練習問題

問題 1

(2つ選択)

Your company operates a single Google Cloud organization with 10 folders and 150 projects, and the SOC requires that all Google Cloud Console sign-in events and API calls that change resource configurations be streamed to an external SIEM in under 60 seconds, with coverage for all existing and future projects. Requirements:

Collect and export the relevant logs for the entire organization hierarchy (folders and projects).
Deliver logs to the SIEM in near real time (<60 seconds).
Include Console login events and admin activity that modifies configurations. What should you do? (Choose two.)

問題分析

Core concept: This question tests organization-wide logging architecture using Cloud Logging sinks and Cloud Audit Logs, and how to stream security-relevant events to an external SIEM with low latency. It also tests understanding of what “Google Cloud Console sign-in events” actually are and where they originate. Why the answer is correct: To cover all existing and future projects across an organization hierarchy, you should create an organization-level aggregated log sink with includeChildren enabled. This ensures logs from all folders and projects (present and future) are captured without per-project configuration. For near real-time delivery (<60 seconds), Pub/Sub is the correct sink destination because it supports streaming consumption patterns and low-latency delivery to external systems. Cloud Storage is primarily batch/archival and does not meet the near-real-time requirement. Console sign-in events are not Cloud Audit Logs “Admin Activity” entries. Interactive sign-ins to the Cloud Console are identity events typically recorded in Google Workspace (or Cloud Identity) audit logs. To route those into Cloud Logging so they can be exported via the same org-level sink to Pub/Sub, you must enable export of Google Workspace audit logs to Cloud Logging. This provides the required coverage for Console login events. Key features and best practices: - Organization-level sinks with includeChildren provide centralized governance and scale for 150+ projects and future growth. - Pub/Sub sinks are the standard pattern for SIEM streaming; the SIEM can pull or receive pushed messages via a subscriber/connector. - Admin Activity audit logs are enabled by default and capture configuration-changing API calls; they are retained and cannot be disabled. - Aligns with Google Cloud Architecture Framework “Operational Excellence” and “Security, Privacy, and Compliance” by centralizing telemetry and enabling rapid detection. Common misconceptions: Many assume Cloud Audit Logs already include Console sign-in events; they generally do not. Another trap is enabling Data Access logs (often expensive and high-volume) when the requirement is specifically configuration-changing activity (Admin Activity) plus sign-ins. Exam tips: When you see “all projects including future,” think org-level sink + includeChildren. When you see “<60 seconds to SIEM,” think Pub/Sub (or sometimes BigQuery for analytics, but not streaming). Distinguish between Cloud Audit Logs (API activity) and identity sign-in logs (Workspace/Cloud Identity).

問題 2

You lead network security for a fintech trading platform on Google Cloud. You currently detect anomalies using VPC Flow Logs exported to BigQuery with a 5-minute aggregation interval across three VPCs. A red team exercise now requires examining full packet payloads and L4/L7 headers for east-west traffic between two production subnets (10.20.0.0/24 and 10.20.1.0/24) in a single VPC and forwarding a copy of up to 8 Gbps of this traffic to a third-party NIDS running on a Compute Engine VM, without altering original packets. Which Google Cloud product should you use?

問題 3

Your company has a three-level resource hierarchy: Organization > Business Unit folders > Team folders, and you are onboarding 12 platform squads that each receive a dedicated Terraform provisioner service account; each squad must be able to create and fully manage projects only under its assigned team folder (for example, folders/789012345678) while adhering to least privilege and preventing project creation in any other location; you need a scalable, centrally managed approach that supports Infrastructure as Code and avoids granting broad administrative control at the folder or organization level; what should you do?

問題分析

Core concept: This question tests Google Cloud IAM design for resource hierarchy governance (Organization > Folders > Projects), specifically controlling project creation location using least privilege. It also touches IAM Conditions (conditional role bindings) and scalable, centrally managed access patterns suitable for Terraform-based provisioning. Why the answer is correct: To let each squad create and fully manage projects only under its own team folder, you need two things: (1) the ability to create projects, and (2) a hard boundary preventing creation elsewhere. Granting roles/resourcemanager.projectCreator at the organization level provides the project creation permission (resourcemanager.projects.create). Adding an IAM Condition that checks the target parent (for example, resource.parent == "folders/789012345678") constrains where that permission can be exercised. This is scalable because you can manage a consistent pattern centrally (org-level bindings) while still scoping each squad to a specific folder via the condition. It also avoids giving broad folder/organization admin privileges. Key features and best practices: - IAM Conditions allow attribute-based access control on IAM bindings, enabling “create only under this folder” constraints. - Centralized governance: org-level binding + condition is easier to audit and standardize across 12 squads than delegating folder admin. - Least privilege: projectCreator is narrower than folderAdmin/editor and avoids granting permissions to modify folder structure or IAM broadly. - For “fully manage projects,” you typically pair this with project-level roles granted after creation (often via automation): e.g., roles/resourcemanager.projectIamAdmin and/or predefined admin roles on the newly created project. The question’s key requirement is preventing creation outside the assigned folder; conditional projectCreator is the control that enforces that boundary. Common misconceptions: - “Just grant folderAdmin on the team folder” seems to scope correctly, but it grants extensive folder management capabilities (including moving resources, deleting folders, and potentially manipulating hierarchy) beyond what’s needed for project provisioning. - “Use editor at org” is overly broad and violates least privilege; it also doesn’t enforce location constraints. - “Give folder IAM admin” enables changing IAM policies, which can lead to privilege escalation and does not directly grant project creation. Exam tips: - For controlling where projects can be created, think roles/resourcemanager.projectCreator plus IAM Conditions on resource.parent. - Prefer conditional, centrally managed bindings for scalable multi-team governance. - Watch for privilege escalation: roles that allow setting IAM (folderIamAdmin, projectIamAdmin) are powerful and should be tightly controlled. - Map requirements to the minimal role that grants the needed permission, then add conditions to enforce boundaries aligned with the Google Cloud Architecture Framework’s security principle of least privilege and centralized policy management.

問題 4

Your retail analytics platform runs on two Compute Engine instances behind a load balancer and authenticates to Google APIs using a user-managed service account key stored in Secret Manager (secret name: retail-sa-key), and your security policy mandates rotation every 90 days with no more than 2 minutes of reduced capacity. To follow Google-recommended practices when rotating this user-managed service account key, what should you do?

問題 5

Your compliance team is launching an internal meeting-notes summarization pipeline on Google Cloud that uses a generative model to create summaries from audio transcripts, it must process up to 3,000 transcripts per day (average 1 MB each) with under 200 ms filtering latency per request, and company policy mandates that no personally identifiable information (PII)—such as names, email addresses, phone numbers, or government IDs—may appear in either the prompts sent to the model or the summaries returned, so you need a managed, scalable control that detects and automatically redacts PII on both ingress and egress before any storage or display; what should you do?

問題分析

Core Concept: This question tests managed data protection controls for compliance—specifically detecting and de-identifying PII in content flowing into and out of a generative AI summarization pipeline. In Google Cloud, the primary managed service for PII discovery and redaction is Cloud Data Loss Prevention (Cloud DLP). Why the Answer is Correct: Option B is correct because Cloud DLP can inspect text for sensitive data types (names, emails, phone numbers, government IDs, etc.) and then automatically de-identify (mask, redact, replace, tokenize, or format-preserve) the detected findings. The requirement explicitly states that PII must not appear in prompts sent to the model (ingress) nor in summaries returned (egress), and that the control must be managed, scalable, and applied before storage or display. Cloud DLP is designed for exactly this: programmatic inspection + de-identification as part of an application workflow. Key Features / How to Implement: - Use Cloud DLP inspect + de-identify APIs in the request path before calling the model (prompt construction) and again on model output before persisting or rendering. - Configure infoTypes (built-in and custom), likelihood thresholds, and exclusion rules to reduce false positives. - Choose transformations: masking/redaction for strict removal, or tokenization/crypto-based pseudonymization when you need consistent replacements. - For performance, keep processing regional where possible and design for horizontal scale (e.g., Cloud Run/GKE calling DLP). The stated throughput (3,000 x 1 MB/day) is modest; the key is meeting per-request latency targets by minimizing extra hops and tuning inspection scope. Common Misconceptions: Encryption (A) protects confidentiality at rest but does not remove PII from prompts or summaries. VPC Service Controls (C) reduces data exfiltration risk but cannot detect/redact PII within allowed flows. Third-party tools (D) may work but are not the most appropriate managed native control and add supply-chain/compliance complexity. Exam Tips: When the requirement is “detect and redact PII” (especially for compliance) think Cloud DLP first. Pair it with IAM least privilege, logging, and boundary controls as defense-in-depth, but DLP is the control that actually enforces “no PII in content” on ingress/egress. Map such requirements to the Google Cloud Architecture Framework’s security and compliance principles: data classification, prevention controls, and automated policy enforcement.

外出先でもすべての問題を解きたいですか？

Cloud Passを無料でダウンロード — 模擬試験、学習進捗の追跡などを提供します。

問題 6

Your organization uses a Shared VPC where net-hub-prod is the host project, and all firewall rules, subnets, and an HA VPN with Cloud Router are configured in the host; you need to let the Data Science Blue group attach Compute Engine VMs in service project ml-svc-02 only to the us-central1 subnetwork 172.16.20.0/24 and prevent attachment to any other subnet—what should you grant to the group to meet this requirement?

問題 7

Your production Google Cloud project runs a managed instance group behind an external HTTP(S) load balancer; a team of 10 release engineers must roll out new application versions by updating instance templates and triggering deployments via Cloud Build, but they must not be able to create, update, or delete any VPC firewall rules in the shared network; only a 2-person NetOps group may change firewall rules, and auditors require least privilege with clear separation of duties and auditable assignments. What should you do?

問題分析

Core Concept: This question tests IAM least privilege and separation of duties in Google Cloud. The goal is to allow release engineers to deploy (update instance templates and trigger managed instance group rollouts via Cloud Build) while preventing them from administering shared VPC firewall rules. It also emphasizes auditable, role-based access aligned to compliance expectations. Why the Answer is Correct: Creating two custom IAM roles cleanly separates deployment permissions from network security administration. A “deployer” role can include only the permissions required to update instance templates, update/roll managed instance groups, and run Cloud Build (and any required service account impersonation). A separate “network security” role can include only Compute Engine firewall rule permissions (e.g., compute.firewalls.create/update/delete) and be granted exclusively to the NetOps group. This directly enforces least privilege and provides clear, auditable assignments (group membership + IAM policy bindings) that satisfy auditors. Key Features / Best Practices: - Use Google Groups for the 10 release engineers and 2 NetOps engineers, then bind roles to groups for auditability and operational simplicity. - Prefer predefined roles where possible (e.g., compute.instanceAdmin.v1, compute.loadBalancerAdmin, cloudbuild.builds.editor) but use custom roles when you must exclude sensitive permissions like firewall administration. - In Shared VPC, firewall rules typically live in the host project; ensure the release engineers have no firewall permissions in the host project while still having needed permissions in the service project(s). - Aligns with Google Cloud Architecture Framework: “Security, privacy, and compliance” (least privilege, separation of duties, centralized governance). Common Misconceptions: People often think “Network Admin + policy/process” is acceptable, but auditors require technical enforcement. Others confuse Access Context Manager (context-based access) with authorization; it can restrict where access comes from, not replace least-privilege permissions. Deny policies can help, but granting broad roles like Editor is still poor practice and can create other unintended privileges. Exam Tips: When you see “must not be able to” + “auditors require least privilege and separation of duties,” default to IAM role design (custom roles and group-based bindings) rather than procedural controls. Use the host/service project boundary in Shared VPC to ensure network controls remain with NetOps while app teams retain deployment autonomy.

問題 8

(2つ選択)

Your retail chain streams point-of-sale logs every 5 minutes from 300 branches via Pub/Sub into a Dataflow pipeline that writes to Cloud Bigtable for fraud analytics, and you discover that two PII fields (national ID numbers and phone numbers) are included; you must obfuscate these fields during ingestion to prevent analysts from seeing raw values, yet be able to re-identify the original values for regulatory investigations within 7 years while maintaining consistent tokens to enable joins and group-bys; which two components should you use? (Choose two.)

問題分析

Core concept: This question tests tokenization/pseudonymization of PII during streaming ingestion while preserving analytic utility (joins/group-bys) and enabling later re-identification. In Google Cloud, this is commonly implemented with Cloud DLP de-identification using deterministic encryption, backed by customer-managed keys in Cloud KMS. Why the answer is correct: You must (1) obfuscate national ID and phone numbers so analysts cannot see raw values, (2) keep tokens consistent so the same input always maps to the same output (enabling joins and aggregations), and (3) be able to recover the original values for up to 7 years. Cloud DLP deterministic encryption using AES-SIV produces stable ciphertext for the same plaintext (given the same key/context), which functions as a consistent token. Unlike hashing, deterministic encryption is reversible, satisfying re-identification requirements. Cloud KMS provides the cryptographic key management needed to protect, rotate, and audit access to the key material used for encryption/decryption over the 7-year period. Key features / configurations / best practices: - Use Cloud DLP de-identification transform: deterministic encryption (AES-SIV) on the two PII fields in the Dataflow pipeline before writing to Bigtable. - Store and manage the wrapping/KEK in Cloud KMS (CMEK). Control access via IAM, separation of duties, and audit via Cloud Audit Logs. - Plan for long retention: ensure key lifecycle policies, backups, and rotation strategy that does not break re-identification (rotation must be handled carefully; keep prior key versions available for decrypting historical data). - Consider using DLP with KMS-wrapped keys so only a tightly controlled investigation workflow can decrypt. Common misconceptions: - Cryptographic hashing in DLP seems to provide consistent tokens, but it is not reversible, so it fails the re-identification requirement. - Automatic text redaction removes data entirely and breaks joins/group-bys and investigations. - Secret Manager stores secrets but is not a cryptographic key management system for encryption operations and does not provide the same key lifecycle controls as KMS. Exam tips: When you see “consistent token for analytics” + “must re-identify later,” think deterministic encryption/tokenization (not redaction, not hashing). When you see “7 years,” “regulatory investigations,” and “control/audit of keys,” pair the de-identification method with Cloud KMS for CMEK, IAM control, and auditability. This aligns with the Google Cloud Architecture Framework’s data protection principles: strong encryption, centralized key management, and least privilege access.

問題 9

(2つ選択)

Your company runs 20 CI pipelines in GitHub Actions and Azure DevOps outside Google Cloud that deploy to 8 Google Cloud projects using workload identity federation; service account keys are prohibited by policy. You must prevent attackers from spoofing another pipeline's identity (for example, by manipulating mutable claims like email or display name) to obtain unauthorized access to Google Cloud resources, while keeping existing federation flows and token lifetimes (1 hour) unchanged. What should you do? (Choose two.)

問題分析

Core concept: This question tests secure configuration of Workload Identity Federation (WIF) for external CI/CD systems (GitHub Actions, Azure DevOps) and how to prevent identity spoofing during Security Token Service (STS) token exchange and service account impersonation. The key is to bind access to stable, non-user-editable identifiers and enforce least privilege on the resulting Google identity. Why the answer is correct: (D) is the primary control to prevent one pipeline from impersonating another by manipulating mutable claims (email, display name, branch name, etc.). In WIF, you map external token claims into Google attributes (including google.subject) and then use IAM principalSet/principal bindings and provider attribute conditions to allow only specific identities. If you base authorization on mutable claims, an attacker who can influence those claims could satisfy the condition and impersonate a different pipeline. Using immutable identifiers (e.g., GitHub repository_id, workflow_ref with pinned refs, environment IDs, or Azure AD object_id / application (client) ID) makes spoofing materially harder because those values are stable and controlled by the identity provider. (E) complements D by limiting blast radius if any single pipeline identity is compromised. Even with strong identity binding, a stolen OIDC token or compromised runner could still impersonate that pipeline for up to the unchanged 1-hour lifetime. Least-privilege IAM on the target service accounts and resources ensures the attacker cannot laterally move across projects or access unrelated assets. Key features and best practices: Use provider attribute mapping to set google.subject to an immutable claim and optionally map custom attributes (attribute.repository_id, attribute.aud, attribute.actor_id). Then enforce provider attribute conditions and IAM bindings using principalSet://.../attribute.* selectors. Combine with per-pipeline (or per-repo/environment) service accounts and narrowly scoped roles (resource-level IAM where possible). This aligns with Google Cloud Architecture Framework principles: least privilege, strong identity, and defense in depth. Common misconceptions: Centralizing pools (C) improves manageability but does not inherently prevent spoofing if mappings/conditions still rely on mutable attributes. Audit logs (A) help detection/forensics, not prevention. Artificial caps (B) are not a standard IAM/WIF control and don’t address claim spoofing. Exam tips: For WIF questions, look for “attribute mapping/conditions” and “immutable identifiers” as the prevention mechanism, and pair it with least privilege to reduce impact. Logging is usually a secondary control unless the question asks for detection/monitoring.

問題 10

A media analytics company performs a 7-day manual security review for every new service that verifies service-to-service transit paths, request handling, and VPC firewall rules across 3 projects and 2 Shared VPCs. With 12 squads releasing about 25 GKE and Cloud Run services per month, this process delays releases and consumes security bandwidth. They want teams to deploy without the full manual review while ensuring that violations (for example, 0.0.0.0/0 on TCP:22, publicly readable Cloud Storage buckets, or egress to restricted RFC1918 ranges) are prevented before merge/deploy rather than detected in production. They already use GitHub and Cloud Build and cannot fund a dedicated security reviewer per squad. What should you recommend?

Practice Test #2

3重AI検証済み解答＆解説

練習問題

合格体験記(6)

他の模擬試験

Practice Test #1

Practice Test #3

今すぐ学習を始める