Applications often require access to "secrets" - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of "who did what, where, and when?" within their GCP projects.
Which two log streams would provide the information that the administrator is looking for? (Choose two.)

• A.Admin Activity logs
• B.System Event logs
• C.Data Access logs
• D.VPC Flow logs
• E.Agent logs

Comment: *

Name: *

Email: *

Verification: *

Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.
What should you do?

• A.Use the Cloud Key Management Service to manage a key encryption key (KEK).
• B.Use customer-supplied encryption keys to manage the data encryption key (DEK).
• C.Use customer-supplied encryption keys to manage the key encryption key (KEK).
• D.Use the Cloud Key Management Service to manage a data encryption key (DEK).

Comment: *

Name: *

Email: *

Verification: *

While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?

• A.Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
• B.Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
• C.Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
• D.Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.

Comment: *

Name: *

Email: *

Verification: *

You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.
What should you do?

• A.Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.
• B.Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
• C.Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
• D.Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.

Comment: *

Name: *

Email: *

Verification: *

You want to protect the default VPC network from all inbound and outbound internet traffic. What action should you take?

• A.Create a Deny All inbound internet firewall rule.
• B.Create a Deny All outbound internet firewall rule.
• C.Create a new subnet in the VPC network with private Google access enabled.
• D.Create instances without external IP addresses only.

Comment: *

Name: *

Email: *

Verification: *