Professional-Cloud-Security-Engineer 無料問題集「Google Cloud Certified - Professional Cloud Security Engineer」
An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google's responsibility lies. They are mostly running workloads using Google Cloud's Platform-as-a-Service (PaaS) offerings, including App Engine primarily.
Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?
Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?
正解:D
解答を投票する
解説: (JPNTest メンバーにのみ表示されます)
You manage a mission-critical workload for your organization, which is in a highly regulated industry The workload uses Compute Engine VMs to analyze and process the sensitive data after it is uploaded to Cloud Storage from the endpomt computers. Your compliance team has detected that this workload does not meet the data protection requirements for sensitive data. You need to meet these requirements;
* Manage the data encryption key (DEK) outside the Google Cloud boundary.
* Maintain full control of encryption keys through a third-party provider.
* Encrypt the sensitive data before uploading it to Cloud Storage
* Decrypt the sensitive data during processing in the Compute Engine VMs
* Encrypt the sensitive data in memory while in use in the Compute Engine VMs What should you do?
Choose 2 answers
* Manage the data encryption key (DEK) outside the Google Cloud boundary.
* Maintain full control of encryption keys through a third-party provider.
* Encrypt the sensitive data before uploading it to Cloud Storage
* Decrypt the sensitive data during processing in the Compute Engine VMs
* Encrypt the sensitive data in memory while in use in the Compute Engine VMs What should you do?
Choose 2 answers
正解:B、C
解答を投票する
解説: (JPNTest メンバーにのみ表示されます)
You have a highly sensitive BigQuery workload that contains personally identifiable information (Pll) that you want to ensure is not accessible from the internet. To prevent data exfiltration only requests from authorized IP addresses are allowed to query your BigQuery tables.
What should you do?
What should you do?
正解:A
解答を投票する
Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team.
Which type of networking design should your team use to meet these requirements?
Which type of networking design should your team use to meet these requirements?
正解:D
解答を投票する
Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.
What should your team grant to Engineering Group A to meet this requirement?
What should your team grant to Engineering Group A to meet this requirement?
正解:D
解答を投票する
解説: (JPNTest メンバーにのみ表示されます)
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements:
Only allows communication between the Web and App tiers.
Enforces consistent network security when autoscaling the Web and App tiers.
Prevents Compute Engine Instance Admins from altering network traffic.
What should you do?
Only allows communication between the Web and App tiers.
Enforces consistent network security when autoscaling the Web and App tiers.
Prevents Compute Engine Instance Admins from altering network traffic.
What should you do?
正解:C
解答を投票する
解説: (JPNTest メンバーにのみ表示されます)
A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end-user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection.
Which product should be used to meet these requirements?
Which product should be used to meet these requirements?
正解:B
解答を投票する
You control network traffic for a folder in your Google Cloud environment. Your folder includes multiple projects and Virtual Private Cloud (VPC) networks You want to enforce on the folder level that egress connections are limited only to IP range 10.58.5.0/24 and only from the VPC network dev-vpc." You want to minimize implementation and maintenance effort What should you do?
正解:B
解答を投票する
解説: (JPNTest メンバーにのみ表示されます)
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.
Which cost reduction options should you recommend?
Which cost reduction options should you recommend?
正解:D
解答を投票する
解説: (JPNTest メンバーにのみ表示されます)
A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to manage and rotate the encryption keys.
Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?
Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?
正解:A
解答を投票する
解説: (JPNTest メンバーにのみ表示されます)
You are the security admin of your company. Your development team creates multiple GCP projects under the
"implementation" folder for several dev, staging, and production workloads. You want to prevent data exfiltration by malicious insiders or compromised code by setting up a security perimeter. However, you do not want to restrict communication between the projects.
What should you do?
"implementation" folder for several dev, staging, and production workloads. You want to prevent data exfiltration by malicious insiders or compromised code by setting up a security perimeter. However, you do not want to restrict communication between the projects.
What should you do?
正解:A
解答を投票する
解説: (JPNTest メンバーにのみ表示されます)
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements:
The Cloud Storage bucket in Project A can only be readable from Project B.
The Cloud Storage bucket in Project A cannot be accessed from outside the network.
Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket.
What should the security team do?
The Cloud Storage bucket in Project A can only be readable from Project B.
The Cloud Storage bucket in Project A cannot be accessed from outside the network.
Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket.
What should the security team do?
正解:B
解答を投票する
解説: (JPNTest メンバーにのみ表示されます)
Your team uses a service account to authenticate data transfers from a given Compute Engine virtual machine instance of to a specified Cloud Storage bucket. An engineer accidentally deletes the service account, which breaks application functionality. You want to recover the application as quickly as possible without compromising security.
What should you do?
What should you do?
正解:D
解答を投票する
解説: (JPNTest メンバーにのみ表示されます)
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.
Which Cloud Data Loss Prevention API technique should you use to accomplish this?
Which Cloud Data Loss Prevention API technique should you use to accomplish this?
正解:A
解答を投票する
解説: (JPNTest メンバーにのみ表示されます)