You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.
What should you do?

• A.Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
• B.Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
• C.Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
• D.Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.

Comment: *

Name: *

Email: *

Verification: *

You recently joined the networking team supporting your company's Google Cloud implementation. You are tasked with familiarizing yourself with the firewall rules configuration and providing recommendations based on your networking and Google Cloud experience. What product should you recommend to detect firewall rules that are overlapped by attributes from other firewall rules with higher or equal priority?

• A.Security Command Center
• B.Firewall Rules Logging
• C.VPC Flow Logs
• D.Firewall Insights

Comment: *

Name: *

Email: *

Verification: *

Which two implied firewall rules are defined on a VPC network? (Choose two.)

• A.A rule that allows all outbound connections
• B.A rule that denies all inbound connections
• C.A rule that blocks all inbound port 25 connections
• D.A rule that blocks all outbound connections
• E.A rule that allows all inbound port 80 connections

Comment: *

Name: *

Email: *

Verification: *

You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.
How should you prevent and fix this vulnerability?

• A.Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.
• B.Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.
• C.Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
• D.Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

Comment: *

Name: *

Email: *

Verification: *

A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.
Which two strategies should your team use to meet these requirements? (Choose two.)

• A.Configure Private Google Access on the Compute Engine subnet
• B.Configure a Cloud NAT gateway.
• C.Make sure that the Compute Engine cluster is running on a separate subnet.
• D.Turn off IP forwarding on the Compute Engine instances in the cluster.
• E.Avoid assigning public IP addresses to the Compute Engine cluster.

Comment: *

Name: *

Email: *

Verification: *