Free Professional Cloud Security Engineer Exam Braindumps

A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to manage and rotate the encryption keys.

Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?

  A. Customer-supplied encryption keys (CSEK)
  B. Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
  C. Encryption by default
  D. Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis

Answer(s): B


Reference:

https://cloud.google.com/kubernetes-engine/docs/how-to/dynamic-provisioning-cmek



Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud.

What should you do?

  A. Use the Cloud Key Management Service to manage the data encryption key (DEK).
  B. Use the Cloud Key Management Service to manage the key encryption key (KEK).
  C. Use customer-supplied encryption keys to manage the data encryption key (DEK).
  D. Use customer-supplied encryption keys to manage the key encryption key (KEK).

Answer(s): B

Explanation:

This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK). For more information on Google data encryption keys, see Encryption at Rest.
https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption

https://codelabs.developers.google.com/codelabs/encrypt-and-decrypt-data-with-cloud-kms#0



You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.

What should you do?

  A. Use multi-factor authentication for admin access to the web application.
  B. Use only applications certified compliant with PA-DSS.
  C. Move the cardholder data environment into a separate GCP project.
  D. Use VPN for all connections between your office and cloud environments.

Answer(s): C

Explanation:

https://cloud.google.com/solutions/best-practices-vpc-design

"Setting up your payment-processing environment" section in https://cloud.google.com/solutions/pci-dss-compliance-in-gcp.



A retail customer allows users to upload comments and product reviews. The customer needs to make sure the text does not include sensitive data before the comments or reviews are published.

Which Google Cloud Service should be used to achieve this?

  A. Cloud Key Management Service
  B. Cloud Data Loss Prevention API
  C. BigQuery
  D. Cloud Security Scanner

Answer(s): B





