NotJustExam Interactive Question Bank | [Google] GCP-PCSE - Professional Cloud Security Engineer

Question 1

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.
Which two settings must remain disabled to meet these requirements? (Choose two.)

A. Public IP
B. IP Forwarding
C. Private Google Access
D. Static routes
E. IAM Network User Role

Correct Answer: AC

Explanation:

The AI agrees with the suggested answer of AC (Public IP and Private Google Access).

Reasoning:
To ensure a Compute Engine instance does not have access to the internet or Google APIs/services, both a public IP address and Private Google Access must be disabled. Disabling a public IP prevents direct internet connectivity. Disabling Private Google Access prevents the instance from using its internal IP to reach Google services.

Detailed explanation of why the selected options are correct:

A. Public IP: If a Compute Engine instance has a public IP address, it can directly communicate with the internet. Removing the public IP prevents this direct access.
C. Private Google Access: Private Google Access allows instances without public IPs to access Google Cloud services using their internal IPs. Disabling this feature ensures the instance cannot reach Google APIs or services.

Explanation of why the other options are incorrect:

B. IP Forwarding: IP Forwarding allows an instance to act as a router, forwarding traffic between networks. While relevant for network configuration, it doesn't directly control the instance's own access to the internet or Google APIs.
D. Static routes: Static routes define the path network traffic takes. They are not directly related to whether an instance can access the internet or Google APIs.
E. IAM Network User Role: This IAM role grants permissions to use network resources, but it doesn't directly control internet or Google API access for the instance itself.

Citations:

Compute Engine documentation on Private Google Access, https://cloud.google.com/compute/docs/configure-private-google-access

Question 2

Which two implied firewall rules are defined on a VPC network? (Choose two.)

A. A rule that allows all outbound connections
B. A rule that denies all inbound connections
C. A rule that blocks all inbound port 25 connections
D. A rule that blocks all outbound connections
E. A rule that allows all inbound port 80 connections

Correct Answer: AB

Explanation:

The AI agrees with the suggested answer of AB.
Reasoning: The default firewall rules in a Google Cloud VPC include two implied rules: an implied allow egress rule and an implied deny ingress rule. These rules are fundamental to the operation and security of the VPC network.

A. A rule that allows all outbound connections: This aligns with the implied egress rule, which permits instances within the VPC to initiate connections to any destination. This rule is in place by default, allowing instances to access external resources or communicate with other services.
B. A rule that denies all inbound connections: This corresponds to the implied ingress rule. By default, all incoming connections to instances within the VPC are blocked unless explicitly allowed by configured firewall rules. This provides a baseline level of security.

Reasons for not choosing the other options:

C. A rule that blocks all inbound port 25 connections: While blocking port 25 (SMTP) might be a common security practice, it is not an implied rule in Google Cloud VPC. Implied rules are more general, covering all inbound traffic.
D. A rule that blocks all outbound connections: This is the opposite of the implied egress rule. Blocking all outbound connections by default would severely limit the functionality of instances within the VPC.
E. A rule that allows all inbound port 80 connections: Allowing all inbound port 80 connections is not an implied rule. While you can create a firewall rule to allow this, it is not enabled by default. The default is to deny all inbound connections unless explicitly allowed.

Citations:
Google Cloud VPC Firewall Rules, https://cloud.google.com/vpc/docs/firewalls

Question 3

A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.
How should the customer achieve this using Google Cloud Platform?

A. Use Cloud Source Repositories, and store secrets in Cloud SQL.
B. Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.
C. Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL.
D. Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.

Correct Answer: B

Explanation:

The AI agrees with the suggested answer.
The suggested answer is B: Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.
Reasoning: The question addresses the need to avoid storing plain text secrets in source code management. While Google Cloud Secret Manager is the ideal solution for managing secrets, it isn't listed as an option. Therefore, the next best solution is to encrypt the secrets before storing them. Option B achieves this by using Customer-Managed Encryption Keys (CMEK) to encrypt the secrets and then storing them in Cloud Storage, which provides a secure and scalable storage solution.
Reasons for not choosing other options:

Option A: Use Cloud Source Repositories, and store secrets in Cloud SQL. Storing secrets in Cloud SQL without encryption is not secure and defeats the purpose of the question. Cloud Source Repositories is for source code, not secret storage.
Option C: Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL. The Cloud Data Loss Prevention API is for identifying and classifying sensitive data, not for securely storing secrets. Storing the secrets in Cloud SQL after scanning them without encryption remains insecure.
Option D: Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs. This option does not address the problem of storing secrets securely. Furthermore, using preemptible VMs for SCM might lead to instability.

Citations:

Cloud KMS, https://cloud.google.com/kms/docs/customer-managed-encryption
Cloud Storage, https://cloud.google.com/storage/docs/encryption/customer-managed-keys

Question 4

Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service. Your team wants to manage permissions by AD group membership.
What should your team do to meet these requirements?

A. Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.
B. Set up SAML 2.0 Single Sign-On (SSO), and assign IAM permissions to the groups.
C. Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory.
D. Use the Admin SDK to create groups and assign IAM permissions from Active Directory.

Correct Answer: A

Explanation:

The AI suggests that the correct answer is A: Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.

Reasoning: The primary requirement is to centrally manage GCP IAM permissions based on on-premises Active Directory group memberships. Cloud Directory Sync (CDS) directly addresses this by synchronizing AD groups with Google Cloud. This allows you to then assign IAM roles to these synced groups, effectively managing permissions based on AD group membership.

Reasons for not choosing other options:

B: Set up SAML 2.0 Single Sign-On (SSO), and assign IAM permissions to the groups. SAML 2.0 SSO handles authentication, not authorization or group synchronization. While SSO is important for user access, it doesn't directly link AD groups to GCP IAM permissions. It doesn't automatically sync the groups and their memberships.
C: Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory. While the IAM API can be used to manage groups and permissions, it would require custom scripting and continuous management to keep the groups in sync with Active Directory. This is more complex and less efficient than using Cloud Directory Sync.
D: Use the Admin SDK to create groups and assign IAM permissions from Active Directory. Similar to option C, using the Admin SDK would require custom scripting and ongoing management to keep groups synchronized. CDS provides a managed and automated solution for this purpose.

Question 5

When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)

A. Ensure that the app does not run as PID 1.
B. Package a single app as a container.
C. Remove any unnecessary tools not needed by the app.
D. Use public container images as a base image for the app.
E. Use many container image layers to hide sensitive information.

Correct Answer: BC

Explanation:

The AI agrees with the suggested answer of BC.
Reasoning:

B: Package a single app as a container. This follows the principle of least privilege and makes the container more focused and secure. It also simplifies updates and reduces the attack surface.
C: Remove any unnecessary tools not needed by the app. Removing unnecessary tools reduces the attack surface of the container. Fewer tools mean fewer potential vulnerabilities.

Reasons for not choosing other answers:

A: Ensure that the app does not run as PID 1. Running as PID 1 isn't inherently insecure. In fact, proper handling of signals and zombie processes is crucial for a well-behaved container, and often PID 1 managers handle this.
D: Use public container images as a base image for the app. Using public container images can be risky if not properly vetted and regularly updated. Public images may contain vulnerabilities or outdated software. If used, it is best practice to scan public images for vulnerabilities before use.
E: Use many container image layers to hide sensitive information. Using many layers to hide sensitive information is not a security best practice. Image layers are often cached and shared, and can be easily inspected, making this a poor approach to security. Secrets should be managed using dedicated secret management solutions.

Citations:

Best practices for building containers, https://cloud.google.com/solutions/best-practices-for-building-containers
Container Security: A Comprehensive Guide, https://www.aquasec.com/cloud-native-academy/container-security/

Question 6

A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end- user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection.
Which product should be used to meet these requirements?

A. Cloud Armor
B. VPC Firewall Rules
C. Cloud Identity and Access Management
D. Cloud CDN

Correct Answer: B

Explanation:

The AI agrees with the suggested answer, which is B: VPC Firewall Rules.

Reasoning: VPC Firewall Rules are the most suitable option for the customer's requirements. The customer needs to restrict access based on a specific known good CIDR and is willing to rely on GCP's native SYN flood protection. VPC Firewall Rules allow defining ingress rules that permit traffic only from the specified CIDR range. This directly addresses the compliance requirement of allowing end-user access only from the known good CIDR.

Why other options are not suitable:

A: Cloud Armor - While Cloud Armor can filter traffic based on IP addresses and provides DDoS protection, it is primarily designed for protecting public-facing web applications from sophisticated attacks. It is an overkill for a simple CIDR-based filtering requirement for an internal application. Additionally, the question mentions that the customer accepts the risk of only having SYN flood DDoS protection and wants to use GCP's native SYN flood protection, implying they don't need the advanced protection offered by Cloud Armor.
C: Cloud Identity and Access Management (IAM) - IAM controls access to GCP resources based on user identities and roles, not network CIDR ranges. It is not the appropriate tool for filtering network traffic based on source IP addresses.
D: Cloud CDN - Cloud CDN is a content delivery network used to cache and serve content closer to users. It does not provide the functionality to restrict access based on source IP addresses. Also, it is not designed for internal web applications.

Citations:

VPC firewall rules overview, https://cloud.google.com/vpc/docs/firewalls
Cloud Armor overview, https://cloud.google.com/armor/docs/overview

Question 7

A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.
Which two approaches can you take to meet the requirements? (Choose two.)

A. Configure the project with Cloud VPN.
B. Configure the project with Shared VPC.
C. Configure the project with Cloud Interconnect.
D. Configure the project with VPC peering.
E. Configure all Compute Engine instances with Private Access.

Correct Answer: AC

Explanation:

The AI agrees with the suggested answer of AC.

Reasoning:
The question specifies a need to connect Compute Engine instances in Google Cloud to workloads in a dedicated server room accessible only via a private company network. Both Cloud VPN and Cloud Interconnect provide ways to securely bridge this gap.

Cloud VPN: Establishes an encrypted tunnel over the internet between the Google Cloud VPC and the on-premises network. This ensures data confidentiality and integrity as it traverses the public internet.
Cloud Interconnect: Provides a direct, private, high-bandwidth connection between the Google Cloud VPC and the on-premises network. This bypasses the public internet, offering lower latency and higher reliability.

Why other options are not suitable:

B. Shared VPC: Shared VPC allows multiple projects within an organization to use a common VPC network. This is useful for managing network resources centrally within Google Cloud, but it doesn't address connectivity to an external, on-premises network.
D. VPC Peering: VPC Peering allows you to connect two VPC networks so that traffic can be routed between them privately. However, like Shared VPC, it operates within Google Cloud and doesn't provide connectivity to an external network.
E. Configure all Compute Engine instances with Private Access: Private Google Access allows Compute Engine instances without external IP addresses to access Google Cloud services. It does not provide connectivity to on-premises networks. While Private Service Connect could be an option, it is not listed.

Citations:

Cloud VPN, https://cloud.google.com/vpn/docs
Cloud Interconnect, https://cloud.google.com/interconnect/docs
Shared VPC, https://cloud.google.com/vpc/docs/shared-vpc
VPC Network Peering, https://cloud.google.com/vpc/docs/vpc-peering
Private Google Access, https://cloud.google.com/vpc/docs/private-google-access

Question 8

A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the
ERP systems only accept traffic from Cloud Identity-Aware Proxy.
What should the customer do to meet these requirements?

A. Make sure that the ERP system can validate the JWT assertion in the HTTP requests.
B. Make sure that the ERP system can validate the identity headers in the HTTP requests.
C. Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.
D. Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests.

Correct Answer: A

Explanation:

The AI agrees with the suggested answer of A.
Reasoning:
Cloud Identity-Aware Proxy (IAP) uses JSON Web Tokens (JWT) to securely pass user identity information to the backend application.
To ensure that the ERP system only accepts traffic from IAP, it should validate the JWT assertion in the HTTP requests.
This confirms that the request has been authenticated and authorized by IAP before reaching the ERP system.

Detailed Explanation:
When IAP is enabled, it intercepts incoming requests and authenticates the user. If the user is authorized, IAP adds headers to the request before forwarding it to the backend application. One of these headers contains a JWT assertion signed by Google.
The ERP system can then validate this JWT assertion using Google's public keys. This validation ensures that:

The request originated from IAP.
The user has been authenticated by Google.
The user is authorized to access the ERP system.

By validating the JWT, the ERP system can trust the identity information and enforce access control policies.

Why other options are not correct:

B. Make sure that the ERP system can validate the identity headers in the HTTP requests. While IAP does add identity headers, simply validating the presence of these headers is not sufficient. An attacker could potentially add these headers without going through IAP. The JWT provides a cryptographically verifiable identity.
C. Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests. x-forwarded-for headers can be easily spoofed and are not a reliable way to ensure traffic originates from IAP.
D. Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests. Similar to option B, relying solely on user identifier headers is not secure, as these headers can be tampered with.

Citations:

Securing Applications with Cloud Identity-Aware Proxy, https://cloud.google.com/iap/docs/
Validating JWTs, https://cloud.google.com/iap/docs/signed-headers-howto

Question 9

A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs.
What should you do?

A. Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.
B. Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.
C. Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.
D. Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.

Correct Answer: A

Explanation:

The AI agrees with the suggested answer, which is option A.

Suggested Answer: A

Reasoning for Choosing Option A: The question explicitly asks for a notification mechanism when the script re-occurs and causes the Compute Engine instance to crash. Option A directly addresses this requirement by suggesting the creation of an Alerting Policy in Stackdriver using a Process Health condition. This allows monitoring the number of script executions and triggering a notification when the threshold is breached. This provides a proactive alerting solution.

Reasons for Not Choosing the Other Options:

Option B: Monitoring CPU usage might indicate a problem, but it's not specific to the script execution. High CPU usage could stem from various other factors, leading to false positives and doesn't directly address the root cause (script execution).
Option C: Logging script executions and creating a dashboard is helpful for analysis and visualization, but it doesn't provide immediate notifications when the issue recurs. It requires manual monitoring of the dashboard, which is not ideal for a proactive alerting system.
Option D: Using BigQuery as a log sink and creating a scheduled query can provide insights into the frequency of script executions over time. However, similar to option C, it does not offer real-time notifications when the problem occurs. It involves delayed analysis.

Therefore, option A is the most appropriate solution because it directly addresses the requirement for notifications when the malicious script re-occurs.

Google Cloud Documentation on Alerting Policies: https://cloud.google.com/monitoring/alerts

Question 10

Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?

A. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
B. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project. 2. Process Cloud Storage objects in SIEM.
C. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
D. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project. 2. Process Cloud Storage objects in SIEM.

Correct Answer: A

Explanation:

Based on the question and discussion, the AI agrees with the suggested answer A.
Reasoning: Option A is the most suitable solution because it leverages the folder-level log aggregation capability of Google Cloud Logging, allowing logs from all development projects under the NONPROD folder (including child projects) to be exported to a single Cloud Pub/Sub topic. The includeChildren property ensures that logs from all projects within the NONPROD folder hierarchy are included. This approach provides a centralized and unified log view in the SIEM, which meets the stated requirements. The Pub/Sub topic enables real-time streaming of logs to the SIEM.
Why other options are not recommended:

B: Creating a Cloud Storage sink at the billing account level (ABC-BILLING) without includeChildren set to true will not capture logs specifically from the NONPROD folder's projects. It would collect logs from all projects associated with that billing account, which is broader than the requirement. Additionally, processing Cloud Storage objects in the SIEM introduces latency compared to real-time streaming.
C: Exporting logs from each individual development project to a Cloud Pub/Sub topic would be a management overhead, especially as the number of projects grows. It also doesn't provide a unified view as effectively as a folder-level export.
D: Creating a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project is a significant security risk. Publicly sharing buckets is generally discouraged. It also lacks centralized management and aggregation.

Based on the above analysis, Option A provides the best solution for a unified log view with proper scoping and management.

[Google] GCP-PCSE - Professional Cloud Security Engineer Exam Dumps & Study Guide

Free [Google] GCP-PCSE - Professional Cloud Security Engineer Practice Questions Preview

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10