A centralized security service has been implemented by your company All applications running in Google Cloud are required to send data to this service You need to ensure that developers have high autonomy to configure firewall rules within their projects, while preventing accidental blockage of access to the central security service What should you do?
Correct Answer: B
The problem has two key requirements: All applications must send data to a centralized security service Developers need high autonomy over firewall rules within their projects Prevent accidental blockage of access to the central security service This scenario requires a mechanism to enforce critical network policies at a higher level of the resource hierarchy while still allowing project-level flexibility Hierarchical Firewall Policies: Google Cloud's Hierarchical Firewall Policies (HFP) are designed precisely for this purpose They allow administrators to define firewall rules at the organization or folder level, and these rules are inherited by all projects and VPC networks within that hierarchy Crucially, HFP rules can be prioritized Rules with higher priority (lower numerical value) are evaluated first This means you can create high-priority "allow" rules for critical services that cannot be overridden or blocked by project-level firewall rulesExtract Reference: "Hierarchical firewall policies allow you to define and enforce consistent network security policies across your organization Policies can be applied at the organization or folder level, and they are inherited by all projects and VPC networks within that hierarchy" and "Rules in a hierarchical firewall policy can take precedence over VPC network firewall rules based on priority A rule with a lower priority value takes precedence over a rule with a higher priority value" (Google Cloud documentation: https://cloudgooglecom/vpc/docs/firewall-policies-overview) Preventing Accidental Blockage while Allowing Autonomy: By setting a high-priority "allow" rule for the central security service in a hierarchical firewall policy, you guarantee that this traffic will always be permitted, regardless of what project-level firewall rules developers might configure This ensures the critical connectivity while still allowing developers to manage other, less critical firewall rules within their projects with high autonomy Let's evaluate the other options: A Deploy a central Secure Web Proxy and connect it to all VPC networks Create a Secure Web Proxy policy to allow traffic to the central security service A Secure Web Proxy is for HTTP/S outbound traffic to external web services The central security service might not be an external web service, and this solution is focused on application-layer proxies, not general network connectivity like sending data to an internal service Also, it doesn't directly address the challenge of developers blocking access with project-level firewall rules C Create a central project to manage Shared VPC networks which will be accessible to all other projects Administer all firewall rules centrally within this project While Shared VPC centralizes network management, it means all firewall rules are administered centrally This directly contradicts the requirement for developers to have "high autonomy to configure firewall rules within their projects" Shared VPC would centralize too much control for this specific scenario D Use Terraform to automate the creation of the required firewall rule in all projects Restrict rule change permissions solely to the Terraform service account This approach automates the creation but doesn't prevent developers from creating conflicting or overriding rules in their projects (unless Terraform is used to manage all rules, again removing autonomy) It also relies on restricting IAM permissions for all firewall rules, which is against the "high autonomy" requirement for developers Hierarchical firewall policies offer a more robust and native solution for overriding and enforcing specific rules
A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can only be accessed by someone on the corporate network. The customer wants to make it available over the internet. Your team requires an authentication layer in front of the application that supports two-factor authentication Which GCP product should the customer implement to meet these requirements?
Correct Answer: A
Cloud Identity-Aware Proxy (Cloud IAP) provides a way to control access to your web applications and resources running on Google Cloud. It works by verifying the identity of a user trying to access the application and supports multi-factor authentication (MFA). Cloud IAP can restrict access to users on the corporate network and also supports access over the internet securely. Steps: Enable Cloud IAP: In the Google Cloud Console, navigate to the IAP section and enable IAP for your web application. Configure OAuth Consent Screen: Set up the OAuth consent screen to manage how users grant access. Set Up Authentication: Use Google Identity Platform to manage users and enable two-factor authentication. Add Users: Grant users access to the application by adding their identities in the IAP settings. Reference: Google Cloud: Identity-Aware Proxy Setting up IAP
A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery What should you do?
Correct Answer: B
https://cloud.google.com/bigquery/docs/scan-with-dlp Cloud Data Loss Prevention API allows to detect and redact or remove sensitive data before the comments or reviews are published. Cloud DLP will read information from BigQuery, Cloud Storage or Datastore and scan it for sensitive data.
Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services. Which two settings must remain disabled to meet these requirements? (Choose two.)
Correct Answer: A,C
To ensure that a Compute Engine instance does not have access to the internet or to any Google APIs or services, you need to disable the following settings: Public IP: Disabling the public IP address ensures that the instance does not have a direct connection to the internet. Without a public IP address, the instance cannot be accessed from or communicate with the internet directly. Private Google Access: Disabling Private Google Access ensures that the instance does not have access to Google APIs and services through the internal Google network. Private Google Access allows instances without a public IP to reach Google APIs and services using private IP addresses, but disabling it will block this path. Disabling these settings will effectively isolate the instance from both the public internet and Google's internal API services. Reference: Google Cloud VPC Documentation - Overview Configuring Private Google Access Compute Engine Network Overview
Your organization is using Google Cloud to develop and host its applications Following Google-recommended practices, the team has created dedicated projects for development and production Your development team is located in Canada and Germany The operations team works exclusively from Germany to adhere to local laws You need to ensure that admin access to Google Cloud APIs is restricted to these countries and environments What should you do?
Correct Answer: C
The problem requires restricting admin access to Google Cloud APIs based on geographic location (Canada and Germany) and environment (development and production projects) VPC Service Controls (VPC SC): VPC Service Controls is designed to create security perimeters around Google Cloud resources and services Its primary purpose is to prevent data exfiltration and control access to Google Cloud APIs based on the context of the request, which includes the source IP address Extract Reference: "VPC Service Controls provides an extra layer of security defense for Google Cloud services that is independent of Identity and Access Management (IAM) While IAM enables granular identity-based access control, VPC Service Controls enables broader context-based perimeter security, including controlling data egress across the perimeter" (Google Cloud Documentation: "Overview of VPC Service Controls" - https://cloudgooglecom/vpc-service-controls/docs/overview) Service Perimeters for Environments: Creating dedicated perimeters for development and production projects allows for logical separation of environments, which aligns with the "dedicated projects for development and production" structure Ingress Policies with Geographic Restrictions: VPC Service Controls uses "ingress rules" to define who and from where requests can enter a service perimeter These ingress rules can be configured to allow access based on various attributes, including the source IP address of the request By allowing access from specific IP ranges corresponding to Canada and Germany, you effectively restrict administrative access to APIs from those countries You can define "access levels" (which can include IP subnets or geographical origins) and attach them to ingress policies Extract Reference: "To allow ingress to resources, VPC Service Controls evaluates sources and identityType attributes as an AND condition You must specify an accessLevel or a resource (Google Cloud project or VPC network), or set accessLevel attribute to *" (Google Cloud Documentation: "Ingress and egress rules | VPC Service Controls" - https://cloudgooglecom/vpc-service-controls/docs/ingress-egress-rules) Extract Reference (for Context-Aware Access which underpins access levels): "You can create different types of Context-Aware Access policies for accessing apps: IP, device, geographic origin, and custom access-level attributes" (Google Workspace Admin Help: "Protect your business with Context-Aware Access" - https://supportgooglecom/a/answer/9275380) - While this references Workspace apps, the underlying mechanism of Access Context Manager (used by VPC SC) supports geographic restrictions Let's evaluate the other options: A Create dedicated firewall policies restrict access based on geolocations: VPC firewall rules operate at the network level (Layers 3/4) within a VPC They control traffic between VM instances or to/from the internet for network services They do not directly control admin access to Google Cloud APIs (eg, via the console or gcloud CLI calls) originating from outside the VPC B Activate the organization policy on the folders to restrict resource location: The Resource Location Restriction organization policy constraint restricts where new resources can be created or stored (eg, data residency requirements) It does not restrict where administrators can connect from to manage these resources or access APIs D Create dedicated IAM Groups Grant access: IAM (Identity and Access Management) controls who can access what resources and what actions they can perform It does not natively provide control over where the access originates from (eg, country-specific IP addresses)
Newest Professional-Cloud-Security-Engineer Exam PDF Dumps shared by Actual4test.com for Helping Passing Professional-Cloud-Security-Engineer Exam! Actual4test.com now offer the updated Professional-Cloud-Security-Engineer exam dumps, the Actual4test.com Professional-Cloud-Security-Engineer exam questions have been updated and answers have been corrected get the latest Actual4test.com Professional-Cloud-Security-Engineer pdf dumps with Exam Engine here: