Question # 1
Your company’s cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs. Which service should you use?
A. Identity Aware-Proxy
B. Cloud NAT
C. TCP/UDP Load Balancing
D. Cloud DNS
Question # 2
Your organization’s Google Cloud VMs are deployed via an instance template that configures them with a public IP address in order to host web services for external users. The VMs reside in a service project that is attached to a host (VPC) project containing one custom Shared VPC for the VMs. You have been asked to reduce the exposure of the VMs to the internet while continuing to service external users. You have already recreated the instance template without a public IP address configuration to launch the managed instance group (MIG). What should you do?
A. Deploy a Cloud NAT Gateway in the service project for the MIG.
B. Deploy a Cloud NAT Gateway in the host (VPC) project for the MIG.
C. Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.
D. Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend.
Question # 3
You are onboarding new users into Cloud Identity and discover that some users have created consumer user accounts using the corporate domain name. How should you manage these consumer user accounts with Cloud Identity?
A. Use Google Cloud Directory Sync to convert the unmanaged user accounts.
B. Create a new managed user account for each consumer user account.
C. Use the transfer tool for unmanaged user accounts.
D. Configure single sign-on using a customer's third-party provider.
Question # 4
You discovered that sensitive personally identifiable information (PII) is being ingested to your Google Cloud environment in the daily ETL process from an on-premises environment to your BigQuery datasets. You need to redact this data to obfuscate the PII, but need to re-identify it for data analytics purposes. Which components should you use in your solution? (Choose two.)
A. Secret Manager
B. Cloud Key Management Service
C. Cloud Data Loss Prevention with cryptographic hashing
D. Cloud Data Loss Prevention with automatic text redaction
E. Cloud Data Loss Prevention with deterministic encryption using AES-SIV
Question # 5
Which type of load balancer should you use to maintain client IP by default while using the standard network tier?
A. SSL Proxy
B. TCP Proxy
C. Internal TCP/UDP
D. TCP/UDP Network
Question # 6
You have created an OS image that is hardened per your organization’s security standards and is being stored in a project managed by the security team. As a Google Cloud administrator, you need to make sure all VMs in your Google Cloud organization can only use that specific OS image while minimizing operational overhead. What should you do? (Choose two.
A. Grant users the compuce.imageUser role in their own projects.
B. Grant users the compuce.imageUser role in the OS image project.
C. Store the image in every project that is spun up in your organization.
D. Set up an image access organization policy constraint, and list the security team managed project in the projects allow list.
E. Remove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.
Question # 7
You are working with a client who plans to migrate their data to Google Cloud. You are responsible for recommending an encryption service to manage their encrypted keys. You have the following requirements: The master key must be rotated at least once every 45 days. The solution that stores the master key must be FIPS 140-2 Level 3 validated. The master key must be stored in multiple regions within the US for redundancy. Which solution meets these requirements?
A. Customer-managed encryption keys with Cloud Key Management Service
B. Customer-managed encryption keys with Cloud HSM
C. Customer-supplied encryption keys
D. Google-managed encryption keys
Question # 8
You are implementing data protection by design and in accordance with GDPR requirements. As part of design reviews, you are told that you need to manage the encryption key for a solution that includes workloads for Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. Which option should you choose for this implementation?
A. Cloud External Key Manager
B. Customer-managed encryption keys
C. Customer-supplied encryption keys
D. Google default encryption
Question # 9
Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups. Which Google Cloud service should you use?
A. Cloud DNS with DNSSEC
B. Cloud NAT
C. HTTP(S) Load Balancing
D. Google Cloud Armor
Question # 10
You are a security engineer at a finance company. Your organization plans to store data on Google Cloud, but your leadership team is worried about the security of their highly sensitive data Specifically, your company is concerned about internal Google employees' ability to access your company's data on Google Cloud. What solution should you propose?
A. Use customer-managed encryption keys.
B. Use Google's Identity and Access Management (IAM) service to manage access controls on Google Cloud.
C. Enable Admin activity logs to monitor access to resources.
D. Enable Access Transparency logs with Access Approval requests for Google employees.
Question # 11
Your company’s new CEO recently sold two of the company’s divisions. Your Director asks you to help migrate the Google Cloud projects associated with those divisions to a new organization node. Which preparation steps are necessary before this migration occurs? (Choose two.)
A. Remove all project-level custom Identity and Access Management (1AM) roles.
B. Disallow inheritance of organization policies.
C. Identify inherited Identity and Access Management (1AM) roles on projects to be migrated.
D. Create a new folder for all projects to be migrated.
E. Remove the specific migration projects from any VPC Service Controls perimeters and bridges.
Question # 12
You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources. Your export must meet the following requirements: Export related logs for all projects in the Google Cloud organization. Export logs in near real-time to an external SIEM. What should you do? (Choose two.)
A. Create a Log Sink at the organization level with a Pub/Sub destination.
B. Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.
C. Enable Data Access audit logs at the organization level to apply to all projects.
D. Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.
E. Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.
Question # 13
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements: Only allows communication between the Web and App tiers. Enforces consistent network security when autoscaling the Web and App tiers. Prevents Compute Engine Instance Admins from altering network traffic. What should you do?
1. Configure all running Web and App servers with respective network tags.
2. Create an allow VPC firewall rule that specifies the target/source with respective network
B. 1. Configure all running Web and App servers with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.
C. 1. Re-deploy the Web and App servers with instance templates configured with respective network tags. 2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.
D. 1. Re-deploy the Web and App servers with instance templates configured with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.
Question # 14
You work for a large organization where each business unit has thousands of users. You need to delegate management of access control permissions to each business unit. You have the following requirements Each business unit manages access controls for their own projects. Each business unit manages access control permissions at scale. Business units cannot access other business units' projects. Users lose their access if they move to a different business unit or leave the company. Users and access control permissions are managed by the on-premises directory service.What should you do? (Choose two.)
A. Use VPC Service Controls to create perimeters around each business unit's project.
B. Organize projects in folders, and assign permissions to Google groups at the folder level.
C. Group business units based on Organization Units (OUs) and manage permissions based on OUs.
D. Create a project naming convention, and use Google's IAM Conditions to manage access based on the prefix of project names.
E. Use Google Cloud Directory Sync to synchronize users and group memberships in Cloud Identity.
Question # 15
Your company wants to determine what products they can build to help customers improve their credit scores depending on their age range. To achieve this, you need to join user information in the company's banking app with customers' credit score data received from a third party. While using this raw data will allow you to complete this task, it exposes sensitive data, which could be propagated into new systems.This risk needs to be addressed using de-identification and tokenization with Cloud Data Loss Prevention while maintaining the referential integrity across the database. Which cryptographic token format should you use to meet these requirements?
A. Deterministic encryption
B. Secure, key-based hashes
C. Format-preserving encryption
D. Cryptographic hashing
Question # 16
Your company has been creating users manually in Cloud Identity to provide access to Google Cloud resources. Due to continued growth of the environment, you want to authorize the Google Cloud Directory Sync (GCDS) instance and integrate it with your onpremises LDAP server to onboard hundreds of users. You are required to: Replicate user and group lifecycle changes from the on-premises LDAP server in Cloud Identity. Disable any manually created users in Cloud Identity. You have already configured the LDAP search attributes to include the users and security groups in scope for Google Cloud. What should you do next to complete this solution?
1. Configure the option to suspend domain users not found in LDAP.
2. Set up a recurring GCDS task.
B. 1. Configure the option to delete domain users not found in LDAP. 2. Run GCDS after user and group lifecycle changes.
C. 1. Configure the LDAP search attributes to exclude manually created Cloud Identity users not found in LDAP. 2. Set up a recurring GCDS task.
D. 1. Configure the LDAP search attributes to exclude manually created Cloud identity users not found in LDAP. 2. Run GCDS after user and group lifecycle changes.
Question # 17
An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well- established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the “source of truth” directory for identitiesWhich solution meets the organization's requirements?
A. Google Cloud Directory Sync (GCDS)
B. Cloud Identity
C. Security Assertion Markup Language (SAML)
Question # 18
You are consulting with a client that requires end-to-end encryption of application data (including data in transit, data in use, and data at rest) within Google Cloud. Which options should you utilize to accomplish this? (Choose two.)
A. External Key Manager
B. Customer-supplied encryption keys
C. Hardware Security Module
D. Confidential Computing and Istio
E. Client-side encryption
Question # 19
You run applications on Cloud Run. You already enabled container analysis for vulnerability scanning. However, you are concerned about the lack of control on the applications that are deployed. You must ensure that only trusted container images are deployed on Cloud Run. What should you do? Choose 2 answers
A. Enable Binary Authorization on the existing Kubernetes cluster.
B. Set the organization policy constraint constraints/run. allowedBinaryAuthorizationPolicie to the list of allowed Binary Authorization policy names.
C. Set the organization policy constraint constraints/compute.trustedimageProjects to the list of protects that contain the trusted container images.
D. Enable Binary Authorization on the existing Cloud Run service. E. Use Cloud Run breakglass to deploy an image that meets the Binary Authorization policy by default.
Question # 20
You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project. How should you make an exception for your partner's domain while following the stated best practices?
A. Turn off the domain restriction sharing organization policy. Set the policy value to "Allow
B. Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.
C. Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.
D. Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.
Question # 21
You are working with protected health information (PHI) for an electronic health record system. The privacy officer is concerned that sensitive data is stored in the analytics system. You are tasked with anonymizing the sensitive data in a way that is not reversible. Also, the anonymized data should not preserve the character set and length. Which Google Cloud solution should you use?
A. Cloud Data Loss Prevention with deterministic encryption using AES-SIV
B. Cloud Data Loss Prevention with format-preserving encryption
C. Cloud Data Loss Prevention with cryptographic hashing
D. Cloud Data Loss Prevention with Cloud Key Management Service wrapped cryptographic keys
Question # 22
In an effort for your company messaging app to comply with FIPS 140-2, a decision was made to use GCP compute and network services. The messaging app architecture includes a Managed Instance Group (MIG) that controls a cluster of Compute Engine instances. The instances use Local SSDs for data caching and UDP for instance-toinstance communications. The app development team is willing to make any changes necessary to comply with the standardWhich options should you recommend to meet the requirements?
A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto
B. Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.
C. Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections.
D. Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.
Question # 23
Your company uses Google Cloud and has publicly exposed network assets. You want to discover the assets and perform a security audit on these assets by using a software tool in the least amount of time. What should you do?
A. Run a platform security scanner on all instances in the organization.
B. Notify Google about the pending audit and wait for confirmation before performing the scan.
C. Contact a Google approved security vendor to perform the audit.
D. Identify all external assets by using Cloud Asset Inventory and then run a network security scanner against them.
Question # 24
You work for an organization in a regulated industry that has strict data protection requirements. The organization backs up their data in the cloud. To comply with data privacy regulations, this data can only be stored for a specific length of time and must be deleted after this specific period.You want to automate the compliance with this regulation while minimizing storage costs. What should you do?
A. Store the data in a persistent disk, and delete the disk at expiration time.
B. Store the data in a Cloud Bigtable table, and set an expiration time on the column families.
C. Store the data in a BigQuery table, and set the table's expiration time.
D. Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.
Question # 25
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements: The Cloud Storage bucket in Project A can only be readable from Project B. The Cloud Storage bucket in Project A cannot be accessed from outside the network. Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket. What should the security team do?
A. Enable domain restricted sharing in an organization policy, and enable uniform bucketlevel access on the Cloud Storage bucket.
B. Enable VPC Service Controls, create a perimeter around Projects A and B. and include the Cloud Storage API in the Service Perimeter configuration.
C. Enable Private Access in both Project A and B's networks with strict firewall rules that allow communication between the networks.
D. Enable VPC Peering between Project A and B's networks with strict firewall rules that allow communication between the networks.
Question # 26
You need to create a VPC that enables your security team to control network resources such as firewall rules. How should you configure the network to allow for separation of duties for network resources?
A. Set up multiple VPC networks, and set up multi-NIC virtual appliances to connect the
B. Set up VPC Network Peering, and allow developers to peer their network with a Shared VPC.
C. Set up a VPC in a project. Assign the Compute Network Admin role to the security team, and assign the Compute Admin role to the developers.
D. Set up a Shared VPC where the security team manages the firewall rules, and share the network with developers via service projects.
Question # 27
You manage your organization’s Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your VPCs based on network logs. However, you want to explore your environment using network payloads and headers. Which Google Cloud product should you use?
A. Cloud IDS
B. VPC Service Controls logs
C. VPC Flow Logs
D. Google Cloud Armor
E. Packet Mirroring
Question # 28
Your organization wants to protect all workloads that run on Compute Engine VM to ensure that the instances weren't compromised by boot-level or kernel-level malware. Also, you need to ensure that data in use on the VM cannot be read by the underlying host system by using a hardware-based solution. What should you do?
A. • 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module
(vTPM) and integrity monitoring
• 2 Create a Cloud Run function to check for the VM settings generate metrics and run the
B. • 1 Activate Virtual Machine Threat Detection in Security Command Center (SCO Premium • 2 Monitor the findings in SCC
C. * 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring • 2 Activate Confidential Computing • 3 Enforce these actions by using organization policies
D. • 1 Use secure hardened images from the Google Cloud Marketplace • 2 When deploying the images activate the Confidential Computing option • 3 Enforce the use of the correct images and Confidential Computing by using organization policies
Question # 29
Your organization processes sensitive health information. You want to ensure that data is encrypted while in use by the virtual machines (VMs). You must create a policy that is enforced across the entire organization. What should you do?
A. Implement an organization policy that ensures that all VM resources created across your
organization use customer-managed encryption keys (CMEK) protection.
B. Implement an organization policy that ensures all VM resources created across your organization are Confidential VM instances.
C. Implement an organization policy that ensures that all VM resources created across your organization use Cloud External Key Manager (EKM) protection.
D. No action is necessary because Google encrypts data while it is in use by default.
Question # 30
Your organization is moving virtual machines (VMs) to Google Cloud. You must ensure that operating system images that are used across your projects are trusted and meet your security requirements. What should you do?
A. Implement an organization policy to enforce that boot disks can only be created from
images that come from the trusted image project.
B. Create a Cloud Function that is automatically triggered when a new virtual machine is created from the trusted image repository Verify that the image is not deprecated.
C. Implement an organization policy constraint that enables the Shielded VM service on all projects to enforce the trusted image repository usage.
D. Automate a security scanner that verifies that no common vulnerabilities and exposures (CVEs) are present in your trusted image repository.
Question # 31
Your application is deployed as a highly available cross-region solution behind a global external HTTP(S) load balancer. You notice significant spikes in traffic from multiple IP addresses but it is unknown whether the IPs are malicious. You are concerned about your application's availability. You want to limit traffic from these clients over a specified time interval.What should you do?
A. Configure a rate_based_ban action by using Google Cloud Armor and set the
ban_duration_sec parameter to the specified time interval.
B. Configure a deny action by using Google Cloud Armor to deny the clients that issued too many requests over the specified time interval.
C. Configure a throttle action by using Google Cloud Armor to limit the number of requests per client over a specified time interval.
D. Configure a firewall rule in your VPC to throttle traffic from the identified IP addresses.
Question # 32
Which Google Cloud service should you use to enforce access control policies for applications and resources?
A. Identity-Aware Proxy
B. Cloud NAT
C. Google Cloud Armor
D. Shielded VMs
Question # 33
Your organization is using GitHub Actions as a continuous integration and delivery (Cl/CD) platform. You must enable access to Google Cloud resources from the Cl/CD pipelines in the most secure way. What should you do?
A. Create a service account key and add it to the GitHub pipeline configuration file.
B. Create a service account key and add it to the GitHub repository content.
C. Configure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.
D. Configure workload identity federation to use GitHub as an identity pool provider.
Question # 34
Your company requires the security and network engineering teams to identify all network anomalies and be able to capture payloads within VPCs. Which method should you use?
A. Define an organization policy constraint.
B. Configure packet mirroring policies.
C. Enable VPC Flow Logs on the subnet.
D. Monitor and analyze Cloud Audit Logs.
Question # 35
Your company is storing sensitive data in Cloud Storage. You want a key generated onpremises to be used in the encryption process. What should you do?
A. Use the Cloud Key Management Service to manage a data encryption key (DEK).
B. Use the Cloud Key Management Service to manage a key encryption key (KEK).
C. Use customer-supplied encryption keys to manage the data encryption key (DEK).
D. Use customer-supplied encryption keys to manage the key encryption key (KEK).
Question # 36
You have noticed an increased number of phishing attacks across your enterprise user accounts. You want to implement the Google 2-Step Verification (2SV) option that uses a cryptographic signature to authenticate a user and verify the URL of the login page. Which Google 2SV option should you use?
A. Titan Security Keys
B. Google prompt
C. Google Authenticator app
D. Cloud HSM keys
Question # 37
You are a member of your company's security team. You have been asked to reduce your Linux bastion host external attack surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can access the internal VPC while off-site. How should you enable this access?
A. Implement Cloud VPN for the region where the bastion host lives.
B. Implement OS Login with 2-step verification for the bastion host.
C. Implement Identity-Aware Proxy TCP forwarding for the bastion host.
D. Implement Google Cloud Armor in front of the bastion host.
Question # 38
You are responsible for managing your company’s identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user’s access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?
A. On the Google Admin console, select the appropriate user account, and generate a
backup code to allow the user to sign in. Ask the user to update their second factor.
B. On the Google Admin console, temporarily disable the 2SV requirements for all users. Ask the user to log in and add their new second factor to their account. Re-enable the 2SV requirement for all users.
C. On the Google Admin console, select the appropriate user account, and temporarily disable 2SV for this account Ask the user to update their second factor, and then re-enable 2SV for this account.
D. On the Google Admin console, use a super administrator account to reset the user account's credentials. Ask the user to update their credentials after their first login.
Question # 39
Which Identity-Aware Proxy role should you grant to an Identity and Access Management (IAM) user to access HTTPS resources?
A. Security Reviewer
B. lAP-Secured Tunnel User
C. lAP-Secured Web App User
D. Service Broker Operator
Question # 40
You are in charge of creating a new Google Cloud organization for your company. Which two actions should you take when creating the super administrator accounts? (Choose two.)
A. Create an access level in the Google Admin console to prevent super admin from
logging in to Google Cloud.
B. Disable any Identity and Access Management (1AM) roles for super admin at the organization level in the Google Cloud Console
C. Use a physical token to secure the super admin credentials with multi-factor authentication (MFA).
D. Use a private connection to create the super admin accounts to avoid sending your credentials over the Internet.
E. Provide non-privileged identities to the super admin users for their day-to-day activities.
Question # 41
You need to use Cloud External Key Manager to create an encryption key to encrypt specific BigQuery data at rest in Google Cloud. Which steps should you do first?
A. 1. Create or use an existing key with a unique uniform resource identifier (URI) in your
Google Cloud project.
2. Grant your Google Cloud project access to a supported external key management
B. 1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.
C. 1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system. 2. In the external key management partner system, grant access for this key to use your Google Cloud project.
D. 1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.
Question # 42
Your company must follow industry specific regulations. Therefore, you need to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources in the organization called org1. What command should you execute?
A. • organization policy: constraints/gcp.restrictStorageNonCraekServices
• binding at: orgl
• policy type: deny
• policy value: storage.gcogleapis.com
B. • organization policy: constraints/gcp.restrictHonCmekServices • binding at: orgl • policy type: deny • policy value: storage.googleapis.com
C. • organization policy:constraints/gcp.restrictStorageNonCraekServices • binding at: orgl • policy type: allow • policy value: all supported services
D. • organization policy: constramts/gcp.restrictNonCmekServices • binding at: orgl • policy type: allow • policy value: storage.googleapis.com
Question # 43
You are auditing all your Google Cloud resources in the production project. You want to identity all principals who can change firewall rules. What should you do?
A. Use Policy Analyzer lo query the permissions compute, firewalls, create of
compute, firewalls. Create of compute,firewalls.delete.
B. Reference the Security Health Analytics - Firewall Vulnerability Findings in the Security Command Center.
C. Use Policy Analyzer to query the permissions compute, firewalls, get of compute, firewalls, list.
D. Use Firewall Insights to understand your firewall rules usage patterns.
Question # 44
Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud. Which two steps should you take to integrate the company’s on-premises Active Directory with Google Cloud and configure access management? (Choose two.)
A. Use Identity Platform to provision users and groups to Google Cloud.
B. Use Cloud Identity SAML integration to provision users and groups to Google Cloud.
C. Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.
D. Create Identity and Access Management (1AM) roles with permissions corresponding to each Active Directory group.
E. Create Identity and Access Management (1AM) groups with permissions corresponding to each Active Directory group.
Question # 45
While migrating your organization’s infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a wellestablished way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password. What should you do?
A. Manually synchronize the data in Google domain with your existing Active Directory or
B. Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
C. Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
D. Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.
Question # 46
You are a Cloud Identity administrator for your organization. In your Google Cloud environment groups are used to manage user permissions. Each application team has a dedicated group Your team is responsible for creating these groups and the application teams can manage the team members on their own through the Google Cloud console. You must ensure that the application teams can only add users from within your organization to their groups.What should you do?
A. Change the configuration of the relevant groups in the Google Workspace Admin
console to prevent external users from being added to the group.
B. Set an Identity and Access Management (1AM) policy that includes a condition that restricts group membership to user principals that belong to your organization.
C. Define an Identity and Access Management (IAM) deny policy that denies the assignment of principals that are outside your organization to the groups in scope.
D. Export the Cloud Identity logs to BigQuery Configure an alert for external members added to groups Have the alert trigger a Cloud Function instance that removes the external members from the group.
Question # 47
Your organization must comply with the regulation to keep instance logging data within Europe. Your workloads will be hosted in the Netherlands in region europe-west4 in a new project. You must configure Cloud Logging to keep your data in the country. What should you do?
A. Configure the organization policy constraint gcp.resourceLocations to europe-west4.
B. Set the logging storage region to eurcpe-west4 by using the gcloud CLI logging settings update.
C. Create a new tog bucket in europe-west4. and redirect the _Def auit bucKet to the new bucket.
D. Configure log sink to export all logs into a Cloud Storage bucket in europe-west4.