
Google Professional Cloud Security Engineer Practice Test Free

Google Professional Cloud Security Engineer Practice Test Free – 50 Real Exam Questions to Boost Your Confidence

Preparing for the Google Professional Cloud Security Engineer exam? Start with our Google Professional Cloud Security Engineer Practice Test Free – a set of 50 high-quality, exam-style questions crafted to help you assess your knowledge and improve your chances of passing on the first try.

Taking a Google Professional Cloud Security Engineer practice test free is one of the smartest ways to:

  • Get familiar with the real exam format and question types
  • Evaluate your strengths and spot knowledge gaps
  • Gain the confidence you need to succeed on exam day

Below, you will find 50 free Google Professional Cloud Security Engineer practice questions to help you prepare for the exam. These questions are designed to reflect the real exam structure and difficulty level. You can click on each question to explore the details.

Question 1

Your team uses a service account to authenticate data transfers from a given Compute Engine virtual machine instance to a specified Cloud Storage bucket. An engineer accidentally deletes the service account, which breaks application functionality. You want to recover the application as quickly as possible without compromising security.
What should you do?

A. Temporarily disable authentication on the Cloud Storage bucket.

B. Use the undelete command to recover the deleted service account.

C. Create a new service account with the same name as the deleted service account.

D. Update the permissions of another existing service account and supply those credentials to the applications.

Correct Answer: B

Question 2

Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization. How should you enforce this?

A. Configure Secret Manager to manage service account keys.

B. Enable an organization policy to disable service accounts from being created.

C. Enable an organization policy to prevent service account keys from being created.

D. Remove the iam.serviceAccounts.getAccessToken permission from users.

Correct Answer: C

Question 3

Your privacy team uses crypto-shredding (deleting encryption keys) as a strategy to delete personally identifiable information (PII). You need to implement this practice on Google Cloud while still utilizing the majority of the platform's services and minimizing operational overhead. What should you do?

A. Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises.

B. Use Cloud External Key Manager to delete specific encryption keys.

C. Use customer-managed encryption keys to delete specific encryption keys.

D. Use Google default encryption to delete specific encryption keys.

Correct Answer: C

Question 4

What are the steps to encrypt data using envelope encryption?

A.
✑ Generate a data encryption key (DEK) locally.
✑ Use a key encryption key (KEK) to wrap the DEK.
✑ Encrypt data with the KEK.
✑ Store the encrypted data and the wrapped KEK.

B.
✑ Generate a key encryption key (KEK) locally.
✑ Use the KEK to generate a data encryption key (DEK).
✑ Encrypt data with the DEK.
✑ Store the encrypted data and the wrapped DEK.

C.
✑ Generate a data encryption key (DEK) locally.
✑ Encrypt data with the DEK.
✑ Use a key encryption key (KEK) to wrap the DEK.
✑ Store the encrypted data and the wrapped DEK.

D.
✑ Generate a key encryption key (KEK) locally.
✑ Generate a data encryption key (DEK) locally.
✑ Encrypt data with the KEK.
✑ Store the encrypted data and the wrapped DEK.

Correct Answer: C

Question 5

You are routing all your internet-facing traffic from Google Cloud through your on-premises internet connection. You want to accomplish this goal securely and with the highest bandwidth possible.
What should you do?

A. Create an HA VPN connection to Google Cloud. Replace the default 0.0.0.0/0 route.

B. Create a routing VM in Compute Engine. Configure the default route with the VM as the next hop.

C. Configure Cloud Interconnect with HA VPN. Replace the default 0.0.0.0/0 route to an on-premises destination.

D. Configure Cloud Interconnect and route traffic through an on-premises firewall.

Correct Answer: B

Question 6

A service account key has been publicly exposed on multiple public code repositories. After reviewing the logs, you notice that the keys were used to generate short-lived credentials. You need to immediately remove access with the service account.
What should you do?

A. Delete the compromised service account.

B. Disable the compromised service account key.

C. Wait until the service account credentials expire automatically.

D. Rotate the compromised service account key.

Correct Answer: C

Question 7

Your company's Chief Information Security Officer (CISO) creates a requirement that business data must be stored in specific locations due to regulatory requirements that affect the company's global expansion plans. After working on the details to implement this requirement, you determine the following:
✑ The services in scope are included in the Google Cloud Data Residency Terms.
✑ The business data remains within specific locations under the same organization.
✑ The folder structure can contain multiple data residency locations.
You plan to use the Resource Location Restriction organization policy constraint. At which level in the resource hierarchy should you set the constraint?

A. Folder

B. Resource

C. Project

D. Organization

Correct Answer: B

Question 8

You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.
What should you do?

A. Use multi-factor authentication for admin access to the web application.

B. Use only applications certified compliant with PA-DSS.

C. Move the cardholder data environment into a separate GCP project.

D. Use VPN for all connections between your office and cloud environments.

Correct Answer: C

Question 9

Which two security characteristics are related to the use of VPC peering to connect two VPC networks? (Choose two.)

A. Central management of routes, firewalls, and VPNs for peered networks

B. Non-transitive peered networks; where only directly peered networks can communicate

C. Ability to peer networks that belong to different Google Cloud organizations

D. Firewall rules that can be created with a tag from one peered network to another peered network

E. Ability to share specific subnets across peered networks

Correct Answer: BC

Question 10

Your Security team believes that a former employee of your company gained unauthorized access to Google Cloud resources some time in the past 2 months by using a service account key. You need to confirm the unauthorized access and determine the user activity. What should you do?

A. Use Security Health Analytics to determine user activity.

B. Use the Cloud Monitoring console to filter audit logs by user.

C. Use the Cloud Data Loss Prevention API to query logs in Cloud Storage.

D. Use the Logs Explorer to search for user activity.

Correct Answer: B

Question 11

You have an application where the frontend is deployed on a managed instance group in subnet A and the data layer is stored on a MySQL Compute Engine virtual machine (VM) in subnet B on the same VPC. Subnet A and subnet B hold several other Compute Engine VMs. You only want to allow the application frontend to access the data in the application's MySQL instance on port 3306.
What should you do?

A. Configure an ingress firewall rule that allows communication from the source IP range of subnet A to the tag “data-tag” that is applied to the MySQL Compute Engine VM on port 3306.

B. Configure an ingress firewall rule that allows communication from the frontend’s unique service account to the unique service account of the MySQL Compute Engine VM on port 3306.

C. Configure a network tag “fe-tag” to be applied to all instances in subnet A and a network tag “data-tag” to be applied to all instances in subnet B. Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged with fe-tag.

D. Configure a network tag “fe-tag” to be applied to all instances in subnet A and a network tag “data-tag” to be applied to all instances in subnet B. Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.

Correct Answer: B

Question 12

You are in charge of creating a new Google Cloud organization for your company. Which two actions should you take when creating the super administrator accounts? (Choose two.)

A. Create an access level in the Google Admin console to prevent super admin from logging in to Google Cloud.

B. Disable any Identity and Access Management (IAM) roles for super admin at the organization level in the Google Cloud Console.

C. Use a physical token to secure the super admin credentials with multi-factor authentication (MFA).

D. Use a private connection to create the super admin accounts to avoid sending your credentials over the Internet.

E. Provide non-privileged identities to the super admin users for their day-to-day activities.

Correct Answer: AC

Question 13

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.
Which two settings must remain disabled to meet these requirements? (Choose two.)

A. Public IP

B. IP Forwarding

C. Private Google Access

D. Static routes

E. IAM Network User Role

Correct Answer: AC

Question 14

An organization wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.
Which Cloud Data Loss Prevention API technique should you use?

A. Cryptographic hashing

B. Redaction

C. Format-preserving encryption

D. Generalization

Correct Answer: C

Question 15

As adoption of the Cloud Data Loss Prevention (Cloud DLP) API grows within your company, you need to optimize usage to reduce cost. Cloud DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.
Which cost reduction options should you recommend?

A. Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.

B. Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.

C. Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.

D. Use FindingLimits and TimespanConfig to sample data and minimize transformation units.

Correct Answer: C

Question 16

You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

A. Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.

B. Configure your Compute Engine instances to use the Google Cloud’s operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.

C. Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE-WEST1 region.

D. Configure a custom retention policy of 12 years on your Google Cloud’s operations suite log bucket in the EUROPE-WEST1 region.

Correct Answer: B

Question 17

A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location.
How should the company accomplish this?

A. Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.

B. Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.

C. Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.

D. Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.

Correct Answer: D

Question 18

An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.
Which Cloud Identity password guidelines can the organization use to inform their new requirements?

A. Set the minimum length for passwords to be 8 characters.

B. Set the minimum length for passwords to be 10 characters.

C. Set the minimum length for passwords to be 12 characters.

D. Set the minimum length for passwords to be 6 characters.

Correct Answer: A

Question 19

A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior.
What should you do to meet these requirements?

A. Create a Folder per department under the Organization. For each department’s Folder, assign the Project Viewer role to the Google Group related to that department.

B. Create a Folder per department under the Organization. For each department’s Folder, assign the Project Browser role to the Google Group related to that department.

C. Create a Project per department under the Organization. For each department’s Project, assign the Project Viewer role to the Google Group related to that department.

D. Create a Project per department under the Organization. For each department’s Project, assign the Project Browser role to the Google Group related to that department.

Correct Answer: C

Question 20

Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?

A. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project. 2. Subscribe SIEM to the topic.

B. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project. 2. Process Cloud Storage objects in SIEM.

C. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project. 2. Subscribe SIEM to the topic.

D. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project. 2. Process Cloud Storage objects in SIEM.

Correct Answer: B

Question 21

You have been tasked with configuring Security Command Center for your organization's Google Cloud environment. Your security team needs to receive alerts of potential crypto mining in the organization's compute environment and alerts for common Google Cloud misconfigurations that impact security. Which Security Command Center features should you use to configure these alerts? (Choose two.)

A. Event Threat Detection

B. Container Threat Detection

C. Security Health Analytics

D. Cloud Data Loss Prevention

E. Google Cloud Armor

Correct Answer: AE

Question 22

Your company’s users access data in a BigQuery table. You want to ensure they can only access the data during working hours.
What should you do?

A. Assign a BigQuery Data Viewer role along with an IAM condition that limits the access to specified working hours.

B. Run a gsutil script that assigns a BigQuery Data Viewer role, and remove it only during the specified working hours.

C. Assign a BigQuery Data Viewer role to a service account that adds and removes the users daily during the specified working hours.

D. Configure Cloud Scheduler so that it triggers a Cloud Functions instance that modifies the organizational policy constraint for BigQuery during the specified working hours.

Correct Answer: C

Question 23

You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account.
What should you do?

A. Query Data Access logs.

B. Query Admin Activity logs.

C. Query Access Transparency logs.

D. Query Stackdriver Monitoring Workspace.

Correct Answer: A

Question 24

A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet.
How should this be accomplished?

A. Create a firewall rule to block internet traffic from the VM.

B. Provision a NAT Gateway to access the Cloud Storage API endpoint.

C. Enable Private Google Access.

D. Mount a Cloud Storage bucket as a local filesystem on every VM.

Correct Answer: B

Question 25

Your organization's Google Cloud VMs are deployed via an instance template that configures them with a public IP address in order to host web services for external users. The VMs reside in a service project that is attached to a host (VPC) project containing one custom Shared VPC for the VMs. You have been asked to reduce the exposure of the VMs to the internet while continuing to service external users. You have already recreated the instance template without a public IP address configuration to launch the managed instance group (MIG). What should you do?

A. Deploy a Cloud NAT Gateway in the service project for the MIG.

B. Deploy a Cloud NAT Gateway in the host (VPC) project for the MIG.

C. Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.

D. Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend.

Correct Answer: C

Question 26

A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?

A. Use Cloud Build to build the container images.

B. Build small containers using small base images.

C. Delete non-used versions from Container Registry.

D. Use a Continuous Delivery tool to deploy the application.

Correct Answer: D

Question 27

An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud and where Google's responsibility lies. They are mostly running workloads using Google Cloud's platform-as-a-service (PaaS) offerings, primarily App Engine.
Which area in the technology stack should they focus on as their primary responsibility when using App Engine?

A. Configuring and monitoring VPC Flow Logs

B. Defending against XSS and SQLi attacks

C. Managing the latest updates and security patches for the Guest OS

D. Encrypting all stored data

Correct Answer: D

Question 28

Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application. The solution has the following requirements:
✑ Scans must run at least once per week
✑ Must be able to detect cross-site scripting vulnerabilities
✑ Must be able to authenticate using Google accounts
Which solution should you use?

A. Google Cloud Armor

B. Web Security Scanner

C. Security Health Analytics

D. Container Threat Detection

Correct Answer: B

Question 29

You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud. Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.)

A. Use Google default encryption.

B. Manually add users to Google Cloud.

C. Provision users with basic roles using Google’s Identity and Access Management (IAM) service.

D. Use SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.

E. Provide granular access with predefined roles.

Correct Answer: DE

Question 30

Your company must follow industry-specific regulations. Therefore, you need to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources in the organization called org1.
What command should you execute?

A. Organization policy: constraints/gcp.restrictStorageNonCmekServices; binding at: org1; policy type: allow; policy value: all supported services

B. Organization policy: constraints/gcp.restrictNonCmekServices; binding at: org1; policy type: deny; policy value: storage.googleapis.com

C. Organization policy: constraints/gcp.restrictStorageNonCmekServices; binding at: org1; policy type: deny; policy value: storage.googleapis.com

D. Organization policy: constraints/gcp.restrictNonCmekServices; binding at: org1; policy type: allow; policy value: storage.googleapis.com

Correct Answer: C

Question 31

When working with agents in the support center via online chat, your organization's customers often share pictures of their documents with personally identifiable information (PII). Your leadership team is concerned that this PII is being stored as part of the regular chat logs, which are reviewed by internal or external analysts for customer service trends.
You want to resolve this concern while still maintaining data utility. What should you do?

A. Use Cloud Key Management Service to encrypt PII shared by customers before storing it for analysis.

B. Use Object Lifecycle Management to make sure that all chat records containing PII are discarded and not saved for analysis.

C. Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.

D. Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.

Correct Answer: C

Question 32

You perform a security assessment on a customer architecture and discover that multiple VMs have public IP addresses. After providing a recommendation to remove the public IP addresses, you are told those VMs need to communicate to external sites as part of the customer's typical operations. What should you recommend to reduce the need for public IP addresses in your customer's VMs?

A. Google Cloud Armor

B. Cloud NAT

C. Cloud Router

D. Cloud VPN

Correct Answer: B

Question 33

You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud.
You want to validate these policy changes before they are enforced. What service should you use?

A. Google Cloud Armor’s preconfigured rules in preview mode

B. Prepopulated VPC firewall rules in monitor mode

C. The inherent protections of Google Front End (GFE)

D. Cloud Load Balancing firewall rules

E. VPC Service Controls in dry run mode

Correct Answer: A

Question 34

You manage a BigQuery analytical data warehouse in your organization. You want to keep data for all your customers in a common table while you also restrict query access based on rows and columns permissions. Non-query operations should not be supported.
What should you do? (Choose two.)

A. Create row-level access policies to restrict the result data when you run queries with the filter expression set to TRUE.

B. Configure column-level encryption by using Authenticated Encryption with Associated Data (AEAD) functions with Cloud Key Management Service (KMS) to control access to columns at query runtime.

C. Create row-level access policies to restrict the result data when you run queries with the filter expression set to FALSE.

D. Configure dynamic data masking rules to control access to columns at query runtime.

E. Create column-level policy tags to control access to columns at query runtime.

Correct Answer: CD

Question 35

Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.
How should your team meet these requirements?

A. Enable Private Access on the VPC network in the production project.

B. Remove the Editor role and grant the Compute Admin IAM role to the engineers.

C. Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.

D. Set up a VPC network with two subnets: one with public IPs and one without public IPs.

Correct Answer: C

Question 36

Your organization uses Google Workspace Enterprise Edition for authentication. You are concerned about employees leaving their laptops unattended for extended periods of time after authenticating into Google Cloud. You must prevent malicious people from using an employee's unattended laptop to modify their environment.
What should you do?

A. Create a policy that requires employees to not leave their sessions open for long durations.

B. Review and disable unnecessary Google Cloud APIs.

C. Require strong passwords and 2SV through a security token or Google authenticator.

D. Set the session length timeout for Google Cloud services to a shorter duration.

Correct Answer: B

Question 37

You are migrating an application into the cloud. The application will need to read data from a Cloud Storage bucket. Due to local regulatory requirements, you need to hold the key material used for encryption fully under your control and you require a valid rationale for accessing the key material.
What should you do?

A. Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys. Configure an IAM deny policy for unauthorized groups.

B. Generate a key in your on-premises environment to encrypt the data before you upload the data to the Cloud Storage bucket. Upload the key to the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and have the external key system reject unauthorized accesses.

C. Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys backed by a Cloud Hardware Security Module (HSM). Enable data access logs.

D. Generate a key in your on-premises environment and store it in a Hardware Security Module (HSM) that is managed on-premises. Use this key as an external key in the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and set the external key system to reject unauthorized accesses.

Correct Answer: D

Question 38

You discovered that sensitive personally identifiable information (PII) is being ingested to your Google Cloud environment in the daily ETL process from an on-premises environment to your BigQuery datasets. You need to redact this data to obfuscate the PII, but need to re-identify it for data analytics purposes. Which components should you use in your solution? (Choose two.)

A. Secret Manager

B. Cloud Key Management Service

C. Cloud Data Loss Prevention with cryptographic hashing

D. Cloud Data Loss Prevention with automatic text redaction

E. Cloud Data Loss Prevention with deterministic encryption using AES-SIV

Correct Answer: DE

Question 39

A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to control the key lifecycle.
Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?

A. Customer-supplied encryption keys (CSEK)

B. Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)

C. Encryption by default

D. Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis

Correct Answer: B

Question 40

You have stored company approved compute images in a single Google Cloud project that is used as an image repository. This project is protected with VPC Service Controls and exists in the perimeter along with other projects in your organization. This lets other projects deploy images from the image repository project. A team requires deploying a third-party disk image that is stored in an external Google Cloud organization. You need to grant read access to the disk image so that it can be deployed into the perimeter.
What should you do?

A. Allow the external project by using the organizational policy, constraints/compute.trustedImageProjects.

B. 1. Update the perimeter. 2. Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com. 3. Configure the egressFrom field to set identityType to ANY_IDENTITY.

C. 1. Update the perimeter. 2. Configure the ingressFrom field to set identityType to ANY_IDENTITY. 3. Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.

D. 1. Update the perimeter. 2. Configure the egressTo field to set identityType to ANY_IDENTITY. 3. Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.

 


Correct Answer: D

Question 41

You will create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.
What should you do?

A. Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.

B. Create a custom role with the permission compute.instances.list and grant the Service Account this role.

C. Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.

D. Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.

Correct Answer: A

Question 42

Your company wants to determine what products they can build to help customers improve their credit scores depending on their age range. To achieve this, you need to join user information in the company's banking app with customers' credit score data received from a third party. While using this raw data will allow you to complete this task, it exposes sensitive data, which could be propagated into new systems.
This risk needs to be addressed using de-identification and tokenization with Cloud Data Loss Prevention while maintaining the referential integrity across the database. Which cryptographic token format should you use to meet these requirements?

A. Deterministic encryption

B. Secure, key-based hashes

C. Format-preserving encryption

D. Cryptographic hashing

Correct Answer: B

Question 43

An office manager at your small startup company is responsible for matching payments to invoices and creating billing alerts. For compliance reasons, the office manager is only permitted to have the Identity and Access Management (IAM) permissions necessary for these tasks. Which two IAM roles should the office manager have? (Choose two.)

A. Organization Administrator

B. Project Creator

C. Billing Account Viewer

D. Billing Account Costs Manager

E. Billing Account User

Correct Answer: AE

Question 44

Your company has deployed an application on Compute Engine. The application is accessible by clients on port 587. You need to balance the load between the different instances running the application. The connection should be secured using TLS, and terminated by the Load Balancer.
What type of Load Balancing should you use?

A. Network Load Balancing

B. HTTP(S) Load Balancing

C. TCP Proxy Load Balancing

D. SSL Proxy Load Balancing

Correct Answer: D

Question 45

Your organization uses the top-tier folder to separate application environments (prod and dev). The developers need to see all application development audit logs, but they are not permitted to review production logs. Your security team can review all logs in production and development environments. You must grant Identity and Access Management (IAM) roles at the right resource level for the developers and security team while you ensure least privilege.
What should you do?

A. 1. Grant logging.viewer role to the security team at the organization resource level.
   2. Grant logging.viewer role to the developer team at the folder resource level that contains all the dev projects.

B. 1. Grant logging.viewer role to the security team at the organization resource level.
   2. Grant logging.admin role to the developer team at the organization resource level.

C. 1. Grant logging.admin role to the security team at the organization resource level.
   2. Grant logging.viewer role to the developer team at the folder resource level that contains all the dev projects.

D. 1. Grant logging.admin role to the security team at the organization resource level.
   2. Grant logging.admin role to the developer team at the organization resource level.

Correct Answer: A

Question 46

Last week, a company deployed a new App Engine application that writes logs to BigQuery. No other workloads are running in the project. You need to validate that all data written to BigQuery was done using the App Engine Default Service Account.
What should you do?

A. 1. Use Cloud Logging and filter on BigQuery Insert Jobs.
   2. Click on the email address in line with the App Engine Default Service Account in the authentication field.
   3. Click Hide Matching Entries.
   4. Make sure the resulting list is empty.

B. 1. Use Cloud Logging and filter on BigQuery Insert Jobs.
   2. Click on the email address in line with the App Engine Default Service Account in the authentication field.
   3. Click Show Matching Entries.
   4. Make sure the resulting list is empty.

C. 1. In BigQuery, select the related dataset.
   2. Make sure that the App Engine Default Service Account is the only account that can write to the dataset.

D. 1. Go to the Identity and Access Management (IAM) section of the project.
   2. Validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery.

Correct Answer: C

Question 47

Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:
✑ The network connection must be encrypted.
✑ The communication between servers must be over private IP addresses.
What should you do?

A. Configure a Cloud VPN connection between your organization’s VPC network and the third party’s that is controlled by VPC firewall rules.

B. Configure a VPC peering connection between your organization’s VPC network and the third party’s that is controlled by VPC firewall rules.

C. Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.

D. Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.

Correct Answer: A

Question 48

Your organization has on-premises hosts that need to access Google Cloud APIs. You must enforce private connectivity between these hosts, minimize costs, and optimize for operational efficiency.
What should you do?

A. Set up VPC peering between the hosts on-premises and the VPC through the internet.

B. Route all on-premises traffic to Google Cloud through an IPsec VPN tunnel to a VPC with Private Google Access enabled.

C. Enforce a security policy that mandates all applications to encrypt data with a Cloud Key Management Service (KMS) key before you send it over the network.

D. Route all on-premises traffic to Google Cloud through a Dedicated or Partner Interconnect to a VPC with Private Google Access enabled.

Correct Answer: B

Question 49

A customer deployed an application on Compute Engine that takes advantage of the elastic nature of cloud computing.
How can you work with Infrastructure Operations Engineers to best ensure that Windows Compute Engine VMs are up to date with all the latest OS patches?

A. Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.

B. Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.

C. Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).

D. Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.

Correct Answer: D

Question 50

You are setting up a CI/CD pipeline to deploy containerized applications to your production clusters on Google Kubernetes Engine (GKE). You need to prevent containers with known vulnerabilities from being deployed. You have the following requirements for your solution:
✑ Must be cloud-native
✑ Must be cost-efficient
✑ Minimize operational overhead
How should you accomplish this? (Choose two.)

A. Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.

B. Use a Cloud Function triggered by log events in Google Cloud’s operations suite to automatically scan your container images in Container Registry.

C. Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.

D. Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.

E. In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.

Correct Answer: AE

Free Access Full Google Professional Cloud Security Engineer Practice Test Free Questions

If you’re looking for more Google Professional Cloud Security Engineer practice test free questions, click here to access the full Google Professional Cloud Security Engineer practice test.

We regularly update this page with new practice questions, so be sure to check back frequently.

Good luck with your Google Professional Cloud Security Engineer certification journey!
