Google Professional-Cloud-Security-Engineer Exam Practice Test Instant Access

Question 1

You are setting up a new Cloud Storage bucket in your environment that is encrypted with a customer managed encryption key (CMEK). The CMEK is stored in Cloud Key Management Service (KMS). in project "pr j -a", and the Cloud Storage bucket will use project "prj-b". The key is backed by a Cloud Hardware Security Module (HSM) and resides in the region europe-west3. Your storage bucket will be located in the region europe-west1. When you create the bucket, you cannot access the key. and you need to troubleshoot why.

What has caused the access issue?

AA firewall rule prevents the key from being accessible.

BCloud HSM does not support Cloud Storage

CThe CMEK is in a different project than the Cloud Storage bucket

DThe CMEK is in a different region than the Cloud Storage bucket.

Answer : D

When you use a customer-managed encryption key (CMEK) to secure a Cloud Storage bucket, the key and the bucket must be located in the same region. In this case, the key is in europe-west3 and the bucket is in europe-west1, which is why you're unable to access the key.

Question 2

Your organization is using Active Directory and wants to configure Security Assertion Markup Language (SAML). You must set up and enforce single sign-on (SSO) for all users.

What should you do?

A1. Manage SAML profile assignments.
* 2. Enable OpenID Connect (OIDC) in your Active Directory (AD) tenant.
* 3. Verify the domain.

B1. Create a new SAML profile.
* 2. Upload the X.509 certificate.
* 3. Enable the change password URL.
* 4. Configure Entity ID and ACS URL in your IdP.

C1- Create a new SAML profile.
* 2. Populate the sign-in and sign-out page URLs.
* 3. Upload the X.509 certificate.
* 4. Configure Entity ID and ACS URL in your IdP

D1. Configure prerequisites for OpenID Connect (OIDC) in your Active Directory (AD) tenant
* 2. Verify the AD domain.
* 3. Decide which users should use SAML.
* 4. Assign the pre-configured profile to the select organizational units (OUs) and groups.

Answer : C

When configuring SAML-based Single Sign-On (SSO) in an organization that's using Active Directory, the general steps would involve setting up a SAML profile, specifying the necessary URLs for sign-in and sign-out processes, uploading an X.509 certificate for secure communication, and setting up the Entity ID and Assertion Consumer Service (ACS) URL in the Identity Provider (which in this case would be Active Directory).

Question 3

Your company uses Google Cloud and has publicly exposed network assets. You want to discover the assets and perform a security audit on these assets by using a software tool in the least amount of time.

What should you do?

ARun a platform security scanner on all instances in the organization.

BNotify Google about the pending audit and wait for confirmation before performing the scan.

CContact a Google approved security vendor to perform the audit.

DIdentify all external assets by using Cloud Asset Inventory and then run a network security scanner against them.

Answer : D

Cloud Asset Inventory: Using Cloud Asset Inventory allows you to quickly identify all the external assets and resources in your Google Cloud environment. This includes information about your projects, instances, storage buckets, and more. This step is crucial for understanding the scope of your audit. Network Security Scanner: Once you have identified the external assets, you can run a network security scanner to assess the security of these assets. Network security scanners can help identify vulnerabilities and potential security risks quickly.

Question 4

Your organization wants to protect all workloads that run on Compute Engine VM to ensure that the instances weren't compromised by boot-level or kernel-level malware. Also, you need to ensure that data in use on the VM cannot be read by the underlying host system by using a hardware-based solution.

What should you do?

A* 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring
* 2 Create a Cloud Run function to check for the VM settings generate metrics and run the function regularly

B* 1 Activate Virtual Machine Threat Detection in Security Command Center (SCO Premium
* 2 Monitor the findings in SCC

C* 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring
* 2 Activate Confidential Computing
* 3 Enforce these actions by using organization policies

D* 1 Use secure hardened images from the Google Cloud Marketplace
* 2 When deploying the images activate the Confidential Computing option
* 3 Enforce the use of the correct images and Confidential Computing by using organization policies

Answer : C

Question 5

Your organization s record data exists in Cloud Storage. You must retain all record data for at least seven years This policy must be permanent.

What should you do?

A* 1 Identify buckets with record data
* 2 Apply a retention policy and set it to retain for seven years
* 3 Monitor the bucket by using log-based alerts to ensure that no modifications to the retention policy occurs

B* 1 Identify buckets with record data
* 2 Apply a retention policy and set it to retain for seven years
* 3 Remove any Identity and Access Management (IAM) roles that contain the storage buckets update permission

C* 1 Identify buckets with record data
* 2 Enable the bucket policy only to ensure that data is retained
* 3 Enable bucket lock

D* 1 Identify buckets with record data
* 2 Apply a retention policy and set it to retain for seven years
* 3 Enable bucket lock

Answer : D

Question 6

Your organization has on-premises hosts that need to access Google Cloud APIs You must enforce private connectivity between these hosts minimize costs and optimize for operational efficiency

What should you do?

ARoute all on-premises traffic to Google Cloud through an IPsec VPN tunnel to a VPC with Private Google Access enabled.

BSet up VPC peering between the hosts on-premises and the VPC through the internet.

CEnforce a security policy that mandates all applications to encrypt data with a Cloud Key Management. Service (KMS) key before you send it over the network.

DRoute all on-premises traffic to Google Cloud through a dedicated or Partner interconnect to a VPC with Private Google Access enabled.

Answer : D

Question 7

You have numerous private virtual machines on Google Cloud. You occasionally need to manage the servers through Secure Socket Shell (SSH) from a remote location. You want to configure remote access to the servers in a manner that optimizes security and cost efficiency.

What should you do?

ACreate a site-to-site VPN from your corporate network to Google Cloud.

BConfigure server instances with public IP addresses Create a firewall rule to only allow traffic from your corporate IPs.

CCreate a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range Grant the role of an IAP- secured Tunnel User to the administrators.

DCreate a jump host instance with public IP Manage the instances by connecting through the jump host.

Answer : C

Google Professional Cloud Security Engineer Exam Practice Test