A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?

• A.On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.
• B.Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.
• C.On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.
• D.Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.

Comment: *

Name: *

Email: *

Verification: *

You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.
What should you do?

• A.Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
• B.Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
• C.Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
• D.Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.

Comment: *

Name: *

Email: *

Verification: *

A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.
Which two strategies should your team use to meet these requirements? (Choose two.)

• A.Configure Private Google Access on the Compute Engine subnet
• B.Turn off IP forwarding on the Compute Engine instances in the cluster.
• C.Make sure that the Compute Engine cluster is running on a separate subnet.
• D.Configure a Cloud NAT gateway.
• E.Avoid assigning public IP addresses to the Compute Engine cluster.

Comment: *

Name: *

Email: *

Verification: *

A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE).
How should the DevOps team accomplish this?

• A.Use Puppet or Chef to push out the patch to the running container.
• B.Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
• C.Update the application code or apply a patch, build a new image, and redeploy it.
• D.Configure containers to automatically upgrade when the base image is available in Container Registry.

Comment: *

Name: *

Email: *

Verification: *

A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).
How should the team complete this task?

• A.Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
• B.Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
• C.Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
• D.Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.

Comment: *

Name: *

Email: *

Verification: *