Google Professional Cloud Security Engineer Exam Practice Test Instant Access

Question 1

Your company requires the security and network engineering teams to identify all network anomalies and be able to capture payloads within VPCs. Which method should you use?

ADefine an organization policy constraint.

BConfigure packet mirroring policies.

CEnable VPC Flow Logs on the subnet.

DMonitor and analyze Cloud Audit Logs.

Answer : B

https://cloud.google.com/vpc/docs/packet-mirroring

Packet Mirroring clones the traffic of specified instances in your Virtual Private Cloud (VPC) network and forwards it for examination. Packet Mirroring captures all traffic and packet data, including payloads and headers.

Question 2

Your organization has Google Cloud applications that require access to external web services You must monitor, control, and log access to these services What should you do?

AConfigure VPC firewall rules to allow the services to access the IP addresses of required external web services

BSet up a Secure Web Proxy that allows access to the specific external web services Configure applications to use the proxy for the web service requests

CConfigure Google Cloud Armor to monitor and protect your applications by checking incoming traffic patterns for attack patterns

DSet up a Cloud NAT instance to allow egress traffic from your VPC

Answer : B

The problem states that Google Cloud applications need to access external web services and requires the ability to monitor, control, and log this access

Monitoring, Controlling, and Logging external web access: This specifically points to a proxy solution, which can intercept, inspect, and log HTTP/S traffic

Secure Web Proxy (SWP): Google Cloud's Secure Web Proxy is designed for exactly this use case It acts as an explicit forward proxy for HTTP(S) traffic, allowing organizations to implement granular access controls, inspect traffic for security threats, and log all outbound web requests from their Google Cloud environmentExtract Reference: 'Secure Web Proxy is a managed service that lets you deploy and manage an explicit forward proxy to protect your organization's internal resources from web-based threats and to control access to external web applications' and 'With Secure Web Proxy, you can: Enforce granular access policies based on different attributes, Log all HTTP(S) requests that are handled by the proxy, and Monitor web traffic for threats' (Google Cloud documentation: https://cloudgooglecom/secure-web-proxy)

Let's evaluate the other options:

A Configure VPC firewall rules to allow the services to access the IP addresses of required external web services: VPC firewall rules operate at Layer 4 (TCP/UDP) and Layer 3 (IP) While they can allow or deny traffic to specific IP addresses and ports, they cannot monitor, control, or log HTTP/S requests at the application layer They don't provide granular control over which web services are accessed or inspect the content of the requests

C Configure Google Cloud Armor to monitor and protect your applications by checking incoming traffic patterns for attack patterns: Google Cloud Armor is primarily a Distributed Denial of Service (DDoS) protection and Web Application Firewall (WAF) service It focuses on protecting applications from incoming threats (ingress traffic), not controlling and logging outgoing access to external web services

D Set up a Cloud NAT instance to allow egress traffic from your VPC: Cloud NAT allows instances without external IP addresses to connect to the internet While it enables egress, it does not provide monitoring, control, or logging capabilities for specific web services at the application layer It's a network address translation service, not an application-layer proxy

Therefore, setting up a Secure Web Proxy is the most appropriate solution to meet the requirements of monitoring, controlling, and logging access to external web services from Google Cloud applications

Question 3

An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.

Which Cloud Identity password guidelines can the organization use to inform their new requirements?

ASet the minimum length for passwords to be 8 characters.

BSet the minimum length for passwords to be 10 characters.

CSet the minimum length for passwords to be 12 characters.

DSet the minimum length for passwords to be 6 characters.

Answer : A

The minimum length for passwords in Cloud Identity can be set to 8 characters. This aligns with common security best practices for password policies, ensuring a basic level of complexity and security.

Step-by-Step:

Access Admin Console: Log in to the Google Admin console.

Navigate to Security Settings: Go to Security > Password Management.

Set Minimum Length: Set the minimum length for passwords to 8 characters.

Save Changes: Save the settings and ensure that all user accounts adhere to the new policy.

Google Cloud Identity Security Settings

Password Policy Best Practices

Question 4

Your company has been creating users manually in Cloud Identity to provide access to Google Cloud resources. Due to continued growth of the environment, you want to authorize the Google Cloud Directory Sync (GCDS) instance and integrate it with your on-premises LDAP server to onboard hundreds of users. You are required to:

Replicate user and group lifecycle changes from the on-premises LDAP server in Cloud Identity.

Disable any manually created users in Cloud Identity.

You have already configured the LDAP search attributes to include the users and security groups in scope for Google Cloud. What should you do next to complete this solution?

A1. Configure the option to suspend domain users not found in LDAP.
2. Set up a recurring GCDS task.

B1. Configure the option to delete domain users not found in LDAP.
2. Run GCDS after user and group lifecycle changes.

C1. Configure the LDAP search attributes to exclude manually created Cloud Identity users not found in LDAP.
2. Set up a recurring GCDS task.

D1. Configure the LDAP search attributes to exclude manually created Cloud identity users not found in LDAP.
2. Run GCDS after user and group lifecycle changes.

Answer : A

Question 5

Your organization recently activated the Security Command Center {SCO standard tier. There are a few Cloud Storage buckets that were accidentally made accessible to the public. You need to investigate the impact of the incident and remediate it.

What should you do?

A* 1 Remove the Identity and Access Management (IAM) granting access to allusers from the buckets
* 2 Apply the organization policy storage. unifromBucketLevelAccess to prevent regressions
* 3 Query the data access logs to report on unauthorized access

B* 1 Change bucket permissions to limit access
* 2 Query the data access audit logs for any unauthorized access to the buckets
* 3 After the misconfiguration is corrected mute the finding in the Security Command Center

C* 1 Change permissions to limit access for authorized users
* 2 Enforce a VPC Service Controls perimeter around all the production projects to immediately stop any unauthorized access
* 3 Review the administrator activity audit logs to report on any unauthorized access

D* 1 Change the bucket permissions to limit access
* 2 Query the buckets usage logs to report on unauthorized access to the data
* 3 Enforce the organization policy storage.publicAccessPrevention to avoid regressions

To investigate and remediate the issue of public access to Cloud Storage buckets, you can follow these steps:
Change Bucket Permissions:
Navigate to the Cloud Storage section in the Google Cloud Console.
For each affected bucket, remove any public access permissions (e.g., removing allUsers or allAuthenticatedUsers from the IAM policy).
Ensure that only authorized users have the necessary permissions to access the buckets.
Query Data Access Audit Logs:
Go to the Logging section in the Google Cloud Console.
Query the audit logs for the affected buckets to identify any unauthorized access. You can use filters to search for access by unauthorized users.
Correct the Misconfiguration:
After correcting the permissions, mute the relevant findings in the Security Command Center to indicate that the issue has been resolved.
This helps in maintaining a clear view of ongoing security issues and ensures the findings are not flagged again unless there's a new occurrence.
By following these steps, you ensure that the buckets are no longer publicly accessible, investigate any potential unauthorized access, and update the Security Command Center status to reflect the resolution of the issue.

Answer : B

Cloud Storage IAM Permissions

Viewing Audit Logs

Security Command Center Documentation

Question 6

You have noticed an increased number of phishing attacks across your enterprise user accounts. You want to implement the Google 2-Step Verification (2SV) option that uses a cryptographic signature to authenticate a user and verify the URL of the login page. Which Google 2SV option should you use?

ATitan Security Keys

BGoogle prompt

CGoogle Authenticator app

DCloud HSM keys

Answer : A

Titan Security Keys are a physical form of two-step verification (2SV) that provide the highest level of account security by using cryptographic signatures to verify the user and the URL of the login page.

Cryptographic Security: Titan Security Keys use a hardware-based cryptographic method to authenticate users, which is resistant to phishing attacks. This ensures that the authentication process is secure and not susceptible to being intercepted or spoofed.

URL Verification: Titan Security Keys verify the URL of the login page during the authentication process, providing an additional layer of security against phishing attempts that may try to redirect users to malicious websites.

Ease of Use: These keys are easy to use and integrate with Google's 2SV process, providing a seamless and highly secure authentication method for users.

Titan Security Keys

Question 7

Your customer has an on-premises Public Key Infrastructure (PKI) with a certificate authority (CA). You need to issue certificates for many HTTP load balancer frontends. The on-premises PKI should be minimally affected due to many manual processes, and the solution needs to scale.

What should you do?

AUse Certificate Manager to issue Google managed public certificates and configure it at HTTP the load balancers in your infrastructure as code (laC).

BUse Certificate Manager to import certificates issued from on-premises PKI and for the frontends. Leverage the gcloud tool for importing

CUse a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.

DUse the web applications with PKCS12 certificates issued from subordinate CA based on OpenSSL on-premises Use the gcloud tool for importing. Use the External TCP/UDP Network load balancer instead of an external HTTP Load Balancer.

Answer : C

This approach allows you to leverage your existing on-premises PKI infrastructure while minimizing its impact and manual processes. By creating a subordinate CA in Google's Certificate Authority Service, you can automate the process of issuing certificates for your HTTP load balancer frontends. This solution scales well as the number of load balancers increases.