CCNA Ace Access Security Questions

25 of 100 questions · Page 2/2 · Ace Access Security topic · Answers revealed

76 · MCQ · hard

A company is using Cloud NAT to allow private Compute Engine instances to access the internet. They notice that traffic from some instances is not being NATed. What is the most likely cause?

A. The instances have external IP addresses assigned.
B. The Cloud Router is not configured correctly.
C. The firewall rules block egress traffic.
D. The instances are in a different region than the Cloud NAT gateway.
Answer: A

Instances with external IPs do not use Cloud NAT; they directly connect using their external IP.

Why this answer

Cloud NAT only applies to instances that do not have external IP addresses. If an instance has an external IP, it will use that IP for outbound traffic and bypass Cloud NAT.

77 · Multi-Select · medium

A company needs to allow a group of external auditors to view Cloud Audit Logs for a project but not modify any resources. Which two steps should be taken? (Choose 2)

Select 2 answers
A. Grant the auditors the roles/iam.securityReviewer role.
B. Create a log sink to forward logs to a bucket the auditors can access.
C. Grant the auditors the roles/logging.viewer role on the project.
D. Grant the auditors the roles/logging.logWriter role.
E. Enable Data Access audit logs.
Answers: B, C

This is an alternative to directly granting view access in Logging; auditors can then access the bucket.

Why this answer

The auditors need the roles/logging.viewer role to view logs, and it should be granted at the project level so that the project's logs are visible to them.

78 · MCQ · medium

A security engineer needs to ensure that Compute Engine instances in a VPC can only communicate with each other on port 443 and cannot receive traffic from the internet. The VPC has a default network with default firewall rules. What should the engineer do?

A. Create a firewall rule with priority 2000 denying ingress from 0.0.0.0/0 and a rule allowing ingress from 10.0.0.0/16 on port 443 with priority 1000.
B. Create a firewall rule with priority 1000 allowing ingress from 0.0.0.0/0 on port 443 and deny all other traffic.
C. Delete all default firewall rules and create a rule allowing ingress from the VPC's subnet range (e.g., 10.0.0.0/16) on port 443.
D. Modify the default-allow-internal rule to only allow port 443.
Answer: C

Correct: Deleting the default rules removes internet ingress and the default allow-all-internal rule. The new rule restricts internal communication to port 443.

Why this answer

The default VPC includes default firewall rules that allow ingress from the internet and allow all internal traffic. To restrict communication, the engineer must first delete the default ingress rule that allows all traffic from the internet (allow-ssh, allow-icmp, allow-rdp, and allow-http/https can be deleted), then create a new rule that allows ingress only from the VPC's IP range on port 443. The default internal rule allows all traffic within the network; to restrict to port 443, a new rule with higher priority can override it, or the default rule can be deleted and a new one created.

79 · MCQ · easy

What is the primary benefit of using a Google-managed SSL certificate for an HTTPS Load Balancer?

A. It is free of charge.
B. It automatically renews the certificate before expiration.
C. It can be used with any type of load balancer.
D. It provides stronger encryption than self-managed certificates.
Answer: B

Google-managed certificates handle provisioning and renewal automatically.

Why this answer

Google-managed certificates automatically provision and renew SSL/TLS certificates, reducing manual effort and preventing expiration issues.

80 · Multi-Select · hard

An engineer needs to create a service account and grant it the ability to impersonate other service accounts. Which two permissions are required? (Choose 2)

Select 2 answers
A. iam.serviceAccounts.setIamPolicy
B. resourcemanager.projects.setIamPolicy
C. iam.serviceAccounts.getAccessToken
D. iam.serviceAccounts.actAs
E. iam.serviceAccounts.create
Answers: D, E

The iam.serviceAccounts.actAs permission is included in roles/iam.serviceAccountUser and allows impersonation.

Why this answer

The roles/iam.serviceAccountUser role allows impersonation, and the roles/iam.serviceAccountAdmin role allows creating service accounts.

81 · Multi-Select · medium

A developer wants to automate the creation of a service account and assign it a role using the gcloud command-line tool. Which TWO commands are needed? (Choose 2 answers.)

Select 2 answers
A. gcloud projects add-iam-policy-binding
B. gcloud iam service-accounts keys create
C. gcloud projects set-iam-policy
D. gcloud iam service-accounts create
E. gcloud iam roles create
Answers: A, D

`gcloud projects add-iam-policy-binding` grants a role to the service account on the project.

Why this answer

First, you create the service account with `gcloud iam service-accounts create`. Then, you grant a role to the service account by adding an IAM policy binding to the project.

82 · MCQ · easy

Which IAM role should be granted to a service account to allow it to access a secret stored in Secret Manager?

A. roles/secretmanager.secretAccessor
B. roles/secretmanager.admin
C. roles/iam.serviceAccountUser
D. roles/secretmanager.viewer
Answer: A

This role allows accessing secret values.

Why this answer

The role 'secretmanager.secretAccessor' grants access to read secret versions.

83 · MCQ · easy

A developer wants to store a database password securely and make it accessible to a Compute Engine instance. Which Google Cloud service should be used?

A. Secret Manager
B. Cloud Storage
C. Cloud Filestore
D. Cloud KMS
Answer: A

Correct: Secret Manager securely stores secrets and provides access control and versioning.

Why this answer

Secret Manager is designed for storing secrets like passwords, API keys, and certificates. Cloud KMS is for encryption key management. Cloud Storage is not secure for secrets. Cloud Filestore is for file storage.

84 · MCQ · medium

A company wants to use Customer-Managed Encryption Keys (CMEK) for encrypting data in a Cloud Storage bucket. They have created a key in Cloud KMS. Which step is required when creating the bucket to use CMEK?

A. Specify the key using the --kms-key flag in gsutil mb.
B. Use the --encryption-key flag in gcloud compute instances create.
C. No additional steps; Cloud Storage automatically uses CMEK if a key exists in the project.
D. Enable CMEK by setting the bucket's IAM policy.
Answer: A

Correct: --kms-key specifies the Cloud KMS key for CMEK.

Why this answer

To use CMEK on a bucket, the '--default-encryption-key' flag is used during 'gsutil mb' or 'gcloud storage buckets create'. The key must be specified as the resource name.

85 · MCQ · medium

An engineer creates a firewall rule allowing ingress on port 8080 from source range 10.0.0.0/8 with priority 1000. Another rule denies ingress on port 8080 from source range 10.0.0.0/24 with priority 500. What is the effective behavior for traffic from 10.0.0.1?

A. Traffic is denied only if the source is exactly 10.0.0.1; otherwise allowed.
B. Traffic is denied because the deny rule has a higher priority (lower number).
C. Traffic is allowed because the allow rule covers a larger range.
D. Traffic is allowed because both rules match and the default is to allow.
Answer: B

Correct: The deny rule (priority 500) takes precedence over the allow rule (priority 1000).

Why this answer

Firewall rules are evaluated in order of priority; lower numbers have higher priority. The deny rule (priority 500) has higher priority than the allow rule (priority 1000), so traffic from 10.0.0.1 (within 10.0.0.0/24) will be denied.

86 · MCQ · hard

An organization wants to enable Data Access audit logs for all Cloud Storage buckets in a project. Which step is necessary?

A. Use gcloud logging to create a log sink for Cloud Storage.
B. Enable Data Access logs in each bucket's settings.
C. Configure an organization policy or IAM audit config to enable Data Access logs for Cloud Storage.
D. Add an IAM binding with the roles/logging.admin role to a user.
Answer: C

Data Access audit logs are enabled via IAM audit config at the project or organization level, specifying which services to audit.

Why this answer

Data Access audit logs must be enabled at the organization or project level using IAM audit config, and can be scoped to specific services like Cloud Storage.

87 · Multi-Select · hard

Which THREE configurations are required to enable Private Google Access for Compute Engine instances in a custom VPC subnet? (Select 3 correct answers)

Select 3 answers
A. Create a Cloud Router to advertise routes to Google.
B. Create a subnet with the --enable-private-ip-google-access flag.
C. Create a VPC network.
D. Launch Compute Engine instances in the subnet.
E. Configure Cloud NAT to route traffic to Google APIs.
Answers: B, C, D

Private Google Access must be enabled on the subnet.

Why this answer

Private Google Access is enabled on a subnet. Instances in that subnet can reach Google APIs using internal IPs. It does not require Cloud NAT, Cloud VPN, or internet access.

The three required elements are: a VPC network, a subnet with Private Google Access enabled, and instances in that subnet.

88 · MCQ · medium

A security team wants to ensure that all Compute Engine instances in a project are created with a specific custom service account attached. What is the most effective way to enforce this?

A. Use a firewall rule to block instances without the required service account.
B. Enable Shielded VMs on the project.
C. Create a custom role with `compute.instances.create` and assign it to all users.
D. Configure an organization policy with the constraint `compute.setServiceAccount` to restrict the service accounts that can be used.
Answer: D

This org policy constraint ensures instances are created only with specified service accounts.

Why this answer

An organization policy constraint such as `compute.requireOsLogin` is unrelated to this requirement. The best approach is to use a custom IAM role that includes the `compute.instances.create` permission with a condition requiring the service account, or to use an organization policy with the `constraints/compute.setServiceAccount` constraint to enforce that instances use a specific service account.

89 · MCQ · easy

Which command is used to view the current IAM policy for a Google Cloud project in JSON format?

A. gcloud compute instances get-iam-policy [INSTANCE]
B. gcloud organizations get-iam-policy [ORG_ID]
C. gcloud projects get-iam-policy [PROJECT_ID] --format json
D. gcloud iam service-accounts get-iam-policy [SERVICE_ACCOUNT]
Answer: C

Correct command.

Why this answer

The 'gcloud projects get-iam-policy' command retrieves the IAM policy for a project. The '--format json' flag outputs it in JSON. The other options are for other resources or wrong scope.

90 · MCQ · hard

A company uses Cloud SQL with Customer-Managed Encryption Keys (CMEK). The security team wants to rotate the encryption key. What is the impact on the Cloud SQL instance?

A. The instance becomes unavailable until the key rotation is complete.
B. All data in the instance is re-encrypted immediately.
C. The instance must be stopped and restarted after the key rotation.
D. There is no impact; the instance automatically uses the new key version.
Answer: C

Cloud SQL requires a restart to begin using the new key version.

Why this answer

When rotating a CMEK for Cloud SQL, the instance must be restarted to use the new key version. Data remains encrypted at all times.

91 · MCQ · medium

A DevOps team needs to grant a CI/CD service account the ability to create secrets in Secret Manager. Which role should be assigned?

A. roles/secretmanager.admin
B. roles/secretmanager.secretCreator
C. roles/secretmanager.secretAccessor
D. roles/secretmanager.viewer
Answer: A

Admin role includes permission to create secrets.

Why this answer

The roles/secretmanager.admin role grants full control, including creating secrets. roles/secretmanager.secretCreator does not exist; the admin role includes create permission.

92 · MCQ · medium

A security engineer needs to ensure that all VMs in a subnet use Private Google Access to reach Google APIs without external IP addresses. What must be enabled?

A. A firewall rule allowing egress to 0.0.0.0/0.
B. VPC Flow Logs on the subnet.
C. Cloud NAT on the VPC.
D. Private Google Access on the subnet.
Answer: D

Enabling Private Google Access on the subnet allows VMs to reach Google APIs without external IPs.

Why this answer

Private Google Access on a subnet allows VMs with only internal IP addresses to reach Google APIs and services through the default internet gateway.

93 · MCQ · hard

A company has multiple firewall rules. Rule A (priority 1000) allows TCP 80 from 0.0.0.0/0. Rule B (priority 500) denies TCP 80 from 10.0.0.0/8. An instance with IP 10.0.0.1 tries to connect to TCP 80. What happens?

A. The result depends on the order of creation.
B. Traffic is allowed because Rule A allows all sources.
C. Both rules are applied and traffic is allowed.
D. Traffic is denied because Rule B has higher priority.
Answer: D

Rule B's priority 500 is lower numerically than 1000, so it takes precedence and denies.

Why this answer

Firewall rules are evaluated in order of priority (lower number = higher priority). Rule B with priority 500 will be evaluated first and denies the traffic, so Rule A is not applied.

94 · MCQ · easy

What is the purpose of creating a Cloud NAT gateway?

A. To enable private instances to reach the internet for updates and patches.
B. To allow VPN connections to on-premises networks.
C. To provide a static IP address for inbound traffic.
D. To provide DNS resolution for VPC networks.
Answer: A

Cloud NAT enables outbound internet access for private instances.

Why this answer

Cloud NAT allows instances without external IP addresses to access the internet for outbound connections, while preventing inbound connections from the internet.

95 · MCQ · hard

An engineer created a VPC with a subnet in us-central1 and enabled Private Google Access on that subnet. Compute Engine instances in that subnet can reach Google APIs and services using internal IPs. However, the instances cannot reach external IP addresses on the internet. What should the engineer configure to allow internet access while minimizing cost and management overhead?

A. Create a Cloud NAT gateway using a Cloud Router
B. Disable Private Google Access and assign external IPs to the instances
C. Add a NAT instance (a Compute Engine VM configured as a NAT gateway)
D. Create a Cloud VPN tunnel to a third-party NAT service
Answer: A

Correct: Cloud NAT provides outbound internet access for private instances.

Why this answer

Since the instances need to access the internet (not just Google APIs), a Cloud NAT is the appropriate solution. It allows outbound internet traffic from private instances without assigning external IPs. Private Google Access only covers Google APIs.

A NAT gateway instance would be more expensive and require management. A VPN is unnecessary.

96 · Multi-Select · medium

A company wants to ensure that a Compute Engine instance can access only a specific Cloud Storage bucket and no other resources in the project. Which TWO steps should the engineer take? (Select 2 correct answers)

Select 2 answers
A. Grant the roles/storage.admin role at the bucket level.
B. Grant the roles/storage.objectViewer role at the project level to the service account.
C. Use the default Compute Engine service account.
D. Attach the service account to the Compute Engine instance at creation.
E. Create a custom service account.
Answers: D, E

Attaching the service account enables the instance to use its permissions.

Why this answer

To restrict an instance to a specific bucket, create a custom service account with the Storage Object Viewer role only on that bucket (via an IAM binding on the bucket), then attach that service account to the instance. Granting the role at the project level is too broad. Using the default service account gives broader permissions.

97 · MCQ · hard

An organization uses Secret Manager to store database credentials. A new application runs on Compute Engine and needs to access a secret. The application uses the default Compute Engine service account. What is the most secure way to grant access to the secret?

A. Hardcode the secret in the application configuration file
B. Create a new service account with the secretAccessor role, create a key, and store it on the instance
C. Grant the roles/editor role to the default Compute Engine service account
D. Grant the roles/secretmanager.secretAccessor role to the Compute Engine default service account
Answer: D

Correct: least privilege access via IAM.

Why this answer

The most secure approach is to grant the secretmanager.secretAccessor role to the Compute Engine service account. This avoids downloading keys or hardcoding secrets. The role provides access to secrets without granting broader permissions.

98 · MCQ · easy

An engineer needs to grant a user the ability to create and manage service accounts in a project, but not delete them. Which predefined IAM role should be assigned?

A. roles/iam.serviceAccountAdmin
B. roles/iam.serviceAccountDeleter
C. roles/iam.serviceAccountCreator
D. roles/iam.serviceAccountUser
Answer: A

Correct: this role includes permissions to create and manage service accounts, but not to delete them.

Why this answer

The roles/iam.serviceAccountAdmin role grants permissions to create, update, and manage service accounts, but not delete them. roles/iam.serviceAccountUser allows using service accounts but not creating them. roles/iam.serviceAccountCreator is not a predefined role. roles/iam.serviceAccountDeleter does not exist.

99 · MCQ · easy

Which command creates a Google-managed SSL certificate for the domain 'example.com'?

A. gcloud compute ssl-certificates create my-cert --domains example.com
B. gcloud compute addresses create my-cert --global
C. gcloud compute ssl-policies create my-policy
D. gcloud compute target-https-proxies create my-proxy --ssl-certificates my-cert
Answer: A

Correct command for a Google-managed certificate.

Why this answer

Google-managed certificates are created with 'gcloud compute ssl-certificates create' with the '--domains' flag. The other commands are for different purposes.

100 · MCQ · hard

A developer created a service account with the roles/storage.admin role and wants to use it from a Compute Engine instance without downloading a key file. What is the best practice?

A. Download the service account key and store it on the instance's persistent disk.
B. Use gcloud auth activate-service-account on the instance with the service account email.
C. Attach the service account to the instance using the --service-account flag when creating the instance.
D. Store the service account email in instance metadata and use gcloud commands.
Answer: C

This enables the instance to use the service account's permissions via the metadata server without any key file.

Why this answer

The best practice is to attach the service account to the Compute Engine instance at creation time using the --service-account flag. This allows the instance to automatically obtain credentials via the metadata server, avoiding the need to download and manage a service account key file. Downloading keys should be avoided due to security risks.
