Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Cloud Digital Leader Google Cloud Security — All Questions With Answers

Complete Cloud Digital Leader Google Cloud Security question bank — all 0 questions with answers and detailed explanations.

79 Questions
Question 1 (medium, multiple choice)

A company wants to replace its VPN-based remote access with a zero-trust solution that verifies user identity and device health before granting access to internal applications. Which Google Cloud service should they use?

Question 2 (easy, multiple choice)

An organization needs to ensure that data stored in Cloud Storage is encrypted using keys that they manage and rotate themselves. Which encryption option should they choose?

Question 3 (hard, multiple choice)

A security team needs to monitor and analyze logs from multiple GCP projects to detect threats across the organization. They require a SIEM solution that can ingest logs from on-premises and other clouds. Which service should they use?

Question 4 (medium, multiple choice)

A company wants to protect its web application running on Google Cloud from DDoS attacks and SQL injection. Which service should they use?

Question 5 (medium, multiple choice)

A data engineering team needs to store and manage database passwords and API keys used by their applications. Which Google Cloud service should they use?

Question 6 (easy, multiple choice)

What is the primary purpose of VPC Service Controls?

Question 7 (hard, multiple choice)

A security administrator needs to ensure that Google personnel do not access customer data without explicit authorization. Which service should they use to get logs of Google employee access?

Question 8 (medium, multiple choice)

A company wants to scan its Cloud Storage buckets for sensitive data like credit card numbers and social security numbers. Which service should they use?

Question 9 (easy, multiple choice)

Which principle states that a user should be granted only the permissions necessary to perform their job functions?

Question 10 (medium, multiple choice)

A security team wants to find misconfigurations and vulnerabilities across their Google Cloud environment, including VMs, storage, and IAM. Which service provides a unified view of these findings?

Question 11 (hard, multiple choice)

An administrator wants to enforce that all API calls to a specific Cloud Storage bucket must come from a limited range of IP addresses. Which configuration should they use?

Question 12 (easy, multiple choice)

Which layer of Google's defence-in-depth security model includes the use of TLS for data in transit?

Question 13 (medium, multi-select)

A company wants to implement a zero-trust security model for accessing internal applications. Which TWO Google Cloud services should they use together? (Choose 2)

Question 14 (hard, multi-select)

A security team needs to detect and respond to threats across their cloud environment. Which THREE services should they use together? (Choose 3)

Question 15 (medium, multi-select)

A company needs to encrypt data at rest using keys that they manage, but they want to reduce operational overhead by having Google Cloud host the key management infrastructure. Which TWO options achieve this? (Choose 2)

Question 16 (easy, multiple choice)

A startup wants to secure access to its internal web applications without using a VPN. They need to enforce access based on user identity and device security posture. Which Google Cloud service should they use?

Question 17 (medium, multiple choice)

An organization wants to ensure that all data stored in Cloud Storage is encrypted with customer-managed keys that can be rotated on demand. They also need to log every key use for audit compliance. Which combination of services should they use?

Question 18 (hard, multiple choice)

A security engineer needs to create a VPC Service Controls perimeter that prevents data exfiltration from a project containing sensitive data. The perimeter should allow BigQuery datasets in the project to be accessed only from authorized VMs within the same perimeter. Which step is essential?

Question 19 (medium, multiple choice)

A company wants to detect and prioritize vulnerabilities in their Compute Engine VMs and GKE clusters. They also need a centralized view of security findings across their organization. Which service should they use?

Question 20 (easy, multiple choice)

A developer needs to store a database password securely and access it from a Compute Engine VM. The password should be automatically rotated every 90 days. Which Google Cloud service should they use?

Question 21 (medium, multiple choice)

An organization needs to protect a web application hosted on Google Cloud from DDoS attacks and SQL injection attempts. They want a managed security service that integrates with Cloud Load Balancing. Which service should they use?

Question 22 (hard, multiple choice)

A DevOps engineer wants to audit all actions performed by Google personnel on their customer data stored in Cloud Storage. They need to review logs that show access by Google employees and the reason for access. Which logging feature should they enable?

Question 23 (easy, multiple choice)

A company wants to enforce the principle of least privilege by granting a service account only the permissions necessary to publish messages to a specific Pub/Sub topic. Which IAM approach should they use?

Question 24 (medium, multiple choice)

A security team needs to detect and alert on suspicious outbound network traffic from their GCP environment, such as data exfiltration attempts. They require a managed service that analyzes traffic for threats. Which service should they use?

Question 25 (hard, multiple choice)

An organization has a compliance requirement to run workloads in specific geographic regions only. They want to prevent any resources from being created outside those regions. Which Google Cloud control should they use?

Question 26 (medium, multiple choice)

A company uses Cloud SQL and wants to encrypt data at rest with a key that they manage and rotate themselves. They also want to ensure that the encryption happens automatically before data is written to disk. Which configuration should they choose?

Question 27 (easy, multiple choice)

Which defense-in-depth layer includes measures like access controls, vulnerability management, and intrusion detection systems?

Question 28 (medium, multi-select)

A company wants to protect sensitive data stored in Cloud Storage from being downloaded by users outside their organization. They also need to prevent data from being copied to external projects. Which TWO services should they use? (Choose two.)

Question 29 (hard, multi-select)

A security team needs to implement a zero-trust architecture for a web application that is accessed by both internal employees and external partners. They require context-aware access that checks device posture and identity. Which THREE components should they use? (Choose three.)

Question 30 (medium, multi-select)

A company wants to store encryption keys for encrypting data at rest in Cloud Storage, and also needs to automatically rotate the keys every 30 days. Additionally, they require an audit log of key usage. Which TWO services should they use? (Choose two.)

Question 31 (easy, multiple choice)

A company wants to replace its VPN-based remote access with a solution that grants access based on user identity, device security status, and context (e.g., location, IP). Which Google Cloud service should they use?

Question 32 (medium, multiple choice)

An organization wants to enforce that all data stored in Cloud Storage buckets is encrypted with a key that they control and rotate periodically. They also need to audit key usage. Which approach should they take?

Question 33 (hard, multiple choice)

A security engineer needs to analyze network traffic for malicious payloads and anomalies in real-time across multiple VPC networks in a project. The solution must be managed and not require deploying third-party appliances. Which service should they use?

Question 34 (easy, multiple choice)

Which Google Cloud service provides a fully managed SIEM solution for log analysis, threat detection, and incident response?

Question 35 (medium, multiple choice)

A company wants to ensure that only API calls from within a specific VPC can access their Cloud Storage buckets, even if the bucket is public. Which Google Cloud feature should they use?

Question 36 (medium, multiple choice)

An engineer needs to store database passwords and API keys securely. The secrets must be encrypted at rest with a customer-managed key and automatically rotated every 90 days. Which service should they use?

Question 37 (hard, multiple choice)

A security team wants to be alerted when Google Cloud personnel access their customer data. They need logs that show the reason for access and what data was accessed. Which service provides this?

Question 38 (easy, multiple choice)

Which IAM component determines what actions a user is allowed to perform on a resource?

Question 39 (medium, multiple choice)

A company wants to protect its web application from common web exploits like SQL injection and cross-site scripting. They also need to block traffic from known malicious IP addresses. Which Google Cloud service should they use?

Question 40 (hard, multiple choice)

A DevOps engineer needs to grant a CI/CD pipeline (running on Compute Engine) permissions to deploy a Cloud Run service. The pipeline uses a service account. What is the correct approach to assign the necessary IAM role to the service account?

Question 41 (easy, multiple choice)

Which Google Cloud service helps identify and classify sensitive data such as credit card numbers or personal health information in Cloud Storage and BigQuery?

Question 42 (medium, multiple choice)

An organization needs to enforce that developers can only create Compute Engine instances in the us-central1 region. Which IAM approach should they use?

Question 43 (medium, multi-select)

A security team needs to detect and respond to threats across their Google Cloud environment. Which THREE services should they use together? (Choose 3)

Question 44 (medium, multi-select)

A company wants to ensure data encryption at rest using customer-managed keys for Cloud SQL and Cloud Storage. Which TWO actions must they take? (Choose 2)

Question 45 (hard, multi-select)

An engineer needs to prevent data exfiltration from a project by ensuring that Cloud Storage buckets can only be accessed from within a VPC network. Which TWO steps should they take? (Choose 2)

Question 46 (medium, multiple choice)

A company wants to implement a zero-trust security model to replace its legacy VPN for accessing internal web applications. Employees use both company-managed and personal devices. Which Google Cloud service provides context-aware access based on user identity and device posture?

Question 47 (easy, multiple choice)

An organization needs to store API keys, database passwords, and certificates securely, with automatic rotation and audit logging. Which Google Cloud service should they use?

Question 48 (hard, multiple choice)

A security engineer needs to ensure that a Compute Engine instance can access a Cloud Storage bucket using its own identity, without embedding service account keys in the instance. What should the engineer do?

Question 49 (medium, multiple choice)

A company uses Cloud Storage to store sensitive data. They want to enforce that all objects uploaded are encrypted with a customer-managed key that they can rotate and control. What should they configure?

Question 50 (medium, multiple choice)

An organization wants to detect and respond to threats across their GCP environment, including finding misconfigurations, vulnerabilities, and potential malicious activity. Which service provides a unified view of security findings?

Question 51 (easy, multiple choice)

A small startup wants to protect its web application from common attacks like SQL injection and cross-site scripting (XSS). They also need DDoS protection. Which Google Cloud security service should they use?

Question 52 (hard, multiple choice)

A company wants to ensure that its Google Cloud resources can only be accessed from within a specific VPC network, preventing data exfiltration to the internet. They need to enforce this for Cloud Storage and BigQuery APIs. Which service should they use?

Question 53 (easy, multiple choice)

A company needs to audit all actions performed by administrators on their Google Cloud project, including who accessed what resource and when. Which logging feature should they enable?

Question 54 (medium, multiple choice)

A security analyst needs to analyze large volumes of security logs from multiple GCP projects, detect anomalies, and investigate incidents. The solution should support advanced analytics and threat hunting. Which service is best suited?

Question 55 (medium, multiple choice)

A company wants to encrypt sensitive data stored in Cloud Storage with a key that is generated and stored on-premises using a hardware security module (HSM). They do not want Google to have access to the key. Which encryption option should they use?

Question 56 (hard, multiple choice)

A company has a requirement to rotate encryption keys every 90 days. They are using Cloud KMS to manage keys for Cloud Storage. What is the correct way to achieve key rotation with minimal impact to existing encrypted objects?

Question 57 (easy, multiple choice)

A developer needs to allow a Compute Engine VM to read from a specific Cloud Storage bucket. Which IAM role should be granted to the VM's service account?

Question 58 (medium, multi-select)

A company wants to protect its web application deployed on Google Cloud from OWASP Top 10 attacks and also block traffic from specific geographic regions. Which TWO services should they use together? (Choose 2)

Question 59 (medium, multi-select)

A security team needs to implement the principle of least privilege for a group of data scientists who only need to query BigQuery datasets, but not modify or delete them. Which THREE IAM roles should be granted? (Choose 3)

Question 60 (hard, multi-select)

An organization needs to ensure that data stored in Cloud Storage is encrypted at rest using keys that are rotated every 30 days. They also need to audit who accesses the keys and when. Which THREE services should they use? (Choose 3)

Question 61 (easy, multiple choice)

Which Google Cloud security layer is responsible for protecting data stored on disk using either Google-managed or customer-managed encryption keys?

Question 62 (medium, multiple choice)

A company wants to replace its VPN-based remote access with a solution that grants access to internal web applications based on user identity and device context, without requiring a VPN. Which Google Cloud service should they use?

Question 63 (medium, multiple choice)

A security engineer needs to monitor and analyze security logs from multiple GCP projects and on-premises sources in a centralized SIEM. Which Google Cloud service is designed for log management and security analytics at scale?

Question 64 (hard, multiple choice)

A company has a VPC with multiple subnets and wants to prevent data exfiltration by restricting access to a Cloud Storage bucket from only resources within a defined perimeter. Which Google Cloud service should they use to create an API perimeter around the bucket?

Question 65 (easy, multiple choice)

Which Google Cloud service provides threat intelligence and incident response capabilities, including access to Mandiant expertise?

Question 66 (medium, multiple choice)

A developer needs to store and manage API keys and certificates in a secure, centralized manner, with automatic rotation and integration with Cloud Functions. Which Google Cloud service should they use?

Question 67 (hard, multiple choice)

A company must meet regulatory requirements that restrict where data can be stored and processed. They need to ensure that Google Cloud personnel have limited and audited access to their data. Which combination of services should they use?

Question 68 (medium, multiple choice)

An organization wants to protect its web application from DDoS attacks and SQL injection. Which Google Cloud service should they deploy?

Question 69 (easy, multiple choice)

Which IAM concept defines what actions a user can perform on a resource?

Question 70 (hard, multiple choice)

A security team wants to detect and respond to threats across multiple GCP projects, including identifying misconfigurations and vulnerabilities. They need a single pane of glass. Which service provides a unified view of security findings across projects?

Question 71 (medium, multiple choice)

A company uses Cloud KMS to manage encryption keys. They want to rotate keys automatically every 90 days. How can they achieve this?

Question 72 (medium, multi-select)

Which TWO services help protect against data exfiltration in Google Cloud? (Choose 2)

Question 73 (hard, multi-select)

A company wants to implement the principle of least privilege for a team of developers who need to deploy applications on Compute Engine and monitor logs. Which THREE IAM roles should be granted? (Choose 3)

Question 74 (medium, multi-select)

Which TWO statements about encryption in transit in Google Cloud are correct? (Choose 2)

Question 75 (hard, multi-select)

A security team needs to detect and respond to threats in real time using network traffic analysis and log correlation. Which THREE services should they use? (Choose 3)

Question 76 (easy, multiple choice)

A security engineer wants to ensure that Google personnel cannot access customer data stored in Cloud Storage without explicit customer approval. Which Google Cloud feature should be enabled?

Question 77 (medium, multiple choice)

A company wants to implement a zero-trust access model for its internal applications, eliminating the need for a traditional VPN. Employees should be allowed access based on device posture and user identity, not just network location. Which Google Cloud solution should be used?

Question 78 (medium, multi-select)

A financial services company needs to restrict access to its Cloud Storage buckets containing sensitive customer data. The company wants to prevent data exfiltration by ensuring that only authorized VMs in specific VPCs can access the buckets, and that data cannot be copied to unauthorized locations. Which two Google Cloud services should be used together? (Choose two.)

Question 79 (hard, multi-select)

A large enterprise wants to enforce the principle of least privilege for its cloud resources. The security team needs to audit all IAM policy changes across the organization and ensure that custom roles are used where predefined roles are too permissive. Which three Google Cloud services or features should be combined to achieve this? (Choose three.)
