최신Google Cloud Certified - Professional Cloud Security Engineer - Professional-Cloud-Security-Engineer무료샘플문제

A. Configure IAM permissions on individual Model Garden to restrict access to specific models.

B. Regularly audit user activity logs in Vertex AI to identify and revoke access to unapproved models.

C. Train custom models within your Vertex AI project and restrict user access to these models.

D. Implement an organization policy that restricts the vertexai.allowedModels constraint.

A. * 1 Use secure hardened images from the Google Cloud Marketplace* 2 When deploying the images activate the Confidential Computing option* 3 Enforce the use of the correct images and Confidential Computing by using organization policies

B. * 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring* 2 Create a Cloud Run function to check for the VM settings generate metrics and run the function regularly

C. * 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring* 2 Activate Confidential Computing* 3 Enforce these actions by using organization policies

D. * 1 Activate Virtual Machine Threat Detection in Security Command Center (SCO Premium* 2 Monitor the findings in SCC

A. Organization Policy Administrator

B. Organization Role Administrator

C. Organization Administrator

D. Security Reviewer

A. Use public container images as a base image for the app.

B. Package a single app as a container.

C. Ensure that the app does not run as PID 1.

D. Use many container image layers to hide sensitive information.

E. Remove any unnecessary tools not needed by the app.

A. Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.

B. Remove the Editor role and grant the Compute Admin IAM role to the engineers.

C. Set up a VPC network with two subnets: one with public IPs and one without public IPs.

D. Enable Private Access on the VPC network in the production project.

A. Use Google Cloud Directory Sync to convert the unmanaged user accounts.

B. Configure single sign-on using a customer's third-party provider.

C. Use the transfer tool for unmanaged user accounts.

D. Create a new managed user account for each consumer user account.

A. Cloud Identity

B. Pub/Sub

C. Google Cloud Directory Sync (GCDS)

D. Security Assertion Markup Language (SAML)

A. * 1 Create service accounts for each deployment pipeline* 2 Generate private keys for the service accounts* 3 Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deploy pipeline

B. * 1 Create two service accounts one for the infrastructure and one for the application deployment* 2 Use workload identities to let the pods run the two pipelines and authenticate with the service accounts* 3 Run the infrastructure and application pipelines in separate namespaces

C. * 1 Create individual service accounts (or each deployment pipeline* 2 Add an identifier for the pipeline in the service account naming convention* 3 Ensure each pipeline runs on dedicated pods* 4 Use workload identity to map a deployment pipeline pod with a service account

D. * 1 Create a dedicated service account for the CI/CD pipelines* 2 Run the deployment pipelines in a dedicated nodes pool in the GKE cluster* 3 Use the service account that you created as identity for the nodes in the pool to authenticate to the Google Cloud APIs

A. Generate a key in your on-premises environment and store it in a Hardware Security Module (HSM) that is managed on-premises Use this key as an external key in the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and set the external key system to reject unauthorized accesses.

B. Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys backed by a Cloud Hardware Security Module (HSM). Enable data access logs.

C. Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys. Configure an 1AM deny policy for unauthorized groups

D. Generate a key in your on-premises environment to encrypt the data before you upload the data to the Cloud Storage bucket Upload the key to the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and have the external key system reject unauthorized accesses.

A. Create an Organizational Policy constraint for each folder environment.

B. Create a project with multiple VPC networks for each environment.

C. Create projects for each environment, and grant IAM rights to each engineering user.

D. Create a Google Group for the Engineering team, and assign permissions at the folder level.

E. Create a folder for each development and production environment.

A. Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.

B. Set up a default bucket ACL and manage access for users using IAM.

C. Set up an ACL with OWNER permission to a scope of allUsers.

D. Set up an ACL with READER permission to a scope of allUsers.

A. Create Cloud Storage buckets with object versioning enabled, and use IAM policies to restrict access to the data. Use Data Loss Prevention API (DLP API) on the buckets to scan for sensitive data and generate detection alerts.9

B. Configure Sensitive Data Protection to scan the database for PII using both predefined and custom infoTypes and to mask sensitive data.8

C. Use Cloud KMS to encrypt the database at rest with a customer-managed encryption key (CMEK).
Implement VPC Service Controls.

D. Implement Cloud Armor to protect the database from external threats and configure firewall rules to restrict network access to only authorized internal IP addresses.