2023年最新のProfessional-Cloud-Security-Engineer実際問題集には試験のコツがあるPDF試験材料 [Q42-Q67]

Share

2023年最新のProfessional-Cloud-Security-Engineer実際問題集には試験のコツがあるPDF試験材料

心強いProfessional-Cloud-Security-EngineerのPDF問題集問題


Google Professional-Cloud-Security-Engineer認定を獲得することは、クラウドセキュリティでのキャリアを促進しようとする専門家にとって貴重な資産になります。この認定は、専門家がクラウド環境を確保する際の専門知識を実証し、Googleクラウドプラットフォーム上のアプリケーションとインフラストラクチャのセキュリティを効果的に管理するために必要なスキルと知識を提供するのに役立ちます。

 

質問 # 42
You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be readable from Project B.
You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials.
What should you do?

  • A. Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.
  • B. Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.
  • C. Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.
  • D. Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.

正解:A

解説:
Explanation
https://cloud.google.com/vpc-service-controls/docs/overview#isolate


質問 # 43
You work for an organization in a regulated industry that has strict data protection requirements. The organization backs up their data in the cloud. To comply with data privacy regulations, this data can only be stored for a specific length of time and must be deleted after this specific period.
You want to automate the compliance with this regulation while minimizing storage costs. What should you do?

  • A. Store the data in a BigQuery table, and set the table's expiration time.
  • B. Store the data in a Cloud Bigtable table, and set an expiration time on the column families.
  • C. Store the data in a persistent disk, and delete the disk at expiration time.
  • D. Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.

正解:D

解説:
Explanation
To miminize costs, it's always GCS even though BQ comes as a close 2nd. But, since the question did not specify what kind of data it is (raw files vs tabular data), it is safe to assume GCS is the preferred option with LifeCycle enablement.


質問 # 44
Which two implied firewall rules are defined on a VPC network? (Choose two.)

  • A. A rule that blocks all outbound connections
  • B. A rule that blocks all inbound port 25 connections
  • C. A rule that denies all inbound connections
  • D. A rule that allows all inbound port 80 connections
  • E. A rule that allows all outbound connections

正解:C、E

解説:
Explanation
Implied IPv4 allow egress rule. An egress rule whose action is allow, destination is 0.0.0.0/0, and priority is the lowest possible (65535) lets any instance send traffic to any destination Implied IPv4 deny ingress rule. An ingress rule whose action is deny, source is 0.0.0.0/0, and priority is the lowest possible (65535) protects all instances by blocking incoming connections to them.
https://cloud.google.com/vpc/docs/firewalls?hl=en#default_firewall_rules


質問 # 45
You want to evaluate GCP for PCI compliance. You need to identify Google's inherent controls.
Which document should you review to find the information?

  • A. Product documentation for Compute Engine
  • B. PCI DSS Requirements and Security Assessment Procedures
  • C. Google Cloud Platform: Customer Responsibility Matrix
  • D. PCI SSC Cloud Computing Guidelines

正解:D

解説:
Explanation/Reference: https://cloud.google.com/solutions/pci-dss-compliance-in-gcp


質問 # 46
A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs.
What should you do?

  • A. Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.
  • B. Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.
  • C. Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.
  • D. Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.

正解:D


質問 # 47
You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?

  • A. Prepopulated VPC firewall rules in monitor mode
  • B. The inherent protections of Google Front End (GFE)
  • C. Cloud Load Balancing firewall rules
  • D. Google Cloud Armor's preconfigured rules in preview mode
  • E. VPC Service Controls in dry run mode

正解:D

解説:
Reference:
You can preview the effects of a rule without enforcing it. In preview mode, actions are noted in Cloud Monitoring. You can choose to preview individual rules in a security policy, or you can preview every rule in the policy. https://cloud.google.com/armor/docs/security-policy-overview#preview_mode


質問 # 48
You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive dat a. Your solution has the following requirements:
Schedule key rotation for sensitive data.
Control which region the encryption keys for sensitive data are stored in.
Minimize the latency to access encryption keys for both sensitive and non-sensitive data.
What should you do?

  • A. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
  • B. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.
  • C. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
  • D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

正解:B


質問 # 49
A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end-user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection.
Which product should be used to meet these requirements?

  • A. Cloud Armor
  • B. Cloud CDN
  • C. Cloud Identity and Access Management
  • D. VPC Firewall Rules

正解:A


質問 # 50
You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project. How should you make an exception for your partner's domain while following the stated best practices?

  • A. Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.
  • B. Turn off the domain restriction sharing organization policy. Set the policy value to "Allow All."
  • C. Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.
  • D. Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.

正解:D

解説:
https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#setting_the_organization_policy The domain restriction constraint is a type of list constraint. Google Workspace customer IDs can be added and removed from the allowed_values list of a domain restriction constraint. The domain restriction constraint does not support denying values, and an organization policy can't be saved with IDs in the denied_values list. All domains associated with a Google Workspace account listed in the allowed_values will be allowed by the organization policy. All other domains will be denied by the organization policy.


質問 # 51
You are consulting with a client that requires end-to-end encryption of application data (including data in transit, data in use, and data at rest) within Google Cloud. Which options should you utilize to accomplish this? (Choose two.)

  • A. Confidential Computing and Istio
  • B. Customer-supplied encryption keys
  • C. Hardware Security Module
  • D. Client-side encryption
  • E. External Key Manager

正解:A、D

解説:
Google Cloud customers with additional requirements for encryption of data over WAN can choose to implement further protections for data as it moves from a user to an application, or virtual machine to virtual machine. These protections include IPSec tunnels, Gmail S/MIME, managed SSL certificates, and Istio. https://cloud.google.com/docs/security/encryption-in-transit


質問 # 52
An organization's typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review.
How should you advise this organization?

  • A. Route all VPC traffic through customer-managed routers to detect malicious patterns in production.
  • B. Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.
  • C. All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.
  • D. Use Forseti with Firewall filters to catch any unwanted configurations in production.

正解:B

解説:
Explanation


質問 # 53
In an effort for your company messaging app to comply with FIPS 140-2, a decision was made to use GCP compute and network services. The messaging app architecture includes a Managed Instance Group (MIG) that controls a cluster of Compute Engine instances. The instances use Local SSDs for data caching and UDP for instance-to-instance communications. The app development team is willing to make any changes necessary to comply with the standard Which options should you recommend to meet the requirements?

  • A. Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.
  • B. Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.
  • C. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.
  • D. Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections.

正解:C

解説:
Explanation
https://cloud.google.com/security/compliance/fips-140-2-validated
Google Cloud Platform uses a FIPS 140-2 validated encryption module called BoringCrypto (certificate 3318) in our production environment. This means that both data in transit to the customer and between data centers, and data at rest are encrypted using FIPS 140-2 validated encryption. The module that achieved FIPS 140-2 validation is part of our BoringSSL library.


質問 # 54
A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can only be accessed by someone on the corporate network. The customer wants to make it available over the internet. Your team requires an authentication layer in front of the application that supports two-factor authentication Which GCP product should the customer implement to meet these requirements?

  • A. Cloud Identity-Aware Proxy
  • B. Cloud Endpoints
  • C. Cloud VPN
  • D. Cloud Armor

正解:C


質問 # 55
A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects.
Which two steps should the company take to meet these requirements? (Choose two.)

  • A. Create a Google Group for the Engineering team, and assign permissions at the folder level.
  • B. Create a project with multiple VPC networks for each environment.
  • C. Create a folder for each development and production environment.
  • D. Create projects for each environment, and grant IAM rights to each engineering user.
  • E. Create an Organizational Policy constraint for each folder environment.

正解:C、E


質問 # 56
Which Google Cloud service should you use to enforce access control policies for applications and resources?

  • A. Cloud NAT
  • B. Shielded VMs
  • C. Google Cloud Armor
  • D. Identity-Aware Proxy

正解:D


質問 # 57
An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege.
Which option meets the requirement of your team?

  • A. Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address and allows the application to read from the bucket without credentials.
  • B. Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.
  • C. Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.
  • D. Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.

正解:D

解説:
Explanation
If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set, ADC uses the service account key or configuration file that the variable points to. If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, ADC uses the service account that is attached to the resource that is running your code.
https://cloud.google.com/docs/authentication/production#passing_the_path_to_the_service_account_key_in_cod


質問 # 58
In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.
Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)

  • A. Compute Engine
  • B. App Engine
  • C. Cloud Storage
  • D. Google Kubernetes Engine
  • E. Cloud Functions

正解:A、B

解説:
Explanation/Reference: https://cloud.google.com/solutions/pci-dss-compliance-in-gcp


質問 # 59
You are a consultant for an organization that is considering migrating their data from its private cloud to Google Cloud. The organization's compliance team is not familiar with Google Cloud and needs guidance on how compliance requirements will be met on Google Cloud. One specific compliance requirement is for customer data at rest to reside within specific geographic boundaries. Which option should you recommend for the organization to meet their data residency requirements on Google Cloud?

  • A. Access control lists
  • B. Organization Policy Service constraints
  • C. Shielded VM instances
  • D. Geolocation access controls
  • E. Google Cloud Armor

正解:B

解説:
https://cloud.google.com/resource-manager/docs/organization-policy/using-constraints#list-constraint


質問 # 60
You are in charge of creating a new Google Cloud organization for your company. Which two actions should you take when creating the super administrator accounts? (Choose two.)

  • A. Create an access level in the Google Admin console to prevent super admin from logging in to Google Cloud.
  • B. Use a physical token to secure the super admin credentials with multi-factor authentication (MFA).
  • C. Provide non-privileged identities to the super admin users for their day-to-day activities.
  • D. Use a private connection to create the super admin accounts to avoid sending your credentials over the Internet.
  • E. Disable any Identity and Access Management (1AM) roles for super admin at the organization level in the Google Cloud Console.

正解:B、C

解説:
Explanation
https://cloud.google.com/resource-manager/docs/super-admin-best-practices#discourage_super_admin_account_
- Use a security key or other physical authentication device to enforce two-step verification - Give super admins a separate account that requires a separate login


質問 # 61
You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine. Which option should you recommend?

  • A. Compute Engine guest attributes
  • B. Compute Engine custom metadata
  • C. Cloud Key Management Service
  • D. Secret Manager

正解:D

解説:
Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud. https://cloud.google.com/secret-manager


質問 # 62
Your company requires the security and network engineering teams to identify all network anomalies within and across VPCs, internal traffic from VMs to VMs, traffic between end locations on the internet and VMs, and traffic between VMs to Google Cloud services in production. Which method should you use?

  • A. Configure packet mirroring policies.
  • B. Monitor and analyze Cloud Audit Logs.
  • C. Define an organization policy constraint.
  • D. Enable VPC Flow Logs on the subnet.

正解:D


質問 # 63
Which encryption algorithm is used with Default Encryption in Cloud Storage?

  • A. MD5
  • B. AES-256
  • C. 3DES
  • D. SHA512

正解:B

解説:
A is correct because Cloud Storage encrypts user data at rest using AES-256.
B is not correct because Cloud Storage encrypts user data at rest using AES-256.
C is not correct because Cloud Storage encrypts user data at rest using AES-256.
D is not correct because Cloud Storage encrypts user data at rest using AES-256.
https://cloud.google.com/storage/docs/encryption/default-keys


質問 # 64
A customer has an analytics workload running on Compute Engine that should have limited internet access.
Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.
The Compute Engine instances now need to reach out to the public repository to get security updates. What should your team do?

  • A. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.
  • B. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.
  • C. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.
  • D. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than
    1000.

正解:A

解説:
Explanation
https://cloud.google.com/vpc/docs/firewalls#priority_order_for_firewall_rules


質問 # 65
A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?

  • A. Use a Continuous Delivery tool to deploy the application.
  • B. Build small containers using small base images.
  • C. Use Cloud Build to build the container images.
  • D. Delete non-used versions from Container Registry.

正解:A

解説:
Section: (none)
Explanation


質問 # 66
Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:
The network connection must be encrypted.
The communication between servers must be over private IP addresses.
What should you do?

  • A. Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.
  • B. Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
  • C. Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
  • D. Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.

正解:B


質問 # 67
......


認定試験は、アクセス制御、データ保護、アイデンティティ管理、コンプライアンス、監査ログなど、クラウドセキュリティのさまざまな側面に関する候補者の知識をテストします。試験はまた、GCPツールとサービスを使用したセキュリティソリューションの実装能力と、GCPソリューションのセキュリティポリシーの設計と実装能力も評価します。

 

結果を保証するには2023年10月最新の無料版提供しています:https://jp.fast2test.com/Professional-Cloud-Security-Engineer-premium-file.html

正真正銘のProfessional-Cloud-Security-Engineer問題集で無料PDF問題で合格させる:https://drive.google.com/open?id=1s7Nzd9QfPmZEaFRlqrWSWbZUTynaeJJ0


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어