You are creating an internal App Engine application that needs to access a user’s Google Drive on the user’s behalf. Your company does not want to rely on the current user’s credentials. It also wants to follow Google recommended practices. What should you do?

1. A. Create a new Service account, and give all application users the role of Service Account User.
2. B. Create a new Service account, and add all application users to a Google Grou
3. C. Give this group the role of Service Account User.
4. D. Use a dedicated G Suite Admin account, and authenticate the application’s operations with these G Suite credentials.
5. E. Create a new service account, and grant it G Suite domain-wide delegatio
6. F. Have the application use it to impersonate the user.

Correct Answer: A

When working with agents in a support center via online chat, an organization’s customers often share pictures of their documents with personally identifiable information (PII). The organization that owns the support center is concerned that the PII is being stored in their databases as part of the regular chat logs they retain for
review by internal or external analysts for customer service trend analysis.
Which Google Cloud solution should the organization use to help resolve this concern for the customer while still maintaining data utility?

1. A. Use Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.
2. B. Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.
3. C. Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.
4. D. Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.

Correct Answer: D
Reference; https://cloud.google.com/dlp/docs/deidentify-sensitive-data

A customer’s company has multiple business units. Each business unit operates independently, and each has their own engineering group. Your team wants visibility into all projects created within the company and wants to organize their Google Cloud Platform (GCP) projects based on different business units. Each business unit also requires separate sets of IAM permissions.
Which strategy should you use to meet these needs?

1. A. Create an organization node, and assign folders for each business unit.
2. B. Establish standalone projects for each business unit, using gmail.com accounts.
3. C. Assign GCP resources in a project, with a label identifying which business unit owns the resource.
4. D. Assign GCP resources in a VPC for each business unit to separate network access.

Correct Answer: A

Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation.
What should you do?

1. A. Store the data in a single Persistent Disk, and delete the disk at expiration time.
2. B. Store the data in a single BigQuery table and set the appropriate table expiration time.
3. C. Store the data in a single Cloud Storage bucket and configure the bucket’s Time to Live.
4. D. Store the data in a single BigTable table and set an expiration time on the column families.

Correct Answer: B

In an effort for your company messaging app to comply with FIPS 140-2, a decision was made to use GCP compute and network services. The messaging app architecture includes a Managed Instance Group (MIG) that controls a cluster of Compute Engine instances. The instances use Local SSDs for data caching and UDP for instance-to-instance communications. The app development team is willing to make any changes necessary to comply with the standard
Which options should you recommend to meet the requirements?

1. A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.
2. B. Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.
3. C. Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections.
4. D. Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.

Correct Answer: D