Google Professional-Cloud-Security-Engineer 問題集

質問 1：
A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to manage and rotate the encryption keys.
Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?
A. Customer-supplied encryption keys (CSEK)
B. Encryption by default
C. Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis
D. Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
正解：D
解説: (Topexam メンバーにのみ表示されます)

質問 2：
Your organization deploys a large number of containerized applications on Google Kubernetes Engine (GKE). Node updates are currently applied manually. Audit findings show that a critical patch has not been installed due to a missed notification. You need to design a more reliable, cloud-first, and scalable process for node updates. What should you do?
A. Schedule a daily reboot for all nodes to automatically upgrade.
B. Develop a custom script to continuously check for patch availability, download patches, and apply the patches across all components of the cluster.
C. Migrate the cluster infrastructure to a self-managed Kubernetes environment for greater control over the patching process.
D. Configure node auto-upgrades for node pools in the maintenance windows.
正解：D
解説: (Topexam メンバーにのみ表示されます)

質問 3：
A customer has an analytics workload running on Compute Engine that should have limited internet access.
Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.
The Compute Engine instances now need to reach out to the public repository to get security updates. What should your team do?
A. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.
B. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.
C. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.
D. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.
正解：A
解説: (Topexam メンバーにのみ表示されます)

質問 4：
Your company is deploying a large number of containerized applications to GKE The existing CI/CD pipeline uses Cloud Build to construct container images, transfers the images to Artifact Registry, and then deploys the images to GKE You need to ensure that only images that have passed vulnerability scanning and meet specific corporate policies are allowed to be deployed The process needs to be automated and integrated into the existing CI/CD pipeline What should you do?
A. Enable Artifact Analysis vulnerability scanning and regularly scan images in Artifact Registry Remove any images that do not meet the vulnerability requirements before deployment
B. Configure a policy in Binary Authorization to use Artifact Analysis vulnerability scanning to only allow images that pass the scan to deploy to your GKE clusters
C. Configure GKE to use only images from a specific, trusted Artifact Registry repository Manually inspect all images before pushing them to this repository
D. Implement a custom script in the Cloud Build pipeline that uses a third-party vulnerability scanning tool Fail the build if vulnerabilities are found
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 5：
You are creating a new infrastructure CI/CD pipeline to deploy hundreds of ephemeral projects in your Google Cloud organization to enable your users to interact with Google Cloud. You want to restrict the use of the default networks in your organization while following Google-recommended best practices. What should you do?
A. Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.
B. Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.
C. Grant your users the 1AM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts the compute.googleapis.com API.
D. Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
正解：D
解説: (Topexam メンバーにのみ表示されます)

質問 6：
Your Security team believes that a former employee of your company gained unauthorized access to Google Cloud resources some time in the past 2 months by using a service account key. You need to confirm the unauthorized access and determine the user activity. What should you do?
A. Use the Cloud Data Loss Prevention API to query logs in Cloud Storage.
B. Use Security Health Analytics to determine user activity.
C. Use the Logs Explorer to search for user activity.
D. Use the Cloud Monitoring console to filter audit logs by user.
正解：C
解説: (Topexam メンバーにのみ表示されます)

質問 7：
An office manager at your small startup company is responsible for matching payments to invoices and creating billing alerts. For compliance reasons, the office manager is only permitted to have the Identity and Access Management (IAM) permissions necessary for these tasks. Which two IAM roles should the office manager have? (Choose two.)
A. Organization Administrator
B. Billing Account User
C. Billing Account Viewer
D. Project Creator
E. Billing Account Costs Manager
正解：C,E
解説: (Topexam メンバーにのみ表示されます)

質問 8：
You manage a fleet of virtual machines (VMs) in your organization. You have encountered issues with lack of patching in many VMs. You need to automate regular patching in your VMs and view the patch management data across multiple projects.
What should you do?
Choose 2 answers
A. Deploy patches with VM Manager by using OS patch management
B. View patch management data in VM Manager by using OS patch management.
C. Deploy patches with Security Command Center by using Rapid Vulnerability Detection.
D. View patch management data in a Security Command Center dashboard.
E. View patch management data in Artifact Registry.
正解：A,B

質問 9：
A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location.
Which solution will restrict access to the in-progress sites?
A. Upload an .htaccess file containing the customer and employee user accounts to App Engine.
B. Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts.
C. Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the company's GCP Virtual Private Cloud (VPC) network.
D. Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic.
正解：B
解説: (Topexam メンバーにのみ表示されます)