Special Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

Professional-Cloud-Security-Engineer Exam Dumps - Google Cloud Certified - Professional Cloud Security Engineer

Go to page:
Question # 17

You are working with a client who plans to migrate their data to Google Cloud. You are responsible for recommending an encryption service to manage their encrypted keys. You have the following requirements:

    The master key must be rotated at least once every 45 days.

    The solution that stores the master key must be FIPS 140-2 Level 3 validated.

    The master key must be stored in multiple regions within the US for redundancy.

Which solution meets these requirements?

A.

Customer-managed encryption keys with Cloud Key Management Service

B.

Customer-managed encryption keys with Cloud HSM

C.

Customer-supplied encryption keys

D.

Google-managed encryption keys

Full Access
Question # 18

A customer’s company has multiple business units. Each business unit operates independently, and each has their own engineering group. Your team wants visibility into all projects created within the company and wants to organize their Google Cloud Platform (GCP) projects based on different business units. Each business unit also requires separate sets of IAM permissions.

Which strategy should you use to meet these needs?

A.

Create an organization node, and assign folders for each business unit.

B.

Establish standalone projects for each business unit, using gmail.com accounts.

C.

Assign GCP resources in a project, with a label identifying which business unit owns the resource.

D.

Assign GCP resources in a VPC for each business unit to separate network access.

Full Access
Question # 19

Your organization is transitioning to Google Cloud You want to ensure that only trusted container images are deployed on Google Kubernetes Engine (GKE) clusters in a project. The containers must be deployed from a centrally managed. Container Registry and signed by a trusted authority.

What should you do?

Choose 2 answers

A.

Configure the Binary Authorization policy with respective attestations for the project.

B.

Create a custom organization policy constraint to enforce Binary Authorization for Google Kubernetes Engine (GKE).

C.

Enable Container Threat Detection in the Security Command Center (SCC) for the project.

D.

Configure the trusted image organization policy constraint for the project.

E.

Enable Pod Security standards and set them to Restricted.

Full Access
Question # 20

An office manager at your small startup company is responsible for matching payments to invoices and creating billing alerts. For compliance reasons, the office manager is only permitted to have the Identity and Access Management (IAM) permissions necessary for these tasks. Which two IAM roles should the office manager have? (Choose two.)

A.

Organization Administrator

B.

Project Creator

C.

Billing Account Viewer

D.

Billing Account Costs Manager

E.

Billing Account User

Full Access
Question # 21

A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location.

How should the company accomplish this?

A.

Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.

B.

Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based

on location.

C.

Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.

D.

Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.

Full Access
Question # 22

You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.

What should you do?

A.

Set up an ACL with OWNER permission to a scope of allUsers.

B.

Set up an ACL with READER permission to a scope of allUsers.

C.

Set up a default bucket ACL and manage access for users using IAM.

D.

Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.

Full Access
Question # 23

You have just created a new log bucket to replace the _Default log bucket. You want to route all log entries that are currently routed to the _Default log bucket to this new log bucket in the most efficient manner. What should you do?​

A.

Create a user-defined sink with inclusion filters copied from the _Default sink. Select the new log bucket as the sink destination.​

B.

Create exclusion filters for the _Default sink to prevent it from receiving new logs. Create a user-defined sink, and select the new log bucket as the sink destination.​

C.

Disable the _Default sink. Create a user-defined sink and select the new log bucket as the sink destination.​

D.

Edit the _Default sink, and select the new log bucket as the sink destination.​

Full Access
Question # 24

You want to evaluate GCP for PCI compliance. You need to identify Google’s inherent controls.

Which document should you review to find the information?

A.

Google Cloud Platform: Customer Responsibility Matrix

B.

PCI DSS Requirements and Security Assessment Procedures

C.

PCI SSC Cloud Computing Guidelines

D.

Product documentation for Compute Engine

Full Access
Go to page: