Professional-Cloud-Security-Engineer 無料問題集「Google Cloud Certified - Professional Cloud Security Engineer」

（A）Grant the billing account creator role to the designated DevOps team.

（B）Remove all users from the Project Creator role at the organizational level.

（C）Add a designated group of users to the Project Creator role at the organizational level.

（D）Create an Organization Policy constraint, and apply it at the organizational level.

（E）Grant the Project Editor role at the organizational level to a designated group of users.

（A）Monitor and analyze Cloud Audit Logs.

（B）Define an organization policy constraint.

（C）Enable VPC Flow Logs on the subnet.

（D）Configure packet mirroring policies.

（A）Grant Compute Admin role to the networking team for each engineering project

（B）Cloud VPN Gateway between all engineering projects using a hub and spoke model

（C）VPC peering between all engineering projects using a hub and spoke model

（D）Shared VPC Network with a host project and service projects

（A）Temporarily disable authentication on the Cloud Storage bucket.

（B）Create a new service account with the same name as the deleted service account.

（C）Update the permissions of another existing service account and supply those credentials to the applications.

（D）Use the undelete command to recover the deleted service account.

（A）*1 Identify buckets with record data
*2 Enable the bucket policy only to ensure that data is retained
*3 Enable bucket lock

（B）*1 Identify buckets with record data
*2 Apply a retention policy and set it to retain for seven years
*3 Remove any Identity and Access Management (IAM) roles that contain the storage buckets update permission

（C）* 1 Identify buckets with record data
*2 Apply a retention policy and set it to retain for seven years
*3 Enable bucket lock

（D）*1 Identify buckets with record data
*2 Apply a retention policy and set it to retain for seven years
*3 Monitor the bucket by using log-based alerts to ensure that no modifications to the retention policy occurs

（A）1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project.
2.Process Cloud Storage objects in SIEM.

（B）1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project.
2.Subscribe SIEM to the topic.

（C）1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project.
2.Process Cloud Storage objects in SIEM.

（D）1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project.
2.Subscribe SIEM to the topic.

（A）Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.

（B）Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

（C）Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

（D）Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

（A）Use customer-supplied encryption keys to manage the key encryption key (KEK).

（B）Use the Cloud Key Management Service to manage a key encryption key (KEK).

（C）Use the Cloud Key Management Service to manage a data encryption key (DEK).

（D）Use customer-supplied encryption keys to manage the data encryption key (DEK).

（A）Hardware Security Module

（B）Client-side encryption

（C）Customer-supplied encryption keys

（D）External Key Manager

（E）Confidential Computing and Istio

（A）Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is locatedin Project A.

（B）Configure an ingress policy for the perimeter in Project A and allow access for the service account in ProjectB to collect messages.

（C）Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project A.

（D）Create a perimeter bridge between Project A and Project B to allow the required communication betweenboth projects.

（A）1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).
2. In Cloud KMS, grant your Google Cloud project access to use the key.

（B）1. Create or use an existing key with a unique uniform resource identifier (URI) in your Google Cloud project.
2. Grant your Google Cloud project access to a supported external key management partner system.

（C）1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system.
2. In the external key management partner system, grant access for this key to use your Google Cloud project.

（D）1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).
2. In Cloud KMS, grant your Google Cloud project access to use the key.

（A）Enable theconstraints/storage.uniformBucketLevelAccessconstraint at the organization level.

（B）Enable theconstraints/storage.publicAccessPreventionconstraint at the organization level.

（C）Create a VPC Service Controls perimeter that protects the storage.googleapis.com service in your projects that contains buckets. Add any new project that contains a bucket to the perimeter.

（D）Create an hourly cron job to run a Cloud Function that finds public buckets and makes them private.

（A）Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.

（B）Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.

（C）Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.

（D）Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.