Question 1

In developing a secure environment for an online grocery delivery service company, what are the two essential components to include in building a secure container image using Google Cloud Services?

Options :

A : Make sure that the app is not executed as PID 1.

B : For the application, it is recommended to utilize public container images as the base image and incorporate multiple container image layers to conceal confidential data.

C : Eliminate any superfluous tools that are not required by the application.

D : Create a container for a single application.

Answer: C,D

Question 2

Your company's users access data in a BigQuery table. You want to ensure they can only access the data during working hours. What should you do?

Options :

A :

Assign a BigQuery Data Viewer role along with an 1AM condition that limits the access to specified working hours.

B :

Configure Cloud Scheduler so that it triggers a Cloud Functions instance that modifies the organizational policy constraints for BigQuery during the specified working hours.

C :

Assign a BigQuery Data Viewer role to a service account that adds and removes the users daily during the specified working hours

D :

Run a gsuttl script that assigns a BigQuery Data Viewer role, and remove it only during the specified working hours.

Answer: A

Question 3

A company is running workloads in a dedicated server room. They must only be accessed from within the

private company network. You need to connect to these workloads from Compute Engine instances within a

Google Cloud Platform project.

Which two approaches can you take to meet the requirements? (Choose two.)

Options :

A : Configure the project with Cloud VPN.

B : Configure the project with Shared VPC.

C : Configure the project with Cloud Interconnect.

D : Configure the project with VPC peering.

E : Configure all Compute Engine instances with Private Access.

Answer: A,C

Question 4

Your organization wants to be compliant with the General Data Protection Regulation (GDPR) on Google Cloud You must implement data residency and operational sovereignty in the EU. What should you do? Choose 2 answers

Options :

A :

Limit the physical location of a new resource with the Organization Policy Service resource locations constraint."

B :

Use Cloud IDS to get east-west and north-south traffic visibility in the EU to monitor intra-VPC and mter-VPC communication.

C :

Limit Google personnel access based on predefined attributes such as their citizenship or geographic location by using Key Access Justifications

D : Use identity federation to limit access to Google Cloud resources from non-EU entities.

E : Use VPC Flow Logs to monitor intra-VPC and inter-VPC traffic in the EU

Answer: A,C

Question 5

You have just created a new log bucket to replace the _Default log bucket. You want to route all log entries that are currently routed to the _Default log bucket to this new log bucket in the most efficient manner. What should you do?

Options :

A :

Create a user-defined sink with inclusion filters copied from the _Default sink. Select the new log bucket as the sink destination.

B : Create exclusion filters for the _Default sink to prevent it from receiving new logs. Create a userdefined sink, and select the new log bucket as the sink destination.

C :

Disable the _Default sink. Create a user-defined sink and select the new log bucket as the sink destination.

D : Edit the _Default sink, and select the new log bucket as the sink destination.

Answer: D