A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?

• A.Use Cloud Build to build the container images.
• B.Build small containers using small base images.
• C.Delete non-used versions from Container Registry.
• D.Use a Continuous Delivery tool to deploy the application.
  Section: (none)
  Explanation

Comment: *

Name: *

Email: *

Verification: *

Last week, a company deployed a new App Engine application that writes logs to BigQuery. No other workloads are running in the project. You need to validate that all data written to BigQuery was done using the App Engine Default Service Account.
What should you do?

• A.1. Go to the IAM section on the project.
  2. Validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery.
• B.1. In BigQuery, select the related dataset.
  2. Make sure the App Engine Default Service Account is the only account that can write to the dataset.
• C.1. Use StackDriver Logging and filter on BigQuery Insert Jobs.
  2. Click on the email address in line with the App Engine Default Service Account in the authentication field.
  3. Click Show Matching Entries.
  4. Make sure the resulting list is empty.
• D.1. Use StackDriver Logging and filter on BigQuery Insert Jobs.
  2. Click on the email address in line with the App Engine Default Service Account in the authentication field.
  3. Click Hide Matching Entries.
  4. Make sure the resulting list is empty.

Comment: *

Name: *

Email: *

Verification: *

An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege.
Which option meets the requirement of your team?

• A.Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address and allows the application to read from the bucket without credentials.
• B.Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.
• C.Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.
• D.Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.

Comment: *

Name: *

Email: *

Verification: *

An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well- established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the "source of truth" directory for identities.
Which solution meets the organization's requirements?

• A.Google Cloud Directory Sync (GCDS)
• B.Cloud Identity
• C.Security Assertion Markup Language (SAML)
• D.Pub/Sub

Comment: *

Name: *

Email: *

Verification: *

A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?

• A.Use a Continuous Delivery tool to deploy the application.
• B.Delete non-used versions from Container Registry.
• C.Use Cloud Build to build the container images.
• D.Build small containers using small base images.

Comment: *

Name: *

Email: *

Verification: *