Question 1

An organization receives an increasing number of phishing emails. Which method should be used to protect employee credentials in this situation?

Accepted Answer

A)  Multifactor Authentication 
B)  A strict password policy 
C)  Captcha on login pages 
D)  Encrypted emails 
A)  Multifactor Authentication 
B)  A strict password policy 
C)  Captcha on login pages 
D)  Encrypted emails D

Question 2

A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location. Which solution will restrict access to the in-progress sites?

Accepted Answer

A)  Upload an .htaccess file containing the customer and employee user accounts to App Engine. 
B)  Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic. 
C)  Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts. 
D)  Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the company's GCP Virtual Private Cloud (VP
C)  network. 
A)  Upload an .htaccess file containing the customer and employee user accounts to App Engine. 
B)  Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic. 
C)  Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts. 
D)  Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the company's GCP Virtual Private Cloud (VP
C)  network. C

Question 3

You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project. What should you do?

Accepted Answer

A)  Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation. 
B)  Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation. 
C)  In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User. 
D)  In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User. 
A)  Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation. 
B)  Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation. 
C)  In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User. 
D)  In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User. B

Question 4

A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project. Which two approaches can you take to meet the requirements? (Choose two.)

Accepted Answer

A)  Configure the project with Cloud VPN. 
B)  Configure the project with Shared VPC. 
C)  Configure the project with Cloud Interconnect. 
D)  Configure the project with VPC peering. 
E)  Configure all Compute Engine instances with Private Access. 
A)  Configure the project with Cloud VPN. 
B)  Configure the project with Shared VPC. 
C)  Configure the project with Cloud Interconnect. 
D)  Configure the project with VPC peering. 
E)  Configure all Compute Engine instances with Private Access.

Question 5

Your company operates an application instance group that is currently deployed behind a Google Cloud load balancer in us-central-1 and is configured to use the Standard Tier network. The infrastructure team wants to expand to a second Google Cloud region, us-east-2. You need to set up a single external IP address to distribute new requests to the instance groups in both regions. What should you do?

Accepted Answer

A)  Change the load balancer backend configuration to use network endpoint groups instead of instance groups. 
B)  Change the load balancer frontend configuration to use the Premium Tier network, and add the new instance group. 
C)  Create a new load balancer in us-east-2 using the Standard Tier network, and assign a static external IP address. 
D)  Create a Cloud VPN connection between the two regions, and enable Google Private Access. 
A)  Change the load balancer backend configuration to use network endpoint groups instead of instance groups. 
B)  Change the load balancer frontend configuration to use the Premium Tier network, and add the new instance group. 
C)  Create a new load balancer in us-east-2 using the Standard Tier network, and assign a static external IP address. 
D)  Create a Cloud VPN connection between the two regions, and enable Google Private Access.

Question 6

A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means. Which connectivity option should be implemented?

Accepted Answer

A)  VPC peering 
B)  Cloud VPN 
C)  Cloud Interconnect 
D)  Shared VPC 
A)  VPC peering 
B)  Cloud VPN 
C)  Cloud Interconnect 
D)  Shared VPC

Question 7

A large e-retailer is moving to Google Cloud Platform with its ecommerce website. The company wants to ensure payment information is encrypted between the customer's browser and GCP when the customers checkout online. What should they do?

Accepted Answer

A)  Configure an SSL Certificate on an L7 Load Balancer and require encryption. 
B)  Configure an SSL Certificate on a Network TCP Load Balancer and require encryption. 
C)  Configure the firewall to allow inbound traffic on port 443, and block all other inbound traffic. 
D)  Configure the firewall to allow outbound traffic on port 443, and block all other outbound traffic. 
A)  Configure an SSL Certificate on an L7 Load Balancer and require encryption. 
B)  Configure an SSL Certificate on a Network TCP Load Balancer and require encryption. 
C)  Configure the firewall to allow inbound traffic on port 443, and block all other inbound traffic. 
D)  Configure the firewall to allow outbound traffic on port 443, and block all other outbound traffic.

Question 8

A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs. What should you do?

Accepted Answer

A)  Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications. 
B)  Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%. 
C)  Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric. 
D)  Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe. 
A)  Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications. 
B)  Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%. 
C)  Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric. 
D)  Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.

Question 9

Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud. What should you do?

Accepted Answer

A)  Use the Cloud Key Management Service to manage the data encryption key (DEK). 
B)  Use the Cloud Key Management Service to manage the key encryption key (KEK). 
C)  Use customer-supplied encryption keys to manage the data encryption key (DEK). 
D)  Use customer-supplied encryption keys to manage the key encryption key (KEK). 
A)  Use the Cloud Key Management Service to manage the data encryption key (DEK). 
B)  Use the Cloud Key Management Service to manage the key encryption key (KEK). 
C)  Use customer-supplied encryption keys to manage the data encryption key (DEK). 
D)  Use customer-supplied encryption keys to manage the key encryption key (KEK).

Question 10

Which two security characteristics are related to the use of VPC peering to connect two VPC networks? (Choose two.)

Accepted Answer

A)  Central management of routes, firewalls, and VPNs for peered networks 
B)  Non-transitive peered networks; where only directly peered networks can communicate 
C)  Ability to peer networks that belong to different Google Cloud Platform organizations 
D)  Firewall rules that can be created with a tag from one peered network to another peered network 
E)  Ability to share specific subnets across peered networks 
A)  Central management of routes, firewalls, and VPNs for peered networks 
B)  Non-transitive peered networks; where only directly peered networks can communicate 
C)  Ability to peer networks that belong to different Google Cloud Platform organizations 
D)  Firewall rules that can be created with a tag from one peered network to another peered network 
E)  Ability to share specific subnets across peered networks

Question 11

You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket. What should you do?

Accepted Answer

A)  Set up an ACL with OWNER permission to a scope of allUsers. 
B)  Set up an ACL with READER permission to a scope of allUsers. 
C)  Set up a default bucket ACL and manage access for users using IAM. 
D)  Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM. 
A)  Set up an ACL with OWNER permission to a scope of allUsers. 
B)  Set up an ACL with READER permission to a scope of allUsers. 
C)  Set up a default bucket ACL and manage access for users using IAM. 
D)  Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.

Question 12

How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?

Accepted Answer

A)  Send all logs to the SIEM system via an existing protocol such as syslog. 
B)  Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system. 
C)  Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow. 
D)  Build a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs. 
A)  Send all logs to the SIEM system via an existing protocol such as syslog. 
B)  Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system. 
C)  Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow. 
D)  Build a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs.

Question 13

A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery What should you do?

Accepted Answer

A)  Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows. 
B)  Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery. 
C)  Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery. Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery. 
D)  Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery. 
A)  Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows. 
B)  Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery. 
C)  Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery. Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery. 
D)  Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.

Question 14

You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk. What should you do?

Accepted Answer

A)  Migrate the application into an isolated project using a "Lift & Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly. 
B)  Migrate the application into an isolated project using a "Lift & Shift" approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly. 
C)  Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly. 
D)  Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project. Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly. 
A)  Migrate the application into an isolated project using a "Lift & Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly. 
B)  Migrate the application into an isolated project using a "Lift & Shift" approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly. 
C)  Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly. 
D)  Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project. Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

Question 15

Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network. How should your team design this network?

Accepted Answer

A)  Create an ingress firewall rule to allow access only from the application to the database using firewall tags. 
B)  Create a different subnet for the frontend application and database to ensure network isolation. 
C)  Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation. 
D)  Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation. 
A)  Create an ingress firewall rule to allow access only from the application to the database using firewall tags. 
B)  Create a different subnet for the frontend application and database to ensure network isolation. 
C)  Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation. 
D)  Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.

Question 16

For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on "in-scope" Nodes only. These Nodes can only contain the "in-scope" Pods. How should the organization achieve this objective?

Accepted Answer

A)  Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true. 
B)  Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label. 
C)  Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration. 
D)  Run all in-scope Pods in the namespace "in-scope-pci". 
A)  Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true. 
B)  Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label. 
C)  Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration. 
D)  Run all in-scope Pods in the namespace "in-scope-pci".

Question 17

As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name. Which cost reduction options should you recommend?

Accepted Answer

A)  Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets. 
B)  Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets. 
C)  Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans. 
D)  Use FindingLimits and TimespanContfig to sample data and minimize transformation units. 
A)  Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets. 
B)  Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets. 
C)  Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans. 
D)  Use FindingLimits and TimespanContfig to sample data and minimize transformation units.

Question 18

A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects. Which two steps should the company take to meet these requirements? (Choose two.)

Accepted Answer

A)  Create a project with multiple VPC networks for each environment. 
B)  Create a folder for each development and production environment. 
C)  Create a Google Group for the Engineering team, and assign permissions at the folder level. 
D)  Create an Organizational Policy constraint for each folder environment. 
E)  Create projects for each environment, and grant IAM rights to each engineering user. 
A)  Create a project with multiple VPC networks for each environment. 
B)  Create a folder for each development and production environment. 
C)  Create a Google Group for the Engineering team, and assign permissions at the folder level. 
D)  Create an Organizational Policy constraint for each folder environment. 
E)  Create projects for each environment, and grant IAM rights to each engineering user.

Question 19

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services. Which two settings must remain disabled to meet these requirements? (Choose two.)

Accepted Answer

A)  Public IP 
B)  IP Forwarding 
C)  Private Google Access 
D)  Static routes 
E)  IAM Network User Role 
A)  Public IP 
B)  IP Forwarding 
C)  Private Google Access 
D)  Static routes 
E)  IAM Network User Role

Question 20

A company's application is deployed with a user-managed Service Account key. You want to use Google-recommended practices to rotate the key. What should you do?

Accepted Answer

A)  Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam-account=IAM_ACCOUNT . Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam-account=IAM_ACCOUNT . 
B)  Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam-account=IAM_ACCOUNT --key=NEW_KEY . gcloud iam service-accounts keys rotate --iam-account=IAM_ACCOUNT --key=NEW_KEY 
C)  Create a new key, and use the new key in the application. Delete the old key from the Service Account. 
D)  Create a new key, and use the new key in the application. Store the old key on the system as a backup key. 
A)  Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam-account=IAM_ACCOUNT . Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam-account=IAM_ACCOUNT . 
B)  Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam-account=IAM_ACCOUNT --key=NEW_KEY . gcloud iam service-accounts keys rotate --iam-account=IAM_ACCOUNT --key=NEW_KEY 
C)  Create a new key, and use the new key in the application. Delete the old key from the Service Account. 
D)  Create a new key, and use the new key in the application. Store the old key on the system as a backup key.

An organization receives an increasing number of phishing emails. Which method should be used to protect employee credentials in this situation?

A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location. Which solution will restrict access to the in-progress sites?

You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project. What should you do?

A large e-retailer is moving to Google Cloud Platform with its ecommerce website. The company wants to ensure payment information is encrypted between the customer's browser and GCP when the customers checkout online. What should they do?

Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud. What should you do?

Which two security characteristics are related to the use of VPC peering to connect two VPC networks? (Choose two.)

How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?

A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery What should you do?

Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network. How should your team design this network?

For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on "in-scope" Nodes only. These Nodes can only contain the "in-scope" Pods. How should the organization achieve this objective?

A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects. Which two steps should the company take to meet these requirements? (Choose two.)

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services. Which two settings must remain disabled to meet these requirements? (Choose two.)

A company's application is deployed with a user-managed Service Account key. You want to use Google-recommended practices to rotate the key. What should you do?

Google AdWords: Display Advertising

Google AdWords Fundamentals

Associate Android Developer

Associate Cloud Engineer

Cloud Digital Leader

Google Analytics Individual Qualification (IQ)

Google Analytics Individual Qualification

GSuite

Looker Business Analyst

LookML Developer

Mobile Web Specialist

Professional Cloud Architect on Google Cloud Platform

Professional Cloud Developer

Professional Cloud DevOps Engineer

Professional Cloud Network Engineer

Professional Collaboration Engineer

Professional Data Engineer on Google Cloud Platform

Professional Machine Learning Engineer

Filters

Exam 16: Professional Cloud Security Engineer

An organization receives an increasing number of phishing emails. Which method should be used to protect employee credentials in this situation?

A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location. Which solution will restrict access to the in-progress sites?

You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project. What should you do?

A large e-retailer is moving to Google Cloud Platform with its ecommerce website. The company wants to ensure payment information is encrypted between the customer's browser and GCP when the customers checkout online. What should they do?

Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud. What should you do?

Which two security characteristics are related to the use of VPC peering to connect two VPC networks? (Choose two.)

How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?

A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery What should you do?

Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network. How should your team design this network?

For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on "in-scope" Nodes only. These Nodes can only contain the "in-scope" Pods. How should the organization achieve this objective?

A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects. Which two steps should the company take to meet these requirements? (Choose two.)

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services. Which two settings must remain disabled to meet these requirements? (Choose two.)

A company's application is deployed with a user-managed Service Account key. You want to use Google-recommended practices to rotate the key. What should you do?

Google AdWords: Display Advertising

Google AdWords Fundamentals

Associate Android Developer

Associate Cloud Engineer

Cloud Digital Leader

Google Analytics Individual Qualification (IQ)

Google Analytics Individual Qualification

GSuite

Looker Business Analyst

LookML Developer

Mobile Web Specialist

Professional Cloud Architect on Google Cloud Platform

Professional Cloud Developer

Professional Cloud DevOps Engineer

Professional Cloud Network Engineer

Professional Collaboration Engineer

Professional Data Engineer on Google Cloud Platform

Professional Machine Learning Engineer

Filters