Professional-Cloud-Security-Engineer 無料問題集「Google Cloud Certified - Professional Cloud Security Engineer」

（A）1. Leave the network configuration of the VMs in scope unchanged.
2. Create a new project including a new VPC network "new-vpc".
3. Deploy a network appliance in "new-vpc" to filter access requests and only allow egress connections from "dev-vpc" to 10.58.5.0/24.

（B）1. Attach external IP addresses to the VMs in scope.
2. Define and apply a hierarchical firewall policy on folder level to deny all egress connections and to allow egress to IP range 10.58.5.0/24 from network dev-vpc.

（C）1. Attach external IP addresses to the VMs in scope.
2. Configure a VPC Firewall rule in "dev-vpc" that allows egress connectivity to IP range
10.58.5.0/24 for all source addresses in this network.

（D）1. Leave the network configuration of the VMs in scope unchanged.
2. Enable Cloud NAT for "dev-vpc" and restrict the target range in Cloud NAT to 10.58.5.0/24.

（A）Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.

（B）Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

（C）Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

（D）Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.

（A）On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.

（B）Upload the logs to both the shared bucket and the bucket only accessible by the administrator.
Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.

（C）Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.

（D）On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.

（A）Implement a daily key rotation process that generates a new key and commits it to the source code repository every day.

（B）Create a Google Group with all developers. Assign the group the IAM role of Service Account User, and have developers generate and download their own keys.

（C）Implement a daily key rotation process, and provide developers with a Cloud Storage bucket from which they can download the new key every day.

（D）Create a Google Group with all developers. Assign the group the IAM role of Service Account Admin, and have developers generate and download their own keys.

（A）Create a folder for each development and production environment.

（B）Create a project with multiple VPC networks for each environment.

（C）Create a Google Group for the Engineering team, and assign permissions at the folder level.

（D）Create an Organizational Policy constraint for each folder environment.

（E）Create projects for each environment, and grant IAM rights to each engineering user.

（A）Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.

（B）Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.

（C）Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.

（D）Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.

（A）1. Enable network logs and data access logs for all resources in the "Production" folder.
2. Do not create log sinks to avoid unnecessary costs and latency.
3. Grant the roles "Logs Viewer" and "Browser" at project level to the security operations team.

（B）1. Create a dedicated log sink for each project that is in scope.
2. Use a BigQuery dataset with time partitioning enabled as a destination of the log sinks.
3. Deploy alerts based on log metrics in every project.
4. Grant the role "Monitoring Viewer" to the security operations team in each project.

（C）1. Create one sink for the "Production" folder that includes child resources and one sink for the logs ingested at the organization level that excludes child resources.
2. As destination, use a log bucket with a minimum retention period of 90 days in a project that can be accessed by the security team.
3. Grant the security operations team the role of Security Reviewer at organization level.

（D）1. Create one log sink at the organization level that includes all the child resources.
2. Use as destination a Pub/Sub topic to ingest the logs into the security information and event.
management (SIEM) on-premises, and ensure that the right team can access the SIEM.
3. Grant the Viewer role at organization level to the security operations team.

（A）Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.

（B）Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.

（C）Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.

（D）Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.

（A）Generate a key in your on-premises environment to encrypt the data before you upload the data to the Cloud Storage bucket. Upload the key to the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and have the external key system reject unauthorized accesses.

（B）Generate a key in your on-premises environment and store it in a Hardware Security Module (HSM) that is managed on-premises. Use this key as an external key in the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and set the external key system to reject unauthorized accesses.

（C）Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys backed by a Cloud Hardware Security Module (HSM). Enable data access logs.

（D）Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys.
Configure an IAM deny policy for unauthorized groups.

（A）Admin Activity

（B）Data Access

（C）System Event

（D）Access Transparency

（A）Use a physical token to secure the super admin credentials with multi-factor authentication (MFA).

（B）Use a private connection to create the super admin accounts to avoid sending your credentials over the Internet.

（C）Disable any Identity and Access Management (IAM) roles for super admin at the organization level in the Google Cloud Console.

（D）Create an access level in the Google Admin console to prevent super admin from logging in to Google Cloud.

（E）Provide non-privileged identities to the super admin users for their day-to-day activities.

（A）Change the load balancer backend configuration to use network endpoint groups instead of instance groups.

（B）Create a new load balancer in us-east-2 using the Standard Tier network, and assign a static external IP address.

（C）Create a Cloud VPN connection between the two regions, and enable Google Private Access.

（D）Change the load balancer frontend configuration to use the Premium Tier network, and add the new instance group.

（A）INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder's policy.

（B）All load balancer types are denied in accordance with the global node's policy.

（C）EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project's policy.

（D）EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project's policies.

（A）Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.

（B）Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.

（C）Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.

（D）Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.

（A）Set up a VPC in a project. Assign the Compute Network Admin role to the security team, and assign the Compute Admin role to the developers.

（B）Set up multiple VPC networks, and set up multi-NIC virtual appliances to connect the networks.

（C）Set up VPC Network Peering, and allow developers to peer their network with a Shared VPC.

（D）Set up a Shared VPC where the security team manages the firewall rules, and share the network with developers via service projects.

（A）Create a Cloud Function that is automatically triggered when a new virtual machine is created from the trusted image repository. Verify that the image is not deprecated.

（B）Implement an organization policy constraint that enables the Shielded VM service on all projects to enforce the trusted image repository usage.

（C）Implement an organization policy to enforce that boot disks can only be created from images that come from the trusted image project.

（D）Automate a security scanner that verifies that no common vulnerabilities and exposures (CVEs) are present in your trusted image repository.