Free Professional Cloud Security Engineer Exam Professional-Cloud-Security-Engineer Exam Practice Test

Which type of load balancer should you use to maintain client IP by default while using the standard network tier?

• SSL Proxy
• TCP Proxy
• Internal TCP/UDP
• TCP/UDP Network

Your privacy team uses crypto-shredding (deleting encryption keys) as a strategy to delete personally identifiable information (PII). You need to implement this practice on Google Cloud while still utilizing the majority of the platform's services and minimizing operational overhead. What should you do?

• Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises
• Use Cloud External Key Manager to delete specific encryption keys.
• Use customer-managed encryption keys to delete specific encryption keys.
• Use Google default encryption to delete specific encryption keys.

Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.How should your team meet these requirements?

• Enable Private Access on the VPC network in the production project.
• Remove the Editor role and grant the Compute Admin IAM role to the engineers.
• Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
• Set up a VPC network with two subnets: one with public IPs and one without public IPs.

You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.What should you do?

• Use multi-factor authentication for admin access to the web application.
• Use only applications certified compliant with PA-DSS.
• Move the cardholder data environment into a separate GCP project.
• Use VPN for all connections between your office and cloud environments.

A company migrated their entire data/center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time.What should you do?

• Use Resource Manager on the organization level.
• Use Forseti Security to automate inventory snapshots.
• Use Stackdriver to create a dashboard across all projects.
• Use Security Command Center to view all assets across the organization.

A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.Which two strategies should your team use to meet these requirements? (Choose two.)

• Configure Private Google Access on the Compute Engine subnet
• Avoid assigning public IP addresses to the Compute Engine cluster.
• Make sure that the Compute Engine cluster is running on a separate subnet.
• Turn off IP forwarding on the Compute Engine instances in the cluster.
• Configure a Cloud NAT gateway.

An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.Which Cloud Identity password guidelines can the organization use to inform their new requirements?

• Set the minimum length for passwords to be 8 characters.
• Set the minimum length for passwords to be 10 characters.
• Set the minimum length for passwords to be 12 characters.
• Set the minimum length for passwords to be 6 characters.

Your company wants to determine what products they can build to help customers improve their credit scores depending on their age range. To achieve this, you need to join user information in the company's banking app with customers' credit score data received from a third party. While using this raw data will allow you to complete this task, it exposes sensitive data, which could be propagated into new systems.This risk needs to be addressed using de-identification and tokenization with Cloud Data Loss Prevention while maintaining the referential integrity across the database. Which cryptographic token format should you use to meet these requirements?

• Deterministic encryption
• Secure, key-based hashes
• Format-preserving encryption
• Cryptographic hashing

You need to audit the network segmentation for your Google Cloud footprint. You currently operate Production and Non-Production infrastructure-as-a-service (IaaS) environments. All your VM instances are deployed without any service account customization.After observing the traffic in your custom network, you notice that all instances can communicate freely -- despite tag-based VPC firewall rules in place to segment traffic properly -- with a priority of 1000. What are the most likely reasons for this behavior?

• All VM instances are missing the respective network tags.
• All VM instances are residing in the same network subnet.
• All VM instances are configured with the same network route.
• A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999.
• A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 1001.

You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be readable from Project B. You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials.What should you do?

• Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.
• Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.
• Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.
• Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.