Special Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

Professional-Cloud-Security-Engineer Exam Dumps - Google Cloud Certified - Professional Cloud Security Engineer

Go to page:
Question # 57

You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application's backend. What are two requirements for using Google Cloud Armor security policies? (Choose two.)

A.

The load balancer must be an external SSL proxy load balancer.

B.

Google Cloud Armor Policy rules can only match on Layer 7 (L7) attributes.

C.

The load balancer must use the Premium Network Service Tier.

D.

The backend service's load balancing scheme must be EXTERNAL.

E.

The load balancer must be an external HTTP(S) load balancer.

Full Access
Question # 58

Your organization leverages folders to represent different teams within your Google Cloud environment. To support Infrastructure as Code (IaC) practices, each team receives a dedicated service account upon onboarding. You want to ensure that teams have comprehensive permissions to manage resources within their assigned folders while adhering to the principle of least privilege. You must design the permissions for these team-based service accounts in the most effective way possible. What should you do?​

A.

Grant each service account the folder administrator role on its respective folder.​

B.

Grant each service account the project creator role at the organization level and use folder-level IAM conditions to restrict project creation to specific folders.​Reddit

C.

Assign each service account the project editor role at the organization level and instruct teams to use IAM bindings at the folder level for fine-grained permissions.​

D.

Assign each service account the folder IAM administrator role on its respective folder to allow teams to create and manage additional custom roles if needed.​

Full Access
Question # 59

Your company must follow industry specific regulations. Therefore, you need to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources in the organization called org1.

What command should you execute?

A.

• organization policy: constraints/gcp.restrictStorageNonCraekServices

• binding at: orgl

• policy type: deny

• policy value: storage.gcogleapis.com

B.

• organization policy: constraints/gcp.restrictHonCmekServices

• binding at: orgl

• policy type: deny

• policy value: storage.googleapis.com

C.

• organization policy:constraints/gcp.restrictStorageNonCraekServices

• binding at: orgl

• policy type: allow

• policy value: all supported services

D.

• organization policy: constramts/gcp.restrictNonCmekServices

• binding at: orgl

• policy type: allow

• policy value: storage.googleapis.com

Full Access
Question # 60

The security operations team needs access to the security-related logs for all projects in their organization. They have the following requirements:

Follow the least privilege model by having only view access to logs.

Have access to Admin Activity logs.

Have access to Data Access logs.

Have access to Access Transparency logs.

Which Identity and Access Management (IAM) role should the security operations team be granted?

A.

roles/logging.privateLogViewer

B.

roles/logging.admin

C.

roles/viewer

D.

roles/logging.viewer

Full Access
Question # 61

An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.

Which GCP solution should the organization use?

A.

BigQuery using a data pipeline job with continuous updates via Cloud VPN

B.

Cloud Storage using a scheduled task and gsutil via Cloud Interconnect

C.

Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect

D.

Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN

Full Access
Question # 62

You must ensure that the keys used for at-rest encryption of your data are compliant with your organization's security controls. One security control mandates that keys get rotated every 90 days. You must implement an effective detection strategy to validate if keys are rotated as required. What should you do?​

A.

Analyze the crypto key versions of the keys by using data from Cloud Asset Inventory. If an active key is older than 90 days, send an alert message through your incident notification channel.​

B.

Identify keys that have not been rotated by using Security Health Analytics. If a key is not rotated after 90 days, a finding in Security Command Center is raised.​

C.

Assess the keys in the Cloud Key Management Service by implementing code in Cloud Run. If a key is not rotated after 90 days, raise a finding in Security Command Center.​

D.

Define a metric that checks for timely key updates by using Cloud Logging. If a key is not rotated after 90 days, send an alert message through your incident notification channel.​

Full Access
Question # 63

You are setting up a new Cloud Storage bucket in your environment that is encrypted with a customer managed encryption key (CMEK). The CMEK is stored in Cloud Key Management Service (KMS). in project "pr j -a", and the Cloud Storage bucket will use project "prj-b". The key is backed by a Cloud Hardware Security Module (HSM) and resides in the region europe-west3. Your storage bucket will be located in the region europe-west1. When you create the bucket, you cannot access the key. and you need to troubleshoot why.

What has caused the access issue?

A.

A firewall rule prevents the key from being accessible.

B.

Cloud HSM does not support Cloud Storage

C.

The CMEK is in a different project than the Cloud Storage bucket

D.

The CMEK is in a different region than the Cloud Storage bucket.

Full Access
Question # 64

Your company uses Google Cloud and has publicly exposed network assets. You want to discover the assets and perform a security audit on these assets by using a software tool in the least amount of time.

What should you do?

A.

Run a platform security scanner on all instances in the organization.

B.

Notify Google about the pending audit and wait for confirmation before performing the scan.

C.

Contact a Google approved security vendor to perform the audit.

D.

Identify all external assets by using Cloud Asset Inventory and then run a network security scanner against them.

Full Access
Go to page: