Google Professional Cloud Security Engineer Certification Exam Dumps 2023

Google Professional Cloud Security Engineer Certification Practice Tests 2023. Contains 300+ exam questions to pass the exam in first attempt. SkillCertPro offers real exam questions for practice for all major IT certifications.

For a full set of 300+ questions, go to https://skillcertpro.com/product/google-professional-cloud-security-engineer-exam-questions/

SkillCertPro offers detailed explanations to each question which helps to understand the concepts better. It is recommended to score above 85% in SkillCertPro exams before attempting a real exam. SkillCertPro updates exam questions every 2 weeks. You will get lifetime access and lifetime free updates. SkillCertPro assures 100% pass guarantee in first attempt.

Below are the free 10 sample questions.

Question 1: A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places. Which storage solution are they allowed to use?
A. Cloud Bigtable
B. Cloud BigQuery
C. Compute Engine SSD Disk
D. Compute Engine Persistent Disk
Answer: B
Explanation: BigQuery transparently and automatically provides highly durable, replicated storage in multiple locations and high availability with no extra charge and no additional setup.
Refer: https://cloud.google.com/bigquery-transfer/docs/locations
What it mentions there is that once you create a replication, you cannot change its location. The question here is about high availability (synchronous replication).

Question 2: A customer wants to deploy a large number of 3-tier web applications on Compute Engine. How should the customer ensure authenticated network separation between the different tiers of the application?
A. Run each tier in its own Project, and segregate using Project labels.
B. Run each tier with a different Service Account (SA), and use SA-based firewall rules.
C. Run each tier in its own subnet, and use subnet-based firewall rules.
D. Run each tier with its own VM tags, and use tag-based firewall rules.
Answer: B
Explanation: "Isolate VMs using service accounts when possible." "Even though it is possible to use tags for target filtering in this manner, we recommend that you use service accounts where possible. Target tags are not access-controlled and can be changed by someone with the Instance Admin role while VMs are in service. Service accounts are access-controlled, meaning that a specific user must be explicitly authorized to use a service account. There can only be one service account per instance, whereas there can be multiple tags. Also, service accounts assigned to a VM can only be changed when the VM is stopped."
Refer: https://cloud.google.com/solutions/best-practices-vpc-design#isolate-vms-service-accounts

Question 3: Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?
A. ISO 27001
B. ISO 27002
C. ISO 27017
D. ISO 27018
Answer: C
Explanation: Create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.

Question 4: A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to manage and rotate the encryption keys. Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?
A. Customer-supplied encryption keys (CSEK)
B. Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
C. Encryption by default
D. Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis
Answer: B
Explanation: Reference https://cloud.google.com/kubernetes-engine/docs/how-to/dynamic-provisioning-cmek

Question 5: An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well-established directory service is used to manage user identities and lifecycle management. This directory service must continue to serve as the organization's "source of truth" directory for identities. Which solution meets the organization's requirements?
A. Google Cloud Directory Sync (GCDS)
B. Cloud Identity
C. Security Assertion Markup Language (SAML)
D. Pub/Sub
Answer: A
Explanation: Option D is not correct, as Cloud Pub/Sub is an asynchronous messaging service that decouples services that produce events from services that process events; it is not a way of federating a directory service with GCP. Option B is also incorrect, as Cloud Identity is an Identity as a Service (IDaaS) solution that centrally manages users and groups, and here you need a way to federate identities with the current directory service. Option C is not correct because SAML is the official way to delegate authentication to the directory service by using the Security Assertion Markup Language (SAML) protocol, but you first need to create and synchronize identities in GCP. Option A is the correct answer, as GCDS is one of the ways you can federate identities in GCP.
Reference Links: https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-introduction

Question 6: Your team wants to limit users with administrative privileges at the organization level. Which two roles should your team restrict? (Choose two.)
A. Organization Administrator
B. Super Admin
C. GKE Cluster Admin
D. Compute Admin
E. Organization Role Viewer
Answer: A, B
Explanation: The Google Workspace or Cloud Identity super administrators and the GCP Organization admin are key roles during the setup process and for lifecycle control of the Organization resource. The two roles are generally assigned to different users or groups, although this depends on the organization structure and needs.
Google Workspace or Cloud Identity super administrator responsibilities, in the context of GCP Organization setup, are:
– Assigning the Organization admin role to some users
– Being a point of contact in case of recovery issues
– Controlling the lifecycle of the Google Workspace or Cloud Identity account and Organization resource, as explained under "Deleting an Organization resource"
The Organization admin, once assigned, can assign IAM roles to other users. The responsibilities of the Organization admin role are:
– Defining IAM policies
– Determining the structure of the Resource Hierarchy
– Delegating responsibility over critical components such as Networking, Billing and Resource Hierarchy through IAM roles
Answers C, D and E are not correct, as those roles won't provide admin privileges at the organization level.
Reference Links: https://cloud.google.com/resource-manager/docs/creating-managing-organization

Question 7: A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet. How should this be accomplished?
A. Create a firewall rule to block internet traffic from the VM.
B. Provision a NAT Gateway to access the Cloud Storage API endpoint.
C. Enable Private Google Access on the VPC.
D. Mount a Cloud Storage bucket as a local filesystem on every VM.
Answer: C

Question 8: A customer wants to deploy a large number of 3-tier web applications on Compute Engine. How should the customer ensure authenticated network separation between the different tiers of the application?
A. Run each tier in its own Project, and segregate using Project labels.
B. Run each tier with a different Service Account (SA), and use SA-based firewall rules.
C. Run each tier in its own subnet, and use subnet-based firewall rules.
D. Run each tier with its own VM tags, and use tag-based firewall rules.
Answer: B
Explanation: In this case the key phrase in the question is "ensure authenticated network separation". To do that, we need to create service accounts for each tier and enforce firewall rules using those accounts. The Google documentation explains how to achieve that by specifying the targets of the rule: "If you want the rule to apply to select instances by associated service account, choose Specified service account, indicate whether the service account is in the current project or another one under Service account scope, and choose or type the service account name in the Target service account field." None of the other options will meet the question's requirements.
Reference Links: https://cloud.google.com/vpc/docs/using-firewalls

Question 9: Your organization has just acquired company ABC. As management starts to consolidate assets, they find that all of ABC's infrastructure and applications are in GCP. Your CTO wants to consolidate ABC's GCP environment with that of your company in order to centralize management. Following GCP best practices, how would you achieve this?
A. Use a single organization and move all ABC projects under your current company's organization.
B. Create a new organization and put both organizations under it.
C. Use a single organization and move all ABC assets to folders/sub-folders under your current company's organization.
D. Keep the organizations separate and give current users access to the ABC organization node.
Answer: C
Explanation: The best way to proceed in this case is to have just one single organization. This way you can centralize billing and also apply restrictions at a global level if needed. Also, as the company is a new acquisition, what makes most sense is to maintain separate sub-organizations by using folders/sub-folders under your current company's organization.
Resources:
https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy
https://www.youtube.com/watch?v=tNG4RUpBUso

Question 10: Applications often require access to "secrets", small pieces of sensitive data, at build or run time. The administrator managing these secrets on GCP wants to keep track of "who did what, where, and when?" within their GCP projects. Which two log streams would provide the information that the administrator is looking for? (Choose two.)
A. Admin Activity logs
B. System Event logs
C. Data Access logs
D. VPC Flow logs
E. Agent logs
Answer: A, C
Explanation: https://cloud.google.com/kms/docs/secret-management