New Release Professional-Cloud-Security-Engineer Google Cloud Certified Questions

Page: 14 / 17

Question 56

You are developing a new application that uses exclusively Compute Engine VMs Once a day. this application will execute five different batch jobs Each of the batch jobs requires a dedicated set of permissions on Google Cloud resources outside of your application. You need to design a secure access concept for the batch jobs that adheres to the least-privilege principle

What should you do?

Options:

1. Create a general service account **g-sa" to execute the batch jobs.

• 2 Grant the permissions required to execute the batch jobs to g-sa.

• 3. Execute the batch jobs with the permissions granted to g-sa

1. Create a general service account "g-sa" to orchestrate the batch jobs.

• 2. Create one service account per batch job Mb-sa-[1-5]," and grant only the permissions required to run the individual batch jobs to the service accounts.

• 3. Grant the Service Account Token Creator role to g-sa Use g-sa to obtain short-lived access tokens for b-sa-[1-5] and to execute the batch jobs with the permissions of b-sa-[1-5].

1. Create a workload identity pool and configure workload identity pool providers for each batch job

• 2 Assign the workload identity user role to each of the identities configured in the providers.

• 3. Create one service account per batch job Mb-sa-[1-5]". and grant only the permissions required to run the individual batch jobs to the service accounts

• 4 Generate credential configuration files for each of the providers

• 1. Create a general service account "g-sa" to orchestrate the batch jobs.

• 2 Create one service account per batch job 'b-sa-[1-5)\ Grant only the permissions required to run the individual batch jobs to the service accounts and generate service account keys for each of these service accounts

• 3. Store the service account keys in Secret Manager. Grant g-sa access to Secret Manager and run the batch jobs with the permis

Question 57

Which Google Cloud service should you use to enforce access control policies for applications and resources?

Options:

Identity-Aware Proxy

Cloud NAT

Google Cloud Armor

Shielded VMs

Question 58

You need to audit the network segmentation for your Google Cloud footprint. You currently operate Production and Non-Production infrastructure-as-a-service (IaaS) environments. All your VM instances are deployed without any service account customization.

After observing the traffic in your custom network, you notice that all instances can communicate freely – despite tag-based VPC firewall rules in place to segment traffic properly – with a priority of 1000. What are the most likely reasons for this behavior?

Options:

All VM instances are missing the respective network tags.

All VM instances are residing in the same network subnet.

All VM instances are configured with the same network route.

A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999.

A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 1001.

Question 59

Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company’s servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:

The network connection must be encrypted.

The communication between servers must be over private IP addresses.

What should you do?

Options:

Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.

Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.