Google Professional Cloud Security Engineer (PCSE) 덤프 및 해설

Your company operates a single Google Cloud organization with 10 folders and 150 projects, and the SOC requires that all Google Cloud Console sign-in events and API calls that change resource configurations be streamed to an external SIEM in under 60 seconds, with coverage for all existing and future projects. Requirements: - Collect and export the relevant logs for the entire organization hierarchy (folders and projects). - Deliver logs to the SIEM in near real time (<60 seconds). - Include Console login events and admin activity that modifies configurations. What should you do? (Choose two.)

Your healthcare analytics startup is building a multi-region telemetry pipeline on Google Cloud that spans Compute Engine VMs, a GKE Autopilot cluster, Cloud Storage buckets, BigQuery datasets (~50 TB), and Pub/Sub topics processing ~80,000 messages per second. Under your GDPR data protection by design program, the security review mandates that: (1) you—not Google—must control key creation, 90-day rotation, and IAM-scoped usage of encryption keys; (2) keys must reside in Google Cloud KMS/HSM with no dependency on external key stores; and (3) a single key management approach must be supported uniformly across all listed services. Which option should you choose to meet these requirements?

You lead network security for a fintech trading platform on Google Cloud. You currently detect anomalies using VPC Flow Logs exported to BigQuery with a 5-minute aggregation interval across three VPCs. A red team exercise now requires examining full packet payloads and L4/L7 headers for east-west traffic between two production subnets (10.20.0.0/24 and 10.20.1.0/24) in a single VPC and forwarding a copy of up to 8 Gbps of this traffic to a third-party NIDS running on a Compute Engine VM, without altering original packets. Which Google Cloud product should you use?

You deploy a Cloud Run job in us-central1 that executes every 4 hours for ~20 minutes to compress and upload up to 500 MB of log archives into a Cloud Storage bucket named cr-logs-archive; the job must have write-only access (no read, list, or delete) to the bucket during execution, you want to avoid long-lived credentials, and you must grant only the minimum permissions required to complete the uploads—what should you do?

A media-streaming startup must launch a public REST API on Cloud Run behind an external HTTP(S) Load Balancer within 48 hours, and the security team mandates minimizing the container image’s attack surface (target image size under 200 MB, no interactive shell or package manager, and only required runtime files) without changing networking or deployment tools; what should the team do to meet this requirement?