Google (PCSE) Exam Questions And Answers page 7
Which two security characteristics are related to the use of VPC peering to connect two VPC networks? (Choose two.)
Non-transitive peered networks, where only directly peered networks can communicate
Ability to peer networks that belong to different Google Cloud Platform organizations
Firewall rules that can be created with a tag from one peered network to another peered network
Ability to share specific subnets across peered networks
Google Cloud Networking Security
Google Cloud Operations Security
While migrating your organization's infrastructure to GCP, a large number of users will need to access the GCP Console. The Identity Management team already has a well-established way to manage your users and wants to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?
Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.
Google Cloud Identity and Access Management (IAM)
You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.
What should you do?
Use multi-factor authentication for admin access to the web application.
Use only applications certified compliant with PA-DSS.
Move the cardholder data environment into a separate GCP project.
Use VPN for all connections between your office and cloud environments.
Google Cloud Identity and Access Management (IAM)
Google Cloud Networking Security
You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google-recommended practices.
What should you do?
Create a new Service account, and give all application users the role of Service Account User.
Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.
Use a dedicated G Suite Admin account, and authenticate the application's operations with these G Suite credentials.
Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.
Google Cloud Identity and Access Management (IAM)
You are in charge of migrating a legacy application from your company's datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using, and no documentation is available for you to check. You want to complete the migration without putting your environment at risk.
What should you do?
Migrate the application into an isolated project using a Lift & Shift approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
Migrate the application into an isolated project using a Lift & Shift approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.
Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project. Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
Google Cloud Identity and Access Management (IAM)
Google Cloud Networking Security
You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.
How should you prevent and fix this vulnerability?
Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.
Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.
Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.
Google Cloud Identity and Access Management (IAM)
Google Cloud Networking Security
You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account.
What should you do?
Query Data Access logs.
Query Admin Activity logs.
Query Access Transparency logs.
Query Stackdriver Monitoring Workspace.
Google Cloud Identity and Access Management (IAM)
Google Cloud Operations Security
You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be read from Project B. You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials.
What should you do?
Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.
Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.
Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.
Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.
Google Cloud Networking Security
Google Cloud Data Security
You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to-know basis to the HR team. What should you do?
Perform data masking with the DLP API and store that data in BigQuery for later use.
Perform data redaction with the DLP API and store that data in BigQuery for later use.
Perform data inspection with the DLP API and store that data in BigQuery for later use.
Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.
Google Cloud Data Security
Google Cloud Operations Security
You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM.
What should you do?
Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have user email address as the attribute to facilitate one-way sync.
Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have user email address as the attribute to facilitate bidirectional sync.
Use a management tool to sync the subset based on the email address attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
Use a management tool to sync the subset based on group object class attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
Google Cloud Identity and Access Management (IAM)