Download Google.Professional-Cloud-Security-Engineer.VCEplus.2024-08-23.140q.vcex

Download Exam

File Info

Exam Professional Cloud Security Engineer
Number Professional-Cloud-Security-Engineer
File Name Google.Professional-Cloud-Security-Engineer.VCEplus.2024-08-23.140q.vcex
Size 250 KB
Posted Aug 23, 2024
Download Google.Professional-Cloud-Security-Engineer.VCEplus.2024-08-23.140q.vcex

How to open VCEX & EXAM Files?

Files with VCEX & EXAM extensions can be opened by ProfExam Simulator.

Download
ProfExam Simulator

Purchase

Coupon: MASTEREXAM
With discount: 20%





Demo Questions

Question 1

A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end-user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection.
Which product should be used to meet these requirements?


  1. Cloud Armor
  2. VPC Firewall Rules
  3. Cloud Identity and Access Management
  4. Cloud CDN
Correct answer: A



Question 2

A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.
Which two approaches can you take to meet the requirements? (Choose two.)
 


  1. Configure the project with Cloud VPN.
  2. Configure the project with Shared VPC.
  3. Configure the project with Cloud Interconnect.
  4. Configure the project with VPC peering.
  5. Configure all Compute Engine instances with Private Access.
Correct answer: AC
Explanation:
A) IPsec VPN tunels: https://cloud.google.com/network-connectivity/docs/vpn/concepts/overviewInterconnect https://cloud.google.com/network-connectivity/docs/interconnect/concepts/dedicated-overview
A) IPsec VPN tunels: https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview
Interconnect https://cloud.google.com/network-connectivity/docs/interconnect/concepts/dedicated-overview



Question 3

A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity- Aware Proxy.
What should the customer do to meet these requirements?


  1. Make sure that the ERP system can validate the JWT assertion in the HTTP requests.
  2. Make sure that the ERP system can validate the identity headers in the HTTP requests.
  3. Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.
  4. Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests.
Correct answer: A
Explanation:
Use Cryptographic Verification If there is a risk of IAP being turned off or bypassed, your app can check to make sure the identity information it receives is valid. This uses a third web request header added by IAP, called X-Goog-IAP-JWT-Assertion. The value of the header is a cryptographically signed object that also contains the user identity data. Your application can verify the digital signature and use the data provided in this object to be certain that it was provided by IAP without alteration.
Use Cryptographic Verification If there is a risk of IAP being turned off or bypassed, your app can check to make sure the identity information it receives is valid. This uses a third web request header added by IAP, called X-Goog-IAP-JWT-Assertion. The value of the header is a cryptographically signed object that also contains the user identity data. Your application can verify the digital signature and use the data provided in this object to be certain that it was provided by IAP without alteration.



Question 4

A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs.
What should you do?


  1. Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.
  2. Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.
  3. Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.
  4. Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.
Correct answer: A



Question 5

Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?


  1. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project. 
    2. Subscribe SIEM to the topic.
  2. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project.
    2. Process Cloud Storage objects in SIEM.
  3. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project. 
    2. Subscribe SIEM to the topic.
  4. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project. 
    2. Process Cloud Storage objects in SIEM.
Correct answer: C
Explanation:
'Your team needs to obtain a unified log view of all development cloud projects in your SIEM' - This means we are ONLY interested in development projects. 'The development projects are under the NONPROD organization folder with the test and pre-production projects' - We will need to filter out development from others i.e test and pre-prod. 'The development projects share the ABC-BILLING billing account with the rest of the organization.' - This is unnecessary information.
'Your team needs to obtain a unified log view of all development cloud projects in your SIEM' - This means we are ONLY interested in development projects. 'The development projects are under the NONPROD organization folder with the test and pre-production projects' - We will need to filter out development from others i.e test and pre-prod. 'The development projects share the ABC-BILLING billing account with the rest of the organization.' - This is unnecessary information.



Question 6

A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?


  1. VPC Flow Logs
  2. Cloud Armor
  3. DNS Security Extensions
  4. Cloud Identity-Aware Proxy
Correct answer: C
Explanation:
DNSSEC --- use a DNS registrar that supports DNSSEC, and enable it. DNSSEC digitally signs DNS communication, making it more difficult (but not impossible) for hackers to intercept and spoof. Domain Name System Security Extensions (DNSSEC) adds security to the Domain Name System (DNS) protocol by enabling DNS responses to be validated. Having a trustworthy Domain Name System (DNS) that translates a domain name like www.example.cominto its associated IP address is an increasingly important building block of today's web-based applications. Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records. As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites. https://cloud.google.com/blog/products/gcp/dnssec-now-available-in-cloud-dns
DNSSEC --- use a DNS registrar that supports DNSSEC, and enable it. DNSSEC digitally signs DNS communication, making it more difficult (but not impossible) for hackers to intercept and spoof. Domain Name System Security Extensions (DNSSEC) adds security to the Domain Name System (DNS) protocol by enabling DNS responses to be validated. Having a trustworthy Domain Name System (DNS) that translates a domain name like www.example.cominto its associated IP address is an increasingly important building block of today's web-based applications. Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records. As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites. https://cloud.google.com/blog/products/gcp/dnssec-now-available-in-cloud-dns



Question 7

A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities.
Which service should be used to accomplish this?


  1. Cloud Armor
  2. Google Cloud Audit Logs
  3. Cloud Security Scanner
  4. Forseti Security
Correct answer: C
Explanation:
Web Security Scanner supports categories in the OWASP Top Ten, a document that ranks and provides remediation guidance for the top 10 most critical web application security risks, as determined by the Open Web Application Security Project (OWASP). https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview#detectors_and_compliance 
Web Security Scanner supports categories in the OWASP Top Ten, a document that ranks and provides remediation guidance for the top 10 most critical web application security risks, as determined by the Open Web Application Security Project (OWASP). https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview#detectors_and_compliance
 



Question 8

A customer's data science group wants to use Google Cloud Platform (GCP) for their analytics workloads. Company policy dictates that all data must be company-owned and all user authentications must go through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and realized that their domain was already being used by G Suite.
How should you best advise the Systems Engineer to proceed with the least disruption?


  1. Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.
  2. Register a new domain name, and use that for the new Cloud Identity domain.
  3. Ask Google to provision the data science manager's account as a Super Administrator in the existing domain.
  4. Ask customer's management to discover any other uses of Google managed services, and work with the existing Super Administrator.
Correct answer: D
Explanation:
https://support.google.com/cloudidentity/answer/7389973
https://support.google.com/cloudidentity/answer/7389973



Question 9

A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects.
Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources.
Which type of access should your team grant to meet this requirement?


  1. Organization Administrator
  2. Security Reviewer
  3. Organization Role Administrator
  4. Organization Policy Administrator
Correct answer: C
Explanation:
Here are the permissions available to organizationRoleAdminiam.roles.createiam.roles.deleteiam.roles.undeleteiam.roles.getiam.roles.listiam.roles.updateresourcemanager.projects.getresourcemanager.projects.getIamPolicyresourcemanager.projects.listresourcemanager.organizations.getresourcemanager.organizations.getIamPolicyThere are sufficient as per least privilege policy. You can do user management as well as auditing.https://cloud.google.com/iam/docs/understanding-custom-roles
Here are the permissions available to organizationRoleAdmin
iam.roles.create
iam.roles.delete
iam.roles.undelete
iam.roles.get
iam.roles.list
iam.roles.update
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
There are sufficient as per least privilege policy. You can do user management as well as auditing.
https://cloud.google.com/iam/docs/understanding-custom-roles



Question 10

An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege.
Which option meets the requirement of your team?


  1. Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address and allows the application to read from the bucket without credentials. 
  2. Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.
  3. Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.
  4. Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.
Correct answer: C
Explanation:
If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set, ADC uses the service account key or configuration file that the variable points to. If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, ADC uses the service account that is attached to the resource that is running your code. https://cloud.google.com/docs/authentication/production#passing_the_path_to_the_service_account_key_in_code
If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set, ADC uses the service account key or configuration file that the variable points to. If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, ADC uses the service account that is attached to the resource that is running your code. https://cloud.google.com/docs/authentication/production#passing_the_path_to_the_service_account_key_in_code









CONNECT US

Facebook

Twitter

PROFEXAM WITH A 20% DISCOUNT

You can buy ProfExam with a 20% discount!

Get Now!


HOW TO OPEN VCEX FILES

Use ProfExam Simulator to open VCEX files