CertsTopics Logo

Labour Day Special - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: top65certs

Professional-Cloud-Security-Engineer VCE Exam Download

Page: 8 / 17
Total 233 questions
Get Professional-Cloud-Security-Engineer Full Access Download Professional-Cloud-Security-Engineer PDF

Google Cloud Certified - Professional Cloud Security Engineer Questions and Answers

Question 29

You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?

Options:

A.

Google Cloud Armor's preconfigured rules in preview mode

B.

Prepopulated VPC firewall rules in monitor mode

C.

The inherent protections of Google Front End (GFE)

D.

Cloud Load Balancing firewall rules

E.

VPC Service Controls in dry run mode

Question 30

You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

Options:

A.

Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.

B.

Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.

C.

Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.

D.

Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.

Question 31

What are the steps to encrypt data using envelope encryption?

Options:

A.

Generate a data encryption key (DEK) locally.

Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK.

Store the encrypted data and the wrapped KEK.

B.

Generate a key encryption key (KEK) locally.

Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK.

Store the encrypted data and the wrapped DEK.

C.

Generate a data encryption key (DEK) locally.

Encrypt data with the DEK.

Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.

D.

Generate a key encryption key (KEK) locally.

Generate a data encryption key (DEK) locally. Encrypt data with the KEK.

Store the encrypted data and the wrapped DEK.

Question 32

While migrating your organization’s infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.

What should you do?

Options:

A.

Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.

B.

Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.

C.

Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.

D.

Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.

Page: 8 / 17
Total 233 questions
Get Professional-Cloud-Security-Engineer Full Access Download Professional-Cloud-Security-Engineer PDF