Google Professional Cloud Security Engineer Exam | Questions & Answers (100 %Score) Latest Updated 2024/2025 Comprehensive Questions A+ Graded Answers | 100% Pass

  • August 3, 2024
  • 46 pages
  • 2024/2025
  • Exam (elaborations)
  • Questions & answers
  • Course: Google Cloud Platform Associate Cloud Engineer
  • Seller: VasilyKichigin


Your team needs to make sure that a Compute Engine instance does not have access to the internet or
to any Google APIs or services. Which two settings must remain disabled to meet these requirements?
(Choose two.) - ✔️✔️Public IP
✔️✔️Private Google Access



Which two implied firewall rules are defined on a VPC network? - ✔️✔️A rule that allows all outbound
connections
✔️✔️A rule that denies all inbound connections



A customer needs an alternative to storing their plain text secrets in their source-code management
(SCM) system. How should the customer achieve this using Google Cloud Platform? - ✔️✔️Encrypt the
secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.



Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory
Service. Your team wants to manage permissions by AD group membership. What should your team do
to meet these requirements? - ✔️✔️Set up Cloud Directory Sync to sync groups, and set IAM permissions
on the groups.



When creating a secure container image, which two items should you incorporate into the build if
possible? (Choose two.) - ✔️✔️Package a single app as a container.
✔️✔️Remove any unnecessary tools not needed by the app.



A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The
customer's internal compliance requirements dictate that end-user access may only be allowed if the
traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their
application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood
protection. Which product should be used to meet these requirements? - ✔️✔️Cloud Armor

A company is running workloads in a dedicated server room. They must only be accessed from within
the private company network. You need to connect to these workloads from Compute Engine instances
within a Google Cloud Platform project. Which two approaches can you take to meet the requirements?
(Choose two.) - ✔️✔️Configure the project with Cloud VPN
✔️✔️Configure the project with Cloud Interconnect.



A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine.
Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud
Identity-Aware Proxy. What should the customer do to meet these requirements? - ✔️✔️Make sure that
the ERP system can validate the JWT assertion in the HTTP requests.



A company has been running their application on Compute Engine. A bug in the application allowed a
malicious user to repeatedly execute a script that results in the Compute Engine instance crashing.
Although the bug has been fixed, you want to get notified in case this hack re-occurs. What should you
do? - ✔️✔️Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the
number of executions of the script remains below the desired threshold. Enable notifications.



Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The
development projects are under the NONPROD organization folder with the test and pre-production
projects. The development projects share the ABC-BILLING billing account with the rest of the
organization. Which logging export strategy should you use to meet the requirements? - ✔️✔️1. Create a
Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in
a dedicated SIEM project. 2. Process Cloud Storage objects in SIEM.



A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a
malicious site through a man-in-the-middle attack. Which solution should this customer use? - ✔️✔️DNS
Security Extensions



A customer deploys an application to App Engine and needs to check for Open Web Application Security
Project (OWASP) vulnerabilities. Which service should be used to accomplish this? - ✔️✔️Web Security
Scanner



A customer's data science group wants to use Google Cloud Platform (GCP) for their analytics workloads.
Company policy dictates that all data must be company-owned and all user authentications must go
through their own Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). The
Infrastructure Operations Systems Engineer was trying to set up Cloud Identity for the customer and
realized that their domain was already being used by G Suite. How should you best advise the Systems
Engineer to proceed with the least disruption? - ✔️✔️Ask customer's management to discover any other
uses of Google managed services, and work with the existing Super Administrator.



A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP.
The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of
projects. Your team becomes aware of this and wants to take over managing permissions and auditing
the domain resources. Which type of access should your team grant to meet this requirement? -
✔️✔️Organization Administrator



An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket.
Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the
principle of least privilege. Which option meets the requirement of your team? - ✔️✔️Use a service
account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance
metadata.



An organization's typical network and security review consists of analyzing application transit routes,
request handling, and firewall rules. They want to enable their developer teams to deploy new
applications without the overhead of this full review. How should you advise this organization? -
✔️✔️Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce
policies.



An employer wants to track how bonus compensations have changed over time to identify employee
outliers and correct earning disparities. This task must be performed without exposing the sensitive
compensation data for any individual and must be reversible to identify the outlier. Which Cloud Data
Loss Prevention API technique should you use to accomplish this? - ✔️✔️CryptoReplaceFfxFpeConfig



An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance
on setting up password requirements for their Cloud Identity account. The organization has a password
policy requirement that corporate employee passwords must have a minimum number of
characters. Which Cloud Identity password guidelines can the organization use to inform their new
requirements? - ✔️✔️Set the minimum length for passwords to be 8 characters.



You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at
the application layer. What should you do? - ✔️✔️Generate a data encryption key (DEK) locally to encrypt
the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the
encrypted data and the encrypted DEK.



How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system? -
✔️✔️Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the
SIEM via Dataflow.



In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is
authorized. Which two cloud offerings meet this requirement without additional compensating controls?
(Choose two.) - ✔️✔️Compute Engine
✔️✔️Google Kubernetes Engine



A website design company recently migrated all customer sites to App Engine. Some sites are still in
progress and should only be visible to customers and company employees from any location. Which
solution will restrict access to the in-progress sites? - ✔️✔️Enable Cloud Identity-Aware Proxy (IAP), and
allow access to a Google Group that contains the customer and employee user accounts.



When working with agents in the support center via online chat, your organization's customers often
share pictures of their documents with personally identifiable information (PII). Your leadership team is
concerned that this PII is being stored as part of the regular chat logs, which are reviewed by internal or
external analysts for customer service trends. You want to resolve this concern while still maintaining
data utility. What should you do? - ✔️✔️Use the image inspection and redaction actions of the DLP API to
redact PII from the images before storing them for analysis.



A company's application is deployed with a user-managed Service Account key. You want to use
Google-recommended practices to rotate the key. What should you do? - ✔️✔️Create a new key, and use the new
key in the application. Delete the old key from the Service Account.



Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the
control over networking resources like firewall rules, subnets, and routes. They also have an
on-premises environment where resources need access back to the GCP resources through a private VPN
connection. The networking resources will need to be controlled by the network security team. Which
type of networking design should your team use to meet these requirements? - ✔️✔️Shared VPC Network
with a host project and service projects
