Online Access Free Professional-Cloud-Security-Engineer Practice Test

You want to update your existing VPC Service Controls perimeter with a new access level. You need to avoid breaking the existing perimeter with this change, and ensure the least disruptions to users while minimizing overhead. What should you do?

• A.Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.
• B.Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.
• C.Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration.
  Update the perimeter configuration after the access level has been vetted.
• D.Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.

Your organization enforces a custom organization policy that disables the use of Compute Engine VM instances with external IP addresses.1 However, a regulated business unit requires an exception to temporarily use external IPs for a third-party audit process. The regulated business workload must comply with least privilege principles and minimize policy drift. You need to ensure secure policy management and proper handling. What should you do?

• A.Apply the custom organization policy at the organization level to restrict external IPs. Move the regulated business workload to a separate folder. Override the policy at that folder level.
• B.Apply the restrictive organization policy at the organization level. Create an IAM custom role with permissions to bypass organization policies. Assign the custom role to the regulated business team for the specific project.
• C.Modify the custom organization policy at the organization level to allow external IPs for all projects.
  Configure VPC firewall rules to restrict egress traffic except for the regulated business workload.
• D.Create a folder. Apply the restrictive organization policy for non-regulated business workloads in the folder. Place the regulated business workload in that folder.

You want to make sure that your organization's Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all Cloud Storage buckets. What should you do?

• A.Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.
• B.Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.
• C.Remove Owner roles from end users, and configure Cloud Data Loss Prevention.
• D.Remove *.setIamPolicy permissions from all roles, and enforce domain restricted sharing in an organization policy.

You are running a workload which processes very sensitive data that is intended to be used downstream by data scientists to train further models. The security team has very strict requirements around data handling and encryption, approved workloads, as well as separation of duties for the users of the output of the workload.
You need to build the environment to support these requirements. What should you do?

• A.Use Confidential Computing within Confidential Space, assign workload operator roles to the confidential compute VM service account. Assign the data collaborator role to the data scientist service account. Manage user access to these service accounts by using attestations and Workload Identity pools.
• B.Use Dataflow with Confidential Computing enabled to process the data and stream the results to a CMEK encrypted Cloud Storage bucket. Assign a storage object viewer role to the data scientist service account. Manage access to this service account by using Workload Identity pools.
• C.Use Dataproc with Confidential Computing enabled to process the data and stream the results to a CMEK encrypted Cloud Storage bucket. Assign a storage object reader role to the data scientist service account. Manage access to this service account by using Workload Identity pools.
• D.Use Confidential Computing on an N2D VM instance to process that data and output the results to a CMEK encrypted Cloud Storage bucket. Assign a storage object reader role to the data scientist service account. Manage access to this service account by using Workload Identity pools.

You need to enforce a security policy in your Google Cloud organization that prevents users from exposing objects in their buckets externally. There are currently no buckets in your organization. Which solution should you implement proactively to achieve this goal with the least operational overhead?

• A.Create a VPC Service Controls perimeter that protects the storage.googleapis.com service in your projects that contains buckets. Add any new project that contains a bucket to the perimeter.
• B.Enable the constraints/storage.uniformBucketLevelAccess constraint at the organization level.
• C.Enable the constraints/storage.publicAccessPrevention constraint at the organization level.
• D.Create an hourly cron job to run a Cloud Function that finds public buckets and makes them private.