Google Professional Cloud Security Engineer Exam Questions

Page: 1 / 14
Total 318 questions

Want more questions? Get Premium Access.
()

Question 1

Your company's detection and response team requires break-glass access to the Google Cloud organization in the event of a security investigation. At the end of each day, all security group membership is removed. You need to automate user provisioning to a Cloud Identity security group. You have created a service account to provision group memberships. Your solution must follow Google-recommended practices and comply with the principle of least privilege. What should you do?

AIn Google Workspace, grant the service account client ID access to the scope, https://www.googleapis.com/auth/admin.directory.group, by using domain-wide delegation, and use a service account key.

BIn Google Workspace, grant the service account client ID access to the scope, https://www.googleapis.com/auth/admin.directory.group, by using domain-wide delegation. Use Application Default Credentials with the resource-attached service account.

CIn Google Workspace, grant the Groups Editor role to the service account. Enable the Cloud Identity API. Use a service account key.

DIn Google Workspace, grant the Groups Editor role to the service account, enable the Cloud Identity API, and use Application Default Credentials with the resource-attached service account.

Answer : B

The problem requires automating user provisioning to a Cloud Identity security group using a service account, adhering to Google-recommended practices and the principle of least privilege.

Cloud Identity Groups and Google Workspace: Cloud Identity groups are managed as part of Google Workspace. To programmatically manage Google Workspace resources (like groups), you typically use the Admin SDK APIs.

Domain-Wide Delegation: Service accounts cannot directly authenticate to Google Workspace APIs using IAM roles. Instead, they require 'domain-wide delegation' to impersonate a user with the necessary administrative privileges within Google Workspace. This allows a service account to access user data or perform administrative tasks across the domain. The correct scope for managing groups is https://www.googleapis.com/auth/admin.directory.group.Extract Reference: 'To allow a service account to access user data on behalf of users in a Google Workspace domain, you must delegate domain-wide authority to your service account.' (Google Cloud documentation: https://developers.google.com/identity/protocols/oauth2/service-account#delegating)

Extract Reference (Admin SDK Scopes): The https://www.googleapis.com/auth/admin.directory.group scope is explicitly listed for 'View and manage all groups on the domain.' (Google Workspace Admin SDK documentation: https://developers.google.com/admin-sdk/directory/v1/scopes)

Application Default Credentials (ADC) with Resource-Attached Service Account: Google-recommended practices strongly advise against using service account keys directly for authentication when running on Google Cloud infrastructure. Instead, it's recommended to use Application Default Credentials (ADC) with a service account attached to the resource (e.g., a Compute Engine VM, Cloud Run service, or Cloud Functions). This method manages credentials automatically and securely, reducing the risk associated with managing and rotating keys.Extract Reference: 'For most Google Cloud services, Application Default Credentials (ADC) is the recommended way to authenticate.' and 'When running code in a Google Cloud environment, such as Compute Engine, Cloud Run, or Cloud Functions, use the built-in service account to authenticate automatically with ADC. This is the most secure approach, as you don't need to manually create or manage service account keys.' (Google Cloud documentation: https://cloud.google.com/docs/authentication/production)

Options C and D are incorrect because granting an IAM role like 'Groups Editor' in Google Cloud does not enable a service account to manage Google Workspace (Cloud Identity) group memberships; domain-wide delegation is required for that. Option A uses a service account key, which is less secure than ADC with a resource-attached service account according to Google's recommendations.

Therefore, option B is the most aligned with Google's recommended practices for securely automating group provisioning using a service account and domain-wide delegation.

Question 2

When working with agents in a support center via online chat, an organization's customers often share pictures of their documents with personally identifiable information (PII). The organization that owns the support center is concerned that the PII is being stored in their databases as part of the regular chat logs they retain for

review by internal or external analysts for customer service trend analysis.

Which Google Cloud solution should the organization use to help resolve this concern for the customer while still maintaining data utility?

AUse Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.

BUse Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.

CUse the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.

DUse the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.

Answer : C

To handle images containing personally identifiable information (PII) in chat logs while maintaining data utility, you can use Google Cloud's Data Loss Prevention (DLP) API. The DLP API provides capabilities to inspect and redact sensitive information from images. Here's how you can use it:

Inspect Images: Use the DLP API to inspect images shared by customers for PII. This involves configuring the API to detect various types of sensitive information, such as names, social security numbers, and other PII.

Redact PII: Apply the redaction actions provided by the DLP API to remove or mask the PII in the images. The redaction can blur, mask, or replace sensitive information with placeholders, ensuring that the PII is not stored in the databases.

Store Redacted Images: Store the redacted images in your database for further analysis. This ensures that the sensitive information is not retained, addressing privacy concerns while still preserving the utility of the data for analysis.

By using the DLP API, the organization can effectively manage PII in customer-provided images, ensuring compliance with privacy regulations.

Reference

Cloud DLP Documentation

Redacting Sensitive Data with DLP API

Question 3

You are implementing communications restrictions for specific services in your Google Cloud organization. Your data analytics team works in a dedicated folder You need to ensure that access to BigQuery is controlled for that folder and its projects. The data analytics team must be able to control the restrictions only at the folder level What should you do?

AEnforce the Restrict Resource Service Usage organization policy constraint on the folder to restrict BigQuery access. Assign the data analytics team the Organization Policy Administrator role to allow the team to manage exclusions within the folder.

BCreate a scoped policy on the folder with a service perimeter to restrict BigQuery access. Assign the data analytics team the Access Context Manager Editor role on the scoped policy to allow the team to configure the scoped policy.

CDefine a hierarchical firewall policy on the folder to deny BigQuery access. Assign the data analytics team the Compute Organization Firewall Policy Admin role to allow the team to configure rules for the firewall policy.

DCreate an organization-level access policy with a service perimeter to restrict BigQuery access. Assign the data analytics team the Access Context Manager Editor role on the access policy to allow the team to configure the access policy.

Answer : B

The requirement is to establish a network security boundary around a specific service (BigQuery) for resources in a Folder, while allowing the team to manage that boundary. This is the definition of using VPC Service Controls (VPC SC) with scoped policies.

VPC Service Controls (VPC SC): Used to create a service perimeter (a security boundary) around BigQuery and other Google Cloud services, which restricts API access.

Scoped Policy on the Folder: This enforces the boundary exactly at the required Folder level, as opposed to the organization level.

Access Context Manager Editor Role: Access Context Manager is the service that manages VPC SC policies (Service Perimeters and Access Levels). Granting this role on the scoped policy allows the data analytics team to fulfill the requirement to 'control the restrictions.'

Extracts (Conceptual Basis for VPC SC and Scoped Policies):

'Private Service Connect provides... Explicit authorization. Private Service Connect provides an authorization model that gives consumers and producers granular control, ensuring that only the intended service endpoints and no other resources can connect to a service.' (Source 2.4 - VPC SC and PSC share a core architectural concept of explicit, service-oriented boundaries)

Option B is the technical implementation that matches the requirements: using a VPC SC service perimeter (for service restriction) applied as a scoped policy on the folder (for resource hierarchy scope) with Access Context Manager Editor (for team management/control).

Question 4

Your company operates an application instance group that is currently deployed behind a Google Cloud load balancer in us-central-1 and is configured to use the Standard Tier network. The infrastructure team wants to expand to a second Google Cloud region, us-east-2. You need to set up a single external IP address to distribute new requests to the instance groups in both regions.

What should you do?

AChange the load balancer backend configuration to use network endpoint groups instead of instance groups.

BChange the load balancer frontend configuration to use the Premium Tier network, and add the new instance group.

CCreate a new load balancer in us-east-2 using the Standard Tier network, and assign a static external IP address.

DCreate a Cloud VPN connection between the two regions, and enable Google Private Access.

Answer : B

The Standard Tier network only provides regional load balancing, while the Premium Tier supports global load balancing with a single anycast IP address. To distribute requests across multiple regions, you need to use the Premium Tier and update the load balancer configuration accordingly.

Steps:

Upgrade to Premium Tier: Update the load balancer to use the Premium Tier network in the Google Cloud Console.

Add New Instance Group: Add the instance group in the new region (us-east-2) to the backend configuration of the existing load balancer.

Verify Configuration: Ensure that the frontend configuration of the load balancer uses a single external IP address for global distribution.

Google Cloud: Global load balancing

Question 5

You are managing a set of Google Cloud projects that are contained in a folder named Data Warehouse A new data analysis team has been approved to perform data analysis for all BigQuery data in the projects within the Data Warehouse folder. They should only be able to read the data and not have permissions to modify or delete the data. You want to reduce the operational overhead of provisioning access while adhering to the principle of least privilege. What should you do?

AGrant the BigQuery Data Viewer role at the dataset level for each BigQuery dataset within each project in the Data Warehouse folder

BGrant the BigQuery Data Viewer role at the Data Warehouse folder.

CGrant the BigQuery Data Viewer role at the project level for each project within the Data Warehouse folder.

DGrant the BigQuery Metadata Viewer role at the Data Warehouse folder

Answer : B

The requirements are met by granting access at the highest point in the resource hierarchy that encompasses all the necessary resources, using the least privileged role required.

Least Privilege Role: The team needs to read data and not modify or delete it. The roles/bigquery.dataViewer role is the correct least privileged role for read-only access to data.

Minimize Operational Overhead: Granting the role at the Folder level ensures that the access is automatically inherited by all current and future projects within that folder, drastically reducing the operational overhead compared to granting the role per project (C) or per dataset (A).

Scope: The Folder scope (Data Warehouse folder) is the container for all BigQuery data in the projects within the folder, making it the ideal single point of granting access.

Extracts:

'IAM roles are inherited down the resource hierarchy... Granting a role at the folder level will grant the principal that role across all projects within that folder, including any projects created in the future.' (Source 10.1)

'The BigQuery Data Viewer (roles/bigquery.dataViewer) role grants permission to read data in BigQuery tables and views... It does not grant permissions to modify or delete the data, adhering to the principle of least privilege for read-only tasks.' (Source 10.2)

Question 6

You manage a mission-critical workload for your organization, which is in a highly regulated industry The workload uses Compute Engine VMs to analyze and process the sensitive data after it is uploaded to Cloud Storage from the endpomt computers. Your compliance team has detected that this workload does not meet the data protection requirements for sensitive data. You need to meet these requirements;

* Manage the data encryption key (DEK) outside the Google Cloud boundary.

* Maintain full control of encryption keys through a third-party provider.

* Encrypt the sensitive data before uploading it to Cloud Storage

* Decrypt the sensitive data during processing in the Compute Engine VMs

* Encrypt the sensitive data in memory while in use in the Compute Engine VMs

What should you do?

Choose 2 answers

ACreate a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets

BMigrate the Compute Engine VMs to Confidential VMs to access the sensitive data.

CConfigure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage and decrypt the sensitive data after it is downloaded into your VMs

DCreate Confidential VMs to access the sensitive data.

EConfigure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.

Answer : C, D

https://cloud.google.com/confidential-computing/confidential-vm/docs/creating-cvm-instance#considerations

Confidential VM does not support live migration. You can only enable Confidential Computing on a VM when you first create the instance. https://cloud.google.com/confidential-computing/confidential-vm/docs/creating-cvm-instance

Question 7

You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM.

What should you do?

AConfigure Google Cloud Directory Sync to sync security groups using LDAP search rules that have ''user email address'' as the attribute to facilitate one-way sync.

BConfigure Google Cloud Directory Sync to sync security groups using LDAP search rules that have ''user email address'' as the attribute to facilitate bidirectional sync.

CUse a management tool to sync the subset based on the email address attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

DUse a management tool to sync the subset based on group object class attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

Answer : A

Objective: Synchronize security groups with email addresses from an LDAP directory to Cloud IAM.

Solution: Use Google Cloud Directory Sync (GCDS) to perform one-way synchronization based on LDAP search rules.

Steps:

Step 1: Download and install Google Cloud Directory Sync (GCDS) on a secure server.

Step 2: Configure GCDS with the LDAP server details and authentication.

Step 3: Define LDAP search rules to filter security groups based on the ''user email address'' attribute.

Step 4: Map LDAP security groups to Google Cloud IAM roles.

Step 5: Set up a synchronization schedule to keep the groups in sync.

Step 6: Perform a test sync to ensure that the configuration is correct.

Step 7: Activate the synchronization to keep the LDAP directory and Cloud IAM in sync.

Using GCDS for one-way synchronization ensures that the security groups in Cloud IAM are consistently updated based on the LDAP directory, maintaining alignment with the organization's security policies.

Google Cloud Directory Sync Documentation

Setting Up Google Cloud Directory Sync