Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

Professional-Cloud-Security-Engineer Exam Dumps - Google Cloud Certified Questions and Answers

Question # 34

You need to use Cloud External Key Manager to create an encryption key to encrypt specific BigQuery data at rest in Google Cloud. Which steps should you do first?

Options:

A.

1. Create or use an existing key with a unique uniform resource identifier (URI) in your Google Cloud project.

2. Grant your Google Cloud project access to a supported external key management partner system.

B.

1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).

2. In Cloud KMS, grant your Google Cloud project access to use the key.

C.

1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system.

2. In the external key management partner system, grant access for this key to use your Google Cloud project.

D.

1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).

2. In Cloud KMS, grant your Google Cloud project access to use the key.

Buy Now
Question # 35

An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.

Which Cloud Data Loss Prevention API technique should you use to accomplish this?

Options:

A.

Generalization

B.

Redaction

C.

CryptoHashConfig

D.

CryptoReplaceFfxFpeConfig

Buy Now
Question # 36

You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.

What should you do?

Options:

A.

Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.

B.

Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.

C.

Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.

D.

Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.

Buy Now
Question # 37

An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.

Which GCP solution should the organization use?

Options:

A.

BigQuery using a data pipeline job with continuous updates via Cloud VPN

B.

Cloud Storage using a scheduled task and gsutil via Cloud Interconnect

C.

Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect

D.

Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN

Buy Now
Question # 38

You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.

What should you do?

Options:

A.

Set up an ACL with OWNER permission to a scope of allUsers.

B.

Set up an ACL with READER permission to a scope of allUsers.

C.

Set up a default bucket ACL and manage access for users using IAM.

D.

Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.

Buy Now
Question # 39

You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project.

What should you do?

Options:

A.

Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.

B.

Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.

C.

In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.

D.

In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.

Buy Now
Question # 40

While migrating your organization’s infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.

What should you do?

Options:

A.

Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.

B.

Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.

C.

Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.

D.

Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.

Buy Now
Question # 41

You want to update your existing VPC Service Controls perimeter with a new access level. You need to avoid breaking the existing perimeter with this change, and ensure the least disruptions to users while minimizing overhead. What should you do?

Options:

A.

Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.

B.

Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.

C.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration. Update the perimeter configuration after the access level has been vetted.

D.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.

Buy Now
Question # 42

You are working with protected health information (PHI) for an electronic health record system. The privacy officer is concerned that sensitive data is stored in the analytics system. You are tasked with anonymizing the sensitive data in a way that is not reversible. Also, the anonymized data should not preserve the character set and length. Which Google Cloud solution should you use?

Options:

A.

Cloud Data Loss Prevention with deterministic encryption using AES-SIV

B.

Cloud Data Loss Prevention with format-preserving encryption

C.

Cloud Data Loss Prevention with cryptographic hashing

D.

Cloud Data Loss Prevention with Cloud Key Management Service wrapped cryptographic keys

Buy Now
Question # 43

You have stored company approved compute images in a single Google Cloud project that is used as an image repository. This project is protected with VPC Service Controls and exists in the perimeter along with other projects in your organization. This lets other projects deploy images from the image repository project. A team requires deploying a third-party disk image that is stored in an external Google Cloud organization. You need to grant read access to the disk image so that it can be deployed into the perimeter.

What should you do?

Options:

A.

• 1 Update the perimeter

• 2 Configure the egressTo field to set identity Type to any_identity.

• 3 Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

B.

* Allow the external project by using the organizational policy

constraints/compute.trustedlmageProjects.

C.

• 1 Update the perimeter

• 2 Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

• 3 Configure the egressFrom field to set identity Type to any_idestity.

D.

• 1 Update the perimeter

• 2 Configure the ingressFrcm field to set identityType to an-y_identity.

• 3 Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis -com.

Buy Now
Exam Name: Google Cloud Certified - Professional Cloud Security Engineer
Last Update: Apr 1, 2025
Questions: 249
Professional-Cloud-Security-Engineer pdf

Professional-Cloud-Security-Engineer PDF

$25.5  $84.99
Professional-Cloud-Security-Engineer Engine

Professional-Cloud-Security-Engineer Testing Engine

$28.5  $94.99
Professional-Cloud-Security-Engineer PDF + Engine

Professional-Cloud-Security-Engineer PDF + Testing Engine

$40.5  $134.99