Question 1

As an online education platform company, which document should you review to identify Google Cloud's inherent controls for PCI compliance evaluation?

Options :

A : Documentation related to Compute Engine product.

B : Guidelines for Cloud Computing by PCI SSC.

C : Security Assessment Procedures and PCI DSS Requirements

D : Matrix of Customer Responsibility in Google Cloud Platform

Answer: D

Question 2

You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket. What should you do?

Options :

A : Set up an ACL with OWNER permission to a scope of allUsers.

B : Set up an ACL with READER permission to a scope of allUsers.

C : Set up a default bucket ACL and manage access for users using IAM

D : Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.

Answer: D

Question 3

You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive data. Your solution has the following requirements: Schedule key rotation for sensitive data. Control which region the encryption keys for sensitive data are stored in. Minimize the latency to access encryption keys for both sensitive and non-sensitive data. What should you do?

Options :

A : Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.

B : Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.

C : Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.

D : Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Senrice

Answer: D

Question 4

A company has redundant mail servers in different Google Cloud Platform regions and wants to route

customers to the nearest mail server based on location.

How should the company accomplish this?

Options :

A : Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995

B :

Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location

C : Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.

D : Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.

Answer: A

Question 5

You need to enforce a security policy in your Google Cloud organization that prevents users from exposing objects in their buckets externally. There are currently no buckets in your organization. Which solution should you implement proactively to achieve this goal with the least operational overhead?

Options :

A : Create an hourly cron job to run a Cloud Function that finds public buckets and makes them private.

B : Enable the constraints/storage.publicAccessPrevention constraint at the organization level.

C : Enable the constraints/storage.uniformBucketLevelAccess constraint at the organization level.

D :

Create a VPC Service Controls perimeter that protects the storage.googleapis.com service in your projects that contains buckets. Add any new project that contains a bucket to the perimeter.

Answer: B