Google Professional-Cloud-Security-Engineer 問題集

質問 1：
Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:
The network connection must be encrypted.
The communication between servers must be over private IP addresses.
What should you do?
A. Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
B. Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
C. Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.
D. Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.
正解：A
解説: (Topexam メンバーにのみ表示されます)

質問 2：
You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources. Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts.
Which two actions should you take? (Choose two.)
A. Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity.
B. Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts.
C. Use the Google Admin console to view which managed users are using a personal account for their recovery email.
D. Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.
E. Add users to your managed Google account and force users to change the email addresses associated with their personal accounts.
正解：A,B
解説: (Topexam メンバーにのみ表示されます)

質問 3：
A customer's data science group wants to use Google Cloud Platform (GCP) for their analytics workloads.
Company policy dictates that all data must be company-owned and all user authentications must go through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and realized that their domain was already being used by G Suite.
How should you best advise the Systems Engineer to proceed with the least disruption?
A. Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.
B. Register a new domain name, and use that for the new Cloud Identity domain.
C. Ask customer's management to discover any other uses of Google managed services, and work with the existing Super Administrator.
D. Ask Google to provision the data science manager's account as a Super Administrator in the existing domain.
正解：C
解説: (Topexam メンバーにのみ表示されます)

質問 4：
A customer terminates an engineer and needs to make sure the engineer's Google account is automatically deprovisioned.
What should the customer do?
A. Configure Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity.
B. Configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity.
C. Use the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity.
D. Use the Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity.
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 5：
You are a Security Administrator at your organization. You need to restrict service account creation capability within production environments. You want to accomplish this centrally across the organization. What should you do?
A. Use organization policy constraints/iam.disableServiceAccountKeyCreation boolean to disable the creation of new service accounts.
B. Use Identity and Access Management (IAM) to restrict access of all users and service accounts that have access to the production environment.
C. Use organization policy constraints/iam.disableServiceAccountCreation boolean to disable the creation of new service accounts.
D. Use organization policy constraints/iam.disableServiceAccountKeyUpload boolean to disable the creation of new service accounts.
正解：C

質問 6：
A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity- Aware Proxy.
What should the customer do to meet these requirements?
A. Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.
B. Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests.
C. Make sure that the ERP system can validate the identity headers in the HTTP requests.
D. Make sure that the ERP system can validate the JWT assertion in the HTTP requests.
正解：D
解説: (Topexam メンバーにのみ表示されます)

質問 7：
A retail customer allows users to upload comments and product reviews. The customer needs to make sure the text does not include sensitive data before the comments or reviews are published.
Which Google Cloud Service should be used to achieve this?
A. Cloud Security Scanner
B. Cloud Data Loss Prevention API
C. BigQuery
D. Cloud Key Management Service
正解：B

質問 8：
Your company wants to determine what products they can build to help customers improve their credit scores depending on their age range. To achieve this, you need tojoin user information in the company's banking app with customers' credit score data received from a third party. While using this raw data will allow you to complete this task, it exposes sensitive data, which could be propagated into new systems.
This risk needs to be addressed using de-identification and tokenization with Cloud Data Loss Prevention while maintaining the referential integrity across the database. Which cryptographic token format should you use to meet these requirements?
A. Format-preserving encryption
B. Cryptographic hashing
C. Secure, key-based hashes
D. Deterministic encryption
正解：D
解説: (Topexam メンバーにのみ表示されます)

質問 9：
Your organization is rolling out a new continuous integration and delivery (CI/CD) process to deploy infrastructure and applications in Google Cloud Many teams will use their own instances of the CI/CD workflow It will run on Google Kubernetes Engine (GKE) The CI/CD pipelines must be designed to securely access Google Cloud APIs What should you do?
A. * 1 Create individual service accounts (or each deployment pipeline
*2 Add an identifier for the pipeline in the service account naming convention
*3 Ensure each pipeline runs on dedicated pods
*4 Use workload identity to map a deployment pipeline pod with a service account
B. *1 Create service accounts for each deployment pipeline
*2 Generate private keys for the service accounts
*3 Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deploy pipeline
C. *1 Create two service accounts one for the infrastructure and one for the application deployment
*2 Use workload identities to let the pods run the two pipelines and authenticate with the service accounts
*3 Run the infrastructure and application pipelines in separate namespaces
D. *1 Create a dedicated service account for the CI/CD pipelines
*2 Run the deployment pipelines in a dedicated nodes pool in the GKE cluster
*3 Use the service account that you created as identity for the nodes in the pool to authenticate to the Google Cloud APIs
正解：A