Google Professional Cloud Security Engineer Exam Questions Instant Access

Question 1

Your organization wants to be continuously evaluated against CIS Google Cloud Computing Foundations Benchmark v1 3 0 (CIS Google Cloud Foundation 1 3). Some of the controls are irrelevant to your organization and must be disregarded in evaluation. You need to create an automated system or process to ensure that only the relevant controls are evaluated.

What should you do?

AMark all security findings that are irrelevant with a tag and a value that indicates a security exception Select all marked findings and mute them on the console every time they appear Activate Security Command Center (SCC) Premium.

BActivate Security Command Center (SCC) Premium Create a rule to mute the security findings in SCC so they are not evaluated.

CDownload all findings from Security Command Center (SCC) to a CSV file Mark the findings that are part of CIS Google Cloud Foundation 1 3 in the file Ignore the entries that are irrelevant and out of scope for the company.

DAsk an external audit company to provide independent reports including needed CIS benchmarks. In the scope of the audit clarify that some of the controls are not needed and must be disregarded.

Answer : B

Activate Security Command Center (SCC) Premium: Security Command Center (SCC) Premium provides advanced security analytics and best practice recommendations for your Google Cloud environment. It includes functionalities such as asset discovery, vulnerability scanning, and security findings.

Create a Custom Rule to Mute Irrelevant Security Findings:

Navigate to the Security Command Center (SCC) in the Google Cloud Console.

Go to the 'Settings' tab and find the 'Mute findings' section.

Create a new mute rule by specifying the conditions that match the irrelevant controls you want to disregard. These conditions can be based on attributes such as resource type, finding type, and other metadata.

Apply this mute rule, which will ensure that the specified findings are not evaluated in your security posture assessments.

Ensure Continuous Compliance Monitoring:

The mute rules will automatically filter out the irrelevant findings, ensuring that only relevant controls from the CIS Google Cloud Computing Foundations Benchmark v1.3.0 are evaluated.

Regularly review and update the mute rules to adapt to any changes in your compliance requirements or security posture.

Security Command Center Documentation

Creating and Managing Mute Rules

Question 2

What are the steps to encrypt data using envelope encryption?

AGenerate a data encryption key (DEK) locally.
Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK.
Store the encrypted data and the wrapped KEK.

BGenerate a key encryption key (KEK) locally.
Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK.
Store the encrypted data and the wrapped DEK.

CGenerate a data encryption key (DEK) locally.
Encrypt data with the DEK.
Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.

DGenerate a key encryption key (KEK) locally.
Generate a data encryption key (DEK) locally. Encrypt data with the KEK.
Store the encrypted data and the wrapped DEK.

Answer : C

Objective: Encrypt data using envelope encryption.

Solution: Follow the envelope encryption process.

Steps:

Step 1: Generate a Data Encryption Key (DEK) locally. The DEK is used to encrypt the actual data.

Step 2: Encrypt the data using the DEK.

Step 3: Use a Key Encryption Key (KEK) to wrap the DEK. The KEK is used to encrypt the DEK.

Step 4: Store the encrypted data and the wrapped DEK. This ensures that the data can be securely decrypted in the future using the KEK to unwrap the DEK.

Envelope encryption enhances security by adding an additional layer of encryption to the data encryption key, which is particularly useful for managing large volumes of encrypted data.

Envelope Encryption Overview

Google Cloud Key Management Service Documentation

Question 3

Your organization is using Vertex AI Workbench Instances. You must ensure that newly deployed instances are automatically kept up-to-date and that users cannot accidentally alter settings in the operating system. What should you do?

AEnable the VM Manager and ensure the corresponding Google Compute Engine instances are added.

BEnforce the disableRootAccess and requireAutoUpgradeSchedule organization policies for newly deployed instances.

CAssign the AI Notebooks Runner and AI Notebooks Viewer roles to the users of the AI Workbench Instances.

DImplement a firewall rule that prevents Secure Shell access to the corresponding Google Compute Engine instances by using tags.

Answer : B

To ensure that Vertex AI Workbench Instances (formerly AI Platform Notebooks) are automatically updated and that users cannot modify operating system settings, it's crucial to implement organizational policies that enforce these requirements.

disableRootAccess Organization Policy: This policy prevents users from obtaining root access on virtual machines. By enforcing this policy, you ensure that users cannot make unauthorized changes to the operating system settings, maintaining the integrity and security of the instances.

requireAutoUpgradeSchedule Organization Policy: This policy mandates that virtual machines have an auto-upgrade schedule for their operating systems. By enforcing this policy, you ensure that instances are automatically kept up-to-date with the latest security patches and updates, reducing the risk of vulnerabilities.

Given the options:

Option A: Enabling VM Manager helps in managing updates and configurations but does not inherently prevent users from altering OS settings.

Option B: Enforcing the disableRootAccess and requireAutoUpgradeSchedule organization policies directly addresses both requirements: preventing unauthorized OS modifications and ensuring automatic updates.

Option C: Assigning specific roles controls user permissions but does not enforce OS-level restrictions or automatic updates.

Option D: Implementing firewall rules to prevent SSH access adds a layer of security but does not ensure automatic updates or prevent OS modifications through other means.

Therefore, Option B is the most effective approach, as it directly enforces the necessary policies to meet both requirements.

Organization Policy Service

VM Manager Overview

Question 4

Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team.

Which type of networking design should your team use to meet these requirements?

AShared VPC Network with a host project and service projects

BGrant Compute Admin role to the networking team for each engineering project

CVPC peering between all engineering projects using a hub and spoke model

DCloud VPN Gateway between all engineering projects using a hub and spoke model

Answer : A

Use Shared VPC to connect to a common VPC network. Resources in those projects can communicate with each other securely and efficiently across project boundaries using internal IPs. You can manage shared network resources, such as subnets, routes, and firewalls, from a central host project, enabling you to apply and enforce consistent network policies across the projects.

Question 5

You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS). Cloud Identity and Access Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys.

What should you do?

ACreate a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the Key level.

BCreate a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the KeyRing level.

CCreate a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the Key level.

DCreate a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the KeyRing level.

Answer : B

Managing IAM permissions at the KeyRing level is more efficient and scalable compared to managing them at the individual Key level. By creating a single KeyRing and placing all encryption keys within it, you can apply uniform IAM permissions to the entire KeyRing, simplifying the management of permissions.

Steps:

Create a KeyRing: Set up a single KeyRing in Cloud KMS for all the encryption keys required for the persistent disks.

Create Encryption Keys: Generate the necessary encryption keys within this KeyRing.

Set IAM Permissions: Assign IAM roles and permissions to the KeyRing to manage access control at this level, ensuring that all keys within the KeyRing inherit these permissions.

Google Cloud: Cloud Key Management Service (KMS)

Managing access to resources

Question 6

Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:

The network connection must be encrypted.

The communication between servers must be over private IP addresses.

What should you do?

AConfigure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

BConfigure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

CConfigure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.

DConfigure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.

Answer : A

To meet the requirements of encrypted communication over private IP addresses between Compute Engine instances in different Google Cloud organizations, a Cloud VPN connection is appropriate:

Cloud VPN: Cloud VPN creates a secure, encrypted tunnel between your organization's VPC network and the third party's VPC network. This ensures that data transmitted over the network is encrypted and secure.

Private IP Communication: Cloud VPN allows communication over private IP addresses, which helps maintain security by keeping traffic within the Google Cloud network and not exposing it to the public internet.

Firewall Rules: VPC firewall rules can be configured to control the traffic that flows through the VPN, ensuring that only authorized traffic is allowed, further enhancing security.

By setting up a Cloud VPN connection, you can achieve secure, encrypted communication over private IP addresses between different Google Cloud organizations.

Cloud VPN Overview

Question 7

You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive dat

a. Your solution has the following requirements:

Schedule key rotation for sensitive data.

Control which region the encryption keys for sensitive data are stored in.

Minimize the latency to access encryption keys for both sensitive and non-sensitive data.

What should you do?

AEncrypt non-sensitive data and sensitive data with Cloud External Key Manager.

BEncrypt non-sensitive data and sensitive data with Cloud Key Management Service.

CEncrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.

DEncrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

Answer : D

Encrypt non-sensitive data with Google default encryption:

Google Cloud automatically encrypts data at rest using AES-256 by default. This minimizes key management complexity for non-sensitive data as it is handled entirely by Google.

No additional setup is required for default encryption, ensuring low latency access to the encrypted data.

Encrypt sensitive data with Cloud Key Management Service (Cloud KMS):

Cloud KMS allows you to create and manage cryptographic keys in a centralized cloud service.

To meet the requirement of scheduling key rotation, configure Cloud KMS to automatically rotate keys on a regular schedule (e.g., every 90 days).

Control the region where the keys are stored by selecting the appropriate key ring location during key creation. This ensures compliance with data residency requirements.

Cloud KMS provides low-latency access to keys, ensuring minimal impact on data access performance.

Cloud Key Management Service Documentation

Encryption at Rest in Google Cloud