CCNA Google Cloud Security Questions

75 of 79 questions · Page 1/2 · Google Cloud Security · Answers revealed

1
MCQ · hard

A company has a VPC with multiple subnets and wants to prevent data exfiltration by restricting access to a Cloud Storage bucket from only resources within a defined perimeter. Which Google Cloud service should they use to create an API perimeter around the bucket?

A.VPC Service Controls
B.Cloud Armor
C.Cloud NAT
D.VPC firewall rules
Answer: A

VPC Service Controls creates perimeters that restrict data movement across projects and networks.

Why this answer

VPC Service Controls lets you define a service perimeter around Google-managed APIs such as Cloud Storage, so that requests to the bucket from outside the perimeter are denied even when the caller holds a valid IAM role. VPC firewall rules control packet flow between VM interfaces but not API access to Google services. Cloud Armor is a WAF and DDoS service for load-balanced web traffic.

Cloud NAT provides outbound internet access for VMs without external IP addresses.

2
Multi-Select · hard

A security team needs to detect and respond to threats in real time using network traffic analysis and log correlation. Which THREE services should they use? (Choose 3)

Select 3 answers
A.Cloud KMS
B.Chronicle
C.Cloud IDS
D.Cloud Armor
E.Security Command Center
Answers: B, C, E

Correlates logs and provides SIEM analytics.

Why this answer

Cloud IDS provides network threat detection. Chronicle offers SIEM capabilities for log correlation and analysis. Security Command Center provides overall threat detection and response orchestration.

Cloud Armor is for web protection, not network traffic analysis. Cloud KMS is for key management.

3
MCQ · easy

A developer needs to store a database password securely and access it from a Compute Engine VM. The password should be automatically rotated every 90 days. Which Google Cloud service should they use?

A.IAM
B.Cloud Storage with server-side encryption
C.Cloud KMS
D.Secret Manager
Answer: D

Secret Manager stores secrets and supports scheduled rotation.

Why this answer

Secret Manager is designed to store secrets such as passwords, API keys and certificates, with versioning, IAM access control and audit logging. Rotation is scheduled rather than fully automatic: Secret Manager publishes a message to a Pub/Sub topic on the configured schedule (for example every 90 days), and a rotation function you write generates the new password, updates the database and adds a new secret version; the service does not know how to change the password on its own. Cloud KMS manages encryption keys, not arbitrary secrets.

Cloud Storage is not designed for secrets. IAM grants access but does not store credentials.

4
MCQ · medium

A company uses Cloud KMS to manage encryption keys. They want to rotate keys automatically every 90 days. How can they achieve this?

A.Use a cron job to call the Google Cloud API
B.Use gcloud kms keys update with --rotation-period and --next-rotation-time
C.Set the key's rotationPeriod in the Cloud Console when creating the key
D.Manually create a new key version every 90 days
Answer: B

Setting a rotation period and a next rotation time on the key enables automatic rotation.

Why this answer

Cloud KMS rotates a symmetric key automatically once a rotation period is set on the key, either at creation or afterwards with gcloud kms keys update --rotation-period=90d --next-rotation-time=... (the key name, key ring and location flags are also required). Keys do not rotate by default, and automatic rotation applies only to symmetric encryption keys; asymmetric keys must be rotated manually. Rotation creates a new primary key version that is used for new encrypt operations; existing ciphertext is not re-encrypted and stays decryptable as long as the version it was encrypted with remains enabled, so do not disable or destroy old versions before re-encrypting the data that depends on them. Setting the period in the Cloud Console at creation (option C) also works, but the gcloud command is the scriptable route and applies to existing keys as well.
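What rotation actually does to existing data is easier to see than to describe, so here is an added example that is not part of the original page: a small local stand-in for a Cloud KMS CryptoKey with numbered versions. The cipher inside it (an HMAC-SHA256 keystream with encrypt-then-MAC, separate subkeys per version) is a toy used only so the code runs offline; Cloud KMS uses AES-256-GCM, and nothing here should be reused as a real cipher. The point it demonstrates is that each ciphertext names the key version that produced it, new encryptions move to the new primary, and disabling the old version breaks old ciphertext rather than migrating it.

```python
"""Key rotation semantics, modelled locally (added example, not from the page).

Stand-in for a Cloud KMS CryptoKey with numbered versions. The cipher is a toy
(HMAC-SHA256 keystream, encrypt-then-MAC) so the example runs offline.
"""
import hashlib
import hmac
import secrets
import struct


def _subkeys(master: bytes) -> tuple[bytes, bytes]:
    # Separate confidentiality and integrity keys derived from the version key.
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode style keystream built from the PRF; XOR is its own inverse.
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(enc_key, nonce + struct.pack(">I", block_no), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


class CryptoKey:
    """A key with versions; rotation adds a version and makes it primary."""

    def __init__(self) -> None:
        self.versions: dict[int, bytes] = {}
        self.enabled: set[int] = set()
        self.primary = 0
        self.rotate()

    def rotate(self) -> int:
        version = len(self.versions) + 1
        self.versions[version] = secrets.token_bytes(32)
        self.enabled.add(version)
        self.primary = version          # only new encrypt calls use this version
        return version

    def disable(self, version: int) -> None:
        self.enabled.discard(version)   # like DISABLED/DESTROYED in KMS: decrypt fails

    def encrypt(self, plaintext: bytes) -> bytes:
        enc_key, mac_key = _subkeys(self.versions[self.primary])
        nonce = secrets.token_bytes(16)
        header = struct.pack(">I", self.primary) + nonce   # ciphertext names its version
        body = _keystream_xor(enc_key, nonce, plaintext)
        tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
        return header + body + tag

    @staticmethod
    def version_of(blob: bytes) -> int:
        return struct.unpack(">I", blob[:4])[0]

    def decrypt(self, blob: bytes) -> bytes:
        version = self.version_of(blob)
        if version not in self.enabled:
            raise PermissionError(f"key version {version} is not enabled")
        enc_key, mac_key = _subkeys(self.versions[version])
        header, body, tag = blob[:20], blob[20:-32], blob[-32:]
        expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("authentication failed")
        return _keystream_xor(enc_key, blob[4:20], body)


def rotation_walkthrough() -> dict:
    """Encrypt, rotate, encrypt again, then disable the old version."""
    key = CryptoKey()
    old_blob = key.encrypt(b"row written before rotation")
    key.rotate()
    new_blob = key.encrypt(b"row written after rotation")
    result = {
        "old_version": key.version_of(old_blob),
        "new_version": key.version_of(new_blob),
        "old_still_decrypts": key.decrypt(old_blob) == b"row written before rotation",
    }
    key.disable(1)                      # what happens if v1 is destroyed too early
    try:
        key.decrypt(old_blob)
        result["old_decrypts_after_disable"] = True
    except PermissionError:
        result["old_decrypts_after_disable"] = False
    result["new_decrypts_after_disable"] = key.decrypt(new_blob) == b"row written after rotation"
    return result
```

The walkthrough returns old_version 1, new_version 2, old ciphertext still readable after rotation, unreadable once version 1 is disabled, and new ciphertext unaffected. That is the same lifecycle Cloud KMS enforces: a rotation schedule changes which version is primary, and a re-encryption job is a separate task you own before retiring old versions.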

5
MCQ · medium

A company wants to protect its web application from common web exploits like SQL injection and cross-site scripting. They also need to block traffic from known malicious IP addresses. Which Google Cloud service should they use?

A.Security Command Center
B.reCAPTCHA Enterprise
C.Cloud IDS
D.Cloud Armor
Answer: D

Cloud Armor is a WAF that protects against web exploits and can block traffic by IP address or IP reputation.

Why this answer

Cloud Armor security policies attach to backend services behind an external Application Load Balancer and provide WAF rules (preconfigured rule sets for SQL injection, XSS and the other OWASP Top 10 categories) plus DDoS protection. Known-bad addresses can be blocked with explicit IP deny rules or, with Cloud Armor Enterprise, threat-intelligence feeds. reCAPTCHA Enterprise addresses bots, Cloud IDS inspects VPC traffic, and Security Command Center reports findings rather than filtering requests.

6
MCQ · hard

A security engineer needs to ensure that a Compute Engine instance can access a Cloud Storage bucket using its own identity, without embedding service account keys in the instance. What should the engineer do?

A.Create a service account, grant it the required IAM roles on the bucket, and attach the service account to the Compute Engine instance.
B.Create a service account and download its key. Store the key in Cloud Storage and have the instance download it at startup.
C.Create a service account, generate a key, and use the gcloud auth activate-service-account command on the instance.
D.Use the default Compute Engine service account and grant it roles on the bucket; no additional steps needed.
Answer: A

The instance obtains short-lived tokens for the attached service account from the metadata server; no key file exists.

Why this answer

Attaching a service account to the instance lets code on the VM request short-lived access tokens from the metadata server (the Google client libraries and gcloud do this automatically), so there is no long-lived key to leak. Options B and C both create a downloadable key, which is exactly what the requirement rules out. Option D relies on the default Compute Engine service account, whose automatic project-level Editor grant is overly broad and is disabled by organization policy in new organizations; a dedicated service account with a bucket-level role is least privilege. Also check the instance's access scopes: a scope such as devstorage.read_only caps what the token can do regardless of the IAM roles granted.
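The flow behind answer A, as an added example that is not part of the original page: plain Python requesting a token from the metadata server the way the client libraries do, then using it as a bearer credential against the Cloud Storage JSON API. It assumes a VM with an attached service account. The opener parameter, fake_metadata_server and FAKE_TOKEN_BODY are constructed stand-ins so the code runs offline; on a real instance you call fetch_access_token() with no argument.

```python
"""Obtain the attached service account's token from the metadata server.

Added example, not from the original page. Assumes a Compute Engine VM with an
attached service account; the fake server below exists only for offline runs.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional

METADATA_TOKEN_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/token"
)


def build_token_request(url: str = METADATA_TOKEN_URL) -> urllib.request.Request:
    # The metadata server refuses requests without "Metadata-Flavor: Google".
    # A GET forged through an SSRF bug that cannot set headers lacks it, which
    # is the point of the check.
    return urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})


def parse_token_response(body: bytes) -> dict:
    data = json.loads(body)
    missing = [f for f in ("access_token", "expires_in", "token_type") if f not in data]
    if missing:
        raise ValueError(f"token response missing {missing}")
    if data["token_type"] != "Bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    return data


def fetch_access_token(
    opener: Optional[Callable[[urllib.request.Request], bytes]] = None,
) -> dict:
    """Return the token document: a short-lived token, never a downloadable key."""
    if opener is None:
        opener = lambda req: urllib.request.urlopen(req, timeout=5).read()
    return parse_token_response(opener(build_token_request()))


def build_storage_request(token: str, bucket: str, object_name: str) -> urllib.request.Request:
    # The token is a bearer credential; IAM on the bucket and the VM's access
    # scopes decide whether the read is allowed.
    url = (f"https://storage.googleapis.com/storage/v1/b/{bucket}/o/"
           f"{urllib.parse.quote(object_name, safe='')}?alt=media")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


# Constructed stand-in for the metadata server so the example runs offline.
FAKE_TOKEN_BODY = b'{"access_token":"ya29.constructed","expires_in":3599,"token_type":"Bearer"}'


def fake_metadata_server(req: urllib.request.Request) -> bytes:
    headers = {k.lower(): v for k, v in req.header_items()}
    if headers.get("metadata-flavor") != "Google":
        raise PermissionError("403 Forbidden: missing Metadata-Flavor header")
    return FAKE_TOKEN_BODY


def header_is_enforced() -> bool:
    """A request built without the header is rejected, as on the real server."""
    try:
        fake_metadata_server(urllib.request.Request(METADATA_TOKEN_URL))
    except PermissionError:
        return True
    return False
```

Tokens expire after roughly an hour and are re-fetched on demand, which is why nothing needs to be stored on disk. The Metadata-Flavor requirement is also why an SSRF bug that cannot add request headers cannot reach the token endpoint, though an SSRF that can set headers still can; treat the metadata server as a credential source when threat-modelling anything that runs on the VM.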

7
MCQ · easy

An organization needs to ensure that data stored in Cloud Storage is encrypted using keys that they manage and rotate themselves. Which encryption option should they choose?

A.Customer-managed encryption keys (CMEK)
B.Default encryption at rest
C.Customer-supplied encryption keys (CSEK)
D.Google-managed encryption keys
Answer: A

CMEK allows customers to create and manage keys in Cloud KMS.

Why this answer

CMEK allows customers to manage their own keys via Cloud KMS. CSEK requires customer-supplied keys but has operational overhead. Google-managed keys are default but not customer-managed.

8
MCQ · medium

A security team wants to find misconfigurations and vulnerabilities across their Google Cloud environment, including VMs, storage, and IAM. Which service provides a unified view of these findings?

A.Cloud IDS
B.Security Command Center
C.Assured Workloads
D.Cloud Audit Logs
Answer: B

SCC provides a dashboard of vulnerabilities and threats across GCP.

Why this answer

Security Command Center provides a centralized view of vulnerabilities and misconfigurations. Cloud Audit Logs are for auditing actions. Cloud IDS is for network threats.

Assured Workloads is for compliance.

9
MCQ · medium

A company wants to implement a zero-trust access model for its internal applications, eliminating the need for a traditional VPN. Employees should be allowed access based on device posture and user identity, not just network location. Which Google Cloud solution should be used?

A.Security Command Center
B.Cloud VPN
C.Identity-Aware Proxy (IAP)
D.BeyondCorp Enterprise
Answer: D

BeyondCorp Enterprise is the comprehensive zero-trust solution that replaces VPNs with identity- and context-aware access.

Why this answer

BeyondCorp Enterprise (sold as Chrome Enterprise Premium since 2024) provides the zero-trust access model: it uses identity, device posture and other context to grant access without a VPN. Identity-Aware Proxy (IAP) is the enforcement point within that model; it is the right choice when a question asks only for the service that gates an application, but here the device-posture requirement points to the full BeyondCorp Enterprise offering, which includes the endpoint verification that supplies device signals.

10
MCQ · medium

A security analyst needs to analyze large volumes of security logs from multiple GCP projects, detect anomalies, and investigate incidents. The solution should support advanced analytics and threat hunting. Which service is best suited?

A.Chronicle
B.Cloud Logging
C.BigQuery
D.Security Command Center
Answer: A

Chronicle is a SIEM for log analysis and threat hunting.

Why this answer

Chronicle is a cloud-native SIEM that ingests logs, provides analytics, and supports threat hunting.

11
MCQ · medium

A data engineering team needs to store and manage database passwords and API keys used by their applications. Which Google Cloud service should they use?

A.Cloud KMS
B.Secret Manager
C.Cloud Key Management Service
D.Cloud Storage
Answer: B

Secret Manager securely stores secrets such as passwords and API keys.

Why this answer

Secret Manager is designed to store secrets like passwords and API keys, with versioning, IAM-controlled access and audit logs. Options A and C name the same product: Cloud KMS (Cloud Key Management Service) creates and manages cryptographic keys and performs encrypt and decrypt operations, but it does not store arbitrary secret values and never releases key material.

Cloud Storage is for objects; a bucket is not a secrets store.

12
MCQ · hard

A security engineer needs to create a VPC Service Controls perimeter that prevents data exfiltration from a project containing sensitive data. The perimeter should allow BigQuery datasets in the project to be accessed only from authorized VMs within the same perimeter. Which step is essential?

A.Create a separate perimeter for each VM and use IAM conditions
B.Add the project to a perimeter and create an egress rule to allow access from authorized VMs
C.Add the project to a perimeter and set an ingress policy that allows access from the authorized VMs' service accounts
D.Use Cloud Armor to whitelist the VMs' IP addresses for BigQuery access
Answer: C

This allows the VMs (via their service accounts and their VPC network) to reach BigQuery inside the perimeter.

Why this answer

VPC Service Controls perimeters restrict access to Google-managed services from outside the perimeter. Adding the project to a perimeter blocks API calls from outside it; to let a specific set of callers in, you define an ingress rule whose source is the VPC network (or an access level) and whose identities are the VMs' service accounts, scoped to the BigQuery API. Egress rules (option B) govern the opposite direction, requests from inside the perimeter to resources outside it. Cloud Armor (option D) sits in front of load balancers and never sees BigQuery API calls. IAM still applies inside the perimeter: the service accounts must also hold BigQuery roles on the datasets.

13
MCQ · easy

A startup wants to secure access to its internal web applications without using a VPN. They need to enforce access based on user identity and device security posture. Which Google Cloud service should they use?

A.Identity-Aware Proxy (IAP)
B.Cloud VPN
C.VPC Service Controls
D.Cloud Armor
Answer: A

IAP is the correct service; it verifies identity and context before granting access to applications, aligning with zero-trust principles.

Why this answer

BeyondCorp Enterprise is Google's zero-trust solution that replaces VPNs by using identity and context (device, location) to grant access. Identity-Aware Proxy (IAP) is a component of BeyondCorp that enforces access at the application layer.

14
MCQ · medium

A security engineer needs to monitor and analyze security logs from multiple GCP projects and on-premises sources in a centralized SIEM. Which Google Cloud service is designed for log management and security analytics at scale?

A.Cloud Logging
B.Chronicle
C.Security Command Center
D.Cloud IDS
Answer: B

Chronicle is a cloud-native SIEM that ingests and analyzes logs for threat detection.

Why this answer

Chronicle (now part of Google Security Operations) is the SIEM platform: it ingests logs from Google Cloud, on-premises systems and other clouds, normalizes them and supports detection rules and threat hunting. Security Command Center reports findings on cloud assets but is not a SIEM. Cloud Logging stores and queries logs and can export them to Chronicle, but it does not provide SIEM analytics.

15
MCQ · medium

A company wants to protect its web application running on Google Cloud from DDoS attacks and SQL injection. Which service should they use?

A.reCAPTCHA Enterprise
B.Cloud Armor
C.Cloud CDN
D.VPC firewall rules
Answer: B

Cloud Armor provides DDoS protection and a web application firewall (WAF).

Why this answer

Cloud Armor provides DDoS protection and WAF capabilities (including SQL injection prevention). Cloud CDN caches content but does not protect against attacks. VPC firewall rules are network-level only. reCAPTCHA protects against bots but not SQL injection.

16
MCQ · medium

A company wants to replace its VPN-based remote access with a solution that grants access to internal web applications based on user identity and device context, without requiring a VPN. Which Google Cloud service should they use?

A.Access Transparency
B.Cloud Identity
C.Identity-Aware Proxy (IAP)
D.Cloud VPN
Answer: C

IAP uses identity and context to control access to cloud and on-premises applications, eliminating the need for VPN.

Why this answer

Identity-Aware Proxy (IAP) provides context-aware access to applications without a VPN, verifying user identity and device context. BeyondCorp Enterprise is a framework that includes IAP, but the question asks for the service that directly enforces access based on identity and context.

17
Multi-Select · medium

A company wants to implement a zero-trust security model for accessing internal applications. Which TWO Google Cloud services should they use together? (Choose 2)

Select 2 answers
A.Cloud Identity
B.Cloud Armor
C.Identity-Aware Proxy (IAP)
D.BeyondCorp Enterprise
E.Cloud VPN
Answers: C, D

IAP enforces access decisions based on identity and context.

Why this answer

BeyondCorp Enterprise provides the zero-trust framework, and IAP enforces identity and context-based access to applications. Cloud VPN is not zero-trust. Cloud Identity is an identity provider but not sufficient alone.

Cloud Armor is for DDoS protection.

18
Multi-Select · medium

Which TWO services help protect against data exfiltration in Google Cloud? (Choose 2)

Select 2 answers
A.Cloud Armor
B.Sensitive Data Protection (DLP)
C.Cloud Data Loss Prevention (DLP)
D.VPC Service Controls
E.Cloud IDS
Answers: C, D

VPC Service Controls contains data inside a perimeter; DLP discovers and de-identifies sensitive data so that less of it is exposed.

Why this answer

VPC Service Controls creates perimeters that block API access to services such as Cloud Storage and BigQuery from outside the perimeter, which is the control that directly prevents data being copied out. Cloud DLP does not block transfers; it reduces the impact of exfiltration by finding sensitive data and masking, tokenizing or redacting it before it spreads. Options B and C refer to the same product under its new name (Sensitive Data Protection) and its old name (Cloud DLP), so only one of them counts as a distinct answer. Cloud IDS detects intrusions, and Cloud Armor protects web front ends from DDoS and web attacks; neither stops data leaving through the APIs.

19
MCQ · easy

A developer needs to allow a Compute Engine VM to read from a specific Cloud Storage bucket. Which IAM role should be granted to the VM's service account?

A.roles/storage.objectViewer
B.roles/storage.legacyBucketReader
C.roles/storage.admin
D.roles/storage.objectCreator
Answer: A

objectViewer grants read access to objects.

Why this answer

roles/storage.objectViewer includes storage.objects.get and storage.objects.list, which is all that reading objects requires. roles/storage.legacyBucketReader grants bucket metadata and object listing but not object contents. roles/storage.objectCreator is write-only, and roles/storage.admin is far broader than needed. Grant the role on the specific bucket rather than at project level to keep the service account's reach minimal.

20
Multi-Select · medium

A company wants to protect its web application deployed on Google Cloud from OWASP Top 10 attacks and also block traffic from specific geographic regions. Which TWO services should they use together? (Choose 2)

Select 2 answers
A.Cloud Load Balancing
B.Cloud CDN
C.Cloud Armor
D.Cloud IDS
E.reCAPTCHA Enterprise
Answers: A, C

Cloud Armor policies are attached to backend services of a Cloud Load Balancing external Application Load Balancer.

Why this answer

Cloud Armor provides the preconfigured WAF rules for OWASP Top 10 categories and geo-based rules (for example a deny rule with the expression origin.region_code == 'XX'). It only takes effect as a security policy on a backend service behind an external Application Load Balancer, so Cloud Load Balancing is the service it must be used together with. Cloud CDN is an optional cache on the same load balancer and provides no protection on its own; Cloud IDS inspects VPC traffic; reCAPTCHA Enterprise addresses bot traffic, not the OWASP rule set.

21
MCQ · medium

A developer needs to store and manage API keys and certificates in a secure, centralized manner, with automatic rotation and integration with Cloud Functions. Which Google Cloud service should they use?

A.Cloud Storage
B.Cloud KMS
C.Secret Manager
D.Cloud Asset Inventory
Answer: C

Secret Manager is designed for storing and managing secrets, with rotation scheduling and runtime integration.

Why this answer

Secret Manager stores secrets such as API keys, passwords and certificates, and Cloud Functions can mount a secret as an environment variable or a file, or read it through the API with the function's service account. Rotation is driven by schedule notifications to Pub/Sub that trigger your rotation code. Cloud KMS manages encryption keys, not secrets. Cloud Storage is not designed for secret management.

Cloud Asset Inventory tracks resources.

22
Multi-Select · medium

Which TWO statements about encryption in transit in Google Cloud are correct? (Choose 2)

Select 2 answers
A.Google Cloud uses TLS for all external traffic to its APIs.
B.Data in transit between Google Cloud regions is encrypted by default.
C.Users must configure TLS certificates for all Google Cloud services.
D.Data in transit between Google Cloud and the internet is encrypted by default for all services.
E.Encryption in transit uses AES-256.
Answers: A, B

Google Cloud API endpoints are served over TLS.

Why this answer

Google Cloud APIs are reached over HTTPS, so client traffic to the APIs is protected by TLS. Traffic between Google data centers, including inter-region traffic on Google's network, is encrypted by default at one or more network layers (Google's ALTS protocol for internal RPCs). Option C is wrong because Google manages certificates for its own API endpoints; you configure certificates only for your own load balancers and services. Option D is wrong because traffic to workloads you expose on your own VMs or load balancers is encrypted only if you configure TLS there. Option E is wrong because the cipher suite is negotiated per connection; AES-256 is the default for encryption at rest, not a fixed property of encryption in transit.

23
MCQ · hard

A security team wants to detect and respond to threats across multiple GCP projects, including identifying misconfigurations and vulnerabilities. They need a single pane of glass. Which service provides a unified view of security findings across projects?

A.Cloud Operations
B.Security Command Center
C.Cloud Audit Logs
D.Chronicle
Answer: B

Security Command Center aggregates security findings from across projects and services.

Why this answer

Security Command Center provides a unified dashboard for security findings across projects, including vulnerability scanning, threat detection, and misconfiguration alerts. Chronicle is a SIEM for log analysis but not a unified view of findings. Cloud Audit Logs provide logs but not aggregation.

Cloud Operations is for monitoring and logging, not security-specific findings.

24
MCQ · medium

An organization needs to enforce that developers can only create Compute Engine instances in the us-central1 region. Which IAM approach should they use?

A.Use Organization Policy to restrict allowed regions
B.Create a custom role with permission restricted to us-central1
C.Grant the Compute Instance Admin role with an IAM condition on resource.location
D.Create a separate project for each region
Answer: C

IAM conditions allow fine-grained access control based on attributes of the request or resource.

Why this answer

The question asks for an IAM approach, and IAM conditions attach a Common Expression Language (CEL) expression to a role binding, so the Compute Instance Admin role applies only when the condition is true (the page's example: resource.location == 'us-central1'). Check the condition attributes supported for the resource type and test the binding on a non-production project before relying on it. A custom role cannot be limited to a region, and a project per region does not stop a developer from using other regions inside a project. The organization-wide way to enforce locations is the organization policy constraint constraints/gcp.resourceLocations (option A), which applies regardless of who holds which role; in practice the two controls are complementary.

25
MCQ · medium

A security team needs to detect and alert on suspicious outbound network traffic from their GCP environment, such as data exfiltration attempts. They require a managed service that analyzes traffic for threats. Which service should they use?

A.Cloud Armor
B.Security Command Center
C.Cloud IDS
D.Chronicle
Answer: C

Cloud IDS inspects mirrored network traffic for threats, including outbound anomalies.

Why this answer

Cloud IDS is a managed intrusion detection service: you create an IDS endpoint and a packet mirroring policy that copies traffic from the chosen subnets or instances to it, and it inspects full packets (not just flow metadata) with Palo Alto Networks threat signatures, reporting findings for malware, command-and-control traffic and data exfiltration to Cloud Logging and Security Command Center. It works on mirrored packets, not on VPC Flow Logs. Cloud Armor filters inbound web traffic at the load balancer.

Security Command Center is the broader findings platform. Chronicle is a SIEM for log analysis, not real-time packet inspection.

26
MCQ · easy

Which IAM component determines what actions a user is allowed to perform on a resource?

A.Authorization
B.Audit Logging
C.Authentication
D.Encryption
Answer: A

Authorization defines allowed actions via roles and permissions.

Why this answer

Authorization is the process of determining what actions a user can perform; IAM roles and permissions define this.

27
MCQ · hard

A company must meet regulatory requirements that restrict where data can be stored and processed. They need to ensure that Google Cloud personnel have limited and audited access to their data. Which combination of services should they use?

A.Access Transparency and VPC Service Controls
B.Assured Workloads and Access Transparency
C.Cloud KMS and Cloud Audit Logs
D.VPC Service Controls and Cloud Audit Logs
Answer: B

Assured Workloads enforces location and access restrictions; Access Transparency logs Google personnel access.

Why this answer

Assured Workloads provides regulatory compliance controls and access restrictions for specific regions. Access Transparency logs Google personnel access. Cloud Audit Logs track user activity.

The question asks for a combination that restricts personnel access and provides audit logs.

28
MCQ · easy

An organization needs to store API keys, database passwords, and certificates securely, with automatic rotation and audit logging. Which Google Cloud service should they use?

A.Cloud Storage with encryption
B.Cloud KMS
C.Cloud HSM
D.Secret Manager
Answer: D

Secret Manager stores secrets securely and supports rotation scheduling and audit logging.

Why this answer

Secret Manager is designed to store secrets such as API keys, passwords and certificates, with versioning, IAM access control, Cloud Audit Logs for every access, and rotation schedules that notify your rotation code through Pub/Sub. Cloud KMS and Cloud HSM manage cryptographic keys and never release key material to callers, so they cannot hand back a stored password; Cloud Storage, even encrypted, offers none of the secret-specific controls.

29
MCQ · medium

An organization wants to ensure that all data stored in Cloud Storage is encrypted with customer-managed keys that can be rotated on demand. They also need to log every key use for audit compliance. Which combination of services should they use?

A.Cloud KMS with Customer-Supplied Encryption Keys (CSEK)
B.Google-managed encryption keys with Access Transparency
C.Cloud KMS with Customer-Managed Encryption Keys (CMEK) and Cloud Audit Logs
D.Secret Manager with encryption keys and Cloud Logging
Answer: C

CMEK via Cloud KMS gives control over the key; Cloud Audit Logs record each use.

Why this answer

Cloud KMS lets you create a customer-managed key, set it as the default key on a bucket (or per object) and rotate it on a schedule or on demand; Cloud Storage uses it to wrap the per-object data encryption keys. Each Encrypt and Decrypt call on the key is recorded in Cloud Audit Logs as a Data Access log entry, with the calling principal (for CMEK on a bucket, the Cloud Storage service agent) and the key version. Data Access audit logs for Cloud KMS are off by default and must be enabled for this to work. Option A is contradictory: with CSEK the key is supplied on each request and never held in Cloud KMS, so KMS cannot rotate or log it (CSEK is not deprecated, just unsuited here). Option B gives you no control over the key, and Access Transparency logs Google staff access, not key use. Secret Manager (option D) stores secrets; it is not a key management service for storage encryption.

30
MCQ · medium

A company wants to encrypt sensitive data stored in Cloud Storage with a key that is generated and stored on-premises using a hardware security module (HSM). They do not want Google to have access to the key. Which encryption option should they use?

A.Google-managed encryption keys
B.Customer-managed encryption keys (CMEK)
C.Cloud HSM
D.Customer-supplied encryption keys (CSEK)
Answer: D

CSEK uses a key the customer provides on each request; Google does not persist it.

Why this answer

With customer-supplied encryption keys the customer generates the 256-bit AES key (here, in an on-premises HSM) and sends it with each request; Cloud Storage uses it in memory to wrap the object's data key and stores only a hash of the key for later verification, so the raw key is never persisted in Google Cloud. The customer must supply the same key for every subsequent read, and losing it makes the data unrecoverable. CMEK and Cloud HSM keep the key material in Cloud KMS, which the requirement excludes; Cloud External Key Manager (not among the options) is the managed alternative that keeps keys in an external key manager while integrating with Cloud KMS.

31
MCQ · medium

A company wants to implement a zero-trust security model to replace its legacy VPN for accessing internal web applications. Employees use both company-managed and personal devices. Which Google Cloud service provides context-aware access based on user identity and device posture?

A.Cloud VPN
B.Identity-Aware Proxy (IAP)
C.Cloud Armor
D.VPC Service Controls
Answer: B

IAP uses identity and context to control access, replacing VPN.

Why this answer

Identity-Aware Proxy (IAP) verifies user identity and context (device security, location, etc.) before granting access to applications, enabling zero-trust without a VPN.

32
Multi-Select · hard

An engineer needs to prevent data exfiltration from a project by ensuring that Cloud Storage buckets can only be accessed from within a VPC network. Which TWO steps should they take? (Choose 2)

Select 2 answers
A.Set an ingress policy to allow access only from the VPC network
B.Use IAM conditions to restrict access to the VPC
C.Enable Private Google Access on the VPC subnets
D.Create a VPC Service Controls perimeter
E.Create a firewall rule that denies all traffic to Cloud Storage
Answers: A, D

Ingress rules specify the allowed sources, here the VPC network.

Why this answer

The two VPC Service Controls steps are to create a service perimeter that contains the project (which blocks Cloud Storage API calls from outside it) and to add an ingress rule whose source is the VPC network, so that only callers on that network reach the buckets. IAM conditions cannot see the calling network, and a VPC firewall rule does not govern API calls to storage.googleapis.com. Private Google Access (option C) is not itself a VPC Service Controls step, but VMs without external IP addresses need it, typically together with the restricted.googleapis.com VIP, to reach the protected APIs at all.

33
MCQ · medium

An organization wants to protect its web application from DDoS attacks and SQL injection. Which Google Cloud service should they deploy?

A.Cloud DNS
B.Security Command Center
C.Cloud IDS
D.Cloud Armor
Answer: D

Cloud Armor provides DDoS protection and WAF rules against SQL injection.

Why this answer

Cloud Armor provides DDoS protection and Web Application Firewall (WAF) capabilities to block attacks like SQL injection. Cloud IDS is for intrusion detection. Security Command Center is for vulnerability management.

Cloud DNS is for DNS resolution.

34
MCQ · hard

A security team needs to monitor and analyze logs from multiple GCP projects to detect threats across the organization. They require a SIEM solution that can ingest logs from on-premises and other clouds. Which service should they use?

A.Security Command Center
B.Cloud IDS
C.Chronicle
D.Cloud Logging
Answer: C

Chronicle is a cloud-native SIEM for log analysis and threat detection.

Why this answer

Chronicle is a Google Cloud SIEM that ingests logs from various sources, including on-premises and other clouds, and provides threat detection. Security Command Center is for vulnerability scanning, not SIEM.

35
MCQ · medium

A company uses Cloud SQL and wants to encrypt data at rest with a key that they manage and rotate themselves. They also want to ensure that the encryption happens automatically before data is written to disk. Which configuration should they choose?

A.Enable default Google-managed encryption
B.Store the encryption key in Secret Manager and configure Cloud SQL to use it
C.Use a Customer-Managed Encryption Key (CMEK) from Cloud KMS
D.Use a Customer-Supplied Encryption Key (CSEK)
Answer: C

CMEK provides customer control over the key and automatic encryption at rest.

Why this answer

Cloud SQL supports customer-managed encryption keys via Cloud KMS: the key is created in Cloud KMS in the same region as the instance, specified when the instance is created, and Cloud SQL uses it to protect the data encryption keys, so all data is encrypted at rest without changes to the application. Disabling or destroying the key makes the instance unavailable, so guard the key's IAM and lifecycle accordingly.

Cloud SQL does not support customer-supplied encryption keys; CSEK is a per-request option available only for some services such as Cloud Storage and Compute Engine, and it is not deprecated. Google-managed keys give the customer no control over rotation. Secret Manager stores secrets and is not a source of storage encryption keys.

36
MCQ · hard

A DevOps engineer wants to audit all actions performed by Google personnel on their customer data stored in Cloud Storage. They need to review logs that show access by Google employees and the reason for access. Which logging feature should they enable?

A.Cloud Audit Logs
B.Cloud Logging
C.Access Transparency
D.VPC Flow Logs
Answer: C

Access Transparency logs Google personnel access to customer content.

Why this answer

Access Transparency, once enabled for the organization, writes a log entry for each access to customer content by Google personnel, including the time, the resource, the reason category (for example a customer-initiated support case with its case number) and the office location of the staff member. Cloud Audit Logs record actions by the customer's own users and service accounts within the project, not Google personnel. Where explicit prior authorization is required, Access Approval adds an approve-or-deny step before such access happens.

VPC Flow Logs record network flows. Cloud Logging is the general platform that stores these logs, but it contains no record of Google personnel access unless Access Transparency is enabled.
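Both question 29 (auditing CMEK key use through Data Access logs) and question 36 (Access Transparency) end up as the same operational task: reading exported log entries and picking out the ones that need a human. Here is an added example that is not part of the original page, written in plain Python over newline-delimited JSON as a Cloud Logging sink would export it. Field names follow the Cloud Audit Logs AuditLog payload and the Access Transparency payload as documented; the sample entries are constructed rather than real exports, and the allow-list of expected KMS callers is an assumption for the example.

```python
"""Review key use and Google-personnel access from exported log entries.

Added example, not from the original page. Entries are constructed samples in
the shape of Cloud Audit Logs (AuditLog) and Access Transparency (TransparencyLog)
payloads; the allow-list of expected KMS callers is an assumption.
"""
import json
from typing import Iterable, Iterator

DATA_ACCESS = "cloudaudit.googleapis.com%2Fdata_access"
ACCESS_TRANSPARENCY = "cloudaudit.googleapis.com%2Faccess_transparency"

# With CMEK on a bucket, the Cloud Storage service agent calls Decrypt on the
# key, not the application; anything else using the key deserves a look.
EXPECTED_KMS_CALLERS = {"service-123456789012@gs-project-accounts.iam.gserviceaccount.com"}
KMS_CRYPTO_METHODS = {"Encrypt", "Decrypt", "AsymmetricDecrypt", "AsymmetricSign"}


def _entry(log: str, payload: dict, ts: str) -> str:
    return json.dumps({"logName": f"projects/example-project/logs/{log}",
                       "timestamp": ts, "protoPayload": payload})


KEY = "projects/example-project/locations/us/keyRings/kr/cryptoKeys/bucket-cmek/cryptoKeyVersions/2"

# Constructed sample export: one JSON LogEntry per line.
SAMPLE_LOG_LINES = [
    _entry(DATA_ACCESS, {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "cloudkms.googleapis.com", "methodName": "Decrypt",
        "authenticationInfo": {"principalEmail": "service-123456789012@gs-project-accounts.iam.gserviceaccount.com"},
        "resourceName": KEY}, "2024-05-01T10:00:00Z"),
    _entry(DATA_ACCESS, {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "cloudkms.googleapis.com", "methodName": "Decrypt",
        "authenticationInfo": {"principalEmail": "contractor@example.com"},
        "resourceName": KEY}, "2024-05-01T10:05:00Z"),
    _entry(DATA_ACCESS, {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "storage.googleapis.com", "methodName": "storage.objects.get",
        "authenticationInfo": {"principalEmail": "contractor@example.com"},
        "resourceName": "projects/_/buckets/sensitive-bucket/objects/report.csv"}, "2024-05-01T10:06:00Z"),
    _entry(ACCESS_TRANSPARENCY, {
        "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
        "resourceName": "projects/example-project/buckets/sensitive-bucket",
        "accesses": [{"reasons": [{"type": "CUSTOMER_INITIATED_SUPPORT", "detail": "Case number: 12345678"}],
                      "principalOfficeCountry": "US"}]}, "2024-05-02T09:00:00Z"),
    _entry(ACCESS_TRANSPARENCY, {
        "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
        "resourceName": "projects/example-project/buckets/sensitive-bucket",
        "accesses": [{"reasons": [{"type": "GOOGLE_INITIATED_SERVICE", "detail": "Production reliability investigation"}],
                      "principalOfficeCountry": "IE"}]}, "2024-05-02T11:30:00Z"),
]


def iter_entries(lines: Iterable[str], log_suffix: str) -> Iterator[dict]:
    """Yield parsed entries whose logName ends with the wanted log id."""
    for line in lines:
        entry = json.loads(line)
        if entry.get("logName", "").endswith(log_suffix):
            yield entry


def unexpected_key_use(lines: Iterable[str], expected=EXPECTED_KMS_CALLERS) -> list[tuple[str, str, str]]:
    """KMS cryptographic operations by principals outside the allow-list (question 29)."""
    hits = []
    for entry in iter_entries(lines, DATA_ACCESS):
        p = entry["protoPayload"]
        if p.get("serviceName") != "cloudkms.googleapis.com" or p.get("methodName") not in KMS_CRYPTO_METHODS:
            continue
        caller = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        if caller not in expected:
            hits.append((entry["timestamp"], caller, p["resourceName"]))
    return hits


def google_access_without_case(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Access Transparency entries not tied to a customer-initiated support case (question 36)."""
    hits = []
    for entry in iter_entries(lines, ACCESS_TRANSPARENCY):
        p = entry["protoPayload"]
        for access in p.get("accesses", []):
            types = {r.get("type") for r in access.get("reasons", [])}
            if "CUSTOMER_INITIATED_SUPPORT" not in types:
                hits.append((entry["timestamp"], ", ".join(sorted(types)), p.get("resourceName", "")))
    return hits
```

On the sample, unexpected_key_use returns the single Decrypt by contractor@example.com and google_access_without_case returns the GOOGLE_INITIATED_SERVICE access. Neither detection fires if the source logs are missing: Data Access audit logs for Cloud KMS must be enabled in the project's audit configuration, and Access Transparency must be enabled at the organization level, so check both before trusting a quiet dashboard.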

37
MCQ · easy

A company wants to replace its VPN-based remote access with a solution that grants access based on user identity, device security status, and context (e.g., location, IP). Which Google Cloud service should they use?

A.BeyondCorp Enterprise
B.Cloud Armor
C.Identity-Aware Proxy (IAP)
D.Cloud VPN
Answer: A

BeyondCorp Enterprise is Google's zero-trust solution that replaces VPN with identity- and context-aware access.

Why this answer

BeyondCorp Enterprise provides zero-trust remote access without a VPN, using identity and context-aware access policies.

38
MCQ · hard

A security engineer needs to analyze network traffic for malicious payloads and anomalies in real-time across multiple VPC networks in a project. The solution must be managed and not require deploying third-party appliances. Which service should they use?

A.Security Command Center
B.Cloud Armor
C.Cloud IDS
D.VPC Flow Logs
Answer: C

Cloud IDS is a managed intrusion detection service that analyzes mirrored traffic payloads for threats.

Why this answer

Cloud IDS deploys managed IDS endpoints per region and uses VPC packet mirroring to feed them a copy of the traffic from the selected subnets, instances or network tags, so it sees full payloads across VPC networks with no appliance to run. It is detection only: findings go to Cloud Logging and Security Command Center, and blocking has to be done elsewhere (firewall policies or Cloud Armor). VPC Flow Logs record flow metadata only, Cloud Armor covers web traffic at the load balancer, and Security Command Center consumes the findings rather than inspecting packets.

39
MCQ · hard

An administrator wants to enforce that all API calls to a specific Cloud Storage bucket must come from a limited range of IP addresses. Which configuration should they use?

A.Cloud Armor security policy
B.Identity-Aware Proxy (IAP)
C.VPC Service Controls with an access level that includes the IP range
D.VPC firewall rules
Answer: C

VPC Service Controls can restrict API access by request context, including the source IP address.

Why this answer

Access levels are defined in Access Context Manager; a basic access level can list allowed CIDR ranges (ipSubnetworks) and can also require a device policy or specific principals. Referencing the access level from a perimeter ingress rule, or as one of the perimeter's access levels, makes Cloud Storage reject API calls to the bucket from any other address even when the caller has IAM permission. IAP authenticates users in front of applications, and Cloud Armor applies to HTTP(S) load balancer traffic.

Firewall rules apply to packets between VM interfaces, not to API calls to Cloud Storage.
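Questions 12, 32 and 39 all come down to writing an ingress rule (and, for 39, an access level) correctly, and the common failure is a rule so broad that it quietly cancels the perimeter. Here is an added example that is not part of the original page: Python that builds the rule and access level documents in the shape gcloud access-context-manager accepts for --set-ingress-policies and access-levels create, plus a lint pass over them. The access policy id, project numbers, network name and service account are placeholders, the VPC-network source resource form is as I understand the documentation, and the lint checks are this example's own rules of thumb rather than anything the product enforces.

```python
"""Build and sanity-check VPC Service Controls ingress rules and access levels.

Added example, not from the original page. Shapes mirror the ingress policy
and basic access level documents accepted by gcloud access-context-manager;
ids and names below are placeholders and the lint rules are our own.
"""
from typing import Any

POLICY = "accessPolicies/123456789012"          # placeholder access policy
OPEN_IDENTITY_TYPES = ("ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT")


def ip_access_level(name: str, cidrs: list[str]) -> dict[str, Any]:
    """Basic access level matching requests from fixed IP ranges (question 39)."""
    return {
        "name": f"{POLICY}/accessLevels/{name}",
        "title": name,
        "basic": {"conditions": [{"ipSubnetworks": cidrs}]},
    }


def bigquery_from_vms_rule(network_project: str, network: str,
                           service_accounts: list[str], target_project_number: str) -> dict[str, Any]:
    """Ingress rule: named VM service accounts on one VPC may call BigQuery (questions 12 and 32)."""
    return {
        "ingressFrom": {
            "identities": [f"serviceAccount:{sa}" for sa in service_accounts],
            "sources": [{"resource": f"//compute.googleapis.com/projects/{network_project}"
                                     f"/global/networks/{network}"}],
        },
        "ingressTo": {
            "operations": [{"serviceName": "bigquery.googleapis.com",
                            "methodSelectors": [{"method": "*"}]}],
            "resources": [f"projects/{target_project_number}"],
        },
    }


def storage_from_ip_rule(level_name: str, target_project_number: str) -> dict[str, Any]:
    """Ingress rule: any identity, but only from the access level's IP ranges (question 39)."""
    return {
        "ingressFrom": {
            "identityType": "ANY_IDENTITY",
            "sources": [{"accessLevel": f"{POLICY}/accessLevels/{level_name}"}],
        },
        "ingressTo": {
            "operations": [{"serviceName": "storage.googleapis.com",
                            "methodSelectors": [{"method": "*"}]}],
            "resources": [f"projects/{target_project_number}"],
        },
    }


def lint_ingress_rule(rule: dict[str, Any]) -> list[str]:
    """Flag combinations that make the perimeter ineffective for the listed services."""
    findings: list[str] = []
    src = rule.get("ingressFrom", {})
    dst = rule.get("ingressTo", {})
    sources = src.get("sources", [])
    wildcard_sources = [s for s in sources if "*" in (s.get("accessLevel"), s.get("resource"))]
    unrestricted = not sources or bool(wildcard_sources)
    if not src.get("identities") and src.get("identityType") not in OPEN_IDENTITY_TYPES:
        findings.append("ingressFrom names no identities and no identityType")
    if unrestricted:
        findings.append("ingressFrom source is missing or a wildcard: any network or access level can call in")
    if src.get("identityType") == "ANY_IDENTITY" and unrestricted:
        findings.append("ANY_IDENTITY from an unrestricted source: the rule cancels the perimeter for these services")
    if any(op.get("serviceName") == "*" for op in dst.get("operations", [])):
        findings.append("ingressTo allows every service")
    if "*" in dst.get("resources", []):
        findings.append("ingressTo applies to every project in the perimeter")
    return findings
```

Running lint_ingress_rule over the two builders returns no findings; a rule with identityType ANY_IDENTITY, a source of accessLevel "*" and ingressTo of serviceName "*" and resources ["*"] returns four. A check like this belongs in the pipeline that applies perimeter changes, because VPC Service Controls will accept the permissive rule without complaint; dry-run mode on the perimeter is the other safety net before enforcing.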

40
Multi-Select · medium

A company wants to protect sensitive data stored in Cloud Storage from being downloaded by users outside their organization. They also need to prevent data from being copied to external projects. Which TWO services should they use? (Choose two.)

Select 2 answers
A.IAM conditions with access levels
B.Cloud DLP
C.VPC Service Controls
D.Cloud KMS
E.Cloud Armor
Answers: A, C

IAM conditions with access levels restrict access to authorized users (for example, those from your domain coming from an approved context).

Why this answer

VPC Service Controls creates a perimeter around the Cloud Storage buckets so that data cannot be copied to projects or networks outside it. IAM conditions, combined with Access Context Manager access levels, restrict which identities can read the data and under what context, but alone they cannot stop an authorized user from copying objects to an external project. Cloud DLP can discover and redact sensitive data but does not prevent exfiltration.

Cloud Armor is for HTTP(S) traffic at the load balancer. Cloud KMS encrypts data but does not control who can access it.

41
MCQ · easy

Which defense-in-depth layer includes measures like access controls, vulnerability management, and intrusion detection systems?

A.Data security
B.Physical security
C.Operational security
D.Infrastructure security
Answer: C

Operational security includes access management, vulnerability management, and monitoring.

Why this answer

Operational security involves the policies and procedures to protect data and systems during operation, including access controls, vulnerability scanning, and intrusion detection. Physical security covers hardware and facilities; infrastructure security covers network and platform; data security covers encryption and data loss prevention.

42
Multi-Select · medium

A company needs to encrypt data at rest using keys that they manage, but they want to reduce operational overhead by having Google Cloud host the key management infrastructure. Which TWO options achieve this? (Choose 2)

Select 2 answers
A.Secret Manager
B.Google-managed encryption keys
C.Customer-supplied encryption keys (CSEK)
D.Cloud HSM
E.Customer-managed encryption keys (CMEK)
Answers: D, E

Cloud HSM is a Google-hosted HSM protection level for Cloud KMS keys and can back CMEK.

Why this answer

CMEK means the customer owns and manages the key in Cloud KMS while Google hosts the key management infrastructure. Cloud HSM is not a separate key service: it is the HSM protection level in Cloud KMS, so keys created with it live and operate inside FIPS 140-2 Level 3 validated HSMs that Google runs, and they are used as CMEK in exactly the same way. CSEK requires the customer to generate, store and supply keys outside Google. Google-managed keys are not customer-managed. Secret Manager stores secrets, not encryption keys for data at rest.

43
MCQ · easy

What is the primary purpose of VPC Service Controls?

A.To control ingress and egress traffic at the network level
B.To detect network intrusions
C.To prevent data exfiltration from Google Cloud services
D.To protect against DDoS attacks
Answer: C

VPC Service Controls create perimeters around services to reduce the risk of data theft.

Why this answer

VPC Service Controls create perimeters around Google Cloud services to prevent data exfiltration. VPC firewall rules control network traffic. Cloud Armor is for DDoS.

Cloud IDS is for intrusion detection.

44
MCQ · hard

A security administrator needs to ensure that Google personnel do not access customer data without explicit authorization. Which service should they use to get logs of Google employee access?

A.Access Transparency
B.Cloud Audit Logs
C.Security Command Center
D.Assured Workloads
Answer: A

Access Transparency logs Google personnel access to customer data.

Why this answer

Access Transparency provides logs of Google personnel actions on customer content, with the reason for each access. If the requirement is that such access must not happen without explicit customer authorization, Access Approval is the companion service that holds the access until it is approved; Access Transparency is what provides the logs the question asks for. Cloud Audit Logs track the customer's own users' activity within the project. Assured Workloads is for regulatory compliance controls.

Security Command Center is for threat and vulnerability findings.

45
Multi-Select · hard

A company wants to implement the principle of least privilege for a team of developers who need to deploy applications on Compute Engine and monitor logs. Which THREE IAM roles should be granted? (Choose 3)

Select 3 answers
A.roles/iam.serviceAccountUser
B.roles/compute.networkAdmin
C.roles/logging.viewer
D.roles/compute.instanceAdmin
E.roles/compute.admin
Answers: A, C, D

roles/iam.serviceAccountUser lets developers run instances as a service account.

Why this answer

roles/compute.instanceAdmin (use the roles/compute.instanceAdmin.v1 form in current projects) provides instance lifecycle permissions without network administration. roles/logging.viewer provides read access to logs. roles/iam.serviceAccountUser is required to attach a service account to an instance, because the instance then acts as that service account; grant it on the specific service account rather than on the project, otherwise the developer can run code as every service account in it. roles/compute.networkAdmin is broader than developers deploying applications need, and roles/compute.admin is full control of Compute Engine, which violates least privilege.

46
MCQ · easy

A small startup wants to protect its web application from common attacks like SQL injection and cross-site scripting (XSS). They also need DDoS protection. Which Google Cloud security service should they use?

A.Security Command Center
B.Cloud IDS
C.reCAPTCHA Enterprise
D.Cloud Armor
Answer: D

Cloud Armor includes WAF and DDoS protection.

Why this answer

Cloud Armor provides web application firewall (WAF) rules to block SQL injection and XSS, plus DDoS protection.

47
Multi-Select · hard

A security team needs to implement a zero-trust architecture for a web application that is accessed by both internal employees and external partners. They require context-aware access that checks device posture and identity. Which THREE components should they use? (Choose three.)

Select 3 answers
A. Identity-Aware Proxy (IAP)
B. VPC firewall rules
C. Access levels (context-aware conditions)
D. BeyondCorp Enterprise
E. Cloud Armor
Answers: A, C, D

IAP enforces access based on identity and context.

Why this answer

BeyondCorp Enterprise provides the zero-trust framework, including device and identity verification. Identity-Aware Proxy (IAP) is a key component that enforces access based on context. Access levels in IAP define conditions (e.g., device posture, IP range) that must be met for access.

Cloud Armor is for DDoS/WAF, not context-aware access. VPC firewall rules are network-level, not user-level. Chronicle is a SIEM.

48
MCQ · easy

Which Google Cloud service provides a fully managed SIEM solution for log analysis, threat detection, and incident response?

A. Chronicle
B. Security Command Center
C. Operations Suite
D. Cloud Logging
Answer: A

Chronicle is Google Cloud's SIEM platform for log analysis and threat detection.

Why this answer

Chronicle is Google's SIEM offering that ingests logs and telemetry for security analytics.

49
MCQ · easy

Which Google Cloud security layer is responsible for protecting data stored on disk using either Google-managed or customer-managed encryption keys?

A. Operational security
B. Infrastructure security
C. Data security
D. Hardware security
Answer: C

Data security includes encryption at rest, encryption in transit, and data loss prevention.

Why this answer

Data encryption at rest is a core component of data security, ensuring data stored on disk is encrypted. Google Cloud encrypts all data at rest by default using Google-managed keys, with options for CMEK and CSEK.

50
MCQ · medium

An organization wants to enforce that all data stored in Cloud Storage buckets is encrypted with a key that they control and rotate periodically. They also need to audit key usage. Which approach should they take?

A. Use Customer-Supplied Encryption Keys (CSEK)
B. Use Customer-Managed Encryption Keys (CMEK) with Cloud KMS
C. Use default Google-managed encryption keys
D. Use Cloud External Key Manager (Cloud EKM)
Answer: B

CMEK allows customers to manage keys in Cloud KMS, rotate them, and audit usage.

Why this answer

Customer-Managed Encryption Keys (CMEK) via Cloud KMS allow customers to control and rotate keys and audit usage via Cloud Audit Logs.

51
Multi-Select · hard

A large enterprise wants to enforce the principle of least privilege for its cloud resources. The security team needs to audit all IAM policy changes across the organization and ensure that custom roles are used where predefined roles are too permissive. Which three Google Cloud services or features should be combined to achieve this? (Choose three.)

Select 3 answers
A. IAM Recommender
B. Cloud Key Management Service
C. Cloud Audit Logs
D. Organization Policies
E. Security Command Center
Answers: A, C, D

IAM Recommender analyzes usage and suggests least-privilege roles, helping to reduce over-privileged access.

Why this answer

Cloud Audit Logs track IAM policy changes. Organization policies can enforce constraints like restricting the use of predefined roles. IAM Recommender provides recommendations to reduce permissions.

Cloud Asset Inventory can also be used for IAM policy auditing. Security Command Center is for threat detection, not IAM auditing. Policy Analyzer helps understand access, but the combination of Audit Logs, Organization Policies, and IAM Recommender is most direct.

52
MCQ · medium

A company wants to scan its Cloud Storage buckets for sensitive data like credit card numbers and social security numbers. Which service should they use?

A. Security Command Center
B. Sensitive Data Protection
C. reCAPTCHA Enterprise
D. Web Risk API
Answer: B

Sensitive Data Protection (DLP API) can discover and classify sensitive data.

Why this answer

Sensitive Data Protection (DLP API) is used to inspect and de-identify sensitive data. Security Command Center is for vulnerabilities. Web Risk API checks URLs against threat lists. reCAPTCHA is for bot protection.

53
Multi-Select · medium

A company wants to store encryption keys for encrypting data at rest in Cloud Storage, and also needs to automatically rotate the keys every 30 days. Additionally, they require an audit log of key usage. Which TWO services should they use? (Choose two.)

Select 2 answers
A. Cloud HSM
B. Secret Manager
C. Cloud KMS
D. Cloud Audit Logs
E. Cloud Storage
Answers: C, D

Cloud KMS manages keys and supports automatic rotation.

Why this answer

Cloud KMS allows creating and managing keys with automatic rotation (via rotation period). Cloud Audit Logs can be configured to log every use of the key (Data Access audit logs). Secret Manager is for secrets, not encryption keys.

Cloud HSM provides hardware-backed keys but is part of Cloud KMS. Cloud Storage itself does not manage key rotation.

54
MCQ · medium

A company uses Cloud Storage to store sensitive data. They want to enforce that all objects uploaded are encrypted with a customer-managed key that they can rotate and control. What should they configure?

A. Use customer-supplied encryption keys (CSEK) for each upload.
B. Use Cloud HSM to generate a key and import it to Cloud KMS.
C. Set default encryption on the bucket to use a CMEK key from Cloud KMS.
D. Enable default encryption with a Google-managed key.
Answer: C

CMEK uses customer-managed keys in Cloud KMS.

Why this answer

Customer-Managed Encryption Keys (CMEK) allow customers to manage their own keys using Cloud KMS.

55
Multi-Select · hard

An organization needs to ensure that data stored in Cloud Storage is encrypted at rest using keys that are rotated every 30 days. They also need to audit who accesses the keys and when. Which THREE services should they use? (Choose 3)

Select 3 answers
A. Cloud HSM
B. Cloud Audit Logs
C. Secret Manager
D. Cloud Storage
E. Cloud KMS
Answers: B, D, E

Logs key access events.

Why this answer

Cloud KMS manages key rotation. Cloud Audit Logs record key access. Cloud Storage stores the data.

Cloud HSM can be used but is not required for the scenario.

56
Multi-Select · medium

A company wants to ensure data encryption at rest using customer-managed keys for Cloud SQL and Cloud Storage. Which TWO actions must they take? (Choose 2)

Select 2 answers
A. Create a key ring and cryptographic key in Cloud KMS
B. Grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the service accounts
C. Enable CMEK in the project settings
D. Configure Cloud SQL and Cloud Storage to use the CMEK key
E. Upload a custom key to Cloud HSM
Answers: A, D

Keys must be created in Cloud KMS before use.

Why this answer

Create a key ring and key in Cloud KMS, then configure each service to use that key (CMEK).

57
MCQ · medium

A company wants to ensure that only API calls from within a specific VPC can access their Cloud Storage buckets, even if the bucket is public. Which Google Cloud feature should they use?

A. VPC firewall rules
B. Cloud Armor
C. IAM conditions
D. VPC Service Controls
Answer: D

VPC Service Controls enable API perimeters to restrict access to services like Cloud Storage.

Why this answer

VPC Service Controls allow creating perimeters that restrict access to Google Cloud services to trusted VPCs and IP ranges.

58
Multi-Select · medium

A financial services company needs to restrict access to its Cloud Storage buckets containing sensitive customer data. The company wants to prevent data exfiltration by ensuring that only authorized VMs in specific VPCs can access the buckets, and that data cannot be copied to unauthorized locations. Which two Google Cloud services should be used together? (Choose two.)

Select 2 answers
A. VPC Service Controls
B. Private Google Access
C. Cloud Armor
D. Identity-Aware Proxy (IAP)
E. Cloud NAT
Answers: A, B

VPC Service Controls allow you to define perimeters that restrict access to Cloud Storage to authorized VPCs.

Why this answer

VPC Service Controls create perimeters around Google Cloud resources like Cloud Storage, preventing data exfiltration to unauthorized networks. Cloud Armor provides DDoS protection and WAF capabilities but does not restrict data access. Cloud NAT is for outbound connectivity, not data exfiltration prevention.

Identity-Aware Proxy (IAP) is for application-level access, not storage-level restrictions.

59
MCQ · hard

A company has a requirement to rotate encryption keys every 90 days. They are using Cloud KMS to manage keys for Cloud Storage. What is the correct way to achieve key rotation with minimal impact to existing encrypted objects?

A. Manually rotate the key every 90 days by generating a new key version.
B. Enable automatic rotation on the key with a 90-day period.
C. Use Cloud HSM to generate a new key and update the bucket default encryption.
D. Create a new key and re-encrypt all existing objects using the new key.
Answer: B

Automatic rotation creates new key versions; old data remains accessible.

Why this answer

Cloud KMS supports automatic rotation based on a schedule. When a key is rotated, a new version is created, and new data is encrypted with the new version while old data remains decryptable with the old version.

60
MCQ · easy

Which IAM concept defines what actions a user can perform on a resource?

A. Permissions
B. Authentication
C. Authorization
D. Roles
Answer: C

Authorization determines what actions are permitted.

Why this answer

Authorization defines what actions are allowed. Authentication verifies identity. Roles and permissions are part of authorization.

The question asks for the concept that defines actions.

61
MCQ · easy

A company needs to audit all actions performed by administrators on their Google Cloud project, including who accessed what resource and when. Which logging feature should they enable?

A. Cloud Monitoring
B. Access Transparency
C. VPC Flow Logs
D. Cloud Audit Logs
Answer: D

Audit logs provide a record of who did what and when.

Why this answer

Cloud Audit Logs record admin activity, data access, and system events for compliance and auditing.

62
Multi-Select · medium

A security team needs to implement the principle of least privilege for a group of data scientists who only need to query BigQuery datasets, but not modify or delete them. Which THREE IAM roles should be granted? (Choose 3)

Select 3 answers
A. roles/bigquery.dataEditor
B. roles/bigquery.dataViewer
C. roles/bigquery.admin
D. roles/bigquery.user
E. roles/bigquery.jobUser
Answers: B, D, E

Allows viewing dataset metadata and querying data.

Why this answer

BigQuery Data Viewer allows querying datasets. BigQuery Job User allows running jobs. BigQuery User is a broader role that includes querying but also other permissions.

The combination of these allows read-only querying.

63
MCQ · hard

A DevOps engineer needs to grant a CI/CD pipeline (running on Compute Engine) permissions to deploy a Cloud Run service. The pipeline uses a service account. What is the correct approach to assign the necessary IAM role to the service account?

A. Create a new service account, grant the Cloud Run Deployer role, and export a key file to the instance
B. Grant the Cloud Run Deployer role to the Compute Engine default service account
C. Use the Cloud Run service agent with the roles/run.serviceAgent role
D. Grant the Cloud Run Admin role to the user account running the pipeline
Answer: B

Attach a service account to the instance and grant it the Cloud Run Deployer role to allow deployment.

Why this answer

The best practice is to attach the service account to the Compute Engine instance and grant the Cloud Run Deployer role to that service account.

64
MCQ · medium

An organization wants to detect and respond to threats across their GCP environment, including finding misconfigurations, vulnerabilities, and potential malicious activity. Which service provides a unified view of security findings?

A. Mandiant
B. Chronicle
C. Cloud Audit Logs
D. Security Command Center
Answer: D

Security Command Center provides a unified view of security findings across GCP.

Why this answer

Security Command Center is a central dashboard for security findings including vulnerabilities, misconfigurations, and threats.

65
MCQ · easy

Which Google Cloud service provides threat intelligence and incident response capabilities, including access to Mandiant expertise?

A. Security Command Center
B. Chronicle
C. Mandiant
D. Cloud IDS
Answer: C

Mandiant offers threat intelligence and incident response services, including expert consulting.

Why this answer

Mandiant is Google Cloud's threat intelligence and incident response service. Security Command Center provides vulnerability scanning but not Mandiant expertise. Chronicle is a SIEM.

Cloud IDS is network intrusion detection.

66
MCQ · medium

A company wants to detect and prioritize vulnerabilities in their Compute Engine VMs and GKE clusters. They also need a centralized view of security findings across their organization. Which service should they use?

A. Cloud IDS
B. Web Risk API
C. Security Command Center
D. Chronicle
Answer: C

SCC provides vulnerability scanning and centralized security management.

Why this answer

Security Command Center (SCC) is the central vulnerability and threat detection service for GCP. It finds misconfigurations, vulnerabilities, and threats across services like Compute Engine and GKE, and provides a dashboard for prioritization. Chronicle is a SIEM for log analysis, not vulnerability scanning.

Cloud IDS is for network intrusion detection. Web Risk API is for checking URLs against threat lists.

67
MCQ · easy

Which layer of Google's defence-in-depth security model includes the use of TLS for data in transit?

A. Data security
B. Operational security
C. Deployment security
D. Physical security
Answer: A

Data security includes encryption in transit (TLS) and at rest.

Why this answer

Data security covers encryption of data at rest and in transit. Physical security is about data centers. Operational security covers processes.

Deployment security is about secure infrastructure deployment.

68
Multi-Select · medium

A security team needs to detect and respond to threats across their Google Cloud environment. Which THREE services should they use together? (Choose 3)

Select 3 answers
A. Mandiant
B. Cloud Logging
C. Cloud Armor
D. Security Command Center
E. Chronicle
Answers: A, D, E

Threat intelligence and incident response capabilities.

Why this answer

Security Command Center for vulnerability scanning and threat detection, Chronicle for SIEM and incident response, and Mandiant for threat intelligence and forensic investigation.

69
MCQ · easy

A company wants to enforce the principle of least privilege by granting a service account only the permissions necessary to publish messages to a specific Pub/Sub topic. Which IAM approach should they use?

A. Grant the roles/editor role to the service account at the project level
B. Grant the roles/pubsub.subscriber role to the service account at the topic level
C. Grant the roles/pubsub.publisher role to the service account at the topic level
D. Grant the roles/pubsub.publisher role to the service account at the project level
Answer: C

This restricts the permission to only the specified topic.

Why this answer

IAM allows granting roles at specific resource levels. To grant only publish permission on a specific topic, you should add the service account as a member and assign the Pub/Sub Publisher role (roles/pubsub.publisher) directly on that topic. Granting the role at the project level would give too broad access.

Using a custom role with only the required permission is also correct but more complex; however, the simplest correct approach among the options is to assign a predefined role at the topic level.

70
MCQ · medium

An engineer needs to store database passwords and API keys securely. The secrets must be encrypted at rest with a customer-managed key and automatically rotated every 90 days. Which service should they use?

A. Cloud Secret Manager
B. Cloud KMS
C. Datastore
D. Cloud Storage with encryption
Answer: A

Secret Manager stores secrets, supports rotation, and can use CMEK via Cloud KMS.

Why this answer

Secret Manager is designed for storing secrets like API keys and passwords, with built-in rotation and integration with Cloud KMS for CMEK.

71
MCQ · medium

An organization needs to protect a web application hosted on Google Cloud from DDoS attacks and SQL injection attempts. They want a managed security service that integrates with Cloud Load Balancing. Which service should they use?

A. Cloud IDS
B. reCAPTCHA Enterprise
C. Cloud Armor
D. VPC firewall rules
Answer: C

Cloud Armor provides DDoS protection and WAF capabilities.

Why this answer

Cloud Armor is Google's managed DDoS protection and Web Application Firewall (WAF) service. It integrates with Cloud Load Balancing to filter traffic based on IP, geo, and HTTP headers, and includes preconfigured rules (e.g., OWASP) to block SQL injection. Cloud IDS is for network intrusion detection. reCAPTCHA Enterprise is for bot detection.

VPC firewall rules are for network-level access control.

72
MCQ · easy

Which principle states that a user should be granted only the permissions necessary to perform their job functions?

A. Principle of least privilege
B. Defence in depth
C. Separation of duties
D. Zero trust
Answer: A

Least privilege means giving only the permissions needed to perform a job.

Why this answer

The principle of least privilege is the security concept of granting minimal required permissions. Separation of duties divides tasks among multiple people. Zero trust is a broader security model.

Defence in depth is layered security.

73
Multi-Select · hard

A security team needs to detect and respond to threats across their cloud environment. Which THREE services should they use together? (Choose 3)

Select 3 answers
A. Security Command Center
B. Cloud IDS
C. Cloud Audit Logs
D. Mandiant
E. Chronicle
Answers: A, D, E

SCC provides visibility into vulnerabilities and threats.

Why this answer

Security Command Center provides vulnerability and threat detection. Chronicle is a SIEM for log analysis and threat detection. Mandiant offers threat intelligence and incident response.

Cloud IDS is network-based. Cloud Audit Logs are for auditing, not detection.

74
MCQ · hard

A security team wants to be alerted when Google Cloud personnel access their customer data. They need logs that show the reason for access and what data was accessed. Which service provides this?

A. Cloud Audit Logs
B. Access Transparency
C. Security Command Center
D. Cloud Logging
Answer: B

Access Transparency logs show actions taken by Google personnel on customer data.

Why this answer

Access Transparency logs provide detailed records of Google personnel access to customer data, including reason and scope.

75
MCQ · easy

A security engineer wants to ensure that Google personnel cannot access customer data stored in Cloud Storage without explicit customer approval. Which Google Cloud feature should be enabled?

A. Access Transparency
B. Data Loss Prevention API
C. VPC Service Controls
D. Cloud Audit Logs
Answer: A

Access Transparency is designed to log and provide transparency into Google personnel access to customer data.

Why this answer

Access Transparency logs provide detailed records of actions taken by Google personnel on customer data, enabling customers to monitor and approve such access.
