Professional Cloud Security Engineer v1.0

Page:    1 / 7   
Exam contains 93 questions

An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its current data backup and disaster recovery solutions to GCP for later analysis. The organization"™s production environment will remain on- premises for an indefinite time. The organization wants a scalable and cost-efficient solution.
Which GCP solution should the organization use?

  • A. BigQuery using a data pipeline job with continuous updates
  • B. Cloud Storage using a scheduled task and gsutil
  • C. Compute Engine Virtual Machines using Persistent Disk
  • D. Cloud Datastore using regularly scheduled batch upload jobs


Answer : A

You are creating an internal App Engine application that needs to access a user"™s Google Drive on the user"™s behalf. Your company does not want to rely on the current user"™s credentials. It also wants to follow Google-recommended practices.
What should you do?

  • A. Create a new Service account, and give all application users the role of Service Account User.
  • B. Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.
  • C. Use a dedicated G Suite Admin account, and authenticate the application"™s operations with these G Suite credentials.
  • D. Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.


Answer : A

A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to manage and rotate the encryption keys.
Which boot disk encryption solution should you use on the cluster to meet this customer"™s requirements?

  • A. Customer-supplied encryption keys (CSEK)
  • B. Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
  • C. Encryption by default
  • D. Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis


Answer : B

Reference -
https://cloud.google.com/kubernetes-engine/docs/how-to/dynamic-provisioning-cmek

Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud.
What should you do?

  • A. Use the Cloud Key Management Service to manage the data encryption key (DEK).
  • B. Use the Cloud Key Management Service to manage the key encryption key (KEK).
  • C. Use customer-supplied encryption keys to manage the data encryption key (DEK).
  • D. Use customer-supplied encryption keys to manage the key encryption key (KEK).


Answer : A

You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.
What should you do?

  • A. Use multi-factor authentication for admin access to the web application.
  • B. Use only applications certified compliant with PA-DSS.
  • C. Move the cardholder data environment into a separate GCP project.
  • D. Use VPN for all connections between your office and cloud environments.


Answer : D

Reference:
https://cloud.google.com/solutions/pci-dss-compliance-in-gcp

A retail customer allows users to upload comments and product reviews. The customer needs to make sure the text does not include sensitive data before the comments or reviews are published.
Which Google Cloud Service should be used to achieve this?

  • A. Cloud Key Management Service
  • B. Cloud Data Loss Prevention API
  • C. BigQuery
  • D. Cloud Security Scanner


Answer : D

A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior.
What should you do to meet these requirements?

  • A. Create a Folder per department under the Organization. For each department"™s Folder, assign the Project Viewer role to the Google Group related to that department.
  • B. Create a Folder per department under the Organization. For each department"™s Folder, assign the Project Browser role to the Google Group related to that department.
  • C. Create a Project per department under the Organization. For each department"™s Project, assign the Project Viewer role to the Google Group related to that department.
  • D. Create a Project per department under the Organization. For each department"™s Project, assign the Project Browser role to the Google Group related to that department.


Answer : C

A customer"™s internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).
How should the team complete this task?

  • A. Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
  • B. Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
  • C. Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
  • D. Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.


Answer : D

Reference:
https://cloud.google.com/storage/docs/encryption/customer-supplied-keys

A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects.
Which two steps should the company take to meet these requirements? (Choose two.)

  • A. Create a project with multiple VPC networks for each environment.
  • B. Create a folder for each development and production environment.
  • C. Create a Google Group for the Engineering team, and assign permissions at the folder level.
  • D. Create an Organizational Policy constraint for each folder environment.
  • E. Create projects for each environment, and grant IAM rights to each engineering user.


Answer : BD

You want to evaluate GCP for PCI compliance. You need to identify Google"™s inherent controls.
Which document should you review to find the information?

  • A. Google Cloud Platform: Customer Responsibility Matrix
  • B. PCI DSS Requirements and Security Assessment Procedures
  • C. PCI SSC Cloud Computing Guidelines
  • D. Product documentation for Compute Engine


Answer : C

Reference:
https://cloud.google.com/solutions/pci-dss-compliance-in-gcp

Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation.
What should you do?

  • A. Store the data in a single Persistent Disk, and delete the disk at expiration time.
  • B. Store the data in a single BigQuery table and set the appropriate table expiration time.
  • C. Store the data in a single Cloud Storage bucket and configure the bucket"™s Time to Live.
  • D. Store the data in a single BigTable table and set an expiration time on the column families.


Answer : B

A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?

  • A. Use Cloud Build to build the container images.
  • B. Build small containers using small base images.
  • C. Delete non-used versions from Container Registry.
  • D. Use a Continuous Delivery tool to deploy the application.


Answer : D

Reference:
https://cloud.google.com/solutions/best-practices-for-building-containers

While migrating your organization"™s infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?

  • A. Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
  • B. Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
  • C. Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
  • D. Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.


Answer : B

Reference:
https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform

Your company is using GSuite and has developed an application meant for internal usage on Google App Engine. You need to make sure that an external user cannot gain access to the application even when an employee"™s password has been compromised.
What should you do?

  • A. Enforce 2-factor authentication in GSuite for all users.
  • B. Configure Cloud Identity-Aware Proxy for the App Engine Application.
  • C. Provision user passwords using GSuite Password Sync.
  • D. Configure Cloud VPN between your private network and GCP.


Answer : D

A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in BigQuery.
What technique should the institution use?

  • A. Use Cloud Storage as a federated Data Source.
  • B. Use a Cloud Hardware Security Module (Cloud HSM).
  • C. Customer-managed encryption keys (CMEK).
  • D. Customer-supplied encryption keys (CSEK).


Answer : C

Reference:
https://cloud.google.com/bigquery/docs/encryption-at-rest

Page:    1 / 7   
Exam contains 93 questions

Talk to us!


Have any questions or issues ? Please dont hesitate to contact us

Certlibrary doesn't offer Real Microsoft Exam Questions.
Certlibrary Materials do not contain actual questions and answers from Cisco's Certification Exams.
CFA Institute does not endorse, promote or warrant the accuracy or quality of Certlibrary. CFA® and Chartered Financial Analyst® are registered trademarks owned by CFA Institute.