Cisco®
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk®
MuleSoft
All Vendors
  2. Home
  3. Exams
  4. Google
  5. Professional Cloud Security Engineer

Free Professional Cloud Security Engineer Exam Braindumps (page: 2)

Page 2 of 60
PDF with 331 Questions

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.

Which two settings must remain disabled to meet these requirements? (Choose two.)

  1. Public IP
  2. IP Forwarding
  3. Private Google Access
  4. Static routes
  5. IAM Network User Role

Answer(s): A,C


Reference:

https://cloud.google.com/vpc/docs/configure-private-google-access



Which two implied firewall rules are defined on a VPC network? (Choose two.)

  1. A rule that allows all outbound connections
  2. A rule that denies all inbound connections
  3. A rule that blocks all inbound port 25 connections
  4. A rule that blocks all outbound connections
  5. A rule that allows all inbound port 80 connections

Answer(s): A,B

Explanation:

Implied IPv4 allow egress rule. An egress rule whose action is allow, destination is 0.0.0.0/0, and priority is the lowest possible (65535) lets any instance send traffic to any destination

Implied IPv4 deny ingress rule. An ingress rule whose action is deny, source is 0.0.0.0/0, and priority is the lowest possible (65535) protects all instances by blocking incoming connections to them.

https://cloud.google.com/vpc/docs/firewalls?hl=en#default_firewall_rules



A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.

How should the customer achieve this using Google Cloud Platform?

  1. Use Cloud Source Repositories, and store secrets in Cloud SQL.
  2. Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.
  3. Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL.
  4. Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.

Answer(s): B



Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service. Your team wants to manage permissions by AD group membership.

What should your team do to meet these requirements?

  1. Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.
  2. Set up SAML 2.0 Single Sign-On (SSO), and assign IAM permissions to the groups.
  3. Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory.
  4. Use the Admin SDK to create groups and assign IAM permissions from Active Directory.

Answer(s): A

Explanation:

"In order to be able to keep using the existing identity management system, identities need to be synchronized between AD and GCP IAM. To do so google provides a tool called Cloud Directory Sync. This tool will read all identities in AD and replicate those within GCP. Once the identities have been replicated then it's possible to apply IAM permissions on the groups. After that you will configure SAML so google can act as a service provider and either you ADFS or other third party tools like Ping or Okta will act as the identity provider. This way you effectively delegate the authentication from Google to something that is under your control."






Post your Comments and Discuss Google Professional Cloud Security Engineer exam prep with other Community members:

Professional Cloud Security Engineer Exam Discussions & Posts