Google Professional-Cloud-Security-Engineer Exam Practice Test Instant Access

Question 1

A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.

Which two strategies should your team use to meet these requirements? (Choose two.)

AConfigure Private Google Access on the Compute Engine subnet

BAvoid assigning public IP addresses to the Compute Engine cluster.

CMake sure that the Compute Engine cluster is running on a separate subnet.

DTurn off IP forwarding on the Compute Engine instances in the cluster.

EConfigure a Cloud NAT gateway.

Answer : B, E

Question 2

An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request.

Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses

Which solution should your team implement to meet these requirements?

ACloud Armor

BNetwork Load Balancing

CSSL Proxy Load Balancing

DNAT Gateway

Answer : A

Question 3

An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google's responsibility lies. They are mostly running workloads using Google Cloud's Platform-as-a-Service (PaaS) offerings, including App Engine primarily.

Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?

AConfiguring and monitoring VPC Flow Logs

BDefending against XSS and SQLi attacks

CManage the latest updates and security patches for the Guest OS

DEncrypting all stored data

Answer : B

Question 4

Your team wants to limit users with administrative privileges at the organization level.

Which two roles should your team restrict? (Choose two.)

AOrganization Administrator

BSuper Admin

CGKE Cluster Admin

DCompute Admin

EOrganization Role Viewer

Answer : A, B

Question 5

Last week, a company deployed a new App Engine application that writes logs to BigQuery. No other workloads are running in the project. You need to validate that all data written to BigQuery was done using the App Engine Default Service Account.

What should you do?

A1. Use StackDriver Logging and filter on BigQuery Insert Jobs.
2. Click on the email address in line with the App Engine Default Service Account in the authentication field.
3. Click Hide Matching Entries.
4. Make sure the resulting list is empty.

B1. Use StackDriver Logging and filter on BigQuery Insert Jobs.
2. Click on the email address in line with the App Engine Default Service Account in the authentication field.
3. Click Show Matching Entries.
4. Make sure the resulting list is empty.

C1. In BigQuery, select the related dataset.
2. Make sure the App Engine Default Service Account is the only account that can write to the dataset.

D1. Go to the IAM section on the project.
2. Validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery.

Answer : C

Question 6

Applications often require access to ''secrets'' - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of ''who did what, where, and when?'' within their GCP projects.

Which two log streams would provide the information that the administrator is looking for? (Choose two.)

AAdmin Activity logs

BSystem Event logs

CData Access logs

DVPC Flow logs

EAgent logs

Answer : A, C

Question 7

Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation.

What should you do?

AStore the data in a single Persistent Disk, and delete the disk at expiration time.

BStore the data in a single BigQuery table and set the appropriate table expiration time.

CStore the data in a single Cloud Storage bucket and configure the bucket's Time to Live.

DStore the data in a single BigTable table and set an expiration time on the column families.