select the development folder.
Go to the "Permissions" tab.
Click on "Add" and enter the email address of the Development Team Google Group.
Assign the "Viewer" role.
Repeat for the production folder, assigning appropriate roles to the Production Team Google Group.
By following these steps, you create a clear separation between development and production environments and manage permissions efficiently using Google Groups and folders.
Google Cloud IAM Documentation
Google Cloud Resource Manager Documentation
You are migrating an application into the cloud. The application will need to read data from a Cloud Storage bucket. Due to local regulatory requirements, you need to hold the key material used for encryption fully under your control, and you require a valid rationale for accessing the key material.
What should you do?
- A . Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys. Configure an IAM deny policy for unauthorized groups.
- B . Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys backed by a Cloud Hardware Security Module (HSM). Enable data access logs.
- C . Generate a key in your on-premises environment and store it in a Hardware Security Module (HSM) that is managed on-premises. Use this key as an external key in the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and set the external key system to reject unauthorized accesses.
- D . Generate a key in your on-premises environment to encrypt the data before you upload the data to the Cloud Storage bucket. Upload the key to the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and have the external key system reject unauthorized accesses.
C
Explanation:
By generating a key in your on-premises environment and storing it in an HSM that you manage, you’re ensuring that the key material is fully under your control. Using the key as an external key in Cloud KMS allows you to use the key with Google Cloud services without having the key stored on Google Cloud. Activating Key Access Justifications (KAJ) provides a reason every time the key is accessed, and you can configure the external key system to reject unauthorized access attempts.
A centralized security service has been implemented by your company. All applications running in Google Cloud are required to send data to this service. You need to ensure that developers have high autonomy to configure firewall rules within their projects, while preventing accidental blockage of access to the central security service.
What should you do?
- A . Deploy a central Secure Web Proxy and connect it to all VPC networks. Create a Secure Web Proxy policy to allow traffic to the central security service.
- B . Implement a hierarchical firewall policy that prioritizes the central security service by allowing its connections and directing all other traffic to the subsequent firewall level.
- C . Create a central project to manage Shared VPC networks which will be accessible to all other projects. Administer all firewall rules centrally within this project.
- D . Use Terraform to automate the creation of the required firewall rule in all projects. Restrict rule change permissions solely to the Terraform service account.
B
Explanation:
The problem has the following key requirements:
All applications must send data to a centralized security service.
Developers need high autonomy over firewall rules within their projects.
Prevent accidental blockage of access to the central security service.
This scenario requires a mechanism to enforce critical network policies at a higher level of the resource hierarchy while still allowing project-level flexibility.
Hierarchical Firewall Policies: Google Cloud’s Hierarchical Firewall Policies (HFP) are designed precisely for this purpose. They allow administrators to define firewall rules at the organization or folder level, and these rules are inherited by all projects and VPC networks within that hierarchy. Crucially, HFP rules can be prioritized. Rules with higher priority (lower numerical value) are evaluated first. This means you can create high-priority "allow" rules for critical services that cannot be overridden or blocked by project-level firewall rules.
Reference: "Hierarchical firewall policies allow you to define and enforce consistent network security policies across your organization. Policies can be applied at the organization or folder level, and they are inherited by all projects and VPC networks within that hierarchy." and "Rules in a hierarchical firewall policy can take precedence over VPC network firewall rules based on priority. A rule with a lower priority value takes precedence over a rule with a higher priority value." (Google Cloud documentation: https://cloud.google.com/vpc/docs/firewall-policies-overview)
Preventing Accidental Blockage while Allowing Autonomy: By setting a high-priority "allow" rule for the central security service in a hierarchical firewall policy, you guarantee that this traffic will always be permitted, regardless of what project-level firewall rules developers might configure. This ensures the critical connectivity while still allowing developers to manage other, less critical firewall rules within their projects with high autonomy.
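As an added illustration (not code from the page or from Google), the following Python model reproduces the evaluation order the explanation relies on: hierarchical policy rules are checked before a project's VPC rules, lowest priority number first, with "goto_next" deferring to the next level. The 10.50.0.0/24 range and port 8443 of the central security service, and the rules themselves, are constructed sample data.

```python
"""Model of hierarchical firewall policy evaluation before VPC firewall rules.
Added illustration, not code from the page or from Google; the rules and the
central security service address (10.50.0.10:8443) are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Rule:
    priority: int               # lower number is evaluated first
    action: str                 # "allow", "deny" or "goto_next"
    dest_cidrs: List[str]
    ports: Optional[Set[int]]   # None means all ports
    name: str


def rule_matches(rule: Rule, dest_ip: str, port: int) -> bool:
    in_dest = any(ip_address(dest_ip) in ip_network(c) for c in rule.dest_cidrs)
    return in_dest and (rule.ports is None or port in rule.ports)


def evaluate_policy(rules: List[Rule], dest_ip: str, port: int) -> Optional[str]:
    """First matching rule decides; "goto_next" (or no match) defers to the next level."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, dest_ip, port):
            return rule.action if rule.action in ("allow", "deny") else None
    return None


def evaluate_egress(levels: List[List[Rule]], dest_ip: str, port: int) -> str:
    """levels is ordered: [org policy, folder policies..., VPC firewall rules]."""
    for rules in levels:
        verdict = evaluate_policy(rules, dest_ip, port)
        if verdict is not None:
            return verdict
    return "allow"   # the implied allow-egress rule at the end of the VPC rule set


# Org-level policy: pin the central security service, delegate everything else.
ORG_POLICY = [
    Rule(1000, "allow", ["10.50.0.0/24"], {8443}, "allow-central-security-service"),
    Rule(65534, "goto_next", ["0.0.0.0/0"], None, "delegate-to-projects"),
]
# A developer's project-level rule that would otherwise cut off the service.
VPC_RULES = [
    Rule(100, "deny", ["10.0.0.0/8"], None, "dev-deny-all-private"),
]


def central_service_reachable(levels: List[List[Rule]]) -> bool:
    return evaluate_egress(levels, "10.50.0.10", 8443) == "allow"
```

With the org policy in front, the developer's priority-100 deny never sees the security-service traffic; without it, the same deny blocks the service.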
Let’s evaluate the other options:
Your organization uses BigQuery to process highly sensitive, structured datasets.
Following the "need to know" principle, you need to create the Identity and Access Management (IAM) design to meet the needs of these users:
• Business user: must access curated reports.
• Data engineer: must administrate the data lifecycle in the platform.
• Security operator: must review user activity on the data platform.
What should you do?
- A . Configure data access log for BigQuery services, and grant Project Viewer role to security operators.
- B . Generate a CSV data file based on the business user’s needs, and send the data to their email addresses.
- C . Create curated tables in a separate dataset and assign the role roles/bigquery.dataViewer.
- D . Set row-based access control based on the "region" column, and filter the record from the United States for data engineers.
C
Explanation:
This option directly addresses the needs of the business user who must access curated reports. By creating curated tables in a separate dataset, you can control access to specific data. Assigning the roles/bigquery.dataViewer role allows the business user to view the data in BigQuery.
Your company is deploying a three-tier web application (web, application, and database) on Google Cloud. You need to configure network isolation between tiers to minimize the attack surface. The web tier needs to be accessible from the public internet, the application tier should only be accessible from the web tier, and the database tier should only be accessible from the application tier. Your solution must follow Google-recommended practices.
What should you do?
- A . Create three separate VPC networks, one for each tier. Configure VPC Network Peering between the web and application VPCs, and between the application and database VPCs. Use firewall rules to control the traffic.
- B . Create a single subnet for all tiers. Create firewall rules that allow all traffic between instances within the same subnet. Use application-level security to prevent unauthorized access.
- C . Create three subnets within the VPC, one for each tier. Create firewall rules that allow traffic on specific ports on each subnet. Use network tags or service accounts on the VMs to apply the firewall rules.
- D . Create three subnets within the VPC, one for each tier. Enable Private Google Access on each subnet. Create a single firewall rule allowing all traffic between the subnets.
C
Explanation:
In Google Cloud, the best practice for micro-segmentation and tier isolation is to use a single VPC with multiple subnets and apply firewall rules using Service Accounts or Network Tags. Using Service Accounts is generally preferred over tags because they are identity-based and more secure.
According to the Google Cloud Security Foundations Guide:
"Segment your VPC networks into subnets to provide logical isolation. Use firewall rules to control traffic between tiers. Instead of relying on IP addresses, use service accounts to define source and destination for firewall rules. This ensures that even if an IP changes, the security policy remains enforced based on the identity of the workload."
Implementation Details:
Web Tier: Use a firewall rule allowing 0.0.0.0/0 (Internet) to the Service Account associated with the web VMs on ports 80/443.
App Tier: Use a firewall rule allowing traffic ONLY from the Web Tier Service Account to the App Tier Service Account.
DB Tier: Use a firewall rule allowing traffic ONLY from the App Tier Service Account to the DB Tier Service Account.
Reference: Google Cloud Documentation: "Best practices for VPC design – Use service accounts to restrict traffic" (https://cloud.google.com/vpc/docs/using-firewalls#service-account-vs-tag).
Professional Cloud Security Engineer Study Guide: Section on "Configuring Network Security – Micro-segmentation."
You are on your company’s development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user’s browser in a production environment.
How should you prevent and fix this vulnerability?
- A . Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.
- B . Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.
- C . Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
- D . Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.
D
Explanation:
The Web Security Scanner documentation explicitly describes this simulation: "Web Security Scanner cross-site scripting (XSS) injection testing *simulates* an injection attack by inserting a benign test string into user-editable fields and then performing various user actions." https://cloud.google.com/security-command-center/docs/how-to-remediate-web-security-scanner-findings#xss
Reference: https://cloud.google.com/security-scanner/docs/remediate-findings
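The fix in option D is output escaping that depends on where the value lands in the page. As an added illustration (not from the page, and not a real template engine), the Python below shows the unescaped rendering the question describes next to per-context escaping for HTML text, attributes, URL parameters and JavaScript strings; the benign test string is constructed.

```python
"""Contextual output escaping for user data inserted into web pages.
Added illustration, not code from the page; a production app should rely on a
template engine with contextual auto-escaping rather than hand-written escaping."""
import html
import json
from urllib.parse import quote

# Constructed benign test string, of the kind a scanner inserts.
PAYLOAD = "<script>alert(1)</script>"


def render_unsafe(name: str) -> str:
    # The pattern the question describes: user data concatenated into HTML as-is.
    return f"<p>Hello {name}</p>"


def esc_html(value: str) -> str:
    # HTML text and attribute context: quote=True also escapes " and '.
    return html.escape(value, quote=True)


def esc_js_string(value: str) -> str:
    # JavaScript string context: JSON-encode, then neutralise "</" so the HTML
    # parser cannot see a closing </script> inside the string literal.
    return json.dumps(value).replace("</", "<\\/")


def esc_url_param(value: str) -> str:
    # URL query-parameter context: percent-encode everything but unreserved chars.
    return quote(value, safe="")


def render_safe(name: str) -> str:
    """Escape the same value differently for each context it is inserted into."""
    return (
        f'<p title="{esc_html(name)}">Hello {esc_html(name)}</p>\n'
        f'<a href="/search?q={esc_url_param(name)}">search</a>\n'
        f"<script>var user = {esc_js_string(name)};</script>"
    )


def payload_survives(rendered: str) -> bool:
    """Detection-style check: does the raw test string appear verbatim in the output?"""
    return PAYLOAD in rendered
```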
You recently joined the networking team supporting your company’s Google Cloud implementation. You are tasked with familiarizing yourself with the firewall rules configuration and providing recommendations based on your networking and Google Cloud experience.
What product should you recommend to detect firewall rules that are overlapped by attributes from other firewall rules with higher or equal priority?
- A . Security Command Center
- B . Firewall Rules Logging
- C . VPC Flow Logs
- D . Firewall Insights
D
Explanation:
https://cloud.google.com/network-intelligence-center/docs/firewall-insights/concepts/overview#shadowed-firewall-rules
Firewall Insights analyzes your firewall rules to detect firewall rules that are shadowed by other rules. A shadowed rule is a firewall rule that has all of its relevant attributes, such as its IP address and port ranges, overlapped by attributes from one or more rules with higher or equal priority, called shadowing rules.
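To make the shadowed-rule definition concrete, here is an added Python check (not Google's Firewall Insights code, and not from the page) that flags a rule whose direction, protocol, source ranges and ports are all covered by a rule with a lower-or-equal priority number. It simplifies the real analysis by requiring a single covering rule rather than a union of several; the sample rules are constructed.

```python
"""Simplified shadowed-firewall-rule check in the spirit of Firewall Insights.
Added illustration, not Google's code or the page's; sample rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Set


@dataclass
class FwRule:
    name: str
    priority: int              # 0-65535, lower value takes precedence
    direction: str             # "INGRESS" or "EGRESS"
    action: str                # "allow" or "deny"
    protocol: str              # "tcp", "udp", ...
    source_ranges: List[str]
    ports: Optional[Set[int]]  # None = all ports


def covers(shadower: FwRule, rule: FwRule) -> bool:
    """True if every (source range, port) of `rule` also matches `shadower`."""
    if shadower.direction != rule.direction or shadower.protocol != rule.protocol:
        return False
    if shadower.ports is not None and (rule.ports is None or not rule.ports <= shadower.ports):
        return False
    return all(any(ip_network(r).subnet_of(ip_network(s)) for s in shadower.source_ranges)
               for r in rule.source_ranges)


def find_shadowed(rules: List[FwRule]) -> Dict[str, List[str]]:
    """Map each shadowed rule name to the higher-or-equal priority rules that cover it.
    Simplification: one rule must cover the whole shadowed rule; Firewall Insights
    also recognises coverage by the union of several rules."""
    result: Dict[str, List[str]] = {}
    for rule in rules:
        shadowers = [o.name for o in rules
                     if o is not rule and o.priority <= rule.priority and covers(o, rule)]
        if shadowers:
            result[rule.name] = shadowers
    return result


SAMPLE_RULES = [
    FwRule("allow-all-internal", 900, "INGRESS", "allow", "tcp", ["10.0.0.0/8"], None),
    FwRule("deny-ssh-from-dev-subnet", 1000, "INGRESS", "deny", "tcp", ["10.10.0.0/16"], {22}),
    FwRule("allow-https-public", 1000, "INGRESS", "allow", "tcp", ["0.0.0.0/0"], {443}),
    FwRule("allow-https-office", 2000, "INGRESS", "allow", "tcp", ["203.0.113.0/24"], {443}),
]
```

The deny rule for SSH is the case worth noticing: it is shadowed by a broader allow with a better priority, so it never takes effect.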
Your organization wants to publish yearly reports of your website usage analytics. You must ensure that no data with personally identifiable information (PII) is published by using the Cloud Data Loss Prevention (Cloud DLP) API. Data integrity must be preserved.
What should you do?
- A . Encrypt the PII from the report by using the Cloud DLP API.
- B . Discover and transform PII data in your reports by using the Cloud DLP API.
- C . Detect all PII in storage by using the Cloud DLP API. Create a cloud function to delete the PII.
- D . Discover and quarantine your PII data in your storage by using the Cloud DLP API.
B
Explanation:
To ensure that no personally identifiable information (PII) is published in your yearly website usage analytics reports while preserving data integrity, the Cloud Data Loss Prevention (Cloud DLP) API can be utilized to identify and transform PII within your datasets.
Option A: Encrypting PII does not remove it from the reports; it merely obscures it, which may not be sufficient for compliance or privacy requirements.
Option B: Discovering and transforming PII ensures that sensitive information is either masked, tokenized, or otherwise obfuscated, effectively removing PII from the reports while maintaining the overall structure and utility of the data.
Option C: Detecting and deleting PII could lead to loss of valuable data and may disrupt the integrity of the reports.
Option D: Quarantining PII data implies isolating it, which doesn’t address the need to publish reports without PII.
Therefore, Option B is the most appropriate approach, as it leverages the Cloud DLP API to identify and transform PII, ensuring that the published reports are free from sensitive information while preserving data integrity.
Reference: Cloud DLP Overview
De-identifying Sensitive Data
Your organization wants to be continuously evaluated against CIS Google Cloud Computing Foundations Benchmark v1.3.0 (CIS Google Cloud Foundation 1.3). Some of the controls are irrelevant to your organization and must be disregarded in evaluation. You need to create an automated system or process to ensure that only the relevant controls are evaluated.
What should you do?
- A . Mark all security findings that are irrelevant with a tag and a value that indicates a security exception. Select all marked findings and mute them on the console every time they appear. Activate Security Command Center (SCC) Premium.
- B . Activate Security Command Center (SCC) Premium. Create a rule to mute the security findings in SCC so they are not evaluated.
- C . Download all findings from Security Command Center (SCC) to a CSV file. Mark the findings that are part of CIS Google Cloud Foundation 1.3 in the file. Ignore the entries that are irrelevant and out of scope for the company.
- D . Ask an external audit company to provide independent reports including needed CIS benchmarks. In the scope of the audit, clarify that some of the controls are not needed and must be disregarded.
B
Explanation:
Activate Security Command Center (SCC) Premium: Security Command Center (SCC) Premium provides advanced security analytics and best practice recommendations for your Google Cloud environment. It includes functionalities such as asset discovery, vulnerability scanning, and security findings.
Create a Custom Rule to Mute Irrelevant Security Findings:
Navigate to the Security Command Center (SCC) in the Google Cloud Console.
Go to the "Settings" tab and find the "Mute findings" section.
Create a new mute rule by specifying the conditions that match the irrelevant controls you want to disregard. These conditions can be based on attributes such as resource type, finding type, and other metadata.
Apply this mute rule, which will ensure that the specified findings are not evaluated in your security posture assessments.
Ensure Continuous Compliance Monitoring:
The mute rules will automatically filter out the irrelevant findings, ensuring that only relevant controls from the CIS Google Cloud Computing Foundations Benchmark v1.3.0 are evaluated.
Regularly review and update the mute rules to adapt to any changes in your compliance requirements or security posture.
Reference: Security Command Center Documentation
Creating and Managing Mute Rules
