You need to set up a Cloud interconnect connection between your company's on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?

• A.Enable Private Google Access on the regional subnets and global dynamic routing mode.
• B.Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud interconnect connection.
• C.Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.
• D.Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.

Comment: *

Name: *

Email: *

Verification: *

Your organization develops software involved in many open source projects and is concerned about software supply chain threats You need to deliver provenance for the build to demonstrate the software is untampered.
What should you do?

• A.* 1- Generate Supply Chain Levels for Software Artifacts (SLSA) level 3 assurance by using Cloud Build.
  * 2. View the build provenance in the Security insights side panel within the Google Cloud console.
• B.* 1. Review the software process.
  * 2. Generate private and public key pairs and use Pretty Good Privacy (PGP) protocols to sign the output software artifacts together with a file containing the address of your enterprise and point of contact.
  * 3. Publish the PGP signed attestation to your public web page.
• C.* 1, Publish the software code on GitHub as open source.
  * 2. Establish a bug bounty program, and encourage the open source community to review, report, and fix the vulnerabilities.
• D.* 1. Hire an external auditor to review and provide provenance
  * 2. Define the scope and conditions.
  * 3. Get support from the Security department or representative.

Comment: *

Name: *

Email: *

Verification: *

You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be readable from Project B.
You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials.
What should you do?

• A.Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.
• B.Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.
• C.Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.
• D.Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.

Comment: *

Name: *

Email: *

Verification: *

You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?

• A.Use Packet Mirroring to mirror traffic to and from particular VM instances. Perform inspection using security software that analyzes the mirrored traffic.
• B.Enable VPC Flow Logs for all subnets in the VPC. Perform inspection on the Flow Logs data using Cloud Logging.
• C.Configure the Fluentd agent on each VM Instance within the VPC. Perform inspection on the log data using Cloud Logging.
• D.Configure Google Cloud Armor access logs to perform inspection on the log data.

Comment: *

Name: *

Email: *

Verification: *

You need to set up two network segments: one with an untrusted subnet and the other with a trusted subnet. You want to configure a virtual appliance such as a next-generation firewall (NGFW) to inspect all traffic between the two network segments. How should you design the network to inspect the traffic?

• A.1. Set up one VPC with two subnets: one trusted and the other untrusted.
  2. Configure a custom route for all traffic (0.0.0.0/0) pointed to the virtual appliance.
• B.1. Set up one VPC with two subnets: one trusted and the other untrusted.
  2. Configure a custom route for all RFC1918 subnets pointed to the virtual appliance.
• C.1. Set up two VPC networks: one trusted and the other untrusted, and peer them together.
  2. Configure a custom route on each network pointed to the virtual appliance.
• D.1. Set up two VPC networks: one trusted and the other untrusted.
  2. Configure a virtual appliance using multiple network interfaces, with each interface connected to one of the VPC networks.

Comment: *

Name: *

Email: *

Verification: *