Domain 3: Security & Compliance

Subtask 3.1: Design for security

10 questions across 2 exams


All questions (10)

Your development team spends too much time parsing through raw text logs in Cloud Logging to find application crashes and stack traces. Which TWO actions should you take to improve their troubleshooting efficiency? (Select TWO)


You are reviewing the GCP billing report for a large enterprise. You notice high costs for Compute Engine. The workloads consist of a baseline of 100 VMs that run 24/7, and an additional 50 VMs that scale up and down dynamically based on daily traffic. Which TWO cost optimization strategies should you apply? (Select TWO)


Your SRE team has defined an SLO of 99.9% availability for a critical service. Over the past month, the service has experienced multiple outages, and the error budget has been completely exhausted. According to Google SRE best practices, which THREE actions should the team take? (Select THREE)


CASE STUDY: AutoMakers Inc

Company Overview: AutoMakers Inc is a leading vehicle manufacturer transitioning to connected and autonomous vehicles. They need a platform to ingest, process, and analyze telemetry data from millions of cars.

Current Technical Environment:
- Legacy MQTT brokers on-premises.
- Hadoop cluster for batch processing (nightly runs).
- 100,000 connected cars sending 1 KB of data every minute.
- On-premises data warehouse reaching capacity.

Business Requirements:
- Support 5 million connected cars within 3 years.
- Enable real-time alerting for critical vehicle faults.
- Provide predictive maintenance insights to customers.
- Monetize anonymized traffic data.

Executive Statements:
- CEO: "Data is our new engine. We need real-time insights to improve safety."
- CFO: "The platform must scale cost-effectively. We only want to pay for what we use."
- CTO: "We need a fully managed serverless data pipeline to minimize operational overhead."

Technical Requirements:
- Ingest up to 1 million messages per second with low latency.
- Process data in real-time for anomaly detection.
- Store raw telemetry data indefinitely for machine learning model training.
- Provide a scalable data warehouse for business intelligence analysts.

Constraints:
- Strict data privacy regulations (GDPR) require masking of PII.
- Limited data engineering staff; prefer managed services.
- Must integrate with existing on-premises identity provider (Active Directory).

QUESTION: How should you ensure compliance with GDPR requirements for masking Personally Identifiable Information (PII) before the data is stored or analyzed?


CASE STUDY: AutoMakers Inc

Company Overview: AutoMakers Inc is a leading vehicle manufacturer transitioning to connected and autonomous vehicles. They need a platform to ingest, process, and analyze telemetry data from millions of cars.

Current Technical Environment:
- Legacy MQTT brokers on-premises.
- Hadoop cluster for batch processing (nightly runs).
- 100,000 connected cars sending 1 KB of data every minute.
- On-premises data warehouse reaching capacity.

Business Requirements:
- Support 5 million connected cars within 3 years.
- Enable real-time alerting for critical vehicle faults.
- Provide predictive maintenance insights to customers.
- Monetize anonymized traffic data.

Executive Statements:
- CEO: "Data is our new engine. We need real-time insights to improve safety."
- CFO: "The platform must scale cost-effectively. We only want to pay for what we use."
- CTO: "We need a fully managed serverless data pipeline to minimize operational overhead."

Technical Requirements:
- Ingest up to 1 million messages per second with low latency.
- Process data in real-time for anomaly detection.
- Store raw telemetry data indefinitely for machine learning model training.
- Provide a scalable data warehouse for business intelligence analysts.

Constraints:
- Strict data privacy regulations (GDPR) require masking of PII.
- Limited data engineering staff; prefer managed services.
- Must integrate with existing on-premises identity provider (Active Directory).

QUESTION: How should you integrate the existing on-premises Active Directory with Google Cloud to manage user access for the data analysts?


CASE STUDY: HealthSecure

Company Overview: HealthSecure provides electronic health record (EHR) systems and telemedicine platforms to hospitals across North America. They handle highly sensitive patient data.

Current Technical Environment:
- Co-located data centers with strict physical security.
- Monolithic .NET applications running on Windows Server.
- Microsoft SQL Server databases.
- Custom-built video streaming solution for telemedicine.

Business Requirements:
- Migrate to the cloud to improve scalability during telemedicine surges.
- Maintain strict compliance with HIPAA and HITECH regulations.
- Enable interoperability with other healthcare providers using FHIR standards.

Executive Statements:
- CEO: "Telemedicine is exploding. We need to scale instantly to meet patient demand."
- Chief Risk Officer (CRO): "Security and compliance are our license to operate. A data breach would destroy us."
- CTO: "We want to leverage cloud-native AI/ML for medical image analysis in the future."

Technical Requirements:
- End-to-end encryption for all data at rest and in transit.
- Strict network isolation to prevent data exfiltration.
- Comprehensive audit logging of all data access.
- High availability across multiple regions.

Constraints:
- Must use Customer-Managed Encryption Keys (CMEK).
- Third-party auditors require detailed compliance reports.
- Legacy .NET applications cannot be easily containerized without refactoring.

QUESTION: To meet the CRO's requirement for strict network isolation and prevent data exfiltration of sensitive patient records, which GCP security feature must be implemented?


CASE STUDY: HealthSecure

Company Overview: HealthSecure provides electronic health record (EHR) systems and telemedicine platforms to hospitals across North America. They handle highly sensitive patient data.

Current Technical Environment:
- Co-located data centers with strict physical security.
- Monolithic .NET applications running on Windows Server.
- Microsoft SQL Server databases.
- Custom-built video streaming solution for telemedicine.

Business Requirements:
- Migrate to the cloud to improve scalability during telemedicine surges.
- Maintain strict compliance with HIPAA and HITECH regulations.
- Enable interoperability with other healthcare providers using FHIR standards.

Executive Statements:
- CEO: "Telemedicine is exploding. We need to scale instantly to meet patient demand."
- Chief Risk Officer (CRO): "Security and compliance are our license to operate. A data breach would destroy us."
- CTO: "We want to leverage cloud-native AI/ML for medical image analysis in the future."

Technical Requirements:
- End-to-end encryption for all data at rest and in transit.
- Strict network isolation to prevent data exfiltration.
- Comprehensive audit logging of all data access.
- High availability across multiple regions.

Constraints:
- Must use Customer-Managed Encryption Keys (CMEK).
- Third-party auditors require detailed compliance reports.
- Legacy .NET applications cannot be easily containerized without refactoring.

QUESTION: How should you implement the encryption requirement to satisfy the constraint of using Customer-Managed Encryption Keys (CMEK)?


You are designing the IAM hierarchy for a new GCP organization. The security team insists on the principle of least privilege. A group of developers needs to view Compute Engine instances, restart them, and view Cloud Storage buckets, but they must not be able to delete instances or create new buckets. How should you assign permissions?


You are configuring a GKE cluster that runs multiple microservices. One specific microservice (Pod A) needs to read data from a Cloud Storage bucket. You want to follow the principle of least privilege and avoid using long-lived service account keys. Which TWO steps are required to implement Workload Identity for this pod? (Select TWO)


You are configuring Security Command Center (SCC) Premium for a large financial institution. The CISO wants to be alerted immediately if a service account key is leaked to a public GitHub repository, and wants to detect if any Compute Engine instances are communicating with known malicious IP addresses (botnets). Which TWO SCC built-in services provide these capabilities? (Select TWO)

