Question 56
An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request.
Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses. Which solution should your team implement to meet these requirements?
Question 57
An organization recently began using App Engine to build and host its new web application for its customers. The organization wants to use its existing IAM setup to allow its developer employees to have elevated access to the application remotely. This would allow them to push updates and fixes to the application via an HTTPS connection. Non-developer employees should only get access to the production version without development permissions. Which Google Cloud Platform solution should be used to meet these requirements?
Question 58
You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.
What should you do?
Question 59
An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organization's risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibility model between the organization and Google Cloud.
What solution would help meet the requirements?
Question 60
What are the steps to encrypt data using envelope encryption?
A. Generate a data encryption key (DEK) locally.
* Use a key encryption key (KEK) to wrap the DEK.
* Encrypt data with the KEK.
* Store the encrypted data and the wrapped KEK.
B. Generate a key encryption key (KEK) locally.
* Use the KEK to generate a data encryption key (DEK).
* Encrypt data with the DEK.
* Store the encrypted data and the wrapped DEK.
C. Generate a data encryption key (DEK) locally.
* Encrypt data with the DEK.
* Use a key encryption key (KEK) to wrap the DEK.
* Store the encrypted data and the wrapped DEK.
D. Generate a key encryption key (KEK) locally.
* Generate a data encryption key (DEK) locally.
* Encrypt data with the KEK.
* Store the encrypted data and the wrapped DEK.
