Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.
Which two settings must remain disabled to meet these requirements? (Choose two.)
A. Public IP
B. IP Forwarding
C. Private Google Access
D. Static routes
E. IAM Network User Role
Which two implied firewall rules are defined on a VPC network? (Choose two.)
A. A rule that allows all outbound connections
B. A rule that denies all inbound connections
C. A rule that blocks all inbound port 25 connections
D. A rule that blocks all outbound connections
E. A rule that allows all inbound port 80 connections
When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)
A. Ensure that the app does not run as PID 1.
B. Package a single app as a container.
C. Remove any unnecessary tools not needed by the app.
D. Use public container images as a base image for the app.
E. Use many container image layers to hide sensitive information.
A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end-user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection.
Which product should be used to meet these requirements?
A. Cloud Armor
B. VPC Firewall Rules
C. Cloud Identity and Access Management
D. Cloud CDN
A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.
Which two approaches can you take to meet the requirements? (Choose two.)
A. Configure the project with Cloud VPN.
B. Configure the project with Shared VPC.
C. Configure the project with Cloud Interconnect.
D. Configure the project with VPC peering.
E. Configure all Compute Engine instances with Private Access.
A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity-Aware Proxy.
What should the customer do to meet these requirements?
A. Make sure that the ERP system can validate the JWT assertion in the HTTP requests.
B. Make sure that the ERP system can validate the identity headers in the HTTP requests.
C. Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.
D. Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests.
A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?
A. VPC Flow Logs
B. Cloud Armor
C. DNS Security Extensions
D. Cloud Identity-Aware Proxy
Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?
A. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
B. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project. 2. Process Cloud Storage objects in SIEM.
C. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
D. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project. 2. Process Cloud Storage objects in SIEM.
An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.
Which Cloud Identity password guidelines can the organization use to inform their new requirements?
A. Set the minimum length for passwords to be 8 characters.
B. Set the minimum length for passwords to be 10 characters.
C. Set the minimum length for passwords to be 12 characters.
D. Set the minimum length for passwords to be 6 characters.
A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.
How should the customer achieve this using Google Cloud Platform?
A. Use Cloud Source Repositories, and store secrets in Cloud SQL.
B. Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.
C. Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL.
D. Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.
In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.
Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)
A. App Engine
B. Cloud Functions
C. Compute Engine
D. Google Kubernetes Engine
E. Cloud Storage
A retail customer allows users to upload comments and product reviews. The customer needs to make sure the text does not include sensitive data before the comments or reviews are published.
Which Google Cloud Service should be used to achieve this?
A. Cloud Key Management Service
B. Cloud Data Loss Prevention API
C. BigQuery
D. Web Security Scanner
A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs.
What should you do?
A. Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.
B. Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.
C. Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.
D. Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.
A customer's data science group wants to use Google Cloud Platform (GCP) for their analytics workloads. Company policy dictates that all data must be company-owned and all user authentications must go through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and realized that their domain was already being used by G Suite.
How should you best advise the Systems Engineer to proceed with the least disruption?
A. Contact Google Support and initiate the Domain Contestation Process to use the domain name in your new Cloud Identity domain.
B. Register a new domain name, and use that for the new Cloud Identity domain.
C. Ask Google to provision the data science manager's account as a Super Administrator in the existing domain.
D. Ask customer's management to discover any other uses of Google managed services, and work with the existing Super Administrator.
Your company is using GSuite and has developed an application meant for internal usage on Google App Engine. You need to make sure that an external user cannot gain access to the application even when an employee's password has been compromised.
What should you do?
A. Enforce 2-factor authentication in GSuite for all users.
B. Configure Cloud Identity-Aware Proxy for the App Engine Application.
C. Provision user passwords using GSuite Password Sync.
D. Configure Cloud VPN between your private network and GCP.
You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk.
What should you do?
A. Migrate the application into an isolated project using a "Lift & Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
B. Migrate the application into an isolated project using a "Lift & Shift" approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.
C. Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
D. Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project. Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects.
Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources.
Which type of access should your team grant to meet this requirement?
A. Organization Administrator
B. Security Reviewer
C. Organization Role Administrator
D. Organization Policy Administrator
A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location.
How should the company accomplish this?
A. Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.
B. Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.
C. Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.
D. Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.
Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.
What should your team grant to Engineering Group A to meet this requirement?
A. Compute Network User Role at the host project level.
B. Compute Network User Role at the subnet level.
C. Compute Shared VPC Admin Role at the host project level.
D. Compute Shared VPC Admin Role at the service project level.
A company migrated their entire data center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time.
What should you do?
A. Use Resource Manager on the organization level.
B. Use Forseti Security to automate inventory snapshots.
C. Use Stackdriver to create a dashboard across all projects.
D. Use Security Command Center to view all assets across the organization.
You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google-recommended practices.
What should you do?
A. Create a new Service account, and give all application users the role of Service Account User.
B. Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.
C. Use a dedicated G Suite Admin account, and authenticate the application's operations with these G Suite credentials.
D. Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.
A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects.
Which two steps should the company take to meet these requirements? (Choose two.)
A. Create a project with multiple VPC networks for each environment.
B. Create a folder for each development and production environment.
C. Create a Google Group for the Engineering team, and assign permissions at the folder level.
D. Create an Organizational Policy constraint for each folder environment.
E. Create projects for each environment, and grant IAM rights to each engineering user.
A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places.
Which Storage solution are they allowed to use?
A. Cloud Bigtable
B. Cloud BigQuery
C. Compute Engine SSD Disk
D. Compute Engine Persistent Disk
You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.
What should you do?
A. Use multi-factor authentication for admin access to the web application.
B. Use only applications certified compliant with PA-DSS.
C. Move the cardholder data environment into a separate GCP project.
D. Use VPN for all connections between your office and cloud environments.
A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in BigQuery.
What technique should the institution use?
A. Use Cloud Storage as a federated Data Source.
B. Use a Cloud Hardware Security Module (Cloud HSM).