Questions for the PROFESSIONAL CLOUD SECURITY ENGINEER were updated on : Nov 29 ,2024
You are a member of your company's security team. You have been asked to reduce your Linux bastion host external attack
surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public
locations so they can access the internal VPC while off-site. How should you enable this access?
C
Explanation:
Reference: https://cloud.google.com/architecture/building-internet-connectivity-for-private-vms
You are designing a new governance model for your organization's secrets that are stored in Secret Manager. Currently,
secrets for Production and Non-Production applications are stored and accessed using service accounts. Your proposed
solution must:
Provide granular access to secrets
Give you control over the rotation schedules for the encryption keys that wrap your secrets
Maintain environment separation Provide ease of management
Which approach should you take?
A
A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team
wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity-Aware Proxy.
What should the customer do to meet these requirements?
A
A customer wants to deploy a large number of 3-tier web applications on Compute Engine.
How should the customer ensure authenticated network separation between the different tiers of the application?
C
You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk
of its credentials being stolen by a third party. What should you do?
D
Explanation:
Reference: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts
When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)
B C
Explanation:
Reference: https://cloud.google.com/solutions/best-practices-for-building-containers
You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application
layer.
What should you do?
A
Explanation:
Reference: https://cloud.google.com/kms/docs/envelope-encryption
You want to evaluate GCP for PCI compliance. You need to identify Googles inherent controls.
Which document should you review to find the information?
C
Explanation:
Reference: https://cloud.google.com/solutions/pci-dss-compliance-in-gcp
What are the steps to encrypt data using envelope encryption?
C
Explanation:
Reference: https://cloud.google.com/kms/docs/envelope-encryption
You need to set up two network segments: one with an untrusted subnet and the other with a trusted subnet. You want to
configure a virtual appliance such as a next-generation firewall (NGFW) to inspect all traffic between the two network
segments. How should you design the network to inspect the traffic?
B
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct
earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and
must be reversible to identify the outlier.
Which Cloud Data Loss Prevention API technique should you use to accomplish this?
B
A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit
creates a Cloud Identity domain with an organizational resource that has hundreds of projects.
Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources.
Which type of access should your team grant to meet this requirement?
C
You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated
project.
What should you do?
B
Explanation:
Reference: https://cloud.google.com/compute/docs/images/restricting-image-access
Your company operates an application instance group that is currently deployed behind a Google Cloud load balancer in us-
central-1 and is configured to use the Standard Tier network. The infrastructure team wants to expand to a second Google
Cloud region, us-east-2. You need to set up a single external IP address to distribute new requests to the instance groups in
both regions.
What should you do?
A
You are working with protected health information (PHI) for an electronic health record system. The privacy officer is
concerned that sensitive data is stored in the analytics system. You are tasked with anonymizing the sensitive data in a way
that is not reversible. Also, the anonymized data should not preserve the character set and length. Which Google Cloud
solution should you use?
D
Explanation:
Reference: https://cloud.google.com/dlp/docs/pseudonymization