Free Certification Practice Questions

GOOGLE-PROFESSIONAL-CLOUD-SECURITY-ENGINEER

Applications often require access to `secrets` - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep track of `who did what, where, and when?` within their GCP projects. Which two log streams would provide the information that the administrator is looking for? (Choose two.) E. Agent logs
#121
You are the project owner for a regulated workload that runs in a project you own and manage as an Identity and Access Management (IAM) admin. For an upcoming audit, you need to provide access reviews evidence. Which tool should you use?
#122
Your organization wants to be compliant with the General Data Protection Regulation (GDPR) on Google Cloud. You must implement data residency and operational sovereignty in the EU. What should you do? (Choose two.) E. Use VPC Flow Logs to monitor intra-VPC and inter-VPC traffic in the EU.
#123
A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can only be accessed by someone on the corporate network. The customer wants to make it available over the internet. Your team requires an authentication layer in front of the application that supports two-factor authentication. Which GCP product should the customer implement to meet these requirements?
#124
A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet. How should this be accomplished?
#125
Your organization's Google Cloud VMs are deployed via an instance template that configures them with a public IP address in order to host web services for external users. The VMs reside in a service project that is attached to a host (VPC) project containing one custom Shared VPC for the VMs. You have been asked to reduce the exposure of the VMs to the internet while continuing to service external users. You have already recreated the instance template without a public IP address configuration to launch the managed instance group (MIG). What should you do?
#126
An office manager at your small startup company is responsible for matching payments to invoices and creating billing alerts. For compliance reasons, the office manager is only permitted to have the Identity and Access Management (IAM) permissions necessary for these tasks. Which two IAM roles should the office manager have? (Choose two.) E. Billing Account User
#127
You want to update your existing VPC Service Controls perimeter with a new access level. You need to avoid breaking the existing perimeter with this change, and ensure the least disruptions to users while minimizing overhead. What should you do?
#128
You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google-recommended practices. What should you do?
#129
A company's application is deployed with a user-managed Service Account key. You want to use Google-recommended practices to rotate the key. What should you do?
#130
The InfoSec team has mandated that all new Cloud Run jobs and services in production must have Binary Authorization enabled. You need to enforce this requirement. What should you do?
#131
How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?
#132
Your organization wants to be General Data Protection Regulation (GDPR) compliant. You want to ensure that your DevOps teams can only create Google Cloud resources in the Europe regions. What should you do?
#133
You are in charge of creating a new Google Cloud organization for your company. Which two actions should you take when creating the super administrator accounts? (Choose two.) E. Provide non-privileged identities to the super admin users for their day-to-day activities.
#134
You are routing all your internet-facing traffic from Google Cloud through your on-premises internet connection. You want to accomplish this goal securely and with the highest bandwidth possible. What should you do?
#135
A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery. What should you do?
#136
You need to set up a Cloud Interconnect connection between your company’s on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?
#137
Your company must follow industry-specific regulations. Therefore, you need to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources in the organization called org1. What command should you execute?
#138
You are working with a client who plans to migrate their data to Google Cloud. You are responsible for recommending an encryption service to manage their encrypted keys. You have the following requirements:
- The master key must be rotated at least once every 45 days.
- The solution that stores the master key must be FIPS 140-2 Level 3 validated.
- The master key must be stored in multiple regions within the US for redundancy.
Which solution meets these requirements?
#139
You have stored company-approved compute images in a single Google Cloud project that is used as an image repository. This project is protected with VPC Service Controls and exists in the perimeter along with other projects in your organization. This lets other projects deploy images from the image repository project. A team requires deploying a third-party disk image that is stored in an external Google Cloud organization. You need to grant read access to the disk image so that it can be deployed into the perimeter. What should you do?
#140
Your company's cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs. Which service should you use?
#141
You run applications on Cloud Run. You already enabled container analysis for vulnerability scanning. However, you are concerned about the lack of control on the applications that are deployed. You must ensure that only trusted container images are deployed on Cloud Run. What should you do? (Choose two.) E. Set the organization policy constraint constraints/compute.trustedImageProjects to the list of projects that contain the trusted container images.
#142
Your company's Google Cloud organization has about 200 projects and 1,500 virtual machines. There is no uniform strategy for logs and events management, which reduces visibility for your security operations team. You need to design a logs management solution that provides visibility and allows the security team to view the environment's configuration. What should you do?
#143
Your Google Cloud organization allows for administrative capabilities to be distributed to each team through provision of a Google Cloud project with Owner role (roles/owner). The organization contains thousands of Google Cloud projects. Security Command Center Premium has surfaced multiple OPEN_MYSQL_PORT findings. You are enforcing the guardrails and need to prevent these types of common misconfigurations. What should you do?
#144
A database administrator notices malicious activities within their Cloud SQL instance. The database administrator wants to monitor the API calls that read the configuration or metadata of resources. Which logs should the database administrator review?
#145
The security operations team needs access to the security-related logs for all projects in their organization. They have the following requirements:
- Follow the least privilege model by having only view access to logs.
- Have access to Admin Activity logs.
- Have access to Data Access logs.
- Have access to Access Transparency logs.
Which Identity and Access Management (IAM) role should the security operations team be granted?
#146
A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container. What should they do?
#147
You want to evaluate your organization's Google Cloud instance for PCI compliance. You need to identify Google's inherent controls. Which document should you review to find the information?
#148
Your company is concerned about unauthorized parties gaining access to the Google Cloud environment by using a fake login page. You must implement a solution to protect against person-in-the-middle attacks. Which security measure should you use?
#149
Your organization has on-premises hosts that need to access Google Cloud APIs. You must enforce private connectivity between these hosts, minimize costs, and optimize for operational efficiency. What should you do?
#150