Practice Professional-Cloud-Security-Engineer Exam Online

Question 1

A company is running workloads in a dedicated server room. They must only be accessed from within the

private company network. You need to connect to these workloads from Compute Engine instances within a

Google Cloud Platform project.

Which two approaches can you take to meet the requirements? (Choose two.)

A : Configure the project with Cloud VPN.

B : Configure the project with Shared VPC.

C : Configure the project with Cloud Interconnect.

D : Configure the project with VPC peering.

E : Configure all Compute Engine instances with Private Access.

Answer: A,C

Question 2

Your company has deployed an application on Compute Engine. The application is accessible by clients on port

587. You need to balance the load between the different instances running the application. The connection

should be secured using TLS, and terminated by the Load Balancer.

What type of Load Balancing should you use?

A : Network Load Balancing

B : HTTP(S) Load Balancing

C : TCP Proxy Load Balancing

D : SSL Proxy Load Balancing

Answer: D

Question 3

You define central security controls in your Google Cloud environment for one of the folders in your organization you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later you receive an alert about a new VM with an external IP address under that folder. What could have caused this alert?

A : The VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.

B : The organizational policy constraint wasn't properly enforced and is running in "dry run mode.

C : At project level, the organizational policy control has been overwritten with an 'allow' value.

D : The policy constraint on the folder level does not have any effect because of an allow" value for that constraint on the organizational level

Answer: A

Question 4

Your Google Cloud environment has one organization node, one folder named Apps." and several projects within that folder The organizational node enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allowsmembers from the terramearth.com organization The "Apps" folder enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allows members from the flowlogistic.com organization. It also has the inheritFromParent: false property. You attempt to grant access to a project in the Apps folder to the user [email protected]. What is the result of your action and why?

A :

The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy must be defined on the current project to deactivate the constraint temporarily

B :

The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed

C :

The action succeeds because members from both organizations, terramearth. com or flowlogistic.com, are allowed on projects in the "Apps" folder

D :

The action succeeds and the new member is successfully added to the project's Identity and Access Management (1AM) policy because all policies are inherited by underlying folders and projects.

Answer: B

Question 5

You are in charge of migrating a legacy application from your company datacenters to GCP before the current

maintenance contract expires. You do not know what ports the application is using and no documentation is

available for you to check. You want to complete the migration without putting your environment at risk.

What should you do?

A : Migrate the application into an isolated project using a “Lift & Shift” approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

B : Migrate the application into an isolated project using a “Lift & Shift” approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.

C : Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

D : Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project. Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

Answer: A

Name:	Professional Cloud Security Engineer
Exam Code:	Professional-Cloud-Security-Engineer
Certification:	Google Cloud Certified
Vendor:	Google
Total Questions:	284
Last Updated:	Apr 25, 2024

Google Professional-Cloud-Security-Engineer