- (Exam Topic 2)
You are deploying your application on a Compute Engine instance that communicates with Cloud SQL. You will use Cloud SQL Proxy to allow your application to communicate to the database using the service account associated with the application’s instance. You want to follow the Google-recommended best practice of providing minimum access for the role assigned to the service account. What should you do?

1. A. Assign the Project Editor role.
2. B. Assign the Project Owner role.
3. C. Assign the Cloud SQL Client role.
4. D. Assign the Cloud SQL Editor role.

Correct Answer: C
Reference: https://cloud.google.com/sql/docs/mysql/sql-proxy

- (Exam Topic 2)
You developed a JavaScript web application that needs to access Google Drive’s API and obtain permission from users to store files in their Google Drives. You need to select an authorization approach for your application. What should you do?

1. A. Create an API key.
2. B. Create a SAML token.
3. C. Create a service account.
4. D. Create an OAuth Client ID.

Correct Answer: D
Reference: https://developers.google.com/drive/api/v3/about-auth

- (Exam Topic 2)
You are running a containerized application on Google Kubernetes Engine. Your container images are stored in Container Registry. Your team uses CI/CD practices. You need to prevent the deployment of containers with known critical vulnerabilities. What should you do?

1. A. • Use Web Security Scanner to automatically crawl your application• Review your application logs for scan results, and provide an attestation that the container is free of known critical vulnerabilities• Use Binary Authorization to implement a policy that forces the attestation to be provided before the container is deployed
2. B. • Use Web Security Scanner to automatically crawl your application• Review the scan results in the scan details page in the Cloud Console, and provide an attestation that the container is free of known critical vulnerabilities• Use Binary Authorization to implement a policy that forces the attestation to be provided before the container is deployed
3. C. • Enable the Container Scanning API to perform vulnerability scanning• Review vulnerability reporting in Container Registry in the Cloud Console, and provide an attestation that the container is free of known critical vulnerabilities• Use Binary Authorization to implement a policy that forces the attestation to be provided before the container is deployed
4. D. • Enable the Container Scanning API to perform vulnerability scanning• Programmatically review vulnerability reporting through the Container Scanning API, and provide an attestation that the container is free of known critical vulnerabilities• Use Binary Authorization to implement a policy that forces the attestation to be provided before the container is deployed

Correct Answer: D
https://cloud.google.com/binary-authorization/docs/creating-attestations-kritis
https://cloud.google.com/container-analysis/docs/os-overview

- (Exam Topic 2)
Your company has deployed a new API to a Compute Engine instance. During testing, the API is not behaving as expected. You want to monitor the application over 12 hours to diagnose the problem within the application code without redeploying the application. Which tool should you use?

1. A. Cloud Trace
2. B. Cloud Monitoring
3. C. Cloud Debugger logpoints
4. D. Cloud Debugger snapshots

Correct Answer: C
https://cloud.google.com/debugger/docs/using/logpoints
Logpoints allow you to inject logging into running services without restarting or interfering with the normal function of the service

- (Exam Topic 2)
You are designing an application that uses a microservices architecture. You are planning to deploy the application in the cloud and on-premises. You want to make sure the application can scale up on demand and also use managed services as much as possible. What should you do?

1. A. Deploy open source Istio in a multi-cluster deployment on multiple Google Kubernetes Engine (GKE) clusters managed by Anthos.
2. B. Create a GKE cluster in each environment with Anthos, and use Cloud Run for Anthos to deploy your application to each cluster.
3. C. Install a GKE cluster in each environment with Anthos, and use Cloud Build to create a Deployment for your application in each cluster.
4. D. Create a GKE cluster in the cloud and install open-source Kubernetes on-premise
5. E. Use an external load balancer service to distribute traffic across the two environments.

Correct Answer: B
https://cloud.google.com/anthos/run
Integrated with Anthos, Cloud Run for Anthos provides a flexible serverless development platform for hybrid and multicloud environments. Cloud Run for Anthos is Google's managed and fully supported Knative offering, an open source project that enables serverless workloads on Kubernetes.