Practice Free Professional Cloud Security Engineer Exam Online Questions
Your organization is using Google Workspace, Google Cloud, and a third-party SIEM. You need to export events such as user logins, successful logins, and failed logins to the SIEM. Logs need to be ingested in real time or near real time.
What should you do?
- A . Create a Cloud Logging sink to export relevant authentication logs to a Pub/Sub topic for SIEM subscription.
- B . Poll Cloud Logging for authentication events using the gcloud logging read tool. Forward the events to the SIEM.
- C . Configure Google Workspace to directly send logs to the API endpoint of the third-party SIEM.
- D . Create a Cloud Storage bucket as a sink for all logs. Configure the SIEM to periodically scan the bucket for new log files.
A
Explanation:
The most efficient and recommended way to achieve real-time/near real-time ingestion of logs (including Google Workspace Audit Logs, which feed into Cloud Logging) to a third-party system is by using a Cloud Logging sink to a Pub/Sub topic.
Cloud Logging Sink: Creates a stream of logs filtered by type (e.g., authentication events).
Pub/Sub Topic: A messaging service that acts as a reliable, real-time message queue.
SIEM Subscription: The SIEM system can subscribe directly to the Pub/Sub topic, receiving log events as soon as they are published, meeting the real-time requirement.
Extracts:
"Cloud Logging sinks let you route logs to destinations like Cloud Storage, BigQuery, or Pub/Sub… Routing logs to Pub/Sub enables real-time streaming of log data for consumption by external services or applications, such as a third-party SIEM." (Source 7.1)
Option B (polling) and Option D (Cloud Storage bucket) are batch-oriented methods, which do not meet the real-time/near real-time requirement.
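An added example (not from the page or from Google) of what the SIEM side of this pipeline does once the sink publishes to Pub/Sub: it decodes a push-delivered LogEntry, keeps only Workspace login events, and aggregates failures per user. The sink filter, the `login.googleapis.com` service name and the `google.login.LoginService.*` method names are assumptions about how Workspace login audit entries appear in Cloud Logging; the sample messages are constructed.

```python
import base64
import json
from collections import Counter
# Sink filter so only Workspace login audit entries reach the Pub/Sub topic. The
# service/method names are assumed; verify them against your own log entries.
LOGIN_SINK_FILTER = ('logName:"cloudaudit.googleapis.com%2Fdata_access" '
                     'AND protoPayload.serviceName="login.googleapis.com"')
_PREFIX = "google.login.LoginService."

def parse_login_event(envelope):
    """Decode a Pub/Sub push envelope (base64 LogEntry in message.data) into a flat SIEM event, or None."""
    entry = json.loads(base64.b64decode(envelope["message"]["data"]))
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    if not method.startswith(_PREFIX):
        return None  # not a login event (e.g. a storage access entry)
    return {
        "timestamp": entry.get("timestamp"),
        "user": payload.get("authenticationInfo", {}).get("principalEmail"),
        "outcome": {"loginSuccess": "success",
                    "loginFailure": "failure"}.get(method[len(_PREFIX):], "other"),
        "insert_id": entry.get("insertId"),  # de-duplicate Pub/Sub redeliveries on this
    }

def failed_login_counts(envelopes):
    """SIEM-side aggregation: number of failed logins per principal."""
    counts = Counter()
    for env in envelopes:
        event = parse_login_event(env)
        if event and event["outcome"] == "failure":
            counts[event["user"]] += 1
    return counts

def _envelope(entry):  # wrap a LogEntry as Pub/Sub push delivery does (base64 JSON)
    data = base64.b64encode(json.dumps(entry).encode()).decode()
    return {"message": {"data": data, "messageId": entry["insertId"]}}

def _login_entry(insert_id, method, user):
    return {"insertId": insert_id, "timestamp": "2024-05-01T10:00:00Z",
            "protoPayload": {"serviceName": "login.googleapis.com",
                             "methodName": _PREFIX + method,
                             "authenticationInfo": {"principalEmail": user}}}

# Constructed sample messages (not real log data).
SAMPLE_ENVELOPES = [
    _envelope(_login_entry("e1", "loginFailure", "alice@example.com")),
    _envelope(_login_entry("e2", "loginFailure", "alice@example.com")),
    _envelope(_login_entry("e3", "loginSuccess", "alice@example.com")),
    _envelope({"insertId": "e4", "protoPayload": {"methodName": "storage.objects.get"}}),
]
```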
When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)
- A . Ensure that the app does not run as PID 1.
- B . Package a single app as a container.
- C . Remove any unnecessary tools not needed by the app.
- D . Use public container images as a base image for the app.
- E . Use many container image layers to hide sensitive information.
B,C
Explanation:
When creating a secure container image, it is essential to follow best practices to minimize vulnerabilities and ensure the container operates as intended.
Here are the two key practices:
Package a Single App as a Container: By packaging only a single application within a container, you reduce complexity and potential attack surfaces. This practice aligns with the principle of single responsibility, ensuring each container has a clear and focused purpose.
Remove Any Unnecessary Tools: Any additional tools or software that are not required by the application should be removed from the container image. This minimizes the number of potential vulnerabilities and reduces the attack surface. A minimal container image also leads to smaller image sizes and faster deployment times.
These practices contribute to creating a more secure and efficient container image.
Reference: Container Security Best Practices
Securing Container Images
You discovered that sensitive personally identifiable information (PII) is being ingested into your Google Cloud environment in the daily ETL process from an on-premises environment to your BigQuery datasets. You need to redact this data to obfuscate the PII, but need to re-identify it for data analytics purposes.
Which components should you use in your solution? (Choose two.)
- A . Secret Manager
- B . Cloud Key Management Service
- C . Cloud Data Loss Prevention with cryptographic hashing
- D . Cloud Data Loss Prevention with automatic text redaction
- E . Cloud Data Loss Prevention with deterministic encryption using AES-SIV
C,E
Explanation:
To handle PII data ingestion and ensure both redaction and re-identification for analytics purposes, you can use Cloud Data Loss Prevention (DLP) with appropriate techniques for masking and encryption.
Cloud Data Loss Prevention (DLP) with Cryptographic Hashing (C):
Use Cloud DLP to apply cryptographic hashing to PII data. Hashing transforms the data into a fixed-length string that is not directly readable, providing a layer of obfuscation. This helps mask the PII while retaining the ability to verify data integrity.
Cloud Data Loss Prevention (DLP) with Deterministic Encryption using AES-SIV (E):
Apply deterministic encryption using AES-SIV through Cloud DLP. Deterministic encryption ensures that the same input will always produce the same encrypted output, allowing you to re-identify the PII when necessary. This method enables secure encryption while allowing data re-identification for analytics.
By combining these two approaches, you can effectively mask PII for privacy protection and later re-identify it when required for analysis.
Reference: Cloud Data Loss Prevention Documentation
Data Redaction and Masking Techniques
You are migrating an on-premises data warehouse to BigQuery, Cloud SQL, and Cloud Storage. You need to configure security services in the data warehouse.
Your company compliance policies mandate that the data warehouse must:
• Protect data at rest with full lifecycle management on cryptographic keys
• Implement a separate key management provider from data management
• Provide visibility into all encryption key requests
What services should be included in the data warehouse implementation? (Choose two.)
- A . Customer-managed encryption keys
- B . Customer-Supplied Encryption Keys
- C . Key Access Justifications
- D . Access Transparency and Approval
- E . Cloud External Key Manager
A,E
Explanation:
Customer-Managed Encryption Keys (CMEK):
CMEK allows you to manage encryption keys using Cloud Key Management Service (KMS). This gives you control over the lifecycle of the keys, including rotation, destruction, and auditing.
Set up a Cloud KMS key ring and create encryption keys that will be used to protect your data in BigQuery, Cloud SQL, and Cloud Storage.
Configure the services to use CMEK for encrypting data at rest, ensuring compliance with your organization’s security policies.
Cloud External Key Manager (EKM):
Cloud EKM allows you to use keys managed by an external key management provider to encrypt data in Google Cloud services.
Integrate your external key management system with Google Cloud using supported protocols and APIs.
Configure your data warehouse services to use the external keys for encryption, ensuring that key management is handled outside of the Google Cloud environment.
Key Access Justifications:
Enable Key Access Justifications to provide visibility into why encryption keys are being accessed.
This helps in monitoring and auditing key usage to ensure compliance and security.
Set up policies and logging to capture and review key access requests, providing insights into how and why keys are used.
Access Transparency and Approval:
Implement Access Transparency to gain visibility into Google’s access to your data and encryption keys.
Configure Access Approval to require explicit approval for Google support or engineering access to your data, adding an additional layer of security and control.
Reference: Customer-Managed Encryption Keys (CMEK)
Cloud External Key Manager (EKM)
Key Access Justifications
Access Transparency
Access Approval
Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.
What should you do?
- A . Use the Cloud Key Management Service to manage a data encryption key (DEK).
- B . Use the Cloud Key Management Service to manage a key encryption key (KEK).
- C . Use customer-supplied encryption keys to manage the data encryption key (DEK).
- D . Use customer-supplied encryption keys to manage the key encryption key (KEK).
C
Explanation:
This is a customer-supplied encryption key (CSEK) scenario: you generate your own encryption key and manage it on-premises. A KEK never leaves Cloud KMS, and there is no KEK or KMS on-premises. See "Encryption at rest by default, with various key management options": https://cloud.google.com/security/encryption-at-rest
Reference: https://cloud.google.com/security/encryption-at-rest/default-encryption/
You want to prevent users from accidentally deleting a Shared VPC host project.
Which organization-level policy constraint should you enable?
- A . compute.restrictSharedVpcHostProjects
- B . compute.restrictXpnProjectLienRemoval
- C . compute.restrictSharedVpcSubnetworks
- D . compute.sharedReservationsOwnerProjects
B
Explanation:
Enable the compute.restrictXpnProjectLienRemoval organization-level policy constraint:
This constraint prevents users from removing liens from Shared VPC host projects.
By enabling this constraint, you ensure that the Shared VPC host project cannot be accidentally deleted, as liens prevent deletion without proper authorization.
Apply this constraint via the Google Cloud Console or using the gcloud command-line tool.
Reference: Organization Policy Constraints
Shared VPC
A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.
How should the customer achieve this using Google Cloud Platform?
- A . Use Cloud Source Repositories, and store secrets in Cloud SQL.
- B . Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.
- C . Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL.
- D . Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.
B
Explanation:
Storing secrets securely is crucial for maintaining the integrity and confidentiality of your applications. Here is how you can achieve this using Google Cloud Platform:
Encrypt the Secrets: Use Customer-Managed Encryption Keys (CMEK) to encrypt your secrets. CMEK allows you to have greater control over the encryption keys used to protect your data. This ensures that even if the storage medium is compromised, the secrets remain protected by strong encryption.
Store in Cloud Storage: Store the encrypted secrets in Google Cloud Storage. Cloud Storage is a secure and scalable object storage service. By using encrypted storage, you can ensure that the secrets are securely stored and can only be accessed by authorized entities.
This method provides a secure and managed way to store secrets, ensuring that they are not exposed in plain text within your source code management system.
Reference: Customer-Managed Encryption Keys (CMEK)
Google Cloud Storage Security
Your company hosts a critical web application on Google Cloud. The application is experiencing an increasing number of sophisticated layer 7 attacks, including cross-site scripting (XSS) and SQL injection attempts. You need to protect the application from these attacks while minimizing the impact on legitimate traffic and ensuring high availability.
What should you do?
- A . Enable Google Cloud Armor’s pre-configured WAF rules for OWASP Top 10 vulnerabilities at the backend service.
- B . Implement a load balancer in front of the web application instances, and enable Adaptive Protection and throttling to mitigate the occurrence of these malicious requests.
- C . Configure Cloud Next Generation Firewall to block known malicious IP addresses targeting /32 addresses.
- D . Configure a Cloud Armor security policy with customized and pre-configured WAF rules for OWASP Top 10 vulnerabilities at the load balancer.
D
Explanation:
Layer 7 attacks like XSS and SQL injection are application-level threats that require a Web Application Firewall (WAF) for protection. Google Cloud Armor provides this functionality, integrated with the load balancer.
Cloud Armor: Google Cloud’s distributed denial-of-service (DDoS) protection and WAF service.
WAF Rules: Cloud Armor offers pre-configured OWASP Top 10 rules, which directly defend against XSS, SQL injection, and other common application vulnerabilities.
Deployment: Cloud Armor security policies are applied to a backend service that is behind an external HTTP(S) Load Balancer.
Extracts:
"Cloud Armor WAF capabilities help protect web applications from the OWASP Top 10 vulnerabilities… This includes rulesets specifically designed to detect and mitigate SQL injection (SQLi) and cross-site scripting (XSS) attacks." (Source 4.1)
"Cloud Armor security policies are implemented at the edge of the Google Cloud network, applied to the backend services of an external HTTP(S) Load Balancer." (Source 4.2)
Option A is close but incomplete; WAF rules are implemented via a security policy (Option D).
Option B relies on Adaptive Protection, which is primarily for volumetric DDoS and advanced attacks, but the direct protection for known XSS/SQLi signatures comes from explicit WAF rules.
A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.
Which two strategies should your team use to meet these requirements? (Choose two.)
- A . Configure Private Google Access on the Compute Engine subnet
- B . Avoid assigning public IP addresses to the Compute Engine cluster.
- C . Make sure that the Compute Engine cluster is running on a separate subnet.
- D . Turn off IP forwarding on the Compute Engine instances in the cluster.
- E . Configure a Cloud NAT gateway.
A,B
Explanation:
Objective: Ensure that the analytics workload on Compute Engine instances accessing Cloud Storage does not interact with the public internet.
Solution:
Private Google Access: This allows Compute Engine instances that only have internal IP addresses to reach Google APIs and services through a private connection without the need for a public IP address.
No Public IP Addresses: By avoiding public IP addresses for the instances, you ensure that they are not accessible from the internet and do not initiate internet connections.
Steps:
Step 1: Open the Google Cloud Console.
Step 2: Navigate to the VPC Network page and select the subnet where the Compute Engine instances are located.
Step 3: Enable Private Google Access for the subnet.
Step 4: Ensure that when launching the Compute Engine instances, no public IP addresses are assigned to them.
Reference: Configuring Private Google Access
Preventing External IP Address Assignment
