Your organization uses Active Directory (AD) to manage user identities. Each user uses this identity for federated access to various on-premises systems. Your security team has adopted a policy that requires users to log into Google Cloud with their AD identity instead of their own login. You want to follow the
Google-recommended practices to implement this policy. What should you do?

1. A. Sync Identities with Cloud Directory Sync, and then enable SAML for single sign-on
2. B. Sync Identities in the Google Admin console, and then enable Oauth for single sign-on
3. C. Sync identities with 3rd party LDAP sync, and then copy passwords to allow simplified login with (he same credentials
4. D. Sync identities with Cloud Directory Sync, and then copy passwords to allow simplified login with the same credentials.

Correct Answer: A

You need to track and verity modifications to a set of Google Compute Engine instances in your Google Cloud project. In particular, you want to verify OS system patching events on your virtual machines (VMs). What should you do?

1. A. Review the Compute Engine activity logs Select and review the Admin Event logs
2. B. Review the Compute Engine activity logs Select and review the System Event logs
3. C. Install the Cloud Logging Agent In Cloud Logging review the Compute Engine syslog logs
4. D. Install the Cloud Logging Agent In Cloud Logging, review the Compute Engine operation logs

Correct Answer: A

Your company has embraced a hybrid cloud strategy where some of the applications are deployed on Google Cloud. A Virtual Private Network (VPN) tunnel connects your Virtual Private Cloud (VPC) in Google Cloud with your company's on-premises network. Multiple applications in Google Cloud need to connect to an on-premises database server, and you want to avoid having to change the IP configuration in all of your applications when the IP of the database changes.
What should you do?

1. A. Configure Cloud NAT for all subnets of your VPC to be used when egressing from the VM instances.
2. B. Create a private zone on Cloud DNS, and configure the applications with the DNS name.
3. C. Configure the IP of the database as custom metadata for each instance, and query the metadata server.
4. D. Query the Compute Engine internal DNS from the applications to retrieve the IP of the database.

Correct Answer: B
Forwarding zones Cloud DNS forwarding zones let you configure target name servers for specific private
zones. Using a forwarding zone is one way to implement outbound DNS forwarding from your VPC network. A Cloud DNS forwarding zone is a special type of Cloud DNS private zone. Instead of creating records within the zone, you specify a set of forwarding targets. Each forwarding target is an IP address of a DNS server, located in your VPC network, or in an on-premises network connected to your VPC network by Cloud VPN or Cloud Interconnect.
https://cloud.google.com/nat/docs/overview
DNS configuration Your on-premises network must have DNS zones and records configured so that Google domain names resolve to the set of IP addresses for either private.googleapis.com or restricted.googleapis.com. You can create Cloud DNS managed private zones and use a Cloud DNS inbound server policy, or you can configure on-premises name servers. For example, you can use BIND or Microsoft Active Directory DNS.
https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid#config-domain

You are building a product on top of Google Kubernetes Engine (GKE). You have a single GKE cluster. For each of your customers, a Pod is running in that cluster, and your customers can run arbitrary code inside their Pod. You want to maximize the isolation between your customers’ Pods. What should you do?

1. A. Use Binary Authorization and whitelist only the container images used by your customers’ Pods.
2. B. Use the Container Analysis API to detect vulnerabilities in the containers used by your customers’ Pods.
3. C. Create a GKE node pool with a sandbox type configured to gviso
4. D. Add the parameter runtimeClassName: gvisor to the specification of your customers’ Pods.
5. E. Use the cos_containerd image for your GKE node
6. F. Add a nodeSelector with the value cloud.google.com/gke-os-distribution: cos_containerd to the specification of your customers’ Pods.

Correct Answer: C

You need to create a custom IAM role for use with a GCP service. All permissions in the role must be suitable for production use. You also want to clearly share with your organization the status of the custom role. This will be the first version of the custom role. What should you do?

1. A. Use permissions in your role that use the ‘supported’ support level for role permission
2. B. Set the role stage to ALPHA while testing the role permissions.
3. C. Use permissions in your role that use the ‘supported’ support level for role permission
4. D. Set the role stage to BETA while testing the role permissions.
5. E. Use permissions in your role that use the ‘testing’ support level for role permission
6. F. Set the role stage to ALPHA while testing the role permissions.
7. G. Use permissions in your role that use the ‘testing’ support level for role permission
8. H. Set the role stage to BETA while testing the role permissions.

Correct Answer: A
When setting support levels for permissions in custom roles, you can set to one of SUPPORTED, TESTING or NOT_SUPPORTED.
Ref: https://cloud.google.com/iam/docs/custom-roles-permissions-support