2024年最新のお手軽に合格させるProfessional-Cloud-Security-Engineer試験にはこちらが提供する問題集PDFテストエンジン [Q73-Q89]

Share

2024年最新のお手軽に合格させるProfessional-Cloud-Security-Engineer試験にはこちらが提供する問題集PDFテストエンジン

Professional-Cloud-Security-EngineerのPDFで合格させるスゴ問題集でProfessional-Cloud-Security-Engineer最新のリアル試験問題

質問 # 73
You are the security admin of your company. Your development team creates multiple GCP projects under the "implementation" folder for several dev, staging, and production workloads. You want to prevent data exfiltration by malicious insiders or compromised code by setting up a security perimeter. However, you do not want to restrict communication between the projects.
What should you do?

  • A. Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.
  • B. Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.
  • C. Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.
  • D. Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.

正解:C


質問 # 74
You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application's backend. What are two requirements for using Google Cloud Armor security policies? (Choose two.)

  • A. Google Cloud Armor Policy rules can only match on Layer 7 (L7) attributes.
  • B. The load balancer must use the Premium Network Service Tier.
  • C. The backend service's load balancing scheme must be EXTERNAL.
  • D. The load balancer must be an external HTTP(S) load balancer.
  • E. The load balancer must be an external SSL proxy load balancer.

正解:C、D

解説:
https://cloud.google.com/armor/docs/security-policy-overview#requirements says: The backend service's load balancing scheme must be EXTERNAL, or EXTERNAL_MANAGED *** if you are using global external HTTP(S) load balancer ***.


質問 # 75
You manage a mission-critical workload for your organization, which is in a highly regulated industry The workload uses Compute Engine VMs to analyze and process the sensitive data after it is uploaded to Cloud Storage from the endpomt computers. Your compliance team has detected that this workload does not meet the data protection requirements for sensitive dat a. You need to meet these requirements;
* Manage the data encryption key (DEK) outside the Google Cloud boundary.
* Maintain full control of encryption keys through a third-party provider.
* Encrypt the sensitive data before uploading it to Cloud Storage
* Decrypt the sensitive data during processing in the Compute Engine VMs
* Encrypt the sensitive data in memory while in use in the Compute Engine VMs What should you do?
Choose 2 answers

  • A. Create Confidential VMs to access the sensitive data.
  • B. Configure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.
  • C. Migrate the Compute Engine VMs to Confidential VMs to access the sensitive data.
  • D. Create a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets
  • E. Configure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage and decrypt the sensitive data after it is downloaded into your VMs

正解:A、E

解説:
https://cloud.google.com/confidential-computing/confidential-vm/docs/creating-cvm-instance#considerations Confidential VM does not support live migration. You can only enable Confidential Computing on a VM when you first create the instance. https://cloud.google.com/confidential-computing/confidential-vm/docs/creating-cvm-instance


質問 # 76
You define central security controls in your Google Cloud environment for one of the folders in your organization you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later you receive an alert about a new VM with an external IP address under that folder.
What could have caused this alert?

  • A. At project level, the organizational policy control has been overwritten with an 'allow' value.
  • B. The VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.
  • C. The organizational policy constraint wasn't properly enforced and is running in "dry run mode.
  • D. The policy constraint on the folder level does not have any effect because of an allow" value for that constraint on the organizational level.

正解:B


質問 # 77
Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?

  • A. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project.2. Process Cloud Storage objects in SIEM.
  • B. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project.2. Subscribe SIEM to the topic.
  • C. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project.2. Process Cloud Storage objects in SIEM.
  • D. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project.2. Subscribe SIEM to the topic.

正解:C


質問 # 78
You are creating a new infrastructure CI/CD pipeline to deploy hundreds of ephemeral projects in your Google Cloud organization to enable your users to interact with Google Cloud. You want to restrict the use of the default networks in your organization while following Google-recommended best practices. What should you do?

  • A. Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.
  • B. Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
  • C. Grant your users the 1AM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts the compute.googleapis.com API.
  • D. Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.

正解:B


質問 # 79
Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.
What should your team grant to Engineering Group A to meet this requirement?

  • A. Compute Shared VPC Admin Role at the service project level.
  • B. Compute Shared VPC Admin Role at the host project level.
  • C. Compute Network User Role at the host project level.
  • D. Compute Network User Role at the subnet level.

正解:B

解説:
https://cloud.google.com/vpc/docs/shared-vpc


質問 # 80
An organization recently began using App Engine to build and host its new web application for its customers. The organization wants to use its existing IAM setup to allow its developer employees to have elevated access to the application remotely. This would allow them to push updates and fixes to the application via an HTTPS connection. Non-developer employees should only get access to the production version without development permissions. Which Google Cloud Platform solution should be used to meet these requirements?

  • A. Synchronize the organization's Active Directory using Cloud Identity for employee access via Cloud VPN.
  • B. Disable access for non-developer employees by removing their Google Group from the application access control list (ACL).
  • C. Set up Virtual Private Cloud (VPC) firewall rules to manage authentication and different authorization levels for employee access.
  • D. Set up Cloud Identity-Aware Proxy (Cloud IAP) to manage authentication and different authorization levels for employee access.

正解:D

解説:
A is not correct because synchronizing your users to Google Identity does not grant any differentiated access to an app engine application.
B is not correct because app engine IAM roles only specify different levels of administrative access to app engine applications in a project.
C is correct because Cloud IAP allows the organization to establish different levels of access based on user criteria for app engine apps.
D is not correct because VPC firewall rules do not grant different levels of authorization and only allow/block traffic.
https://cloud.google.com/appengine/docs/standard/python/access-control
https://cloud.google.com/iap/docs/concepts-overview


質問 # 81
You are implementing data protection by design and in accordance with GDPR requirements. As part of design reviews, you are told that you need to manage the encryption key for a solution that includes workloads for Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. Which option should you choose for this implementation?

  • A. Customer-managed encryption keys
  • B. Google default encryption
  • C. Cloud External Key Manager
  • D. Customer-supplied encryption keys

正解:A

解説:
https://cloud.google.com/kms/docs/using-other-products#cmek_integrations https://cloud.google.com/kms/docs/using-other-products#cmek_integrations CMEK is supported for all the listed google services.


質問 # 82
Your company is concerned about unauthorized parties gaming access to the Google Cloud environment by using a fake login page. You must implement a solution to protect against person-in-the-middle attacks.
Which security measure should you use?

  • A. Google prompt
  • B. Text message or phone call code
  • C. Security key
  • D. Google Authenticator application

正解:C

解説:
Explanation
A security key is a physical device that you can use for two-step verification, providing an additional layer of security for your Google Account. Security keys can defend against phishing and man-in-the-middle attacks, making your login process more secure.


質問 # 83
An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.
Which Cloud Identity password guidelines can the organization use to inform their new requirements?

  • A. Set the minimum length for passwords to be 8 characters.
  • B. Set the minimum length for passwords to be 10 characters.
  • C. Set the minimum length for passwords to be 12 characters.
  • D. Set the minimum length for passwords to be 6 characters.

正解:C


質問 # 84
You have noticed an increased number of phishing attacks across your enterprise user accounts. You want to implement the Google 2-Step Verification (2SV) option that uses a cryptographic signature to authenticate a user and verify the URL of the login page. Which Google 2SV option should you use?

  • A. Google prompt
  • B. Titan Security Keys
  • C. Cloud HSM keys
  • D. Google Authenticator app

正解:D


質問 # 85
You need to implement an encryption at-rest strategy that reduces key management complexity for non-sensitive data and protects sensitive data while providing the flexibility of controlling the key residency and rotation schedule. FIPS 140-2 L1 compliance is required for all data types. What should you do?

  • A. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
  • B. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
  • C. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.
  • D. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service

正解:C

解説:
Explanation
Google uses a common cryptographic library, Tink, which incorporates our FIPS 140-2 Level 1 validated module, BoringCrypto, to implement encryption consistently across almost all Google Cloud products. To provideflexibility of controlling the key residency and rotation schedule, use google provided key for non-sensitive and encrypt sensitive data with Cloud Key Management Service


質問 # 86
Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application. The solution has the following requirements:
Scans must run at least once per week
Must be able to detect cross-site scripting vulnerabilities
Must be able to authenticate using Google accounts
Which solution should you use?

  • A. Container Threat Detection
  • B. Security Health Analytics
  • C. Web Security Scanner
  • D. Google Cloud Armor

正解:C

解説:
Reference:
Web Security Scanner identifies security vulnerabilities in your App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications. https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview


質問 # 87
You have been tasked with configuring Security Command Center for your organization's Google Cloud environment. Your security team needs to receive alerts of potential crypto mining in the organization's compute environment and alerts for common Google Cloud misconfigurations that impact security. Which Security Command Center features should you use to configure these alerts? (Choose two.)

  • A. Container Threat Detection
  • B. Cloud Data Loss Prevention
  • C. Security Health Analytics
  • D. Event Threat Detection
  • E. Google Cloud Armor

正解:C、D

解説:
Explanation
https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview Event Threat Detection is a built-in service for the Security Command Center Premium tier that continuously monitors your organization and identifies threats within your systems in near-real time.https://cloud.google.com/security-command-center/docs/concepts-security-sources#security-health-analytic


質問 # 88
You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk.
What should you do?

  • A. Migrate the application into an isolated project using a "Lift & Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
  • B. Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
  • C. Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project.Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
  • D. Migrate the application into an isolated project using a "Lift & Shift" approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.

正解:A

解説:
Migrate the application into an isolated project using a "Lift & Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.


質問 # 89
......

Professional-Cloud-Security-Engineer問題集はあなたの合格を必ず保証します:https://jp.fast2test.com/Professional-Cloud-Security-Engineer-premium-file.html

有効なProfessional-Cloud-Security-Engineerテスト解答Professional-Cloud-Security-Engineer試験PDF:https://drive.google.com/open?id=1s7Nzd9QfPmZEaFRlqrWSWbZUTynaeJJ0


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어