Free Certification Practice Questions

GOOGLE-PROFESSIONAL-CLOUD-SECURITY-ENGINEER

Google's Professional Cloud Security Engineer You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?
#61
Google's Professional Cloud Security Engineer Your company's new CEO recently sold two of the company's divisions. Your Director asks you to help migrate the Google Cloud projects associated with those divisions to a new organization node. Which preparation steps are necessary before this migration occurs? (Choose two.) E. Remove the specific migration projects from any VPC Service Controls perimeters and bridges.
#62
Google's Professional Cloud Security Engineer You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources. Your export must meet the following requirements: Export related logs for all projects in the Google Cloud organization. Export logs in near real-time to an external SIEM. What should you do? (Choose two.) E. Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.
#63
Google's Professional Cloud Security Engineer You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project. How should you make an exception for your partner's domain while following the stated best practices?
#64
Google's Professional Cloud Security Engineer You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?
#65
Google's Professional Cloud Security Engineer An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data Loss Prevention API technique should you use to accomplish this?
#66
Google's Professional Cloud Security Engineer You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine. Which option should you recommend?
#67
Google's Professional Cloud Security Engineer A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK). How should the team complete this task?
#68
Google's Professional Cloud Security Engineer An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud and where Google's responsibility lies. They are mostly running workloads using Google Cloud's platform-as-a-service (PaaS) offerings, including App Engine primarily. Which area in the technology stack should they focus on as their primary responsibility when using App Engine?
#69
Google's Professional Cloud Security Engineer A customer has an analytics workload running on Compute Engine that should have limited internet access. Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet. The Compute Engine instances now need to reach out to the public repository to get security updates. What should your team do?
#70
Google's Professional Cloud Security Engineer A customer wants to deploy a large number of 3-tier web applications on Compute Engine. How should the customer ensure authenticated network separation between the different tiers of the application?
#71
Google's Professional Cloud Security Engineer You manage a fleet of virtual machines (VMs) in your organization. You have encountered issues with lack of patching in many VMs. You need to automate regular patching in your VMs and view the patch management data across multiple projects. What should you do? (Choose two.) E. Deploy patches with VM Manager by using OS patch management.
#72
Google's Professional Cloud Security Engineer Your organization is using a third-party identity and authentication provider to centrally manage users. You want to use this identity provider to grant access to the Google Cloud console without syncing identities to Google Cloud. Users should receive permissions based on attributes. What should you do?
#73
Google's Professional Cloud Security Engineer Your organization's use of the Google Cloud has grown substantially and there are many different groups using different cloud resources independently. You must identify common misconfigurations and compliance violations across the organization and track findings for remedial action in a dashboard. What should you do?
#74
Google's Professional Cloud Security Engineer Your organization deploys a large number of containerized applications on Google Kubernetes Engine (GKE). Node updates are currently applied manually. Audit findings show that a critical patch has not been installed due to a missed notification. You need to design a more reliable, cloud-first, and scalable process for node updates. What should you do?
#75
Google's Professional Cloud Security Engineer You are setting up a new Cloud Storage bucket in your environment that is encrypted with a customer managed encryption key (CMEK). The CMEK is stored in Cloud Key Management Service (KMS), in project “prj-a”, and the Cloud Storage bucket will use project “prj-b”. The key is backed by a Cloud Hardware Security Module (HSM) and resides in the region europe-west3. Your storage bucket will be located in the region europe-west1. When you create the bucket, you cannot access the key, and you need to troubleshoot why. What has caused the access issue?
#76
Google's Professional Cloud Security Engineer Your organization is moving virtual machines (VMs) to Google Cloud. You must ensure that operating system images that are used across your projects are trusted and meet your security requirements. What should you do?
#77
Google's Professional Cloud Security Engineer You need to audit the network segmentation for your Google Cloud footprint. You currently operate Production and Non-Production infrastructure-as-a-service (IaaS) environments. All your VM instances are deployed without any service account customization. After observing the traffic in your custom network, you notice that all instances can communicate freely, despite tag-based VPC firewall rules in place to segment traffic properly, with a priority of 1000. What are the most likely reasons for this behavior?
#78
Google's Professional Cloud Security Engineer For data residency requirements, you want your secrets in Google Cloud's Secret Manager to only have payloads in europe-west1 and europe-west4. Your secrets must be highly available in both regions. What should you do?
#79
Google's Professional Cloud Security Engineer After completing a security vulnerability assessment, you learned that cloud administrators leave Google Cloud CLI sessions open for days. You need to reduce the risk of attackers who might exploit these open sessions by setting these sessions to the minimum duration. What should you do?
#80
Google's Professional Cloud Security Engineer You manage one of your organization's Google Cloud projects (Project A). A VPC Service Control (SC) perimeter is blocking API access requests to this project, including Pub/Sub. A resource running under a service account in another project (Project B) needs to collect messages from a Pub/Sub topic in your project. Project B is not included in a VPC SC perimeter. You need to provide access from Project B to the Pub/Sub topic in Project A using the principle of least privilege. What should you do?
#81
Google's Professional Cloud Security Engineer Your organization uses Google Workspace Enterprise Edition for authentication. You are concerned about employees leaving their laptops unattended for extended periods of time after authenticating into Google Cloud. You must prevent malicious people from using an employee's unattended laptop to modify their environment. What should you do?
#82
Google's Professional Cloud Security Engineer You are a Cloud Identity administrator for your organization. In your Google Cloud environment, groups are used to manage user permissions. Each application team has a dedicated group. Your team is responsible for creating these groups and the application teams can manage the team members on their own through the Google Cloud console. You must ensure that the application teams can only add users from within your organization to their groups. What should you do?
#83
Google's Professional Cloud Security Engineer You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application's backend. What are two requirements for using Google Cloud Armor security policies? (Choose two.) E. The load balancer must be an external HTTP(S) load balancer.
#84
Google's Professional Cloud Security Engineer A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE). How should the DevOps team accomplish this?
#85
Google's Professional Cloud Security Engineer An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request. Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses. Which solution should your team implement to meet these requirements?
#86
Google's Professional Cloud Security Engineer A large e-retailer is moving to Google Cloud Platform with its ecommerce website. The company wants to ensure payment information is encrypted between the customer's browser and GCP when customers check out online. What should they do?
#87
Google's Professional Cloud Security Engineer Your organization is migrating a complex application to Google Cloud. The application has multiple internal components that interact with each other across several Google Cloud projects. Security is a major concern, and you must design an authorization scheme for administrators that aligns with the principles of least privilege and separation of duties. What should you do?
#88
Google's Professional Cloud Security Engineer You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud. Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.) E. Provide granular access with predefined roles.
#89
Google's Professional Cloud Security Engineer Your organization has implemented synchronization and SAML federation between Cloud Identity and Microsoft Active Directory. You want to reduce the risk of Google Cloud user accounts being compromised. What should you do?
#90