Google's Professional Cloud Security Engineer
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its current data backup and disaster recovery solutions to GCP for later analysis. The organization's production environment will remain on-premises for an indefinite time. The organization wants a scalable and cost-efficient solution. Which GCP solution should the organization use?
#271
Answer: B
Your organization leverages folders to represent different teams within your Google Cloud environment. To support Infrastructure as Code (IaC) practices, each team receives a dedicated service account upon onboarding. You want to ensure that teams have comprehensive permissions to manage resources within their assigned folders while adhering to the principle of least privilege. You must design the permissions for these team-based service accounts in the most effective way possible. What should you do?
#272
Answer: A
You are responsible for managing identities in your company’s Google Cloud organization. Employees are frequently using your organization's corporate domain name to create unmanaged Google accounts. You want to implement a practical and efficient solution to prevent employees from completing this action in the future. What should you do?
#273
Answer: A
You are exporting application logs to Cloud Storage. You encounter an error message that the log sinks don't support uniform bucket-level access policies. How should you resolve this error?
#274
Answer: A
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented. Which GCP solution should the organization use?
#275
Answer: B
A manager wants to start retaining security event logs for 2 years while minimizing costs. You write a filter to select the appropriate log entries. Where should you export the logs?
#276
Answer: B
You need to use Cloud External Key Manager to create an encryption key to encrypt specific BigQuery data at rest in Google Cloud. Which steps should you do first?
#277
Answer: C
Your company uses Google Cloud and has publicly exposed network assets. You want to discover the assets and perform a security audit on these assets by using a software tool in the least amount of time. What should you do?
#278
Answer: B
Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?
#279
Answer: C
Your organization's customers must scan and upload the contract and their driver license into a web portal in Cloud Storage. You must remove all personally identifiable information (PII) from files that are older than 12 months. Also, you must archive the anonymized files for retention purposes. What should you do?
#280
Answer: B
Employees at your company use their personal computers to access your organization's Google Cloud console. You need to ensure that users can only access the Google Cloud console from their corporate-issued devices and verify that they have a valid enterprise certificate. What should you do?
#281
Answer: A
You need to centralize your team's logs for production projects. You want your team to be able to search and analyze the logs using Logs Explorer. What should you do?
#282
Answer: D
You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?
#283
Answer: A
You are onboarding new users into Cloud Identity and discover that some users have created consumer user accounts using the corporate domain name. How should you manage these consumer user accounts with Cloud Identity?
#284
Answer: C
You have created an OS image that is hardened per your organization's security standards and is being stored in a project managed by the security team. As a Google Cloud administrator, you need to make sure all VMs in your Google Cloud organization can only use that specific OS image while minimizing operational overhead. What should you do? (Choose two.)
E. Remove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.
#285
Answer: B
You need to create a VPC that enables your security team to control network resources such as firewall rules. How should you configure the network to allow for separation of duties for network resources?
#286
Answer: D
Your company's chief information security officer (CISO) is requiring business data to be stored in specific locations due to regulatory requirements that affect the company's global expansion plans. After working on a plan to implement this requirement, you determine the following:
✑ The services in scope are included in the Google Cloud data residency requirements.
✑ The business data remains within specific locations under the same organization.
✑ The folder structure can contain multiple data residency locations.
✑ The projects are aligned to specific locations.
You plan to use the Resource Location Restriction organization policy constraint with very granular control. At which level in the hierarchy should you set the constraint?
#287
Answer: C
You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account. What should you do?
#288
Answer: B
A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator. What should you do?
#289
Answer: A
You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources. Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts. Which two actions should you take? (Choose two.)
E. Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.
#290
Answer: A
You are auditing all your Google Cloud resources in the production project. You want to identify all principals who can change firewall rules. What should you do?
#291
Answer: D
A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application. The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud. What should you do?
#292
Answer: C
You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your Google Cloud VPCs based on packet header information. However, you want the capability to explore network flows and their payload to aid investigations. Which Google Cloud product should you use?
E. Google Cloud Armor Deep Packet Inspection
#293
Answer: D
Your company requires the security and network engineering teams to identify all network anomalies within and across VPCs, internal traffic from VMs to VMs, traffic between end locations on the internet and VMs, and traffic between VMs to Google Cloud services in production. Which method should you use?
#294
Answer: B
Your team needs to prevent users from creating projects in the organization. Only the DevOps team should be allowed to create projects on behalf of the requester. Which two tasks should your team perform to handle this request? (Choose two.)
E. Grant the billing account creator role to the designated DevOps team.
#295
Answer: A
Which Identity-Aware Proxy role should you grant to an Identity and Access Management (IAM) user to access HTTPS resources?
#296
Answer: C
You are consulting with a client that requires end-to-end encryption of application data (including data in transit, data in use, and data at rest) within Google Cloud. Which options should you utilize to accomplish this? (Choose two.)
E. Client-side encryption
#297
Answer: D
You have been tasked with configuring Security Command Center for your organization's Google Cloud environment. Your security team needs to receive alerts of potential crypto mining in the organization's compute environment and alerts for common Google Cloud misconfigurations that impact security. Which Security Command Center features should you use to configure these alerts? (Choose two.)
E. Google Cloud Armor
#298
Answer: A
You work for an organization in a regulated industry that has strict data protection requirements. The organization backs up their data in the cloud. To comply with data privacy regulations, this data can only be stored for a specific length of time and must be deleted after this specific period. You want to automate the compliance with this regulation while minimizing storage costs. What should you do?
#299
Answer: D
You need to set up a Cloud Interconnect connection between your company's on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?