Professional Cloud Security Engineer 実際試験問題と解答 - 模擬練習 - 受験自信を増やす

Question No : 1
You want to prevent users from accidentally deleting a Shared VPC host project .
Which organization-level policy constraint should you enable?

A.compute.restrictSharedVpcHostProjects
B.compute.restrictXpnProjectLienRemoval
C.compute.restrictSharedVpcSubnetworks
D.compute.sharedReservationsOwnerProjects

正解:
Explanation:
Reference: https://cloud.google.com/vpc/docs/provisioning-shared-vpc

Question No : 2
Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud.
What should you do?

A.Use the Cloud Key Management Service to manage the data encryption key (DEK).
B.Use the Cloud Key Management Service to manage the key encryption key (KEK).
C.Use customer-supplied encryption keys to manage the data encryption key (DEK).
D.Use customer-supplied encryption keys to manage the key encryption key (KEK).

正解:

Question No : 3
How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?

A.Send all logs to the SIEM system via an existing protocol such as syslog.
B.Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system.
C.Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow.
D.Build a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs.

正解:

Question No : 4
A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to manage and rotate the encryption keys.
Which boot disk encryption solution should you use on the cluster to meet this customer’s requirements?

A.Customer-supplied encryption keys (CSEK)
B.Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
C.Encryption by default
D.Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis

正解:
Explanation:
Reference https://cloud.google.com/kubernetes-engine/docs/how-to/dynamic-provisioning-cmek

Question No : 5
A customer’s internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).
How should the team complete this task?

A.Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
B.Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
C.Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
D.Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.

正解:
Explanation:
Reference: https://cloud.google.com/storage/docs/encryption/customer-supplied-keys

Question No : 6
You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.
What should you do?

A.Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DE
B.Store both the encrypted data and the encrypted DE
C.Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DE
D.Store both the encrypted data and the KE
E.Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DE
F.Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KE

正解:
Explanation:
Reference: https://cloud.google.com/kms/docs/envelope-encryption

Question No : 7
You are creating an internal App Engine application that needs to access a user’s Google Drive on the user’s behalf. Your company does not want to rely on the current user’s credentials. It also wants to follow Google- recommended practices.
What should you do?

A.Create a new Service account, and give all application users the role of Service Account User.
B.Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.
C.Use a dedicated G Suite Admin account, and authenticate the application’s operations with these G Suite credentials.
D.Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.

正解:
Explanation:
https://developers.google.com/admin-sdk/directory/v1/guides/delegation

Question No : 8
A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects.
Which two steps should the company take to meet these requirements? (Choose two.)

A.Create a project with multiple VPC networks for each environment.
B.Create a folder for each development and production environment.
C.Create a Google Group for the Engineering team, and assign permissions at the folder level.
D.Create an Organizational Policy constraint for each folder environment.
E.Create projects for each environment, and grant IAM rights to each engineering user.

正解:

Question No : 9
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.
Which cost reduction options should you recommend?

A.Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
B.Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.
C.Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
D.Use FindingLimits and TimespanContfig to sample data and minimize transformation units.

正解:
Explanation:
Reference: https://cloud.google.com/dlp/docs/reference/rest/v2/InspectJobConfig

Question No : 10
Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team.
Which type of networking design should your team use to meet these requirements?

A.Shared VPC Network with a host project and service projects
B.Grant Compute Admin role to the networking team for each engineering project
C.VPC peering between all engineering projects using a hub and spoke model
D.Cloud VPN Gateway between all engineering projects using a hub and spoke model

正解:
Explanation:
Reference: https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#centralize_network_control

Question No : 11
An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege.
Which option meets the requirement of your team?

A.Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance’s IP address and allows the application to read from the bucket without credentials.
B.Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.
C.Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.
D.Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.

正解:

Question No : 12
Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation.
What should you do?

A.Store the data in a single Persistent Disk, and delete the disk at expiration time.
B.Store the data in a single BigQuery table and set the appropriate table expiration time.
C.Store the data in a single Cloud Storage bucket and configure the bucket’s Time to Live.
D.Store the data in a single BigTable table and set an expiration time on the column families.

正解:

Question No : 13
Your company requires the security and network engineering teams to identify all network anomalies within and across VPCs, internal traffic from VMs to VMs, traffic between end locations on the internet and VMs, and traffic between VMs to Google Cloud services in production .
Which method should you use?

A.Define an organization policy constraint.
B.Configure packet mirroring policies.
C.Enable VPC Flow Logs on the subnet.
D.Monitor and analyze Cloud Audit Logs.

正解:
Explanation:
Reference: https://cloud.google.com/architecture/best-practices-vpc-design

Question No : 14
In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.)

A.Hardware
B.Network Security
C.Storage Encryption
D.Access Policies
E.Boot

正解:

Question No : 15
Configure private access using the restricted.googleapis.com domains in on-premises DNS configurations.

正解: C

Google Professional Cloud Security Engineer 問題練習