최신 Professional-Cloud-Security-Engineer 무료덤프 - Google Cloud Certified

문제1

Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.
What should you do?

A. Use customer-supplied encryption keys to manage the key encryption key (KEK).

B. Use the Cloud Key Management Service to manage a key encryption key (KEK).

C. Use the Cloud Key Management Service to manage a data encryption key (DEK).

D. Use customer-supplied encryption keys to manage the data encryption key (DEK).

정답: D

설명: (DumpTOP 회원만 볼 수 있음)

문제2

Your organization uses BigQuery to process highly sensitive, structured datasets. Following the "need to know" principle, you need to create the Identity and Access Management (IAM) design to meet the needs of these users:
* Business user must access curated reports.
* Data engineer: must administrate the data lifecycle in the platform.
* Security operator: must review user activity on the data platform.
What should you do?

A. Generate a CSV data file based on the business user's needs, and send the data to their email addresses.

B. Configure data access log for BigQuery services, and grant Project Viewer role to security operators.

C. Set row-based access control based on the "region" column, and filter the record from the United States for data engineers.

D. Create curated tables in a separate dataset and assign the role roles/bigquery.dataViewer.

정답: D

설명: (DumpTOP 회원만 볼 수 있음)

문제3

Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation.
What should you do?

A. Store the data in a single BigTable table and set an expiration time on the column families.

B. Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.

C. Store the data in a single BigQuery table and set the appropriate table expiration time.

D. Store the data in a single Persistent Disk, and delete the disk at expiration time.

정답: B

설명: (DumpTOP 회원만 볼 수 있음)

문제4

Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud. Which two steps should you take to integrate the company's on-premises Active Directory with Google Cloud and configure access management? (Choose two.)

A. Use Identity Platform to provision users and groups to Google Cloud.

B. Create Identity and Access Management (1AM) roles with permissions corresponding to each Active Directory group.

C. Use Cloud Identity SAML integration to provision users and groups to Google Cloud.

D. Create Identity and Access Management (1AM) groups with permissions corresponding to each Active Directory group.

E. Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.

정답: D,E

설명: (DumpTOP 회원만 볼 수 있음)

문제5

You have the following resource hierarchy. There is an organization policy at each node in the hierarchy as shown. Which load balancer types are denied in VPC A?

A. All load balancer types are denied in accordance with the global node's policy.

B. INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder's policy.

C. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project's policy.

D. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project's policies.

정답: D

문제6

Your organization s customers must scan and upload the contract and their driver license into a web portal in Cloud Storage. You must remove all personally identifiable information (Pll) from files that are older than 12 months. Also you must archive the anonymized files for retention purposes.
What should you do?

A. Create a Cloud Data Loss Prevention (DLP) inspection job that de-identifies Pll in files created more than 12months ago and archives them to another Cloud Storage bucket. Delete the original files.

B. Set a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PH and movesthe files to the archive storage class.

C. Schedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys ofthe Cloud Storage files containing Pll to de-identify them Delete the original keys.

D. Configure the Autoclass feature of the Cloud Storage bucket to de-identify Pll Archive the files that are olderthan 12 months Delete the original files.

정답: A

문제7

You work for a large organization where each business unit has thousands of users. You need to delegate management of access control permissions to each business unit. You have the following requirements:
Each business unit manages access controls for their own projects.
Each business unit manages access control permissions at scale.
Business units cannot access other business units' projects.
Users lose their access if they move to a different business unit or leave the company.
Users and access control permissions are managed by the on-premises directory service.
What should you do? (Choose two.)

A. Use VPC Service Controls to create perimeters around each business unit's project.

B. Group business units based on Organization Units (OUs) and manage permissions based on OUs.

C. Create a project naming convention, and use Google's IAM Conditions to manage access based on the prefix of project names.

D. Organize projects in folders, and assign permissions to Google groups at the folder level.

E. Use Google Cloud Directory Sync to synchronize users and group memberships in Cloud Identity.

정답: D,E

문제8

Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects.
The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?

A. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project.
2.Subscribe SIEM to the topic.

B. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project.
2.Process Cloud Storage objects in SIEM.

C. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project.
2.Subscribe SIEM to the topic.

D. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project.
2.Process Cloud Storage objects in SIEM.

정답: A

설명: (DumpTOP 회원만 볼 수 있음)

문제9

Employees at your company use their personal computers to access your organization s Google Cloud console.
You need to ensure that users can only access the Google Cloud console from their corporate-issued devices and verify that they have a valid enterprise certificate What should you do?

A. Implement an organization policy to verify the certificate from the access context.

B. Implement an Identity and Access Management (1AM) conditional policy to verify the device certificate

C. Implement a VPC firewall policy Activate packet inspection and create an allow rule to validate and verify the device certificate.

D. Implement an Access Policy in BeyondCorp Enterprise to verify the device certificate Create an access binding with the access policy just created.

정답: D

설명: (DumpTOP 회원만 볼 수 있음)

문제10

You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?

A. Configure the Fluentd agent on each VM Instance within the VPC. Perform inspection on the log data using Cloud Logging.

B. Use Packet Mirroring to mirror traffic to and from particular VM instances. Perform inspection using security software that analyzes the mirrored traffic.

C. Enable VPC Flow Logs for all subnets in the VPC. Perform inspection on the Flow Logs data using Cloud Logging.

D. Configure Google Cloud Armor access logs to perform inspection on the log data.

정답: B

설명: (DumpTOP 회원만 볼 수 있음)

문제11

Your organization has implemented synchronization and SAML federation between Cloud Identity and Microsoft Active Directory. You want to reduce the risk of Google Cloud user accounts being compromised.
What should you do?

A. Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with security keys in the Google Admin console.

B. Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with verification codes via text or phone call in the Google Admin console.

C. Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with verification codes via text or phone call in the Google Admin console.

D. Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with security keys in the Google Admin console.

정답: A

문제12

A customer terminates an engineer and needs to make sure the engineer's Google account is automatically deprovisioned.
What should the customer do?

A. Use the Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity.

B. Use the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity.

C. Configure Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity.

D. Configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity.

정답: D

설명: (DumpTOP 회원만 볼 수 있음)

문제13

Your team uses a service account to authenticate data transfers from a given Compute Engine virtual machine instance of to a specified Cloud Storage bucket. An engineer accidentally deletes the service account, which breaks application functionality. You want to recover the application as quickly as possible without compromising security.
What should you do?

A. Update the permissions of another existing service account and supply those credentials to the applications.

B. Use the undelete command to recover the deleted service account.

C. Create a new service account with the same name as the deleted service account.

D. Temporarily disable authentication on the Cloud Storage bucket.

정답: B

설명: (DumpTOP 회원만 볼 수 있음)

문제14

Your organization is rolling out a new continuous integration and delivery (CI/CD) process to deploy infrastructure and applications in Google Cloud Many teams will use their own instances of the CI/CD workflow It will run on Google Kubernetes Engine (GKE) The CI/CD pipelines must be designed to securely access Google Cloud APIs What should you do?

A. *1 Create two service accounts one for the infrastructure and one for the application deployment
*2 Use workload identities to let the pods run the two pipelines and authenticate with the service accounts
*3 Run the infrastructure and application pipelines in separate namespaces

B. * 1 Create individual service accounts (or each deployment pipeline
*2 Add an identifier for the pipeline in the service account naming convention
*3 Ensure each pipeline runs on dedicated pods
*4 Use workload identity to map a deployment pipeline pod with a service account

C. *1 Create service accounts for each deployment pipeline
*2 Generate private keys for the service accounts
*3 Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deploy pipeline

D. *1 Create a dedicated service account for the CI/CD pipelines
*2 Run the deployment pipelines in a dedicated nodes pool in the GKE cluster
*3 Use the service account that you created as identity for the nodes in the pool to authenticate to the Google Cloud APIs

정답: B

문제15

Your company's cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs. Which service should you use?

A. Cloud DNS

B. TCP/UDP Load Balancing

C. Identity Aware-Proxy

D. Cloud NAT

정답: D

설명: (DumpTOP 회원만 볼 수 있음)

문제16

You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?

A. Add the service project where the Compute Engine instances reside to the service perimeter.

B. Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.

C. Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.

D. Add the host project containing the Shared VPC to the service perimeter.

정답: D

설명: (DumpTOP 회원만 볼 수 있음)

문제17

You will create a new Service Account that should be able to list the Compute Engine instances in the project.
You want to follow Google-recommended practices.
What should you do?

A. Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.

B. Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.

C. Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.

D. Create a custom role with the permission compute.instances.list and grant the Service Account this role.

정답: D

설명: (DumpTOP 회원만 볼 수 있음)

문제18

You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your Google Cloud VPCs based on packet header information. However, you want the capability to explore network flows and their payload to aid investigations. Which Google Cloud product should you use?

A. VPC Flow Logs

B. Google Cloud Armor Deep Packet Inspection

C. Marketplace IDS

D. Packet Mirroring

E. VPC Service Controls logs

정답: D

문제19

A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery What should you do?

A. Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.

B. Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.

C. Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.

D. Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.

정답: D

설명: (DumpTOP 회원만 볼 수 있음)

문제20

You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?

A. Prepopulated VPC firewall rules in monitor mode

B. The inherent protections of Google Front End (GFE)

C. Cloud Load Balancing firewall rules

D. Google Cloud Armor's preconfigured rules in preview mode

E. VPC Service Controls in dry run mode

정답: D

최신 Professional-Cloud-Security-Engineer 무료덤프 - Google Cloud Certified - Professional Cloud Security Engineer

우리와 연락하기

유용한 링크

최신 업데이트