Google Professional-Cloud-Security-Engineer 問題集

質問 1：
You need to connect your organization's on-premises network with an existing Google Cloud environment that includes one Shared VPC with two subnets named Production and Non-Production. You are required to:
Use a private transport link.
Configure access to Google Cloud APIs through private API endpoints originating from on-premises environments.
Ensure that Google Cloud APIs are only consumed via VPC Service Controls.
What should you do?
A. 1. Set up a Partner Interconnect link between the on-premises environment and Google Cloud.
2. Configure private access using the private.googleapis.com domains in on-premises DNS configurations.
B. 1. Set up a Dedicated Interconnect link between the on-premises environment and Google Cloud.
2. Configure private access using the restricted.googleapis.com domains in on-premises DNS configurations.
C. 1. Set up a Direct Peering link between the on-premises environment and Google Cloud.
2. Configure private access for both VPC subnets.
D. 1. Set up a Cloud VPN link between the on-premises environment and Google Cloud.
2. Configure private access using the restricted googleapis.com domains in on-premises DNS configurations.
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 2：
You manage a mission-critical workload for your organization, which is in a highly regulated industry The workload uses Compute Engine VMs to analyze and process the sensitive data after it is uploaded to Cloud Storage from the endpomt computers. Your compliance team has detected that this workload does not meet the data protection requirements for sensitive data. You need to meet these requirements;
* Manage the data encryption key (DEK) outside the Google Cloud boundary.
* Maintain full control of encryption keys through a third-party provider.
* Encrypt the sensitive data before uploading it to Cloud Storage
* Decrypt the sensitive data during processing in the Compute Engine VMs
* Encrypt the sensitive data in memory while in use in the Compute Engine VMs What should you do?
Choose 2 answers
A. Configure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.
B. Migrate the Compute Engine VMs to Confidential VMs to access the sensitive data.
C. Create Confidential VMs to access the sensitive data.
D. Create a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets
E. Configure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage and decrypt the sensitive data after it is downloaded into your VMs
正解：C,E
解説: (Topexam メンバーにのみ表示されます)

質問 3：
You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud. Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.)
A. Manually add users to Google Cloud.
B. Use Google default encryption.
C. Provide granular access with predefined roles.
D. Provision users with basic roles using Google's Identity and Access Management (1AM) service.
E. Use SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.
正解：C,E
解説: (Topexam メンバーにのみ表示されます)

質問 4：
You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS). Cloud Identity and Access Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys.
What should you do?
A. Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the Key level.
B. Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the KeyRing level.
C. Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the Key level.
D. Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the KeyRing level.
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 5：
You perform a security assessment on a customer architecture and discover that multiple VMs have public IP addresses. After providing a recommendation to remove the public IP addresses, you are told those VMs need to communicate to external sites as part of the customer's typical operations. What should you recommend to reduce the need for public IP addresses in your customer's VMs?
A. Cloud Router
B. Google Cloud Armor
C. Cloud NAT
D. Cloud VPN
正解：C
解説: (Topexam メンバーにのみ表示されます)

質問 6：
Your company wants to determine what products they can build to help customers improve their credit scores depending on their age range. To achieve this, you need tojoin user information in the company's banking app with customers' credit score data received from a third party. While using this raw data will allow you to complete this task, it exposes sensitive data, which could be propagated into new systems.
This risk needs to be addressed using de-identification and tokenization with Cloud Data Loss Prevention while maintaining the referential integrity across the database. Which cryptographic token format should you use to meet these requirements?
A. Format-preserving encryption
B. Cryptographic hashing
C. Secure, key-based hashes
D. Deterministic encryption
正解：D
解説: (Topexam メンバーにのみ表示されます)

質問 7：
Which type of load balancer should you use to maintain client IP by default while using the standard network tier?
A. SSL Proxy
B. TCP/UDP Network
C. TCP Proxy
D. Internal TCP/UDP
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 8：
Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:
The network connection must be encrypted.
The communication between servers must be over private IP addresses.
What should you do?
A. Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
B. Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
C. Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.
D. Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.
正解：A
解説: (Topexam メンバーにのみ表示されます)

質問 9：
You are setting up a CI/CD pipeline to deploy containerized applications to your production clusters on Google Kubernetes Engine (GKE). You need to prevent containers with known vulnerabilities from being deployed. You have the following requirements for your solution:
Must be cloud-native
Must be cost-efficient
Minimize operational overhead
How should you accomplish this? (Choose two.)
A. Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.
B. Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.
C. Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.
D. Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.
E. In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.
正解：A,E