Google Cloud Certified - Professional Cloud Security Engineer Exam (Professional-Cloud-Security-Engineer) Free Practice Test

Question 1

You are setting up a new Cloud Storage bucket in your environment that is encrypted with a customer managed encryption key (CMEK). The CMEK is stored in Cloud Key Management Service (KMS). in project
"pr j -a", and the Cloud Storage bucket will use project "prj-b". The key is backed by a Cloud Hardware Security Module (HSM) and resides in the region europe-west3. Your storage bucket will be located in the region europe-west1. When you create the bucket, you cannot access the key. and you need to troubleshoot why.
What has caused the access issue?

A. A firewall rule prevents the key from being accessible.

B. Cloud HSM does not support Cloud Storage

C. The CMEK is in a different project than the Cloud Storage bucket

D. The CMEK is in a different region than the Cloud Storage bucket.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 2

An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege.
Which option meets the requirement of your team?

A. Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.

B. Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.

C. Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address and allows the application to read from the bucket without credentials.

D. Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 3

Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud. Which two steps should you take to integrate the company's on-premises Active Directory with Google Cloud and configure access management? (Choose two.)

A. Create Identity and Access Management (1AM) roles with permissions corresponding to each Active Directory group.

B. Create Identity and Access Management (1AM) groups with permissions corresponding to each Active Directory group.

C. Use Cloud Identity SAML integration to provision users and groups to Google Cloud.

D. Use Identity Platform to provision users and groups to Google Cloud.

E. Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.

Correct Answer: B,E

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 4

You need to set up a Cloud interconnect connection between your company's on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?

A. Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.

B. Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud interconnect connection.

C. Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.

D. Enable Private Google Access on the regional subnets and global dynamic routing mode.

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 5

Your organization has hired a small, temporary partner team for 18 months. The temporary team will work alongside your DevOps team to develop your organization's application that is hosted on Google Cloud. You must give the temporary partner team access to your application's resources on Google Cloud and ensure that partner employees lose access if they are removed from their employer's organization. What should you do?

A. Implement just-in-time privileged access to Google Cloud for the temporary partner team.

B. Create a workforce identity pool and federate the identity pool with the identity provider (IdP) of the temporary partner team.

C. Create a temporary username and password for the temporary partner team members. Auto-clean the usernames and passwords after the work engagement has ended.

D. Add the identities of the temporary partner team members to your identity provider (IdP).

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 6

An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google's responsibility lies. They are mostly running workloads using Google Cloud's Platform-as-a-Service (PaaS) offerings, including App Engine primarily.
Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?

A. Manage the latest updates and security patches for the Guest OS

B. Configuring and monitoring VPC Flow Logs

C. Encrypting all stored data

D. Defending against XSS and SQLi attacks

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 7

An office manager at your small startup company is responsible for matching payments to invoices and creating billing alerts. For compliance reasons, the office manager is only permitted to have the Identity and Access Management (IAM) permissions necessary for these tasks. Which two IAM roles should the office manager have? (Choose two.)

A. Billing Account User

B. Project Creator

C. Organization Administrator

D. Billing Account Viewer

E. Billing Account Costs Manager

Correct Answer: D,E

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 8

You are responsible for the operation of your company's application that runs on Google Cloud. The database for the application will be maintained by an external partner. You need to give the partner team access to the database. This access must be restricted solely to the database and can not extend to any other resources within your company's network. Your solution should follow Google-recommended practices. What should you do?

A. Configure Workforce Identity Federation for the partner. Connect the identity pool provider to the partner's identity provider. Grant the workforce pool resources access to the database.

B. Create accounts for the partner team in your corporate identity provider. Synchronize these accounts with Google Cloud Identity. Grant the accounts access to the database.

C. Add a public IP address to the application's database. Create database users for each of the partner's employees. Securely distribute the credentials for these users to the partner team.

D. Ask the partner team to set up Cloud Identity accounts within their own corporate environment and identity provider. Grant the partner's Cloud Identity accounts access to the database.

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Welcome to TestSimulate

Google Cloud Certified - Professional Cloud Security Engineer (Professional-Cloud-Security-Engineer) Free Practice Test