You want to make sure that your organization's Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all Cloud Storage buckets. What should you do?
A. Remove Owner roles from end users, and configure Cloud Data Loss Prevention.
B. Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.
C. Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.
D. Remove *.setIamPolicy permissions from all roles, and enforce domain restricted sharing in an organization policy.
A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?
A. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move the file into a Cloud Storage bucket only accessible by the administrator.
B. Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.
C. On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.
D. On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.
Your company's new CEO recently sold two of the company's divisions. Your Director asks you to help migrate the Google Cloud projects associated with those divisions to a new organization node. Which preparation steps are necessary before this migration occurs? (Choose two.)
A. Remove all project-level custom Identity and Access Management (IAM) roles.
B. Disallow inheritance of organization policies.
C. Identify inherited Identity and Access Management (IAM) roles on projects to be migrated.
D. Create a new folder for all projects to be migrated.
E. Remove the specific migration projects from any VPC Service Controls perimeters and bridges.
You work for a large organization where each business unit has thousands of users. You need to delegate management of access control permissions to each business unit. You have the following requirements:
Each business unit manages access controls for their own projects.
Each business unit manages access control permissions at scale.
Business units cannot access other business units' projects.
Users lose their access if they move to a different business unit or leave the company.
Users and access control permissions are managed by the on-premises directory service. What should you do? (Choose two.)
A. Use VPC Service Controls to create perimeters around each business unit's project.
B. Organize projects in folders, and assign permissions to Google groups at the folder level.
C. Group business units based on Organization Units (OUs) and manage permissions based on OUs.
D. Create a project naming convention, and use Google's IAM Conditions to manage access based on the prefix of project names.
E. Use Google Cloud Directory Sync to synchronize users and group memberships in Cloud Identity.
You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application's backend. What are two requirements for using Google Cloud Armor security policies? (Choose two.)
A. The load balancer must be an external SSL proxy load balancer.
B. Google Cloud Armor Policy rules can only match on Layer 7 (L7) attributes.
C. The load balancer must use the Premium Network Service Tier.
D. The backend service's load balancing scheme must be EXTERNAL.
E. The load balancer must be an external HTTP(S) load balancer.
You need to set up a Cloud Interconnect connection between your company's on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?
A. Enable Private Google Access on the regional subnets and global dynamic routing mode.
B. Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud Interconnect connection.
C. Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.
D. Use restricted.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.
You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine. Which option should you recommend?
A. Cloud Key Management Service
B. Compute Engine guest attributes
C. Compute Engine custom metadata
D. Secret Manager
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on "in-scope" Nodes only. These Nodes can only contain the "in-scope" Pods. How should the organization achieve this objective?
A. Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope:true.
B. Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.
C. Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.
D. Run all in-scope Pods in the namespace "in-scope-pci".
The security operations team needs access to the security-related logs for all projects in their organization. They have the following requirements:
Follow the least privilege model by having only view access to logs.
Have access to Admin Activity logs.
Have access to Data Access logs.
Have access to Access Transparency logs.
Which Identity and Access Management (IAM) role should the security operations team be granted?
A. roles/logging.privateLogViewer
B. roles/logging.admin
C. roles/viewer
D. roles/logging.viewer
Your organization has on-premises hosts that need to access Google Cloud APIs. You must enforce private connectivity between these hosts, minimize costs, and optimize for operational efficiency. What should you do?
A. Route all on-premises traffic to Google Cloud through an IPsec VPN tunnel to a VPC with Private Google Access enabled.
B. Set up VPC peering between the hosts on-premises and the VPC through the internet.
C. Enforce a security policy that mandates all applications to encrypt data with a Cloud Key Management Service (KMS) key before you send it over the network.
D. Route all on-premises traffic to Google Cloud through a dedicated or Partner interconnect to a VPC with Private Google Access enabled.