You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.
What should you do?

• A.Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
• B.Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
• C.Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
• D.Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.

Comment: *

Name: *

Email: *

Verification: *

While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?

• A.Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
• B.Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
• C.Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
• D.Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.

Comment: *

Name: *

Email: *

Verification: *

You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project.
What should you do?

• A.Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.
• B.Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.
• C.In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.
• D.In Resource Manager, edit the organization permissions. Add the project ID as member with the role:
  Compute Image User.

Comment: *

Name: *

Email: *

Verification: *

Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service. Your team wants to manage permissions by AD group membership.
What should your team do to meet these requirements?

• A.Use the Admin SDK to create groups and assign IAM permissions from Active Directory.
• B.Set up SAML 2.0 Single Sign-On (SSO), and assign IAM permissions to the groups.
• C.Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory.
• D.Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.

Comment: *

Name: *

Email: *

Verification: *

Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.
How should your team meet these requirements?

• A.Enable Private Access on the VPC network in the production project.
• B.Remove the Editor role and grant the Compute Admin IAM role to the engineers.
• C.Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
• D.Set up a VPC network with two subnets: one with public IPs and one without public IPs.

Comment: *

Name: *

Email: *

Verification: *