[Apr-2023] Google Professional-Cloud-Security-Engineer Test Engine PDF - All Free Dumps from PDF4Test [Q95-Q110]

Rate this post

[Apr-2023] Google Professional-Cloud-Security-Engineer Test Engine PDF – All Free Dumps from PDF4Test

Get New Professional-Cloud-Security-Engineer Certification – Valid Exam Dumps Questions

Ensuring Compliance

The last topic of the certification exam evaluates the applicants’ understanding of regulatory concerns as well as compute environment concerns. Specifically, they will need to demonstrate their knowledge of the security shared responsibility model, security guarantees in the framework of Cloud execution environments, security guarantees & constraints for different compute environments (Google Kubernetes Engine, Compute Engine, App Engine), and more.

QUESTION 95
You are responsible for managing your company’s identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user’s access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?

On the Google Admin console, select the appropriate user account, and generate a backup code to allow the user to sign in. Ask the user to update their second factor.

On the Google Admin console, temporarily disable the 2SV requirements for all users. Ask the user to log in and add their new second factor to their account. Re-enable the 2SV requirement for all users.

On the Google Admin console, select the appropriate user account, and temporarily disable 2SV for this account Ask the user to update their second factor, and then re-enable 2SV for this account.

On the Google Admin console, use a super administrator account to reset the user account’s credentials. Ask the user to update their credentials after their first login.

QUESTION 96
You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project.
What should you do?

Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.

Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.

In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.

In Resource Manager, edit the organization permissions. Add the project ID as member with the role:
Compute Image User.

QUESTION 97
Which type of load balancer should you use to maintain client IP by default while using the standard network tier?

SSL Proxy

TCP Proxy

Internal TCP/UDP

TCP/UDP Network

QUESTION 98
An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organization’s risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibility model between the organization and Google Cloud.
What solution would help meet the requirements?

Ensure that firewall rules are in place to meet the required controls.

Set up Cloud Armor to ensure that network security controls can be managed for G Suite.

Network security is a built-in solution and Google’s Cloud responsibility for SaaS products like G Suite.

Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation.

QUESTION 99
A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?

Use Cloud Build to build the container images.

Build small containers using small base images.

Delete non-used versions from Container Registry.

Use a Continuous Delivery tool to deploy the application.

QUESTION 100
You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application’s backend. What are two requirements for using Google Cloud Armor security policies? (Choose two.)

The load balancer must be an external SSL proxy load balancer.

Google Cloud Armor Policy rules can only match on Layer 7 (L7) attributes.

The load balancer must use the Premium Network Service Tier.

The backend service’s load balancing scheme must be EXTERNAL.

The load balancer must be an external HTTP(S) load balancer.

QUESTION 101
A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?

VPC Flow Logs

Cloud Armor

DNS Security Extensions

Cloud Identity-Aware Proxy

QUESTION 102
You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application’s backend. What are two requirements for using Google Cloud Armor security policies? (Choose two.)

The load balancer must be an external SSL proxy load balancer.

Google Cloud Armor Policy rules can only match on Layer 7 (L7) attributes.

The load balancer must use the Premium Network Service Tier.

The backend service’s load balancing scheme must be EXTERNAL.

The load balancer must be an external HTTP(S) load balancer.

QUESTION 103
You want to evaluate GCP for PCI compliance. You need to identify Google’s inherent controls.
Which document should you review to find the information?

Google Cloud Platform: Customer Responsibility Matrix

PCI DSS Requirements and Security Assessment Procedures

PCI SSC Cloud Computing Guidelines

Product documentation for Compute Engine

QUESTION 104
A customer deployed an application on Compute Engine that takes advantage of the elastic nature of cloud computing.
How can you work with Infrastructure Operations Engineers to best ensure that Windows Compute Engine VMs are up to date with all the latest OS patches?

Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.

Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.

Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).

Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.

QUESTION 105
An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.
Which Cloud Identity password guidelines can the organization use to inform their new requirements?

Set the minimum length for passwords to be 8 characters.

Set the minimum length for passwords to be 10 characters.

Set the minimum length for passwords to be 12 characters.

Set the minimum length for passwords to be 6 characters.

QUESTION 106
A customer has an analytics workload running on Compute Engine that should have limited internet access.
Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.
The Compute Engine instances now need to reach out to the public repository to get security updates. What should your team do?

Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.

Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.

Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.

Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.

QUESTION 107
You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?

Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user’s temporary credentials.

Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/iam.disableServiceAccountCreation organization policy at the project level.

Create a custom service account for the cluster Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level.

Create a custom service account for the cluster Enable the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.

QUESTION 108
Which two implied firewall rules are defined on a VPC network? (Choose two.)

A rule that allows all outbound connections

A rule that denies all inbound connections

A rule that blocks all inbound port 25 connections

A rule that blocks all outbound connections

A rule that allows all inbound port 80 connections

QUESTION 109
A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?

Use Cloud Build to build the container images.

Build small containers using small base images.

Delete non-used versions from Container Registry.

Use a Continuous Delivery tool to deploy the application.

QUESTION 110
You need to set up two network segments: one with an untrusted subnet and the other with a trusted subnet.
You want to configure a virtual appliance such as a next-generation firewall (NGFW) to inspect all traffic between the two network segments. How should you design the network to inspect the traffic?

1. Set up one VPC with two subnets: one trusted and the other untrusted.
2. Configure a custom route for all traffic (0.0.0.0/0) pointed to the virtual appliance.

1. Set up one VPC with two subnets: one trusted and the other untrusted.
2. Configure a custom route for all RFC1918 subnets pointed to the virtual appliance.

1. Set up two VPC networks: one trusted and the other untrusted, and peer them together.
2. Configure a custom route on each network pointed to the virtual appliance.

1. Set up two VPC networks: one trusted and the other untrusted.
2. Configure a virtual appliance using multiple network interfaces, with each interface connected to one of the VPC networks.

100% Passing Guarantee – Brilliant Professional-Cloud-Security-Engineer Exam Questions PDF: https://www.pdf4test.com/Professional-Cloud-Security-Engineer-dump-torrent.html

Free certification test prep

[Apr-2023] Google Professional-Cloud-Security-Engineer Test Engine PDF – All Free Dumps from PDF4Test [Q95-Q110]

Ensuring Compliance

Leave a Reply Cancel reply