A. Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.

• B. Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.

• C. In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.

• D. In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.

A. Remove all users from the Project Creator role at the organizational level.

• B. Create an Organization Policy constraint, and apply it at the organizational level.

• C. Grant the Project Editor role at the organizational level to a designated group of users.

D. Add a designated group of users to the Project Creator role at the organizational level.

• E. Grant the billing account creator role to the designated DevOps team.

A. Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally

• B. Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.

• C. Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).

• D. Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.

A. Create an ingress firewall rule to allow access only from the application to the database using firewall tags

• B. Create a different subnet for the frontend application and database to ensure network isolation.

• C. Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.

• D. Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.

Hide Solution  Discussion  17

A. Multifactor Authentication

• B. A strict password policy

• C. Captcha on login pages

• D. Encrypted emails

A. VPC peering

• B. Cloud VPN

• C. Cloud Interconnect

• D. Shared VPC

• A. Enable Private Access on the VPC network in the production project.

• B. Remove the Editor role and grant the Compute Admin IAM role to the engineers.

C. Set up an organization policy to only permit public IPs for the front-end Compute Engine instances

• D. Set up a VPC network with two subnets: one with public IPs and one without public IPs.