최신 Professional-Cloud-Security-Engineer 무료덤프 - Google Cloud Certified

문제1

An organization receives an increasing number of phishing emails.
Which method should be used to protect employee credentials in this situation?

A. Captcha on login pages

B. A strict password policy

C. Encrypted emails

D. Multifactor Authentication

정답: D

설명: (DumpTOP 회원만 볼 수 있음)

문제2

You need to set up a Cloud interconnect connection between your company's on-premises data center and VPC host network. You want to make sure that on- premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?

A. Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud interconnect connection.

B. Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.

C. Enable Private Google Access on the regional subnets and global dynamic routing mode.

D. Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.

정답: D

설명: (DumpTOP 회원만 볼 수 있음)

문제3

You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?

A. On the Google Admin console, select the appropriate user account, and temporarily disable 2SV for this account. Ask the user to update their second factor, and then re-enable 2SV for this account.

B. On the Google Admin console, temporarily disable the 2SV requirements for all users. Ask the user to log in and add their new second factor to their account. Re-enable the 2SV requirement for all users.

C. On the Google Admin console, select the appropriate user account, and generate a backup code to allow the user to sign in. Ask the user to update their second factor.

D. On the Google Admin console, use a super administrator account to reset the user account's credentials. Ask the user to update their credentials after their first login.

정답: C

설명: (DumpTOP 회원만 볼 수 있음)

문제4

Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements:
- Only allows communication between the Web and App tiers.
- Enforces consistent network security when autoscaling the Web and App tiers.
- Prevents Compute Engine Instance Admins from altering network traffic.
What should you do?

A. 1. Re-deploy the Web and App servers with instance templates configured with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.

B. 1. Re-deploy the Web and App servers with instance templates configured with respective network tags. 2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.

C. 1. Configure all running Web and App servers with respective network tags. 2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.

D. 1. Configure all running Web and App servers with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.

정답: A

설명: (DumpTOP 회원만 볼 수 있음)

문제5

Developers in an organization are prototyping a few applications on Google Cloud Platform (GCP) and are starting to store sensitive information on GCP. The developers are using their personal/consumer Gmail accounts to set up and manage their projects within GCP. A security engineer identifies this practice as a concern to the organization management because of the lack of centralized project management and access to the data being stored in these accounts.
Which solution should be used to resolve this concern?

A. Enable logging on all GCP projects to track all developer activities.

B. Enforce the setup of Security Keys as the 2SV method for those Gmail accounts.

C. Require the developers to log/store their Gmail passwords with the Security team.

D. Set up Google Cloud Identity and require the developers to use those accounts for GCP work.

정답: D

설명: (DumpTOP 회원만 볼 수 있음)

문제6

You are a security engineer at a finance company. Your organization plans to store data on Google Cloud, but your leadership team is worried about the security of their highly sensitive data. Specifically, your company is concerned about internal Google employees' ability to access your company's data on Google Cloud.
What solution should you propose?

A. Use Google's Identity and Access Management (IAM) service to manage access controls on Google Cloud.

B. Enable Admin activity logs to monitor access to resources.

C. Enable Access Transparency logs with Access Approval requests for Google employees.

D. Use customer-managed encryption keys.

정답: C

설명: (DumpTOP 회원만 볼 수 있음)

문제7

You are implementing data protection by design and in accordance with GDPR requirements. As part of design reviews, you are told that you need to manage the encryption key for a solution that includes workloads for Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. Which option should you choose for this implementation?

A. Customer-supplied encryption keys

B. Customer-managed encryption keys

C. Google default encryption

D. Cloud External Key Manager

정답: B

설명: (DumpTOP 회원만 볼 수 있음)

문제8

Your organization wants to be compliant with the General Data Protection Regulation (GDPR) on Google Cloud. You must implement data residency and operational sovereignty in the EU.
What should you do? (Choose two.)

A. Use Cloud IDS to get east-west and north-south traffic visibility in the EU to monitor intra-VPC and inter-VPC communication.

B. Use VPC Flow Logs to monitor intra-VPC and inter-VPC traffic in the EU.

C. Limit the physical location of a new resource with the Organization Policy Service "resource locations constraint."

D. Limit Google personnel access based on predefined attributes such as their citizenship or geographic location by using Key Access Justifications.

E. Use identity federation to limit access to Google Cloud resources from non-EU entities.

정답: C,D

설명: (DumpTOP 회원만 볼 수 있음)

문제9

You are exporting application logs to Cloud Storage. You encounter an error message that the log sinks don't support uniform bucket-level access policies. How should you resolve this error?

A. Update your sink with the correct bucket destination.

B. Add the roles/logging.bucketWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.

C. Add the roles/logging.logWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.

D. Change the access control model for the bucket

정답: D

설명: (DumpTOP 회원만 볼 수 있음)

문제10

You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account.
What should you do?

A. Query Data Access logs.

B. Query Access Transparency logs.

C. Query Admin Activity logs.

D. Query Stackdriver Monitoring Workspace.

정답: C

설명: (DumpTOP 회원만 볼 수 있음)

문제11

Your Google Cloud organization allows for administrative capabilities to be distributed to each team through provision of a Google Cloud project with Owner role (roles/owner). The organization contains thousands of Google Cloud projects. Security Command Center Premium has surfaced multiple OPEN_MYSQL_PORT findings. You are enforcing the guardrails and need to prevent these types of common misconfigurations.
What should you do?

A. Create a firewall rule for each virtual private cloud (VPC) to deny traffic from 0.0.0.0/0 with priority
0.

B. Create a hierarchical firewall policy configured at the organization to deny all connections from
0.0.0.0/0.

C. Create a hierarchical firewall policy configured at the organization to allow connections only from internal IP ranges.

D. Create a Google Cloud Armor security policy to deny traffic from 0.0.0.0/0.

정답: C

설명: (DumpTOP 회원만 볼 수 있음)

문제12

You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine. Which option should you recommend?

A. Compute Engine guest attributes

B. Secret Manager

C. Compute Engine custom metadata

D. Cloud Key Management Service

정답: B

설명: (DumpTOP 회원만 볼 수 있음)

문제13

Your customer has an on-premises Public Key Infrastructure (PKI) with a certificate authority (CA).
You need to issue certificates for many HTTP load balancer frontends.
The on-premises PKI should be minimally affected due to many manual processes, and the solution needs to scale.
What should you do?

A. Use Certificate Manager to issue Google managed public certificates and configure it at HTTP the load balancers in your infrastructure as code (IaC).

B. Use a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.

C. Use Certificate Manager to import certificates issued from on-premises PKI and for the frontends.
Leverage the gcloud tool for importing.

D. Use the web applications with PKCS12 certificates issued from subordinate CA based on OpenSSL on-premises. Use the gcloud tool for importing. Use the External TCP/UDP Network load balancer instead of an external HTTP Load Balancer.

정답: B

문제14

A security team at an e-commerce company wants to define an automatic incident response process for fraudulent credit card usage attempts. The team targets a 10-minute or faster response time for such incidents. The fraudulent card list is updated every 60 seconds. The e- commerce servers log the transaction details in near-real time. Which option should you recommend to the security team?

A. Use AutoML to automatically build models based on the fraudulent credit card lists.

B. Define a log-based metric for each fraudulent credit card, and set a Stackdriver alert for these metrics.

C. Maintain a log ingestion exclusion filter based on the fraudulent credit card lists.

D. Create a new logging export with a filter to match the transaction and a sink pointing to a Cloud Pub/Sub topic.

정답: D

설명: (DumpTOP 회원만 볼 수 있음)

문제15

You need to enable VPC Service Controls and allow changes to perimeters in existing environments without preventing access to resources. Which VPC Service Controls mode should you use?

A. Enforced

B. Cloud Run

C. Native

D. Dry run

정답: D

설명: (DumpTOP 회원만 볼 수 있음)

문제16

Your company requires the security and network engineering teams to identify all network anomalies within and across VPCs, internal traffic from VMs to VMs, traffic between end locations on the internet and VMs, and traffic between VMs to Google Cloud services in production. Which method should you use?

A. Enable VPC Flow Logs on the subnet.

B. Define an organization policy constraint.

C. Configure packet mirroring policies.

D. Monitor and analyze Cloud Audit Logs.

정답: A

설명: (DumpTOP 회원만 볼 수 있음)

문제17

A customer has an analytics workload running on Compute Engine that should have limited internet access.
Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.
The Compute Engine instances now need to reach out to the public repository to get security updates.
What should your team do?

A. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.

B. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.

C. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.

D. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.

정답: C

설명: (DumpTOP 회원만 볼 수 있음)

문제18

A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?

A. On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.

B. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.

C. On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.

D. Upload the logs to both the shared bucket and the bucket only accessible by the administrator.
Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.

정답: B

설명: (DumpTOP 회원만 볼 수 있음)

문제19

An organization recently began using App Engine to build and host its new web application for its customers. The organization wants to use its existing IAM setup to allow its developer employees to have elevated access to the application remotely. This would allow them to push updates and fixes to the application via an HTTPS connection. Non-developer employees should only get access to the production version without development permissions. Which Google Cloud Platform solution should be used to meet these requirements?

A. Set up Cloud Identity-Aware Proxy (Cloud IAP) to manage authentication and different authorization levels for employee access.

B. Synchronize the organization's Active Directory using Cloud Identity for employee access via Cloud VPN.

C. Set up Virtual Private Cloud (VPC) firewall rules to manage authentication and different authorization levels for employee access.

D. Disable access for non-developer employees by removing their Google Group from the application access control list (ACL).

정답: A

설명: (DumpTOP 회원만 볼 수 있음)

문제20

Your organization is using GitHub Actions as a continuous integration and delivery (CI/CD) platform. You must enable access to Google Cloud resources from the CI/CD pipelines in the most secure way.
What should you do?

A. Configure workload identity federation to use GitHub as an identity pool provider.

B. Create a service account key, and add it to the GitHub pipeline configuration file.

C. Configure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.

D. Create a service account key, and add it to the GitHub repository content.

정답: A

설명: (DumpTOP 회원만 볼 수 있음)

최신 Professional-Cloud-Security-Engineer 무료덤프 - Google Cloud Certified - Professional Cloud Security Engineer

우리와 연락하기

유용한 링크

최신 업데이트