2023年最新のProfessional-Cloud-Security-Engineer問題集レビュー専門クイズ学習材料 [Q90-Q106]

Share

2023年最新のProfessional-Cloud-Security-Engineer問題集レビュー専門クイズ学習材料

Professional-Cloud-Security-Engineerテスト準備トレーニング練習試験問題 練習テスト


Google Professional-Cloud-Security-Engineer認定を獲得することは、クラウドセキュリティ分野でのキャリアを促進する素晴らしい方法です。 潜在的な雇用主に、クラウド環境を確保し、新たな脅威から保護するために必要なスキル、知識、経験を持っていることを示しています。 また、キャリアの進歩とより高い給与のための新しい機会を開きます。


試験は、クラウドセキュリティアーキテクチャ、データ保護、アイデンティティとアクセス管理、ネットワークセキュリティ、コンプライアンスなど、さまざまなトピックをカバーしています。試験形式は、複数選択肢とシナリオベースの問題から構成されており、クラウドセキュリティに関連する実世界の問題を分析し解決する能力を評価しています。試験に合格すると、個人はGoogle Cloud Certified - Professional Cloud Security Engineerとなり、クラウドセキュリティにおける信頼性と能力を証明し、クラウド業界での新しいキャリアチャンスを開拓することができます。


この試験は、セキュリティ管理、コンプライアンス、データ保護、ネットワークセキュリティ、インシデント管理など、広範なトピックをカバーしています。この試験は、候補者がベストプラクティスと業界標準をクラウドベースのインフラストラクチャのセキュリティに適用できる能力をテストするように設計されています。また、この試験は、顧客、規制当局、および内部ステークホルダーなど、さまざまなステークホルダーの要件を満たすセキュリティソリューションを設計および実装できる能力をテストするように設計されています。

 

質問 # 90
A customer wants to grant access to their application running on Compute Engine to write only to a specific Cloud Storage bucket. How should you grant access?

  • A. Create a user account, authenticate with the application, and grant Google Storage Admin permissions at the project leve
  • B. Create a service account for the application, and grant Cloud Storage Object Creator permissions at the bucket level.
  • C. Create a service account for the application, and grant Cloud Storage Object Creator permissions to the project.
  • D. Create a user account, authenticate with the application, and grant Google Storage Admin permissions at the bucket level.

正解:B

解説:
A is not correct because it doesn't restrict the scope to specific bucket.
B is correct because it provides the right permissions and keeps the scope limited to the bucket in question.
C is not correct because using a user account goes against the recommended best practice as it should be a machine/service account that should be handling the writing to bucket.
D is not correct because using a user account goes against the recommended best practice as it should be a machine/service account that should be handling the writing to bucket and it also widens the scope to storage wide which violates minimum required privilege rules.
https://cloud.google.com/iam/docs/understanding-service-
accounts#using_service_accounts_with_compute_engine


質問 # 91
The security operations team needs access to the security-related logs for all projects in their organization.
They have the following requirements:
Follow the least privilege model by having only view access to logs.
Have access to Admin Activity logs.
Have access to Data Access logs.
Have access to Access Transparency logs.
Which Identity and Access Management (IAM) role should the security operations team be granted?

  • A. roles/logging.admin
  • B. roles/logging.privateLogViewer
  • C. roles/logging.viewer
  • D. roles/viewer

正解:B

解説:
Explanation
https://cloud.google.com/logging/docs/access-control#considerations roles/logging.privateLogViewer (Private Logs Viewer) includes all the permissions contained by roles/logging.viewer, plus the ability to read Data Access audit logs in the _Default bucket.


質問 # 92
You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

  • A. Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.
  • B. Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.
  • C. Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.
  • D. Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.

正解:A

解説:
Explanation
https://youtu.be/MI4iG2GIZMA


質問 # 93
Your team wants to limit users with administrative privileges at the organization level.
Which two roles should your team restrict? (Choose two.)

  • A. GKE Cluster Admin
  • B. Organization Administrator
  • C. Organization Role Viewer
  • D. Compute Admin
  • E. Super Admin

正解:B、E

解説:
Reference:
https://cloud.google.com/resource-manager/docs/creating-managing-organization


質問 # 94
You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

  • A. Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.
  • B. Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.
  • C. Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.
  • D. Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.

正解:A

解説:
https://youtu.be/MI4iG2GIZMA


質問 # 95
You want to update your existing VPC Service Controls perimeter with a new access level. You need to avoid breaking the existing perimeter with this change, and ensure the least disruptions to users while minimizing overhead. What should you do?

  • A. Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.
  • B. Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.
  • C. Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.
  • D. Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration.
    Update the perimeter configuration after the access level has been vetted.

正解:A

解説:
Explanation
https://cloud.google.com/vpc-service-controls/docs/dry-run-mode
When using VPC Service Controls, it can be difficult to determine the impact to your environment when a service perimeter is created or modified. With dry run mode, you can better understand the impact of enabling VPC Service Controls and changes to perimeters in existing environments.


質問 # 96
You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.
How should you prevent and fix this vulnerability?

  • A. Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
  • B. Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.
  • C. Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.
  • D. Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

正解:C

解説:
Explanation
There is mention about simulating in Web Security Scanner. "Web Security Scanner cross-site scripting (XSS) injection testing *simulates* an injection attack by inserting a benign test string into user-editable fields and then performing various user actions."
https://cloud.google.com/security-command-center/docs/how-to-remediate-web-security-scanner-findings#xss


質問 # 97
Your company is moving to Google Cloud. You plan to sync your users first by using Google Cloud Directory Sync (GCDS). Some employees have already created Google Cloud accounts by using their company email addresses that were created outside of GCDS. You must create your users on Cloud Identity.
What should you do?

  • A. Write a custom script to identify existing Google Cloud users and call the Admin SDK Directory API to transfer their account.
  • B. Configure GCDS and use GCDS exclusion rules to ensure users are not suspended.
  • C. Use the transfer tool to migrate unmanaged users.
  • D. Configure GCDS and use GCDS search rules lo sync these users.

正解:B


質問 # 98
You have created an OS image that is hardened per your organization's security standards and is being stored in a project managed by the security team. As a Google Cloud administrator, you need to make sure all VMs in your Google Cloud organization can only use that specific OS image while minimizing operational overhead. What should you do? (Choose two.)

  • A. Remove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.
  • B. Grant users the compuce.imageUser role in their own projects.
  • C. Grant users the compuce.imageUser role in the OS image project.
  • D. Store the image in every project that is spun up in your organization.
  • E. Set up an image access organization policy constraint, and list the security team managed project in the projects allow list.

正解:C、E

解説:
https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints - constraints/compute.trustedImageProjects This list constraint defines the set of projects that can be used for image storage and disk instantiation for Compute Engine. If this constraint is active, only images from trusted projects will be allowed as the source for boot disks for new instances.


質問 # 99
Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation.
What should you do?

  • A. Store the data in a single BigTable table and set an expiration time on the column families.
  • B. Store the data in a single Persistent Disk, and delete the disk at expiration time.
  • C. Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.
  • D. Store the data in a single BigQuery table and set the appropriate table expiration time.

正解:C

解説:
"To support common use cases like setting a Time to Live (TTL) for objects, retaining noncurrent versions of objects, or "downgrading" storage classes of objects to help manage costs, Cloud Storage offers the Object Lifecycle Management feature. This page describes the feature as well as the options available when using it. To learn how to enable Object Lifecycle Management, and for examples of lifecycle policies, see Managing Lifecycles." https://cloud.google.com/storage/docs/lifecycle


質問 # 100
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.
Which GCP solution should the organization use?

  • A. BigQuery using a data pipeline job with continuous updates via Cloud VPN
  • B. Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect
  • C. Cloud Storage using a scheduled task and gsutil via Cloud Interconnect
  • D. Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN

正解:C

解説:
Explanation/Reference: https://cloud.google.com/solutions/migration-to-google-cloud-building-your-foundation


質問 # 101
An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well- established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the "source of truth" directory for identities.
Which solution meets the organization's requirements?

  • A. Google Cloud Directory Sync (GCDS)
  • B. Security Assertion Markup Language (SAML)
  • C. Pub/Sub
  • D. Cloud Identity

正解:D

解説:
Explanation
Explanation/Reference: https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction


質問 # 102
While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?

  • A. Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
  • B. Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
  • C. Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
  • D. Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.

正解:B

解説:
https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-configuring-single-sign-on


質問 # 103
You need to use Cloud External Key Manager to create an encryption key to encrypt specific BigQuery data at rest in Google Cloud. Which steps should you do first?

  • A. 1. Create or use an existing key with a unique uniform resource identifier (URI) in your Google Cloud project.
    2. Grant your Google Cloud project access to a supported external key management partner system.
  • B. 1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).
    2. In Cloud KMS, grant your Google Cloud project access to use the key.
  • C. 1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system.
    2. In the external key management partner system, grant access for this key to use your Google Cloud project.
  • D. 1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).
    2. In Cloud KMS, grant your Google Cloud project access to use the key.

正解:C

解説:
Explanation
https://cloud.google.com/kms/docs/ekm#how_it_works
- First, you create or use an existing key in a supported external key management partner system. This key has a unique URI or key path.
- Next, you grant your Google Cloud project access to use the key, in the external key management partner system.
- In your Google Cloud project, you create a Cloud EKM key, using the URI or key path for the externally-managed key.


質問 # 104
A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?

  • A. Cloud Identity-Aware Proxy
  • B. Cloud Armor
  • C. DNS Security Extensions
  • D. VPC Flow Logs

正解:C

解説:
Reference:
DNSSEC - use a DNS registrar that supports DNSSEC, and enable it. DNSSEC digitally signs DNS communication, making it more difficult (but not impossible) for hackers to intercept and spoof. Domain Name System Security Extensions (DNSSEC) adds security to the Domain Name System (DNS) protocol by enabling DNS responses to be validated. Having a trustworthy Domain Name System (DNS) that translates a domain name like www.example.com into its associated IP address is an increasingly important building block of today's web-based applications. Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records. As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites. https://cloud.google.com/blog/products/gcp/dnssec-now-available-in-cloud-dns


質問 # 105
A company migrated their entire data/center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time.
What should you do?

  • A. Use Security Command Center to view all assets across the organization.
  • B. Use Forseti Security to automate inventory snapshots.
  • C. Use Resource Manager on the organization level.
  • D. Use Stackdriver to create a dashboard across all projects.

正解:B

解説:
Only Forseti security can have both 'past' and 'present' (i.e. historical) records of the resources. https://forsetisecurity.org/about/


質問 # 106
......

試験問題解答ブレーン問題集でProfessional-Cloud-Security-Engineer試験問題集PDF問題:https://www.passtest.jp/Google/Professional-Cloud-Security-Engineer-shiken.html

Professional-Cloud-Security-Engineer試験問題集、Professional-Cloud-Security-Engineer練習テスト問題:https://drive.google.com/open?id=1KsfqTHx6ITnh84ANUOXsn_tgMS6wwvRW