Professional-Cloud-Security-Engineer問題集、Google実際の試験問題

質問 1

Your organization is using Vertex AI Workbench Instances. You must ensure that newly deployed instances are automatically kept up-to-date and that users cannot accidentally alter settings in the operating system. What should you do?

A. Enable the VM Manager and ensure the corresponding Google Compute Engine instances are added.

B. Implement a firewall rule that prevents Secure Shell access to the corresponding Google Compute Engine instances by using tags.

C. Enforce the disableRootAccess and requireAutoUpgradeSchedule organization policies for newly deployed instances.

D. Assign the AI Notebooks Runner and AI Notebooks Viewer roles to the users of the AI Workbench Instances.

正解: C

解説: (PassTest メンバーにのみ表示されます)

質問 2

A centralized security service has been implemented by your company All applications running in Google Cloud are required to send data to this service You need to ensure that developers have high autonomy to configure firewall rules within their projects, while preventing accidental blockage of access to the central security service What should you do?

A. Use Terraform to automate the creation of the required firewall rule in all projects Restrict rule change permissions solely to the Terraform service account

B. Create a central project to manage Shared VPC networks which will be accessible to all other projects Administer all firewall rules centrally within this project

C. Deploy a central Secure Web Proxy and connect it to all VPC networks Create a Secure Web Proxy policy to allow traffic to the central security service

D. Implement a hierarchical firewall policy that prioritizes the central security service by allowing its connections and directing all other traffic to the subsequent firewall level

正解: D

解説: (PassTest メンバーにのみ表示されます)

質問 3

You need to create a VPC that enables your security team to control network resources such as firewall rules. How should you configure the network to allow for separation of duties for network resources?

A. Set up VPC Network Peering, and allow developers to peer their network with a Shared VPC.

B. Set up a VPC in a project. Assign the Compute Network Admin role to the security team, and assign the Compute Admin role to the developers.

C. Set up a Shared VPC where the security team manages the firewall rules, and share the network with developers via service projects.

D. Set up multiple VPC networks, and set up multi-NIC virtual appliances to connect the networks.

正解: C

解説: (PassTest メンバーにのみ表示されます)

質問 4

You manage one of your organization's Google Cloud projects (Project A). AVPC Service Control (SC) perimeter is blocking API access requests to this project including Pub/Sub. A resource running under a service account in another project (Project B) needs to collect messages from a Pub/Sub topic in your project Project B is not included in a VPC SC perimeter. You need to provide access from Project B to the Pub/Sub topic in Project A using the principle of least Privilege.
What should you do?

A. Configure an ingress policy for the perimeter in Project A and allow access for the service account in Project B to collect messages.

B. Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project A.

C. Create a perimeter bridge between Project A and Project B to allow the required communication between both projects.

D. Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is located in Project A.

正解: A

解説: (PassTest メンバーにのみ表示されます)

質問 5

A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud.
What should you do?

A. * 1. Get a GitHub subscription.
* 2. Build the images in Cloud Build and store them in GitHub for automatic scanning
* 3. Download the report from GitHub and share with the Security Team

B. * 1. Enable vulnerability scanning in the Artifact Registry settings.
* 2. Use Cloud Build to build the images
* 3. Push the images to the Artifact Registry for automatic scanning.
* 4. View the reports in the Artifact Registry.

C. * 1. Use an open source tool in Cloud Build to scan the images.
* 2. Upload reports to publicly accessible buckets in Cloud Storage by using gsutil
* 3. Share the scan report link with your security department.

D. 1. Enable Container Threat Detection in the Security Command Center Premium tier.
* 2. Upgrade all clusters that are not on a supported version of GKE to the latest possible GKE version.
* 3. View and share the results from the Security Command Center

正解: B

解説: (PassTest メンバーにのみ表示されます)

質問 6

An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.
Which GCP solution should the organization use?

A. Cloud Storage using a scheduled task and gsutil via Cloud Interconnect

B. BigQuery using a data pipeline job with continuous updates via Cloud VPN

C. Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect

D. Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN

正解: A

解説: (PassTest メンバーにのみ表示されます)

質問 7

You need to set up a Cloud interconnect connection between your company's on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?

A. Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.

B. Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.

C. Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud interconnect connection.

D. Enable Private Google Access on the regional subnets and global dynamic routing mode.

正解: B

解説: (PassTest メンバーにのみ表示されます)

質問 8

You need to implement an encryption at-rest strategy that reduces key management complexity for non-sensitive data and protects sensitive data while providing the flexibility of controlling the key residency and rotation schedule. FIPS 140-2 L1 compliance is required for all data types. What should you do?

A. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

B. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.

C. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service

D. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.

正解: A

解説: (PassTest メンバーにのみ表示されます)

質問 9

Your organization has 3 TB of information in BigQuery and Cloud SQL You need to develop a cost-effective, scalable, and secure strategy to anonymize the personally identifiable information (PII) that exists today What should you do?

A. Export all 3TB of data from BigQuery and Cloud SQL to Cloud Storage Use Cloud Sensitive Data Protection to anonymize the exported data Re-import the anonymized data back into BigQuery and Cloud SQL

B. Scan your BigQuery and Cloud SQL data using the Cloud DLP data profiling feature Use the data profiling results to create a de-identification strategy with either Cloud Sensitive Data Protection's de-identification templates or custom configurations

C. Create a new BigQuery dataset and Cloud SQL instance Copy a small subset of the data to these new locations Use Cloud Data Loss Prevention API to scan this subset for PII Based on the results, create a custom anonymization script and apply the script to the entire 3 TB dataset in the original locations

D. Inspect a representative sample of the data in BigQuery and Cloud SQL to identify PII Based on this analysis, develop a custom script to anonymize the identified PII

正解: B

解説: (PassTest メンバーにのみ表示されます)

質問 10

Your organization wants to protect all workloads that run on Compute Engine VM to ensure that the instances weren't compromised by boot-level or kernel-level malware. Also, you need to ensure that data in use on the VM cannot be read by the underlying host system by using a hardware-based solution.
What should you do?

A. * 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring
* 2 Activate Confidential Computing
* 3 Enforce these actions by using organization policies

B. * 1 Use secure hardened images from the Google Cloud Marketplace
* 2 When deploying the images activate the Confidential Computing option
* 3 Enforce the use of the correct images and Confidential Computing by using organization policies

C. * 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring
* 2 Create a Cloud Run function to check for the VM settings generate metrics and run the function regularly

D. * 1 Activate Virtual Machine Threat Detection in Security Command Center (SCO Premium
* 2 Monitor the findings in SCC

正解: A

解説: (PassTest メンバーにのみ表示されます)

質問 11

Your organization is using Vertex AI Workbench Instances. You must ensure that newly deployed instances are automatically kept up-to-date and that users cannot accidentally alter settings in the operating system. What should you do?

A. Enable the VM Manager and ensure the corresponding Google Compute Engine instances are added.

B. Implement a firewall rule that prevents Secure Shell access to the corresponding Google Compute Engine instances by using tags.

C. Enforce the disableRootAccess and requireAutoUpgradeSchedule organization policies for newly deployed instances.

D. Assign the AI Notebooks Runner and AI Notebooks Viewer roles to the users of the AI Workbench Instances.

正解: C

解説: (PassTest メンバーにのみ表示されます)

質問 12

Your company must follow industry specific regulations. Therefore, you need to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources in the organization called org1.
What command should you execute?

A. * organization policy: constraints/gcp.restrictStorageNonCraekServices
* binding at: orgl
* policy type: deny
* policy value: storage.gcogleapis.com

B. * organization policy: constramts/gcp.restrictNonCmekServices
* binding at: orgl
* policy type: allow
* policy value: storage.googleapis.com

C. * organization policy:constraints/gcp.restrictStorageNonCraekServices
* binding at: orgl
* policy type: allow
* policy value: all supported services

D. * organization policy: constraints/gcp.restrictHonCmekServices
* binding at: orgl
* policy type: deny
* policy value: storage.googleapis.com

正解: B

解説: (PassTest メンバーにのみ表示されます)

Google Cloud Certified - Professional Cloud Security Engineer - Professional-Cloud-Security-Engineer 模擬練習