CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. Google
  5. Professional Cloud Security Engineer

Free Professional Cloud Security Engineer Exam Braindumps (page: 4)

Page 3 of 60
PDF with 321 Questions

A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs.

What should you do?

  1. Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.
  2. Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.
  3. Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.
  4. Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.

Answer(s): A


Reference:

https://cloud.google.com/logging/docs/logs-based-metrics/



Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.

Which logging export strategy should you use to meet the requirements?

  1. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project.
    2. Subscribe SIEM to the topic.
  2. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project.
    2. Process Cloud Storage objects in SIEM.
  3. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project.
    2. Subscribe SIEM to the topic.
  4. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project.
    2. Process Cloud Storage objects in SIEM.

Answer(s): C

Explanation:

"Your team needs to obtain a unified log view of all development cloud projects in your SIEM" - This means we are ONLY interested in development projects. "The development projects are under the NONPROD organization folder with the test and pre-production projects" - We will need to filter out development from others i.e test and pre-prod. "The development projects share the ABC-BILLING billing account with the rest of the organization." - This is unnecessary information.



A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.

Which solution should this customer use?

  1. VPC Flow Logs
  2. Cloud Armor
  3. DNS Security Extensions
  4. Cloud Identity-Aware Proxy

Answer(s): C


Reference:

https://cloud.google.com/blog/products/gcp/dnssec-now-available-in-cloud-dns

DNSSEC -- use a DNS registrar that supports DNSSEC, and enable it. DNSSEC digitally signs DNS communication, making it more difficult (but not impossible) for hackers to intercept and spoof. Domain Name System Security Extensions (DNSSEC) adds security to the Domain Name System (DNS) protocol by enabling DNS responses to be validated. Having a trustworthy Domain Name System (DNS) that translates a domain name like www.example.com into its associated IP address is an increasingly important building block of today's web-based applications. Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in- the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records. As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites. https://cloud.google.com/blog/products/gcp/dnssec-now-available- in-cloud-dns



A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities.

Which service should be used to accomplish this?

  1. Cloud Armor
  2. Google Cloud Audit Logs
  3. Cloud Security Scanner
  4. Forseti Security

Answer(s): C


Reference:

https://cloud.google.com/security-scanner/

Web Security Scanner supports categories in the OWASP Top Ten, a document that ranks and provides remediation guidance for the top 10 most critical web application security risks, as determined by the Open Web Application Security Project (OWASP). https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner- overview#detectors_and_compliance






Post your Comments and Discuss Google Professional Cloud Security Engineer exam with other Community members:

Professional Cloud Security Engineer Discussions & Posts