Google Professional Cloud Security Engineer Exam Questions Instant Access

Question 1

You work for an organization in a regulated industry that has strict data protection requirements. The organization backs up their data in the cloud. To comply with data privacy regulations, this data can only be stored for a specific length of time and must be deleted after this specific period.

You want to automate the compliance with this regulation while minimizing storage costs. What should you do?

AStore the data in a persistent disk, and delete the disk at expiration time.

BStore the data in a Cloud Bigtable table, and set an expiration time on the column families.

CStore the data in a BigQuery table, and set the table's expiration time.

DStore the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.

Answer : D

Google Cloud Storage provides an Object Lifecycle Management feature that can help automate data retention and deletion processes, ensuring compliance with data privacy regulations while minimizing storage costs.

Lifecycle Management: Object Lifecycle Management allows you to define rules that automatically delete objects after a specific period. This ensures that data is only retained for the required amount of time and is deleted once it expires.

Configuration: You can configure lifecycle rules to delete objects based on conditions such as the age of the object, the creation date, or custom metadata. This allows for precise control over the retention period of your data.

Cost Efficiency: By using lifecycle policies to delete data automatically, you can reduce storage costs, as you only pay for the storage you actively use.

Cloud Storage Object Lifecycle Management

Question 2

You are a member of your company's security team. You have been asked to reduce your Linux bastion host external attack surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can access the internal VPC while off-site. How should you enable this access?

AImplement Cloud VPN for the region where the bastion host lives.

BImplement OS Login with 2-step verification for the bastion host.

CImplement Identity-Aware Proxy TCP forwarding for the bastion host.

DImplement Google Cloud Armor in front of the bastion host.

Answer : C

Question 3

Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate,

and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud.

What should you do?

AUse the Cloud Key Management Service to manage the data encryption key (DEK).

BUse the Cloud Key Management Service to manage the key encryption key (KEK).

CUse customer-supplied encryption keys to manage the data encryption key (DEK).

DUse customer-supplied encryption keys to manage the key encryption key (KEK).

Answer : B

This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK). For more information on Google data encryption keys, see Encryption at Rest. https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption

https://codelabs.developers.google.com/codelabs/encrypt-and-decrypt-data-with-cloud-kms#0

Question 4

You have created an OS image that is hardened per your organization's security standards and is being stored in a project managed by the security team. As a Google Cloud administrator, you need to make sure all VMs in your Google Cloud organization can only use that specific OS image while minimizing operational overhead. What should you do? (Choose two.)

AGrant users the compuce.imageUser role in their own projects.

BGrant users the compuce.imageUser role in the OS image project.

CStore the image in every project that is spun up in your organization.

DSet up an image access organization policy constraint, and list the security team managed project in the projects allow list.

ERemove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.

Answer : B, D

https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints - constraints/compute.trustedImageProjects

This list constraint defines the set of projects that can be used for image storage and disk instantiation for Compute Engine. If this constraint is active, only images from trusted projects will be allowed as the source for boot disks for new instances.

Question 5

Your company has been creating users manually in Cloud Identity to provide access to Google Cloud resources. Due to continued growth of the environment, you want to authorize the Google Cloud Directory Sync (GCDS) instance and integrate it with your on-premises LDAP server to onboard hundreds of users. You are required to:

Replicate user and group lifecycle changes from the on-premises LDAP server in Cloud Identity.

Disable any manually created users in Cloud Identity.

You have already configured the LDAP search attributes to include the users and security groups in scope for Google Cloud. What should you do next to complete this solution?

A1. Configure the option to suspend domain users not found in LDAP.
2. Set up a recurring GCDS task.

B1. Configure the option to delete domain users not found in LDAP.
2. Run GCDS after user and group lifecycle changes.

C1. Configure the LDAP search attributes to exclude manually created Cloud Identity users not found in LDAP.
2. Set up a recurring GCDS task.

D1. Configure the LDAP search attributes to exclude manually created Cloud identity users not found in LDAP.
2. Run GCDS after user and group lifecycle changes.

Answer : A

Question 6

Your team wants to limit users with administrative privileges at the organization level.

Which two roles should your team restrict? (Choose two.)

AOrganization Administrator

BSuper Admin

CGKE Cluster Admin

DCompute Admin

EOrganization Role Viewer

Answer : A, B

The Organization Administrator and Super Admin roles have extensive administrative privileges at the organization level. Restricting these roles is crucial to limit the number of users who have the ability to manage critical resources and configurations within the organization, thereby enhancing security and minimizing potential risks.

Organization Administrator: Has comprehensive permissions to manage all aspects of the Google Cloud organization, including projects, folders, and IAM policies.

Super Admin: In Google Workspace (formerly G Suite), the Super Admin has access to all administrative features and can manage user accounts, services, and settings across the organization.

Google Cloud IAM roles

Managing super admin roles in Google Workspace

Question 7

A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).

How should the team complete this task?

AUpload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.

BUse the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.

CGenerate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.

DEncrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.

Answer : B

To use customer-supplied encryption keys (CSEK) for encrypting data on Cloud Storage, follow these steps:

Generate an Encryption Key: Generate a 256-bit AES encryption key. This key should be base64-encoded.

Copy code

openssl rand -base64 32

Upload Object with CSEK: Use the gsutil command-line tool to upload the object to Cloud Storage, specifying the location of the encryption key using the -o option.

gsutil -o 'GSUtil:encryption_key=<base64-encoded-key>' cp [LOCAL_OBJECT_PATH] gs://[BUCKET_NAME]/

Verify Encryption: After uploading the object, you can verify that it is encrypted using the provided CSEK by checking the object's metadata.

gsutil stat gs://[BUCKET_NAME]/[OBJECT_NAME]

Key Management: Ensure that the encryption key is securely stored and managed. It should not be hard-coded in scripts or applications.

By using the gsutil tool and specifying the encryption key, you ensure that the object is encrypted using the customer-supplied encryption key during the upload process.

Customer-Supplied Encryption Keys (CSEK) Documentation

gsutil Command Line Tool Documentation