Google Professional-Cloud-Security-Engineer 問題集

質問 1：
You work for an organization that handles sensitive customer data. You must secure a series of Google Cloud Storage buckets housing this data and meet these requirements:
- Multiple teams need varying access levels (some read-only, some read- write).
- Data must be protected in storage and at rest.
- It's critical to track file changes and audit access for compliance
purposes.
- For compliance purposes, the organization must have control over the
encryption keys.
What should you do?
A. Assign IAM permissions for all teams at the object level. Implement third-party software to encrypt data at rest. Track data access by using network logs.
B. Create IAM groups for each team and manage permissions at the group level. Employ server-side encryption and Object Versioning by Google Cloud Storage. Configure cloud monitoring tools to alert on anomalous data access patterns.
C. Use predefined IAM roles tailored to each team's access needs, such as Storage Object Viewer and Storage Object User. Utilize customer-supplied encryption keys (CSEK) and enforce TLS encryption. Turn on both Object Versioning and Cloud Audit Logs for the storage buckets.
D. Set individual permissions for each team and apply access control lists (ACLs) to each bucket and file. Enforce TLS encryption for file transfers. Enable Object Versioning and Cloud Audit Logs for the storage buckets.
正解：C
解説: (Topexam メンバーにのみ表示されます)

質問 2：
Your organization wants to protect all workloads that run on Compute Engine VM to ensure that the instances weren't compromised by boot-level or kernel-level malware. Also, you need to ensure that data in use on the VM cannot be read by the underlying host system by using a hardware-based solution.
What should you do?
A. 1. Use secure hardened images from the Google Cloud Marketplace.
2. When deploying the images, activate the Confidential Computing option.
3. Enforce the use of the correct images and Confidential Computing by using organization policies.
B. 1. Activate Virtual Machine Threat Detection in Security Command Center (SCC) Premium.
2. Monitor the findings in SCC.
C. 1. Use Google Shielded VM including secure boot, Virtual Trusted Platform Module (vTPM), and integrity monitoring.
2. Activate Confidential Computing.
3. Enforce these actions by using organization policies.
D. 1. Use Google Shielded VM including secure boot, Virtual Trusted Platform Module (vTPM), and integrity monitoring.
2. Create a Cloud Run function to check for the VM settings, generate metrics, and run the function regularly.
正解：C

質問 3：
You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to- know basis to the Human Resources team. What should you do?
A. Perform data inspection with the Cloud Data Loss Prevention API, and store that data in BigQuery for later use.
B. Perform data masking with the Cloud Data Loss Prevention API, and store that data in BigQuery for later use.
C. Perform tokenization for Pseudonymization with the Cloud Data Loss Prevention API, and store that data in BigQuery for later use.
D. Perform data redaction with the Cloud Data Loss Prevention API, and store that data in BigQuery for later use.
正解：C
解説: (Topexam メンバーにのみ表示されます)

質問 4：
You discovered that sensitive personally identifiable information (PII) is being ingested to your Google Cloud environment in the daily ETL process from an on- premises environment to your BigQuery datasets. You need to redact this data to obfuscate the PII, but need to re-identify it for data analytics purposes. Which components should you use in your solution? (Choose two.)
A. Cloud Data Loss Prevention with deterministic encryption using AES-SIV
B. Cloud Data Loss Prevention with cryptographic hashing
C. Secret Manager
D. Cloud Data Loss Prevention with automatic text redaction
E. Cloud Key Management Service
正解：A,E
解説: (Topexam メンバーにのみ表示されます)

質問 5：
Your organization's use of the Google Cloud has grown substantially and there are many different groups using different cloud resources independently. You must identify common misconfigurations and compliance violations across the organization and track findings for remedial action in a dashboard. What should you do?
A. Scan and alert vulnerabilities and misconfigurations by using Secure Health Analytics detectors in Security Command Center Premium.
B. Create a filter set in Cloud Asset Inventory to identify service accounts with high privileges and IAM principals with Gmail domains.
C. Set up filters on Cloud Audit Logs to flag log entries for specific, risky API calls, and display the calls in a Cloud Log Analytics dashboard.
D. Alert and track emerging attacks detected in your environment by using Event Threat Detection detectors.
正解：A
解説: (Topexam メンバーにのみ表示されます)

質問 6：
You work for an ecommerce company that stores sensitive customer data across multiple Google Cloud regions. The development team has built a new 3-tier application to process orders and must integrate the application into the production environment.
You must design the network architecture to ensure strong security boundaries and isolation for the new application, facilitate secure remote maintenance by authorized third-party vendors, and follow the principle of least privilege. What should you do?
A. Create a single VPC network and create different subnets for each tier. Create a new Google project specifically for the third-party vendors. Grant the vendors ownership of that project and the ability to modify the Shared VPC configuration.
B. Create separate VPC networks for each tier. Use VPC peering between application tiers and other required VPCs. Enable Identity-Aware Proxy (IAP) for remote access to management resources, limiting access to authorized vendors.
C. Create separate VPC networks for each tier. Use VPC peering between application tiers and other required VPCs. Provide vendors with SSH keys and root access only to the instances within the VPC for maintenance purposes.
D. Create a single VPC network and create different subnets for each tier. Create a new Google project specifically for the third-party vendors and grant the network admin role to the vendors.
Deploy a VPN appliance and rely on the vendors' configurations to secure third-party access.
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 7：
Your company requires the security and network engineering teams to identify all network anomalies and be able to capture payloads within VPCs. Which method should you use?
A. Enable VPC Flow Logs on the subnet.
B. Define an organization policy constraint.
C. Configure packet mirroring policies.
D. Monitor and analyze Cloud Audit Logs.
正解：C
解説: (Topexam メンバーにのみ表示されます)

質問 8：
An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well-established directory service is used to manage user identities and lifecycle management.
This directory service must continue for the organization to use as the "source of truth" directory for identities.
Which solution meets the organization's requirements?
A. Security Assertion Markup Language (SAML)
B. Cloud Identity
C. Google Cloud Directory Sync (GCDS)
D. Pub/Sub
正解：C
解説: (Topexam メンバーにのみ表示されます)

質問 9：
You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?
A. Add the host project containing the Shared VPC to the service perimeter.
B. Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.
C. Add the service project where the Compute Engine instances reside to the service perimeter.
D. Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.
正解：A
解説: (Topexam メンバーにのみ表示されます)