Google Professional Cloud Security Engineer Exam Questions

Question 6 of 346

A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end- user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection.
Which product should be used to meet these requirements?

Cloud Armor

VPC Firewall Rules

Cloud Identity and Access Management

Cloud CDN

Correct Answer: B

To satisfy the customer's specific requirement that end-user access be allowed only if traffic originates from a specific known good CIDR, VPC Firewall Rules should be used. VPC Firewall Rules are designed to control network traffic to and from instances based on IP ranges, making them suitable for enforcing CIDR-based access restrictions. Additionally, the GCP native SYN flood protection can be handled by the standard load balancer, which is sufficient as per the customer's acceptance of the risk. Cloud Armor, while providing advanced DDoS protection, is not the most appropriate tool for enforcing CIDR-based access control in this internal application scenario.

Question 7 of 346

A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.
Which two approaches can you take to meet the requirements? (Choose two.)

Configure the project with Cloud VPN.

Configure the project with Shared VPC.

Configure the project with Cloud Interconnect.

Configure the project with VPC peering.

Configure all Compute Engine instances with Private Access.

Correct Answer: A, C

To connect to workloads in a dedicated server room from Compute Engine instances within a Google Cloud Platform project while ensuring access only from within the private company network, you can use Cloud VPN and Cloud Interconnect. Cloud VPN allows you to set up a secure, encrypted connection between your Google Cloud project and your on-premises network, ensuring private network connectivity. Cloud Interconnect offers a dedicated, high-performance connection between your Google Cloud project and your on-premises data center, providing low-latency and reliable connectivity for scenarios where high bandwidth and performance are critical.

Question 8 of 346

A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the
ERP systems only accept traffic from Cloud Identity-Aware Proxy.
What should the customer do to meet these requirements?

Make sure that the ERP system can validate the JWT assertion in the HTTP requests.

Make sure that the ERP system can validate the identity headers in the HTTP requests.

Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.

Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests.

Correct Answer: A

The correct way to ensure that the ERP system only accepts traffic from Cloud Identity-Aware Proxy (IAP) is to validate the JWT assertion in the HTTP requests. JWT assertions are cryptographically signed tokens that confirm the identity of the sender. By validating these tokens, the ERP system can ensure that the requests have been routed through the Cloud Identity-Aware Proxy, which manages authentication and identity verification. This method provides a robust security layer by preventing unauthorized traffic from reaching the ERP system.

Question 9 of 346

A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs.
What should you do?

Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.

Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.

Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.

Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.

Correct Answer: A

To effectively get notified in case the hack re-occurs, the best approach would be to create an Alerting Policy in Stackdriver using a Process Health condition. This involves setting up a threshold to monitor the number of executions of the script, and enabling notifications to alert you when the threshold is breached. This method not only tracks the crucial metric directly associated with the hack but also ensures you receive real-time notifications, thereby enabling quick response to potential threats.

Question 10 of 346

Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?

1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project. 2. Subscribe SIEM to the topic.

1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project. 2. Process Cloud Storage objects in SIEM.

1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project. 2. Subscribe SIEM to the topic.

1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project. 2. Process Cloud Storage objects in SIEM.

Correct Answer: A

The requirement is to obtain a unified log view of all development cloud projects under the NONPROD organization folder. Exporting logs to a Cloud Pub/Sub topic with folders/NONPROD as the parent and setting the includeChildren property to True will ensure that logs from all child projects, including development projects, are captured. This approach facilitates a centralized and scalable way to stream logs to your SIEM, ensuring you meet the requirements for a unified log view.