Question 1

You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment. How should you prevent and fix this vulnerability?

Options :

A : Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

B :

Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

C :

Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.

D :

Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

Answer: D

Question 2

Your organization is using GitHub Actions as a continuous integration and delivery (Cl/CD) platform. You must enable access to Google Cloud resources from the Cl/CD pipelines in the most secure way. What should you do?

Options :

A : Create a service account key and add it to the GitHub pipeline configuration file

B : Create a service account key and add it to the GitHub repository content

C :

Configure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.

D : Configure workload identity federation to use GitHub as an identity pool provider.

Answer: D

Question 3

Your company's users access data in a BigQuery table. You want to ensure they can only access the data during working hours. What should you do?

Options :

A :

Assign a BigQuery Data Viewer role along with an 1AM condition that limits the access to specified working hours.

B :

Configure Cloud Scheduler so that it triggers a Cloud Functions instance that modifies the organizational policy constraints for BigQuery during the specified working hours.

C :

Assign a BigQuery Data Viewer role to a service account that adds and removes the users daily during the specified working hours

D :

Run a gsuttl script that assigns a BigQuery Data Viewer role, and remove it only during the specified working hours.

Answer: A

Question 4

As a Blockchain-based payment system company, we are migrating to Google Cloud and want to ensure network security controls are maintained. What solution can we implement to ensure effective network security controls as part of the new shared responsibility model between our company and Google Cloud?

Options :

A : Make certain that the necessary controls are met by implementing firewall rules.

B : Configure Cloud Armor to enable centralized management of network security controls for G Suite.

C : Configure a range of Virtual Private Cloud (VPC) networks in compliance with the applicable regulations to manage network security.

D : Google Cloud has a built-in network security solution that is responsible for ensuring the security of SaaS products such as G Suite.

Answer: D

Question 5

You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

Options :

A : Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.

B : Configure your Compute Engine instances to use the Google Cloud-s operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.

C : Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.

D : Configure a custom retention policy of 12 years on your Google Cloud-s operations suite log bucket in the EUROPE-WEST1 region.

Answer: B

Higher Test Marks with Free Online Professional-Cloud-Security-Engineer Exam Practice

Buying Options: