Managing Security in Google Cloud
Foundations of Google Cloud Security
Q1. Which ONE of the following statements is TRUE concerning Google’s built-in security measures?
- Customers always have the option to configure their instances to encrypt all of their data while it is “at rest” within Google Cloud.
- Only Google-managed encryption keys are allowed to be used within Google Cloud.
- To guard against phishing attacks, all Google employee accounts require the use of U2F compatible security keys.
- An organization’s on-premises resources are not allowed to connect to Google Cloud in order to lower the risk of DDoS attacks.
Q2. Which TWO of the following statements are TRUE regarding regulatory compliance on Google Cloud?
- Google’s Cloud products regularly undergo independent verification of security, privacy, and compliance controls.
- Proper configuration of encryption and firewalls is not the only requirement for achieving regulatory compliance.
- Contacting your regulatory compliance certification agency is the only way to find out whether Google currently supports that particular standard.
- Google has no plans at this time to expand its already-extensive portfolio of regulatory compliance certifications.
Q3. Which TWO of the following statements are TRUE regarding Google’s ability to protect its customers from DoS attacks?
- Google Front End can detect when an attack is taking place and can drop or throttle traffic associated with that attack.
- A single Google data center has many times the bandwidth of even a large DoS attack, enabling it to simply absorb the extra load.
- Application-aware defense is not currently supported on Google Cloud, although support for this is planned in the very near future.
Q1. Which of the following statements is TRUE for the use of Cloud Identity?
- Cloud Identity can work with any domain name that is able to receive email.
- Your organization must use Google Workspace services in order to use Cloud Identity.
- You cannot use both Cloud Identity and Google Workspace services to manage your users across your domain.
- A Google Workspace or Cloud Identity account can be associated with more than one Organization.
Q2. The main purpose of Google Cloud Directory Sync is to: (choose ONE option below)
- Completely replace an Active Directory or LDAP service.
- Help simplify provisioning and de-provisioning user accounts.
- Enable two-way data synchronization between Google Cloud and AD/LDAP accounts.
Q3. Which TWO of the following are considered authentication “best practices”?
- Organization Admins should never remove the default organization-level permissions from users after account creation.
- Requiring 2-Step Verification (2SV) is only recommended for super-admin accounts.
- You should have no more than three Organization admins.
- Avoid managing permissions on an individual user basis where possible.
Cloud Identity and Access Management (Cloud IAM)
Q1. Which FOUR of the following are Cloud IAM Objects that can be used to organize resources in Google Cloud?
Q2. Projects in Google Cloud provide many management-related features, including the ability to (choose TWO below…)
- Keep on-prem AD/LDAP accounts synced up with users’ Google Cloud resources.
- Balance server load between different Projects.
- Selectively enable specific services and APIs.
- Track and manage quota usage.
Q3. Which TWO of the following statements about Cloud IAM Policies are TRUE?
- A policy is a collection of access statements attached to a resource.
- An organization policy can only be applied to the organization node.
- A less restrictive parent policy will not override a more restrictive child resource policy.
- A Policy binding binds a list of members to a role.
VPCs for Isolation and Security
Q1. Which TWO of the following statements about VPCs are TRUE?
- VPC firewall rules in Google Cloud are global in scope.
- Every VPC network functions as a distributed firewall where firewall rules are defined at the network level.
- Google Cloud Firewall allow rules by default only affect traffic flowing in one direction.
- A connection is considered active if it has at least one packet sent over a one hour period.
Q2. Which THREE of the following are firewall rule parameters?
- IP Address
Q3. Which ONE of the following statements is TRUE when discussing the SSL capabilities of Google Cloud Load Balancer?
- The Google-managed profile, COMPATIBLE, allows clients which support out-of-date SSL features.
- You must use one of the 3 pre-configured “Google-managed profiles” to specify the level of compatibility appropriate for your application.
- Google Cloud Load Balancers require, and will only accept, a Google-managed SSL Cert.
- If no SSL policy is set, the SSL policy is automatically set to the most constrained policy, which is RESTRICTED.