Professional-Cloud-Security-Engineer Exam Dumps - Google Cloud Certified - Professional Cloud Security Engineer

Searching for workable clues to ace the Google Professional-Cloud-Security-Engineer Exam? You’re on the right place! ExamCert has realistic, trusted and authentic exam prep tools to help you achieve your desired credential. ExamCert’s Professional-Cloud-Security-Engineer PDF Study Guide, Testing Engine and Exam Dumps follow a reliable exam preparation strategy, providing you the most relevant and updated study material that is crafted in an easy to learn format of questions and answers. ExamCert’s study tools aim at simplifying all complex and confusing concepts of the exam and introduce you to the real exam scenario and practice it with the help of its testing engine and real exam dumps

Go to page:

<< First
Prev
2
3
4
5
6
7
8
9
10
11
Next
Last >>

Question # 49

You work for a large organization where each business unit has thousands of users. You need to delegate management of access control permissions to each business unit. You have the following requirements:

Each business unit manages access controls for their own projects.

Each business unit manages access control permissions at scale.

Business units cannot access other business units' projects.

Users lose their access if they move to a different business unit or leave the company.

Users and access control permissions are managed by the on-premises directory service.

What should you do? (Choose two.)

Use VPC Service Controls to create perimeters around each business unit's project.

Organize projects in folders, and assign permissions to Google groups at the folder level.

Group business units based on Organization Units (OUs) and manage permissions based on OUs.

Create a project naming convention, and use Google's IAM Conditions to manage access based on the prefix of project names.

Use Google Cloud Directory Sync to synchronize users and group memberships in Cloud Identity.

Full Access

Question # 50

An organizationâ€™s typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review.

How should you advise this organization?

Use Forseti with Firewall filters to catch any unwanted configurations in production.

Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.

Route all VPC traffic through customer-managed routers to detect malicious patterns in production.

All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.

Full Access

Question # 51

An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organizationâ€™s risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibility model between the organization and Google Cloud.

What solution would help meet the requirements?

Ensure that firewall rules are in place to meet the required controls.

Set up Cloud Armor to ensure that network security controls can be managed for G Suite.

Network security is a built-in solution and Googleâ€™s Cloud responsibility for SaaS products like G Suite.

Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation.

Full Access

Question # 52

Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate,

and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud.

What should you do?

Use the Cloud Key Management Service to manage the data encryption key (DEK).

Use the Cloud Key Management Service to manage the key encryption key (KEK).

Use customer-supplied encryption keys to manage the data encryption key (DEK).

Use customer-supplied encryption keys to manage the key encryption key (KEK).

Full Access

Question # 53

Which Identity-Aware Proxy role should you grant to an Identity and Access Management (IAM) user to access HTTPS resources?

Security Reviewer

lAP-Secured Tunnel User

lAP-Secured Web App User

Service Broker Operator

Full Access

Question # 54

Your company requires the security and network engineering teams to identify all network anomalies within and across VPCs, internal traffic from VMs to VMs, traffic between end locations on the internet and VMs, and traffic between VMs to Google Cloud services in production. Which method should you use?

Define an organization policy constraint.

Configure packet mirroring policies.

Enable VPC Flow Logs on the subnet.

Monitor and analyze Cloud Audit Logs.

Full Access

Question # 55

You are designing a new governance model for your organization's secrets that are stored in Secret Manager. Currently, secrets for Production and Non-Production applications are stored and accessed using service accounts. Your proposed solution must:

Provide granular access to secrets

Give you control over the rotation schedules for the encryption keys that wrap your secrets

Maintain environment separation

Provide ease of management

Which approach should you take?

1. Use separate Google Cloud projects to store Production and Non-Production secrets.2. Enforce access control to secrets using project-level identity and Access Management (IAM) bindings.3. Use customer-managed encryption keys to encrypt secrets.

1. Use a single Google Cloud project to store both Production and Non-Production secrets.2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.3. Use Google-managed encryption keys to encrypt secrets.

1. Use separate Google Cloud projects to store Production and Non-Production secrets.2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.3. Use Google-managed encryption keys to encrypt secrets.

1. Use a single Google Cloud project to store both Production and Non-Production secrets.2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings.3. Use customer-managed encryption keys to encrypt secrets.

Full Access

Question # 56

You manage a mission-critical workload for your organization, which is in a highly regulated industry The workload uses Compute Engine VMs to analyze and process the sensitive data after it is uploaded to Cloud Storage from the endpomt computers. Your compliance team has detected that this workload does not meet the data protection requirements for sensitive data. You need to meet these requirements;

â€¢ Manage the data encryption key (DEK) outside the Google Cloud boundary.

â€¢ Maintain full control of encryption keys through a third-party provider.

â€¢ Encrypt the sensitive data before uploading it to Cloud Storage

â€¢ Decrypt the sensitive data during processing in the Compute Engine VMs

â€¢ Encrypt the sensitive data in memory while in use in the Compute Engine VMs

What should you do?

Choose 2 answers

Create a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets

Migrate the Compute Engine VMs to Confidential VMs to access the sensitive data.

Configure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage and decrypt the sensitive data after it is downloaded into your VMs

Create Confidential VMs to access the sensitive data.

Configure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.

Full Access