Question 1

When working with agents in a support center via online chat, an organization's customers often share pictures of their documents with personally identifiable information (PII). The organization that owns the support center is concerned that the PII is being stored in their databases as part of the regular chat logs they retain for review by internal or external analysts for customer service trend analysis. Which Google Cloud solution should the organization use to help resolve this concern for the customer while still maintaining data utility?

Accepted Answer

D

Question 2

An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organization's risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibility model between the organization and Google Cloud. What solution would help meet the requirements?

Accepted Answer

Cloud Armor is a managed security service that provides DDoS protection and advanced threat protection for G Suite and other Google Cloud services. It can be used to implement network security controls such as firewalls, intrusion detection, and access control.

Question 3

A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities. Which service should be used to accomplish this?

Accepted Answer

Cloud Security Scanner is a service that helps identify security vulnerabilities in your App Engine applications, including OWASP vulnerabilities.

Question 4

A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects. Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources. Which type of access should your team grant to meet this requirement?

Accepted Answer

The answer of A business unit at a multinational corporation...

Question 5

Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team. Which type of networking design should your team use to meet these requirements?

Accepted Answer

Shared VPC allows centralization of networking resources in a host project, which can be managed by the network security team, while service projects can use these resources. This setup supports private VPN connections to on-premises environments.

Question 6

An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege. Which option meets the requirement of your team?

Accepted Answer

Using a service account with read-only access to the Cloud Storage bucket and retrieving the credentials from the instance metadata ensures the principle of least privilege and avoids storing credentials directly on the instance.

Question 7

A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project. Which two approaches can you take to meet the requirements? (Choose two.)

Accepted Answer

The answer of A company is running workloads in a...

Question 8

An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its current data backup and disaster recovery solutions to GCP for later analysis. The organization's production environment will remain on-premises for an indefinite time. The organization wants a scalable and cost-efficient solution. Which GCP solution should the organization use?

Accepted Answer

BigQuery is a scalable and cost-efficient solution for data backup and disaster recovery. It can be used to create a data pipeline job that continuously updates data from the on-premises environment to GCP.

Question 9

A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end-user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection. Which product should be used to meet these requirements?

Accepted Answer

Cloud Armor is a web application firewall that can be used to protect against DDoS attacks, including SYN floods. It can also be used to restrict access to a web application based on the source IP address.

Question 10

A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location. Which solution will restrict access to the in-progress sites?

Accepted Answer

Enabling Cloud Identity-Aware Proxy (IAP) and allowing access to a Google Group that contains the customer and employee user accounts will restrict access to the in-progress sites to only those users, regardless of their location.

Question 11

A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to manage and rotate the encryption keys. Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?

Accepted Answer

Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS) allow the customer to manage and rotate encryption keys, meeting the requirement for key management and rotation.

Question 12

A company's application is deployed with a user-managed Service Account key. You want to use Google-recommended practices to rotate the key. What should you do?

Accepted Answer

Creating a new key and updating the application to use it, then deleting the old key, follows Google-recommended practices for key rotation, ensuring security by removing the old key.

Question 13

A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system. How should the customer achieve this using Google Cloud Platform?

Accepted Answer

Encrypting secrets with a Customer-Managed Encryption Key (CMEK) and storing them in Cloud Storage provides a secure and manageable way to handle sensitive information outside of the source-code management system.

Question 14

Which two implied firewall rules are defined on a VPC network? (Choose two.)

Accepted Answer

In a VPC network, there is an implied rule that allows all outbound connections and another implied rule that denies all inbound connections unless explicitly allowed.

Question 15

How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?

Accepted Answer

Using Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic allows for scalable and reliable delivery of logs, which can then be processed and sent to the SIEM system using Dataflow.

Question 16

Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet. What should your team grant to Engineering Group A to meet this requirement?

Accepted Answer

The answer of Your team sets up a Shared VPC...

Question 17

You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google-recommended practices. What should you do?

Accepted Answer

The answer of You are creating an internal App Engine...

Question 18

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services. Which two settings must remain disabled to meet these requirements? (Choose two.)

Accepted Answer

The answer of Your team needs to make sure that...

Question 19

A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack. Which solution should this customer use?

Accepted Answer

DNS Security Extensions (DNSSEC) is a suite of specifications used to secure information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It helps prevent attackers from hijacking domains by ensuring that the responses to DNS queries are authentic and have not been tampered with, thus protecting against man-in-the-middle attacks.

Question 20

An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data Loss Prevention API technique should you use to accomplish this?

Accepted Answer

The answer of An employer wants to track how bonus...

Exam 16: Professional Cloud Security Engineer