Practice GCDL Google Cloud Security questions with full explanations on every answer.
1. A company wants to replace its VPN-based remote access with a zero-trust solution that verifies user identity and device health before granting access to internal applications. Which Google Cloud service should they use?
2. An organization needs to ensure that data stored in Cloud Storage is encrypted using keys that they manage and rotate themselves. Which encryption option should they choose?
3. A security team needs to monitor and analyze logs from multiple GCP projects to detect threats across the organization. They require a SIEM solution that can ingest logs from on-premises and other clouds. Which service should they use?
4. A company wants to protect its web application running on Google Cloud from DDoS attacks and SQL injection. Which service should they use?
5. A data engineering team needs to store and manage database passwords and API keys used by their applications. Which Google Cloud service should they use?
6. What is the primary purpose of VPC Service Controls?
7. A security administrator needs to ensure that Google personnel do not access customer data without explicit authorization. Which service should they use to get logs of Google employee access?
8. A company wants to scan its Cloud Storage buckets for sensitive data like credit card numbers and social security numbers. Which service should they use?
9. Which principle states that a user should be granted only the permissions necessary to perform their job functions?
10. A security team wants to find misconfigurations and vulnerabilities across their Google Cloud environment, including VMs, storage, and IAM. Which service provides a unified view of these findings?
11. An administrator wants to enforce that all API calls to a specific Cloud Storage bucket must come from a limited range of IP addresses. Which configuration should they use?
12. Which layer of Google's defence-in-depth security model includes the use of TLS for data in transit?
13. A company wants to implement a zero-trust security model for accessing internal applications. Which TWO Google Cloud services should they use together? (Choose 2)
14. A security team needs to detect and respond to threats across their cloud environment. Which THREE services should they use together? (Choose 3)
15. A company needs to encrypt data at rest using keys that they manage, but they want to reduce operational overhead by having Google Cloud host the key management infrastructure. Which TWO options achieve this? (Choose 2)
16. A startup wants to secure access to its internal web applications without using a VPN. They need to enforce access based on user identity and device security posture. Which Google Cloud service should they use?
17. An organization wants to ensure that all data stored in Cloud Storage is encrypted with customer-managed keys that can be rotated on demand. They also need to log every key use for audit compliance. Which combination of services should they use?
18. A security engineer needs to create a VPC Service Controls perimeter that prevents data exfiltration from a project containing sensitive data. The perimeter should allow BigQuery datasets in the project to be accessed only from authorized VMs within the same perimeter. Which step is essential?
19. A company wants to detect and prioritize vulnerabilities in their Compute Engine VMs and GKE clusters. They also need a centralized view of security findings across their organization. Which service should they use?
20. A developer needs to store a database password securely and access it from a Compute Engine VM. The password should be automatically rotated every 90 days. Which Google Cloud service should they use?
21. An organization needs to protect a web application hosted on Google Cloud from DDoS attacks and SQL injection attempts. They want a managed security service that integrates with Cloud Load Balancing. Which service should they use?
22. A DevOps engineer wants to audit all actions performed by Google personnel on their customer data stored in Cloud Storage. They need to review logs that show access by Google employees and the reason for access. Which logging feature should they enable?
23. A company wants to enforce the principle of least privilege by granting a service account only the permissions necessary to publish messages to a specific Pub/Sub topic. Which IAM approach should they use?
24. A security team needs to detect and alert on suspicious outbound network traffic from their GCP environment, such as data exfiltration attempts. They require a managed service that analyzes traffic for threats. Which service should they use?
25. An organization has a compliance requirement to run workloads in specific geographic regions only. They want to prevent any resources from being created outside those regions. Which Google Cloud control should they use?
26. A company uses Cloud SQL and wants to encrypt data at rest with a key that they manage and rotate themselves. They also want to ensure that the encryption happens automatically before data is written to disk. Which configuration should they choose?
27. Which defense-in-depth layer includes measures like access controls, vulnerability management, and intrusion detection systems?
28. A company wants to protect sensitive data stored in Cloud Storage from being downloaded by users outside their organization. They also need to prevent data from being copied to external projects. Which TWO services should they use? (Choose two.)
29. A security team needs to implement a zero-trust architecture for a web application that is accessed by both internal employees and external partners. They require context-aware access that checks device posture and identity. Which THREE components should they use? (Choose three.)
30. A company wants to store encryption keys for encrypting data at rest in Cloud Storage, and also needs to automatically rotate the keys every 30 days. Additionally, they require an audit log of key usage. Which TWO services should they use? (Choose two.)
31. A company wants to replace its VPN-based remote access with a solution that grants access based on user identity, device security status, and context (e.g., location, IP). Which Google Cloud service should they use?
32. An organization wants to enforce that all data stored in Cloud Storage buckets is encrypted with a key that they control and rotate periodically. They also need to audit key usage. Which approach should they take?
33. A security engineer needs to analyze network traffic for malicious payloads and anomalies in real-time across multiple VPC networks in a project. The solution must be managed and not require deploying third-party appliances. Which service should they use?
34. Which Google Cloud service provides a fully managed SIEM solution for log analysis, threat detection, and incident response?
35. A company wants to ensure that only API calls from within a specific VPC can access their Cloud Storage buckets, even if the bucket is public. Which Google Cloud feature should they use?
36. An engineer needs to store database passwords and API keys securely. The secrets must be encrypted at rest with a customer-managed key and automatically rotated every 90 days. Which service should they use?
37. A security team wants to be alerted when Google Cloud personnel access their customer data. They need logs that show the reason for access and what data was accessed. Which service provides this?
38. Which IAM component determines what actions a user is allowed to perform on a resource?
39. A company wants to protect its web application from common web exploits like SQL injection and cross-site scripting. They also need to block traffic from known malicious IP addresses. Which Google Cloud service should they use?
40. A DevOps engineer needs to grant a CI/CD pipeline (running on Compute Engine) permissions to deploy a Cloud Run service. The pipeline uses a service account. What is the correct approach to assign the necessary IAM role to the service account?
41. Which Google Cloud service helps identify and classify sensitive data such as credit card numbers or personal health information in Cloud Storage and BigQuery?
42. An organization needs to enforce that developers can only create Compute Engine instances in the us-central1 region. Which IAM approach should they use?
43. A security team needs to detect and respond to threats across their Google Cloud environment. Which THREE services should they use together? (Choose 3)
44. A company wants to ensure data encryption at rest using customer-managed keys for Cloud SQL and Cloud Storage. Which TWO actions must they take? (Choose 2)
45. An engineer needs to prevent data exfiltration from a project by ensuring that Cloud Storage buckets can only be accessed from within a VPC network. Which TWO steps should they take? (Choose 2)
46. A company wants to implement a zero-trust security model to replace its legacy VPN for accessing internal web applications. Employees use both company-managed and personal devices. Which Google Cloud service provides context-aware access based on user identity and device posture?
47. An organization needs to store API keys, database passwords, and certificates securely, with automatic rotation and audit logging. Which Google Cloud service should they use?
48. A security engineer needs to ensure that a Compute Engine instance can access a Cloud Storage bucket using its own identity, without embedding service account keys in the instance. What should the engineer do?
49. A company uses Cloud Storage to store sensitive data. They want to enforce that all objects uploaded are encrypted with a customer-managed key that they can rotate and control. What should they configure?
50. An organization wants to detect and respond to threats across their GCP environment, including finding misconfigurations, vulnerabilities, and potential malicious activity. Which service provides a unified view of security findings?
51. A small startup wants to protect its web application from common attacks like SQL injection and cross-site scripting (XSS). They also need DDoS protection. Which Google Cloud security service should they use?
52. A company wants to ensure that its Google Cloud resources can only be accessed from within a specific VPC network, preventing data exfiltration to the internet. They need to enforce this for Cloud Storage and BigQuery APIs. Which service should they use?
53. A company needs to audit all actions performed by administrators on their Google Cloud project, including who accessed what resource and when. Which logging feature should they enable?
54. A security analyst needs to analyze large volumes of security logs from multiple GCP projects, detect anomalies, and investigate incidents. The solution should support advanced analytics and threat hunting. Which service is best suited?
55. A company wants to encrypt sensitive data stored in Cloud Storage with a key that is generated and stored on-premises using a hardware security module (HSM). They do not want Google to have access to the key. Which encryption option should they use?
56. A company has a requirement to rotate encryption keys every 90 days. They are using Cloud KMS to manage keys for Cloud Storage. What is the correct way to achieve key rotation with minimal impact to existing encrypted objects?
57. A developer needs to allow a Compute Engine VM to read from a specific Cloud Storage bucket. Which IAM role should be granted to the VM's service account?
58. A company wants to protect its web application deployed on Google Cloud from OWASP Top 10 attacks and also block traffic from specific geographic regions. Which TWO services should they use together? (Choose 2)
59. A security team needs to implement the principle of least privilege for a group of data scientists who only need to query BigQuery datasets, but not modify or delete them. Which THREE IAM roles should be granted? (Choose 3)
60. An organization needs to ensure that data stored in Cloud Storage is encrypted at rest using keys that are rotated every 30 days. They also need to audit who accesses the keys and when. Which THREE services should they use? (Choose 3)
61. Which Google Cloud security layer is responsible for protecting data stored on disk using either Google-managed or customer-managed encryption keys?
62. A company wants to replace its VPN-based remote access with a solution that grants access to internal web applications based on user identity and device context, without requiring a VPN. Which Google Cloud service should they use?
63. A security engineer needs to monitor and analyze security logs from multiple GCP projects and on-premises sources in a centralized SIEM. Which Google Cloud service is designed for log management and security analytics at scale?
64. A company has a VPC with multiple subnets and wants to prevent data exfiltration by restricting access to a Cloud Storage bucket from only resources within a defined perimeter. Which Google Cloud service should they use to create an API perimeter around the bucket?
65. Which Google Cloud service provides threat intelligence and incident response capabilities, including access to Mandiant expertise?
66. A developer needs to store and manage API keys and certificates in a secure, centralized manner, with automatic rotation and integration with Cloud Functions. Which Google Cloud service should they use?
67. A company must meet regulatory requirements that restrict where data can be stored and processed. They need to ensure that Google Cloud personnel have limited and audited access to their data. Which combination of services should they use?
68. An organization wants to protect its web application from DDoS attacks and SQL injection. Which Google Cloud service should they deploy?
69. Which IAM concept defines what actions a user can perform on a resource?
70. A security team wants to detect and respond to threats across multiple GCP projects, including identifying misconfigurations and vulnerabilities. They need a single pane of glass. Which service provides a unified view of security findings across projects?
71. A company uses Cloud KMS to manage encryption keys. They want to rotate keys automatically every 90 days. How can they achieve this?
72. Which TWO services help protect against data exfiltration in Google Cloud? (Choose 2)
73. A company wants to implement the principle of least privilege for a team of developers who need to deploy applications on Compute Engine and monitor logs. Which THREE IAM roles should be granted? (Choose 3)
74. Which TWO statements about encryption in transit in Google Cloud are correct? (Choose 2)
75. A security team needs to detect and respond to threats in real time using network traffic analysis and log correlation. Which THREE services should they use? (Choose 3)
76. A security engineer wants to ensure that Google personnel cannot access customer data stored in Cloud Storage without explicit customer approval. Which Google Cloud feature should be enabled?
77. A company wants to implement a zero-trust access model for its internal applications, eliminating the need for a traditional VPN. Employees should be allowed access based on device posture and user identity, not just network location. Which Google Cloud solution should be used?
78. A financial services company needs to restrict access to its Cloud Storage buckets containing sensitive customer data. The company wants to prevent data exfiltration by ensuring that only authorized VMs in specific VPCs can access the buckets, and that data cannot be copied to unauthorized locations. Which two Google Cloud services should be used together? (Choose two.)
79. A large enterprise wants to enforce the principle of least privilege for its cloud resources. The security team needs to audit all IAM policy changes across the organization and ensure that custom roles are used where predefined roles are too permissive. Which three Google Cloud services or features should be combined to achieve this? (Choose three.)
The Google Cloud Security domain covers the key concepts tested in this area of the GCDL exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all GCDL domains — no account required.
The Courseiva GCDL question bank contains 79 questions in the Google Cloud Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Google Cloud Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.