Cloud Digital Leader Trust and security with Google Cloud — All Questions With Answers

Complete Cloud Digital Leader Trust and security with Google Cloud question bank — all 0 questions with answers and detailed explanations.

101 questions
Question 1 (easy, multiple choice)

Google Cloud encrypts all customer data at rest by default without any configuration required. A customer asks: 'Do we need to do anything special to encrypt our data stored in Cloud Storage?' What is the correct answer?

Question 2 (medium, multiple choice)

A security architect wants to implement a 'never trust, always verify' security approach where no user or service is assumed to be trustworthy based on network location alone. Every access request must be authenticated and authorized regardless of whether it comes from inside or outside the corporate network. Which security model describes this approach?

Question 3 (easy, multiple choice)

A company is concerned about which security responsibilities belong to Google versus which belong to them when using Google Cloud's managed database service (Cloud SQL). In the shared responsibility model, which security tasks does Google handle?

Question 4 (medium, multiple choice)

A healthcare company needs to store patient data in Google Cloud and must comply with HIPAA (Health Insurance Portability and Accountability Act). Which statement correctly describes how Google Cloud helps them achieve HIPAA compliance?

Question 5 (medium, multiple choice)

An organization uses Google Cloud Identity and Access Management (IAM). A new employee is a data engineer who needs to read BigQuery datasets and run queries but should NOT be able to create new datasets, delete tables, or modify IAM policies. Which IAM role should be assigned?

Question 6 (hard, multiple choice)

A company wants to ensure that sensitive data (credit card numbers, SSNs) stored in BigQuery is automatically identified and protected. They also want ongoing scanning to detect if any new data violates their data governance policies. Which Google Cloud service provides these capabilities?

Question 7 (easy, multiple choice)

When data is transmitted between a user's browser and a Google Cloud-hosted web application over HTTPS, which security protection does this provide?

Question 8 (medium, multiple choice)

A company is evaluating Google Cloud and wants to know: what is Access Transparency, and how does it benefit customers with stringent governance requirements?

Question 9 (medium, multiple choice)

A company stores its data in Google Cloud. The security team asks: can Google employees access our customer data without our knowledge or consent? What does Google's commitment ensure?

Question 10 (hard, multiple choice)

A regulated financial services firm must ensure that its data never leaves a specific geographic region (EU) for compliance with GDPR data residency requirements. Which Google Cloud features help enforce this requirement?

Question 11 (easy, multiple choice)

What compliance certification verifies that an organization's Information Security Management System (ISMS) meets internationally recognized standards for managing information security risks?

Question 12 (medium, multiple choice)

A company uses Google Workspace for identity. They want employees to use their Google Workspace credentials to access third-party applications (Salesforce, Slack, etc.) without separate passwords for each app. Which technology enables this?

Question 13 (easy, multiple choice)

A company's security policy requires all employees to verify their identity using more than just a password when accessing Google Cloud resources. What security feature enforces this requirement?

Question 14 (medium, multiple choice)

Google's physical data center security includes multiple layers of protection. Which of the following is NOT a physical security measure Google uses at its data centers?

Question 15 (hard, multiple choice)

A company has a requirement from their security auditor to demonstrate that all administrative actions performed in Google Cloud (such as creating VMs, modifying IAM policies, and deleting storage buckets) are logged and tamper-evident. Which Cloud Logging log type fulfills this requirement?

Question 16 (medium, multiple choice)

A company wants to ensure that even if an attacker compromises an employee's password and passes MFA, the attacker cannot access sensitive Google Cloud resources from an unmanaged personal laptop. Which Google security feature enforces device trust as part of access decisions?

Question 17 (easy, multiple choice)

A company stores customer data in Google Cloud and wants to ensure data confidentiality in the event that hardware is decommissioned and returned by Google. How does Google protect customer data when storage hardware reaches end of life?

Question 18 (medium, multiple choice)

A company uses Google Cloud and has a compliance requirement to store certain data only within the European Union and ensure it cannot be accessed from outside the EU, even by Google operations personnel. Which Google Cloud offering specifically addresses this level of data sovereignty?

Question 19 (hard, multiple choice)

A security team wants to get a comprehensive, organization-wide view of security misconfigurations (such as publicly accessible storage buckets, VMs without firewalls, and IAM overprivilege), vulnerabilities in container images, and active threats across all Google Cloud projects. Which Google Cloud service provides this unified security posture management?

Question 20 (medium, multiple choice)

A company wants to know: if Google Cloud experiences a data breach that exposes customer data, what are Google's notification obligations under standard Cloud service terms?

Question 21 (easy, multiple choice)

The principle of least privilege is a fundamental security concept applied to IAM in Google Cloud. Which statement best describes this principle?

Question 22 (medium, multiple choice)

A company uses service accounts to allow their application running on a Compute Engine VM to access Cloud Storage. Which is the most secure way to configure this service account access?

Question 23 (medium, multiple choice)

A company stores encryption keys in Cloud KMS to protect sensitive data. What does Cloud KMS provide that standard application-layer encryption does not?

Question 24 (easy, multiple choice)

A company classifies its data into four sensitivity levels: Public, Internal, Confidential, and Restricted. Which type of data would typically be classified as 'Restricted' and require the highest level of security controls?

Question 25 (hard, multiple choice)

A security team wants to ensure that only container images built by their approved CI/CD pipeline can run in their GKE cluster. Images built outside the approved process — even by internal engineers — should be blocked. Which Google Cloud security feature enforces this?

Question 26 (medium, multiple choice)

A company wants to allow a third-party security firm to conduct a penetration test against their Google Cloud environment to identify vulnerabilities. What is Google Cloud's policy on penetration testing?

Question 27 (easy, multiple choice)

Which Google Cloud feature provides reports on how Google processes government requests for customer data and how often Google challenges overly broad requests?

Question 28 (medium, multiple choice)

A company's application stores user passwords. Their security team says passwords must be stored as hashes, never in plaintext. They want to ensure this requirement is met even if a database is compromised. Why is password hashing (with salt) the correct approach?

Question 29 (hard, multiple choice)

An organization's security team reviews their Google Cloud environment and finds that several Cloud Storage buckets have `allAuthenticatedUsers` bindings, and multiple service accounts have the Owner role. Which Google Cloud tool automatically identifies these types of high-risk IAM configurations?

Question 30 (medium, multiple choice)

A company's security architect wants to implement 'privacy by design' principles when building a new customer data platform on Google Cloud. What does privacy by design mean in this context?

Question 31 (easy, multiple choice)

A company's security team wants to ensure that only approved corporate devices can access Google Cloud resources, regardless of whether the user has valid credentials. Which Google Cloud security capability enforces device-level access requirements?

Question 32 (medium, multiple choice)

A financial services company is subject to regulations requiring them to demonstrate that their cloud provider's employees cannot access customer data without the customer's explicit approval. Which Google Cloud feature most directly addresses this requirement?

Question 33 (medium, multiple choice)

A security team is reviewing a developer's request to be granted the 'Owner' role on a production Google Cloud project 'just in case they need broad access.' The security team rejects this and instead grants a more specific role. Which security principle does the security team's decision enforce?

Question 34 (hard, multiple choice)

A company is moving a regulated workload to Google Cloud and must ensure that their encryption keys are stored in a hardware security module (HSM) that meets FIPS 140-2 Level 3 validation. Which Google Cloud key management option satisfies this requirement?

Question 35 (medium, multiple choice)

A company has employees who use personal (unmanaged) devices to access corporate applications. The security team wants to prevent sensitive Google Workspace documents from being downloaded to personal devices. Which Google control most directly addresses this data loss prevention requirement for device-based scenarios?

Question 36 (easy, multiple choice)

A startup is building a web application and wants to protect it from common web attacks like SQL injection and cross-site scripting. Which Google Cloud product provides web application firewall (WAF) capabilities?

Question 37 (hard, multiple choice)

An organization wants to ensure that Google Cloud services used by its employees cannot be used to exfiltrate data to a competitor's Google Cloud project. For example, they want to prevent copying data from their Cloud Storage bucket to a Storage bucket owned by a competitor. Which Google Cloud security control most directly prevents this type of insider data exfiltration?

Question 38 (medium, multiple choice)

A company has migrated sensitive customer data to Google Cloud. The legal team asks: 'If Google is hosting our data, who is responsible for ensuring that data is not improperly accessed by unauthorized users through our application?' Under the shared responsibility model, how should the CTO answer?

Question 39 (easy, multiple choice)

A company's security policy requires that all cloud-to-cloud communication between services must be encrypted in transit. An auditor asks how Google Cloud handles encryption for network traffic between Google services within its network. What is Google's default approach to encryption in transit within its infrastructure?

Question 40 (hard, multiple choice)

A CISO is evaluating Google Cloud's security posture and asks about independent third-party validation of Google's security practices. Which types of certifications and audit reports most directly provide this independent assurance?

Question 41 (easy, multiple choice)

A company's security team wants to be alerted when someone with administrative permissions changes an IAM policy in their Google Cloud organization. Which Google Cloud capability enables this detection?

Question 42 (medium, multiple choice)

A multinational company must ensure that personal data of European citizens stored in Google Cloud cannot be accessed by or transferred to systems outside the European Union, as required by GDPR data residency requirements. Which Google Cloud controls most directly enforce this?

Question 43 (hard, multiple choice)

A security audit finds that a company's application service accounts have been granted broad IAM roles (e.g., Storage Admin on the entire project) when they only need to read specific Cloud Storage buckets. The auditor recommends following the principle of least privilege. What is the most precise way to implement this for the Cloud Storage use case?

Question 44 (medium, multiple choice)

An enterprise's security team is implementing a strategy to protect against 'credential stuffing' attacks — where attackers use lists of username/password combinations from previous data breaches to try to log in to the company's applications. Which authentication control most effectively mitigates this threat?

Question 45 (easy, multiple choice)

A developer accidentally commits an application's Google Cloud service account key to a public GitHub repository. The key is valid and grants access to production resources. What is the correct immediate response?

Question 46 (medium, multiple choice)

A CISO asks why Google Cloud's security model is described as a 'defense-in-depth' approach. Which explanation best describes this concept in the context of Google Cloud's infrastructure security?

Question 47 (hard, multiple choice)

A company runs a multi-tenant SaaS application on Google Cloud where each customer's data must be strictly isolated from other customers'. A security architect is evaluating approaches: (A) logical isolation using application-level tenant IDs in a shared database, (B) IAM-based separation using separate service accounts per tenant, or (C) infrastructure-level isolation with separate Google Cloud projects per tenant. Which approach provides the strongest isolation guarantee?

Question 48 (medium, multiple choice)

A company's compliance team asks what evidence they can provide to regulators to demonstrate that Google Cloud services meet industry security standards. Which type of documentation most directly provides this evidence?

Question 49 (easy, multiple choice)

A company is concerned that employees might accidentally or maliciously upload sensitive personal data (such as credit card numbers or Social Security Numbers) to Cloud Storage buckets. Which Google Cloud product can automatically scan uploaded files and identify sensitive data patterns?

Question 50 (hard, multiple choice)

A CISO is implementing a Zero Trust security architecture for the company's Google Cloud environment. Under Zero Trust, which fundamental assumption about network traffic changes compared to traditional perimeter-based security?

Question 51 (medium, multiple choice)

A company is moving its financial reporting application to Google Cloud. The CFO asks: 'If Google Cloud experiences a data breach and our financial data is exposed, who is financially liable?' How should the cloud architect answer this question?

Question 52 (easy, multiple choice)

An organization wants to use Google Cloud for processing healthcare data subject to HIPAA regulations in the United States. Which contractual document must the organization obtain from Google before storing Protected Health Information (PHI) in Google Cloud?

Question 53 (hard, multiple choice)

A CISO is designing an identity strategy for Google Cloud that follows Zero Trust principles. She proposes that no long-lived credentials (API keys, service account keys) should be used for any automated workloads. What Google Cloud mechanism replaces service account keys for authenticating workloads running on Google Cloud infrastructure?

Question 54 (medium, multiple choice)

A security team is conducting a threat model for their Google Cloud environment. They identify 'insider threat' — a malicious authorized employee who intentionally exfiltrates or destroys data — as a key risk. Which combination of Google Cloud controls most effectively mitigates this risk?

Question 55 (easy, multiple choice)

A company wants to ensure that their confidential data stored in BigQuery cannot be shared outside the company's Google Cloud organization. Which Google Cloud security capability prevents data from being shared with external Google accounts (outside the organization)?

Question 56 (medium, multiple choice)

A company's security policy requires that when an employee is terminated, their access to all cloud resources must be revoked immediately — including any active sessions. Which approach most comprehensively achieves this in a Google Cloud environment integrated with Google Workspace?

Question 57 (hard, multiple choice)

A company's risk management team wants to understand Google Cloud's approach to supply chain security — specifically, how Google ensures that the hardware and firmware running in its data centers have not been tampered with. Which Google security initiative addresses hardware supply chain integrity?

Question 58 (medium, multiple choice)

A company's application stores sensitive customer information in Cloud Storage. A security audit finds that one bucket has 'allUsers' access granted (making it publicly accessible on the internet). The security team wants to prevent this from happening in the future. Which control prevents public access from being granted to Cloud Storage buckets?

Question 59 (easy, multiple choice)

A company's employees use Google Workspace for email, documents, and collaboration. The IT team wants to require all employees to use a physical security key (like a YubiKey) as their second authentication factor when signing in — eliminating phishing-vulnerable SMS and authenticator app codes. Which Google Workspace security capability supports this requirement?

Question 60 (hard, multiple choice)

A security architect is evaluating Google Cloud's approach to securing customer data against both external attackers and potential internal Google personnel access. She identifies four distinct controls: (1) encryption at rest by default, (2) Access Transparency logs, (3) Customer-Managed Encryption Keys (CMEK), and (4) Access Approval. How do these four controls work together to provide layered data protection?

Question 61 (medium, drag order)

Drag and drop the steps to configure a load balancer for an HTTP application on Compute Engine into the correct order.

Question 62 (medium, drag order)

Drag and drop the steps to set up a Cloud NAT for private Compute Engine instances to access the internet in the correct order.

Question 63 (medium, matching)

Match each Google Cloud data service to its primary function.


Managed relational database (MySQL, PostgreSQL, SQL Server)

Globally distributed, strongly consistent relational database

NoSQL document database for mobile and web apps

NoSQL wide-column database for large analytical workloads

Managed in-memory cache (Redis/Memcached)

Question 64 (medium, matching)

Match each Google Cloud storage class to its use case.


Frequently accessed data, low latency

Data accessed less than once a month

Data accessed less than once a quarter

Data accessed less than once a year

Automatic placement of objects into appropriate classes

Question 65 (easy, multiple choice)

A small IT team needs to grant developers the ability to deploy instances in a project but not delete them. Which IAM best practice should they use?

Question 66 (medium, multiple choice)

A healthcare company must store PHI in Cloud Storage. They require encryption at rest and in transit, and need to comply with HIPAA. Which combination of Google Cloud features should they implement?

Question 67 (hard, multiple choice)

A multinational corporation uses Cloud Identity-Aware Proxy (IAP) to secure access to applications. They notice that some users outside the corporate network can still reach the applications. What is the most likely misconfiguration?

Question 68 (easy, multiple choice)

A company wants to enforce that all Cloud Storage buckets in a project have uniform bucket-level access enabled. Which Google Cloud tool should they use?

Question 69 (medium, multiple choice)

A company's security team wants to detect and remediate public exposure of Cloud SQL instances. Which service should they use?

Question 70 (hard, multiple choice)

An organization stores sensitive data in BigQuery. They need to restrict access to specific columns based on user role, while allowing analysis at the dataset level. Which feature should they use?

Question 71 (easy, multiple choice)

A startup wants to automatically rotate encryption keys used for Cloud Storage objects every 90 days. Which service should they use?

Question 72 (medium, multiple choice)

A company uses Cloud Load Balancing to distribute traffic to Compute Engine VMs. They want to protect against SQL injection and cross-site scripting attacks. Which service should they enable?

Question 73 (hard, multiple choice)

A financial services company needs to ensure that all access to sensitive data in Cloud Storage is logged with information about the user and the reason for access. Which feature should they enable?

Question 74 (medium, multi select)

Which TWO Google Cloud services help prevent data exfiltration from virtual machines?

Question 75 (medium, multi select)

Which TWO actions are the customer's responsibility under the GCP shared responsibility model?

Question 76 (hard, multi select)

Which THREE are required to achieve HIPAA compliance on Google Cloud?

Question 77 (medium, multiple choice)

Refer to the exhibit. A security engineer applies this IAM policy. What is the effect?

Exhibit

```
gcloud projects set-iam-policy my-project policy.yaml
```
policy.yaml:
```
{
  "bindings": [
    {
      "role": "roles/compute.admin",
      "members": [
        "user:admin@example.com"
      ],
      "condition": {
        "title": "workstation_ip",
        "expression": "request.host == '203.0.113.1'"
      }
    }
  ]
}
```

Question 78 (hard, multiple choice)

Refer to the exhibit. A developer receives this error when trying to create a Compute Engine instance. The developer is authenticated as a user with Project Editor role. What is the most likely cause?

Exhibit

```
Error:
# gcloud compute instances create my-instance --zone us-central1-a
ERROR: (gcloud.compute.instances.create) Could not fetch resource:
 - Account 'my-service-account@project-id.iam.gserviceaccount.com' requires permission 'compute.instances.create' on project 'my-project'
```

Question 79 (easy, multiple choice)

Refer to the exhibit. A security administrator reviews this Cloud Audit Logs entry. What does this entry indicate?

Exhibit

```
$ gcloud logging read "resource.type=project AND severity=ERROR" --limit 5
timestamp: 2023-10-05T10:30:00Z
protoPayload:
  methodName: "storage.objects.get"
  authenticationInfo:
    principalEmail: "user@example.com"
  resourceName: "projects/_/buckets/my-bucket/objects/secret.pdf"
```

Question 80 (easy, multiple choice)

A startup is building a mobile health app that stores sensitive patient data in Cloud Storage. They want to ensure data is encrypted at rest using a key they manage themselves and rotate monthly. Which encryption approach should they use?

Question 81 (medium, multiple choice)

A retail company uses Google Cloud to run an online store. They have a security requirement that all API calls to Cloud Storage must come from the company's on-premises network only. Which Google Cloud security feature should they implement?

Question 82 (hard, multiple choice)

A financial services company is designing a multi-cloud architecture with Google Cloud and AWS. They need to encrypt data at rest in Google Cloud using a key stored in their on-premises Hardware Security Module (HSM). What is the best approach?

Question 83 (easy, multiple choice)

A company wants to grant a data analyst read-only access to specific BigQuery datasets, but only if the request comes from within the corporate network. Which two Google Cloud tools should they combine to enforce this?

Question 84 (medium, multiple choice)

A security engineer notices that a Compute Engine instance is running a VM with a public IP that should not be accessible from the internet. They want to ensure this configuration is prevented by default for all future projects in the organization. What should they do?

Question 85 (hard, multiple choice)

A multinational corporation must comply with data residency requirements that prohibit storing data outside specific geographic regions. They plan to use BigQuery for analytics. How can Google Cloud help enforce this requirement?

Question 86 (easy, multiple choice)

A cloud architect wants to ensure that only certain users in the finance team can access a Cloud Storage bucket containing invoices. They also want to log all access attempts. Which two services should they use?

Question 87 (medium, multiple choice)

A company uses Cloud SQL for MySQL and wants to ensure that data is encrypted at rest using customer-managed keys. They also need to rotate the key every 90 days. What should they do?

Question 88 (hard, multiple choice)

An organization uses Security Command Center (SCC) premium tier and wants to automatically remediate a specific finding type by disabling public access to Cloud Storage buckets. What is the recommended approach?

Question 89mediummulti select

Which TWO statements about Cloud Identity-Aware Proxy (IAP) are correct?

Question 90 (hard, multi select)

Which THREE practices are recommended for securing a Kubernetes cluster in Google Kubernetes Engine (GKE)?

Question 91 (easy, multi select)

Which TWO features are part of Cloud Data Loss Prevention (Cloud DLP)?

Question 92 (hard, multiple choice)

A healthcare company runs its critical application on Google Cloud. The application uses Cloud SQL for patient records, Cloud Storage for medical images, and Pub/Sub for data ingestion. The security team requires that all data at rest be encrypted with a key that is managed and rotated by their on-premises HSM. They also need to ensure that any potential data exfiltration is immediately detected and prevented. Recently, a vulnerability scan revealed that a Cloud SQL instance had a public IP. The team wants to enforce that no Cloud SQL instance can be created with a public IP across the entire organization. Additionally, they need to implement a solution to monitor and alert on any suspicious activity, such as a large download from Cloud Storage. They have a limited budget and cannot afford complex custom solutions. Which combination of Google Cloud services should they use to meet these requirements?

Question 93 (easy, multiple choice)

A company is migrating its on-premises applications to Google Cloud. The security team requires that all data be encrypted both in transit and at rest. Which approach meets these requirements with minimal operational overhead?

Question 94 (medium, multiple choice)

A healthcare company must comply with HIPAA and store all protected health information (PHI) only in the United States. They use Google Cloud and want to prevent any accidental data storage outside the US. Which two services should they implement?

Question 95 (hard, multi select)

Which TWO of the following are best practices for securing a Google Cloud environment? (Choose two.)

Question 96 (hard, multiple choice)

A multinational corporation operates a hybrid cloud environment with on-premises data centers connected to Google Cloud via Dedicated Interconnect. The company uses Cloud Storage to store sensitive financial data and has enabled Cloud Audit Logs for admin activities. Recently, the security team noticed that an unknown actor accessed a bucket containing customer personally identifiable information (PII). The access occurred from an IP address outside the corporate network. The security team suspects that an employee's Google Cloud credentials were compromised. They need to investigate the incident thoroughly and determine the extent of the breach. The company has enabled VPC Flow Logs, but they are not sure how to correlate the audit logs with network flows. They also want to ensure that similar incidents are prevented in the future. What should the security team do first to investigate the incident?

Question 97 (medium, multiple choice)

A technology company runs its containerized microservices on Google Kubernetes Engine (GKE). The development team frequently pushes new container images to Container Registry, and those images are deployed to a production cluster. The security team recently discovered that a few running containers have critical vulnerabilities from outdated base images. They want to enforce a policy that only vulnerability-scanned and approved images can be deployed in the production cluster. The team uses Cloud Build for CI/CD and Container Analysis for vulnerability scanning. Which solution should they implement to meet this requirement?

Question 98 (easy, multiple choice)

A small e-commerce company runs its website on Compute Engine instances behind a Global External HTTP(S) Load Balancer. They are concerned about application-layer DDoS attacks, such as SQL injection and cross-site scripting (XSS), that could compromise customer data and degrade performance. The company wants a managed solution that provides both DDoS protection and web application firewall (WAF) capabilities without requiring constant manual updates. They have a limited budget and prefer a solution that is easy to configure and does not require extensive infrastructure changes. What should they implement?

Question 99 (easy, multi select)

A company stores sensitive customer data in Cloud Storage buckets. The security team wants to ensure that only authorized users can access the data, and access is logged for audit. Which two practices should they implement? (Choose two.)

Question 100 (medium, multiple choice)

Refer to the exhibit. The IAM policy is applied at the project level. The bucket 'sensitive-data' exists and contains objects. What is the effective access for user alice@example.com?

Exhibit

{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:alice@example.com",
        "user:bob@example.com"
      ]
    },
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "user:carol@example.com"
      ],
      "condition": {
        "title": "restrict_to_sensitive_bucket",
        "expression": "resource.name.startsWith('projects/_/buckets/sensitive-data/objects/')"
      }
    }
  ],
  "etag": "BwW3ZJf4G7A="
}

Question 101 (hard, multiple choice)

A healthcare organization is migrating a HIPAA-covered application to Google Cloud. The application processes electronic protected health information (ePHI) and must maintain strict data residency within a specific geographic region. The organization has already signed a Business Associate Agreement (BAA) with Google Cloud. During a compliance review, the security team discovers that one of the Cloud Storage buckets containing ePHI is located in the 'US' multi-region, but the organization's data residency policy requires data to be stored only in the United States region (e.g., us-central1). The bucket was created without any enforcement of organization policies. The team also finds that several Compute Engine instances in the us-central1 zone have public IP addresses and are accessible over the internet via SSH, which could expose ePHI in transit. The security team needs to remediate these issues while minimizing downtime and without violating the BAA. Which course of action should the security team take first?
