Question 1

You define central security controls in your Google Cloud environment for one of the folders in your organization you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later you receive an alert about a new VM with an external IP address under that folder. What could have caused this alert?

Options :

A : The VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.

B : The organizational policy constraint wasn't properly enforced and is running in "dry run mode.

C : At project level, the organizational policy control has been overwritten with an 'allow' value.

D : The policy constraint on the folder level does not have any effect because of an allow" value for that constraint on the organizational level

Answer: C

Question 2

A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects. Which two steps should the company take to meet these requirements? (Choose two.)

Options :

A : Create a project with multiple VPC networks for each environment.

B : Create a folder for each development and production environment.

C : Create a Google Group for the Engineering team, and assign permissions at the folder level.

D : Create an Organizational Policy constraint for each folder environment.

E : Create projects for each environment, and grant IAM rights to each engineering user.

Answer: B,C

Question 3

You are consulting with a client that requires end-to-end encryption of application data (including data in transit, data in use, and data at rest) within Google Cloud. Which options should you utilize to accomplish this? (Choose two.)

Options :

A : External Key Manager

B : Customer-supplied encryption keys

C : Hardware Security Module

D : Confidential Computing and Istio

E : Client-side encryption

Answer: D,E

Question 4

A customer’s company has multiple business units. Each business unit operates independently, and each has their own engineering group. Your team wants visibility into all projects created within the company and wants to organize their Google Cloud Platform (GCP) projects based on different business units. Each business unit also requires separate sets of IAM permissions. Which strategy should you use to meet these needs?

Options :

A : Create an organization node, and assign folders for each business unit.

B : Establish standalone projects for each business unit, using gmail.com accounts.

C : Assign GCP resources in a project, with a label identifying which business unit owns the resource.

D : Assign GCP resources in a VPC for each business unit to separate network access.

Answer: A

Question 5

You have just created a new log bucket to replace the _Default log bucket. You want to route all log entries that are currently routed to the _Default log bucket to this new log bucket in the most efficient manner. What should you do?

Options :

A : Create a user-defined sink with inclusion filters copied from the _Default sink. Select the new log bucket as the sink destination.

B : Create exclusion filters for the _Default sink to prevent it from receiving new logs. Create a userdefined sink, and select the new log bucket as the sink destination.

C : Disable the _Default sink. Create a user-defined sink and select the new log bucket as the sink destination.

D : Edit the _Default sink, and select the new log bucket as the sink destination.

Answer: D

Free Professional-Cloud-Security-Engineer Mock Exam – Practice Online Confidently

Buying Options: