試験問題解答ブレーン問題集でProfessional-Cloud-Security-Engineer試験問題集PDF問題 [Q103-Q126]

Share

試験問題解答ブレーン問題集でProfessional-Cloud-Security-Engineer試験問題集PDF問題

無料ダウンロードGoogle Professional-Cloud-Security-Engineerリアル試験問題


Google Professional-Cloud-Security-Engineer認定試験は、複数選択形式の問題で構成され、クラウドベースのソリューションをセキュアにする知識とスキルを試すために設計されています。試験は、クラウドセキュリティの基礎、アイデンティティとアクセス管理、ネットワークセキュリティ、データ保護、コンプライアンスなど、幅広いトピックをカバーしています。候補者はGoogle Cloud Platformサービスに深い理解を持ち、その知識を実世界のシナリオに適用できるようにする必要があります。認定試験は、クラウドセキュリティのスキルを検証し、その分野での専門知識を認められる素晴らしい方法です。

 

質問 # 103
An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well- established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the "source of truth" directory for identities.
Which solution meets the organization's requirements?

  • A. Google Cloud Directory Sync (GCDS)
  • B. Pub/Sub
  • C. Security Assertion Markup Language (SAML)
  • D. Cloud Identity

正解:D

解説:
Explanation
Explanation/Reference: https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction


質問 # 104
A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE) How should the DevOps team accomplish this?

  • A. Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
  • B. Update the application code or apply a patch, build a new image, and redeploy it.
  • C. Configure containers to automatically upgrade when the base image is available in Container Registry.
  • D. Use Puppet or Chef to push out the patch to the running container.

正解:A

解説:
Explanation/Reference: https://cloud.google.com/kubernetes-engine/docs/security-bulletins


質問 # 105
You want to evaluate GCP for PCI compliance. You need to identify Google's inherent controls.
Which document should you review to find the information?

  • A. PCI SSC Cloud Computing Guidelines
  • B. PCI DSS Requirements and Security Assessment Procedures
  • C. Product documentation for Compute Engine
  • D. Google Cloud Platform: Customer Responsibility Matrix

正解:A


質問 # 106
You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application's backend. What are two requirements for using Google Cloud Armor security policies? (Choose two.)

  • A. The load balancer must use the Premium Network Service Tier.
  • B. The load balancer must be an external SSL proxy load balancer.
  • C. The backend service's load balancing scheme must be EXTERNAL.
  • D. The load balancer must be an external HTTP(S) load balancer.
  • E. Google Cloud Armor Policy rules can only match on Layer 7 (L7) attributes.

正解:C、D

解説:
Explanation
https://cloud.google.com/armor/docs/security-policy-overview#requirements says: The backend service's load balancing scheme must be EXTERNAL, or EXTERNAL_MANAGED *** if you are using global external HTTP(S) load balancer ***.


質問 # 107
You want to update your existing VPC Service Controls perimeter with a new access level. You need to avoid breaking the existing perimeter with this change, and ensure the least disruptions to users while minimizing overhead. What should you do?

  • A. Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration.
    Update the perimeter configuration after the access level has been vetted.
  • B. Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.
  • C. Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.
  • D. Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.

正解:C

解説:
Explanation
https://cloud.google.com/vpc-service-controls/docs/dry-run-mode
When using VPC Service Controls, it can be difficult to determine the impact to your environment when a service perimeter is created or modified. With dry run mode, you can better understand the impact of enabling VPC Service Controls and changes to perimeters in existing environments.


質問 # 108
A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can only be accessed by someone on the corporate network. The customer wants to make it available over the internet.
Your team requires an authentication layer in front of the application that supports two-factor authentication Which GCP product should the customer implement to meet these requirements?

  • A. Cloud Endpoints
  • B. Cloud Armor
  • C. Cloud VPN
  • D. Cloud Identity-Aware Proxy

正解:C


質問 # 109
A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?

  • A. VPC Flow Logs
  • B. Cloud Armor
  • C. DNS Security Extensions
  • D. Cloud Identity-Aware Proxy

正解:C


質問 # 110
You are implementing data protection by design and in accordance with GDPR requirements. As part of design reviews, you are told that you need to manage the encryption key for a solution that includes workloads for Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. Which option should you choose for this implementation?

  • A. Customer-managed encryption keys
  • B. Google default encryption
  • C. Cloud External Key Manager
  • D. Customer-supplied encryption keys

正解:A


質問 # 111
A retail customer allows users to upload comments and product reviews. The customer needs to make sure the text does not include sensitive data before the comments or reviews are published.
Which Google Cloud Service should be used to achieve this?

  • A. Cloud Data Loss Prevention API
  • B. BigQuery
  • C. Cloud Key Management Service
  • D. Cloud Security Scanner

正解:A


質問 # 112
You work for a large organization where each business unit has thousands of users. You need to delegate management of access control permissions to each business unit. You have the following requirements:
Each business unit manages access controls for their own projects.
Each business unit manages access control permissions at scale.
Business units cannot access other business units' projects.
Users lose their access if they move to a different business unit or leave the company.
Users and access control permissions are managed by the on-premises directory service.
What should you do? (Choose two.)

  • A. Create a project naming convention, and use Google's IAM Conditions to manage access based on the prefix of project names.
  • B. Use Google Cloud Directory Sync to synchronize users and group memberships in Cloud Identity.
  • C. Use VPC Service Controls to create perimeters around each business unit's project.
  • D. Organize projects in folders, and assign permissions to Google groups at the folder level.
  • E. Group business units based on Organization Units (OUs) and manage permissions based on OUs.

正解:A、B


質問 # 113
An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.
Which Cloud Identity password guidelines can the organization use to inform their new requirements?

  • A. Set the minimum length for passwords to be 6 characters.
  • B. Set the minimum length for passwords to be 12 characters.
  • C. Set the minimum length for passwords to be 10 characters.
  • D. Set the minimum length for passwords to be 8 characters.

正解:D

解説:
Default password length is 8 characters. https://support.google.com/cloudidentity/answer/33319?hl=en


質問 # 114
A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities.
Which service should be used to accomplish this?

  • A. Cloud Armor
  • B. Google Cloud Audit Logs
  • C. Cloud Security Scanner
  • D. Forseti Security

正解:C


質問 # 115
You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk.
What should you do?

  • A. Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project.Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
  • B. Migrate the application into an isolated project using a "Lift & Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
  • C. Migrate the application into an isolated project using a "Lift & Shift" approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.
  • D. Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

正解:B


質問 # 116
Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups. Which Google Cloud service should you use?

  • A. HTTP(S) Load Balancing
  • B. Cloud NAT
  • C. Google Cloud Armor
  • D. Cloud DNS with DNSSEC

正解:D


質問 # 117
You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project.
What should you do?

  • A. In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.
  • B. In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.
  • C. Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.
  • D. Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.

正解:C

解説:
Explanation
https://cloud.google.com/compute/docs/images/restricting-image-access#trusted_images


質問 # 118
A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?

  • A. On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.
  • B. On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.
  • C. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.
  • D. Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.

正解:A


質問 # 119
Which two security characteristics are related to the use of VPC peering to connect two VPC networks?
(Choose two.)

  • A. Firewall rules that can be created with a tag from one peered network to another peered network
  • B. Central management of routes, firewalls, and VPNs for peered networks
  • C. Ability to share specific subnets across peered networks
  • D. Non-transitive peered networks; where only directly peered networks can communicate
  • E. Ability to peer networks that belong to different Google Cloud Platform organizations

正解:D、E

解説:
Explanation
https://cloud.google.com/vpc/docs/vpc-peering#key_properties


質問 # 120
Your company is deploying their applications on Google Kubernetes Engine. You want to follow Google-recommended practices. What should you do to ensure that the container images used for new deployments contain the latest security patches?

  • A. Use an update script as part of every container image startup.
  • B. Use Container Analysis to detect vulnerabilities in images.
  • C. Use exclusively private images in Container Registry.
  • D. Use Google-managed base images for all containers.

正解:D

解説:
A is correct because Managed base images are base container images that are automatically patched by Google for security vulnerabilities, using the most recent patches available from the project upstream (for example, GitHub).
B is not correct because Container Analysis does not patch the images.
C is not correct because while an update script may help patch on startup, this will significantly increase the amount of time it takes for the instance to become ready for serving workloads.
D is not correct because private images also go out of date and need to be patched manually by the customer.
https://cloud.google.com/container-registry/docs/managed-base-images


質問 # 121
You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.
What should you do?

  • A. Set up an ACL with READER permission to a scope of allUsers.
  • B. Set up an ACL with OWNER permission to a scope of allUsers.
  • C. Set up a default bucket ACL and manage access for users using IAM.
  • D. Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.

正解:B

解説:
Explanation/Reference:
Reference: https://cloud.google.com/storage/docs/access-control/lists


質問 # 122
In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.
Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)

  • A. Google Kubernetes Engine
  • B. Compute Engine
  • C. Cloud Storage
  • D. Cloud Functions
  • E. App Engine

正解:B、E

解説:
Reference:
https://cloud.google.com/solutions/pci-dss-compliance-in-gcp


質問 # 123
Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:
* The network connection must be encrypted.
* The communication between servers must be over private IP addresses.
What should you do?

  • A. Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.
  • B. Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.
  • C. Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
  • D. Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

正解:C

解説:
Explanation
Google encrypts and authenticates data in transit at one or more network layers when data moves outside physical boundaries not controlled by Google or on behalf of Google. All VM-to-VM traffic within a VPC network and peered VPC networks is encrypted.
https://cloud.google.com/docs/security/encryption-in-transit#cio-level_summary


質問 # 124
You are a consultant for an organization that is considering migrating their data from its private cloud to Google Cloud. The organization's compliance team is not familiar with Google Cloud and needs guidance on how compliance requirements will be met on Google Cloud. One specific compliance requirement is for customer data at rest to reside within specific geographic boundaries. Which option should you recommend for the organization to meet their data residency requirements on Google Cloud?

  • A. Access control lists
  • B. Google Cloud Armor
  • C. Organization Policy Service constraints
  • D. Shielded VM instances
  • E. Geolocation access controls

正解:C


質問 # 125
A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?

  • A. Use Cloud Build to build the container images.
  • B. Use a Continuous Delivery tool to deploy the application.
  • C. Delete non-used versions from Container Registry.
  • D. Build small containers using small base images.

正解:D

解説:
Explanation
Small containers usually have a smaller attack surface as compared to containers that use large base images.
https://cloud.google.com/blog/products/gcp/kubernetes-best-practices-how-and-why-to-build-small-container-im


質問 # 126
......

最新のGoogle Professional-Cloud-Security-Engineerリアル試験問題集PDF:https://www.passtest.jp/Google/Professional-Cloud-Security-Engineer-shiken.html

Professional-Cloud-Security-Engineer試験問題集、Professional-Cloud-Security-Engineer練習テスト問題:https://drive.google.com/open?id=1borHktcbClkjVlgc1_ZW9POwlJiZ6_dG