CCNA Configuring access and security Questions

23 of 98 questions · Page 2/2 · Configuring access and security · Answers revealed

76
MCQeasy

A security auditor needs read-only access to Compute Engine instance metadata but should not be able to start or stop instances. Which predefined IAM role should be assigned?

A.roles/compute.instanceAdmin.v1
B.roles/compute.admin
C.roles/compute.networkAdmin
D.roles/compute.viewer
AnswerD

Provides read-only access to Compute Engine resources.

Why this answer

The roles/compute.viewer role grants read-only access to Compute Engine resources, including instance metadata, without allowing write operations such as starting or stopping instances. This matches the requirement for read-only metadata access while preventing instance lifecycle changes.

Exam trap

The trap here is that candidates may confuse 'viewer' with broader roles like instanceAdmin.v1, assuming read-only access is sufficient, but fail to recognize that instanceAdmin.v1 includes write permissions for starting/stopping instances.

How to eliminate wrong answers

Option A is wrong because roles/compute.instanceAdmin.v1 includes permissions to start, stop, and modify instances, which exceeds the required read-only access. Option B is wrong because roles/compute.admin provides full administrative control over all Compute Engine resources, including the ability to start and stop instances. Option C is wrong because roles/compute.networkAdmin focuses on network resources (e.g., firewalls, routes) and does not grant access to instance metadata.

77
MCQhard

A healthcare company stores patient data in Cloud Storage. Compliance requires that even GCP (Google) cannot decrypt this data. The company manages encryption keys entirely on their own infrastructure. Which encryption option satisfies this?

A.Customer-Managed Encryption Keys (CMEK) stored in Cloud KMS
B.Customer-Supplied Encryption Keys (CSEK) provided with each API request
C.Google-managed encryption keys (default) with restricted IAM policies
D.Shielded VM with confidential computing for the VMs that access the data
AnswerB

CSEK requires the customer to supply the encryption key with every API request. GCP uses the key transiently and never stores it — Google cannot access data without the customer providing the key each time.

Why this answer

Option B is correct because Customer-Supplied Encryption Keys (CSEK) allow the customer to provide their own AES-256 encryption key with each API request to Cloud Storage. Google does not store the key; it is used only in memory to encrypt/decrypt the data and then discarded, ensuring that even Google cannot access the plaintext. This meets the compliance requirement that the customer retains exclusive control over the encryption keys.

Exam trap

The trap here is that candidates confuse CMEK with CSEK, assuming that managing keys in Cloud KMS gives the customer exclusive control, but CMEK still allows Google to access the key material via the KMS service, whereas CSEK ensures Google never stores the key.

How to eliminate wrong answers

Option A is wrong because Customer-Managed Encryption Keys (CMEK) are stored in Cloud KMS, which means Google manages the key material in a hardware security module (HSM) and can technically decrypt the data if required by law or internal policy. Option C is wrong because Google-managed encryption keys are fully controlled by Google, and restricting IAM policies does not prevent Google from accessing the keys or decrypting the data. Option D is wrong because Shielded VM with confidential computing protects data in use within VM memory, but does not address encryption at rest in Cloud Storage or key management; the data in Cloud Storage would still be encrypted with keys accessible to Google.

78
MCQmedium

A developer accidentally committed a service account key JSON file to a public GitHub repository. The key was valid for a service account with broad Editor permissions. What should you do FIRST?

A.Remove the committed file from Git history using `git filter-branch` or BFG Repo Cleaner.
B.Immediately delete or disable the service account key in the Cloud Console or via gcloud.
C.Make the GitHub repository private to hide the exposed key.
D.Reduce the service account's permissions to limit the blast radius.
AnswerB

Revoking the key immediately stops any ongoing or future unauthorized use. This is the highest-priority action — stop the bleeding first, then investigate.

Why this answer

Option B is correct because the immediate priority is to revoke the exposed credential to prevent unauthorized access. Deleting or disabling the service account key in the Cloud Console or via `gcloud iam service-accounts keys delete` ensures the key is invalidated within minutes, stopping any attacker from using it to authenticate with Google Cloud APIs. This aligns with the principle of least privilege and incident response best practices: contain the breach before remediation.

Exam trap

Google Cloud often tests the misconception that removing the file from Git history (Option A) is sufficient, but the key remains valid and usable by anyone who already has it, so revocation must come first.

How to eliminate wrong answers

Option A is wrong because removing the file from Git history does not invalidate the already-exposed key; an attacker who has already cloned the repository or accessed the commit can still use the key until it is revoked. Option C is wrong because making the repository private does not revoke the key or prevent attackers who have already seen the public commit from using it; the key remains valid. Option D is wrong because reducing the service account's permissions does not immediately stop an attacker who already has the key from using its current Editor permissions; the key must be disabled first to cut off access.

79
MCQmedium

An application receives the error 'Permission denied on resource project [PROJECT_ID] (or it may not exist)' when making an API call with a service account. The service account has the correct IAM role. What else might be missing?

A.The service account needs the Project Owner role to make any API calls
B.The relevant GCP API is not enabled in the project
C.The service account needs to be in the same organization as the project
D.The service account email must be explicitly allow-listed in the API's configuration
AnswerB

GCP requires the API to be enabled before any service account or user can use it. The error 'or it may not exist' refers to the resource being unreachable because the API is disabled.

Why this answer

The error 'Permission denied on resource project [PROJECT_ID] (or it may not exist)' typically occurs when the service account has the correct IAM role but the API being called is not enabled for the project. Even with proper IAM permissions, GCP requires that the specific API (e.g., Compute Engine API, Cloud Storage API) be enabled in the project before any API calls can succeed. Enabling the API activates the service and allows the service account to use it.

Exam trap

Google Cloud often tests the misconception that IAM roles alone guarantee API access, but the trap here is that candidates overlook the prerequisite of enabling the API service in the project, which is a separate step from assigning IAM permissions.

How to eliminate wrong answers

Option A is wrong because the Project Owner role is not required for making API calls; a service account only needs the specific IAM role granting the necessary permissions, and Project Owner is overly broad and unnecessary. Option C is wrong because service accounts do not need to be in the same organization as the project; they can be created in one project and used in another project within the same or different organization, as long as IAM permissions are granted. Option D is wrong because there is no concept of 'allow-listing' a service account email in an API's configuration; access is controlled entirely through IAM roles and policies, not through an explicit allow list.

80
MCQmedium

Your security team wants to monitor all privileged IAM changes in your GCP organization (e.g., when anyone is granted `roles/owner` or `roles/editor`). They need real-time notifications. Which approach achieves this?

A.Create a Cloud Monitoring alerting policy on the `iam.googleapis.com/SetIamPolicy` log metric.
B.Enable Security Command Center's Event Threat Detection for IAM changes.
C.Run a daily script using `gcloud projects get-iam-policy` and compare with the previous day's output.
D.Use Cloud Asset Inventory with asset feeds to detect IAM policy changes in real-time.
AnswerA, D

A log-based metric that counts `SetIamPolicy` operations with filter on privileged roles, combined with a Cloud Monitoring alert with a notification channel, provides real-time alerting on IAM changes.

Why this answer

Option A is correct because Cloud Monitoring can ingest log-based metrics from the `iam.googleapis.com/SetIamPolicy` audit log entry, and an alerting policy can be configured to trigger in near real-time when that log metric exceeds a threshold. This provides immediate notification of privileged IAM changes such as granting `roles/owner` or `roles/editor`.

Exam trap

The trap here is that candidates may think Cloud Asset Inventory feeds (Option D) provide real-time detection, but asset feeds have a latency of several minutes and are designed for inventory synchronization, not real-time alerting on specific IAM role grants.

How to eliminate wrong answers

Option B is wrong because Security Command Center's Event Threat Detection focuses on threat detection (e.g., compromised credentials, malware) and does not provide real-time alerting for all IAM policy changes; it is not designed for monitoring routine administrative IAM modifications. Option C is wrong because running a daily script using `gcloud projects get-iam-policy` is a batch, non-real-time approach that introduces up to 24 hours of delay, failing the requirement for real-time notifications.

81
MCQhard

You need to ensure that a Cloud Run service can only be invoked by specific Cloud Scheduler jobs and not from the public internet, while still receiving HTTP requests. The Cloud Run service currently allows unauthenticated invocations. What configuration changes are required?

A.Add a Cloud Armor security policy to the Cloud Run service blocking all IPs except Cloud Scheduler.
B.Disable unauthenticated invocations on the Cloud Run service, grant `roles/run.invoker` to the Scheduler SA, and configure Scheduler to use OIDC authentication.
C.Deploy the Cloud Run service in a VPC and use a VPC firewall rule to block all traffic except Cloud Scheduler.
D.Add a secret header to Cloud Scheduler requests and validate it in the Cloud Run application code.
AnswerB

This three-step configuration enforces authentication: Cloud Run requires auth tokens, the Scheduler SA has invoker permission, and Scheduler sends OIDC tokens with each request. No other caller can invoke the service.

Why this answer

Option B is correct because Cloud Run services that require authentication must have unauthenticated invocations disabled, and the Cloud Scheduler service account must be granted the `roles/run.invoker` role. Additionally, Cloud Scheduler must be configured to use OIDC authentication, which allows it to present an identity token signed by Google to the Cloud Run service, ensuring only authorized scheduler jobs can invoke the service.

Exam trap

Google Cloud often tests the misconception that IP-based restrictions (like Cloud Armor or VPC firewall rules) can secure serverless services, when in fact serverless services like Cloud Run require IAM-based authentication for secure, identity-aware access control.

How to eliminate wrong answers

Option A is wrong because Cloud Armor security policies operate at the HTTP(S) load balancer level and cannot be directly attached to a Cloud Run service that is not behind a load balancer; also, Cloud Scheduler does not have a fixed set of IP addresses, so blocking by IP is impractical. Option C is wrong because Cloud Run services cannot be deployed directly into a VPC; they use VPC connectors for outbound traffic, and VPC firewall rules cannot control inbound traffic to a serverless service like Cloud Run. Option D is wrong because relying on a secret header for authentication is not a secure access control mechanism; it can be easily spoofed and does not leverage Google Cloud's IAM-based authentication, which is the recommended approach.

82
MCQhard

An enterprise stores sensitive customer data in Cloud Storage. Regulatory requirements mandate that the company controls its own encryption keys — Google must not be able to decrypt data unilaterally. Which encryption configuration satisfies this?

A.Google-managed encryption keys (the default)
B.Customer-managed encryption keys (CMEK) using Cloud KMS
C.Client-side encryption before uploading to Cloud Storage, without using Cloud KMS
D.Shielded VM with vTPM enabled on the storage backend
AnswerB

CMEK keys are created and controlled by the customer in Cloud KMS. GCP encrypts data using these keys, but the customer retains full control — including the ability to revoke access.

Why this answer

Option B is correct because Customer-Managed Encryption Keys (CMEK) with Cloud KMS allow the enterprise to control and manage their own encryption keys, ensuring that Google cannot unilaterally decrypt the data. With CMEK, the encryption keys are stored in Cloud KMS under the customer's control, and Google only has access to the key material for encryption/decryption operations as authorized by the customer. This satisfies the regulatory requirement that the company retains sole control over key material, preventing Google from decrypting data without explicit permission.

Exam trap

The trap here is that candidates often confuse client-side encryption (Option C) as always meeting compliance requirements, but the ACE exam tests that CMEK is the specific Google Cloud service that provides customer-controlled keys with full integration into Cloud Storage's access control and auditing, whereas client-side encryption lacks native key management and audit trails.

How to eliminate wrong answers

Option A is wrong because Google-managed encryption keys are the default where Google generates, stores, and manages the keys, meaning Google can decrypt the data unilaterally, which violates the regulatory mandate. Option C is wrong because client-side encryption before uploading to Cloud Storage, without using Cloud KMS, does not leverage Google's key management infrastructure and may not meet compliance requirements that mandate integration with a managed key service like Cloud KMS for auditing and key rotation; it also places full key management burden on the customer without the controls of CMEK. Option D is wrong because Shielded VM with vTPM is a compute instance security feature that ensures boot integrity and key attestation, not a storage encryption configuration; it does not control encryption keys for Cloud Storage data.

83
MCQmedium

A compliance team needs a log of every time a user or service account accessed data in a BigQuery dataset — specifically read operations. Which Cloud Audit Log type captures this?

A.System event audit logs
B.Admin Activity audit logs
C.Data Access audit logs
D.VPC flow logs
AnswerC

Data Access audit logs record API calls that read data — including BigQuery table reads and query executions. They must be explicitly enabled and can generate high log volume.

Why this answer

Data Access audit logs record API calls that read or modify user-provided data, including BigQuery read operations like SELECT queries. Since the requirement is specifically for read operations on user data, Data Access logs are the correct type. Admin Activity logs cover configuration changes, not data reads, and System Event logs cover Google-managed actions, not user-initiated reads.

Exam trap

Google Cloud often tests the distinction between Admin Activity logs (which capture resource configuration changes) and Data Access logs (which capture data reads/writes), leading candidates to mistakenly choose Admin Activity for any 'access' scenario.

How to eliminate wrong answers

Option A is wrong because System event audit logs capture Google Cloud administrative actions that change resource configurations, not user or service account data reads. Option B is wrong because Admin Activity audit logs record operations that modify metadata or configurations (e.g., creating a dataset), not read operations on the data itself. Option D is wrong because VPC flow logs capture network traffic metadata (IP addresses, ports, protocols) at the subnet level, not application-level data access like BigQuery queries.

84
MCQmedium

An internal web application running on GKE must be accessible only to employees who are authenticated with the company's Google Workspace account — without exposing it to the internet or using a VPN. Which GCP service provides identity-based access without a VPN?

A.VPC Service Controls creating a perimeter around the GKE cluster
B.Cloud Identity-Aware Proxy (IAP) configured on the load balancer in front of the GKE service
C.Firebase Authentication SDK integrated into the web application frontend
D.Cloud Armor with a Google Workspace IP allowlist
AnswerB

IAP enforces Google identity authentication at the load balancer layer. Users must sign in with an authorized Google account — rejecting all unauthenticated requests before they reach the application.

Why this answer

Cloud Identity-Aware Proxy (IAP) is the correct choice because it enforces identity-based access control at the application layer, verifying that users are authenticated via Google Workspace before allowing traffic to reach the GKE service through an HTTPS load balancer. This eliminates the need for a VPN or public internet exposure by leveraging Google's global infrastructure to authenticate and authorize each request based on the user's identity and context.

Exam trap

The trap here is that candidates often confuse network-level controls (VPC Service Controls, Cloud Armor IP allowlists) with identity-based access, or they assume client-side authentication (Firebase) is sufficient for server-side access control, missing that IAP is the only service that combines identity verification with network edge enforcement without a VPN.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls creates perimeters to prevent data exfiltration and restrict access based on network context, but it does not provide per-user authentication or authorization for individual HTTP requests; it operates at the VPC network boundary, not the application layer. Option C is wrong because Firebase Authentication SDK is designed for client-side user authentication in web and mobile apps, but it does not integrate with GKE's ingress or load balancer to control access at the network edge, and it would require exposing the application to the internet for the SDK to function. Option D is wrong because Cloud Armor with a Google Workspace IP allowlist is not feasible, as Google Workspace does not publish a static or predictable set of IP addresses for all employee connections; employees may connect from various networks, including home or mobile, making IP-based allowlisting ineffective for identity-based access.

85
MCQhard

A healthcare company uses GCP to store sensitive patient data in Cloud Storage buckets. Their security policy requires that all data access be logged and that any attempt to access data from outside the corporate network is blocked. They have implemented VPC Service Controls to create a service perimeter around the projects containing the buckets. They have also enabled Data Access audit logs. However, during an audit, they find that a few access attempts from an IP address outside the corporate network succeeded. The logs show that the requests were made using service account credentials. The service account has the storage.objectViewer role on the bucket. The VPC Service Controls perimeter is configured to block all access from outside the perimeter, but the logs show that some requests were allowed. What is the most likely reason?

A.The VPC Service Controls perimeter was configured with an access level that permits certain IP ranges.
B.The bucket is outside the service perimeter.
C.The service account is a member of the perimeter.
D.The VPC Service Controls perimeter does not block requests made by service accounts.
AnswerA

Access levels can allow traffic from specific IPs, so if the external IP is in an allowed range, the request succeeds.

Why this answer

Option A is correct because VPC Service Controls can be configured with access levels that define allowed client IP ranges. If the access level permits the IP addresses from which the service account requests originated, those requests would be allowed even though they come from outside the corporate network. The logs confirm that the requests used service account credentials, and the storage.objectViewer role grants read access, so the only remaining control that could have been bypassed is the VPC Service Controls perimeter — and an overly permissive access level is the most likely cause.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls blocks all traffic from outside the perimeter unconditionally, but the trap here is that access levels can create exceptions that allow specific IP ranges, including non-corporate IPs, to bypass the block.

How to eliminate wrong answers

Option B is wrong because if the bucket were outside the service perimeter, VPC Service Controls would not apply at all, and the question states the perimeter is configured around the projects containing the buckets, so the buckets are inside the perimeter. Option C is wrong because service accounts are not 'members' of a service perimeter; VPC Service Controls perimeters define boundaries around projects, not individual identities, and service accounts inside the perimeter are still subject to the same ingress/egress rules. Option D is wrong because VPC Service Controls does block requests made by service accounts when those requests originate from outside the perimeter, unless an access level or other exception is explicitly configured.

86
MCQhard

An organization needs to allow a third-party SIEM tool to ingest audit logs from their Google Cloud organization. The SIEM tool should only have read access to logs. Which IAM role should be granted?

A.roles/logging.configWriter
B.roles/logging.admin
C.roles/logging.viewer
D.roles/logging.privateLogViewer
AnswerC

Provides read-only access to log entries.

Why this answer

The roles/logging.viewer role grants read-only access to all logs in the Google Cloud organization, including audit logs, which is exactly what the third-party SIEM tool requires. This role allows the SIEM to ingest logs without the ability to modify or delete them, ensuring the principle of least privilege is maintained.

Exam trap

Google Cloud often tests the distinction between roles/logging.viewer and roles/logging.privateLogViewer, where candidates mistakenly choose the latter thinking it is required for audit logs, but privateLogViewer is only needed for logs containing sensitive data like Access Transparency logs, not standard audit logs.

How to eliminate wrong answers

Option A is wrong because roles/logging.configWriter grants write access to log configurations (e.g., creating log sinks and exclusions), not read-only access to logs, and would allow the SIEM to modify logging infrastructure. Option B is wrong because roles/logging.admin provides full administrative control over logging, including the ability to delete logs and modify log buckets, which exceeds the required read-only access. Option D is wrong because roles/logging.privateLogViewer grants read access to private log entries (e.g., those containing sensitive data like Access Transparency logs), which is more permissive than needed and could expose data the SIEM should not see; the standard roles/logging.viewer is sufficient for audit logs.

87
MCQeasy

A small business has a single Google Cloud project with a few Compute Engine instances running a web application. The instances are all in the same VPC and subnet. The security team wants to ensure that only HTTP (port 80) and HTTPS (port 443) traffic from the public internet is allowed to the instances, and that all other inbound traffic is blocked. They have already configured Cloud Armor for the load balancer. However, they notice that SSH traffic (port 22) is still reaching the instances from the internet, even though they do not have any explicit firewall rules allowing SSH. The project was just created and uses the default VPC network. What should they do to resolve this?

A.Create a VPC firewall rule with priority 1000 to deny ingress on port 22 from 0.0.0.0/0.
B.Configure a route to drop traffic destined to the instances on port 22.
C.Remove the SSH public key from the instance metadata.
D.Disable or delete the default-allow-ssh firewall rule in the VPC.
AnswerD

This rule allows SSH from anywhere; disabling it stops SSH traffic from the internet.

Why this answer

Option B is correct because the default VPC includes a default-allow-ssh firewall rule that allows SSH traffic from any source (0.0.0.0/0) on port 22. Disabling this rule will block SSH traffic. Option A is incorrect because creating a deny rule with a lower priority does not override the existing allow rule (allow rules take precedence if a matching allow rule exists).

Option C is incorrect because removing SSH keys does not block network traffic. Option D is incorrect because routes control packet forwarding, not firewall filtering.

88
Multi-Selecthard

A company requires that all service account keys be automatically rotated every 90 days. Which two steps should the administrator take to enforce this? (Choose two.)

Select 2 answers
A.Enable the Service Account Key Rotator in the Google Cloud Console.
B.Use IAM to set a condition that keys must have an expiration date.
C.Use the Service Account API to create keys with a custom expiration time.
D.Use an Organization Policy to disable service account key creation.
E.Use a Cloud Function to monitor key age and delete keys older than 90 days.
AnswersC, E

Keys can be created with expiration in the API, enforcing rotation.

Why this answer

Option C is correct because the Service Account API allows creating keys with a custom expiration time, which enforces automatic rotation by ensuring keys are invalid after 90 days. Option E is correct because a Cloud Function can monitor key age and delete keys older than 90 days, providing a programmatic enforcement mechanism. Both approaches ensure keys are rotated automatically without manual intervention.

Exam trap

Google Cloud often tests the misconception that there is a built-in 'auto-rotate' toggle in the console, but in reality, you must use API-level expiration or custom automation like Cloud Functions to enforce rotation.

89
MCQmedium

A developer is running a batch process on a Compute Engine instance that needs to write logs to Cloud Logging. The instance uses the default Compute Engine service account. What must be done?

A.Ensure the instance's access scopes include logging.write
B.No action needed, the default service account has logging write access
C.Create a custom service account with the required roles
D.Add the Logging Admin role to the service account
AnswerA

Access scopes limit API access; logging.write scope must be set.

Why this answer

The default Compute Engine service account has the `logging.logWriter` role by default, but access scopes act as an additional permission layer on Compute Engine instances. Even if the IAM role is present, the instance must have the `logging.write` access scope enabled to allow the service account to write logs to Cloud Logging. Option A is correct because explicitly setting the access scope ensures the API call to `logging.write` is permitted at the instance level.

Exam trap

Google Cloud often tests the distinction between IAM roles and access scopes, trapping candidates who assume that having the correct IAM role alone is sufficient for a Compute Engine instance to call an API.

How to eliminate wrong answers

Option B is wrong because while the default service account has the `logging.logWriter` IAM role, the instance's access scopes must also include `logging.write`; without it, the API call is blocked at the instance metadata level. Option C is wrong because creating a custom service account is unnecessary—the default service account already has the required IAM role, and the issue is solely about access scopes. Option D is wrong because adding the Logging Admin role (`roles/logging.admin`) grants excessive permissions (e.g., deleting logs) and does not address the access scope restriction; the `logging.logWriter` role is sufficient and already assigned.

90
Multi-Selectmedium

A company uses Cloud Armor to protect an HTTP Load Balancer. They want to allow traffic only from specific IP ranges (198.51.100.0/24 and 203.0.113.0/24) and block common web attacks like SQL injection and XSS. Which TWO actions should they take?

Select 2 answers
A.Set up Cloud NAT to provide outbound internet access for the instances.
B.Configure VPC firewall rules on the subnet to allow only the IP ranges.
C.Enable predefined WAF rules (e.g., OWASP Top 10) in the Cloud Armor security policy.
D.Create a Cloud Armor security policy with an allow rule for the IP ranges and a default deny rule for all other traffic.
E.Enable Cloud CDN to cache static content from the backend.
AnswersC, D

WAF rules block common web attacks like SQL injection and XSS.

Why this answer

Option A creates a security policy with an allow rule for the IP ranges and a deny rule for all other traffic, which is necessary to restrict access. Option C enables WAF rules in Cloud Armor, which blocks common web attacks. Option B (Cloud CDN caching) does not affect access control.

Option D (VPC firewall rules at instance level) is not relevant because Cloud Armor works at the load balancer. Option E (Cloud NAT) is for outbound traffic, not inbound security.

91
MCQmedium

A team wants to allow inbound HTTPS traffic (TCP port 443) from the internet to instances tagged 'web-server', while blocking all other inbound traffic. What firewall configuration achieves this?

A.An ingress allow rule for port 443 from 0.0.0.0/0 targeting the 'web-server' tag, relying on the implied deny for other traffic
B.An ingress allow rule for port 443 and a separate egress deny rule for all other ports
C.An ingress deny rule for all ports from 0.0.0.0/0, plus an ingress allow for port 443 with lower priority
D.A Cloud Armor policy allowing only HTTPS requests to port 443
AnswerA

GCP's implied deny-all ingress rule (priority 65535) blocks all traffic not explicitly allowed. A single allow rule for port 443 is all that's needed.

Why this answer

Option A is correct because Google Cloud VPC firewall rules are stateful and have an implicit deny for all traffic that is not explicitly allowed. An ingress allow rule for TCP port 443 from 0.0.0.0/0 applied to instances with the 'web-server' tag permits inbound HTTPS traffic, and the implicit deny blocks all other inbound traffic without needing additional rules.

Exam trap

Google Cloud often tests the misconception that you need explicit deny rules or that egress rules affect inbound traffic, but the key trap here is that candidates may think they need to add a deny rule for other ports, not realizing the implicit deny already blocks everything not allowed.

How to eliminate wrong answers

Option B is wrong because egress deny rules are not needed for inbound traffic control; the implicit deny already blocks all other inbound traffic, and adding an egress deny rule is irrelevant and could interfere with outbound responses. Option C is wrong because an ingress deny rule for all ports from 0.0.0.0/0 would block the HTTPS traffic even if a lower-priority allow rule exists, as deny rules take precedence over allow rules in Google Cloud VPC firewall evaluation. Option D is wrong because Cloud Armor is a web application firewall (WAF) that operates at the HTTP/HTTPS layer, not a VPC firewall rule; it cannot replace the network-level firewall rule required to allow inbound traffic to the instances.

92
Drag & Dropmedium

Order the steps to set up a Cloud IAM policy that grants a user the 'roles/compute.admin' role on a specific project.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Policy binding is applied via gcloud; verification and testing follow.

93
MCQmedium

A team needs to give a third-party vendor read-only access to specific Cloud Storage objects for 48 hours. The vendor uses an AWS account (not a Google account). What is the most secure way to grant this temporary access?

A.Create a GCP service account for the vendor and share the JSON key file with 48-hour expiry
B.Generate a Signed URL for the specific objects with a 48-hour expiration
C.Use Workload Identity Federation with AWS as the identity provider for the vendor
D.Make the objects publicly readable and share the direct Cloud Storage URL
AnswerB

Signed URLs provide time-limited, cryptographically secured access to specific objects — no GCP account required. Access automatically expires after 48 hours.

Why this answer

Option B is correct because a Signed URL provides time-bound, read-only access to specific Cloud Storage objects without requiring the vendor to have a Google account. The URL embeds authentication information and expires after 48 hours, ensuring temporary access while maintaining security by not exposing broader permissions or credentials.

Exam trap

Google Cloud often tests the misconception that sharing a service account key file is acceptable for temporary access, but the trap here is that Signed URLs are the only option that combines time-bound, object-specific, and credential-free access for external users without a Google account.

How to eliminate wrong answers

Option A is wrong because sharing a GCP service account JSON key file violates the principle of least privilege and creates a long-lived credential that could be leaked or misused; even with a 48-hour expiry, the key file itself is a static secret that must be securely transmitted and stored. Option C is wrong because Workload Identity Federation is designed for workloads running in AWS to impersonate a GCP service account, but it requires the vendor to configure an AWS IAM role and trust relationship, which is overly complex for simple read-only object access and does not inherently limit access to 48 hours without additional token expiration controls. Option D is wrong because making objects publicly readable exposes them to anyone on the internet, not just the vendor, and provides no time-bound access control, violating security best practices.

94
Drag & Dropmedium

Arrange the steps to create a Cloud SQL MySQL instance, configure a database, and connect using the Cloud SQL Proxy.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Instance first, then database; proxy provides secure connectivity.

95
Matchingmedium

Match each Cloud Storage storage class to its typical use case.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Frequently accessed data

Data accessed less than once a month

Data accessed less than once a quarter

Data accessed less than once a year

Automatically transitions objects to optimal class

Why these pairings

Storage classes balance cost and availability based on access frequency.

96
MCQmedium

A security team wants to restrict access to a Google Cloud project such that only virtual machines with a specific tag 'web' can connect to a Compute Engine instance on port 443. Which configuration is required?

A.Create a firewall rule allowing egress from instances with tag 'web' to the target instance on port 443.
B.Create a firewall rule allowing ingress from instances with tag 'web' to the target instance on port 443.
C.Set an IAM condition on the instance to only allow calls from instances with tag 'web'.
D.Use Cloud Armor to filter traffic based on tags.
AnswerB

Firewall ingress rules with source tags can restrict traffic based on sender's tags.

Why this answer

Option B is correct because firewall rules in Google Cloud are stateful and control ingress traffic at the network level. To allow only VMs with tag 'web' to connect to the target instance on port 443, you must create an ingress firewall rule that specifies the source tag 'web', the target instance (or its network tag), and the protocol/port tcp:443. This rule permits incoming HTTPS traffic from any VM that has the 'web' tag, regardless of its IP address.

Exam trap

Google Cloud often tests the distinction between ingress and egress firewall rules, and the trap here is that candidates mistakenly choose an egress rule (Option A) because they think of restricting traffic 'from' the source, but the correct direction for controlling incoming connections to a target is ingress.

How to eliminate wrong answers

Option A is wrong because an egress firewall rule controls outbound traffic from the source, not inbound traffic to the target; the question requires restricting incoming connections to the target instance on port 443, which is an ingress direction. Option C is wrong because IAM conditions control identity-based access (who can perform actions on the instance), not network-level traffic filtering based on VM tags; tags are not evaluated in IAM policies for network access. Option D is wrong because Cloud Armor is a web application firewall (WAF) that protects against application-layer attacks and filters based on IP addresses, geographic regions, or custom rules, but it does not filter traffic based on Compute Engine instance tags.

97
MCQmedium

An application uses the S3-compatible API to interact with Cloud Storage. The team needs credentials compatible with HMAC-based S3 authentication. Which credential type does Cloud Storage support for this?

A.Service account JSON key file — it's compatible with the S3 HMAC authentication format
B.HMAC keys created for a service account in Cloud Storage settings
C.Cloud KMS symmetric keys configured for Cloud Storage access
D.An API key generated in the GCP Console for Cloud Storage
AnswerB

Cloud Storage supports HMAC authentication for S3-compatible API access. HMAC keys are created per service account and provide an access key ID + secret for S3 API authentication.

Why this answer

Cloud Storage supports HMAC keys for service accounts to provide S3-compatible authentication. These keys consist of an access key and a secret key, which are used to sign requests using the HMAC-SHA256 algorithm, matching the AWS S3 signature process. This allows applications using the S3 API to authenticate directly against Cloud Storage without needing a JSON key file or OAuth 2.0 tokens.

Exam trap

Google Cloud often tests the distinction between authentication methods (HMAC vs. OAuth 2.0) and encryption keys (KMS vs. HMAC), leading candidates to confuse a JSON key file or an API key with HMAC credentials.

How to eliminate wrong answers

Option A is wrong because a service account JSON key file is used for OAuth 2.0-based authentication, not for HMAC-based S3 authentication; it contains a private key for signing JWT tokens, not an HMAC access/secret key pair. Option C is wrong because Cloud KMS symmetric keys are used for encryption and decryption of data at rest, not for authentication or signing S3 API requests. Option D is wrong because an API key is a simple identifier used for quota and access control in GCP APIs, but it does not support the HMAC signing mechanism required for S3-compatible authentication.

98
MCQhard

A regulated company requires a log of all actions taken by Google support engineers when they access customer GCP environments during support cases. Which Cloud Audit Log type captures this?

A.Admin Activity audit logs
B.Data Access audit logs with Google-initiated access filter
C.Access Transparency logs
D.System event audit logs with personnel filter
AnswerC

Access Transparency logs specifically record actions by Google employees when they access customer data and GCP environments, providing accountability for Google-side access.

Why this answer

Access Transparency logs are the correct choice because they specifically capture actions taken by Google support engineers when accessing customer data or configurations in GCP. These logs provide near real-time records of Google-initiated access, which is required for regulated companies to audit support personnel activities. Admin Activity logs only record administrative actions by customers, not Google personnel, while Data Access logs with Google-initiated access filter are not a valid log type in Cloud Audit Logs.

Exam trap

The trap here is that candidates confuse 'Data Access logs' with 'Access Transparency logs,' assuming a filter can isolate Google-initiated actions, but Access Transparency is a separate, dedicated log type specifically for Google personnel access, not a subset of Data Access logs.

How to eliminate wrong answers

Option A is wrong because Admin Activity audit logs record actions performed by customers or authorized users within a GCP project (e.g., creating resources), not actions taken by Google support engineers. Option B is wrong because Data Access logs capture API calls that read or modify customer data, but there is no 'Google-initiated access filter' as a distinct log type; Access Transparency logs are the dedicated mechanism for Google-initiated access. Option D is wrong because System event audit logs record GCP system events (e.g., VM live migrations), not personnel actions, and there is no 'personnel filter' in Cloud Audit Logs.

← PreviousPage 2 of 2 · 98 questions total

Ready to test yourself?

Try a timed practice session using only Configuring access and security questions.