Free Professional-Cloud-Architect Exam Braindumps

Pass your Google Certified Professional - Cloud Architect (GCP) exam with these free Questions and Answers

Page 6 of 54
QUESTION 21

- (Exam Topic 5)
Your company has sensitive data in Cloud Storage buckets. Data analysts have Identity Access Management (IAM) permissions to read the buckets. You want to prevent data analysts from retrieving the data in the buckets from outside the office network. What should you do?

  1. A. 1) Create a VPC Service Controls perimeter that includes the projects with the buckets. 2) Create an access level with the CIDR of the office network.
  2. B. 1) Create a firewall rule for all instances in the Virtual Private Cloud (VPC) network for source range. 2) Use the Classless Inter-domain Routing (CIDR) of the office network.
  3. C. 1) Create a Cloud Function to remove IAM permissions from the buckets, and another Cloud Function to add IAM permissions to the buckets. 2) Schedule the Cloud Functions with Cloud Scheduler to add permissions at the start of business and remove permissions at the end of business.
  4. D. 1) Create a Cloud VPN to the office network. 2) Configure Private Google Access for on-premises hosts.

Correct Answer: A
For all Google Cloud services secured with VPC Service Controls, you can ensure that resources within a perimeter are accessed only from clients within authorized VPC networks using Private Google Access with either Google Cloud or on-premises. https://cloud.google.com/vpc-service-controls/docs/overview
You create a service control perimeter around your VPC and any Cloud Storage bucket or other project resource to restrict access. Anything outside the perimeter can't access the resources within it.

QUESTION 22

- (Exam Topic 7)
For this question, refer to the TerramEarth case study. A new architecture that writes all incoming data to BigQuery has been introduced. You notice that the data is dirty, and want to ensure data quality on an automated daily basis while managing cost.
What should you do?

  1. A. Set up a streaming Cloud Dataflow job, receiving data by the ingestion process.
  2. B. Clean the data in a Cloud Dataflow pipeline.
  3. C. Create a Cloud Function that reads data from BigQuery and cleans it.
  4. D. Trigger it.
  5. E. Trigger the Cloud Function from a Compute Engine instance.
  6. F. Create a SQL statement on the data in BigQuery, and save it as a view.
  7. G. Run the view daily, and save the result to a new table.
  8. H. Use Cloud Dataprep and configure the BigQuery tables as the source.
  9. I. Schedule a daily job to clean the data.

Correct Answer: A

QUESTION 23

- (Exam Topic 2)
For this question, refer to the TerramEarth case study.
Your development team has created a structured API to retrieve vehicle data. They want to allow third parties to develop tools for dealerships that use this vehicle event data. You want to support delegated authorization against this data. What should you do?

  1. A. Build or leverage an OAuth-compatible access control system.
  2. B. Build SAML 2.0 SSO compatibility into your authentication system.
  3. C. Restrict data access based on the source IP address of the partner systems.
  4. D. Create secondary credentials for each dealer that can be given to the trusted third party.

Correct Answer: A
Delegate application authorization with OAuth2:
Cloud Platform APIs support OAuth 2.0, and scopes provide granular authorization over the methods that are supported. Cloud Platform supports both service-account and user-account OAuth, also called three-legged OAuth.
References:
https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#delegate_application_autho
https://cloud.google.com/appengine/docs/flexible/go/authorizing-apps

QUESTION 24

- (Exam Topic 5)
Your company has decided to make a major revision of their API in order to create better experiences for their developers. They need to keep the old version of the API available and deployable, while allowing new customers and testers to try out the new API. They want to keep the same SSL and DNS records in place to serve both APIs. What should they do?

  1. A. Configure a new load balancer for the new version of the API.
  2. B. Reconfigure old clients to use a new endpoint for the new API.
  3. C. Have the old API forward traffic to the new API based on the path.
  4. D. Use separate backend pools for each API path behind the load balancer.

Correct Answer: D
https://cloud.google.com/endpoints/docs/openapi/lifecycle-management

QUESTION 25

- (Exam Topic 3)
For this question, refer to the JencoMart case study.
The JencoMart security team requires that all Google Cloud Platform infrastructure is deployed using a least privilege model with separation of duties for administration between production and development resources. What Google domain and project structure should you recommend?

  1. A. Create two G Suite accounts to manage users: one for development/test/staging and one for production. Each account should contain one project for every application.
  2. B. Create two G Suite accounts to manage users: one with a single project for all development applications and one with a single project for all production applications.
  3. C. Create a single G Suite account to manage users with each stage of each application in its own project.
  4. D. Create a single G Suite account to manage users with one project for the development/test/staging environment and one project for the production environment.

Correct Answer: D
Note: The principle of least privilege and separation of duties are concepts that, although semantically different, are intrinsically related from the standpoint of security. The intent behind both is to prevent people from having higher privilege levels than they actually need.
- Principle of Least Privilege: Users should only have the least amount of privileges required to perform their job and no more. This reduces authorization exploitation by limiting access to resources such as targets, jobs, or monitoring templates for which they are not authorized.
- Separation of Duties: Beyond limiting user privilege level, you also limit user duties, or the specific jobs they can perform. No user should be given responsibility for more than one related function. This limits the ability of a user to perform a malicious action and then cover up that action.
References: https://cloud.google.com/kms/docs/separation-of-duties
