
Google Professional Cloud Security Engineer Exam

Google Cloud Certified - Professional Cloud Security Engineer Online Practice

Last updated: June 4, 2026

Working through the online practice questions lets you gauge how well you know the Google Professional Cloud Security Engineer exam material before deciding whether to register for the exam.

To pass the exam and save 35% of your preparation time, use the Professional Cloud Security Engineer dump (latest real exam questions), which currently contains the 50 most recent exam questions with answers.


Question No : 1


You need to enable VPC Service Controls and allow changes to perimeters in existing environments without preventing access to resources.
Which VPC Service Controls mode should you use?

Answer: Dry run mode
Explanation:
Reference: https://cloud.google.com/vpc-service-controls/docs/service-perimeters
In dry run mode, requests that violate the perimeter policy are logged but not denied. Use it to test a new or changed perimeter configuration and to monitor which services and resources are being accessed across the boundary, without blocking access to resources; once the violation logs show no legitimate traffic being caught, move the configuration to enforced mode. https://cloud.google.com/vpc-service-controls/docs/dry-run-mode

Question No : 2


You are a member of your company's security team. You have been asked to reduce your Linux bastion host external attack surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can access the internal VPC while off-site.
How should you enable this access?

Answer:

Question No : 3


You need to set up two network segments: one with an untrusted subnet and the other with a trusted subnet. You want to configure a virtual appliance such as a next-generation firewall (NGFW) to inspect all traffic between the two network segments.
How should you design the network to inspect the traffic?

Answer: Deploy the NGFW as a multi-NIC virtual appliance with one network interface in the untrusted VPC network and one in the trusted VPC network, and route traffic between the two segments through the appliance.
Explanation:
Multiple network interfaces. The simplest way to connect multiple VPC networks through a virtual appliance is by using multiple network interfaces, with each interface connecting to one of the VPC networks. Internet and on-premises connectivity is provided over one or two separate network interfaces. With many NGFW products, internet connectivity is connected through an interface marked as untrusted in the NGFW software.
https://cloud.google.com/architecture/best-practices-vpc-design#l7
This architecture has multiple VPC networks that are bridged by an L7 next-generation firewall (NGFW) appliance, which functions as a multi-NIC bridge between VPC networks. An untrusted, outside VPC network is introduced to terminate hybrid interconnects and internet-based connections that terminate on the outside leg of the L7 NGFW for inspection. There are many variations on this design, but the key principle is to filter traffic through the firewall before the traffic reaches trusted VPC networks.

Question No : 4


You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party.
What should you do?

Answer: Apply the iam.disableServiceAccountKeyCreation organization policy constraint so no user-managed service account keys can be created.
Explanation:
Disable service account key creation. The iam.disableServiceAccountKeyCreation boolean constraint of the Organization Policy Service blocks the creation of new user-managed (external) service account keys in the projects it applies to, which removes long-lived, unmanaged credentials from the environment. Pair it with an attached service account on the CI/CD cluster's Compute Engine VMs: the pipeline then obtains short-lived access tokens from the metadata server, so there is no key file on disk or in a pipeline secret for a third party to steal. https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#example_policy_boolean_constraint

Question No : 5


You are exporting application logs to Cloud Storage. You encounter an error message that the log sinks don't support uniform bucket-level access policies.
How should you resolve this error?

Answer: Use a Cloud Storage bucket with the fine-grained access control model (for an existing bucket, switch the model within 90 days of creation; otherwise create a new bucket with fine-grained access).
Explanation:
https://cloud.google.com/logging/docs/export/troubleshoot#errors_exporting_to_cloud_storage
https://cloud.google.com/logging/docs/export/troubleshoot
Unable to grant correct permissions to the destination: even if the sink was created with the correct service account permissions, this error appears when the Cloud Storage bucket was created with the uniform bucket-level access model. For an existing bucket, the access control model can be switched back to fine-grained from the bucket's Permissions tab during the first 90 days after creation; after that window, create a new bucket with the Fine-grained access control model and point the sink at it. (Newer Logging documentation notes that a sink can also write to a uniform-access bucket if the sink's writer identity is granted roles/storage.objectCreator on the bucket, but the exam's expected answer is the fine-grained model.) For details, see Creating Cloud Storage buckets.

Question No : 6


The security operations team needs access to the security-related logs for all projects in their organization.
They have the following requirements:
Follow the least privilege model by having only view access to logs.
Have access to Admin Activity logs.
Have access to Data Access logs.
Have access to Access Transparency logs.
Which Identity and Access Management (IAM) role should the security operations team be granted?

Answer: roles/logging.privateLogViewer (Private Logs Viewer)
Explanation:
https://cloud.google.com/logging/docs/access-control#considerations
roles/logging.privateLogViewer (Private Logs Viewer) includes all the permissions of roles/logging.viewer (Logs Viewer), which already covers Admin Activity audit logs, plus the ability to read the private logs: Data Access audit logs in the _Default bucket and Access Transparency logs. It is read-only, so it satisfies the least-privilege requirement, and granting it at the organization level gives the team view access across every project. Broader roles such as roles/logging.admin or project-level roles/viewer carry permissions the team does not need.

Question No : 7


You recently joined the networking team supporting your company's Google Cloud implementation. You are tasked with familiarizing yourself with the firewall rules configuration and providing recommendations based on your networking and Google Cloud experience.
What product should you recommend to detect firewall rules that are overlapped by attributes from other firewall rules with higher or equal priority?

Answer: Firewall Insights (part of Network Intelligence Center)
Explanation:
https://cloud.google.com/network-intelligence-center/docs/firewall-insights/concepts/overview#shadowed-firewall-rules
Firewall Insights analyzes your firewall rules to detect firewall rules that are shadowed by other rules. A shadowed rule is a firewall rule that has all of its relevant attributes, such as its IP address and port ranges, overlapped by attributes from one or more rules with higher or equal priority, called shadowing rules.
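The check Firewall Insights performs can be reproduced for a rule set you export yourself. The following is an added example written for this page, not Firewall Insights' own implementation: it flags an ingress or egress rule as shadowed when one other rule of higher or equal priority (lower number) covers all of its address ranges, protocols and ports, and target tags, regardless of whether the two rules allow or deny. It simplifies the real feature in three ways that are stated here as assumptions: rules are assumed to belong to a single VPC network, targets are modelled only as network tags (no target service accounts or source tags), and only single-rule shadowing is detected, whereas Firewall Insights also reports a rule shadowed by the combination of several rules. The rule names and addresses are constructed for the example.

```python
"""Detect shadowed VPC firewall rules: a rule whose traffic is entirely matched
by one other rule of higher or equal priority (lower number wins), regardless of action."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]          # inclusive (low, high)
ALL_PORTS: PortRange = (0, 65535)


@dataclass
class FirewallRule:
    name: str
    priority: int                                  # 0..65535, lower number = higher priority
    direction: str                                 # "INGRESS" or "EGRESS"
    action: str                                    # "allow" or "deny"; does not affect shadowing
    ranges: Tuple[str, ...]                        # source ranges (ingress) or destination ranges (egress)
    protocols: Dict[str, Tuple[PortRange, ...]]    # {"tcp": ((22, 22),)}; () = all ports; key "all" = any protocol
    target_tags: Optional[frozenset] = None        # None = applies to every instance in the network


def cidr_covered(cidr: str, covering: Tuple[str, ...]) -> bool:
    """True if `cidr` lies entirely inside at least one CIDR of `covering` (same IP version)."""
    net = ipaddress.ip_network(cidr, strict=False)
    for other in covering:
        big = ipaddress.ip_network(other, strict=False)
        if big.version == net.version and net.subnet_of(big):
            return True
    return False


def ports_covered(needed: PortRange, have: Tuple[PortRange, ...]) -> bool:
    """True if the union of the `have` ranges covers every port of `needed`."""
    lo, hi = needed
    cursor = lo                       # first port not yet shown to be covered
    for a, b in sorted(have):
        if a > cursor:                # gap before the next range: an uncovered port
            return False
        if b >= cursor:
            cursor = b + 1
        if cursor > hi:
            return True
    return cursor > hi


def protocol_covered(proto: str, ports: Tuple[PortRange, ...],
                     other: Dict[str, Tuple[PortRange, ...]]) -> bool:
    if "all" in other:
        return True
    if proto not in other:            # includes proto == "all" when the other rule is protocol-specific
        return False
    if proto not in ("tcp", "udp", "sctp"):   # icmp, esp, ah, ...: nothing port-level to compare
        return True
    have = other[proto] or (ALL_PORTS,)
    need = ports or (ALL_PORTS,)
    return all(ports_covered(r, have) for r in need)


def targets_covered(rule: FirewallRule, other: FirewallRule) -> bool:
    if other.target_tags is None:     # the other rule applies to every instance
        return True
    if rule.target_tags is None:      # this rule hits instances the other never matches
        return False
    return rule.target_tags <= other.target_tags


def shadowed_by(rule: FirewallRule, other: FirewallRule) -> bool:
    return (other is not rule
            and other.direction == rule.direction
            and other.priority <= rule.priority
            and all(cidr_covered(c, other.ranges) for c in rule.ranges)
            and all(protocol_covered(p, ports, other.protocols) for p, ports in rule.protocols.items())
            and targets_covered(rule, other))


def find_shadowed(rules: List[FirewallRule]) -> Dict[str, List[str]]:
    """Map each shadowed rule name to the sorted names of the rules that shadow it."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        shadowers = sorted(o.name for o in rules if shadowed_by(rule, o))
        if shadowers:
            report[rule.name] = shadowers
    return report


# Constructed sample rule set (hypothetical names and addresses, one VPC network).
SAMPLE_RULES = [
    FirewallRule("deny-all-ssh", 100, "INGRESS", "deny", ("0.0.0.0/0",), {"tcp": ((22, 22),)}),
    FirewallRule("allow-internal", 500, "INGRESS", "allow", ("10.0.0.0/8",), {"all": ()}),
    FirewallRule("allow-internal-dns", 900, "INGRESS", "allow", ("10.128.0.0/20",),
                 {"udp": ((53, 53),)}, frozenset({"dns"})),
    FirewallRule("allow-web", 1000, "INGRESS", "allow", ("0.0.0.0/0",),
                 {"tcp": ((80, 80), (443, 443))}, frozenset({"web"})),
    FirewallRule("allow-https-web", 1000, "INGRESS", "allow", ("0.0.0.0/0",),
                 {"tcp": ((443, 443),)}, frozenset({"web"})),
    FirewallRule("allow-ssh-from-corp", 1000, "INGRESS", "allow", ("203.0.113.0/24",),
                 {"tcp": ((22, 22),)}, frozenset({"bastion"})),
]

if __name__ == "__main__":
    for name, by in find_shadowed(SAMPLE_RULES).items():
        print(f"{name} is shadowed by {', '.join(by)}")
```

The sample reproduces the two cases the question describes: allow-ssh-from-corp is shadowed by the higher-priority deny-all-ssh (the SRE allow rule can never match), and allow-https-web is shadowed by allow-web at equal priority. A shadowed allow rule is dead configuration, but a shadowed deny rule is the dangerous case, since an administrator may believe traffic is blocked when a broader allow with a lower number is matching first.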

Question No : 8


You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter.
What should you do?

Answer:

Question No : 9


Run GCDS after user and group lifecycle changes.

Answer: A

Question No : 10


Your company requires the security and network engineering teams to identify all network anomalies within and across VPCs, internal traffic from VMs to VMs, traffic between end locations on the internet and VMs, and traffic between VMs to Google Cloud services in production.
Which method should you use?

Answer:

Question No : 11


Your Security team believes that a former employee of your company gained unauthorized access to Google Cloud resources some time in the past 2 months by using a service account key. You need to confirm the unauthorized access and determine the user activity.
What should you do?

Answer:
Explanation:
Every request authenticated with a service account key is recorded in Cloud Audit Logs. The protoPayload.authenticationInfo field of an Admin Activity or Data Access audit log entry carries the service account's principalEmail and, when a user-managed key was used, the serviceAccountKeyName of that key; requestMetadata.callerIp, methodName and resourceName record where the call came from and what it touched. To confirm the unauthorized access and reconstruct the activity, query the organization's audit logs in Logs Explorer for the suspect service account or key name over the past 2 months and review each entry's timestamp, method, resource and caller IP.
Two caveats apply to the 2-month window. Admin Activity audit logs are always enabled and are kept for 400 days in the _Required bucket, so control-plane actions will be there. Data Access audit logs exist only for the services where they had been enabled (BigQuery enables them by default) and are kept for 30 days in the _Default bucket unless the retention period was extended, so the older part of the window may have no record of reads and writes.
Once the access is confirmed, disable or delete the key, rotate any other keys the former employee could have held, and review what the service account was able to reach.
Reference: https://cloud.google.com/logging/docs/audit
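The same investigation can be run over exported audit log entries, for example after pulling them from a log sink with the Logs Explorer filter shown at the end. The block below is an added example written for this page, not Google's code: it parses newline-delimited JSON audit log entries, lists which user-managed keys authenticated a service account within a window, and builds a timeline for one suspect key. The project name, service account, key IDs, IP addresses and timestamps are all constructed for the example, and "today" is pinned to a fixed date so the 2-month window is reproducible.

```python
"""Reconstruct what a (possibly stolen) service account key was used for from
Cloud Audit Log entries. Entries authenticated with a user-managed key carry
protoPayload.authenticationInfo.serviceAccountKeyName; token-based auth
(attached service account, impersonation) does not."""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Hypothetical project, service account and key names used throughout the example.
PROJECT = "my-project"
SA_EMAIL = f"deploy-sa@{PROJECT}.iam.gserviceaccount.com"
SA_RESOURCE = f"//iam.googleapis.com/projects/{PROJECT}/serviceAccounts/{SA_EMAIL}"
SUSPECT_KEY = f"{SA_RESOURCE}/keys/0a1b2c3d4e"
OTHER_KEY = f"{SA_RESOURCE}/keys/f9e8d7c6b5"
ACTIVITY = f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Factivity"
DATA_ACCESS = f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Fdata_access"

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "today" so the window is deterministic
SINCE = NOW - timedelta(days=60)                   # the 2 months the question asks about

# Constructed sample entries (NDJSON, trimmed to the fields the analysis uses;
# real exported entries carry many more). Not taken from any real project.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"timestamp": "2024-05-02T10:15:00Z", "logName": ACTIVITY,
     "protoPayload": {"authenticationInfo": {"principalEmail": SA_EMAIL, "serviceAccountKeyName": SUSPECT_KEY},
                      "methodName": "v1.compute.instances.insert",
                      "resourceName": f"projects/{PROJECT}/zones/us-central1-a/instances/vm-7",
                      "requestMetadata": {"callerIp": "198.51.100.7"}}},
    {"timestamp": "2024-05-03T02:40:11Z", "logName": DATA_ACCESS,
     "protoPayload": {"authenticationInfo": {"principalEmail": SA_EMAIL, "serviceAccountKeyName": SUSPECT_KEY},
                      "methodName": "storage.objects.get",
                      "resourceName": f"projects/_/buckets/{PROJECT}-backups/objects/customers.csv",
                      "requestMetadata": {"callerIp": "198.51.100.7"}}},
    {"timestamp": "2024-05-10T08:00:00Z", "logName": ACTIVITY,     # a different key of the same SA
     "protoPayload": {"authenticationInfo": {"principalEmail": SA_EMAIL, "serviceAccountKeyName": OTHER_KEY},
                      "methodName": "v1.compute.instances.list",
                      "resourceName": f"projects/{PROJECT}/zones/us-central1-a/instances",
                      "requestMetadata": {"callerIp": "10.128.0.5"}}},
    {"timestamp": "2024-05-11T09:30:00Z", "logName": ACTIVITY,     # attached-SA auth: no key name
     "protoPayload": {"authenticationInfo": {"principalEmail": SA_EMAIL},
                      "methodName": "v1.compute.instances.get",
                      "resourceName": f"projects/{PROJECT}/zones/us-central1-a/instances/vm-7",
                      "requestMetadata": {"callerIp": "10.128.0.5"}}},
    {"timestamp": "2024-02-20T12:00:00Z", "logName": ACTIVITY,     # suspect key, but outside the window
     "protoPayload": {"authenticationInfo": {"principalEmail": SA_EMAIL, "serviceAccountKeyName": SUSPECT_KEY},
                      "methodName": "v1.compute.instances.insert",
                      "resourceName": f"projects/{PROJECT}/zones/us-central1-a/instances/vm-1",
                      "requestMetadata": {"callerIp": "203.0.113.9"}}},
])


def parse_ndjson(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(entry: dict) -> datetime:
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))


def _auth(entry: dict) -> dict:
    return entry.get("protoPayload", {}).get("authenticationInfo", {})


def keys_used_by(entries: List[dict], principal: str, since: datetime) -> Set[str]:
    """User-managed keys that authenticated `principal` since `since`; key-less entries are skipped."""
    return {_auth(e)["serviceAccountKeyName"] for e in entries
            if _auth(e).get("principalEmail") == principal
            and _auth(e).get("serviceAccountKeyName")
            and _ts(e) >= since}


def key_activity(entries: List[dict], key_name: str, since: datetime) -> List[Dict[str, str]]:
    """Chronological timeline of everything done with one key inside the window."""
    hits = []
    for e in entries:
        if _auth(e).get("serviceAccountKeyName") != key_name or _ts(e) < since:
            continue
        p = e["protoPayload"]
        hits.append({
            "timestamp": e["timestamp"],
            "log": "data_access" if e["logName"].endswith("%2Fdata_access") else "activity",
            "method": p.get("methodName", ""),
            "resource": p.get("resourceName", ""),
            "caller_ip": p.get("requestMetadata", {}).get("callerIp", ""),
        })
    return sorted(hits, key=lambda h: h["timestamp"])


def logs_explorer_filter(key_name: str, since: datetime) -> str:
    """Equivalent Logs Explorer query to run at organization scope."""
    return (f'protoPayload.authenticationInfo.serviceAccountKeyName="{key_name}"\n'
            f'AND timestamp>="{since.strftime("%Y-%m-%dT%H:%M:%SZ")}"')


if __name__ == "__main__":
    entries = parse_ndjson(SAMPLE_LOG)
    print("keys seen for", SA_EMAIL, ":", sorted(keys_used_by(entries, SA_EMAIL, SINCE)))
    for hit in key_activity(entries, SUSPECT_KEY, SINCE):
        print(hit)
    print(logs_explorer_filter(SUSPECT_KEY, SINCE))
```

In the sample, the suspect key shows up twice inside the window from the same external address, once creating a VM (Admin Activity) and once reading a backup object (Data Access), while the entry from the attached service account carries no key name and is correctly left out of the key's timeline. The key listing step matters in practice: the former employee may have held a different key than the one first suspected, and every key seen in the window needs the same review.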

Question No : 12


Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups.
Which Google Cloud service should you use?

Answer: Cloud DNS with DNSSEC enabled on the managed zone
Explanation:
Cloud DNS supports DNSSEC (Domain Name System Security Extensions), which signs the records in a managed zone so that validating resolvers can verify that a response is authentic and was not modified in transit. That is what "authenticate responses to domain name lookups" asks for. DNSSEC protects against DNS spoofing and cache poisoning; it does not absorb a volumetric DDoS attack by itself, so the DDoS history in the question is context rather than the requirement being solved.
Steps:
Enable DNSSEC on the managed zone: in the Google Cloud console, or with gcloud dns managed-zones update ZONE --dnssec-state on, turn DNSSEC on for the zone. Cloud DNS generates and manages the key-signing key (KSK) and zone-signing key (ZSK) for you; there is no manual key handling.
Publish the DS record: copy the DS record for the zone's KSK to the parent zone through your domain registrar. Until the DS record is in the parent zone, resolvers cannot build the chain of trust and the zone is signed but not validated.
Verify and monitor: query the zone from a validating resolver (for example dig +dnssec) to confirm that signed answers validate, and check the zone's DNSSEC state in the console after any key rollover.
Reference: https://cloud.google.com/dns/docs/dnssec

Question No : 13


An organization is moving applications to Google Cloud while maintaining a few mission-critical applications on-premises. The organization must transfer the data at a bandwidth of at least 50 Gbps.
What should they use to ensure secure continued connectivity between sites?

Answer: Dedicated Interconnect
Explanation:
Dedicated Interconnect provides a direct physical connection between the on-premises network and Google's network at a colocation facility. Each Dedicated Interconnect connection is delivered as one or more 10 Gbps or 100 Gbps circuits (up to 8 x 10 Gbps, that is 80 Gbps, or 2 x 100 Gbps per connection), so it meets the 50 Gbps requirement, whereas a single Cloud VPN tunnel is limited to roughly 3 Gbps. "Secure" here means the traffic stays on a private circuit instead of crossing the public internet; Dedicated Interconnect traffic is not encrypted by default. If encryption in transit is required, use HA VPN over Cloud Interconnect or MACsec for Cloud Interconnect.
Steps:
Order the Dedicated Interconnect connection: request the circuit in the Google Cloud console for a supported colocation facility and complete the LOA-CFA handoff with the facility.
Create VLAN attachments: each VLAN attachment links the Interconnect to a Cloud Router in a VPC network; use separate attachments to segment traffic between environments.
Establish BGP sessions: configure BGP between the Cloud Router and the on-premises router for dynamic route exchange, and provision redundant connections in different edge availability domains to qualify for the Interconnect SLA and for failover.
Reference: https://cloud.google.com/network-connectivity/docs/interconnect

Question No : 14


Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application.
The solution has the following requirements:
Scans must run at least once per week
Must be able to detect cross-site scripting vulnerabilities
Must be able to authenticate using Google accounts
Which solution should you use?

Answer: Web Security Scanner
Explanation:
Web Security Scanner (part of Security Command Center) crawls and tests web applications running on App Engine, Compute Engine and Google Kubernetes Engine for common vulnerabilities, including cross-site scripting (XSS). A custom scan can be set to a recurring schedule, including weekly, and can authenticate with a Google account, a non-Google account, or through Identity-Aware Proxy, so all three requirements are met.
Steps:
Enable Web Security Scanner: in the Google Cloud console, enable the Web Security Scanner API in the project that hosts the GKE application.
Configure the scan: create a scan, specify the application's starting URLs, choose Google account authentication and supply a dedicated test account with no access to production data, and set the schedule to at least weekly.
Run and monitor: run the scan, review the findings in Security Command Center, and exclude URLs that change state (for example logout or delete endpoints), because the scanner follows links and submits forms.
Reference: https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview

Question No : 15


You work for a large organization where each business unit has thousands of users. You need to delegate management of access control permissions to each business unit.
You have the following requirements:
Each business unit manages access controls for their own projects.
Each business unit manages access control permissions at scale.
Business units cannot access other business units' projects.
Users lose their access if they move to a different business unit or leave the company.
Users and access control permissions are managed by the on-premises directory service.
What should you do? (Choose two.)

Answer: Organize each business unit's projects under its own folder and grant IAM roles to Google Groups at the folder level; synchronize users and groups from the on-premises directory with Google Cloud Directory Sync (GCDS).
Explanation:
To delegate access control to each business unit, place each unit's projects under its own folder and grant IAM roles to Google Groups at the folder level: the unit administers membership of its groups, permissions inherit down to every project in the folder, and units have no roles in each other's folders. Google Cloud Directory Sync (GCDS) keeps Cloud Identity users and groups in step with the on-premises directory, so when a user is moved to a different business unit or removed on-premises, the next sync updates or deletes the Cloud Identity account and group memberships, and the folder-level access ends with them. That satisfies the requirement that users lose access on transfer or departure without anyone editing IAM bindings by hand.
Steps:
Organize Projects in Folders: Create a folder structure in the Google Cloud Resource Manager to organize projects by business unit.
Assign Permissions to Google Groups: Use IAM to assign necessary permissions to Google Groups at the folder level, ensuring each business unit can manage access controls for their own projects.
Synchronize Users and Groups: Use GCDS to sync users and group memberships from your on-premises directory service to Google Cloud Identity, ensuring that changes in the on-premises directory are reflected in Google Cloud.
Reference: Google Cloud Resource Manager
Google Cloud Directory Sync
