You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.
What should you do?

• A.Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
• B.Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
• C.Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
• D.Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.

Comment: *

Name: *

Email: *

Verification: *

A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location.
How should the company accomplish this?

• A.Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.
• B.Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.
• C.Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.
• D.Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.

Comment: *

Name: *

Email: *

Verification: *

A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?

• A.Delete non-used versions from Container Registry.
• B.Build small containers using small base images.
• C.Use a Continuous Delivery tool to deploy the application.
• D.Use Cloud Build to build the container images.

Comment: *

Name: *

Email: *

Verification: *

Your company has deployed an application on Compute Engine. The application is accessible by clients on port 587. You need to balance the load between the different instances running the application. The connection should be secured using TLS, and terminated by the Load Balancer.
What type of Load Balancing should you use?

• A.Network Load Balancing
• B.HTTP(S) Load Balancing
• C.TCP Proxy Load Balancing
• D.SSL Proxy Load Balancing

Comment: *

Name: *

Email: *

Verification: *

You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS). Cloud Identity and Access Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys.
What should you do?

• A.Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the KeyRing level.
• B.Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the Key level.
• C.Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the KeyRing level.
• D.Create a KeyRing per persistent disk, with each Keying containing a single Key. Manage the IAM permissions at the Key level.

Comment: *

Name: *

Email: *

Verification: *