CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. Google
  5. Professional Cloud Security Engineer

Free Professional Cloud Security Engineer Exam Braindumps (page: 3)

Page 2 of 60
PDF with 321 Questions

When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)

  1. Ensure that the app does not run as PID 1.
  2. Package a single app as a container.
  3. Remove any unnecessary tools not needed by the app.
  4. Use public container images as a base image for the app.
  5. Use many container image layers to hide sensitive information.

Answer(s): B,C


Reference:

https://cloud.google.com/solutions/best-practices-for-building-containers https://cloud.google.com/architecture/best-practices-for-building- containers#solution_1_run_as_pid_1_and_register_signal_handlers



A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end-user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection.

Which product should be used to meet these requirements?

  1. Cloud Armor
  2. VPC Firewall Rules
  3. Cloud Identity and Access Management
  4. Cloud CDN

Answer(s): A


Reference:

https://cloud.google.com/blog/products/identity-security/understanding-google-cloud- armors-new- waf-capabilities



A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.

Which two approaches can you take to meet the requirements? (Choose two.)

  1. Configure the project with Cloud VPN.
  2. Configure the project with Shared VPC.
  3. Configure the project with Cloud Interconnect.
  4. Configure the project with VPC peering.
  5. Configure all Compute Engine instances with Private Access.

Answer(s): A,C

Explanation:

A) IPsec VPN tunels: https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview Interconnect https://cloud.google.com/network-
connectivity/docs/interconnect/concepts/dedicated-overview


Reference:

https://cloud.google.com/solutions/secure-data-workloads-use-cases



A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity- Aware Proxy.

What should the customer do to meet these requirements?

  1. Make sure that the ERP system can validate the JWT assertion in the HTTP requests.
  2. Make sure that the ERP system can validate the identity headers in the HTTP requests.
  3. Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.
  4. Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests.

Answer(s): A

Explanation:

Use Cryptographic Verification If there is a risk of IAP being turned off or bypassed, your app can check to make sure the identity information it receives is valid. This uses a third web request header added by IAP, called X-Goog-IAP-JWT-Assertion. The value of the header is a cryptographically signed object that also contains the user identity data. Your application can verify the digital signature and use the data provided in this object to be certain that it was provided by IAP without alteration.






Post your Comments and Discuss Google Professional Cloud Security Engineer exam with other Community members:

Professional Cloud Security Engineer Discussions & Posts