Practice Free Professional Cloud Security Engineer Exam Online Questions
Validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery.
Explanation:
To validate that all data written to BigQuery was done using the App Engine Default Service Account, you can use Stackdriver Logging (now Cloud Logging) to filter and inspect the logs for BigQuery insert jobs. Hide the entries whose principal matches the App Engine Default Service Account; if the resulting list is empty, no other service account has written to BigQuery.
Steps:
Open Cloud Logging: Navigate to Cloud Logging in the Google Cloud Console.
Filter Logs: Apply a filter to display logs for BigQuery insert jobs.
Inspect Entries: Click on the email address that corresponds to the App Engine Default Service Account in the authentication field.
Hide Matching Entries: Select the option to hide matching entries.
Validate: Check if the resulting list is empty, confirming that no other service account has performed write operations to BigQuery.
Reference: Google Cloud Logging
Monitoring BigQuery logs
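The "hide matching entries" check from the steps above, run as an added example (not code from the original page) over constructed BigQuery audit-log entries. It assumes the legacy BigQuery AuditData field names (protoPayload.methodName, protoPayload.authenticationInfo.principalEmail) and extends the page's filter to streaming inserts, which are logged under a separate method; "my-project" stands in for a real project ID.

```python
# Added example, not from the original page: the "hide matching entries" check
# from the steps above, run over constructed BigQuery audit-log entries that
# follow the legacy AuditData field names (protoPayload.methodName,
# protoPayload.authenticationInfo.principalEmail).

# App Engine default service account; "my-project" stands in for PROJECT_ID.
APP_ENGINE_SA = "my-project@appspot.gserviceaccount.com"

# The steps above look only at insert jobs (query/load/copy). Streaming
# inserts are logged under a different method, so both are covered here.
WRITE_METHODS = ("jobservice.insert", "tabledataservice.insertall")

# Equivalent Cloud Logging query (assumes the legacy field names above).
LOGGING_QUERY = (
    'protoPayload.methodName=("jobservice.insert" OR "tabledataservice.insertall")\n'
    f'-protoPayload.authenticationInfo.principalEmail="{APP_ENGINE_SA}"'
)

def write_entries(entries, methods=WRITE_METHODS):
    """Keep only audit entries that record a BigQuery write."""
    return [e for e in entries
            if e.get("protoPayload", {}).get("methodName") in methods]

def other_writers(entries, expected_sa=APP_ENGINE_SA):
    """Principals other than expected_sa that wrote; empty set means the check passes."""
    principals = set()
    for e in write_entries(entries):
        auth = e["protoPayload"].get("authenticationInfo", {})
        principal = auth.get("principalEmail")
        if principal and principal != expected_sa:
            principals.add(principal)
    return principals

def entry(method, principal):
    """Build a minimal constructed audit-log entry."""
    return {"protoPayload": {"methodName": method,
                             "authenticationInfo": {"principalEmail": principal}}}

# Constructed sample: two insert jobs by the App Engine SA, one streaming
# insert by another service account, and one read that must not count.
SAMPLE_ENTRIES = [
    entry("jobservice.insert", APP_ENGINE_SA),
    entry("jobservice.insert", APP_ENGINE_SA),
    entry("tabledataservice.insertall", "etl-runner@my-project.iam.gserviceaccount.com"),
    entry("tabledataservice.list", "analyst@example.com"),
]

if __name__ == "__main__":
    print(other_writers(SAMPLE_ENTRIES))  # {'etl-runner@my-project.iam.gserviceaccount.com'}
```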
Your organization has recently migrated sensitive customer data to Cloud Storage buckets. For compliance reasons, you must ensure that all vendor data access and administrative access by Google personnel is logged.
What should you do?
- A . Configure Data Access audit logs for Cloud Storage on the project hosting the Cloud Storage buckets.
- B . Enable Access Transparency for the organization.
- C . Configure Data Access audit logs for Cloud Storage at the organization level.
- D . Enable Access Transparency for the project hosting the Cloud Storage buckets.
B
Explanation:
The requirement to log access by Google personnel (e.g., Google administrators or support) is the specific function of Access Transparency.
Access Transparency logs provide records of actions taken by Google staff when they interact with your content, which is a requirement for many regulated industries. It is typically enabled at the Organization level to ensure consistent coverage, though it can be configured lower.
Extracts:
"Access Transparency logs provide records of actions taken by Google employees when accessing your data or configuration… Access Transparency allows you to monitor compliance with vendor access rules, including those for security and privacy." (Source 9.1)
"Access Transparency is enabled for all supported Google Cloud services across your organization when enabled at the organization level." (Source 9.2)
Options A and C (Data Access audit logs) record customer/user access to data, but do not record actions taken by Google personnel.
Your organization operates a hybrid cloud environment and has recently deployed a private Artifact Registry repository in Google Cloud.
On-premises developers cannot resolve the Artifact Registry hostname and therefore cannot push or pull artifacts.
You’ve verified the following:
Connectivity to Google Cloud is established by Cloud VPN or Cloud Interconnect.
No custom DNS configurations exist on-premises.
There is no route to the internet from the on-premises network.
You need to identify the cause and enable the developers to push and pull artifacts.
What is likely causing the issue and what should you do to fix the issue?
- A . Artifact Registry requires external HTTP/HTTPS access. Create a new firewall rule allowing ingress traffic on ports 80 and 443 from the developer’s IP ranges.
- B . Private Google Access is not enabled for the subnet hosting the Artifact Registry. Enable Private Google Access for the appropriate subnet.
- C . On-premises DNS servers lack the necessary records to resolve private Google API domains. Create DNS records for restricted.googleapis.com or private.googleapis.com pointing to Google’s published IP ranges.
- D . Developers must be granted the artifactregistry.writer IAM role. Grant the relevant developer group this role.
C
Explanation:
The problem is that the on-premises developers cannot resolve the Artifact Registry hostname, and they have no route to the internet. This is a classic DNS resolution problem in a hybrid network using private API access.
Artifact Registry is a Google-managed service, and its hostname (e.g., us-west1-docker.pkg.dev) resolves to a Google API domain. To access Google services privately from an on-premises network without an internet route, the traffic must be directed to Private Google Access IP ranges.
Issue: The on-premises DNS cannot resolve the Google service domain to the required private IP range.
Solution: The on-premises DNS needs a record (or a forwarding rule) to resolve the Google service domain to the dedicated IP ranges used for Private Google Access, specifically restricted.googleapis.com or private.googleapis.com (which provide the IP addresses for private access).
Extracts (Conceptual Basis):
"To direct traffic privately, you must ensure that your on-premises network’s DNS is configured to resolve Google API and service domain names to the IP address range for Private Google Access." (Source 1.1)
"The IP addresses for private.googleapis.com are used for Private Google Access. To enable on-premises hosts to access Google APIs and services using this method, you must configure on-premises DNS to resolve requests for Google API domain names to the IP address range for private.googleapis.com." (Source 1.2)
Option B is incorrect because Private Google Access (PGA) is enabled on the VPC subnet, allowing VMs within the VPC to access Google APIs. However, the problem is with the on-premises developers; the on-premises DNS must be configured to resolve the hostname correctly.
You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources. Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts.
Which two actions should you take? (Choose two.)
- A . Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity.
- B . Use the Google Admin console to view which managed users are using a personal account for their recovery email.
- C . Add users to your managed Google account and force users to change the email addresses associated with their personal accounts.
- D . Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts.
- E . Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.
A,D
Explanation:
To manage user accounts and ensure they comply with corporate policies, using Google Cloud Directory Sync (GCDS) allows synchronization between your local identity system and Cloud Identity. The Transfer Tool for Unmanaged Users (TTUU) helps identify and manage conflicting accounts by allowing users to transfer their personal accounts to managed accounts.
Steps:
Synchronize Identities: Use GCDS to sync users from your local identity management system to Cloud Identity, ensuring that all corporate user accounts are managed.
Identify Conflicting Accounts: Use TTUU to find users who have personal Google accounts using corporate email addresses.
Manage Conflicting Accounts: Request users to transfer their personal accounts to managed accounts using TTUU, ensuring all accounts are under corporate control.
Reference: Google Cloud Directory Sync
Transfer Tool for Unmanaged Users
location and to deploy different types of models in a consistent way. You must ensure that your users can only access the approved models.
What should you do?
- A . Configure IAM permissions on individual Model Garden to restrict access to specific models.
- B . Regularly audit user activity logs in Vertex AI to identify and revoke access to unapproved models.
- C . Train custom models within your Vertex AI project and restrict user access to these models.
- D . Implement an organization policy that restricts the vertexai.allowedModels constraint.
D
Explanation:
The problem states that the organization is using Model Garden and needs to ensure users can only access approved models. This implies a need for a central, enforceable control mechanism.
Organization Policies and Constraints: Google Cloud Organization Policy Service allows administrators to centrally control resources across an organization. Constraints are specific types of restrictions that can be applied. For AI Platform (which includes Vertex AI and Model Garden), there are specific constraints designed to control model usage.
vertexai.allowedModels Constraint: This specific organization policy constraint is designed precisely to restrict which models can be used within a given organization, folder, or project. It provides a centralized way to define a list of approved models that users are allowed to access.
Extract/Reference: "The vertexai.allowedModels constraint allows you to specify a list of model URIs that are allowed to be used within the resource hierarchy." and "This constraint helps organizations enforce compliance and control which models are consumed by their users." (Google Cloud documentation, typically found under Organization Policy Service constraints for Vertex AI or AI Platform)
Let’s evaluate the other options:
You are setting up a new Cloud Storage bucket in your environment that is encrypted with a customer-managed encryption key (CMEK). The CMEK is stored in Cloud Key Management Service (KMS) in project "prj-a", and the Cloud Storage bucket will use project "prj-b". The key is backed by a Cloud Hardware Security Module (HSM) and resides in the region europe-west3. Your storage bucket will be located in the region europe-west1. When you create the bucket, you cannot access the key, and you need to troubleshoot why.
What has caused the access issue?
- A . A firewall rule prevents the key from being accessible.
- B . Cloud HSM does not support Cloud Storage
- C . The CMEK is in a different project than the Cloud Storage bucket
- D . The CMEK is in a different region than the Cloud Storage bucket.
D
Explanation:
When you use a customer-managed encryption key (CMEK) to secure a Cloud Storage bucket, the key and the bucket must be located in the same region. In this case, the key is in europe-west3 and the bucket is in europe-west1, which is why you’re unable to access the key.
A customer has an analytics workload running on Compute Engine that should have limited internet access.
Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.
The Compute Engine instances now need to reach out to the public repository to get security updates.
What should your team do?
- A . Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.
- B . Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.
- C . Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.
- D . Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.
B
Explanation:
To allow Compute Engine instances to access public repositories for security updates while an egress firewall rule is in place to deny all internet traffic, you need to create a more specific egress rule that permits traffic to the CIDR range of the repository. This rule must take precedence over the deny rule, which in Google Cloud means giving it a lower priority number (less than 1000), because rules with lower numbers are evaluated first.
Steps:
Identify the CIDR Range: Determine the CIDR range of the public repository from which the security updates will be fetched.
Create Egress Firewall Rule: Create a new egress firewall rule allowing traffic to the identified CIDR range with a priority less than 1000.
Apply Firewall Rule: Use the Google Cloud Console or gcloud command-line tool to apply the new firewall rule.
Reference: Google Cloud: Firewall rules
Creating firewall rules
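A small model of VPC egress firewall evaluation, added here as an example (not code from the original page and not Google's implementation) to show why the allow rule needs a priority number below the deny rule's 1000. It assumes the documented ordering (lower number wins, deny beats allow on ties, implied allow-egress at 65535); 203.0.113.0/24 is a placeholder for the repository's published range.

```python
import ipaddress

# Added example, not from the original page and not Google's own code: a model
# of VPC egress firewall evaluation. Ordering assumed from the documented
# behaviour: lower priority number wins; among rules with the same priority,
# deny takes precedence over allow; the implied allow-egress rule sits at
# priority 65535. 203.0.113.0/24 is a placeholder for the repository's
# published CIDR range.

REPO_CIDR = "203.0.113.0/24"

DENY_INTERNET = {"name": "deny-internet", "priority": 1000,
                 "action": "deny", "destination_ranges": ["0.0.0.0/0"]}

def allow_repo(priority):
    """Egress allow rule for the repository range at the given priority."""
    return {"name": "allow-repo", "priority": priority,
            "action": "allow", "destination_ranges": [REPO_CIDR]}

def egress_action(rules, dest_ip):
    """Return 'allow' or 'deny' for egress traffic to dest_ip."""
    addr = ipaddress.ip_address(dest_ip)
    # Sort key: priority number first; deny (False < True) before allow on ties.
    ordered = sorted(rules, key=lambda r: (r["priority"], r["action"] != "deny"))
    for rule in ordered:
        # VPC firewall rules match on IP ranges, never hostnames, which is why
        # the hostname-based options in the question cannot be implemented.
        if any(addr in ipaddress.ip_network(c) for c in rule["destination_ranges"]):
            return rule["action"]
    return "allow"  # implied allow-egress rule

def repo_reachable(allow_priority, dest_ip="203.0.113.10"):
    """True if a repository host is reachable with the allow rule at allow_priority."""
    return egress_action([DENY_INTERNET, allow_repo(allow_priority)], dest_ip) == "allow"

if __name__ == "__main__":
    for p in (900, 1000, 1100):
        print(p, repo_reachable(p))  # 900 True, 1000 False, 1100 False
    print(egress_action([DENY_INTERNET, allow_repo(900)], "198.51.100.7"))  # deny
```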
Which Identity-Aware Proxy role should you grant to an Identity and Access Management (IAM) user to access HTTPS resources?
- A . Security Reviewer
- B . IAP-Secured Tunnel User
- C . IAP-Secured Web App User
- D . Service Broker Operator
C
Explanation:
To grant an IAM user access to HTTPS resources protected by Identity-Aware Proxy (IAP), you should assign the IAP-Secured Web App User role.
IAP-Secured Web App User (C):
This role grants the necessary permissions for a user to access web applications secured by IAP. It includes permissions to access the IAP-secured resources, ensuring that users can authenticate and gain the appropriate access based on the policies defined in IAP.
Assigning this role ensures that users have the right level of access to protected web resources, aligned with the security controls enforced by IAP.
Reference
Identity-Aware Proxy Documentation
IAP Roles and Permissions
