[Q36-Q60] 認証トレーニングProfessional-Cloud-Security-Engineer試験問題集テストエンジン [2023]

Share

認証トレーニングProfessional-Cloud-Security-Engineer試験問題集テストエンジン [2023]

2023年05月15日ガイド準備でProfessional-Cloud-Security-Engineer試験合格


Google Professional-Cloud-Security-Engineer認定試験は、GCPソリューションを保護するための専門知識を証明するために、セキュリティ専門家にとって貴重な資格となります。試験は、GCPでセキュリティソリューションを設計、実装、管理するための候補者の知識やスキルを測定し、業界で最も権威ある資格の1つです。試験に合格するには、セキュリティのベストプラクティス、コンプライアンス、規制要件の深い理解が必要であり、各種セキュリティツールと技術の熟練度が求められます。

 

質問 # 36
Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud.
What should you do?

  • A. Use customer-supplied encryption keys to manage the data encryption key (DEK).
  • B. Use the Cloud Key Management Service to manage the key encryption key (KEK).
  • C. Use the Cloud Key Management Service to manage the data encryption key (DEK).
  • D. Use customer-supplied encryption keys to manage the key encryption key (KEK).

正解:B

解説:
Explanation
This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK). For more information on Google data encryption keys, see Encryption at Rest.
https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption
https://codelabs.developers.google.com/codelabs/encrypt-and-decrypt-data-with-cloud-kms#0


質問 # 37
Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network.
How should your team design this network?

  • A. Create a different subnet for the frontend application and database to ensure network isolation.
  • B. Create an ingress firewall rule to allow access only from the application to the database using firewall tags.
  • C. Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.
  • D. Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.

正解:B


質問 # 38
A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.
Which two approaches can you take to meet the requirements? (Choose two.)

  • A. Configure the project with Cloud Interconnect.
  • B. Configure the project with Cloud VPN.
  • C. Configure the project with Shared VPC.
  • D. Configure all Compute Engine instances with Private Access.
  • E. Configure the project with VPC peering.

正解:A、B


質問 # 39
Which two implied firewall rules are defined on a VPC network? (Choose two.)

  • A. A rule that blocks all outbound connections
  • B. A rule that blocks all inbound port 25 connections
  • C. A rule that allows all outbound connections
  • D. A rule that denies all inbound connections
  • E. A rule that allows all inbound port 80 connections

正解:C、D

解説:
Explanation
Implied IPv4 allow egress rule. An egress rule whose action is allow, destination is 0.0.0.0/0, and priority is the lowest possible (65535) lets any instance send traffic to any destination Implied IPv4 deny ingress rule. An ingress rule whose action is deny, source is 0.0.0.0/0, and priority is the lowest possible (65535) protects all instances by blocking incoming connections to them.
https://cloud.google.com/vpc/docs/firewalls?hl=en#default_firewall_rules


質問 # 40
You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS). Cloud Identity and Access Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys.
What should you do?

  • A. Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the Key level.
  • B. Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the KeyRing level.
  • C. Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the KeyRing level.
  • D. Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the Key level.

正解:C

解説:
Explanation
https://cloud.netapp.com/blog/gcp-cvo-blg-how-to-use-google-cloud-encryption-with-a-persistent-disk


質問 # 41
A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in BigQuery.
What technique should the institution use?

  • A. Use Cloud Storage as a federated Data Source.
  • B. Customer-supplied encryption keys (CSEK).
  • C. Customer-managed encryption keys (CMEK).
  • D. Use a Cloud Hardware Security Module (Cloud HSM).

正解:C

解説:
https://cloud.google.com/bigquery/docs/encryption-at-rest


質問 # 42
A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places.
Which Storage solution are they allowed to use?

  • A. Cloud BigQuery
  • B. Compute Engine SSD Disk
  • C. Compute Engine Persistent Disk
  • D. Cloud Bigtable

正解:A

解説:
Explanation/Reference: https://cloud.google.com/bigquery/docs/locations


質問 # 43
In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.)

  • A. Access Policies
  • B. Boot
  • C. Network Security
  • D. Hardware
  • E. Storage Encryption

正解:A、C

解説:
Explanation
https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-the-shared-responsib


質問 # 44
Your company requires the security and network engineering teams to identify all network anomalies and be able to capture payloads within VPCs. Which method should you use?

  • A. Enable VPC Flow Logs on the subnet.
  • B. Define an organization policy constraint.
  • C. Configure packet mirroring policies.
  • D. Monitor and analyze Cloud Audit Logs.

正解:C

解説:
Explanation
https://cloud.google.com/vpc/docs/packet-mirroring
Packet Mirroring clones the traffic of specified instances in your Virtual Private Cloud (VPC) network and forwards it for examination. Packet Mirroring captures all traffic and packet data, including payloads and headers.


質問 # 45
An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well- established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the "source of truth" directory for identities.
Which solution meets the organization's requirements?

  • A. Cloud Identity
  • B. Google Cloud Directory Sync (GCDS)
  • C. Pub/Sub
  • D. Security Assertion Markup Language (SAML)

正解:A


質問 # 46
Your team creates an ingress firewall rule to allow SSH access from their corporate IP range to a specific bastion host on Compute Engine. Your team wants to make sure that this firewall rule cannot be used by unauthorized engineers who may otherwise have access to manage VMs in the development environment. What should your team do to meet this requirement?

  • A. Create the firewall rule in a Shared VPC with a target of a specific subnet.
  • B. Create the firewall rule with a target of a service account. Centrally manage access to the service account.
  • C. Create the firewall rule with a target of a network tag. Centrally manage access to the tag.
  • D. Create the firewall rule in a Shared VPC with a target of a network tag.

正解:B

解説:
A is not correct because the network tag value can be inferred by examining the Firewall Rule or VM metadata.
B is correct because access to the Service Account is required to use a firewall rule with a target of a Service Account.
C is not correct because the target network tag value can be inferred by examining the Firewall Rule or VM metadata.
D is not correct because the target subnet value can be inferred by examining the Firewall Rule or VM metadata.
https://cloud.google.com/vpc/docs/firewalls#service-accounts-vs-tags


質問 # 47
What are the steps to encrypt data using envelope encryption?

  • A. Generate a data encryption key (DEK) locally.
    Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK.
    Store the encrypted data and the wrapped KEK.
  • B. Generate a key encryption key (KEK) locally.
    Generate a data encryption key (DEK) locally. Encrypt data with the KEK.
    Store the encrypted data and the wrapped DEK.
  • C. Generate a key encryption key (KEK) locally.
    Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK.
    Store the encrypted data and the wrapped DEK.
  • D. Generate a data encryption key (DEK) locally.
    Encrypt data with the DEK.
    Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.

正解:D


質問 # 48
Your team uses a service account to authenticate data transfers from a given Compute Engine virtual machine instance of to a specified Cloud Storage bucket. An engineer accidentally deletes the service account, which breaks application functionality. You want to recover the application as quickly as possible without compromising security.
What should you do?

  • A. Update the permissions of another existing service account and supply those credentials to the applications.
  • B. Temporarily disable authentication on the Cloud Storage bucket.
  • C. Create a new service account with the same name as the deleted service account.
  • D. Use the undelete command to recover the deleted service account.

正解:D

解説:
https://cloud.google.com/iam/docs/creating-managing-service-
accounts#undeleting_a_service_account


質問 # 49
A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects.
Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources.
Which type of access should your team grant to meet this requirement?

  • A. Organization Administrator
  • B. Security Reviewer
  • C. Organization Policy Administrator
  • D. Organization Role Administrator

正解:C

解説:
https://cloud.google.com/resource-manager/docs/access-control-org


質問 # 50
You recently joined the networking team supporting your company's Google Cloud implementation. You are tasked with familiarizing yourself with the firewall rules configuration and providing recommendations based on your networking and Google Cloud experience. What product should you recommend to detect firewall rules that are overlapped by attributes from other firewall rules with higher or equal priority?

  • A. Firewall Insights
  • B. Firewall Rules Logging
  • C. Security Command Center
  • D. VPC Flow Logs

正解:A


質問 # 51
A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in BigQuery.
What technique should the institution use?

  • A. Use Cloud Storage as a federated Data Source.
  • B. Customer-supplied encryption keys (CSEK).
  • C. Customer-managed encryption keys (CMEK).
  • D. Use a Cloud Hardware Security Module (Cloud HSM).

正解:C

解説:
Explanation/Reference: https://cloud.google.com/bigquery/docs/encryption-at-rest


質問 # 52
Which Identity-Aware Proxy role should you grant to an Identity and Access Management (IAM) user to access HTTPS resources?

  • A. lAP-Secured Web App User
  • B. Service Broker Operator
  • C. lAP-Secured Tunnel User
  • D. Security Reviewer

正解:A

解説:
Explanation
IAP-Secured Tunnel User: Grants access to tunnel resources that use IAP. IAP-Secured Web App User:
Access HTTPS resources which use Identity-Aware Proxy, Grants access to App Engine, Cloud Run, and Compute Engine resources.
https://cloud.google.com/iap/docs/managing-access#roles


質問 # 53
Your Security team believes that a former employee of your company gained unauthorized access to Google Cloud resources some time in the past 2 months by using a service account key. You need to confirm the unauthorized access and determine the user activity. What should you do?

  • A. Use the Cloud Data Loss Prevention API to query logs in Cloud Storage.
  • B. Use Security Health Analytics to determine user activity.
  • C. Use the Cloud Monitoring console to filter audit logs by user.
  • D. Use the Logs Explorer to search for user activity.

正解:C


質問 # 54
You have created an OS image that is hardened per your organization's security standards and is being stored in a project managed by the security team. As a Google Cloud administrator, you need to make sure all VMs in your Google Cloud organization can only use that specific OS image while minimizing operational overhead. What should you do? (Choose two.)

  • A. Store the image in every project that is spun up in your organization.
  • B. Grant users the compuce.imageUser role in the OS image project.
  • C. Grant users the compuce.imageUser role in their own projects.
  • D. Set up an image access organization policy constraint, and list the security team managed project in the project's allow list.
  • E. Remove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.

正解:C、D


質問 # 55
You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?

  • A. Create a custom service account for the cluster Enable the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.
  • B. Create a custom service account for the cluster Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level.
  • C. Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials.
  • D. Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/iam.disableServiceAccountCreation organization policy at the project level.

正解:A


質問 # 56
You are working with a client that is concerned about control of their encryption keys for sensitive data. The client does not want to store encryption keys at rest in the same cloud service provider (CSP) as the data that the keys are encrypting. Which Google Cloud encryption solutions should you recommend to this client?
(Choose two.)

  • A. Cloud External Key Manager
  • B. Customer-managed encryption keys
  • C. Customer-supplied encryption keys.
  • D. Google default encryption
  • E. Secret Manager

正解:A、C


質問 # 57
You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to-know basis to the HR team. What should you do?

  • A. Perform data masking with the DLP API and store that data in BigQuery for later use.
  • B. Perform data redaction with the DLP API and store that data in BigQuery for later use.
  • C. Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.
  • D. Perform data inspection with the DLP API and store that data in BigQuery for later use.

正解:D

解説:
Explanation/Reference: https://towardsdatascience.com/bigquery-pii-and-cloud-data-loss-prevention-dlp-take-it-to-the-next- level-with-data-catalog-c47c31bcf677


質問 # 58
You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine. Which option should you recommend?

  • A. Compute Engine guest attributes
  • B. Cloud Key Management Service
  • C. Compute Engine custom metadata
  • D. Secret Manager

正解:B


質問 # 59
A company's application is deployed with a user-managed Service Account key. You want to use Google- recommended practices to rotate the key.
What should you do?

  • A. Create a new key, and use the new key in the application. Store the old key on the system as a backup key.
  • B. Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam- account=IAM_ACCOUNT --key=NEW_KEY.
  • C. Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam- account=IAM_ACCOUNT.
  • D. Create a new key, and use the new key in the application. Delete the old key from the Service Account.

正解:D

解説:
Explanation/Reference: https://cloud.google.com/iam/docs/understanding-service-accounts


質問 # 60
......


Google Professional-Cloud-Security-Engineer試験は、安全なGoogle Cloud Platformソリューションの設計と実装能力を測定する認定試験です。この試験は、クラウドセキュリティ、データ保護、コンプライアンス、およびネットワークセキュリティの候補者の知識と専門知識をテストするように設計されています。この試験は、Google Cloud Platform上のデータとアプリケーションを保護する責任を持つクラウドセキュリティの専門家やエンジニアを対象としています。

 

究極のガイドProfessional-Cloud-Security-Engineer認証試験準備Google Cloud Certified:https://www.passtest.jp/Google/Professional-Cloud-Security-Engineer-shiken.html

無料最新のGoogle Cloud Certified Professional-Cloud-Security-Engineerリアル試験問題と解答:https://drive.google.com/open?id=1YzlAv382jBwu_ACiZ4eyuyY4HnJJ4oYp