Professional-Cloud-Security-Engineer試験無料問題集（343題）「Google Cloud Certified

出題：1

You run applications on Cloud Run. You already enabled container analysis for vulnerability scanning. However, you are concerned about the lack of control on the applications that are deployed. You must ensure that only trusted container images are deployed on Cloud Run.
What should you do? (Choose two.)

A. Enable Binary Authorization on the existing Cloud Run service.

B. Use Cloud Run breakglass to deploy an image that meets the Binary Authorization policy by default.

C. Enable Binary Authorization on the existing Kubernetes cluster.

D. Set the organization policy constraint constraints/compute.trustedImageProjects to the list of projects that contain the trusted container images.

E. Set the organization policy constraint constraints/run.allowedBinaryAuthorizationPolicies to the list or allowed Binary Authorization policy names.

正解：A,E 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：2

Your organization is migrating a complex application to Google Cloud. The application has multiple internal components that interact with each other across several Google Cloud projects.
Security is a major concern, and you must design an authorization scheme for administrators that aligns with the principles of least privilege and separation of duties. What should you do?

A. Configure multi-factor authentication (MFA) to enforce the use of physical tokens for all users who will migrate the application.

B. No action needed. When a Google Cloud organization is created, the appropriate permissions are automatically assigned to all users in the domain.

C. Identify the users who will migrate the application, revoke the default user roles and assign the users with purposely created custom roles.

D. Use multiple external identity providers (IdP) configured to use different SAML profiles and federate the IdPs for each application component.

正解：C 解答を投票する

出題：3

Your multinational organization is undergoing rapid expansion within Google Cloud. New teams and projects are added frequently. You are concerned about the potential for inconsistent security policy application and permission sprawl across the organization. You must enforce consistent standards while maintaining the autonomy of regional teams. You need to design a strategy to effectively manage IAM and organization policies at scale, ensuring security and administrative efficiency. What should you do?

A. Create detailed organization-wide policies for common scenarios. Instruct teams to apply the policies carefully at the project and resource level as needed.

B. Define a small set of essential organization policies. Supplement these policies with a library of optional policy templates for teams to leverage as needed.

C. Delegate the creation of organization policies to regional teams. Centrally review these policies for compliance before deployment.

D. Use a hierarchical structure of folders. Implement template-based organization policies that cascade down, allowing limited customization by regional teams.

正解：D 解答を投票する

出題：4

Your organization is using GitHub Actions as a continuous integration and delivery (CI/CD) platform. You must enable access to Google Cloud resources from the CI/CD pipelines in the most secure way.
What should you do?

A. Configure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.

B. Create a service account key, and add it to the GitHub pipeline configuration file.

C. Configure workload identity federation to use GitHub as an identity pool provider.

D. Create a service account key, and add it to the GitHub repository content.

正解：C 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：5

Your organization is preparing to build business services in Google Cloud for the first time. You must determine where to apply appropriate controls or policies. You must also identify what aspects of your cloud deployment are managed by Google. What should you do?

A. Subscribe to the Google Cloud release notes to keep up on product updates and when new services are available. Evaluate new services for appropriate use before enabling their API.

B. Use the Risk Manager tool in the Risk Protection Program to generate a report on your cloud security posture. Obtain cyber insurance coverage.

C. Model your deployment on the Google Enterprise foundations blueprint. Follow the blueprint exactly and rely on the blueprint to maintain the posture necessary for your business.

D. Study the shared responsibilities model. Depending on your business scenario, you might need to consider your responsibilities based on the location of your business offices, your customers, and your data.

正解：D 解答を投票する

出題：6

Customers complain about error messages when they access your organization's website. You suspect that the web application firewall rules configured in Cloud Armor are too strict. You want to collect request logs to investigate what triggered the rules and blocked the traffic. What should you do?

A. Modify the Application Load Balancer backend and increase the tog sample rate to a higher number.

B. Change the configuration of suspicious web application firewall rules in the Cloud Armor policy to preview mode.

C. Create a log sink with a filter for togs containing redirected_by_security_policy and set a BigQuery dataset as destination.

D. Enable logging in the Application Load Balancer backend and set the log level to VERBOSE in the Cloud Armor policy.

正解：D 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：7

Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team.
Which type of networking design should your team use to meet these requirements?

A. VPC peering between all engineering projects using a hub and spoke model

B. Grant Compute Admin role to the networking team for each engineering project

C. Shared VPC Network with a host project and service projects

D. Cloud VPN Gateway between all engineering projects using a hub and spoke model

正解：C 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：8

Your organization strives to be a market leader in software innovation. You provided a large number of Google Cloud environments so developers can test the integration of Gemini in Vertex AI into their existing applications or create new projects. Your organization has 200 developers and a five-person security team. You must prevent and detect proper security policies across the Google Cloud environments. What should you do? (Choose two.)

A. Apply a predefined AI-recommended security posture template for Gemini in Vertex AI in Security Command Center Enterprise or Premium tiers.

B. Use Cloud Logging to create log filters to detect misconfigurations. Trigger Cloud Run functions to remediate misconfigurations.

C. Apply organization policy constraints. Detect and monitor drifts by using Security Health Analytics.

D. Implement the least privileged access Identity and Access Management roles to prevent misconfigurations.

E. Publish internal policies and clear guidelines to securely develop applications.

正解：A,C 解答を投票する

出題：9

You are routing all your internet facing traffic from Google Cloud through your on-premises internet connection. You want to accomplish this goal securely and with the highest bandwidth possible.
What should you do?

A. Create a routing VM in Compute Engine. Configure the default route with the VM as the next hop.

B. Configure Cloud Interconnect with HA VPN. Replace the default 0.0.0.0/0 route to an on-premises destination.

C. Create an HA VPN connection to Google Cloud. Replace the default 0.0.0.0/0 route.

D. Configure Cloud Interconnect and route traffic through an on-premises firewall.

正解：D 解答を投票する

出題：10

A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet.
How should this be accomplished?

A. Mount a Cloud Storage bucket as a local filesystem on every VM.

B. Enable Private Google Access on the VPC.

C. Create a firewall rule to block internet traffic from the VM.

D. Provision a NAT Gateway to access the Cloud Storage API endpoint.

正解：B 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：11

Your organization must store highly sensitive data within Google Cloud. You need to design a solution that provides the strongest level of security and control. What should you do?

A. Use Cloud Storage with customer-managed encryption keys (CMEK), Cloud DLP for data classification, and Secret Manager for storing API access tokens.

B. Use Cloud Storage with client-side encryption, Cloud KMS for key management, and Cloud HSM for cryptographic operations.

C. Use Cloud Storage with customer-supplied encryption keys (CSEK), VPC Service Controls for network isolation, and Cloud DLP for data inspection.

D. Use Cloud Storage with server-side encryption, BigQuery with column-level encryption, and IAM roles for access control.

正解：B 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：12

Your organization processes sensitive health information. You want to ensure that data is encrypted while in use by the virtual machines (VMs). You must create a policy that is enforced across the entire organization.
What should you do?

A. No action is necessary because Google encrypts data while it is in use by default.

B. Implement an organization policy that ensures all VM resources created across your organization are Confidential VM instances.

C. Implement an organization policy that ensures that all VM resources created across your organization use Cloud External Key Manager (EKM) protection.

D. Implement an organization policy that ensures that all VM resources created across your organization use customer-managed encryption keys (CMEK) protection.

正解：B 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：13

An application log's data, including customer identifiers such as email addresses, needs to be redacted. However, these logs also include the email addresses of internal developers from company.com, and these should NOT be redacted. Which solution should you use to meet these requirements?

A. Create a regular expression (regex) custom infoType detector to match on @company.com.

B. Create a custom infoType called COMPANY_EMAIL to match @company.com.

C. Create a regular custom dictionary detector to match all email addresses listed in Cloud Identity.

D. Create a regular custom dictionary detector that lists a subset of the developers' email addresses.

正解：A 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：14

You are working with a client that is concerned about control of their encryption keys for sensitive data. The client does not want to store encryption keys at rest in the same cloud service provider (CSP) as the data that the keys are encrypting. Which Google Cloud encryption solutions should you recommend to this client? (Choose two.)

A. Customer-managed encryption keys

B. Secret Manager

C. Cloud External Key Manager

D. Customer-supplied encryption keys.

E. Google default encryption

正解：C,D 解答を投票する

出題：15

Your team maintains 1PB of sensitive data within BigOuery that contains personally identifiable information (PII). You need to provide access to this dataset to another team within your organization for analysis purposes. You must share the BigQuery dataset with the other team while protecting the PII. What should you do?

A. Utilize BigQuery's row-level access policies to mask PII columns based on the other team's user identities.

B. Implement data pseudonymization techniques to replace the PII fields with non-identifiable values.
Grant the other team access to the pseudonymized dataset.

C. Export the BigQuery dataset to Cloud Storage. Create a VPC Service Control perimeter and allow only their team's project access to the bucket.

D. Create a filtered copy of the dataset and replace the sensitive data with hash values in a separate project. Grant the other team access to this new project.

正解：A 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：16

As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.
Which cost reduction options should you recommend?

A. Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.

B. Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.

C. Use FindingLimits and TimespanContfig to sample data and minimize transformation units.

D. Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.

正解：A 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：17

Your company is moving to Google Cloud. You plan to sync your users first by using Google Cloud Directory Sync (GCDS). Some employees have already created Google Cloud accounts by using their company email addresses that were created outside of GCDS. You must create your users on Cloud Identity.
What should you do?

A. Configure GCDS and use GCDS search rules to sync these users.

B. Configure GCDS and use GCDS exclusion rules to ensure users are not suspended.

C. Write a custom script to identify existing Google Cloud users and call the Admin SDK: Directory API to transfer their account.

D. Use the transfer tool to migrate unmanaged users.

正解：D 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：18

Which encryption algorithm is used with Default Encryption in Cloud Storage?

A. 3DES

B. MD5

C. SHA512

D. AES-256

正解：D 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：19

You work for an ecommerce company that stores sensitive customer data across multiple Google Cloud regions. The development team has built a new 3-tier application to process orders and must integrate the application into the production environment.
You must design the network architecture to ensure strong security boundaries and isolation for the new application, facilitate secure remote maintenance by authorized third-party vendors, and follow the principle of least privilege. What should you do?

A. Create separate VPC networks for each tier. Use VPC peering between application tiers and other required VPCs. Enable Identity-Aware Proxy (IAP) for remote access to management resources, limiting access to authorized vendors.

B. Create a single VPC network and create different subnets for each tier. Create a new Google project specifically for the third-party vendors. Grant the vendors ownership of that project and the ability to modify the Shared VPC configuration.

C. Create a single VPC network and create different subnets for each tier. Create a new Google project specifically for the third-party vendors and grant the network admin role to the vendors.
Deploy a VPN appliance and rely on the vendors' configurations to secure third-party access.

D. Create separate VPC networks for each tier. Use VPC peering between application tiers and other required VPCs. Provide vendors with SSH keys and root access only to the instances within the VPC for maintenance purposes.

正解：A 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

Professional-Cloud-Security-Engineer試験無料問題集「Google Cloud Certified - Professional Cloud Security Engineer 認定」