Common Technical Interview Questions and Answers, Updated on August 18, 2021

Exam Question 31

What is the best strategy for assigning permission for a new application that needs secure access to Google Cloud Platform services from a component running on your local servers?

A. Set up a VPN between your own servers and GCP to communicate in a secure manner.
B. Generate a key file using gcloud for the application service that has appropriate permissions.
C. Configure your service account credentials in the application.
D. Set up new user account permission in the IAM and administrative console and then use these from within the application.
Correct Answer:
B. Generate a key file using gcloud for the application service that has appropriate permissions.
Answer Description:
Generate a key file using gcloud for the application service that has appropriate permissions. This can automate management for the application. A VPN only connects your infrastructure and does not provide access to the service. Directly adding credentials to the configuration files creates a security risk. Configuring new service account credentials is more difficult to manage than key files.

Exam Question 32

What is the best approach for consolidating payment methods for services to a single credit card?

A. Set up a new billing account in the GCP console and add the desired payment method.
B. Contact [email protected] to set up a new account.
C. Move all the projects to a root Organization from within the GCP resource manager.
D. Generate a support ticket with the appropriate details.
Correct Answer:
A. Set up a new billing account in the GCP console and add the desired payment method.
Answer Description:
Set up a new billing account in the GCP console and add the desired payment method. Contacting [email protected] and generating a support ticket are not automated. Moving all the projects to the root Organization will not update the payment method.

Exam Question 33

What is the best approach for scaling the memory in a virtual machine with two vCPUs and 7.5 GB of memory to 15 GB of memory?

A. Stop the VM, increase the memory to 8 GB and then start the VM.
B. Stop the VM, change the machine type to N1-standard-4 and then start the VM.
C. Use live migration to migrate to a VM with more memory.
D. Update the memory size variable from within the GCP console.
Correct Answer:
B. Stop the VM, change the machine type to N1-standard-4 and then start the VM.
Answer Description:
Stop the VM, change the machine type to N1-standard-4 and then start the VM. You need to adopt a new instance, and, in this case, the N1-standard-4 corresponds to more memory. You cannot directly increase the memory using variables or settings, and it is not possible to adjust the memory setting for a VM from within the GCP console.

Exam Question 34

What is the best way to add a new team for viewing billing reports for a project?

A. Add the team’s group to the roles/billing project/manager role.
B. Add the team’s group to the roles/billing viewer role.
C. Add the team’s group to the roles/billing admin role.
D. Add the team’s group to the roles/billing user role.
Correct Answer:
D. Add the team’s group to the roles/billing user role.
Answer Description:
Add the team’s group to the roles/billing user role. The viewer and admin roles grant the group too many permissions. “Billing project/manager” is not the appropriate format.

Exam Question 35

What is the best way to ensure a Google Kubernetes Engine cluster runs the latest stable and supported version of Kubernetes?

A. Configure the node image for the GKE cluster to use the Container-Optimized OS (cos).
B. Configure the GKE cluster to use the latest available version of Kubernetes.
C. Turn on the Node Auto-Upgrades flag for the cluster.
D. Turn on the Node Auto-Repair flag for the cluster.
Correct Answer:
C. Turn on the Node Auto-Upgrades flag for the cluster.
Answer Description:
Turn on the Node Auto-Upgrades flag for the cluster. Auto-Repair will just fix the cluster if a failure occurs. Simply configuring the latest available version will not update when new versions are released. The Container-Optimized OS option will not update to the latest stable and supported version.

Exam Question 36

Which of the following is not a potential shadow IoT device?

A. Medical device
B. Drone
C. Smartphone
D. Wireless thumb drive
Correct Answer:
C. Smartphone
Answer Description:
Although smartphones can serve as a way to control IoT devices and applications, they are not considered IoT devices. Smartphones and PCs serve as general-purpose devices, but IoT devices have dedicated functions such as measuring temperature. With the growing number of connected devices used in personal and work environments, shadow IoT has become a security risk that organizations must not ignore. Employees often connect devices, such as medical devices, drones or wireless thumb drives, to enterprise networks without approval. IT admins can’t monitor and protect unsanctioned connections if they don’t know about them.

Exam Question 37

_________ are physical devices or software programs that route inbound or outbound data between controllers, sensors and devices and the cloud or servers and provide an additional layer of security for IoT data while in transit.

A. IoT actuators
B. IoT portcullis
C. IoT sensors
D. IoT gateways
Correct Answer:
D. IoT gateways
Answer Description:
IoT gateways manage the transfer of IoT data and add an extra security layer because they only transmit authorized data. If an attacker hacks an IoT device, gateways block the data from the network.

Exam Question 38

What is the difference between IoT authentication and authorization?

A. Authentication is the process of device identification, and authorization provides permissions.
B. Authentication provides an undisputed connection, and authorization is the process of writing identification.
C. Authentication gives permissions to human users, but authorization gives permissions to devices.
D. Authentication is when technology confirms you are not a robot, and authorization is when an OS confirms your login information.
Correct Answer:
A. Authentication is the process of device identification, and authorization provides permissions.
Answer Description:
IT admins use device authentication and authorization as components of their cybersecurity strategy. Devices must be authenticated to determine that the device is what it declares it is by checking if its credentials match the credentials in a database or server of authorized users. Authorization gives IoT devices or users permission to do or have something. Both processes ensure IoT devices only have access and permission to do what they need to do.

Exam Question 39

Which of the following is not an authentication method for IoT devices?

A. Two-factor authentication
B. Trusted execution environment
C. Endpoint trust response
D. Hardware root of trust
Correct Answer:
C. Endpoint trust response
Answer Description:
IT admins have many IoT authentication methods to choose from, including two-factor authentication (2FA), trusted execution environment (TEE), hardware root of trust (RoT) and Trusted Platform Module (TPM). In 2FA, devices request two factors to confirm the identity of the device, such as biometrics or a Bluetooth beacon. Hardware RoT has a separate computing engine to manage devices’ cryptographic processors. TEE uses higher level encryption to isolate authentication data from the IoT device’s main processor. TPM is a device chip that stores unique hardware encryption keys, which software can’t access.

Exam Question 40

_________ is an IoT threat defined by its collection of hijacked devices used to launch massive attacks on networks.

A. IoT ransomware
B. IoT malware
C. Shadow IoT
D. IoT botnet
Correct Answer:
D. IoT botnet
Answer Description:
IoT botnet orchestrators have increasingly targeted IoT devices because of their weak security configurations and the massive number of devices in use. IoT devices don’t have the same standards for security built in, and IT administrators can more easily overlook device patches and updates. Attackers might use malware to co-opt devices into the botnet and then use DDoS attacks on a target.