Practice Free Professional Cloud Security Engineer Exam Online Questions
You must ensure that the keys used for at-rest encryption of your data are compliant with your organization’s security controls. One security control mandates that keys get rotated every 90 days. You must implement an effective detection strategy to validate if keys are rotated as required.
What should you do?
- A . Analyze the crypto key versions of the keys by using data from Cloud Asset Inventory. If an active key is older than 90 days, send an alert message through your incident notification channel.
- B . Identify keys that have not been rotated by using Security Health Analytics. If a key is not rotated after 90 days, a finding in Security Command Center is raised.
- C . Assess the keys in the Cloud Key Management Service by implementing code in Cloud Run. If a key is not rotated after 90 days, raise a finding in Security Command Center.
- D . Define a metric that checks for timely key updates by using Cloud Logging. If a key is not rotated after 90 days, send an alert message through your incident notification channel.
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization’s on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.
Which GCP solution should the organization use?
- A . BigQuery using a data pipeline job with continuous updates via Cloud VPN
- B . Cloud Storage using a scheduled task and gsutil via Cloud Interconnect
- C . Compute Engine Virtual Machines using Persistent Disk via Cloud Interconnect
- D . Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN
B
Explanation:
Objective: Migrate the ongoing data backup and disaster recovery solution to GCP ahead of the production environment.
Solution: Use Cloud Storage as the backup target, fed by a scheduled gsutil job over Cloud Interconnect.
Steps:
Step 1: Use the Cloud Interconnect connection that is being implemented for stable, high-throughput private connectivity between the on-premises environment and GCP. Recurring full or incremental backups are bandwidth-heavy, which is why a dedicated interconnect is preferred over Cloud VPN for this phase.
Step 2: Create a Cloud Storage bucket to hold the backups. Pick a storage class that matches the recovery objective (Standard for data you expect to restore often, Nearline or Coldline for long-retention copies).
Step 3: Use gsutil, the command-line tool for Cloud Storage, to script the transfer; gsutil rsync copies only what changed since the last run. gsutil is in maintenance mode, so for new scripts Google recommends the gcloud storage commands, which accept the same bucket paths.
Step 4: Schedule the script with cron or another scheduler so the backup runs without manual intervention, and protect the bucket with Object Versioning and a retention policy so a compromised on-premises host cannot destroy the off-site copies.
Why not the others: BigQuery (A) and Datastore (D) are an analytics warehouse and an application database, not general-purpose backup targets. Persistent Disk (C) is block storage bound to VM instances; it does not serve as a scalable archive for arbitrary on-premises data.
Cloud Storage with scheduled gsutil jobs gives durable, low-cost object storage for backup and disaster recovery while using the stable connectivity the organization is already building with Cloud Interconnect.
Reference:
Cloud Storage Documentation
gsutil Tool Documentation
Cloud Interconnect Documentation
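The procedure above, as an added example that is not part of the original page: a nightly backup script built around gsutil rsync, meant to be scheduled from cron on the on-premises host. The source directory, bucket name, lock path and host naming are placeholders; override them in the environment. The transfer runs under a lock so overlapping cron runs do not collide, and rsync's -d (delete) flag is deliberately left out so the job can add and update objects but never remove them.

```shell
#!/bin/sh
# Added example, not part of the original page: nightly backup to Cloud Storage
# with gsutil rsync, scheduled from cron on the on-premises host.
# SOURCE_DIR, BUCKET and LOCK_DIR are placeholders; override them in the environment.
set -eu

SOURCE_DIR="${SOURCE_DIR:-/var/backups}"
BUCKET="${BUCKET:-gs://example-org-backups}"     # assumed bucket name
GSUTIL="${GSUTIL:-gsutil}"                       # swap in a stub (e.g. echo) to dry-run
LOCK_DIR="${LOCK_DIR:-/tmp/gcs-backup.lock}"

# Build the transfer command as a string so it can be logged before it runs.
# -m parallelises the upload, -r recurses, -e skips symlinks. rsync's -d flag is
# deliberately absent: the job only adds or updates objects, so a compromised host
# (or a buggy script) cannot delete the off-site copies. Paths are assumed to
# contain no whitespace because the command string is passed to eval.
build_rsync_cmd() {
  printf '%s -m rsync -r -e %s %s' "$GSUTIL" "$1" "$2"
}

# Run one backup under a lock so overlapping cron invocations do not collide.
# mkdir is atomic, which makes it a safe lock primitive in plain sh.
run_backup() {
  src="$1"; dst="$2"
  if ! mkdir "$LOCK_DIR" 2>/dev/null; then
    echo "backup already running, skipping" >&2
    return 75          # EX_TEMPFAIL: cron/monitoring can treat this as a retry
  fi
  cmd=$(build_rsync_cmd "$src" "$dst")
  echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) running: $cmd" >&2
  rc=0
  eval "$cmd" || rc=$?
  rmdir "$LOCK_DIR"
  return "$rc"
}

# Only perform the upload when invoked with --run, so the file can also be sourced
# (for example to test build_rsync_cmd) without touching the bucket.
if [ "${1:-}" = "--run" ]; then
  run_backup "$SOURCE_DIR" "$BUCKET/$(hostname)"
fi
```

A crontab entry such as `0 2 * * * /usr/local/bin/gcs-backup.sh --run >> /var/log/gcs-backup.log 2>&1` runs it nightly. Run it under a dedicated service account that holds only a bucket-scoped role, and turn on Object Versioning plus a retention policy (Bucket Lock if it must be irreversible) on the bucket, so that even a leaked credential with overwrite rights cannot erase history.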
A customer’s data science group wants to use Google Cloud Platform (GCP) for their analytics workloads. Company policy dictates that all data must be company-owned and all user authentications must go through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and realized that their domain was already being used by G Suite.
How should you best advise the Systems Engineer to proceed with the least disruption?
- A . Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.
- B . Register a new domain name, and use that for the new Cloud Identity domain.
- C . Ask Google to provision the data science manager’s account as a Super Administrator in the existing domain.
- D . Ask customer’s management to discover any other uses of Google managed services, and work with the existing Super Administrator.
D
Explanation:
Since the domain is already being used by G Suite, the best course of action is to minimize disruption by discovering any existing uses of Google-managed services. Collaborate with the existing Super Administrator to align the setup with the company’s requirements.
Step-by-Step:
Identify Existing Usage: Have the customer’s management identify all current uses of the domain within Google-managed services.
Collaboration: Work closely with the existing Super Administrator of the domain.
Provision Required Accounts: Ask the Super Administrator to provision necessary accounts and permissions for the data science manager or other relevant personnel.
Integrate SAML IdP: Ensure that the existing domain integrates with the company’s SAML 2.0 IdP for user authentication.
Set Up Cloud Identity: Configure Cloud Identity under the guidance of the Super Administrator without disrupting current services.
Reference:
Google Cloud Identity Administration
Google Support for Domain Issues
A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means.
Which connectivity option should be implemented?
- A . VPC peering
- B . Cloud VPN
- C . Cloud Interconnect
- D . Shared VPC
A
Explanation:
Objective: Ensure private communication between application tiers that live in different GCP Organizations, with no path over the public internet.
Solution: Use VPC Network Peering between the two VPC networks. Peering works across projects and across organizations, and peered networks exchange traffic over Google's internal network using internal IP addresses.
Steps:
Step 1: Agree on IP ranges in advance. Peering is rejected if any subnet ranges in the two networks overlap, so the CIDR blocks of the application and storage tiers must be disjoint.
Step 2: In the project hosting the application tier, create a peering from the application VPC to the storage VPC, naming the peer project and peer network in the other organization.
Step 3: In the storage-tier project, create the matching peering back to the application VPC. The peering only becomes ACTIVE once both sides have created their half.
Step 4: Add firewall rules in each network that allow only the ports the tiers need. Peering exchanges routes, not firewall rules, so each organization keeps control of what it admits.
Why not the others: Cloud VPN (B) encrypts traffic but carries it across the public internet, which the requirement forbids. Cloud Interconnect (C) connects on-premises networks to Google Cloud, not two VPCs. Shared VPC (D) lets projects share one host network, but only within a single organization.
VPC peering connects the two networks privately and directly, so traffic between the tiers never traverses the public internet. Note that peering is not transitive: a third network peered to one side does not gain a path to the other.
Reference:
GCP VPC Peering Documentation
VPC Network Peering Guide
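The pre-check from Step 1 and the two peering commands from Steps 2 and 3, as an added example that is not part of the original page. The project and network names and the sample ranges are placeholders; the CIDR arithmetic runs locally, and the gcloud commands are printed for each organization to run on its own side.

```shell
#!/bin/sh
# Added example, not from the original page: verify that two VPC ranges do not
# overlap (VPC Network Peering refuses overlapping subnets) and emit the peering
# command each organization runs on its own side. All names are placeholders.
set -eu

APP_PROJECT="${APP_PROJECT:-app-org-project}"
APP_VPC="${APP_VPC:-app-vpc}"
STORAGE_PROJECT="${STORAGE_PROJECT:-storage-org-project}"
STORAGE_VPC="${STORAGE_VPC:-storage-vpc}"

# Dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit status 0 when the two CIDR blocks share at least one address.
# Two blocks overlap exactly when they agree on every bit of the shorter prefix.
cidr_overlap() {
  n1=$(ip2int "${1%/*}"); p1=${1#*/}
  n2=$(ip2int "${2%/*}"); p2=${2#*/}
  p=$p1
  [ "$p2" -lt "$p" ] && p=$p2
  [ "$p" -eq 0 ] && return 0                 # a /0 covers every address
  mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
  [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# One gcloud command per side. The peering is only ACTIVE once both exist, and
# each organization keeps its own firewall rules; peering exchanges routes only.
peering_commands() {
  printf 'gcloud compute networks peerings create app-to-storage --project=%s --network=%s --peer-project=%s --peer-network=%s\n' \
    "$APP_PROJECT" "$APP_VPC" "$STORAGE_PROJECT" "$STORAGE_VPC"
  printf 'gcloud compute networks peerings create storage-to-app --project=%s --network=%s --peer-project=%s --peer-network=%s\n' \
    "$STORAGE_PROJECT" "$STORAGE_VPC" "$APP_PROJECT" "$APP_VPC"
}

# Constructed sample ranges for the two networks.
APP_RANGE="${APP_RANGE:-10.10.0.0/20}"
STORAGE_RANGE="${STORAGE_RANGE:-10.20.0.0/20}"

if cidr_overlap "$APP_RANGE" "$STORAGE_RANGE"; then
  echo "ranges $APP_RANGE and $STORAGE_RANGE overlap; peering would be rejected" >&2
  exit 1
fi
peering_commands
```

Run the check against every subnet range on both sides (not just the primary ranges), since secondary ranges used by GKE pods and services participate in the overlap check as well.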
Your organization has Google Cloud applications that require access to external web services. You must monitor, control, and log access to these services. What should you do?
- A . Configure VPC firewall rules to allow the services to access the IP addresses of required external web services.
- B . Set up a Secure Web Proxy that allows access to the specific external web services. Configure applications to use the proxy for the web service requests.
- C . Configure Google Cloud Armor to monitor and protect your applications by checking incoming traffic patterns for attack patterns.
- D . Set up a Cloud NAT instance to allow egress traffic from your VPC.
B
Explanation:
The applications need to reach external web services, and the requirement is to monitor, control, and log that access. That combination points to an application-layer forward proxy, which can intercept, inspect, and log HTTP(S) requests.
Secure Web Proxy (SWP) is Google Cloud's managed explicit forward proxy for HTTP(S) egress. It lets you write granular access policies (for example, allowing only named destination hosts for a given source), inspect traffic for threats, and log every request it handles. Point the applications at the proxy, or route their egress through it, and only the permitted web services remain reachable.
Reference: "Secure Web Proxy is a managed service that lets you deploy and manage an explicit forward proxy to protect your organization's internal resources from web-based threats and to control access to external web applications" and "With Secure Web Proxy, you can: Enforce granular access policies based on different attributes, Log all HTTP(S) requests that are handled by the proxy, and Monitor web traffic for threats" (Google Cloud documentation: https://cloud.google.com/secure-web-proxy).
Evaluating the other options:
A. VPC firewall rules operate at Layer 3 and Layer 4 (IP addresses, protocols, and ports). They can allow or deny traffic to particular IP addresses, but they cannot tell which web service is being called behind a shared IP, inspect request content, or log HTTP(S) requests.
C. Google Cloud Armor is a DDoS-protection and web application firewall (WAF) service for traffic arriving at your load balancers. It protects ingress; it does not control or log egress to external web services.
D. Cloud NAT gives instances without external IP addresses a path to the internet. It performs network address translation only; it does not filter by web service or log requests at the application layer.
Therefore, Secure Web Proxy is the appropriate solution for monitoring, controlling, and logging access from Google Cloud applications to external web services.
You are the project owner for a regulated workload that runs in a project you own and manage as an Identity and Access Management (IAM) admin. For an upcoming audit, you need to provide access reviews evidence.
Which tool should you use?
- A . Policy Troubleshooter
- B . Policy Analyzer
- C . IAM Recommender
- D . Policy Simulator
B
Explanation:
Objective: Provide evidence for access reviews during an audit.
Solution: Use Policy Analyzer, the Cloud Asset Inventory feature that answers "who has what access to which resources" for IAM, including access inherited through the resource hierarchy and through group membership.
Steps:
Step 1: Open the Google Cloud console and go to IAM & Admin, then Policy Analyzer.
Step 2: Select the scope to analyze (your project, or the folder or organization above it) and, optionally, a principal, role, or permission to narrow the query.
Step 3: Run the analysis. The result lists each principal, the role binding that grants the access, and the resource on which it applies.
Step 4: Export or save the results as the access review evidence for the audit. The same analysis is available from the command line through gcloud asset analyze-iam-policy, which is convenient for producing repeatable evidence on a schedule.
Why not the others: Policy Troubleshooter explains why one specific principal does or does not hold one specific permission; IAM Recommender proposes role reductions based on observed usage; Policy Simulator predicts the effect of a proposed policy change before it is applied. None of these produces a review of current access across the project.
Reference:
Policy Analyzer Documentation
You have been tasked with inspecting IP packet data for invalid or malicious content.
What should you do?
- A . Use Packet Mirroring to mirror traffic to and from particular VM instances. Perform inspection using security software that analyzes the mirrored traffic.
- B . Enable VPC Flow Logs for all subnets in the VPC. Perform inspection on the Flow Logs data using Cloud Logging.
- C . Configure the Fluentd agent on each VM Instance within the VPC. Perform inspection on the log data using Cloud Logging.
- D . Configure Google Cloud Armor access logs to perform inspection on the log data.
A
Explanation:
Packet Mirroring Setup: Configure Packet Mirroring in your Google Cloud VPC to capture traffic to and from specific VM instances. This allows you to analyze the traffic for security and compliance purposes.
Security Software: Use specialized security software to inspect the mirrored traffic. This software can detect invalid or malicious content in the IP packets.
Mirroring Configuration: Specify the instances, network, and traffic direction (ingress, egress, or both) to be mirrored. Ensure that the mirrored traffic is directed to an appropriate analysis destination.
Traffic Analysis: Continuously monitor and analyze the mirrored traffic for any signs of malicious activity or anomalies. Use the findings to enhance your security posture and respond to potential threats.
Reference:
Google Cloud – Packet Mirroring
Google Cloud – Packet Mirroring Best Practices
Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization.
How should you enforce this?
- A . Configure Secret Manager to manage service account keys.
- B . Enable an organization policy to disable service accounts from being created.
- C . Enable an organization policy to prevent service account keys from being created.
- D . Remove the iam.serviceAccounts.getAccessToken permission from users.
C
Explanation:
To stop developers from creating user-managed service account keys, enforce the organization policy constraint that forbids their creation. The constraint is iam.disableServiceAccountKeyCreation; set it to enforced at the organization (or folder) level so every project beneath inherits it.
Enable an organization policy to prevent service account keys from being created (C): with the constraint enforced, any attempt to create a key for a service account in scope is denied, so long-lived credentials cannot be minted and later leaked. Developers keep using service accounts through attached identities (Compute Engine, GKE Workload Identity, Cloud Run) and short-lived token impersonation instead. The constraint does not revoke keys that already exist, so inventory those separately and rotate or delete them.
Why not the others: Secret Manager (A) stores secrets but cannot stop a key from being created. Disabling service account creation (B) is a different constraint, iam.disableServiceAccountCreation, which blocks the accounts themselves and breaks legitimate workloads. Removing iam.serviceAccounts.getAccessToken (D) affects impersonation, the mechanism you want developers to use, and has no effect on key creation.
Reference: Service Accounts documentation
Organization Policy Service documentation
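The enforcement step and the follow-up inventory of existing keys, as an added example that is not part of the original page. The organization ID and the service account in the sample are placeholders, and the sample key listing is constructed to look like `gcloud iam service-accounts keys list` output in `value(name,keyType,validAfterTime)` format. Without arguments the script runs the filter over the constructed sample; with `--apply SERVICE_ACCOUNT_EMAIL` it applies the policy and lists that account's user-managed keys.

```shell
#!/bin/sh
# Added example, not from the original page: enforce the organization policy
# constraint that blocks creation of user-managed service account keys, then
# inventory the user-managed keys that already exist, because the constraint only
# stops new keys and does not revoke existing ones. ORG_ID is a placeholder.
set -eu

ORG_ID="${ORG_ID:-123456789012}"
CONSTRAINT="iam.disableServiceAccountKeyCreation"

# Policy document in the form consumed by `gcloud org-policies set-policy FILE`.
render_policy() {
  printf 'name: organizations/%s/policies/%s\nspec:\n  rules:\n  - enforce: true\n' \
    "$1" "$CONSTRAINT"
}

# Reduce `gcloud iam service-accounts keys list --iam-account=SA
#   --format="value(name,keyType,validAfterTime)"` output (tab separated) to the
# user-managed keys. Reads stdin; prints "<key name>\t<valid from>" per match.
# SYSTEM_MANAGED keys are Google-rotated and are not the concern here.
user_managed_keys() {
  awk -F'\t' '$2 == "USER_MANAGED" { print $1 "\t" $3 }'
}

# Constructed sample of the gcloud output, used when the script runs without --apply.
SAMPLE_KEYS=$(printf '%s\t%s\t%s\n' \
  projects/demo/serviceAccounts/ci@demo.iam.gserviceaccount.com/keys/0a1b SYSTEM_MANAGED 2024-05-01T00:00:00Z \
  projects/demo/serviceAccounts/ci@demo.iam.gserviceaccount.com/keys/9f8e USER_MANAGED 2023-02-14T09:30:00Z)

if [ "${1:-}" = "--apply" ]; then
  sa="${2:?usage: $0 --apply SERVICE_ACCOUNT_EMAIL}"
  policy_file=$(mktemp)
  render_policy "$ORG_ID" > "$policy_file"
  gcloud org-policies set-policy "$policy_file"
  rm -f "$policy_file"
  gcloud iam service-accounts keys list --iam-account="$sa" \
    --format="value(name,keyType,validAfterTime)" | user_managed_keys
else
  printf '%s\n' "$SAMPLE_KEYS" | user_managed_keys
fi
```

Enforcing the constraint is the prevention control; the key listing is the detection side, and any USER_MANAGED key it reports is a long-lived credential that still works until it is deleted, so feed that list into your rotation or removal process.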
You are onboarding new users into Cloud Identity and discover that some users have created consumer user accounts using the corporate domain name.
How should you manage these consumer user accounts with Cloud Identity?
- A . Use Google Cloud Directory Sync to convert the unmanaged user accounts.
- B . Create a new managed user account for each consumer user account.
- C . Use the transfer tool for unmanaged user accounts.
- D . Configure single sign-on using a customer’s third-party provider.
C
Explanation:
Consumer accounts that users created with the corporate domain are unmanaged accounts: they carry a corporate email address but are not controlled by the organization. Cloud Identity provides the transfer tool for unmanaged users to bring them under management. The other options do not achieve that: Google Cloud Directory Sync (A) provisions accounts from an LDAP directory but cannot convert an existing consumer account; creating new managed accounts (B) produces conflicting accounts on the same addresses and strands the users' existing data; SSO (D) changes how managed users authenticate and does not touch unmanaged accounts.
Here is how to proceed:
Identify Unmanaged Accounts: In the Admin console, open the transfer tool for unmanaged users to list the consumer accounts that exist under your corporate domain.
Initiate Transfer Process: Select the accounts and send transfer requests. The tool converts unmanaged (consumer) accounts into managed accounts once the user agrees.
User Notification: Each user receives an email asking them to accept the transfer of their account into the organization's managed Cloud Identity.
Accept Transfer: The user follows the instructions in the email to accept. After acceptance, the account is managed under your organization's Cloud Identity and subject to its policies. If a user declines or does not respond, the account stays a consumer account; you can then create a managed account with the same address, and the user is prompted to rename the conflicting consumer account.
Benefits:
Centralized Management: All accounts under the corporate domain are administered centrally, which supports compliance and security requirements.
Enhanced Security: Managed accounts can be placed under the organization's password, 2-Step Verification, and access policies, and can be suspended when a user leaves.
Reference: Transfer tool for unmanaged users
Cloud Identity Documentation
You are implementing a new web application on Google Cloud that will be accessed from your on-premises network. To provide protection from threats like malware, you must implement transport layer security (TLS) interception for incoming traffic to your application.
What should you do?
- A . Configure Secure Web Proxy. Offload the TLS traffic in the load balancer, inspect the traffic, and forward the traffic to the web application.
- B . Configure an internal proxy load balancer. Offload the TLS traffic in the load balancer, inspect the traffic, and forward the traffic to the web application.
- C . Configure a hierarchical firewall policy. Enable TLS interception by using Cloud Next Generation Firewall (NGFW) Enterprise.
- D . Configure a VPC firewall rule. Enable TLS interception by using Cloud Next Generation Firewall (NGFW) Enterprise.
C
Explanation:
TLS interception for traffic entering the VPC is a function of Cloud Next Generation Firewall (NGFW) Enterprise. Its firewall endpoints decrypt matching flows, inspect them with the intrusion prevention service for threats such as malware, and re-encrypt them before they reach the application. TLS inspection is switched on per rule in a firewall policy, so the requirement is met by a hierarchical firewall policy (or a global network firewall policy) whose rules for the application's ingress traffic enable TLS inspection and reference a TLS inspection policy and its CA pool.
Option A: Secure Web Proxy is an explicit forward proxy for egress HTTP(S) traffic leaving your workloads. It is not placed in front of an application for incoming requests, and it is not a load balancer, so it does not provide inbound TLS interception.
Option B: An internal proxy load balancer can terminate TLS and forward requests to backends, but it distributes traffic; it does not inspect the decrypted payload for malware or other threats.
Option D: VPC firewall rules filter on Layer 3 and Layer 4 attributes only. TLS inspection in Cloud NGFW Enterprise is configured on firewall policy rules, not on VPC firewall rules.
Therefore, Option C is the correct choice: a hierarchical firewall policy with TLS interception enabled through Cloud NGFW Enterprise inspects decrypted incoming traffic before it reaches the web application.
Reference:
Cloud NGFW Enterprise Overview
Cloud Load Balancing Overview