Google (PCSE) Exam Questions And Answers page 5
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.
Which GCP solution should the organization use?
Cloud Storage using a scheduled task and gsutil via Cloud Interconnect
Compute Engine Virtual Machines using Persistent Disk via Cloud Interconnect
Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN
Google Cloud Networking Security
Google Cloud Data Security
An organization receives an increasing number of phishing emails.
Which method should be used to protect employee credentials in this situation?
Multifactor Authentication
A strict password policy
Captcha on login pages
Encrypted emails
Google Cloud Identity and Access Management (IAM)
An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google's responsibility lies. They are mostly running workloads using Google Cloud's Platform-as-a-Service (PaaS) offerings, primarily App Engine.
Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?
Configuring and monitoring VPC Flow Logs
Defending against XSS and SQLi attacks
Manage the latest updates and security patches for the Guest OS
Encrypting all stored data
Google Cloud Identity and Access Management (IAM)
An organization's typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review.
How should you advise this organization?
Use Forseti with Firewall filters to catch any unwanted configurations in production.
Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.
Route all VPC traffic through customer-managed routers to detect malicious patterns in production.
All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.
Google Cloud Networking Security
Google Cloud Operations Security
A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE).
How should the DevOps team accomplish this?
Use Puppet or Chef to push out the patch to the running container.
Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
Update the application code or apply a patch, build a new image, and redeploy it.
Configure containers to automatically upgrade when the base image is available in Container Registry.
Google Cloud Networking Security
Google Cloud Security Management
Applications often require access to secrets - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep track of who did what, where, and when within their GCP projects.
Which two log streams would provide the information that the administrator is looking for? (Choose two.)
Admin Activity logs
System Event logs
Data Access logs
VPC Flow logs
Agent logs
Google Cloud Identity and Access Management (IAM)
Google Cloud Operations Security
A retail customer allows users to upload comments and product reviews. The customer needs to make sure the text does not include sensitive data before the comments or reviews are published.
Which Google Cloud Service should be used to achieve this?
Cloud Key Management Service
Cloud Data Loss Prevention API
BigQuery
Web Security Scanner
Google Cloud Networking Security
Google Cloud Data Security
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.
Which cost reduction options should you recommend?
Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.
Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
Use FindingLimits and TimespanConfig to sample data and minimize transformation units.
Google Cloud Networking Security
Google Cloud Data Security
A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location.
Which solution will restrict access to the in-progress sites?
Upload an .htaccess file containing the customer and employee user accounts to App Engine.
Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic.
Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts.
Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the company's GCP Virtual Private Cloud (VPC) network.
Google Cloud Identity and Access Management (IAM)
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on in-scope Nodes only. These Nodes can only contain the in-scope Pods.
How should the organization achieve this objective?
Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.
Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.
Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.
Run all in-scope Pods in the namespace in-scope-pci.
Google Cloud Networking Security
Google Cloud Data Security