An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters. Which Cloud Identity password guidelines can the organization use to inform their new requirements?

Set the minimum length for passwords to be 8 characters.

Set the minimum length for passwords to be 10 characters.

Set the minimum length for passwords to be 12 characters.

Set the minimum length for passwords to be 6 characters.

You are implementing data protection by design and in accordance with GDPR requirements. As part of design reviews, you are told that you need to manage the encryption key for a solution that includes workloads for Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. Which option should you choose for this implementation?

Customer-managed encryption keys

You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.

Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.

Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.

Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.

Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud. Which two steps should you take to integrate the company's on-premises Active Directory with Google Cloud and configure access management? (Choose two.)

Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.

Create Identity and Access Management (IAM) roles with permissions corresponding to each Active Directory group.

Use Identity Platform to provision users and groups to Google Cloud.

Use Cloud Identity SAML integration to provision users and groups to Google Cloud.

Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group.

A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to control the key lifecycle. Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?

Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)

Customer-supplied encryption keys (CSEK)

Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis

You manage one of your organization's Google Cloud projects (Project A). A VPC Service Control (SC) perimeter is blocking API access requests to this project, including Pub/Sub. A resource running under a service account in another project (Project B) needs to collect messages from a Pub/Sub topic in your project. Project B is not included in a VPC SC perimeter. You need to provide access from Project B to the Pub/Sub topic in Project A using the principle of least privilege. What should you do?

Configure an ingress policy for the perimeter in Project A, and allow access for the service account in Project B to collect messages.

Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is located in Project A.

Create a perimeter bridge between Project A and Project B to allow the required communication between both projects.

Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project A.

Your organization wants full control of the keys used to encrypt data at rest in their Google Cloud environments. Keys must be generated and stored outside of Google and integrate with many Google Services including BigQuery. What should you do?

Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module (HSM) system from supported vendors.

Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems. Provide the raw CSEK as part of the API call.

Create a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM). Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.

Create a Cloud Key Management Service (KMS) key with imported key material. Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.

Your company is using GSuite and has developed an application meant for internal usage on Google App Engine. You need to make sure that an external user cannot gain access to the application even when an employee's password has been compromised. What should you do?

Enforce 2-factor authentication in GSuite for all users.

Configure Cloud Identity-Aware Proxy for the App Engine Application.

Provision user passwords using GSuite Password Sync.

Configure Cloud VPN between your private network and GCP.

A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery What should you do?

Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.

Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.

Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.

Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.

You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources. Your export must meet the following requirements: ✑ Export related logs for all projects in the Google Cloud organization. ✑ Export logs in near real-time to an external SIEM. What should you do? (Choose two.)

Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.

Create a Log Sink at the organization level with a Pub/Sub destination.

Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.

Enable Data Access audit logs at the organization level to apply to all projects.

Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.

You are developing a new application that uses exclusively Compute Engine VMs. Once a day, this application will execute five different batch jobs. Each of the batch jobs requires a dedicated set of permissions on Google Cloud resources outside of your application. You need to design a secure access concept for the batch jobs that adheres to the least-privilege principle. What should you do?

1. Create a general service account “g-sa” to orchestrate the batch jobs. 2. Create one service account per batch job “b-sa-[1-5]”, and grant only the permissions required to run the individual batch jobs to the service accounts. 3. Grant the Service Account Token Creator role to g-sa. Use g-sa to obtain short-lived access tokens for b-sa-[1-5] and to execute the batch jobs with the permissions of b-sa-[1-5].

1. Create a general service account “g-sa” to orchestrate the batch jobs. 2. Create one service account per batch job ‘b-sa-[1-5]’. Grant only the permissions required to run the individual batch jobs to the service accounts and generate service account keys for each of these service accounts. 3. Store the service account keys in Secret Manager. Grant g-sa access to Secret Manager and run the batch jobs with the permissions of b-sa-[1-5].

1. Create a general service account “g-sa” to execute the batch jobs. 2. Grant the permissions required to execute the batch jobs to g-sa. 3. Execute the batch jobs with the permissions granted to g-sa.

1. Create a workload identity pool and configure workload identity pool providers for each batch job. 2. Assign the workload identity user role to each of the identities configured in the providers. 3. Create one service account per batch job “b-sa-[1-5]”, and grant only the permissions required to run the individual batch jobs to the service accounts. 4. Generate credential configuration files for each of the providers. Use these files to execute the batch jobs with the permissions of b-sa-[1-5].

Your organization is transitioning to Google Cloud. You want to ensure that only trusted container images are deployed on Google Kubernetes Engine (GKE) clusters in a project. The containers must be deployed from a centrally managed Container Registry and signed by a trusted authority. What should you do? (Choose two.)

Configure the trusted image organization policy constraint for the project.

Configure the Binary Authorization policy with respective attestations for the project.

Enable Container Threat Detection in the Security Command Center (SCC) for the project.

Create a custom organization policy constraint to enforce Binary Authorization for Google Kubernetes Engine (GKE).

Enable PodSecurity standards, and set them to Restricted.

You have a highly sensitive BigQuery workload that contains personally identifiable information (PII) that you want to ensure is not accessible from the internet. To prevent data exfiltration, only requests from authorized IP addresses are allowed to query your BigQuery tables. What should you do?

Use service perimeter and create an access level based on the authorized source IP address as the condition.

Use Google Cloud Armor security policies defining an allowlist of authorized IP addresses at the global HTTPS load balancer.

Use the Restrict Resource Service Usage organization policy constraint along with Cloud Data Loss Prevention (DLP).

Use the Restrict allowed Google Cloud APIs and services organization policy constraint along with Cloud Data Loss Prevention (DLP).

A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end- user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection. Which product should be used to meet these requirements?

Cloud Identity and Access Management

Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud. What should you do?

Use the Cloud Key Management Service to manage the key encryption key (KEK).

Use the Cloud Key Management Service to manage the data encryption key (DEK).

Your organization uses BigQuery to process highly sensitive, structured datasets. Following the “need to know” principle, you need to create the Identity and Access Management (IAM) design to meet the needs of these users: • Business user: must access curated reports. • Data engineer: must administrate the data lifecycle in the platform. • Security operator: must review user activity on the data platform. What should you do?

Create curated tables in a separate dataset and assign the role roles/bigquery.dataViewer.

Configure data access log for BigQuery services, and grant Project Viewer role to security operator.

Set row-based access control based on the “region” column, and filter the record from the United States for data engineers.

Generate a CSV data file based on the business user's needs, and send the data to their email addresses.

A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK). How should the team complete this task?

Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.

Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.

Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.

Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.

You are consulting with a client that requires end-to-end encryption of application data (including data in transit, data in use, and data at rest) within Google Cloud. Which options should you utilize to accomplish this? (Choose two.)

Confidential Computing and Istio

You are setting up a new Cloud Storage bucket in your environment that is encrypted with a customer managed encryption key (CMEK). The CMEK is stored in Cloud Key Management Service (KMS), in project “prj-a”, and the Cloud Storage bucket will use project “prj-b”. The key is backed by a Cloud Hardware Security Module (HSM) and resides in the region europe-west3. Your storage bucket will be located in the region europe-west1. When you create the bucket, you cannot access the key, and you need to troubleshoot why. What has caused the access issue?

The CMEK is in a different region than the Cloud Storage bucket.

A firewall rule prevents the key from being accessible.

Cloud HSM does not support Cloud Storage.

The CMEK is in a different project than the Cloud Storage bucket.

Your organization wants to be compliant with the General Data Protection Regulation (GDPR) on Google Cloud. You must implement data residency and operational sovereignty in the EU. What should you do? (Choose two.)

Limit the physical location of a new resource with the Organization Policy Service "resource locations constraint."

Limit Google personnel access based on predefined attributes such as their citizenship or geographic location by using Key Access Justifications.

Use Cloud IDS to get east-west and north-south traffic visibility in the EU to monitor intra-VPC and inter-VPC communication.

Use identity federation to limit access to Google Cloud resources from non-EU entities.

Use VPC Flow Logs to monitor intra-VPC and inter-VPC traffic in the EU.

A company's application is deployed with a user-managed Service Account key. You want to use Google-recommended practices to rotate the key. What should you do?

Create a new key, and use the new key in the application. Delete the old key from the Service Account.

Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam-account=IAM_ACCOUNT.

Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam-account=IAM_ACCOUNT --key=NEW_KEY.

Create a new key, and use the new key in the application. Store the old key on the system as a backup key.

You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google-recommended practices. What should you do?

Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.

Create a new Service account, and give all application users the role of Service Account User.

Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.

Use a dedicated G Suite Admin account, and authenticate the application's operations with these G Suite credentials.

Your organization must comply with the regulation to keep instance logging data within Europe. Your workloads will be hosted in the Netherlands in region europe-west4 in a new project. You must configure Cloud Logging to keep your data in the country. What should you do?

Create a new log bucket in europe-west4, and redirect the _Default bucket to the new bucket.

Configure the organization policy constraint gcp.resourceLocations to europe-west4.

Configure log sink to export all logs into a Cloud Storage bucket in europe-west4.

Set the logging storage region to europe-west4 by using the gcloud CLI logging settings update.

A company migrated their entire data/center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time. What should you do?

Use Security Command Center to view all assets across the organization.

Use Resource Manager on the organization level.

Use Forseti Security to automate inventory snapshots.

Use Stackdriver to create a dashboard across all projects.

You manage a fleet of virtual machines (VMs) in your organization. You have encountered issues with lack of patching in many VMs. You need to automate regular patching in your VMs and view the patch management data across multiple projects. What should you do? (Choose two.)

View patch management data in Artifact Registry.

Deploy patches with VM Manager by using OS patch management.

View patch management data in VM Manager by using OS patch management.

View patch management data in a Security Command Center dashboard.

Deploy patches with Security Command Genter by using Rapid Vulnerability Detection.

You plan to synchronize identities to Cloud Identity from a third-party identity provider (IdP). You discovered that some employees used their corporate email address to set up consumer accounts to access Google services. You need to ensure that the organization has control over the configuration, security, and lifecycle of these consumer accounts. What should you do? (Choose two.)

Reconcile accounts that exist in Cloud Identity but not in the third-party IdP.

Use the transfer tool to invite those corporate employees to transfer their unmanaged consumer accounts to the corporate domain.

Mandate that those corporate employees delete their unmanaged consumer accounts.

Evict the unmanaged consumer accounts in the third-party IdP before you sync identities.

Use Google Cloud Directory Sync (GCDS) to migrate the unmanaged consumer accounts' emails as user aliases.

You define central security controls in your Google Cloud environment. For one of the folders in your organization, you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later, you receive an alert about a new VM with an external IP address under that folder. What could have caused this alert?

A project level, the organizational policy control has been overwritten with an "allow" value.

The VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.

The organizational policy constraint wasn't properly enforced and is running in "dry run" mode.

The policy constraint on the folder level does not have any effect because of an "allow" value for that constraint on the organizational level.

Your company’s users access data in a BigQuery table. You want to ensure they can only access the data during working hours. What should you do?

Assign a BigQuery Data Viewer role along with an IAM condition that limits the access to specified working hours.

Run a gsutil script that assigns a BigQuery Data Viewer role, and remove it only during the specified working hours.

Assign a BigQuery Data Viewer role to a service account that adds and removes the users daily during the specified working hours.

Configure Cloud Scheduler so that it triggers a Cloud Functions instance that modifies the organizational policy constraint for BigQuery during the specified working hours.

Your company is concerned about unauthorized parties gaining access to the Google Cloud environment by using a fake login page. You must implement a solution to protect against person-in-the-middle attacks. Which security measure should you use?

Text message or phone call code

Google Authenticator application

Your organization uses the top-tier folder to separate application environments (prod and dev). The developers need to see all application development audit logs, but they are not permitted to review production logs. Your security team can review all logs in production and development environments. You must grant Identity and Access Management (IAM) roles at the right resource level for the developers and security team while you ensure least privilege. What should you do?

1. Grant logging.viewer role to the security team at the organization resource level. 2. Grant logging.viewer role to the developer team at the folder resource level that contains all the dev projects.

1. Grant logging.viewer role to the security team at the organization resource level. 2. Grant logging.admin role to the developer team at the organization resource level.

1. Grant logging.admin role to the security team at the organization resource level. 2. Grant logging.viewer role to the developer team at the folder resource level that contains all the dev projects.

1. Grant logging.admin role to the security team at the organization resource level. 2. Grant logging.admin role to the developer team at the organization resource level.

After completing a security vulnerability assessment, you learned that cloud administrators leave Google Cloud CLI sessions open for days. You need to reduce the risk of attackers who might exploit these open sessions by setting these sessions to the minimum duration. What should you do?

Set the reauthentication frequency for the Google Cloud Session Control to one hour.

Set the session duration for the Google session control to one hour.

Set the organization policy constraint constraints/iam.allowServiceAccountCredentialLifetimeExtension to one hour.

Set the organization policy constraint constraints/iam.serviceAccountKeyExpiryHours to one hour and inheritFromParent to false. Show Suggested Answer

You are migrating an on-premises data warehouse to BigQuery, Cloud SQL, and Cloud Storage. You need to configure security services in the data warehouse. Your company compliance policies mandate that the data warehouse must: • Protect data at rest with full lifecycle management on cryptographic keys. • Implement a separate key management provider from data management. • Provide visibility into all encryption key requests. What services should be included in the data warehouse implementation? (Choose two.)

Customer-managed encryption keys

Access Transparency and Approval

Your company uses Google Cloud and has publicly exposed network assets. You want to discover the assets and perform a security audit on these assets by using a software tool in the least amount of time. What should you do?

Identify all external assets by using Cloud Asset Inventory, and then run a network security scanner against them.

Run a platform security scanner on all instances in the organization.

Contact a Google approved security vendor to perform the audit.

Notify Google about the pending audit, and wait for confirmation before performing the scan.

Your organization has on-premises hosts that need to access Google Cloud APIs. You must enforce private connectivity between these hosts, minimize costs, and optimize for operational efficiency. What should you do?

Route all on-premises traffic to Google Cloud through an IPsec VPN tunnel to a VPC with Private Google Access enabled.

Set up VPC peering between the hosts on-premises and the VPC through the internet.

Enforce a security policy that mandates all applications to encrypt data with a Cloud Key Management Service (KMS) key before you send it over the network.

Route all on-premises traffic to Google Cloud through a dedicated or Partner Interconnect to a VPC with Private Google Access enabled.

Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization. Which logging export strategy should you use to meet the requirements?

1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project. 2. Subscribe SIEM to the topic.

1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project. 2. Subscribe SIEM to the topic.

1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project. 2. Process Cloud Storage objects in SIEM.

1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project. 2. Process Cloud Storage objects in SIEM.

Google Professional Security Engineer

Professional Development

•

105 Qs

Similar activities

QUIZZ JAM TAMBAHAN 2 - TEORI KEJURUAN TKJ

KG - Professional Development

•

100 Qs

EXAMEN SIMULACRO

Professional Development

•

100 Qs

TGF1

Professional Development

•

100 Qs

Security Quiz Chapter 12

Professional Development

•

100 Qs

Test Level 1 Basic Computer + Internet

Professional Development

•

100 Qs

ÔN TẬP IC3

Professional Development

•

100 Qs

Calculatoare și rețele de calculatoare

Professional Development

•

100 Qs

untitled

11th Grade - Professional Development

•

100 Qs

Google Professional Security Engineer

Quiz

•

Computers

•

Professional Development

•

Practice Problem

•

Hard

Steven Wong

Used 2+ times

FREE Resource

105 questions

Show all answers

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation.
What should you do?

Store the data in a single Persistent Disk, and delete the disk at expiration time

Store the data in a single BigQuery table and set the appropriate table expiration time.

Store the data in a single Cloud Storage bucket and configure the bucket's Time to Live.

Store the data in a single BigTable table and set an expiration time on the column families.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on `in-scope` Nodes only. These Nodes can only contain the
`in-scope` Pods.
How should the organization achieve this objective?

Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.

Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.

Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.

Run all in-scope Pods in the namespace ג€in-scope-pciג€.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location.
How should the company accomplish this?

Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.

Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.

Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.

Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

You control network traffic for a folder in your Google Cloud environment. Your folder includes multiple projects and Virtual Private Cloud (VPC) networks. You want to enforce on the folder level that egress connections are limited only to IP range 10.58.5.0/24 and only from the VPC network “dev-vpc”. You want to minimize implementation and maintenance effort.
What should you do?

1. Leave the network configuration of the VMs in scope unchanged.
2. Create a new project including a new VPC network “new-vpc”.
3. Deploy a network appliance in “new-vpc” to filter access requests and only allow egress connections from “dev-vpc” to 10.58.5.0/24.

1. Leave the network configuration of the VMs in scope unchanged.
2. Enable Cloud NAT for “dev-vpc” and restrict the target range in Cloud NAT to 10.58.5.0/24.

1. Attach external IP addresses to the VMs in scope.
2. Define and apply a hierarchical firewall policy on folder level to deny all egress connections and to allow egress to IP range 10.58.5.0/24 from network dev-vpc.

1. Attach external IP addresses to the VMs in scope.
2. Configure a VPC Firewall rule in “dev-vpc” that allows egress connectivity to IP range 10.58.5.0/24 for all source addresses in this network.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

You have stored company approved compute images in a single Google Cloud project that is used as an image repository. This project is protected with VPC Service Controls and exists in the perimeter along with other projects in your organization. This lets other projects deploy images from the image repository project. A team requires deploying a third-party disk image that is stored in an external Google Cloud organization. You need to grant read access to the disk image so that it can be deployed into the perimeter.
What should you do?

Allow the external project by using the organizational policy, constraints/compute.trustedImageProjects.

1. Update the perimeter.
2. Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.
3. Configure the egressFrom field to set identityType to ANY_IDENTITY.

1. Update the perimeter.
2. Configure the ingressFrom field to set identityType to ANY_IDENTITY.
3. Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.

1. Update the perimeter.
2. Configure the egressTo field to set identityType to ANY_IDENTITY.
3. Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.
What should you do?

Use the Cloud Key Management Service to manage a data encryption key (DEK).

Use the Cloud Key Management Service to manage a key encryption key (KEK).

Use customer-supplied encryption keys to manage the data encryption key (DEK).

Use customer-supplied encryption keys to manage the key encryption key (KEK).

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A customer wants to deploy a large number of 3-tier web applications on Compute Engine.
How should the customer ensure authenticated network separation between the different tiers of the application?

Run each tier in its own Project, and segregate using Project labels.

Run each tier with a different Service Account (SA), and use SA-based firewall rules.

Run each tier in its own subnet, and use subnet-based firewall rules.

Run each tier with its own VM tags, and use tag-based firewall rules.

Access all questions and much more by creating a free account

Create resources

Host any resource

Get auto-graded reports

Continue with Google

Continue with Email

Continue with Classlink

Continue with Clever

or continue with

Microsoft

Apple

Others

Already have an account?

Similar Resources on Wayground

100 questions

Fundamentals of Information Systems

Quiz

•

Professional Development

110 questions

C Programming Quiz

Quiz

•

Professional Development

102 questions

BANKING LAW AND PRACTICES QUESTIONS

Quiz

•

Professional Development

Popular Resources on Wayground

5 questions

This is not a...winter edition (Drawing game)

Quiz

•

1st - 5th Grade

25 questions

Multiplication Facts

Quiz

•

5th Grade

10 questions

Identify Iconic Christmas Movie Scenes

Interactive video

•

6th - 10th Grade

20 questions

Christmas Trivia

Quiz

•

6th - 8th Grade

18 questions

Kids Christmas Trivia

Quiz

•

KG - 5th Grade

11 questions

How well do you know your Christmas Characters?

Lesson

•

3rd Grade

14 questions

Christmas Trivia

Quiz

•

5th Grade

20 questions

How the Grinch Stole Christmas

Quiz

•

5th Grade

Discover more resources for Computers

26 questions

Christmas Movie Trivia

Lesson

•

8th Grade - Professio...

25 questions

Christmas Movies

Quiz

•

Professional Development

20 questions

Christmas Trivia

Quiz

•

Professional Development

15 questions

Fun Holiday Trivia

Quiz

•

Professional Development

25 questions

Name That Tune - Christmas

Quiz

•

Professional Development

29 questions

Christmas Song Emoji Pictionary

Quiz

•

Professional Development

9 questions

Holiday Movie Trivia

Lesson

•

Professional Development

34 questions

Winter Trivia

Quiz

•

Professional Development

Google Professional Security Engineer

105 questions

For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on `in-scope` Nodes only. These Nodes can only contain the`in-scope` Pods.How should the organization achieve this objective?

A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location.How should the company accomplish this?

Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.What should you do?

A customer wants to deploy a large number of 3-tier web applications on Compute Engine.How should the customer ensure authenticated network separation between the different tiers of the application?

You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

Access all questions and much more by creating a free account

Similar Resources on Wayground

Popular Resources on Wayground

Discover more resources for Computers

For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on `in-scope` Nodes only. These Nodes can only contain the
`in-scope` Pods.
How should the organization achieve this objective?

A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location.
How should the company accomplish this?

Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.
What should you do?

A customer wants to deploy a large number of 3-tier web applications on Compute Engine.
How should the customer ensure authenticated network separation between the different tiers of the application?