Google (PCSE) Exam Questions And Answers page 1
A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects.
Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources.
Which type of access should your team grant to meet this requirement?
Security Reviewer
Organization Role Administrator
Organization Policy Administrator
Google Cloud Identity and Access Management (IAM)
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior.
What should you do to meet these requirements?
Create a Folder per department under the Organization. For each department's Folder, assign the Project Viewer role to the Google Group related to that department.
Create a Folder per department under the Organization. For each department's Folder, assign the Project Browser role to the Google Group related to that department.
Create a Project per department under the Organization. For each department's Project, assign the Project Viewer role to the Google Group related to that department.
Create a Project per department under the Organization. For each department's Project, assign the Project Browser role to the Google Group related to that department.
Google Cloud Identity and Access Management (IAM)
A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs.
What should you do?
Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.
Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.
Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.
Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.
Google Cloud Networking Security
Google Cloud Operations Security
A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location.
How should the company accomplish this?
Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.
Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.
Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.
Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.
Google Cloud Networking Security
A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?
Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move the file into a Cloud Storage bucket only accessible by the administrator.
Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.
On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.
On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.
Google Cloud Identity and Access Management (IAM)
A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places.
Which Storage solution are they allowed to use?
Cloud Bigtable
Cloud BigQuery
Compute Engine SSD Disk
Compute Engine Persistent Disk
Google Cloud Networking Security
Google Cloud Data Security
A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery.
What should you do?
Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.
Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.
Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.
Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.
Google Cloud Networking Security
Google Cloud Data Security
A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.
Which two approaches can you take to meet the requirements? (Choose two.)
Configure the project with Cloud VPN.
Configure the project with Shared VPC.
Configure the project with Cloud Interconnect.
Configure the project with VPC peering.
Configure all Compute Engine instances with Private Access.
Google Cloud Identity and Access Management (IAM)
Google Cloud Networking Security
A company migrated their entire data center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time.
What should you do?
Use Resource Manager on the organization level.
Use Forseti Security to automate inventory snapshots.
Use Stackdriver to create a dashboard across all projects.
Use Security Command Center to view all assets across the organization.
Google Cloud Networking Security
Google Cloud Operations Security
A company's application is deployed with a user-managed Service Account key. You want to use Google-recommended practices to rotate the key.
What should you do?
Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam-account=IAM_ACCOUNT.
Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam-account=IAM_ACCOUNT --key=NEW_KEY.
Create a new key, and use the new key in the application. Delete the old key from the Service Account.
Create a new key, and use the new key in the application. Store the old key on the system as a backup key.
Google Cloud Identity and Access Management (IAM)