Professional-Cloud-Security-Engineer試験無料問題集「Google Cloud Certified - Professional Cloud Security Engineer 認定」

A. Set the reauthentication frequency (or the Google Cloud Session Control to one hour.

B. Set the organization policy constraint constraints/iam. serviceAccountKeyExpiryHours to one hour and inheritFromParent to false.

C. Set the session duration for the Google session control to one hour.

D. Set the organization policy constraint
constraints/iam.allowServiceAccountCredentialLifetimeExtension to one hour.

A. SSL Proxy Load Balancing

B. Network Load Balancing

C. NAT Gateway

D. Cloud Armor

A. Cloud Identity-Aware Proxy

B. Cloud Endpoints

C. Cloud VPN

D. Cloud Armor

A. Deploy Assured Workloads.

B. Deploy resources only to regions permitted by data residency requirements

C. Use Data Access logging and Access Transparency logging to confirm that no users are accessing data from another region.

D. Enable Access Transparency Logging.

A. Data Access

B. Admin Activity

C. Access Transparency

D. System Event

A. Write a custom script to identify existing Google Cloud users and call the Admin SDK Directory API totransfer their account.

B. Configure GCDS and use GCDS search rules lo sync these users.

C. Configure GCDS and use GCDS exclusion rules to ensure users are not suspended.

D. Use the transfer tool to migrate unmanaged users.

A. Disable the Cloud KMS API.

B. Enable automatic key version rotation on a regular schedule.

C. Manually rotate key versions on an ad hoc schedule.

D. Limit the number of messages encrypted with each key version.

E. Disable and revoke access to compromised keys.

A. Configure Secure Shell Access (SSH) bastion host in a public network, and allow only the bastion host to connect to the application on port 5601. Use a bastion host as a jump host to connect to the application

B. Configure the bastion host with OS Login enabled and allow connection to port 5601 at VPC firewall Log in to the bastion host from the Google Cloud console by using SSH-in-browser and then to the web application

C. Modify the VPC routing with the default route point to the default internet gateway Modify the VPC Firewall rule to allow access from the internet 0.0.0.0/0 to port 5601 on the application instance.

D. Configure an HTTP Load Balancing instance that points to the managed group with Identity-Aware Proxy (IAP) protection with Google credentials Modify the VPC firewall to allow access from IAP network range

A. Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.

B. Enable theconstraints/compute.skipDefaultNetworkCreationorganization policy constraint at the organization level.

C. Grant your users the 1AM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts thecompute.googleapis.comAPI.

D. Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.

A. Set the minimum length for passwords to be 6 characters.

B. Set the minimum length for passwords to be 8 characters.

C. Set the minimum length for passwords to be 12 characters.

D. Set the minimum length for passwords to be 10 characters.

A. Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.

B. Ask Google to provision the data science manager's account as a Super Administrator in the existing domain.

C. Ask customer's management to discover any other uses of Google managed services, and work with the existing Super Administrator.

D. Register a new domain name, and use that for the new Cloud Identity domain.

A. Use the org policy constraint "Restrict Resource Service Usage'* on your Google Cloud organization node.

B. Use the org policy constraint Google Cloud Platform - Resource Location Restriction" on your Google Cloud organization node.

C. Use Identity-Aware Proxy (IAP) with Access Context Manager to restrict the location of Google Cloud resources.

D. Use Identity and Access Management (1AM) custom roles to ensure that your DevOps team can only create resources in the Europe regions

A. Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.

B. Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.

C. Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.

D. In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.

E. Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.