Question No. 1

You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted dat

a. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.

How should you prevent and fix this vulnerability?

AUse Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

BSet up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

CUse Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.

DUse Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

Show Answer

Correct Answer: D

There is mention about simulating in Web Security Scanner. 'Web Security Scanner cross-site scripting (XSS) injection testing *simulates* an injection attack by inserting a benign test string into user-editable fields and then performing various user actions.' https://cloud.google.com/security-command-center/docs/how-to-remediate-web-security-scanner-findings#xss

Question No. 2

Applications often require access to ''secrets'' - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of ''who did what, where, and when?'' within their GCP projects.

Which two log streams would provide the information that the administrator is looking for? (Choose two.)

AAdmin Activity logs

BSystem Event logs

CData Access logs

DVPC Flow logs

EAgent logs

Show Answer

Correct Answer: A, C

https://cloud.google.com/secret-manager/docs/audit-logging

Question No. 3

You perform a security assessment on a customer architecture and discover that multiple VMs have public IP addresses. After providing a recommendation to remove the public IP addresses, you are told those VMs need to communicate to external sites as part of the customer's typical operations. What should you recommend to reduce the need for public IP addresses in your customer's VMs?

AGoogle Cloud Armor

BCloud NAT

CCloud Router

DCloud VPN

Show Answer

Correct Answer: B

https://cloud.google.com/nat/docs/overview

Question No. 4

You are consulting with a client that requires end-to-end encryption of application data (including data in transit, data in use, and data at rest) within Google Cloud. Which options should you utilize to accomplish this? (Choose two.)

AExternal Key Manager

BCustomer-supplied encryption keys

CHardware Security Module

DConfidential Computing and Istio

EClient-side encryption

Show Answer

Correct Answer: D, E

Google Cloud customers with additional requirements for encryption of data over WAN can choose to implement further protections for data as it moves from a user to an application, or virtual machine to virtual machine. These protections include IPSec tunnels, Gmail S/MIME, managed SSL certificates, and Istio. https://cloud.google.com/docs/security/encryption-in-transit

Question No. 5

In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.)

AHardware

BNetwork Security

CStorage Encryption

DAccess Policies

EBoot

Show Answer

Correct Answer: B, D

https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-the-shared-responsibility-model-in-gke-container-security-shared-responsibility-model-gke

Free Google Professional-Cloud-Security-Engineer Exam Actual Questions

The questions for Professional-Cloud-Security-Engineer were last updated On Dec 19, 2024