[GCP] Google Cloud Certified - Professional Security Engineer

Ace Your Professional Cloud Security Engineer Certification with Practice Exams.

Google Cloud Certified – Professional Cloud Security Engineer – Practice Exam (Question 40)


QUESTION 1

A customer deployed an application on Google Compute Engine that takes advantage of the elastic nature of cloud computing.
How can you work with Infrastructure Operations Engineers to best ensure that Windows Google Compute Engine VMs are up to date with all the latest OS patches?

  • A. Federate a Domain Controller into Google Compute Engine, and roll out weekly patches via Group Policy Object.
  • B. Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).
  • C. Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.
  • D. Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.

Correct Answer: C


QUESTION 2

You are part of a security team investigating a compromised service account key.
You need to audit which new resources were created by the service account.
What should you do?

  • A. Query Data Access logs.
  • B. Query Admin Activity logs.
  • C. Query Access Transparency logs.
  • D. Query Stackdriver Monitoring Workspace.

Correct Answer: A

Reference contents:
Audit logs for service accounts | Cloud IAM Documentation


QUESTION 3

A customer wants to run a batch processing system on VMs and store the output files in a Google Cloud Storage bucket.
The networking and security teams have decided that no VMs may reach the public internet.
How should this be accomplished?

  • A. Mount a Google Cloud Storage bucket as a local filesystem on every VM.
  • B. Provision a NAT Gateway to access the Google Cloud Storage API endpoint.
  • C. Enable Private Google Access on the VPC.
  • D. Create a firewall rule to block internet traffic from the VM.

Correct Answer: B


QUESTION 4

A company is running workloads in a dedicated server room.
They must only be accessed from within the private company network. You need to connect to these workloads from Google Compute Engine instances within a Google Cloud Platform project.
Which two approaches can you take to meet the requirements? (Choose two.)

  • A. Configure the project with Cloud VPN.
  • B. Configure the project with Shared VPC.
  • C. Configure the project with Google Cloud Interconnect.
  • D. Configure the project with VPC peering.
  • E. Configure all Google Compute Engine instances with Private Access.

Correct Answer: D, E

Reference contents:
Help secure data workloads


QUESTION 5

A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.
How should the customer achieve this using Google Cloud Platform?

  • A. Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Google Cloud Storage.
  • B. Run the Google Cloud Data Loss Prevention API to scan the secrets, and store them in Google Cloud SQL.
  • C. Deploy the SCM to a Google Compute Engine VM with local SSDs, and enable preemptible VMs.
  • D. Use Cloud Source Repositories, and store secrets in Google Cloud SQL.

Correct Answer: A


QUESTION 6

A cloud customer has an on-premises key management system and wants to generate, protect, rotate, and audit encryption keys with it.
How can the customer use Google Cloud Storage with their own encryption keys?

  • A. Declare usage of default encryption at rest in the audit report on compliance.
  • B. Upload encryption keys to the same Google Cloud Storage bucket.
  • C. Use Customer Managed Encryption Keys (CMEK).
  • D. Use Customer-Supplied Encryption Keys (CSEK).

Correct Answer: D

A is not correct because default encryption at rest uses Google-generated and Google-managed keys, and hence does not address the use case.
B is not correct because you’ll first need the encryption keys in order to decrypt the data in this Google Cloud Storage bucket, but you won’t be able to have these encryption keys until you actually decrypt it. Customer-supplied encryption keys are not stored on Google’s infrastructure.
C is not correct because it doesn’t address this scenario, in which the customer wants to use their own encryption keys from their own key management system. This option would however be valid if the customer wants to use Google-generated and customer-managed keys.
D is correct because you can choose to provide your own AES-256 key when using Google Cloud Storage. This key is known as a customer-supplied encryption key (CSEK). If you provide a CSEK, Google Cloud Storage does not permanently store your key on Google’s servers or otherwise manage your key. Instead, you provide your key for each Google Cloud Storage operation, and your key is purged from Google’s servers after the operation is complete. Google Cloud Storage stores only a cryptographic hash of the key so that future requests can be validated against the hash.

Reference contents:
Encryption at Rest
Using customer-supplied encryption keys | Google Cloud Storage
Customer-supplied encryption keys | Google Cloud Storage


QUESTION 7

You are a member of the security team at an organization.
Your team has a single Google Cloud Platform (GCP) project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.
What should you do?

  • A. Use multi-factor authentication for admin access to the web application.
  • B. Use only applications certified compliant with PA-DSS.
  • C. Move the cardholder data environment into a separate GCP project.
  • D. Use VPN for all connections between your office and cloud environments.

Correct Answer: D

Reference contents:
PCI Data Security Standard compliance | Architectures


QUESTION 8

Your company wants to collect and analyze CVE information for packages in container images, and wants to prevent images with known security issues from running in your Google Kubernetes Engine environment.
Which two security features does Google recommend including in a container build pipeline?

  • A. Deployment policies.
  • B. Password policies.
  • C. Vulnerability scanning.
  • D. Network isolation.

Correct Answer: A

A is correct because deployment policies defined in Binary Authorization ensure that only trusted images can be deployed in Google Kubernetes Engine clusters. Binary Authorization can integrate with Container Analysis, which scans container images stored in Container Registry for vulnerabilities and stores trusted metadata used in the authorization process.
B is not correct because it doesn’t address the use case.
C is correct because vulnerability scanning can be performed by Container Analysis to discover package vulnerability information in container base images and obtain CVE data from the respective Linux distributions.
D is not correct because it doesn’t address the use case.

Reference contents:
Overview | Binary Authorization
Container analysis and vulnerability scanning


QUESTION 9

A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities.
Which service should be used to accomplish this?

  • A. Google Cloud Armor
  • B. Google Cloud Audit Logs
  • C. Google Cloud Security Scanner
  • D. Forseti Security

Correct Answer: C

Reference contents:
Security Command Center


QUESTION 10

Applications often require access to “secrets”: small pieces of sensitive data needed at build or run time.
The administrator managing these secrets on GCP wants to keep track of “who did what, where, and when?” within their GCP projects.
Which two log streams would provide the information that the administrator is looking for? (Choose two.)

  • A. Admin Activity logs
  • B. System Event logs
  • C. Data Access logs
  • D. VPC Flow logs
  • E. Agent logs

Correct Answer: A, C

Reference contents:
Secret Manager conceptual overview | Secret Manager Documentation


QUESTION 11

In an effort for your company messaging app to comply with FIPS 140-2, a decision was made to use GCP compute and network services.
The messaging app architecture includes a Managed Instance Group (MIG) that controls a cluster of Google Compute Engine instances. The instances use Local SSDs for data caching and UDP for instance-to-instance communications. The app development team is willing to make any changes necessary to comply with the standard.
Which options should you recommend to meet the requirements?

  • A. Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients’ TLS connections.
  • B. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.
  • C. Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.
  • D. Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.

Correct Answer: A, C


QUESTION 12

When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)

  • A. Ensure that the app does not run as PID 1.
  • B. Package a single app as a container.
  • C. Remove any unnecessary tools not needed by the app.
  • D. Use public container images as a base image for the app.
  • E. Use many container image layers to hide sensitive information.

Correct Answer: B, C

Reference contents:
Best practices for building containers | Architectures


QUESTION 13

You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.
What should you do?

  • A. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Google Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
  • B. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Google Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
  • C. Generate a new data encryption key (DEK) in Google Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
  • D. Generate a new data encryption key (DEK) in Google Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.

Correct Answer: A

Reference contents:
Envelope encryption | Google Cloud KMS Documentation


QUESTION 14

When working with agents in a support center via online chat, an organization’s customers often share pictures of their documents with personally identifiable information (PII).
The organization that owns the support center is concerned that the PII is being stored in their databases as part of the regular chat logs they retain for review by internal or external analysts for customer service trend analysis.
Which Google Cloud solution should the organization use to help resolve this concern for the customer while still maintaining data utility?

  • A. Use Google Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.
  • B. Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.
  • C. Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.
  • D. Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.

Correct Answer: D

Reference contents:
De-identifying sensitive data | Data Loss Prevention Documentation


QUESTION 15

A large e-retailer is moving to Google Cloud Platform with its ecommerce website.
The company wants to ensure payment information is encrypted between the customer’s browser and GCP when the customers checkout online.
What should they do?

  • A. Configure the firewall to allow inbound traffic on port 443, and block all other inbound traffic.
  • B. Configure an SSL Certificate on a Network TCP Load Balancer and require encryption.
  • C. Configure the firewall to allow outbound traffic on port 443, and block all other outbound traffic.
  • D. Configure an SSL Certificate on an L7 Load Balancer and require encryption.

Correct Answer: D


QUESTION 16

A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in Google BigQuery.
You need to ensure that no credit card numbers are stored in Google BigQuery.
What should you do?

  • A. Create a Google BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.
  • B. Enable Google Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in Google BigQuery.
  • C. Leverage Security Command Center to scan for the assets of type Credit Card Number in Google BigQuery.
  • D. Use the Google Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into Google BigQuery.

Correct Answer: B


QUESTION 17

An application log’s data, including customer identifiers such as email addresses, needs to be redacted.
However, these logs also include the email addresses of internal developers from company.com, and these should NOT be redacted.
Which solution should you use to meet these requirements?

  • A. Create a regular custom dictionary detector that lists a subset of the developers’ email addresses.
  • B. Create a regular expression (regex) custom infoType detector to match on @company.com.
  • C. Create a regular custom dictionary detector to match all email addresses listed in Cloud Identity.
  • D. Create a custom infoType called COMPANY_EMAIL to match @company.com.

Correct Answer: B

A is not correct because all company.com email addresses are sensitive and should be filtered; a static list is hard to maintain and can easily miss sensitive data.
B is correct because the regex will detect all company.com email addresses that need to be protected and written to the log file.
C is not correct because the user base in Cloud Identity might only be a subset of all emails that need to be protected.
D is not correct because you need to specify a detector within the custom infoType, and the detector should be a regular expression to match all @company.com email addresses.

Reference contents:
InfoType detector reference | Data Loss Prevention Documentation
Creating custom infoType detectors


QUESTION 18

Which two implied firewall rules are defined on a VPC network? (Choose two.)

  • A. A rule that allows all outbound connections.
  • B. A rule that denies all inbound connections.
  • C. A rule that blocks all inbound port 25 connections.
  • D. A rule that blocks all outbound connections.
  • E. A rule that allows all inbound port 80 connections.

Correct Answer: A, B

Reference contents:
VPC firewall rules overview


QUESTION 19

Your team sets up a Shared VPC Network where project co-vpc-prod is the host project.
Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Google Compute Engine instance to only the 10.1.1.0/24 subnet.
What should your team grant to Engineering Group A to meet this requirement?

  • A. Compute Network User Role at the host project level.
  • B. Compute Network User Role at the subnet level.
  • C. Compute Shared VPC Admin Role at the host project level.
  • D. Compute Shared VPC Admin Role at the service project level.

Correct Answer: C

Reference contents:
Shared VPC overview


QUESTION 20

An organization’s typical network and security review consists of analyzing application transit routes, request handling, and firewall rules.
They want to enable their developer teams to deploy new applications without the overhead of this full review.
How should you advise this organization?

  • A. All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.
  • B. Use Forseti with Firewall filters to catch any unwanted configurations in production.
  • C. Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.
  • D. Route all VPC traffic through customer-managed routers to detect malicious patterns in production.

Correct Answer: C


QUESTION 21

You have defined subnets in a VPC within Google Cloud Platform.
You need multiple projects to create Google Compute Engine instances with IP addresses from these subnets.
What should you do?

  • A. Configure Cloud VPN between the projects.
  • B. Set up VPC peering between all related projects.
  • C. Change the VPC subnets to enable private Google access.
  • D. Use Shared VPC to share the subnets with the other projects.

Correct Answer: D

A is not correct because Cloud VPN between projects does not provide the functionality to share a subnet on which to host resources.
B is not correct because peering two VPCs does allow traffic between the two shared networks, but it’s only bi-directional. Peered VPC networks remain administratively separate.
C is not correct because Private Google Access allows you to access Google APIs from a private IP, but it has no impact on creating Compute Engine instances on a specific subnet.
D is correct because Shared VPC allows you to share a VPC with multiple projects and keep administrative oversight in the host project, while restricting the other projects to only creating VMs with IPs in the shared VPC.

Reference contents:
Shared VPC overview
VPC Network Peering overview


QUESTION 22

An application running on a Google Compute Engine instance needs to read data from a Google Cloud Storage bucket.
Your team does not allow Google Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege.
Which option meets the requirement of your team?

  • A. Use a service account with read-only access to the Google Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Google Compute Engine instance.
  • B. Use a service account with read-only access to the Google Cloud Storage bucket to retrieve the credentials from the instance metadata.
  • C. Encrypt the data in the Google Cloud Storage bucket using Google Cloud KMS, and allow the application to decrypt the data with the KMS key.
  • D. Create a Google Cloud Storage ACL that allows read-only access from the Google Compute Engine instance’s IP address and allows the application to read from the bucket without credentials.

Correct Answer: B


QUESTION 23

Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service.
Your team wants to manage permissions by AD group membership.
What should your team do to meet these requirements?

  • A. Set up Google Cloud Directory Sync to sync groups, and set IAM permissions on the groups.
  • B. Set up SAML 2.0 Single Sign-On (SSO), and assign IAM permissions to the groups.
  • C. Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory.
  • D. Use the Admin SDK to create groups and assign IAM permissions from Active Directory.

Correct Answer: B

Reference contents:
News, Features and Announcements


QUESTION 24

You are the security admin of your company.
Your development team creates multiple GCP projects under the “implementation” folder for several dev, staging, and production workloads. You want to prevent data exfiltration by malicious insiders or compromised code by setting up a security perimeter. However, you do not want to restrict communication between the projects.
What should you do?

  • A. Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.
  • B. Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Google Cloud Function that monitors the “implementation” folder via Stackdriver and Google Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.
  • C. Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Google Cloud Function that monitors the “implementation” folder via Stackdriver and Google Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.
  • D. Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.

Correct Answer: A


QUESTION 25

A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location.
How should the company accomplish this?

  • A. Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.
  • B. Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.
  • C. Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.
  • D. Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.

Correct Answer: D


QUESTION 26

A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location.
Which solution will restrict access to the in-progress sites?

  • A. Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the company’s GCP Virtual Private Cloud (VPC) network.
  • B. Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic.
  • C. Upload an .htaccess file containing the customer and employee user accounts to App Engine.
  • D. Enable Google Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts.

Correct Answer: D


QUESTION 27

A company allows every employee to use Google Cloud Platform.
Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project.
You need to configure this behavior. What should you do to meet these requirements?

  • A. Create a Project per department under the Organization. For each department’s Project, assign the Project Viewer role to the Google Group related to that department.
  • B. Create a Folder per department under the Organization. For each department’s Folder, assign the Project Viewer role to the Google Group related to that department.
  • C. Create a Project per department under the Organization. For each department’s Project, assign the Project Browser role to the Google Group related to that department.
  • D. Create a Folder per department under the Organization. For each department’s Folder, assign the Project Browser role to the Google Group related to that department.

Correct Answer: A


QUESTION 28

Your team creates an ingress firewall rule to allow SSH access from their corporate IP range to a specific bastion host on Google Compute Engine.
Your team wants to make sure that this firewall rule cannot be used by unauthorized engineers who may otherwise have access to manage VMs in the development environment.
What should your team do to meet this requirement?

  • A. Create the firewall rule with a target of a network tag. Centrally manage access to the tag.
  • B. Create the firewall rule with a target of a service account. Centrally manage access to the service account.
  • C. Create the firewall rule in a Shared VPC with a target of a network tag.
  • D. Create the firewall rule in a Shared VPC with a target of a specific subnet.

Correct Answer: B

A is not correct because the network tag value can be inferred by examining the firewall rule or VM metadata.
B is correct because access to the service account is required to use a firewall rule with a target of a service account.
C is not correct because the target network tag value can be inferred by examining the firewall rule or VM metadata.
D is not correct because the target subnet value can be inferred by examining the firewall rule or VM metadata.

Reference contents:
VPC firewall rules overview > Filtering by service account versus network tag


QUESTION 29

You are creating an internal App Engine application that needs to access a user’s Google Drive on the user’s behalf.
Your company does not want to rely on the current user’s credentials. It also wants to follow Google-recommended practices.
What should you do?

  • A. Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.
  • B. Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.
  • C. Use a dedicated G Suite Admin account, and authenticate the application’s operations with these G Suite credentials.
  • D. Create a new Service account, and give all application users the role of Service Account User.

Correct Answer: D


QUESTION 30

Your company runs a website that will store PII on Google Cloud Platform.
To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted.
You want to automate the process of complying with this regulation. What should you do?

  • A. Store the data in a single Persistent Disk, and delete the disk at expiration time.
  • B. Store the data in a single BigTable table and set an expiration time on the column families.
  • C. Store the data in a single Google BigQuery table and set the appropriate table expiration time.
  • D. Store the data in a single Google Cloud Storage bucket and configure the bucket’s Time to Live.

Correct Answer: C


QUESTION 31

You want to evaluate GCP for PCI compliance.
You need to identify Google’s inherent controls. Which document should you review to find the information?

  • A. Google Cloud Platform: Customer Responsibility Matrix.
  • B. PCI DSS Requirements and Security Assessment Procedures.
  • C. PCI SSC Cloud Computing Guidelines.
  • D. Product documentation for Google Compute Engine.

Correct Answer: C

Reference contents:
PCI Data Security Standard compliance | Architectures


QUESTION 32

You are on your company’s development team.
You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user’s browser in a production environment.
How should you prevent and fix this vulnerability?

  • A. Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.
  • B. Set up an HTTPS load balancer, and then use Google Cloud Armor for the production environment to prevent the potential XSS attack.
  • C. Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
  • D. Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

Correct Answer: D

Reference contents:
Security Command Center documentation


QUESTION 33

A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?

  • A. VPC Flow Logs.
  • B. Google Cloud Armor.
  • C. DNS Security Extensions.
  • D. Google Cloud Identity-Aware Proxy.

Correct Answer: C

Reference contents:
DNSSEC now available in Cloud DNS


QUESTION 34

A customer is collaborating with another company to build an application on Google Compute Engine.
The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means.
Which connectivity option should be implemented?

  • A. Cloud VPN.
  • B. VPC peering.
  • C. Shared VPC.
  • D. Google Cloud Interconnect.

Correct Answer: A


QUESTION 35

A customer wants to deploy a large number of 3-tier web applications on Google Compute Engine.
How should the customer ensure authenticated network separation between the different tiers of the application?

  • A. Run each tier in its own subnet, and use subnet-based firewall rules.
  • B. Run each tier in its own Project, and segregate using Project labels.
  • C. Run each tier with its own VM tags, and use tag-based firewall rules.
  • D. Run each tier with a different Service Account (SA), and use SA-based firewall rules.

Correct Answer: A


QUESTION 36

A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in Google BigQuery.
What technique should the institution use?

  • A. Use Google Cloud Storage as a federated Data Source.
  • B. Use a Cloud Hardware Security Module (Cloud HSM).
  • C. Customer-managed encryption keys (CMEK).
  • D. Customer-supplied encryption keys (CSEK).

Correct Answer: C

Reference contents:
Encryption at rest | Google BigQuery


QUESTION 37

Your company is storing files on Google Cloud Storage.
To comply with local regulations, you want to ensure that uploaded files cannot be deleted within the first 5 years. It should not be possible to lower the retention period after it has been set.
What should you do?

  • A. Apply a retention period of 5 years to the bucket, and lock the bucket.
  • B. Enable Temporary hold and apply a retention period of 5 years to the bucket.
  • C. Use Cloud IAM to ensure that nobody has an IAM role that has the permissions to delete files from Google Cloud Storage.
  • D. Create an object lifecycle rule using the Age condition and the Delete action. Set the Age condition to 5 years.

Correct Answer: A

A is correct because Bucket Lock allows you to configure a data retention policy for a Google Cloud Storage bucket that governs how long objects in the bucket must be retained. The feature also allows you to lock the data retention policy, permanently preventing the policy from being reduced or removed.
B is not correct because object holds can be easily released by operators/admins.
C is not correct because an admin can grant themselves or someone else enough rights to tamper with the files in Google Cloud Storage.
D is not correct because an Age condition with a Delete action does not prevent objects from being manually deleted before the Age condition is met.

Reference contents:
Retention policies and retention policy locks | Google Cloud Storage


QUESTION 38

An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities.
This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.
Which Google Cloud Data Loss Prevention API technique should you use to accomplish this?

  • A. Generalization
  • B. Redaction
  • C. CryptoReplaceFfxFpeConfig
  • D. CryptoHashConfig

Correct Answer: B


QUESTION 39

A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP).
The customer’s internal compliance requirements dictate that end-user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP’s native SYN flood protection.
Which product should be used to meet these requirements?

  • A. Google Cloud Armor
  • B. VPC Firewall Rules
  • C. Cloud Identity and Access Management
  • D. Cloud CDN

Correct Answer: A

Reference contents:
Google Cloud Armor adds WAF, telemetry features


QUESTION 40

A customer terminates an engineer and needs to make sure the engineer’s Google account is automatically deprovisioned.
What should the customer do?

  • A. Use the Google Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity.
  • B. Use the Google Cloud SDK with their directory service to provision and deprovision users from Cloud Identity.
  • C. Configure Google Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity.
  • D. Configure Google Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity.

Correct Answer: C
