A.  

Use Security Health Analytics to determine user activity.

B.  

Use the Cloud Monitoring console to filter audit logs by user.

C.  

Use the Cloud Data Loss Prevention API to query logs in Cloud Storage.

D.  

Use the Logs Explorer to search for user activity.

A.  

Implement at-rest encryption by using customer-managed encryption keys (CMEK) for the pipeline. Implement strict Identity and Access Management (IAM) policies to control access to BigQuery.

B.  

De-identify sensitive data before model training by using Cloud Data Loss Prevention (DLP) APIs, and implement strict Identity and Access Management (IAM) policies to control access to BigQuery.

C.  

Implement Identity-Aware Proxy to enforce context-aware access to BigQuery and models based on user identity and device.

D.  

Deploy the model on Confidential VMs for enhanced protection of data and code while in use. Implement strict Identity and Access Management (IAM) policies to control access to BigQuery.

A.  

SSO SAML as a third-party IdP

B.  

Identity Platform

C.  

OpenID Connect

D.  

Identity-Aware Proxy

E.  

Cloud Identity

A.  

Use Google default encryption.

B.  

Manually add users to Google Cloud.

C.  

Provision users with basic roles using Google's Identity and Access Management (1AM) service.

D.  

Use SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.

E.  

Provide granular access with predefined roles.

A.  

1. Use separate Google Cloud projects to store Production and Non-Production secrets.2. Enforce access control to secrets using project-level identity and Access Management (IAM) bindings.3. Use customer-managed encryption keys to encrypt secrets.

B.  

1. Use a single Google Cloud project to store both Production and Non-Production secrets.2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.3. Use Google-managed encryption keys to encrypt secrets.

C.  

1. Use separate Google Cloud projects to store Production and Non-Production secrets.2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.3. Use Google-managed encryption keys to encrypt secrets.

D.  

1. Use a single Google Cloud project to store both Production and Non-Production secrets.2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings.3. Use customer-managed encryption keys to encrypt secrets.

A.  

Create a project with multiple VPC networks for each environment.

B.  

Create a folder for each development and production environment.

C.  

Create a Google Group for the Engineering team, and assign permissions at the folder level.

D.  

Create an Organizational Policy constraint for each folder environment.

E.  

Create projects for each environment, and grant IAM rights to each engineering user.

A.  

compute.restrictSharedVpcHostProjects

B.  

compute.restrictXpnProjectLienRemoval

C.  

compute.restrictSharedVpcSubnetworks

D.  

compute.sharedReservationsOwnerProjects

A.  

Add a public IP address to the application's database. Create database users for each of the partner's employees. Securely distribute the credentials for these users to the partner team.

B.  

Create accounts for the partner team in your corporate identity provider. Synchronize these accounts with Google Cloud Identity. Grant the accounts access to the database.

C.  

Ask the partner team to set up Cloud Identity accounts within their own corporate environment and identity provider. Grant the partner’s Cloud Identity accounts access to the database.

D.  

Configure Workforce Identity Federation for the partner. Connect the identity pool provider to the partner's identity provider. Grant the workforce pool resources access to the database.

A.  

1. Enable Container Threat Detection in the Security Command Center Premium tier.• 2. Upgrade all clusters that are not on a supported version of GKE to the latest possible GKE version.• 3. View and share the results from the Security Command Center

B.  

• 1. Use an open source tool in Cloud Build to scan the images.• 2. Upload reports to publicly accessible buckets in Cloud Storage by using gsutil• 3. Share the scan report link with your security department.

C.  

• 1. Enable vulnerability scanning in the Artifact Registry settings.• 2. Use Cloud Build to build the images• 3. Push the images to the Artifact Registry for automatic scanning.• 4. View the reports in the Artifact Registry.

D.  

• 1. Get a GitHub subscription.• 2. Build the images in Cloud Build and store them in GitHub for automatic scanning• 3. Download the report from GitHub and share with the Security Team

A.  

• 1 Remove the Identity and Access Management (IAM) granting access to allusers from the buckets• 2 Apply the organization policy storage. unifromBucketLevelAccess to prevent regressions• 3 Query the data access logs to report on unauthorized access

B.  

• 1 Change bucket permissions to limit access• 2 Query the data access audit logs for any unauthorized access to the buckets• 3 After the misconfiguration is corrected mute the finding in the Security Command Center

C.  

• 1 Change permissions to limit access for authorized users• 2 Enforce a VPC Service Controls perimeter around all the production projects to immediately stop any unauthorized access• 3 Review the administrator activity audit logs to report on any unauthorized access

D.  

• 1 Change the bucket permissions to limit access• 2 Query the buckets usage logs to report on unauthorized access to the data• 3 Enforce the organization policy storage.publicAccessPrevention to avoid regressions

A.  

Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.

B.  

Encrypt non-sensitive data and sensitive data with Cloud Key Management Service

C.  

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.

D.  

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

A.  

Use Packet Mirroring to mirror traffic to and from particular VM instances. Perform inspection using security software that analyzes the mirrored traffic.

B.  

Enable VPC Flow Logs for all subnets in the VPC. Perform inspection on the Flow Logs data using Cloud Logging.

C.  

Configure the Fluentd agent on each VM Instance within the VP

C.  

D.  

Configure Google Cloud Armor access logs to perform inspection on the log data.

A.  

Cloud Armor

B.  

VPC Firewall Rules

C.  

Cloud Identity and Access Management

D.  

Cloud CDN

A.  

Configure VPC firewall rules to allow the services to access the IP addresses of required external web services.

B.  

Set up a Secure Web Proxy that allows access to the specific external web services. Configure applications to use the proxy for the web service requests.

C.  

Configure Google Cloud Armor to monitor and protect your applications by checking incoming traffic patterns for attack patterns.

D.  

Set up a Cloud NAT instance to allow egress traffic from your VPC.

A.  

Implement a custom script in the Cloud Build pipeline that uses a third-party vulnerability scanning tool. Fail the build if vulnerabilities are found.

B.  

Configure GKE to use only images from a specific, trusted Artifact Registry repository. Manually inspect all images before pushing them to this repository.

C.  

Configure a policy in Binary Authorization to use Artifact Analysis vulnerability scanning to only allow images that pass the scan to deploy to your GKE clusters.

D.  

Enable Artifact Analysis vulnerability scanning and regularly scan images in Artifact Registry. Remove any images that do not meet the vulnerability requirements before deployment.

A.  

Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.

B.  

Create a custom role with the permission compute.instances.list and grant the Service Account this role.

C.  

Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.

D.  

Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.

A.  

Implement an automated process that scans all identities in your organization and disables any unmanaged accounts.

B.  

Create a Google Cloud identity for all users in your organization. Ensure that new users are added automatically.

C.  

Register a new domain for your Google Cloud resources. Move all existing identities and resources to this domain.

D.  

Switch your corporate email system to another domain to avoid using the same domain for Google Cloud identities and corporate emails.

A.  

Text message or phone call code

B.  

Security key

C.  

Google Authenticator application

D.  

Google prompt

A.  

Grant project-level group permissions by using specific Cloud IAM roles. Use BigQuery authorized views. Cloud Storage uniform bucket-level access, and Cloud SQL database roles.

B.  

Configure an access level to control access to the Google Cloud console for users managing these data services. Require multi-factor authentication for all access attempts.

C.  

Use VPC Service Controls to create security perimeters around the projects for BigQuery. Cloud Storage, and Cloud SQL services. restricting access based on the network origin of the requests.

D.  

Enable project-level data access logs for BigQuery. Cloud Storage, and Cloud SQL. Configure log sinks to export these logs to Security Command Center to identify unauthorized access attempts.

A.  

1. Configure all running Web and App servers with respective network tags.2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.

B.  

1. Configure all running Web and App servers with respective service accounts.2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.

C.  

1. Re-deploy the Web and App servers with instance templates configured with respective network tags.2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.

D.  

1. Re-deploy the Web and App servers with instance templates configured with respective service accounts.2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.

A.  

Enable Firewall Rules Logging on the latest rules that were changed. Use Logs Explorer to analyze whether the rules are working correctly.

B.  

Connect to a bastion host in your VPC. Use a network traffic analyzer to determine at which point your requests are being blocked.

C.  

In a pre-production environment, disable all firewall rules individually to determine which one is blocking user traffic.

D.  

Enable VPC Flow Logs in your VPC. Use Logs Explorer to analyze whether the rules are working correctly.

A.  

Create a policy that requires employees to not leave their sessions open for long durations.

B.  

Review and disable unnecessary Google Cloud APIs.

C.  

Require strong passwords and 2SV through a security token or Google authenticate.

D.  

Set the session length timeout for Google Cloud services to a shorter duration.

A.  

• 1- Generate Supply Chain Levels for Software Artifacts (SLSA) level 3 assurance by using Cloud Build.• 2. View the build provenance in the Security insights side panel within the Google Cloud console.

B.  

• 1. Review the software process.• 2. Generate private and public key pairs and use Pretty Good Privacy (PGP) protocols to sign the output software artifacts together with a file containing the address of your enterprise and point of contact.• 3. Publish the PGP signed attestation to your public web page.

C.  

• 1, Publish the software code on GitHub as open source.• 2. Establish a bug bounty program, and encourage the open source community to review, report, and fix the vulnerabilities.

D.  

• 1. Hire an external auditor to review and provide provenance• 2. Define the scope and conditions.• 3. Get support from the Security department or representative.• 4. Publish the attestation to your public web page.

A.  

Enable Assured Workloads on the folder level, with the specific control bundle appropriate for your industry's regulations.

B.  

Use Workload Manager with custom Rego policies to continuously scan the environment for misconfigurations on the folder level.C. Create a Posture file by using custom and predefined SHA or organization policies. Enforce the posture on the folder level.

C.  

Create custom organization policies that follow specific business requirements. Enforce the policies on the folder level.

A.  

Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.

B.  

Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.

C.  

Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.

D.  

Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.

A.  

Secret Manager

B.  

Cloud Key Management Service

C.  

Cloud Data Loss Prevention with cryptographic hashing

D.  

Cloud Data Loss Prevention with automatic text redaction

E.  

Cloud Data Loss Prevention with deterministic encryption using AES-SIV

A.  

Use Google Cloud Directory Sync to convert the unmanaged user accounts.

B.  

Create a new managed user account for each consumer user account.

C.  

Use the transfer tool for unmanaged user accounts.

D.  

Configure single sign-on using a customer's third-party provider.

A.  

External Key Manager

B.  

Customer-supplied encryption keys

C.  

Hardware Security Module

D.  

Confidential Computing and Istio

E.  

Client-side encryption

A.  

Configure a rate_based_ban action by using Google Cloud Armor and set the ban_duration_sec parameter to the specified time interval.

B.  

Configure a deny action by using Google Cloud Armor to deny the clients that issued too many requests over the specified time interval.

C.  

Configure a throttle action by using Google Cloud Armor to limit the number of requests per client over a specified time interval.

D.  

Configure a firewall rule in your VPC to throttle traffic from the identified IP addresses.

A.  

Make the Cloud Run service public by enabling allUsers access. Configure Identity-Aware Proxy (IAP) for authentication and IP-based access control. Use custom SSL certificates for HTTPS.

B.  

Assign a custom domain to the Cloud Run service. Enable HTTPS. Configure IAM to allow allUsers to invoke the service. Use firewall rules and VPC Service Controls for geo-based restriction and traffic filtering.

C.  

Deploy an external HTTP(S) load balancer with a serverless NEG that points to the Cloud Run service. Use a Google-managed certificate for TLS termination. Configure a Cloud Armor policy with geo-based access control.

D.  

Create a Cloud DNS public zone for the Cloud Run URL. Bind a static IP to the service. Use VPC firewall rules to restrict incoming traffic based on IP ranges and threat signatures.

A.  

Cloud Data Loss Prevention with deterministic encryption using AES-SIV

B.  

Cloud Data Loss Prevention with format-preserving encryption

C.  

Cloud Data Loss Prevention with cryptographic hashing

D.  

Cloud Data Loss Prevention with Cloud Key Management Service wrapped cryptographic keys

A.  

• 1 Update the perimeter• 2 Configure the egressTo field to set identity Type to any_identity.• 3 Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

B.  

* Allow the external project by using the organizational policyconstraints/compute.trustedlmageProjects.

C.  

• 1 Update the perimeter• 2 Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.• 3 Configure the egressFrom field to set identity Type to any_idestity.

D.  

• 1 Update the perimeter• 2 Configure the ingressFrcm field to set identityType to an-y_identity.• 3 Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis -com.

A.  

Customer-managed encryption keys with Cloud Key Management Service

B.  

Customer-managed encryption keys with Cloud HSM

C.  

Customer-supplied encryption keys

D.  

Google-managed encryption keys

A.  

Configure a VPC Service Controls perimeter in dry run mode, and enforce strict network segmentation using firewall rules. Use multi-factor authentication (MFA) for user verification.

B.  

Use Cloud Audit Logs to monitor user access to the project resources. Use post-incident analysis to identify unauthorized access attempts.

C.  

Establish a Context-Aware Access policy that specifies the required contextual attributes, and associate the policy with the VPC Service Controls perimeter in dry run mode.

D.  

Use the VPC Service Control Violation dashboard to identify the impact of details about access denials by service perimeters.

A.  

• 1 Identify buckets with record data• 2 Apply a retention policy and set it to retain for seven years• 3 Monitor the bucket by using log-based alerts to ensure that no modifications to the retention policy occurs

B.  

• 1 Identify buckets with record data• 2 Apply a retention policy and set it to retain for seven years• 3 Remove any Identity and Access Management (IAM) roles that contain the storage buckets update permission

C.  

• 1 Identify buckets with record data• 2 Enable the bucket policy only to ensure that data is retained• 3 Enable bucket lock

D.  

* 1 Identify buckets with record data• 2 Apply a retention policy and set it to retain for seven years• 3 Enable bucket lock

A.  

Implement a Cloud Function that scans the environment variables multiple times a day. and creates a finding in Security Command Center if secrets are discovered.

B.  

Implement regular peer reviews to assess the environment variables and identify secrets in your Cloud Functions. Raise a security incident if secrets are discovered.

C.  

Use Sensitive Data Protection to scan the environment variables multiple times per day. and create a finding in Security Command Center if secrets are discovered.

D.  

Integrate dynamic application security testing into the CI/CD pipeline that scans the application code for the Cloud Functions. Fail the build process if secrets are discovered.

A.  

• 1 Create a dedicated service account for the CI/CD pipelines• 2 Run the deployment pipelines in a dedicated nodes pool in the GKE cluster• 3 Use the service account that you created as identity for the nodes in the pool to authenticate to the Google Cloud APIs

B.  

• 1 Create service accounts for each deployment pipeline• 2 Generate private keys for the service accounts• 3 Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deploy pipeline

C.  

* 1 Create individual service accounts (or each deployment pipeline• 2 Add an identifier for the pipeline in the service account naming convention• 3 Ensure each pipeline runs on dedicated pods• 4 Use workload identity to map a deployment pipeline pod with a service account

D.  

• 1 Create two service accounts one for the infrastructure and one for the application deployment• 2 Use workload identities to let the pods run the two pipelines and authenticate with the service accounts• 3 Run the infrastructure and application pipelines in separate namespaces

A.  

Configure an ingress firewall rule that allows communication from the src IP range of subnet A to the tag "data-tag" that is applied to the mysql Compute Engine VM on port 3306.

B.  

Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306.

C.  

Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged fe-tag.

D.  

Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.

A.  

Create an Assured Workloads folder for your required compliance program to apply defined controls and requirements.

B.  

Create a posture.yaml file with the required security compliance posture. Apply the posture with the gcloud sec postures create POSTURE_NAME --posture-from-file=posture.yaml command in Security Command Center Premium.

C.  

Apply an organizational policy constraint at the organization level to limit the location of new resource creation.

D.  

Go to the Compliance page in Security Command Center View the report for your status against the required compliance standard. Triage violations to maintain compliance on a regular basis.

A.  

Change the configuration of the relevant groups in the Google Workspace Admin console to prevent external users from being added to the group.

B.  

Set an Identity and Access Management (1AM) policy that includes a condition that restricts group membership to user principals that belong to your organization.

C.  

Define an Identity and Access Management (IAM) deny policy that denies the assignment of principals that are outside your organization to the groups in scope.

D.  

Export the Cloud Identity logs to BigQuery Configure an alert for external members added to groups Have the alert trigger a Cloud Function instance that removes the external members from the group.

A.  

Use the org policy constraint "Restrict Resource Service Usage'* on your Google Cloud organization node.

B.  

Use Identity and Access Management (1AM) custom roles to ensure that your DevOps team can only create resources in the Europe regions

C.  

Use the org policy constraint Google Cloud Platform - Resource Location Restriction" on your Google Cloudorganization node.

D.  

Use Identity-Aware Proxy (IAP) with Access Context Manager to restrict the location of Google Cloud resources.

A.  

Google Cloud Armor's preconfigured rules in preview mode

B.  

Prepopulated VPC firewall rules in monitor mode

C.  

The inherent protections of Google Front End (GFE)

D.  

Cloud Load Balancing firewall rules

E.  

VPC Service Controls in dry run mode

A.  

Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.

B.  

Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.

C.  

Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.

D.  

Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.

A.  

1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project.2.Subscribe SIEM to the topic.

B.  

1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project.2.Process Cloud Storage objects in SIEM.

C.  

1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project.2.Subscribe SIEM to the topic.

D.  

1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project.2.Process Cloud Storage objects in SIEM.

A.  

Create a Folder per department under the Organization. For each department’s Folder, assign the Project Viewer role to the Google Group related to that department.

B.  

Create a Folder per department under the Organization. For each department’s Folder, assign the Project Browser role to the Google Group related to that department.

C.  

Create a Project per department under the Organization. For each department’s Project, assign the Project Viewer role to the Google Group related to that department.

D.  

Create a Project per department under the Organization. For each department’s Project, assign the Project Browser role to the Google Group related to that department.

A.  

• 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring• 2 Create a Cloud Run function to check for the VM settings generate metrics and run the function regularly

B.  

• 1 Activate Virtual Machine Threat Detection in Security Command Center (SCO Premium• 2 Monitor the findings in SCC

C.  

* 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring• 2 Activate Confidential Computing• 3 Enforce these actions by using organization policies

D.  

• 1 Use secure hardened images from the Google Cloud Marketplace• 2 When deploying the images activate the Confidential Computing option• 3 Enforce the use of the correct images and Confidential Computing by using organization policies

A.  

Create separate VPC networks for each tier. Use VPC peering between application tiers and other required VPCs. Provide vendors with SSH keys and root access only to the instances within the VPC for maintenance purposes.

B.  

Create a single VPC network and create different subnets for each tier. Create a new Google project specifically for the third-party vendors and grant the network admin role to the vendors. Deploy a VPN appliance and rely on the vendors' configurations to secure third-party access.

C.  

Create separate VPC networks for each tier. Use VPC peering between application tiers and other required VPCs. Enable Identity-Aware Proxy (IAP) for remote access to management resources, limiting access to authorized vendors.

D.  

Create a single VPC network and create different subnets for each tier. Create a new Google project specifically for the third-party vendors. Grant the vendors ownership of that project and the ability to modify the Shared VPC configuration.

A.  

Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.

B.  

Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.

C.  

Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration. Update the perimeter configuration after the access level has been vetted.

D.  

Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.

A.  

Use Certificate Manager to issue Google managed public certificates and configure it at HTTP the load balancers in your infrastructure as code (laC).

B.  

Use Certificate Manager to import certificates issued from on-premises PKI and for the frontends. Leverage the gcloud tool for importing

C.  

Use a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.

D.  

Use the web applications with PKCS12 certificates issued from subordinate CA based on OpenSSL on-premises Use the gcloud tool for importing. Use the External TCP/UDP Network load balancer instead of an external HTTP Load Balancer.

A.  

Audit user activity for suspicious logins by using the audit and investigation tool.

B.  

Conduct a security awareness training session, and set the password expiration settings to require more frequent updates.

C.  

Check the Enforce strong password box, and set the password expiration to occur more frequently.

D.  

Check the Enforce strong password box, and check Enforce password policy at the next sign-in.

A.  

Define a VPC Service Controls perimeter, and restrict the Cloud Storage API. Add an ingress rule to the perimeter to allow access to the Cloud Storage API for the service account from outside of the perimeter.​

B.  

Scan the Cloud Storage bucket with Sensitive Data Protection when new data is added, and automatically mask all customer data.​

C.  

Ensure that all data for the application that is accessed through the relevant service accounts is encrypted at rest by using customer-managed encryption keys (CMEK).​

D.  

Implement a secret management service. Configure the service to frequently rotate the service account key. Configure proper access control to the key, and restrict who can create service account keys.​

A.  

Implement an organization policy that ensures that all VM resources created across your organization use customer-managed encryption keys (CMEK) protection.

B.  

Implement an organization policy that ensures all VM resources created across your organization are Confidential VM instances.

C.  

Implement an organization policy that ensures that all VM resources created across your organization use Cloud External Key Manager (EKM) protection.

D.  

No action is necessary because Google encrypts data while it is in use by default.

A.  

Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys. Configure an 1AM deny policy for unauthorized groups

B.  

Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys backed by a Cloud Hardware Security Module (HSM). Enable data access logs.

C.  

Generate a key in your on-premises environment and store it in a Hardware Security Module (HSM) that is managed on-premises Use this key as an external key in the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and set the external key system to reject unauthorized accesses.

D.  

Generate a key in your on-premises environment to encrypt the data before you upload the data to the Cloud Storage bucket Upload the key to the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and have the external key system reject unauthorized accesses.

A.  

Set a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PH and moves the files to the archive storage class.

B.  

Create a Cloud Data Loss Prevention (DLP) inspection job that de-identifies Pll in files created more than 12 months ago and archives them to another Cloud Storage bucket. Delete the original files.

C.  

Schedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys of the Cloud Storage files containing Pll to de-identify them Delete the original keys.

D.  

Configure the Autoclass feature of the Cloud Storage bucket to de-identify Pll Archive the files that are older than 12 months Delete the original files.

A.  

Use the Cloud Key Management Service to manage a data encryption key (DEK).

B.  

Use the Cloud Key Management Service to manage a key encryption key (KEK).

C.  

Use customer-supplied encryption keys to manage the data encryption key (DEK).

D.  

Use customer-supplied encryption keys to manage the key encryption key (KEK).

A.  

Admin Activity

B.  

System Event

C.  

Access Transparency

D.  

Data Access

A.  

Configuring and monitoring VPC Flow Logs

B.  

Defending against XSS and SQLi attacks

C.  

Manage the latest updates and security patches for the Guest OS

D.  

Encrypting all stored data

A.  

App Engine

B.  

Cloud Functions

C.  

Compute Engine

D.  

Google Kubernetes Engine

E.  

Cloud Storage

A.  

Multifactor Authentication

B.  

A strict password policy

C.  

Captcha on login pages

D.  

Encrypted emails

A.  

Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

B.  

Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

C.  

Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.

D.  

Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

A.  

Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.

B.  

Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.

C.  

Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.

D.  

Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.

A.  

Customer-supplied encryption keys (CSEK)

B.  

Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)

C.  

Encryption by default

D.  

Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis

A.  

Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.

B.  

Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create ajob trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.

C.  

On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.

D.  

On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.

A.  

Create a new service account with the permissions to run service A and service B. Require authentication for service B. Permit only the new service account to call the backend.

B.  

Create two separate service accounts. Grant one service account the permissions to execute service A, and grant the other service account the permissions to execute service

B.  

B.  

C.  

Use the Compute Engine default service account to run service A and service B. Require authentication for service B. Permit only the default service account to call the backend.

D.  

Create three separate service accounts. Grant one service account the permissions to execute service A. Grant the second service account the permissions to run service B. Grant the third service account the permissions to communicate between both services A and B. Require authentication for service B. Call the back-end by authenticating with a service account key for the third service account.

A.  

Deploy a Cloud NAT Gateway in the service project for the MIG.

B.  

Deploy a Cloud NAT Gateway in the host (VPC) project for the MIG.

C.  

Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.

D.  

Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend.

A.  

Configure GCDS and use GCDS search rules lo sync these users.

B.  

Use the transfer tool to migrate unmanaged users.

C.  

Write a custom script to identify existing Google Cloud users and call the Admin SDK Directory API to transfer their account.

D.  

Configure GCDS and use GCDS exclusion rules to ensure users are not suspended.

A.  

Google Cloud Directory Sync (GCDS)

B.  

Cloud Identity

C.  

Security Assertion Markup Language (SAML)

D.  

Pub/Sub

A.  

Enable Google Cloud Armor's pre-configured WAF rules for OWASP Top 10 vulnerabilities at the backend service.

B.  

Implement a load balancer in front of the web application instances, and enable Adaptive Protection and throttling to mitigate the occurrence of these malicious requests.

C.  

Configure Cloud Next Generation Firewall to block known malicious IP addresses targeting /32 addresses.

D.  

Configure a Cloud Armor security policy with customized and pre-configured WAF rules for OWASP Top 10 vulnerabilities at the load balancer.

A.  

Identity-Aware Proxy

B.  

Cloud NAT

C.  

Google Cloud Armor

D.  

Shielded VMs

A.  

1. Create a general service account **g-sa" to execute the batch jobs.• 2 Grant the permissions required to execute the batch jobs to g-sa.• 3. Execute the batch jobs with the permissions granted to g-sa

B.  

1. Create a general service account "g-sa" to orchestrate the batch jobs.• 2. Create one service account per batch job Mb-sa-[1-5]," and grant only the permissions required to run the individual batch jobs to the service accounts.• 3. Grant the Service Account Token Creator role to g-sa Use g-sa to obtain short-lived access tokens for b-sa-[1-5] and to execute the batch jobs with the permissions of b-sa-[1-5].

C.  

1. Create a workload identity pool and configure workload identity pool providers for each batch job• 2 Assign the workload identity user role to each of the identities configured in the providers.• 3. Create one service account per batch job Mb-sa-[1-5]". and grant only the permissions required to run the individual batch jobs to the service accounts• 4 Generate credential configuration files for each of the providers Use these files to ex

D.  

• 1. Create a general service account "g-sa" to orchestrate the batch jobs.• 2 Create one service account per batch job 'b-sa-[1-5)\ Grant only the permissions required to run the individual batch jobs to the service accounts and generate service account keys for each of these service accounts• 3. Store the service account keys in Secret Manager. Grant g-sa access to Secret Manager and run the batch jobs with the permissions of b-sa-[1-5].<

A.  

Configure Secure Web Proxy. Offload the TLS traffic in the load balancer, inspect the traffic, and forward the traffic to the web application.​

B.  

Configure an internal proxy load balancer. Offload the TLS traffic in the load balancer, inspect the traffic, and forward the traffic to the web application.​

C.  

Configure a hierarchical firewall policy. Enable TLS interception by using Cloud Next Generation Firewall (NGFW) Enterprise.​

D.  

Configure a VPC firewall rule. Enable TLS interception by using Cloud Next Generation Firewall (NGFW) Enterprise.​

A.  

Configure Secret Manager to manage service account keys.

B.  

Enable an organization policy to disable service accounts from being created.

C.  

Enable an organization policy to prevent service account keys from being created.

D.  

Remove the iam.serviceAccounts.getAccessToken permission from users.

A.  

• organization policy: constraints/gcp.restrictStorageNonCraekServices• binding at: orgl• policy type: deny• policy value: storage.gcogleapis.com

B.  

• organization policy: constraints/gcp.restrictHonCmekServices• binding at: orgl• policy type: deny• policy value: storage.googleapis.com

C.  

• organization policy:constraints/gcp.restrictStorageNonCraekServices• binding at: orgl• policy type: allow• policy value: all supported services

D.  

• organization policy: constramts/gcp.restrictNonCmekServices• binding at: orgl• policy type: allow• policy value: storage.googleapis.com

A.  

Deploy the OS Config Management agent to your VMs. Use OS Config Management to create patch management jobs and monitor system modifications.

B.  

Enable the metrics explorer in Cloud Monitoring to follow the service account authentication events and build alerts linked on it.

C.  

Use Cloud Audit Logs. Create log export sinks to send these logs to a security information and event management (SIEM) solution for correlation with other event sources.

D.  

Configure Google Cloud Functions to be triggered by changes to IAM policies. Analyze changes by using the policy simulator, send alerts upon risky modifications, and store event details.

A.  

Migrate the cluster infrastructure to a self-managed Kubernetes environment for greater control over the patching process.​

B.  

Develop a custom script to continuously check for patch availability, download patches, and apply the patches across all components of the cluster.​

C.  

Schedule a daily reboot for all nodes to automatically upgrade.​

D.  

Configure node auto-upgrades for node pools in the maintenance windows.​

A.  

Admin Activity logs

B.  

System Event logs

C.  

Data Access logs

D.  

VPC Flow logs

E.  

Agent logs

A.  

Public IP

B.  

IP Forwarding

C.  

Private Google Access

D.  

Static routes

E.  

IAM Network User Role

A.  

Deterministic encryption

B.  

Secure, key-based hashes

C.  

Format-preserving encryption

D.  

Cryptographic hashing

A.  

Implement Cloud VPN for the region where the bastion host lives.

B.  

Implement OS Login with 2-step verification for the bastion host.

C.  

Implement Identity-Aware Proxy TCP forwarding for the bastion host.

D.  

Implement Google Cloud Armor in front of the bastion host.

A.  

Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.

B.  

Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.

C.  

In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.

D.  

In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.

A.  

Configure Private Google Access on the Compute Engine subnet

B.  

Avoid assigning public IP addresses to the Compute Engine cluster.

C.  

Make sure that the Compute Engine cluster is running on a separate subnet.

D.  

Turn off IP forwarding on the Compute Engine instances in the cluster.

E.  

Configure a Cloud NAT gateway.

A.  

Create a single new OU to configure enforcement of 2SV to certain users but not others.

B.  

Create configuration groups, and enable a phased migration to control the number of individuals in which to enforce 2SV.

C.  

In the Admin console, for each OU, check the checkbox to Allow users to turn on 2-Step Verification and set Enforcement to Off.

D.  

In the Admin console, for each OU. uncheck the checkbox to Allow users to turn on 2-Step Verification and set Enforcement to On

A.  

• 1 Grant logging, viewer rote to the security team at the organization resource level.• 2 Grant logging, viewer rote to the developer team at the folder resource level that contains all the dev projects.

B.  

• 1 Grant logging. viewer rote to the security team at the organization resource level.• 2 Grant logging. admin role to the developer team at the organization resource level.

C.  

• 1 Grant logging.admin role to the security team at the organization resource level.• 2 Grant logging. viewer rote to the developer team at the folder resource level that contains all the dev projects.

D.  

• 1 Grant logging.admin role to the security team at the organization resource level.• 2 Grant logging.admin role to the developer team at the organization resource level.

A.  

Principals have broad IAM roles allowing the creation and management of Compute Engine VMs without a pre-defined hardening process.

B.  

Sensitive data is stored in a Cloud Storage bucket with the uniform bucket-level access setting enabled.

C.  

The security team mandates the use of customer-managed encryption keys (CMEK) for all data classified as sensitive.

D.  

The audit team needs access to Cloud Audit Logs related to managed services like BigQuery.

A.  

Enable Private Access on the VPC network in the production project.

B.  

Remove the Editor role and grant the Compute Admin IAM role to the engineers.

C.  

Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.

D.  

Set up a VPC network with two subnets: one with public IPs and one without public IPs.

A.  

Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.

B.  

Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.

C.  

Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections.

D.  

Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.

A.  

Use Identity and Access Management (IAM) to restrict access of all users and service accounts that have access to the production environment.

B.  

Use organization policy constraints/iam.disableServiceAccountKeyCreation boolean to disable the creation of new service accounts.

C.  

Use organization policy constraints/iam.disableServiceAccountKeyUpload boolean to disable the creation of new service accounts.

D.  

Use organization policy constraints/iam.disableServiceAccountCreation boolean to disable the creation of new service accounts.

A.  

Organization

B.  

Resource

C.  

Project

D.  

Folder

A.  

Security Reviewer

B.  

lAP-Secured Tunnel User

C.  

lAP-Secured Web App User

D.  

Service Broker Operator