For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on “in- scope” Nodes only. These Nodes can only contain the “in-scope” Pods.
How should the organization achieve this objective?

1. A. Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.
2. B. Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.
3. C. Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.
4. D. Run all in-scope Pods in the namespace “in-scope-pci”.

Correct Answer: C

An organization’s typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review.
How should you advise this organization?

1. A. Use Forseti with Firewall filters to catch any unwanted configurations in production.
2. B. Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforcepolicies.
3. C. Route all VPC traffic through customer-managed routers to detect malicious patterns in production.
4. D. All production applications will run on-premise
5. E. Allow developers free rein in GCP as their dev and QA platforms.

Correct Answer: B

A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects.
Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources.
Which type of access should your team grant to meet this requirement?

1. A. Organization Administrator
2. B. Security Reviewer
3. C. Organization Role Administrator
4. D. Organization Policy Administrator

Correct Answer: C

Which two security characteristics are related to the use of VPC peering to connect two VPC networks? (Choose two.)

1. A. Central management of routes, firewalls, and VPNs for peered networks
2. B. Non-transitive peered networks; where only directly peered networks can communicate
3. C. Ability to peer networks that belong to different Google Cloud Platform organizations
4. D. Firewall rules that can be created with a tag from one peered network to another peered network
5. E. Ability to share specific subnets across peered networks

Correct Answer: AD

A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to manage and rotate the encryption keys.
Which boot disk encryption solution should you use on the cluster to meet this customer’s requirements?

1. A. Customer-supplied encryption keys (CSEK)
2. B. Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
3. C. Encryption by default
4. D. Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis

Correct Answer: B
Reference https://cloud.google.com/kubernetes-engine/docs/how-to/dynamic-provisioning-cmek