Professional-Cloud-Security-Engineer 無料問題集「Google Cloud Certified - Professional Cloud Security Engineer」

（A）1. Set up two VPC networks: one trusted and the other untrusted, and peer them together. 2.
Configure a custom route on each network pointed to the virtual appliance.

（B）1. Set up one VPC with two subnets: one trusted and the other untrusted. 2. Configure a custom route for all RFC1918 subnets pointed to the virtual appliance.

（C）1. Set up one VPC with two subnets: one trusted and the other untrusted. 2. Configure a custom route for all traffic (0.0.0.0/0) pointed to the virtual appliance.

（D）1. Set up two VPC networks: one trusted and the other untrusted. 2. Configure a virtual appliance using multiple network interfaces, with each interface connected to one of the VPC networks.

（A）Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

（B）Migrate the application into an isolated project using a "Lift & Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

（C）Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project. Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

（D）Migrate the application into an isolated project using a "Lift & Shift" approach in a custom network.
Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.

（A）Use a physical token to secure the super admin credentials with multi-factor authentication (MFA).

（B）Use a private connection to create the super admin accounts to avoid sending your credentials over the Internet.

（C）Disable any Identity and Access Management (IAM) roles for super admin at the organization level in the Google Cloud Console.

（D）Create an access level in the Google Admin console to prevent super admin from logging in to Google Cloud.

（E）Provide non-privileged identities to the super admin users for their day-to-day activities.

（A）Set up VPC peering between the hosts on-premises and the VPC through the internet.

（B）Enforce a security policy that mandates all applications to encrypt data with a Cloud Key Management Service (KMS) key before you send it over the network.

（C）Route all on-premises traffic to Google Cloud through a dedicated or Partner Interconnect to a VPC with Private Google Access enabled.

（D）Route all on-premises traffic to Google Cloud through an IPsec VPN tunnel to a VPC with Private Google Access enabled.

（A）View patch management data in Artifact Registry.

（B）Deploy patches with VM Manager by using OS patch management.

（C）View patch management data in a Security Command Center dashboard.

（D）Deploy patches with Security Command Genter by using Rapid Vulnerability Detection.

（E）View patch management data in VM Manager by using OS patch management.

（A）Security Command Center

（B）VPC Flow Logs

（C）Firewall Insights

（D）Firewall Rules Logging

（A）Create a service account key, and add it to the GitHub repository content.

（B）Create a service account key, and add it to the GitHub pipeline configuration file.

（C）Configure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.

（D）Configure workload identity federation to use GitHub as an identity pool provider.

（A）Use a Cloud Hardware Security Module (Cloud HSM).

（B）Customer-supplied encryption keys (CSEK).

（C）Customer-managed encryption keys (CMEK).

（D）Use Cloud Storage as a federated Data Source.

（A）Use the Logs Explorer to search for user activity.

（B）Use the Cloud Monitoring console to filter audit logs by user.

（C）Use Security Health Analytics to determine user activity.

（D）Use the Cloud Data Loss Prevention API to query logs in Cloud Storage.

（A）Ensure that the app does not run as PID 1.

（B）Use many container image layers to hide sensitive information.

（C）Remove any unnecessary tools not needed by the app.

（D）Use public container images as a base image for the app.

（E）Package a single app as a container.

（A）Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.

（B）Create an exact replica of your existing perimeter. Add your new access level to the replica.
Update the original perimeter after the access level has been vetted.

（C）Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration. Update the perimeter configuration after the access level has been vetted.

（D）Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.

（A）Cloud Router

（B）Cloud VPN

（C）Cloud NAT

（D）Google Cloud Armor

（A）Set up an ACL with OWNER permission to a scope of allUsers.

（B）Set up an ACL with READER permission to a scope of allUsers.

（C）Set up a default bucket ACL and manage access for users using IAM.

（D）Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.

（A）A project level, the organizational policy control has been overwritten with an "allow" value.

（B）The organizational policy constraint wasn't properly enforced and is running in "dry run" mode.

（C）The VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.

（D）The policy constraint on the folder level does not have any effect because of an "allow" value for that constraint on the organizational level.