Question 1

You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to-know basis to the HR team. What should you do?

Options :

A : Perform data masking with the DLP API and store that data in BigQuery for later use

B : Perform data redaction with the DLP API and store that data in BigQuery for later use

C : Perform data inspection with the DLP API and store that data in BigQuery for later use.

D : Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.

Answer: D

Question 2

You will create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices. What should you do?

Options :

A :

Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.

B : Create a custom role with the permission compute.instances.list and grant the Service Account this role.

C : Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances

D : Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.

Answer: B

Question 3

What type of networking design should an electric vehicle manufacturer company use on Google Cloud Platform (GCP) to centralize control over networking resources like firewall rules, subnets, and routes, and allow on-premises resources access back to GCP resources through a private VPN connection while enabling the network security team to control the networking resources?

Options :

A : Implementing a hub and spoke model for VPC peering across all engineering projects.

B : Implement a hub and spoke model by creating a Cloud VPN Gateway that connects all engineering projects.

C : The networking team should be given Compute Admin role for every engineering project.

D : A Shared VPC Network consists of a host project and multiple service projects.

Answer: D

Question 4

You have the following resource hierarchy. There is an organization policy at each node in the hierarchy as shown. Which load balancer types are denied in VPC A?

Options :

A : All load balancer types are denied in accordance with the global node-s policy.

B : INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder-s policy.

C : EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project-s policy.

D : EXTERNAL TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project-s policies.

Answer: D

Question 5

You are migrating an application into the cloud The application will need to read data from a Cloud Storage bucket. Due to local regulatory requirements, you need to hold the key material used for encryption fully under your control and you require a valid rationale for accessing the key material. What should you do?

Options :

A :

Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys. Configure an 1AM deny policy for unauthorized groups

B :

Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys backed by a Cloud Hardware Security Module (HSM). Enable data access logs.

C :

Generate a key in your on-premises environment and store it in a Hardware Security Module (HSM) that is managed on-premises Use this key as an external key in the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and set the external key system to reject unauthorized accesses

D :

Generate a key in your on-premises environment to encrypt the data before you upload the data to the Cloud Storage bucket Upload the key to the Cloud Key ManagementService (KMS). Activate Key Access Justifications (KAJ) and have the external key system reject unauthorized accesses.

Answer: C