Google Professional Cloud Security Engineer Exam Practice Test Instant Access

Question 1

You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM.

What should you do?

AConfigure Google Cloud Directory Sync to sync security groups using LDAP search rules that have ''user email address'' as the attribute to facilitate one-way sync.

BConfigure Google Cloud Directory Sync to sync security groups using LDAP search rules that have ''user email address'' as the attribute to facilitate bidirectional sync.

CUse a management tool to sync the subset based on the email address attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

DUse a management tool to sync the subset based on group object class attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

Answer : A

Objective: Synchronize security groups with email addresses from an LDAP directory to Cloud IAM.

Solution: Use Google Cloud Directory Sync (GCDS) to perform one-way synchronization based on LDAP search rules.

Steps:

Step 1: Download and install Google Cloud Directory Sync (GCDS) on a secure server.

Step 2: Configure GCDS with the LDAP server details and authentication.

Step 3: Define LDAP search rules to filter security groups based on the ''user email address'' attribute.

Step 4: Map LDAP security groups to Google Cloud IAM roles.

Step 5: Set up a synchronization schedule to keep the groups in sync.

Step 6: Perform a test sync to ensure that the configuration is correct.

Step 7: Activate the synchronization to keep the LDAP directory and Cloud IAM in sync.

Using GCDS for one-way synchronization ensures that the security groups in Cloud IAM are consistently updated based on the LDAP directory, maintaining alignment with the organization's security policies.

Google Cloud Directory Sync Documentation

Setting Up Google Cloud Directory Sync

Question 2

You recently joined the networking team supporting your company's Google Cloud implementation. You are tasked with familiarizing yourself with the firewall rules configuration and providing recommendations based on your networking and Google Cloud experience. What product should you recommend to detect firewall rules that are overlapped by attributes from other firewall rules with higher or equal priority?

ASecurity Command Center

BFirewall Rules Logging

CVPC Flow Logs

DFirewall Insights

Answer : D

https://cloud.google.com/network-intelligence-center/docs/firewall-insights/concepts/overview#shadowed-firewall-rules

Firewall Insights analyzes your firewall rules to detect firewall rules that are shadowed by other rules. A shadowed rule is a firewall rule that has all of its relevant attributes, such as its IP address and port ranges, overlapped by attributes from one or more rules with higher or equal priority, called shadowing rules.

Question 3

You are the project owner for a regulated workload that runs in a project you own and manage as an Identity and Access Management (IAM) admin. For an upcoming audit, you need to provide access reviews evidence. Which tool should you use?

APolicy Troubleshooter

BPolicy Analyzer

CIAM Recommender

DPolicy Simulator

Answer : B

Objective: Provide evidence of access reviews for an upcoming audit.

Solution: Use Policy Analyzer to review and report on IAM policies.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the Policy Analyzer tool.

Step 3: Select the project for which you need to review access policies.

Step 4: Use the tool to generate reports on IAM roles and permissions.

Step 5: Export the reports as evidence for the audit.

Policy Analyzer provides detailed insights into IAM policies, helping you to review access configurations and generate necessary reports for compliance and auditing purposes.

Policy Analyzer Documentation

Question 4

A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.

Which two approaches can you take to meet the requirements? (Choose two.)

AConfigure the project with Cloud VPN.

BConfigure the project with Shared VPC.

CConfigure the project with Cloud Interconnect.

DConfigure the project with VPC peering.

EConfigure all Compute Engine instances with Private Access.

Answer : A, C

To connect Compute Engine instances within a Google Cloud Platform project to workloads running in a dedicated server room that can only be accessed from within the private company network, you can use the following approaches:

Cloud VPN: Cloud VPN securely connects your on-premises network to your Google Cloud Virtual Private Cloud (VPC) network through an IPsec VPN connection. This enables secure communication between your GCP instances and your on-premises workloads over the internet.

Cloud Interconnect: Cloud Interconnect provides direct physical connections between your on-premises network and Google's network. It offers higher bandwidth and lower latency compared to Cloud VPN, making it suitable for workloads that require fast and reliable connectivity.

Both Cloud VPN and Cloud Interconnect allow you to securely connect your on-premises environments to Google Cloud, ensuring that the workloads remain within the private company network.

Cloud VPN Overview

Cloud Interconnect Overview

Question 5

You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources. Your export must meet the following requirements:

Export related logs for all projects in the Google Cloud organization.

Export logs in near real-time to an external SIEM.

What should you do? (Choose two.)

ACreate a Log Sink at the organization level with a Pub/Sub destination.

BCreate a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.

CEnable Data Access audit logs at the organization level to apply to all projects.

DEnable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.

EEnsure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.

Answer : B, C

To meet the requirements for exporting and auditing security logs in near real-time for login activity events and API calls:

Organization-Level Log Sink with Pub/Sub: Create a log sink at the organization level to ensure logs from all projects are captured. Use the includeChildren parameter to include logs from all child resources (projects). Set the destination to a Pub/Sub topic to facilitate near real-time log export to an external SIEM.

Enable Data Access Audit Logs: Enable Data Access audit logs at the organization level to capture and export detailed information about API calls that modify configurations of Google Cloud resources across all projects.

These steps ensure comprehensive logging and real-time export capabilities, which are crucial for security auditing and monitoring.

Audit Logs Overview

Exporting with Sinks

Question 6

Which two implied firewall rules are defined on a VPC network? (Choose two.)

AA rule that allows all outbound connections

BA rule that denies all inbound connections

CA rule that blocks all inbound port 25 connections

DA rule that blocks all outbound connections

EA rule that allows all inbound port 80 connections

Answer : A, B

Implied IPv4 allow egress rule. An egress rule whose action is allow, destination is 0.0.0.0/0, and priority is the lowest possible (65535) lets any instance send traffic to any destination

Implied IPv4 deny ingress rule. An ingress rule whose action is deny, source is 0.0.0.0/0, and priority is the lowest possible (65535) protects all instances by blocking incoming connections to them.

https://cloud.google.com/vpc/docs/firewalls?hl=en#default_firewall_rules

Question 7

Your customer has an on-premises Public Key Infrastructure (PKI) with a certificate authority (CA). You need to issue certificates for many HTTP load balancer frontends. The on-premises PKI should be minimally affected due to many manual processes, and the solution needs to scale.

What should you do?

AUse Certificate Manager to issue Google managed public certificates and configure it at HTTP the load balancers in your infrastructure as code (laC).

BUse Certificate Manager to import certificates issued from on-premises PKI and for the frontends. Leverage the gcloud tool for importing

CUse a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.

DUse the web applications with PKCS12 certificates issued from subordinate CA based on OpenSSL on-premises Use the gcloud tool for importing. Use the External TCP/UDP Network load balancer instead of an external HTTP Load Balancer.

Answer : C

This approach allows you to leverage your existing on-premises PKI infrastructure while minimizing its impact and manual processes. By creating a subordinate CA in Google's Certificate Authority Service, you can automate the process of issuing certificates for your HTTP load balancer frontends. This solution scales well as the number of load balancers increases.