Question 1 of 40
1 point(s)
Your team is tasked with mitigating any content-related security threats to a new application. Which of the following actions will help you achieve this objective?
Question 2 of 40
1 point(s)
You have been asked to manage the permissions, at a granular level, assigned to Google Compute Engine instances in your GCP Organization.
Following Google’s best practice, which of the following is recommended?
Question 3 of 40
1 point(s)
You are part of the security team in an advertising company that wants to migrate its workload to Google Cloud. The company has an on-premises Active Directory that it intends to use to manage its users and groups.
Which of the following can be used to grant its users and groups access to Google Cloud resources?
Question 4 of 40
1 point(s)
You are part of the security team in your company that is responsible for securing data in the cloud. The company uses Cloud Storage to store objects.
Which of the following is TRUE about managing access to the Cloud Storage bucket?
Question 5 of 40
1 point(s)
You are part of the security team in your company that is responsible for securing data in the cloud. The company wants to utilize Cloud Storage to store objects. You have been asked to ensure object-level permissions can be managed.
How can this be achieved?
Question 6 of 40
1 point(s)
You have been asked to connect the development VPCs in two organizations so that traffic flowing between the two VPCs is never exposed to the public internet.
How can this be achieved?
Question 7 of 40
1 point(s)
A VPC has different applications running on Compute Engine instances. You have been asked to create a firewall rule that will accept HTTP traffic from the internet to some instances.
How can this be achieved?
Question 8 of 40
1 point(s)
A financial institution wants to store its assets in Google Cloud Storage. There is a legal requirement for the institution to manage its encryption keys outside of the cloud.
Which of the following meets the requirement?
Question 9 of 40
1 point(s)
An e-commerce company wants to store its data in Google Cloud Storage. Data encryption is a core requirement. The company would like to manage the lifecycle of the encryption keys with minimal overhead.
Which of the following meets the requirement?
Question 10 of 40
1 point(s)
A company wants to move old backup files to Google Cloud. They require a service that allows data storage to be moved to a cheaper storage tier after a specified time.
Which of the following meets the requirement?
Question 11 of 40
1 point(s)
A development team has built a new application to run on App Engine. You have been asked to scan the new application for vulnerabilities. The results should be displayed in a centralized dashboard for analysis and action.
How can this be achieved?
Question 12 of 40
1 point(s)
You need to show that the infrastructure on which your applications are deployed on Google Cloud meets regulatory standards such as HIPAA.
How would you prove this?
Question 13 of 40
1 point(s)
As the security engineer of your company, you are responsible for managing IAM permissions for users, groups, and service accounts.
Which of the following is NOT a Cloud IAM object?
Question 14 of 40
1 point(s)
A large organization currently manages its users with an on-premises Active Directory. They intend to synchronize users from Active Directory to Cloud Identity.
Which of the following services can be used to fulfill the requirement?
Question 15 of 40
1 point(s)
Your organization has decided to use Google Workspace to manage users and groups. The organization has its own domain name.
Which of the following is TRUE for the use of Google Workspace?
Question 16 of 40
1 point(s)
You work for a financial organization as a security engineer. You have been tasked with designing a storage strategy for stored cardholder data that ensures they are deleted after a specified time.
Following Google’s shared responsibility model, which is the responsibility of your organization?
Question 17 of 40
1 point(s)
Your company has resources in Google Cloud VPC and on-premises. A new requirement specifies that communication between the cloud and the on-premises network be encrypted.
Which of the following meets the requirement?
Question 18 of 40
1 point(s)
Your company has decided to deploy its containerized applications on Google Kubernetes Engine (GKE). A key security requirement is to limit pod-to-pod communications.
How can you achieve this?
Question 19 of 40
1 point(s)
Your company has decided to deploy its containerized applications on Google Kubernetes Engine (GKE). As the security engineer, you are required to design security controls for the application.
Following Google’s shared responsibility model, which is your company’s responsibility?
Question 20 of 40
1 point(s)
Your company wants to deploy its applications to Google Cloud. A key security requirement is to have access to the root operating system of the computing environment.
Which of the following environments DOES NOT allow you to fulfill this requirement?
Question 21 of 40
1 point(s)
You are part of the security team for an application deployed on Google Kubernetes Engine (GKE). Your team has implemented Identity-Aware Proxy (IAP) for authentication to the application following Google’s best practice.
Which of the following is not a best practice when using IAP?
Question 22 of 40
1 point(s)
You work for a financial institution as a security engineer. The company has a new web-facing application deployed on Managed Instance Groups behind an HTTP(S) load balancer. You want to ensure that connections negotiated between clients and the load balancer meet the strictest compliance requirements with minimal overhead.
What SSL policy should you use on the Load Balancer?
Question 23 of 40
1 point(s)
As the security engineer in your organization, you notice that developers are using personal emails to create Google projects and work with sensitive data. You have been asked to design a more centralized and secure way of managing access to GCP.
Which of the following solves the problem?
Question 24 of 40
1 point(s)
The testing team wants to grant their application running on Kubernetes Engine access to write to a specific bucket only.
Following Google’s best practice, which of the following is recommended?
Question 25 of 40
1 point(s)
You are part of the security team in your company that wants to grant temporary access to an auditor to the files in a Cloud Storage bucket in your Google Cloud project. The auditor does not have a Google account.
Which of the following is Google’s recommended practice to grant the auditor access?
Question 26 of 40
1 point(s)
Your team has decided to use the default VPC network to deploy its applications to Compute Engine. You have been asked to ensure there is no outbound traffic to the internet.
Which solution should you use to meet this requirement?
Question 27 of 40
1 point(s)
Your company has a custom VPC network with applications running on Compute Engine instances. As the security engineer, you need to collect a sample of the network flows sent to and received by VM instances and send it to a third-party SIEM tool in real time.
Which of the following achieves this?
Question 28 of 40
1 point(s)
Your company has three VPC projects (Services, Dev, and Test). You have created subnets in the Services project and would like the Dev and Test projects to deploy their Compute Engine instances into these subnets.
What can you do to achieve this?
Question 29 of 40
1 point(s)
You are part of the security team for a new application deployed on Google App Engine. Your team needs to implement a central authorization layer for the application at the application layer.
Which solution should you use to meet this requirement?
Question 30 of 40
1 point(s)
Your company has a custom VPC network with two subnets. A security requirement specifies that all the Compute Engine instances in the dev subnet should not have external IPs. You need to give those instances access to Cloud Storage without traffic going over the internet.
What can you do to achieve this?
Question 31 of 40
1 point(s)
A banking client moving to Google Cloud has an on-premises key management system. The company intends to use its key management system for managing the lifecycle of all its encryption keys. How can the client utilize its encryption keys with Cloud Storage for encryption at rest?
Question 32 of 40
1 point(s)
Your security team has decided to use service accounts as the Targets in firewall rules. You are responsible for implementing this new strategy.
Which of the following is NOT a possible source filter for the firewall rule?
Question 33 of 40
1 point(s)
A new application that will process customer payments will be deployed to Compute Engine. The application needs to authenticate to a Cloud SQL database to store data. How should the credentials of the database be stored following Google’s recommendation?
Question 34 of 40
1 point(s)
A financial organization stores files on Cloud Storage. Government regulation states uploaded files cannot be deleted for 7 years, and it should be impossible to reduce the retention period on the bucket after it has been set.
How can you achieve this?
Question 35 of 40
1 point(s)
A government organization that handles very sensitive data is considering moving to Google Cloud. One key area of concern is to reduce the risk of data exfiltration by authorized users.
Which solution should you use to meet this requirement?
Question 36 of 40
1 point(s)
You have been asked to automate near real-time monitoring based on the logs from a production application. Certain logs are sent to a third-party Security Information and Event Management System (SIEM) such as Cisco.
Which solution should you use to meet this requirement?
Question 37 of 40
1 point(s)
Your customer processes financial transactions on Compute Engine. There is a legal requirement to store the logs from the VMs, sent to Cloud Logging, for ten years.
Which solution should you use to meet this requirement? Choose TWO
Question 38 of 40
1 point(s)
Your security team manages the service perimeters in your organization. There is a need to allow users to access BigQuery in the perimeter from trusted devices over the internet.
What can you do to achieve this?
Question 39 of 40
1 point(s)
You have been asked to automate security scanning for Common Vulnerabilities and Exposures (CVEs) in the container images from the company’s CI/CD pipeline.
Which solution can you use to fulfill this requirement?
Question 40 of 40
1 point(s)
You are responsible for the vulnerability scan for applications running on Google Kubernetes Engine in Production. You need to ensure Security Scanner does not activate certain features in your application.
Which of the following is NOT a best practice when using Security Scanner?