Professional-Cloud-Security-Engineer 無料問題集「Google Cloud Certified - Professional Cloud Security Engineer」

（A）Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.

（B）Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.

（C）Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.

（D）Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.

（A）Firewall rules that can be created with a tag from one peered network to another peered network

（B）Central management of routes, firewalls, and VPNs for peered networks

（C）Non-transitive peered networks; where only directly peered networks can communicate

（D）Ability to share specific subnets across peered networks

（E）Ability to peer networks that belong to different Google Cloud Platform organizations

（A）A rule that allows all outbound connections

（B）A rule that blocks all outbound connections

（C）A rule that blocks all inbound port 25 connections

（D）A rule that allows all inbound port 80 connections

（E）A rule that denies all inbound connections

（A）TCP/UDP Network

（B）TCP Proxy

（C）Internal TCP/UDP

（D）SSL Proxy

（A）Product documentation for Compute Engine

（B）PCI DSS Requirements and Security Assessment Procedures

（C）Google Cloud Platform: Customer Responsibility Matrix

（D）PCI SSC Cloud Computing Guidelines

（A）Generate a key in your on-premises environment to encrypt the data before you upload the data to the Cloud Storage bucket Upload the key to the Cloud Key ManagementService (KMS). Activate Key Access Justifications (KAJ) and have the external key system reject unauthorized accesses.

（B）Generate a key in your on-premises environment and store it in a Hardware Security Module (HSM) that is managed on-premises Use this key as an external key in the Cloud Key Management Service (KMS).
Activate Key Access Justifications (KAJ) and set the external key system to reject unauthorized accesses.

（C）Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys backed by a Cloud Hardware Security Module (HSM). Enable data access logs.

（D）Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys. Configure an 1AM deny policy for unauthorized groups

（A）Disable and revoke access to compromised keys.

（B）Limit the number of messages encrypted with each key version.

（C）Manually rotate key versions on an ad hoc schedule.

（D）Disable the Cloud KMS API.

（E）Enable automatic key version rotation on a regular schedule.

（A）VPC Service Controls in dry run mode

（B）Prepopulated VPC firewall rules in monitor mode

（C）Cloud Load Balancing firewall rules

（D）The inherent protections of Google Front End (GFE)

（E）Google Cloud Armor's preconfigured rules in preview mode

（A）Use Logs Explorer at the organization level and filter for production project logs.

（B）Create an aggregate org sink at the parent folder of the production projects, and set the destination to a Cloud Storage bucket.

（C）Enable Cloud Monitoring workspace, and add the production projects to be monitored.

（D）Create an aggregate org sink at the parent folder of the production projects, and set the destination to a logs bucket.

（A）Remove Owner roles from end users, and configure Cloud Data Loss Prevention.

（B）Remove*.setIamPolicypermissions from all roles, and enforce domain restricted sharing in an organization policy.

（C）Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.

（D）Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.

（A）Compute Shared VPC Admin Role at the service project level.

（B）Compute Network User Role at the host project level.

（C）Compute Shared VPC Admin Role at the host project level.

（D）Compute Network User Role at the subnet level.

（A）Query Data Access logs.

（B）Query Admin Activity logs.

（C）Query Stackdriver Monitoring Workspace.

（D）Query Access Transparency logs.

（A）Cloud Interconnect

（B）Cloud VPN

（C）Shared VPC

（D）VPC peering

（A）Make sure that the Compute Engine cluster is running on a separate subnet.

（B）Avoid assigning public IP addresses to the Compute Engine cluster.

（C）Configure Private Google Access on the Compute Engine subnet

（D）Turn off IP forwarding on the Compute Engine instances in the cluster.

（E）Configure a Cloud NAT gateway.