Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.
How should your team meet these requirements?

• A.Enable Private Access on the VPC network in the production project.
• B.Remove the Editor role and grant the Compute Admin IAM role to the engineers.
• C.Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
• D.Set up a VPC network with two subnets: one with public IPs and one without public IPs.

Comment: *

Name: *

Email: *

Verification: *

Your organization is using Active Directory and wants to configure Security Assertion Markup Language (SAML). You must set up and enforce single sign-on (SSO) for all users.
What should you do?

• A.1. Manage SAML profile assignments.
  * 2. Enable OpenID Connect (OIDC) in your Active Directory (AD) tenant.
  * 3. Verify the domain.
• B.1. Create a new SAML profile.
  * 2. Upload the X.509 certificate.
  * 3. Enable the change password URL.
  * 4. Configure Entity ID and ACS URL in your IdP.
• C.1- Create a new SAML profile.
  * 2. Populate the sign-in and sign-out page URLs.
  * 3. Upload the X.509 certificate.
  * 4. Configure Entity ID and ACS URL in your IdP
• D.1. Configure prerequisites for OpenID Connect (OIDC) in your Active Directory (AD) tenant
  * 2. Verify the AD domain.
  * 3. Decide which users should use SAML.
  * 4. Assign the pre-configured profile to the select organizational units (OUs) and groups.

Comment: *

Name: *

Email: *

Verification: *

A company's application is deployed with a user-managed Service Account key. You want to use Google-recommended practices to rotate the key.
What should you do?

• A.Create a new key, and use the new key in the application. Store the old key on the system as a backup key.
• B.Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam-account=IAM_ACCOUNT --key=NEW_KEY.
• C.Create a new key, and use the new key in the application. Delete the old key from the Service Account.
• D.Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam-account=IAM_ACCOUNT.

Comment: *

Name: *

Email: *

Verification: *

A security team at an e-commerce company wants to define an automatic incident response process for fraudulent credit card usage attempts. The team targets a 10-minute or faster response time for such incidents. The fraudulent card list is updated every 60 seconds. The e- commerce servers log the transaction details in near-real time. Which option should you recommend to the security team?

• A.Define a log-based metric for each fraudulent credit card, and set a Stackdriver alert for these metrics.
• B.Maintain a log ingestion exclusion filter based on the fraudulent credit card lists.
• C.Use AutoML to automatically build models based on the fraudulent credit card lists.
• D.Create a new logging export with a filter to match the transaction and a sink pointing to a Cloud Pub/Sub topic.

Comment: *

Name: *

Email: *

Verification: *

Your organization wants to be compliant with the General Data Protection Regulation (GDPR) on Google Cloud You must implement data residency and operational sovereignty in the EU.
What should you do?
Choose 2 answers

• A.Limit the physical location of a new resource with the Organization Policy Service resource locations constraint."
• B.Use Cloud IDS to get east-west and north-south traffic visibility in the EU to monitor intra-VPC and mter-VPC communication.
• C.Limit Google personnel access based on predefined attributes such as their citizenship or geographic location by using Key Access Justifications
• D.Use identity federation to limit access to Google Cloud resources from non-EU entities.
• E.Use VPC Flow Logs to monitor intra-VPC and inter-VPC traffic in the EU.

Comment: *

Name: *

Email: *

Verification: *