Google Professional-Cloud-Security-Engineer 問題集

質問 1：
Your organization uses the top-tier folder to separate application environments (prod and dev). The developers need to see all application development audit logs but they are not permitted to review production logs. Your security team can review all logs in production and development environments. You must grant Identity and Access Management (1AM) roles at the right resource level tor the developers and security team while you ensure least privilege.
What should you do?
A. *1 Grant logging. viewer rote to the security team at the organization resource level.
*2 Grant logging. admin role to the developer team at the organization resource level.
B. *1 Grant logging.admin role to the security team at the organization resource level.
*2 Grant logging. viewer rote to the developer team at the folder resource level that contains all the dev projects.
C. *1 Grant logging.admin role to the security team at the organization resource level.
*2 Grant logging.admin role to the developer team at the organization resource level.
D. *1 Grant logging, viewer rote to the security team at the organization resource level.
*2 Grant logging, viewer rote to the developer team at the folder resource level that contains all the dev projects.
正解：D

質問 2：
Your DevOps team uses Packer to build Compute Engine images by using this process:
1 Create an ephemeral Compute Engine VM.
2 Copy a binary from a Cloud Storage bucket to the VM's file system.
3 Update the VM's package manager.
4 Install external packages from the internet onto the VM.
Your security team just enabled the organizational policy. consrraints/compure.vnExtemallpAccess. to restrict the usage of public IP Addresses on VMs. In response your DevOps team updated their scripts to remove public IP addresses on the Compute Engine VMs however the build pipeline is failing due to connectivity issues.
What should you do?
Choose 2 answers
A. Provision an HTTP load balancer with the VM in an unmanaged instance group to allow inbound connectionsfrom the internet to your VM.
B. Provision a Cloud NAT instance in the same VPC and region as the Compute Engine VM
C. Enable Private Google Access on the subnet that the Compute Engine VM is deployed within.
D. Update the VPC routes to allow traffic to and from the internet.
E. Provision a Cloud VPN tunnel in the same VPC and region as the Compute Engine VM.
正解：B,C

質問 3：
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on "in- scope" Nodes only. These Nodes can only contain the "in-scope" Pods.
How should the organization achieve this objective?
A. Run all in-scope Pods in the namespace "in-scope-pci".
B. Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.
C. Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.
D. Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.
正解：C
解説: (Topexam メンバーにのみ表示されます)

質問 4：
A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?
A. Cloud Armor
B. DNS Security Extensions
C. Cloud Identity-Aware Proxy
D. VPC Flow Logs
正解：B

質問 5：
Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:
The network connection must be encrypted.
The communication between servers must be over private IP addresses.
What should you do?
A. Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
B. Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
C. Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.
D. Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.
正解：A
解説: (Topexam メンバーにのみ表示されます)

質問 6：
You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?
A. Add the host project containing the Shared VPC to the service perimeter.
B. Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.
C. Add the service project where the Compute Engine instances reside to the service perimeter.
D. Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.
正解：A
解説: (Topexam メンバーにのみ表示されます)

質問 7：
A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.
Which two approaches can you take to meet the requirements? (Choose two.)
A. Configure the project with Cloud Interconnect.
B. Configure the project with VPC peering.
C. Configure all Compute Engine instances with Private Access.
D. Configure the project with Cloud VPN.
E. Configure the project with Shared VPC.
正解：A,D
解説: (Topexam メンバーにのみ表示されます)

質問 8：
You will create a new Service Account that should be able to list the Compute Engine instances in the project.
You want to follow Google-recommended practices.
What should you do?
A. Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.
B. Create a custom role with the permission compute.instances.list and grant the Service Account this role.
C. Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.
D. Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 9：
Your customer has an on-premises Public Key Infrastructure (PKI) with a certificate authority (CA). You need to issue certificates for many HTTP load balancer frontends. The on-premises PKI should be minimally affected due to many manual processes, and the solution needs to scale.
What should you do?
A. Use Certificate Manager to import certificates issued from on-premises PKI and for the frontends.
Leverage the gcloud tool for importing
B. Use Certificate Manager to issue Google managed public certificates and configure it at HTTP the load balancers in your infrastructure as code (laC).
C. Use the web applications with PKCS12 certificates issued from subordinate CA based on OpenSSL on-premises Use the gcloud tool for importing. Use the External TCP/UDP Network load balancer instead of an external HTTP Load Balancer.
D. Use a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.
正解：D
解説: (Topexam メンバーにのみ表示されます)