A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?

• A.VPC Flow Logs
• B.Cloud Armor
• C.DNS Security Extensions
• D.Cloud Identity-Aware Proxy

Comment: *

Name: *

Email: *

Verification: *

You need to set up two network segments: one with an untrusted subnet and the other with a trusted subnet.
You want to configure a virtual appliance such as a next-generation firewall (NGFW) to inspect all traffic between the two network segments. How should you design the network to inspect the traffic?

• A.1. Set up one VPC with two subnets: one trusted and the other untrusted.
  2. Configure a custom route for all traffic (0.0.0.0/0) pointed to the virtual appliance.
• B.1. Set up one VPC with two subnets: one trusted and the other untrusted.
  2. Configure a custom route for all RFC1918 subnets pointed to the virtual appliance.
• C.1. Set up two VPC networks: one trusted and the other untrusted, and peer them together.
  2. Configure a custom route on each network pointed to the virtual appliance.
• D.1. Set up two VPC networks: one trusted and the other untrusted.
  2. Configure a virtual appliance using multiple network interfaces, with each interface connected to one of the VPC networks.

Comment: *

Name: *

Email: *

Verification: *

Applications often require access to "secrets" - small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of "who did what, where, and when?" within their GCP projects.
Which two log streams would provide the information that the administrator is looking for? (Choose two.)

• A.VPC Flow logs
• B.Data Access logs
• C.Agent logs
• D.Admin Activity logs
• E.System Event logs

Comment: *

Name: *

Email: *

Verification: *

What are the steps to encrypt data using envelope encryption?

• A.Generate a key encryption key (KEK) locally.
  Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK.
  Store the encrypted data and the wrapped DEK.
• B.Generate a key encryption key (KEK) locally.
  Generate a data encryption key (DEK) locally. Encrypt data with the KEK.
  Store the encrypted data and the wrapped DEK.
• C.Generate a data encryption key (DEK) locally.
  Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK.
  Store the encrypted data and the wrapped KEK.
• D.Generate a data encryption key (DEK) locally.
  Encrypt data with the DEK.
  Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.

Comment: *

Name: *

Email: *

Verification: *

You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?

• A.Create a custom service account for the cluster Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level.
• B.Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials.
• C.Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/iam.disableServiceAccountCreation organization policy at the project level.
• D.Create a custom service account for the cluster Enable the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.

Comment: *

Name: *

Email: *

Verification: *