Free Certification Practice Questions

GOOGLE-PROFESSIONAL-CLOUD-SECURITY-ENGINEER

Google's Professional Cloud Security Engineer A customer's company has multiple business units. Each business unit operates independently, and each has their own engineering group. Your team wants visibility into all projects created within the company and wants to organize their Google Cloud Platform (GCP) projects based on different business units. Each business unit also requires separate sets of IAM permissions. Which strategy should you use to meet these needs?
#211
Google's Professional Cloud Security Engineer You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment. How should you prevent and fix this vulnerability?
#212
Google's Professional Cloud Security Engineer An organization's typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review. How should you advise this organization?
#213
Google's Professional Cloud Security Engineer A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location. Which solution will restrict access to the in-progress sites?
#214
Google's Professional Cloud Security Engineer You have an application where the frontend is deployed on a managed instance group in subnet A and the data layer is stored on a MySQL Compute Engine virtual machine (VM) in subnet B on the same VPC. Subnet A and Subnet B hold several other Compute Engine VMs. You only want to allow the application frontend to access the data in the application's MySQL instance on port 3306. What should you do?
#215
Google's Professional Cloud Security Engineer An administrative application is running on a virtual machine (VM) in a managed group at port 5601 inside a Virtual Private Cloud (VPC) instance without access to the internet currently. You want to expose the web interface at port 5601 to users and enforce authentication and authorization Google credentials. What should you do?
#216
Google's Professional Cloud Security Engineer Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network. How should your team design this network?
#217
Google's Professional Cloud Security Engineer Your team wants to limit users with administrative privileges at the organization level. Which two roles should your team restrict? (Choose two.) E. Organization Role Viewer
#218
Google's Professional Cloud Security Engineer Your organization wants to be continuously evaluated against CIS Google Cloud Computing Foundations Benchmark v1.3.0 (CIS Google Cloud Foundation 1.3). Some of the controls are irrelevant to your organization and must be disregarded in evaluation. You need to create an automated system or process to ensure that only the relevant controls are evaluated. What should you do?
#219
Google's Professional Cloud Security Engineer You manage a Google Cloud organization with many projects located in various regions around the world. The projects are protected by the same Access Context Manager access policy. You created a new folder that will host two projects that process protected health information (PHI) for US-based customers. The two projects will be separately managed and require stricter protections. You are setting up the VPC Service Controls configuration for the new folder. You must ensure that only US-based personnel can access these projects and restrict Google Cloud API access to only BigQuery and Cloud Storage within these projects. What should you do?
#220
Google's Professional Cloud Security Engineer Your team maintains 1PB of sensitive data within BigQuery that contains personally identifiable information (PII). You need to provide access to this dataset to another team within your organization for analysis purposes. You must share the BigQuery dataset with the other team while protecting the PII. What should you do?
#221
Google's Professional Cloud Security Engineer Your organization has an operational image classification model running on a managed AI service on Google Cloud. You are in a configuration review with stakeholders and must describe the security responsibilities for the image classification model. What should you do?
#222
Google's Professional Cloud Security Engineer You are running code in Google Kubernetes Engine (GKE) containers in Google Cloud that require access to objects stored in a Cloud Storage bucket. You need to securely grant the Pods access to the bucket while minimizing management overhead. What should you do?
#223
Google's Professional Cloud Security Engineer Your organization is adopting Google Cloud and wants to ensure sensitive resources are only accessible from devices within the internal on-premises corporate network. You must configure Access Context Manager to enforce this requirement. These considerations apply:
• The internal network uses IP ranges 10.100.0.0/16 and 192.168.0.0/16.
• Some employees work remotely but connect securely through a company-managed virtual private network (VPN). The VPN dynamically allocates IP addresses from the pool 172.16.0.0/20.
• Access should be restricted to a specific Google Cloud project that is contained within an existing service perimeter.
What should you do?
#224
Google's Professional Cloud Security Engineer Your organization uses Google Cloud to process large amounts of location data for analysis and visualization. The location data is potentially sensitive. You must design a solution that allows storing and processing the location data securely, minimizing data exposure risks, and adhering to both regulatory guidelines and your organization's internal data residency policies. What should you do?
#225
Google's Professional Cloud Security Engineer Your organization utilizes Cloud Run services within multiple projects underneath the non-production folder which requires primarily internal communication. Some services need external access to approved fully qualified domain names (FQDN) while other external traffic must be blocked. Internal applications must not be exposed. You must achieve this granular control with allowlists overriding broader restrictions only for designated VPCs. What should you do?
#226
Google's Professional Cloud Security Engineer Your organization hosts a sensitive web application in Google Cloud. To protect the web application, you've set up a virtual private cloud (VPC) with dedicated subnets for the application's frontend and backend components. You must implement security controls to restrict incoming traffic, protect against web-based attacks, and monitor internal traffic. What should you do?
#227
Google's Professional Cloud Security Engineer In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.) E. Boot
#228
Google's Professional Cloud Security Engineer Your organization recently activated the Security Command Center (SCC) standard tier. There are a few Cloud Storage buckets that were accidentally made accessible to the public. You need to investigate the impact of the incident and remediate it. What should you do?
#229
Google's Professional Cloud Security Engineer Your application is deployed as a highly available, cross-region solution behind a global external HTTP(S) load balancer. You notice significant spikes in traffic from multiple IP addresses, but it is unknown whether the IPs are malicious. You are concerned about your application's availability. You want to limit traffic from these clients over a specified time interval. What should you do?
#230
Google's Professional Cloud Security Engineer You are a consultant for an organization that is considering migrating their data from its private cloud to Google Cloud. The organization's compliance team is not familiar with Google Cloud and needs guidance on how compliance requirements will be met on Google Cloud. One specific compliance requirement is for customer data at rest to reside within specific geographic boundaries. Which option should you recommend for the organization to meet their data residency requirements on Google Cloud? E. Google Cloud Armor
#231
Google's Professional Cloud Security Engineer Users are reporting an outage on your public-facing application that is hosted on Compute Engine. You suspect that a recent change to your firewall rules is responsible. You need to test whether your firewall rules are working properly. What should you do?
#232
Google's Professional Cloud Security Engineer You want to prevent users from accidentally deleting a Shared VPC host project. Which organization-level policy constraint should you enable?
#233
Google's Professional Cloud Security Engineer You need to enable VPC Service Controls and allow changes to perimeters in existing environments without preventing access to resources. Which VPC Service Controls mode should you use?
#234
Google's Professional Cloud Security Engineer You are a member of your company's security team. You have been asked to reduce your Linux bastion host external attack surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can access the internal VPC while off-site. How should you enable this access?
#235
Google's Professional Cloud Security Engineer You recently joined the networking team supporting your company's Google Cloud implementation. You are tasked with familiarizing yourself with the firewall rules configuration and providing recommendations based on your networking and Google Cloud experience. What product should you recommend to detect firewall rules that are overlapped by attributes from other firewall rules with higher or equal priority?
#236
Google's Professional Cloud Security Engineer Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups. Which Google Cloud service should you use?
#237
Google's Professional Cloud Security Engineer You work for a large organization where each business unit has thousands of users. You need to delegate management of access control permissions to each business unit. You have the following requirements:
• Each business unit manages access controls for their own projects.
• Each business unit manages access control permissions at scale.
• Business units cannot access other business units' projects.
• Users lose their access if they move to a different business unit or leave the company.
• Users and access control permissions are managed by the on-premises directory service.
What should you do? (Choose two.) E. Use Google Cloud Directory Sync to synchronize users and group memberships in Cloud Identity.
#238
Google's Professional Cloud Security Engineer You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use? E. VPC Service Controls in dry run mode
#239
Google's Professional Cloud Security Engineer Your company operates an application instance group that is currently deployed behind a Google Cloud load balancer in us-central-1 and is configured to use the Standard Tier network. The infrastructure team wants to expand to a second Google Cloud region, us-east-2. You need to set up a single external IP address to distribute new requests to the instance groups in both regions. What should you do?
#240