Professional-Cloud-Security-Engineer 無料問題集「Google Cloud Certified - Professional Cloud Security Engineer」

（A）Access control lists

（B）Geolocation access controls

（C）Shielded VM instances

（D）Organization Policy Service constraints

（E）Google Cloud Armor

（A）Configure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.

（B）Create Confidential VMs to access the sensitive data.

（C）Configure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage and decrypt the sensitive data after it is downloaded into your VMs

（D）Create a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets

（E）Migrate the Compute Engine VMs to Confidential VMs to access the sensitive data.

（A）Google prompt

（B）Text message or phone call code

（C）Security key

（D）Google Authenticator application

（A）Enable theconstraints/storage.uniformBucketLevelAccessconstraint at the organization level.

（B）Enable theconstraints/storage.publicAccessPreventionconstraint at the organization level.

（C）Create a VPC Service Controls perimeter that protects the storage.googleapis.com service in your projects that contains buckets. Add any new project that contains a bucket to the perimeter.

（D）Create an hourly cron job to run a Cloud Function that finds public buckets and makes them private.

（A）Cloud Bigtable

（B）Cloud BigQuery

（C）Compute Engine Persistent Disk

（D）Compute Engine SSD Disk

（A）Google prompt

（B）Cloud HSM keys

（C）Titan Security Keys

（D）Google Authenticator app

（A）Run each tier with a different Service Account (SA), and use SA-based firewall rules.

（B）Run each tier in its own subnet, and use subnet-based firewall rules.

（C）Run each tier with its own VM tags, and use tag-based firewall rules.

（D）Run each tier in its own Project, and segregate using Project labels.

（A）Cloud NAT

（B）Shielded VMs

（C）Identity-Aware Proxy

（D）Google Cloud Armor

（A）Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)

（B）Customer-supplied encryption keys (CSEK)

（C）Encryption by default

（D）Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis

（A）Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.

（B）Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.

（C）Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.

（D）Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.

（A）Enable Access Transparency Logging.

（B）Deploy Assured Workloads.

（C）Deploy resources only to regions permitted by data residency requirements

（D）Use Data Access logging and Access Transparency logging to confirm that no users are accessing data from another region.

（A）*1 Use secure hardened images from the Google Cloud Marketplace
*2 When deploying the images activate the Confidential Computing option
*3 Enforce the use of the correct images and Confidential Computing by using organization policies

（B）* 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring
*2 Activate Confidential Computing
*3 Enforce these actions by using organization policies

（C）*1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring
*2 Create a Cloud Run function to check for the VM settings generate metrics and run the function regularly

（D）*1 Activate Virtual Machine Threat Detection in Security Command Center (SCO Premium
*2 Monitor the findings in SCC

（A）Activate Security Command Center (SCC) Premium Create a rule to mute the security findings in SCC sothey are not evaluated.

（B）Download all findings from Security Command Center (SCC) to a CSV file Mark the findings that are part ofCIS Google Cloud Foundation 1 3 in the file Ignore the entries that are irrelevant and out of scope for thecompany.

（C）Mark all security findings that are irrelevant with a tag and a value that indicates a security exception Selectall marked findings and mute them on the console every time they appear Activate Security CommandCenter (SCC) Premium.

（D）Ask an external audit company to provide independent reports including needed CIS benchmarks. In thescope of the audit clarify that some of the controls are not needed and must be disregarded.

（A）Grant Compute Admin role to the networking team for each engineering project

（B）Cloud VPN Gateway between all engineering projects using a hub and spoke model

（C）VPC peering between all engineering projects using a hub and spoke model

（D）Shared VPC Network with a host project and service projects

（A）Use Identity-Aware Proxy (IAP) with Access Context Manager to restrict the location of Google Cloud resources.

（B）Use the org policy constraint Google Cloud Platform - Resource Location Restriction" on your Google Cloud organization node.

（C）Use the org policy constraint "Restrict Resource Service Usage'* on your Google Cloud organization node.

（D）Use Identity and Access Management (1AM) custom roles to ensure that your DevOps team can only create resources in the Europe regions

（A）VPC Service Controls in dry run mode

（B）Prepopulated VPC firewall rules in monitor mode

（C）Cloud Load Balancing firewall rules

（D）The inherent protections of Google Front End (GFE)

（E）Google Cloud Armor's preconfigured rules in preview mode

（A）Add the host project containing the Shared VPC to the service perimeter.

（B）Add the service project where the Compute Engine instances reside to the service perimeter.

（C）Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.

（D）Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.