Your company requires the security and network engineering teams to identify all network anomalies within and across VPCs, internal traffic from VMs to VMs, traffic between end locations on the internet and VMs, and traffic between VMs and Google Cloud services in production. Which method should you use?
A. Define an organization policy constraint.
B. Configure packet mirroring policies.
C. Enable VPC Flow Logs on the subnet.
D. Monitor and analyze Cloud Audit Logs.
You manage one of your organization's Google Cloud projects (Project A). A VPC Service Controls (VPC SC) perimeter is blocking API access requests to this project, including Pub/Sub. A resource running under a service account in another project (Project B) needs to collect messages from a Pub/Sub topic in your project. Project B is not included in a VPC SC perimeter. You need to provide access from Project B to the Pub/Sub topic in Project A using the principle of least privilege.
What should you do?
A. Configure an ingress policy for the perimeter in Project A and allow access for the service account in Project B to collect messages.
B. Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is located in Project A.
C. Create a perimeter bridge between Project A and Project B to allow the required communication between both projects.
D. Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project A.
You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project. How should you make an exception for your partner's domain while following the stated best practices?
A. Turn off the domain restricted sharing organization policy. Set the policy value to "Allow All."
B. Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.
C. Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.
D. Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.