Question 1

Your organization is using GitHub Actions as a continuous integration and delivery (Cl/CD) platform. You must enable access to Google Cloud resources from the Cl/CD pipelines in the most secure way. What should you do?

Options :

A : Create a service account key and add it to the GitHub pipeline configuration file

B : Create a service account key and add it to the GitHub repository content

C :

Configure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.

D : Configure workload identity federation to use GitHub as an identity pool provider.

Answer: D

Question 2

You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment. How should you prevent and fix this vulnerability?

Options :

A : Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

B :

Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

C :

Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.

D :

Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

Answer: D

Question 3

An employer wants to track how bonus compensations have changed over time to identify employee outliers

and correct earning disparities. This task must be performed without exposing the sensitive compensation data

for any individual and must be reversible to identify the outlier.

Which Cloud Data Loss Prevention API technique should you use to accomplish this?

Options :

A : Generalization

B : Redaction

C : CryptoHashConfig

D : CryptoReplaceFfxFpeConfig

Answer: D

Question 4

You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

Options :

A : Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.

B : Configure your Compute Engine instances to use the Google Cloud-s operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.

C : Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.

D : Configure a custom retention policy of 12 years on your Google Cloud-s operations suite log bucket in the EUROPE-WEST1 region.

Answer: B

Question 5

You define central security controls in your Google Cloud environment for one of the folders in your organization you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later you receive an alert about a new VM with an external IP address under that folder. What could have caused this alert?

Options :

A :

The VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.

B : The organizational policy constraint wasn't properly enforced and is running in "dry run mode.

C : At project level, the organizational policy control has been overwritten with an 'allow' value.

D :

The policy constraint on the folder level does not have any effect because of an allow" value for that constraint on the organizational level

Answer: C

Higher Test Marks with Free Online Professional-Cloud-Security-Engineer Exam Practice

Buying Options: