リアルPCCSE問題集でPalo Alto Networks正確な解答2024年最新版を試そう
Cloud Security Engineer PCCSE試験練習問題集
PCCSE認定は世界的に認知され、Prisma Cloudプラットフォームを利用する主要な組織から高く評価されています。この認定は、保持者がPrisma Cloudプラットフォームを使用してクラウドセキュリティソリューションを設計、展開、管理するために必要なスキルと知識を持っていることを示しています。また、保持者が継続的な学習と職業的な発展に取り組んでいることも示しています。
質問 # 53
A customer wants to harden its environment from misconfiguration.
Prisma Cloud Compute Compliance enforcement for hosts covers which three options? (Choose three.)
- A. Host configuration
- B. Docker daemon configuration
- C. Hosts without Defender agents
- D. Docker daemon configuration files
- E. Host cloud provider tags
正解:A、B、D
解説:
Prisma Cloud Compute Compliance enforcement for hosts covers several aspects to ensure a secure and compliant host environment, particularly within containerized environments. These include:
Docker daemon configuration files: Ensuring that Docker daemon configuration files are set up according to best security practices is crucial. These files contain various settings that control the behavior of the Docker daemon, and misconfigurations can lead to security vulnerabilities.
Docker daemon configuration: Beyond just the configuration files, the overall configuration of the Docker daemon itself is critical. This encompasses runtime settings and command-line options that determine how Docker containers are executed and managed on the host.
Host configuration: The security of the underlying host on which Docker and other container runtimes are installed is paramount. This includes the configuration of the host's operating system, network settings, file permissions, and other system-level settings that can impact the security of the containerized applications running on top.
By focusing on these areas, Prisma Cloud ensures that not just the containers but also the environment they run in is secure, adhering to compliance standards and best practices to mitigate risks associated with containerized deployments.
質問 # 54
The development team is building pods to host a web front end, and they want to protect these pods with an application firewall.
Which type of policy should be created to protect this pod from Layer7 attacks?
- A. The development team should create a WAAS rule targeted at the image name of the pods.
- B. The development team should create a runtime policy with networking protections.
- C. The development team should create a WAAS rule for the host where these pods will be running.
- D. The development team should create a WAAS rule targeted at all resources on the host.
正解:D
質問 # 55
A customer does not want alerts to be generated from network traffic that originates from trusted internal networks.
Which setting should you use to meet this customer's request?
- A. Enterprise Alert Disposition
- B. Trusted Alert IP Addresses
- C. Anomaly Trusted List
- D. Trusted Login IP Addresses
正解:B
解説:
Section: (none)
Explanation
質問 # 56
Which statement about build and run policies is true?
- A. Every type of policy has auto-remediation enabled by default.
- B. Build policies enable you to check for security misconfigurations in the IaC templates.
- C. The four main types of policies are: Audit Events, Build, Network, and Run.
- D. Run policies monitor network activities in the environment and check for potential issues during runtime.
正解:B
質問 # 57
A security team has been asked to create a custom policy.
Which two methods can the team use to accomplish this goal? (Choose two.)
- A. add a new policy
- B. disable an out-of-the-box policy
- C. clone an existing policy
- D. edit the query in the out-of-the-box policy
正解:A、C
解説:
To create a custom policy within a cloud security platform like Prisma Cloud, security teams have the flexibility to either add a new policy from scratch or clone an existing one to serve as a foundation for customization. Adding a new policy allows for the creation of a completely tailored rule set based on specific security requirements. Cloning an existing policy, on the other hand, provides a quick start by using the structure of an already established policy, which can then be modified to fit particular needs. This approach is beneficial for maintaining consistency with existing policies while addressing unique security scenarios.
Disabling an out-of-the-box policy (option C) or editing the query in an out-of-the-box policy (option D) are actions that might be taken to customize policy enforcement but do not equate to the creation of a new custom policy.
質問 # 58
Console is running in a Kubernetes cluster, and you need to deploy Defenders on nodes within this cluster.
Which option shows the steps to deploy the Defenders in Kubernetes using the default Console service name?
- A. From the deployment page in Console, choose twistlock-console for Console identifier, and run the curl
| bash script on the master Kubernetes node. - B. From the deployment page in Console, choose pod name for Console identifier, generate DaemonSet file, and apply the DaemonSet to twistlock namespace.
- C. From the deployment page configure the cloud credential in Console and allow cloud discovery to auto-protect the Kubernetes nodes.
- D. From the deployment page in Console, choose twistlock-console for Console identifier, generate DaemonSet file, and apply DaemonSet to the twistlock namespace.
正解:D
質問 # 59
Given an existing ECS Cluster, which option shows the steps required to install the Console in Amazon ECS?
- A. Download and extract the release tarball
Create an EFS file system and mount to each node in the cluster Create the Console task definition Deploy the task definition - B. The console cannot natively run in an ECS cluster. A onebox deployment should be used.
- C. Download and extract release tarball Download task from AWS
Create the Console task definition Deploy the task definition - D. Download and extract the release tarball
Ensure that each node has its own storage for Console data Create the Console task definition Deploy the task definition
正解:A
質問 # 60
The security team wants to enable the "block" option under compliance checks on the host.
What effect will this option have if it violates the compliance check?
- A. Additional hosts will be prevented form starting.
- B. No containers will be allowed to start on that host.
- C. The host will be taken offline.
- D. Containers on a host will be stopped.
正解:A
質問 # 61
Which type of compliance check is available for rules under Defend > Compliance > Containers and Images
> CI?
- A. Container
- B. Functions
- C. Host
- D. Image
正解:C
質問 # 62
Which action would be applicable after enabling anomalous compute provisioning?
- A. It detects potential creation of an unauthorized network of compute instances either accidentally or for cryptojacking.
- B. It detects unusual server port activity or unusual protocol activity from a client within or outside the cloud environment.
- C. It detects the activity caused by the spambot.
- D. It detects potential creation of an unauthorized network of compute instances with AutoFocus.
正解:A
解説:
Enabling anomalous compute provisioning in Prisma Cloud allows for the detection of unusual and potentially unauthorized activities related to the creation of compute instances. This feature is particularly useful for identifying scenarios where an unauthorized network of compute instances might be established, either accidentally due to misconfigurations or maliciously for purposes such as cryptojacking. Cryptojacking involves the unauthorized use of someone else's compute resources to mine cryptocurrency, and anomalous compute provisioning can help in identifying such activities by highlighting unusual patterns in the provisioning of compute resources.
質問 # 63
Which statement accurately characterizes SSO Integration on Prisma Cloud?
- A. An administrator can configure different Identity Providers (IdP) for all the cloud accounts that Prisma Cloud monitors.
- B. An administrator who needs to access the Prisma Cloud API can use SSO after configuration.
- C. Okta, Azure Active Directory. PingID, and others are supported via SAML
- D. Prisma Cloud supports IdP initiated SSO. and its SAML endpoint supports the POST and GET methods
正解:C
質問 # 64
Which two statements apply to the Defender type Container Defender - Linux?
- A. It is incapable of filesystem runtime defense.
- B. It is deployed as a container.
- C. It is implemented as runtime protection in the userspace.
- D. It is deployed as a service.
正解:C、D
質問 # 65
Which three options for hardening a customer environment against misconfiguration are included in Prisma Cloud Compute compliance enforcement for hosts? (Choose three.)
- A. Host configuration
- B. Docker daemon configuration
- C. Hosts without Defender agents
- D. Cloud provider tags
- E. Serverless functions
正解:A、B、C
解説:
Prisma Cloud scans all hosts for compliance issues, provided that a defender is installed or the host is covered by an agentless scan. Among these, the following compliance issues are covered.
-Host configuration
-Docker daemon configuration
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/compliance/host_scanning Prisma Cloud Compute's compliance enforcement capabilities for hosts include ensuring proper configurations of Docker daemons and host operating systems, as well as managing hosts that do not have Defender agents installed. These measures are critical for hardening environments against misconfigurations which could lead to security vulnerabilities.
質問 # 66
An administrator has deployed Console into a Kubernetes cluster running in AWS. The administrator also has configured a load balancer in TCP passthrough mode to listen on the same ports as the default Prisma Compute Console configuration.
In the build pipeline, the administrator wants twistcli to talk to Console over HTTPS. Which port will twistcli need to use to access the Prisma Compute APIs?
- A. 0
- B. 1
- C. 2
- D. 3
正解:A
解説:
When the administrator wants twistcli to communicate with the Console over HTTPS in a Kubernetes cluster, and considering the load balancer is configured in TCP passthrough mode, A. 8084 is typically the port used for secure HTTPS communication with the Prisma Compute Console. This port will allow twistcli to access the Prisma Compute APIs securely.
https://docs.prismacloudcompute.com/docs/compute_edition_21_04/tools/twistcli.html#connectivity-to-console
質問 # 67
Which options show the steps required to upgrade Console when using projects?
- A. Upgrade all Supervisor Consoles Upgrade Central Console
- B. Upgrade Central Console Upgrade all Supervisor Consoles
- C. Upgrade Central Console
Upgrade Central Console Defenders - D. Upgrade Defender Upgrade Central Console
Upgrade Supervisor Consoles
正解:A
質問 # 68
A customer has a requirement to terminate any Container from image topSecret:latest when a process named ransomWare is executed.
How should the administrator configure Prisma Cloud Compute to satisfy this requirement?
- A. choose "copy into rule" for the Container, add a ransomWare process into the denied process list, and set the action to "block".
- B. add a new runtime policy targeted at a specific Container name, add ransomWare process into the denied process list, and set the action to "prevent".
- C. set the Container model to manual relearn and set the default runtime rule to block for process protection.
- D. set the Container model to relearn and set the default runtime rule to prevent for process protection.
正解:B
解説:
To terminate any Container from the image "topSecret:latest" when a process named "ransomWare" is executed, the administrator should create a new runtime policy in Prisma Cloud Compute specifically targeting the container in question. By adding the "ransomWare" process to the denied process list within this policy and setting the action to "prevent," Prisma Cloud Compute will actively monitor for the execution of the specified process within the targeted container and take preventive action to terminate the container if the process is detected. This approach allows for precise, targeted security measures that address specific threats identified by the organization, thereby enhancing the overall security posture and protecting sensitive workloads from potential compromise.
質問 # 69
Order the steps involved in onboarding an AWS Account for use with Data Security feature.
正解:
解説:
質問 # 70
Which three OWASP protections are part of Prisma Cloud Web-Application and API Security (WAAS) rule? (Choose three.)
- A. Suspicious binary
- B. SQL injection
- C. Shellshock
- D. Local file inclusion
- E. DoS Protection
正解:A、B、E
質問 # 71
Which statement accurately characterizes SSO Integration on Prisma Cloud?
- A. An administrator can configure different Identity Providers (IdP) for all the cloud accounts that Prisma Cloud monitors.
- B. Okta, Azure Active Directory, PingID, and others are supported via SAML.
- C. Prisma Cloud supports IdP initiated SSO, and its SAML endpoint supports the POST and GET methods.
- D. An administrator who needs to access the Prisma Cloud API can use SSO after configuration.
正解:C
解説:
Section: (none)
Explanation
質問 # 72
Which API calls can scan an image named myimage: latest with twistcli and then retrieve the results from Console?
- A. $ twistcli images scan \
--address <COMPUTE_CONSOLE> \
--user <COMPUTER_CONSOLE_USER> \
--password <COMPUTER_CONSOLE_PASSWD> \
--console \
myimage: latest - B. $ twistcli images scan \
--address <COMPUTE_CONSOLE> \
--user <COMPUTER_CONSOLE_USER> \
--password <COMPUTER_CONSOLE_PASSWD> \
myimage: latest - C. $ twistcli images scan \
--address <COMPUTE_CONSOLE> \
--user <COMPUTER_CONSOLE_USER> \
--password <COMPUTER_CONSOLE_PASSWD> \
--details \
myimage: latest - D. $ twistcli images scan \
--address <COMPUTE_CONSOLE> \
--user <COMPUTER_CONSOLE_USER> \
--password <COMPUTER_CONSOLE_PASSWD> \
--verbose \
myimage: latest
正解:B
解説:
The API calls that can scan an image named myimage: latest with twistcli and then retrieve the results from Console do not require any additional flags beyond the address, user, and password for the Prisma Cloud Compute console. The --verbose, --details, and --console flags are not necessary for performing the scan and retrieving the results. The twistcli command with the required parameters initiates the scan, and upon completion, the results are available in the Prisma Cloud Compute console for review.
Reference to this process is provided in the Prisma Cloud Compute documentation, which outlines the steps for scanning container images with the twistcli command-line tool and retrieving the results from the Compute Console for analysis and action.
質問 # 73
An administrator of Prisma Cloud wants to enable role-based access control for Docker engine.
Which configuration step is needed first to accomplish this task?
- A. Set Docker's listener type to TCP.
- B. Set Defender's listener type to TCP.
- C. Configure Docker's authentication sequence to first use an identity provider and then Console.
- D. Configure Defender's authentication sequence to first use an identity provider and then Console.
正解:D
質問 # 74
Which three Options are selectable in a CI policy for image scanning with Jenkins or twistcli? (Choose three.)
- A. Credential
- B. Scope - Scans run on a particular host
- C. Grace Period
- D. Apply rule only when vendor fixes are available
- E. Failure threshold
正解:A、B、D
質問 # 75
......
PCCSE試験は、クラウドインフラストラクチャの確保における候補者のスキルと知識を検証するように設計されています。この試験では、クラウドセキュリティアーキテクチャ、クラウドアクセスセキュリティブローカー(CASB)、ネットワークセキュリティ、アイデンティティおよびアクセス管理(IAM)、データ保護、コンプライアンスなど、幅広いトピックをカバーしています。この試験は60の複数選択の質問で構成されており、90分の時間制限があります。試験に合格するには、候補者は最低70%を獲得する必要があります。 PCCSE認定は2年間有効であり、その後、候補者は認定を維持するために再認証試験に合格する必要があります。
PCCSE認定を受けるには、候補者はクラウドセキュリティエンジニアリングの知識とスキルをテストする厳格な認定試験に合格する必要があります。この試験はPalo Alto Networksによって管理されており、Pearson Vueテストセンターでオンラインまたは対面で撮影できます。試験に合格すると、候補者はクラウドセキュリティエンジニアリングの専門知識を実証するPCCSE認定を受け取ります。
PCCSE試験合格を準備するため 今すぐ弊社のCloud Security Engineer試験パッケージお試そう:https://jp.fast2test.com/PCCSE-premium-file.html
PCCSEプレミアム資料でテストPDF無料問題集お試しセット:https://drive.google.com/open?id=1JPPHy5e7qcMlK1BNihCiyygd728JvTiF