Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization. How should you enforce this?
A. Configure Secret Manager to manage service account keys.
B. Enable an organization policy to disable service accounts from being created.
C. Enable an organization policy to prevent service account keys from being created.
D. Remove the iam.serviceAccounts.getAccessToken permission from users.
Your organization wants to be continuously evaluated against CIS Google Cloud Computing Foundations Benchmark v1.3.0 (CIS Google Cloud Foundation 1.3). Some of the controls are irrelevant to your organization and must be disregarded in evaluation. You need to create an automated system or process to ensure that only the relevant controls are evaluated.
What should you do?
A. Mark all security findings that are irrelevant with a tag and a value that indicates a security exception. Select all marked findings and mute them on the console every time they appear. Activate Security Command Center (SCC) Premium.
B. Activate Security Command Center (SCC) Premium. Create a rule to mute the security findings in SCC so they are not evaluated.
C. Download all findings from Security Command Center (SCC) to a CSV file. Mark the findings that are part of CIS Google Cloud Foundation 1.3 in the file. Ignore the entries that are irrelevant and out of scope for the company.
D. Ask an external audit company to provide independent reports including needed CIS benchmarks. In the scope of the audit clarify that some of the controls are not needed and must be disregarded.
Which Identity-Aware Proxy role should you grant to an Identity and Access Management (IAM) user to access HTTPS resources?
A. Security Reviewer
B. IAP-Secured Tunnel User
C. IAP-Secured Web App User
D. Service Broker Operator
You have been tasked with inspecting IP packet data for invalid or malicious content. What should you do?
A. Use Packet Mirroring to mirror traffic to and from particular VM instances. Perform inspection using security software that analyzes the mirrored traffic.
B. Enable VPC Flow Logs for all subnets in the VPC. Perform inspection on the Flow Logs data using Cloud Logging.
C. Configure the Fluentd agent on each VM Instance within the VPC. Perform inspection on the log data using Cloud Logging.
D. Configure Google Cloud Armor access logs to perform inspection on the log data.
You have created an OS image that is hardened per your organization's security standards and is being stored in a project managed by the security team. As a Google Cloud administrator, you need to make sure all VMs in your Google Cloud organization can only use that specific OS image while minimizing operational overhead. What should you do? (Choose two.)
A. Grant users the compute.imageUser role in their own projects.
B. Grant users the compute.imageUser role in the OS image project.
C. Store the image in every project that is spun up in your organization.
D. Set up an image access organization policy constraint, and list the security team managed project in the projects allow list.
E. Remove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.
Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?
A. ISO 27001
B. ISO 27002
C. ISO 27017
D. ISO 27018
A customer wants to deploy a large number of 3-tier web applications on Compute Engine.
How should the customer ensure authenticated network separation between the different tiers of the application?
A. Run each tier in its own Project, and segregate using Project labels.
B. Run each tier with a different Service Account (SA), and use SA-based firewall rules.
C. Run each tier in its own subnet, and use subnet-based firewall rules.
D. Run each tier with its own VM tags, and use tag-based firewall rules.
You are setting up a CI/CD pipeline to deploy containerized applications to your production clusters on Google Kubernetes Engine (GKE). You need to prevent containers with known vulnerabilities from being deployed. You have the following requirements for your solution:
1. Must be cloud-native
2. Must be cost-efficient
3. Minimize operational overhead
How should you accomplish this? (Choose two.)
A. Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.
B. Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.
C. Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.
D. Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.
E. In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements:
1. The Cloud Storage bucket in Project A can only be readable from Project B.
2. The Cloud Storage bucket in Project A cannot be accessed from outside the network.
3. Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket.
What should the security team do?
A. Enable domain restricted sharing in an organization policy, and enable uniform bucket-level access on the Cloud Storage bucket.
B. Enable VPC Service Controls, create a perimeter around Projects A and B, and include the Cloud Storage API in the Service Perimeter configuration.
C. Enable Private Access in both Project A and B's networks with strict firewall rules that allow communication between the networks.
D. Enable VPC Peering between Project A and B's networks with strict firewall rules that allow communication between the networks.
You're developing the incident response plan for your company. You need to define the access strategy that your DevOps team will use when reviewing and investigating a deployment issue in your Google Cloud environment. There are two main requirements:
1. Least-privilege access must be enforced at all times.
2. The DevOps team must be able to access the required resources only during the deployment issue.
How should you grant access while following Google-recommended best practices?
A. Assign the Project Viewer Identity and Access Management (IAM) role to the DevOps team.
B. Create a custom IAM role with limited list/view permissions, and assign it to the DevOps team.
C. Create a service account, and grant it the Project Owner IAM role. Give the Service Account User Role on this service account to the DevOps team.
D. Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team.
Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services. Which two settings must remain disabled to meet these requirements? (Choose two.)
A. Public IP
B. IP Forwarding
C. Private Google Access
D. Static routes
E. IAM Network User Role
You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project. How should you make an exception for your partner's domain while following the stated best practices?
A. Turn off the domain restriction sharing organization policy. Set the policy value to "Allow All."
B. Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.
C. Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.
D. Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.
A database administrator notices malicious activities within their Cloud SQL instance. The database administrator wants to monitor the API calls that read the configuration or metadata of resources. Which logs should the database administrator review?
A. Admin Activity
B. System Event
C. Access Transparency
D. Data Access
You are working with a client that is concerned about control of their encryption keys for sensitive data. The client does not want to store encryption keys at rest in the same cloud service provider (CSP) as the data that the keys are encrypting.
Which Google Cloud encryption solutions should you recommend to this client? (Choose two.)
A. Customer-supplied encryption keys.
B. Google default encryption
C. Secret Manager
D. Cloud External Key Manager
E. Customer-managed encryption keys
You want to update your existing VPC Service Controls perimeter with a new access level. You need to avoid breaking the existing perimeter with this change, and ensure the least disruptions to users while minimizing overhead. What should you do?
A. Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.
B. Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.
C. Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration. Update the perimeter configuration after the access level has been vetted.
D. Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.