A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means.
Which connectivity option should be implemented?
A. VPC peering
B. Cloud VPN
C. Cloud Interconnect
D. Shared VPC
You are using Security Command Center (SCC) to protect your workloads and receive alerts for suspected security breaches at your company. You need to detect cryptocurrency mining software. Which SCC service should you use?
A. Container Threat Detection
B. Web Security Scanner
C. Rapid Vulnerability Detection
D. Virtual Machine Threat Detection
You are working with a client who plans to migrate their data to Google Cloud. You are responsible for recommending an encryption service to manage their encrypted keys. You have the following requirements:
The master key must be rotated at least once every 45 days.
The solution that stores the master key must be FIPS 140-2 Level 3 validated.
The master key must be stored in multiple regions within the US for redundancy.
Which solution meets these requirements?
A. Customer-managed encryption keys with Cloud Key Management Service
B. Customer-managed encryption keys with Cloud HSM
C. Customer-supplied encryption keys
D. Google-managed encryption keys
Your organization recently activated the Security Command Center (SCC) standard tier. There are a few Cloud Storage buckets that were accidentally made accessible to the public. You need to investigate the impact of the incident and remediate it.
What should you do?
A. 1. Remove the Identity and Access Management (IAM) binding granting access to allUsers from the buckets. 2. Apply the organization policy storage.uniformBucketLevelAccess to prevent regressions. 3. Query the data access logs to report on unauthorized access.
B. 1. Change bucket permissions to limit access. 2. Query the data access audit logs for any unauthorized access to the buckets. 3. After the misconfiguration is corrected, mute the finding in the Security Command Center.
C. 1. Change permissions to limit access for authorized users. 2. Enforce a VPC Service Controls perimeter around all the production projects to immediately stop any unauthorized access. 3. Review the administrator activity audit logs to report on any unauthorized access.
D. 1. Change the bucket permissions to limit access. 2. Query the bucket usage logs to report on unauthorized access to the data. 3. Enforce the organization policy storage.publicAccessPrevention to avoid regressions.
Which two implied firewall rules are defined on a VPC network? (Choose two.)
A. A rule that allows all outbound connections
B. A rule that denies all inbound connections
C. A rule that blocks all inbound port 25 connections
D. A rule that blocks all outbound connections
E. A rule that allows all inbound port 80 connections
Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud. Which two steps should you take to integrate the company's on-premises Active Directory with Google Cloud and configure access management? (Choose two.)
A. Use Identity Platform to provision users and groups to Google Cloud.
B. Use Cloud Identity SAML integration to provision users and groups to Google Cloud.
C. Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.
D. Create Identity and Access Management (IAM) roles with permissions corresponding to each Active Directory group.
E. Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group.
You are implementing data protection by design and in accordance with GDPR requirements. As part of design reviews, you are told that you need to manage the encryption key for a solution that includes workloads for Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub.
Which option should you choose for this implementation?
A. Cloud External Key Manager
B. Customer-managed encryption keys
C. Customer-supplied encryption keys
D. Google default encryption
You want to use the gcloud command-line tool to authenticate using a third-party single sign-on (SSO) SAML identity provider. Which options are necessary to ensure that authentication is supported by the third-party identity provider (IdP)? (Choose two.)
A. SSO SAML as a third-party IdP
B. Identity Platform
C. OpenID Connect
D. Identity-Aware Proxy
E. Cloud Identity
A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?
A. Use Cloud Build to build the container images.
B. Build small containers using small base images.
C. Delete non-used versions from Container Registry.
D. Use a Continuous Delivery tool to deploy the application.
Your organization operates Virtual Machines (VMs) with only private IPs in the Virtual Private Cloud (VPC) with internet access through Cloud NAT. Every day, you must patch all VMs with critical OS updates and provide summary reports. What should you do?
A. Validate that the egress firewall rules allow any outgoing traffic. Log in to each VM and execute OS-specific update commands. Configure a Cloud Scheduler job to apply critical patches daily.
B. Copy the latest patches to the Cloud Storage bucket. Log in to each VM, download the patches from the bucket, and install them.
C. Assign public IPs to VMs. Validate that the egress firewall rules allow any outgoing traffic. Log in to each VM, and configure a daily cron job to apply OS updates at night during low-activity periods.
D. Ensure that VM Manager is installed and running on the VMs. In the OS patch management service, configure the patch jobs to update with critical patches daily.