01. A cloud customer has an on-premises key management system and wants to generate, protect, rotate, and audit encryption keys with it.
How can the customer use Cloud Storage with their own encryption keys?
a) Declare usage of default encryption at rest in the audit report on compliance
b) Upload encryption keys to the same Cloud Storage bucket
c) Use Customer Managed Encryption Keys (CMEK)
d) Use Customer-Supplied Encryption Keys (CSEK)
02. A customer wants to grant access to their application running on Compute Engine to write only to a specific Cloud Storage bucket.
How should you grant access?
a) Create a service account for the application, and grant Cloud Storage Object Creator permissions to the project.
b) Create a service account for the application, and grant Cloud Storage Object Creator permissions at the bucket level.
c) Create a user account, authenticate with the application, and grant Google Storage Admin permissions at the bucket level.
d) Create a user account, authenticate with the application, and grant Google Storage Admin permissions at the project level.
03. Which encryption algorithm is used with Default Encryption in Cloud Storage?
04. You have defined subnets in a VPC within Google Cloud Platform. You need multiple projects to create Compute Engine instances with IP addresses from these subnets. What should you do?
a) Configure Cloud VPN between the projects.
b) Set up VPC peering between all related projects.
c) Change the VPC subnets to enable private Google access.
d) Use Shared VPC to share the subnets with the other projects.
05. Your company is deploying their applications on Google Kubernetes Engine. You want to follow Google-recommended practices.
What should you do to ensure that the container images used for new deployments contain the latest security patches?
a) Use an update script as part of every container image startup.
b) Use Container Analysis to detect vulnerabilities in images.
c) Use Google-managed base images for all containers.
d) Use exclusively private images in Container Registry.
06. A Cloud Development team needs to use service accounts extensively in their local development. You need to provide the team with the keys for these service accounts. You want to follow Google-recommended practices.
What should you do?
a) Implement a daily key rotation process that generates a new key and commits it to the source code repository every day.
b) Implement a daily key rotation process, and provide developers with a Cloud Storage bucket from which they can download the new key every day.
c) Create a Google Group with all developers. Assign the group the IAM role of Service Account User, and have developers generate and download their own keys.
d) Create a Google Group with all developers. Assign the group the IAM role of Service Account Admin, and have developers generate and download their own keys.
07. An organization is working on their GDPR compliance strategy. It wants to ensure that controls are in place to ensure that customer PII is stored in Cloud Storage buckets without third-party exposure.
Which Google Cloud solution should the organization use to verify that PII is stored in the correct place without exposing PII internally?
a) Cloud Storage Bucket Lock
b) VPC Service Controls
c) Cloud Data Loss Prevention API
d) Cloud Security Scanner
08. You are responsible for implementing a payment processing environment that will use Kubernetes and need to apply proper security controls.
What should you do?
a) Implement and enforce two-factor authentication.
b) Activate a firewall to prevent all egress traffic.
c) Establish minimum password length requirements for all systems.
d) Require file integrity monitoring and antivirus scans of pods and nodes.
09. You want to protect the default VPC network from all inbound and outbound internet traffic. What action should you take?
a) Create a Deny All inbound internet firewall rule.
b) Create a Deny All outbound internet firewall rule.
c) Create a new subnet in the VPC network with private Google access enabled.
d) Create instances without external IP addresses only.
10. Your company is storing files on Cloud Storage. To comply with local regulations, you want to ensure that uploaded files cannot be deleted within the first 5 years.
It should not be possible to lower the retention period after it has been set. What should you do?
a) Apply a retention period of 5 years to the bucket, and lock the bucket.
b) Enable Temporary hold and apply a retention period of 5 years to the bucket.
c) Use Cloud IAM to ensure that nobody has an IAM role that has the permissions to delete files from Cloud Storage.
d) Create an object lifecycle rule using the Age condition and the Delete action. Set the Age condition to 5 years.