A customer has an analytics workload running on Compute Engine that should have limited internet access.
Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.
The Compute Engine instances now need to reach out to the public repository to get security updates.
What should your team do?

• A.Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.
• B.Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than
  1000.
• C.Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than
  1000.
• D.Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than
  1000.

Comment: *

Name: *

Email: *

Verification: *

A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?

• A.VPC Flow Logs
• B.Cloud Armor
• C.DNS Security Extensions
• D.Cloud Identity-Aware Proxy

Comment: *

Name: *

Email: *

Verification: *

You will create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.
What should you do?

• A.Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.
• B.Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.
• C.Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.
• D.Create a custom role with the permission compute.instances.list and grant the Service Account this role.

Comment: *

Name: *

Email: *

Verification: *

Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.
What should your team grant to Engineering Group A to meet this requirement?

• A.Compute Network User Role at the host project level.
• B.Compute Network User Role at the subnet level.
• C.Compute Shared VPC Admin Role at the host project level.
• D.Compute Shared VPC Admin Role at the service project level.

Comment: *

Name: *

Email: *

Verification: *

You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.
What should you do?

• A.Use multi-factor authentication for admin access to the web application.
• B.Use only applications certified compliant with PA-DSS.
• C.Move the cardholder data environment into a separate GCP project.
• D.Use VPN for all connections between your office and cloud environments.

Comment: *

Name: *

Email: *

Verification: *