Your DevOps team uses Packer to build Compute Engine images by using this process:
1. Create an ephemeral Compute Engine VM.
2. Copy a binary from a Cloud Storage bucket to the VM's file system.
3. Update the VM's package manager.
4. Install external packages from the internet onto the VM.
Your security team just enabled the organizational policy constraint constraints/compute.vmExternalIpAccess to restrict the usage of public IP addresses on VMs. In response, your DevOps team updated their scripts to remove public IP addresses from the Compute Engine VMs; however, the build pipeline is now failing due to connectivity issues.
What should you do?
Choose 2 answers
A. Enable Private Google Access on the subnet that the Compute Engine VM is deployed within.
B. Provision a Cloud NAT instance in the same VPC and region as the Compute Engine VM.
C. Provision an HTTP load balancer with the VM in an unmanaged instance group to allow inbound connections from the internet to your VM.
D. Provision a Cloud VPN tunnel in the same VPC and region as the Compute Engine VM.
E. Update the VPC routes to allow traffic to and from the internet.
Correct answer: A, B
Question 2:
You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine. Which option should you recommend?
A. Cloud Key Management Service
B. Compute Engine custom metadata
C. Compute Engine guest attributes
D. Secret Manager
Correct answer: D
Question 3:
You have a highly sensitive BigQuery workload that contains personally identifiable information (PII) that you want to ensure is not accessible from the internet. To prevent data exfiltration, only requests from authorized IP addresses are allowed to query your BigQuery tables.
What should you do?
A. Use a service perimeter and create an access level based on the authorized source IP address as the condition.
B. Use the Restrict allowed Google Cloud APIs and services organization policy constraint along with Cloud Data Loss Prevention (DLP).
C. Use Google Cloud Armor security policies defining an allowlist of authorized IP addresses at the global HTTPS load balancer.
D. Use the Restrict Resource service usage organization policy constraint along with Cloud Data Loss Prevention (DLP).
Correct answer: A
Question 4:
You manage a mission-critical workload for your organization, which is in a highly regulated industry. The workload uses Compute Engine VMs to analyze and process sensitive data after it is uploaded to Cloud Storage from the endpoint computers. Your compliance team has detected that this workload does not meet the data protection requirements for sensitive data. You need to meet these requirements:
* Manage the data encryption key (DEK) outside the Google Cloud boundary.
* Maintain full control of encryption keys through a third-party provider.
* Encrypt the sensitive data before uploading it to Cloud Storage.
* Decrypt the sensitive data during processing in the Compute Engine VMs.
* Encrypt the sensitive data in memory while in use in the Compute Engine VMs.
What should you do?
Choose 2 answers
A. Create a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets.
B. Configure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.
C. Configure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage and decrypt the sensitive data after it is downloaded into your VMs.
D. Migrate the Compute Engine VMs to Confidential VMs to access the sensitive data.
E. Create Confidential VMs to access the sensitive data.
Correct answer: C, E
Question 5:
A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).
How should the team complete this task?
A. Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
B. Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
C. Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
D. Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.
Correct answer: A
Question 6:
You need to set up two network segments: one with an untrusted subnet and the other with a trusted subnet.
You want to configure a virtual appliance such as a next-generation firewall (NGFW) to inspect all traffic between the two network segments. How should you design the network to inspect the traffic?
A. 1. Set up two VPC networks: one trusted and the other untrusted.
2. Configure a virtual appliance using multiple network interfaces, with each interface connected to one of the VPC networks.
B. 1. Set up one VPC with two subnets: one trusted and the other untrusted.
2. Configure a custom route for all RFC1918 subnets pointed to the virtual appliance.
C. 1. Set up one VPC with two subnets: one trusted and the other untrusted.
2. Configure a custom route for all traffic (0.0.0.0/0) pointed to the virtual appliance.
D. 1. Set up two VPC networks: one trusted and the other untrusted, and peer them together.
2. Configure a custom route on each network pointed to the virtual appliance.
Correct answer: A
Question 7:
Your team wants to limit users with administrative privileges at the organization level.
Which two roles should your team restrict? (Choose two.)
A. Organization Administrator
B. Organization Role Viewer
C. GKE Cluster Admin
D. Super Admin
E. Compute Admin
Correct answer: A, D
Nanasawa** -
Amazing.
The Pass4Test question bank was a great help. I passed the actual Professional-Cloud-Security-Engineer exam.