You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to-know basis to the HR team. What should you do?
A. Perform data masking with the DLP API and store that data in BigQuery for later use.
B. Perform data redaction with the DLP API and store that data in BigQuery for later use.
C. Perform data inspection with the DLP API and store that data in BigQuery for later use.
D. Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.
You are backing up application logs to a shared Cloud Storage bucket that is accessible to both the administrator and analysts. Analysts should not have access to logs that contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible to the administrator. What should you do?
A. Upload the logs to both the shared bucket and the bucket with Pll that is only accessible to the administrator. Use the Cloud Data Loss Prevention API to create a job trigger. Configure the trigger to delete any files that contain Pll from the shared bucket.
B. On the shared bucket, configure Object Lifecycle Management to delete objects that contain Pll.
C. On the shared bucket, configure a Cloud Storage trigger that is only triggered when Pll is uploaded. Use Cloud Functions to capture the trigger and delete the files that contain Pll.
D. Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect Pll, have the function move the objects into the shared Cloud Storage bucket.
You recently joined the networking team supporting your company's Google Cloud implementation. You are tasked with familiarizing yourself with the firewall rules configuration and providing recommendations based on your networking and Google Cloud experience. What product should you recommend to detect firewall rules that are overlapped by attributes from other firewall rules with higher or equal priority?
A. Security Command Center
B. Firewall Rules Logging
C. VPC Flow Logs
D. Firewall Insights
You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources. Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts.
Which two actions should you take? (Choose two.)
A. Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity.
B. Use the Google Admin console to view which managed users are using a personal account for their recovery email.
C. Add users to your managed Google account and force users to change the email addresses associated with their personal accounts.
D. Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts.
E. Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.
Your Google Cloud organization allows for administrative capabilities to be distributed to each team through provision of a Google Cloud project with Owner role (roles/ owner). The organization contains thousands of Google Cloud Projects
Security Command Center Premium has surfaced multiple cpen_myscl_port findings. You are enforcing the guardrails and need to prevent these types of common misconfigurations.
What should you do?
A. Create a firewall rule for each virtual private cloud (VPC) to deny traffic from 0 0 0 0/0 with priority 0.
B. Create a hierarchical firewall policy configured at the organization to deny all connections from 0 0 0 0/0.
C. Create a Google Cloud Armor security policy to deny traffic from 0 0 0 0/0.
D. Create a hierarchical firewall policy configured at the organization to allow connections only from internal IP ranges
You manage one of your organization's Google Cloud projects (Project A). AVPC Service Control (SC) perimeter is blocking API access requests to this project including Pub/Sub. A resource running under a service account in another project (Project B) needs to collect messages from a Pub/Sub topic in your project Project B is not included in a VPC SC perimeter. You need to provide access from Project B to the Pub/Sub topic in Project A using the principle of least Privilege.
What should you do?
A. Configure an ingress policy for the perimeter in Project A and allow access for the service account in Project B to collect messages.
B. Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is located in Project A.
C. Create a perimeter bridge between Project A and Project B to allow the required communication between both projects.
D. Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project A.
You want to use the gcloud command-line tool to authenticate using a third-party single sign-on (SSO) SAML identity provider. Which options are necessary to ensure that authentication is supported by the third-party identity provider (IdP)? (Choose two.)
A. SSO SAML as a third-party IdP
B. Identity Platform
C. OpenID Connect
D. Identity-Aware Proxy
E. Cloud Identity
Your organization uses the top-tier folder to separate application environments (prod and dev). The developers need to see all application development audit logs but they are not permitted to review production logs. Your security team can review all logs in production and development environments. You must grant Identity and Access Management (1AM) roles at the right resource level tor the developers and security team while you ensure least privilege.
What should you do?
A. 1 Grant logging, viewer rote to the security team at the organization resource level. 2 Grant logging, viewer rote to the developer team at the folder resource level that contains all the dev projects.
B. 1 Grant logging. viewer rote to the security team at the organization resource level. 2 Grant logging. admin role to the developer team at the organization resource level.
C. 1 Grant logging.admin role to the security team at the organization resource level. 2 Grant logging. viewer rote to the developer team at the folder resource level that contains all the dev projects.
D. 1 Grant logging.admin role to the security team at the organization resource level. 2 Grant logging.admin role to the developer team at the organization resource level.
You are migrating an on-premises data warehouse to BigQuery Cloud SQL, and Cloud Storage. You need to configure security services in the data warehouse. Your company compliance policies mandate that the data warehouse must:
1.
Protect data at rest with full lifecycle management on cryptographic keys
2.
Implement a separate key management provider from data management
3.
Provide visibility into all encryption key requests
What services should be included in the data warehouse implementation?
Choose 2 answers
A. Customer-managed encryption keys
B. Customer-Supplied Encryption Keys
C. Key Access Justifications
D. Access Transparency and Approval
E. Cloud External Key Manager
You are routing all your internet facing traffic from Google Cloud through your on-premises internet connection. You want to accomplish this goal securely and with the highest bandwidth possible.
What should you do?
A. Create an HA VPN connection to Google Cloud Replace the default 0 0 0 0/0 route.
B. Create a routing VM in Compute Engine Configure the default route with the VM as the next hop.
C. Configure Cloud Interconnect with HA VPN Replace the default 0 0 0 0/0 route to an on-premises destination.
D. Configure Cloud Interconnect and route traffic through an on-premises firewall.