Google Professional-Cloud-Security-Engineer 問題集

質問 1：
You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources. Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts.
Which two actions should you take? (Choose two.)
A. Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity.
B. Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts.
C. Use the Google Admin console to view which managed users are using a personal account for their recovery email.
D. Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.
E. Add users to your managed Google account and force users to change the email addresses associated with their personal accounts.
正解：A,B
解説: (Topexam メンバーにのみ表示されます)

質問 2：
Your financial services company has an audit requirement under a strict regulatory framework that requires comprehensive, immutable audit trails for all administrative and data access activity that ensures that data is kept for seven years Your current logging is fragmented across individual projects You need to establish a centralized, tamper-proof, long-term logging solution accessible for audits What should you do?
A. Individually configure Cloud Audit Logs for all Google Cloud services in each project Store the logs in regional Cloud Logging buckets with 30-day retention policies
B. Implement Pub/Sub to stream all audit logs from each project in real-time to an external Security Information and Event Management (SIEM) for long-term analysis
C. Enable Security Command Center across the organization to gain centralized visibility into threats and manage compliance posture for all Google Cloud projects
D. Establish organization-level Cloud Logging sinks to export Cloud Audit Logs to a dedicated Cloud Storage bucket with object retention lock
正解：D
解説: (Topexam メンバーにのみ表示されます)

質問 3：
You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk.
What should you do?
A. Migrate the application into an isolated project using a "Lift & Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
B. Migrate the application into an isolated project using a "Lift & Shift" approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.
C. Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
D. Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project.Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
正解：A
解説: (Topexam メンバーにのみ表示されます)

質問 4：
A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?
A. Cloud Armor
B. DNS Security Extensions
C. Cloud Identity-Aware Proxy
D. VPC Flow Logs
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 5：
A customer's data science group wants to use Google Cloud Platform (GCP) for their analytics workloads. Company policy dictates that all data must be company-owned and all user authentications must go through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and realized that their domain was already being used by G Suite.
How should you best advise the Systems Engineer to proceed with the least disruption?
A. Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.
B. Register a new domain name, and use that for the new Cloud Identity domain.
C. Ask customer's management to discover any other uses of Google managed services, and work with the existing Super Administrator.
D. Ask Google to provision the data science manager's account as a Super Administrator in the existing domain.
正解：C
解説: (Topexam メンバーにのみ表示されます)

質問 6：
Your organization deploys a large number of containerized applications on Google Kubernetes Engine (GKE). Node updates are currently applied manually. Audit findings show that a critical patch has not been installed due to a missed notification. You need to design a more reliable, cloud-first, and scalable process for node updates. What should you do?
A. Schedule a daily reboot for all nodes to automatically upgrade.
B. Develop a custom script to continuously check for patch availability, download patches, and apply the patches across all components of the cluster.
C. Migrate the cluster infrastructure to a self-managed Kubernetes environment for greater control over the patching process.
D. Configure node auto-upgrades for node pools in the maintenance windows.
正解：D
解説: (Topexam メンバーにのみ表示されます)

質問 7：
You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM.
What should you do?
A. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have "user email address" as the attribute to facilitate one-way sync.
B. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have "user email address" as the attribute to facilitate bidirectional sync.
C. Use a management tool to sync the subset based on group object class attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
D. Use a management tool to sync the subset based on the email address attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
正解：A
解説: (Topexam メンバーにのみ表示されます)

質問 8：
Your company's users access data in a BigQuery table. You want to ensure they can only access the data during working hours.
What should you do?
A. Assign a BigQuery Data Viewer role along with an 1AM condition that limits the access to specified working hours.
B. Run a gsuttl script that assigns a BigQuery Data Viewer role, and remove it only during the specified working hours.
C. Assign a BigQuery Data Viewer role to a service account that adds and removes the users daily during the specified working hours
D. Configure Cloud Scheduler so that it triggers a Cloud Functions instance that modifies the organizational policy constraints for BigQuery during the specified working hours.
正解：A
解説: (Topexam メンバーにのみ表示されます)

質問 9：
You are migrating an application into the cloud The application will need to read data from a Cloud Storage bucket. Due to local regulatory requirements, you need to hold the key material used for encryption fully under your control and you require a valid rationale for accessing the key material.
What should you do?
A. Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys backed by a Cloud Hardware Security Module (HSM). Enable data access logs.
B. Generate a key in your on-premises environment to encrypt the data before you upload the data to the Cloud Storage bucket Upload the key to the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and have the external key system reject unauthorized accesses.
C. Generate a key in your on-premises environment and store it in a Hardware Security Module (HSM) that is managed on-premises Use this key as an external key in the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and set the external key system to reject unauthorized accesses.
D. Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys. Configure an 1AM deny policy for unauthorized groups
正解：C
解説: (Topexam メンバーにのみ表示されます)