Google Professional Cloud Security Engineer Exam Practice Test

Page: 1 / 14
Total 266 questions
Question 1

Your company requires the security and network engineering teams to identify all network anomalies and be able to capture payloads within VPCs. Which method should you use?



Answer : B

https://cloud.google.com/vpc/docs/packet-mirroring

Packet Mirroring clones the traffic of specified instances in your Virtual Private Cloud (VPC) network and forwards it for examination. Packet Mirroring captures all traffic and packet data, including payloads and headers.


Question 2

Your organization has Google Cloud applications that require access to external web services. You must monitor, control, and log access to these services. What should you do?



Answer : B

The problem states that Google Cloud applications need to access external web services and requires the ability to monitor, control, and log this access.

Monitoring, Controlling, and Logging external web access: This specifically points to a proxy solution, which can intercept, inspect, and log HTTP/S traffic.

Secure Web Proxy (SWP): Google Cloud's Secure Web Proxy is designed for exactly this use case. It acts as an explicit forward proxy for HTTP(S) traffic, allowing organizations to implement granular access controls, inspect traffic for security threats, and log all outbound web requests from their Google Cloud environment.

Extract Reference: 'Secure Web Proxy is a managed service that lets you deploy and manage an explicit forward proxy to protect your organization's internal resources from web-based threats and to control access to external web applications' and 'With Secure Web Proxy, you can: Enforce granular access policies based on different attributes, Log all HTTP(S) requests that are handled by the proxy, and Monitor web traffic for threats' (Google Cloud documentation: https://cloud.google.com/secure-web-proxy).

Let's evaluate the other options:

A. Configure VPC firewall rules to allow the services to access the IP addresses of required external web services: VPC firewall rules operate at Layer 4 (TCP/UDP) and Layer 3 (IP). While they can allow or deny traffic to specific IP addresses and ports, they cannot monitor, control, or log HTTP/S requests at the application layer. They don't provide granular control over which web services are accessed or inspect the content of the requests.

C. Configure Google Cloud Armor to monitor and protect your applications by checking incoming traffic patterns for attack patterns: Google Cloud Armor is primarily a Distributed Denial of Service (DDoS) protection and Web Application Firewall (WAF) service. It focuses on protecting applications from incoming threats (ingress traffic), not controlling and logging outgoing access to external web services.

D. Set up a Cloud NAT instance to allow egress traffic from your VPC: Cloud NAT allows instances without external IP addresses to connect to the internet. While it enables egress, it does not provide monitoring, control, or logging capabilities for specific web services at the application layer. It's a network address translation service, not an application-layer proxy.

Therefore, setting up a Secure Web Proxy is the most appropriate solution to meet the requirements of monitoring, controlling, and logging access to external web services from Google Cloud applications.


Question 3

An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.

Which Cloud Identity password guidelines can the organization use to inform their new requirements?



Answer : A

The minimum length for passwords in Cloud Identity can be set to 8 characters. This aligns with common security best practices for password policies, ensuring a basic level of complexity and security.

Step-by-Step:

Access Admin Console: Log in to the Google Admin console.

Navigate to Security Settings: Go to Security > Password Management.

Set Minimum Length: Set the minimum length for passwords to 8 characters.

Save Changes: Save the settings and ensure that all user accounts adhere to the new policy.


Google Cloud Identity Security Settings

Password Policy Best Practices

Question 4

Your company has been creating users manually in Cloud Identity to provide access to Google Cloud resources. Due to continued growth of the environment, you want to authorize the Google Cloud Directory Sync (GCDS) instance and integrate it with your on-premises LDAP server to onboard hundreds of users. You are required to:

Replicate user and group lifecycle changes from the on-premises LDAP server in Cloud Identity.

Disable any manually created users in Cloud Identity.

You have already configured the LDAP search attributes to include the users and security groups in scope for Google Cloud. What should you do next to complete this solution?



Answer : A


Question 5

Your organization recently activated the Security Command Center (SCC) standard tier. There are a few Cloud Storage buckets that were accidentally made accessible to the public. You need to investigate the impact of the incident and remediate it.

What should you do?



Answer : B


Cloud Storage IAM Permissions

Viewing Audit Logs

Security Command Center Documentation

Question 6

You have noticed an increased number of phishing attacks across your enterprise user accounts. You want to implement the Google 2-Step Verification (2SV) option that uses a cryptographic signature to authenticate a user and verify the URL of the login page. Which Google 2SV option should you use?



Answer : A

Titan Security Keys are a physical form of two-step verification (2SV) that provide the highest level of account security by using cryptographic signatures to verify the user and the URL of the login page.

Cryptographic Security: Titan Security Keys use a hardware-based cryptographic method to authenticate users, which is resistant to phishing attacks. This ensures that the authentication process is secure and not susceptible to being intercepted or spoofed.

URL Verification: Titan Security Keys verify the URL of the login page during the authentication process, providing an additional layer of security against phishing attempts that may try to redirect users to malicious websites.

Ease of Use: These keys are easy to use and integrate with Google's 2SV process, providing a seamless and highly secure authentication method for users.


Titan Security Keys

Question 7

Your customer has an on-premises Public Key Infrastructure (PKI) with a certificate authority (CA). You need to issue certificates for many HTTP load balancer frontends. The on-premises PKI should be minimally affected due to many manual processes, and the solution needs to scale.

What should you do?



Answer : C

This approach allows you to leverage your existing on-premises PKI infrastructure while minimizing its impact and manual processes. By creating a subordinate CA in Google's Certificate Authority Service, you can automate the process of issuing certificates for your HTTP load balancer frontends. This solution scales well as the number of load balancers increases.

