Professional-Cloud-Security-Engineer 무료 덤프문제 온라인 액세스

A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?

• A.On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.
• B.Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.
• C.Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.
• D.On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.

A customer deployed an application on Compute Engine that takes advantage of the elastic nature of cloud computing.
How can you work with Infrastructure Operations Engineers to best ensure that Windows Compute Engine VMs are up to date with all the latest OS patches?

• A.Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.
• B.Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.
• C.Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.
• D.Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).

You are the security admin of your company. Your development team creates multiple GCP projects under the "implementation" folder for several dev, staging, and production workloads. You want to prevent data exfiltration by malicious insiders or compromised code by setting up a security perimeter. However, you do not want to restrict communication between the projects.
What should you do?

• A.Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.
• B.Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.
• C.Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.
• D.Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.

You need to use Cloud External Key Manager to create an encryption key to encrypt specific BigQuery data at rest in Google Cloud. Which steps should you do first?

• A.1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).
  2. In Cloud KMS, grant your Google Cloud project access to use the key.
• B.1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system.
  2. In the external key management partner system, grant access for this key to use your Google Cloud project.
• C.1. Create or use an existing key with a unique uniform resource identifier (URI) in your Google Cloud project.
  2. Grant your Google Cloud project access to a supported external key management partner system.
• D.1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).
  2. In Cloud KMS, grant your Google Cloud project access to use the key.

You have an application where the frontend is deployed on a managed instance group in subnet A and the data layer is stored on a mysql Compute Engine virtual machine (VM) in subnet B on the same VPC. Subnet A and Subnet B hold several other Compute Engine VMs. You only want to allow thee application frontend to access the data in the application's mysql instance on port 3306.
What should you do?

• A.Configure an ingress firewall rule that allows communication from the src IP range of subnet A to the tag "data-tag" that is applied to the mysql Compute Engine VM on port 3306.
• B.Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged fe-tag.
• C.Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.
• D.Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306.