Cisco®
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk®
Scrum
All Vendors
  2. Home
  3. Exams
  4. Google
  5. Professional Cloud Security Engineer

Free Professional Cloud Security Engineer Exam Braindumps (page: 16)

Page 15 of 60
PDF with 331 Questions

Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs.

The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.

How should your team meet these requirements?

  1. Enable Private Access on the VPC network in the production project.
  2. Remove the Editor role and grant the Compute Admin IAM role to the engineers.
  3. Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
  4. Set up a VPC network with two subnets: one with public IPs and one without public IPs.

Answer(s): C


Reference:

https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address https://cloud.google.com/resource-manager/docs/organization-policy/org-policy- constraints#constraints-for-specific-services



Which two security characteristics are related to the use of VPC peering to connect two VPC networks? (Choose two.)

  1. Central management of routes, firewalls, and VPNs for peered networks
  2. Non-transitive peered networks; where only directly peered networks can communicate
  3. Ability to peer networks that belong to different Google Cloud Platform organizations
  4. Firewall rules that can be created with a tag from one peered network to another peered network
  5. Ability to share specific subnets across peered networks

Answer(s): B,C

Explanation:

https://cloud.google.com/vpc/docs/vpc-peering#key_properties



A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE).

How should the DevOps team accomplish this?

  1. Use Puppet or Chef to push out the patch to the running container.
  2. Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
  3. Update the application code or apply a patch, build a new image, and redeploy it.
  4. Configure containers to automatically upgrade when the base image is available in Container Registry.

Answer(s): C

Explanation:

https://cloud.google.com/containers/security
Containers are meant to be immutable, so you deploy a new image in order to make changes. You can simplify patch management by rebuilding your images regularly, so the patch is picked up the next time a container is deployed. Get the full picture of your environment with regular image security reviews.



A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery

What should you do?

  1. Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.
  2. Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.
  3. Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.
  4. Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.

Answer(s): B

Explanation:

https://cloud.google.com/bigquery/docs/scan-with-dlp
Cloud Data Loss Prevention API allows to detect and redact or remove sensitive data before the comments or reviews are published. Cloud DLP will read information from BigQuery, Cloud Storage or Datastore and scan it for sensitive data.






Post your Comments and Discuss Google Professional Cloud Security Engineer exam with other Community members:

Exam Discussions & Posts