Professional-Cloud-Security-Engineer Premium Exam Questions

Google Cloud Certified - Professional Cloud Security Engineer Questions and Answers

Question 41

A company’s application is deployed with a user-managed Service Account key. You want to use Google- recommended practices to rotate the key.

What should you do?

Options:

Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam- account=IAM_ACCOUNT.

Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam- account=IAM_ACCOUNT --key=NEW_KEY.

Create a new key, and use the new key in the application. Delete the old key from the Service Account.

Create a new key, and use the new key in the application. Store the old key on the system as a backup key.

Question 42

You have stored company approved compute images in a single Google Cloud project that is used as an image repository. This project is protected with VPC Service Controls and exists in the perimeter along with other projects in your organization. This lets other projects deploy images from the image repository project. A team requires deploying a third-party disk image that is stored in an external Google Cloud organization. You need to grant read access to the disk image so that it can be deployed into the perimeter.

What should you do?

Options:

•1 Update the perimeter

•2 Configure the egressTo field to set identity Type toany_identity.

•3 Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

* Allow the external project by using the organizational policy

constraints/compute.trustedlmageProjects.

•1 Update the perimeter

•2 Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

•3 Configure the egressFrom field to set identity Type toany_idestity.

•1 Update the perimeter

•2 Configure the ingressFrcm field to set identityType toan-y_identity.

•3 Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis -com.

Question 43

You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources. Your export must meet the following requirements:

Export related logs for all projects in the Google Cloud organization.

Export logs in near real-time to an external SIEM.

What should you do? (Choose two.)

Options:

Create a Log Sink at the organization level with a Pub/Sub destination.

Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.

Enable Data Access audit logs at the organization level to apply to all projects.

Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.

Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.

Question 44

In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.)

Options:

Hardware

Network Security

Storage Encryption

Access Policies

Boot

Labour Day Special - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: top65certs

Professional-Cloud-Security-Engineer Premium Exam Questions

Google Cloud Certified - Professional Cloud Security Engineer Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation: