Question 1

A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places. Which Storage solution are they allowed to use?

Accepted Answer

A)  Cloud Bigtable 
B)  Cloud BigQuery 
C)  Compute Engine SSD Disk 
D)  Compute Engine Persistent Disk

Question 2

A customer deployed an application on Compute Engine that takes advantage of the elastic nature of cloud computing. How can you work with Infrastructure Operations Engineers to best ensure that Windows Compute Engine VMs are up to date with all the latest OS patches?

Accepted Answer

A)  Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally. 
B)  Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object. 
C)  Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs). 
D)  Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.

Question 3

You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources. Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts. Which two actions should you take? (Choose two.)

Accepted Answer

A)  Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity. 
B)  Use the Google Admin console to view which managed users are using a personal account for their recovery email. 
C)  Add users to your managed Google account and force users to change the email addresses associated with their personal accounts. 
D)  Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts. 
E)  Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.

Question 4

You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google-recommended practices. What should you do?

Accepted Answer

A)  Create a new Service account, and give all application users the role of Service Account User. 
B)  Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User. 
C)  Use a dedicated G Suite Admin account, and authenticate the application's operations with these G Suite credentials. 
D)  Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.

Question 5

You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer. What should you do?

Accepted Answer

A)  Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK. 
B)  Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK. 
C)  Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK. 
D)  Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.

Question 6

A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to manage and rotate the encryption keys. Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?

Accepted Answer

A)  Customer-supplied encryption keys (CSEK) 
B)  Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS) 
C)  Encryption by default 
D)  Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis

Question 7

Your team wants to limit users with administrative privileges at the organization level Which two roles should your team restrict? (Choose two.)

Accepted Answer

A)  Organization Administrator 
B)  Super Admin 
C)  GKE Cluster Admin 
D)  Compute Admin 
E)  Organization Role Viewer

Question 8

A customer wants to deploy a large number of 3-tier web applications on Compute Engine. How should the customer ensure authenticated network separation between the different tiers of the application?

Accepted Answer

A)  Run each tier in its own Project, and segregate using Project labels. 
B)  Run each tier with a different Service Account (S
A) , and use SA-based firewall rules. 
C)  Run each tier in its own subnet, and use subnet-based firewall rules. 
D)  Run each tier with its own VM tags, and use tag-based firewall rules.

Question 9

An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data Loss Prevention API technique should you use to accomplish this?

Accepted Answer

A)  Generalization 
B)  Redaction 
C)  CryptoHashConfig 
D)  CryptoReplaceFfxFpeConfig

Question 10

A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location. How should the company accomplish this?

Accepted Answer

A)  Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995. 
B)  Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location. 
C)  Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region. 
D)  Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.

Question 11

An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege. Which option meets the requirement of your team?

Accepted Answer

A)  Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address and allows the application to read from the bucket without credentials. 
B)  Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance. 
C)  Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata. 
D)  Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.

Question 12

An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters. Which Cloud Identity password guidelines can the organization use to inform their new requirements?

Accepted Answer

A)  Set the minimum length for passwords to be 8 characters. 
B)  Set the minimum length for passwords to be 10 characters. 
C)  Set the minimum length for passwords to be 12 characters. 
D)  Set the minimum length for passwords to be 6 characters.

Question 13

A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack. Which solution should this customer use?

Accepted Answer

A)  VPC Flow Logs 
B)  Cloud Armor 
C)  DNS Security Extensions 
D)  Cloud Identity-Aware Proxy

Question 14

Which two implied firewall rules are defined on a VPC network? (Choose two.)

Accepted Answer

A)  A rule that allows all outbound connections 
B)  A rule that denies all inbound connections 
C)  A rule that blocks all inbound port 25 connections 
D)  A rule that blocks all outbound connections 
E)  A rule that allows all inbound port 80 connections

Question 15

In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized. Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)

Accepted Answer

A)  App Engine 
B)  Cloud Functions 
C)  Compute Engine 
D)  Google Kubernetes Engine 
E)  Cloud Storage

Question 16

Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet. What should your team grant to Engineering Group A to meet this requirement?

Accepted Answer

A)  Compute Network User Role at the host project level. 
B)  Compute Network User Role at the subnet level. 
C)  Compute Shared VPC Admin Role at the host project level. 
D)  Compute Shared VPC Admin Role at the service project level.

Question 17

An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google's responsibility lies. They are mostly running workloads using Google Cloud's Platform-as-a-Service (PaaS) offerings, including App Engine primarily. Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?

Accepted Answer

A)  Configuring and monitoring VPC Flow Logs 
B)  Defending against XSS and SQLi attacks 
C)  Manage the latest updates and security patches for the Guest OS 
D)  Encrypting all stored data

Question 18

While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password. What should you do?

Accepted Answer

A)  Manually synchronize the data in Google domain with your existing Active Directory or LDAP server. 
B)  Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server. 
C)  Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider. 
D)  Users sign in using OpenID (OID
C)  compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.

Question 19

A manager wants to start retaining security event logs for 2 years while minimizing costs. You write a filter to select the appropriate log entries. Where should you export the logs?

Accepted Answer

A)  BigQuery datasets 
B)  Cloud Storage buckets 
C)  StackDriver logging 
D)  Cloud Pub/Sub topics

Question 20

A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity-Aware Proxy. What should the customer do to meet these requirements?

Accepted Answer

A)  Make sure that the ERP system can validate the JWT assertion in the HTTP requests. 
B)  Make sure that the ERP system can validate the identity headers in the HTTP requests. 
C)  Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests. 
D)  Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests.

Exam 16: Professional Cloud Security Engineer