PCSE 1-50

50問 • 1年前

問題一覧

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services. Which two settings must remain disabled to meet these requirements? (Choose two.)

Private Google Access, Public IP

Which two implied firewall rules are defined on a VPC network? (Choose two.)

A rule that allows all outbound connections, A rule that denies all inbound connections

A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system. How should the customer achieve this using Google Cloud Platform?

Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.

Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service. Your team wants to manage permissions by AD group membership. What should your team do to meet these requirements?

Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.

When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)

Package a single app as a container., Remove any unnecessary tools not needed by the app.

A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end- user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection. Which product should be used to meet these requirements?

Cloud Armor

A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project. Which two approaches can you take to meet the requirements? (Choose two.)

Configure the project with Cloud VPN., Configure the project with Cloud Interconnect.

A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity-Aware Proxy. What should the customer do to meet these requirements?

Make sure that the ERP system can validate the JWT assertion in the HTTP requests.

A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs. What should you do?

Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.

Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization. Which logging export strategy should you use to meet the requirements?

1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project. 2. Subscribe SIEM to the topic

A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack. Which solution should this customer use?

DNS Security Extensions

A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities. Which service should be used to accomplish this?

Web Security Scanner

A customer's data science group wants to use Google Cloud Platform (GCP) for their analytics workloads. Company policy dictates that all data must be company-owned and all user authentications must go through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and realized that their domain was already being used by G Suite. How should you best advise the Systems Engineer to proceed with the least disruption?

Ask customer's management to discover any other uses of Google managed services, and work with the existing Super Administrator.

A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects. Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources. Which type of access should your team grant to meet this requirement?

Organization Administrator

An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege. Which option meets the requirement of your team?

Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.

An organization's typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review. How should you advise this organization?

Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.

An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data Loss Prevention API technique should you use to accomplish this?

CryptoReplaceFfxFpeConfig

An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters. Which Cloud Identity password guidelines can the organization use to inform their new requirements?

Set the minimum length for passwords to be 8 characters.

You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer. What should you do?

Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.

How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?

Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow.

In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized. Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)

Compute Engine, Google Kubernetes Engine

A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location. Which solution will restrict access to the in-progress sites?

Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts.

When working with agents in the support center via online chat, your organization's customers often share pictures of their documents with personally identifiable information (PII). Your leadership team is concerned that this PII is being stored as part of the regular chat logs, which are reviewed by internal or external analysts for customer service trends. You want to resolve this concern while still maintaining data utility. What should you do?

Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.

A company's application is deployed with a user-managed Service Account key. You want to use Google-recommended practices to rotate the key. What should you do?

Create a new key, and use the new key in the application. Delete the old key from the Service Account.

Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team. Which type of networking design should your team use to meet these requirements?

Shared VPC Network with a host project and service projects

An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organization's risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibility model between the organization and Google Cloud. What solution would help meet the requirements?

Network security is a built-in solution and Google's Cloud responsibility for SaaS products like G Suite.

A customer's company has multiple business units. Each business unit operates independently, and each has their own engineering group. Your team wants visibility into all projects created within the company and wants to organize their Google Cloud Platform (GCP) projects based on different business units. Each business unit also requires separate sets of IAM permissions. Which strategy should you use to meet these needs?

Create an organization node, and assign folders for each business unit.

A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location. How should the company accomplish this?

Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.

Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet. What should your team grant to Engineering Group A to meet this requirement?

Compute Network User Role at the subnet level.

A company migrated their entire data/center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time. What should you do?

Use Security Command Center to view all assets across the organization.

An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its current data backup and disaster recovery solutions to GCP for later analysis. The organization's production environment will remain on- premises for an indefinite time. The organization wants a scalable and cost-efficient solution. Which GCP solution should the organization use?

Cloud Storage using a scheduled task and gsutil

You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google-recommended practices. What should you do?

Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.

A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to control the key lifecycle. Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?

Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)

Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud. What should you do?

Use the Cloud Key Management Service to manage the key encryption key (KEK).

You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards. What should you do?

Move the cardholder data environment into a separate GCP project.

A retail customer allows users to upload comments and product reviews. The customer needs to make sure the text does not include sensitive data before the comments or reviews are published. Which Google Cloud Service should be used to achieve this?

Cloud Data Loss Prevention API

A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior. What should you do to meet these requirements?

Create a Folder per department under the Organization. For each department's Folder, assign the Project Viewer role to the Google Group related to that department.

A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK). How should the team complete this task?

Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.

A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects. Which two steps should the company take to meet these requirements? (Choose two.)

Create a folder for each development and production environment., Create a Google Group for the Engineering team, and assign permissions at the folder level.

You want to evaluate your organization's Google Cloud instance for PCI compliance. You need to identify Google's inherent controls. Which document should you review to find the information?

Google Cloud Platform: Customer Responsibility Matrix

Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation. What should you do?

Store the data in a single Cloud Storage bucket and configure the bucket's Time to Live.

A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container. What should they do?

Build small containers using small base images.

While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password. What should you do?

Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.

Your company is using GSuite and has developed an application meant for internal usage on Google App Engine. You need to make sure that an external user cannot gain access to the application even when an employee's password has been compromised. What should you do?

Enforce 2-factor authentication in GSuite for all users.

A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in BigQuery. What technique should the institution use?

Customer-managed encryption keys (CMEK).

A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places. Which Storage solution are they allowed to use?

Cloud BigQuery

A large e-retailer is moving to Google Cloud Platform with its ecommerce website. The company wants to ensure payment information is encrypted between the customer's browser and GCP when the customers checkout online. What should they do?

Configure an SSL Certificate on an L7 Load Balancer and require encryption.

Applications often require access to `secrets` - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of `who did what, where, and when?` within their GCP projects. Which two log streams would provide the information that the administrator is looking for? (Choose two.)

Admin Activity Logs, Data Access Logs

You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk. What should you do?

Migrate the application into an isolated project using a ג€Lift & Shiftג€ approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

Your company has deployed an application on Compute Engine. The application is accessible by clients on port 587. You need to balance the load between the different instances running the application. The connection should be secured using TLS, and terminated by the Load Balancer. What type of Load Balancing should you use?

SSL Proxy Load Balancing

PCSE 51-100

Mark Joseph Tinawin · 50問 · 1年前

PCSE 51-100

50問 • 1年前

Mark Joseph Tinawin

PCSE 101-150

Mark Joseph Tinawin · 50問 · 1年前

PCSE 101-150

50問 • 1年前

Mark Joseph Tinawin

PCSE 151-200

Mark Joseph Tinawin · 50問 · 1年前

PCSE 151-200

50問 • 1年前

Mark Joseph Tinawin

PCSE 201-244

Mark Joseph Tinawin · 44問 · 1年前

PCSE 201-244

44問 • 1年前

Mark Joseph Tinawin

問題一覧

Private Google Access, Public IP

Which two implied firewall rules are defined on a VPC network? (Choose two.)

A rule that allows all outbound connections, A rule that denies all inbound connections

A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system. How should the customer achieve this using Google Cloud Platform?

Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.

Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.

When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)

Package a single app as a container., Remove any unnecessary tools not needed by the app.

Cloud Armor

Configure the project with Cloud VPN., Configure the project with Cloud Interconnect.

Make sure that the ERP system can validate the JWT assertion in the HTTP requests.

Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.

1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project. 2. Subscribe SIEM to the topic

A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack. Which solution should this customer use?

DNS Security Extensions

A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities. Which service should be used to accomplish this?

Web Security Scanner

Ask customer's management to discover any other uses of Google managed services, and work with the existing Super Administrator.

Organization Administrator

Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.

Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.

CryptoReplaceFfxFpeConfig

Set the minimum length for passwords to be 8 characters.

You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer. What should you do?

Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.

How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?

Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow.

Compute Engine, Google Kubernetes Engine

Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts.

Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.

A company's application is deployed with a user-managed Service Account key. You want to use Google-recommended practices to rotate the key. What should you do?

Create a new key, and use the new key in the application. Delete the old key from the Service Account.

Shared VPC Network with a host project and service projects

Network security is a built-in solution and Google's Cloud responsibility for SaaS products like G Suite.

Create an organization node, and assign folders for each business unit.

A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location. How should the company accomplish this?

Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.

Compute Network User Role at the subnet level.

Use Security Command Center to view all assets across the organization.

Cloud Storage using a scheduled task and gsutil

Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.

Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)

Use the Cloud Key Management Service to manage the key encryption key (KEK).

Move the cardholder data environment into a separate GCP project.

Cloud Data Loss Prevention API

Create a Folder per department under the Organization. For each department's Folder, assign the Project Viewer role to the Google Group related to that department.

Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.

Create a folder for each development and production environment., Create a Google Group for the Engineering team, and assign permissions at the folder level.

You want to evaluate your organization's Google Cloud instance for PCI compliance. You need to identify Google's inherent controls. Which document should you review to find the information?

Google Cloud Platform: Customer Responsibility Matrix

Store the data in a single Cloud Storage bucket and configure the bucket's Time to Live.

Build small containers using small base images.

Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.

Enforce 2-factor authentication in GSuite for all users.

Customer-managed encryption keys (CMEK).

Cloud BigQuery

Configure an SSL Certificate on an L7 Load Balancer and require encryption.

Admin Activity Logs, Data Access Logs

SSL Proxy Load Balancing