Google Professional-Cloud-Security-Engineer Professional Cloud Security Engineer Exam Exam Practice Test Questions

• Question 1

  A customer wants to deploy a large number of 3-tier web applications on Compute Engine.How should the customer ensure authenticated network separation between the different tiers of the application?

  • Run each tier in its own Project, and segregate using Project labels.
  • Run each tier with a different Service Account (SA), and use SA-based firewall rules.
  • Run each tier in its own subnet, and use subnet-based firewall rules.
  • Run each tier with its own VM tags, and use tag-based firewall rules.

  Show Answer Answer: B Next

• Question 2

  You are a member of your company's security team. You have been asked to reduce your Linux bastion host external attack surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can access the internal VPC while off-site. How should you enable this access?

  • Implement Cloud VPN for the region where the bastion host lives.
  • Implement OS Login with 2-step verification for the bastion host.
  • Implement Identity-Aware Proxy TCP forwarding for the bastion host.
  • Implement Google Cloud Armor in front of the bastion host.

  Show Answer Answer: C Next

• Question 3

  Your organization is using GitHub Actions as a continuous integration and delivery (Cl/CD) platform. You must enable access to Google Cloud resources from the Cl/CD pipelines in the most secure way.What should you do?

  • Create a service account key and add it to the GitHub pipeline configuration file.
  • Create a service account key and add it to the GitHub repository content.
  • Configure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.
  • Configure workload identity federation to use GitHub as an identity pool provider.

  Show Answer Answer: D Next

• Question 4

  Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.Which two settings must remain disabled to meet these requirements? (Choose two.)

  • Public IP
  • IP Forwarding
  • Private Google Access
  • Static routes
  • IAM Network User Role

  Show Answer Answer: A, C Next

• Question 5

  You are setting up a CI/CD pipeline to deploy containerized applications to your production clusters on Google Kubernetes Engine (GKE). You need to prevent containers with known vulnerabilities from being deployed. You have the following requirements for your solution:Must be cloud-nativeMust be cost-efficientMinimize operational overheadHow should you accomplish this? (Choose two.)

  • Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.
  • Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.
  • Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.
  • Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.
  • In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.

  Show Answer Answer: A, E Next