A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?

1. A. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucke
2. B. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.
3. C. Upload the logs to both the shared bucket and the bucket only accessible by the administrato
4. D. Create a job trigger using the Cloud Data Loss Prevention AP
5. E. Configure the trigger to delete any files from theshared bucket that contain PII.
6. F. On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.
7. G. On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploade
8. H. Use Cloud Functions to capture the trigger and delete such files.

Correct Answer: C

Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.
How should your team meet these requirements?

1. A. Enable Private Access on the VPC network in the production project.
2. B. Remove the Editor role and grant the Compute Admin IAM role to the engineers.
3. C. Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
4. D. Set up a VPC network with two subnets: one with public IPs and one without public IPs.

Correct Answer: C

While migrating your organization’s infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?

1. A. Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
2. B. Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
3. C. Users sign in directly to the GCP Console using the credentials from your on-premises Kerberoscompliant identity provider.
4. D. Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.

Correct Answer: B

A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in BigQuery.
What technique should the institution use?

1. A. Use Cloud Storage as a federated Data Source.
2. B. Use a Cloud Hardware Security Module (Cloud HSM).
3. C. Customer-managed encryption keys (CMEK).
4. D. Customer-supplied encryption keys (CSEK).

Correct Answer: C

A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to manage and rotate the encryption keys.
Which boot disk encryption solution should you use on the cluster to meet this customer’s requirements?

1. A. Customer-supplied encryption keys (CSEK)
2. B. Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
3. C. Encryption by default
4. D. Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis

Correct Answer: B
Reference https://cloud.google.com/kubernetes-engine/docs/how-to/dynamic-provisioning-cmek