Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team.
Which type of networking design should your team use to meet these requirements?

• A.Shared VPC Network with a host project and service projects
• B.Grant Compute Admin role to the networking team for each engineering project
• C.VPC peering between all engineering projects using a hub and spoke model
• D.Cloud VPN Gateway between all engineering projects using a hub and spoke model

Comment: *

Name: *

Email: *

Verification: *

A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to manage and rotate the encryption keys.
Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?

• A.Customer-supplied encryption keys (CSEK)
• B.Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
• C.Encryption by default
• D.Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis

Comment: *

Name: *

Email: *

Verification: *

You want to update your existing VPC Service Controls perimeter with a new access level. You need to avoid breaking the existing perimeter with this change, and ensure the least disruptions to users while minimizing overhead. What should you do?

• A.Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.
• B.Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.
• C.Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration.
  Update the perimeter configuration after the access level has been vetted.
• D.Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.

Comment: *

Name: *

Email: *

Verification: *

An administrative application is running on a virtual machine (VM) in a managed group at port 5601 inside a Virtual Private Cloud (VPC) instance without access to the internet currently. You want to expose the web interface at port 5601 to users and enforce authentication and authorization Google credentials What should you do?

• A.Modify the VPC routing with the default route point to the default internet gateway Modify the VPC Firewall rule to allow access from the internet 0.0.0.0/0 to port 5601 on the application instance.
• B.Configure the bastion host with OS Login enabled and allow connection to port 5601 at VPC firewall Log in to the bastion host from the Google Cloud console by using SSH-in-browser and then to the web application
• C.Configure an HTTP Load Balancing instance that points to the managed group with Identity-Aware Proxy (IAP) protection with Google credentials Modify the VPC firewall to allow access from IAP network range
• D.Configure Secure Shell Access (SSH) bastion host in a public network, and allow only the bastion host to connect to the application on port 5601. Use a bastion host as a jump host to connect to the application

Comment: *

Name: *

Email: *

Verification: *

You are a Security Administrator at your organization. You need to restrict service account creation capability within production environments. You want to accomplish this centrally across the organization. What should you do?

• A.Use Identity and Access Management (IAM) to restrict access of all users and service accounts that have access to the production environment.
• B.Use organization policy constraints/iam.disableServiceAccountKeyUpload boolean to disable the creation of new service accounts.
• C.Use organization policy constraints/iam.disableServiceAccountKeyCreation boolean to disable the creation of new service accounts.
• D.Use organization policy constraints/iam.disableServiceAccountCreation boolean to disable the creation of new service accounts.

Comment: *

Name: *

Email: *

Verification: *