Professional Cloud Security Engineer

KILLMAD 
You're correct it is A C
Public IP 
Private Google Access

B & C is the right answer.
Disabling the public IP can still route the traffic via NAT gateway if its configured in the VPC
VPC + NAT (Converts private IP to public ip) -> Internet and vise versa.. 
Whereas Disabling the IP forwarding will not route any traffic or doesn't act as a gatewy for any communication.

A is for disabling external access
C is for disabling internal google services

Selected Answer: AC
The correct answer is AC

Private google access is enabled at Subnet level not at VM level. I am unsure why its not subnet. If you disable the route to internet- you cannot reach internet.

Selected Answer: AC
Public IP
Private Google Access

Correct Answer is AC
Option A : because per GCP documentation, “Prevent internet access to instances by setting them up with only a private IP address” meaning no public IPs.
Option C: because VM instances that only have internal IP addresses (no external IP addresses) can use Private Google Access. They can reach the external IP addresses of Google APIs and services.

Internet access and public IP service are disabled by default
https://cloud.google.com/vmware-engine/docs/networking/howto-setup-internet-access#:~:text=VMware%20Engine%20portal-,Select%20Network%20%3E%20Regional%20settings.,can%20disable%20public%20IP%20service.
this is why A can not be correct

For me its A and C
Google documentation is clear enough https://cloud.google.com/vpc/docs/private-google-access

this is from Google document

If you want to completely isolate your network from the internet or if you need to replace the default route with a custom route, you can delete the default route:

"If you want to route internet traffic to a different next hop, you can replace the default route with a custom static or dynamic route. For example, you could replace it with a custom static route whose next hop is a Cloud VPN tunnel or another instance, such as a proxy server.

If you remove the default route and do not replace it, packets destined to IP ranges that are not covered by other routes are dropped."

so if option has default route than yes that need to be disabled, a static route can be for anything so how disabling that will help. 
https://cloud.google.com/vpc/docs/routes#routingpacketsinternet
https://cloud.google.com/vpc/docs/vpc#internet_access_reqs

disable Public IP will block internet access and Disable Private Google Access will block communicating Google services through internal IP.
Answer: A & C

without public IP an instance can still access internet via NAT instance. Disabling static route will make sure that instance cannot route via NAT gw. therefore i think the answers are CD.

Correct Answer is AC
Option A : because per GCP documentation, "Prevent internet access to instances by setting them up with only a private IP address" meaning no public IPs.
Option C: because VM instances that only have internal IP addresses (no external IP addresses) can use Private Google Access. They can reach the external IP addresses of Google APIs and services.

I think CD is correct 
D: Because the static routes are used by the instance to reach the NAT Gateway for internet access.

I can understand C, but I don't understand why keeping a static route disabled versus a public IP makes sense. Any thoughts on that?

@killmad
The correct answer is C, D because Private Google Access does not automatically enable any API. You must enable the Google APIs you need to use via the APIs & services page in the Google Cloud Console separately.

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.
Which two settings must remain disabled to meet these requirements? (Choose two.)

But that is exactly what requiremnets says in the question. ALL development projects. Now we have 2 tomorrow we are going to have 10 . Clearly answer is A

with this you would also be getting logs for Preprod and other environments under the folder. Hence A is eliminated.
Answer should be C

This property "includeChildren parameter to True" as per your above link will route logs from folder, billing accounts + Projects -- I think that's not a Unified View of logs ?

Answer is A. https://cloud.google.com/logging/docs/export/aggregated_sinks

To use the aggregated sink feature, create a sink in a Google Cloud organization or folder and set the sink's includeChildren parameter to True. That sink can then export log entries from the organization or folder, plus (recursively) from any contained folders, billing accounts, or projects. You can use the sink's filter to specify log entries from projects, resource types, or named logs.
https://cloud.google.com/logging/docs/export/aggregated_sinks

so the Ans is A

in real-word best practice:
- use log sink at NONPROD folder level
- set includeChildren=true
- apply a log filter that targets only development projects IDs

option A will be correct if there's statement that you should also configure/apply a filter to only export logs from dev projects. If this statement there, I'm 100% choose A

Selected Answer: C
I'm still confused why the right answer is A. I choose C even though will put operationally heavy and error-prone. What I understand is the team only needs "development" projects, and the "development" project is under NONPROD folder along with other projects ("test" and "pre-production"). All these projects use the same billing account.
But the goal is only send dev project logs to the SIEM, not including test or pre-production projects.
Option C is give me guarantee that only dev projects logs are being sent to Pub/Sub in a dedicated SIEM project. then the topic is consume by SIEM

Selected Answer: A
By setting the parent resource to folders/NONPROD and includeChildren to True, you specifically capture logs from all projects within the NONPROD folder (test and pre-production). This avoids collecting logs from other parts of the organization.

Selected Answer: A
Centralized Export: By exporting logs at the folder level with includeChildren set to True, you centralize the logging export process. This setup ensures that all logs from the relevant projects under the NONPROD folder are captured without needing individual setups for each project.
Real-Time Processing: Using a Cloud Pub/Sub topic allows for real-time log export to your SIEM, which is beneficial for timely log analysis and monitoring.

It can't be C because exporting logs from each development project individually is more complex to manage and requires subscribing your SIEM to multiple topics.

Option C suggests exporting logs to individual Cloud Pub/Sub topics for each dev project, which may not provide a unified view of all development projects' logs.

As per my understanding the Folder NON PROD has three Projects test,nonprod & dev. The questions unified logs from dev only, setting Children properties on FOLDER will extract logs from other two projects which we do not want . so export logs from dev is only solution here - Correct me if I am wrong here ?

Option B may work but is less efficient because it exports logs separately from each project and relies on Cloud Storage, which may not be as real-time as Pub/Sub for log streaming.

Option C would require configuring exports individually for each dev project, which can be cumbersome to manage and doesn't provide a unified view without additional aggregation.

Option D is not recommended because it involves creating publicly shared Cloud Storage buckets in each project, which can lead to security and access control issues. It's also less centralized than using Pub/Sub for log export.

Selected Answer: A
Option A is the recommended logging export strategy to meet the requirements:

A. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project. Subscribe SIEM to the topic.

Here's why this option is suitable:

It exports logs from all development cloud projects under the NONPROD organization folder, ensuring a unified view.
The use of the "includeChildren" property set to True allows you to capture logs from all child projects within the folder hierarchy.
Exporting logs to a Cloud Pub/Sub topic provides a scalable and real-time way to stream logs to an external system like your SIEM.
Subscribing the SIEM to the Pub/Sub topic enables it to consume and process the logs effectively.

Answer should be C. please refer the below link
https://cloud.google.com/logging/docs/export/configure_export_v2#managing_sinks

Selected Answer: C
1. They require a unified view of all Dev projects - didn't however mention pre-prod and test otherwise A would have been the right one. Hence C seems to be more accurate.

Option B is not correct because setting the includeChildren property to False will exclude the test and pre-production projects from the log export.

Option C is not correct because it would require you to create a separate Cloud Pub/Sub topic for each development project, which would not meet the requirement to obtain a unified log view of all development projects.

Option D is not correct because using a publicly shared Cloud Storage bucket would not provide a secure way to store and access the logs. It is generally not recommended to use publicly shared Cloud Storage buckets for storing sensitive data such as logs.

You can create aggregated sinks for Google Cloud folders and organizations. Because neither Cloud projects nor billing accounts contain child resources, you can't create aggregated sinks for those. which means logs will be for the folder and contains non dev entries as well
Ans -C

You can create aggregated sinks for Google Cloud folders and organizations. Because neither Cloud projects nor billing accounts contain child resources, you can't create aggregated sinks for those.
So ans has to be c

Selected Answer: C
c is the right ans. more percise way

But it also gives you logs of the projects that are not required. 
The question asks about logs from only development. hence C is the answer

Selected Answer: A
If you create a sink in the NONPROD folder level all logs from the projects in that folder will be routed wherever you want. So, you don't need to configure sinks in every project nor setup this every tome you have a new project in the NONPROD folder. Answer is A

Selected Answer: C
The correct answer is C

"Your team needs to obtain a unified log view of all development cloud projects in your SIEM" - This means we are ONLY interested in development projects.
"The development projects are under the NONPROD organization folder with the test and pre-production projects" - We will need to filter out development from others i.e test and pre-prod.
"The development projects share the ABC-BILLING billing account with the rest of the organization." - This is unnecessary information.
The only option that filters the log is C - so the answer must be C.

I took the test yesterday and didn't pass, NO ISSUE is from here. The questions are totally new, don't use this dump.

Guys, C is the answer.
A - NO, This will bring in test and pre-prod as well, this does not solve our problem
B - NO, This has nothing to do with the question,
C - YES- Specifically take development projects, and centralises the logs 
D - Once the work public comes in answer, it is wrong.

Request the admins to set answer to C
This is seriously a simple question

A because it's more selective and adds only projects below NONPROD folder

c is the ans A export log with recursive option c is selective

Atleast B is false. See this link.

https://cloud.google.com/logging/docs/export/aggregated_sinks

Without the aggregated sink feature, sinks are limited to exporting log entries from the exact resource in which the sink was created: a Google Cloud project, organization, folder, or billing account.

To use the aggregated sink feature, create a sink in a Google Cloud organization or folder and set the sink's includeChildren parameter to True. That sink can then export log entries from the organization or folder, plus (recursively) from any contained folders, billing accounts, or projects. You can use the sink's query to specify log entries from projects, resource types, or named logs.

I second you. A, B and D for sure are wrong.

I think the only feasible answer is C. State goal is to provide a unified log view of ALL development cloud projects.
A Approach A won't work as this will send logs for test as well as pre-prod projects also to the SIEM.
B Approach B won't work as this will send logs for all projects (billing code is shared with rest of the organization) to the SIEM.
C This is only feasible approach. I will prefer to filter logs based on a tag or some other property.
D Approach D will send data for every project to SIEM. We only want dev projects.

Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?

Selected Answer: D
Both B and D seem correct tbh. D might be "more correct" depending on the interpretation.

"reduces key management complexity for non-sensitive data" - Google default encryption
"protects sensitive data while providing the flexibility of controlling the key residency and rotation schedule" - Customer Managed Key

Selected Answer: D
https://cloud.google.com/kms/docs/key-management-service#choose
For example, you might use software keys for your least sensitive data and hardware or external keys for your most sensitive data.

FIPS 140-2 Level 1 validated applies to both Google default encryption and Cloud Key Management Service (KMS)

Selected Answer: D
D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service (KMS)

corrcet Answer is D, both KMS and default encryption are FIPS 140-2 L1 compliance https://cloud.google.com/kms/docs/key-management-service#choose

Selected Answer: D
"D"
Default encryption is Fips 140-2 L2 compliant (reference A below). Cloud KMS provides the rotation convenience desired (reference B below).

References:
A- https://cloud.google.com/docs/security/encryption/default-encryption
B- https://cloud.google.com/docs/security/key-management-deep-dive

"reduces key management" & "FIPS 140-2 L1 compliance is required for all data types" - strongly suggests answer B

As FIPS 140-2 L1 compliance is required for all types of data, Cloud KMS should be used to manage encryption. Correct answer is B

https://cloud.google.com/docs/security/key-management-deep-dive#software-protection-level:~:text=The%20Cloud%20KMS%20binary%20is%20built%20against%20FIPS%20140%2D2%20Level%201%E2%80%93validated%20Cryptographic%20Primitives%20of%20this%20module

Selected Answer: D
Google uses a common cryptographic library, Tink, which incorporates our FIPS 140-2 Level 1 validated module, BoringCrypto, to implement encryption consistently across almost all Google Cloud products. To provideflexibility of controlling the key residency and rotation schedule, use google provided key for non-sensitive and encrypt sensitive data with Cloud Key Management Service

Selected Answer: B
base on "FIPS 140-2 L1 compliance is required for all data types"

Regarding FIPS 140-2 level 1 and GCP default encryption:

Google Cloud uses a FIPS 140-2 validated Level 1 encryption module (certificate 3318) in our production environment.

https://cloud.google.com/docs/security/encryption/default-encryption?hl=en#encryption_of_data_at_rest

Selected Answer: D
KMS is ok for fips 140-2 level 1
https://cloud.google.com/docs/security/key-management-deep-dive#platform-overview

The answer is D.
1. reduce key management complexity for non-sensitive data --> Google Managed key
2. protects sensitive data while providing the flexibility of controlling the key residency and rotation schedule --> KMS

In my opinion, the answer is B. The question says that it is necessary to control "key residency and rotation schedule" for both types of data. Default encryption at rest does not provide that but Cloud KMS does. Furthermore, Cloud KMS is FIPS140-2 level 1.
https://cloud.google.com/docs/security/key-management-deep-dive

You need to implement an encryption at-rest strategy that reduces key management complexity for non-sensitive data and protects sensitive data while providing the flexibility of controlling the key residency and rotation schedule. FIPS 140-2 L1 compliance is required for all data types. What should you do?

Selected Answer: A
”This encryption method is reversible, which helps to maintain referential integrity across your database and has no character-set limitations.”
https://cloud.google.com/blog/products/identity-security/take-charge-of-your-data-how-tokenization-makes-data-usable-without-sacrificing-privacy

Selected Answer: C
C. Format-preserving encryption
Justification Based on Documentation:
https://cloud.google.com/dlp/docs/transformations-reference#transformation_methods
 According to the Google Cloud DLP guidelines, format-preserving encryption (FPE) transforms sensitive data while keeping its original format. This is essential for working with structured data where you need to maintain the integrity of data types (e.g., keeping a credit score as a numeric field) while ensuring security through encryption.

 The ability to join user information in the banking app with credit score data while preserving the structure and format of the data is critical, especially since the goal is to analyze the data without exposing sensitive information.

YES, C is correct:
https://cloud.google.com/dlp/docs/transformations-reference#transformation_methods
Format preserving encryption: Replaces an input value with a token that has been generated using format-preserving encryption (FPE) with the FFX mode of operation. This transformation method produces a token that is limited to the same alphabet as the input value and is the same length as the input value. FPE also supports re-identification given the original encryption key.
-> The key is that we talk about tokenization.

Selected Answer: C
Why C. Format-preserving encryption is correct:
Format-preserving encryption (FPE) encrypts data while preserving its format (e.g., encrypting a credit card number would still result in a string with the same length and structure).
It ensures that data relationships and referential integrity across systems remain intact.
FPE is supported by Google Cloud DLP for tokenization tasks.

Why not the other options:
A. Deterministic encryption:

Deterministic encryption ensures that the same plaintext always encrypts to the same ciphertext, which can preserve referential integrity. However, it doesn't inherently maintain the format of the original data, which might be a requirement in this case.

D Cryptogrpahic hashing as it maintains refenrtial integrity and not reversible https://cloud.google.com/dlp/docs/pseudonymization

Selected Answer: A
To meet the requirements of de-identifying and tokenizing sensitive data while maintaining referential integrity across the database, you should use "Deterministic encryption."

Deterministic encryption is a form of encryption where the same input value consistently produces the same encrypted output (token). This ensures referential integrity because the same original value will always result in the same token, allowing you to link and join data across different systems or databases while still protecting sensitive information.

Format-preserving encryption is a specific form of deterministic encryption that preserves the format and length of the original data, which can be useful for maintaining data structures and relationships.

So, the correct option is:

A. Deterministic encryption

This is a poor question and not enough data is provided to determine which Tokenization method should be selected. There are three methods for Tokenization (also referred to as Pseudonymization). See: https://cloud.google.com/dlp/docs/transformations-reference#crypto and each method maintains referential integrity See: https://www.youtube.com/watch?v=h0BnA7R8vg4. Thus, you'd need to know whether it needs to be reversible, format preserving to confidentially select an answer..

Selected Answer: A
https://cloud.google.com/blog/products/identity-security/take-charge-of-your-data-how-tokenization-makes-data-usable-without-sacrificing-privacy

"Deterministic encryption" is too wide definition, the key phrase is "Which cryptographic token format " so th answer is "Format-preserving encryption" - where Referential integrity is assured (...allows for records to maintain their relationship ....ensures that connections between values (and, with structured data, records) are preserved, even across tables)

both create tokens, the FPE is more used where u have format [0-9a-za-Z]

Cryptographic uses strings , it asks to use tokenization and hence deterministic is better than FPE hence A

Selected Answer: D
Though it's not clear, but, to prevent from data leak, it's better to have a non-reversible method as analysts don't need re-identification

Selected Answer: A
A. Deterministic encryption

Selected Answer: A
A is the answer.

https://cloud.google.com/dlp/docs/pseudonymization
FPE provides fewer security guarantees compared to other deterministic encryption methods such as AES-SIV.
For these reasons, Google strongly recommends using deterministic encryption with AES-SIV instead of FPE for all security sensitive use cases.

Other methods like deterministic encryption using AES-SIV provide these stronger security guarantees and are recommended for tokenization use cases unless length and character set preservation are strict requirements—for example, for backward compatibility with a legacy data system.

Selected Answer: A
This question is taken from the exact scenario described in this link
https://cloud.google.com/blog/products/identity-security/take-charge-of-your-data-how-tokenization-makes-data-usable-without-sacrificing-privacy

Selected Answer: D
Both "Deterministic" and "format preserving" are key-based hashes (and reversible).
It's not clear from the question, but doesn't look like we need it to be reversible.
All of them maintain referential integrity
https://cloud.google.com/architecture/de-identification-re-identification-pii-using-cloud-dlp#method_selection

Selected Answer: D
preserve referential integrity and ensure that no re-identification is possible

https://cloud.google.com/dlp/docs/pseudonymization#supported-methods

Selected Answer: D
Cryptographic hash (CryptoHashConfig) maintains referential integrity.
"Determinist encryption" is not a transformation method.
https://cloud.google.com/dlp/docs/transformations-reference

A correct - https://cloud.google.com/blog/products/identity-security/take-charge-of-your-data-how-tokenization-makes-datausable-without-sacrificing-privacy

Your company wants to determine what products they can build to help customers improve their credit scores depending on their age range. To achieve this, you need to join user information in the company's banking app with customers' credit score data received from a third party. While using this raw data will allow you to complete this task, it exposes sensitive data, which could be propagated into new systems.
This risk needs to be addressed using de-identification and tokenization with Cloud Data Loss Prevention while maintaining the referential integrity across the database. Which cryptographic token format should you use to meet these requirements?

the link you post talking about Permissions required to ACCESS billing documentsn not to link project to a billing account you should have the Billing Account User role, the good answer is D,E

Selected Answer: CD
Ans C,D.
C. Billing Account Viewer :responsible for matching payments to invoices
https://cloud.google.com/billing/docs/how-to/get-invoice#required-permissions
Access billing documents:"Billing Account Administrator" or "Billing Account Viewer"
D. Billing Account Costs Manager : creating billing alerts
https://cloud.google.com/billing/docs/how-to/budgets-notification-recipients
"To create or modify a budget for your Cloud Billing account, you need the Billing Account Costs Manager role or the Billing Account Administrator role on the Cloud Billing account."
and "If you want the recipients of the alert emails to be able to view the budget, email recipients need permissions on the Cloud Billing account. At a minimum, ensure email recipients are added to the Billing Account Viewer role on the Cloud Billing account that owns the budget. See View a list of budgets for additional information."

Selected Answer: CD
Billing Account Costs Administrator to create budgets (aka alerts)
Billing Account Viewer to view costs (to be able to match them to invoices)

yes, it does: https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager

Billing Account Costs Manager - does not exist! ?!

Answer: CD
https://cloud.google.com/billing/docs/how-to/budgets

Selected Answer: DE
Billing Account User: This role has very restricted permissions, so you can grant it broadly. When granted in combination with Project Creator, the two roles allow a user to create new projects linked to the billing account on which the Billing Account User role is granted. Or, when granted in combination with the Project Billing Manager role, the two roles allow a user to link and unlink projects on the billing account on which the Billing Account User role is granted.

Billing Account Costs Manager: Create, edit, and delete budgets, view billing account cost information and transactions, and manage the export of billing cost data to BigQuery. Does not confer the right to export pricing data or view custom pricing in the Pricing page. Also, does not allow the linking or unlinking of projects or otherwise managing the properties of the billing account

Selected Answer: CD
C. Billing Account Viewer
D. Billing Account Costs Manager

Selected Answer: CD
CD is the answer.

https://cloud.google.com/billing/docs/how-to/billing-access#overview-of-cloud-billing-roles-in-cloud-iam

Billing Account Costs Manager (roles/billing.costsManager)
- Manage budgets and view and export cost information of billing accounts (but not pricing information)

Billing Account Viewer (roles/billing.viewer)
- View billing account cost information and transactions.

An office manager at your small startup company is responsible for matching payments to invoices and creating billing alerts. For compliance reasons, the office manager is only permitted to have the Identity and Access Management (IAM) permissions necessary for these tasks. Which two IAM roles should the office manager have? (Choose two.)

.css-1hohgv6{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-flex-direction:row;-ms-flex-direction:row;flex-direction:row;gap:0px;}Exam.css-1cp477w{color:#4285F4;}Prepper

Exam
Prepper