The JencoMart security team requires that all Google Cloud Platform infrastructure is deployed using a least privilege model
with separation of duties for administration between production and development resources.
What Google domain and project structure should you recommend?
Note: The principle of least privilege and separation of duties are concepts that, although semantically different, are
intrinsically related from the standpoint of security. The intent behind both is to prevent people from having higher privilege
levels than they actually need.
Principle of Least Privilege: Users should only have the least amount of privileges required to perform their job and no
more. This reduces authorization exploitation by limiting access to resources such as targets, jobs, or monitoring templates
for which they are not authorized.
Separation of Duties: Beyond limiting user privilege level, you also limit user duties, or the specific jobs they can perform.
No user should be given responsibility for more than one related function. This limits the ability of a user to perform a
malicious action and then cover up that action.
Reference: https://cloud.google.com/kms/docs/separation-of-duties
A few days after JencoMart migrates the user credentials database to Google Cloud Platform and shuts down the old server,
the new database server stops responding to SSH connections. It is still serving database requests to the application servers.
What three steps should you take to diagnose the problem? (Choose three.)
C D F
D: Handling "Unable to connect on port 22" error message
Possible causes include:
There is no firewall rule allowing SSH access on the port. SSH access on port 22 is enabled on all Compute Engine
instances by default. If you have disabled access, SSH from the Browser will not work. If you run sshd on a port other than
22, you need to enable the access to that port with a custom firewall rule.
The firewall rule allowing SSH access is enabled, but is not configured to allow connections from GCP Console services.
Source IP addresses for browser-based SSH sessions are dynamically allocated by GCP Console and can vary from
session to session.
F: Handling "Could not connect, retrying..." error
You can verify that the daemon is running by navigating to the serial console output page and looking for output lines
prefixed with the accounts-from-metadata: string. If you are using a standard image but you do not see these output prefixes
in the serial console output, the daemon might be stopped. Reboot the instance to restart the daemon.
Reference: https://cloud.google.com/compute/docs/ssh-in-browser
JencoMart has decided to migrate user profile storage to Google Cloud Datastore and the application servers to Google
Compute Engine (GCE). During the migration, the existing infrastructure will need access to Datastore to upload the data.
What service account key-management strategy should you recommend?
Migrating data to Google Cloud Platform
Let's say that you have some data processing that happens on another cloud provider and you want to transfer the
processed data to Google Cloud Platform. You can use a service account from the virtual machines on the external cloud to
push the data to Google Cloud Platform. To do this, you must create and download a service account key when you create
the service account and then use that key from the external process to call the Cloud Platform APIs.
JencoMart has built a version of their application on Google Cloud Platform that serves traffic to Asia. You want to measure
success against their business and technical goals.
Which metrics should you track?
Business Requirements include: Expand services into Asia
Technical Requirements include: Decrease latency in Asia
The migration of JencoMart's application to Google Cloud Platform (GCP) is progressing too slowly. The infrastructure is
shown in the diagram. You want to maximize throughput.
What are three potential bottlenecks? (Choose three.)
A C E
JencoMart wants to move their User Profiles database to Google Cloud Platform.
Which Google Database should they use?
Common workloads for Google Cloud Datastore:
Reference: https://cloud.google.com/storage-options/
https://cloud.google.com/datastore/docs/concepts/overview
Mountkirk Games wants you to design their new testing strategy. How should the test coverage differ from their existing
backends on the other platforms?
A few of their games were more popular than expected, and they had problems scaling their application servers, MySQL
databases, and analytics tools.
Requirements for Game Analytics Platform include: Dynamically scale up or down based on game activity
Mountkirk Games has deployed their new backend on Google Cloud Platform (GCP). You want to create a thorough testing
process for new versions of the backend before they are released to the public. You want the testing environment to scale in
an economical way. How should you design the process?
From scenario: Requirements for Game Backend Platform
1. Dynamically scale up or down based on game activity
2. Connect to a managed NoSQL database service
3. Run customized Linux distro
Mountkirk Games wants to set up a continuous delivery pipeline. Their architecture includes many small services that they
want to be able to update and roll back quickly. Mountkirk Games has the following requirements:
Services are deployed redundantly across multiple regions in the US and Europe
Only frontend services are exposed on the public internet
They can provide a single frontend IP for their fleet of services
Deployment artifacts are immutable
Which set of products should they use?
Mountkirk Games gaming servers are not automatically scaling properly. Last month, they rolled out a new feature, which
suddenly became very popular. A record number of users are trying to use the service, but many of them are getting 503
errors and very slow response times. What should they investigate first?
503 is the HTTP Service Unavailable error. If the database were offline, every user would be getting the 503 error.