Professional-Cloud-Security-Engineer 試験問題を無料オンラインアクセス

Your organization is transitioning to Google Cloud You want to ensure that only trusted container images are deployed on Google Kubernetes Engine (GKE) clusters in a project. The containers must be deployed from a centrally managed. Container Registry and signed by a trusted authority.
What should you do?
Choose 2 answers

• A.Create a custom organization policy constraint to enforce Binary Authorization for Google Kubernetes Engine (GKE).
• B.Configure the trusted image organization policy constraint for the project.
• C.Enable Container Threat Detection in the Security Command Center (SCC) for the project.
• D.Enable Pod Security standards and set them to Restricted.
• E.Configure the Binary Authorization policy with respective attestations for the project.

Your organization is rolling out a new continuous integration and delivery (CI/CD) process to deploy infrastructure and applications in Google Cloud Many teams will use their own instances of the CI/CD workflow It will run on Google Kubernetes Engine (GKE) The CI/CD pipelines must be designed to securely access Google Cloud APIs What should you do?

• A.* 1 Create a dedicated service account for the CI/CD pipelines* 2 Run the deployment pipelines in a dedicated nodes pool in the GKE cluster* 3 Use the service account that you created as identity for the nodes in the pool to authenticate to the Google Cloud APIs
• B.* 1 Create service accounts for each deployment pipeline* 2 Generate private keys for the service accounts* 3 Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deploy pipeline
• C.* 1 Create two service accounts one for the infrastructure and one for the application deployment* 2 Use workload identities to let the pods run the two pipelines and authenticate with the service accounts* 3 Run the infrastructure and application pipelines in separate namespaces
• D.* 1 Create individual service accounts (or each deployment pipeline* 2 Add an identifier for the pipeline in the service account naming convention* 3 Ensure each pipeline runs on dedicated pods* 4 Use workload identity to map a deployment pipeline pod with a service account

Your organization recently activated the Security Command Center {SCO standard tier. There are a few Cloud Storage buckets that were accidentally made accessible to the public. You need to investigate the impact of the incident and remediate it.
What should you do?

• A.* 1 Change bucket permissions to limit access* 2 Query the data access audit logs for any unauthorized access to the buckets* 3 After the misconfiguration is corrected mute the finding in the Security Command Center
• B.* 1 Change permissions to limit access for authorized users* 2 Enforce a VPC Service Controls perimeter around all the production projects to immediately stop any unauthorized access* 3 Review the administrator activity audit logs to report on any unauthorized access
• C.* 1 Remove the Identity and Access Management (IAM) granting access to allusers from the buckets* 2 Apply the organization policy storage. unifromBucketLevelAccess to prevent regressions* 3 Query the data access logs to report on unauthorized access
• D.* 1 Change the bucket permissions to limit access* 2 Query the buckets usage logs to report on unauthorized access to the data* 3 Enforce the organization policy storage.publicAccessPrevention to avoid regressions

You are working with a client that is concerned about control of their encryption keys for sensitive data. The client does not want to store encryption keys at rest in the same cloud service provider (CSP) as the data that the keys are encrypting. Which Google Cloud encryption solutions should you recommend to this client?
(Choose two.)

• A.Google default encryption
• B.Customer-supplied encryption keys.
• C.Customer-managed encryption keys
• D.Secret Manager
• E.Cloud External Key Manager

What is the most effective way to automatically scan environment variables in Cloud Functions for sensitive data and create security findings?

• A.Implement a Cloud Function that scans the environment variables multiple times a day. and creates a finding in Security Command Center if secrets are discovered.
• B.Use Sensitive Data Protection to scan the environment variables multiple times per day. and create a finding in Security Command Center if secrets are discovered.
• C.Implement regular peer reviews to assess the environment variables and identify secrets in your Cloud Functions. Raise a security incident if secrets are discovered.
• D.Integrate dynamic application security testing into the CI/CD pipeline that scans the application code for the Cloud Functions. Fail the build process if secrets are discovered.