Cloud Guru: Google Cloud Professional Cloud Security Engineer
Which two of the following statements about Cloud IAM policies are true? A. A policy is a collection of access statements attached to a resource. B. A less restrictive parent policy will not override a more restrictive child resource policy. C. An organizational policy can only be applied to the organization node D. A policy binding binds a list of members to a role.
A. A policy is a collection of access statements attached to a resource. D. A policy binding binds a list of members to a role.
Which two of the following statements about Cloud Storage and IAM permissions are true? A. Access can be granted to Cloud Storage at the organization, folder, project, or bucket levels. B. It is possible to remove a permission from a lower level that was granted at a higher level. C. A user needs permission from both IAM and an ACL in order to access a bucket or object. D. Using IAM permissions alone gives you control over your projects and buckets but does not give you control over individual objects.
A. Access can be granted to Cloud Storage at the organization, folder, project, or bucket levels. D. Using IAM permissions alone gives you control over your projects and buckets but does not give you control over individual objects.
When grouping resources that share the same trust boundary in the GCP hierarchy, how should those resources be organized? A. At the project level B. At the organization Level C. At the folder level D. At the VPC level
A. At the project level
Which two of the following statements about IAM best practices are true? A. Avoid managing permissions on an individual user basis if possible. B. Users or groups should only be assigned the permissions that they need to do their job, no more. C. Super admin accounts should always be used for day-to-day activities. D. Requiring two-step verification is only recommended for super admin accounts.
A. Avoid managing permissions on an individual user basis if possible. B. Users or groups should only be assigned the permissions that they need to do their job, no more.
What are the 3 options for encryption at rest in GCP? A. CMEK B. TLS C. CSEK D. Encryption by default
A. CMEK C. CSEK D. Encryption by default
You use Cloud Security Scanner to run a vulnerability scan on an application running on GKE. When the scan is complete, you notice the results in the report are missing a number of webpages. The pages that contain mouseover menus are the ones missing from the report. What can you do to make sure the scan completes and captures the menus? A. Change the scan to include additional starting URLs. B. Modify the scan schedule to return new results. C. Verify the excluded URLs. D. Change the Google account on which the scan is running.
A. Change the scan to include additional starting URLs.
Which two of the following statements about Cloud Armor are true? A. Cloud Armor enforces access control based on IPv4 and IPv6 addresses or CIDRs. B. Cloud Armor is a ransomware defense service. C. Cloud Armor protection is delivered at the edge of Google's network. D. Cloud Armor is not currently compatible with any third-party partner security products.
A. Cloud Armor enforces access control based on IPv4 and IPv6 addresses or CIDRs. C. Cloud Armor protection is delivered at the edge of Google's network.
Your company decides that they want to start using GKE in Google Cloud. Your CTO knows that under the shared responsibility model, there are components that Google is responsible for protecting and maintaining. What parts of the Kubernetes cluster in GKE are Google's responsibility when it comes to security? A. Control Plane B. Pods C. Containers D. Worker nodes
A. Control Plane
When implementing Stackdriver Monitoring, what is the first thing you need to do to start monitoring your resources? A. Create a workspace B. Create a new project. C. Stackdriver Monitoring works out of the box; nothing needs to be done. D. Install Stackdriver agents on all instances that need to be monitored
A. Create a workspace
Your organization wants to make sure that packages in container images are kept up to date and analyzed, and to prevent images with known security issues from being pushed out to your production Google Kubernetes Engine environment. Which two security features does Google recommend using to address this issue? A. Deployment policies B. Vulnerability scanning C. Network isolation D. Password policies
A. Deployment policies B. Vulnerability scanning
Which two of the following statements about Google's ability to protect its customers from DDoS attacks are true? A. Google Frontend can detect when an attack is taking place and drop or throttle traffic associated with that attack. B. A single Google data center has many times the bandwidth of even a large DDoS attack, enabling it to simply absorb the extra load. C. A central DoS service will be supported in the near future to add another layer of protection against attacks. D. Application-aware defense is not currently supported on GCP, although support for this is planned in the very near future.
A. Google Frontend can detect when an attack is taking place and drop or throttle traffic associated with that attack. B. A single Google data center has many times the bandwidth of even a large DDoS attack, enabling it to simply absorb the extra load.
GCP products regularly undergo independent verification of security, privacy, and compliance controls. Which security standard outlines the requirements for an information security management system, specifies a set of best practices, details a list of security controls concerning the management of information risks, and protects personally identifiable information (PII)? A. ISO 27XXX B. SOC 1 C. GDPR D. HIPAA
A. ISO 27XXX (the ISO/IEC 27000 family: 27001 specifies the ISMS requirements, 27002 the best-practice controls, 27017 cloud-specific controls, and 27018 the protection of PII in public clouds)
Choose the two ways that Google Cloud Platform helps mitigate the risk of DDoS for its customers. A. Internal capacity many times that of any traffic load we can anticipate B. State-of-the-art physical security for hardware and servers C. Isolation servers are available with no external or internal access D. The Google Blacklist API is automatically included with each project
A. Internal capacity many times that of any traffic load we can anticipate B. State-of-the-art physical security for hardware and servers
Your company has multiple servers running in their on-premises data center and wants to back up the application data on those servers to GCP. They are looking for a simple, inexpensive solution. Which of the following would satisfy these requirements? A. Run a scheduled task using gsutil to back up to Cloud Storage. B. Use rsync to back up the on-premises servers to persistent disks in GCP. C. Hire a third-party company to do this for you. D. Use Google's storage appliance in the on-premises data center to back up to Cloud Storage.
A. Run a scheduled task using gsutil to back up to Cloud Storage.
Which one of the following statements about the SSL capabilities of Google Cloud Load Balancing is true? A. The Google-managed profile COMPATIBLE allows clients that support out-of-date SSL features. B. You must use one of the 3 pre-configured Google-managed profiles to specify the level of compatibility appropriate for your application. C. If no SSL policy is set, the SSL policy is automatically set to the most constrained policy, RESTRICTED. D. Google Cloud load balancers require a Google-managed SSL cert.
A. The Google-managed profile COMPATIBLE allows clients that support out-of-date SSL features.
A customer has an on-premises key management system and wants to generate, protect, rotate, and audit encryption keys within GCP using those keys. How can the customer protect their data in Cloud Storage with their own encryption keys? A. Upload the encryption keys to the same Cloud Storage bucket. B. Use default encryption at rest on the bucket. C. Use customer-managed encryption keys (CMEKs). D. Use customer-supplied encryption keys (CSEKs).
C. Use customer-managed encryption keys (CMEKs). Cloud KMS lets the customer generate (or import), rotate, and audit the keys inside GCP, which is what the question asks for; with CSEKs the key is never stored by Google and must be supplied on every request, and uploading keys into the bucket they protect defeats the purpose entirely.
Your organization uses Active Directory for your primary user directory. They want to start developing on GCP. As part of your requirements, your security team wants to use existing tools to view and manage user activity. What should you do to meet all these conditions? A. Use Active Directory as the primary identity provider. Configure Cloud Identity as a SAML 2.0 Service Provider. B. Create users in Cloud Identity using Just-in-Time SAML 2.0 provisioning using the Active Directory as the source. C. Configure a third-party identity provider to handle syncing accounts. D. Use the Cloud Identity to Active Directory synchronization service to automatically sync AD users to Cloud Identity.
A. Use Active Directory as the primary identity provider. Configure Cloud Identity as a SAML 2.0 Service Provider.
Using Google-recommended best practices, how can you guarantee that deployed container images automatically use the latest security patches? A. Use Google-managed base images for all containers. B. Use an update script as part of every container image startup. C. Maintain private images in Container Registry D. Maintain private images in Docker Hub
A. Use Google-managed base images for all containers.
You have defined subnets in a VPC within GCP, and you need multiple projects to create Compute Engine instances with IP addresses from these subnets. What should you do? A. Use Shared VPC to share the subnets with the other projects. B. Configure Cloud VPN between the projects. C. Set up VPC peering between all related projects. D. Change the VPC subnets to enable Private Google Access
A. Use Shared VPC to share the subnets with the other projects.
You have a website hosted on App Engine. After a recent update, you are receiving reports that some portions of the site take up to 20 seconds to load. The slow loading times occurred after the recent update. Which action should you perform to troubleshoot? A. Use Stackdriver Trace and Logging to troubleshoot latency issues with your website and diagnose in a testing environment B. Enable VPC Flow Logs to troubleshoot network traffic C. Use Stackdriver Monitoring to troubleshoot latency issues with your website and diagnose in a testing environment D. Roll back to a previous version of your app using the version management feature in App Engine
A. Use Stackdriver Trace and Logging to troubleshoot latency issues with your website and diagnose in a testing environment
Your organization has just acquired company ABC. As management starts to consolidate assets, they find that all of ABC's infrastructure and applications are in GCP. Your CTO wants to consolidate ABC's GCP environment with that of your company in order to centralize management. Following GCP best practices, how would you achieve this? A. Use a single organization and move all ABC assets to folders/sub-folders under your current company's organization. B. Create a new organization and put both organizations under it. C. Keep the organizations separate and give current users access to the ABC organization node. D. Use a single organization and move all ABC projects under your current company's organization.
A. Use a single organization and move all ABC assets to folders/sub-folders under your current company's organization.
You are currently testing Data Loss Prevention in your development environment and want to scan some objects in Cloud Storage to see if any sensitive data is present. You have been asked to keep costs low and to get results in a short period of time. How would you achieve this? A. Use sampling to restrict the number of bytes inspected. B. Specify the CloudStorageRegexFileSet message. C. Open the files one by one and inspect them for sensitive data. D. Set a budget alert.
A. Use sampling to restrict the number of bytes inspected.
By default, GCP encrypts all data at rest at the storage layer using envelope encryption (the process of encrypting a key with another key). Which of the following correctly describes this process in Google Cloud? A. Using a KEK to wrap a DEK B. Using a KEK to wrap a KEK C. Using a DEK to wrap a DEK D. Using a CMEK to wrap a CSEK
A. Using a KEK to wrap a DEK
Which two of the following statements about VPCs are true? A. VPC firewall rules in GCP are global in scope. B. GCP firewall ALLOW rules by default only affect traffic flowing in one direction. C. A connection is considered active if it has at least one packet sent over a one-hour period. D. Every VPC network functions as a distributed firewall where firewall rules are defined at the network level.
A. VPC firewall rules in GCP are global in scope. D. Every VPC network functions as a distributed firewall where firewall rules are defined at the network level.
What are the 3 disaster recovery patterns according to Google? A. Warm standby B. Hot recovery C. Cold D. Glacier
A. Warm standby B. Hot recovery C. Cold
Who is responsible for upgrading the nodes in your GKE cluster? A. When using node auto-upgrade, upgrading is Google's responsibility. B. It is your responsibility, as auto-upgrade only takes care of the node hardware. C. It is your responsibility, but you must wait for a notice from Cloud Security Scanner. D. When using both manual and auto-upgrade, upgrading is Google's responsibility.
A. When using node auto-upgrade, upgrading is Google's responsibility.
Which two of the following statements about Stackdriver are true? A. You can analyze Stackdriver log data in BigQuery. B. The Stackdriver Logging agent can be installed on both Compute Engine and AWS EC2 instances. C. While Stackdriver Logging is not built-in to most GCP services, you can easily add it for a reasonable fee. D. Stackdriver retains logs for an indefinite period of time.
A. You can analyze Stackdriver log data in BigQuery. B. The Stackdriver Logging agent can be installed on both Compute Engine and AWS EC2 instances.
Which two of the following statements about Cloud Storage and BigQuery best practices are true? A. You should not use any personally identifiable information as object names. B. One option to serve content securely to outside users from Cloud Storage is to use signed URLs. C. BigQuery data can be adequately secured using the default primitive roles available in GCP. D. In most cases, you should use Access Control Lists (ACLs) instead of IAM permissions.
A. You should not use any personally identifiable information as object names. B. One option to serve content securely to outside users from Cloud Storage is to use signed URLs.
A dental office needs to archive records on patients for 5 years. Typically records older than 12 months get accessed only once per quarter for reporting purposes. The dental office stores its records in Cloud Storage. They are looking for a solution that meets their archiving requirements and also reduces storage costs. Which object lifecycle management option should the clinic choose to meet these requirements? A. condition: age: 365, action: type: SetStorageClass, storageClass: COLDLINE B. condition: age: 365, action: type: SetStorageClass, storageClass: NEARLINE C. condition: creationDate: 20181231 action: type: SetStorageClass, storageClass: COLDLINE D. condition: creationDate: 20181231 action: type: SetStorageClass, storageClass: NEARLINE
A. condition: age: 365, action: type: SetStorageClass, storageClass: COLDLINE
By default, what type of encryption does Cloud Storage use? A. IKEv2 B. AES-256 C. 3DES D. MD5
B. AES-256
Your organization has a 3-tier web application deployed in the same network on GCP. Each tier (web, API, and database) scales independently of the others. Network traffic should flow through the web to the API tier, and then on to the database tier. Traffic should not flow between the web tier and the database tier. How should you configure the network? A. Add each tier to a different subnetwork. B. Add tags to each tier and set up firewall rules to allow the desired traffic flow. C. Add tags to each tier and set up routes to allow the desired traffic flow. D. Set up software-based firewalls on individual VMs.
B. Add tags to each tier and set up firewall rules to allow the desired traffic flow.
What is the name of the internally developed, mutual authentication and transport encryption system that Google uses to secure communications within their infrastructure? A. IPSec B. Application Layer Transport Security (ALTS) C. Remote Procedure Call (RPC) D. Transport Layer Security (TLS)
B. Application Layer Transport Security (ALTS)
Which two of the following statements about security in BigQuery and its datasets are true? A. Using IAM, you can grant users granular permissions to BigQuery tables, rows, and columns. B. BigQuery has its own list of assignable IAM roles. C. A BigQuery Authorized View allows administrators to restrict users to viewing only subsets of a dataset. D. It is always better to assign BigQuery roles to individuals, as this will reduce operational overhead.
B. BigQuery has its own list of assignable IAM roles. C. A BigQuery Authorized View allows administrators to restrict users to viewing only subsets of a dataset.
If you wanted to disable ALL inbound and outbound network traffic to a custom VPC, what should you do? A. Create a Deny All inbound internet firewall rule. B. Create a Deny All outbound internet firewall rule. C. Remove external IP addresses from all instances. D. In the VPC network settings, disable network traffic in each subnet
B. Create a Deny All outbound firewall rule. Every VPC network carries an implied deny-all ingress rule and an implied allow-all egress rule at the lowest priority (65535), so in a custom VPC with no other allow rules a deny-all egress rule is the only addition needed to block traffic in both directions.
An application log's data—including customer identifiers such as email addresses—needs to be redacted. However, these logs also include the email addresses of internal developers from company.com, and these should not be redacted. Which solution should you use to meet these requirements? A. Create a regular custom dictionary detector to match all email addresses listed in Cloud Identity. B. Create a regular expression (regex) custom infoType detector to match on @company.com. C. Create a regular custom dictionary detector that lists a subset of the developers' email addresses. D. Create a custom infoType called COMPANY_EMAIL to match @company.com.
B. Create a regular expression (regex) custom infoType detector to match on @company.com.
A customer wants to configure access to their application running on Compute Engine so that it only writes to a specific Cloud Storage bucket. How should you grant access? A. Create a user account, authenticate with the application, and grant Google Storage Admin permissions at the bucket level. B. Create a service account for the application, and grant Cloud Storage Object Creator permissions at the bucket level. C. Create a user account, authenticate with the application, and grant Google Storage Admin permissions at the project level. D. Create a service account for the application, and grant Cloud Storage Object Creator permissions to the project.
B. Create a service account for the application, and grant Cloud Storage Object Creator permissions at the bucket level.
Your manager has asked you to give one of your contractors access to a Cloud Storage bucket for the day. The contractor will need read/write access, but you are hesitant to create an account for them, since they only need access for a single day. How should you handle this? A. Grant the contractor public access to the Cloud Storage bucket. B. Generate a signed URL for 86400 seconds. C. Assign a service account to the contractor. D. Assign the proper access control lists (ACLs).
B. Generate a signed URL for 86400 seconds (24 hours).
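Worked example (added here, not course material) of the signed-URL approach used in this question and in the Cloud Storage best-practices question above: a V4 signed URL minted with an HMAC key using only the standard library, with the expiry capped at the 7-day maximum Cloud Storage enforces. The access ID, secret, bucket and object name are constructed placeholders, and the fixed timestamp exists only to make the output reproducible.

```python
"""Mint a Cloud Storage V4 signed URL with an HMAC key (added example, not Google code).

Only the HTTP verb and the "host" header are signed and the payload is left
unsigned, which is the shape used for simple one-off downloads or uploads.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlparse

HOST = "storage.googleapis.com"
MAX_EXPIRY = 7 * 24 * 3600          # V4 signed URLs cannot live longer than 7 days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, datestamp: str) -> bytes:
    """Derive the per-day signing key: an HMAC chain over date, region, service, terminator."""
    k = _hmac(("GOOG4" + secret).encode(), datestamp)
    k = _hmac(k, "auto")
    k = _hmac(k, "storage")
    return _hmac(k, "goog4_request")


def expiry_is_valid(expires: int) -> bool:
    return 1 <= expires <= MAX_EXPIRY


def signed_url(bucket, obj, access_id, secret, expires=86400, verb="GET", now=None):
    if not expiry_is_valid(expires):
        raise ValueError(f"expires must be between 1 and {MAX_EXPIRY} seconds")
    now = now or dt.datetime.now(dt.timezone.utc)
    stamp, datestamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{datestamp}/auto/storage/goog4_request"
    path = "/" + quote(f"{bucket}/{obj}", safe="/~")        # path-style addressing
    params = {
        "X-Goog-Algorithm": "GOOG4-HMAC-SHA256",
        "X-Goog-Credential": f"{access_id}/{scope}",
        "X-Goog-Date": stamp,
        "X-Goog-Expires": str(expires),
        "X-Goog-SignedHeaders": "host",
    }
    # Canonical query string: percent-encoded keys and values, sorted by key.
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical_request = "\n".join([verb, path, query, f"host:{HOST}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["GOOG4-HMAC-SHA256", stamp, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret, datestamp), string_to_sign.encode(),
                         hashlib.sha256).hexdigest()
    return f"https://{HOST}{path}?{query}&X-Goog-Signature={signature}"


def parse_params(url):
    """Query parameters of a signed URL, percent-decoded (handy for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


# Constructed placeholders: not a real key pair, fixed clock for reproducible output.
FIXED_NOW = dt.datetime(2024, 1, 15, 12, 0, 0, tzinfo=dt.timezone.utc)


def demo(expires=86400, verb="GET"):
    return signed_url("example-bucket", "reports/q1 2024.csv", "GOOGEXAMPLEACCESSID",
                      "constructed-secret-not-real", expires=expires, verb=verb, now=FIXED_NOW)


if __name__ == "__main__":
    print(demo())
```

A signed URL authorizes one HTTP verb, so a contractor who needs read and write access gets one GET URL and one PUT URL for the same object. With a service-account key file the equivalent is gsutil signurl -d 1d KEY.json gs://BUCKET/OBJECT (add -m PUT for the upload URL; -d is capped at 7d too). The URL simply stops working after the expiry, leaving no account to clean up.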
The development team in your organization has recently finished an internal application on GCP that is ready to go live for all 500 employees. Employees around the world must have access to the application, but contractors (around 1/4 of your organization's workforce) must not have access. Your CEO wants to roll out access to the application over the weekend. What method would give employees access to the application with the least amount of setup time? A. Creating separate groups and attaching IAM policies B. Implementing Identity-Aware Proxy C. Setting up a VPN tunnel to the application D. Using a bastion host and rolling out private keys to all employees
B. Implementing Identity-Aware Proxy
According to VPC best practices, what should companies do to achieve PCI compliance within GCP? A. Isolate sensitive data within its own project. B. Isolate sensitive data in its own VPC C. Firewall rules are the only resource needed to achieve PCI compliance. D. Keep all data together for the fastest payment processing flow.
B. Isolate sensitive data in its own VPC
Your company wants to try out GCP with as little risk as possible. They want to archive approximately 10 TB of log data to the cloud and test the analytics features natively available on GCP, while also retaining that data as a long-term disaster recovery backup. Which two of the following steps should they take? A. Import the logs into Stackdriver. B. Load the logs into BigQuery. C. Upload the log files to Cloud Storage. D. Load the logs into Firebase. E. Insert the logs into Cloud Bigtable
B. Load the logs into BigQuery. C. Upload the log files to Cloud Storage.
Which IAM roles would you give to an end user who needs the ability to view all components of a GCP organization, including the organization layer itself? A. Project Owner B. Organization Viewer, Project Viewer C. Organization Editor, Project Browser D. Organization Viewer, Project Owner
B. Organization Viewer, Project Viewer
Which two of the following vulnerabilities are scanned for when you use Cloud Security Scanner? A. Insecure logins B. Outdated or insecure libraries C. Personalized data in object names D. Mixed content E. User data in images
B. Outdated or insecure libraries D. Mixed content
App Engine is a great example of what type of service under the Shared Responsibility Model? A. IAAS B. PaaS C. SaaS D. FaaS
B. PaaS
Which two of the following statements about regulatory compliance on Google Cloud Platform are true? A. Contacting your regulatory compliance certification agency is the only way to find out whether Google currently supports a particular standard. B. Proper configuration of encryption and firewalls is not the only requirement for achieving regulatory compliance. C. Google has no plans at this time to expand its already extensive portfolio of regulatory compliance certifications. D. Google's cloud products regularly undergo independent verification of security, privacy, and compliance controls.
B. Proper configuration of encryption and firewalls is not the only requirement for achieving regulatory compliance. D. Google's cloud products regularly undergo independent verification of security, privacy, and compliance controls.
You need to find a way to automatically remove objects older than 120 days from a Cloud Storage bucket. What is the preferred method of doing this? A. Push a lifecycle management policy in PDF format to your storage bucket using gsutil. B. Push a lifecycle management policy in JSON format to your storage bucket using gsutil. C. Create a cron job to delete backups older than 120 days. D. Use Dataprep to prepare and remove data older than 120 days.
B. Push a lifecycle management policy in JSON format to your storage bucket using gsutil.
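Worked example (added here, not course code) for the two lifecycle questions above (move to COLDLINE after 365 days; delete after 120 days): it builds the JSON document that gsutil lifecycle set accepts, validates it, and dry-runs it against object ages using Cloud Storage's documented precedence (Delete beats SetStorageClass; between SetStorageClass rules the cheapest target class wins). The policies and ages are constructed, and the dry run models only the age and matchesStorageClass conditions.

```python
"""Build, validate and dry-run Cloud Storage lifecycle policies (added example, not Google code)."""
import json

# Ordered from most to least expensive at rest; used to break ties between
# SetStorageClass rules the way Cloud Storage does (cheapest target class wins).
STORAGE_CLASSES = ["STANDARD", "NEARLINE", "COLDLINE", "ARCHIVE"]
ACTIONS = {"Delete", "SetStorageClass", "AbortIncompleteMultipartUpload"}
CONDITIONS = {"age", "createdBefore", "isLive", "matchesStorageClass",
              "numNewerVersions", "daysSinceNoncurrentTime", "daysSinceCustomTime"}


def lifecycle_policy(rules):
    """Wrap (action, condition) pairs in the JSON document `gsutil lifecycle set` accepts."""
    return {"lifecycle": {"rule": [{"action": a, "condition": c} for a, c in rules]}}


def to_json(policy):
    return json.dumps(policy, indent=2)


def validate(policy):
    """Return a list of problems; an empty list means the policy is well formed."""
    errors = []
    for i, rule in enumerate(policy["lifecycle"]["rule"]):
        action, cond = rule["action"], rule["condition"]
        if action.get("type") not in ACTIONS:
            errors.append(f"rule {i}: unknown action {action.get('type')!r}")
        if action.get("type") == "SetStorageClass" and action.get("storageClass") not in STORAGE_CLASSES:
            errors.append(f"rule {i}: unknown storageClass {action.get('storageClass')!r}")
        unknown = set(cond) - CONDITIONS
        if unknown:
            errors.append(f"rule {i}: unknown condition(s) {sorted(unknown)}")
        if "age" in cond and (not isinstance(cond["age"], int) or cond["age"] < 0):
            errors.append(f"rule {i}: age must be a non-negative integer (days)")
    return errors


def dry_run(policy, age_days, storage_class="STANDARD"):
    """The single action Cloud Storage would take for an object of this age and class.
    Only the `age` and `matchesStorageClass` conditions are modelled here."""
    fired = []
    for rule in policy["lifecycle"]["rule"]:
        cond = rule["condition"]
        if "age" in cond and age_days < cond["age"]:
            continue
        if "matchesStorageClass" in cond and storage_class not in cond["matchesStorageClass"]:
            continue
        fired.append(rule["action"])
    if any(a["type"] == "Delete" for a in fired):
        return {"type": "Delete"}             # Delete takes precedence over SetStorageClass
    moves = [a for a in fired if a["type"] == "SetStorageClass"]
    if not moves:
        return None
    return max(moves, key=lambda a: STORAGE_CLASSES.index(a["storageClass"]))


# Dental-office question: records older than 12 months are read about once a quarter.
DENTAL_ARCHIVE = lifecycle_policy([
    ({"type": "SetStorageClass", "storageClass": "COLDLINE"},
     {"age": 365, "matchesStorageClass": ["STANDARD"]}),
])

# Backup-retention question: remove anything older than 120 days.
PURGE_OLD_BACKUPS = lifecycle_policy([
    ({"type": "Delete"}, {"age": 120}),
])

# Constructed tiered policy to show precedence when several rules fire at once.
TIERED = lifecycle_policy([
    ({"type": "SetStorageClass", "storageClass": "NEARLINE"},
     {"age": 30, "matchesStorageClass": ["STANDARD"]}),
    ({"type": "SetStorageClass", "storageClass": "COLDLINE"},
     {"age": 90, "matchesStorageClass": ["STANDARD", "NEARLINE"]}),
    ({"type": "Delete"}, {"age": 365}),
])

if __name__ == "__main__":
    print(to_json(DENTAL_ARCHIVE))
    for age in (100, 364, 365):
        print(age, dry_run(DENTAL_ARCHIVE, age))
```

Write to_json(POLICY) to a file and apply it with gsutil lifecycle set lifecycle.json gs://BUCKET; gsutil lifecycle get gs://BUCKET shows what is currently in force. Lifecycle actions run asynchronously, so an object can outlive its condition by up to a day or so.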
Disaster recovery (DR) is a subset of business continuity planning. DR planning begins with a business impact analysis that defines two key metrics. What are these two metrics? A. SLA B. RTO C. RPO D. SLO
B. RTO C. RPO
Each key created in Cloud KMS holds a key version, and each key version holds a state. What is the latest state at which a key can be reverted from destruction? A. Archived B. Scheduled for destruction C. Enabled D. Disabled
B. Scheduled for destruction
You are attempting to view Data Access audit logs that are over 30 days old in Stackdriver. When you log in to Stackdriver, you notice that the logs are no longer there. How can you retrieve these logs? A. Call support to help you retrieve the logs. B. The logs have been permanantly deleted and can no longer be retrieved. C. Check the System Event audit logs to find out where they went. D. Upgrade to enterprise support to regain access to the logs.
B. The logs have been permanently deleted and can no longer be retrieved. Data Access audit logs are kept for 30 days by default; to keep them longer, export them through a log sink (to Cloud Storage, BigQuery, or Pub/Sub) before they age out.
You work for a small cryptocurrency startup and find a feature that may be exactly what you are looking for. You are currently storing data in Cloud Storage, and you determine that the Bucket Lock feature will allow you to achieve the compliance standards you are looking for. You decide to try it out and add a retention policy of 1 year to the bucket with a test file in it and lock the bucket. When you show your manager, he is impressed and tells you to delete the bucket and create a new one with a plan in place. You then notice that you cannot delete the bucket. Why is this not possible? A. You must delete the retention policy first. B. The object in the bucket has not reached its retention period. C. You need to rename the bucket. D. You must delete the objects in the bucket
B. The object in the bucket has not reached its retention period.
Which two of the following statements about the organization policy service are true? A. Only specific GCP services evaluate constraint types B. To define an organization policy, you choose and then define a constraint against either a GCP service or a group of GCP services. C. Descendants of a targeted resource do not inherit the parent's organization policy. D. Organization Policy Services allow centralized control for how your organization's resources can be used.
B. To define an organization policy, you choose and then define a constraint against either a GCP service or a group of GCP services. D. Organization Policy Services allow centralized control for how your organization's resources can be used.
What is the main purpose of Google Cloud Directory Sync? A. To completely replace LDAP or Active Directory B. To simplify the provisioning and de-provisioning of user accounts C. To map admin accounts to GCP from AD/LDAP D. To enable two-way data synchronization between AD/LDAP and GCP accounts
B. To simplify the provisioning and de-provisioning of user accounts
Projects in GCP provide many management features. Which two of the following are features of projects? A. Balance server load between different projects. B. Track and manage quota usage C. Selectively enable specific services and APIs D. Keep on-premises AD/LDAP accounts synced up with users' GCP resources.
B. Track and manage quota usage C. Selectively enable specific services and APIs
Your company is ready to start using Google Cloud. However, they want to use their existing Active Directory domain to manage user identities. What should you do to meet these requirements? A. You must replace your Active Directory domain with Cloud Identity as your primary identity provider. B. Use Google Cloud Directory Sync to sync Active Directory usernames with Cloud Identity. C. Use Cloud Identity-Aware Proxy configured to use the on-premises Active Directory domain controller as an identity provider. D. Create a duplicate of your Active Directory domain controller on Compute Engine and use it as a replica to install Google Cloud Directory Sync.
B. Use Google Cloud Directory Sync to sync Active Directory usernames with Cloud Identity.
What are the two ways that you can change the storage class of an existing object in a bucket? A. Object versioning B. Using object lifecycle management C. Changing the default storage class of the bucket D. Rewriting the object
B. Using object lifecycle management D. Rewriting the object
Which two of the following recommendations are considered Compute Engine best practices? A. Hardened custom images, once added to your organization's resources, are then maintained by Google with automatic security patches and other updates. B. Utilize projects and IAM roles to control access to your VMs. C. Always run critical VMs with default, scope-based service accounts. D. Google Cloud Interconnect or Google Cloud VPN can be used to securely extend your data center network into GCP projects.
B. Utilize projects and IAM roles to control access to your VMs. D. Google Cloud Interconnect or Google Cloud VPN can be used to securely extend your data center network into GCP projects.
Which three of the following are firewall rule parameters? A. Project B. Organization C. Action D. IP address E. Direction F. Source
C. Action E. Direction F. Source
You want to allow access to servers with the tag webservers from external IP addresses over ports 80 and 443. There is currently a firewall rule in place with a priority of 1000 that denies all incoming traffic from an external address on all ports and protocols. You want to allow the desired traffic without deleting the existing rule. What should you do? A. Add an ingress rule that allows traffic over ports 80 and 443 from any external address in the rule prior to the DENY statement. B. Add an egress rule that allows traffic over ports 80 and 443 from any external address to the target network tag webservers with a priority value of 1500. C. Add an ingress rule that allows traffic over ports 80 and 443 from any external address to the target network tag webservers with a priority value of 500. D. Add an egress rule that allows traffic over ports 80 and 443 from any external address in the rules prior to the DENY statement.
C. Add an ingress rule that allows traffic over ports 80 and 443 from any external address to the target network tag webservers with a priority value of 500.
Data in transit and at rest on GCP is FIPS 140-2 validated. This validation was achieved using which library? A. AES-256 B. OpenSSL C. BoringSSL D. Java
C. BoringSSL
Which two of the following statements about Cloud Audit logging are true? A. Unlike Stackdriver logs, you cannot export Cloud Audit log entries to BigQuery. B. Data Access audit logs record data access operations on resources that are publicly shared. C. Cloud Audit Logging maintains three types of logs for each project, folder, and organization. D. Enabling Data Access logs might result in your project being charged for the additional logs usage.
C. Cloud Audit Logging maintains three types of logs for each project, folder, and organization. D. Enabling Data Access logs might result in your project being charged for the additional logs usage.
An organization is working on their PCI compliance strategy. They want to put controls in place to ensure that customer PII is stored in Cloud Storage buckets that prevent the sensitive data from being exposed. Which Google Cloud solution should the organization use to ensure that PII is stored in the correct place without exposing it internally? A. Cloud Security Scanner B. Cloud Storage Bucket Lock C. Cloud Data Loss Prevention API D. Forseti
C. Cloud Data Loss Prevention API
Which of the following statements about Cloud Identity is true? A. A G Suite or Cloud Identity account can be associated with more than one organization. B. Your company must use G Suite to use Cloud Identity. C. Cloud Identity can work with any domain name that is able to receive email. D. You cannot use G Suite and Cloud Identity at the same time to manage all users.
C. Cloud Identity can work with any domain name that is able to receive email.
Your organization uses Cloud Identity as their primary Identity Provider. As part of an IT modernization initiative, management wants to integrate several SaaS solutions. These solutions need to use Single Sign-On (SSO) for authorizing access. How should you integrate these applications into your environment? A. Remove users from the third-party applications, add them to Cloud Identity, and re-sync user accounts to the SaaS applications. B. Remove the duplicate users from Cloud Identity, and sync the user accounts from the third-party apps to Cloud Identity to establish synchronization. C. Configure the third-party SaaS applications to federate authentication and authorization to the GCP Identity Provider. D. Copy all user accounts from Cloud Identity to all third-party applications.
C. Configure the third-party SaaS applications to federate authentication and authorization to the GCP Identity Provider.
You need to allow traffic from specific virtual machines in subnet-a network access to machines in subnet-b without giving the entirety of subnet-a access. How can you accomplish this? A. Relocate the subnet-a machines to a different subnet, and give the new subnet the required access. B. Create a rule to deny all traffic to the entire subnet, then create a second rule with higher priority giving access to tagged VMs in subnet-a. C. Create a firewall rule to allow traffic from resources with specific network tags, then assign the machines in subnet-a the same tags. D. You can only grant firewall access to an entire subnet, not individual VMs inside.
C. Create a firewall rule to allow traffic from resources with specific network tags, then assign the machines in subnet-a the same tags.
A security team at a company that sells products on the internet wants to define an automatic incident response process for fraudulent credit card usage attempts. The team targets a 10-minute or faster response time for such incidents. The fraudulent card list is updated every 60 seconds. The company servers log the transaction details in near-real time. Which option should you recommend to the security team to use? A. Use AutoML to automatically build models based on the fraudulent credit card lists. B. Maintain a log ingestion exclusion filter based on the fraudulent credit card lists. C. Create a new logging export with a filter to match the transaction and a sink pointing to a Cloud Pub/Sub topic. D. Define a log-based metric for each fraudulent credit card, and set a Stackdriver alert for these metrics.
C. Create a new logging export with a filter to match the transaction and a sink pointing to a Cloud Pub/Sub topic.
Your operations team wants to encrypt all persistent disks attached to your VMs in Google Cloud and have decided to use KMS to create and manage their encryption keys (CMEKs). Since this is their first time using KMS, they are unsure where to start. What would you advise your team to do first? A. By default, Compute Engine encrypts data at rest, so there's nothing for you to do. B. Create a keyring C. Enable the Cloud KMS API D. You can immediately create the keys; Google has taken care of everything else for you.
C. Enable the Cloud KMS API
An application has been deployed on an instance in GCP and is using a service account to upload data to a Cloud Storage bucket. To adhere to company security policies, this data must be uploaded to Cloud Storage without traversing the public internet. Which option would satisfy these requirements? A. Using Cloud VPN B. Using the Cloud Storage API C. Enabling Private Google Access D. Using Cloud Interconnect
C. Enabling Private Google Access
As your GCP environment grows, it is starting to become difficult for you to keep track of all of your resources in your environment. Your CTO asks you to provide a report of the current status of all resources in GCP. Taking a DevOps approach, you would like to codify the process and make changes through code using Terraform. What tool should you use to achieve this? A. Cloud Security Command Center B. Cloud Security Scanner C. Forseti D. Identity-Aware Proxy
C. Forseti
Which one of the following statements about Forseti Security is true? A. Forseti Explain shows you where your applications may be inadequately protected from DDoS attacks. B. Forseti Enforcer scans user activity and locks the accounts of users suspected of misusing their access. C. Forseti Scanner looks for any hackers that are trying to infiltrate your environment. D. If something in your system changes unexpectedly, Forseti Security can revert a potentially compromised resource back to a known safe state.
C. Forseti Scanner looks for any hackers that are trying to infiltrate your environment. D. If something in your system changes unexpectedly, Forseti Security can revert a potentially compromised resource back to a known safe state.
Which one of the following statements about Google's built-in security measures is true? A. To protect against DDoS attacks, all Google employee accounts require the use of U2F-compatible security keys. B. To lower the risk of DDoS attacks, an organization's on-premises resources are not allowed to connect to GCP. C. GCP's lower level hardware and software services (apart from customer resources) use only Google-managed encryption keys to verify system integrity. D. Customers have the option of configuring their instances to encrypt all their data while it is at rest within GCP.
C. GCP's lower level hardware and software services (apart from customer resources) use only Google-managed encryption keys to verify system integrity.
Which load balancers are supported to implement Cloud Armor's security policies? A. HTTP(S) and SSL/TCP Proxy B. SSL Proxy C. HTTP(S) only D. HTTP(S) and SSL Proxy
C. HTTP(S) only
A cloud development team needs to use service accounts extensively for their local development. You need to provide the team with the keys for these service accounts. You want to follow Google-recommended practices. What should you do? A. Implement a daily key rotation process that generates a new key and commits it to the source code repository every day. B. Create a Google Group with all developers. Assign the group the IAM role of Service Account User, and have developers generate and download their own keys. C. Implement a daily key rotation process, and provide developers with a Cloud Storage bucket from which they can download the new key every day. D. Create a Google Group with all developers. Assign the group the IAM role of Service Account Admin, and have developers generate and download their own keys.
C. Implement a daily key rotation process, and provide developers with a Cloud Storage bucket from which they can download the new key every day.
Your company is committed to moving to GCP but is unsure how to start. They look to you for answers, as they heard that you are well versed in cloud technologies. You tell them that the best approach would be to redesign your application to be cloud-native to take full advantage of the scalability and elasticity of the cloud. They respond by telling you that they are looking for a quick ROI, as they plan to move out of the data center completely within the next 2 quarters. There would not be enough time to rewrite the application, and they want to move the workloads with as few changes to the application as possible. What migration strategy would you recommend? A. Leave the application in the data center. There are way too many variables to deal with. B. Improve and Move C. Lift and Shift D. Rip and Replace
C. Lift and Shift
Which two of the following can be used to organize resources in GCP? A. Container B. Instance C. Organization D. Folder E. Member F. Role G. Bucket
C. Organization D. Folder
You are designing a large distributed application with 30 microservices. Each of your microservices needs to connect to a backend database. You want to securely store the database credentials. Where should you store the credentials? A. In an environment variable B. In the source code C. Secret Manager D. In a config file that has access restricted via ACLs
C. Secret Manager
Which two of the following statements about GCP service accounts are true? A. VMs without service accounts cannot run APIs. B. Custom service accounts use scopes to control API access. C. Service accounts are a type of identity. D. VM instances use service accounts to run API requests on your behalf.
C. Service accounts are a type of identity. D. VM instances use service accounts to run API requests on your behalf.
Developers in an organization are prototyping a few applications on GCP and are starting to store sensitive data. The developers are using their personal consumer Gmail accounts to set up and manage their projects within GCP. A security engineer identifies this as a concern because of the lack of centralized management and potential access to the data being stored in these accounts. Which solution should be used to resolve this concern? A. Enforce the use of security keys as the two-step verification method for the Gmail accounts. B. Enable logging on all GCP projects to track all developer activities. C. Set up Google Cloud Identity and require the developers to use those accounts for GCP work. D. Require the developers to log/store their Gmail passwords with the Security team.
C. Set up Google Cloud Identity and require the developers to use those accounts for GCP work.
What is the main purpose of Google Cloud Directory Sync? A. To map admin accounts to GCP from AD/LDAP B. To enable two-way data synchronization between AD/LDAP and GCP accounts C. To simplify the provisioning and de-provisioning of user accounts D. To completely replace LDAP or Active Directory
C. To simplify the provisioning and de-provisioning of user accounts
What is the best practice for separating responsibilities and access to production and development environments? A. Use the same project for both environments but place them in different VPCs. B. Use the same project for both environments and keep track of which resources are in use by which group. C. Use a separate project for each environment and ensure that each team only has access to their project. D. Use a separate project for each environment and give both teams access to both projects.
C. Use a separate project for each environment and ensure that each team only has access to their project.
You are migrating your on-premises application to Google Cloud. You will use the Cloud VPN service to connect your on-premises systems and Google Cloud until the migration is completed. What should you do to make sure that all network resources remain reachable during the migration? A. Use the same IP range on your Google Cloud VPC as you use on premises. B. Use the same IP range on your Google Cloud VPC as you use on premises for your primary IP range, and use a secondary range that does not overlap with the range you use on premises. C. Use an IP range on your Google Cloud VPC that does not overlap with the range you use on premises. D. Use an IP range on your Google Cloud VPC that does not overlap with the range you use on premises for your primary IP range, and use a secondary range with the same IP range as you use on premises.
C. Use an IP range on your Google Cloud VPC that does not overlap with the range you use on premises.
What type of audit logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources? A. Data Access logs B. Access Transparency logs C. System Event logs D. Admin Activity logs
D. Admin Activity logs
Your organization is required to meet a number of strict compliance and audit requirements. As part of these requirements, application files that are uploaded to Cloud Storage must be retained for 10 years. You need to prevent accidental or intentional deletion of these files and remove the ability to alter the retention period. How should you accomplish this? A. Create a lifecycle management policy on the Cloud Storage bucket. Set the Age condition to 10 years and the Action to Delete. B. Use IAM roles to restrict who has access to the affected Cloud Storage bucket. C. Enable a temporary hold and apply a retention period of 5 years to the bucket. D. Apply a retention period of 10 years to the bucket and lock the bucket.
D. Apply a retention period of 10 years to the bucket and lock the bucket.
The encryption key hierarchy protects a chunk of data with a data encryption key (DEK). This DEK is then wrapped with a key encryption key (KEK). Google then stores this key in which of the following? A. Physical safe B. Root KMS C. Cloud Storage D. Cloud Key Management Service (KMS)
D. Cloud Key Management Service (KMS)
Your company is building a large-scale web application. Each team is responsible for its own service component of the application and wants to manage its own individual projects. You want each service to communicate with the other services over RFC 1918 address space. Which of the following should you do? A. Deploy each service into a single project within the same VPC. B. Configure each service to communicate with the others over the HTTPS protocol. C. Configure a global load balancer for each project and communicate between each service using the global load balancer IP addresses. D. Configure a shared VPC and add each project as a service of the shared VPC project.
D. Configure a shared VPC and add each project as a service of the shared VPC project.
Domain Name Server (DNS) poisoning (or spoofing) is a type of cyber-attack that exploits system vulnerabilities in the Domain Name Server to divert traffic away from legitimate servers and direct it toward fake ones. Which of the following features authenticates responses to domain name lookups to prevent attackers from manipulating or poisoning responses to DNS requests? A. Cloud DNS B. DNS Analyzer C. DNS over HTTPS D. DNSSEC
D. DNSSEC
Your customer, working in a small successful e-commerce company, is starting to experience some paranoia in his workplace, as he thinks that his employees are stealing credit card data. All company systems are in GCP and encrypted using KMS customer-managed encryption keys. He wants to catch the thief in the act but will need time to do so. What should your customer do for peace of mind? A. Check the System Event audit logs for the use of KMS keys. B. Enable Admin Activity audit logging. C. Purchase enterprise support and turn on Access Transparency logs. D. Export the audit logs to BigQuery for real-time analysis.
D. Export the audit logs to BigQuery for real-time analysis.
Your customer wants to extend their on-premises network to Google's network through a highly available, low-latency connection. They are unsure what connection capacity they need, so they want to start with a 5 Gbps connection with the option to scale if they think they need more. They also do not want to maintain any routing equipment at a colocation facility. What would you recommend as the best connection type for their needs? A. Interconnect B. 2 Cloud VPN tunnels C. Cloud VPN D. Partner Interconnect
D. Partner Interconnect
A vulnerability has been found in the operating system that you are running in your fleet of Compute Engine instances. You need to patch the instances right away. You have an image that you used to deploy the instances that is trusted by your security team. What is the most efficient way to patch the instances with the least amount of steps and downtime? A. Use the latest public image (since it's already been patched), and deploy it. B. Create a pipeline to patch the image and redeploy. C. Gather all your teammates and assign instances that need to be patched to each person. D. Patch the image and replace the vulnerable instances in batches.
D. Patch the image and replace the vulnerable instances in batches.
Select a best practice to manage varying levels of access to use and maintain an App Engine application using GCP's provided solutions. A. Federate identity between Cloud Identity and Active Directory to synchronize user directories B. Manage access with firewall rules C. Adjust IAM roles for users depending on their necessary level of access. D. Use Cloud Identity-Aware Proxy (Cloud IAP) to manage multiple levels of access.
D. Use Cloud Identity-Aware Proxy (Cloud IAP) to manage multiple levels of access.
Your development team wants to deploy a new application to GCP, but they are not sure which solution to use for secrets management for their asymmetric keys. They want to take a hands-off approach and have it completely managed by the system with automatic, scheduled secrets rotation. The solution must also maintain the same high level of security. Which of the following would be the best solution? A. Store the secrets in a Cloud Storage bucket. B. Store the secrets in code. C. Use Cloud Key Management Service (KMS). D. Use a third-party tool like Hashicorp Vault.
D. Use a third-party tool like Hashicorp Vault.
Your e-commerce customer needs some help with their GKE cluster. They want to restrict specific pod-to-pod communication in the cluster to help them achieve compliance with standards. How would you achieve this using the tools that are already available to you in GKE and GCP? A. Use namespaces B. Use RBAC C. Use firewall rules D. Use network policies
D. Use network policies