Free Certification Practice Questions

GOOGLE-PROFESSIONAL-CLOUD-SECURITY-ENGINEER

Google's Professional Cloud Security Engineer As part of your organization's zero trust strategy, you use Identity-Aware Proxy (IAP) to protect multiple applications. You need to ingest logs into a Security Information and Event Management (SIEM) system so that you are alerted to possible intrusions. Which logs should you analyze?
#151
Google's Professional Cloud Security Engineer You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive data. Your solution has the following requirements:
- Schedule key rotation for sensitive data.
- Control which region the encryption keys for sensitive data are stored in.
- Minimize the latency to access encryption keys for both sensitive and non-sensitive data.
What should you do?
#152
Google's Professional Cloud Security Engineer A customer's data science group wants to use Google Cloud Platform (GCP) for their analytics workloads. Company policy dictates that all data must be company-owned and all user authentications must go through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and realized that their domain was already being used by G Suite. How should you best advise the Systems Engineer to proceed with the least disruption?
#153
Google's Professional Cloud Security Engineer Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet. What should your team grant to Engineering Group A to meet this requirement?
#154
Google's Professional Cloud Security Engineer An organization wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data Loss Prevention API technique should you use?
#155
Google's Professional Cloud Security Engineer While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and wants to keep using your existing Active Directory or LDAP server along with the existing SSO password. What should you do?
#156
Google's Professional Cloud Security Engineer Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application. The solution has the following requirements:
- Scans must run at least once per week
- Must be able to detect cross-site scripting vulnerabilities
- Must be able to authenticate using Google accounts
Which solution should you use?
#157
Google's Professional Cloud Security Engineer A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means. Which connectivity option should be implemented?
#158
Google's Professional Cloud Security Engineer A customer terminates an engineer and needs to make sure the engineer's Google account is automatically deprovisioned. What should the customer do?
#159
Google's Professional Cloud Security Engineer Your organization previously stored files in Cloud Storage by using Google Managed Encryption Keys (GMEK), but has recently updated the internal policy to require Customer Managed Encryption Keys (CMEK). You need to re-encrypt the files quickly and efficiently with minimal cost. What should you do?
#160
Google's Professional Cloud Security Engineer You have noticed an increased number of phishing attacks across your enterprise user accounts. You want to implement the Google 2-Step Verification (2SV) option that uses a cryptographic signature to authenticate a user and verify the URL of the login page. Which Google 2SV option should you use?
#161
Google's Professional Cloud Security Engineer You want to make sure that your organization's Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all Cloud Storage buckets. What should you do?
#162
Google's Professional Cloud Security Engineer Your company conducts clinical trials and needs to analyze the results of a recent study that are stored in BigQuery. The interval when the medicine was taken contains start and stop dates. The interval data is critical to the analysis, but specific dates may identify a particular batch and introduce bias. You need to obfuscate the start and end dates for each row and preserve the interval data. What should you do?
#163
Google's Professional Cloud Security Engineer For compliance reporting purposes, the internal audit department needs you to provide the list of virtual machines (VMs) that have critical operating system (OS) security updates available, but not installed. You must provide this list every six months, and you want to perform this task quickly. What should you do?
#164
Google's Professional Cloud Security Engineer Your organization operates Virtual Machines (VMs) with only private IPs in the Virtual Private Cloud (VPC) with internet access through Cloud NAT. Every day, you must patch all VMs with critical OS updates and provide summary reports. What should you do?
#165
Google's Professional Cloud Security Engineer Your organization develops software involved in many open source projects and is concerned about software supply chain threats. You need to deliver provenance for the build to demonstrate the software is untampered. What should you do?
#166
Google's Professional Cloud Security Engineer Your organization manages a critical web application that serves international customers on Google Cloud. An increase in malicious traffic targeting this application has strained resources and caused periods of downtime. You need to design security measures to increase the application's resilience against web attacks, enhance perimeter protection, and provide access control. What should you do?
#167
Google's Professional Cloud Security Engineer Your organization has a workload that is regulated by European laws. You must restrict the creation of resources outside of the EU for this specific workload. You must find an effective way to implement this security control without disrupting the other global applications. What should you do?
#168
Google's Professional Cloud Security Engineer You are developing a new application that uses exclusively Compute Engine VMs. Once a day, this application will execute five different batch jobs. Each of the batch jobs requires a dedicated set of permissions on Google Cloud resources outside of your application. You need to design a secure access concept for the batch jobs that adheres to the least-privilege principle. What should you do?
#169
Google's Professional Cloud Security Engineer You have a highly sensitive BigQuery workload that contains personally identifiable information (PII) that you want to ensure is not accessible from the internet. To prevent data exfiltration, only requests from authorized IP addresses are allowed to query your BigQuery tables. What should you do?
#170
Google's Professional Cloud Security Engineer Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization. How should you enforce this?
#171
Google's Professional Cloud Security Engineer Your company is using G Suite and has developed an application meant for internal usage on Google App Engine. You need to make sure that an external user cannot gain access to the application even when an employee's password has been compromised. What should you do?
#172
Google's Professional Cloud Security Engineer Your company’s users access data in a BigQuery table. You want to ensure they can only access the data during working hours. What should you do?
#173
Google's Professional Cloud Security Engineer Your organization uses a microservices architecture based on Google Kubernetes Engine (GKE). Recent security reviews recommend tighter controls around deployed container images to reduce potential vulnerabilities and maintain compliance. You need to implement an automated system by using managed services to ensure that only approved container images are deployed to the GKE clusters. What should you do?
#174
Google's Professional Cloud Security Engineer Your organization has a hybrid cloud environment with a data center connected to Google Cloud through a dedicated Cloud Interconnect connection. You need to configure private access from your on-premises hosts to Google APIs, specifically Cloud Storage and BigQuery, without exposing traffic to the public internet. What should you do?
#175
Google's Professional Cloud Security Engineer Your DevOps team uses Packer to build Compute Engine images by using this process:
1. Create an ephemeral Compute Engine VM.
2. Copy a binary from a Cloud Storage bucket to the VM's file system.
3. Update the VM's package manager.
4. Install external packages from the internet onto the VM.
Your security team just enabled the organizational policy, constraints/compute.vmExternalIpAccess, to restrict the usage of public IP Addresses on VMs. In response, your DevOps team updated their scripts to remove public IP addresses on the Compute Engine VMs; however, the build pipeline is failing due to connectivity issues. What should you do? (Choose two.)
E. Provision a Cloud VPN tunnel in the same VPC and region as the Compute Engine VM.
#176
Google's Professional Cloud Security Engineer You manage a BigQuery analytical data warehouse in your organization. You want to keep data for all your customers in a common table while you also restrict query access based on rows and columns permissions. Non-query operations should not be supported. What should you do? (Choose two.)
E. Create column-level policy tags to control access to columns at query runtime.
#177
Google's Professional Cloud Security Engineer You are running applications outside Google Cloud that need access to Google Cloud resources. You are using workload identity federation to grant external identities Identity and Access Management (IAM) roles to eliminate the maintenance and security burden associated with service account keys. You must protect against attempts to spoof another user's identity and gain unauthorized access to Google Cloud resources. What should you do? (Choose two.)
E. Limit the resources that a service account can access.
#178
Google's Professional Cloud Security Engineer You are migrating an application into the cloud. The application will need to read data from a Cloud Storage bucket. Due to local regulatory requirements, you need to hold the key material used for encryption fully under your control and you require a valid rationale for accessing the key material. What should you do?
#179
Google's Professional Cloud Security Engineer Your organization uses the top-tier folder to separate application environments (prod and dev). The developers need to see all application development audit logs, but they are not permitted to review production logs. Your security team can review all logs in production and development environments. You must grant Identity and Access Management (IAM) roles at the right resource level for the developers and security team while you ensure least privilege. What should you do?
#180