Google Professional Cloud Security Practice Exam PR000115

Developers in an organization are prototyping a few applications on Google Cloud Platform (GCP) and are starting to store sensitive information on GCP. The developers are using their personal/consumer Gmail accounts to set up and manage their projects within GCP. A security engineer identifies this practice as a concern to the organization management because of the lack of centralized project management and access to the data being stored in these accounts. Which solution should be used to resolve this concern?

A customer wants to use Cloud Identity as their primary IdP. The customer wants to use other non-GCP SaaS products for CRM, messaging, and customer ticketing management. The customer also wants to improve employee experience with Single Sign-On (SSO) capabilities to securely access GCP and non-GCP applications. Only authorized individuals should be able to access these third-party applications. What action should the customer take to meet these requirements?

A Cloud Development team needs to use service accounts extensively in their local development. You need to provide the team with the keys for these service accounts. You want to follow Google-recommended practices. What should you do?

A customer needs to rely on their existing user directory with the requirements of native authentication against it when developing for Google Cloud Platform (GCP). They want to leverage their existing tooling and functionality to gather insight on user activity from a familiar interface. Which action should you take to meet the customer’s requirements?

A customer wants to grant access to their application running on Compute Engine to write only to a specific Cloud Storage bucket. How should you grant access?

Your team creates an ingress firewall rule to allow SSH access from their corporate IP range to a specific bastion host on Compute Engine. Your team wants to make sure that this firewall rule cannot be used by unauthorized engineers who may otherwise have access to manage VMs in the development environment. What should your team do to meet this requirement?

You want to protect the default VPC network from all inbound and outbound internet traffic. What action should you take?

An organization recently began using App Engine to build and host its new web application for its customers. The organization wants to use its existing IAM setup to allow its developer employees to have elevated access to the application remotely. This would allow them to push updates and fixes to the application via an HTTPS connection. Non-developer employees should only get access to the production version without development permissions. Which Google Cloud Platform solution should be used to meet these requirements?

You have defined subnets in a VPC within Google Cloud Platform. You need multiple projects to create Compute Engine instances with IP addresses from these subnets. What should you do?

An application log’s data, including customer identifiers such as email addresses, needs to be redacted. However, these logs also include the email addresses of internal developers from company.com, and these should NOT be redacted. Which solution should you use to meet these requirements?

Which encryption algorithm is used with Default Encryption in Cloud Storage?

Your company is storing files on Cloud Storage. To comply with local regulations, you want to ensure that uploaded files cannot be deleted within the first 5 years. It should not be possible to lower the retention period after it has been set. What should you do?

A security team at an e-commerce company wants to define an automatic incident response process for fraudulent credit card usage attempts. The team targets a 10-minute or faster response time for such incidents. The fraudulent card list is updated every 60 seconds. The e-commerce servers log the transaction details in near-real time. Which option should you recommend to the security team?

Your company is deploying their applications on Google Kubernetes Engine. You want to follow Google-recommended practices. What should you do to ensure that the container images used for new deployments contain the latest security patches?

Your customer is moving their corporate applications to Google Cloud Platform. The security team wants detailed visibility of all resources in the organization. You use Resource Manager to set yourself up as the org admin. What Cloud Identity and Access Management (Cloud IAM) roles should you give to the security team?

Your company wants to collect and analyze CVE information for packages in container images, and wants to prevent images with known security issues from running in your Google Kubernetes Engine environment. Which two security features does Google recommend including in a container build pipeline?

You need to perform a vulnerability scan for an App Engine app using Cloud Security Scanner. Upon completion of the scan, the report is not producing the expected number of webpage results. The pages in the app with mouseover menus are missing from the report. Which action should you take to make sure the scan completes and captures the menu?

An organization is working on their GDPR compliance strategy. It wants to ensure that controls are in place to ensure that customer PII is stored in Cloud Storage buckets without third-party exposure. Which Google Cloud solution should the organization use to verify that PII is stored in the correct place without exposing PII internally?

A cloud customer has an on-premises key management system and wants to generate, protect, rotate, and audit encryption keys with it. How can the customer use Cloud Storage with their own encryption keys?

You are responsible for implementing a payment processing environment that will use Kubernetes and need to apply proper security controls. What should you do?