PCSE 101-150

50問 • 1年前

問題一覧

Your company wants to determine what products they can build to help customers improve their credit scores depending on their age range. To achieve this, you need to join user information in the company's banking app with customers' credit score data received from a third party. While using this raw data will allow you to complete this task, it exposes sensitive data, which could be propagated into new systems. This risk needs to be addressed using de-identification and tokenization with Cloud Data Loss Prevention while maintaining the referential integrity across the database. Which cryptographic token format should you use to meet these requirements?

Deterministic encryption

An office manager at your small startup company is responsible for matching payments to invoices and creating billing alerts. For compliance reasons, the office manager is only permitted to have the Identity and Access Management (IAM) permissions necessary for these tasks. Which two IAM roles should the office manager have? (Choose two.)

Billing Account Viewer, Billing Account Costs Manager

You are designing a new governance model for your organization's secrets that are stored in Secret Manager. Currently, secrets for Production and Non- Production applications are stored and accessed using service accounts. Your proposed solution must: ✑ Provide granular access to secrets ✑ Give you control over the rotation schedules for the encryption keys that wrap your secrets ✑ Maintain environment separation ✑ Provide ease of management Which approach should you take?

1. Use separate Google Cloud projects to store Production and Non-Production secrets. 2. Enforce access control to secrets using project-level identity and Access Management (IAM) bindings. 3. Use customer-managed encryption keys to encrypt secrets.

You are a security engineer at a finance company. Your organization plans to store data on Google Cloud, but your leadership team is worried about the security of their highly sensitive data. Specifically, your company is concerned about internal Google employees' ability to access your company's data on Google Cloud. What solution should you propose?

Enable Access Transparency logs with Access Approval requests for Google employees.

You want to use the gcloud command-line tool to authenticate using a third-party single sign-on (SSO) SAML identity provider. Which options are necessary to ensure that authentication is supported by the third-party identity provider (IdP)? (Choose two.)

SSO SAML as a third-party IdP, Cloud Identity

You work for a large organization where each business unit has thousands of users. You need to delegate management of access control permissions to each business unit. You have the following requirements: ✑ Each business unit manages access controls for their own projects. ✑ Each business unit manages access control permissions at scale. ✑ Business units cannot access other business units' projects. ✑ Users lose their access if they move to a different business unit or leave the company. ✑ Users and access control permissions are managed by the on-premises directory service. What should you do? (Choose two.)

Organize projects in folders, and assign permissions to Google groups at the folder level., Use Google Cloud Directory Sync to synchronize users and group memberships in Cloud Identity.

Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application. The solution has the following requirements: ✑ Scans must run at least once per week ✑ Must be able to detect cross-site scripting vulnerabilities ✑ Must be able to authenticate using Google accounts Which solution should you use?

Web Security Scanner

An organization is moving applications to Google Cloud while maintaining a few mission-critical applications on-premises. The organization must transfer the data at a bandwidth of at least 50 Gbps. What should they use to ensure secure continued connectivity between sites?

Dedicated Interconnect

Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups. Which Google Cloud service should you use?

Cloud DNS with DNSSEC

Your Security team believes that a former employee of your company gained unauthorized access to Google Cloud resources some time in the past 2 months by using a service account key. You need to confirm the unauthorized access and determine the user activity. What should you do?

Use the Logs Explorer to search for user activity.

Your company requires the security and network engineering teams to identify all network anomalies within and across VPCs, internal traffic from VMs to VMs, traffic between end locations on the internet and VMs, and traffic between VMs to Google Cloud services in production. Which method should you use?

Configure packet mirroring policies.

Your company has been creating users manually in Cloud Identity to provide access to Google Cloud resources. Due to continued growth of the environment, you want to authorize the Google Cloud Directory Sync (GCDS) instance and integrate it with your on-premises LDAP server to onboard hundreds of users. You are required to: ✑ Replicate user and group lifecycle changes from the on-premises LDAP server in Cloud Identity. ✑ Disable any manually created users in Cloud Identity. You have already configured the LDAP search attributes to include the users and security groups in scope for Google Cloud. What should you do next to complete this solution?

1. Configure the option to suspend domain users not found in LDAP. 2. Set up a recurring GCDS task.

You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?

Add the host project containing the Shared VPC to the service perimeter.

You recently joined the networking team supporting your company's Google Cloud implementation. You are tasked with familiarizing yourself with the firewall rules configuration and providing recommendations based on your networking and Google Cloud experience. What product should you recommend to detect firewall rules that are overlapped by attributes from other firewall rules with higher or equal priority?

Firewall Insights

The security operations team needs access to the security-related logs for all projects in their organization. They have the following requirements: ✑ Follow the least privilege model by having only view access to logs. ✑ Have access to Admin Activity logs. ✑ Have access to Data Access logs. ✑ Have access to Access Transparency logs. Which Identity and Access Management (IAM) role should the security operations team be granted?

roles/logging.privateLogViewer

You are exporting application logs to Cloud Storage. You encounter an error message that the log sinks don't support uniform bucket-level access policies. How should you resolve this error?

Change the access control model for the bucket

You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?

Create a custom service account for the cluster. Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level

You need to set up two network segments: one with an untrusted subnet and the other with a trusted subnet. You want to configure a virtual appliance such as a next-generation firewall (NGFW) to inspect all traffic between the two network segments. How should you design the network to inspect the traffic?

1. Set up two VPC networks: one trusted and the other untrusted. 2. Configure a virtual appliance using multiple network interfaces, with each interface connected to one of the VPC networks.

You are a member of your company's security team. You have been asked to reduce your Linux bastion host external attack surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can access the internal VPC while off-site. How should you enable this access?

Implement Identity-Aware Proxy TCP forwarding for the bastion host.

You need to enable VPC Service Controls and allow changes to perimeters in existing environments without preventing access to resources. Which VPC Service Controls mode should you use?

Dry Run

You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your Google Cloud VPCs based on packet header information. However, you want the capability to explore network flows and their payload to aid investigations. Which Google Cloud product should you use?

Packet Mirroring

Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements: ✑ Only allows communication between the Web and App tiers. ✑ Enforces consistent network security when autoscaling the Web and App tiers. ✑ Prevents Compute Engine Instance Admins from altering network traffic. What should you do?

1. Re-deploy the Web and App servers with instance templates configured with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.

You need to connect your organization's on-premises network with an existing Google Cloud environment that includes one Shared VPC with two subnets named Production and Non-Production. You are required to: ✑ Use a private transport link. ✑ Configure access to Google Cloud APIs through private API endpoints originating from on-premises environments. ✑ Ensure that Google Cloud APIs are only consumed via VPC Service Controls. What should you do?

1. Set up a Dedicated Interconnect link between the on-premises environment and Google Cloud. 2. Configure private access using the restricted.googleapis.com domains in on-premises DNS configurations.

You are working with protected health information (PHI) for an electronic health record system. The privacy officer is concerned that sensitive data is stored in the analytics system. You are tasked with anonymizing the sensitive data in a way that is not reversible. Also, the anonymized data should not preserve the character set and length. Which Google Cloud solution should you use?

Cloud Data Loss Prevention with cryptographic hashing

You are setting up a CI/CD pipeline to deploy containerized applications to your production clusters on Google Kubernetes Engine (GKE). You need to prevent containers with known vulnerabilities from being deployed. You have the following requirements for your solution: ✑ Must be cloud-native ✑ Must be cost-efficient ✑ Minimize operational overhead How should you accomplish this? (Choose two.)

Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue. , In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.

Which type of load balancer should you use to maintain client IP by default while using the standard network tier?

TCP/UDP Network

You want to prevent users from accidentally deleting a Shared VPC host project. Which organization-level policy constraint should you enable?

compute.restrictXpnProjectLienRemoval

Users are reporting an outage on your public-facing application that is hosted on Compute Engine. You suspect that a recent change to your firewall rules is responsible. You need to test whether your firewall rules are working properly. What should you do?

Enable Firewall Rules Logging on the latest rules that were changed. Use Logs Explorer to analyze whether the rules are working correctly.

You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project. How should you make an exception for your partner's domain while following the stated best practices?

Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.

You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application's backend. What are two requirements for using Google Cloud Armor security policies? (Choose two.)

The backend service's load balancing scheme must be EXTERNAL., The load balancer must be an external HTTP(S) load balancer.

You perform a security assessment on a customer architecture and discover that multiple VMs have public IP addresses. After providing a recommendation to remove the public IP addresses, you are told those VMs need to communicate to external sites as part of the customer's typical operations. What should you recommend to reduce the need for public IP addresses in your customer's VMs?

Cloud NAT

You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources. Your export must meet the following requirements: ✑ Export related logs for all projects in the Google Cloud organization. ✑ Export logs in near real-time to an external SIEM. What should you do? (Choose two.)

Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic., Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.

Your company's Chief Information Security Officer (CISO) creates a requirement that business data must be stored in specific locations due to regulatory requirements that affect the company's global expansion plans. After working on the details to implement this requirement, you determine the following: ✑ The services in scope are included in the Google Cloud Data Residency Terms. ✑ The business data remains within specific locations under the same organization. ✑ The folder structure can contain multiple data residency locations. You plan to use the Resource Location Restriction organization policy constraint. At which level in the resource hierarchy should you set the constraint?

Project

You need to set up a Cloud interconnect connection between your company's on-premises data center and VPC host network. You want to make sure that on- premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?

Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.

You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive data. Your solution has the following requirements: ✑ Schedule key rotation for sensitive data. ✑ Control which region the encryption keys for sensitive data are stored in. ✑ Minimize the latency to access encryption keys for both sensitive and non-sensitive data. What should you do?

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

Your security team uses encryption keys to ensure confidentiality of user data. You want to establish a process to reduce the impact of a potentially compromised symmetric encryption key in Cloud Key Management Service (Cloud KMS). Which steps should your team take before an incident occurs? (Choose two.)

Enable automatic key version rotation on a regular schedule., Limit the number of messages encrypted with each key version.

Your company's chief information security officer (CISO) is requiring business data to be stored in specific locations due to regulatory requirements that affect the company's global expansion plans. After working on a plan to implement this requirement, you determine the following: ✑ The services in scope are included in the Google Cloud data residency requirements. ✑ The business data remains within specific locations under the same organization. ✑ The folder structure can contain multiple data residency locations. ✑ The projects are aligned to specific locations. You plan to use the Resource Location Restriction organization policy constraint with very granular control. At which level in the hierarchy should you set the constraint?

Project

A database administrator notices malicious activities within their Cloud SQL instance. The database administrator wants to monitor the API calls that read the configuration or metadata of resources. Which logs should the database administrator review?

Data Access

You are backing up application logs to a shared Cloud Storage bucket that is accessible to both the administrator and analysts. Analysts should not have access to logs that contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible to the administrator. What should you do?

Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect PII, have the function move the objects into the shared Cloud Storage bucket.

You work for an organization in a regulated industry that has strict data protection requirements. The organization backs up their data in the cloud. To comply with data privacy regulations, this data can only be stored for a specific length of time and must be deleted after this specific period. You want to automate the compliance with this regulation while minimizing storage costs. What should you do?

Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.

You have been tasked with configuring Security Command Center for your organization's Google Cloud environment. Your security team needs to receive alerts of potential crypto mining in the organization's compute environment and alerts for common Google Cloud misconfigurations that impact security. Which Security Command Center features should you use to configure these alerts? (Choose two.)

Event Threat Detection, Security Health Analytics

You have noticed an increased number of phishing attacks across your enterprise user accounts. You want to implement the Google 2-Step Verification (2SV) option that uses a cryptographic signature to authenticate a user and verify the URL of the login page. Which Google 2SV option should you use?

Titan Security Keys

Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements: ✑ The network connection must be encrypted. ✑ The communication between servers must be over private IP addresses. What should you do?

Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

Your company's new CEO recently sold two of the company's divisions. Your Director asks you to help migrate the Google Cloud projects associated with those divisions to a new organization node. Which preparation steps are necessary before this migration occurs? (Choose two.)

Identify inherited Identity and Access Management (IAM) roles on projects to be migrated., Remove the specific migration projects from any VPC Service Controls perimeters and bridges.

You are a consultant for an organization that is considering migrating their data from its private cloud to Google Cloud. The organization's compliance team is not familiar with Google Cloud and needs guidance on how compliance requirements will be met on Google Cloud. One specific compliance requirement is for customer data at rest to reside within specific geographic boundaries. Which option should you recommend for the organization to meet their data residency requirements on Google Cloud?

Organization Policy Service constraints

Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization. How should you enforce this?

Enable an organization policy to prevent service account keys from being created.

You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?

On the Google Admin console, select the appropriate user account, and generate a backup code to allow the user to sign in. Ask the user to update their second factor.

Which Google Cloud service should you use to enforce access control policies for applications and resources?

Identity-Aware Proxy

You want to update your existing VPC Service Controls perimeter with a new access level. You need to avoid breaking the existing perimeter with this change, and ensure the least disruptions to users while minimizing overhead. What should you do?

Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.

Your organization's Google Cloud VMs are deployed via an instance template that configures them with a public IP address in order to host web services for external users. The VMs reside in a service project that is attached to a host (VPC) project containing one custom Shared VPC for the VMs. You have been asked to reduce the exposure of the VMs to the internet while continuing to service external users. You have already recreated the instance template without a public IP address configuration to launch the managed instance group (MIG). What should you do?

Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.

PCSE 1-50

Mark Joseph Tinawin · 50問 · 1年前

PCSE 1-50

50問 • 1年前

Mark Joseph Tinawin

PCSE 51-100

Mark Joseph Tinawin · 50問 · 1年前

PCSE 51-100

50問 • 1年前

Mark Joseph Tinawin

PCSE 151-200

Mark Joseph Tinawin · 50問 · 1年前

PCSE 151-200

50問 • 1年前

Mark Joseph Tinawin

PCSE 201-244

Mark Joseph Tinawin · 44問 · 1年前

PCSE 201-244

44問 • 1年前

Mark Joseph Tinawin

問題一覧

Deterministic encryption

Billing Account Viewer, Billing Account Costs Manager

Enable Access Transparency logs with Access Approval requests for Google employees.

SSO SAML as a third-party IdP, Cloud Identity

Organize projects in folders, and assign permissions to Google groups at the folder level., Use Google Cloud Directory Sync to synchronize users and group memberships in Cloud Identity.

Web Security Scanner

Dedicated Interconnect

Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups. Which Google Cloud service should you use?

Cloud DNS with DNSSEC

Use the Logs Explorer to search for user activity.

Configure packet mirroring policies.

1. Configure the option to suspend domain users not found in LDAP. 2. Set up a recurring GCDS task.

Add the host project containing the Shared VPC to the service perimeter.

Firewall Insights

roles/logging.privateLogViewer

You are exporting application logs to Cloud Storage. You encounter an error message that the log sinks don't support uniform bucket-level access policies. How should you resolve this error?

Change the access control model for the bucket

You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?

Create a custom service account for the cluster. Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level

1. Set up two VPC networks: one trusted and the other untrusted. 2. Configure a virtual appliance using multiple network interfaces, with each interface connected to one of the VPC networks.

Implement Identity-Aware Proxy TCP forwarding for the bastion host.

You need to enable VPC Service Controls and allow changes to perimeters in existing environments without preventing access to resources. Which VPC Service Controls mode should you use?

Dry Run

Packet Mirroring

Cloud Data Loss Prevention with cryptographic hashing

Which type of load balancer should you use to maintain client IP by default while using the standard network tier?

TCP/UDP Network

You want to prevent users from accidentally deleting a Shared VPC host project. Which organization-level policy constraint should you enable?

compute.restrictXpnProjectLienRemoval

Enable Firewall Rules Logging on the latest rules that were changed. Use Logs Explorer to analyze whether the rules are working correctly.

The backend service's load balancing scheme must be EXTERNAL., The load balancer must be an external HTTP(S) load balancer.

Cloud NAT

Project

Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

Enable automatic key version rotation on a regular schedule., Limit the number of messages encrypted with each key version.

Project

Data Access

Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.

Event Threat Detection, Security Health Analytics

Titan Security Keys

Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.

Identify inherited Identity and Access Management (IAM) roles on projects to be migrated., Remove the specific migration projects from any VPC Service Controls perimeters and bridges.

Organization Policy Service constraints

Enable an organization policy to prevent service account keys from being created.

On the Google Admin console, select the appropriate user account, and generate a backup code to allow the user to sign in. Ask the user to update their second factor.

Which Google Cloud service should you use to enforce access control policies for applications and resources?

Identity-Aware Proxy

Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.

Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.