Free Certification Practice Questions

GOOGLE-PROFESSIONAL-CLOUD-SECURITY-ENGINEER

Google's Professional Cloud Security Engineer Your company has deployed an application on Compute Engine. The application is accessible by clients on port 587. You need to balance the load between the different instances running the application. The connection should be secured using TLS, and terminated by the Load Balancer. What type of Load Balancing should you use?
#1
Google's Professional Cloud Security Engineer Your organization is building a real-time recommendation engine using ML models that process live user activity data stored in BigQuery and Cloud Storage. Each new model developed is saved to Artifact Registry. This new system deploys models to Google Kubernetes Engine, and uses Pub/Sub for message queues. Recent industry news has been reporting attacks exploiting ML model supply chains. You need to enhance the security in this serverless architecture, specifically against risks to the development and deployment pipeline. What should you do?
#2
Google's Professional Cloud Security Engineer A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location. How should the company accomplish this?
#3
Google's Professional Cloud Security Engineer In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized. Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.) E. Cloud Storage
#4
Google's Professional Cloud Security Engineer Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization. Which logging export strategy should you use to meet the requirements?
#5
Google's Professional Cloud Security Engineer You are working with developers to secure custom training jobs running on Vertex AI. For compliance reasons, all supported data types must be encrypted by key materials that reside in the Europe region and are controlled by your organization. The encryption activity must not impact the training operation in Vertex AI. What should you do?
#6
Google's Professional Cloud Security Engineer Your organization has an internet-facing application behind a load balancer. Your regulators require end-to-end encryption of user login credentials. You must implement this requirement. What should you do?
#7
Google's Professional Cloud Security Engineer Your organization is implementing separation of duties in a Google Cloud project. A group of developers must deploy new code, but cannot have permission to change network firewall rules. What should you do?
#8
Google's Professional Cloud Security Engineer You are managing a Google Cloud environment that is organized into folders that represent different teams. These teams need the flexibility to modify organization policies relevant to their work. You want to grant the teams the necessary permissions while upholding Google-recommended security practices and minimizing administrative complexity. What should you do?
#9
Google's Professional Cloud Security Engineer Your organization is implementing a new Python application that will be deployed on Cloud Run. The application needs to connect to a MySQL database that runs on Cloud SQL in a different project in your Google Cloud organization. You must secure the connection from the application to the Cloud SQL instance while minimizing management overhead. What should you do?
#10
Google's Professional Cloud Security Engineer You are responsible for configuring Identity and Access Management in your organization's Google Cloud environment. You need to restrict your organization's users from accessing Cloud Storage buckets in other Google Cloud organizations. What should you do?
#11
Google's Professional Cloud Security Engineer Your organization is rolling out a new continuous integration and delivery (CI/CD) process to deploy infrastructure and applications in Google Cloud. Many teams will use their own instances of the CI/CD workflow. It will run on Google Kubernetes Engine (GKE). The CI/CD pipelines must be designed to securely access Google Cloud APIs. What should you do?
#12
Google's Professional Cloud Security Engineer Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation. What should you do?
#13
Google's Professional Cloud Security Engineer Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:
✑ The network connection must be encrypted.
✑ The communication between servers must be over private IP addresses.
What should you do?
#14
Google's Professional Cloud Security Engineer An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege. Which option meets the requirement of your team?
#15
Google's Professional Cloud Security Engineer You plan to synchronize identities to Cloud Identity from a third-party identity provider (IdP). You discovered that some employees used their corporate email address to set up consumer accounts to access Google services. You need to ensure that the organization has control over the configuration, security, and lifecycle of these consumer accounts. What should you do? (Choose two.) E. Use the transfer tool to invite those corporate employees to transfer their unmanaged consumer accounts to the corporate domain.
#16
Google's Professional Cloud Security Engineer Your organization is transitioning to Google Cloud. You want to ensure that only trusted container images are deployed on Google Kubernetes Engine (GKE) clusters in a project. The containers must be deployed from a centrally managed Container Registry and signed by a trusted authority. What should you do? (Choose two.) E. Configure the Binary Authorization policy with respective attestations for the project.
#17
Google's Professional Cloud Security Engineer Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud. Which two steps should you take to integrate the company's on-premises Active Directory with Google Cloud and configure access management? (Choose two.) E. Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group.
#18
Google's Professional Cloud Security Engineer Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process. What should you do?
#19
Google's Professional Cloud Security Engineer You are designing a new governance model for your organization's secrets that are stored in Secret Manager. Currently, secrets for Production and Non-Production applications are stored and accessed using service accounts. Your proposed solution must:
✑ Provide granular access to secrets
✑ Give you control over the rotation schedules for the encryption keys that wrap your secrets
✑ Maintain environment separation
✑ Provide ease of management
Which approach should you take?
#20
Google's Professional Cloud Security Engineer You discovered that sensitive personally identifiable information (PII) is being ingested to your Google Cloud environment in the daily ETL process from an on-premises environment to your BigQuery datasets. You need to redact this data to obfuscate the PII, but need to re-identify it for data analytics purposes. Which components should you use in your solution? (Choose two.) E. Cloud Data Loss Prevention with deterministic encryption using AES-SIV
#21
Google's Professional Cloud Security Engineer Your organization must store highly sensitive data within Google Cloud. You need to design a solution that provides the strongest level of security and control. What should you do?
#22
Google's Professional Cloud Security Engineer You are migrating an on-premises data warehouse to BigQuery, Cloud SQL, and Cloud Storage. You need to configure security services in the data warehouse. Your company compliance policies mandate that the data warehouse must:
• Protect data at rest with full lifecycle management on cryptographic keys.
• Implement a separate key management provider from data management.
• Provide visibility into all encryption key requests.
What services should be included in the data warehouse implementation? (Choose two.) E. Cloud External Key Manager
#23
Google's Professional Cloud Security Engineer You want to use the gcloud command-line tool to authenticate using a third-party single sign-on (SSO) SAML identity provider. Which options are necessary to ensure that authentication is supported by the third-party identity provider (IdP)? (Choose two.) E. Cloud Identity
#24
Google's Professional Cloud Security Engineer You are the security admin of your company. Your development team creates multiple GCP projects under the "implementation" folder for several dev, staging, and production workloads. You want to prevent data exfiltration by malicious insiders or compromised code by setting up a security perimeter. However, you do not want to restrict communication between the projects. What should you do?
#25
Google's Professional Cloud Security Engineer Which two security characteristics are related to the use of VPC peering to connect two VPC networks? (Choose two.) E. Ability to share specific subnets across peered networks
#26
Google's Professional Cloud Security Engineer Last week, a company deployed a new App Engine application that writes logs to BigQuery. No other workloads are running in the project. You need to validate that all data written to BigQuery was done using the App Engine Default Service Account. What should you do?
#27
Google's Professional Cloud Security Engineer You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk. What should you do?
#28
Google's Professional Cloud Security Engineer A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places. Which Storage solution are they allowed to use?
#29
Google's Professional Cloud Security Engineer A customer deployed an application on Compute Engine that takes advantage of the elastic nature of cloud computing. How can you work with Infrastructure Operations Engineers to best ensure that Windows Compute Engine VMs are up to date with all the latest OS patches?
#30