最新的Google Cloud Certified認證 Professional-Cloud-Security-Engineer考試題庫

問題1

Your organization hosts a financial services application running on Compute Engine instances for a third- party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:
The network connection must be encrypted.
The communication between servers must be over private IP addresses.
What should you do?

A. Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.

B. Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

C. Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

D. Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.

正確答案: C

說明：（僅 VCESoft 成員可見）

問題2

Your application is deployed as a highly available cross-region solution behind a global external HTTP(S) load balancer. You notice significant spikes in traffic from multiple IP addresses but it is unknown whether the IPs are malicious. You are concerned about your application's availability. You want to limit traffic from these clients over a specified time interval.
What should you do?

A. Configure a deny action by using Google Cloud Armor to deny the clients that issued too many requests over the specified time interval.

B. Configure a firewall rule in your VPC to throttle traffic from the identified IP addresses.

C. Configure a throttle action by using Google Cloud Armor to limit the number of requests per client over a specified time interval.

D. Configure a rate_based_ban action by using Google Cloud Armor and set the ban_duration_sec parameter to the specified time interval.

正確答案: D

說明：（僅 VCESoft 成員可見）

問題3

You're developing the incident response plan for your company. You need to define the access strategy that your DevOps team will use when reviewing and investigating a deployment issue in your Google Cloud environment. There are two main requirements:
Least-privilege access must be enforced at all times.
The DevOps team must be able to access the required resources only during the deployment issue.
How should you grant access while following Google-recommended best practices?

A. Assign the Project Viewer Identity and Access Management (1AM) role to the DevOps team.

B. Create a service account, and grant it the Project Owner 1AM role. Give the Service Account User Role on this service account to the DevOps team.

C. Create a custom 1AM role with limited list/view permissions, and assign it to the DevOps team.

D. Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team.

正確答案: D

說明：（僅 VCESoft 成員可見）

問題4

Your organization wants to be General Data Protection Regulation (GDPR) compliant You want to ensure that your DevOps teams can only create Google Cloud resources in the Europe regions.
What should you do?

A. Use Identity and Access Management (1AM) custom roles to ensure that your DevOps team can only create resources in the Europe regions

B. Use Identity-Aware Proxy (IAP) with Access Context Manager to restrict the location of Google Cloud resources.

C. Use the org policy constraint Google Cloud Platform - Resource Location Restriction" on your Google Cloudorganization node.

D. Use the org policy constraint "Restrict Resource Service Usage'* on your Google Cloud organization node.

正確答案: C

說明：（僅 VCESoft 成員可見）

問題5

You define central security controls in your Google Cloud environment for one of the folders in your organization you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later you receive an alert about a new VM with an external IP address under that folder.
What could have caused this alert?

A. At project level, the organizational policy control has been overwritten with an 'allow' value.

B. The VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.

C. The policy constraint on the folder level does not have any effect because of an allow" value for that constraint on the organizational level.

D. The organizational policy constraint wasn't properly enforced and is running in "dry run mode.

正確答案: A

說明：（僅 VCESoft 成員可見）

問題6

You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to-know basis to the HR team. What should you do?

A. Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.

B. Perform data redaction with the DLP API and store that data in BigQuery for later use.

C. Perform data inspection with the DLP API and store that data in BigQuery for later use.

D. Perform data masking with the DLP API and store that data in BigQuery for later use.

正確答案: A

說明：（僅 VCESoft 成員可見）

問題7

You are responsible for the operation of your company's application that runs on Google Cloud. The database for the application will be maintained by an external partner. You need to give the partner team access to the database. This access must be restricted solely to the database and can not extend to any other resources within your company's network. Your solution should follow Google-recommended practices. What should you do?

A. Add a public IP address to the application's database. Create database users for each of the partner's employees. Securely distribute the credentials for these users to the partner team.

B. Configure Workforce Identity Federation for the partner. Connect the identity pool provider to the partner's identity provider. Grant the workforce pool resources access to the database.

C. Create accounts for the partner team in your corporate identity provider. Synchronize these accounts with Google Cloud Identity. Grant the accounts access to the database.

D. Ask the partner team to set up Cloud Identity accounts within their own corporate environment and identity provider. Grant the partner's Cloud Identity accounts access to the database.

正確答案: B

說明：（僅 VCESoft 成員可見）

問題8

Your organization recently activated the Security Command Center {SCO standard tier. There are a few Cloud Storage buckets that were accidentally made accessible to the public. You need to investigate the impact of the incident and remediate it.
What should you do?

A. * 1 Change bucket permissions to limit access* 2 Query the data access audit logs for any unauthorized access to the buckets* 3 After the misconfiguration is corrected mute the finding in the Security Command Center

B. * 1 Change permissions to limit access for authorized users* 2 Enforce a VPC Service Controls perimeter around all the production projects to immediately stop any unauthorized access* 3 Review the administrator activity audit logs to report on any unauthorized access

C. * 1 Remove the Identity and Access Management (IAM) granting access to allusers from the buckets* 2 Apply the organization policy storage. unifromBucketLevelAccess to prevent regressions* 3 Query the data access logs to report on unauthorized access

D. * 1 Change the bucket permissions to limit access* 2 Query the buckets usage logs to report on unauthorized access to the data* 3 Enforce the organization policy storage.publicAccessPrevention to avoid regressions

正確答案: A

說明：（僅 VCESoft 成員可見）

問題9

How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?

A. Build a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs.

B. Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system.

C. Send all logs to the SIEM system via an existing protocol such as syslog.

D. Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow.

正確答案: D

說明：（僅 VCESoft 成員可見）

問題10

You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?

A. Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials.

B. Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/iam.
disableServiceAccountCreation organization policy at the project level.

C. Create a custom service account for the cluster Enable the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.

D. Create a custom service account for the cluster Enable the constraints/iam.
disableServiceAccountKeyCreation organization policy at the project level.

正確答案: D

說明：（僅 VCESoft 成員可見）

最新的Google Cloud Certified - Professional Cloud Security Engineer - Professional-Cloud-Security-Engineer免費考試真題

最新更新

站內鏈接

聯系我們