
2023 Professional-Cloud-Security-Engineer Question Bank: Free PDF Download Recently Updated Questions
Professional-Cloud-Security-Engineer Certification Exam Dumps with 178 Practice Test Questions
NEW QUESTION # 26
Your company is deploying their applications on Google Kubernetes Engine. You want to follow Google-recommended practices. What should you do to ensure that the container images used for new deployments contain the latest security patches?
- A. Use Container Analysis to detect vulnerabilities in images.
- B. Use Google-managed base images for all containers.
- C. Use an update script as part of every container image startup.
- D. Use exclusively private images in Container Registry.
Answer: B
Explanation:
B is correct because managed base images are base container images that are automatically patched by Google for security vulnerabilities, using the most recent patches available from the project upstream (for example, GitHub).
A is not correct because Container Analysis reports vulnerabilities in images; it does not patch them.
C is not correct because an update script run at container startup significantly increases the time before the container is ready to serve, and a container that patches itself at runtime no longer matches the image that was scanned and tested.
D is not correct because private images also go out of date and must be patched by the customer.
https://cloud.google.com/container-registry/docs/managed-base-images
NEW QUESTION # 27
A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities.
Which service should be used to accomplish this?
- A. Forseti Security
- B. Cloud Armor
- C. Cloud Security Scanner
- D. Google Cloud Audit Logs
Answer: C
Explanation:
Reference:
https://cloud.google.com/security-scanner/
NEW QUESTION # 28
A database administrator notices malicious activities within their Cloud SQL instance. The database administrator wants to monitor the API calls that read the configuration or metadata of resources. Which logs should the database administrator review?
- A. System Event
- B. Access Transparency
- C. Admin Activity
- D. Data Access
Answer: D
Explanation:
Data Access audit logs record API calls that read the configuration or metadata of resources, as well as user-driven calls that create, modify, or read user-provided resource data. Admin Activity logs only record calls that modify configuration or metadata, System Event logs record changes made by Google systems, and Access Transparency logs record actions taken by Google personnel. Data Access audit logs are disabled by default for services other than BigQuery, so they must be enabled for Cloud SQL before there is anything to review.
https://cloud.google.com/logging/docs/audit
NEW QUESTION # 30
You have an application where the frontend is deployed on a managed instance group in subnet A and the data layer is stored on a MySQL Compute Engine virtual machine (VM) in subnet B on the same VPC. Subnet A and subnet B hold several other Compute Engine VMs. You only want to allow the application frontend to access the data in the application's MySQL instance on port 3306.
What should you do?
- A. Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged fe-tag.
- B. Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.
- C. Configure an ingress firewall rule that allows communication from the src IP range of subnet A to the tag "data-tag" that is applied to the mysql Compute Engine VM on port 3306.
- D. Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306.
Answer: D
Explanation:
D is correct because Google recommends filtering firewall rules by service account rather than by network tag where possible: a network tag can be added to any VM by anyone who can edit the instance, while a service account can only be attached by someone allowed to act as it, and the rule then matches exactly the frontend instances and the MySQL VM. C still admits every other VM in subnet A, since it filters on the subnet's IP range. A and B tag every VM in each subnet, so the rule is no tighter than the subnet ranges, and A additionally permits traffic in the wrong direction (egress from the data tier to the frontend).
https://cloud.google.com/vpc/docs/firewalls
NEW QUESTION # 31
You will create a new Service Account that should be able to list the Compute Engine instances in the project.
You want to follow Google-recommended practices.
What should you do?
- A. Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.
- B. Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.
- C. Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.
- D. Create a custom role with the permission compute.instances.listand grant the Service Account this role.
Answer: D
Explanation:
D is correct because a custom role containing only compute.instances.list grants the minimum permission the task needs. A and B grant broad predefined roles: Compute Viewer can read every Compute Engine resource and Project Viewer can read everything in the project. C relies on access scopes, a legacy mechanism that only narrows the OAuth token a VM obtains and grants no permissions on its own; Google recommends giving the VM the cloud-platform scope and controlling what the service account can do with IAM roles.
https://cloud.google.com/compute/docs/access/service-accounts
NEW QUESTION # 32
A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE). How should the DevOps team accomplish this?
- A. Use Puppet or Chef to push out the patch to the running container.
- B. Update the application code or apply a patch, build a new image, and redeploy it.
- C. Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
- D. Configure containers to automatically upgrade when the base image is available in Container Registry.
Answer: B
Explanation:
Containers are immutable, so a running container is not patched in place. Apply the fix in the application code or the base image, build a new image, and roll it out as a new deployment revision so every replica runs the patched image. A and D treat containers like mutable VMs; there is no mechanism that upgrades a running container when a new base image appears in Container Registry. C, node auto-upgrade, patches the node operating system and Kubernetes components (the subject of the GKE security bulletins), not the application images running on those nodes.
https://cloud.google.com/kubernetes-engine/docs/security-bulletins
NEW QUESTION # 33
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.
Which cost reduction options should you recommend?
- A. Use FindingLimits and TimespanConfig to sample data and minimize transformation units.
- B. Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.
- C. Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
- D. Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
Answer: D
Explanation:
https://cloud.google.com/dlp/docs/reference/rest/v2/InspectJobConfig
NEW QUESTION # 34
You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.
What should you do?
- A. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
- B. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.
- C. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
- D. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
Answer: C
Explanation:
C is correct: the DEK is generated locally and used to encrypt the data, the KEK stays inside Cloud KMS and is used only to wrap (encrypt) the DEK, and what is stored is the encrypted data together with the wrapped DEK. A and B generate the KEK outside Cloud KMS, and B and D store the KEK next to the data, which defeats the purpose of wrapping the DEK.
https://cloud.google.com/kms/docs/envelope-encryption
NEW QUESTION # 35
What are the steps to encrypt data using envelope encryption?
- A. Generate a key encryption key (KEK) locally. Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK. Store the encrypted data and the wrapped DEK.
- B. Generate a data encryption key (DEK) locally. Encrypt data with the DEK. Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.
- C. Generate a data encryption key (DEK) locally. Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK. Store the encrypted data and the wrapped KEK.
- D. Generate a key encryption key (KEK) locally. Generate a data encryption key (DEK) locally. Encrypt data with the KEK. Store the encrypted data and the wrapped DEK.
Answer: B
Explanation:
The process of encrypting data is to generate a DEK locally, encrypt data with the DEK, use a KEK to wrap the DEK, and then store the encrypted data and the wrapped DEK. The KEK never leaves Cloud KMS.
https://cloud.google.com/kms/docs/envelope-encryption#how_to_encrypt_data_using_envelope_encryption
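The four steps of the answer to question 35 (and the correct option of question 34), as an added worked example in Go that is not part of the question bank and is not Google's code. The `KMS` type is an assumption standing in for Cloud KMS: it owns the KEK and only exposes Wrap and Unwrap, the way the Cloud KMS Encrypt and Decrypt methods do, so the KEK never leaves it. The `Envelope` the application stores holds the encrypted data and the wrapped DEK and nothing else, which is exactly the difference between the correct option and the options that store the KEK. The sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is everything the application persists: the data encrypted under
// the DEK, and the DEK encrypted ("wrapped") under the KEK. No KEK in here.
type Envelope struct {
	Ciphertext []byte // AES-256-GCM under the DEK: nonce || ciphertext || tag
	WrappedDEK []byte // AES-256-GCM under the KEK: nonce || DEK || tag
}

// KMS stands in for Cloud KMS (an assumption of this example). It owns the KEK
// and only wraps or unwraps DEKs; it never hands out the KEK bytes.
type KMS struct{ kek []byte }

// NewKMS creates a KMS holding a fresh random 256-bit KEK.
func NewKMS() (*KMS, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KMS{kek: kek}, nil
}

// seal encrypts plaintext with AES-256-GCM under key and prepends the nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal. It fails if the key is wrong or any byte was altered,
// because GCM authenticates the whole blob.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Wrap and Unwrap are the only operations the KMS performs with the KEK.
func (k *KMS) Wrap(dek []byte) ([]byte, error)       { return seal(k.kek, dek) }
func (k *KMS) Unwrap(wrapped []byte) ([]byte, error) { return open(k.kek, wrapped) }

// Encrypt performs the answer's steps in order: generate a DEK locally,
// encrypt the data with the DEK, wrap the DEK with the KEK, return both.
func Encrypt(k *KMS, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32) // one fresh DEK per object, never reused
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := k.Wrap(dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt has the KMS unwrap the DEK, then decrypts locally. With a different
// or destroyed KEK the unwrap fails and the data stays unreadable.
func Decrypt(k *KMS, env Envelope) ([]byte, error) {
	dek, err := k.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext)
}

func main() {
	kms, _ := NewKMS()
	env, _ := Encrypt(kms, []byte("patient record 42 (constructed sample)"))
	pt, err := Decrypt(kms, env)
	fmt.Printf("decrypted: %q, err: %v\n", pt, err)
	other, _ := NewKMS() // a different KEK cannot unwrap this DEK
	_, err = Decrypt(other, env)
	fmt.Println("decrypt with the wrong KEK fails:", err != nil)
}
```

The second Decrypt in main fails because a different KEK cannot unwrap the DEK, which is also what happens once the KEK version is destroyed in Cloud KMS: the stored ciphertext and wrapped DEK are intact but unreadable. Rotating the KEK therefore means re-wrapping the stored DEKs under the new key version, not re-encrypting the data itself.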
NEW QUESTION # 36
You are working with protected health information (PHI) for an electronic health record system. The privacy officer is concerned that sensitive data is stored in the analytics system. You are tasked with anonymizing the sensitive data in a way that is not reversible. Also, the anonymized data should not preserve the character set and length. Which Google Cloud solution should you use?
- A. Cloud Data Loss Prevention with Cloud Key Management Service wrapped cryptographic keys
- B. Cloud Data Loss Prevention with cryptographic hashing
- C. Cloud Data Loss Prevention with deterministic encryption using AES-SIV
- D. Cloud Data Loss Prevention with format-preserving encryption
Answer: B
NEW QUESTION # 37
While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?
- A. Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
- B. Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
- C. Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.
- D. Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
Answer: D
Explanation:
https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform
NEW QUESTION # 38
A customer wants to grant access to their application running on Compute Engine to write only to a specific Cloud Storage bucket. How should you grant access?
- A. Create a service account for the application, and grant Cloud Storage Object Creator permissions at the bucket level.
- B. Create a service account for the application, and grant Cloud Storage Object Creator permissions to the project.
- C. Create a user account, authenticate with the application, and grant Google Storage Admin permissions at the project level.
- D. Create a user account, authenticate with the application, and grant Google Storage Admin permissions at the bucket level.
Answer: A
Explanation:
A is correct because it provides the right permission (Storage Object Creator only allows creating objects) and keeps the scope limited to the bucket in question.
B is not correct because granting the role at the project level lets the application write to every bucket in the project, not just the specific one.
C is not correct because using a user account goes against the recommended best practice; a service account should do the writing on the application's behalf. Storage Admin at the project level also widens the scope to every bucket in the project, which violates least privilege.
D is not correct because it also uses a user account, and Storage Admin grants far more than write access (it includes reading and deleting objects and changing the bucket's IAM policy).
https://cloud.google.com/iam/docs/understanding-service-accounts#using_service_accounts_with_compute_engine
NEW QUESTION # 39
Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud.
What should you do?
- A. Use the Cloud Key Management Service to manage the data encryption key (DEK).
- B. Use customer-supplied encryption keys to manage the data encryption key (DEK).
- C. Use customer-supplied encryption keys to manage the key encryption key (KEK).
- D. Use the Cloud Key Management Service to manage the key encryption key (KEK).
Answer: D
Explanation:
This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK). For more information on Google data encryption keys, see Encryption at Rest.
https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption
https://codelabs.developers.google.com/codelabs/encrypt-and-decrypt-data-with-cloud-kms#0
NEW QUESTION # 40
Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.
How should your team meet these requirements?
- A. Remove the Editor role and grant the Compute Admin IAM role to the engineers.
- B. Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
- C. Enable Private Access on the VPC network in the production project.
- D. Set up a VPC network with two subnets: one with public IPs and one without public IPs.
Answer: B
Explanation:
The organization policy constraint constraints/compute.vmExternalIpAccess takes an allow list of instances in the form projects/PROJECT_ID/zones/ZONE/instances/INSTANCE; only the listed frontend instances can be given external IPs, and the Editor role does not let the engineers override it. C, Private Google Access, only lets VMs without external IPs reach Google APIs and services. D does nothing to stop an Editor from assigning an external IP to an instance in either subnet, and A still leaves the engineers able to assign external IPs.
https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address
NEW QUESTION # 41
You want to make sure that your organization's Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all Cloud Storage buckets. What should you do?
- A. Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.
- B. Remove Owner roles from end users, and configure Cloud Data Loss Prevention.
- C. Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.
- D. Remove *.setIamPolicy permissions from all roles, and enforce domain restricted sharing in an organization policy.
Answer: A
NEW QUESTION # 42
When creating a secure container image, which two items should you incorporate into the build if possible?
(Choose two.)
- A. Use public container images as a base image for the app.
- B. Remove any unnecessary tools not needed by the app.
- C. Ensure that the app does not run as PID 1.
- D. Package a single app as a container.
- E. Use many container image layers to hide sensitive information.
Answer: B,D
NEW QUESTION # 43
Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team.
Which type of networking design should your team use to meet these requirements?
- A. Cloud VPN Gateway between all engineering projects using a hub and spoke model
- B. VPC peering between all engineering projects using a hub and spoke model
- C. Shared VPC Network with a host project and service projects
- D. Grant Compute Admin role to the networking team for each engineering project
Answer: C
Explanation:
https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#centralize_network_control
NEW QUESTION # 44
......
