Free Google Professional-Cloud-Security-Engineer Exam Actual Questions

The questions for Professional-Cloud-Security-Engineer were last updated on Jun 13, 2025

At ValidExamDumps, we consistently monitor the updates Google makes to the Google Professional-Cloud-Security-Engineer exam questions. Whenever our team identifies changes in the exam questions, exam objectives, exam focus areas or exam requirements, we immediately update our exam questions for both PDF and online practice exams. This commitment ensures our customers always have access to the most current and accurate questions. By preparing with these actual questions, our customers can successfully pass the Google Professional Cloud Security Engineer exam on their first attempt without needing additional materials or study guides.

Other certification materials providers often include questions that are outdated or have been removed by Google in their Google Professional-Cloud-Security-Engineer exam materials. These outdated questions lead to customers failing their Google Professional Cloud Security Engineer exam. In contrast, we ensure our question bank includes only precise and up-to-date questions, guaranteeing their presence in your actual exam. Our main priority is your success in the Google Professional-Cloud-Security-Engineer exam, not profiting from selling obsolete exam questions in PDF or online practice tests.

Question No. 1

You manage a fleet of virtual machines (VMs) in your organization. You have encountered issues with lack of patching in many VMs. You need to automate regular patching in your VMs and view the patch management data across multiple projects.

What should you do?

Choose 2 answers

Correct Answer: A, B

Question No. 2

Your organization previously stored files in Cloud Storage by using Google Managed Encryption Keys (GMEK), but has recently updated the internal policy to require Customer Managed Encryption Keys (CMEK). You need to re-encrypt the files quickly and efficiently with minimal cost.

What should you do?

Correct Answer: D

Rewriting the objects in-place within the same bucket, specifying the new CMEK for encryption, allows you to re-encrypt the data without downloading and re-uploading it, thus minimizing costs and time.

https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys


Question No. 3

A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.

What should you do?

Correct Answer: A

To ensure that PII data is separated from non-PII data, using Cloud Pub/Sub and Cloud Functions to trigger a scan by the Data Loss Prevention (DLP) API is an effective approach. This method allows for automated detection and handling of PII.

Steps:

Set Up Cloud Pub/Sub: Configure a Cloud Pub/Sub topic to receive notifications whenever a file is uploaded to the shared Cloud Storage bucket.

Deploy Cloud Functions: Create a Cloud Function that is triggered by the Pub/Sub topic. This function will invoke the DLP API to scan the uploaded file for PII.

Move Detected PII Files: If the scan detects PII, the Cloud Function will move the file to a secure Cloud Storage bucket accessible only by the administrator.

Set Permissions: Ensure that appropriate permissions are set on the Cloud Storage buckets to restrict access to files containing PII.


Question No. 4

Your organization uses Google Workspace Enterprise Edition for authentication. You are concerned about employees leaving their laptops unattended for extended periods of time after authenticating into Google Cloud. You must prevent malicious people from using an employee's unattended laptop to modify their environment.

What should you do?

Correct Answer: D

Access Google Cloud Console:

Log in to the Google Cloud Console with administrative privileges.

Navigate to the 'IAM & Admin' section.

Set Session Length Timeout:

Go to the 'Settings' page within IAM & Admin.

Locate the 'Session control' settings.

Configure the session length timeout to a shorter duration, such as 15 or 30 minutes. This ensures that user sessions expire automatically after the specified time of inactivity.

Apply and Enforce the Policy:

Save the changes and ensure the new session timeout policy is applied across all users and services.

Communicate the new policy to employees, highlighting the importance of session security and the rationale behind the change.

Additional Security Measures:

Consider implementing additional measures such as automatic screen locks and secure session management practices.

Educate employees on the importance of logging out of their sessions and securing their devices when not in use.


Question No. 5

Your company must follow industry-specific regulations. Therefore, you need to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources in the organization called org1.

What command should you execute?

Correct Answer: D

Requirement:

Enforce the use of Customer-Managed Encryption Keys (CMEK) for all new Cloud Storage resources in the organization.

Policy Constraint:

Use the constraints/gcp.restrictNonCmekServices constraint to enforce CMEK usage.

Policy Type and Value:

Set the policy type to "allow" to specify which services must use CMEK.

In this case, the policy value should be storage.googleapis.com to target Cloud Storage.

Command:

Applying the organization policy with the appropriate binding ensures that all new Cloud Storage resources under the organization will require CMEK.

Steps:

Step 1: Go to the Google Cloud Console.

Step 2: Navigate to the Organization Policies page.

Step 3: Apply the policy constraint constraints/gcp.restrictNonCmekServices with the allow policy type and storage.googleapis.com as the policy value.
