Google Professional Cloud Security Engineer Exam Practice Test Instant Access

Question 1

You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud. Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.)

AUse Google default encryption.

BManually add users to Google Cloud.

CProvision users with basic roles using Google's Identity and Access Management (1AM) service.

DUse SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.

EProvide granular access with predefined roles.

Answer : D, E

SSO/SAML Integration: Implement SSO (Single Sign-On) with SAML integration through Cloud Identity to streamline user authentication and lifecycle management. This ensures centralized management of user identities and access.

Predefined Roles: Use predefined roles to provide granular access control. These roles are designed to follow the principle of least privilege, ensuring that users have the minimum necessary permissions to perform their tasks.

User Management: By leveraging SSO/SAML, user provisioning and de-provisioning become more efficient and secure. This integration helps maintain consistent access policies across your organization.

Access Control: Predefined roles reduce the risk of over-permission by offering well-defined access levels, enhancing security and compliance. Reference::

Google Cloud - SSO with SAML

Google Cloud - IAM Best Practices

Question 2

The security operations team needs access to the security-related logs for all projects in their organization. They have the following requirements:

Follow the least privilege model by having only view access to logs.

Have access to Admin Activity logs.

Have access to Data Access logs.

Have access to Access Transparency logs.

Which Identity and Access Management (IAM) role should the security operations team be granted?

Aroles/logging.privateLogViewer

Broles/logging.admin

Croles/viewer

Droles/logging.viewer

Answer : A

https://cloud.google.com/logging/docs/access-control#considerations roles/logging.privateLogViewer (Private Logs Viewer) includes all the permissions contained by roles/logging.viewer, plus the ability to read Data Access audit logs in the _Default bucket.

Question 3

You are creating a new infrastructure CI/CD pipeline to deploy hundreds of ephemeral projects in your Google Cloud organization to enable your users to interact with Google Cloud. You want to restrict the use of the default networks in your organization while following Google-recommended best practices. What should you do?

AEnable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.

BCreate a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.

CGrant your users the 1AM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts the compute.googleapis.com API.

DOnly allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.

Answer : A

Organization Policy: Use the constraints/compute.skipDefaultNetworkCreation organization policy constraint to disable the creation of default networks in new projects.

Policy Application: Apply this constraint at the organization level to ensure it affects all projects within your organization, preventing the creation of default networks.

Best Practices Compliance: Following this best practice helps maintain a clean and secure network configuration by avoiding the use of default networks, which may not be properly segmented or secured.

Verification: Verify the policy application by creating new projects and ensuring that default networks are not created. Reference::

Google Cloud - Organization Policy Constraints

Google Cloud - Best Practices for Enterprise Organizations

Question 4

An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.

Which Cloud Data Loss Prevention API technique should you use to accomplish this?

AGeneralization

BRedaction

CCryptoHashConfig

DCryptoReplaceFfxFpeConfig

Answer : D

De-identifying sensitive data Cloud Data Loss Prevention (DLP) can de-identify sensitive data in text content, including text stored in container structures such as tables. De-identification is the process of removing identifying information from data. The API detects sensitive data such as personally identifiable information (PII), and then uses a de-identification transformation to mask, delete, or otherwise obscure the data. For example, de-identification techniques can include any of the following: Masking sensitive data by partially or fully replacing characters with a symbol, such as an asterisk (*) or hash (#). Replacing each instance of sensitive data with a token, or surrogate, string. Encrypting and replacing sensitive data using a randomly generated or pre-determined key. When you de-identify data using the CryptoReplaceFfxFpeConfig or CryptoDeterministicConfig infoType transformations, you can re-identify that data, as long as you have the CryptoKey used to originally de-identify the data. https://cloud.google.com/dlp/docs/deidentify-sensitive-data

Question 5

Your company must follow industry specific regulations. Therefore, you need to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources in the organization called org1.

What command should you execute?

A* organization policy: constraints/gcp.restrictStorageNonCraekServices
* binding at: orgl
* policy type: deny
* policy value: storage.gcogleapis.com

B* organization policy: constraints/gcp.restrictHonCmekServices
* binding at: orgl
* policy type: deny
* policy value: storage.googleapis.com

C* organization policy:constraints/gcp.restrictStorageNonCraekServices
* binding at: orgl
* policy type: allow
* policy value: all supported services

D* organization policy: constramts/gcp.restrictNonCmekServices
* binding at: orgl
* policy type: allow
* policy value: storage.googleapis.com

Answer : D

Requirement:

Enforce the use of Customer-Managed Encryption Keys (CMEK) for all new Cloud Storage resources in the organization.

Policy Constraint:

Use the constraints/gcp.restrictNonCmekServices constraint to enforce CMEK usage.

Policy Type and Value:

Set the policy type to allow to specify which services must use CMEK.

In this case, the policy value should be storage.googleapis.com to target Cloud Storage.

Command:

Applying the organization policy with the appropriate binding ensures that all new Cloud Storage resources under the organization will require CMEK.

Steps:

Step 1: Go to the Google Cloud Console.

Step 2: Navigate to the Organization Policies page.

Step 3: Apply the policy constraint constraints/gcp.restrictNonCmekServices with the allow policy type and storage.googleapis.com as the policy value.

Organization Policy Constraints

Customer-Managed Encryption Keys (CMEK)

Question 6

You need to enable VPC Service Controls and allow changes to perimeters in existing environments without preventing access to resources. Which VPC Service Controls mode should you use?

ACloud Run

BNative

CEnforced

DDry run

Answer : D

In dry run mode, requests that violate the perimeter policy are not denied, only logged. Dry run mode is used to test perimeter configuration and to monitor usage of services without preventing access to resources. https://cloud.google.com/vpc-service-controls/docs/dry-run-mode

Question 7

A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in BigQuery.

What technique should the institution use?

AUse Cloud Storage as a federated Data Source.

BUse a Cloud Hardware Security Module (Cloud HSM).

CCustomer-managed encryption keys (CMEK).

DCustomer-supplied encryption keys (CSEK).

Answer : C

If you want to manage the key encryption keys used for your data at rest, instead of having Google manage the keys, use Cloud Key Management Service to manage your keys. This scenario is known as customer-managed encryption keys (CMEK). https://cloud.google.com/bigquery/docs/encryption-at-rest