You discovered that sensitive personally identifiable information (PII) is being ingested to your Google Cloud environment in the daily ETL process from an on- premises environment to your BigQuery datasets. You need to redact this data to obfuscate the PII, but need to re-identify it for data analytics purposes. Which components should you use in your solution? (Choose two.)

B. Cloud Key Management Service

E. Cloud Data Loss Prevention with deterministic encryption using AES-SIV

C. Cloud Data Loss Prevention with cryptographic hashing

D. Cloud Data Loss Prevention with automatic text redaction

You are working with a client that is concerned about control of their encryption keys for sensitive data. The client does not want to store encryption keys at rest in the same cloud service provider (CSP) as the data that the keys are encrypting. Which Google Cloud encryption solutions should you recommend to this client? (Choose two.)

A. Customer-supplied encryption keys

E. Customer-managed encryption keys

You are implementing data protection by design and in accordance with GDPR requirements. As part of design reviews, you are told that you need to manage the encryption key for a solution that includes workloads for Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. Which option should you choose for this implementation?

B. Customer-managed encryption keys

C. Customer-supplied encryption keys

D. Google default encryption Hide Solution

Which Identity-Aware Proxy role should you grant to an Identity and Access Management (IAM) user to access HTTPS resources?

D. Service Broker Operator Hide Solution

You need to audit the network segmentation for your Google Cloud footprint. You currently operate Production and Non-Production infrastructure-as-a-service (IaaS) environments. All your VM instances are deployed without any service account customization. After observing the traffic in your custom network, you notice that all instances can communicate freely `" despite tag-based VPC firewall rules in place to segment traffic properly `" with a priority of 1000. What are the most likely reasons for this behavior?

A. All VM instances are missing the respective network tags

D. A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999. E . A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 1001

B. All VM instances are residing in the same network subnet.

C. All VM instances are configured with the same network route.

You are creating a new infrastructure CI/CD pipeline to deploy hundreds of ephemeral projects in your Google Cloud organization to enable your users to interact with Google Cloud. You want to restrict the use of the default networks in your organization while following Google-recommended best practices. What should you do?

A. Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.

B. Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.

C. Grant your users the IAM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts the compute.googleapis.com API.

D. Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks. Hide Solution

You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud. Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.)

D. Use SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.

E. Provide granular access with predefined roles

A. Use Google default encryption.

B. Manually add users to Google Cloud.

C. Provision users with basic roles using Google's Identity and Access Management (IAM) service.

You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?

A. Use Packet Mirroring to mirror traffic to and from particular VM instances. Perform inspection using security software that analyzes the mirrored traffic.

B. Enable VPC Flow Logs for all subnets in the VPC. Perform inspection on the Flow Logs data using Cloud Logging.

C. Configure the Fluentd agent on each VM Instance within the VPC. Perform inspection on the log data using Cloud Logging.

D. Configure Google Cloud Armor access logs to perform inspection on the log data. Hide Solution

You have the following resource hierarchy. There is an organization policy at each node in the hierarchy as shown. Which load balancer types are denied in VPC A?

A. All load balancer types are denied in accordance with the global node's policy

B. INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder's policy.

C. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project's policy.

D. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project's policies. Hide Solution

Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements: ✑ The Cloud Storage bucket in Project A can only be readable from Project B. ✑ The Cloud Storage bucket in Project A cannot be accessed from outside the network. ✑ Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket. What should the security team do?

B. Enable VPC Service Controls, create a perimeter around Projects A and B, and include the Cloud Storage API in the Service Perimeter configuration.

A. Enable domain restricted sharing in an organization policy, and enable uniform bucket-level access on the Cloud Storage bucket.

C. Enable Private Access in both Project A and B's networks with strict firewall rules that allow communication between the networks.

D. Enable VPC Peering between Project A and B's networks with strict firewall rules that allow communication between the networks. Hide Solution

You need to create a VPC that enables your security team to control network resources such as firewall rules. How should you configure the network to allow for separation of duties for network resources?

D. Set up a Shared VPC where the security team manages the firewall rules, and share the network with developers via service projects.

A. Set up multiple VPC networks, and set up multi-NIC virtual appliances to connect the networks.

B. Set up VPC Network Peering, and allow developers to peer their network with a Shared VPC.

C. Set up a VPC in a project. Assign the Compute Network Admin role to the security team, and assign the Compute Admin role to the developers.

You are onboarding new users into Cloud Identity and discover that some users have created consumer user accounts using the corporate domain name. How should you manage these consumer user accounts with Cloud Identity?

C. Use the transfer tool for unmanaged user accounts.

A. Use Google Cloud Directory Sync to convert the unmanaged user accounts.

B. Create a new managed user account for each consumer user account.

D. Configure single sign-on using a customer's third-party provider

You have created an OS image that is hardened per your organization's security standards and is being stored in a project managed by the security team. As a Google Cloud administrator, you need to make sure all VMs in your Google Cloud organization can only use that specific OS image while minimizing operational overhead. What should you do? (Choose two.)

B. Grant users the compute.imageUser role in the OS image project

D. Set up an image access organization policy constraint, and list the security team managed project in the project's allow list.

A. Grant users the compute.imageUser role in their own projects.

C. Store the image in every project that is spun up in your organization.

E. Remove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.

You're developing the incident response plan for your company. You need to define the access strategy that your DevOps team will use when reviewing and investigating a deployment issue in your Google Cloud environment. There are two main requirements: ✑ Least-privilege access must be enforced at all times. ✑ The DevOps team must be able to access the required resources only during the deployment issue. How should you grant access while following Google-recommended best practices?

D. Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team

A. Assign the Project Viewer Identity and Access Management (IAM) role to the DevOps team.

B. Create a custom IAM role with limited list/view permissions, and assign it to the DevOps team.

C. Create a service account, and grant it the Project Owner IAM role. Give the Service Account User Role on this service account to the DevOps team

You are working with a client who plans to migrate their data to Google Cloud. You are responsible for recommending an encryption service to manage their encrypted keys. You have the following requirements: ✑ The master key must be rotated at least once every 45 days. ✑ The solution that stores the master key must be FIPS 140-2 Level 3 validated. ✑ The master key must be stored in multiple regions within the US for redundancy. Which solution meets these requirements?

B. Customer-managed encryption keys with Cloud HSM

A. Customer-managed encryption keys with Cloud Key Management Service

C. Customer-supplied encryption keys

D. Google-managed encryption keys

You are consulting with a client that requires end-to-end encryption of application data (including data in transit, data in use, and data at rest) within Google Cloud. Which options should you utilize to accomplish this? (Choose two.)

D. Confidential Computing and Istio

B. Customer-supplied encryption keys

You need to enforce a security policy in your Google Cloud organization that prevents users from exposing objects in their buckets externally. There are currently no buckets in your organization. Which solution should you implement proactively to achieve this goal with the least operational overhead?

B. Enable the constraints/storage.publicAccessPrevention constraint at the organization level.

A. Create an hourly cron job to run a Cloud Function that finds public buckets and makes them private.

C. Enable the constraints/storage.uniformBucketLevelAccess constraint at the organization level.

D. Create a VPC Service Controls perimeter that protects the storage.googleapis.com service in your projects that contains buckets. Add any new project that contains a bucket to the perimeter. Hide Solution

Your company requires the security and network engineering teams to identify all network anomalies and be able to capture payloads within VPCs. Which method should you use?

B. Configure packet mirroring policies

A. Define an organization policy constraint.

C. Enable VPC Flow Logs on the subnet.

D. Monitor and analyze Cloud Audit Logs.

An organization wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data Loss Prevention API technique should you use?

C. Format-preserving encryption

You need to set up a Cloud Interconnect connection between your company’s on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?

D. Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.

A. Enable Private Google Access on the regional subnets and global dynamic routing mode.

B. Create a CNAME to map *. googleapis.com to restricted.googleapis.com , and create A records for restricted.googleapis.com mapped to 199.36.153.8/30.

C. Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.

Your organization develops software involved in many open source projects and is concerned about software supply chain threats. You need to deliver provenance for the build to demonstrate the software is untampered. What should you do?

D. 1. Generate Supply Chain Levels for Software Artifacts (SLSA) level 3 assurance by using Cloud Build. 2. View the build provenance in the Security insights side panel within the Google Cloud console

A. 1. Hire an external auditor to review and provide provenance. 2. Define the scope and conditions. 3. Get support from the Security department or representative. 4. Publish the attestation to your public web page.

B. 1. Review the software process. 2. Generate private and public key pairs and use Pretty Good Privacy (PGP) protocols to sign the output software artifacts together with a file containing the address of your enterprise and point of contact. 3. Publish the PGP signed attestation to your public web page.

C. 1. Publish the software code on GitHub as open source. 2. Establish a bug bounty program, and encourage the open source community to review, report, and fix the vulnerabilities.

Your organization operates Virtual Machines (VMs) with only private IPs in the Virtual Private Cloud (VPC) with internet access through Cloud NAT. Everyday, you must patch all VMs with critical OS updates and provide summary reports. What should you do?

D. Ensure that VM Manager is installed and running on the VMs. In the OS patch management service, configure the patch jobs to update with critical patches dally.

A. Validate that the egress firewall rules allow any outgoing traffic. Log in to each VM and execute OS specific update commands. Configure the Cloud Scheduler job to update with critical patches daily for daily updates.

B. Copy the latest patches to the Cloud Storage bucket. Log in to each VM, download the patches from the bucket, and install them.

C. Assign public IPs to VMs. Validate that the egress firewall rules allow any outgoing traffic. Log in to each VM, and configure a daily cron job to enable for OS updates at night during low activity periods.

For compliance reporting purposes, the internal audit department needs you to provide the list of virtual machines (VMs) that have critical operating system (OS) security updates available, but not installed. You must provide this list every six months, and you want to perform this task quickly. What should you do?

D. Ensure the OS Config agent is installed on all VMs and extract the patch status dashboard every six months.

A. Run a Security Command Center security scan on all VMs to extract a list of VMs with critical OS vulnerabilities every six months.

B. Run a gcloud CLI command from the Command Line Interface (CLI) to extract the VM's OS version information every six months.

C. Ensure that the Cloud Logging agent is installed on all VMs, and extract the OS last update log date every six months.

Your company conducts clinical trials and needs to analyze the results of a recent study that are stored in BigQuery. The interval when the medicine was taken contains start and stop dates. The interval data is critical to the analysis, but specific dates may identify a particular batch and introduce bias. You need to obfuscate the start and end dates for each row and preserve the interval data. What should you do?

A. Use date shifting with the context set to the unique ID of the test subject.

B. Extract the date using TimePartConfig from each date field and append a random month and year.

C. Use bucketing to shift values to a predetermined date based on the initial value.

D. Use the FFX mode of format preserving encryption (FPE) and maintain data consistency.

You have a highly sensitive BigQuery workload that contains personally identifiable information (PII) that you want to ensure is not accessible from the internet. To prevent data exfiltration, only requests from authorized IP addresses are allowed to query your BigQuery tables. What should you do?

A. Use service perimeter and create an access level based on the authorized source IP address as the condition

B. Use Google Cloud Armor security policies defining an allowlist of authorized IP addresses at the global HTTPS load balancer.

C. Use the Restrict Resource Service Usage organization policy constraint along with Cloud Data Loss Prevention (DLP).

D. Use the Restrict allowed Google Cloud APIs and services organization policy constraint along with Cloud Data Loss Prevention (DLP)

Your organization is moving virtual machines (VMs) to Google Cloud. You must ensure that operating system images that are used across your projects are trusted and meet your security requirements. What should you do?

A. Implement an organization policy to enforce that boot disks can only be created from images that come from the trusted image project.

B. Implement an organization policy constraint that enables the Shielded VM service on all projects to enforce the trusted image repository usage.

C. Create a Cloud Function that is automatically triggered when a new virtual machine is created from the trusted image repository. Verify that the image is not deprecated.

D. Automate a security scanner that verifies that no common vulnerabilities and exposures (CVEs) are present in your trusted image repository.

You have stored company approved compute images in a single Google Cloud project that is used as an image repository. This project is protected with VPC Service Controls and exists in the perimeter along with other projects in your organization. This lets other projects deploy images from the image repository project. A team requires deploying a third-party disk image that is stored in an external Google Cloud organization. You need to grant read access to the disk image so that it can be deployed into the perimeter. What should you do?

B. 1. Update the perimeter. 2. Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com . 3. Configure the egressFrom field to set identityType to ANY_IDENTITY.

A. Allow the external project by using the organizational policy, constraints/compute.trustedImageProjects.

C. 1. Update the perimeter. 2. Configure the ingressFrom field to set identityType to ANY_IDENTITY. 3. Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com .

D. 1. Update the perimeter. 2. Configure the egressTo field to set identityType to ANY_IDENTITY. 3. Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com .

A service account key has been publicly exposed on multiple public code repositories. After reviewing the logs, you notice that the keys were used to generate short-lived credentials. You need to immediately remove access with the service account. What should you do?

A. Delete the compromised service account.

B. Disable the compromised service account key.

C. Wait until the service account credentials expire automatically.

D. Rotate the compromised service account key.

A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application. The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud. What should you do?

C. 1. Enable vulnerability scanning in the Artifact Registry settings. 2. Use Cloud Build to build the images. 3. Push the images to the Artifact Registry for automatic scanning. 4. View the reports in the Artifact Registry.

A. 1. Enable Container Threat Detection in the Security Command Center Premium tier. 2. Upgrade all clusters that are not on a supported version of GKE to the latest possible GKE version. 3. View and share the results from the Security Command Center.

B. 1. Use an open source tool in Cloud Build to scan the images. 2. Upload reports to publicly accessible buckets in Cloud Storage by using gsutil. 3. Share the scan report link with your security department.

D. 1. Get a GitHub subscription. 2. Build the images in Cloud Build and store them in GitHub for automatic scanning. 3. Download the report from GitHub and share with the Security Team.

Your application is deployed as a highly available, cross-region solution behind a global external HTTP(S) load balancer. You notice significant spikes in traffic from multiple IP addresses, but it is unknown whether the IPs are malicious. You are concerned about your application's availability. You want to limit traffic from these clients over a specified time interval.

A. Configure a throttle action by using Google Cloud Armor to limit the number of requests per client over a specified time interval.

B. Configure a rate_based_ban action by using Google Cloud Armor and set the ban_duration_sec parameter to the specified lime interval.

C. Configure a firewall rule in your VPC to throttle traffic from the identified IP addresses.

D. Configure a deny action by using Google Cloud Armor to deny the clients that issued too many requests over the specified time interval.

Your organization is using Active Directory and wants to configure Security Assertion Markup Language (SAML). You must set up and enforce single sign-on (SSO) for all users. What should you do?

A. 1. Create a new SAML profile. 2. Populate the sign-in and sign-out page URLs. 3. Upload the X.509 certificate. 4. Configure Entity ID and ACS URL in your IdP.

B. 1. Configure prerequisites for OpenID Connect (OIDC) in your Active Directory (AD) tenant. 2. Verify the AD domain. 3. Decide which users should use SAML. 4. Assign the pre-configured profile to the select organizational units (OUs) and groups.

C. 1. Create a new SAML profile. 2. Upload the X.509 certificate. 3. Enable the change password URL. 4. Configure Entity ID and ACS URL in your IdP.

D. 1. Manage SAML profile assignments. 2. Enable OpenID Connect (OIDC) in your Active Directory (AD) tenant. 3. Verify the domain.

Employees at your company use their personal computers to access your organization's Google Cloud console. You need to ensure that users can only access the Google Cloud console from their corporate-issued devices and verify that they have a valid enterprise certificate.

A. Implement an Access Policy in BeyondCorp Enterprise to verify the device certificate. Create an access binding with the access policy just created.

B. Implement a VPC firewall policy. Activate packet inspection and create an allow rule to validate and verify the device certificate.

C. Implement an organization policy to verify the certificate from the access context.

D. Implement an Identity and Access Management (IAM) conditional policy to verify the device certificate. Hide Solution

Your organization is rolling out a new continuous integration and delivery (CI/CD) process to deploy infrastructure and applications in Google Cloud. Many teams will use their own instances of the CI/CD workflow. It will run on Google Kubernetes Engine (GKE). The CI/CD pipelines must be designed to securely access Google Cloud APIs.

A. 1. Create two service accounts, one for the infrastructure and one for the application deployment. 2. Use workload identities to let the pods run the two pipelines and authenticate with the service accounts. 3. Run the infrastructure and application pipelines in separate namespaces.

B. 1. Create a dedicated service account for the CI/CD pipelines. 2. Run the deployment pipelines in a dedicated nodes pool in the GKE cluster. 3. Use the service account that you created as identity for the nodes in the pool to authenticate to the Google Cloud APIs.

C. 1. Create individual service accounts for each deployment pipeline. 2. Add an identifier for the pipeline in the service account naming convention. 3. Ensure each pipeline runs on dedicated pods. 4. Use workload identity to map a deployment pipeline pod with a service account.

D. 1. Create service accounts for each deployment pipeline. 2. Generate private keys for the service accounts. 3. Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deploy pipeline.

Your organization's Customers must scan and upload the contract and their driver license into a web portal in Cloud Storage. You must remove all personally identifiable information (PII) from files that are older than 12 months. Also, you must archive the anonymized files for retention purposes.

B. Create a Cloud Data loss Prevention (DLP) inspection job that de-identifies PII in files created more than 12 months ago and archives them to another Cloud Storage bucket. Delete the original files.

A. Set a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PII and moves the files to the archive storage class.

C. Configure the Autoclass feature of the Cloud Storage bucket to de-identify PII. Archive the files that are older than 12 months. Delete the original files.

D. Schedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys of the Cloud Storage files containing PII to de-identify them. Delete the original keys.

You plan to synchronize identities to Cloud Identity from a third-party identity provider (IdP). You discovered that some employees used their corporate email address to set up consumer accounts to access Google services. You need to ensure that the organization has control over the configuration, security, and lifecycle of these consumer accounts. What should you do?

B. Reconcile accounts that exist in Cloud Identity but not in the third-party IdP.

A. Mandate that those corporate employees delete their unmanaged consumer accounts

C. Evict the unmanaged consumer accounts in the third-party IdP before you sync identities.

D. Use Google Cloud Directory Sync (GCDS) to migrate the unmanaged consumer accounts' emails as user aliases.

E. Use the transfer tool to invite those corporate employees to transfer their unmanaged consumer accounts to the corporate domain. Hide Solution

You are auditing all your Google Cloud resources in the production project. You want to identify all principals who can change firewall rules.

D. Use Policy Analyzer to query the permissions compute.firewalls.create or compute.firewalls.update or compute.firewalls.delete.

A. Use Policy Analyzer to query the permissions compute.firewalls.get or compute.firewalls.list.

B. Use Firewall Insights to understand your firewall rules usage patterns.

C. Reference the Security Health Analytics – Firewall Vulnerability Findings in the Security Command Center.

Your organization previously stored files in Cloud Storage by using Google Managed Encryption Keys (GMEK), but has recently updated the internal policy to require Customer Managed Encryption Keys (CMEK). You need to re-encrypt the files quickly and efficiently with minimal cost.

D. Change the encryption type on the bucket to CMEK, and rewrite the objects.

A. Reupload the files to the same Cloud Storage bucket specifying a key file by using gsutil.

B. Encrypt the files locally, and then use gsutil to upload the files to a new bucket.

C. Copy the files to a new bucket with CMEK enabled in a secondary region.

You run applications on Cloud Run. You already enabled container analysis for vulnerability scanning. However, you are concerned about the lack of control on the applications that are deployed. You must ensure that only trusted container images are deployed on Cloud Run.

A. Enable Binary Authorization on the existing Cloud Run service.

B. Set the organization policy constraint constraints/run.allowedBinaryAuthorizationPolicies to the list or allowed Binary Authorization policy names.

C. Enable Binary Authorization on the existing Kubernetes cluster.

D. Use Cloud Run breakglass to deploy an image that meets the Binary Authorization policy by default.

E. Set the organization policy constraint constraints/compute.trustedImageProjects to the list of projects that contain the trusted container images.

Your organization has on-premises hosts that need to access Google Cloud APIs. You must enforce private connectivity between these hosts, minimize costs, and optimize for operational efficiency. What should you do?

B. Route all on-premises traffic to Google Cloud through an IPsec VPN tunnel to a VPC with Private Google Access enabled.

A. Set up VPC peering between the hosts on-premises and the VPC through the internet.

C. Enforce a security policy that mandates all applications to encrypt data with a Cloud Key Management Service (KMS) key before you send it over the network.

D. Route all on-premises traffic to Google Cloud through a dedicated or Partner Interconnect to a VPC with Private Google Access enabled.

As part of your organization's zero trust strategy, you use Identity-Aware Proxy (IAP) to protect multiple applications. You need to ingest logs into a Security Information and Event Management (SIEM) system so that you are alerted to possible intrusions.

C. Cloud Identity user log events

Your company must follow industry specific regulations. Therefore, you need to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources in the organization called org1. What command should you execute?

B. • organization policy: con-straints/gcp.restrictNonCmekServices • binding at: org1 • policy type: deny • policy value: storage.googleapis.com

A. • organization poli-cy:constraints/gcp.restrictStorageNonCmekServices • binding at: org1 • policy type: allow • policy value: all supported services

C. • organization policy: con-straints/gcp.restrictStorageNonCmekServices • binding at: org1 • policy type: deny • policy value: storage.googleapis.com

D. • organization policy: con-straints/gcp.restrictNonCmekServices • binding at: org1 • policy type: allow • policy value: storage.googleapis.com

Your company's Google Cloud organization has about 200 projects and 1,500 virtual machines. There is no uniform strategy for logs and events management, which reduces visibility for your security operations team. You need to design a logs management solution that provides visibility and allows the security team to view the environment's configuration. What should you do?

B. 1. Create one log sink at the organization level that includes all the child resources. 2. Use as destination a Pub/Sub topic to ingest the logs into the security information and event. management (SIEM) on-premises, and ensure that the right team can access the SIEM. 3. Grant the Viewer role at organization level to the security operations team

A. 1. Create a dedicated log sink for each project that is in scope. 2. Use a BigQuery dataset with time partitioning enabled as a destination of the log sinks. 3. Deploy alerts based on log metrics in every project. 4. Grant the role "Monitoring Viewer" to the security operations team in each project.

C. 1. Enable network logs and data access logs for all resources in the "Production" folder. 2. Do not create log sinks to avoid unnecessary costs and latency. 3. Grant the roles "Logs Viewer" and "Browser" at project level to the security operations team.

D. 1. Create one sink for the "Production" folder that includes child resources and one sink for the logs ingested at the organization level that excludes child resources. 2. As destination, use a log bucket with a minimum retention period of 90 days in a project that can be accessed by the security team. 3. Grant the security operations team the role of Security Reviewer at organization level.

Your Google Cloud organization allows for administrative capabilities to be distributed to each team through provision of a Google Cloud project with Owner role (roles/owner). The organization contains thousands of Google Cloud projects. Security Command Center Premium has surfaced multiple OPEN_MYSQL_PORT findings. You are enforcing the guardrails and need to prevent these types of common misconfigurations. What should you do?

B. Create a hierarchical firewall policy configured at the organization to allow connections only from internal IP ranges.

A. Create a hierarchical firewall policy configured at the organization to deny all connections from 0.0.0.0/0.

C. Create a Google Cloud Armor security policy to deny traffic from 0.0.0.0/0.

D. Create a firewall rule for each virtual private cloud (VPC) to deny traffic from 0.0.0.0/0 with priority 0.

Google Professional Cloud Security Engineer Exam (Part 4)

Authored by Mauricio Ardon

Professional Development

Used 1+ times

Google Professional Cloud Security Engineer Exam (Part 4)

AI Actions

Add similar questions

Adjust reading levels

Convert to real-world scenario

Translate activity

More...

Content View

Student View

51 questions

Show all answers

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

You need to centralize your team's logs for production projects. You want your team to be able to search and analyze the logs using Logs Explorer. What should you do?

A. Enable Cloud Monitoring workspace, and add the production projects to be monitored.

sdfB. Use Logs Explorer at the organization level and filter for production project logs.

C. Create an aggregate org sink at the parent folder of the production projects, and set the destination to a Cloud Storage bucket.

D. Create an aggregate org sink at the parent folder of the production projects, and set the destination to a logs bucket.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

You need to use Cloud External Key Manager to create an encryption key to encrypt specific BigQuery data at rest in Google Cloud. Which steps should you do first?

A. 1. Create or use an existing key with a unique uniform resource identifier (URI) in your Google Cloud project. 2. Grant your Google Cloud project access to a supported external key management partner system.

B. 1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.

C. 1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system. 2. In the external key management partner system, grant access for this key to use your Google Cloud project.

D. 1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Your company's cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs. Which service should you use?

A. Identity Aware-Proxy

B. Cloud NAT

C. TCP/UDP Load Balancing

D. Cloud DNS

Hide Solution

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

You want to make sure that your organization's Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all
Cloud Storage buckets. What should you do?

A. Remove Owner roles from end users, and configure Cloud Data Loss Prevention.

B. Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.

C. Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy

D. Remove *.setIamPolicy permissions from all roles, and enforce domain restricted sharing in an organization policy.

Hide Solution

MULTIPLE SELECT QUESTION

45 sec • 1 pt

Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud. Which two steps should you take to integrate the company's on-premises Active Directory with Google Cloud and configure access management? (Choose two.)

A. Use Identity Platform to provision users and groups to Google Cloud.

B. Use Cloud Identity SAML integration to provision users and groups to Google Cloud.

C. Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.

D. Create Identity and Access Management (IAM) roles with permissions corresponding to each Active Directory group.

E. Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group.

MULTIPLE SELECT QUESTION

45 sec • 1 pt

You are in charge of creating a new Google Cloud organization for your company. Which two actions should you take when creating the super administrator accounts? (Choose two.)

A. Create an access level in the Google Admin console to prevent super admin from logging in to Google Cloud.

B. Disable any Identity and Access Management (IAM) roles for super admin at the organization level in the Google Cloud Console.

C. Use a physical token to secure the super admin credentials with multi-factor authentication (MFA)

D. Use a private connection to create the super admin accounts to avoid sending your credentials over the Internet.

E. Provide non-privileged identities to the super admin users for their day-to-day activities.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

A. Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.

B. Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.

C. Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.

D. Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.

Hide Solution

Access all questions and much more by creating a free account

Create resources

Host any resource

Get auto-graded reports

Continue with Google

Continue with Email

Continue with Classlink

Continue with Clever

or continue with

Microsoft

Apple

Others

Already have an account?

Similar Resources on Wayground

50 questions

SELASAR W1 SEPT 2024

Quiz

•

Professional Development

56 questions

ITF+ Practice Exam #1

Quiz

•

Professional Development

50 questions

ECG Make Up

Quiz

•

Professional Development

54 questions

Una classe inclusiva

Quiz

•

Professional Development

48 questions

Compass

Quiz

•

Professional Development

49 questions

Health and Safety In Construction

Quiz

•

Professional Development

48 questions

Sharepoint Administration Revision

Quiz

•

Professional Development

50 questions

Customer Orientation (MSIB)

Quiz

•

Professional Development

Popular Resources on Wayground

7 questions

History of Valentine's Day

Interactive video

•

4th Grade

15 questions

Fractions on a Number Line

Quiz

•

3rd Grade

20 questions

Equivalent Fractions

Quiz

•

3rd Grade

25 questions

Multiplication Facts

Quiz

•

5th Grade

$fractions$

22 questions

fractions

Quiz

•

3rd Grade

15 questions

Valentine's Day Trivia

Quiz

•

3rd Grade

20 questions

Main Idea and Details

Quiz

•

5th Grade

20 questions

Context Clues

Quiz

•

6th Grade

Discover more resources for Professional Development

44 questions

Would you rather...

Quiz

•

Professional Development

Google Professional Cloud Security Engineer Exam (Part 4)

You need to centralize your team's logs for production projects. You want your team to be able to search and analyze the logs using Logs Explorer. What should you do?

You need to use Cloud External Key Manager to create an encryption key to encrypt specific BigQuery data at rest in Google Cloud. Which steps should you do first?

Your company's cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs. Which service should you use?

You want to make sure that your organization's Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across allCloud Storage buckets. What should you do?

You are in charge of creating a new Google Cloud organization for your company. Which two actions should you take when creating the super administrator accounts? (Choose two.)

You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

Access all questions and much more by creating a free account

Similar Resources on Wayground

Popular Resources on Wayground

Discover more resources for Professional Development

You want to make sure that your organization's Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all
Cloud Storage buckets. What should you do?