Professional-Cloud-Security-Engineer 無料問題集「Google Cloud Certified - Professional Cloud Security Engineer」

（A）Implement a VPC firewall policy Activate packet inspection and create an allow rule to validate and verify the device certificate.

（B）Implement an Identity and Access Management (1AM) conditional policy to verify the device certificate

（C）Implement an organization policy to verify the certificate from the access context.

（D）Implement an Access Policy in BeyondCorp Enterprise to verify the device certificate Create an access binding with the access policy just created.

（A）Use customer-supplied encryption keys to manage the key encryption key (KEK).

（B）Use the Cloud Key Management Service to manage a key encryption key (KEK).

（C）Use the Cloud Key Management Service to manage a data encryption key (DEK).

（D）Use customer-supplied encryption keys to manage the data encryption key (DEK).

（A）*1 Identify buckets with record data
*2 Enable the bucket policy only to ensure that data is retained
*3 Enable bucket lock

（B）*1 Identify buckets with record data
*2 Apply a retention policy and set it to retain for seven years
*3 Remove any Identity and Access Management (IAM) roles that contain the storage buckets update permission

（C）* 1 Identify buckets with record data
*2 Apply a retention policy and set it to retain for seven years
*3 Enable bucket lock

（D）*1 Identify buckets with record data
*2 Apply a retention policy and set it to retain for seven years
*3 Monitor the bucket by using log-based alerts to ensure that no modifications to the retention policy occurs

（A）Create a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range Grant the role of an IAP-secured Tunnel User to the administrators.

（B）Create a jump host instance with public IP Manage the instances by connecting through the jump host.

（C）Create a site-to-site VPN from your corporate network to Google Cloud.

（D）Configure server instances with public IP addresses Create a firewall rule to only allow traffic from yourcorporate IPs.

（A）Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.

（B）Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

（C）Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

（D）Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

（A）TCP Proxy Load Balancing

（B）Network Load Balancing

（C）SSL Proxy Load Balancing

（D）HTTP(S) Load Balancing

（A）*1 Grant logging.admin role to the security team at the organization resource level.
*2 Grant logging.admin role to the developer team at the organization resource level.

（B）*1 Grant logging, viewer rote to the security team at the organization resource level.
*2 Grant logging, viewer rote to the developer team at the folder resource level that contains all the dev projects.

（C）*1 Grant logging.admin role to the security team at the organization resource level.
*2 Grant logging. viewer rote to the developer team at the folder resource level that contains all the dev projects.

（D）*1 Grant logging. viewer rote to the security team at the organization resource level.
*2 Grant logging. admin role to the developer team at the organization resource level.

（A）Enable an organization policy to disable service accounts from being created.

（B）Enable an organization policy to prevent service account keys from being created.

（C）Configure Secret Manager to manage service account keys.

（D）Remove theiam.serviceAccounts.getAccessTokenpermission from users.

（A）* 1. Enable vulnerability scanning in the Artifact Registry settings.
* 2. Use Cloud Build to build the images
* 3. Push the images to the Artifact Registry for automatic scanning.
* 4. View the reports in the Artifact Registry.

（B）* 1. Get a GitHub subscription.
* 2. Build the images in Cloud Build and store them in GitHub for automatic scanning
* 3. Download the report from GitHub and share with the Security Team

（C）1. Enable Container Threat Detection in the Security Command Center Premium tier.
* 2. Upgrade all clusters that are not on a supported version of GKE to the latest possible GKE version.
* 3. View and share the results from the Security Command Center

（D）* 1. Use an open source tool in Cloud Build to scan the images.
* 2. Upload reports to publicly accessible buckets in Cloud Storage by using gsutil
* 3. Share the scan report link with your security department.

（A）Use Resource Manager on the organization level.

（B）Use Forseti Security to automate inventory snapshots.

（C）Use Stackdriver to create a dashboard across all projects.

（D）Use Security Command Center to view all assets across the organization.

（A）On the Google Admin console, use a super administrator account to reset the user account's credentials. Ask the user to update their credentials after their first login.

（B）On the Google Admin console, temporarily disable the 2SV requirements for all users. Ask the user to log in and add their new second factor to their account. Re-enable the 2SV requirement for all users.

（C）On the Google Admin console, select the appropriate user account, and generate a backup code to allow the user to sign in. Ask the user to update their second factor.

（D）On the Google Admin console, select the appropriate user account, and temporarily disable 2SV for this account Ask the user to update their second factor, and then re-enable 2SV for this account.

（A）Create a folder for each development and production environment.

（B）Create a project with multiple VPC networks for each environment.

（C）Create a Google Group for the Engineering team, and assign permissions at the folder level.

（D）Create an Organizational Policy constraint for each folder environment.

（E）Create projects for each environment, and grant IAM rights to each engineering user.

（A）Grant your users the 1AM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts thecompute.googleapis.comAPI.

（B）Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.

（C）Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.

（D）Enable theconstraints/compute.skipDefaultNetworkCreationorganization policy constraint at the organization level.

（A）1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).
2. In Cloud KMS, grant your Google Cloud project access to use the key.

（B）1. Create or use an existing key with a unique uniform resource identifier (URI) in your Google Cloud project.
2. Grant your Google Cloud project access to a supported external key management partner system.

（C）1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system.
2. In the external key management partner system, grant access for this key to use your Google Cloud project.

（D）1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).
2. In Cloud KMS, grant your Google Cloud project access to use the key.

（A）Identity Aware-Proxy

（B）Cloud DNS

（C）TCP/UDP Load Balancing

（D）Cloud NAT

（A）Run a platform security scanner on all instances in the organization.

（B）Notify Google about the pending audit and wait for confirmation before performing the scan.

（C）Contact a Google approved security vendor to perform the audit.

（D）Identify all external assets by using Cloud Asset Inventory and then run a network security scanner againstthem.

（A）Organization Policy Administrator

（B）Organization Administrator

（C）Security Reviewer

（D）Organization Role Administrator