Security Questions
environments (prod and dev). The developers need to see all application development
audit logs, but they are not permitted to review production logs. Your security
team can review all logs in production and development environments. You must grant
Identity and Access Management (IAM) roles at the right resource level for the
developers and security team while you ensure least privilege.
Ans - A
Ans - C
235 - You are setting up a new Cloud Storage bucket in your environment that is
encrypted with a customer managed encryption key (CMEK). The CMEK is stored in
Cloud Key Management Service (KMS), in project “prj-a”, and the Cloud Storage
bucket will use project “prj-b”. The key is backed by a Cloud Hardware Security
Module (HSM) and resides in the region europe-west3. Your storage bucket will be
located in the region europe-west1. When you create the bucket, you cannot access
the key, and you need to troubleshoot why.
Ans - D
239 - You control network traffic for a folder in your Google Cloud environment.
Your folder includes multiple projects and Virtual Private Cloud (VPC) networks.
You want to enforce on the folder level that egress connections are limited only to
IP range 10.58.5.0/24 and only from the VPC network “dev-vpc”. You want to minimize
implementation and maintenance effort.
Ans - B
240 - Your customer has an on-premises Public Key Infrastructure (PKI) with a
certificate authority (CA). You need to issue certificates for many HTTP load
balancer frontends. The on-premises PKI should be minimally affected due to many
manual processes, and the solution needs to scale.
Ans - B
241 - You are developing a new application that uses exclusively Compute Engine VMs.
Once a day, this application will execute five different batch jobs. Each of the
batch jobs requires a dedicated set of permissions on Google Cloud resources
outside of your application. You need to design a secure access concept for the
batch jobs that adheres to the least-privilege principle.
What should you do?
A. 1. Create a general service account “g-sa” to orchestrate the batch jobs.
2. Create one service account per batch job ‘b-sa-[1-5]’. Grant only the
permissions required to run the individual batch jobs to the service accounts and
generate service account keys for each of these service accounts.
3. Store the service account keys in Secret Manager. Grant g-sa access to Secret
Manager and run the batch jobs with the permissions of b-sa-[1-5].
Ans - D