Google Professional Cloud Security Engineer Exam Practice Test Instant Access

Question 1

You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources. Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts.

Which two actions should you take? (Choose two.)

AUse Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity.

BUse the Google Admin console to view which managed users are using a personal account for their recovery email.

CAdd users to your managed Google account and force users to change the email addresses associated with their personal accounts.

DUse the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts.

ESend an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.

Answer : A, D

To manage user accounts and ensure they comply with corporate policies, using Google Cloud Directory Sync (GCDS) allows synchronization between your local identity system and Cloud Identity. The Transfer Tool for Unmanaged Users (TTUU) helps identify and manage conflicting accounts by allowing users to transfer their personal accounts to managed accounts.

Steps:

Synchronize Identities: Use GCDS to sync users from your local identity management system to Cloud Identity, ensuring that all corporate user accounts are managed.

Identify Conflicting Accounts: Use TTUU to find users who have personal Google accounts using corporate email addresses.

Manage Conflicting Accounts: Request users to transfer their personal accounts to managed accounts using TTUU, ensuring all accounts are under corporate control.

Google Cloud Directory Sync

Transfer Tool for Unmanaged Users

Question 2

Which Google Cloud service should you use to enforce access control policies for applications and resources?

AIdentity-Aware Proxy

BCloud NAT

CGoogle Cloud Armor

DShielded VMs

Answer : A

To enforce access control policies for applications and resources in Google Cloud, the recommended service is Identity-Aware Proxy (IAP).

Identity-Aware Proxy (IAP):

IAP allows you to control access to your applications and resources based on the identity of the user and the context of the request. It integrates with IAM to provide fine-grained access control, ensuring that only authorized users can access specific resources.

IAP helps enforce security policies at the application layer, providing an additional layer of protection beyond traditional network-based security measures.

Identity-Aware Proxy documentation

Question 3

Users are reporting an outage on your public-facing application that is hosted on Compute Engine. You suspect that a recent change to your firewall rules is responsible. You need to test whether your firewall rules are working properly. What should you do?

AEnable Firewall Rules Logging on the latest rules that were changed. Use Logs Explorer to analyze whether the rules are working correctly.

BConnect to a bastion host in your VPC. Use a network traffic analyzer to determine at which point your requests are being blocked.

CIn a pre-production environment, disable all firewall rules individually to determine which one is blocking user traffic.

DEnable VPC Flow Logs in your VPC. Use Logs Explorer to analyze whether the rules are working correctly.

Answer : A

Enable Firewall Rules Logging on the latest rules that were changed. Use Logs Explorer to analyze whether the rules are working correctly:

Enable Firewall Rules Logging for the specific firewall rules in question through the Google Cloud Console.

Once logging is enabled, use Logs Explorer to filter and review the firewall logs.

Analyze the logs to determine if the rules are allowing or blocking traffic as intended, identifying any misconfigurations or issues.

Firewall Rules Logging

Using Logs Explorer

Question 4

You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM.

What should you do?

AConfigure Google Cloud Directory Sync to sync security groups using LDAP search rules that have ''user email address'' as the attribute to facilitate one-way sync.

BConfigure Google Cloud Directory Sync to sync security groups using LDAP search rules that have ''user email address'' as the attribute to facilitate bidirectional sync.

CUse a management tool to sync the subset based on the email address attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

DUse a management tool to sync the subset based on group object class attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

Answer : A

Objective: Synchronize security groups with email addresses from an LDAP directory to Cloud IAM.

Solution: Use Google Cloud Directory Sync (GCDS) to perform one-way synchronization based on LDAP search rules.

Steps:

Step 1: Download and install Google Cloud Directory Sync (GCDS) on a secure server.

Step 2: Configure GCDS with the LDAP server details and authentication.

Step 3: Define LDAP search rules to filter security groups based on the ''user email address'' attribute.

Step 4: Map LDAP security groups to Google Cloud IAM roles.

Step 5: Set up a synchronization schedule to keep the groups in sync.

Step 6: Perform a test sync to ensure that the configuration is correct.

Step 7: Activate the synchronization to keep the LDAP directory and Cloud IAM in sync.

Using GCDS for one-way synchronization ensures that the security groups in Cloud IAM are consistently updated based on the LDAP directory, maintaining alignment with the organization's security policies.

Google Cloud Directory Sync Documentation

Setting Up Google Cloud Directory Sync

Question 5

A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.

How should the customer achieve this using Google Cloud Platform?

AUse Cloud Source Repositories, and store secrets in Cloud SQL.

BEncrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.

CRun the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL.

DDeploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.

Answer : B

Storing secrets securely is crucial for maintaining the integrity and confidentiality of your applications. Here is how you can achieve this using Google Cloud Platform:

Encrypt the Secrets: Use Customer-Managed Encryption Keys (CMEK) to encrypt your secrets. CMEK allows you to have greater control over the encryption keys used to protect your data. This ensures that even if the storage medium is compromised, the secrets remain protected by strong encryption.

Store in Cloud Storage: Store the encrypted secrets in Google Cloud Storage. Cloud Storage is a secure and scalable object storage service. By using encrypted storage, you can ensure that the secrets are securely stored and can only be accessed by authorized entities.

This method provides a secure and managed way to store secrets, ensuring that they are not exposed in plain text within your source code management system.

Customer-Managed Encryption Keys (CMEK)

Google Cloud Storage Security

Question 6

You are backing up application logs to a shared Cloud Storage bucket that is accessible to both the administrator and analysts. Analysts should not have access to logs that contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible to the administrator. What should you do?

AUpload the logs to both the shared bucket and the bucket with Pll that is only accessible to the administrator. Use the Cloud Data Loss Prevention API to create a job trigger. Configure the trigger to delete any files that contain Pll from the shared bucket.

BOn the shared bucket, configure Object Lifecycle Management to delete objects that contain Pll.

COn the shared bucket, configure a Cloud Storage trigger that is only triggered when Pll is uploaded. Use Cloud Functions to capture the trigger and delete the files that contain Pll.

DUse Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect Pll, have the function move the objects into the shared Cloud Storage bucket.

Answer : D

Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect PII, have the function move the objects into the shared Cloud Storage bucket:

Configure a Pub/Sub topic to publish notifications when new files are uploaded to the administrator's bucket.

Create a Cloud Function that is triggered by the Pub/Sub topic. This function uses the Cloud Data Loss Prevention (DLP) API to scan the uploaded files for PII.

If the scan does not detect PII, the function moves the file to the shared Cloud Storage bucket. This ensures that only non-sensitive data is accessible to analysts, while PII remains secure in the administrator's bucket.

Using Pub/Sub with Cloud Functions

Cloud Data Loss Prevention API

Question 7

Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application. The solution has the following requirements:

Scans must run at least once per week

Must be able to detect cross-site scripting vulnerabilities

Must be able to authenticate using Google accounts

Which solution should you use?

AGoogle Cloud Armor

BWeb Security Scanner

CSecurity Health Analytics

DContainer Threat Detection

Answer : B

Web Security Scanner is designed to scan your web applications deployed on Google Cloud for common vulnerabilities, including cross-site scripting (XSS). It can authenticate using Google accounts and can be scheduled to run scans regularly.

Steps:

Enable Web Security Scanner: In the Google Cloud Console, enable Web Security Scanner for your project.

Configure Scan: Set up the scan configuration, specifying the target URLs, authentication details (Google accounts), and scan frequency (at least once per week).

Run and Monitor Scans: Run the scans and monitor the results for vulnerabilities, addressing any issues found.

Web Security Scanner documentation