Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.
What should you do?

• A.Use the Cloud Key Management Service to manage a data encryption key (DEK).
• B.Use the Cloud Key Management Service to manage a key encryption key (KEK).
• C.Use customer-supplied encryption keys to manage the data encryption key (DEK).
• D.Use customer-supplied encryption keys to manage the key encryption key (KEK).

Comment: *

Name: *

Email: *

Verification: *

You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud. Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.)

• A.Use Google default encryption.
• B.Manually add users to Google Cloud.
• C.Provision users with basic roles using Google's Identity and Access Management (1AM) service.
• D.Use SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.
• E.Provide granular access with predefined roles.

Comment: *

Name: *

Email: *

Verification: *

Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements:
Only allows communication between the Web and App tiers.
Enforces consistent network security when autoscaling the Web and App tiers.
Prevents Compute Engine Instance Admins from altering network traffic.
What should you do?

• A.1. Re-deploy the Web and App servers with instance templates configured with respective network tags.
  2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.
• B.1. Re-deploy the Web and App servers with instance templates configured with respective service accounts.
  2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.
• C.1. Configure all running Web and App servers with respective service accounts.
  2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.
• D.1. Configure all running Web and App servers with respective network tags.
  2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.

Comment: *

Name: *

Email: *

Verification: *

A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE).
How should the DevOps team accomplish this?

• A.Use Puppet or Chef to push out the patch to the running container.
• B.Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
• C.Update the application code or apply a patch, build a new image, and redeploy it.
• D.Configure containers to automatically upgrade when the base image is available in Container Registry.

Comment: *

Name: *

Email: *

Verification: *

Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.
How should your team meet these requirements?

• A.Enable Private Access on the VPC network in the production project.
• B.Remove the Editor role and grant the Compute Admin IAM role to the engineers.
• C.Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
• D.Set up a VPC network with two subnets: one with public IPs and one without public IPs.

Comment: *

Name: *

Email: *

Verification: *