Free Professional Cloud Security Engineer Exam Braindumps (page: 18)


A customer has an analytics workload running on Compute Engine that should have limited internet access.

Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.

The Compute Engine instances now need to reach out to the public repository to get security updates.
What should your team do?

  A. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.
  B. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.
  C. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.
  D. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.

Answer(s): B

Explanation:

https://cloud.google.com/vpc/docs/firewalls#priority_order_for_firewall_rules



You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS). Cloud Identity and Access Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys.

What should you do?

  A. Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the Key level.
  B. Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the KeyRing level.
  C. Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the Key level.
  D. Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the KeyRing level.

Answer(s): B

Explanation:

https://cloud.netapp.com/blog/gcp-cvo-blg-how-to-use-google-cloud-encryption-with-a-persistent-disk



A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.

What should you do?

  A. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move it into a Cloud Storage bucket only accessible by the administrator.
  B. Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.
  C. On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.
  D. On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.

Answer(s): A

Explanation:

https://codelabs.developers.google.com/codelabs/cloud-storage-dlp-functions#0
https://www.youtube.com/watch?v=0TmO1f-Ox40



A customer terminates an engineer and needs to make sure the engineer's Google account is automatically deprovisioned.

What should the customer do?

  A. Use the Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity.
  B. Use the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity.
  C. Configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity.
  D. Configure Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity.

Answer(s): C

Explanation:

https://cloud.google.com/identity/solutions/automate-user-provisioning#cloud_identity_automated_provisioning
"Cloud Identity has a catalog of automated provisioning connectors, which act as a bridge between Cloud Identity and third-party cloud apps."
