Practice Free Professional Cloud Security Engineer Exam Online Questions
You are creating a new infrastructure CI/CD pipeline to deploy hundreds of ephemeral projects in your Google Cloud organization to enable your users to interact with Google Cloud. You want to restrict the use of the default networks in your organization while following Google-recommended best practices.
What should you do?
- A . Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
- B . Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.
- C . Grant your users the IAM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts the compute.googleapis.com API.
- D . Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.
A
Explanation:
Organization Policy: The constraints/compute.skipDefaultNetworkCreation boolean constraint stops Compute Engine from creating the auto-mode default network (and its permissive default-allow-* firewall rules) when a project is created.
Policy Application: Enforce the constraint at the organization level so that every new project, including the hundreds of ephemeral ones the pipeline creates, inherits it; there is nothing to remember per project and nothing for a pipeline template to get wrong.
Best Practices Compliance: Google's enterprise guidance is to avoid the default network entirely, because its firewall rules allow SSH, RDP and ICMP from any source and its subnets are not segmented. The other options either clean up after the fact (B, leaving a window during which the default network exists), grant far too much privilege (C, Owner at the organization level), or depend on users never bypassing the templates (D).
Verification: Create a test project after enforcing the constraint and confirm that no network named default exists in it. The constraint is not retroactive: projects created before it was enforced keep their default network and must be cleaned up separately.
Reference:
Google Cloud – Organization Policy Constraints
Google Cloud – Best Practices for Enterprise Organizations
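As an added example (not part of the exam page), the following script builds the Organization Policy v2 body that enforces the constraint at the organization level and then audits a Cloud Asset Inventory style export for projects that still carry a default or auto-mode network, which is the verification step above applied to existing projects as well as new ones. The asset records are constructed sample data and the organization and project names are placeholders.

```python
"""Added example (not from the exam page): enforce and verify
compute.skipDefaultNetworkCreation.

build_skip_default_network_policy() returns the Organization Policy v2
resource for the constraint; find_default_networks() scans a Cloud Asset
Inventory export of compute.googleapis.com/Network assets for any
project that still has a 'default' or auto-mode network. The asset
records below are constructed sample data; ORG_ID and project names are
placeholders.
"""
from typing import Iterable

CONSTRAINT = "compute.skipDefaultNetworkCreation"


def build_skip_default_network_policy(org_id: str) -> dict:
    """Return the Organization Policy v2 resource that enforces the
    boolean constraint at the organization level."""
    return {
        "name": f"organizations/{org_id}/policies/{CONSTRAINT}",
        "spec": {"rules": [{"enforce": True}]},
    }


def find_default_networks(assets: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (project, reason) pairs for networks that look like the
    auto-created default network: named 'default' or in auto mode
    (autoCreateSubnetworks=True). Other asset types are ignored."""
    findings = []
    for asset in assets:
        if asset.get("assetType") != "compute.googleapis.com/Network":
            continue
        data = asset.get("resource", {}).get("data", {})
        # asset names look like //compute.googleapis.com/projects/P/global/networks/N
        project = asset["name"].split("/projects/")[1].split("/")[0]
        if data.get("name") == "default":
            findings.append((project, "network named 'default'"))
        elif data.get("autoCreateSubnetworks"):
            findings.append((project, f"auto-mode network '{data.get('name')}'"))
    return findings


# Constructed sample export: one project created before the policy was
# enforced, one created after it, plus an unrelated asset type.
SAMPLE_ASSETS = [
    {"name": "//compute.googleapis.com/projects/legacy-proj/global/networks/default",
     "assetType": "compute.googleapis.com/Network",
     "resource": {"data": {"name": "default", "autoCreateSubnetworks": True}}},
    {"name": "//compute.googleapis.com/projects/new-proj/global/networks/app-vpc",
     "assetType": "compute.googleapis.com/Network",
     "resource": {"data": {"name": "app-vpc", "autoCreateSubnetworks": False}}},
    {"name": "//compute.googleapis.com/projects/new-proj/global/networks/auto-vpc",
     "assetType": "compute.googleapis.com/Network",
     "resource": {"data": {"name": "auto-vpc", "autoCreateSubnetworks": True}}},
    {"name": "//cloudresourcemanager.googleapis.com/projects/new-proj",
     "assetType": "cloudresourcemanager.googleapis.com/Project",
     "resource": {"data": {"projectId": "new-proj"}}},
]

if __name__ == "__main__":
    print(build_skip_default_network_policy("123456789012"))
    for project, reason in find_default_networks(SAMPLE_ASSETS):
        print(f"{project}: {reason}")
```

The auto-mode check matters because a network renamed away from "default" but left in auto mode still has a subnet in every region; the constraint prevents creation of the default network, so anything this audit reports was created before enforcement or by hand.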
Your company is moving to Google Cloud. You plan to sync your users first by using Google Cloud Directory Sync (GCDS). Some employees have already created Google Cloud accounts by using their company email addresses that were created outside of GCDS. You must create your users on Cloud Identity.
What should you do?
- A . Configure GCDS and use GCDS search rules to sync these users.
- B . Use the transfer tool to migrate unmanaged users.
- C . Write a custom script to identify existing Google Cloud users and call the Admin SDK Directory API to transfer their account.
- D . Configure GCDS and use GCDS exclusion rules to ensure users are not suspended.
B
Explanation:
Understanding Unmanaged Users:
Unmanaged (also called conflicting) accounts are consumer Google accounts that employees created themselves with their company email address before the organization verified the domain in Cloud Identity. They are not in your directory, so GCDS cannot see or govern them.
Challenge:
If you simply sync users from the on-premises directory, Cloud Identity has to create a managed account for an address that already belongs to a consumer account. The result is a conflicting account, and the employee can be cut off from data they already created in Google Cloud. The goal is to bring these accounts under management without that disruption.
Using the Transfer Tool:
Google provides the transfer tool for unmanaged users in the Admin console for exactly this case. It lets an administrator invite the owners of unmanaged accounts to transfer those accounts into the organization's Cloud Identity or Google Workspace account.
Steps to Use the Transfer Tool:
Step 1: Open the transfer tool from the Google Admin console.
Step 2: Identify the unmanaged users by their email addresses.
Step 3: Send transfer requests to these users.
Step 4: Once a user accepts, the account becomes a managed account in the organization's domain, and a subsequent GCDS sync matches it instead of creating a conflict.
Benefits:
This method gives users a smooth transition without losing access to their existing data and services.
It follows Google's recommended order of operations: resolve conflicting accounts first, then turn on directory sync. Search rules (A) and exclusion rules (D) only change which directory entries GCDS processes; neither can take ownership of an account that lives outside the organization.
Reference:
Migrate unmanaged users
Google Cloud Directory Sync
Configure private access using the restricted.googleapis.com domains in on-premises DNS configurations.
Explanation:
Set up a Dedicated Interconnect link between the on-premises environment and Google Cloud: Dedicated Interconnect is a direct physical connection between your on-premises network and Google's network, suited to high-throughput, low-latency traffic that must never traverse the public internet.
Order the Dedicated Interconnect from the Google Cloud console, specifying the required bandwidth and colocation facility, then create a VLAN attachment bound to a Cloud Router in your VPC.
Once provisioned, configure the on-premises router and the BGP session with the Cloud Router. The Cloud Router must advertise the restricted VIP range 199.36.153.4/30 to on-premises as a custom route advertisement; without that route, on-premises hosts cannot reach the VIP even when DNS is correct.
Configure private access using the restricted.googleapis.com domains in on-premises DNS configurations:
Configure your on-premises DNS so that *.googleapis.com resolves to the four addresses of restricted.googleapis.com (199.36.153.4/30) rather than to Google's public front ends. API requests then travel over the Interconnect and are answered by the restricted VIP, which serves only APIs that support VPC Service Controls, so a call to an unsupported API fails rather than being silently routed to the internet.
This setup keeps all Google Cloud API traffic on the private link and subject to VPC Service Controls. That is the reason to choose restricted.googleapis.com over private.googleapis.com (199.36.153.8/30), which reaches every Google API, including those without VPC Service Controls support, and therefore cannot stop exfiltration through an unsupported API.
Reference:
Dedicated Interconnect Overview
Configuring DNS to use restricted.googleapis.com
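As an added example (not part of the exam page), this script is the check a practitioner runs after the DNS change: it classifies the addresses an on-premises resolver returns for googleapis.com hostnames against the published restricted and private VIP ranges and reports any name that would still send API traffic to a public front end or to the non-restricted VIP. The resolver answers are constructed sample data; the hostnames and the public address are placeholders.

```python
"""Added example (not from the exam page): verify that on-premises DNS
answers for *.googleapis.com land on the restricted VIP.

Google publishes fixed ranges for the two Private Google Access VIPs:
restricted.googleapis.com -> 199.36.153.4/30 (VPC Service Controls
aware APIs only) and private.googleapis.com -> 199.36.153.8/30. The
resolver answers below are constructed sample data, not real lookups.
"""
import ipaddress

RESTRICTED_VIP = ipaddress.ip_network("199.36.153.4/30")
PRIVATE_VIP = ipaddress.ip_network("199.36.153.8/30")


def classify_answer(ip: str) -> str:
    """Classify one resolved address as restricted, private or public."""
    addr = ipaddress.ip_address(ip)
    if addr in RESTRICTED_VIP:
        return "restricted"
    if addr in PRIVATE_VIP:
        return "private"
    return "public"


def audit_resolver(answers: dict[str, list[str]]) -> list[str]:
    """Return hostnames whose answers are not all on the restricted VIP.
    A googleapis.com name resolving to a public front end means API
    traffic leaves the Interconnect; one resolving to the private VIP
    means unsupported APIs are still reachable from inside the perimeter."""
    bad = []
    for host, ips in sorted(answers.items()):
        kinds = {classify_answer(ip) for ip in ips}
        if kinds != {"restricted"}:
            bad.append(host)
    return bad


# Constructed sample resolver output (what `dig` against the on-prem
# resolver might return): one correct name, one still public, one on the
# private (non VPC-SC) VIP. 142.250.190.10 is a placeholder public address.
SAMPLE_ANSWERS = {
    "storage.googleapis.com": ["199.36.153.4", "199.36.153.5"],
    "bigquery.googleapis.com": ["142.250.190.10"],   # public front end
    "compute.googleapis.com": ["199.36.153.8"],      # private.googleapis.com VIP
}

if __name__ == "__main__":
    for host in audit_resolver(SAMPLE_ANSWERS):
        print("NOT on restricted VIP:", host, SAMPLE_ANSWERS[host])
```

Run the same check from a host on the on-premises side, feeding it real resolver output, and also confirm with traceroute that 199.36.153.4 is reached over the Interconnect; DNS pointing at the VIP without the BGP advertisement yields timeouts rather than private access.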
You perform a security assessment on a customer architecture and discover that multiple VMs have public IP addresses. After providing a recommendation to remove the public IP addresses, you are told those VMs need to communicate to external sites as part of the customer’s typical operations.
What should you recommend to reduce the need for public IP addresses in your customer’s VMs?
- A . Google Cloud Armor
- B . Cloud NAT
- C . Cloud Router
- D . Cloud VPN
B
Explanation:
Cloud NAT is a managed, software-defined network address translation service. Instances that have only internal IP addresses can initiate outbound connections to the internet through the NAT gateway, which rewrites the source to an address it owns, while nothing on the internet can initiate a connection to the instances because they have no public address to target.
Cloud NAT Setup: Create a Cloud Router in the VPC and region of the VMs, then configure a Cloud NAT gateway on that router for the subnets (or the whole region) the VMs use. Leave the VMs with internal IP addresses only.
Network Security: Because Cloud NAT translates only connections the VM initiates, the VMs drop off the internet-facing attack surface entirely; inbound exposure is removed, not merely hidden behind another address. Enable Cloud NAT logging if you need a record of which VM reached which external endpoint.
Operational Continuity: VMs keep communicating with external sites as their operations require, so both the security and the functional requirements are met. Google Cloud Armor (A) protects inbound traffic to load balancers, Cloud Router (C) is only the routing component a NAT gateway is attached to, and Cloud VPN (D) connects networks rather than providing internet egress.
Reference: Cloud NAT Documentation
Your company uses Google Cloud and has publicly exposed network assets. You want to discover the assets and perform a security audit on these assets by using a software tool in the least amount of time.
What should you do?
- A . Run a platform security scanner on all instances in the organization.
- B . Notify Google about the pending audit and wait for confirmation before performing the scan.
- C . Contact a Google approved security vendor to perform the audit.
- D . Identify all external assets by using Cloud Asset Inventory and then run a network security scanner against them.
D
Explanation:
Cloud Asset Inventory: Cloud Asset Inventory lets you enumerate every resource in the organization quickly, and in particular the ones reachable from the internet: instances with external IP addresses, external load balancer forwarding rules, and so on. This establishes the scope of the audit without sending a packet.
Network Security Scanner: With that list of external assets, run a network security scanner against them to find open ports, exposed services and known vulnerabilities. Scanning only the assets that are actually exposed, rather than every instance (A), is what makes this the fastest approach. Google does not require advance notice or approval for penetration tests of your own projects (B) as long as you stay within the Acceptable Use Policy, and engaging an external vendor (C) adds lead time the question rules out.
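As an added example (not part of the exam page), the script below performs the first half of option D: it walks a Cloud Asset Inventory export and extracts every internet-reachable address, taking external NAT IPs from instance network interfaces and the addresses of EXTERNAL forwarding rules, and emits a target file a scanner such as nmap can consume. The asset records are constructed sample data; the project, resource names and addresses are placeholders.

```python
"""Added example (not from the exam page): derive a scan target list of
internet-exposed addresses from a Cloud Asset Inventory export.

Two asset types carry public reachability: Compute Engine instances with
an external NAT IP in a network interface accessConfig, and forwarding
rules whose loadBalancingScheme is EXTERNAL or EXTERNAL_MANAGED. The
export records below are constructed sample data.
"""
import ipaddress
from typing import Iterable


def _project(asset_name: str) -> str:
    # //compute.googleapis.com/projects/P/zones/Z/instances/I
    return asset_name.split("/projects/")[1].split("/")[0]


def external_targets(assets: Iterable[dict]) -> list[dict]:
    """Return one target per public address: {project, kind, resource, ip}."""
    targets = []
    for asset in assets:
        atype = asset.get("assetType")
        data = asset.get("resource", {}).get("data", {})
        if atype == "compute.googleapis.com/Instance":
            for nic in data.get("networkInterfaces", []):
                for ac in nic.get("accessConfigs", []):
                    ip = ac.get("natIP")
                    if ip:
                        targets.append({"project": _project(asset["name"]),
                                        "kind": "instance",
                                        "resource": data["name"], "ip": ip})
        elif atype == "compute.googleapis.com/ForwardingRule":
            scheme = data.get("loadBalancingScheme", "")
            ip = data.get("IPAddress")
            if (scheme.startswith("EXTERNAL") and ip
                    and not ipaddress.ip_address(ip).is_private):
                targets.append({"project": _project(asset["name"]),
                                "kind": "forwarding-rule",
                                "resource": data["name"], "ip": ip})
    return targets


def nmap_target_file(targets: list[dict]) -> str:
    """Deduplicated, newline-separated IP list suitable for `nmap -iL`."""
    return "\n".join(sorted({t["ip"] for t in targets})) + "\n"


# Constructed sample export: one instance with a public IP, one internal
# only, one external load balancer rule and one internal rule.
SAMPLE_ASSETS = [
    {"name": "//compute.googleapis.com/projects/web-prod/zones/us-central1-a/instances/web-1",
     "assetType": "compute.googleapis.com/Instance",
     "resource": {"data": {"name": "web-1", "networkInterfaces": [
         {"networkIP": "10.10.0.2",
          "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "34.120.10.5"}]}]}}},
    {"name": "//compute.googleapis.com/projects/web-prod/zones/us-central1-a/instances/db-1",
     "assetType": "compute.googleapis.com/Instance",
     "resource": {"data": {"name": "db-1",
                           "networkInterfaces": [{"networkIP": "10.10.0.3"}]}}},
    {"name": "//compute.googleapis.com/projects/web-prod/global/forwardingRules/public-lb",
     "assetType": "compute.googleapis.com/ForwardingRule",
     "resource": {"data": {"name": "public-lb", "loadBalancingScheme": "EXTERNAL_MANAGED",
                           "IPAddress": "34.110.200.7"}}},
    {"name": "//compute.googleapis.com/projects/web-prod/regions/us-central1/forwardingRules/internal-lb",
     "assetType": "compute.googleapis.com/ForwardingRule",
     "resource": {"data": {"name": "internal-lb", "loadBalancingScheme": "INTERNAL",
                           "IPAddress": "10.10.0.50"}}},
]

if __name__ == "__main__":
    found = external_targets(SAMPLE_ASSETS)
    for t in found:
        print(f"{t['project']} {t['kind']} {t['resource']} {t['ip']}")
    print(nmap_target_file(found), end="")
```

Feed the target file to the scanner of your choice; the instance behind the external forwarding rule is scanned through the load balancer address, which is what external users actually see, while db-1 never appears because it has no path from the internet.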
Your organization’s Google Cloud VMs are deployed via an instance template that configures them with a public IP address in order to host web services for external users. The VMs reside in a service project that is attached to a host (VPC) project containing one custom Shared VPC for the VMs. You have been asked to reduce the exposure of the VMs to the internet while continuing to service external users. You have already recreated the instance template without a public IP address configuration to launch the managed instance group (MIG).
What should you do?
- A . Deploy a Cloud NAT Gateway in the service project for the MIG.
- B . Deploy a Cloud NAT Gateway in the host (VPC) project for the MIG.
- C . Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.
- D . Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend.
D
Explanation:
External HTTP(S) Load Balancer: Deploy an external HTTP(S) load balancer to manage traffic to your VMs. This load balancer will handle incoming traffic from the internet while the VMs themselves do not have public IP addresses.
Host (VPC) Project Deployment: Deploy the load balancer in the host (VPC) project. This allows for centralized management of network resources and maintains the integrity of your shared VPC configuration.
Backend Configuration: Configure the MIG as the backend for the load balancer. This setup ensures that the VMs can still serve external users while reducing their direct exposure to the internet. This solution provides the required access to external users through the load balancer, enhancing security by not exposing individual VM IP addresses.
Reference:
Google Cloud – External HTTP(S) Load Balancer Overview
Google Cloud – Shared VPC Overview
You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS). Cloud Identity and Access Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys.
What should you do?
- A . Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the Key level.
- B . Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the KeyRing level.
- C . Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the Key level.
- D . Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the KeyRing level.
B
Explanation:
Managing IAM permissions at the KeyRing level is more efficient and scalable compared to managing them at the individual Key level. By creating a single KeyRing and placing all encryption keys within it, you can apply uniform IAM permissions to the entire KeyRing, simplifying the management of permissions.
Steps:
Create a KeyRing: Set up a single KeyRing in Cloud KMS for all the encryption keys required for the persistent disks.
Create Encryption Keys: Generate the necessary encryption keys within this KeyRing.
Set IAM Permissions: Assign IAM roles and permissions to the KeyRing to manage access control at this level, ensuring that all keys within the KeyRing inherit these permissions.
Reference:
Google Cloud: Cloud Key Management Service (KMS)
Managing access to resources
You must ensure that the keys used for at-rest encryption of your data are compliant with your organization’s security controls. One security control mandates that keys get rotated every 90 days. You must implement an effective detection strategy to validate if keys are rotated as required.
What should you do?
- A . Analyze the crypto key versions of the keys by using data from Cloud Asset Inventory. If an active key is older than 90 days, send an alert message through your incident notification channel.
- B . Identify keys that have not been rotated by using Security Health Analytics. If a key is not rotated after 90 days, a finding in Security Command Center is raised.
- C . Assess the keys in the Cloud Key Management Service by implementing code in Cloud Run. If a key is not rotated after 90 days, raise a finding in Security Command Center.
- D . Define a metric that checks for timely key updates by using Cloud Logging. If a key is not rotated after 90 days, send an alert message through your incident notification channel.
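Whichever signal path the detection uses, the underlying check is the same: the age of the newest enabled version of each key, not the age of the key resource itself. As an added example (not part of the exam page), the script below applies that check to CryptoKeyVersion records shaped like those Cloud Asset Inventory returns (name, state, createTime) and reports every key whose live version is older than 90 days. The version records and the reference time are constructed sample data; the project and key names are placeholders.

```python
"""Added example (not from the exam page): detect Cloud KMS keys that
have not been rotated within 90 days.

Rotation creates a new ENABLED CryptoKeyVersion, so the rotation age of a
key is the age of its newest ENABLED version. A version that was created
recently but is disabled or scheduled for destruction does not count.
The version records below mimic Cloud Asset Inventory data for
cloudkms.googleapis.com/CryptoKeyVersion and are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

ROTATION_LIMIT = timedelta(days=90)


def _key_of(version_name: str) -> str:
    # projects/P/locations/L/keyRings/R/cryptoKeys/K/cryptoKeyVersions/N
    return version_name.split("/cryptoKeyVersions/")[0]


def stale_keys(versions: list[dict], now: datetime,
               limit: timedelta = ROTATION_LIMIT) -> dict[str, int]:
    """Map each key whose newest ENABLED version is older than `limit` to
    its age in days. A key with no enabled version at all is judged by its
    newest version of any state, since nothing is rotating it either."""
    newest_enabled: dict[str, datetime] = {}
    newest_any: dict[str, datetime] = {}
    for v in versions:
        key = _key_of(v["name"])
        created = datetime.fromisoformat(v["createTime"].replace("Z", "+00:00"))
        newest_any[key] = max(newest_any.get(key, created), created)
        if v.get("state") == "ENABLED":
            newest_enabled[key] = max(newest_enabled.get(key, created), created)
    findings = {}
    for key, created_any in newest_any.items():
        created = newest_enabled.get(key, created_any)
        age = now - created
        if age > limit:
            findings[key] = age.days
    return findings


# Constructed reference time and sample versions.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
KEY = "projects/demo/locations/us/keyRings/disks/cryptoKeys/"
SAMPLE_VERSIONS = [
    # rotated 10 days before NOW: compliant
    {"name": KEY + "pd-key/cryptoKeyVersions/1", "state": "DISABLED",
     "createTime": "2024-01-01T00:00:00Z"},
    {"name": KEY + "pd-key/cryptoKeyVersions/2", "state": "ENABLED",
     "createTime": "2024-05-22T00:00:00Z"},
    # only version is 120 days old: stale
    {"name": KEY + "old-key/cryptoKeyVersions/1", "state": "ENABLED",
     "createTime": "2024-02-02T00:00:00Z"},
    # a newer version exists but is being destroyed; the live one is 138 days old
    {"name": KEY + "weird-key/cryptoKeyVersions/1", "state": "ENABLED",
     "createTime": "2024-01-15T00:00:00Z"},
    {"name": KEY + "weird-key/cryptoKeyVersions/2", "state": "DESTROY_SCHEDULED",
     "createTime": "2024-05-30T00:00:00Z"},
]

if __name__ == "__main__":
    for key, days in stale_keys(SAMPLE_VERSIONS, NOW).items():
        print(f"ALERT {key}: newest enabled version is {days} days old")
```

The weird-key case is the one naive checks miss: looking only at the most recent version's createTime would call it compliant, although the version actually encrypting data has not changed since January.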
