Security Questions

Google Security Exam sample questions

Uploaded by Amit Bathla
232 - Your organization uses the top-tier folder to separate application
environments (prod and dev). The developers need to see all application development
audit logs, but they are not permitted to review production logs. Your security
team can review all logs in production and development environments. You must grant
Identity and Access Management (IAM) roles at the right resource level for the
developers and security team while you ensure least privilege.

What should you do?

A. 1. Grant logging.viewer role to the security team at the organization resource
level.
2. Grant logging.viewer role to the developer team at the folder resource level
that contains all the dev projects.

B. 1. Grant logging.viewer role to the security team at the organization resource
level.
2. Grant logging.admin role to the developer team at the organization resource
level.

C. 1. Grant logging.admin role to the security team at the organization resource
level.
2. Grant logging.viewer role to the developer team at the folder resource level
that contains all the dev projects.

D. 1. Grant logging.admin role to the security team at the organization resource
level.
2. Grant logging.admin role to the developer team at the organization resource
level.

Ans - A

234 - Your organization uses BigQuery to process highly sensitive, structured
datasets. Following the “need to know” principle, you need to create the Identity
and Access Management (IAM) design to meet the needs of these users:
• Business user: must access curated reports.
• Data engineer: must administrate the data lifecycle in the platform.
• Security operator: must review user activity on the data platform.

What should you do?

A. Configure data access log for BigQuery services, and grant Project Viewer role
to security operator.
B. Set row-based access control based on the “region” column, and filter the record
from the United States for data engineers.
C. Create curated tables in a separate dataset and assign the role
roles/bigquery.dataViewer.
D. Generate a CSV data file based on the business user's needs, and send the data
to their email addresses.

Ans - C

235 - You are setting up a new Cloud Storage bucket in your environment that is
encrypted with a customer managed encryption key (CMEK). The CMEK is stored in
Cloud Key Management Service (KMS), in project “prj-a”, and the Cloud Storage
bucket will use project “prj-b”. The key is backed by a Cloud Hardware Security
Module (HSM) and resides in the region europe-west3. Your storage bucket will be
located in the region europe-west1. When you create the bucket, you cannot access
the key, and you need to troubleshoot why.

What has caused the access issue?

A. A firewall rule prevents the key from being accessible.
B. Cloud HSM does not support Cloud Storage.
C. The CMEK is in a different project than the Cloud Storage bucket.
D. The CMEK is in a different region than the Cloud Storage bucket.

Ans - D

239 - You control network traffic for a folder in your Google Cloud environment.
Your folder includes multiple projects and Virtual Private Cloud (VPC) networks.
You want to enforce on the folder level that egress connections are limited only to
IP range 10.58.5.0/24 and only from the VPC network “dev-vpc”. You want to minimize
implementation and maintenance effort.

What should you do?

A. 1. Leave the network configuration of the VMs in scope unchanged.
2. Create a new project including a new VPC network “new-vpc”.
3. Deploy a network appliance in “new-vpc” to filter access requests and only allow
egress connections from “dev-vpc” to 10.58.5.0/24.

B. 1. Leave the network configuration of the VMs in scope unchanged.
2. Enable Cloud NAT for “dev-vpc” and restrict the target range in Cloud NAT to
10.58.5.0/24.

C. 1. Attach external IP addresses to the VMs in scope.
2. Define and apply a hierarchical firewall policy on folder level to deny all
egress connections and to allow egress to IP range 10.58.5.0/24 from network
dev-vpc.

D. 1. Attach external IP addresses to the VMs in scope.
2. Configure a VPC Firewall rule in “dev-vpc” that allows egress connectivity to IP
range 10.58.5.0/24 for all source addresses in this network.

Ans - B

240 - Your customer has an on-premises Public Key Infrastructure (PKI) with a
certificate authority (CA). You need to issue certificates for many HTTP load
balancer frontends. The on-premises PKI should be minimally affected due to many
manual processes, and the solution needs to scale.

What should you do?

A. Use Certificate Manager to issue Google managed public certificates and
configure it at the HTTP load balancers in your infrastructure as code (IaC).
B. Use a subordinate CA in the Google Certificate Authority Service from the
on-premises PKI system to issue certificates for the load balancers.
C. Use Certificate Manager to import certificates issued from on-premises PKI and
for the frontends. Leverage the gcloud tool for importing.
D. Use the web applications with PKCS12 certificates issued from subordinate CA
based on OpenSSL on-premises. Use the gcloud tool for importing. Use the External
TCP/UDP Network load balancer instead of an external HTTP Load Balancer.

Ans - B

241 - You are developing a new application that uses exclusively Compute Engine VMs.
Once a day, this application will execute five different batch jobs. Each of the
batch jobs requires a dedicated set of permissions on Google Cloud resources
outside of your application. You need to design a secure access concept for the
batch jobs that adheres to the least-privilege principle.

What should you do?

A. 1. Create a general service account “g-sa” to orchestrate the batch jobs.
2. Create one service account per batch job “b-sa-[1-5]”. Grant only the
permissions required to run the individual batch jobs to the service accounts and
generate service account keys for each of these service accounts.
3. Store the service account keys in Secret Manager. Grant g-sa access to Secret
Manager and run the batch jobs with the permissions of b-sa-[1-5].

B. 1. Create a general service account “g-sa” to execute the batch jobs.
2. Grant the permissions required to execute the batch jobs to g-sa.
3. Execute the batch jobs with the permissions granted to g-sa.

C. 1. Create a workload identity pool and configure workload identity pool
providers for each batch job.
2. Assign the workload identity user role to each of the identities configured in
the providers.
3. Create one service account per batch job “b-sa-[1-5]”, and grant only the
permissions required to run the individual batch jobs to the service accounts.
4. Generate credential configuration files for each of the providers. Use these
files to execute the batch jobs with the permissions of b-sa-[1-5].

D. 1. Create a general service account “g-sa” to orchestrate the batch jobs.
2. Create one service account per batch job “b-sa-[1-5]”, and grant only the
permissions required to run the individual batch jobs to the service accounts.
3. Grant the Service Account Token Creator role to g-sa. Use g-sa to obtain
short-lived access tokens for b-sa-[1-5] and to execute the batch jobs with the
permissions of b-sa-[1-5].

Ans - D