Free Jan-2024 Professional-Cloud-Security-Engineer Dumps are Available for Instant Access [Q93-Q116]



Where can you take the Google Professional Cloud Security Engineer Exam

Registration for the Google Professional Cloud Security Engineer exam follows these steps:

  • Step 1: Visit the Google Cloud Webassessor website.
  • Step 2: Sign in to your Google Cloud Webassessor account, or create one.
  • Step 3: Search for the exam by name: Google Professional Cloud Security Engineer.
  • Step 4: Pick an exam date, choose an exam center, and pay with a credit/debit card or another accepted payment method.

 

NEW QUESTION # 93
A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?

  • A. Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.
  • B. On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.
  • C. On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.
  • D. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.

Answer: D

Explanation:
Only a content scan can tell PII-bearing objects from the rest. A Cloud Storage upload notification delivered through Pub/Sub triggers a Cloud Function that calls the Cloud DLP inspection API on the new object; if findings come back, the function moves the object into the administrator-only bucket. Object Lifecycle Management (C) and Storage triggers (B) act on object metadata, not content, so they cannot detect PII, and uploading everything to both buckets first (A) exposes the PII to analysts until the deletion job runs.
https://codelabs.developers.google.com/codelabs/cloud-storage-dlp-functions#0
https://www.youtube.com/watch?v=0TmO1f-Ox40


NEW QUESTION # 94
Your company has been creating users manually in Cloud Identity to provide access to Google Cloud resources. Due to continued growth of the environment, you want to authorize the Google Cloud Directory Sync (GCDS) instance and integrate it with your on-premises LDAP server to onboard hundreds of users. You are required to:
Replicate user and group lifecycle changes from the on-premises LDAP server in Cloud Identity.
Disable any manually created users in Cloud Identity.
You have already configured the LDAP search attributes to include the users and security groups in scope for Google Cloud. What should you do next to complete this solution?

  • A. 1. Configure the option to suspend domain users not found in LDAP.
    2. Set up a recurring GCDS task.
  • B. 1. Configure the LDAP search attributes to exclude manually created Cloud identity users not found in LDAP.
    2. Run GCDS after user and group lifecycle changes.
  • C. 1. Configure the option to delete domain users not found in LDAP.
    2. Run GCDS after user and group lifecycle changes.
  • D. 1. Configure the LDAP search attributes to exclude manually created Cloud Identity users not found in LDAP.
    2. Set up a recurring GCDS task.

Answer: A

Explanation:
To satisfy "Disable any manually created users in Cloud Identity", configure GCDS to suspend (rather than delete) Google accounts that are not found in the LDAP directory, and schedule GCDS as a recurring task so lifecycle changes keep replicating. Suspension is reversible and preserves the user's data; deletion (C) is not. The LDAP search attributes only select which LDAP entries are in scope and cannot act on Cloud Identity users that have no LDAP counterpart (B, D). Ref:
https://support.google.com/a/answer/7177267


NEW QUESTION # 95
You are working with a client who plans to migrate their data to Google Cloud. You are responsible for recommending an encryption service to manage their encrypted keys. You have the following requirements:
The master key must be rotated at least once every 45 days.
The solution that stores the master key must be FIPS 140-2 Level 3 validated.
The master key must be stored in multiple regions within the US for redundancy.
Which solution meets these requirements?

  • A. Customer-managed encryption keys with Cloud Key Management Service
  • B. Google-managed encryption keys
  • C. Customer-supplied encryption keys
  • D. Customer-managed encryption keys with Cloud HSM

Answer: D

Explanation:
Only Cloud HSM meets all three requirements: keys are held in FIPS 140-2 Level 3 validated HSMs, HSM-backed keys can be created in a multi-region location such as us, and Cloud KMS rotation can be scheduled for any period (here 45 days or less). Software keys in Cloud KMS (A) are FIPS 140-2 Level 1. Google-managed keys (B) give no control over rotation period or protection level, and customer-supplied keys (C) are never stored by Google at all.


NEW QUESTION # 96
Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:
The network connection must be encrypted.
The communication between servers must be over private IP addresses.
What should you do?

  • A. Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
  • B. Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
  • C. Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.
  • D. Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.

Answer: A

Explanation:
VPC Network Peering works between VPC networks in different organizations, keeps all traffic on private (RFC 1918) addresses, and Google encrypts and authenticates VM-to-VM traffic within a VPC network and between peered VPC networks whenever it leaves a physical boundary that Google controls. Firewall rules in each VPC still govern which instances may talk, and peering requires non-overlapping subnet ranges on both sides. Cloud VPN (B) would also encrypt private-IP traffic, but it terminates on public endpoints and adds tunnel bandwidth limits for what is an intra-Google path. VPC Service Controls (C) is a data-exfiltration perimeter for Google APIs, not a network path, and an Apigee proxy (D) exposes the application over public endpoints.
https://cloud.google.com/docs/security/encryption-in-transit#cio-level_summary


NEW QUESTION # 97
You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to-know basis to the HR team. What should you do?

  • A. Perform data inspection with the DLP API and store that data in BigQuery for later use.
  • B. Perform data masking with the DLP API and store that data in BigQuery for later use.
  • C. Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.
  • D. Perform data redaction with the DLP API and store that data in BigQuery for later use.

Answer: C

Explanation:
Pseudonymization is a de-identification technique that replaces sensitive data values with cryptographically generated tokens. Pseudonymization is widely used in industries like finance and healthcare to help reduce the risk of data in use, narrow compliance scope, and minimize the exposure of sensitive data to systems while preserving data utility and accuracy.
https://cloud.google.com/dlp/docs/pseudonymization
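Added example, not from the page, the exam, or Google's DLP documentation: a local Python illustration of why tokenization is the right de-identification transform here. The sample rows, field names, and the HMAC-plus-vault tokenizer are constructed assumptions; in production the DLP API's deterministic encryption or format-preserving encryption with a KMS-wrapped key plays the tokenizer's role. It shows that redaction and masking are one-way (HR can never recover the values), while keyed deterministic tokenization keeps grouping and joins working for the operations team and lets the holder of the vault re-identify on a need-to-know basis.

```python
import hashlib
import hmac

SENSITIVE_FIELDS = ("first_name", "email")

# Constructed sample rows standing in for a BigQuery table; not real data.
ROWS = [
    {"first_name": "Alice", "email": "alice@example.com", "tickets_closed": 12},
    {"first_name": "Bob", "email": "bob@example.com", "tickets_closed": 7},
    {"first_name": "Alice", "email": "alice@example.com", "tickets_closed": 3},
]


def redact(row):
    """Redaction: remove the sensitive values entirely. One-way; joins on them are gone."""
    return {k: v for k, v in row.items() if k not in SENSITIVE_FIELDS}


def mask(row, visible=2, mask_char="*"):
    """Masking: keep the last `visible` characters, overwrite the rest. One-way."""
    out = dict(row)
    for field in SENSITIVE_FIELDS:
        value = str(row[field])
        out[field] = mask_char * max(len(value) - visible, 0) + value[-visible:]
    return out


class TokenVault:
    """Keyed deterministic tokenization (pseudonymization).

    The same input always maps to the same token, so the operations team can still
    group and join on it, but only the holder of the vault (HR) can reverse it.
    HMAC-SHA256 under a secret key is a simplification standing in for the DLP API's
    deterministic or format-preserving encryption with a KMS-wrapped key (assumption).
    """

    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}  # token -> original value; lives only with the HR team

    def tokenize(self, value: str) -> str:
        token = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]  # KeyError for anything this vault never issued


def pseudonymize(row, vault: TokenVault):
    out = dict(row)
    for field in SENSITIVE_FIELDS:
        out[field] = vault.tokenize(str(row[field]))
    return out


def tickets_per_person(rows):
    """Aggregation the operations team needs; works on tokens exactly as on clear text."""
    totals = {}
    for row in rows:
        totals[row["email"]] = totals.get(row["email"], 0) + row["tickets_closed"]
    return totals


if __name__ == "__main__":
    vault = TokenVault(key=b"demo-key-held-by-hr")  # constructed key, not a real secret
    ops_view = [pseudonymize(r, vault) for r in ROWS]
    print("ops view:", ops_view)
    print("per-person totals on tokens:", tickets_per_person(ops_view))
    print("HR re-identifies:", {t: vault.detokenize(t) for t in tickets_per_person(ops_view)})
    print("masked:", mask(ROWS[0]))
    print("redacted:", redact(ROWS[0]))
```

Because the token is deterministic, the operations team's aggregate (tickets per person) comes out identical on the pseudonymized table; that is the "preserving data utility" property the explanation refers to, and it is exactly what redaction and masking destroy.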


NEW QUESTION # 98
A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects.
Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources.
Which type of access should your team grant to meet this requirement?

  • A. Organization Administrator
  • B. Security Reviewer
  • C. Organization Policy Administrator
  • D. Organization Role Administrator

Answer: A

Explanation:
The Organization Administrator role (roles/resourcemanager.organizationAdmin) is the one that lets a team manage IAM policies and review audit logs for every resource under the organization node. Organization Policy Administrator (C) only manages organization policy constraints, Organization Role Administrator (D) only manages custom roles, and Security Reviewer (B) is read-only.
https://cloud.google.com/resource-manager/docs/access-control-org


NEW QUESTION # 99
Your customer has an on-premises Public Key Infrastructure (PKI) with a certificate authority (CA). You need to issue certificates for many HTTP load balancer frontends. The on-premises PKI should be minimally affected due to many manual processes, and the solution needs to scale.
What should you do?

  • A. Use Certificate Manager to issue Google-managed public certificates and configure them on the HTTP load balancers in your infrastructure as code (IaC).
  • B. Use PKCS #12 certificates issued from an OpenSSL-based subordinate CA on-premises, import them with the gcloud tool, and use an external TCP/UDP network load balancer instead of an external HTTP load balancer.
  • C. Create a subordinate CA in Google Certificate Authority Service that chains to the on-premises PKI, and use it to issue certificates for the load balancers.
  • D. Use Certificate Manager to import certificates issued from the on-premises PKI for the frontends, leveraging the gcloud tool for importing.

Answer: C

Explanation:
Creating a subordinate CA in Certificate Authority Service, signed once by the on-premises root, lets certificates for the load balancer frontends be issued inside Google Cloud without touching the on-premises processes again. Issuance can then be automated and scales with the number of load balancers, while the chain of trust still ends at the customer's own root. Importing individually issued on-premises certificates (B, D) keeps the manual work, and Google-managed public certificates (A) do not come from the customer's PKI.


NEW QUESTION # 100
You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?

  • A. Create a custom service account for the cluster. Enforce the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level.
  • B. Create a custom service account for the cluster. Enforce the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.
  • C. Create a dedicated Cloud Identity user account for the cluster. Enforce the constraints/iam.disableServiceAccountCreation organization policy at the project level.
  • D. Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials.

Answer: A

Explanation:
A Compute Engine workload should use its attached service account and obtain short-lived tokens from the metadata server instead of downloaded keys. The iam.disableServiceAccountKeyCreation boolean constraint disables the creation of new user-managed (external) service account keys, so no long-lived credential exists to be stolen; when the constraint is enforced, user-managed keys cannot be created for service accounts in the affected projects. User accounts (C, D) are not meant for workloads, and allowServiceAccountCredentialLifetimeExtension (B) only lengthens token lifetimes.
https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#example_polic


NEW QUESTION # 101
A database administrator notices malicious activities within their Cloud SQL instance. The database administrator wants to monitor the API calls that read the configuration or metadata of resources. Which logs should the database administrator review?

  • A. Admin Activity
  • B. Data Access
  • C. System Event
  • D. Access Transparency

Answer: B

Explanation:
Data Access audit logs record API calls that read the configuration or metadata of resources, as well as user-driven reads and writes of resource data. Admin Activity logs (A) record calls that modify configuration or metadata, System Event logs (C) record Google-initiated changes, and Access Transparency logs (D) record actions taken by Google personnel. Note that Data Access logs for Cloud SQL are disabled by default and must be enabled explicitly before they can be reviewed.


NEW QUESTION # 102
An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organization's risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibility model between the organization and Google Cloud.
What solution would help meet the requirements?

  • A. Network security is a built-in solution and Google's Cloud responsibility for SaaS products like G Suite.
  • B. Set up Cloud Armor to ensure that network security controls can be managed for G Suite.
  • C. Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation.
  • D. Ensure that firewall rules are in place to meet the required controls.

Answer: A

Explanation:
Under the shared responsibility model, Google is responsible for security of the cloud: the hardware, software, networking, and facilities that run its services, which includes the network security controls for a SaaS product such as G Suite. The customer cannot place Cloud Armor, VPC networks, or firewall rules in front of Google-hosted SaaS (B, C, D); the customer's side of the model for G Suite covers identity, access, data, and device controls.
https://gsuite.google.com/learn-more/security/security-whitepaper/page-1.html


NEW QUESTION # 103
Last week, a company deployed a new App Engine application that writes logs to BigQuery. No other workloads are running in the project. You need to validate that all data written to BigQuery was done using the App Engine Default Service Account.
What should you do?

  • A. 1. In BigQuery, select the related dataset.
    2. Make sure the App Engine Default Service Account is the only account that can write to the dataset.
  • B. 1. Go to the IAM section on the project.
    2. Validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery.
  • C. 1. Use Stackdriver Logging (now Cloud Logging) and filter on BigQuery Insert Jobs.
    2. Click on the email address in line with the App Engine Default Service Account in the authentication field.
    3. Click Show Matching Entries.
    4. Make sure the resulting list is empty.
  • D. 1. Use Stackdriver Logging (now Cloud Logging) and filter on BigQuery Insert Jobs.
    2. Click on the email address in line with the App Engine Default Service Account in the authentication field.
    3. Click Hide Matching Entries.
    4. Make sure the resulting list is empty.

Answer: D

Explanation:
IAM (B) and dataset permissions (A) show who could write, not who did. Audit logs show what actually happened: filter the BigQuery job-insert entries, hide every entry whose principal is the App Engine default service account, and confirm that nothing remains. Showing the matching entries (C) would list the expected writes, so an empty list there would prove the opposite.
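Added example, not from the page, the exam, or Google's documentation, serving both question 101 and question 103: the same checks performed in Python over a handful of constructed Cloud Audit Log entries. The project ID, principals, and the trimmed entry shape are assumptions; real exports carry many more fields. audit_log_type shows why reads of configuration or metadata are looked for in the Data Access log family (Q101), and bigquery_insert_jobs plus principals_other_than reproduce the "filter, hide the expected principal, expect an empty list" procedure of Q103.

```python
from urllib.parse import unquote

PROJECT = "my-project"  # hypothetical project ID (assumption)
APP_ENGINE_SA = f"{PROJECT}@appspot.gserviceaccount.com"


def _entry(log_type, service, method, principal):
    """Build a trimmed Cloud Audit Log entry (constructed test data, not a real export)."""
    return {
        "logName": f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2F{log_type}",
        "protoPayload": {
            "serviceName": service,
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
        },
    }


# Constructed sample: two expected App Engine writes, one unexpected human write,
# a Cloud SQL metadata read, a Cloud SQL config change, and a Google-initiated event.
SAMPLE_LOG = [
    _entry("data_access", "bigquery.googleapis.com",
           "google.cloud.bigquery.v2.JobService.InsertJob", APP_ENGINE_SA),
    _entry("data_access", "bigquery.googleapis.com",
           "google.cloud.bigquery.v2.JobService.InsertJob", APP_ENGINE_SA),
    _entry("data_access", "bigquery.googleapis.com",
           "google.cloud.bigquery.v2.JobService.InsertJob", "dev@example.com"),
    _entry("data_access", "cloudsql.googleapis.com", "cloudsql.instances.get", "dba@example.com"),
    _entry("activity", "cloudsql.googleapis.com", "cloudsql.instances.update", "dba@example.com"),
    _entry("system_event", "compute.googleapis.com",
           "compute.instances.migrateOnHostMaintenance", "system@google.com"),
]

LOG_TYPES = {"activity": "Admin Activity", "data_access": "Data Access",
             "system_event": "System Event", "policy": "Policy Denied"}


def audit_log_type(entry):
    """Map the URL-encoded logName suffix to the audit log family it belongs to."""
    suffix = unquote(entry["logName"]).rsplit("/", 1)[-1]
    return LOG_TYPES.get(suffix, "Unknown")


def reads_of_config_or_metadata(entries, service):
    """Q101: metadata and configuration reads are recorded in Data Access logs."""
    return [e for e in entries
            if audit_log_type(e) == "Data Access"
            and e["protoPayload"]["serviceName"] == service]


def bigquery_insert_jobs(entries):
    """Q103 step 1: the equivalent of a Logs Explorer filter on BigQuery InsertJob calls."""
    return [e for e in entries
            if e["protoPayload"]["serviceName"] == "bigquery.googleapis.com"
            and e["protoPayload"]["methodName"].endswith("JobService.InsertJob")]


def principals_other_than(entries, expected_principal):
    """Q103 steps 2-4: 'Hide matching entries' for the expected principal; whatever
    remains is a finding, so the desired result is an empty list."""
    return sorted({e["protoPayload"]["authenticationInfo"]["principalEmail"]
                   for e in entries
                   if e["protoPayload"]["authenticationInfo"]["principalEmail"]
                   != expected_principal})


if __name__ == "__main__":
    jobs = bigquery_insert_jobs(SAMPLE_LOG)
    print("BigQuery insert jobs:", len(jobs))
    print("writers other than the App Engine default SA:",
          principals_other_than(jobs, APP_ENGINE_SA) or "none")
    for e in reads_of_config_or_metadata(SAMPLE_LOG, "cloudsql.googleapis.com"):
        print(audit_log_type(e), e["protoPayload"]["methodName"])
```

BigQuery Data Access logs are enabled by default; for Cloud SQL they are off until you enable them, so the Q101 check returns nothing on a project where nobody turned them on, which is itself a finding worth raising.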


NEW QUESTION # 104
A customer has an analytics workload running on Compute Engine that should have limited internet access.
Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.
The Compute Engine instances now need to reach out to the public repository to get security updates.
What should your team do?

  • A. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.
  • B. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.
  • C. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.
  • D. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.

Answer: D

Explanation:
VPC firewall rules match on IP ranges, protocols, and ports, not hostnames, so A and C cannot be configured. Rules are evaluated from the lowest priority number upward and the first match wins, so an allow rule numbered above 1000 (B) is never reached because the deny rule at 1000 already matches. The allow rule for the repository's CIDR range therefore needs a priority number lower than 1000.


NEW QUESTION # 105
You perform a security assessment on a customer architecture and discover that multiple VMs have public IP addresses. After providing a recommendation to remove the public IP addresses, you are told those VMs need to communicate to external sites as part of the customer's typical operations. What should you recommend to reduce the need for public IP addresses in your customer's VMs?

  • A. Cloud VPN
  • B. Cloud NAT
  • C. Cloud Router
  • D. Google Cloud Armor

Answer: B

Explanation:
Cloud NAT lets instances without external IP addresses make outbound connections to the internet through a shared pool of NAT addresses while remaining unreachable from outside. Cloud VPN (A) connects networks, Cloud Router (C) exchanges routes (it is a prerequisite for Cloud NAT, not the NAT itself), and Cloud Armor (D) protects load-balanced applications from inbound traffic.


NEW QUESTION # 106
Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.
Which two settings must remain disabled to meet these requirements? (Choose two.)

  • A. Private Google Access
  • B. Static routes
  • C. IP Forwarding
  • D. Public IP
  • E. IAM Network User Role

Answer: A,D

Explanation:
Without an external IP address the instance has no path to the internet (the default route to the internet gateway only carries traffic from instances that have an external IP or sit behind Cloud NAT), and with Private Google Access disabled on its subnet it cannot reach Google APIs and services over internal addresses either. Static routes, IP forwarding, and the Network User role do not by themselves give an instance internet or API reachability.
Reference:
https://cloud.google.com/vpc/docs/configure-private-google-access


NEW QUESTION # 107
You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources. Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts.
Which two actions should you take? (Choose two.)

  • A. Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity.
  • B. Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts.
  • C. Use the Google Admin console to view which managed users are using a personal account for their recovery email.
  • D. Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.
  • E. Add users to your managed Google account and force users to change the email addresses associated with their personal accounts.

Answer: A,B

Explanation:
Google Cloud Directory Sync keeps Cloud Identity in step with the third-party identity provider, and the Transfer Tool for Unmanaged Users finds personal (unmanaged) Google accounts that use the corporate domain and invites their owners to transfer them into the managed domain. Asking users to delete accounts (D) or forcing an email change (E) loses data and is not the recommended path, and the recovery-email report (C) does not identify unmanaged accounts.


NEW QUESTION # 108
Your company's cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs. Which service should you use?

  • A. TCP/UDP Load Balancing
  • B. Cloud NAT
  • C. Identity Aware-Proxy
  • D. Cloud DNS

Answer: B

Explanation:
https://cloud.google.com/nat/docs/overview "Cloud NAT (network address translation) lets certain resources without external IP addresses create outbound connections to the internet."


NEW QUESTION # 109
A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity- Aware Proxy.
What should the customer do to meet these requirements?

  • A. Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.
  • B. Make sure that the ERP system can validate the JWT assertion in the HTTP requests.
  • C. Make sure that the ERP system can validate the identity headers in the HTTP requests.
  • D. Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests.

Answer: B

Explanation:
IAP adds a signed JWT to every request it proxies, in the x-goog-iap-jwt-assertion header. Verifying that JWT's signature against Google's published IAP public keys and checking its issuer, audience (the value expected for this backend), and expiry proves the request actually passed through IAP. Headers such as x-forwarded-for (A) and the plain identity headers (C, D) can be set by anyone who reaches the backend directly, so they must not be trusted on their own. Pair the JWT check with firewall rules that restrict the backend to the load balancer and IAP address ranges.


NEW QUESTION # 110
You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS). Cloud Identity and Access Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys.
What should you do?

  • A. Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the Key level.
  • B. Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the Key level.
  • C. Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the KeyRing level.
  • D. Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the KeyRing level.

Answer: D

Explanation:
Cloud KMS IAM policies can be set at the key ring level and are inherited by every key in the ring. Putting all disk keys in one key ring and managing permissions there gives the required grouped management in a single place; per-key or per-ring policies (A, B, C) would have to be kept in sync by hand.


NEW QUESTION # 111
A company migrated their entire data center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want a historical record of what was running in Google Cloud Platform at any point in time.
What should you do?

  • A. Use Resource Manager on the organization level.
  • B. Use Stackdriver to create a dashboard across all projects.
  • C. Use Security Command Center to view all assets across the organization.
  • D. Use Forseti Security to automate inventory snapshots.

Answer: D

Explanation:
Forseti Security's Inventory module takes periodic snapshots of the organization's resources into Cloud SQL, so both past and present states (a historical record) can be queried. Security Command Center, Stackdriver dashboards, and Resource Manager only show the current state. https://forsetisecurity.org/about/


NEW QUESTION # 112
A Cloud Development team needs to use service accounts extensively in their local development.
You need to provide the team with the keys for these service accounts. You want to follow Google-recommended practices. What should you do?

  • A. Implement a daily key rotation process, and provide developers with a Cloud Storage bucket from which they can download the new key every day.
  • B. Create a Google Group with all developers. Assign the group the IAM role of Service Account User, and have developers generate and download their own keys.
  • C. Create a Google Group with all developers. Assign the group the IAM role of Service Account Admin, and have developers generate and download their own keys.
  • D. Implement a daily key rotation process that generates a new key and commits it to the source code repository every day.

Answer: A

Explanation:
A is correct because it gives a centralized, admin-managed rotation process and does not delegate key creation to the developers, which is the easier and safer way to manage keys.
B is not correct because the Service Account User role does not allow creation of keys.
C is not correct because it veers away from best practice: keys are then created in a decentralized way and can be leaked.
D is not correct because a source code repository is not the place to store keys that expire or change.
Note that current guidance goes further: avoid downloaded keys where possible and use service account impersonation or workload identity federation for local development, reserving keys for cases with no alternative.
https://cloud.google.com/blog/products/gcp/help-keep-your-google-cloud-service-account-keys-safe
https://cloud.google.com/iam/docs/understanding-service-accounts#best_practices
https://cloud.google.com/iam/docs/creating-managing-service-account-keys


NEW QUESTION # 113
You're developing the incident response plan for your company. You need to define the access strategy that your DevOps team will use when reviewing and investigating a deployment issue in your Google Cloud environment. There are two main requirements:
Least-privilege access must be enforced at all times.
The DevOps team must be able to access the required resources only during the deployment issue.
How should you grant access while following Google-recommended best practices?

  • A. Create a custom IAM role with limited list/view permissions, and assign it to the DevOps team.
  • B. Assign the Project Viewer Identity and Access Management (IAM) role to the DevOps team.
  • C. Create a service account, and grant it the Project Owner IAM role. Give the Service Account User role on this service account to the DevOps team.
  • D. Create a service account, and grant it limited list/view permissions. Give the Service Account User role on this service account to the DevOps team.

Answer: A


NEW QUESTION # 114
Which two implied firewall rules are defined on a VPC network? (Choose two.)

  • A. A rule that blocks all outbound connections
  • B. A rule that blocks all inbound port 25 connections
  • C. A rule that denies all inbound connections
  • D. A rule that allows all inbound port 80 connections
  • E. A rule that allows all outbound connections

Answer: C,E

Explanation:
Every VPC network carries two implied rules at the lowest priority (65535): an implied allow-egress rule permitting all outbound connections and an implied deny-ingress rule blocking all inbound connections. They cannot be removed, but any user-defined rule with a lower priority number overrides them.
https://cloud.google.com/vpc/docs/firewalls
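Added example, not from the page, the exam, or Google's documentation, serving both question 104 and question 114: a Python model of how VPC firewall rules are evaluated. The implied rules are real (priority 65535, allow all egress, deny all ingress); the team's rules, the repository range 203.0.113.0/24, and the rule dictionary format are constructed assumptions. It shows that a lower priority number wins, that an allow rule numbered above the deny rule at 1000 never fires, and that a rule's ranges must be CIDRs, so a hostname is rejected.

```python
import ipaddress

# The two implied rules every VPC network carries (Q114). Priority 65535 is the lowest
# possible, so any user-defined rule with a smaller number overrides them.
IMPLIED_RULES = [
    {"name": "implied-allow-egress", "direction": "EGRESS", "action": "allow",
     "priority": 65535, "ranges": ["0.0.0.0/0"]},
    {"name": "implied-deny-ingress", "direction": "INGRESS", "action": "deny",
     "priority": 65535, "ranges": ["0.0.0.0/0"]},
]


def validate_rule(rule):
    """Reject what the VPC API would reject: ranges must be CIDRs, not hostnames,
    and priority must lie in 0..65535."""
    if not 0 <= rule["priority"] <= 65535:
        raise ValueError(f"{rule['name']}: priority out of range")
    for rng in rule["ranges"]:
        ipaddress.ip_network(rng)  # raises ValueError for 'repo.example.com'
    return rule


def evaluate(user_rules, direction, remote_ip):
    """Return (action, rule_name) for a packet in `direction` to/from `remote_ip`.

    Lowest priority number wins; at equal priority a deny beats an allow. The implied
    rules only decide when nothing else matches.
    """
    ip = ipaddress.ip_address(remote_ip)
    matches = [
        r for r in [validate_rule(r) for r in user_rules] + IMPLIED_RULES
        if r["direction"] == direction
        and any(ip in ipaddress.ip_network(rng) for rng in r["ranges"])
    ]
    best = min(matches, key=lambda r: (r["priority"], 0 if r["action"] == "deny" else 1))
    return best["action"], best["name"]


# Q104: the team's deny-all egress rule at priority 1000 (constructed).
DENY_ALL_EGRESS = {"name": "deny-all-egress", "direction": "EGRESS", "action": "deny",
                   "priority": 1000, "ranges": ["0.0.0.0/0"]}
REPO_CIDR = "203.0.113.0/24"  # hypothetical package repository range (TEST-NET-3)


def allow_repo(priority):
    return {"name": "allow-repo", "direction": "EGRESS", "action": "allow",
            "priority": priority, "ranges": [REPO_CIDR]}


OPTION_B = [DENY_ALL_EGRESS, allow_repo(2000)]  # allow numbered above the deny: never reached
OPTION_D = [DENY_ALL_EGRESS, allow_repo(500)]   # allow numbered below the deny: matches first

if __name__ == "__main__":
    repo_host, other_host = "203.0.113.10", "198.51.100.5"
    print("option B to repo:", evaluate(OPTION_B, "EGRESS", repo_host))
    print("option D to repo:", evaluate(OPTION_D, "EGRESS", repo_host))
    print("option D elsewhere:", evaluate(OPTION_D, "EGRESS", other_host))
    print("implied only, ingress:", evaluate([], "INGRESS", "8.8.8.8"))
    print("implied only, egress:", evaluate([], "EGRESS", "8.8.8.8"))
    try:
        validate_rule({"name": "allow-repo-hostname", "direction": "EGRESS", "action": "allow",
                       "priority": 500, "ranges": ["repo.example.com"]})
    except ValueError as err:
        print("hostname rule rejected:", err)
```

Real rules also match on protocol, port, and target tags or service accounts, which this model leaves out; the priority and CIDR behaviour it demonstrates is unchanged by those extra match fields.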


NEW QUESTION # 115
While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?

  • A. Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
  • B. Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
  • C. Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.
  • D. Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.

Answer: D

Explanation:
Google Cloud Directory Sync provisions and updates users and groups in the Google domain from the existing Active Directory or LDAP server, and SAML-based single sign-on against the existing identity provider lets users keep their existing SSO password. Manual synchronization (A) does not scale, and the GCP Console does not accept Kerberos credentials or arbitrary OIDC tokens directly (B, C).
https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform




To prepare for the Professional-Cloud-Security-Engineer certification exam, Google offers a variety of training resources such as online courses, practice tests, and certification guides. Additionally, Google recommends having hands-on experience with Google Cloud Platform and familiarity with the relevant concepts and objectives of the certification exam. Google also offers a community platform where individuals can interact with other professionals, share their knowledge, and learn from the experiences of others.

 

The Most In-Demand Professional-Cloud-Security-Engineer Pass Guaranteed Quiz : https://tesking.pass4cram.com/Professional-Cloud-Security-Engineer-dumps-torrent.html