Google (PCSE) Exam Questions And Answers page 10
Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.
How should your team meet these requirements?
Remove the Editor role and grant the Compute Admin IAM role to the engineers.
Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
Set up a VPC network with two subnets: one with public IPs and one without public IPs.
Google Cloud Identity and Access Management (IAM)
Google Cloud Networking Security
You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS). Cloud Identity and Access Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys.
What should you do?
Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the Key level.
Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the KeyRing level.
Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the Key level.
Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the KeyRing level.
Google Cloud Identity and Access Management (IAM)
Google Cloud Data Security
You want to evaluate GCP for PCI compliance. You need to identify Google's inherent controls.
Which document should you review to find the information?
Google Cloud Platform: Customer Responsibility Matrix
PCI DSS Requirements and Security Assessment Procedures
PCI SSC Cloud Computing Guidelines
Product documentation for Compute Engine
Google Cloud Identity and Access Management (IAM)
Google Cloud Data Security
You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project.
What should you do?
Use the Organization Policy Service to create a compute.trustedImageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.
Use the Organization Policy Service to create a compute.trustedImageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.
In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.
In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.
Google Cloud Networking Security
Google Cloud Data Security
You will create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.
What should you do?
Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.
Create a custom role with the permission compute.instances.list and grant the Service Account this role.
Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.
Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.
Google Cloud Identity and Access Management (IAM)