
Professional-Cloud-Security-Engineer問題一発合格させる問題集はGoogle Cloud Certified認定で!
Professional-Cloud-Security-Engineer練習テストPDF試験材料
Google Professional-Cloud-Security-Engineer 認定試験の出題範囲:
| トピック | 出題範囲 |
|---|---|
| トピック 1 |
|
| トピック 2 |
|
| トピック 3 |
|
| トピック 4 |
|
Google Professional-Cloud-Security-Engineer試験は、クラウド上のデータやインフラストラクチャのセキュリティを担当する専門家を対象としたGoogleが提供する認定試験です。この試験は、Google Cloud Platform(GCP)におけるセキュリティコントロールの実装とコンプライアンスの維持に関する候補者の知識とスキルをテストするために設計されています。認定は、セキュリティエンジニア、セキュリティアーキテクト、クラウドセキュリティに関する経験のある他の専門家を対象としています。
質問 # 54
The security operations team needs access to the security-related logs for all projects in their organization.
They have the following requirements:
Follow the least privilege model by having only view access to logs.
Have access to Admin Activity logs.
Have access to Data Access logs.
Have access to Access Transparency logs.
Which Identity and Access Management (IAM) role should the security operations team be granted?
- A. roles/viewer
- B. roles/logging.privateLogViewer
- C. roles/logging.admin
- D. roles/logging.viewer
正解:B
解説:
Explanation
https://cloud.google.com/logging/docs/access-control#considerations roles/logging.privateLogViewer (Private Logs Viewer) includes all the permissions contained by roles/logging.viewer, plus the ability to read Data Access audit logs in the _Default bucket.
質問 # 55
Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?
- A. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project.
2. Process Cloud Storage objects in SIEM. - B. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project.
2. Subscribe SIEM to the topic. - C. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project.
2. Subscribe SIEM to the topic. - D. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project.
2. Process Cloud Storage objects in SIEM.
正解:A
質問 # 56
In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.
Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)
- A. Cloud Storage
- B. Cloud Functions
- C. Google Kubernetes Engine
- D. App Engine
- E. Compute Engine
正解:D、E
解説:
Explanation/Reference: https://cloud.google.com/solutions/pci-dss-compliance-in-gcp
質問 # 57
A customer's data science group wants to use Google Cloud Platform (GCP) for their analytics workloads.
Company policy dictates that all data must be company-owned and all user authentications must go through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and realized that their domain was already being used by G Suite.
How should you best advise the Systems Engineer to proceed with the least disruption?
- A. Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.
- B. Register a new domain name, and use that for the new Cloud Identity domain.
- C. Ask customer's management to discover any other uses of Google managed services, and work with the existing Super Administrator.
- D. Ask Google to provision the data science manager's account as a Super Administrator in the existing domain.
正解:C
解説:
Explanation
https://support.google.com/cloudidentity/answer/7389973
質問 # 58
You are creating a new infrastructure CI/CD pipeline to deploy hundreds of ephemeral projects in your Google Cloud organization to enable your users to interact with Google Cloud.
You want to restrict the use of the default networks in your organization while following Google-recommended best practices.
What should you do?
- A. Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
- B. Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.
- C. Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.
- D. Grant your users the 1AM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts the compute.googleapis.com API.
正解:A
解説:
Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints - constraints/compute.skipDefaultNetworkCreation This boolean constraint skips the creation of the default network and related resources during Google Cloud Platform Project resource creation where this constraint is set to True. By default, a default network and supporting resources are automatically created when creating a Project resource.
質問 # 59
You are working with a client who plans to migrate their data to Google Cloud. You are responsible for recommending an encryption service to manage their encrypted keys. You have the following requirements:
* The master key must be rotated at least once every 45 days.
* The solution that stores the master key must be FIPS 140-2 Level 3 validated.
* The master key must be stored in multiple regions within the US for redundancy.
Which solution meets these requirements?
- A. Customer-managed encryption keys with Cloud HSM
- B. Customer-supplied encryption keys
- C. Google-managed encryption keys
- D. Customer-managed encryption keys with Cloud Key Management Service
正解:A
解説:
Explanation
https://cloud.google.com/docs/security/key-management-deep-dive https://cloud.google.com/kms/docs/faq
質問 # 60
Which encryption algorithm is used with Default Encryption in Cloud Storage?
- A. SHA512
- B. MD5
- C. 3DES
- D. AES-256
正解:D
解説:
A is correct because Cloud Storage encrypts user data at rest using AES-256.
B is not correct because Cloud Storage encrypts user data at rest using AES-256.
C is not correct because Cloud Storage encrypts user data at rest using AES-256.
D is not correct because Cloud Storage encrypts user data at rest using AES-256.
https://cloud.google.com/storage/docs/encryption/default-keys
質問 # 61
You have noticed an increased number of phishing attacks across your enterprise user accounts. You want to implement the Google 2-Step Verification (2SV) option that uses a cryptographic signature to authenticate a user and verify the URL of the login page. Which Google 2SV option should you use?
- A. Cloud HSM keys
- B. Titan Security Keys
- C. Google prompt
- D. Google Authenticator app
正解:D
質問 # 62
A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).
How should the team complete this task?
- A. Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
- B. Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
- C. Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
- D. Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.
正解:D
解説:
https://cloud.google.com/storage/docs/encryption/customer-supplied-keys
質問 # 63
An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organization's risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibility model between the organization and Google Cloud.
What solution would help meet the requirements?
- A. Set up Cloud Armor to ensure that network security controls can be managed for G Suite.
- B. Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation.
- C. Network security is a built-in solution and Google's Cloud responsibility for SaaS products like G Suite.
- D. Ensure that firewall rules are in place to meet the required controls.
正解:C
解説:
Explanation
https://gsuite.google.com/learn-more/security/security-whitepaper/page-1.html Shared responsibility "Security of the Cloud" - GCP is responsible for protecting the infrastructure that runs all of the services offered in the GCP Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run GCP Cloud services.
質問 # 64
Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud.
What should you do?
- A. Use the Cloud Key Management Service to manage the key encryption key (KEK).
- B. Use customer-supplied encryption keys to manage the key encryption key (KEK).
- C. Use the Cloud Key Management Service to manage the data encryption key (DEK).
- D. Use customer-supplied encryption keys to manage the data encryption key (DEK).
正解:A
解説:
Explanation
This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK). For more information on Google data encryption keys, see Encryption at Rest.
https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption
https://codelabs.developers.google.com/codelabs/encrypt-and-decrypt-data-with-cloud-kms#0
質問 # 65
Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service. Your team wants to manage permissions by AD group membership.
What should your team do to meet these requirements?
- A. Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory.
- B. Set up SAML 2.0 Single Sign-On (SSO), and assign IAM permissions to the groups.
- C. Use the Admin SDK to create groups and assign IAM permissions from Active Directory.
- D. Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.
正解:B
質問 # 66
You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to-know basis to the HR team. What should you do?
- A. Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.
- B. Perform data masking with the DLP API and store that data in BigQuery for later use.
- C. Perform data inspection with the DLP API and store that data in BigQuery for later use.
- D. Perform data redaction with the DLP API and store that data in BigQuery for later use.
正解:C
解説:
Explanation/Reference: https://towardsdatascience.com/bigquery-pii-and-cloud-data-loss-prevention-dlp-take-it-to-the-next- level-with-data-catalog-c47c31bcf677
質問 # 67
Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.
Which two settings must remain disabled to meet these requirements? (Choose two.)
- A. IAM Network User Role
- B. Static routes
- C. IP Forwarding
- D. Public IP
- E. Private Google Access
正解:B、E
解説:
https://cloud.google.com/vpc/docs/configure-private-google-access
質問 # 68
What are the steps to encrypt data using envelope encryption?
- A. Generate a key encryption key (KEK) locally.
Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK.
Store the encrypted data and the wrapped DEK. - B. Generate a key encryption key (KEK) locally.
Generate a data encryption key (DEK) locally. Encrypt data with the KEK.
Store the encrypted data and the wrapped DEK. - C. Generate a data encryption key (DEK) locally.
Encrypt data with the DEK.
Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK. - D. Generate a data encryption key (DEK) locally.
Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK.
Store the encrypted data and the wrapped KEK.
正解:C
質問 # 69
You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?
- A. Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.
- B. Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.
- C. Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.
- D. Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.
正解:C
質問 # 70
A database administrator notices malicious activities within their Cloud SQL instance. The database administrator wants to monitor the API calls that read the configuration or metadata of resources. Which logs should the database administrator review?
- A. Access Transparency
- B. Data Access
- C. Admin Activity
- D. System Event
正解:B
解説:
Explanation
https://cloud.google.com/logging/docs/audit/#data-access "Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data."
質問 # 71
......
Google Professional-Cloud-Security-Engineer認定試験は、Google Cloud Platform上でアプリケーションを管理およびセキュリティで保護する専門知識を持つ個人を対象として設計されています。この認定は、クラウドベースのソリューションのセキュリティコントロールの実装とコンプライアンスの維持を担当するプロフェッショナルに最適です。この認定を取得することで、個人は、Google Cloud Platform上で安全なインフラストラクチャを設計・実装し、セキュリティポリシーを設定し、コンプライアンスコントロールを管理するスキルを証明できます。
Professional-Cloud-Security-Engineer[2023年05月] 最新リリース] 試験問題あなたを必ず合格させます:https://jp.fast2test.com/Professional-Cloud-Security-Engineer-premium-file.html
Professional-Cloud-Security-Engineer解答Professional-Cloud-Security-Engineer無料サンプルには全てリアル試験:https://drive.google.com/open?id=1IJ4Qa4EaJ1MI5ojJd-PodKgWPUQyDGea