Google's Professional Cloud Security Engineer
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior. What should you do to meet these requirements?
#91
Answer: A
You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards. What should you do?
#92
Answer: C
A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack. Which solution should this customer use?
#93
Answer: C
A company migrated their entire data center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time. What should you do?
#94
Answer: D
You are implementing a new web application on Google Cloud that will be accessed from your on-premises network. To provide protection from threats like malware, you must implement transport layer security (TLS) interception for incoming traffic to your application. What should you do?
#95
Answer: C
Your organization is using Security Command Center Premium as a central tool to detect and alert on security threats. You also want to alert on suspicious outbound traffic that is targeting domains of known suspicious web services. What should you do?
#96
Answer: D
Your organization must comply with the regulation to keep instance logging data within Europe. Your workloads will be hosted in the Netherlands in region europe-west4 in a new project. You must configure Cloud Logging to keep your data in the country. What should you do?
#97
Answer: C
Which type of load balancer should you use to maintain client IP by default while using the standard network tier?
#98
Answer: D
Your organization processes sensitive health information. You want to ensure that data is encrypted while in use by the virtual machines (VMs). You must create a policy that is enforced across the entire organization. What should you do?
#99
Answer: B
Your organization is using GitHub Actions as a continuous integration and delivery (CI/CD) platform. You must enable access to Google Cloud resources from the CI/CD pipelines in the most secure way. What should you do?
#100
Answer: D
You are using Security Command Center (SCC) to protect your workloads and receive alerts for suspected security breaches at your company. You need to detect cryptocurrency mining software. Which SCC service should you use?
#101
Answer: A
Your organization is using Active Directory and wants to configure Security Assertion Markup Language (SAML). You must set up and enforce single sign-on (SSO) for all users. What should you do?
#102
Answer: A
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements:
✑ Only allows communication between the Web and App tiers.
✑ Enforces consistent network security when autoscaling the Web and App tiers.
✑ Prevents Compute Engine Instance Admins from altering network traffic.
What should you do?
#103
Answer: D
You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?
#104
Answer: A
Your company has been creating users manually in Cloud Identity to provide access to Google Cloud resources. Due to continued growth of the environment, you want to authorize the Google Cloud Directory Sync (GCDS) instance and integrate it with your on-premises LDAP server to onboard hundreds of users. You are required to:
✑ Replicate user and group lifecycle changes from the on-premises LDAP server in Cloud Identity.
✑ Disable any manually created users in Cloud Identity.
You have already configured the LDAP search attributes to include the users and security groups in scope for Google Cloud. What should you do next to complete this solution?
#105
Answer: A
You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM. What should you do?
#106
Answer: A
A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects. Which two steps should the company take to meet these requirements? (Choose two.)
E. Create projects for each environment, and grant IAM rights to each engineering user.
#107
Answer: B
You need to enforce a security policy in your Google Cloud organization that prevents users from exposing objects in their buckets externally. There are currently no buckets in your organization. Which solution should you implement proactively to achieve this goal with the least operational overhead?
#108
Answer: B
Your company is moving to Google Cloud. You plan to sync your users first by using Google Cloud Directory Sync (GCDS). Some employees have already created Google Cloud accounts by using their company email addresses that were created outside of GCDS. You must create your users on Cloud Identity. What should you do?
#109
Answer: B
Which Google Cloud service should you use to enforce access control policies for applications and resources?
#110
Answer: A
You perform a security assessment on a customer architecture and discover that multiple VMs have public IP addresses. After providing a recommendation to remove the public IP addresses, you are told those VMs need to communicate to external sites as part of the customer's typical operations. What should you recommend to reduce the need for public IP addresses in your customer's VMs?
#111
Answer: B
You need to connect your organization's on-premises network with an existing Google Cloud environment that includes one Shared VPC with two subnets named Production and Non-Production. You are required to:
✑ Use a private transport link.
✑ Configure access to Google Cloud APIs through private API endpoints originating from on-premises environments.
✑ Ensure that Google Cloud APIs are only consumed via VPC Service Controls.
What should you do?
#112
Answer: D
You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer. What should you do?
#113
Answer: A
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements:
✑ The Cloud Storage bucket in Project A can only be readable from Project B.
✑ The Cloud Storage bucket in Project A cannot be accessed from outside the network.
✑ Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket.
What should the security team do?
#114
Answer: B
An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organization's risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibility model between the organization and Google Cloud. What solution would help meet the requirements?
#115
Answer: C
An organization receives an increasing number of phishing emails. Which method should be used to protect employee credentials in this situation?
#116
Answer: A
You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project. What should you do?
#117
Answer: A
A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to control the key lifecycle. Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?
#118
Answer: B
You work for a healthcare provider that is expanding into the cloud to store and process sensitive patient data. You must ensure the chosen Google Cloud configuration meets these strict regulatory requirements:
• Data must reside within specific geographic regions.
• Certain administrative actions on patient data require explicit approval from designated compliance officers.
• Access to patient data must be auditable.
What should you do?
#119
Answer: B
Your privacy team uses crypto-shredding (deleting encryption keys) as a strategy to delete personally identifiable information (PII). You need to implement this practice on Google Cloud while still utilizing the majority of the platform's services and minimizing operational overhead. What should you do?