Your organization's Google Cloud VMs are deployed via an instance template that configures them with a public IP address in order to host web services for external users. The VMs reside in a service project that is attached to a host (VPC) project containing one custom Shared VPC for the VMs. You have been asked to reduce the exposure of the VMs to the internet while continuing to service external users. You have already recreated the instance template without a public IP address configuration to launch the managed instance group (MIG). What should you do?

• A.Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend.
• B.Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.
• C.Deploy a Cloud NAT Gateway in the host (VPC) project for the MIG.
• D.Deploy a Cloud NAT Gateway in the service project for the MIG.

Comment: *

Name: *

Email: *

Verification: *

An application log's data, including customer identifiers such as email addresses, needs to be redacted. However, these logs also include the email addresses of internal developers from company.com, and these should NOT be redacted. Which solution should you use to meet these requirements?

• A.Create a regular custom dictionary detector that lists a subset of the developers' email addresses.
• B.Create a regular expression (regex) custom infoType detector to match on @company.com.
• C.Create a regular custom dictionary detector to match all email addresses listed in Cloud Identity.
• D.Create a custom infoType called COMPANY_EMAIL to match @company.com.

Comment: *

Name: *

Email: *

Verification: *

You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.
What should you do?

• A.Use multi-factor authentication for admin access to the web application.
• B.Use only applications certified compliant with PA-DSS.
• C.Move the cardholder data environment into a separate GCP project.
• D.Use VPN for all connections between your office and cloud environments.

Comment: *

Name: *

Email: *

Verification: *

A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?

• A.Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.
• B.Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.
• C.On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.
• D.On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.

Comment: *

Name: *

Email: *

Verification: *

You want to prevent users from accidentally deleting a Shared VPC host project. Which organization-level policy constraint should you enable?

• A.compute.restrictSharedVpcHostProjects
• B.compute.restrictXpnProjectLienRemoval
• C.compute.restrictSharedVpcSubnetworks
• D.compute.sharedReservationsOwnerProjects

Comment: *

Name: *

Email: *

Verification: *