Question 1

You have created an OS image that is hardened per your organization’s security standards and is
being stored in a project managed by the security team. As a Google Cloud administrator, you need
to make sure all VMs in your Google Cloud organization can only use that specific OS image while
minimizing operational overhead. What should you do? (Choose two.)

Accepted Answer

Explanation: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints - constraints/compute.trustedImageProjects This list constraint defines the set of projects that can be used for image storage and disk instantiation for Compute Engine. If this constraint is active, only images from trusted projects will be allowed as the source for boot disks for new instances.

Question 2

An organization’s typical network and security review consists of analyzing application transit routes,
request handling, and firewall rules. They want to enable their developer teams to deploy new
applications without the overhead of this full review.
How should you advise this organization?

Accepted Answer

B

Explanation: To enable developer teams to deploy new applications without the extensive overhead of network and security reviews, it’s recommended to mandate the use of infrastructure as code (IaC) and enforce policies through static analysis in CI/CD pipelines. This approach ensures that security and compliance policies are checked automatically during the development process. Step-by-Step: Adopt IaC: Use tools like Terraform or Google Cloud Deployment Manager to manage infrastructure as code. CI/CD Pipeline Integration: Integrate static analysis tools such as TFLint or Checkov in the CI/CD pipeline to enforce security policies. Policy Definition: Define security policies and best practices that need to be adhered to in the code. Automated Checks: Configure automated checks in the CI/CD pipeline to review code against these policies before deployment. Monitor and Audit: Continuously monitor and audit deployed applications to ensure ongoing compliance. Reference:: Infrastructure as Code on Google Cloud Static Analysis for Terraform Checkov for IaC

Question 3

You work for a large organization where each business unit has thousands of users. You need to
delegate management of access control permissions to each business unit. You have the following
requirements:
Each business unit manages access controls for their own projects.
Each business unit manages access control permissions at scale.
Business units cannot access other business units' projects.
Users lose their access if they move to a different business unit or leave the company.
Users and access control permissions are managed by the on-premises directory service.
What should you do? (Choose two.)

Accepted Answer

B, E

Explanation: To delegate management of access control permissions to each business unit effectively, organizing projects into folders and assigning permissions to Google groups at the folder level allows for scalable and manageable access control. Using Google Cloud Directory Sync (GCDS) to synchronize users and groups from the on-premises directory service ensures that access controls are maintained and updated automatically as users change roles or leave the company. Steps: Organize Projects in Folders: Create a folder structure in the Google Cloud Resource Manager to organize projects by business unit. Assign Permissions to Google Groups: Use IAM to assign necessary permissions to Google Groups at the folder level, ensuring each business unit can manage access controls for their own projects. Synchronize Users and Groups: Use GCDS to sync users and group memberships from your on- premises directory service to Google Cloud Identity, ensuring that changes in the on-premises directory are reflected in Google Cloud. Reference:: Google Cloud Resource Manager Google Cloud Directory Sync

Question 4

Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize
the control over networking resources like firewall rules, subnets, and routes. They also have an on-
premises environment where resources need access back to the GCP resources through a private
VPN connection. The networking resources will need to be controlled by the network security team.
Which type of networking design should your team use to meet these requirements?

Accepted Answer

A

Explanation: Reference:: https://cloud.google.com/docs/enterprise/best-practices-for-enterpriseorganizations#centralize_network_control Use Shared VPC to connect to a common VPC network. Resources in those projects can communicate with each other securely and efficiently across project boundaries using internal IPs. You can manage shared network resources, such as subnets, routes, and firewalls, from a central host project, enabling you to apply and enforce consistent network policies across the projects.

Question 5

You are a security engineer at a finance company. Your organization plans to store data on Google
Cloud, but your leadership team is worried about the security of their highly sensitive data
Specifically, your
company is concerned about internal Google employees' ability to access your company's data on
Google Cloud. What solution should you propose?

Accepted Answer

D

Explanation: https://cloud.google.com/access-transparency Access approval Explicitly approve access to your data or configurations on Google Cloud. Access Approval requests, when combined with Access Transparency logs, can be used to audit an end-to-end chain from support ticket to access request to approval, to eventual access.

Question 6

A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system. How should the customer achieve this using Google Cloud Platform?

Accepted Answer

B

Explanation: Storing secrets securely is crucial for maintaining the integrity and confidentiality of your applications. Here is how you can achieve this using Google Cloud Platform: Encrypt the Secrets: Use Customer-Managed Encryption Keys (CMEK) to encrypt your secrets. CMEK allows you to have greater control over the encryption keys used to protect your data. This ensures that even if the storage medium is compromised, the secrets remain protected by strong encryption. Store in Cloud Storage: Store the encrypted secrets in Google Cloud Storage. Cloud Storage is a secure and scalable object storage service. By using encrypted storage, you can ensure that the secrets are securely stored and can only be accessed by authorized entities. This method provides a secure and managed way to store secrets, ensuring that they are not exposed in plain text within your source code management system. Reference: Customer-Managed Encryption Keys (CMEK) Google Cloud Storage Security

Question 7

You are a security administrator at your company. Per Google-recommended best practices, you
implemented the domain restricted sharing organization policy to allow only required domains to
access your projects. An engineering team is now reporting that users at an external partner outside
your organization domain cannot be granted access to the resources in a project. How should you
make an exception for your partner's domain while following the stated best practices?

Accepted Answer

D

Explanation: https://cloud.google.com/resource-manager/docs/organization-policy/restrictingdomains#setting_the_organization_policy The domain restriction constraint is a type of list constraint. Google Workspace customer IDs can be added and removed from the allowed_values list of a domain restriction constraint. The domain restriction constraint does not support denying values, and an organization policy can't be saved with IDs in the denied_values list. All domains associated with a Google Workspace account listed in the allowed_values will be allowed by the organization policy. All other domains will be denied by the organization policy.

Question 8

An employer wants to track how bonus compensations have changed over time to identify employee
outliers and correct earning disparities. This task must be performed without exposing the sensitive
compensation data for any individual and must be reversible to identify the outlier.
Which Cloud Data Loss Prevention API technique should you use to accomplish this?

Accepted Answer

D

Explanation: De-identifying sensitive data Cloud Data Loss Prevention (DLP) can de-identify sensitive data in text content, including text stored in container structures such as tables. De-identification is the process of removing identifying information from data. The API detects sensitive data such as personally identifiable information (PII), and then uses a de-identification transformation to mask, delete, or otherwise obscure the data. For example, de-identification techniques can include any of the following: Masking sensitive data by partially or fully replacing characters with a symbol, such as an asterisk (*) or hash (#). Replacing each instance of sensitive data with a token, or surrogate, string. Encrypting and replacing sensitive data using a randomly generated or pre-determined key. When you de-identify data using the CryptoReplaceFfxFpeConfig or CryptoDeterministicConfig infoType transformations, you can re-identify that data, as long as you have the CryptoKey used to originally de-identify the data. https://cloud.google.com/dlp/docs/deidentify-sensitive-data

Question 9

You are working with protected health information (PHI) for an electronic health record system. The
privacy officer is concerned that sensitive data is stored in the analytics system. You are tasked with
anonymizing the sensitive data in a way that is not reversible. Also, the anonymized data should not
preserve the character set and length. Which Google Cloud solution should you use?

Accepted Answer

C

Explanation: Use Cloud Data Loss Prevention (DLP) with cryptographic hashing: Cloud DLP allows you to de-identify sensitive data using several techniques, including cryptographic hashing. Choose a suitable hashing algorithm like SHA-256 for non-reversible anonymization. This method converts the original data into a fixed-length hash that does not preserve the original data's format or character set. Set up a Cloud DLP job to scan your data sources, identify PHI, and apply the cryptographic hashing transformation. Reference:: Cloud DLP Overview De-identification with Cloud DLP

Question 10

A customer wants to move their sensitive workloads to a Compute Engine-based cluster using
Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a
requirement to be able to manage and rotate the encryption keys.
Which boot disk encryption solution should you use on the cluster to meet this customer’s
requirements?

Accepted Answer

B

Explanation: For managing and rotating encryption keys in a Compute Engine-based cluster using Managed Instance Groups (MIGs), Customer-Managed Encryption Keys (CMEK) with Cloud KMS is the appropriate solution. Set Up Cloud KMS: Go to the Cloud Console and navigate to Security > Cryptographic Keys. Create a keyring and a key. Create and Use CMEK: While creating or updating a Compute Engine instance, specify the CMEK key. Example command: gcloud compute instances create example-instance \ --image-family=debian-9 \ --image- project=debian-cloud \ --boot-disk-kms- key=projects/[PROJECT_ID]/locations/global/keyRings/[KEY_RING]/cryptoKeys/[KEY] Rotate Keys: Rotate keys periodically using Cloud KMS by creating new key versions and updating the instances to use the new key versions. Reference:: Customer-Managed Encryption Keys (CMEK) Using Customer-Managed Encryption Keys

Question 11

You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine. Which option should you recommend?

Accepted Answer

D

Explanation: Objective: Store and retrieve sensitive configuration data for an application running on Compute Engine. Solution: Use Secret Manager to securely store and manage access to sensitive configuration data. Steps: Step 1: Open the Google Cloud Console. Step 2: Navigate to the Secret Manager section. Step 3: Create a new secret and add the sensitive configuration data. Step 4: Set appropriate IAM policies to control access to the secret. Step 5: Update the application to retrieve the secret from Secret Manager using the appropriate client libraries or APIs. Secret Manager provides a secure and centralized way to manage sensitive information, with fine- grained access control and audit logging capabilities. Reference:: Secret Manager Documentation Storing and Accessing Secrets

Question 12

Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory
Service. Your team wants to manage permissions by AD group membership.
What should your team do to meet these requirements?

Accepted Answer

A

Explanation: "In order to be able to keep using the existing identity management system, identities need to be synchronized between AD and GCP IAM. To do so google provides a tool called Cloud Directory Sync. This tool will read all identities in AD and replicate those within GCP. Once the identities have been replicated then it's possible to apply IAM permissions on the groups. After that you will configure SAML so google can act as a service provider and either you ADFS or other third party tools like Ping or Okta will act as the identity provider. This way you effectively delegate the authentication from Google to something that is under your control."

Question 13

Which two implied firewall rules are defined on a VPC network? (Choose two.)

Accepted Answer

Explanation: Implied IPv4 allow egress rule. An egress rule whose action is allow, destination is 0.0.0.0/0, and priority is the lowest possible (65535) lets any instance send traffic to any destination Implied IPv4 deny ingress rule. An ingress rule whose action is deny, source is 0.0.0.0/0, and priority is the lowest possible (65535) protects all instances by blocking incoming connections to them. https://cloud.google.com/vpc/docs/firewalls?hl=en#default_firewall_rules

Question 14

You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?

Accepted Answer

C

Explanation: Disable service account key creation You can use the iam.disableServiceAccountKeyCreation boolean constraint to disable the creation of new external service account keys. This allows you to control the use of unmanaged long-term credentials for service accounts. When this constraint is set, user- managed credentials cannot be created for service accounts in projects affected by the constraint. https://cloud.google.com/resource-manager/docs/organization-policy/restricting-serviceaccounts#example_policy_boolean_constraint

Question 15

In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is
authorized.
Which two cloud offerings meet this requirement without additional compensating controls?
(Choose two.)

Accepted Answer

Explanation: App Engine ingress firewall rules are available, but egress rules are not currently available. Per requirements 1.2.1 and 1.3.4, you must ensure that all outbound traffic is authorized. SAQ A-EP and SAQ D–type merchants must provide compensating controls or use a different Google Cloud product. Compute Engine and GKE are the preferred alternatives. https://cloud.google.com/solutions/pci-dsscompliance-in-gcp

Free Google Professional Cloud Security Engineer Actual Exam Questions