Professional-Cloud-Security-Engineer 無料問題集「Google Cloud Certified - Professional Cloud Security Engineer」

（A）Validate that the egress firewall rules allow any outgoing traffic. Log in to each VM and execute OS specific update commands. Configure the Cloud Scheduler job to update with critical patches daily for daily updates.

（B）Assign public IPs to VMs. Validate that the egress firewall rules allow any outgoing traffic. Log in to each VM, and configure a daily cron job to enable for OS updates at night during low activity periods.

（C）Copy the latest patches to the Cloud Storage bucket. Log in to each VM, download the patches from the bucket, and install them.

（D）Ensure that VM Manager is installed and running on the VMs. In the OS patch management service, configure the patch jobs to update with critical patches dally.

（A）Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.

（B）Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.

（C）Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.

（D）Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.

（A）Enable Private Google Access on the regional subnets and global dynamic routing mode.

（B）Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.

（C）Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.

（D）Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud interconnect connection.

（A）Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.

（B）Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.

（C）Use Cloud Source Repositories, and store secrets in Cloud SQL.

（D）Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL.

（A）Create a group and assign IAM bindings to the group for each bucket that the application needs to access. Assign the VM's service account to the group.

（B）Limit the VMs access to the Cloud Storage buckets by setting the relevant access scope of the VM.

（C）Create IAM bindings for the VM's service account and the required buckets that allow appropriate access to the data stored in the buckets.

（D）Grant the VM's service account access to the required buckets by using domain-wide delegation.

（A）EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, andINTERNAL_HTTP_HTTPS are denied in accordance with the folder and project's policies.

（B）INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder's policy.

（C）All load balancer types are denied in accordance with the global node's policy.

（D）EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project's policy.

（A）Ensure that the app does not run as PID 1.

（B）Use many container image layers to hide sensitive information.

（C）Remove any unnecessary tools not needed by the app.

（D）Use public container images as a base image for the app.

（E）Package a single app as a container.

（A）On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.

（B）Upload the logs to both the shared bucket and the bucket only accessible by the administrator.
Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.

（C）Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.

（D）On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.

（A）roles/logging.admin

（B）roles/logging.viewer

（C）roles/viewer

（D）roles/logging.privateLogViewer

（A）Sync user identities from their existing IdPs to Cloud Identity by using Google Cloud Directory Sync (GCDS).

（B）Create two single sign-on (SSO) profiles for the internal and partner IdPs by using SSO for Cloud Identity.

（C）Create two workforce identity pools for the partner IdPs.

（D）Create users manually by using the Google Cloud console. Assign the users to groups.

（A）In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.

（B）Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.

（C）Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.

（D）In Resource Manager, edit the organization permissions. Add the project ID as member with the role:Compute Image User.

（A）Create a service account for the application, and grant Cloud Storage Object Creator permissions to the project.

（B）Create a service account for the application, and grant Cloud Storage Object Creator permissions at the bucket level.

（C）Create a user account, authenticate with the application, and grant Google Storage Admin permissions at the bucket level.

（D）Create a user account, authenticate with the application, and grant Google Storage Admin permissions at the project leve

（A）Create a Sensitive Data Protection job. Specify the infoType of data to be detected and run the job across all Google Cloud Storage buckets.

（B）Create a log sink with a filter on resourceLocation.currentLocations. Trigger an alert if a log message appears with a non- EUcountry.

（C）Activate Security Command Center Premium. Use compliance monitoring to detect resources that do not follow the applicable healthcare regulation.

（D）Enforce the gcp.resourceLocations organization policy and add "EU" in a custom rule that only applies on resources with the tag "healthcare".

（A）Cloud External Key Manager

（B）Customer-supplied encryption keys.

（C）Customer-managed encryption keys

（D）Google default encryption

（E）Secret Manager

（A）Configure Cloud Intrusion Detection System (Cloud IDS) to monitor incoming connections, deploy Identity-Aware Proxy (IAP) to block common web attacks, and deploy Google Cloud Armor to detect internal traffic anomalies.

（B）Configure Cloud Firewall to permit allow-listed traffic only, deploy Google Cloud Armor with predefined rules for blocking common web attacks, and deploy Cloud Intrusion Detection System (IDS) to detect internal traffic anomalies.

（C）Configure Cloud DNS to secure incoming traffic, deploy Cloud Intrusion Detection System (Cloud IDS) to detect common web attacks, and deploy Google Cloud Armor to detect internal traffic anomalies.

（D）Configure Google Cloud Armor to allow incoming connections, configure DNS Security Extensions (DNSSEC) on Cloud DNS to secure against common web attacks, and deploy Cloud Intrusion Detection System (Cloud IDS) to detect internal traffic anomalies.

（A）Use date shifting with the context set to the unique ID of the test subject.

（B）Extract the date using TimePartConfig from each date field and append a random month and year.

（C）Use the FFX mode of format preserving encryption (FPE) and maintain data consistency.

（D）Use bucketing to shift values to a predetermined date based on the initial value.

（A）Disable and revoke access to compromised keys.

（B）Limit the number of messages encrypted with each key version.

（C）Manually rotate key versions on an ad hoc schedule.

（D）Disable the Cloud KMS API.

（E）Enable automatic key version rotation on a regular schedule.