Google Cloud Certified – Professional Cloud Security Engineer – Practice Exam (Question 40)
QUESTION 1
A customer deployed an application on Google Compute Engine that takes advantage of the elastic nature of cloud computing.
How can you work with Infrastructure Operations Engineers to best ensure that Windows Google Compute Engine VMs are up to date with all the latest OS patches?
- A. Federate a Domain Controller into Google Compute Engine, and roll out weekly patches via Group Policy Object.
- B. Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).
- C. Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.
- D. Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.
Correct Answer: C
QUESTION 2
You are part of a security team investigating a compromised service account key.
You need to audit which new resources were created by the service account.
What should you do?
- A. Query Data Access logs.
- B. Query Admin Activity logs.
- C. Query Access Transparency logs.
- D. Query Stackdriver Monitoring Workspace.
Correct Answer: A
Reference:
- Audit logs for service accounts | Cloud IAM Documentation
QUESTION 3
A customer wants to run a batch processing system on VMs and store the output files in a Google Cloud Storage bucket.
The networking and security teams have decided that no VMs may reach the public internet.
How should this be accomplished?
- A. Mount a Google Cloud Storage bucket as a local filesystem on every VM.
- B. Provision a NAT Gateway to access the Google Cloud Storage API endpoint.
- C. Enable Private Google Access on the VPC.
- D. Create a firewall rule to block internet traffic from the VM.