
[2024年03月] 試験Professional-Cloud-Security-Engineer最新ブレーン専門問題集はここ
無料で使えるProfessional-Cloud-Security-Engineer試験問題集試験点数を伸ばそう
質問 # 54
You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk.
What should you do?
- A. Migrate the application into an isolated project using a "Lift & Shift" approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.
- B. Migrate the application into an isolated project using a "Lift & Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
- C. Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project.
Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly. - D. Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
正解:D
質問 # 55
Your company is using GSuite and has developed an application meant for internal usage on Google App Engine. You need to make sure that an external user cannot gain access to the application even when an employee's password has been compromised.
What should you do?
- A. Configure Cloud Identity-Aware Proxy for the App Engine Application.
- B. Configure Cloud VPN between your private network and GCP.
- C. Enforce 2-factor authentication in GSuite for all users.
- D. Provision user passwords using GSuite Password Sync.
正解:C
質問 # 56
You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources. Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts.
Which two actions should you take? (Choose two.)
- A. Use the Google Admin console to view which managed users are using a personal account for their recovery email.
- B. Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity.
- C. Add users to your managed Google account and force users to change the email addresses associated with their personal accounts.
- D. Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.
- E. Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts.
正解:A、D
質問 # 57
An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well- established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the "source of truth" directory for identities.
Which solution meets the organization's requirements?
- A. Pub/Sub
- B. Google Cloud Directory Sync (GCDS)
- C. Security Assertion Markup Language (SAML)
- D. Cloud Identity
正解:B
解説:
Explanation
With Google Cloud Directory Sync (GCDS), you can synchronize the data in your Google Account with your Microsoft Active Directory or LDAP server. GCDS doesn't migrate any content (such as email messages, calendar events, or files) to your Google Account. You use GCDS to synchronize your Google users, groups, and shared contacts to match the information in your LDAP server.
https://support.google.com/a/answer/106368?hl=en
質問 # 58
You are creating a new infrastructure CI/CD pipeline to deploy hundreds of ephemeral projects in your Google Cloud organization to enable your users to interact with Google Cloud. You want to restrict theuse of the default networks in your organization while following Google-recommended best practices. What should you do?
- A. Enable theconstraints/compute.skipDefaultNetworkCreationorganization policy constraint at the organization level.
- B. Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.
- C. Grant your users the 1AM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts thecompute.googleapis.comAPI.
- D. Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.
正解:A
解説:
Explanation
Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints - constraints/compute.skipDefaultNetworkCreation This boolean constraint skips the creation of the default network and related resources during Google Cloud Platform Project resource creation where this constraint is set to True. By default, a default network and supporting resources are automatically created when creating a Project resource.
質問 # 59
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.
Which cost reduction options should you recommend?
- A. Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.
- B. Use FindingLimits and TimespanContfig to sample data and minimize transformation units.
- C. Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
- D. Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
正解:C
解説:
Explanation
https://cloud.google.com/dlp/docs/inspecting-storage#sampling
https://cloud.google.com/dlp/docs/best-practices-costs#limit_scans_of_files_in_to_only_relevant_files
質問 # 60
A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities.
Which service should be used to accomplish this?
- A. Cloud Armor
- B. Forseti Security
- C. Cloud Security Scanner
- D. Google Cloud Audit Logs
正解:C
解説:
https://cloud.google.com/security-scanner/
質問 # 61
The security operations team needs access to the security-related logs for all projects in their organization.
They have the following requirements:
Follow the least privilege model by having only view access to logs.
Have access to Admin Activity logs.
Have access to Data Access logs.
Have access to Access Transparency logs.
Which Identity and Access Management (IAM) role should the security operations team be granted?
- A. roles/logging.privateLogViewer
- B. roles/viewer
- C. roles/logging.viewer
- D. roles/logging.admin
正解:A
解説:
Explanation
https://cloud.google.com/logging/docs/access-control#considerations roles/logging.privateLogViewer (Private Logs Viewer) includes all the permissions contained by roles/logging.viewer, plus the ability to read Data Access audit logs in the _Default bucket.
質問 # 62
You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV.
You want to minimize risk. What should you do?
- A. On the Google Admin console, select the appropriate user account, and generate a backup code to allow the user to sign in. Ask the user to update their second factor.
- B. On the Google Admin console, select the appropriate user account, and temporarily disable 2SV for this account Ask the user to update their second factor, and then re-enable 2SV for this account.
- C. On the Google Admin console, temporarily disable the 2SV requirements for all users. Ask the user to log in and add their new second factor to their account. Re-enable the 2SV requirement for all users.
- D. On the Google Admin console, use a super administrator account to reset the user account's credentials. Ask the user to update their credentials after their first login.
正解:A
解説:
Explanation
https://support.google.com/a/answer/9176734
Use backup codes for account recovery If you need to recover an account, use backup codes. Accounts are still protected by 2-Step Verification, and backup codes are easy to generate.
質問 # 63
You are implementing data protection by design and in accordance with GDPR requirements. As part of design reviews, you are told that you need to manage the encryption key for a solution that includes workloads for Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. Which option should you choose for this implementation?
- A. Customer-supplied encryption keys
- B. Cloud External Key Manager
- C. Customer-managed encryption keys
- D. Google default encryption
正解:C
質問 # 64
A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location.
How should the company accomplish this?
- A. Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.
- B. Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.
- C. Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.
- D. Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.
正解:B
解説:
Explanation
https://cloud.google.com/load-balancing/docs/tcp
TCP Proxy Load Balancing is implemented on GFEs that are distributed globally. If you choose the Premium Tier of Network Service Tiers, a TCP proxy load balancer is global. In Premium Tier, you can deploy backends in multiple regions, and the load balancer automatically directs user traffic to the closest region that has capacity. If you choose the Standard Tier, a TCP proxy load balancer can only direct traffic among backends in a single region.
https://cloud.google.com/load-balancing/docs/load-balancing-overview#tcp-proxy-load-balancing
質問 # 65
Your organization wants to be compliant with the General Data Protection Regulation (GDPR) on Google Cloud You must implement data residency and operational sovereignty in the EU.
What should you do?
Choose 2 answers
- A. Limit the physical location of a new resource with the Organization Policy Service resource locations constraint."
- B. Use Cloud IDS to get east-west and north-south traffic visibility in the EU to monitor intra-VPC and mter-VPC communication.
- C. Use VPC Flow Logs to monitor intra-VPC and inter-VPC traffic in the EU.
- D. Use identity federation to limit access to Google Cloud resources from non-EU entities.
- E. Limit Google personnel access based on predefined attributes such as their citizenship or geographic location by using Key Access Justifications
正解:A、E
解説:
Explanation
https://cloud.google.com/architecture/framework/security/data-residency-sovereignty#manage_your_operational
質問 # 66
You need to enforce a security policy in your Google Cloud organization that prevents users from exposing objects in their buckets externally. There are currently no buckets in your organization. Which solution should you implement proactively to achieve this goal with the least operational overhead?
- A. Create an hourly cron job to run a Cloud Function that finds public buckets and makes them private.
- B. Enable the constraints/storage.publicAccessPrevention constraint at the organization level.
- C. Create a VPC Service Controls perimeter that protects the storage.googleapis.com service in your projects that contains buckets. Add any new project that contains a bucket to the perimeter.
- D. Enable the constraints/storage.uniformBucketLevelAccess constraint at the organization level.
正解:B
質問 # 67
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior.
What should you do to meet these requirements?
- A. Create a Project per department under the Organization. For each department's Project, assign the Project Viewer role to the Google Group related to that department.
- B. Create a Folder per department under the Organization. For each department's Folder, assign the Project Browser role to the Google Group related to that department.
- C. Create a Folder per department under the Organization. For each department's Folder, assign the Project Viewer role to the Google Group related to that department.
- D. Create a Project per department under the Organization. For each department's Project, assign the Project Browser role to the Google Group related to that department.
正解:C
解説:
Explanation
https://cloud.google.com/iam/docs/understanding-roles#project-roles
質問 # 68
How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?
- A. Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow.
- B. Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system.
- C. Build a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs.
- D. Send all logs to the SIEM system via an existing protocol such as syslog.
正解:A
解説:
Scenarios for exporting Cloud Logging data: Splunk This scenario shows how to export selected logs from Cloud Logging to Pub/Sub for ingestion into Splunk. Splunk is a security information and event management (SIEM) solution that supports several ways of ingesting data, such as receiving streaming data out of Google Cloud through Splunk HTTP Event Collector (HEC) or by fetching data from Google Cloud APIs through Splunk Add-on for Google Cloud. Using the Pub/Sub to Splunk Dataflow template, you can natively forward logs and events from a Pub/Sub topic into Splunk HEC. If Splunk HEC is not available in your Splunk deployment, you can use the Add-on to collect the logs and events from the Pub/Sub topic. https://cloud.google.com/solutions/exporting-stackdriver-logging-for-splunk
質問 # 69
You want to prevent users from accidentally deleting a Shared VPC host project. Which organization-level policy constraint should you enable?
- A. compute.sharedReservationsOwnerProjects
- B. compute.restrictSharedVpcSubnetworks
- C. compute.restrictSharedVpcHostProjects
- D. compute.restrictXpnProjectLienRemoval
正解:D
質問 # 70
A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.
How should the customer achieve this using Google Cloud Platform?
- A. Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL.
- B. Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.
- C. Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.
- D. Use Cloud Source Repositories, and store secrets in Cloud SQL.
正解:B
質問 # 71
You are migrating an application into the cloud The application will need to read data from a Cloud Storage bucket. Due to local regulatory requirements, you need to hold the key material used for encryption fully under your control and you require a valid rationale for accessing the key material.
What should you do?
- A. Generate a key in your on-premises environment to encrypt the data before you upload the data to the Cloud Storage bucket Upload the key to the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and have the external key system reject unauthorized accesses.
- B. Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys. Configure an 1AM deny policy for unauthorized groups
- C. Generate a key in your on-premises environment and store it in a Hardware Security Module (HSM) that is managed on-premises Use this key as an external key in the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and set the external key system to reject unauthorized accesses.
- D. Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys backed by a Cloud Hardware Security Module (HSM). Enable data access logs.
正解:C
解説:
By generating a key in your on-premises environment and storing it in an HSM that you manage, you're ensuring that the key material is fully under your control. Using the key as an external key in Cloud KMS allows you to use the key with Google Cloud services without having the key stored on Google Cloud. Activating Key Access Justifications (KAJ) provides a reason every time the key is accessed, and you can configure the external key system to reject unauthorized access attempts.
質問 # 72
Your company operates an application instance group that is currently deployed behind a Google Cloud load balancer in us-central-1 and is configured to use the Standard Tier network. The infrastructure team wants to expand to a second Google Cloud region, us-east-2. You need to set up a single external IP address to distribute new requests to the instance groups in both regions.
What should you do?
- A. Change the load balancer frontend configuration to use the Premium Tier network, and add the new instance group.
- B. Change the load balancer backend configuration to use network endpoint groups instead of instance groups.
- C. Create a Cloud VPN connection between the two regions, and enable Google Private Access.
- D. Create a new load balancer in us-east-2 using the Standard Tier network, and assign a static external IP address.
正解:A
解説:
https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional
質問 # 73
While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?
- A. Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
- B. Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
- C. Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
- D. Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.
正解:A
解説:
Explanation/Reference: https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management- system-with-google-cloud-platform
質問 # 74
A retail customer allows users to upload comments and product reviews. The customer needs to make sure the text does not include sensitive data before the comments or reviews are published.
Which Google Cloud Service should be used to achieve this?
- A. Cloud Key Management Service
- B. BigQuery
- C. Cloud Security Scanner
- D. Cloud Data Loss Prevention API
正解:D
質問 # 75
......
プロフェッショナル・クラウドセキュリティエンジニア認定資格は、クラウドセキュリティ領域で最も権威のある認定資格の1つであり、Google Cloud Certified認証資格の1つであり、クラウドセキュリティの専門知識を示す世界的な基準です。この認定資格は、保持者がGoogle Cloud Platformでセキュリティソリューションを設計、実装、管理するために必要な知識とスキルを持っていることを示しています。
心強いProfessional-Cloud-Security-EngineerのPDF問題集はProfessional-Cloud-Security-Engineer問題:https://jp.fast2test.com/Professional-Cloud-Security-Engineer-premium-file.html
2024年最新の実際に出るProfessional-Cloud-Security-Engineer問題集には試験のコツがあるPDF試験材料:https://drive.google.com/open?id=1X9r295RbTDgGRTivQGeVVbCfY17L36T1