Professional Cloud Security Engineer 시험 - Google실제시험문제와 답 - 50문항

Question No : 1

You need to implement an encryption at-rest strategy that reduces key management complexity for non-sensitive data and protects sensitive data while providing the flexibility of controlling the key residency and rotation schedule. FIPS 140-2 L1 compliance is required for all data types.
What should you do?

A.Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
B.Encrypt non-sensitive data and sensitive data with Cloud Key Management Service
C.Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
D.Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

정답:
Explanation:
Objective: Implement an encryption at-rest strategy that balances key management complexity and control for sensitive and non-sensitive data, ensuring FIPS 140-2 L1 compliance.
Solution: Use Google default encryption for non-sensitive data and Cloud Key Management Service (KMS) for sensitive data.
Steps:
Step 1: Store non-sensitive data using Google Cloud’s default encryption, which automatically encrypts data at rest without additional configuration.
Step 2: For sensitive data, use Cloud KMS to create and manage encryption keys.
Step 3: Configure key rotation policies for the keys managed by Cloud KMS to meet compliance requirements.
Step 4: Ensure that all data encryption keys used by Cloud KMS comply with FIPS 140-2 Level 1 standards.
By using Google default encryption for non-sensitive data and Cloud KMS for sensitive data, you can manage encryption efficiently while maintaining control over key residency and rotation for sensitive data.
Reference:
Google Cloud Default Encryption
Cloud Key Management Service
FIPS 140-2 Compliance

Question No : 2

You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine.
Which option should you recommend?

A.Cloud Key Management Service
B.Compute Engine guest attributes
C.Compute Engine custom metadata
D.Secret Manager

정답:
Explanation:
Objective: Store and retrieve sensitive configuration data for an application running on Compute Engine.
Solution: Use Secret Manager to securely store and manage access to sensitive configuration data.
Steps:
Step 1: Open the Google Cloud Console.
Step 2: Navigate to the Secret Manager section.
Step 3: Create a new secret and add the sensitive configuration data.
Step 4: Set appropriate IAM policies to control access to the secret.
Step 5: Update the application to retrieve the secret from Secret Manager using the appropriate client libraries or APIs.
Secret Manager provides a secure and centralized way to manage sensitive information, with fine-grained access control and audit logging capabilities.
Reference:
Secret Manager Documentation
Storing and Accessing Secrets

Question No : 3

You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced.
What service should you use?

A.Google Cloud Armor's preconfigured rules in preview mode
B.Prepopulated VPC firewall rules in monitor mode
C.The inherent protections of Google Front End (GFE)
D.Cloud Load Balancing firewall rules
E.VPC Service Controls in dry run mode

정답:
Explanation:
Objective: Implement external web application protection and validate policy changes before enforcement.
Solution: Use Google Cloud Armor's preconfigured rules in preview mode.
Steps:
Step 1: Open the Google Cloud Console.
Step 2: Navigate to the Google Cloud Armor section.
Step 3: Create or select a security policy.
Step 4: Apply preconfigured rules to the policy.
Step 5: Enable preview mode to simulate the effects of the rules without enforcing them.
Step 6: Monitor the logs to validate the policy changes.
Google Cloud Armor's preview mode allows you to test and validate the impact of security policies on your application traffic before applying them, ensuring that they work as intended without disrupting the service.
Reference:
Google Cloud Armor Documentation
Using Preview Mode

Question No : 4

Your organization has implemented synchronization and SAML federation between Cloud Identity and Microsoft Active Directory. You want to reduce the risk of Google Cloud user accounts being compromised.
What should you do?

A.Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with security keys in the Google Admin console.
B.Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with verification codes via text or phone call in the Google Admin console.
C.Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with security keys in the Google Admin console.
D.Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with verification codes via text or phone call in the Google Admin console.

정답:
Explanation:
Objective: Reduce the risk of Google Cloud user accounts being compromised.
Solution: Implement strong password policies and post-SSO 2-Step Verification using security keys.
Steps:
Step 1: In Active Directory, configure a domain password policy with strong settings (e.g., complexity, length, expiration).
Step 2: In the Google Admin console, navigate to the Security settings.
Step 3: Enable 2-Step Verification and configure it to use security keys for post-SSO verification.
Step 4: Ensure all users enroll in the 2-Step Verification with security keys.
Using strong password policies in Active Directory along with security keys for 2-Step Verification post-SSO provides enhanced security against account compromises.
Reference:
Active Directory Password Policies
Google Admin Console 2-Step Verification

Question No : 5

You are the project owner for a regulated workload that runs in a project you own and manage as an Identity and Access Management (IAM) admin. For an upcoming audit, you need to provide access reviews evidence.
Which tool should you use?

A.Policy Troubleshooter
B.Policy Analyzer
C.IAM Recommender
D.Policy Simulator

정답:
Explanation:
Objective: Provide evidence of access reviews for an upcoming audit.
Solution: Use Policy Analyzer to review and report on IAM policies.
Steps:
Step 1: Open the Google Cloud Console.
Step 2: Navigate to the Policy Analyzer tool.
Step 3: Select the project for which you need to review access policies.
Step 4: Use the tool to generate reports on IAM roles and permissions.
Step 5: Export the reports as evidence for the audit.
Policy Analyzer provides detailed insights into IAM policies, helping you to review access configurations and generate necessary reports for compliance and auditing purposes.
Reference:
Policy Analyzer Documentation

Question No : 6

You are a Security Administrator at your organization. You need to restrict service account creation capability within production environments. You want to accomplish this centrally across the organization.
What should you do?

A.Use Identity and Access Management (IAM) to restrict access of all users and service accounts that have access to the production environment.
B.Use organization policy constraints/iam.disableServiceAccountKeyCreation boolean to disable the creation of new service accounts.
C.Use organization policy constraints/iam.disableServiceAccountKeyUpload boolean to disable the creation of new service accounts.
D.Use organization policy constraints/iam.disableServiceAccountCreation boolean to disable the creation of new service accounts.

정답:
Explanation:
Reference: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts
You can use the iam.disableServiceAccountCreation boolean constraint to disable the creation of new service accounts. This allows you to centralize management of service accounts while not restricting the other permissions your developers have on projects. https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_creation

Question No : 7

You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to-know basis to the HR team.
What should you do?

A.Perform data masking with the DLP API and store that data in BigQuery for later use.
B.Perform data redaction with the DLP API and store that data in BigQuery for later use.
C.Perform data inspection with the DLP API and store that data in BigQuery for later use.
D.Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.

정답:
Explanation:
Pseudonymization is a de-identification technique that replaces sensitive data values with cryptographically generated tokens. Pseudonymization is widely used in industries like finance and healthcare to help reduce the risk of data in use, narrow compliance scope, and minimize the exposure of sensitive data to systems while preserving data utility and accuracy. https://cloud.google.com/dlp/docs/pseudonymization

Question No : 8

You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be readable from Project B. You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials.
What should you do?

A.Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.
B.Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.
C.Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.
D.Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.

정답:
Explanation:
Objective: Ensure that a Cloud Storage bucket in Project A can only be readable from Project B and prevent data access or copying to Cloud Storage buckets outside the network, even with correct credentials.
Solution: Use VPC Service Controls to create a security perimeter.
Steps:
Step 1: Open the Google Cloud Console.
Step 2: Navigate to the VPC Service Controls page.
Step 3: Create a new service perimeter.
Step 4: Add Project A and Project B to the service perimeter.
Step 5: Include Cloud Storage service in the perimeter configuration.
Step 6: Define access levels to ensure that only resources within the perimeter can access the Cloud Storage bucket.
By setting up a VPC Service Controls perimeter, you can enforce security boundaries that restrict data access and movement to within defined projects, providing an extra layer of protection beyond IAM permissions.
Reference:
VPC Service Controls Overview
Configuring VPC Service Controls

Question No : 9

You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.
How should you prevent and fix this vulnerability?

A.Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.
B.Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.
C.Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
D.Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

정답:
Explanation:
There is mention about simulating in Web Security Scanner. "Web Security Scanner cross-site scripting (XSS) injection testing *simulates* an injection attack by inserting a benign test string into user-editable fields and then performing various user actions." https://cloud.google.com/security-command-center/docs/how-to-remediate-web-security-scanner-findings#xss
Reference: https://cloud.google.com/security-scanner/docs/remediate-findings

Question No : 10

You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources. Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts.
Which two actions should you take? (Choose two.)

A.Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity.
B.Use the Google Admin console to view which managed users are using a personal account for their recovery email.
C.Add users to your managed Google account and force users to change the email addresses associated with their personal accounts.
D.Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts.
E.Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.

정답:
Explanation:
To manage user accounts and ensure they comply with corporate policies, using Google Cloud Directory Sync (GCDS) allows synchronization between your local identity system and Cloud Identity. The Transfer Tool for Unmanaged Users (TTUU) helps identify and manage conflicting accounts by allowing users to transfer their personal accounts to managed accounts.
Steps:
Synchronize Identities: Use GCDS to sync users from your local identity management system to Cloud Identity, ensuring that all corporate user accounts are managed.
Identify Conflicting Accounts: Use TTUU to find users who have personal Google accounts using corporate email addresses.
Manage Conflicting Accounts: Request users to transfer their personal accounts to managed accounts using TTUU, ensuring all accounts are under corporate control.
Reference:
Google Cloud Directory Sync
Transfer Tool for Unmanaged Users

Question No : 11

You are the security admin of your company. Your development team creates multiple GCP projects under the "implementation" folder for several dev, staging, and production workloads. You want to prevent data exfiltration by malicious insiders or compromised code by setting up a security perimeter. However, you do not want to restrict communication between the projects.
What should you do?

A.Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.
B.Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.
C.Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.
D.Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.

정답:
Explanation:
Setting up separate service perimeters for dev, staging, and prod environments allows for more granular control and monitoring. Automating the addition of new projects to the respective perimeters ensures that all projects are consistently secured without manual intervention.
Steps:
Set Up Service Perimeters: Use Access Context Manager to define and configure three separate service perimeters for dev, staging, and prod.
Deploy Monitoring Function: Create a Cloud Function that monitors the "implementation" folder for new projects using Stackdriver (Cloud Monitoring) and Cloud Pub/Sub.
Automate Perimeter Updates: Configure the Cloud Function to execute Terraform scripts that automatically add new projects to the appropriate service perimeter.
Reference:
Google Cloud: Access Context Manager
Service perimeter automation

Question No : 12

You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.
What should you do?

A.Set up an ACL with OWNER permission to a scope of allUsers.
B.Set up an ACL with READER permission to a scope of allUsers.
C.Set up a default bucket ACL and manage access for users using IA
D.Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IA

정답:
Explanation:
Uniform bucket-level access allows you to manage permissions at the bucket level, rather than at the
object level. This simplifies permission management and ensures that access to objects is controlled consistently via IAM roles, without allowing uploaders full control over the objects.
Steps:
Enable Uniform Bucket-Level Access: In the Google Cloud Console, enable uniform bucket-level access for the Cloud Storage bucket.
Configure IAM Policies: Assign appropriate IAM roles to users and groups to control access to the bucket.
Audit Logging: Enable Cloud Audit Logs to track access and modifications to the bucket.
Reference:
Google Cloud: Uniform bucket-level access
Managing access with IAM

Question No : 13

Your company operates an application instance group that is currently deployed behind a Google Cloud load balancer in us-central-1 and is configured to use the Standard Tier network. The infrastructure team wants to expand to a second Google Cloud region, us-east-2. You need to set up a single external IP address to distribute new requests to the instance groups in both regions.
What should you do?

A.Change the load balancer backend configuration to use network endpoint groups instead of instance groups.
B.Change the load balancer frontend configuration to use the Premium Tier network, and add the new instance group.
C.Create a new load balancer in us-east-2 using the Standard Tier network, and assign a static external IP address.
D.Create a Cloud VPN connection between the two regions, and enable Google Private Access.

정답:
Explanation:
The Standard Tier network only provides regional load balancing, while the Premium Tier supports global load balancing with a single anycast IP address. To distribute requests across multiple regions, you need to use the Premium Tier and update the load balancer configuration accordingly.
Steps:
Upgrade to Premium Tier: Update the load balancer to use the Premium Tier network in the Google Cloud Console.
Add New Instance Group: Add the instance group in the new region (us-east-2) to the backend configuration of the existing load balancer.
Verify Configuration: Ensure that the frontend configuration of the load balancer uses a single
external IP address for global distribution.
Reference:
Google Cloud: Global load balancing

Question No : 14

You have an application where the frontend is deployed on a managed instance group in subnet A and the data layer is stored on a mysql Compute Engine virtual machine (VM) in subnet B on the same VPC. Subnet A and Subnet B hold several other Compute Engine VMs. You only want to allow thee application frontend to access the data in the application's mysql instance on port 3306.
What should you do?

A.Configure an ingress firewall rule that allows communication from the src IP range of subnet A to the tag "data-tag" that is applied to the mysql Compute Engine VM on port 3306.
B.Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306.
C.Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet
D.Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged fe-tag.
E.Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet
F.Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.

정답:
Explanation:
To restrict access to the MySQL instance to only the frontend application while other VMs are present in the subnets, creating an ingress firewall rule is the most appropriate approach. This rule will specifically allow traffic from subnet A (where the frontend application resides) to the MySQL instance in subnet B on port 3306, using network tags to target the specific MySQL VM.
Steps:
Create Network Tags: Apply a network tag (e.g., "data-tag") to the MySQL VM in subnet B.
Create Ingress Firewall Rule: Configure an ingress firewall rule with the following settings:
Source IP Range: Subnet A's IP range.
Target Tag: "data-tag".
Allowed Protocol/Ports: TCP:3306 (for MySQL).
This setup ensures that only instances in subnet A can communicate with the MySQL instance on port 3306.
Reference:
Google Cloud: Configuring firewall rules

Question No : 15

You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account.
What should you do?

A.Query Data Access logs.
B.Query Admin Activity logs.
C.Query Access Transparency logs.
D.Query Stackdriver Monitoring Workspace.

정답:
Explanation:
Admin activity logs are always created to log entries for API calls or other actions that modify the configuration or metadata of resources. For example, these logs record when users create VM instances or change Identity and Access Management permissions.
Reference: https://cloud.google.com/iam/docs/audit-logging/examples-service-accounts

Google Professional Cloud Security Engineer 시험