Professional-Cloud-Security-Engineer試験無料問題集（268題）「Google Cloud Certified

出題：1

Your organization is using Vertex AI Workbench Instances. You must ensure that newly deployed instances are automatically kept up-to-date and that users cannot accidentally alter settings in the operating system. What should you do?

A. Assign the AI Notebooks Runner and AI Notebooks Viewer roles to the users of the AI Workbench Instances.

B. Implement a firewall rule that prevents Secure Shell access to the corresponding Google Compute Engine instances by using tags.

C. Enable the VM Manager and ensure the corresponding Google Compute Engine instances are added.

D. Enforce the disableRootAccess and requireAutoUpgradeSchedule organization policies for newly deployed instances.

正解：D 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：2

An organization's typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review.
How should you advise this organization?

A. All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.

B. Use Forseti with Firewall filters to catch any unwanted configurations in production.

C. Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.

D. Route all VPC traffic through customer-managed routers to detect malicious patterns in production.

正解：C 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：3

Your company requires the security and network engineering teams to identify all network anomalies within and across VPCs, internal traffic from VMs to VMs, traffic between end locations on the internet and VMs, and traffic between VMs to Google Cloud services in production. Which method should you use?

A. Enable VPC Flow Logs on the subnet.

B. Monitor and analyze Cloud Audit Logs.

C. Configure packet mirroring policies.

D. Define an organization policy constraint.

正解：C 解答を投票する

出題：4

You have numerous private virtual machines on Google Cloud. You occasionally need to manage the servers through Secure Socket Shell (SSH) from a remote location. You want to configure remote access to the servers in a manner that optimizes security and cost efficiency.
What should you do?

A. Create a jump host instance with public IP Manage the instances by connecting through the jump host.

B. Create a site-to-site VPN from your corporate network to Google Cloud.

C. Create a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range Grant the role of an IAP- secured Tunnel User to the administrators.

D. Configure server instances with public IP addresses Create a firewall rule to only allow traffic from your corporate IPs.

正解：C 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：5

You are a Security Administrator at your organization. You need to restrict service account creation capability within production environments. You want to accomplish this centrally across the organization. What should you do?

A. Use organization policy constraints/iam.disableServiceAccountKeyUpload boolean to disable the creation of new service accounts.

B. Use organization policy constraints/iam.disableServiceAccountKeyCreation boolean to disable the creation of new service accounts.

C. Use Identity and Access Management (IAM) to restrict access of all users and service accounts that have access to the production environment.

D. Use organization policy constraints/iam.disableServiceAccountCreation boolean to disable the creation of new service accounts.

正解：D 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：6

Your organization's Google Cloud VMs are deployed via an instance template that configures them with a public IP address in order to host web services for external users. The VMs reside in a service project that is attached to a host (VPC) project containing one custom Shared VPC for the VMs. You have been asked to reduce the exposure of the VMs to the internet while continuing to service external users. You have already recreated the instance template without a public IP address configuration to launch the managed instance group (MIG). What should you do?

A. Deploy a Cloud NAT Gateway in the host (VPC) project for the MIG.

B. Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.

C. Deploy a Cloud NAT Gateway in the service project for the MIG.

D. Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend.

正解：D 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：7

In an effort for your company messaging app to comply with FIPS 140-2, a decision was made to use GCP compute and network services. The messaging app architecture includes a Managed Instance Group (MIG) that controls a cluster of Compute Engine instances. The instances use Local SSDs for data caching and UDP for instance-to-instance communications. The app development team is willing to make any changes necessary to comply with the standard Which options should you recommend to meet the requirements?

A. Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections.

B. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.

C. Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.

D. Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.

正解：D 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：8

You have noticed an increased number of phishing attacks across your enterprise user accounts. You want to implement the Google 2-Step Verification (2SV) option that uses a cryptographic signature to authenticate a user and verify the URL of the login page. Which Google 2SV option should you use?

A. Cloud HSM keys

B. Titan Security Keys

C. Google Authenticator app

D. Google prompt

正解：B 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：9

You are using Security Command Center (SCC) to protect your workloads and receive alerts for suspected security breaches at your company. You need to detect cryptocurrency mining software.
Which SCC service should you use?

A. Web Security Scanner

B. Virtual Machine Threat Detection

C. Rapid Vulnerability Detection

D. Container Threat Detection

正解：B 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：10

You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources. Your export must meet the following requirements:
Export related logs for all projects in the Google Cloud organization.
Export logs in near real-time to an external SIEM.
What should you do? (Choose two.)

A. Enable Data Access audit logs at the organization level to apply to all projects.

B. Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.

C. Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.

D. Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.

E. Create a Log Sink at the organization level with a Pub/Sub destination.

正解：A,D 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：11

Your privacy team uses crypto-shredding (deleting encryption keys) as a strategy to delete personally identifiable information (PII). You need to implement this practice on Google Cloud while still utilizing the majority of the platform's services and minimizing operational overhead. What should you do?

A. Use Google default encryption to delete specific encryption keys.

B. Use customer-managed encryption keys to delete specific encryption keys.

C. Use Cloud External Key Manager to delete specific encryption keys.

D. Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises

正解：B 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：12

You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine. Which option should you recommend?

A. Cloud Key Management Service

B. Compute Engine guest attributes

C. Secret Manager

D. Compute Engine custom metadata

正解：C 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

Professional-Cloud-Security-Engineer試験無料問題集「Google Cloud Certified - Professional Cloud Security Engineer 認定」