Professional-Cloud-Security-Engineer練習問題集で検証済みで更新された178問題あります [Q67-Q85]

Share

Professional-Cloud-Security-Engineer練習問題集で検証済みで更新された178問題あります

更新されたProfessional-Cloud-Security-Engineer試験問題集でPDF問題とテストエンジン


Google Professional-Cloud-Security-Engineer 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • Google CloudPlatformで安全なインフラストラクチャを設計および実装する
トピック 2
  • CloudSecurのすべての側面
トピック 3
  • セキュリティのベストプラクティスと業界のセキュリティ要件の理解
トピック 4
  • Googleのセキュリティテクノロジーを活用して安全なインフラストラクチャを管理します

 

質問 # 67
You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?

  • A. Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.
  • B. Add the host project containing the Shared VPC to the service perimeter.
  • C. Add the service project where the Compute Engine instances reside to the service perimeter.
  • D. Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.

正解:D


質問 # 68
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.
Which Cloud Data Loss Prevention API technique should you use to accomplish this?

  • A. CryptoReplaceFfxFpeConfig
  • B. Redaction
  • C. Generalization
  • D. CryptoHashConfig

正解:C

解説:
By bucketing or generalizing, we achieve a reversible pseudonymised data that can still yield the required analysis. https://cloud.google.com/dlp/docs/concepts-bucketing


質問 # 69
Applications often require access to "secrets" - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of "who did what, where, and when?" within their GCP projects.
Which two log streams would provide the information that the administrator is looking for? (Choose two.)

  • A. VPC Flow logs
  • B. System Event logs
  • C. Admin Activity logs
  • D. Data Access logs
  • E. Agent logs

正解:C、D

解説:
Reference:
https://cloud.google.com/kms/docs/secret-management


質問 # 70
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.
Which cost reduction options should you recommend?

  • A. Use FindingLimits and TimespanContfig to sample data and minimize transformation units.
  • B. Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
  • C. Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
  • D. Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.

正解:C

解説:
https://cloud.google.com/dlp/docs/reference/rest/v2/InspectJobConfig


質問 # 71
Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network.
How should your team design this network?

  • A. Create an ingress firewall rule to allow access only from the application to the database using firewall tags.
  • B. Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.
  • C. Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.
  • D. Create a different subnet for the frontend application and database to ensure network isolation.

正解:A

解説:
Explanation
"However, even though it is possible to uses tags for target filtering in this manner, we recommend that you use service accounts where possible. Target tags are not access-controlled and can be changed by someone with the instanceAdmin role while VMs are in service. Service accounts are access-controlled, meaning that a specific user must be explicitly authorized to use a service account. There can only be one service account per instance, whereas there can be multiple tags. Also, service accounts assigned to a VM can only be changed when the VM is stopped"


質問 # 72
You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive dat a. Your solution has the following requirements:
Schedule key rotation for sensitive data.
Control which region the encryption keys for sensitive data are stored in.
Minimize the latency to access encryption keys for both sensitive and non-sensitive data.
What should you do?

  • A. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
  • B. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.
  • C. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.
  • D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.

正解:B


質問 # 73
A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?

  • A. DNS Security Extensions
  • B. Cloud Identity-Aware Proxy
  • C. Cloud Armor
  • D. VPC Flow Logs

正解:A

解説:
https://cloud.google.com/blog/products/gcp/dnssec-now-available-in-cloud-dns


質問 # 74
A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE).
How should the DevOps team accomplish this?

  • A. Update the application code or apply a patch, build a new image, and redeploy it.
  • B. Configure containers to automatically upgrade when the base image is available in Container Registry.
  • C. Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
  • D. Use Puppet or Chef to push out the patch to the running container.

正解:C

解説:
Reference:
https://cloud.google.com/kubernetes-engine/docs/security-bulletins


質問 # 75
An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google's responsibility lies. They are mostly running workloads using Google Cloud's Platform-as-a-Service (PaaS) offerings, including App Engine primarily.
Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?

  • A. Encrypting all stored data
  • B. Configuring and monitoring VPC Flow Logs
  • C. Manage the latest updates and security patches for the Guest OS
  • D. Defending against XSS and SQLi attacks

正解:D


質問 # 76
Last week, a company deployed a new App Engine application that writes logs to BigQuery. No other workloads are running in the project. You need to validate that all data written to BigQuery was done using the App Engine Default Service Account.
What should you do?

  • A. 1. Use StackDriver Logging and filter on BigQuery Insert Jobs.
    2. Click on the email address in line with the App Engine Default Service Account in the authentication field.
    3. Click Show Matching Entries.
    4. Make sure the resulting list is empty.
  • B. 1. Use StackDriver Logging and filter on BigQuery Insert Jobs.
    2. Click on the email address in line with the App Engine Default Service Account in the authentication field.
    3. Click Hide Matching Entries.
    4. Make sure the resulting list is empty.
  • C. 1. In BigQuery, select the related dataset.
    2. Make sure the App Engine Default Service Account is the only account that can write to the dataset.
  • D. 1. Go to the IAM section on the project.
    2. Validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery.

正解:C


質問 # 77
You want to update your existing VPC Service Controls perimeter with a new access level. You need to avoid breaking the existing perimeter with this change, and ensure the least disruptions to users while minimizing overhead. What should you do?

  • A. Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.
  • B. Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.
  • C. Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.
  • D. Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration.
    Update the perimeter configuration after the access level has been vetted.

正解:A

解説:
Explanation
https://cloud.google.com/vpc-service-controls/docs/dry-run-mode
When using VPC Service Controls, it can be difficult to determine the impact to your environment when a service perimeter is created or modified. With dry run mode, you can better understand the impact of enabling VPC Service Controls and changes to perimeters in existing environments.


質問 # 78
A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.
Which two approaches can you take to meet the requirements? (Choose two.)

  • A. Configure the project with Cloud Interconnect.
  • B. Configure the project with Shared VPC.
  • C. Configure the project with VPC peering.
  • D. Configure all Compute Engine instances with Private Access.
  • E. Configure the project with Cloud VPN.

正解:C、D

解説:
Reference:
https://cloud.google.com/solutions/secure-data-workloads-use-cases


質問 # 79
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.
Which cost reduction options should you recommend?

  • A. Use FindingLimits and TimespanContfig to sample data and minimize transformation units.
  • B. Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
  • C. Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
  • D. Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.

正解:C


質問 # 80
You are a consultant for an organization that is considering migrating their data from its private cloud to Google Cloud. The organization's compliance team is not familiar with Google Cloud and needs guidance on how compliance requirements will be met on Google Cloud. One specific compliance requirement is for customer data at rest to reside within specific geographic boundaries. Which option should you recommend for the organization to meet their data residency requirements on Google Cloud?

  • A. Google Cloud Armor
  • B. Geolocation access controls
  • C. Organization Policy Service constraints
  • D. Access control lists
  • E. Shielded VM instances

正解:C


質問 # 81
You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources. Your export must meet the following requirements:
Export related logs for all projects in the Google Cloud organization.
Export logs in near real-time to an external SIEM.
What should you do? (Choose two.)

  • A. Create a Log Sink at the organization level with a Pub/Sub destination.
  • B. Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.
  • C. Enable Data Access audit logs at the organization level to apply to all projects.
  • D. Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.
  • E. Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.

正解:A、D


質問 # 82
A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects.
Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources.
Which type of access should your team grant to meet this requirement?

  • A. Organization Administrator
  • B. Organization Policy Administrator
  • C. Security Reviewer
  • D. Organization Role Administrator

正解:B

解説:
https://cloud.google.com/resource-manager/docs/access-control-org


質問 # 83
When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)

  • A. Ensure that the app does not run as PID 1.
  • B. Package a single app as a container.
  • C. Remove any unnecessary tools not needed by the app.
  • D. Use public container images as a base image for the app.
  • E. Use many container image layers to hide sensitive information.

正解:B、C

解説:
Reference:
https://cloud.google.com/solutions/best-practices-for-building-containers


質問 # 84
You want to make sure that your organization's Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all Cloud Storage buckets. What should you do?

  • A. Remove *.setIamPolicy permissions from all roles, and enforce domain restricted sharing in an organization policy.
  • B. Remove Owner roles from end users, and configure Cloud Data Loss Prevention.
  • C. Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.
  • D. Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.

正解:C


質問 # 85
......


PCSE試験は、ネットワークセキュリティ、データ保護、アイデンティティとアクセス管理、コンプライアンス、インシデントレスポンスなど、クラウドセキュリティに関連する幅広いトピックをカバーしています。この試験は、候補者のGCP上で安全なソリューションを設計および実装し、GCPリソースの持続的な保護を確保するために、セキュリティコントロールを管理および監視する能力を検証するために設計されています。

 

最新(2023)Google Professional-Cloud-Security-Engineer試験問題集:https://www.passtest.jp/Google/Professional-Cloud-Security-Engineer-shiken.html

最適な練習法にはGoogle Professional-Cloud-Security-Engineer試験の素晴らしいProfessional-Cloud-Security-Engineer試験問題PDF:https://drive.google.com/open?id=1eADKLiTuDYf7rkcHG6-I_23h-n9egT5_