Free Access Google.Professional-Cloud-Security-Engineer.v2022-10-17.q111 Practice Test (Page 15)

Question 66

A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?

A.Use Cloud Build to build the container images.

B.Build small containers using small base images.

C.Delete non-used versions from Container Registry.

D.Use a Continuous Delivery tool to deploy the application.

Question 67

Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.
What should you do?

A.Use customer-supplied encryption keys to manage the data encryption key (DEK).

B.Use customer-supplied encryption keys to manage the key encryption key (KEK).

C.Use the Cloud Key Management Service to manage a data encryption key (DEK).

D.Use the Cloud Key Management Service to manage a key encryption key (KEK).

Question 68

You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM.
What should you do?

A.Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have "user email address" as the attribute to facilitate bidirectional sync.

B.Use a management tool to sync the subset based on the email address attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

C.Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have "user email address" as the attribute to facilitate one-way sync.

D.Use a management tool to sync the subset based on group object class attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

Question 69

A company's application is deployed with a user-managed Service Account key. You want to use Google- recommended practices to rotate the key.
What should you do?

A.Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam- account=IAM_ACCOUNT.

B.Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam- account=IAM_ACCOUNT --key=NEW_KEY.

C.Create a new key, and use the new key in the application. Delete the old key from the Service Account.

D.Create a new key, and use the new key in the application. Store the old key on the system as a backup key.

Question 70

Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.
What should you do?

A.Use the Cloud Key Management Service to manage a data encryption key (DEK).

B.Use the Cloud Key Management Service to manage a key encryption key (KEK).

C.Use customer-supplied encryption keys to manage the data encryption key (DEK).

D.Use customer-supplied encryption keys to manage the key encryption key (KEK).

Other Version: 2384Google.Professional-Cloud-Security-Engineer.v2022-08-22.q116; 2432Google.Professional-Cloud-Security-Engineer.v2022-01-23.q100

Latest Upload: 117Oracle.1Z0-1057-23.v2025-09-10.q47; 150Google.Professional-Cloud-Network-Engineer.v2025-09-09.q179; 131SAP.C-S4EWM-2023.v2025-09-08.q83; 162TheSecOpsGroup.CNSP.v2025-09-08.q20; 220CFAInstitute.ESG-Investing.v2025-09-08.q173; 155PECB.ISO-IEC-27001-Lead-Implementer.v2025-09-06.q132; 145Salesforce.Data-Architect.v2025-09-05.q216; 139Adobe.AD0-E605.v2025-09-05.q50; 183Nutanix.NCP-MCI-6.10.v2025-09-05.q55; 114Oracle.1z0-591.v2025-09-05.q104

Question 66

Question 67

Question 68

Question 69

Question 70

Download PDF File