Google Professional Cloud Security Engineer (GCP) Sample Questions
Google Professional Cloud Security Engineer test empowers candidates working in the associations to plan and carry out a solid foundation on the Google Cloud Platform. Up-and-comers are expected to get an intensive comprehension of safety best practices and industry security prerequisites, this singular plan creates and deals with a protected framework utilizing Google security innovations.
Up-and-comers getting ready for Google Professional Cloud Security Engineer (GCP) test are cloud Security experts. They are expected to be capable in all parts of Cloud Security including overseeing character and access to the board, characterizing hierarchical construction and approaches, utilizing Google advances to give information assurance, arranging network security safeguards, gathering and breaking down Google Cloud Platform logs, overseeing episode reactions, and comprehension of administrative worries.
Let us start with some of the important sample questions which will help you prepare for the exam in a better way-
1.) Your group needs to ensure that a Compute Engine instance doesn’t approach the web or to any Google APIs or administrations.
Which two settings should stay crippled to meet these necessities? (Pick two.)
A. Public IP
B. IP Forwarding
C. Confidential Google Access
D. Static courses
E. IAM Network User Role
Right Answer: AC
Explanation: Configuring Private Google Access
2.) Which two suggested firewall rules are characterized by a VPC organization? (Pick two.)
A. A standard that permits generally outbound associations
B. A standard that denies every inbound association
C. A standard that hinders all inbound port 25 associations
D. A standard that impedes every outbound association
E. A standard that permits generally inbound port 80 associations
Right Answer: AB
Explanation: VPC firewall rules overview
3.) Client needs an option in contrast to putting away their plain text secrets in their source-code management (SCM) framework.
How could the client accomplish this utilizing the Google Cloud Platform?
A. Use Cloud Source Repositories, and store mysteries in Cloud SQL.
B. Scramble the mysteries with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.
C. Run the Cloud Data Loss Prevention API to examine the mysteries, and store them in Cloud SQL.
D. Convey the SCM to a Compute Engine VM with nearby SSDs and empower preemptible VMs.
Right Answer: B
4.) Your group needs to midway oversee GCP IAM consents from their on-premises Active Directory Service. Your group needs to oversee consent by AD bunch participation.
How should your group meet these prerequisites?
A. Set up Cloud Directory Sync to adjust gatherings, and set IAM consents on the gatherings.
B. Set up SAML 2.0 Single Sign-On (SSO), and allocate IAM consents to the gatherings.
C. Utilize the Cloud Identity and Access Management API to make gatherings and IAM authorizations from Active Directory.
D. Utilize the Admin SDK to make gatherings and dole out IAM consents from Active Directory.
Right Answer: A
Explanation: Using your existing identity management system with the Google Cloud Platform
5.) While making a secured container image, which two things would it be a good idea for you to integrate into the form if conceivable? (Pick two.)
A. Guarantee that the application doesn’t run as PID 1.
B. Bundle a solitary application as a holder.
C. Eliminate any pointless devices not required by the application.
D. Utilize public compartment pictures as a base picture for the application.
E. Utilize any holder picture layers to conceal delicate data.
Right Answer: BC
Explanation: Best practices for building containers
6.) A client needs to send off a 3-tier internal web application on Google Cloud Platform (GCP). The client’s inward consistence prerequisites direct that end-client access may possibly be permitted assuming that the traffic appears to start from a particular known-great CIDR. The client acknowledges the gamble that their application will just have SYN flood DDoS insurance. They need to utilize GCP’s local SYN flood assurance.
Which item ought to be utilized to meet these prerequisites?
A. Cloud Armor
B. VPC Firewall Rules
C. Cloud Identity and Access Management
D. Cloud CDN
Right Answer: A
Explanation: Understanding Google Cloud Armor’s new WAF capabilities
7.) An organization is running jobs in a devoted server room. They should just be gotten to from inside the privately-owned business organization. You really want to interface with these jobs from Compute Engine occasions inside a Google Cloud Platform project.
Which two methodologies might you at any point take to meet the necessities? (Pick two.)
A. Design the undertaking with Cloud VPN.
B. Design the undertaking with Shared VPC.
C. Design the undertaking with Cloud Interconnect.
D. Design the undertaking with VPC looking.
E. Design all Compute Engine examples with Private Access.
Right Answer: AC
Explanation: Help secure data workloads: Google Cloud use cases
8.) A client carries out Cloud Identity-Aware Proxy for their ERP framework facilitated on Compute Engine. Their security group needs to add a security layer so that the
ERP frameworks just acknowledge traffic from Cloud Identity-Aware Proxy.
How should the client meet these prerequisites?
A. Ensure that the ERP framework can approve the JWT attestation in the HTTP demands.
B. Ensure that the ERP framework can approve the personality headers in the HTTP demands.
C. Ensure that the ERP framework can approve the x-sent for headers in the HTTP demands.
D. Ensure that the ERP framework can approve the client’s exceptional identifier headers in the HTTP demands.
Right Answer: A
9.) An organization has been running its application on Compute Engine. A bug in the application permitted a pernicious client to more than once execute content that outcomes in the Compute Engine example crashing. Albeit the bug has been fixed, you need to get advised on the off chance that this hack re-happens.
How would it be a good idea for you to respond?
A. Make an Alerting Policy in Stackdriver utilizing a Process Health condition, making sure that the number of executions of the content remaining parts is beneath the ideal edge. Empower notices.
B. Make an Alerting Policy in Stackdriver utilizing the CPU use metric. Set the limit to 80% to be advised when the CPU use goes over this 80%.
C. Log each execution of the content to Stackdriver Logging. Make a User-characterized measurement in Stackdriver Logging on the logs, and make a Stackdriver Dashboard showing the measurement.
D. Log each execution of the content to Stackdriver Logging. Design BigQuery as a log sink, and make a BigQuery planned question to include the number of executions in a particular time period.
Right Answer: C
Explanation: Log-based metrics overview
10.) Your group needs to get a brought-together log perspective on all improvement cloud projects in your SIEM. The improvement projects are under the NONPROD association envelope with the test and pre-creation projects. The improvement projects share the ABC-BILLING charging account with the remainder of the association.
Which logging trade system would it be a good idea for you to use to meet the necessities?
A. 1. Trade logs to a Cloud Pub/Sub theme with envelopes/NONPROD parent and remember youngsters’ property set to True for a devoted SIEM project. 2. Buy in SIEM to the point.
B. 1. Make a Cloud Storage sink with charging accounts/ABC-BILLING guardian and incorporate youngsters’ property set to False in a devoted SIEM project. 2. Process Cloud Storage objects in SIEM.
C. 1. Send out signs in each dev venture to a Cloud Pub/Sub theme in a committed SIEM project. 2. Buy in SIEM to the point.
D. 1. Make a Cloud Storage sink with a freely shared Cloud Storage container in each venture. 2. Process Cloud Storage objects in SIEM.
Right Answer: B
11.) A client needs to keep attackers from hijacking their domain/IP and diverting clients to a vindictive site through a man-in-the-center assault.
Which arrangement should this client utilize?
A. VPC Flow Logs
B. Cloud Armor
C. DNS Security Extensions
D. Cloud Identity-Aware Proxy
Right Answer: C
Explanation: DNSSEC now available in Cloud DNS
12.) A client sends an application to App Engine and requirements to check for Open Web Application Security Project (OWASP) weaknesses.
Which administration ought to be utilized to achieve this?
A. Cloud Armor
B. Google Cloud Audit Logs
C. Web Security Scanner
D. Inconsistency Detection
Right Answer: C
Explanation: Security Command Center
13.) A client’s data science group needs to utilize Google Cloud Platform (GCP) for their analytics jobs. Organization policy directs that all information should be organization claimed and all client validations should go through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The Infrastructure
Tasks Systems Engineer was attempting to set up Cloud Identity for the client and understood that their space was at that point being utilized by G Suite.
How might you best prompt the Systems Engineer to continue with the least interruption?
A. Contact Google Support and start the Domain Contestation Process to utilize the area name in your new Cloud Identity space.
B. Register another space name, and utilize that for the new Cloud Identity area.
C. Request that Google arranges the information science director’s record as a Super Administrator in the current space.
D. Request that the client’s administration finds some other purposes of Google oversaw administrations, and work with the current Super Administrator.
Right Answer: C
14.) A business unit at a worldwide organization pursues GCP and begins moving responsibilities into GCP. The specialty unit makes a Cloud Identity space with a hierarchical asset that has many ventures.
Your group becomes mindful of this and needs to take over overseeing consents and examining the space assets.
Which kind of access should your group give to meet this necessity?
A. Association Administrator
B. Security Reviewer
C. Association Role Administrator
D. Association Policy Administrator
Right Answer: C
15.) An application running on a Compute Engine occasion requirements to peruse information from a Cloud Storage can. Your group doesn’t permit Cloud Storage cans to be universally meaningful and needs to guarantee the guideline of least honor.
Which choice meets the necessity of your group?
A. Make a Cloud Storage ACL that permits read-just access from the Compute Engine occasion’s IP address and permits the application to peruse from the can without certifications.
B. Utilize a help account with read-just admittance to the Cloud Storage container, and store the qualifications to the help account in the config of the application on the Compute Engine case.
C. Utilize a help account with read-just admittance to the Cloud Storage pail to recover the certifications from the case metadata.
D. Encode the information in the Cloud Storage pail utilizing Cloud KMS, and permit the application to decode the information with the KMS key.
Right Answer: C
16.) An association’s regular organization and security survey comprises dissecting application travel courses, demand dealing with, and firewall rules. They need to empower their engineer groups to send new applications without the above of this full audit.
How could you exhort this association?
A. Use Forseti with Firewall channels to get any undesirable arrangements underway.
B. Order utilization of framework as code and give static examination in the CI/CD pipelines to uphold strategies.
C. Course all VPC traffic through client oversaw switches to distinguish malignant examples underway.
D. All creation applications will run on-premises. Permit designers free rein in GCP as their dev and QA stages.
Right Answer: B
17.) A business needs to follow how extra remunerations have changed over the long haul to distinguish worker exceptions and right procuring incongruities. This errand should be performed without uncovering the delicate remuneration information for any individual and should be reversible to distinguish the exception.
Which Cloud Data Loss Prevention API strategy would it be a good idea for you to use to achieve this?
A. Speculation
B. Redaction
C. CryptoHashConfig
D. CryptoReplaceFfxFpeConfig
Right Answer: D
18.) An association adopts Google Cloud Platform (GCP) for application facilitating administrations and necessary direction on setting up secret key prerequisites for their Cloud
Character account. The association has a secret key strategy prerequisite that corporate worker passwords should have a base number of characters.
Which Cloud Identity secret phrase rules could the association at any point use to illuminate their new necessities?
A. Set the base length for passwords to be 8 characters.
B. Set the base length for passwords to be 10 characters.
C. Set the base length for passwords to be 12 characters.
D. Set the base length for passwords to be 6 characters.
Right Answer: C
19.) You really want to follow Google-prescribed practices to use envelope encryption and scramble information at the application layer.
How would it be advisable for you to respond?
A. Create an information encryption key (DEK) locally to encode the information, and produce another key-encryption key (KEK) in Cloud KMS to scramble the DEK. Store both the encoded information and the scrambled DEK.
B. Create an information encryption key (DEK) locally to scramble the information, and produce another key-encryption key (KEK) in Cloud KMS to encode the DEK. Store both the scrambled information and the KEK.
C. Create another information encryption key (DEK) in Cloud KMS to scramble the information, and produce a key-encryption key (KEK) locally to encode the key. Store both the scrambled information and the encoded DEK.
D. Produce another information encryption key (DEK) in Cloud KMS to encode the information, and create a key-encryption key (KEK) locally to scramble the key. Store both the scrambled information and the KEK.
Right Answer: A
Explanation: Envelope encryption
20.) How might a client dependably convey Stackdriver logs from GCP to their on-premises SIEM framework in google cloud?
A. send all logs to the SIEM framework by means of a current convention like Syslog.
B. Design each task to send out the entirety of their logs to a typical BigQuery DataSet, which will be questioned by the SIEM framework.
C. Design Organizational Log Sinks to send out logs to a Cloud Pub/Sub Topic, which will be shipped off the SIEM through Dataflow.
D. Construct a connector for the SIEM to question all logs continuously from the GCP RESTful JSON APIs.
Right Answer: C
