Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.
How should your team meet these requirements?

• A.Enable Private Access on the VPC network in the production project.
• B.Remove the Editor role and grant the Compute Admin IAM role to the engineers.
• C.Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
• D.Set up a VPC network with two subnets: one with public IPs and one without public IPs.

Comment: *

Name: *

Email: *

Verification: *

Which two implied firewall rules are defined on a VPC network? (Choose two.)

• A.A rule that allows all outbound connections
• B.A rule that denies all inbound connections
• C.A rule that blocks all inbound port 25 connections
• D.A rule that blocks all outbound connections
• E.A rule that allows all inbound port 80 connections

Comment: *

Name: *

Email: *

Verification: *

You are exporting application logs to Cloud Storage. You encounter an error message that the log sinks don't support uniform bucket-level access policies. How should you resolve this error?

• A.Add the roles/logging.logWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.
• B.Add the roles/logging.bucketWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.
• C.Change the access control model for the bucket
• D.Update your sink with the correct bucket destination.

Comment: *

Name: *

Email: *

Verification: *

You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?

• A.Google Cloud Armor's preconfigured rules in preview mode
• B.Cloud Load Balancing firewall rules
• C.VPC Service Controls in dry run mode
• D.Prepopulated VPC firewall rules in monitor mode
• E.The inherent protections of Google Front End (GFE)

Comment: *

Name: *

Email: *

Verification: *

A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?

• A.On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.
• B.On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.
• C.Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.
• D.Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.

Comment: *

Name: *

Email: *

Verification: *