CCNA Configuring access and security Questions

75 of 98 questions · Page 1/2 · Configuring access and security · Answers revealed

Question 1 · MCQ · medium

Your company runs a microservices application on Google Kubernetes Engine (GKE) with a shared VPC. The security team requires that all pod-to-pod traffic be encrypted using TLS. Additionally, you need to restrict which pods can communicate with each other. The application uses a service mesh with Istio. You have enabled Istio mTLS in STRICT mode, but you notice that some pods are still able to communicate with other pods without TLS. You have verified that all pods have the Istio sidecar injected. What should you do to fix the issue?

A. Enable VPC Flow Logs to identify the unencrypted traffic.
B. Restart all pods to force re-injection of the sidecar.
C. Apply a Kubernetes Network Policy to deny all non-mTLS traffic.
D. Ensure that the GKE cluster has the Istio add-on enabled for all node pools.

Answer: C

Network Policies can restrict traffic to only that going through the sidecar, ensuring mTLS is used.

Why this answer

Option C is correct because Istio mTLS in STRICT mode only enforces encryption between sidecars that are properly configured and have discovered each other via the Istio control plane. However, if a pod bypasses the sidecar (e.g., by using a hostNetwork or a non-sidecar port), or if the sidecar is not enforcing the policy due to a misconfiguration, plaintext traffic can still flow. Applying a Kubernetes Network Policy that explicitly denies all non-mTLS traffic (e.g., by blocking TCP port 80 and allowing only port 443 or the Istio mTLS port) provides a defense-in-depth layer that blocks any unencrypted communication at the network layer, regardless of sidecar behavior.

Exam trap

Google Cloud often tests the misconception that Istio mTLS alone is sufficient to enforce encryption at all layers, but the trap here is that sidecar injection and STRICT mode do not cover traffic that bypasses the sidecar (e.g., via hostNetwork or non-mesh ports), so a Network Policy is needed as a fallback enforcement mechanism.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs only capture metadata about network flows (source, destination, ports, packets) and cannot inspect payload content to determine if TLS is used; they cannot enforce encryption or block traffic. Option B is wrong because restarting pods does not change the underlying Istio configuration or sidecar behavior; if the sidecar is already injected and mTLS is in STRICT mode, a restart will not fix a misconfiguration or a bypass scenario. Option D is wrong because the Istio add-on for GKE node pools is a legacy feature that installs Istio system components; it does not control per-pod mTLS enforcement or fix the issue of pods communicating without TLS when sidecars are already present.

Question 2 · MCQ · medium

A team's Cloud Storage bucket containing backups has been accidentally made publicly readable. A monitoring alert fires. What is the fastest way to remove public access?

A. Delete the bucket and recreate it with correct permissions
B. Remove the 'allUsers' IAM binding from the bucket using the Console or gcloud/gsutil
C. Enable VPC Service Controls around Cloud Storage to block all external access
D. Apply a Cloud Armor policy to Cloud Storage to block external IPs

Answer: B

Removing the `allUsers:objectViewer` binding immediately revokes public read access without affecting the data or other users' access.

Why this answer

Removing the `allUsers` and `allAuthenticatedUsers` IAM bindings from the bucket removes public access. Alternatively, enabling 'Uniform bucket-level access' and removing the public policy achieves the same. The fastest path is `gsutil iam ch -d allUsers:objectViewer gs://[BUCKET]` or the Console's Permissions tab.
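The remediation above, worked as an added example (not code from the page): given a bucket policy in the JSON shape `gsutil iam get` prints, find every binding that names a public principal, derive the exact `gsutil iam ch -d` commands, and produce a cleaned policy that keeps all other members and the etag. The policy and bucket name are constructed.

```python
import copy
import json

# Principals that expose objects to the whole internet, or to anyone holding
# any Google account, when they appear in a binding.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample bucket policy in the JSON shape `gsutil iam get` prints.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["group:backup-ops@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "user:alice@example.com"]},
    {"role": "roles/storage.legacyBucketReader",
     "members": ["allAuthenticatedUsers"]}
  ],
  "etag": "CAE="
}
""")


def find_public_bindings(policy):
    """Return (role, principal) pairs that expose the bucket publicly."""
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                hits.append((binding["role"], member))
    return hits


def strip_public_members(policy):
    """Return a copy of the policy with public principals removed from every
    binding. Other members stay untouched, bindings left empty are dropped,
    and the etag is preserved so the result can be re-applied with
    `gsutil iam set` without silently overwriting a concurrent change."""
    cleaned = copy.deepcopy(policy)
    kept = []
    for binding in cleaned.get("bindings", []):
        binding["members"] = [m for m in binding["members"]
                              if m not in PUBLIC_PRINCIPALS]
        if binding["members"]:
            kept.append(binding)
    cleaned["bindings"] = kept
    return cleaned


def remediation_commands(bucket, hits):
    """One `gsutil iam ch -d` per offending binding, using the short role
    name gsutil expects (objectViewer rather than roles/storage.objectViewer)."""
    return [
        f"gsutil iam ch -d {member}:{role.removeprefix('roles/storage.')} gs://{bucket}"
        for role, member in hits
    ]


if __name__ == "__main__":
    hits = find_public_bindings(SAMPLE_POLICY)
    for cmd in remediation_commands("example-backups", hits):
        print(cmd)
    print(json.dumps(strip_public_members(SAMPLE_POLICY), indent=2))
```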

Question 3 · MCQ · medium

A GCP project needs to allow outbound internet access from VMs that have only private IP addresses, without exposing those VMs to inbound internet traffic. Which GCP service provides this?

A. Cloud VPN connecting the VPC to the internet
B. Cloud NAT configured on the VPC's Cloud Router
C. A VPC firewall rule allowing egress to 0.0.0.0/0 on all ports
D. An internal load balancer with internet routing enabled

Answer: B

Cloud NAT provides outbound internet connectivity for VMs with private IPs through NAT translation, while keeping them unreachable from inbound internet traffic.

Why this answer

Cloud NAT (Network Address Translation) is the correct service because it allows VMs with only private IP addresses to initiate outbound connections to the internet while preventing any inbound connections from the internet. It works by translating the private source IP addresses of outbound packets to a set of ephemeral public IP addresses managed by Google, using the VPC's Cloud Router to dynamically allocate NAT IPs and ports. This meets the requirement of outbound-only internet access without exposing the VMs to inbound traffic.

Exam trap

The trap here is that candidates confuse egress firewall rules (which only permit traffic to leave) with the need for a NAT gateway to provide a routable public source IP for return traffic, leading them to incorrectly select the firewall rule option.

How to eliminate wrong answers

Option A is wrong because Cloud VPN creates an encrypted tunnel to an on-premises network or another cloud, not to the public internet; it does not provide outbound internet access for private VMs. Option C is wrong because a VPC firewall rule allowing egress to 0.0.0.0/0 only permits traffic to leave the VPC, but without a public IP or NAT, the VMs have no routable source IP for internet responses to return, so outbound traffic fails. Option D is wrong because an internal load balancer operates within the VPC and does not provide internet routing; it distributes traffic among backend VMs but cannot translate private IPs to public ones for outbound internet access.

Question 4 · MCQ · hard

A GCP organization mandates that all new Cloud SQL instances must require SSL/TLS for connections. No exceptions are allowed. Which enforcement mechanism ensures this across all projects in the organization?

A. Rely on database administrators to manually enable SSL on each new Cloud SQL instance
B. Use Security Command Center to detect SSL-disabled instances and alert the team
C. Set a Cloud Monitoring alert for new Cloud SQL instances and auto-remediate via Cloud Functions
D. Apply the org policy constraint `constraints/sql.requireSsl` at the organization level to enforce SSL on all Cloud SQL instances

Answer: D

The `constraints/sql.requireSsl` organization policy constraint prevents Cloud SQL instances from being created or modified to allow non-SSL connections — enforced across all projects automatically.

Why this answer

Option D is correct because the organization policy constraint `constraints/sql.requireSsl` is a native, enforceable policy that can be applied at the organization level in GCP. Once set, it prevents the creation of any Cloud SQL instance that does not require SSL/TLS, and it also blocks any attempt to disable SSL on existing instances. This ensures 100% compliance across all projects without relying on manual intervention or reactive detection.

Exam trap

Google Cloud often tests the distinction between preventive controls (org policies) and detective/reactive controls (Security Command Center, Cloud Monitoring), and the trap here is that candidates choose a reactive option (B or C) thinking it 'enforces' compliance, when only a preventive org policy can block non-compliant resource creation entirely.

How to eliminate wrong answers

Option A is wrong because relying on manual enablement by database administrators is error-prone and violates the 'no exceptions' mandate; it does not enforce the policy programmatically. Option B is wrong because Security Command Center can only detect and alert on non-compliant instances after they are created, but it cannot prevent creation or enforce SSL; this is a detective control, not a preventive one. Option C is wrong because Cloud Monitoring alerts and Cloud Functions auto-remediation are reactive and can have a delay, allowing non-compliant instances to exist temporarily; they also cannot block the initial creation of an instance without SSL.

Question 5 · MCQ · medium

A security review identifies that service account JSON key files are stored on multiple developer laptops, posing a data exfiltration risk. What is the recommended remediation?

A. Rotate the key files every 90 days and redistribute them securely
B. Encrypt the JSON key files using Cloud KMS before distributing
C. Remove the key files and use service account impersonation or Workload Identity for workloads that need GCP access
D. Store the key files in Secret Manager and retrieve them at application startup

Answer: C

Eliminating key files is the recommended approach. GCE VMs use attached service accounts; GKE uses Workload Identity; external systems use Workload Identity Federation — no downloadable keys needed.

Why this answer

Option C is correct because storing service account JSON key files on developer laptops creates a persistent credential that can be exfiltrated. The recommended remediation is to remove these static keys entirely and instead use service account impersonation (via the `iamcredentials.googleapis.com` API) or Workload Identity (for GKE or GCE workloads) to obtain short-lived access tokens. This eliminates the long-lived secret and follows Google's principle of using federated identity rather than distributing static keys.

Exam trap

Google Cloud often tests the misconception that moving a secret to a more secure storage (like Secret Manager or encryption) is sufficient, when the correct answer requires eliminating the static credential entirely through impersonation or workload identity federation.

How to eliminate wrong answers

Option A is wrong because rotating keys every 90 days does not address the fundamental risk of storing static credentials on laptops; the keys remain exfiltratable between rotations and still represent a persistent attack surface. Option B is wrong because encrypting the JSON key files with Cloud KMS does not remove the static credential from the laptop; the encrypted file still contains the key material that can be decrypted by anyone with access to the encryption key, and the distribution process remains a risk. Option D is wrong because storing the key files in Secret Manager and retrieving them at startup still requires the application to possess a long-lived static credential (the JSON key) at runtime, which can be exfiltrated from memory or disk; the goal is to eliminate the static key entirely, not just move its storage location.

Question 6 · MCQ · medium

An organization needs to ensure that only images from their approved Container Registry (gcr.io/approved-project) can be deployed on GKE clusters in their organization. Which GCP control enforces this?

A. A VPC firewall rule blocking pulls from unauthorized registries
B. Binary Authorization with a policy requiring attestation from the approved registry
C. Cloud Armor rules blocking container pull requests from external sources
D. Manually reviewing all Docker images before deployment

Answer: B

Binary Authorization enforces image deployment policies on GKE clusters — it can require cryptographic attestations from approved registries and block non-compliant images at deploy time.

Why this answer

Binary Authorization enforces deployment-time policies that require images to be signed by trusted authorities. By configuring a policy that requires attestations from the approved registry (gcr.io/approved-project), only images from that registry can be deployed on GKE clusters, directly meeting the requirement.

Exam trap

The trap here is that candidates confuse network-level controls (firewalls, Cloud Armor) with deployment-time policy enforcement, mistakenly believing that blocking network traffic to unauthorized registries is equivalent to restricting which images can be deployed.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules control network traffic at layers 3 and 4 (IP/port), not application-layer operations like container image pulls; they cannot inspect the registry URL in a pull request. Option C is wrong because Cloud Armor is a web application firewall (WAF) that protects against HTTP/S attacks, not a mechanism to restrict container image sources; it operates at the edge, not on GKE node-to-registry traffic. Option D is wrong because manual review is a procedural control, not a GCP technical control; it is error-prone, unscalable, and does not provide automated enforcement at deployment time.

Question 7 · MCQ · hard

A GKE cluster hosts multiple teams' workloads in separate namespaces. One team's pods should not be able to make API calls to Google Cloud services (e.g., they should not call BigQuery or Cloud Storage). The pods currently use the node's service account via the Compute Engine metadata server. How do you restrict these specific pods from accessing GCP APIs while allowing other pods on the same node to continue using GCP APIs?

A. Apply a Kubernetes NetworkPolicy in the team's namespace blocking egress to `169.254.169.254` (the metadata server).
B. Revoke all IAM roles from the node's service account.
C. Set `automountServiceAccountToken: false` on the restricted team's pods.
D. Use a Kubernetes ResourceQuota to limit the team's namespace API access.

Answer: A

The GCE metadata server at 169.254.169.254 is how pods obtain GCP credentials. Blocking egress to this IP prevents those pods from getting any GCP access tokens, while other namespaces remain unaffected.

Why this answer

Option A is correct because the Compute Engine metadata server (169.254.169.254) is the endpoint that provides the node's service account credentials to pods. By applying a Kubernetes NetworkPolicy that blocks egress to this IP in the team's namespace, you prevent those pods from reaching the metadata server, thus denying them access to GCP APIs. Other pods on the same node are unaffected because NetworkPolicy is namespace-scoped and does not apply to them.

Exam trap

Google Cloud often tests the misconception that `automountServiceAccountToken: false` blocks all cloud API access, but it only affects the Kubernetes API token, not the Compute Engine metadata server which provides cloud credentials.

How to eliminate wrong answers

Option B is wrong because revoking all IAM roles from the node's service account would block ALL pods on that node from accessing GCP APIs, not just the restricted team's pods. Option C is wrong because setting `automountServiceAccountToken: false` only prevents the Kubernetes API service account token from being mounted into the pod; it does not affect the pod's ability to reach the Compute Engine metadata server to obtain the node's service account credentials. Option D is wrong because a ResourceQuota limits resource consumption (CPU, memory, etc.) and cannot restrict network access to specific IP addresses or APIs.
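An added example (not from the page or any project) of the NetworkPolicy this answer describes, held as a Python dict in the shape of the YAML you would apply, together with a small checker that evaluates whether egress to a destination IP is permitted under the policy and confirms that pods in other namespaces are not affected. The namespace name and policy name are constructed; only `ipBlock` peers are modelled, since selector-based peers need cluster state to resolve.

```python
import ipaddress

METADATA_SERVER = "169.254.169.254"

# Constructed policy: applies to every pod in the restricted namespace (empty
# podSelector), allows all egress except the metadata server address.
DENY_METADATA_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "deny-metadata-server", "namespace": "team-restricted"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Egress"],
        "egress": [
            {"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                 "except": [METADATA_SERVER + "/32"]}}]}
        ],
    },
}


def ip_block_permits(ip_block, dst_ip):
    """True if dst_ip is inside the block's cidr and not inside any `except` range."""
    addr = ipaddress.ip_address(dst_ip)
    if addr not in ipaddress.ip_network(ip_block["cidr"]):
        return False
    return not any(addr in ipaddress.ip_network(exc)
                   for exc in ip_block.get("except", []))


def egress_permitted(policy, dst_ip):
    """Kubernetes semantics for one policy: if it lists Egress in policyTypes,
    only destinations matching some `to` peer are allowed; a rule with no `to`
    allows every destination. Policies without Egress do not constrain egress."""
    spec = policy["spec"]
    if "Egress" not in spec.get("policyTypes", []):
        return True
    for rule in spec.get("egress", []):
        if "to" not in rule:
            return True
        for peer in rule["to"]:
            if "ipBlock" in peer and ip_block_permits(peer["ipBlock"], dst_ip):
                return True
    return False


def egress_permitted_in_namespace(policies, namespace, dst_ip):
    """Egress is allowed when no egress policy applies in the namespace, or when
    any applying policy permits it (policies are additive). Assumes every policy
    uses an empty podSelector, as the constructed one above does."""
    applicable = [p for p in policies
                  if p["metadata"]["namespace"] == namespace
                  and "Egress" in p["spec"].get("policyTypes", [])]
    if not applicable:
        return True
    return any(egress_permitted(p, dst_ip) for p in applicable)


if __name__ == "__main__":
    policies = [DENY_METADATA_POLICY]
    for ns in ("team-restricted", "team-other"):
        print(ns, "-> metadata server reachable:",
              egress_permitted_in_namespace(policies, ns, METADATA_SERVER))
```

The object is only enforced if NetworkPolicy enforcement is enabled on the cluster's dataplane; otherwise the API server accepts it but nothing blocks the traffic.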

Question 8 · MCQ · medium

You need to prevent developers from creating Compute Engine VMs with external IP addresses in a specific folder. Developers must still be able to create VMs with internal IPs only. Which org policy constraint enforces this?

A. Create a VPC firewall rule blocking all outbound internet traffic.
B. Apply the `compute.vmExternalIpAccess` org policy constraint set to deny all VMs.
C. Remove the `compute.instanceAdmin` role from developers so they cannot configure network interfaces.
D. Configure the default VPC network to use internal-only routes.

Answer: B

This list constraint controls which VMs can have external IPs. Setting it with an empty allowedValues list (or a deny-all value) prevents any VM in the folder from being created with an external IP address.

Why this answer

The `compute.vmExternalIpAccess` organization policy constraint is specifically designed to control whether Compute Engine VMs can be assigned external IP addresses. By setting this constraint to deny all VMs in the folder, developers are prevented from creating VMs with external IPs while still being able to create VMs with only internal IPs. This is the correct, native Google Cloud mechanism for enforcing this requirement at the folder level.

Exam trap

The trap here is that candidates often confuse network-layer controls (firewall rules) with resource-level policies (org policy constraints), leading them to choose a firewall rule instead of the correct org policy constraint that directly governs VM creation.

How to eliminate wrong answers

Option A is wrong because a VPC firewall rule blocks traffic at the network layer, not the creation of VMs with external IPs; developers could still assign an external IP to a VM, and the firewall rule would only block outbound internet traffic after the VM is created. Option C is wrong because removing the `compute.instanceAdmin` role would prevent developers from creating any VMs at all, not just those with external IPs, and it does not selectively restrict external IP assignment. Option D is wrong because configuring the default VPC network to use internal-only routes does not prevent a developer from explicitly assigning an external IP when creating a VM; it only affects routing, not the IP assignment itself.

Question 9 · MCQ · medium

A Cloud Run service needs to access a database password at runtime. Where should the password be stored according to GCP security best practices?

A. As a plain-text environment variable in the Cloud Run service configuration
B. In a Cloud Storage bucket accessible to the service account
C. In Secret Manager, referenced as a mounted secret or accessed via the API at runtime
D. Baked into the container image at build time

Answer: C

Secret Manager stores secrets encrypted, with IAM access control and full audit trails. Cloud Run can reference secrets as environment variables or volume mounts without exposing the value in configuration.

Why this answer

Secret Manager is the GCP-native service designed to securely store sensitive data like database passwords. It provides encryption at rest and in transit, fine-grained access control via IAM, and supports both mounting secrets as volumes and accessing them via the API at runtime. This aligns with GCP security best practices by avoiding exposure of secrets in plain text, configuration files, or container images.

Exam trap

Google Cloud often tests the misconception that environment variables are secure for secrets because they are not visible in the source code, but the trap here is that environment variables are still exposed in the runtime environment and logs, making them insecure for sensitive data.

How to eliminate wrong answers

Option A is wrong because storing a password as a plain-text environment variable exposes it in the Cloud Run console, logs, and any process that can read environment variables, violating the principle of least privilege and secure secret management. Option B is wrong because Cloud Storage buckets are designed for object storage, not secret management; they lack built-in encryption key rotation, audit logging for secret access, and fine-grained access control specific to secrets, and storing a password there would require additional complexity to secure it. Option D is wrong because baking secrets into a container image at build time embeds them in the image layers, making them accessible to anyone with image pull access and preventing rotation without rebuilding and redeploying the image.

Question 10 · MCQ · medium

A GCP organization has recently experienced a credential theft incident involving a service account key. The CISO requires that all service account keys in the organization be inventoried and those older than 90 days be rotated. Which tool identifies old service account keys across all projects?

A. Security Command Center — it audits service account key age automatically
B. Cloud Asset Inventory querying all IAM ServiceAccountKey assets across the organization
C. Cloud Monitoring metric for service account key creation date
D. Manually check each service account in each project's IAM & Admin > Service Accounts page

Answer: B

Cloud Asset Inventory's `gcloud asset search-all-resources --asset-types=iam.googleapis.com/ServiceAccountKey` returns all SA keys with creation timestamps — enabling age-based filtering.

Why this answer

Cloud Asset Inventory (CAI) is the correct tool because it can query all IAM ServiceAccountKey assets across the entire organization, including all projects, using a single API call or gcloud command. This allows you to filter by the `validAfterTime` field to identify keys older than 90 days, meeting the CISO's requirement for a comprehensive, automated inventory without manual per-project inspection.

Exam trap

Google Cloud often tests the misconception that Security Command Center handles IAM key lifecycle audits, when in fact Cloud Asset Inventory is the correct service for querying metadata like key creation dates across all projects.

How to eliminate wrong answers

Option A is wrong because Security Command Center (SCC) does not automatically audit service account key age; it focuses on vulnerability and threat detection, not asset inventory of key creation dates. Option C is wrong because Cloud Monitoring metrics do not expose service account key creation dates; metrics are for performance and usage, not IAM resource metadata. Option D is wrong because manually checking each service account in each project's IAM & Admin page is not a tool and is impractical for an organization-wide inventory, violating the requirement for an automated, scalable solution.
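The age-based filter described above, as an added example (not code from the page): take the per-key fields an asset export of `iam.googleapis.com/ServiceAccountKey` carries, keep only user-managed keys whose `validAfterTime` is older than 90 days, and group them by project for the rotation ticket. The key records, project names and the reference "now" are constructed; a real export would have more fields around these.

```python
import json
from datetime import datetime, timezone

# Constructed sample records: the name, keyType and validAfterTime fields of
# ServiceAccountKey resources as an asset export would list them.
SAMPLE_KEYS = json.loads("""[
 {"name": "projects/prod-api/serviceAccounts/deploy@prod-api.iam.gserviceaccount.com/keys/1a2b",
  "keyType": "USER_MANAGED", "validAfterTime": "2024-01-15T10:00:00Z"},
 {"name": "projects/prod-api/serviceAccounts/deploy@prod-api.iam.gserviceaccount.com/keys/3c4d",
  "keyType": "USER_MANAGED", "validAfterTime": "2024-06-01T08:30:00Z"},
 {"name": "projects/analytics/serviceAccounts/etl@analytics.iam.gserviceaccount.com/keys/5e6f",
  "keyType": "SYSTEM_MANAGED", "validAfterTime": "2024-01-01T00:00:00Z"},
 {"name": "projects/analytics/serviceAccounts/etl@analytics.iam.gserviceaccount.com/keys/7a8b",
  "keyType": "USER_MANAGED", "validAfterTime": "2024-03-10T12:00:00Z"}
]""")

# Constructed reference time so the audit is reproducible offline.
REFERENCE_NOW = datetime(2024, 7, 1, 12, 0, tzinfo=timezone.utc)


def parse_rfc3339(ts):
    # fromisoformat only accepts a trailing "Z" from Python 3.11; normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def key_age_days(key, now):
    return (now - parse_rfc3339(key["validAfterTime"])).days


def stale_user_keys(keys, now, max_age_days=90):
    """User-managed keys older than the limit, oldest first. System-managed
    keys are Google-rotated and cannot be rotated by the customer, so they
    are excluded from the rotation list."""
    stale = [k for k in keys
             if k["keyType"] == "USER_MANAGED"
             and key_age_days(k, now) > max_age_days]
    return sorted(stale, key=lambda k: parse_rfc3339(k["validAfterTime"]))


def group_by_project(keys):
    """Map project id -> list of key ids, the unit a rotation ticket is raised on."""
    grouped = {}
    for k in keys:
        parts = k["name"].split("/")
        grouped.setdefault(parts[1], []).append(parts[-1])
    return grouped


if __name__ == "__main__":
    stale = stale_user_keys(SAMPLE_KEYS, REFERENCE_NOW)
    for k in stale:
        print(f"{key_age_days(k, REFERENCE_NOW):4d} days  {k['name']}")
    print(group_by_project(stale))
```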

Question 11 · MCQ · hard

A security team wants to prevent authorized users from copying BigQuery query results to a dataset in a different GCP project that is outside the team's security boundary — even if the user has valid IAM permissions. Which control enforces this?

A. IAM deny policies restricting cross-project BigQuery operations
B. VPC Service Controls with a perimeter enclosing BigQuery
C. An organization policy preventing resource creation outside specific projects
D. Cloud Armor rules blocking outbound API requests to BigQuery in other projects

Answer: B

VPC Service Controls enforce context-aware access at the API level — data can't leave the perimeter to external projects regardless of IAM permissions, preventing exfiltration.

Why this answer

VPC Service Controls (VPC-SC) create a security perimeter around Google Cloud services, including BigQuery, that prevents data exfiltration to projects outside the perimeter regardless of IAM permissions. By configuring a service perimeter that includes BigQuery and the authorized project, any attempt to copy query results to a dataset in a project outside the perimeter is blocked, even if the user has valid IAM roles. This enforces a data boundary that overrides IAM-based access.

Exam trap

The trap here is that candidates assume IAM deny policies can block data movement across projects, but VPC Service Controls are the only mechanism that enforces data exfiltration boundaries at the network layer, overriding IAM permissions.

How to eliminate wrong answers

Option A is wrong because IAM deny policies can restrict specific operations but they operate at the IAM level and cannot override valid permissions granted to a user; they also do not provide a network-level data exfiltration control that prevents copying results across projects. Option C is wrong because an organization policy preventing resource creation outside specific projects only controls where new resources can be created, not the movement of existing data or query results between projects. Option D is wrong because Cloud Armor is a web application firewall that protects HTTP(S) traffic, not BigQuery API calls, and it cannot block outbound API requests to BigQuery in other projects.

Question 12 · MCQ · medium

A team wants to grant three developers access to view Cloud SQL instance details and connection strings, but not create, delete, or modify any Cloud SQL instances. Which predefined IAM role is the most appropriate?

A. Cloud SQL Editor
B. Cloud SQL Client
C. Cloud SQL Viewer
D. Project Viewer

Answer: C

Cloud SQL Viewer (roles/cloudsql.viewer) grants read-only access to Cloud SQL instance details, settings, and connection information without any modification rights.

Why this answer

The Cloud SQL Viewer role (roles/cloudsql.viewer) grants read-only permissions to view Cloud SQL instance details, including connection strings, without allowing any create, delete, or modify operations. This matches the requirement precisely, as it provides the necessary visibility while preventing any changes to the instances.

Exam trap

Google Cloud often tests the distinction between roles that grant operational access (like Cloud SQL Client) versus read-only access (like Cloud SQL Viewer), and the trap here is that candidates may confuse 'Client' with 'Viewer' because both sound like they provide access, but only Viewer grants the ability to see instance details and connection strings without modification permissions.

How to eliminate wrong answers

Option A is wrong because Cloud SQL Editor (roles/cloudsql.editor) includes permissions to create, update, and delete Cloud SQL instances, which exceeds the required read-only access. Option B is wrong because Cloud SQL Client (roles/cloudsql.client) primarily grants permissions to connect to Cloud SQL instances (e.g., using the Cloud SQL Proxy or client libraries) but does not include the ability to view instance metadata or connection strings in the console. Option D is wrong because Project Viewer (roles/viewer) provides read-only access to all resources in the project, which is overly broad and not scoped specifically to Cloud SQL; it also does not grant the precise permissions needed for viewing Cloud SQL instance details and connection strings.

Question 13 · MCQ · medium

You need to grant a third-party monitoring vendor's service account `roles/monitoring.viewer` on your project, but only for the next 90 days. After 90 days, the access should automatically expire. Which IAM feature enables time-limited access?

A. Set a session duration limit in the vendor's service account settings.
B. Add an IAM Condition with a date/time expression that expires the binding after 90 days.
C. Grant the role and set a reminder to manually revoke it in 90 days.
D. Use a temporary service account that is automatically deleted after 90 days via a Cloud Scheduler job.

Answer: B

IAM Conditions support `request.time` comparisons. A condition like `request.time < timestamp('EXPIRY_DATE')` causes the binding to stop granting access after the specified date automatically.

Why this answer

Option B is correct because IAM Conditions allow you to attach a time-based expression to a role binding, such as `request.time < timestamp('2025-01-01T00:00:00Z')`, which automatically revokes the binding after the specified date. This is the native, auditable, and policy-driven way to enforce time-limited access in Google Cloud without manual intervention or resource lifecycle management.

Exam trap

Google Cloud often tests the misconception that session duration limits or service account lifecycle management can enforce time-bound permissions, when in fact only IAM Conditions provide a native, policy-based expiration mechanism for role bindings.

How to eliminate wrong answers

Option A is wrong because session duration limits apply to the maximum time a service account can use a token before re-authentication, not to the overall validity of the IAM role binding; they do not expire the permission itself after 90 days. Option C is wrong because manually revoking access is error-prone, not automated, and violates the requirement for automatic expiration; it is not an IAM feature. Option D is wrong because deleting a service account does not automatically remove its IAM role bindings (orphaned bindings remain), and Cloud Scheduler cannot delete a service account without additional custom logic; this approach is unnecessarily complex and not a built-in IAM feature.
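The `request.time < timestamp(...)` condition above, worked as an added example (not code from the page): build the condition for a 90-day window, evaluate whether a conditional binding still grants access at a given instant, and list bindings whose window has closed, since an expired binding stops granting access but stays in the policy until someone removes it. The vendor principal, project and dates are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed conditional binding in the shape of an entry in a project IAM policy.
VENDOR_BINDING = {
    "role": "roles/monitoring.viewer",
    "members": ["serviceAccount:monitor@vendor-project.iam.gserviceaccount.com"],
    "condition": {
        "title": "vendor-access-expires",
        "expression": "request.time < timestamp('2025-03-31T00:00:00Z')",
    },
}

# Matches only the plain expiry form; anything richer is reported, not guessed at.
_EXPIRY_RE = re.compile(r"^request\.time\s*<\s*timestamp\('([^']+)'\)$")


def parse_ts(ts):
    # fromisoformat only accepts a trailing "Z" from Python 3.11; normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def expiry_condition(days, start_iso):
    """Condition dict for a binding that must stop granting access `days` after start."""
    expiry = parse_ts(start_iso) + timedelta(days=days)
    stamp = expiry.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"title": f"expires-after-{days}d",
            "expression": f"request.time < timestamp('{stamp}')"}


def binding_expiry(binding):
    """UTC expiry of a binding using the plain expiry condition, or None when the
    binding is unconditional. Other expressions raise so they are not misread."""
    cond = binding.get("condition")
    if cond is None:
        return None
    match = _EXPIRY_RE.match(cond["expression"].strip())
    if not match:
        raise ValueError(f"unsupported condition expression: {cond['expression']}")
    return parse_ts(match.group(1))


def grants_access(binding, at_iso):
    """True if the binding grants its role at the given instant (strict '<',
    so access ends exactly at the timestamp named in the condition)."""
    expiry = binding_expiry(binding)
    return expiry is None or parse_ts(at_iso) < expiry


def expired_bindings(policy, at_iso):
    """Bindings that no longer grant access and can be removed in a cleanup pass."""
    return [b for b in policy["bindings"] if not grants_access(b, at_iso)]


if __name__ == "__main__":
    print(expiry_condition(90, "2025-01-01T00:00:00Z"))
    for when in ("2025-03-30T23:59:59Z", "2025-03-31T00:00:00Z"):
        print(when, grants_access(VENDOR_BINDING, when))
```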

Question 14 · MCQ · easy

What is the purpose of Cloud Audit Logs' Data Access audit logs, and why are they NOT enabled by default for most services?

A. They record authentication events; they are disabled by default due to privacy regulations.
B. They log API calls that read or write user data; they are off by default due to very high log volume and associated storage costs.
C. They log VM instance creation and deletion; they are disabled by default to avoid noise.
D. They provide real-time threat detection; they are experimental and not yet generally available.

Answer: B

Data Access logs capture every data read/write. On busy services like BigQuery, this generates massive log volume. Enabling them broadly would be cost-prohibitive, so they're opt-in.

Why this answer

Data Access audit logs record every API call that reads or writes user-provided data (e.g., reading a Cloud Storage object or updating a BigQuery table). They are disabled by default because the sheer volume of these operations can generate terabytes of logs per day, leading to significant Cloud Logging storage costs and potential budget overruns. Administrators must explicitly enable them per service or per resource to control cost and log retention.

Exam trap

Google Cloud often tests the misconception that Data Access logs are enabled by default for all services, when in fact they are off by default specifically to prevent runaway storage costs from high-volume user data operations.

How to eliminate wrong answers

Option A is wrong because Data Access logs do not record authentication events; those are captured by Admin Activity logs (for IAM policy changes) and System Event logs (for GCP actions). Option C is wrong because VM instance creation and deletion are recorded by Admin Activity logs, not Data Access logs, and they are enabled by default for free. Option D is wrong because Data Access logs are not experimental—they are GA—and they do not provide real-time threat detection; that is the role of services like Security Command Center or Event Threat Detection.

Question 15 · MCQ · easy

Which console page would you use to create and manage custom IAM roles?

A. IAM & Admin > Audit Logs
B. IAM & Admin > Roles
C. IAM & Admin > Organization Policies
D. IAM & Admin > Service Accounts

Answer: B

This page is specifically for managing roles.

Why this answer

The IAM & Admin > Roles page in the Google Cloud Console is the dedicated interface for creating, editing, and managing custom IAM roles. Custom roles allow you to define a precise set of permissions that are not available in predefined roles, giving you granular control over access to Google Cloud resources. This page also lists all predefined and custom roles, and allows you to clone, delete, or update role definitions.

Exam trap

Google Cloud often tests the distinction between managing IAM roles (which is done in the Roles page) and managing service accounts (which is done in the Service Accounts page), leading candidates to confuse the two because both involve identity and access management.

How to eliminate wrong answers

Option A is wrong because Audit Logs is used to view and configure audit logs for tracking admin activity, data access, and system events, not for creating or managing IAM roles. Option C is wrong because Organization Policies are used to set constraints on Google Cloud resources at the organization, folder, or project level (e.g., restricting resource locations or disabling service creation), not for defining IAM roles. Option D is wrong because Service Accounts is the page for managing service account identities and their keys, not for creating or managing IAM roles.

Question 16 · MCQ · medium

A developer accidentally creates a firewall rule allowing all inbound traffic (0.0.0.0/0) on all ports to all instances in a production VPC. The rule has priority 1000. The team has an existing rule allowing only SSH (port 22) from the corporate IP range at priority 999. Which traffic is actually allowed?

A.Only SSH from the corporate range is allowed — the more specific rule takes precedence for all traffic
B.SSH from corporate IP plus all traffic from all IPs — both allow rules match for their respective traffic
C.No traffic is allowed — deny rules override allow rules in GCP
D.All traffic from all IPs is allowed — the priority 1000 allow-all overrides the more specific priority 999 rule
AnswerB

GCP evaluates firewall rules independently. Priority 999 allows corporate SSH. Priority 1000 allows everything else. The allow-all rule represents a critical security vulnerability.

Why this answer

In Google Cloud VPC firewall rules, both allow rules are evaluated independently. The rule at priority 999 allows SSH (TCP port 22) from the corporate IP range, and the rule at priority 1000 allows all traffic from all IPs (0.0.0.0/0) on all ports. Since both rules are allow rules and match the traffic, the result is that SSH traffic from the corporate IP is allowed by the more specific rule, and all other traffic (including SSH from other IPs and all other protocols) is allowed by the broader rule.

There is no implicit deny in GCP firewall rules; only explicit deny rules can block traffic, and no deny rule is present here.

Exam trap

Google Cloud often tests the misconception that a higher-priority (lower number) rule always overrides a lower-priority rule, but in GCP, this only applies when comparing allow vs. deny rules, not between two allow rules.

How to eliminate wrong answers

Option A is wrong because it incorrectly assumes that a more specific rule 'takes precedence' over a broader allow rule; in GCP, all matching allow rules are applied, and the more specific rule does not block the broader rule from allowing other traffic. Option C is wrong because it falsely claims that deny rules override allow rules by default; GCP firewall rules are implicitly permissive—if no deny rule matches, traffic is allowed, and there are no deny rules in this scenario. Option D is wrong because it suggests that the priority 1000 rule overrides the priority 999 rule; priority only determines the order of evaluation for conflicting rules (e.g., an allow vs. a deny), but both are allow rules, so both apply to their respective matching traffic.
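The rule interaction in this question is easiest to see by running it. The following is an added example (not code from the page or from Google): it reads firewall rules in the JSON shape returned by `gcloud compute firewall-rules list --format=json`, reports which rule is the first to match a given flow when rules are walked in priority order (lowest number first), and flags the audit finding the question describes, an ingress allow rule open to `0.0.0.0/0` on every protocol and port. The rule names and the corporate range `203.0.113.0/24` are constructed for the example.

```python
import ipaddress

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (rule names and the corporate source range are made up for this example).
RULES = [
    {"name": "allow-corp-ssh", "direction": "INGRESS", "priority": 999,
     "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "dev-allow-all", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
]


def _port_in(port, port_specs):
    """True if `port` falls inside any 'N' or 'N-M' entry; no list means all ports."""
    if not port_specs:
        return True
    for spec in port_specs:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule, src_ip, proto, port):
    """Does an enabled ingress rule cover this flow (source range, protocol, port)?"""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])):
        return False
    for spec in rule.get("allowed", []) + rule.get("denied", []):
        if spec["IPProtocol"] in ("all", proto) and _port_in(port, spec.get("ports")):
            return True
    return False


def first_match(rules, src_ip, proto, port):
    """Walk rules from the lowest priority number upward; the first rule that
    matches decides. Returns (rule name, 'allow' | 'deny'), or None when no
    explicit rule matches and the VPC's implied rules apply."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule, src_ip, proto, port):
            return rule["name"], "allow" if rule.get("allowed") else "deny"
    return None


def overly_permissive(rules):
    """Audit check: enabled ingress allow rules open to the whole internet on
    every protocol and port. These are the findings to raise first."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or not rule.get("allowed"):
            continue
        internet = "0.0.0.0/0" in rule.get("sourceRanges", [])
        everything = any(a["IPProtocol"] == "all" and not a.get("ports")
                         for a in rule["allowed"])
        if internet and everything:
            findings.append(rule["name"])
    return findings


if __name__ == "__main__":
    print(first_match(RULES, "203.0.113.10", "tcp", 22))   # corporate SSH -> allow-corp-ssh
    print(first_match(RULES, "198.51.100.7", "tcp", 3389))  # anything else -> dev-allow-all
    print(overly_permissive(RULES))                           # ['dev-allow-all']
```

Running it shows both outcomes from the answer: corporate SSH is matched by the priority 999 rule, and every other flow falls through to the priority 1000 allow-all, which `overly_permissive` reports. Dropping the second rule from `RULES` makes the RDP flow return `None`, i.e. no explicit rule matches it.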

17
MCQhard

A company uses VPC Service Controls to protect Cloud Storage. They have a service perimeter that includes the storage API and the project where the stored data resides. Users inside the perimeter can access the data, but users outside cannot. However, a group of users outside the perimeter are able to access the data using a signed URL generated by a service inside the perimeter. Why does this happen?

A.VPC Service Controls do not apply to signed URLs.
B.Signed URLs bypass VPC Service Controls.
C.The service perimeter is misconfigured, missing signed URL restrictions.
D.The users have been granted IAM roles that override the perimeter.
AnswerA

Signed URLs are a separate access method not governed by VPC SC.

Why this answer

VPC Service Controls are designed to restrict access to Google Cloud resources based on the network origin of requests, but they do not evaluate or block requests made using signed URLs. Signed URLs are authenticated via cryptographic signatures, not IAM or network context, so they bypass the perimeter check entirely. This is by design, as signed URLs are intended for temporary, out-of-band access.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls are a universal access control mechanism, when in fact they do not apply to signed URLs or public buckets, leading candidates to incorrectly assume a misconfiguration or override.

How to eliminate wrong answers

Option B is wrong because signed URLs do not 'bypass' VPC Service Controls in a technical sense; rather, VPC Service Controls simply do not apply to signed URL requests, as the access decision is based on the signature, not the requester's network or identity. Option C is wrong because there is no 'signed URL restriction' setting in VPC Service Controls; the service perimeter configuration is correct, and the behavior is expected. Option D is wrong because IAM roles are not the mechanism at play here; signed URLs do not require IAM roles to be granted to the end user, and the perimeter does not evaluate IAM for signed URL requests.

18
MCQmedium

A developer reports that a Cloud Function is failing with '403 Forbidden' when calling the BigQuery API. The function's service account has the BigQuery Data Viewer role. What is a likely additional requirement that may be missing?

A.The Cloud Function must be deployed in the same region as the BigQuery dataset
B.The BigQuery API may not be enabled in the Cloud Functions' project
C.Cloud Functions cannot call BigQuery — it must use Dataflow or BigQuery scheduled queries instead
D.The service account needs the BigQuery Admin role instead of Data Viewer to make API calls
AnswerB

Even with the correct IAM role, API calls fail if the target API isn't enabled. Enabling the BigQuery API (`bigquery.googleapis.com`) in the project is a prerequisite.

Why this answer

The 403 Forbidden error indicates that the Cloud Function's service account lacks the necessary permissions to call the BigQuery API. Even with the correct IAM role (BigQuery Data Viewer), the BigQuery API must be explicitly enabled in the project where the Cloud Function is running, as Google Cloud requires APIs to be activated per project before they can be used. Without enabling the API, any API call from the function will be rejected with a 403, regardless of IAM roles.

Exam trap

Google Cloud often tests the distinction between IAM permissions and API enablement, trapping candidates who assume a 403 always means a missing IAM role rather than a disabled API.

How to eliminate wrong answers

Option A is wrong because Cloud Functions and BigQuery datasets can be in different regions; cross-region access is supported via the BigQuery API, and region mismatch does not cause a 403 error. Option C is wrong because Cloud Functions can directly call the BigQuery API using client libraries or REST requests; Dataflow or scheduled queries are alternative tools, not mandatory replacements. Option D is wrong because the BigQuery Data Viewer role is sufficient for read-only API calls like queries; the 403 is not due to insufficient IAM permissions but because the API itself is not enabled.

19
MCQmedium

A GKE cluster hosts both a public-facing web application and an internal data processing service. The data processing service should only accept traffic from the web application Pods, not from the internet. Which Kubernetes feature enforces this policy?

A.A VPC firewall rule blocking external traffic to the data service's Node IPs
B.Kubernetes NetworkPolicy restricting ingress to the data service to only Pods with the web app label
C.IAP (Identity-Aware Proxy) configured on the data service
D.Using a private ClusterIP Service for the data service — it's automatically private
AnswerB

NetworkPolicies provide Pod-level firewall rules based on Pod label selectors. A policy on the data service allowing only ingress from the web app's Pod labels enforces the required isolation.

Why this answer

Kubernetes NetworkPolicy is the native Kubernetes resource that controls traffic flow at the IP address or port level (OSI layer 3 or 4). By defining an ingress rule that allows traffic only from Pods with a specific label (e.g., 'app: web-app'), you can restrict access to the data processing service exclusively to the web application Pods, regardless of whether the service is exposed via ClusterIP, NodePort, or LoadBalancer. This is the correct and recommended approach for pod-level network segmentation within a cluster.

Exam trap

Google Cloud often tests the misconception that a ClusterIP Service is inherently private and restricts access to only certain Pods, but in reality, ClusterIP only limits external exposure; any Pod in the cluster can reach it unless a NetworkPolicy explicitly denies or allows traffic based on labels.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules operate at the infrastructure level (VM/node network interfaces) and cannot distinguish traffic between Pods on the same node or across nodes within the cluster; they would block all external traffic to the node's IPs but would not prevent other Pods (or even the web app Pods) from reaching the data service if it's exposed via NodePort. Option C is wrong because IAP (Identity-Aware Proxy) is a Google Cloud service for controlling access to applications based on user identity and context, not for pod-to-pod network traffic within a GKE cluster; it operates at the application layer and requires an HTTPS load balancer, not a Kubernetes-native policy. Option D is wrong because a private ClusterIP Service is only private in the sense that it is not exposed outside the cluster, but any Pod within the cluster can still reach it by default; it does not restrict which Pods can initiate connections to the service.
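The NetworkPolicy the answer describes, written out as an added example (not a manifest from the page). It assumes the data service Pods carry the label `app: data-processor`, the web application Pods carry `app: web-app` (the label the explanation uses), both run in a namespace called `prod`, and the service listens on TCP 8080; all of these are assumptions for the example. Because the policy selects the data-processor Pods and lists `Ingress` in `policyTypes`, every inbound connection not matched by the `from` clause is dropped, so the policy is also the default-deny for those Pods.

```yaml
# Added example, not from the page. Assumed labels: app: data-processor (data
# service), app: web-app (web application); assumed namespace: prod; assumed
# port: 8080. Enforcement requires network policy to be enabled on the GKE
# cluster (GKE Dataplane V2, or the Calico network policy add-on); without it
# the object is accepted by the API server but has no effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: data-processor-ingress
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: data-processor
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web-app
    ports:
    - protocol: TCP
      port: 8080
```

Apply it with `kubectl apply -f` and confirm the selectors with `kubectl describe networkpolicy data-processor-ingress -n prod`. A quick functional check is to `exec` into a Pod without the `app: web-app` label and attempt a connection to the data service: it should time out, while the same attempt from a web-app Pod succeeds.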

20
MCQmedium

You are reviewing a GCP project's IAM policy and find that the `allUsers` principal has `storage.objectViewer` on a Cloud Storage bucket. The bucket contains internal documentation. What are the security implications, and what should you do?

A.This is acceptable if the bucket has Uniform Bucket-Level Access enabled; UBLA encrypts the data.
B.Any person on the internet can read the internal documents; remove the `allUsers` binding immediately and restrict access to authorized identities.
C.This is a read-only permission so it's acceptable — attackers can't modify the documents.
D.Enable Cloud Armor on the bucket to restrict access to your corporate IP range.
AnswerB

allUsers grants unauthenticated public access. Internal documentation should never be public. Removing the binding and enabling Public Access Prevention prevents re-introduction of this misconfiguration.

Why this answer

Option B is correct because granting `storage.objectViewer` to `allUsers` makes the bucket's objects publicly readable by anyone on the internet, including anonymous users. This violates the principle of least privilege and exposes internal documentation to unauthorized access. The immediate remediation is to remove the `allUsers` binding and replace it with specific, authenticated identities (e.g., service accounts or Google Groups) that require access.

Exam trap

The trap here is that candidates might think read-only permissions are safe or that UBLA automatically secures a bucket, but Cisco tests that `allUsers` with any IAM role (even read-only) on a bucket containing sensitive data is a critical security risk that must be removed immediately.

How to eliminate wrong answers

Option A is wrong because Uniform Bucket-Level Access (UBLA) does not encrypt data; it enforces IAM-based access control instead of ACLs, but it does not prevent public access when `allUsers` is granted. Option C is wrong because read-only permissions are not acceptable for internal documents; data confidentiality is breached regardless of write access, and attackers can exfiltrate sensitive information. Option D is wrong because Cloud Armor is a web application firewall for HTTP(S) load balancers, not a service that can be directly applied to Cloud Storage buckets; it cannot restrict access to a bucket's objects.

21
MCQhard

An organization policy at the organization level sets `constraints/compute.requireOsLogin` to enforced (true) on all projects. A specific project needs an exception — VMs there should not require OS Login. How can this exception be configured?

A.Removing the VM from the VPC will bypass the organization policy
B.Set a project-level organization policy overriding `compute.requireOsLogin` to not enforced (if the constraint allows override)
C.Grant the VM's service account the OS Login Admin role to bypass the policy
D.Move the project to a folder that doesn't inherit the organization policy
AnswerB

If the constraint supports project-level override, setting the policy to `not enforced` at the project level creates an exception for that project, overriding the inherited org-level policy.

Why this answer

Option B is correct because organization policies can be overridden at a lower level (project, folder) if the constraint's `inheritFromParent` setting allows it. The `compute.requireOsLogin` boolean constraint supports per-project override, so setting it to `false` at the project level exempts that project's VMs from requiring OS Login while the organization-level policy remains enforced for all other projects.

Exam trap

Google Cloud often tests the misconception that organization policies are absolute and cannot be overridden at lower levels, but many boolean constraints explicitly allow per-project or per-folder overrides when configured correctly.

How to eliminate wrong answers

Option A is wrong because removing a VM from its VPC does not bypass the organization policy; the policy applies to all VMs in the project regardless of VPC membership, and a VM without a VPC cannot function. Option C is wrong because granting the VM's service account the OS Login Admin role does not bypass the `compute.requireOsLogin` policy; that role only allows managing OS Login settings on instances, not overriding the enforcement of OS Login itself. Option D is wrong because moving the project to a folder that doesn't inherit the organization policy is not possible—organization policies at the organization level are inherited by all folders and projects unless explicitly excluded via a policy with `inheritFromParent: false`, and a project cannot be moved outside the organization hierarchy.
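The project-level exception from the answer, as an added example (not configuration from the page). It uses the Organization Policy v2 YAML accepted by `gcloud org-policies set-policy`; `PROJECT_ID` is a placeholder for the project that needs the exception.

```yaml
# Added example, not from the page. Replace PROJECT_ID with the project that
# needs the exception. Apply with:
#   gcloud org-policies set-policy os-login-exception.yaml
# Verify the effective policy afterwards with:
#   gcloud org-policies describe compute.requireOsLogin --project=PROJECT_ID --effective
name: projects/PROJECT_ID/policies/compute.requireOsLogin
spec:
  rules:
  - enforce: false
```

The policy replaces the inherited organization-level value for this one project only; every other project continues to receive the enforced value from the organization. Because this widens what the organization policy allows, the change is worth recording in an Admin Activity audit log review and revisiting when the project's requirement goes away.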

22
MCQmedium

Your organization has multiple GCP projects and wants to implement least privilege access for operations teams. Each operations team manages a specific set of projects. You have created custom roles that grant permissions to start and stop Compute Engine instances, view logs, and monitor resources. You are using Google Groups to assign roles to users. Recently, a user from the network operations team was able to modify firewall rules in a project managed by the compute operations team, causing a security incident. During the root cause analysis, you discover that the user is a member of both the network operations group and the compute operations group. The compute operations group is assigned a custom role that does not include firewall permissions. The network operations group is assigned a role that includes firewall admin permissions. How should you redesign the IAM structure to prevent cross-team access while maintaining required permissions?

A.Create a separate project for each team and use VPC Service Controls to isolate.
B.Use IAM conditions to restrict the network operations role to only the network team's projects.
C.Implement organization policies to deny firewall modifications unless a specific condition is met.
D.Remove the user from the network operations group.
AnswerB

IAM conditions can scope role use to specific projects, preventing role abuse in other projects.

Why this answer

Option B is correct because IAM conditions allow you to restrict the network operations team's firewall admin permissions to only their designated projects, preventing a user who is a member of both groups from using those permissions in the compute operations team's projects. This enforces least privilege by scoping the role's effectiveness based on resource attributes, without requiring project-level separation or removing the user from necessary groups.

Exam trap

The trap here is that candidates think removing the user from the group (Option D) or using organization policies (Option C) solves the problem, but they fail to recognize that IAM conditions can scope permissions to specific projects or resources without altering group membership or applying blanket restrictions.

How to eliminate wrong answers

Option A is wrong because creating separate projects and using VPC Service Controls does not address the cross-team access issue; the user would still be a member of both groups and could inherit permissions across projects if roles are assigned at the organization or folder level. Option C is wrong because organization policies deny or allow actions broadly across all projects, and they cannot conditionally restrict permissions based on group membership or project ownership; they are not a substitute for IAM conditions. Option D is wrong because removing the user from the network operations group would break their legitimate need to manage firewall rules in their own projects, violating the principle of least privilege by over-restricting access.

23
MCQhard

Refer to the exhibit. A user attempts to create a Deployment Manager deployment that references a service account. What is the most likely issue?

A.The user does not have deploymentmanager.deployments.create permission
B.The user does not have the roles/iam.serviceAccountUser role on the service account
C.The service account is disabled
D.The service account does not exist
AnswerB

The actAs permission is needed to use a service account in deployments.

Why this answer

When a Deployment Manager deployment references a service account, the user must have the `roles/iam.serviceAccountUser` role on that service account to impersonate it. Without this role, the deployment fails even if the user has `deploymentmanager.deployments.create` permission, because the service account is used to execute the deployment's resources. Option B correctly identifies this missing IAM binding as the most likely issue.

Exam trap

Google Cloud often tests the distinction between having permission to create a deployment versus having permission to use a specific service account within that deployment, leading candidates to mistakenly choose the deployment-level permission error (Option A) instead of the IAM role on the service account (Option B).

How to eliminate wrong answers

Option A is wrong because the user is attempting to create a deployment, and the error would typically be a permissions denial if they lacked `deploymentmanager.deployments.create`, but the question implies the user has that permission and the issue is specifically with the service account reference. Option C is wrong because a disabled service account would produce a different error (e.g., 'service account is disabled'), but the question does not indicate the account is disabled, and the most common issue is missing the `roles/iam.serviceAccountUser` role. Option D is wrong because if the service account did not exist, the error would be a 'not found' or 'does not exist' message, not a permissions-related failure; the question implies the account exists but the user lacks the necessary role to use it.

24
MCQeasy

Refer to the exhibit. After applying this IAM policy to a bucket, what access is granted?

A.Anyone authenticated with a Google account can list and read objects
B.No access is granted because the condition is missing
C.Only users in the same GCP project can read objects
D.Anyone on the internet can list and read objects
AnswerA

'allAuthenticatedUsers' includes all authenticated Google users.

Why this answer

The IAM policy grants the `roles/storage.objectViewer` role to `allAuthenticatedUsers`, which includes any identity authenticated with a Google account (including non-GCP accounts). The condition `resource.name.startsWith('projects/_/buckets/example-bucket/objects/public/')` restricts the grant to objects whose path starts with `public/`, so only those objects can be listed and read. This is why option A is correct.

Exam trap

Google Cloud often tests the distinction between `allUsers` (anyone on the internet, no authentication) and `allAuthenticatedUsers` (requires Google authentication), and candidates frequently confuse the two, thinking `allAuthenticatedUsers` means 'anyone' or 'same project only'.

How to eliminate wrong answers

Option B is wrong because the condition is present and valid; it does not cause the policy to be invalid or grant no access. Option C is wrong because `allAuthenticatedUsers` is not limited to users in the same GCP project; it includes any authenticated Google identity, such as Gmail or Google Workspace accounts. Option D is wrong because `allAuthenticatedUsers` does not include unauthenticated users (i.e., anyone on the internet); it requires authentication with a Google account.
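Questions 20, 22 and 24 all turn on reading an IAM policy correctly: which bindings grant a public principal, and how far a conditional binding reaches. The following added example (not code from the page or from Google) audits a bucket IAM policy in the JSON shape returned by `gcloud storage buckets get-iam-policy`, lists the bindings that grant `allUsers` or `allAuthenticatedUsers`, works out which principals can read a given object once conditions are applied, and produces the remediated policy with the `allUsers` binding removed. The bucket name, group address and object paths are constructed; the condition evaluator understands only the `resource.name.startsWith('<prefix>')` form used on this page and treats any other expression as matching, so the audit over-reports rather than under-reports.

```python
import json
import re

# Constructed sample in the shape of `gcloud storage buckets get-iam-policy --format=json`
# (bucket name, group address and the condition prefix are made up for this example).
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["group:storage-admins@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allAuthenticatedUsers"],
         "condition": {
             "title": "public-prefix-only",
             "expression": "resource.name.startsWith("
                           "'projects/_/buckets/example-bucket/objects/public/')"}},
    ],
})

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# The single CEL form this example evaluates: resource.name.startsWith('<prefix>').
_STARTS_WITH = re.compile(r"""^resource\.name\.startsWith\(\s*(['"])(.*?)\1\s*\)$""")


def condition_matches(expression, resource_name):
    """No condition, or an expression this audit cannot parse, counts as a match,
    so an unrecognised condition never hides a grant from the report."""
    if expression is None:
        return True
    m = _STARTS_WITH.match(expression.strip())
    if not m:
        return True
    return resource_name.startswith(m.group(2))


def public_bindings(policy_json):
    """(role, principal, condition expression or None) for every public grant."""
    policy = json.loads(policy_json)
    found = []
    for b in policy.get("bindings", []):
        cond = b.get("condition", {}).get("expression")
        for member in b.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((b["role"], member, cond))
    return found


def who_can_read(policy_json, resource_name):
    """Principals whose objectViewer binding reaches the named object."""
    policy = json.loads(policy_json)
    readers = set()
    for b in policy.get("bindings", []):
        if b["role"] != "roles/storage.objectViewer":
            continue
        cond = b.get("condition", {}).get("expression")
        if condition_matches(cond, resource_name):
            readers.update(b.get("members", []))
    return readers


def remediated(policy_json):
    """Policy with allUsers removed from every binding; bindings left with no
    members are dropped. Write this back with `gcloud storage buckets set-iam-policy`."""
    policy = json.loads(policy_json)
    kept = []
    for b in policy.get("bindings", []):
        members = [m for m in b.get("members", []) if m != "allUsers"]
        if members:
            b["members"] = members
            kept.append(b)
    policy["bindings"] = kept
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    public_obj = "projects/_/buckets/example-bucket/objects/public/readme.txt"
    internal_obj = "projects/_/buckets/example-bucket/objects/internal/plan.pdf"
    for role, principal, cond in public_bindings(SAMPLE_POLICY):
        print(f"PUBLIC GRANT: {principal} has {role}; condition={cond}")
    print("internal object readable by:", who_can_read(SAMPLE_POLICY, internal_obj))
    print("after remediation:", who_can_read(remediated(SAMPLE_POLICY), internal_obj))
    print("public/ prefix after remediation:", who_can_read(remediated(SAMPLE_POLICY), public_obj))
```

Before remediation the internal document is readable by `allUsers` (question 20's finding); the conditional `allAuthenticatedUsers` grant reaches only objects under `public/` (question 24). After `remediated` is applied the internal object has no public readers while the scoped `public/` grant is untouched. To keep the binding from coming back, also set `gcloud storage buckets update gs://BUCKET --public-access-prevention` on the bucket. The same `resource.name` mechanism is what question 22 relies on: a condition on a role binding narrows where the role takes effect without changing who holds it.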

25
MCQeasy

A user needs to view the list of firewall rules in a project but should not be able to create or modify them. Which predefined IAM role should you grant?

A.roles/editor
B.roles/compute.securityAdmin
C.roles/compute.viewer
D.roles/owner
AnswerC

Viewer provides read-only permissions for Compute Engine resources.

Why this answer

The roles/compute.viewer role grants read-only access to Compute Engine resources, including the ability to list firewall rules, without permitting create, update, or delete operations. This aligns with the principle of least privilege for a user who only needs to view firewall configurations.

Exam trap

Google Cloud often tests the distinction between roles/compute.viewer and roles/compute.securityAdmin, where candidates mistakenly choose securityAdmin thinking it is needed for viewing, but it actually grants full write access to firewall rules.

How to eliminate wrong answers

Option A is wrong because roles/editor grants full read/write access to all resources, including the ability to create and modify firewall rules, which exceeds the required permissions. Option B is wrong because roles/compute.securityAdmin specifically allows creating, modifying, and deleting firewall rules and SSL certificates, which is too permissive for a read-only requirement. Option D is wrong because roles/owner provides full administrative access to the project, including all IAM management and resource modifications, far beyond the needed view-only access.

26
MCQeasy

A junior developer needs read-only access to all GCP resources in a project. Which IAM role grants the minimum permissions required?

A.Editor
B.Owner
C.Viewer
D.Browser
AnswerC

Viewer grants read-only access to all project resources without any modification permissions — the correct minimum role for read-only access.

Why this answer

The Viewer role (roles/viewer) grants read-only access to all GCP resources in a project, including existing and future resources, without allowing any modifications. This is the minimum permissions required for read-only access, as it provides exactly the necessary permissions (e.g., resourcemanager.projects.get, storage.objects.list) without any write or administrative capabilities.

Exam trap

Google Cloud often tests the distinction between Viewer and Browser, where candidates mistakenly choose Browser thinking it is the minimal read-only role, but Browser only provides access to browse the project listing and not to read actual resource data.

How to eliminate wrong answers

Option A is wrong because the Editor role (roles/editor) includes all viewer permissions plus write permissions (e.g., to create, modify, or delete resources), which exceeds the minimum required for read-only access. Option B is wrong because the Owner role (roles/owner) includes all editor permissions plus the ability to manage IAM policies and billing, granting far more than read-only access. Option D is wrong because the Browser role (roles/browser) is a legacy role that provides read-only access to browse the project hierarchy but does not grant read access to all resources (e.g., it lacks permissions to read Compute Engine instances or Cloud Storage objects), making it insufficient for full read-only access.

27
Multi-Selectmedium

A company wants to allow developers to create Compute Engine instances with a specific set of persistent disk types (e.g., only pd-ssd). Which TWO methods can be used to enforce this? (Choose two.)

Select 2 answers
A.Organization policy with constraint compute.requireShieldedVm
B.VPC custom firewall rules
C.Organization policy with constraint compute.restrictDiskTypes
D.Service account permissions
E.IAM conditions on compute.instances.create
AnswersC, E

This constraint limits the allowed disk types.

Why this answer

Option C is correct because the `compute.restrictDiskTypes` organization policy constraint allows administrators to define a list of allowed persistent disk types (e.g., pd-ssd) at the project, folder, or organization level. When set, any Compute Engine instance creation request that specifies a disk type not on the allowed list will be denied by the policy engine, enforcing the restriction without requiring changes to individual IAM roles or scripts.

Exam trap

Google Cloud often tests the distinction between organization policy constraints (which enforce resource-level attributes like disk type) and IAM roles/permissions (which control whether an action is allowed), leading candidates to mistakenly choose service account permissions (Option D) instead of IAM conditions (Option E) for attribute-based restrictions.

28
Multi-Selecthard

Which THREE are valid ways to authenticate a user for gcloud commands? (Choose three.)

Select 3 answers
A.API key
B.OAuth2 access token
C.Application Default Credentials
D.Service account key file
E.IdP token
AnswersB, C, D

Used after 'gcloud auth login' or obtained via other means.

Why this answer

Option B is correct because an OAuth2 access token can be used to authenticate gcloud commands by passing it with the `--access-token-file` flag or via the `gcloud auth print-access-token` command. This token is obtained from an authorization server and provides temporary, scoped access to Google Cloud resources without requiring a long-lived credential like a service account key.

Exam trap

Google Cloud often tests the misconception that API keys are a valid authentication method for gcloud commands, but API keys only identify projects and are not accepted by gcloud for user or service account authentication.

29
MCQmedium

A developer creates a Cloud Storage bucket and sets a uniform bucket-level access policy. What is the implication?

A.Only object ACLs are used
B.Bucket permissions override object ACLs
C.Both bucket IAM and object ACLs are used
D.Object ACLs are disabled
AnswerD

UBLA disables object ACLs; all access is via bucket IAM.

Why this answer

When uniform bucket-level access is enabled on a Cloud Storage bucket, all access control is managed exclusively through IAM policies at the bucket level. Object ACLs are disabled, meaning individual object permissions cannot be set or evaluated. This ensures consistent access control across all objects in the bucket.

Exam trap

Google Cloud often tests the misconception that uniform bucket-level access 'overrides' or 'takes precedence over' object ACLs, when in fact it completely disables them, making any ACL-related operations invalid.

How to eliminate wrong answers

Option A is wrong because object ACLs are not used at all when uniform bucket-level access is enabled; they are disabled, not the sole mechanism. Option B is wrong because bucket IAM permissions do not 'override' object ACLs; instead, object ACLs are completely disabled and ignored. Option C is wrong because both bucket IAM and object ACLs are not used together; uniform bucket-level access disables object ACLs entirely.

30
MCQmedium

A Cloud Storage bucket contains sensitive PII data. You need to ensure that objects in this bucket are encrypted using a key that your security team controls, and that the key can be revoked if needed to render all data inaccessible. Which encryption option should you use?

A.Use Google-managed encryption keys (default).
B.Configure Customer-Managed Encryption Keys (CMEK) using Cloud KMS.
C.Enable Cloud Storage's built-in server-side encryption with AES-256.
D.Use Customer-Supplied Encryption Keys (CSEK) by embedding the key in each API request.
AnswerB

CMEK with Cloud KMS gives your security team full control: key creation, rotation, and revocation (disable/destroy). Disabling the KMS key renders all data encrypted with it inaccessible — cryptographic shredding.

Why this answer

Option B is correct because Customer-Managed Encryption Keys (CMEK) allow you to control and manage the key used for encrypting Cloud Storage objects via Cloud KMS. This enables key revocation, which immediately renders all data encrypted with that key inaccessible, meeting the security team's requirement for revocable control.

Exam trap

Google Cloud often tests the distinction between CMEK and CSEK, where candidates mistakenly choose CSEK thinking it gives more control, but CMEK is the only option that supports centralized key revocation without changing API call patterns.

How to eliminate wrong answers

Option A is wrong because Google-managed encryption keys (default) are controlled by Google, not your security team, and cannot be revoked by you. Option C is wrong because Cloud Storage's built-in server-side encryption with AES-256 is also Google-managed and does not provide customer-controlled key revocation. Option D is wrong because Customer-Supplied Encryption Keys (CSEK) require embedding the key in each API request, which does not allow centralized key management or revocation; the key is supplied per operation and not stored or managed by Cloud KMS.

31
MCQmedium

You need to ensure that Cloud DLP scans all data uploaded to a specific Cloud Storage bucket and redacts any Social Security Numbers (SSNs) before storing the data. Which Cloud DLP feature and trigger enables this pattern?

A.Enable Cloud DLP auto-redaction on the Cloud Storage bucket via the GCS settings.
B.Configure Pub/Sub notifications on the bucket to trigger a Cloud Function that calls Cloud DLP to redact SSNs before the file is readable.
C.Use Cloud DLP's scheduled inspection job to scan the bucket daily and flag SSNs.
D.Apply an org policy that prevents storing SSNs in Cloud Storage.
AnswerB

The standard pattern: GCS object notification → Pub/Sub → Cloud Function → DLP de-identify job (with SSN infoType + redaction transformation) → store redacted result. The original file can be quarantined or deleted.

Why this answer

Option B is correct because Cloud DLP cannot directly intercept and redact data at the point of upload to Cloud Storage. Instead, you must use Pub/Sub notifications on the bucket to trigger a Cloud Function, which calls the Cloud DLP API to inspect and redact SSNs before the file is stored or made readable. This pattern ensures redaction happens in near real-time as part of the upload pipeline.

Exam trap

Google Cloud often tests the misconception that Cloud DLP can be directly attached to a Cloud Storage bucket for automatic redaction, but in reality, you must orchestrate the inspection and redaction via an event-driven compute service like Cloud Functions.

How to eliminate wrong answers

Option A is wrong because Cloud Storage does not have a native 'auto-redaction' setting; Cloud DLP cannot be directly enabled on a bucket via GCS settings to perform real-time redaction. Option C is wrong because a scheduled inspection job only scans existing data periodically and does not redact data in real-time as it is uploaded, leaving a window where SSNs could be exposed. Option D is wrong because org policies cannot inspect or redact content within files; they only enforce structural constraints (e.g., location, encryption) and cannot prevent the storage of specific data patterns like SSNs.

32
MCQhard

Your security team wants to prevent any user or service account from creating firewall rules that allow ingress from `0.0.0.0/0` (the internet) to any VM in your organization. Which approach enforces this without requiring per-project IAM changes?

A.Grant IAM deny policies that prevent the `compute.firewalls.create` permission across the organization.
B.Apply a hierarchical firewall policy at the organization level with a deny rule for ingress from 0.0.0.0/0, set to take precedence over project rules.
C.Use Security Command Center to detect and alert when 0.0.0.0/0 firewall rules are created.
D.Set the `compute.skipDefaultNetworkCreation` org policy constraint across the organization.
AnswerB

Hierarchical firewall policies at the org level can deny specific traffic patterns before project-level rules are evaluated. A deny rule for 0.0.0.0/0 ingress blocks this traffic organization-wide regardless of project-level firewall rules.

Why this answer

Option B is correct because hierarchical firewall policies at the organization level can include a deny rule for ingress from `0.0.0.0/0` with a priority that takes precedence over any project-level firewall rules. This enforces the restriction globally without requiring per-project IAM changes, as the policy is inherited by all projects in the organization.

Exam trap

Google Cloud often tests the distinction between preventive controls (like hierarchical firewall policies) and detective controls (like Security Command Center alerts), leading candidates to choose a detection-based option when the question explicitly asks for enforcement.

How to eliminate wrong answers

Option A is wrong because denying the `compute.firewalls.create` permission across the organization would block all firewall rule creation, not just those allowing ingress from `0.0.0.0/0`, and it would require per-project IAM changes if not applied at the org level via deny policies. Option C is wrong because Security Command Center can only detect and alert on the creation of such rules, not prevent them; it is a detective control, not a preventive one. Option D is wrong because the `compute.skipDefaultNetworkCreation` org policy constraint only prevents the automatic creation of default networks, not the creation of firewall rules that allow ingress from `0.0.0.0/0`.

33
MCQhard

You are configuring Identity-Aware Proxy (IAP) for a web application running on Compute Engine. Users authenticate through IAP and are granted access based on their email addresses. However, some users report that they are prompted to sign in multiple times during the same session. What is the most likely cause?

A.The backend service is missing the IAP session cookie validation.
B.The users are accessing the application via different browsers.
C.The backend service does not support HTTPS.
D.The IAP session timeout is set too low.
AnswerD

IAP session timeout determines how long the authentication session lasts; a short timeout causes frequent prompts.

Why this answer

Option D is correct because IAP has a configurable session timeout; if it is set too low, users must re-authenticate frequently within the same session. Option C (HTTPS) is required for IAP but is not the cause of repeated prompts. Option B (different browsers) is not a common cause. Option A (cookie validation) is handled by IAP itself, not by the backend service.

34
MCQmedium

You need to allow a Cloud Function to write logs to Cloud Logging. The function uses a default service account. What IAM role should you grant to the service account?

A.roles/logging.logWriter
B.roles/cloudfunctions.serviceAgent
C.roles/logging.admin
D.roles/logging.viewer
AnswerA

This role allows writing log entries, appropriate for the function.

Why this answer

The Cloud Function's default service account needs the `roles/logging.logWriter` role to write logs to Cloud Logging. This role grants the `logging.logEntries.create` permission, which is the minimum required for writing log entries. Without it, the function cannot send logs to Logging, even though it may have other permissions.

Exam trap

Google Cloud often tests the distinction between the Cloud Functions service agent (used for internal orchestration) and the default compute service account (used by the function itself), causing candidates to mistakenly choose `roles/cloudfunctions.serviceAgent` for log writing.

How to eliminate wrong answers

Option B is wrong because `roles/cloudfunctions.serviceAgent` is a predefined role for the Cloud Functions service agent (a Google-managed service account), not for the function's default compute service account; it grants permissions for Cloud Functions to call other services, not to write logs. Option C is wrong because `roles/logging.admin` grants full administrative access to Logging, including deleting logs and configuring sinks, which is excessive and violates the principle of least privilege for a simple log-writing task. Option D is wrong because `roles/logging.viewer` only allows reading logs (via `logging.logEntries.list` and `logging.logs.list`), not writing them.

35
MCQmedium

A GKE Pod needs to call the Cloud Storage API. The team wants to avoid creating and managing service account key files. What is the recommended approach?

A.Mount a service account JSON key file as a Kubernetes Secret and set GOOGLE_APPLICATION_CREDENTIALS
B.Enable Workload Identity on the GKE cluster and bind a Kubernetes ServiceAccount to a GCP IAM ServiceAccount
C.Rely on the GKE node's Compute Engine service account for all Pod authentication
D.Grant the GKE node pool's service account the Storage Admin role to cover all Pod needs
AnswerB

Workload Identity allows Pods to authenticate to GCP APIs through the GKE metadata server, completely eliminating the need for service account key files.

Why this answer

Workload Identity is the recommended approach because it allows a Kubernetes ServiceAccount in GKE to authenticate as a GCP IAM ServiceAccount without managing or storing any service account key files. This eliminates the security risk of key leakage and simplifies credential rotation. By binding the Kubernetes ServiceAccount to a GCP IAM ServiceAccount, Pods can directly call Cloud Storage APIs using the IAM permissions of the linked service account, with automatic token exchange via the GKE metadata server.

Exam trap

Google Cloud often tests the misconception that the node's Compute Engine service account is sufficient for Pod-level authentication, but the trap here is that this approach lacks Pod-level identity isolation and violates least privilege, whereas Workload Identity provides a secure, keyless, and granular solution.

How to eliminate wrong answers

Option A is wrong because mounting a JSON key file as a Kubernetes Secret reintroduces the management and security burden of static keys, which the team explicitly wants to avoid, and violates the principle of keyless authentication. Option C is wrong because relying on the GKE node's Compute Engine service account grants the same permissions to all Pods on the node, violating the principle of least privilege and making it impossible to scope permissions per Pod. Option D is wrong because granting the node pool's service account the Storage Admin role is an overly permissive approach that also applies to all Pods on the node, and it still uses the node's identity rather than a Pod-specific identity, failing to provide fine-grained access control.

36
MCQmedium

A developer accidentally assigned the 'roles/editor' role to a user for a project. After revoking the role, the user still has permissions to modify resources. What is the most likely reason?

A.The user is a member of a group that still has editor role.
B.The user has been granted owner role through another binding.
C.The role revocation takes up to 24 hours to propagate.
D.The user has a more specific role that grants the same permissions.
AnswerA

Group membership persists after direct role revocation, so the user retains permissions via the group.

Why this answer

The most likely reason is that the user is a member of a Google Group that still has the 'roles/editor' role assigned at the project level. In Google Cloud IAM, permissions are inherited from group memberships, and revoking a role from a user directly does not remove permissions granted through group bindings. The user's effective permissions are the union of all roles assigned directly and indirectly via groups.

Exam trap

Google Cloud often tests the misconception that IAM changes have a propagation delay, but in Google Cloud, IAM policy updates are near-instantaneous, and the real cause of lingering permissions is almost always inherited access through groups or resource hierarchy.

How to eliminate wrong answers

Option B is wrong because if the user had been granted the 'roles/owner' role through another binding, they would have even broader permissions than editor, but the question states the user still has 'permissions to modify resources'—owner is a superset, but the scenario does not indicate the user has owner-level access (e.g., billing or project deletion). Option C is wrong because IAM role revocations in Google Cloud are effective within seconds, not up to 24 hours; the 24-hour propagation delay is a common misconception that applies to DNS changes, not IAM policy updates. Option D is wrong because a more specific role (e.g., a custom role with only modify permissions) would not grant the same broad 'modify resources' capability as the editor role unless it explicitly includes those permissions; the editor role is a predefined role with a wide set of permissions, and a more specific role would typically be narrower, not broader.

37
MCQmedium

A network security team wants to capture metadata about all TCP flows entering and leaving VMs in a specific subnet — source IP, destination IP, port, and bytes transferred — for security analysis. Which GCP feature collects this data?

A.Cloud Armor security policies with logging enabled
B.VPC Flow Logs enabled on the subnet
C.Cloud Packet Mirroring — captures all traffic for deep packet inspection
D.Firewall Rules Logging on each firewall rule
AnswerB

VPC Flow Logs record sampled flow metadata (source/destination IPs, ports, protocol, bytes) for all traffic in the subnet — sent to Cloud Logging for analysis or export.

Why this answer

VPC Flow Logs capture metadata (source/destination IP, port, protocol, bytes transferred) for all TCP (and UDP/ICMP) flows entering and leaving VM instances in a subnet. This feature is specifically designed for network monitoring and security analysis, recording flow-level logs without inspecting packet payloads. Enabling VPC Flow Logs on the subnet directly meets the requirement to collect the specified metadata for all TCP flows.

Exam trap

Google Cloud often tests the distinction between metadata-only logging (VPC Flow Logs) and full-packet capture (Cloud Packet Mirroring), causing candidates to mistakenly choose Packet Mirroring when only flow metadata is required.

How to eliminate wrong answers

Option A is wrong because Cloud Armor security policies with logging only log HTTP(S) requests that are evaluated against the policy, not all TCP flows at the subnet level, and they focus on application-layer traffic, not network flow metadata like bytes transferred. Option C is wrong because Cloud Packet Mirroring copies entire packets (including payloads) for deep packet inspection, which is overkill for metadata-only collection and incurs higher cost and complexity; it does not natively produce aggregated flow metadata. Option D is wrong because Firewall Rules Logging logs only connections that match a firewall rule (allow or deny), not all TCP flows in the subnet, and it records connection metadata but not bytes transferred per flow.

38
MCQhard

A public API receives global traffic but has been targeted by both volumetric DDoS attacks and SQL injection attempts in HTTP request parameters. Which single GCP service provides protection against both threats?

A.VPC firewall rules with deny rules for known attacker IPs
B.Cloud NAT to hide backend IP addresses
C.Cloud Armor security policies on the load balancer
D.Identity-Aware Proxy (IAP) to require authentication before accessing the API
AnswerC

Cloud Armor provides both volumetric DDoS protection at Google's global edge and WAF rules (including preconfigured OWASP protection for SQL injection) — addressing both attack types from a single service.

Why this answer

Cloud Armor security policies, when attached to a Google Cloud HTTPS Load Balancer, provide both Layer 7 DDoS protection (via pre-configured WAF rules like 'modsecurity-crs' to block SQL injection) and volumetric DDoS defense (via rate limiting and adaptive protection). This makes it the single GCP service that directly addresses both threats mentioned in the question.

Exam trap

Google Cloud often tests the distinction between network-layer security (VPC firewall rules) and application-layer security (Cloud Armor WAF), leading candidates to mistakenly choose VPC firewall rules because they think 'deny rules' can block attacks, but they cannot inspect HTTP payloads for SQL injection.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules operate at Layer 3/4 and cannot inspect HTTP request parameters for SQL injection patterns; they also rely on static IP deny lists, which are ineffective against volumetric DDoS attacks that use many distributed source IPs. Option B is wrong because Cloud NAT only provides outbound connectivity with source NAT for private instances and does not inspect or filter inbound HTTP traffic, so it cannot block SQL injection or DDoS attacks targeting the public API. Option D is wrong because Identity-Aware Proxy (IAP) enforces authentication and authorization at the application layer but does not provide any DDoS mitigation or SQL injection detection capabilities.

39
Multi-Selectmedium

A systems administrator needs to grant a group of external auditors read-only access to all resources in a GCP project, except for Cloud Storage buckets that contain sensitive data. The auditors should not be able to view the contents of those buckets. Which two IAM policies should the administrator implement? (Choose two.)

Select 2 answers
A.Assign the roles/viewer role at the project level.
B.Assign the roles/storage.objectViewer role at the project level.
C.Assign the roles/viewer role at the project level and create an IAM deny rule to deny storage.objects.list and storage.objects.get on the sensitive buckets.
D.Assign the roles/storage.admin role at the project level.
E.Assign the roles/storage.objectViewer role on the sensitive buckets with a deny condition.
AnswersA, C

The roles/viewer role provides read-only access to all resources, except for data access in some services.

Why this answer

Option A is correct because the roles/viewer role at the project level grants read-only access to all resources in the project, including Cloud Storage buckets, but it does not grant access to the objects within those buckets. This provides the auditors with the broad read-only access they need, except for the sensitive buckets where object-level access must be explicitly denied.

Exam trap

Google Cloud often tests the distinction between bucket-level and object-level permissions, and the trap here is that candidates mistakenly think roles/viewer alone blocks object access, when in fact it grants storage.objects.list and storage.objects.get, so an explicit deny rule is required to prevent viewing bucket contents.

40
MCQhard

Alice is trying to create a Pub/Sub topic in the us-east1 region using the gcloud command-line tool from her local machine. She has the roles/pubsub.editor role. The command fails with a permission denied error. What is the most likely cause?

A.The Pub/Sub API is not enabled for the project.
B.Alice does not have the roles/pubsub.editor role.
C.Alice lacks the iam.serviceAccounts.actAs permission on the Pub/Sub service account.
D.The IAM role assigned to Alice is conditional and only applies to resources in us-central1.
AnswerD

The condition in the binding restricts the role to resources with location 'us-central1', so creating a topic in us-east1 fails.

Why this answer

Option D is correct because the IAM policy shown in the exhibit includes a condition that restricts the pubsub.editor role to resources with location 'us-central1'. Since Alice is trying to create a topic in us-east1, the condition does not match and she is denied. Option A is incorrect because if the API were disabled, the error would be different. Option C is incorrect because the Pub/Sub API does not require the actAs permission; that is for service accounts. Option B is incorrect because 'roles/pubsub.editor' is an appropriate role for creating topics.

41
MCQmedium

A security audit found that several Cloud Storage buckets in your project have `allAuthenticatedUsers` in their IAM policy with `storage.objectViewer`. What does `allAuthenticatedUsers` grant, and why is it a security risk?

A.It grants access only to users within your Google Workspace domain — a minor risk if your domain is small.
B.It grants read access to any person with a Google account — effectively near-public access since Google accounts are free to create.
C.It grants access only to Google service accounts, which is acceptable since those are controlled.
D.It grants access to authenticated GCP users in your organization's IAM policy — this is normal for shared resources.
AnswerB

allAuthenticatedUsers means any Google account holder worldwide. Since Google accounts are free, this is nearly equivalent to public access and is inappropriate for internal data.

Why this answer

`allAuthenticatedUsers` is a special IAM member that includes any person authenticated with a Google account, regardless of whether they belong to your organization or domain. Granting `storage.objectViewer` to this group means anyone with a free Google account (e.g., Gmail) can list and read objects in the bucket, making the data effectively public. This is a significant security risk because it exposes sensitive data to a vast, uncontrolled audience.

Exam trap

Google Cloud often tests the distinction between `allAuthenticatedUsers` and `allUsers`, where candidates mistakenly think `allAuthenticatedUsers` is safe because it requires authentication, but the trap is that any Google account (free or otherwise) qualifies, making it nearly as risky as `allUsers` for sensitive data.

How to eliminate wrong answers

Option A is wrong because `allAuthenticatedUsers` is not restricted to a Google Workspace domain; it includes all Google account holders, not just domain users. Option C is wrong because `allAuthenticatedUsers` includes human users with Google accounts, not just service accounts; service accounts are covered by `allUsers` or specific service account emails. Option D is wrong because `allAuthenticatedUsers` is not limited to users in your organization's IAM policy; it encompasses any authenticated Google identity, including external users.
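Added example for questions 36 and 41 (not part of the question bank): a small Python audit that computes a principal's effective roles from an IAM policy, including roles that survive a direct revocation because a (possibly nested) Google Group still holds them, and that flags bindings granted to `allAuthenticatedUsers` or `allUsers`. The policy document, group membership and e-mail addresses are constructed sample values, not real accounts.

```python
"""Audit a Cloud IAM policy for lingering group-inherited access and
(near-)public grants. Constructed example; not Google's code."""
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of a `gcloud projects get-iam-policy`
# result, after the direct roles/editor binding for alice was revoked.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:alice@example.com"]},
        {"role": "roles/editor",
         "members": ["group:devs@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allAuthenticatedUsers",
                     "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    ]
}

# Constructed sample of Google Group membership (hypothetical groups); in
# practice this comes from the Cloud Identity Groups API or Directory API.
SAMPLE_GROUPS: Dict[str, Set[str]] = {
    "group:devs@example.com": {"user:alice@example.com",
                               "group:interns@example.com"},
    "group:interns@example.com": {"user:carol@example.com"},
}

# Special members that make a binding effectively public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def groups_of(member: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Return every group containing `member`, following nested groups."""
    found: Set[str] = set()
    frontier = [member]
    while frontier:
        current = frontier.pop()
        for group, members in groups.items():
            if current in members and group not in found:
                found.add(group)
                frontier.append(group)  # the group may itself be a member
    return found


def effective_roles(member: str, policy: dict,
                    groups: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map each role `member` holds to the binding members that grant it.

    A principal holds a role when a binding names it directly, names a group
    it belongs to (directly or nested), or names allUsers /
    allAuthenticatedUsers, which cover every Google identity.
    """
    principals = {member} | groups_of(member, groups) | PUBLIC_MEMBERS
    roles: Dict[str, List[str]] = {}
    for binding in policy["bindings"]:
        grantors = sorted(m for m in binding["members"] if m in principals)
        if grantors:
            roles.setdefault(binding["role"], []).extend(grantors)
    return roles


def roles_held_only_via_groups(member: str, policy: dict,
                               groups: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Roles that persist after a direct revocation because only groups grant them."""
    return {role: grantors
            for role, grantors in effective_roles(member, policy, groups).items()
            if all(g.startswith("group:") for g in grantors)}


def public_grants(policy: dict) -> List[Tuple[str, str]]:
    """List (role, member) pairs granted to allUsers or allAuthenticatedUsers."""
    return sorted((b["role"], m)
                  for b in policy["bindings"]
                  for m in b["members"] if m in PUBLIC_MEMBERS)


if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:carol@example.com"):
        print(who, "->", effective_roles(who, SAMPLE_POLICY, SAMPLE_GROUPS))
        print("  via groups only:",
              roles_held_only_via_groups(who, SAMPLE_POLICY, SAMPLE_GROUPS))
    print("public grants:", public_grants(SAMPLE_POLICY))
```

Running the block shows alice still holding roles/editor through group:devs@example.com after her direct binding was removed, and the allAuthenticatedUsers grant on roles/storage.objectViewer listed as a finding.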

42
Matchingmedium

Match each Google Cloud security term to its definition.

Matches

Key management service for encryption

Hardware security module for key storage

Security perimeters to prevent data exfiltration

Web application firewall and DDoS protection

Centralized security and risk management platform

Why these pairings

These services provide security controls in GCP.

43
MCQhard

A Cloud KMS key used to encrypt a Cloud Storage bucket's data is being destroyed. What happens to the data in the bucket when the KMS key is destroyed?

A.The data in Cloud Storage is automatically deleted along with the key.
B.The encrypted data becomes permanently inaccessible (cryptographic erasure) since the decryption key no longer exists.
C.Cloud Storage automatically re-encrypts the data using Google-managed keys as a fallback.
D.The key enters a 'disabled' state where data can still be decrypted by Google support.
AnswerB

Without the KMS key, the envelope encryption key protecting the data key cannot be unwrapped. The ciphertext in GCS is permanent but unreadable — effective data deletion without physical deletion.

Why this answer

When a Cloud KMS key is destroyed, the encrypted data in Cloud Storage becomes permanently inaccessible because the cryptographic key material is irrecoverably deleted. This is known as cryptographic erasure: without the key, the ciphertext cannot be decrypted, even though the raw encrypted bytes still exist in the bucket. Cloud Storage does not store a copy of the KMS key, and there is no fallback mechanism to re-encrypt or recover the data.

Exam trap

Google Cloud often tests the misconception that destroying a KMS key triggers automatic data deletion or that Google provides a fallback re-encryption mechanism, when in fact the data remains but is cryptographically erased and unrecoverable.

How to eliminate wrong answers

Option A is wrong because destroying the KMS key does not trigger automatic deletion of the encrypted data objects in Cloud Storage; the objects remain but are unreadable. Option C is wrong because Cloud Storage does not automatically re-encrypt data with Google-managed keys when a customer-managed KMS key is destroyed; the data remains encrypted with the destroyed key and is permanently inaccessible. Option D is wrong because key destruction is irreversible and does not enter a 'disabled' state; Google Support cannot decrypt data after a KMS key is destroyed, as the key material is permanently deleted and no backup exists.

44
MCQmedium

A team wants to grant a contractor the Storage Object Viewer role on a specific bucket path, but only during business hours (Monday–Friday, 9am–5pm local time). Which IAM feature supports these conditions?

A.IAM deny policies scoped to non-business hours
B.IAM Conditions on the role binding
C.VPC Service Controls with a time-based access policy
D.Cloud Scheduler removing and re-adding the IAM binding on a schedule
AnswerB

IAM Conditions allow adding time-based (date/time of day, day of week) and resource-based (resource name prefix) constraints directly to role bindings without modifying the broader IAM policy.

Why this answer

IAM Conditions allow you to define time-based constraints on role bindings using the `request.time` attribute. By setting a condition that restricts access to Monday–Friday, 9am–5pm, the contractor is granted the Storage Object Viewer role only during those hours. This is the native IAM feature designed for such fine-grained, attribute-based access control.

Exam trap

Google Cloud often tests the distinction between IAM Conditions (which are attribute-based and evaluated at runtime) and external scheduling mechanisms like Cloud Scheduler, leading candidates to mistakenly choose the latter as a 'valid' solution despite its lack of native IAM integration and potential for access gaps.

How to eliminate wrong answers

Option A is wrong because IAM deny policies are used to explicitly deny access regardless of other allow policies, but they cannot be scoped to non-business hours in a way that grants access during business hours; they would deny access at all times unless combined with an allow policy, which is not the intended use. Option C is wrong because VPC Service Controls are designed to protect data within a VPC service perimeter based on network context and identity, not to enforce time-based access conditions on IAM roles. Option D is wrong because Cloud Scheduler removing and re-adding IAM bindings on a schedule is an overly complex, error-prone workaround that introduces latency and potential race conditions; it is not an IAM feature and does not provide real-time conditional access.

45
MCQhard

A security team wants to ensure that a service account created for an application cannot create new service accounts or modify IAM policies within the project. Which IAM role restriction achieves this?

A.Grant the service account only the specific roles its application requires — omitting IAM admin roles
B.Create an IAM deny policy blocking iam.serviceAccounts.create and iam.projects.setIamPolicy for the service account
C.Set an organization policy constraint restricting service account creation to admin users only
D.Disable the IAM API for the project so service accounts cannot manage IAM
AnswerA

IAM permissions are additive — not granting `iam.serviceAccountAdmin` and `resourcemanager.projectIamAdmin` naturally prevents the service account from performing those actions. Least privilege is the approach.

Why this answer

Option A is correct because the principle of least privilege dictates that a service account should only be granted the specific roles required for its application's functionality. By deliberately omitting roles that include IAM administrative permissions (such as roles/iam.serviceAccountAdmin or roles/iam.serviceAccountUser with the iam.serviceAccounts.create permission, or roles/resourcemanager.projectIamAdmin), the service account is inherently restricted from creating new service accounts or modifying IAM policies. This approach avoids the complexity of deny policies and aligns with Google Cloud's recommended IAM best practices.

Exam trap

Google Cloud often tests the principle of least privilege by presenting complex alternatives like deny policies or organization constraints, but the simplest and most correct answer is to grant only the necessary roles, which inherently prevents unauthorized IAM administration.

How to eliminate wrong answers

Option B is wrong because IAM deny policies are a valid mechanism but they are not the most straightforward or recommended restriction for this scenario; they require careful management and can be circumvented if not applied at the correct hierarchy level, and the question asks for a restriction that 'achieves' the goal, implying a simpler, built-in approach. Option C is wrong because organization policy constraints (e.g., constraints/iam.disableServiceAccountCreation) apply to all principals in the organization, not specifically to a single service account, and they do not prevent the service account from modifying IAM policies. Option D is wrong because disabling the IAM API for the project would break all IAM operations, including those required by the application itself, making the service account and the application non-functional.

46
MCQmedium

A team enables OS Login on their GKE node pool. What does OS Login provide for SSH access to GKE nodes compared to the default metadata-based SSH key approach?

A.OS Login stores SSH keys in a Cloud KMS-managed keystore for enhanced encryption
B.OS Login links SSH access to IAM roles — access is centrally managed and revocable via IAM without updating VM metadata
C.OS Login automatically generates and rotates SSH key pairs every 24 hours
D.OS Login restricts SSH access to connections from specific IP ranges defined in Cloud Armor
AnswerB

OS Login replaces metadata SSH key management with IAM-based access control. Revoking IAM role immediately revokes SSH access — no per-VM key cleanup needed.

Why this answer

OS Login links SSH access to IAM roles, so access is centrally managed and revocable via IAM without updating VM metadata. This means you can grant or revoke SSH access to GKE nodes by assigning or removing IAM roles (e.g., roles/compute.osLogin) on user or service accounts, eliminating the need to manage SSH keys in instance metadata. This provides a more secure and auditable access control mechanism compared to the default metadata-based SSH key approach.

Exam trap

The trap here is that candidates often confuse OS Login with SSH key management in metadata, thinking it still requires manual key distribution, when in fact it delegates authentication entirely to IAM, making access fully revocable and auditable without metadata updates.

How to eliminate wrong answers

Option A is wrong because OS Login does not store SSH keys in a Cloud KMS-managed keystore; instead, it uses IAM-based authentication and generates temporary SSH keys that are not stored in KMS. Option C is wrong because OS Login does not automatically generate and rotate SSH key pairs every 24 hours; it generates a temporary key per session that is valid only for the duration of the SSH connection. Option D is wrong because OS Login does not restrict SSH access based on IP ranges defined in Cloud Armor; IP-based restrictions are handled separately via VPC firewall rules or Cloud Armor policies, not by OS Login.

47
MCQhard

A compliance requirement mandates that all VM-to-VM traffic within a GCP project must be encrypted in transit, even for internal VPC traffic. Which feature enforces this for Compute Engine?

A.Shielded VMs with Secure Boot enabled
B.VPC firewall rules denying all non-encrypted traffic
C.Mutual TLS (mTLS) enforced at the application layer between VMs
D.Enabling VPC Flow Logs on all subnets
AnswerC

GCP's VPC doesn't automatically encrypt VM-to-VM traffic. mTLS at the application layer (using certificate-based authentication) is the standard method to enforce encrypted communication between services.

Why this answer

Mutual TLS (mTLS) is the correct answer because it enforces encryption in transit for all VM-to-VM traffic within a GCP project, including internal VPC traffic, by requiring both sides to present certificates and establishing a TLS-encrypted session. GCP's internal mTLS feature, when enabled on a VPC network, automatically encrypts traffic between Compute Engine VMs using TLS 1.2 or higher, regardless of the application layer, ensuring compliance with encryption mandates without requiring application changes.

Exam trap

Google Cloud often tests the misconception that VPC firewall rules can enforce encryption, but candidates must remember that firewalls only filter traffic based on headers and cannot inspect or enforce encryption of the payload; mTLS is the only option that provides actual encryption in transit for internal VM-to-VM traffic.

How to eliminate wrong answers

Option A is wrong because Shielded VMs with Secure Boot protect against boot-level malware and ensure firmware integrity, but they do not encrypt VM-to-VM traffic in transit. Option B is wrong because VPC firewall rules control which traffic is allowed or denied based on IP addresses, ports, and protocols, but they cannot inspect or enforce encryption of the traffic payload; they only filter packets at the network layer. Option D is wrong because VPC Flow Logs capture metadata about network flows (e.g., source/destination IP, ports, packet count) for monitoring and troubleshooting, but they do not encrypt traffic or enforce encryption in transit.

48
MCQhard

A security team discovers that a service account key was accidentally committed to a public GitHub repository 48 hours ago. What should be the immediate steps to remediate this incident?

A.Rotate the service account key to generate a new one, keeping the old key active briefly for transition
B.Delete the leaked key immediately, audit Cloud Audit Logs for unauthorized activity using the key, then create a new key or switch to keyless authentication
C.Change the service account's display name and email to invalidate the leaked key
D.Remove all IAM roles from the service account to deny all actions until the investigation completes
AnswerB

Immediate key deletion removes the attacker's access. Audit logs reveal if the key was used maliciously. Creating a replacement key (or preferably switching to Workload Identity) restores the service.

Why this answer

Option B is correct because the immediate priority is to revoke the compromised key's access by deleting it, which invalidates it instantly. Auditing Cloud Audit Logs is essential to detect any unauthorized usage that occurred during the 48-hour exposure window. Finally, creating a new key or switching to keyless authentication (e.g., workload identity federation) restores secure access without relying on long-lived static credentials.

Exam trap

Google Cloud often tests the misconception that rotating a key (generating a new one while keeping the old active) is sufficient, but the trap is that the old key remains valid and must be explicitly deleted to fully remediate a public leak.

How to eliminate wrong answers

Option A is wrong because rotating the key while keeping the old key active briefly violates the principle of least privilege and leaves a window for attackers to continue using the leaked credential. Option C is wrong because changing the service account's display name or email does not invalidate the existing key; keys are tied to the service account's unique ID and remain valid until explicitly deleted or disabled. Option D is wrong because removing all IAM roles from the service account is an overly broad action that could break legitimate services, and it does not immediately revoke the leaked key's ability to authenticate; the key itself remains valid until deleted.

49
MCQ · easy

A company has a Compute Engine instance that needs to read files from a Cloud Storage bucket. The instance is running a custom application. What is the recommended way to grant the instance access to the bucket?

A. Generate a signed URL for the bucket and embed it in the application.
B. Create a service account with Storage Object Viewer role and associate it with the instance.
C. Use the default Compute Engine service account with Storage Admin role.
D. Store the bucket credentials in the instance metadata.
Answer: B

Service accounts are the recommended way to grant permissions to instances. This provides least privilege.

Why this answer

Option B is correct because associating a service account with a Compute Engine instance and granting it the Storage Object Viewer role is the recommended IAM-based approach for granting least-privilege access to Cloud Storage. The instance retrieves short-lived OAuth 2.0 access tokens from the metadata server, which the application can use to authenticate API calls without embedding long-lived credentials.

Exam trap

Google Cloud often tests the misconception that the default Compute Engine service account is appropriate for custom applications, when in fact it should be replaced with a dedicated service account with minimal roles to avoid over-permissioning and cross-instance credential sharing.

How to eliminate wrong answers

Option A is wrong because signed URLs provide time-limited access to specific objects, not ongoing read access to a bucket, and embedding them in an application requires manual rotation and exposes the URL in code. Option C is wrong because the default Compute Engine service account with Storage Admin role grants excessive permissions (including delete and update) and violates the principle of least privilege; the default account is also shared across instances in the project. Option D is wrong because storing bucket credentials in instance metadata is insecure—metadata is accessible to any process on the instance and can be exposed via the metadata server without authentication.

50
MCQ · medium

A Compute Engine VM with only a private IP address needs to download software updates from the internet (apt-get update). What must be configured in the VPC to enable outbound internet access for private VMs?

A. Enable Private Google Access on the subnet
B. Configure Cloud NAT on the VPC's Cloud Router for the subnet
C. Add an external IP address to the VM temporarily for the update, then remove it
D. Create a VPC firewall rule allowing egress to 0.0.0.0/0 on ports 80 and 443
Answer: B

Cloud NAT provides outbound internet connectivity for VMs with private IPs. It translates their private source IP to a shared NAT IP for external connections — enabling apt-get, pip, etc.

Why this answer

Cloud NAT (Network Address Translation) allows private VMs without external IP addresses to initiate outbound connections to the internet. It translates the VM's private IP to a public IP managed by Cloud NAT, enabling apt-get update to reach external repositories. This is the correct and scalable solution for outbound-only internet access from private instances.

Exam trap

Google Cloud often tests the distinction between Private Google Access (for Google APIs only) and Cloud NAT (for general internet access), leading candidates to mistakenly choose Private Google Access when the requirement is for outbound internet access to non-Google endpoints.

How to eliminate wrong answers

Option A is wrong because Private Google Access only enables VMs with private IPs to reach Google APIs and services (e.g., Cloud Storage, BigQuery) via Google's internal network, not general internet destinations like apt repositories. Option C is wrong because temporarily adding an external IP is a manual, non-scalable workaround that violates the requirement for a persistent configuration and exposes the VM to inbound traffic. Option D is wrong because a firewall rule allowing egress to 0.0.0.0/0 on ports 80 and 443 only permits the traffic to leave the VPC; without Cloud NAT or an external IP, the packets have no routable source address and will be dropped by the internet gateway.

51
MCQ · hard

You need to audit all IAM policy changes in your project. You want to ensure that every change is logged with the identity of the user who made the change. Which type of audit log should you enable?

A. Data Access audit logs
B. Admin Activity audit logs
C. Policy Denied audit logs
D. System Event audit logs
Answer: B

These logs capture all administrative actions, including IAM policy modifications.

Why this answer

Admin Activity audit logs (also known as Cloud Audit Logs) record all API calls that modify the configuration or metadata of resources, including IAM policy changes. These logs capture the identity of the user who made the change, the time of the change, and the specific modification, ensuring full accountability for administrative actions.

Exam trap

Google Cloud often tests the distinction between Admin Activity and Data Access logs, where candidates mistakenly choose Data Access logs because they think 'all changes' include data modifications, but IAM policy changes are administrative, not data-level, operations.

How to eliminate wrong answers

Option A is wrong because Data Access audit logs record API calls that read or modify user-provided data (e.g., reading a Cloud Storage object), not configuration changes like IAM policies. Option C is wrong because Policy Denied audit logs only log access attempts that are denied by IAM policies, not the changes to the policies themselves. Option D is wrong because System Event audit logs capture non-user-initiated events such as system maintenance or resource lifecycle events, not user-driven IAM policy modifications.

52
Multi-Select · easy

A company wants to ensure that only users from a specific domain (@example.com) can access Cloud Storage buckets in a project. Which two steps should be taken? (Choose two.)

Select 2 answers
A. Use VPC Service Controls to restrict access.
B. Enable domain restricted sharing in Cloud Storage settings.
C. Set an organization policy to restrict allowed domains for IAM.
D. Add an IAM condition to the bucket policy to require that the user's domain is @example.com.
E. Grant access to the bucket to a Cloud Identity group that only includes @example.com users.
Answers: C, E

The `iam.allowedPolicyMemberDomains` policy restricts which domains can be granted roles.

Why this answer

Option C is correct because the organization policy constraint `iam.allowedPolicyMemberDomains` restricts which domains can be used as members in IAM policies across the entire project. This ensures that only principals from @example.com can be granted access to any resource, including Cloud Storage buckets. Option E is correct because a Cloud Identity group containing only @example.com users can be granted IAM roles on the bucket, and membership in the group is controlled by the domain, effectively limiting access to that domain.

Exam trap

Google Cloud often tests the distinction between organization policies (which enforce constraints globally at the resource hierarchy level) and IAM conditions (which are per-binding and evaluated at access time), leading candidates to incorrectly choose IAM conditions as a domain restriction mechanism.

53
MCQ · hard

Your organization uses VPC Service Controls to protect BigQuery and Cloud Storage. A data pipeline service account needs to read from a protected Cloud Storage bucket and write results to a protected BigQuery dataset. Both resources are in the same perimeter. The service account is outside the perimeter (it runs in a Cloud Run service in a different project). How do you grant the pipeline access?

A. Add the Cloud Run project to the VPC Service Controls perimeter.
B. Create an Ingress Rule in the VPC-SC perimeter that allows the service account from the external project to access the specific BigQuery and Storage resources.
C. Grant the service account `roles/bigquery.admin` and `roles/storage.admin` to bypass the perimeter restrictions.
D. Move the Cloud Run service into a VPC and set up VPC peering to the perimeter VPC.
Answer: B

Ingress rules in VPC Service Controls allow fine-grained external access: specify the source identity (SA), source project, and which services/resources can be accessed inside the perimeter.

Why this answer

Option B is correct because VPC Service Controls (VPC-SC) allow you to define ingress rules that grant access to protected resources from identities outside the perimeter. In this scenario, the service account running in Cloud Run is outside the perimeter, so an ingress rule must explicitly permit that service account to access the specific BigQuery dataset and Cloud Storage bucket. This approach maintains the security boundary while enabling the required data pipeline access.

Exam trap

Google Cloud often tests the misconception that IAM roles can override VPC Service Controls, but the trap here is that VPC-SC operates independently of IAM and requires explicit ingress or egress rules for cross-perimeter access.

How to eliminate wrong answers

Option A is wrong because adding the entire Cloud Run project to the VPC-SC perimeter would extend the security boundary to include all resources in that project, which is overly permissive and may violate security policies. Option C is wrong because granting `roles/bigquery.admin` and `roles/storage.admin` does not bypass VPC-SC restrictions; VPC-SC enforces access controls at the network layer, and IAM roles alone cannot override perimeter boundaries. Option D is wrong because moving the Cloud Run service into a VPC and setting up VPC peering does not address VPC-SC restrictions; VPC peering operates at the network level and does not grant access to resources protected by VPC-SC.

54
MCQ · medium

You want to allow a vendor to upload files to a specific Cloud Storage bucket in your project without creating a GCP account for them. The upload URL should expire after 24 hours. Which mechanism should you use?

A. Create a GCP service account for the vendor and share the key JSON file.
B. Generate a Signed URL with a 24-hour expiration for the specific bucket path.
C. Make the Cloud Storage bucket publicly writable and share the bucket URL.
D. Add the vendor's email to the bucket's IAM policy with Storage Object Creator role.
Answer: B

Signed URLs provide authenticated, time-limited, no-account-required access to Cloud Storage. The vendor can upload directly using the URL until expiration.

Why this answer

Option B is correct because a signed URL allows time-limited, permissionless access to a specific Cloud Storage object or bucket path without requiring a GCP identity. The URL is cryptographically signed using a service account key, and the 24-hour expiration is set via the `expires` parameter. This meets the requirement of allowing the vendor to upload files without creating a GCP account.

Exam trap

Google Cloud often tests the distinction between identity-based access (IAM) and resource-based access (signed URLs), and the trap here is that candidates may confuse adding an email to IAM (which still requires a Google identity) with the truly identity-free, time-limited access provided by a signed URL.

How to eliminate wrong answers

Option A is wrong because creating a GCP service account and sharing the key JSON file effectively gives the vendor a GCP identity, which contradicts the requirement of not creating a GCP account for them; it also introduces long-term credential management risks. Option C is wrong because making the bucket publicly writable allows anyone on the internet to upload files indefinitely, which violates the 24-hour expiration requirement and poses a severe security risk. Option D is wrong because adding the vendor's email to the bucket's IAM policy requires the vendor to have a GCP account (or a Google account) to authenticate, which directly contradicts the requirement of not creating a GCP account for them.

55
MCQ · medium

A security team wants to centrally identify misconfigured GCP resources across their organization — such as publicly accessible Cloud Storage buckets, unencrypted disks, and overly permissive firewall rules. Which GCP service provides these findings?

A. Cloud Asset Inventory — query for all resources and write custom checks
B. Security Command Center (SCC) with Security Health Analytics enabled
C. Cloud Monitoring alert policies with metric conditions for firewall rule changes
D. Cloud Logging audit log analysis for admin activity changes
Answer: B

SCC's Security Health Analytics automatically detects and reports security misconfigurations across GCP resources at the organization level — including public buckets, insecure firewall rules, and more.

Why this answer

Security Command Center (SCC) with Security Health Analytics enabled is the correct service because it provides built-in, automated scanning for common misconfigurations such as publicly accessible Cloud Storage buckets, unencrypted disks, and overly permissive firewall rules. Security Health Analytics uses a set of pre-defined detectors (e.g., `PUBLIC_BUCKET_ACL`, `DISK_ENCRYPTION_DISABLED`, `FIREWALL_RULE_OPEN`) to continuously assess resources and surface findings in the SCC dashboard, without requiring custom code or manual queries.

Exam trap

The trap here is that candidates often confuse Cloud Asset Inventory's ability to list all resources with the ability to automatically detect misconfigurations, when in reality it only provides raw resource metadata and requires custom logic to identify security issues.

How to eliminate wrong answers

Option A is wrong because Cloud Asset Inventory is a metadata and history service for querying resource snapshots and changes, but it does not have built-in detectors for security misconfigurations; it requires writing custom checks or exporting data to other tools to identify issues like public buckets or unencrypted disks. Option C is wrong because Cloud Monitoring alert policies with metric conditions can notify on firewall rule changes (e.g., via metric `firewall_rule_count`), but they cannot directly detect the misconfiguration (e.g., overly permissive rules) — they only react to change events, not assess the security posture of the rule itself. Option D is wrong because Cloud Logging audit log analysis for admin activity changes can track who changed a firewall rule or bucket ACL, but it does not evaluate whether the resulting configuration is insecure (e.g., public access or missing encryption); it provides an audit trail, not a security assessment.

56
MCQ · easy

A developer accidentally grants the Owner role to a test service account on the production project. The team wants to remove only this specific IAM binding without affecting other members' access. Which gcloud command achieves this?

A. `gcloud projects set-iam-policy [PROJECT] --member=serviceAccount:[SA] --role=roles/owner`
B. `gcloud projects remove-iam-policy-binding [PROJECT] --member=serviceAccount:[SA_EMAIL] --role=roles/owner`
C. `gcloud iam remove-binding --project=[PROJECT] --member=[SA] --role=owner`
D. `gcloud projects delete-member [PROJECT] --member=serviceAccount:[SA_EMAIL]`
Answer: B

`remove-iam-policy-binding` removes the specified member+role binding atomically without affecting any other bindings in the policy.

Why this answer

Option B is correct because `gcloud projects remove-iam-policy-binding` is the precise command to remove a single IAM binding (member-role pair) from a project's policy without affecting other bindings. It takes the project ID, member (service account email), and role as parameters, ensuring only the specified binding is removed. This command modifies the existing policy by removing only that specific entry, leaving all other IAM bindings intact.

Exam trap

Google Cloud often tests the distinction between commands that modify the entire policy (`set-iam-policy`) versus those that surgically remove a single binding (`remove-iam-policy-binding`), and candidates may confuse the valid command syntax or assume a generic `remove-binding` subcommand exists.

How to eliminate wrong answers

Option A is wrong because `gcloud projects set-iam-policy` replaces the entire IAM policy for the project with a new policy file; it does not remove a single binding and would overwrite all existing permissions if used incorrectly. Option C is wrong because `gcloud iam remove-binding` is not a valid gcloud command; the correct verb is `remove-iam-policy-binding` under the `projects` resource, and the role flag should be `roles/owner` not `owner`. Option D is wrong because `gcloud projects delete-member` is not a valid gcloud command; there is no such subcommand for removing a member from a project.

57
MCQ · medium

A Cloud Run service needs to read secrets from Secret Manager. The service is deployed with a custom runtime service account. Which IAM role should be granted to the runtime service account, and on which resource?

A. Grant `roles/secretmanager.admin` on the project.
B. Grant `roles/secretmanager.secretAccessor` on the specific secret resource.
C. Grant `roles/viewer` on the project.
D. Grant `roles/secretmanager.secretVersionManager` on the secret.
Answer: B

secretAccessor on the specific secret resource grants exactly the `secretmanager.versions.access` permission needed to read the secret value, scoped to that one secret only.

Why this answer

The principle of least privilege dictates that the runtime service account should only have the minimum permissions required to access the specific secret. The `roles/secretmanager.secretAccessor` role provides exactly the `secretmanager.versions.access` permission needed to read the secret value, and granting it on the specific secret resource (rather than the project) scopes the permission to that secret only, preventing broader access.

Exam trap

Google Cloud often tests the principle of least privilege by offering broad project-level roles (like `roles/secretmanager.admin`) as distractors, tempting candidates to grant excessive permissions instead of scoping the role to the specific secret resource.

How to eliminate wrong answers

Option A is wrong because `roles/secretmanager.admin` grants full administrative control over all secrets in the project, including creating, updating, and deleting secrets, which violates the principle of least privilege and is unnecessary for a service that only needs to read a secret. Option C is wrong because `roles/viewer` is a basic role that provides read-only access to many Google Cloud resources but does not include the specific `secretmanager.versions.access` permission required to read the secret value from Secret Manager. Option D is wrong because `roles/secretmanager.secretVersionManager` includes permissions to manage secret versions (e.g., add, disable, destroy), which is excessive for a service that only needs to read the secret value.

58
MCQ · easy

Your company recently migrated to GCP and you are the new cloud administrator. You need to ensure that only specific members of the DevOps team can perform administrative actions on Compute Engine instances, such as starting, stopping, and resetting instances, but not creating or deleting them. You also want to prevent them from modifying firewall rules or other network settings. The team consists of 10 members. You have already created a custom role with the necessary permissions and assigned it to a Google Group that contains all team members. However, you receive a report that a team member was able to accidentally delete a production instance. Upon investigation, you find that the team member had been granted the roles/compute.instanceAdmin role in addition to your custom role by another administrator. What should be the best course of action to prevent this from happening again while still allowing the team to perform their intended tasks?

A. Remove the compute.instanceAdmin role from the team member and audit all user assignments for role conflicts.
B. Create an organization policy to block deletion of compute instances.
C. Remove the custom role from the team member and keep only the compute.instanceAdmin role.
D. Use IAM conditions on the custom role to enforce that instances can only be stopped during business hours.
Answer: A

This removes the unintended permission and prevents similar issues by auditing.

Why this answer

Option A is correct because the core issue is that the team member had an additional, more permissive role (roles/compute.instanceAdmin) that overrode the restrictions of your custom role. Removing that conflicting role from the specific user and auditing all assignments ensures that only the intended permissions are applied, preventing accidental deletions while preserving the team's ability to start, stop, and reset instances.

Exam trap

Google Cloud often tests the misconception that you can simply 'block' a specific action (like deletion) via a policy or condition, rather than understanding that IAM permissions are additive and the only way to prevent an action is to remove the role that grants it.

How to eliminate wrong answers

Option B is wrong because an organization policy to block deletion of compute instances would prevent all users, including legitimate administrators, from deleting instances, which is overly restrictive and does not address the root cause of conflicting role assignments. Option C is wrong because removing the custom role and keeping only compute.instanceAdmin would grant the team full administrative access, including the ability to create and delete instances and modify firewall rules, which directly violates the requirement to restrict those actions. Option D is wrong because IAM conditions that restrict stopping instances to business hours do not prevent deletion; they address a different constraint and do not resolve the conflict between the custom role and the compute.instanceAdmin role.

59
Multi-Select · easy

A developer wants to configure a firewall rule to allow HTTP traffic from the internet to a specific Compute Engine instance tagged 'web-server'. Which TWO conditions must be true? (Choose two.)

Select 2 answers
A. The instance must have a public IP address
B. The firewall rule must be of type ingress
C. The firewall rule must be applied to the VPC network
D. The firewall rule must have a target tag of 'web-server'
E. The firewall rule must specify the source IP range 0.0.0.0/0
Answers: B, D

Incoming traffic requires an ingress rule.

Why this answer

Option B is correct because an ingress firewall rule controls incoming traffic to instances. Since the developer wants to allow HTTP traffic from the internet to reach the instance, the rule must be of type ingress to permit inbound connections on port 80.

Exam trap

Google Cloud often tests the misconception that a public IP address is required for internet traffic, but in Google Cloud, traffic can reach instances via Cloud NAT or load balancers without a public IP, and the firewall rule only needs to allow the traffic, not require the instance to have a public IP.

60
MCQ · medium

A DevOps engineer creates a service account for a CI/CD pipeline. The pipeline needs to push container images to Artifact Registry. Which role grants the minimum required permission?

A. Artifact Registry Administrator
B. Artifact Registry Writer
C. Storage Object Creator on the underlying Cloud Storage bucket
D. Artifact Registry Reader
Answer: B

Artifact Registry Writer grants the minimum permissions to push (write) artifacts to existing Artifact Registry repositories — the appropriate role for CI/CD pipelines.

Why this answer

Option B is correct because the Artifact Registry Writer role provides the minimal permissions needed to push container images to Artifact Registry, specifically the `artifactregistry.writer` permission. This role allows writing artifacts without granting broader administrative or read-only access, aligning with the principle of least privilege.

Exam trap

Google Cloud often tests the misconception that Artifact Registry is just a wrapper around Cloud Storage, leading candidates to choose Storage Object Creator, but in reality, Artifact Registry uses its own IAM roles and does not expose the underlying bucket for direct permission assignment.

How to eliminate wrong answers

Option A is wrong because Artifact Registry Administrator grants full control over all Artifact Registry resources, including deletion and permission management, which is excessive for a CI/CD pipeline that only needs to push images. Option C is wrong because Artifact Registry does not expose its underlying Cloud Storage bucket directly; permissions must be managed through Artifact Registry roles, not Storage Object Creator, which would not work due to the service's abstraction layer. Option D is wrong because Artifact Registry Reader only allows reading and listing artifacts, not writing or pushing new images.

61
Multi-Select · medium

You are configuring a VPC with multiple subnets. You need to allow traffic from the internet to a specific instance on port 80, but only if the traffic originates from a set of known IP addresses. Which three resources must be configured? (Choose three.)

Select 3 answers
A. A load balancer with Cloud Armor.
B. A route to the internet gateway.
C. A reserved external IP address for the instance.
D. A Cloud Router.
E. A firewall rule allowing ingress from the IP range to the instance on port 80.
Answers: A, C, E

Cloud Armor can provide IP whitelisting and DDoS protection at the load balancer.

Why this answer

Option A is correct because Cloud Armor is a web application firewall that can be attached to a load balancer to allow or deny traffic based on IP address ranges. This enables you to restrict inbound HTTP traffic on port 80 to only the known IP addresses, while the load balancer distributes traffic to the instance. Without Cloud Armor, a load balancer alone cannot filter by source IP; it relies on backend firewall rules or Cloud Armor policies for such granular access control.

Exam trap

Google Cloud often tests the misconception that a route to the internet gateway alone is sufficient to control inbound traffic, but routes only define the path, not the access policy; you must explicitly configure firewall rules or Cloud Armor to restrict source IPs.

62
MCQ · easy

You want to ensure that all Cloud Storage buckets in your organization require customer-managed encryption keys (CMEK). What is the most efficient way to enforce this?

A. Use Cloud Audit Logs to monitor for non-compliant buckets.
B. Create an Organization Policy with constraint 'storage.requireCustomerManagedEncryption'.
C. Use a service account to encrypt all objects with CMEK.
D. Set a bucket policy on each bucket to require CMEK.
Answer: B

Organization Policy can enforce CMEK requirement on all buckets in the organization.

Why this answer

Option B is correct because the Organization Policy constraint 'storage.requireCustomerManagedEncryption' is a centralized, scalable way to enforce CMEK across all Cloud Storage buckets in the organization. This policy is applied at the organization or folder level and automatically prevents the creation of new buckets without CMEK, while also blocking updates to existing non-compliant buckets. It is the most efficient method as it requires no per-bucket configuration or ongoing monitoring.

Exam trap

Google Cloud often tests the distinction between monitoring (Audit Logs) and enforcement (Organization Policies), and the trap here is that candidates may think monitoring is sufficient for compliance, when in fact only a proactive policy constraint can prevent non-compliant resources from being created.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs only provide post-hoc visibility into bucket creation and configuration changes; they do not enforce or prevent non-compliant buckets from being created. Option C is wrong because using a service account to encrypt objects with CMEK does not enforce the requirement at the bucket level—objects can still be uploaded with Google-managed encryption keys if the service account is not used, and it does not prevent creation of buckets without CMEK. Option D is wrong because setting a bucket policy on each bucket is not scalable and does not prevent the creation of new buckets without CMEK; it also requires manual or scripted application to every existing and future bucket, which is inefficient and error-prone.

63
MCQ · medium

Two GCP projects, A and B, have VPC peering configured. Project A is peered with B, and Project B is peered with Project C. Can VMs in Project A reach VMs in Project C through Project B?

A. Yes — VPC peering automatically enables transitive routing through intermediate peered networks
B. No — VPC peering is non-transitive; A and C must be directly peered to communicate
C. Yes — if Project B has IP forwarding enabled, it acts as a router between A and C
D. It depends on the firewall rules in Project B's VPC
Answer: B

VPC peering in GCP does not support transitive routing. Project A's peering with B gives A access to B's VPC only — not to networks B is peered with (like C).

Why this answer

Option B is correct because VPC peering in Google Cloud is non-transitive. This means that if Project A is peered with Project B and Project B is peered with Project C, traffic from Project A cannot flow through Project B to reach Project C. Each peering connection is a direct, point-to-point link, and there is no routing of traffic across multiple peered networks unless explicitly configured with a separate mechanism like a VPN or a third-party appliance.

Therefore, VMs in Project A and Project C must be directly peered to communicate.

Exam trap

Google Cloud often tests the misconception that VPC peering behaves like a traditional router or switch, where traffic can be forwarded through intermediate networks, but in Google Cloud, VPC peering is strictly non-transitive, and candidates must remember that direct peering is required for communication between non-adjacent VPCs.

How to eliminate wrong answers

Option A is wrong because VPC peering does not automatically enable transitive routing; it is explicitly non-transitive by design in Google Cloud, and traffic cannot hop through an intermediate peered network. Option C is wrong because IP forwarding on instances in Project B does not enable transitive routing across VPC peering; IP forwarding is used for instances acting as routers or NAT gateways, but VPC peering itself does not support transitive routing regardless of IP forwarding settings. Option D is wrong because the issue is not about firewall rules; even if firewall rules in Project B allow all traffic, the fundamental non-transitive nature of VPC peering prevents communication between A and C through B.

64
MCQ · hard

You are enabling OS Login for a GCP project to manage SSH access to Compute Engine VMs. A developer cannot SSH to a VM despite having `roles/compute.osLogin` granted. The VM has OS Login enabled. What is the most likely missing configuration?

A. The developer needs `roles/compute.instanceAdmin` in addition to `roles/compute.osLogin`.
B. The VM metadata `enable-oslogin` is not set to `TRUE` at the VM or project level.
C. The developer must generate an SSH key pair and upload the public key to the VM's authorized_keys.
D. The developer's account needs `roles/iam.serviceAccountTokenCreator` to authenticate via SSH.
Answer: B

OS Login is enabled by setting `enable-oslogin=TRUE` in instance or project metadata. Without this metadata key, OS Login is not active on the VM even if the IAM role is granted.

Why this answer

Option B is correct because OS Login requires the VM or project metadata key `enable-oslogin` to be set to `TRUE`. Even if the user has the `roles/compute.osLogin` role, OS Login will not function if this metadata is missing or set to `FALSE`. The metadata enables the OS Login agent on the VM to authenticate users via IAM permissions rather than local SSH keys.

Exam trap

The trap here is that candidates assume granting the IAM role `roles/compute.osLogin` is enough, but they overlook the mandatory metadata flag `enable-oslogin=TRUE` that must be set at the project or VM level to activate the OS Login feature.

How to eliminate wrong answers

Option A is wrong because `roles/compute.instanceAdmin` grants broader management permissions (e.g., start/stop VMs) but is not required for SSH access via OS Login; `roles/compute.osLogin` alone is sufficient when OS Login is enabled. Option C is wrong because OS Login replaces the need for managing SSH keys in `authorized_keys`; authentication is handled by IAM and the OS Login service, not by uploading public keys to the VM. Option D is wrong because `roles/iam.serviceAccountTokenCreator` is used to generate OAuth2 tokens for service accounts, not for SSH authentication; OS Login uses IAM roles and the OS Login API to authorize SSH connections.

65
MCQmedium

Your organization mandates that all service-to-service communication within a GKE cluster must be encrypted in transit using mutual TLS (mTLS). The team does not want to manage certificates or modify application code. Which solution meets these requirements?

A. Configure Kubernetes TLS Secrets and mount them as volumes in each pod.
B. Enable Anthos Service Mesh with mTLS policy set to STRICT mode.
C. Use Cloud Armor to enforce TLS between services within the cluster.
D. Enable GKE node-to-node encryption to encrypt all traffic between nodes.
Answer: B

ASM (based on Istio) injects Envoy sidecars that handle mTLS automatically. In STRICT mode, all service-to-service communication requires mTLS. No application code changes needed — the sidecar handles everything.

Why this answer

Anthos Service Mesh (ASM) with mTLS set to STRICT mode enforces mutual TLS between all services in the mesh without requiring any application code changes or manual certificate management. ASM automatically injects Envoy sidecar proxies that handle certificate issuance, rotation, and encryption, meeting the requirement for encrypted service-to-service communication with mTLS.

Exam trap

Google Cloud often tests the distinction between network-layer encryption (node-to-node) and application-layer mTLS (service-to-service), leading candidates to mistakenly choose node-to-node encryption as a solution for service-level mTLS requirements.

How to eliminate wrong answers

Option A is wrong because mounting Kubernetes TLS Secrets as volumes requires manual certificate management and application code changes to load and use the certificates, which violates the 'do not want to manage certificates or modify application code' requirement. Option C is wrong because Cloud Armor is a web application firewall that protects external HTTP(S) traffic at the edge of the GKE cluster, not internal service-to-service traffic within the cluster. Option D is wrong because GKE node-to-node encryption encrypts traffic between nodes at the network layer (IPsec), not at the application layer between individual pods/services, and does not provide mutual TLS authentication between services.

66
MCQeasy

Which GCP service protects internet-facing applications against SQL injection, cross-site scripting (XSS), and other OWASP Top 10 attacks?

A. Cloud Firewall (VPC firewall rules)
B. Cloud Armor WAF with preconfigured OWASP Core Rule Set
C. Security Command Center's Web Security Scanner
D. Cloud Identity-Aware Proxy (IAP)
Answer: B

Cloud Armor's WAF feature includes preconfigured rules for OWASP Top 10 attacks. These rules inspect HTTP request content and block malicious patterns at the load balancer edge.

Why this answer

Cloud Armor WAF with the preconfigured OWASP Core Rule Set (CRS) is specifically designed to protect internet-facing applications from web application attacks, including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats. It operates at the edge of Google's network, inspecting HTTP/HTTPS traffic against a set of rules that match known attack patterns, and can be integrated with Cloud Load Balancing to filter malicious requests before they reach the backend.

Exam trap

Google Cloud often tests the distinction between a WAF that inspects application-layer payloads (Cloud Armor) and network-layer firewalls (VPC firewall rules) or identity-based access controls (IAP), leading candidates to confuse perimeter security with application-layer protection.

How to eliminate wrong answers

Option A is wrong because Cloud Firewall (VPC firewall rules) operates at the network layer (L3/L4) and cannot inspect application-layer payloads such as SQL injection or XSS strings; it only filters based on IP addresses, ports, and protocols. Option C is wrong because Security Command Center's Web Security Scanner is a vulnerability scanning tool that identifies security flaws in web applications, not a real-time protection service that blocks attacks in transit. Option D is wrong because Cloud Identity-Aware Proxy (IAP) provides access control based on identity and context, but it does not inspect or filter HTTP request payloads for malicious content like SQL injection or XSS.

67
MCQhard

A company's security team wants to enforce that all service account keys in production projects are rotated every 30 days and prevent creation of keys that never expire. Which single solution should they implement?

A. Use Cloud Audit Logs to detect keys older than 30 days and manually delete them.
B. Set the organization policy constraint `iam.disableServiceAccountKeyCreation`.
C. Set the organization policy constraint `iam.restrictServiceAccountKeyExpiryHours` to 720 hours and use the Service Account Key Manager to schedule automatic rotation.
D. Use IAM conditions to require that key creation only succeeds if an expiration time is set.
Answer: C

The constraint enforces maximum key lifetime, and the Key Manager can rotate keys automatically, ensuring rotation without manual effort.

Why this answer

Option C is correct because the organization policy constraint `iam.restrictServiceAccountKeyExpiryHours` enforces a maximum key lifetime (720 hours = 30 days), and the Service Account Key Manager can automate rotation before expiry. This combination ensures all service account keys are rotated every 30 days and prevents creation of keys that never expire, meeting both requirements with a single solution.

Exam trap

Google Cloud often tests the distinction between detection (Audit Logs) and enforcement (organization policy constraints), and candidates mistakenly choose a logging-based solution because they overlook the requirement to 'prevent creation' of non-expiring keys.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs only provide visibility into key age, not enforcement; manual deletion is not a scalable or reliable solution and does not prevent creation of non-expiring keys. Option B is wrong because `iam.disableServiceAccountKeyCreation` completely blocks creation of all service account keys, which is too restrictive and does not allow legitimate key creation with expiration. Option D is wrong because IAM conditions cannot enforce key expiration during creation; they control access to resources based on attributes but do not interact with service account key properties like expiry time.

68
MCQmedium

A team's Cloud Storage bucket has fine-grained access control (ACLs) enabled. They want to switch to a simpler model where IAM policies alone control access, and object-level ACLs are ignored. What should they enable?

A. Enable Uniform Bucket-Level Access (UBLA) on the bucket
B. Delete all ACLs on each object and set them to `authenticated-read`
C. Enable VPC Service Controls on the bucket
D. Set the bucket's default object ACL to `projectPrivate` and apply it to all objects
Answer: A

UBLA disables object ACLs and enforces IAM-only access control — simplifying the permission model to bucket-level IAM policies for all objects.

Why this answer

Option A is correct because enabling Uniform Bucket-Level Access (UBLA) on the bucket disables object-level ACLs and enforces IAM policies as the sole access control mechanism. This simplifies management by ignoring any existing ACLs on objects, ensuring that only bucket-level IAM permissions are evaluated for access decisions.

Exam trap

Google Cloud often tests the distinction between modifying ACLs (which does not change the access control model) and enabling UBLA (which fundamentally switches the model), so candidates may incorrectly think that deleting ACLs or changing default ACLs is sufficient to ignore object-level ACLs.

How to eliminate wrong answers

Option B is wrong because deleting ACLs on each object does not disable ACL evaluation; the bucket still has fine-grained access control enabled, and IAM policies will not override object-level ACLs unless UBLA is enabled. Option C is wrong because VPC Service Controls are used to restrict access to Google Cloud services from specific VPC networks or IP ranges, not to switch from ACL-based to IAM-based access control. Option D is wrong because setting the default object ACL to `projectPrivate` only affects new objects and does not ignore existing object-level ACLs; it also does not disable ACL evaluation for the bucket.

69
MCQeasy

A startup wants to grant developers the ability to create and manage Compute Engine instances, but prevent them from deleting instances or changing firewall rules. Which IAM approach should they use?

A. Create a custom role with permissions for instance management but without `compute.instances.delete`.
B. Assign the `roles/compute.instanceAdmin.v1` role.
C. Assign the `roles/compute.instanceOperator` role.
D. Assign the `roles/compute.admin` role.
Answer: A

A custom role can be tailored to include only the required permissions, avoiding unintended capabilities.

Why this answer

Option A is correct because creating a custom role allows the startup to grant fine-grained permissions for instance management (e.g., compute.instances.create, compute.instances.start, compute.instances.stop) while explicitly omitting compute.instances.delete and any firewall-related permissions like compute.firewalls.update or compute.firewalls.delete. This ensures developers can manage instances but cannot delete them or alter firewall rules, meeting the exact requirement.

Exam trap

Google Cloud often tests the distinction between predefined roles that sound similar (like instanceAdmin.v1 vs. a non-existent instanceOperator) and the need for custom roles when predefined roles do not match the exact permission set required.

How to eliminate wrong answers

Option B is wrong because roles/compute.instanceAdmin.v1 includes compute.instances.delete and compute.firewalls.update, which would allow developers to delete instances and change firewall rules, violating the requirement. Option C is wrong because roles/compute.instanceOperator does not exist as a predefined role in Google Cloud IAM; this is a distractor that misleads candidates into thinking there is a role with limited permissions. Option D is wrong because roles/compute.admin grants full administrative access to all Compute Engine resources, including deleting instances and modifying firewall rules, which is far too permissive.

70
MCQhard

A regulated financial company must ensure that all GCP API calls made by employees are logged with full request and response payloads for audit purposes. Which combination of Cloud Audit Log types captures this?

A. Admin Activity logs only
B. Admin Activity logs + Data Access logs (DATA_READ and DATA_WRITE)
C. VPC Flow Logs + Cloud Monitoring metrics
D. System event logs + Data Access logs
Answer: B

Enabling both Admin Activity and Data Access audit logs provides complete coverage of all API calls — Admin Activity for configuration changes, Data Access for read/write operations including payload data.

Why this answer

Admin Activity logs capture administrative actions like creating or modifying resources, but not the data within API calls. Data Access logs (DATA_READ and DATA_WRITE) capture the request and response payloads for API calls that read or write data, which is required for full audit logging. Together, they cover both the administrative context and the data-level payloads mandated for regulated financial companies.

Exam trap

Google Cloud often tests the misconception that Admin Activity logs alone are sufficient for audit compliance, when in fact they omit the data-level payloads that regulated audits require, and candidates may overlook the need to explicitly enable Data Access logs with full payload inclusion.

How to eliminate wrong answers

Option A is wrong because Admin Activity logs only record metadata about resource configuration changes (e.g., who created a VM), not the full request/response payloads of API calls that access or modify data. Option C is wrong because VPC Flow Logs capture network metadata (source/destination IP, ports, protocol) but not the application-layer payloads of API calls, and Cloud Monitoring metrics provide aggregated performance data, not audit logs. Option D is wrong because System event logs capture Google Cloud system events (e.g., instance preemption) and do not include API request/response payloads; Data Access logs alone would miss the administrative actions that are also required for a complete audit trail.

71
MCQhard

A team builds a GKE application that processes healthcare data. Regulatory requirements mandate that data in transit between GKE nodes must be encrypted. GKE is running on GCP. What provides encrypted node-to-node traffic within the cluster?

A. GCP automatically encrypts all VM-to-VM traffic in transit within its network
B. GKE node traffic is unencrypted by default; mTLS must be manually configured on every Pod
C. Enable VPC Flow Logs; they activate encryption for logged traffic
D. Install a TLS termination proxy on each GKE node; it encrypts intranode traffic
Answer: A

Google Cloud encrypts data in transit between physical boundaries and virtual machines using encryption at the Google network layer. GKE node-to-node traffic within GCP is covered by this encryption.

Why this answer

GCP automatically encrypts all VM-to-VM traffic in transit at the network layer, including traffic between GKE nodes, using a combination of MACsec (IEEE 802.1AE) and IPsec. This encryption is enabled by default for all traffic within a VPC and between VPCs, without any configuration required. Therefore, node-to-node traffic within a GKE cluster is already encrypted, satisfying the regulatory requirement.

Exam trap

The trap here is that candidates assume Kubernetes traffic is unencrypted by default and that they must manually configure mTLS or a proxy, overlooking that GCP's underlying network infrastructure already provides encryption for all VM-to-VM traffic in transit.

How to eliminate wrong answers

Option B is wrong because GKE node traffic is not unencrypted by default; GCP encrypts all VM-to-VM traffic at the network layer, so no manual mTLS configuration is needed for node-to-node encryption. Option C is wrong because VPC Flow Logs are used for network monitoring and logging, not for enabling encryption; they capture metadata about traffic but do not activate encryption. Option D is wrong because installing a TLS termination proxy on each GKE node is unnecessary and would only encrypt traffic at the application layer, not the underlying node-to-node traffic, which is already encrypted by GCP's infrastructure.

72
MCQhard

A company has multiple projects under an organization. They want to enforce that all service accounts created in any project must use the naming prefix 'sa-'. Which policy should be used?

A. VPC Service Controls
B. Organization policy using a custom constraint
C. Project-level IAM condition
D. Cloud Audit Logs
Answer: B

Custom organization policies can enforce naming patterns.

Why this answer

An organization policy with a custom constraint is the correct approach because it allows you to define a specific rule (e.g., all service accounts must start with 'sa-') that is enforced across all projects in the organization. Custom constraints use the Resource Manager API's `constraints/*` format and are evaluated at resource creation time, making them ideal for naming conventions that must be applied universally.

Exam trap

Google Cloud often tests the distinction between 'enforcement' (organization policies) and 'monitoring' (audit logs) or 'access control' (IAM conditions), leading candidates to confuse a naming convention policy with a logging or access control mechanism.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls are designed to protect data within VPCs by controlling exfiltration, not to enforce naming conventions on service accounts. Option C is wrong because project-level IAM conditions control access based on attributes like resource name or timestamp, but they cannot enforce a naming prefix at creation time; they only restrict access to existing resources. Option D is wrong because Cloud Audit Logs record actions for auditing and monitoring, but they do not enforce any policies or prevent non-compliant resources from being created.

73
MCQhard

Your company's compliance policy requires that all customer data stored in Cloud Storage must be encrypted using keys stored in a Hardware Security Module (HSM). The encryption keys must be managed by your security team and must not be exportable. Which configuration meets these requirements?

A. Use Cloud KMS software keys (protection level: SOFTWARE) with Cloud Storage CMEK.
B. Use Cloud KMS HSM-backed keys (protection level: HSM) with Cloud Storage CMEK.
C. Use Customer-Supplied Encryption Keys (CSEK) managed by your security team.
D. Enable Google-managed encryption with HSM by selecting it in Cloud Storage settings.
Answer: B

HSM protection level keys are generated and stored inside FIPS 140-2 Level 3 HSMs. They are non-exportable by design. CMEK with Cloud KMS HSM keys gives your team control while meeting HSM and non-exportability requirements.

Why this answer

Option B is correct because Cloud KMS HSM-backed keys (protection level: HSM) ensure that encryption keys are stored in a Hardware Security Module, are managed by the security team, and are non-exportable by design. When used with Cloud Storage CMEK, this configuration meets the compliance requirement for HSM-based key storage with full customer control and no key export capability.

Exam trap

Google Cloud often tests the distinction between customer-managed keys (CMEK) and customer-supplied keys (CSEK), where candidates mistakenly think CSEK provides HSM-level protection or that Google-managed encryption can be configured to use an HSM, but neither meets the non-exportable, HSM-backed requirement.

How to eliminate wrong answers

Option A is wrong because Cloud KMS software keys (protection level: SOFTWARE) are stored in software, not in an HSM, and thus do not satisfy the requirement for HSM-based encryption. Option C is wrong because Customer-Supplied Encryption Keys (CSEK) are managed by the customer but are not stored in an HSM; they are supplied by the customer and can be exported, violating the non-exportable requirement. Option D is wrong because Google-managed encryption with HSM is not a selectable setting in Cloud Storage; Google-managed encryption uses Google-owned keys, not customer-managed HSM keys, and does not allow the security team to control or restrict key export.

74
MCQmedium

Refer to the exhibit. An application running on this instance is unable to write to a Cloud Storage bucket. What is the most likely cause?

A. The application is using the wrong authentication method
B. The access scopes only allow read access to Cloud Storage
C. The Cloud Storage bucket is in a different project
D. The service account does not have the `storage.objectAdmin` IAM role
Answer: B

The scope is read_only, so write operations are denied regardless of IAM role.

Why this answer

When an instance is created with access scopes, these scopes restrict the API methods that the instance's credentials can use, regardless of the IAM permissions granted to the attached service account. The exhibit shows that the access scopes are set to 'Read Only' for Cloud Storage, which means the application can only call read methods (e.g., storage.objects.get) and cannot perform write operations (e.g., storage.objects.insert). This overrides any IAM role that would otherwise allow write access.

Exam trap

Google Cloud often tests the distinction between IAM permissions and access scopes, trapping candidates who assume that a service account with the correct IAM role can always perform the action, ignoring that access scopes can override those permissions at the instance level.

How to eliminate wrong answers

Option A is wrong because the authentication method (e.g., using a service account key or metadata server) is not the issue; the access scopes are explicitly limiting the API calls. Option C is wrong because Cloud Storage buckets can be accessed from any project as long as the correct IAM permissions and access scopes are in place; cross-project access is not inherently blocked. Option D is wrong because even if the service account had the storage.objectAdmin IAM role, the access scopes would still restrict the API methods to read-only, making the IAM role irrelevant for write operations.

75
MCQhard

A CI/CD pipeline running outside GCP (on GitHub Actions) needs to authenticate to GCP to push images to Artifact Registry, without storing any long-lived service account key files. Which authentication mechanism achieves this?

A. Store a service account JSON key as a GitHub Actions secret and use it in the workflow
B. Workload Identity Federation with GitHub Actions as the identity provider
C. OAuth 2.0 user credentials from a developer's Google account
D. API keys created for the Artifact Registry service
Answer: B

Workload Identity Federation allows GitHub Actions workflows to authenticate to GCP using the workflow's OIDC token — no service account key file is ever created or stored.

Why this answer

Workload Identity Federation allows a GitHub Actions workflow to exchange a GitHub-issued OIDC token for a GCP access token, enabling authentication to Artifact Registry without storing any long-lived service account keys. This is the recommended approach for non-GCP CI/CD systems because it eliminates the security risk of managing static credentials while still granting fine-grained, short-lived access to GCP resources.

Exam trap

The trap here is that candidates often default to storing a service account key as a secret (Option A) because it's a familiar pattern, failing to recognize that Workload Identity Federation is the modern, keyless alternative specifically designed for external CI/CD providers like GitHub Actions.

How to eliminate wrong answers

Option A is wrong because storing a service account JSON key as a GitHub Actions secret still introduces a long-lived, static credential that must be rotated and managed, violating the requirement to avoid storing any long-lived service account key files. Option C is wrong because OAuth 2.0 user credentials from a developer's Google account are tied to a human user, not a CI/CD pipeline, and would require interactive consent flows, making them unsuitable for automated, non-interactive workflows. Option D is wrong because API keys are a simple, static authentication mechanism that does not support fine-grained IAM roles or short-lived tokens, and they are not designed for service-to-service authentication to Artifact Registry; they also cannot be scoped to a specific service account.
