最新的Google Cloud Certified認證 Professional-Cloud-Security-Engineer考試題庫

問題1

An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well- established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the "source of truth" directory for identities.
Which solution meets the organization's requirements?

A. Security Assertion Markup Language (SAML)

B. Google Cloud Directory Sync (GCDS)

C. Cloud Identity

D. Pub/Sub

正確答案: B

說明：（僅 VCESoft 成員可見）

問題2

You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive dat a. Your solution has the following requirements:
Schedule key rotation for sensitive data.
Control which region the encryption keys for sensitive data are stored in.
Minimize the latency to access encryption keys for both sensitive and non-sensitive data.
What should you do?

A. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.

B. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.

C. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

D. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.

正確答案: C

說明：（僅 VCESoft 成員可見）

問題3

Your organization has on-premises hosts that need to access Google Cloud APIs You must enforce private connectivity between these hosts minimize costs and optimize for operational efficiency What should you do?

A. Route all on-premises traffic to Google Cloud through an IPsec VPN tunnel to a VPC with Private Google Access enabled.

B. Route all on-premises traffic to Google Cloud through a dedicated or Partner interconnect to a VPC with Private Google Access enabled.

C. Enforce a security policy that mandates all applications to encrypt data with a Cloud Key Management. Service (KMS) key before you send it over the network.

D. Set up VPC peering between the hosts on-premises and the VPC through the internet.

正確答案: B

說明：（僅 VCESoft 成員可見）

問題4

Your company recently published a security policy to minimize the usage of service account keys. On-premises Windows-based applications are interacting with Google Cloud APIs. You need to implement Workload Identity Federation (WIF) with your identity provider on-premises.
What should you do?

A. Set up a workload identity pool with an OpenID Connect (OIDC) service on the name machine Configure a rule to let principals in the pool impersonate the Google Cloud service account.

B. Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS) Configure a rule to let principals in the pool impersonate the Google Cloud service account.

C. Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS) Let all principals in the pool impersonate the Google Cloud service account.

D. Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine Let all principals in the pool impersonate the Google Cloud service account.

正確答案: B

說明：（僅 VCESoft 成員可見）

問題5

Your organization is deploying a serverless web application on Cloud Run that must be publicly accessible over HTTPS To meet security requirements, you need to terminate TLS at the edge, apply threat mitigation, and prepare for geo-based access restrictions What should you do?

A. Deploy an external HTTP(S) load balancer with a serverless NEG that points to the Cloud Run service Use a Google-managed certificate for TLS termination Configure a Cloud Armor policy with geo-based access control

B. Make the Cloud Run service public by enabling allUsers access Configure Identity-Aware Proxy (IAP) for authentication and IP-based access control Use custom SSL certificates for HTTPS

C. Assign a custom domain to the Cloud Run service Enable HTTPS Configure IAM to allow allUsers to invoke the service Use firewall rules and VPC Service Controls for geo-based restriction and traffic filtering

D. Create a Cloud DNS public zone for the Cloud Run URL Bind a static IP to the service Use VPC firewall rules to restrict incoming traffic based on IP ranges and threat signatures

正確答案: A

說明：（僅 VCESoft 成員可見）

問題6

Your Google Cloud environment has one organization node, one folder named Apps." and several projects within that folder The organizational node enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allows members from the terramearth.com organization The "Apps" folder enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allows members from the flowlogistic.com organization. It also has the inheritFromParent: false property.
You attempt to grant access to a project in the Apps folder to the user [email protected].
What is the result of your action and why?

A. The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed.

B. The action succeeds because members from both organizations, terramearth. com or flowlogistic.com, are allowed on projects in the "Apps" folder

C. The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy must be defined on the current project to deactivate the constraint temporarily.

D. The action succeeds and the new member is successfully added to the project's Identity and Access Management (1AM) policy because all policies are inherited by underlying folders and projects.

正確答案: A

說明：（僅 VCESoft 成員可見）

問題7

A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.
Which two strategies should your team use to meet these requirements? (Choose two.)

A. Avoid assigning public IP addresses to the Compute Engine cluster.

B. Turn off IP forwarding on the Compute Engine instances in the cluster.

C. Configure Private Google Access on the Compute Engine subnet

D. Make sure that the Compute Engine cluster is running on a separate subnet.

E. Configure a Cloud NAT gateway.

正確答案: A,C

說明：（僅 VCESoft 成員可見）

問題8

Your financial services company has an audit requirement under a strict regulatory framework that requires comprehensive, immutable audit trails for all administrative and data access activity that ensures that data is kept for seven years Your current logging is fragmented across individual projects You need to establish a centralized, tamper-proof, long-term logging solution accessible for audits What should you do?

A. Individually configure Cloud Audit Logs for all Google Cloud services in each project Store the logs in regional Cloud Logging buckets with 30-day retention policies

B. Enable Security Command Center across the organization to gain centralized visibility into threats and manage compliance posture for all Google Cloud projects

C. Implement Pub/Sub to stream all audit logs from each project in real-time to an external Security Information and Event Management (SIEM) for long-term analysis

D. Establish organization-level Cloud Logging sinks to export Cloud Audit Logs to a dedicated Cloud Storage bucket with object retention lock

正確答案: D

說明：（僅 VCESoft 成員可見）

問題9

Your team wants to limit users with administrative privileges at the organization level.
Which two roles should your team restrict? (Choose two.)

A. Compute Admin

B. Organization Role Viewer

C. Organization Administrator

D. Super Admin

E. GKE Cluster Admin

正確答案: C,D

說明：（僅 VCESoft 成員可見）

問題10

You must ensure that the keys used for at-rest encryption of your data are compliant with your organization's security controls. One security control mandates that keys get rotated every 90 days. You must implement an effective detection strategy to validate if keys are rotated as required. What should you do?

A. Assess the keys in the Cloud Key Management Service by implementing code in Cloud Run. If a key is not rotated after 90 days, raise a finding in Security Command Center.

B. Identify keys that have not been rotated by using Security Health Analytics. If a key is not rotated after 90 days, a finding in Security Command Center is raised.

C. Analyze the crypto key versions of the keys by using data from Cloud Asset Inventory. If an active key is older than 90 days, send an alert message through your incident notification channel.

D. Define a metric that checks for timely key updates by using Cloud Logging. If a key is not rotated after 90 days, send an alert message through your incident notification channel.

正確答案: C

問題11

A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end-user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection.
Which product should be used to meet these requirements?

A. VPC Firewall Rules

B. Cloud Identity and Access Management

C. Cloud Armor

D. Cloud CDN

正確答案: A

說明：（僅 VCESoft 成員可見）

問題12

Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:
The network connection must be encrypted.
The communication between servers must be over private IP addresses.
What should you do?

A. Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.

B. Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

C. Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

D. Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.

正確答案: C

說明：（僅 VCESoft 成員可見）

問題13

A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.
How should the customer achieve this using Google Cloud Platform?

A. Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL.

B. Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.

C. Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.

D. Use Cloud Source Repositories, and store secrets in Cloud SQL.

正確答案: B

說明：（僅 VCESoft 成員可見）

問題14

You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud. Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.)

A. Use SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.

B. Use Google default encryption.

C. Provision users with basic roles using Google's Identity and Access Management (1AM) service.

D. Manually add users to Google Cloud.

E. Provide granular access with predefined roles.

正確答案: A,E

說明：（僅 VCESoft 成員可見）

問題15

Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups. Which Google Cloud service should you use?

A. Cloud DNS with DNSSEC

B. HTTP(S) Load Balancing

C. Google Cloud Armor

D. Cloud NAT

正確答案: A

說明：（僅 VCESoft 成員可見）

問題16

Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements:
Only allows communication between the Web and App tiers.
Enforces consistent network security when autoscaling the Web and App tiers.
Prevents Compute Engine Instance Admins from altering network traffic.
What should you do?

A. 1. Configure all running Web and App servers with respective network tags.
2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.

B. 1. Re-deploy the Web and App servers with instance templates configured with respective network tags.
2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.

C. 1. Configure all running Web and App servers with respective service accounts.
2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.

D. 1. Re-deploy the Web and App servers with instance templates configured with respective service accounts.
2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.

正確答案: D

說明：（僅 VCESoft 成員可見）

問題17

A customer wants to deploy a large number of 3-tier web applications on Compute Engine.
How should the customer ensure authenticated network separation between the different tiers of the application?

A. Run each tier with a different Service Account (SA), and use SA-based firewall rules.

B. Run each tier in its own Project, and segregate using Project labels.

C. Run each tier with its own VM tags, and use tag-based firewall rules.

D. Run each tier in its own subnet, and use subnet-based firewall rules.

正確答案: A

說明：（僅 VCESoft 成員可見）

問題18

You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account.
What should you do?

A. Query Stackdriver Monitoring Workspace.

B. Query Admin Activity logs.

C. Query Data Access logs.

D. Query Access Transparency logs.

正確答案: B

說明：（僅 VCESoft 成員可見）

最新的Google Cloud Certified - Professional Cloud Security Engineer - Professional-Cloud-Security-Engineer免費考試真題

最新更新

站內鏈接

聯系我們