• A. Configure the organization policy constraint gcp.resourceLocations to europe-west4.

• B. Configure log sink to export all logs into a Cloud Storage bucket in europe-west4.

C. Create a new log bucket in europe-west4, and redirect the _Default bucket to the new bucket.

• D. Set the logging storage region to europe-west4 by using the gcloud CLI logging settings update.

A. Virtual Machine Threat Detection

• B. Container Threat Detection

• C. Rapid Vulnerability Detection

• D. Web Security Scanner

• A. Enable data access logs for IAM APIs.

• B. Limit the number of external identities that can impersonate a service account.

C. Use a dedicated project to manage workload identity pools and providers.

D. Use immutable attributes in attribute mappings

• E. Limit the resources that a service account can access.

• A. Create row-level access policies to restrict the result data when you run queries with the filter expression set to TRUE.

• B. Configure column-level encryption by using Authenticated Encryption with Associated Data (AEAD) functions with Cloud Key Management Service (KMS) to control access to columns at query runtime.

C. Create row-level access policies to restrict the result data when you run queries with the filter expression set to FALSE.

• D. Configure dynamic data masking rules to control access to columns at query runtime.

E. Create column-level policy tags to control access to columns at query runtime.

• A. Provision an HTTP load balancer with the VM in an unmanaged instance group to allow inbound connections from the internet to your VM.

B. Provision a Cloud NAT instance in the same VPC and region as the Compute Engine VM.

C. Enable Private Google Access on the subnet that the Compute Engine VM is deployed within.

• D. Update the VPC routes to allow traffic to and from the internet.

• E. Provision a Cloud VPN tunnel in the same VPC and region as the Compute Engine VM.

• A. 1. Remove the Identity and Access Management (IAM) granting access to all Users from the buckets.
  2. Apply the organization policy storage.uniformBucketLevelAccess to prevent regressions.
  3. Query the data access logs to report on unauthorized access.

B. 1. Change permissions to limit access for authorized users.
2. Enforce a VPC Service Controls perimeter around all the production projects to immediately stop any unauthorized access.
3. Review the administrator activity audit logs to report on any unauthorized ac

C. 1. Change the bucket permissions to limit access.
2. Query the bucket's usage logs to report on unauthorized access to the data.
3. Enforce the organization policy storage.publicAccessPrevention to avoid regressions.

• D. 1. Change bucket permissions to limit access.
  2. Query the data access audit logs for any unauthorized access to the buckets.
  3. After the misconfiguration is corrected, mute the finding in the Security Command Center.

• A. Enable Container Threat Detection in the Security Command Center (SCC) for the project.

B. Configure the trusted image organization policy constraint for the project.

• C. Create a custom organization policy constraint to enforce Binary Authorization for Google Kubernetes Engine (GKE).

• D. Enable PodSecurity standards, and set them to Restricted.

E. Configure the Binary Authorization policy with respective attestations for the project.