Try Professional-Cloud-Security-Engineer Exam Valid Dumps with Instant Download Free Updates [Q25-Q50]


NEW QUESTION # 25
A customer deployed an application on Compute Engine that takes advantage of the elastic nature of cloud computing.
How can you work with Infrastructure Operations Engineers to best ensure that Windows Compute Engine VMs are up to date with all the latest OS patches?

  • A. Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).
  • B. Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.
  • C. Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.
  • D. Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.

Answer: B

Explanation:
Compute Engine doesn't automatically update the OS or the software on your deployed instances. You will need to patch or update your deployed Compute Engine instances when necessary. However, in the cloud it is not recommended that you patch or update individual running instances. Instead it is best to patch the image that was used to launch the instance and then replace each affected instance with a new copy.


NEW QUESTION # 26
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.
Which GCP solution should the organization use?

  • A. BigQuery using a data pipeline job with continuous updates via Cloud VPN
  • B. Compute Engine Virtual Machines using Persistent Disk via Cloud Interconnect
  • C. Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN
  • D. Cloud Storage using a scheduled task and gsutil via Cloud Interconnect

Answer: D

Explanation:
Explanation/Reference: https://cloud.google.com/solutions/migration-to-google-cloud-building-your-foundation


NEW QUESTION # 27
A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE).
How should the DevOps team accomplish this?

  • A. Update the application code or apply a patch, build a new image, and redeploy it.
  • B. Use Puppet or Chef to push out the patch to the running container.
  • C. Configure containers to automatically upgrade when the base image is available in Container Registry.
  • D. Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.

Answer: D

Explanation:
Reference:
https://cloud.google.com/kubernetes-engine/docs/security-bulletins


NEW QUESTION # 28
A customer has an analytics workload running on Compute Engine that should have limited internet access.
Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.
The Compute Engine instances now need to reach out to the public repository to get security updates. What should your team do?

  • A. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.
  • B. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.
  • C. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.
  • D. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.

Answer: B

Explanation:
https://cloud.google.com/vpc/docs/firewalls#priority_order_for_firewall_rules


NEW QUESTION # 29
You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.
What should you do?

  • A. Use VPN for all connections between your office and cloud environments.
  • B. Use multi-factor authentication for admin access to the web application.
  • C. Use only applications certified compliant with PA-DSS.
  • D. Move the cardholder data environment into a separate GCP project.

Answer: D

Explanation:
https://cloud.google.com/solutions/best-practices-vpc-design
"Setting up your payment-processing environment" section in https://cloud.google.com/solutions/pci-dss-compliance-in-gcp.


NEW QUESTION # 30
In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.
Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)

  • A. App Engine
  • B. Cloud Functions
  • C. Cloud Storage
  • D. Google Kubernetes Engine
  • E. Compute Engine

Answer: D,E

Explanation:
App Engine ingress firewall rules are available, but egress rules are not currently available. Per requirements 1.2.1 and 1.3.4, you must ensure that all outbound traffic is authorized. SAQ A-EP and SAQ D-type merchants must provide compensating controls or use a different Google Cloud product. Compute Engine and GKE are the preferred alternatives. https://cloud.google.com/solutions/pci-dss-compliance-in-gcp


NEW QUESTION # 31
A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs.
What should you do?

  • A. Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.
  • B. Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.
  • C. Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.
  • D. Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.

Answer: C

Explanation:
Explanation/Reference: https://cloud.google.com/logging/docs/logs-based-metrics/


NEW QUESTION # 32
Which type of load balancer should you use to maintain client IP by default while using the standard network tier?

  • A. TCP/UDP Network
  • B. SSL Proxy
  • C. TCP Proxy
  • D. Internal TCP/UDP

Answer: A

Explanation:
https://cloud.google.com/load-balancing/docs/load-balancing-overview
https://cloud.google.com/load-balancing/docs/load-balancing-overview#choosing_a_load_balancer


NEW QUESTION # 33
Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.
What should you do?

  • A. Use customer-supplied encryption keys to manage the key encryption key (KEK).
  • B. Use the Cloud Key Management Service to manage a data encryption key (DEK).
  • C. Use the Cloud Key Management Service to manage a key encryption key (KEK).
  • D. Use customer-supplied encryption keys to manage the data encryption key (DEK).

Answer: D

Explanation:
This is customer-supplied encryption keys (CSEK): we generate our own encryption key and manage it on-premises. A KEK never leaves Cloud KMS. There is no KEK or KMS on-premises. Encryption at rest by default, with various key management options: https://cloud.google.com/security/encryption-at-rest


NEW QUESTION # 34
An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organization's risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibility model between the organization and Google Cloud.
What solution would help meet the requirements?

  • A. Network security is a built-in solution and Google's Cloud responsibility for SaaS products like G Suite.
  • B. Ensure that firewall rules are in place to meet the required controls.
  • C. Set up Cloud Armor to ensure that network security controls can be managed for G Suite.
  • D. Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation.

Answer: A

Explanation:
https://gsuite.google.com/learn-more/security/security-whitepaper/page-1.html
Shared responsibility, "Security of the Cloud": GCP is responsible for protecting the infrastructure that runs all of the services offered in the GCP Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run GCP Cloud services.


NEW QUESTION # 35
A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?

  • A. On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.
  • B. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move the file into a Cloud Storage bucket only accessible by the administrator.
  • C. Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.
  • D. On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.

Answer: B

Explanation:
https://codelabs.developers.google.com/codelabs/cloud-storage-dlp-functions#0 https://www.youtube.com/watch?v=0TmO1f-Ox40


NEW QUESTION # 36
Your organization wants to protect all workloads that run on Compute Engine VMs to ensure that the instances weren't compromised by boot-level or kernel-level malware. You also need to ensure that data in use on the VM cannot be read by the underlying host system, using a hardware-based solution.
What should you do?

  • A.
    1. Use Google Shielded VM, including Secure Boot, Virtual Trusted Platform Module (vTPM), and integrity monitoring.
    2. Create a Cloud Run function to check the VM settings and generate metrics, and run the function regularly.
  • B.
    1. Use secure hardened images from the Google Cloud Marketplace.
    2. When deploying the images, activate the Confidential Computing option.
    3. Enforce the use of the correct images and Confidential Computing by using organization policies.
  • C.
    1. Use Google Shielded VM, including Secure Boot, Virtual Trusted Platform Module (vTPM), and integrity monitoring.
    2. Activate Confidential Computing.
    3. Enforce these actions by using organization policies.
  • D.
    1. Activate Virtual Machine Threat Detection in Security Command Center (SCC) Premium.
    2. Monitor the findings in SCC.

Answer: C


NEW QUESTION # 37
You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

  • A. Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.
  • B. Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.
  • C. Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.
  • D. Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.

Answer: B


NEW QUESTION # 38
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior.
What should you do to meet these requirements?

  • A. Create a Folder per department under the Organization. For each department's Folder, assign the Project Viewer role to the Google Group related to that department.
  • B. Create a Project per department under the Organization. For each department's Project, assign the Project Viewer role to the Google Group related to that department.
  • C. Create a Project per department under the Organization. For each department's Project, assign the Project Browser role to the Google Group related to that department.
  • D. Create a Folder per department under the Organization. For each department's Folder, assign the Project Browser role to the Google Group related to that department.

Answer: A

Explanation:
https://cloud.google.com/iam/docs/understanding-roles#project-roles


NEW QUESTION # 40
A company's application is deployed with a user-managed Service Account key. You want to use Google-recommended practices to rotate the key.
What should you do?

  • A. Create a new key, and use the new key in the application. Delete the old key from the Service Account.
  • B. Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam-account=IAM_ACCOUNT --key=NEW_KEY.
  • C. Create a new key, and use the new key in the application. Store the old key on the system as a backup key.
  • D. Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam-account=IAM_ACCOUNT.

Answer: A

Explanation:
You can rotate a key by creating a new key, updating applications to use the new key, and deleting the old key. Use the serviceAccount.keys.create() method and serviceAccount.keys.delete() method together to automate the rotation.


NEW QUESTION # 41
Your privacy team uses crypto-shredding (deleting encryption keys) as a strategy to delete personally identifiable information (PII). You need to implement this practice on Google Cloud while still utilizing the majority of the platform's services and minimizing operational overhead. What should you do?

  • A. Use customer-managed encryption keys to delete specific encryption keys.
  • B. Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises.
  • C. Use Cloud External Key Manager to delete specific encryption keys.
  • D. Use Google default encryption to delete specific encryption keys.

Answer: A

Explanation:
https://cloud.google.com/sql/docs/mysql/cmek
"You might have situations where you want to permanently destroy data encrypted with CMEK. To do this, you destroy the customer-managed encryption key version. You can't destroy the keyring or key, but you can destroy key versions of the key."


NEW QUESTION # 42
A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet.
How should this be accomplished?

  • A. Mount a Cloud Storage bucket as a local filesystem on every VM.
  • B. Enable Private Google Access on the VPC.
  • C. Create a firewall rule to block internet traffic from the VM.
  • D. Provision a NAT Gateway to access the Cloud Storage API endpoint.

Answer: B

Explanation:
https://cloud.google.com/vpc/docs/private-google-access


NEW QUESTION # 43
You want to make sure that your organization's Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all Cloud Storage buckets. What should you do?

  • A. Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.
  • B. Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.
  • C. Remove Owner roles from end users, and configure Cloud Data Loss Prevention.
  • D. Remove *.setIamPolicy permissions from all roles, and enforce domain restricted sharing in an organization policy.

Answer: A

Explanation:
- Uniform bucket-level access: https://cloud.google.com/storage/docs/uniform-bucket-level-access#should-you-use
- Domain Restricted Sharing: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#public_data_s


NEW QUESTION # 44
You are consulting with a client that requires end-to-end encryption of application data (including data in transit, data in use, and data at rest) within Google Cloud. Which options should you utilize to accomplish this? (Choose two.)

  • A. Customer-supplied encryption keys
  • B. Hardware Security Module
  • C. Client-side encryption
  • D. Confidential Computing and Istio
  • E. External Key Manager

Answer: C,D

Explanation:
Google Cloud customers with additional requirements for encryption of data over WAN can choose to implement further protections for data as it moves from a user to an application, or virtual machine to virtual machine. These protections include IPSec tunnels, Gmail S/MIME, managed SSL certificates, and Istio. https://cloud.google.com/docs/security/encryption-in-transit


NEW QUESTION # 45
A manager wants to start retaining security event logs for 2 years while minimizing costs. You write a filter to select the appropriate log entries.
Where should you export the logs?

  • A. BigQuery datasets
  • B. Cloud Pub/Sub topics
  • C. Cloud Storage buckets
  • D. StackDriver logging

Answer: D

Explanation:
Explanation/Reference: https://cloud.google.com/logging/docs/exclusions



NEW QUESTION # 47
You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project.
What should you do?

  • A. In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.
  • B. In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.
  • C. Use the Organization Policy Service to create a compute.trustedImageProjects constraint at the organization level. List the trusted project as the whitelist in an allow operation.
  • D. Use the Organization Policy Service to create a compute.trustedImageProjects constraint at the organization level. List the trusted projects as the exceptions in a deny operation.

Answer: D

Explanation:
https://cloud.google.com/compute/docs/images/restricting-image-access


NEW QUESTION # 48
An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google's responsibility lies. They are mostly running workloads using Google Cloud's Platform-as-a-Service (PaaS) offerings, including App Engine primarily.
Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?

  • A. Encrypting all stored data
  • B. Defending against XSS and SQLi attacks
  • C. Configuring and monitoring VPC Flow Logs
  • D. Manage the latest updates and security patches for the Guest OS

Answer: B

Explanation:
In PaaS, the customer is responsible for web app security, deployment, usage, access policy, and content. https://cloud.google.com/architecture/framework/security/shared-responsibility-shared-fate


NEW QUESTION # 49
You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be readable from Project B.
You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials.
What should you do?

  • A. Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.
  • B. Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.
  • C. Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.
  • D. Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.

Answer: B

Explanation:
https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains

