100%合格、売れ筋最上位Professional-Cloud-Security-Engineer試験材料は2023年最新のGoogle練習試験合格させます [Q38-Q58]

Share

100%合格、売れ筋最上位Professional-Cloud-Security-Engineer試験材料は2023年最新のGoogle練習試験合格させます

Google Cloud Certified問題集でProfessional-Cloud-Security-Engineer試験完全版問題、試験学習ガイド

質問 # 38
A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs.
What should you do?

  • A. Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.
  • B. Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.
  • C. Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.
  • D. Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.

正解:A

解説:
Reference:
https://cloud.google.com/logging/docs/logs-based-metrics/


質問 # 39
A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means.
Which connectivity option should be implemented?

  • A. Cloud VPN
  • B. Cloud Interconnect
  • C. VPC peering
  • D. Shared VPC

正解:A


質問 # 40
A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity- Aware Proxy.
What should the customer do to meet these requirements?

  • A. Make sure that the ERP system can validate the identity headers in the HTTP requests.
  • B. Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests.
  • C. Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.
  • D. Make sure that the ERP system can validate the JWT assertion in the HTTP requests.

正解:D

解説:
Explanation
Use Cryptographic Verification If there is a risk of IAP being turned off or bypassed, your app can check to make sure the identity information it receives is valid. This uses a third web request header added by IAP, called X-Goog-IAP-JWT-Assertion. The value of the header is a cryptographically signed object that also contains the user identity data. Your application can verify the digital signature and use the data provided in this object to be certain that it was provided by IAP without alteration.


質問 # 41
Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.
Which two settings must remain disabled to meet these requirements? (Choose two.)

  • A. IAM Network User Role
  • B. Private Google Access
  • C. Public IP
  • D. Static routes
  • E. IP Forwarding

正解:B、D

解説:
https://cloud.google.com/vpc/docs/configure-private-google-access


質問 # 42
A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?

  • A. DNS Security Extensions
  • B. Cloud Armor
  • C. VPC Flow Logs
  • D. Cloud Identity-Aware Proxy

正解:A

解説:
Explanation/Reference: https://cloud.google.com/blog/products/gcp/dnssec-now-available-in-cloud-dns


質問 # 43
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.
Which cost reduction options should you recommend?

  • A. Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.
  • B. Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
  • C. Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
  • D. Use FindingLimits and TimespanContfig to sample data and minimize transformation units.

正解:B

解説:
Explanation
https://cloud.google.com/dlp/docs/inspecting-storage#sampling
https://cloud.google.com/dlp/docs/best-practices-costs#limit_scans_of_files_in_to_only_relevant_files


質問 # 44
Your team needs to prevent users from creating projects in the organization. Only the DevOps team should be allowed to create projects on behalf of the requester.
Which two tasks should your team perform to handle this request? (Choose two.)

  • A. Add a designated group of users to the Project Creator role at the organizational level.
  • B. Create an Organization Policy constraint, and apply it at the organizational level.
  • C. Grant the Project Editor role at the organizational level to a designated group of users.
  • D. Grant the billing account creator role to the designated DevOps team.
  • E. Remove all users from the Project Creator role at the organizational level.

正解:A、E

解説:
https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints


質問 # 45
You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.
How should you prevent and fix this vulnerability?

  • A. Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.
  • B. Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.
  • C. Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
  • D. Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

正解:B

解説:
Explanation
There is mention about simulating in Web Security Scanner. "Web Security Scanner cross-site scripting (XSS) injection testing *simulates* an injection attack by inserting a benign test string into user-editable fields and then performing various user actions."
https://cloud.google.com/security-command-center/docs/how-to-remediate-web-security-scanner-findings#xss


質問 # 46
You work for an organization in a regulated industry that has strict data protection requirements. The organization backs up their data in the cloud. To comply with data privacy regulations, this data can only be stored for a specific length of time and must be deleted after this specific period.
You want to automate the compliance with this regulation while minimizing storage costs. What should you do?

  • A. Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.
  • B. Store the data in a BigQuery table, and set the table's expiration time.
  • C. Store the data in a Cloud Bigtable table, and set an expiration time on the column families.
  • D. Store the data in a persistent disk, and delete the disk at expiration time.

正解:B


質問 # 47
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.
Which Cloud Data Loss Prevention API technique should you use to accomplish this?

  • A. CryptoReplaceFfxFpeConfig
  • B. Generalization
  • C. Redaction
  • D. CryptoHashConfig

正解:C


質問 # 48
A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?

  • A. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.
  • B. Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.
  • C. On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.
  • D. On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.

正解:A

解説:
https://codelabs.developers.google.com/codelabs/cloud-storage-dlp-functions#0 https://www.youtube.com/watch?v=0TmO1f-Ox40


質問 # 49
Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application. The solution has the following requirements:
Scans must run at least once per week
Must be able to detect cross-site scripting vulnerabilities
Must be able to authenticate using Google accounts
Which solution should you use?

  • A. Google Cloud Armor
  • B. Web Security Scanner
  • C. Container Threat Detection
  • D. Security Health Analytics

正解:B


質問 # 50
A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery What should you do?

  • A. Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.
  • B. Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.
  • C. Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.
  • D. Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.

正解:A

解説:
https://cloud.google.com/bigquery/docs/scan-with-dlp
Cloud Data Loss Prevention API allows to detect and redact or remove sensitive data before the comments or reviews are published. Cloud DLP will read information from BigQuery, Cloud Storage or Datastore and scan it for sensitive data.


質問 # 51
You are creating a new infrastructure CI/CD pipeline to deploy hundreds of ephemeral projects in your Google Cloud organization to enable your users to interact with Google Cloud. You want to restrict the use of the default networks in your organization while following Google-recommended best practices. What should you do?

  • A. Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.
  • B. Grant your users the 1AM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts the compute.googleapis.com API.
  • C. Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
  • D. Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.

正解:C

解説:
Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints - constraints/compute.skipDefaultNetworkCreation This boolean constraint skips the creation of the default network and related resources during Google Cloud Platform Project resource creation where this constraint is set to True. By default, a default network and supporting resources are automatically created when creating a Project resource.


質問 # 52
You are exporting application logs to Cloud Storage. You encounter an error message that the log sinks don't support uniform bucket-level access policies. How should you resolve this error?

  • A. Add the roles/logging.logWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.
  • B. Update your sink with the correct bucket destination.
  • C. Change the access control model for the bucket
  • D. Add the roles/logging.bucketWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.

正解:C

解説:
https://cloud.google.com/logging/docs/export/troubleshoot#errors_exporting_to_cloud_storage
https://cloud.google.com/logging/docs/export/troubleshoot
Unable to grant correct permissions to the destination: Even if the sink was successfully created with the correct service account permissions, this error message displays if the access control model for the Cloud Storage bucket was set to uniform access when the bucket was created. For existing Cloud Storage buckets, you can change the access control model for the first 90 days after bucket creation by using the Permissions tab. For new buckets, select the Fine-grained access control model during bucket creation. For details, see Creating Cloud Storage buckets.


質問 # 53
When working with agents in a support center via online chat, an organization's customers often share pictures of their documents with personally identifiable information (PII). The organization that owns the support center is concerned that the PII is being stored in their databases as part of the regular chat logs they retain for review by internal or external analysts for customer service trend analysis.
Which Google Cloud solution should the organization use to help resolve this concern for the customer while still maintaining data utility?

  • A. Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.
  • B. Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.
  • C. Use Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.
  • D. Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.

正解:D

解説:
Explanation
Explanation/Reference:
Reference; https://cloud.google.com/dlp/docs/deidentify-sensitive-data


質問 # 54
You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk.
What should you do?

  • A. Migrate the application into an isolated project using a "Lift & Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
  • B. Migrate the application into an isolated project using a "Lift & Shift" approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.
  • C. Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project.Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
  • D. Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

正解:A

解説:
Migrate the application into an isolated project using a "Lift & Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.


質問 # 55
Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization. How should you enforce this?

  • A. Configure Secret Manager to manage service account keys.
  • B. Remove the iam.serviceAccounts.getAccessToken permission from users.
  • C. Enable an organization policy to prevent service account keys from being created.
  • D. Enable an organization policy to disable service accounts from being created.

正解:C

解説:
Explanation
https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys
"To prevent unnecessary usage of service account keys, use organization policy constraints: At the root of your organization's resource hierarchy, apply the Disable service account key creation and Disable service account key upload constraints to establish a default where service account keys are disallowed. When needed, override one of the constraints for selected projects to re-enable service account key creation or upload."


質問 # 56
Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network.
How should your team design this network?

  • A. Create a different subnet for the frontend application and database to ensure network isolation.
  • B. Create an ingress firewall rule to allow access only from the application to the database using firewall tags.
  • C. Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.
  • D. Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.

正解:B

解説:
Explanation
"However, even though it is possible to uses tags for target filtering in this manner, we recommend that you use service accounts where possible. Target tags are not access-controlled and can be changed by someone with the instanceAdmin role while VMs are in service. Service accounts are access-controlled, meaning that a specific user must be explicitly authorized to use a service account. There can only be one service account per instance, whereas there can be multiple tags. Also, service accounts assigned to a VM can only be changed when the VM is stopped"


質問 # 57
You are routing all your internet facing traffic from Google Cloud through your on-premises internet connection. You want to accomplish this goal securely and with the highest bandwidth possible.
What should you do?

  • A. Create an HA VPN connection to Google Cloud Replace the default 0 0 0 0/0 route.
  • B. Create a routing VM in Compute Engine Configure the default route with the VM as the next hop.
  • C. Configure Cloud Interconnect and route traffic through an on-premises firewall.
  • D. Configure Cloud Interconnect with HA VPN Replace the default 0 0 0 0/0 route to an on-premises destination.

正解:C


質問 # 58
......


試験は、クラウドセキュリティアーキテクチャ、データ保護、アイデンティティとアクセス管理、ネットワークセキュリティ、コンプライアンスなど、さまざまなトピックをカバーしています。試験形式は、複数選択肢とシナリオベースの問題から構成されており、クラウドセキュリティに関連する実世界の問題を分析し解決する能力を評価しています。試験に合格すると、個人はGoogle Cloud Certified - Professional Cloud Security Engineerとなり、クラウドセキュリティにおける信頼性と能力を証明し、クラウド業界での新しいキャリアチャンスを開拓することができます。


Google Professional-Cloud-Security-Enginer認定試験は、クラウドセキュリティの経験があり、この分野でのスキルと知識を向上させたい専門家向けに設計されています。この認定試験は、GCPでクラウドセキュリティソリューションの設計、実装、および管理を担当するセキュリティ専門家、クラウドアーキテクト、およびIT専門家に最適です。この認定を取得することにより、専門家はクラウドセキュリティに関する専門知識を実証し、キャリアの見通しを高めることができます。

 

正真正銘のベスト試験材料Professional-Cloud-Security-Engineerオンライン練習試験:https://www.passtest.jp/Google/Professional-Cloud-Security-Engineer-shiken.html

Professional-Cloud-Security-Engineerテストエンジン練習試験:https://drive.google.com/open?id=1KsfqTHx6ITnh84ANUOXsn_tgMS6wwvRW