Question 1 of 40
1 point(s)
A social media company wants to ensure it meets the requirements of the GDPR. The key requirement for you as the security engineer is to make sure no customer personally identifiable information (PII) stored in the company’s Cloud Storage bucket can be exposed internally.
Which step should you use to meet this requirement?
Question 2 of 40
1 point(s)
You are responsible for implementing security controls in your organization’s Cloud environment to mitigate Distributed Denial of Service (DDoS) attacks.
Which of the options is NOT a recommended best practice?
Question 3 of 40
1 point(s)
You are responsible for implementing a data loss prevention strategy. You need to scan a database for email addresses to be redacted but do not want any email addresses that end in “@test.com”.
Which solution can you use to fulfill these requirements?
Question 4 of 40
1 point(s)
You are responsible for implementing edge security for your organization. You have been asked to ensure that the security mechanism is deployed closer to the user to prevent attacks from reaching the backend VMs.
Which solution can you use to fulfill these requirements?
Question 5 of 40
1 point(s)
You are responsible for securing incoming and outgoing traffic from your company’s VPC. The VPC has four subnets for high availability. Different applications are deployed to various instances in all the subnets. Every application has its service account and network tags.
What is the recommended practice for applying firewall rules to specific applications (VMs)?
Question 6 of 40
1 point(s)
You are responsible for implementing content-related security in your organization. You need to ensure outdated libraries are not used in applications.
Which solution can you use to fulfill these requirements?
Question 7 of 40
1 point(s)
Your company recently merged with another company. Both companies have resources in Google Cloud. The new Chief Operating Officer wants to consolidate the management of the Cloud resources in both companies.
Which solution follows GCP best practices?
Question 8 of 40
1 point(s)
Your company has its applications running on VMs on-premises. The company has decided to move to Google Cloud. You have been asked to create an organization and folders in GCP.
How can you achieve this?
Question 9 of 40
1 point(s)
You are part of your company’s security team, and you have been tasked with implementing restrictions on how your organization’s resources can be used.
How can you achieve this?
Question 10 of 40
1 point(s)
Your company has defined organization policies at the organization and project levels, as shown below.
• The Organization node has the policy “Enforce uniform bucket-level access” turned on.
• Project A has a custom organization policy that sets inheritFromParent to TRUE and “Restricts VPC peering usage” set to Deny All.
• Project B has a custom organization policy that sets inheritFromParent to FALSE and “Enforces public access prevention” Enforcement turned on.
Which of the following is not TRUE?
Question 11 of 40
1 point(s)
Your company wants to apply and enforce consistent access control policies at the network level for multiple service projects in the organization while delegating administrative responsibilities.
Question 12 of 40
1 point(s)
Your company has resources on-premises and in a VPC in Google Cloud. There is a need to provide RFC 1918 connectivity between both networks. The connection between both networks must be encrypted.
How can you achieve this?
Question 13 of 40
1 point(s)
Your company has a custom VPC with two (2) subnets, web subnet and application subnet. The web subnet has a web-facing application running on Compute Engine; there are other applications in the subnet. The application subnet has the corresponding backend application running on a Compute Engine instance. You need to ensure the backend can be reached ONLY by the web-facing application from the web subnet.
How can you achieve this? Choose TWO.
Question 14 of 40
1 point(s)
Your company is developing a new application that will be deployed on App Engine. The application will need read access to resources in Cloud Storage and will need to put data into Cloud SQL and Pub/Sub.
Following the best practice of least privilege, how can you achieve this?
Question 15 of 40
1 point(s)
Your company plans to deploy its application on Managed Instance Group behind an HTTP(S) load balancer and Cloud CDN.
Which of the following attacks does Cloud CDN help to mitigate?
Question 16 of 40
1 point(s)
Your organization wants to establish a private connection between its on-premises network and its infrastructure in Google Cloud. Which of the following will ensure that data is not routed through the internet and that latency is maintained to a minimum?
Question 17 of 40
1 point(s)
Your company has set up a web-facing application on a Compute Engine behind a Load Balancer, and Cloud DNS is set up to route traffic to the Load Balancer. You have been tasked with preventing attackers from tampering with DNS responses for the application. Which of the following will assist you in meeting this requirement?
Question 18 of 40
1 point(s)
Your company deals with a lot of sensitive information. Some sensitive data, such as credit card numbers, must be de-identified and then re-identified for processing. Which of the following Cloud DLP approaches will assist you in meeting this requirement?
Question 19 of 40
1 point(s)
Your organization wants to serve Cloud Storage content to its internet consumers, with or without authentication. You have been entrusted with implementing the bucket’s access management based on the idea of least privilege. How will you accomplish this?
Question 20 of 40
1 point(s)
Your company has offices in a number of cities. The corporation wishes to grant access to one of its web-facing applications from the CIDR range of chosen branches. The application is hosted on a Compute Engine and is served by an HTTP(S) load balancer. How will you accomplish this?
Question 21 of 40
1 point(s)
Your organization has a Compute Engine application running behind an HTTP(S) load balancer. You have been tasked with configuring Cloud Armor to block traffic from the IP address 10.0.0.150.
Which of the following does NOT contribute to meeting the requirement?
Question 22 of 40
1 point(s)
As a security engineer in your business, you must guarantee that Cloud NAT only transmits logs when the NAT gateway is unable to allocate a NAT IP and port due to port exhaustion.
Which of the following contributes to your ability to meet the requirement?
Question 23 of 40
1 point(s)
A publishing company wishes to launch a new application on Google Cloud. As the company’s security engineer, you have been tasked with managing application access using Cloud Identity-Aware Proxy.
Which of the following is NOT required for Cloud IAP configuration?
Question 24 of 40
1 point(s)
Your organization wants to automate the detection of frequent misconfigurations in your Cloud infrastructure and present the results in a dashboard. How will you accomplish this?
Question 25 of 40
1 point(s)
Your organization performs on-premises processing of sensitive data. To process this data, the business intends to use a Compute Engine. As a security team member, you have been tasked with ensuring that data is encrypted in memory while being processed in Compute Engine VMs. How will you accomplish this?
Question 26 of 40
1 point(s)
Your organization wants to keep sensitive data in the cloud, and data at rest encryption will be accomplished through the use of customer-managed encryption keys (CMEK) in Cloud KMS. Which of the following statements about envelope encryption is FALSE? Select TWO.
Question 27 of 40
1 point(s)
You are in charge of handling the secrets contained in Secret Manager. Secrets must be changed every 7 days, according to a new rule from the organization. Which of the following is NOT required for secret rotation configuration?
Question 28 of 40
1 point(s)
As the amount of data in your organization’s Cloud Storage bucket increases, so does the use of Cloud DLP. Periodically, scans for certain infoTypes are performed. You have been tasked with developing a system that stores configuration information for what you inspect in data.
How will you accomplish this?
Question 29 of 40
1 point(s)
Your organization has a Compute Engine application running behind an HTTP(S) load balancer. You are in charge of configuring the Cloud Armor policies. You create two rules in a policy to restrict traffic from a CIDR range with Priority 1000 and accept traffic from a CIDR range with Priority 2000. Which of the following is the most likely result?
Question 30 of 40
1 point(s)
A corporation has a GCP Organization with numerous Folders and Projects. You have been entrusted with gathering audit logs from each Project and storing them in a designated Cloud Storage Bucket for compliance purposes. How can you implement the best practice of least privilege? Select TWO.
Question 31 of 40
1 point(s)
A corporation has a GCP Organization with numerous Folders and Projects. You have been assigned the duty of gathering VPC Flow logs and Firewall logs from each Project for security analysis. Which of the following is NOT a supported log destination?
Question 32 of 40
1 point(s)
An organization’s applications run on a hardened Compute Engine. The company is thinking about switching to a containerized platform. On Google Kubernetes Engine clusters, there is a compliance need to use only hardened container images. How will you enforce this stipulation?
Question 33 of 40
1 point(s)
In a Project, a company has applications running on Compute Engine. According to a new security standard, the Recovery Point Objective (RPO) of any application operating on a Compute Engine should be 1 hour. Which of the following assists you in meeting the requirement with the least amount of overhead?
Question 34 of 40
1 point(s)
You have requested that the Apache server logs that are coming into Cloud Logging be collected and stored in a custom Cloud Logging bucket. Which of the following contributes to your ability to meet the requirement?
In Logs Router, create a Sink, select the destination as a Cloud Logging bucket, and create an inclusion filter.
In Logs Explorer, create a Sink, define the destination as a Cloud Storage bucket, and create an exclusion filter.
In Logs Router, create a Sink, then identify the destination as a Cloud Logging bucket and create an exclusion filter.
In Logs Explorer, create a Sink, define the destination as a Cloud Storage bucket, and create an inclusion filter.
Question 35 of 40
1 point(s)
An organization wants to put its applications on Google Cloud. The capacity to recover from any disaster is a critical security requirement. Which of the following is NOT a Google Cloud disaster recovery pattern?
Question 36 of 40
1 point(s)
Your organization wants to offer a group of Auditors read-only access to the contents of Cloud Storage for a limited time without authentication. You have been entrusted with implementing the bucket’s access management based on the idea of least privilege. How will you accomplish this?
Question 37 of 40
1 point(s)
Your company wishes to store and process data on Google Cloud. Encryption keys must comply with the FIPS 140-2 Level 3 Security standard.
Which of the following will assist you in meeting this set of criteria?
Question 38 of 40
1 point(s)
A GCP VPC has two subnets, A and B, each with one Compute Engine instance. You’ve set up two firewall rules with logging turned on.
• Rule 1 is an egress firewall rule that allows communication from network instances to subnet B on port 80.
• Rule 2 is an ingress firewall rule that allows traffic from subnet A on port 80 to all instances in the network.
Subnet A’s Compute Engine tries to connect to Subnet B’s Compute Engine.
Which of the following assertions is TRUE? Select TWO.
Question 39 of 40
1 point(s)
Your organization wishes to use Compute Engine to deploy an application. The program will save data to a Cloud Storage service. It is required that all data be encrypted before being uploaded to Cloud Storage. How will you accomplish this?
Question 40 of 40
1 point(s)
Your organization manages a vast dataset containing personally identifiable information. Some sensitive data, such as age and job title, must be de-identified by replacing it with a less distinctive value. Which of the following Cloud DLP approaches will assist you in meeting this requirement?