Winter Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: bigdisc65

Professional-Cloud-Security-Engineer Exam Dumps - Google Cloud Certified Questions and Answers

Question # 4

For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on “in- scope” Nodes only. These Nodes can only contain the “in-scope” Pods.

How should the organization achieve this objective?

Options:

A.

Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.

B.

Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.

C.

Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.

D.

Run all in-scope Pods in the namespace “in-scope-pci”.

Buy Now
Question # 5

You are working with a client who plans to migrate their data to Google Cloud. You are responsible for recommending an encryption service to manage their encrypted keys. You have the following requirements:

    The master key must be rotated at least once every 45 days.

    The solution that stores the master key must be FIPS 140-2 Level 3 validated.

    The master key must be stored in multiple regions within the US for redundancy.

Which solution meets these requirements?

Options:

A.

Customer-managed encryption keys with Cloud Key Management Service

B.

Customer-managed encryption keys with Cloud HSM

C.

Customer-supplied encryption keys

D.

Google-managed encryption keys

Buy Now
Question # 6

A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location.

Which solution will restrict access to the in-progress sites?

Options:

A.

Upload an .htaccess file containing the customer and employee user accounts to App Engine.

B.

Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic.

C.

Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts.

D.

Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the company’s GCP Virtual Private Cloud (VPC) network.

Buy Now
Question # 7

A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.

What should they do?

Options:

A.

Use Cloud Build to build the container images.

B.

Build small containers using small base images.

C.

Delete non-used versions from Container Registry.

D.

Use a Continuous Delivery tool to deploy the application.

Buy Now
Question # 8

Your team needs to prevent users from creating projects in the organization. Only the DevOps team should be allowed to create projects on behalf of the requester.

Which two tasks should your team perform to handle this request? (Choose two.)

Options:

A.

Remove all users from the Project Creator role at the organizational level.

B.

Create an Organization Policy constraint, and apply it at the organizational level.

C.

Grant the Project Editor role at the organizational level to a designated group of users.

D.

Add a designated group of users to the Project Creator role at the organizational level.

E.

Grant the billing account creator role to the designated DevOps team.

Buy Now
Question # 9

You are creating a new infrastructure CI/CD pipeline to deploy hundreds of ephemeral projects in your Google Cloud organization to enable your users to interact with Google Cloud. You want to restrict the use of the default networks in your organization while following Google-recommended best practices. What should you do?

Options:

A.

Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.

B.

Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.

C.

Grant your users the 1AM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts the compute.googleapis.com API.

D.

Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.

Buy Now
Question # 10

Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.

What should you do?

Options:

A.

Use the Cloud Key Management Service to manage a data encryption key (DEK).

B.

Use the Cloud Key Management Service to manage a key encryption key (KEK).

C.

Use customer-supplied encryption keys to manage the data encryption key (DEK).

D.

Use customer-supplied encryption keys to manage the key encryption key (KEK).

Buy Now
Question # 11

Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application. The solution has the following requirements:

Scans must run at least once per week

Must be able to detect cross-site scripting vulnerabilities

Must be able to authenticate using Google accounts

Which solution should you use?

Options:

A.

Google Cloud Armor

B.

Web Security Scanner

C.

Security Health Analytics

D.

Container Threat Detection

Buy Now
Question # 12

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.

Which two settings must remain disabled to meet these requirements? (Choose two.)

Options:

A.

Public IP

B.

IP Forwarding

C.

Private Google Access

D.

Static routes

E.

IAM Network User Role

Buy Now
Question # 13

You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your Google Cloud VPCs based on packet header information. However, you want the capability to explore network flows and their payload to aid investigations. Which Google Cloud product should you use?

Options:

A.

Marketplace IDS

B.

VPC Flow Logs

C.

VPC Service Controls logs

D.

Packet Mirroring

E.

Google Cloud Armor Deep Packet Inspection

Buy Now
Exam Name: Google Cloud Certified - Professional Cloud Security Engineer
Last Update: Feb 18, 2025
Questions: 234
Professional-Cloud-Security-Engineer pdf

Professional-Cloud-Security-Engineer PDF

$29.75  $84.99
Professional-Cloud-Security-Engineer Engine

Professional-Cloud-Security-Engineer Testing Engine

$33.25  $94.99
Professional-Cloud-Security-Engineer PDF + Engine

Professional-Cloud-Security-Engineer PDF + Testing Engine

$47.25  $134.99