Professional Security Engineer 251-294


Created by pot s


44 questions


1.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

251. Your organization has a centralized identity provider that is used to manage human and machine access. You want to leverage this existing identity management system to enable on-premises applications to access Google Cloud without hard-coded credentials. What should you do?
A. Enable Secure Web Proxy. Create a proxy subnet for each region that Secure Web Proxy will be deployed. Deploy an SSL certificate to Certificate Manager. Create a Secure Web Proxy policy and rules that allow access to Google Cloud services.
B. Enable Workforce Identity Federation. Create a workforce identity pool and specify the on-premises identity provider as a workforce identity pool provider. Create an attribute mapping to map the on-premises identity provider token to a Google STS token. Create an IAM binding that binds the required role(s) to the external identity by specifying the project ID, workload identity pool, and attribute that should be matched.
C. Enable Identity-Aware Proxy (IAP). Configure IAP by specifying the groups and service accounts that should have access to the application. Grant these identities the IAP-secured web app user role.
D. Enable Workload Identity Federation. Create a workload identity pool and specify the on-premises identity provider as a workload identity pool provider. Create an attribute mapping to map the on-premises identity provider token to a Google STS token. Create a service account with the necessary permissions for the workload. Grant the external identity the Workload Identity user role on the service account.

2.

252. Your organization is migrating a sensitive data processing workflow from on-premises infrastructure to Google Cloud. This workflow involves the collection, storage, and analysis of customer information that includes personally identifiable information (PII). You need to design security measures to mitigate the risk of data exfiltration in this new cloud environment. What should you do?
A. Encrypt all sensitive data in transit and at rest. Establish secure communication channels by using TLS and HTTPS protocols.
B. Implement a Cloud DLP solution to scan and identify sensitive information, and apply redaction or masking techniques to the PII. Integrate VPC SC with your network security controls to block potential data exfiltration attempts.
C. Restrict all outbound network traffic from cloud resources. Implement rigorous access controls and logging for all sensitive data and the systems that process the data.
D. Rely on employee expertise to prevent accidental data exfiltration incidents.

3.

253. Your organization is building a chatbot that is powered by generative AI to deliver automated conversations with internal employees. You must ensure that no data with personally identifiable information (PII) is communicated through the chatbot. What should you do?
A. Encrypt data at rest for both input and output by using Cloud KMS, and apply least privilege access to the encryption keys.
B. Discover and transform PII data in both input and output by using the Cloud Data Loss Prevention (Cloud DLP) API.
C. Prevent PII data exfiltration by using VPC-SC to create a safe scope around your chatbot.
D. Scan both input and output by using data encryption tools from the Google Cloud Marketplace.
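
Questions 252 and 253 both turn on the same control: discover PII with Cloud DLP (now Sensitive Data Protection) and transform it before it is stored or shown, on the input side and the output side of the chatbot. The following is an added example, not code from the quiz or from Google. `build_dlp_request` produces the body the real `projects.content.deidentify` method accepts (`replaceWithInfoTypeConfig` swaps each finding for its infoType name); `deidentify` is a local stand-in with three hand-written detectors so the example runs offline. The managed detectors cover far more infoTypes with better precision, so the regular expressions here are illustrative only, and the sample chat turn is constructed.

```python
"""Offline stand-in for Cloud DLP "replace with infoType" on a chatbot turn.
Added example, not Google's code; the detectors are simplifications."""
import re

INFO_TYPES = ["EMAIL_ADDRESS", "PHONE_NUMBER", "CREDIT_CARD_NUMBER"]

# Order matters: card numbers are replaced before the phone pattern can
# match a ten-digit slice of one.
DETECTORS = [
    ("CREDIT_CARD_NUMBER", re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")),
    ("PHONE_NUMBER", re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
    ("EMAIL_ADDRESS", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
]


def luhn_ok(number):
    """Luhn checksum, so a 16-digit order ID is not treated as a card."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def deidentify(text):
    """Replace each finding with its infoType name, as replaceWithInfoTypeConfig
    does. Returns (de-identified text, list of infoTypes found)."""
    findings = []

    def make_sub(info_type):
        def sub(match):
            value = match.group(0)
            if info_type == "CREDIT_CARD_NUMBER" and not luhn_ok(value):
                return value  # digits that fail Luhn are not a card number
            findings.append(info_type)
            return f"[{info_type}]"
        return sub

    for info_type, pattern in DETECTORS:
        text = pattern.sub(make_sub(info_type), text)
    return text, findings


def build_dlp_request(text):
    """Body for POST .../v2/projects/{project}/locations/{loc}/content:deidentify
    that asks the managed service for the same transformation."""
    return {
        "item": {"value": text},
        "inspectConfig": {"infoTypes": [{"name": n} for n in INFO_TYPES]},
        "deidentifyConfig": {
            "infoTypeTransformations": {
                "transformations": [
                    {"primitiveTransformation": {"replaceWithInfoTypeConfig": {}}}
                ]
            }
        },
    }


def guard_turn(user_prompt, model_reply):
    """Scrub the prompt before it reaches the model and the reply before it
    reaches the user, so the model never sees raw PII and cannot echo any."""
    safe_prompt, in_findings = deidentify(user_prompt)
    safe_reply, out_findings = deidentify(model_reply)
    return {
        "prompt": safe_prompt,
        "reply": safe_reply,
        "blocked_in_prompt": in_findings,
        "blocked_in_reply": out_findings,
    }


if __name__ == "__main__":
    # Constructed sample turn, not real data.
    print(guard_turn(
        "Email jane.doe@example.com or call 555-867-5309; card 4111 1111 1111 1111",
        "Sure, I will contact jane.doe@example.com. Order 1234 5678 9012 3456 ships today.",
    ))
```

Both halves of the turn pass through the same transform; encryption (option A), a perimeter (option C) or Marketplace encryption tools (option D) would leave the PII readable inside the conversation, which is what the question asks you to prevent.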

4.

254. Your organization has applications that run in multiple clouds. The applications require access to a Google Cloud resource running in your project. You must use short-lived access credentials to maintain security across the clouds. What should you do?
A. Create a managed workload identity. Bind an attested identity to the Compute Engine workload.
B. Create a service account key. Download the key to each application that requires access to the Google Cloud resource.
C. Create a workload identity pool with a workload identity provider for each external cloud. Set up a service account and add an IAM binding for impersonation.
D. Create a VPC firewall rule for ingress traffic with an allowlist of the IP ranges of the external cloud applications.
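
Questions 251 and 254 describe the same mechanism from two angles: Workload Identity Federation lets an application outside Google Cloud (on-premises behind an OIDC provider, or on another cloud) trade its own short-lived token for a Google STS token and then a service-account access token, so no key is ever downloaded. Note that Workforce Identity Federation (option B in 251) is the human-user counterpart and is not what an application uses. The following is an added example, not code from the quiz or from Google. It builds the credential configuration file a client uses (the shape `gcloud iam workload-identity-pools create-cred-config` writes), the STS exchange request the client library sends, and the IAM member identifiers used in the `roles/iam.workloadIdentityUser` binding. The project number, pool, provider and service-account names are assumptions.

```python
"""Workload Identity Federation, client side.  Added example, not Google's
code; project number, pool, provider and service-account names are made up."""
import json
import re

PROJECT_NUMBER = "123456789012"   # assumption: numeric project number
POOL_ID = "external-workloads"    # assumption
SA_EMAIL = "batch-job@example-project.iam.gserviceaccount.com"  # assumption
STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def pool_name(project_number=PROJECT_NUMBER, pool_id=POOL_ID):
    """Full resource name of the workload identity pool."""
    return f"projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}"


def principal(subject):
    """IAM member for one external identity (the mapped google.subject)."""
    return f"principal://iam.googleapis.com/{pool_name()}/subject/{subject}"


def principal_set(attribute, value):
    """IAM member for every identity whose mapped attribute has this value."""
    return f"principalSet://iam.googleapis.com/{pool_name()}/attribute.{attribute}/{value}"


def check_attribute_mapping(mapping):
    """Validate a provider attribute mapping (target -> CEL over `assertion`).
    google.subject is mandatory; custom targets must be attribute.<name>.
    Returns the list of problems, empty when the mapping is acceptable."""
    problems = []
    if "google.subject" not in mapping:
        problems.append("google.subject is required")
    for target, expr in mapping.items():
        if target.startswith("google."):
            continue
        if not re.fullmatch(r"attribute\.[a-z0-9_]+", target):
            problems.append(f"bad target {target!r}")
        if "assertion." not in expr:
            problems.append(f"{target} does not read the assertion")
    return problems


def credential_config(provider_id, token_file=None, aws=False):
    """Credential configuration file: contains no secret.  At run time the
    library reads a short-lived token from credential_source, exchanges it at
    the STS, then impersonates the service account."""
    cfg = {
        "type": "external_account",
        "audience": f"//iam.googleapis.com/{pool_name()}/providers/{provider_id}",
        "token_url": STS_TOKEN_URL,
        "service_account_impersonation_url": (
            "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
            f"{SA_EMAIL}:generateAccessToken"),
    }
    if aws:
        # Other cloud (AWS): a signed GetCallerIdentity request built from the
        # instance role credentials on IMDS becomes the subject token.
        cfg["subject_token_type"] = "urn:ietf:params:aws:token-type:aws4_request"
        cfg["credential_source"] = {
            "environment_id": "aws1",
            "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
            "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
            "regional_cred_verification_url": (
                "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"),
        }
    else:
        # On-premises OIDC provider: a JWT from the IdP, read from a file.
        cfg["subject_token_type"] = "urn:ietf:params:oauth:token-type:jwt"
        cfg["credential_source"] = {"file": token_file, "format": {"type": "text"}}
    return cfg


def sts_exchange_request(cfg, subject_token):
    """Body of the POST to sts.googleapis.com/v1/token the library sends."""
    return {
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": cfg["audience"],
        "scope": CLOUD_PLATFORM_SCOPE,
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "subjectToken": subject_token,
        "subjectTokenType": cfg["subject_token_type"],
    }


def is_long_lived_key(doc):
    """True if a credential file is a downloadable service-account key
    (what option B in question 254 would distribute)."""
    return doc.get("type") == "service_account" or "private_key" in doc


def workload_identity_user_binding(member):
    """Binding placed on the service account itself, not on the project."""
    return {"role": "roles/iam.workloadIdentityUser", "members": [member]}


if __name__ == "__main__":
    cfg = credential_config("onprem-oidc", token_file="/var/run/secrets/idp/token")
    print(json.dumps(cfg, indent=2))
    print(workload_identity_user_binding(principal_set("env", "prod")))
```

The same pool can hold one provider per external cloud plus one for the on-premises IdP; each provider gets its own attribute mapping and, ideally, an attribute condition that restricts which assertions are accepted.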

5.

255. Your organization's financial modeling application is already deployed on Google Cloud. The application processes large amounts of sensitive customer financial data. Application code is old and poorly understood by your current software engineers. Recent threat modeling exercises have highlighted the potential risk of sophisticated side-channel attacks against the application while the application is running. You need to further harden the Google Cloud solution to mitigate the risk of these side-channel attacks, ensuring maximum protection for the confidentiality of financial data during processing, while minimizing application problems. What should you do?
A. Enforce stricter access controls for Compute Engine instances by using service accounts, least privilege IAM policies, and limit network access.
B. Implement a runtime library designed to introduce noise and timing variations into the application's execution, which will disrupt side-channel attacks.
C. Migrate the application to Confidential VMs to provide hardware-level encryption of memory and protect sensitive data during processing.
D. Utilize customer-managed encryption keys (CMEK) to ensure complete control over the encryption process.
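
Confidential VMs (option C) encrypt guest memory with a key the hypervisor never holds, which is the control that protects data in use without touching the application code; IAM, CMEK and a timing-noise library leave memory readable to the host. Whether an existing fleet already has this turned on is visible in the instance resource, so a practitioner would audit for it. The following is an added example, not code from the quiz or from Google: it takes instance resources in the shape `compute.instances.list` returns (or a Cloud Asset Inventory export) and lists the ones labelled as holding restricted data that are not Confidential VMs. The label convention and the sample inventory are assumptions.

```python
"""Audit: sensitive Compute Engine instances that are not Confidential VMs.
Added example, not Google's code; label convention and inventory are made up."""

CONFIDENTIAL_TYPES = {"SEV", "SEV_SNP", "TDX"}


def is_confidential_vm(instance):
    """True if the instance was created with memory encryption.  Older
    resources carry enableConfidentialCompute (AMD SEV); newer ones also carry
    confidentialInstanceType naming the technology."""
    cfg = instance.get("confidentialInstanceConfig") or {}
    if cfg.get("confidentialInstanceType") in CONFIDENTIAL_TYPES:
        return True
    return bool(cfg.get("enableConfidentialCompute"))


def unprotected_sensitive_instances(instances, label="data-class", value="restricted"):
    """Names of instances labelled as sensitive that are not Confidential VMs."""
    return [
        inst["name"]
        for inst in instances
        if inst.get("labels", {}).get(label) == value and not is_confidential_vm(inst)
    ]


# Constructed sample inventory, not real resources.
SAMPLE_INSTANCES = [
    {"name": "fin-model-1",
     "machineType": "zones/us-central1-a/machineTypes/n2d-standard-8",
     "labels": {"data-class": "restricted"},
     "confidentialInstanceConfig": {"enableConfidentialCompute": True}},
    {"name": "fin-model-2",
     "machineType": "zones/us-central1-a/machineTypes/n2-standard-8",
     "labels": {"data-class": "restricted"}},
    {"name": "fin-model-3",
     "machineType": "zones/us-central1-a/machineTypes/c3d-standard-8",
     "labels": {"data-class": "restricted"},
     "confidentialInstanceConfig": {"confidentialInstanceType": "SEV_SNP"}},
    {"name": "web-1",
     "machineType": "zones/us-central1-a/machineTypes/e2-medium",
     "labels": {"data-class": "public"}},
]

if __name__ == "__main__":
    # Remediation is a rebuild: confidential computing is chosen at creation
    # on a supported machine type and image, e.g.
    #   gcloud compute instances create fin-model-2 --zone=ZONE \
    #     --machine-type=n2d-standard-8 --confidential-compute-type=SEV
    print(unprotected_sensitive_instances(SAMPLE_INSTANCES))
```

One caveat worth keeping in mind: Confidential VMs defend memory contents against the host and hypervisor; they do not remove timing or cache side channels between processes inside the same guest, so access control within the VM still matters.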

6.

256. Your organization has two VPC Service Controls service perimeters, Perimeter-A and Perimeter-B, in Google Cloud. You want to allow data to be copied from a Cloud Storage bucket in Perimeter-A to another Cloud Storage bucket in Perimeter-B. You must minimize exfiltration risk, only allow required connections, and follow the principle of least privilege. What should you do?
A. Configure a perimeter bridge between Perimeter-A and Perimeter-B, and specify the Cloud Storage buckets as the resources involved.
B. Configure a perimeter bridge between the projects hosting the Cloud Storage buckets in Perimeter-A and Perimeter-B.
C. Configure an egress rule for the Cloud Storage bucket in Perimeter-A and a corresponding ingress rule in Perimeter-B.
D. Configure a bidirectional egress/ingress rule for the Cloud Storage buckets in Perimeter-A and Perimeter-B.
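
A perimeter bridge (options A and B) opens every service in both directions between the bridged projects, which is the opposite of least privilege; the controlled answer is an egress rule on Perimeter-A paired with an ingress rule on Perimeter-B (option C), scoped to one identity, one service and one method. A request that crosses from A to B must satisfy both rules: Perimeter-A must let it out and Perimeter-B must let it in. The following is an added example, not code from the quiz or from Google, and the evaluator is a simplification of the VPC Service Controls policy engine, not that engine. It writes the two rules in the JSON form `gcloud access-context-manager perimeters update --set-egress-policies` / `--set-ingress-policies` accepts (JSON is valid YAML) and shows which requests pass both. Project numbers and the copier service account are assumptions.

```python
"""Egress rule (Perimeter-A) plus ingress rule (Perimeter-B) for a one-way
bucket copy, with a simplified evaluator.  Added example, not Google's code;
project numbers and the copier service account are made up."""
import json

PROJECT_A = "projects/111111111111"   # assumption: project in Perimeter-A
PROJECT_B = "projects/222222222222"   # assumption: project in Perimeter-B
COPIER = "serviceAccount:bucket-copier@project-a.iam.gserviceaccount.com"  # assumption
STORAGE = "storage.googleapis.com"
CREATE = "google.storage.objects.create"

# Perimeter-A: only the copier, only towards project B, only object creation.
EGRESS_A = [{
    "egressFrom": {"identities": [COPIER]},
    "egressTo": {
        "resources": [PROJECT_B],
        "operations": [{"serviceName": STORAGE,
                        "methodSelectors": [{"method": CREATE}]}],
    },
}]

# Perimeter-B: same identity, and only when the call originates in project A.
INGRESS_B = [{
    "ingressFrom": {"identities": [COPIER], "sources": [{"resource": PROJECT_A}]},
    "ingressTo": {
        "resources": [PROJECT_B],
        "operations": [{"serviceName": STORAGE,
                        "methodSelectors": [{"method": CREATE}]}],
    },
}]


def _operation_allowed(operations, service, method):
    for op in operations:
        if op["serviceName"] not in ("*", service):
            continue
        if any(s.get("method") in ("*", method) for s in op.get("methodSelectors", [])):
            return True
    return False


def _identity_allowed(side, identity):
    return side.get("identityType") == "ANY_IDENTITY" or identity in side.get("identities", [])


def egress_allowed(rules, identity, dest_project, service, method):
    """Does an egress rule of the caller's perimeter let this request out?"""
    for rule in rules:
        src, dst = rule["egressFrom"], rule["egressTo"]
        if not _identity_allowed(src, identity):
            continue
        if "*" not in dst["resources"] and dest_project not in dst["resources"]:
            continue
        if _operation_allowed(dst["operations"], service, method):
            return True
    return False


def ingress_allowed(rules, identity, source_project, dest_project, service, method):
    """Does an ingress rule of the target's perimeter let this request in?"""
    for rule in rules:
        src, dst = rule["ingressFrom"], rule["ingressTo"]
        if not _identity_allowed(src, identity):
            continue
        if not any(s.get("resource") in ("*", source_project) for s in src.get("sources", [])):
            continue
        if "*" not in dst["resources"] and dest_project not in dst["resources"]:
            continue
        if _operation_allowed(dst["operations"], service, method):
            return True
    return False


def cross_perimeter_allowed(identity, source_project, dest_project, service, method,
                            egress_rules=EGRESS_A, ingress_rules=INGRESS_B):
    """Both perimeters must agree: egress from the source, ingress at the target."""
    return (egress_allowed(egress_rules, identity, dest_project, service, method)
            and ingress_allowed(ingress_rules, identity, source_project, dest_project,
                                service, method))


if __name__ == "__main__":
    # Save each list to a file, then:
    #   gcloud access-context-manager perimeters update perimeter-a \
    #     --set-egress-policies=egress-a.json --policy=POLICY_ID
    #   gcloud access-context-manager perimeters update perimeter-b \
    #     --set-ingress-policies=ingress-b.json --policy=POLICY_ID
    print(json.dumps(EGRESS_A, indent=2))
    print(json.dumps(INGRESS_B, indent=2))
    print(cross_perimeter_allowed(COPIER, PROJECT_A, PROJECT_B, STORAGE, CREATE))
```

The read from the source bucket needs no rule because it stays inside Perimeter-A; only the write into Perimeter-B crosses a boundary. Deletes, other identities, and the reverse direction are all denied by the pair of rules above.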

7.

257. You are running code in Google Kubernetes Engine (GKE) containers in Google Cloud that require access to objects stored in a Cloud Storage bucket. You need to securely grant the Pods access to the bucket while minimizing management overhead. What should you do?
A. Create a service account. Grant bucket access to the Pods by using Workload Identity Federation for GKE.
B. Create a service account with keys. Store the keys in Secret Manager with a 30-day rotation schedule. Reference the keys in the Pods.
C. Create a service account with keys. Store the keys as a Kubernetes secret. Reference the keys in the Pods.
D. Create a service account with keys. Store the keys in Secret Manager. Reference the keys in the Pods.
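
Options B, C and D all create a downloadable service-account key and then argue about where to store it; option A removes the key entirely, because Workload Identity Federation for GKE lets IAM recognise the Kubernetes service account directly and the GKE metadata server mints short-lived tokens for the Pod. The following is an added example, not code from the quiz or from Google. It renders the IAM member for a Kubernetes service account and the bucket binding that uses it, the Pod spec that needs nothing but a service account name, and a check that flags Secret manifests carrying a service-account key (the thing the other three options would leave in the cluster). Project ID and number, namespace, service account and bucket names are assumptions, and the key in the sample Secret is a placeholder.

```python
"""Workload Identity Federation for GKE: keyless bucket access for a Pod, and
a scan for service-account keys hidden in Kubernetes Secrets.  Added example,
not Google's code; all names are made up and the sample key is a placeholder."""
import base64
import json

PROJECT_ID = "example-project"      # assumption
PROJECT_NUMBER = "123456789012"     # assumption
BUCKET = "example-reports"          # assumption


def gke_principal(namespace, ksa):
    """IAM member for a Kubernetes service account: the cluster's pool is
    PROJECT_ID.svc.id.goog and the subject is ns/<namespace>/sa/<name>."""
    return (f"principal://iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/"
            f"workloadIdentityPools/{PROJECT_ID}.svc.id.goog/subject/ns/{namespace}/sa/{ksa}")


def bucket_binding(namespace, ksa, role="roles/storage.objectViewer"):
    """Binding applied directly on the bucket; no Google service account or key:
      gcloud storage buckets add-iam-policy-binding gs://BUCKET \
        --member=principal://... --role=roles/storage.objectViewer"""
    return {"bucket": f"gs://{BUCKET}", "role": role,
            "members": [gke_principal(namespace, ksa)]}


def pod_manifest(namespace, ksa, image):
    """The Pod only names its service account and asks for a node running the
    GKE metadata server, which hands it short-lived tokens on request."""
    return {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "report-reader", "namespace": namespace},
        "spec": {
            "serviceAccountName": ksa,
            "nodeSelector": {"iam.gke.io/gke-metadata-server-enabled": "true"},
            "containers": [{"name": "app", "image": image}],
        },
    }


def _looks_like_sa_key(blob):
    try:
        doc = json.loads(blob)
    except (ValueError, TypeError):
        return False
    return isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc


def secrets_with_sa_keys(manifests):
    """Names of Secret objects whose data or stringData holds a downloadable
    service-account key."""
    hits = []
    for m in manifests:
        if m.get("kind") != "Secret":
            continue
        values = list(m.get("stringData", {}).values())
        for b64 in m.get("data", {}).values():
            try:
                values.append(base64.b64decode(b64).decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                continue
        if any(_looks_like_sa_key(v) for v in values):
            hits.append(m["metadata"]["name"])
    return hits


# Constructed manifests; the key below is a placeholder, not a real key.
FAKE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "reader@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
})
SAMPLE_MANIFESTS = [
    {"kind": "Secret", "metadata": {"name": "gcs-key"},
     "data": {"key.json": base64.b64encode(FAKE_KEY.encode()).decode()}},
    {"kind": "Secret", "metadata": {"name": "tls"},
     "data": {"tls.crt": base64.b64encode(b"not json").decode()}},
    pod_manifest("reports", "report-reader", "gcr.io/example-project/reader:1.0"),
]

if __name__ == "__main__":
    print(bucket_binding("reports", "report-reader"))
    print(secrets_with_sa_keys(SAMPLE_MANIFESTS))
```

Rotation schedules (option B) only shorten how long a leaked key works; they do not stop the leak, and every rotation is more management overhead, which the question asks you to minimise.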
