Professional-Cloud-Security-Engineer認定の有効な試験問題集解答学習ガイド!(最新の212問題)
Professional-Cloud-Security-Engineer問題集で時間限定!無料アクセスせよ
この試験では、セキュリティマネジメント、データ保護、ネットワークセキュリティ、コンプライアンス、インシデントマネジメントなど、クラウドセキュリティに関連する広範囲のトピックがカバーされます。候補者は、GCPが提供するセキュリティ機能や機能性に深い理解を持ち、これらの機能をどのように構成し、管理するかを知っていることが期待されています。また、この試験は、業界のベストプラクティスを使用して、GCPで安全なソリューションを設計および実装する能力もテストします。
質問 # 59
A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.
Which two approaches can you take to meet the requirements? (Choose two.)
- A. Configure the project with Cloud Interconnect.
- B. Configure the project with Cloud VPN.
- C. Configure the project with Shared VPC.
- D. Configure all Compute Engine instances with Private Access.
- E. Configure the project with VPC peering.
正解:D、E
解説:
Explanation/Reference: https://cloud.google.com/solutions/secure-data-workloads-use-cases
質問 # 60
Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:
The network connection must be encrypted.
The communication between servers must be over private IP addresses.
What should you do?
- A. Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.
- B. Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
- C. Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
- D. Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.
正解:B
質問 # 61
You have the following resource hierarchy. There is an organization policy at each node in the hierarchy as shown. Which load balancer types are denied in VPC A?
- A. INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder's policy.
- B. All load balancer types are denied in accordance with the global node's policy.
- C. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project's policies.
- D. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project's policy.
正解:C
質問 # 62
In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.)
- A. Network Security
- B. Access Policies
- C. Hardware
- D. Boot
- E. Storage Encryption
正解:B、E
質問 # 63
Your team needs to prevent users from creating projects in the organization. Only the DevOps team should be allowed to create projects on behalf of the requester.
Which two tasks should your team perform to handle this request? (Choose two.)
- A. Add a designated group of users to the Project Creator role at the organizational level.
- B. Grant the Project Editor role at the organizational level to a designated group of users.
- C. Remove all users from the Project Creator role at the organizational level.
- D. Create an Organization Policy constraint, and apply it at the organizational level.
- E. Grant the billing account creator role to the designated DevOps team.
正解:A、C
解説:
Explanation
https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
質問 # 64
Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.
What should you do?
- A. Use the Cloud Key Management Service to manage a key encryption key (KEK).
- B. Use customer-supplied encryption keys to manage the data encryption key (DEK).
- C. Use the Cloud Key Management Service to manage a data encryption key (DEK).
- D. Use customer-supplied encryption keys to manage the key encryption key (KEK).
正解:B
解説:
This is a Customer-supplied encryption keys (CSEK). We generate our own encryption key and manage it on-premises. A KEK never leaves Cloud KMS.There is no KEK or KMS on-premises. Encryption at rest by default, with various key management options https://cloud.google.com/security/encryption-at-rest
質問 # 65
Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation.
What should you do?
- A. Store the data in a single BigTable table and set an expiration time on the column families.
- B. Store the data in a single Cloud Storage bucket and configure the bucket's Time to Live.
- C. Store the data in a single BigQuery table and set the appropriate table expiration time.
- D. Store the data in a single Persistent Disk, and delete the disk at expiration time.
正解:C
質問 # 66
You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?
- A. Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials.
- B. Create a custom service account for the cluster Enable the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.
- C. Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/iam.disableServiceAccountCreation organization policy at the project level.
- D. Create a custom service account for the cluster Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level.
正解:D
解説:
Disable service account key creation You can use the iam.disableServiceAccountKeyCreation boolean constraint to disable the creation of new external service account keys. This allows you to control the use of unmanaged long-term credentials for service accounts. When this constraint is set, user-managed credentials cannot be created for service accounts in projects affected by the constraint. https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#example_policy_boolean_constraint
質問 # 67
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.
Which cost reduction options should you recommend?
- A. Use FindingLimits and TimespanContfig to sample data and minimize transformation units.
- B. Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
- C. Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.
- D. Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
正解:B
解説:
https://cloud.google.com/dlp/docs/reference/rest/v2/InspectJobConfig
質問 # 68
You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM.
What should you do?
- A. Use a management tool to sync the subset based on the email address attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
- B. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have
"user email address" as the attribute to facilitate bidirectional sync. - C. Use a management tool to sync the subset based on group object class attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
- D. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have
"user email address" as the attribute to facilitate one-way sync.
正解:D
解説:
Explanation
search rules that have "user email address" as the attribute to facilitate one-way sync. Reference Links:
https://support.google.com/a/answer/6126589?hl=en
質問 # 69
A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to manage and rotate the encryption keys.
Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?
- A. Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
- B. Encryption by default
- C. Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis
- D. Customer-supplied encryption keys (CSEK)
正解:A
解説:
Reference:
https://cloud.google.com/kubernetes-engine/docs/how-to/dynamic-provisioning-cmek
質問 # 70
You are working with a client that is concerned about control of their encryption keys for sensitive dat a. The client does not want to store encryption keys at rest in the same cloud service provider (CSP) as the data that the keys are encrypting. Which Google Cloud encryption solutions should you recommend to this client? (Choose two.)
- A. Cloud External Key Manager
- B. Google default encryption
- C. Customer-managed encryption keys
- D. Secret Manager
- E. Customer-supplied encryption keys.
正解:A、E
質問 # 71
Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?
- A. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project.
2. Process Cloud Storage objects in SIEM. - B. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project.
2. Process Cloud Storage objects in SIEM. - C. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project.
2. Subscribe SIEM to the topic. - D. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project.
2. Subscribe SIEM to the topic.
正解:B
質問 # 72
A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery What should you do?
- A. Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.
- B. Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.
- C. Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.
- D. Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.
正解:C
質問 # 73
An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well- established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the "source of truth" directory for identities.
Which solution meets the organization's requirements?
- A. Google Cloud Directory Sync (GCDS)
- B. Cloud Identity
- C. Security Assertion Markup Language (SAML)
- D. Pub/Sub
正解:B
解説:
Explanation
Explanation/Reference: https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction
質問 # 74
Which Identity-Aware Proxy role should you grant to an Identity and Access Management (IAM) user to access HTTPS resources?
- A. Service Broker Operator
- B. Security Reviewer
- C. lAP-Secured Tunnel User
- D. lAP-Secured Web App User
正解:D
解説:
IAP-Secured Tunnel User: Grants access to tunnel resources that use IAP. IAP-Secured Web App User: Access HTTPS resources which use Identity-Aware Proxy, Grants access to App Engine, Cloud Run, and Compute Engine resources.
https://cloud.google.com/iap/docs/managing-access#roles
質問 # 75
Your company has deployed an application on Compute Engine. The application is accessible by clients on port 587. You need to balance the load between the different instances running the application. The connection should be secured using TLS, and terminated by the Load Balancer.
What type of Load Balancing should you use?
- A. Network Load Balancing
- B. HTTP(S) Load Balancing
- C. SSL Proxy Load Balancing
- D. TCP Proxy Load Balancing
正解:C
解説:
Explanation
https://cloud.google.com/load-balancing/docs/ssl - SSL Proxy Load Balancing is a reverse proxy load balancer that distributes SSL traffic coming from the internet to virtual machine (VM) instances in your Google Cloud VPC network.
質問 # 76
Your company's cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs. Which service should you use?
- A. Identity Aware-Proxy
- B. Cloud DNS
- C. TCP/UDP Load Balancing
- D. Cloud NAT
正解:D
解説:
Explanation
https://cloud.google.com/nat/docs/overview "Cloud NAT (network address translation) lets certain resources without external IP addresses create outbound connections to the internet."
質問 # 77
You recently joined the networking team supporting your company's Google Cloud implementation. You are tasked with familiarizing yourself with the firewall rules configuration and providing recommendations based on your networking and Google Cloud experience. What product should you recommend to detect firewall rules that are overlapped by attributes from other firewall rules with higher or equal priority?
- A. Firewall Rules Logging
- B. VPC Flow Logs
- C. Firewall Insights
- D. Security Command Center
正解:C
解説:
https://cloud.google.com/network-intelligence-center/docs/firewall-insights/concepts/overview#shadowed-firewall-rules Firewall Insights analyzes your firewall rules to detect firewall rules that are shadowed by other rules. A shadowed rule is a firewall rule that has all of its relevant attributes, such as its IP address and port ranges, overlapped by attributes from one or more rules with higher or equal priority, called shadowing rules.
質問 # 78
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.
Which cost reduction options should you recommend?
- A. Use FindingLimits and TimespanContfig to sample data and minimize transformation units.
- B. Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
- C. Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.
- D. Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
正解:B
質問 # 79
You need to use Cloud External Key Manager to create an encryption key to encrypt specific BigQuery data at rest in Google Cloud. Which steps should you do first?
- A. 1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).
2. In Cloud KMS, grant your Google Cloud project access to use the key. - B. 1. Create or use an existing key with a unique uniform resource identifier (URI) in your Google Cloud project.
2. Grant your Google Cloud project access to a supported external key management partner system. - C. 1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).
2. In Cloud KMS, grant your Google Cloud project access to use the key. - D. 1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system.
2. In the external key management partner system, grant access for this key to use your Google Cloud project.
正解:D
解説:
Explanation
https://cloud.google.com/kms/docs/ekm#how_it_works
- First, you create or use an existing key in a supported external key management partner system. This key has a unique URI or key path.
- Next, you grant your Google Cloud project access to use the key, in the external key management partner system.
- In your Google Cloud project, you create a Cloud EKM key, using the URI or key path for the externally-managed key.
質問 # 80
......
Google Professional-Cloud-Security-Engineer試験実践テスト問題:https://www.passtest.jp/Google/Professional-Cloud-Security-Engineer-shiken.html
Professional-Cloud-Security-Engineer問題集で2024年最新のGoogle Professional-Cloud-Security-Engineer試験問題:https://drive.google.com/open?id=1buoquf1ZgpKh0y4BQEycrnD49dC4UP5Q