Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.
What should your team grant to Engineering Group A to meet this requirement?

• A.Compute Network User Role at the subnet level.
• B.Compute Shared VPC Admin Role at the host project level.
• C.Compute Shared VPC Admin Role at the service project level.
• D.Compute Network User Role at the host project level.

Comment: *

Name: *

Email: *

Verification: *

While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?

• A.Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
• B.Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.
• C.Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
• D.Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.

Comment: *

Name: *

Email: *

Verification: *

You perform a security assessment on a customer architecture and discover that multiple VMs have public IP addresses. After providing a recommendation to remove the public IP addresses, you are told those VMs need to communicate to external sites as part of the customer's typical operations. What should you recommend to reduce the need for public IP addresses in your customer's VMs?

• A.Cloud VPN
• B.Google Cloud Armor
• C.Cloud Router
• D.Cloud NAT

Comment: *

Name: *

Email: *

Verification: *

You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google- recommended practices.
What should you do?

• A.Create a new Service account, and give all application users the role of Service Account User.
• B.Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.
• C.Use a dedicated G Suite Admin account, and authenticate the application's operations with these G Suite credentials.
• D.Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.

Comment: *

Name: *

Email: *

Verification: *

Last week, a company deployed a new App Engine application that writes logs to BigQuery. No other workloads are running in the project. You need to validate that all data written to BigQuery was done using the App Engine Default Service Account.
What should you do?

• A.1. In BigQuery, select the related dataset.
  2. Make sure the App Engine Default Service Account is the only account that can write to the dataset.
• B.1. Use StackDriver Logging and filter on BigQuery Insert Jobs.
  2. Click on the email address in line with the App Engine Default Service Account in the authentication field.
  3. Click Show Matching Entries.
  4. Make sure the resulting list is empty.
• C.1. Go to the IAM section on the project.
  2. Validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery.
• D.1. Use StackDriver Logging and filter on BigQuery Insert Jobs.
  2. Click on the email address in line with the App Engine Default Service Account in the authentication field.
  3. Click Hide Matching Entries.
  4. Make sure the resulting list is empty.

Comment: *

Name: *

Email: *

Verification: *