
Professional-Cloud-Security-Engineer実際の問題解答PDFには100%カバー率リアル試験問題
Professional-Cloud-Security-Engineer試験問題解答
質問 # 150
Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre- production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?
- A. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project.
2. Process Cloud Storage objects in SIEM. - B. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project.
2. Subscribe SIEM to the topic. - C. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project.
2. Process Cloud Storage objects in SIEM. - D. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project.
2. Subscribe SIEM to the topic.
正解:B
解説:
To use the aggregated sink feature, create a sink in a Google Cloud organization or folder and set the sink's includeChildren parameter to True. That sink can then export log entries from the organization or folder, plus (recursively) from any contained folders, billing accounts, or projects.
You can use the sink's filter to specify log entries from projects, resource types, or named logs.
https://cloud.google.com/logging/docs/export/aggregated_sinks
質問 # 151
You have numerous private virtual machines on Google Cloud. You occasionally need to manage the servers through Secure Socket Shell (SSH) from a remote location. You want to configure remote access to the servers in a manner that optimizes security and cost efficiency.
What should you do?
- A. Create a site-to-site VPN from your corporate network to Google Cloud.
- B. Create a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range Grant the role of an IAP- secured Tunnel User to the administrators.
- C. Create a jump host instance with public IP Manage the instances by connecting through the jump host.
- D. Configure server instances with public IP addresses Create a firewall rule to only allow traffic from your corporate IPs.
正解:B
解説:
Using Identity-Aware Proxy (IAP) for managing SSH access to private VMs ensures secure access control and avoids the need for public IPs. IAP allows you to enforce identity-based access control policies.
* Enable IAP: Ensure that IAP is enabled for your project. This can be done via the Google Cloud Console under "Security" -> "Identity-Aware Proxy".
* Set Up Firewall Rule: Create a firewall rule to allow SSH traffic from the IAP IP ranges.
* Navigate to "VPC network" -> "Firewall".
* Create a new rule allowing ingress traffic on port 22 (SSH) from the IAP IP ranges.
* Assign IAP-Secured Tunnel User Role: Grant the roles/iap.tunnelResourceAccessor role to the administrators who need SSH access.
* Go to "IAM & Admin" -> "IAM".
* Assign the IAP-Secured Tunnel User role to the relevant users or groups.
* SSH Using IAP: Administrators can now use IAP to SSH into the instances. This can be done using the gcloud command:
gcloud compute ssh [INSTANCE_NAME] --tunnel-through-iap
References:
* Using Identity-Aware Proxy for TCP forwarding
* Google Cloud Firewall Rules
質問 # 152
You want to use the gcloud command-line tool to authenticate using a third-party single sign-on (SSO) SAML identity provider. Which options are necessary to ensure that authentication is supported by the third-party identity provider (IdP)? (Choose two.)
- A. Identity Platform
- B. Cloud Identity
- C. Identity-Aware Proxy
- D. OpenID Connect
- E. SSO SAML as a third-party IdP
正解:D、E
質問 # 153
Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects.
The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?
- A. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project.
2.Process Cloud Storage objects in SIEM. - B. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project.
2.Process Cloud Storage objects in SIEM. - C. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project.
2.Subscribe SIEM to the topic. - D. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project.
2.Subscribe SIEM to the topic.
正解:D
解説:
"Your team needs to obtain a unified log view of all development cloud projects in your SIEM" - This means we are ONLY interested in development projects. "The development projects are under the NONPROD organization folder with the test and pre-production projects" - We will need to filter out development from others i.e test and pre-prod. "The development projects share the ABC-BILLING billing account with the rest of the organization." - This is unnecessary information.
質問 # 154
A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?
- A. Use Cloud Build to build the container images.
- B. Build small containers using small base images.
- C. Delete non-used versions from Container Registry.
- D. Use a Continuous Delivery tool to deploy the application.
正解:D
解説:
Explanation/Reference: https://cloud.google.com/solutions/best-practices-for-building-containers
質問 # 155
Your customer has an on-premises Public Key Infrastructure (PKI) with a certificate authority (CA). You need to issue certificates for many HTTP load balancer frontends. The on-premises PKI should be minimally affected due to many manual processes, and the solution needs to scale.
What should you do?
- A. Use a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.
- B. Use Certificate Manager to issue Google managed public certificates and configure it at HTTP the load balancers in your infrastructure as code (laC).
- C. Use Certificate Manager to import certificates issued from on-premises PKI and for the frontends.
Leverage the gcloud tool for importing - D. Use the web applications with PKCS12 certificates issued from subordinate CA based on OpenSSL on-premises Use the gcloud tool for importing. Use the External TCP/UDP Network load balancer instead of an external HTTP Load Balancer.
正解:A
解説:
Explanation
This approach allows you to leverage your existing on-premises PKI infrastructure while minimizing its impact and manual processes. By creating a subordinate CA in Google's Certificate Authority Service, you can automate the process of issuing certificates for your HTTP load balancer frontends. This solution scales well as the number of load balancers increases.
質問 # 156
Your Google Cloud environment has one organization node, one folder named Apps." and several projects within that folder The organizational node enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allowsmembers from the terramearth.com organization The "Apps" folder enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allows members from the flowlogistic.com organization. It also has the inheritFromParent: false property.
You attempt to grant access to a project in the Apps folder to the user [email protected].
What is the result of your action and why?
- A. The action succeeds because members from both organizations, terramearth. com or flowlogistic.com, are allowed on projects in the "Apps" folder
- B. The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed.
- C. The action succeeds and the new member is successfully added to the project's Identity and Access Management (1AM) policy because all policies are inherited by underlying folders and projects.
- D. The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy must be defined on the current project to deactivate the constraint temporarily.
正解:B
解説:
Explanation
The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed. The inheritFromParent: false property on the "Apps" folder means that it does not inherit the organization policy from the organization node. Therefore, only the policy set at the folder level applies, which allows only members from the flowlogistic.com organization. As a result, the attempt to grant access to the user [email protected] fails because this user is not a member of the flowlogistic.com organization.
質問 # 157
You need to use Cloud External Key Manager to create an encryption key to encrypt specific BigQuery data at rest in Google Cloud. Which steps should you do first?
- A. 1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).
2. In Cloud KMS, grant your Google Cloud project access to use the key. - B. 1. Create or use an existing key with a unique uniform resource identifier (URI) in your Google Cloud project.
2. Grant your Google Cloud project access to a supported external key management partner system. - C. 1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).
2. In Cloud KMS, grant your Google Cloud project access to use the key. - D. 1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system.
2. In the external key management partner system, grant access for this key to use your Google Cloud project.
正解:D
質問 # 158
A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity-Aware Proxy.
What should the customer do to meet these requirements?
- A. Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.
- B. Make sure that the ERP system can validate the JWT assertion in the HTTP requests.
- C. Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests.
- D. Make sure that the ERP system can validate the identity headers in the HTTP requests.
正解:B
質問 # 159
A customer has an analytics workload running on Compute Engine that should have limited internet access.
Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.
The Compute Engine instances now need to reach out to the public repository to get security updates. What should your team do?
- A. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.
- B. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.
- C. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.
- D. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.
正解:B
解説:
https://cloud.google.com/vpc/docs/firewalls#priority_order_for_firewall_rules
質問 # 160
A customer wants to deploy a large number of 3-tier web applications on Compute Engine.
How should the customer ensure authenticated network separation between the different tiers of the application?
- A. Run each tier with a different Service Account (SA), and use SA-based firewall rules.
- B. Run each tier in its own Project, and segregate using Project labels.
- C. Run each tier in its own subnet, and use subnet-based firewall rules.
- D. Run each tier with its own VM tags, and use tag-based firewall rules.
正解:A
解説:
"Isolate VMs using service accounts when possible"
"even though it is possible to uses tags for target filtering in this manner, we recommend that you use service accounts where possible. Target tags are not access-controlled and can be changed by someone with the instanceAdmin role while VMs are in service. Service accounts are access- controlled, meaning that a specific user must be explicitly authorized to use a service account.
There can only be one service account per instance, whereas there can be multiple tags. Also, service accounts assigned to a VM can only be changed when the VM is stopped."
https://cloud.google.com/solutions/best-practices-vpc-design#isolate-vms-service-accounts
質問 # 161
Applications often require access to "secrets" - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of "who did what, where, and when?" within their GCP projects.
Which two log streams would provide the information that the administrator is looking for? (Choose two.)
- A. VPC Flow logs
- B. Agent logs
- C. System Event logs
- D. Data Access logs
- E. Admin Activity logs
正解:D、E
質問 # 162
A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to manage and rotate the encryption keys.
Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?
- A. Customer-supplied encryption keys (CSEK)
- B. Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
- C. Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis
- D. Encryption by default
正解:B
解説:
Explanation/Reference:
Reference https://cloud.google.com/kubernetes-engine/docs/how-to/dynamic-provisioning-cmek
質問 # 163
Your organization is moving virtual machines (VMs) to Google Cloud. You must ensure that operating system images that are used across your projects are trusted and meet your security requirements.
What should you do?
- A. Create a Cloud Function that is automatically triggered when a new virtual machine is created from the trusted image repository Verify that the image is not deprecated.
- B. Implement an organization policy constraint that enables the Shielded VM service on all projects to enforce the trusted image repository usage.
- C. Automate a security scanner that verifies that no common vulnerabilities and exposures (CVEs) are present in your trusted image repository.
- D. Implement an organization policy to enforce that boot disks can only be created from images that come from the trusted image project.
正解:D
解説:
* Define Trusted Image Projects:
* Identify the project or projects where your trusted operating system images are stored.
* Ensure these images meet your organization's security requirements and are regularly updated to mitigate vulnerabilities.
* Create an Organization Policy:
* Navigate to the Organization Policies page in the Google Cloud Console.
* Create a policy constraint that restricts the creation of boot disks to only those images stored in your trusted image project(s).
* The policy constraint to use is constraints/compute.trustedImageProjects.
* Apply the Policy:
* Apply this organization policy at the appropriate level (organization, folder, or project) to enforce that all new VM instances use images from the trusted repository.
* This ensures consistency in the security posture across all projects within the organization.
* Monitor Compliance:
* Regularly monitor the compliance with this policy using audit logs and other monitoring tools.
* Update the trusted images as necessary to ensure they remain secure and compliant with your security standards.
References:
* Organization Policy Service
* Trusted Image Projects Constraint
質問 # 164
You run applications on Cloud Run. You already enabled container analysis for vulnerability scanning. However, you are concerned about the lack of control on the applications that are deployed. You must ensure that only trusted container images are deployed on Cloud Run.
What should you do? (Choose two.)
- A. Set the organization policy constraint constraints/run.allowedBinaryAuthorizationPolicies to the list or allowed Binary Authorization policy names.
- B. Set the organization policy constraint constraints/compute.trustedImageProjects to the list of projects that contain the trusted container images.
- C. Use Cloud Run breakglass to deploy an image that meets the Binary Authorization policy by default.
- D. Enable Binary Authorization on the existing Cloud Run service.
- E. Enable Binary Authorization on the existing Kubernetes cluster.
正解:A、D
解説:
https://cloud.google.com/binary-authorization/docs/run/requiring-binauthz-cloud-run
質問 # 165
You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources. Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts.
Which two actions should you take? (Choose two.)
- A. Add users to your managed Google account and force users to change the email addresses associated with their personal accounts.
- B. Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.
- C. Use the Google Admin console to view which managed users are using a personal account for their recovery email.
- D. Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity.
- E. Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts.
正解:D、E
解説:
Explanation
https://cloud.google.com/architecture/identity/migrating-consumer-accounts#initiating_a_transfer
質問 # 166
Your organization wants to be compliant with the General Data Protection Regulation (GDPR) on Google Cloud You must implement data residency and operational sovereignty in the EU.
What should you do?
Choose 2 answers
- A. Use Cloud IDS to get east-west and north-south traffic visibility in the EU to monitor intra-VPC and mter-VPC communication.
- B. Limit the physical location of a new resource with the Organization Policy Service resource locations constraint."
- C. Limit Google personnel access based on predefined attributes such as their citizenship or geographic location by using Key Access Justifications
- D. Use identity federation to limit access to Google Cloud resources from non-EU entities.
- E. Use VPC Flow Logs to monitor intra-VPC and inter-VPC traffic in the EU.
正解:B、C
解説:
https://cloud.google.com/architecture/framework/security/data-residency-sovereignty#manage_your_operational_sovereignty
質問 # 167
......
Professional-Cloud-Security-Engineer試験練習テスト問題:https://jp.fast2test.com/Professional-Cloud-Security-Engineer-premium-file.html
合格させるProfessional-Cloud-Security-Engineer試験情報と無料練習テスト:https://drive.google.com/open?id=1s7Nzd9QfPmZEaFRlqrWSWbZUTynaeJJ0