Question 1

Your organization uses the top-tier folder to separate application environments (prod and dev). The developers need to see all application development audit logs but they are not permitted to review production logs. Your security team can review all logs in production and development environments. You must grant Identity and Access Management (1AM) roles at the right resource level tor the developers and security team while you ensure least privilege.

What should you do?

A* 1 Grant logging, viewer rote to the security team at the organization resource level.
* 2 Grant logging, viewer rote to the developer team at the folder resource level that contains all the dev projects.

B* 1 Grant logging. viewer rote to the security team at the organization resource level.
* 2 Grant logging. admin role to the developer team at the organization resource level.

C* 1 Grant logging.admin role to the security team at the organization resource level.
* 2 Grant logging. viewer rote to the developer team at the folder resource level that contains all the dev projects.

D* 1 Grant logging.admin role to the security team at the organization resource level.
* 2 Grant logging.admin role to the developer team at the organization resource level.

Answer : A

Question 2

Your organization s customers must scan and upload the contract and their driver license into a web portal in Cloud Storage. You must remove all personally identifiable information (Pll) from files that are older than 12 months. Also you must archive the anonymized files for retention purposes.

What should you do?

ASet a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PH and moves the files to the archive storage class.

BCreate a Cloud Data Loss Prevention (DLP) inspection job that de-identifies Pll in files created more than 12 months ago and archives them to another Cloud Storage bucket. Delete the original files.

CSchedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys of the Cloud Storage files containing Pll to de-identify them Delete the original keys.

DConfigure the Autoclass feature of the Cloud Storage bucket to de-identify Pll Archive the files that are older than 12 months Delete the original files.

Answer : B

Question 3

After completing a security vulnerability assessment, you learned that cloud administrators leave Google Cloud CLI sessions open for days. You need to reduce the risk of attackers who might exploit these open sessions by setting these sessions to the minimum duration.

What should you do?

ASet the session duration for the Google session control to one hour.

BSet the reauthentication frequency (or the Google Cloud Session Control to one hour.

CSet the organization policy constraint
constraints/iam.allowServiceAccountCredentialLifetimeExtension to one hour.

DSet the organization policy constraint constraints/iam. serviceAccountKeyExpiryHours to one
hour and inheritFromParent to false.

Answer : B

Question 4

Your application is deployed as a highly available cross-region solution behind a global external HTTP(S) load balancer. You notice significant spikes in traffic from multiple IP addresses but it is unknown whether the IPs are malicious. You are concerned about your application's availability. You want to limit traffic from these clients over a specified time interval.

What should you do?

AConfigure a rate_based_ban action by using Google Cloud Armor and set the ban_duration_sec parameter to the specified time interval.

BConfigure a deny action by using Google Cloud Armor to deny the clients that issued too many requests over the specified time interval.

CConfigure a throttle action by using Google Cloud Armor to limit the number of requests per client over a specified time interval.

DConfigure a firewall rule in your VPC to throttle traffic from the identified IP addresses.

Answer : C

Question 5

You have numerous private virtual machines on Google Cloud. You occasionally need to manage the servers through Secure Socket Shell (SSH) from a remote location. You want to configure remote access to the servers in a manner that optimizes security and cost efficiency.

What should you do?

ACreate a site-to-site VPN from your corporate network to Google Cloud.

BConfigure server instances with public IP addresses Create a firewall rule to only allow traffic from your corporate IPs.

CCreate a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range Grant the role of an IAP- secured Tunnel User to the administrators.

DCreate a jump host instance with public IP Manage the instances by connecting through the jump host.

Answer : C

Free Practice Questions for Google Professional Cloud Security Engineer Exam

Question 1

Question 2

Question 3

Question 4

Question 5