CCNA Trust and security with Google Cloud Questions

75 of 101 questions · Page 1/2 · Trust and security with Google Cloud

Question 1 · MCQ · easy

A startup is building a web application and wants to protect it from common web attacks like SQL injection and cross-site scripting. Which Google Cloud product provides web application firewall (WAF) capabilities?

A. Cloud Firewall, which controls network-level traffic based on IP and port rules
B. Cloud Armor, which provides WAF rules to detect and block SQL injection, XSS, and other OWASP Top 10 attacks
C. VPC Service Controls, which prevent data exfiltration from Google Cloud services
D. Security Command Center, which detects security misconfigurations across Google Cloud resources

Answer: B

Cloud Armor is Google Cloud's WAF. It includes preconfigured rule sets for OWASP Top 10 vulnerabilities including SQL injection and XSS, and operates at the application layer (Layer 7) where it can inspect HTTP requests. It also provides DDoS protection.

Why this answer

Cloud Armor is Google Cloud's web application firewall (WAF) service that provides pre-configured rules to detect and block common web attacks, including SQL injection and cross-site scripting (XSS), as well as other OWASP Top 10 threats. It integrates with Cloud Load Balancing and allows you to create custom security policies with rate limiting, IP allow/deny lists, and managed rule sets. This makes it the correct choice for protecting a web application at the application layer.

Exam trap

The trap here is confusing network-layer firewalls (Cloud Firewall) with application-layer WAFs (Cloud Armor), leading candidates to choose Option A because both contain 'Firewall' in the name, but they operate at completely different layers of the OSI model.

How to eliminate wrong answers

Option A is wrong because Cloud Firewall operates at the network layer (Layer 3/4) controlling traffic based on IP addresses, ports, and protocols, and does not inspect application-layer payloads for SQL injection or XSS. Option C is wrong because VPC Service Controls are designed to prevent data exfiltration by creating perimeters around Google Cloud services, not to inspect HTTP/HTTPS traffic for web attacks. Option D is wrong because Security Command Center is a security management and vulnerability detection platform that identifies misconfigurations and threats across resources, but it does not provide inline WAF rule enforcement to block malicious requests in real time.

Question 2 · MCQ · hard

A company is moving a regulated workload to Google Cloud and must ensure that their encryption keys are stored in a hardware security module (HSM) that meets FIPS 140-2 Level 3 validation. Which Google Cloud key management option satisfies this requirement?

A. Cloud KMS software-backed keys, which are managed by Google and stored in Google's secure key management infrastructure
B. Customer-supplied encryption keys (CSEK), where the customer provides the key with each API request
C. Cloud HSM, which stores and manages keys in FIPS 140-2 Level 3 validated hardware security modules
D. Secret Manager, which stores API keys and credentials with automatic rotation

Answer: C

Cloud HSM specifically addresses the FIPS 140-2 Level 3 requirement. Keys generated and stored in Cloud HSM never leave the HSM in plaintext form, and all cryptographic operations occur within the certified hardware. This is the correct answer for workloads requiring hardware-backed key storage at the highest FIPS level.

Why this answer

Cloud HSM is the correct choice because it provides a dedicated HSM service that stores and manages encryption keys in FIPS 140-2 Level 3 validated hardware security modules. This directly meets the regulatory requirement for a hardware security module with that specific validation level, as opposed to software-backed or customer-supplied key options.

Exam trap

The trap here is that candidates often confuse Cloud KMS software-backed keys (which are FIPS 140-2 Level 1) with Cloud HSM (Level 3), or they assume that any Google-managed key service automatically meets high-level FIPS validation, ignoring the specific Level 3 requirement for hardware-based protection.

How to eliminate wrong answers

Option A is wrong because Cloud KMS software-backed keys are stored in Google's secure key management infrastructure but are not backed by a dedicated HSM, and they do not meet FIPS 140-2 Level 3 validation (they meet Level 1). Option B is wrong because Customer-Supplied Encryption Keys (CSEK) are provided by the customer with each API request and are not stored in a Google-managed HSM; they are used for client-side encryption and do not satisfy the requirement for HSM-based key storage. Option D is wrong because Secret Manager is designed for storing secrets like API keys and passwords, not for managing encryption keys in an HSM, and it does not provide FIPS 140-2 Level 3 validated hardware security modules.

Question 3 · MCQ · medium

An enterprise's security team is implementing a strategy to protect against 'credential stuffing' attacks — where attackers use lists of username/password combinations from previous data breaches to try to log in to the company's applications. Which authentication control most effectively mitigates this threat?

A. Requiring longer, more complex passwords to make credentials harder to guess
B. Multi-Factor Authentication (MFA/2SV), which requires a second verification factor beyond the password that attackers don't have even when they possess the stolen credentials
C. Encrypting passwords in the company's database using bcrypt to prevent the stolen passwords from being usable
D. Implementing HTTPS on the login page to prevent credentials from being intercepted in transit

Answer: B

MFA is the definitive defense against credential stuffing. The stolen credentials work for the first factor (password), but the attack fails at the second factor (authenticator app TOTP, push notification, hardware security key). Attackers would need both the credentials AND access to the user's second factor device — a much higher bar.

Why this answer

Multi-Factor Authentication (MFA/2SV) is the most effective control against credential stuffing because it requires an additional verification factor (e.g., a one-time code from an authenticator app, a hardware token, or a biometric) that the attacker does not possess, even if they have valid username/password pairs from a breach. This renders the stolen credentials useless for authentication, as the attacker cannot complete the second factor challenge. In Google Cloud, this is commonly enforced via Identity Platform or Cloud Identity with security keys or TOTP.

Exam trap

Cisco often tests the misconception that password hashing (like bcrypt) or encryption protects against credential stuffing, but candidates must recognize that the attacker already has the plaintext passwords from a prior breach, so hashing the database is irrelevant to this attack vector.

How to eliminate wrong answers

Option A is wrong because requiring longer, more complex passwords does not prevent credential stuffing; attackers already have the exact passwords from breaches, so complexity does not stop them from using those stolen credentials. Option C is wrong because encrypting passwords with bcrypt protects the database from offline cracking, but in a credential stuffing attack, the attacker already possesses the plaintext passwords from a previous breach and does not need to crack the database. Option D is wrong because HTTPS protects credentials in transit from interception, but credential stuffing uses stolen credentials that the attacker already has, so encrypting the login channel does not prevent the attacker from submitting them.

Question 4 · MCQ · easy

A company wants to ensure that their confidential data stored in BigQuery cannot be shared outside the company's Google Cloud organization. Which Google Cloud security capability prevents data from being shared with external Google accounts (outside the organization)?

A. Enabling BigQuery data encryption with CMEK to prevent external parties from decrypting shared data
B. The 'Domain Restricted Sharing' organization policy constraint, which prevents IAM policies from granting access to users outside specified trusted domains
C. BigQuery row-level security policies that restrict rows based on user email domain
D. Disabling external IP addresses on all Google Cloud resources to prevent data from leaving the organization's network

Answer: B

Domain Restricted Sharing is the correct control. It's an org policy constraint that makes it impossible to add external users (gmail.com accounts or accounts from other Google Cloud organizations) to any IAM policy in the organization. This prevents accidental or intentional sharing of resources outside the company's domain.

Why this answer

Option B is correct because the 'Domain Restricted Sharing' organization policy constraint (constraints/iam.allowedPolicyMemberDomains) explicitly prevents IAM policies from granting access to principals outside of specified trusted domains. This directly blocks sharing BigQuery data with external Google accounts by enforcing that all IAM members belong to the allowed domains, such as the company's own Google Workspace domain.

Exam trap

The trap here is that candidates often confuse data-at-rest encryption (CMEK) or data filtering (row-level security) with access control, failing to realize that only an organization policy constraint can prevent the initial IAM grant that shares data with external accounts.

How to eliminate wrong answers

Option A is wrong because CMEK (Customer-Managed Encryption Keys) controls encryption at rest but does not prevent data sharing; it only ensures that external parties cannot decrypt the data if they already have access, but it does not block the IAM grant that shares the data. Option C is wrong because BigQuery row-level security policies restrict which rows a user can see within a table based on user attributes like email domain, but they do not prevent the table from being shared with external accounts via IAM; they only filter data after access is granted. Option D is wrong because disabling external IP addresses prevents network-level egress but does not affect data sharing through BigQuery's API or IAM; data can still be shared with external accounts via authorized views, datasets, or IAM roles without any external IP traffic.

Question 5 · MCQ · hard

A security team wants to get a comprehensive, organization-wide view of security misconfigurations (such as publicly accessible storage buckets, VMs without firewalls, and IAM overprivilege), vulnerabilities in container images, and active threats across all Google Cloud projects. Which Google Cloud service provides this unified security posture management?

A. Cloud Monitoring — it detects security anomalies through metric analysis.
B. Security Command Center (SCC) — unified security posture management across all GCP projects.
C. Cloud Audit Logs — they show all API calls that could indicate security issues.
D. Cloud DLP — it scans all resources for sensitive data exposure.

Answer: B

SCC provides org-wide asset inventory, misconfiguration findings, vulnerability scanning, threat detection, and compliance posture assessment — the single pane of glass for GCP security.

Why this answer

Security Command Center (SCC) is the correct answer because it is Google Cloud's native, unified security and risk management platform that provides continuous monitoring for misconfigurations (e.g., publicly accessible storage buckets, VMs without firewalls, IAM overprivilege), vulnerability scanning for container images, and threat detection across all projects in an organization. It aggregates findings from services like Cloud Asset Inventory, Web Security Scanner, and Event Threat Detection into a single dashboard, enabling comprehensive security posture management.

Exam trap

Cisco often tests the distinction between a security monitoring service (Cloud Monitoring) and a dedicated security posture management service (Security Command Center), leading candidates to pick Cloud Monitoring because they confuse metric-based anomaly detection with comprehensive security posture assessment.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring is focused on collecting metrics, logs, and events for performance and availability monitoring, not on scanning for security misconfigurations, vulnerabilities, or active threats; it lacks the built-in security findings engine and posture management capabilities of SCC. Option C is wrong because Cloud Audit Logs record API call activity for compliance and forensic analysis but do not actively scan for misconfigurations, vulnerabilities, or provide a unified security posture dashboard; they are a data source, not a management service. Option D is wrong because Cloud DLP specializes in discovering, classifying, and protecting sensitive data (e.g., PII, credit card numbers) using inspection and de-identification techniques, not in assessing security misconfigurations, container vulnerabilities, or active threats across cloud resources.

Question 6 · MCQ · medium

A company uses Cloud SQL for MySQL and wants to ensure that data is encrypted at rest using customer-managed keys. They also need to rotate the key every 90 days. What should they do?

A. Use customer-supplied encryption keys (CSEK) with Cloud SQL
B. Use default Google-managed encryption and rotate the key using Cloud KMS
C. Enable CMEK on the Cloud SQL instance and rotate the key in Cloud KMS
D. Bring your own key (BYOK) without using Cloud KMS

Answer: C

Cloud SQL can be configured with a CMEK key from Cloud KMS, and the key can be rotated as needed.

Why this answer

Option C is correct because Cloud SQL supports Customer-Managed Encryption Keys (CMEK) via integration with Cloud KMS. By enabling CMEK on the Cloud SQL instance, you can use a key you create and manage in Cloud KMS, and you can set a rotation period (e.g., 90 days) on that key in Cloud KMS. This ensures data at rest is encrypted with a key you control and that is automatically rotated according to your schedule.

Exam trap

The trap here is that candidates confuse CSEK (Compute Engine/Cloud Storage) with CMEK (Cloud SQL, BigQuery, etc.) and assume any customer-managed key option works for Cloud SQL, or they think default Google-managed keys can be rotated by the customer.

How to eliminate wrong answers

Option A is wrong because Cloud SQL does not support customer-supplied encryption keys (CSEK); CSEK is a feature of Compute Engine and Cloud Storage, not Cloud SQL. Option B is wrong because default Google-managed encryption cannot be rotated by the customer; rotation of Google-managed keys is handled internally by Google and not configurable by the user. Option D is wrong because BYOK without Cloud KMS is not a supported mechanism for Cloud SQL; Cloud SQL requires the use of Cloud KMS to manage customer-managed keys for encryption at rest.

Question 7 · MCQ · medium

A company's security policy requires that when an employee is terminated, their access to all cloud resources must be revoked immediately — including any active sessions. Which approach most comprehensively achieves this in a Google Cloud environment integrated with Google Workspace?

A. Manually reviewing and removing the employee's IAM bindings across all Google Cloud projects one by one
B. Disabling the employee's Google Workspace account (which immediately invalidates all active sessions and prevents new authentication), then auditing for and revoking any service account keys they created
C. Changing the employee's password immediately — they can no longer log in with the old password
D. Waiting until the end of the business day to revoke access to avoid disrupting active workflows

Answer: B

This is the comprehensive approach. Disabling the Workspace identity immediately invalidates all active OAuth tokens and prevents new sign-ins — all GCP access based on that identity stops instantly. Auditing for service account keys they created closes the remaining gap (keys are separate credentials not tied to the user account).

Why this answer

Disabling the Google Workspace account immediately invalidates all active sessions and prevents new authentication because Google Cloud IAM relies on the Workspace identity for user-based access. This single action revokes access across all Google Cloud projects and services that use that identity, including Cloud Console, gcloud CLI, and API sessions. Auditing and revoking service account keys the user created is necessary because those keys are not tied to the user's Workspace account and remain valid until explicitly deleted.

Exam trap

Cisco often tests the misconception that changing a password or removing IAM roles is sufficient for immediate session termination, when in fact only disabling the identity account (or revoking tokens) stops active sessions — OAuth tokens are not invalidated by password changes or role removals.

How to eliminate wrong answers

Option A is wrong because manually reviewing and removing IAM bindings across projects is slow, error-prone, and does not terminate active sessions — the user's existing tokens and sessions remain valid until they expire. Option C is wrong because changing the password only prevents new logins; it does not invalidate existing OAuth 2.0 access tokens or refresh tokens, so active sessions and API calls continue until token expiry (typically 1 hour). Option D is wrong because waiting until the end of the business day violates the security policy requirement for immediate revocation and leaves a window for unauthorized access or data exfiltration.

Question 8 · MCQ · medium

A company's application stores user passwords. Their security team says passwords must be stored as hashes, never in plaintext. They want to ensure this requirement is met even if a database is compromised. Why is password hashing (with salt) the correct approach?

A. Hashing passwords allows the application to recover the original password when users forget it.
B. Hashing with salt makes stored passwords irreversible — even if the database is stolen, attackers cannot recover the original passwords without computationally intensive per-user brute force.
C. Storing passwords as hashes allows sharing them between systems for single sign-on.
D. Google Cloud automatically encrypts all database contents, making password hashing unnecessary.

Answer: B

One-way hashing means compromised databases expose only hashes. Salting defeats precomputed attacks. Cracking each individually is computationally expensive, protecting users even after a breach.

Why this answer

Password hashing with salt is the correct approach because it transforms passwords into irreversible digests. Even if the database is compromised, an attacker cannot recover the original passwords without performing a computationally expensive brute-force attack on each salted hash individually. This ensures the plaintext password is never stored or recoverable, meeting the security requirement.

Exam trap

The trap here is that candidates may confuse encryption (which is reversible) with hashing (which is one-way), or assume that cloud encryption alone satisfies the requirement, ignoring the application's own storage logic.

How to eliminate wrong answers

Option A is wrong because hashing is a one-way function; the application cannot recover the original password from the hash — it can only verify a candidate password by re-hashing and comparing. Option C is wrong because password hashes are not designed for sharing between systems for single sign-on; SSO typically uses tokens or federated identity protocols (e.g., SAML, OAuth), not raw password hashes. Option D is wrong because Google Cloud's encryption-at-rest protects data in storage but does not prevent the application from storing plaintext passwords; the requirement is about the application's own storage practice, not infrastructure encryption.

Question 9 · MCQ · hard

A security architect is evaluating Google Cloud's approach to securing customer data against both external attackers and potential internal Google personnel access. She identifies four distinct controls: (1) encryption at rest by default, (2) Access Transparency logs, (3) Customer-Managed Encryption Keys (CMEK), and (4) Access Approval. How do these four controls work together to provide layered data protection?

A. All four controls are redundant and address the same threat — customers only need to enable one of them
B. The four controls form complementary layers: default encryption protects physical storage, CMEK gives cryptographic customer control (revocable), Access Transparency provides visibility into Google personnel access, and Access Approval gives customers veto power — together addressing infrastructure attacks, insider threats, and provider access concerns
C. These controls are only relevant for government or military workloads; commercial enterprises don't need this level of protection
D. CMEK alone provides complete data protection — the other three controls are unnecessary if customer-managed keys are in use

Answer: B

This correctly describes the layered defense. Default encryption: protects against physical media theft. CMEK: customer controls the key — can cryptographically revoke Google's ability to decrypt. Access Transparency: audit trail of provider access. Access Approval: proactive veto before access. Together they provide defense at every layer of the provider access concern.

Why this answer

Option B is correct because these four controls form a defense-in-depth strategy for data protection on Google Cloud. Default encryption at rest secures data on physical storage, CMEK provides cryptographic control with the ability to revoke access, Access Transparency logs offer visibility into Google personnel actions, and Access Approval gives customers the ability to veto access requests. Together, they address threats from infrastructure attacks, insider threats, and provider access concerns, creating a layered security model.

Exam trap

Google Cloud often tests the misconception that encryption alone is sufficient for data protection, ignoring the need for access transparency and approval mechanisms to address insider threats and provider access concerns.

How to eliminate wrong answers

Option A is wrong because the controls are not redundant; each addresses a distinct threat vector (e.g., encryption at rest protects against physical theft, while Access Approval controls administrative access). Option C is wrong because these controls are applicable to all workloads, not just government or military; Google Cloud recommends them for any organization needing compliance or data sovereignty. Option D is wrong because CMEK alone does not provide complete protection; it lacks visibility (Access Transparency) and veto capability (Access Approval) for Google personnel access, and does not cover default encryption for all data.

Question 10 · MCQ · easy

A startup is building a mobile health app that stores sensitive patient data in Cloud Storage. They want to ensure data is encrypted at rest using a key they manage themselves and rotate monthly. Which encryption approach should they use?

A. Use customer-supplied encryption keys (CSEK)
B. Use default Google-managed encryption keys
C. Use customer-managed encryption keys (CMEK) with Cloud KMS
D. Use server-side encryption with customer-provided keys (SSE-C)

Answer: C

Correct: CMEK allows the customer to manage and rotate keys monthly.

Why this answer

Cloud Key Management Service (Cloud KMS) with a customer-managed encryption key (CMEK) allows customers to control and rotate keys. CSEK is deprecated and less flexible. SSE-C is not available in Cloud Storage.

Default encryption is Google-managed and cannot be rotated by the customer.

Question 11 · MCQ · medium

A company stores encryption keys in Cloud KMS to protect sensitive data. What does Cloud KMS provide that standard application-layer encryption does not?

A. Faster encryption performance because Google's hardware is optimized for cryptographic operations.
B. Centralized key lifecycle management with IAM-controlled access, audit logs, rotation policies, and optional HSM-backed key protection.
C. The ability to encrypt data without any performance impact on the application.
D. Free unlimited encryption for all data stored in Google Cloud.

Answer: B

Cloud KMS provides key governance: who can use which key is IAM-controlled and audited; keys can be automatically rotated; HSM protection ensures keys never leave secure hardware. These are enterprise security requirements that application-layer encryption cannot provide.

Why this answer

Cloud KMS provides centralized key lifecycle management, including IAM-based access control, audit logging, automatic key rotation, and optional HSM-backed key protection. Standard application-layer encryption typically embeds keys within the application code or configuration, lacking these governance and security controls. This separation of key management from application logic is a core security best practice.

Exam trap

The trap here is that candidates assume Cloud KMS is just a faster or cheaper way to do encryption, when the real value is the centralized governance, auditability, and HSM-backed security that standard application-layer encryption lacks.

How to eliminate wrong answers

Option A is wrong because Cloud KMS does not inherently provide faster encryption performance; in fact, using a remote key management service can introduce network latency compared to local encryption, and Google's hardware optimization is not a primary benefit over application-layer encryption. Option C is wrong because any encryption, including Cloud KMS, introduces some performance overhead due to cryptographic operations and network calls; it cannot be completely free of performance impact. Option D is wrong because Cloud KMS is not free; it has a pay-per-use pricing model based on key operations and storage, and there is no unlimited free tier for encryption.

Question 12 · MCQ · easy

A company is migrating its on-premises applications to Google Cloud. The security team requires that all data be encrypted both in transit and at rest. Which approach meets these requirements with minimal operational overhead?

A. Use HTTPS for all traffic and enable default encryption at rest with Google-managed keys.
B. Implement a third-party encryption tool for both transit and at rest.
C. Set up a VPN between on-premises and Google Cloud and rely on that for encryption.
D. Restrict physical access to Google Cloud data centers.

Answer: A

Google Cloud encrypts data at rest by default; HTTPS provides encryption in transit.

Why this answer

Option A is correct because HTTPS provides encryption in transit using TLS, and default encryption at rest with Google-managed keys encrypts data stored in Google Cloud services like Cloud Storage and Compute Engine disks without requiring any manual key management. This approach meets the security requirements with minimal operational overhead since Google handles key rotation and lifecycle management automatically.

Exam trap

Google Cloud often tests the misconception that a VPN alone satisfies both encryption in transit and at rest requirements, but candidates must remember that VPNs only cover transit encryption and do not address data at rest within the cloud provider's infrastructure.

How to eliminate wrong answers

Option B is wrong because implementing a third-party encryption tool introduces additional complexity, cost, and operational overhead for both transit and at rest encryption, which contradicts the requirement for minimal operational overhead. Option C is wrong because a VPN only encrypts traffic between on-premises and Google Cloud but does not provide encryption at rest for data stored within Google Cloud services. Option D is wrong because restricting physical access to data centers addresses physical security but does not provide any encryption for data in transit or at rest.

Question 13 · MCQ · easy

Which Google Cloud feature provides reports on how Google processes government requests for customer data and how often Google challenges overly broad requests?

A. Cloud Audit Logs — they record all API calls including government data requests.
B. Google's Transparency Report — publishing data about government requests and legal compliance.
C. Security Command Center — it alerts when government agencies access customer data.
D. Access Transparency logs — they record every time any external entity accesses customer data.

Answer: B

Google's Transparency Report (transparency.google/reports) details government data requests by country, compliance rates, and legal challenges. It provides verifiable evidence of Google's approach to data requests.

Why this answer

Google's Transparency Report is the correct answer because it specifically publishes data on government requests for user data, including how Google processes these requests and how often it challenges overly broad or legally questionable demands. This report is designed to provide public visibility into government actions, not to log individual API calls or access events.

Exam trap

Cisco often tests the distinction between internal access logs (Access Transparency) and external government request reporting (Transparency Report), so the trap here is confusing operational audit trails with public transparency reporting about legal demands.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs record API calls made within a Google Cloud project, not government data requests to Google as a company; they are for internal auditing of customer resources. Option C is wrong because Security Command Center is a security and risk management platform that detects threats and vulnerabilities in cloud resources, not a tool for reporting on government requests for customer data. Option D is wrong because Access Transparency logs record every time a Google Cloud employee or support engineer accesses customer data, not external government entities; they are about internal access, not government requests.

Question 14 · MCQ · easy

The principle of least privilege is a fundamental security concept applied to IAM in Google Cloud. Which statement best describes this principle?

A. All users should have read-only access to prevent accidental changes.
B. Users and services should be granted only the minimum permissions required for their specific function, nothing more.
C. Administrators should have full access so they can respond to any emergency quickly.
D. All employees should share the same IAM role to simplify permission management.

Answer: B

Least privilege limits access to what's actually needed. A developer deploying Cloud Run doesn't need BigQuery admin access. Minimizing permissions reduces the impact of credential compromise.

Why this answer

Option B is correct because the principle of least privilege in Google Cloud IAM dictates that identities (users, groups, or service accounts) should be granted only the permissions necessary to perform their intended tasks. This minimizes the attack surface and limits the blast radius of a compromised credential. In Google Cloud, this is implemented by assigning predefined or custom roles with the exact set of permissions required, rather than using broad roles like Owner or Editor.

Exam trap

Google Cloud often tests the misconception that 'least privilege' means 'everyone gets read-only' or that 'administrators need full access for emergencies,' but the correct interpretation is granular, role-specific permissions with temporary elevation for break-glass scenarios.

How to eliminate wrong answers

Option A is wrong because read-only access is not universally appropriate; some users or services need write, create, or delete permissions to perform their functions, and enforcing read-only for all would break operational workflows. Option C is wrong because granting administrators full access at all times violates least privilege; emergency access should be obtained through just-in-time (JIT) or break-glass mechanisms, such as using Google Cloud's Access Approval or temporary privilege elevation, not standing permissions. Option D is wrong because sharing the same IAM role across all employees ignores the need for role-based access control (RBAC); different job functions require different permissions, and a single role would either over-permission some users or under-permission others, creating security or operational gaps.

15
MCQeasy

A company is concerned about which security responsibilities belong to Google versus which belong to them when using Google Cloud's managed database service (Cloud SQL). In the shared responsibility model, which security tasks does Google handle?

A.Google controls who can access the database and what data can be stored.
B.Google handles physical security, hardware maintenance, and OS and database software patching.
C.Google is responsible for backing up customer data and ensuring data recovery.
D.Google determines which compliance certifications the customer's application must meet.
AnswerB

For managed services, Google manages the entire infrastructure layer: physical security, hardware, hypervisor, and service software updates. Customers manage their configuration and data.

Why this answer

In the shared responsibility model for Google Cloud services like Cloud SQL, Google is responsible for security 'of' the cloud, which includes physical security of data centers, hardware maintenance, and patching the underlying operating system and database software. This ensures the infrastructure hosting Cloud SQL instances is secure, while the customer remains responsible for securing their data, access policies, and application-level configurations.

Exam trap

The trap here is that candidates often confuse Google's responsibility for patching the database software (which Google handles) with the customer's responsibility for managing database access controls and backup configurations, leading them to incorrectly select options A or C.

How to eliminate wrong answers

Option A is wrong because Google does not control who accesses the database or what data is stored; those are customer responsibilities under IAM and data classification. Option C is wrong because while Google provides backup and recovery capabilities as a feature, the customer is responsible for configuring and enabling backups, and for verifying recovery procedures. Option D is wrong because Google does not determine which compliance certifications the customer's application must meet; the customer must assess their own compliance requirements and choose Google Cloud services that align with those certifications.

16
Drag & Dropmedium

Drag and drop the steps to set up a Cloud NAT for private Compute Engine instances to access the internet in the correct order.

Why this order

The setup requires a VPC, Cloud Router, NAT gateway, appropriate firewall rules, and verification.

17
MCQhard

A CISO is evaluating Google Cloud's security posture and asks about independent third-party validation of Google's security practices. Which types of certifications and audit reports most directly provide this independent assurance?

A.Google's internal security policies and self-assessment reports published on its website
B.Third-party audit certifications such as ISO 27001, SOC 2 Type II, PCI DSS, and FedRAMP, which independently verify that Google's security controls meet defined international and industry standards
C.Google's Bug Bounty program, which shows that the public can report security vulnerabilities
D.Customer testimonials from large enterprises that use Google Cloud for sensitive workloads
AnswerB

These certifications are the gold standard for independent assurance. ISO 27001 and SOC 2 Type II involve rigorous independent audits. PCI DSS is required for payment data handling. FedRAMP provides US government-validated cloud security. A CISO can review these certifications as credible evidence that Google's security controls have been independently verified.

Why this answer

Option B is correct because independent third-party validation of Google Cloud's security posture is most directly provided by certifications and audit reports such as ISO 27001, SOC 2 Type II, PCI DSS, and FedRAMP. These are issued by accredited external auditors who verify that Google's security controls, processes, and infrastructure meet rigorous, internationally recognized standards. This gives customers objective assurance beyond Google's own claims.

Exam trap

Google Cloud often tests the distinction between internal self-assessments or informal programs (like bug bounties or testimonials) and formal, independent third-party audit certifications that provide legally defensible assurance of security controls.

How to eliminate wrong answers

Option A is wrong because internal security policies and self-assessment reports are not independent; they lack external verification and are considered first-party attestations, not third-party validation. Option C is wrong because the Bug Bounty program is a vulnerability disclosure mechanism that encourages ethical hacking, but it does not provide a systematic, audited certification of overall security controls or compliance with standards like ISO 27001 or SOC 2. Option D is wrong because customer testimonials, while valuable for reputation, are anecdotal and not a formal, audited certification; they do not constitute independent third-party validation of security practices.

18
MCQmedium

A company's security team wants to detect and remediate public exposure of Cloud SQL instances. Which service should they use?

A.Cloud Armor
B.Security Command Center
C.Cloud Data Loss Prevention (DLP)
D.VPC Service Controls
AnswerB

Security Command Center can find misconfigurations like public Cloud SQL instances.

Why this answer

Security Command Center (SCC) is the correct service because it provides centralized visibility and monitoring of Google Cloud resources, including the ability to detect and alert on public exposure of Cloud SQL instances. SCC's built-in vulnerability and threat detection findings, such as 'Public SQL instance,' directly identify misconfigured Cloud SQL instances that are accessible from the internet, enabling the security team to remediate the exposure.

Exam trap

The trap here is that candidates often confuse services that enforce security (like VPC Service Controls or Cloud Armor) with services that detect and alert on misconfigurations, leading them to pick a tool that blocks or filters traffic rather than one that provides visibility and detection.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall (WAF) and DDoS protection service that operates at the edge of Google Cloud, protecting HTTP(S) load-balanced applications, not detecting or remediating public exposure of Cloud SQL instances. Option C is wrong because Cloud Data Loss Prevention (DLP) is a service for inspecting, classifying, and de-identifying sensitive data within content, not for detecting network-level exposure of Cloud SQL instances. Option D is wrong because VPC Service Controls is a security perimeter service that prevents data exfiltration from managed services by defining perimeters around VPC networks, but it does not actively detect or alert on public exposure of Cloud SQL instances; it enforces access boundaries but does not provide visibility into existing public configurations.

19
MCQmedium

A company uses Cloud Load Balancing to distribute traffic to Compute Engine VMs. They want to protect against SQL injection and cross-site scripting attacks. Which service should they enable?

A.Identity-Aware Proxy (IAP)
B.Cloud Armor
C.Cloud CDN
D.VPC Service Controls
AnswerB

Cloud Armor includes WAF rules to block common web attacks.

Why this answer

Cloud Armor is the correct service because it provides web application firewall (WAF) capabilities that can inspect HTTP/S traffic for malicious patterns, including SQL injection and cross-site scripting (XSS) signatures. It integrates directly with Cloud Load Balancing to filter requests before they reach backend Compute Engine VMs, using pre-configured rules from the ModSecurity Core Rule Set (CRS) to block these common OWASP Top 10 threats.

Exam trap

The trap here is that candidates confuse Identity-Aware Proxy (IAP) with a security filter for application-layer attacks; IAP only authenticates and authorizes users and does not inspect traffic for malicious payloads like SQL injection or XSS.

How to eliminate wrong answers

Option A is wrong because Identity-Aware Proxy (IAP) controls access based on user identity and context (e.g., OAuth, device state), but it does not inspect HTTP request payloads for attack patterns like SQL injection or XSS. Option C is wrong because Cloud CDN caches content at edge locations to improve latency and reduce load, but it does not provide a WAF or inspect traffic for malicious payloads. Option D is wrong because VPC Service Controls create a security perimeter around Google Cloud APIs and services (e.g., preventing data exfiltration via VPC peering), but they do not filter application-layer attacks like SQL injection or XSS.

20
MCQmedium

A healthcare company must store PHI in Cloud Storage. They require encryption at rest and in transit, and need to comply with HIPAA. Which combination of Google Cloud features should they implement?

A.Cloud Storage with SSE-C, HTTP for in-transit, and enable HIPAA compliance flag.
B.Use Cloud Storage with CSEK and disable public access.
C.Cloud Storage with SSE-GCP and use HTTPS, sign BAA with Google.
D.Use Cloud Storage with CMEK and use VPN for transit.
AnswerC

SSE-GCP provides encryption at rest, HTTPS provides encryption in transit, and a BAA is required for HIPAA compliance.

Why this answer

Option C is correct because Cloud Storage with server-side encryption (SSE-GCP) provides encryption at rest by default, HTTPS ensures encryption in transit, and signing a Business Associate Agreement (BAA) with Google is a mandatory contractual requirement for HIPAA compliance. This combination satisfies all stated requirements: encryption at rest, encryption in transit, and HIPAA compliance.

Exam trap

The trap here is that candidates often confuse encryption mechanisms (SSE-C, CSEK, CMEK, SSE-GCP) with HIPAA compliance requirements, mistakenly thinking that any encryption method plus disabling public access or using a VPN is sufficient, when in fact a signed BAA is the non-negotiable contractual requirement for HIPAA compliance with Google Cloud.

How to eliminate wrong answers

Option A is wrong because SSE-C (Server-Side Encryption with Customer-Provided Keys) is a valid encryption-at-rest option, but HTTP does not encrypt data in transit, and there is no 'HIPAA compliance flag' to enable in Cloud Storage—HIPAA compliance requires a signed BAA. Option B is wrong because CSEK (Customer-Supplied Encryption Keys) is a valid encryption-at-rest method, but disabling public access alone does not ensure encryption in transit (HTTPS is required) and does not address HIPAA compliance (a signed BAA is needed). Option D is wrong because CMEK (Customer-Managed Encryption Keys) provides encryption at rest, but using a VPN for transit does not guarantee HTTPS for Cloud Storage access; Cloud Storage requires HTTPS for encryption in transit, and a VPN alone does not satisfy the HIPAA requirement for a signed BAA.

21
Multi-Selecteasy

Which TWO features are part of Cloud Data Loss Prevention (Cloud DLP)?

Select 2 answers
A.Classification of sensitive data such as credit card numbers
B.De-identification of data through masking, tokenization, and encryption
C.Network vulnerability scanning
D.Removal of malware from uploaded files
E.Creation of IAM policies
AnswersA, B

Cloud DLP can detect and classify sensitive data types.

Why this answer

Cloud DLP is specifically designed to inspect, classify, and protect sensitive data. Option A is correct because Cloud DLP uses over 150 built-in infoType detectors to automatically identify sensitive data types, such as credit card numbers (matching the Luhn algorithm and PAN format), Social Security numbers, and passport numbers, enabling organizations to understand where their sensitive data resides. Option B is correct because Cloud DLP also de-identifies the data it finds, using techniques such as masking, tokenization, and encryption, so that sensitive values can be protected while the data remains usable.

Exam trap

Google Cloud often tests the distinction between data-level security (Cloud DLP) and infrastructure-level security (vulnerability scanning, malware removal, IAM) to see if candidates confuse Cloud DLP's content inspection capabilities with broader security services.

22
MCQhard

A company's risk management team wants to understand Google Cloud's approach to supply chain security — specifically, how Google ensures that the hardware and firmware running in its data centers have not been tampered with. Which Google security initiative addresses hardware supply chain integrity?

A.Google uses third-party antivirus software to scan all hardware components for tampering before installation
B.Google's Titan security chip, embedded in Google's servers, cryptographically attests boot firmware integrity and machine identity — providing hardware-level supply chain security assurance
C.Google relies on hardware manufacturers' security certifications to ensure supply chain integrity
D.Google encrypts all hardware components with AES-256 to prevent tampering
AnswerB

Titan is Google's hardware root of trust for supply chain security. It generates a cryptographic identity for the machine, verifies boot firmware hasn't been tampered with (preventing firmware attacks), and provides attestation that can be verified throughout the machine's lifecycle. This is a core component of Google's defense-in-depth security architecture.

Why this answer

Option B is correct because Google's Titan security chip is a dedicated hardware root of trust that cryptographically verifies the boot firmware integrity and machine identity at every startup. This ensures that only Google-signed firmware runs on servers, preventing tampering during manufacturing, shipping, or deployment. Titan provides a hardware-anchored attestation chain that validates the entire supply chain from chip fabrication to rack installation.

Exam trap

The trap here is that candidates often confuse supply chain security with data protection mechanisms (like encryption) or rely on third-party certifications, missing that Google's proprietary hardware root of trust (Titan) is the specific initiative for hardware integrity.

How to eliminate wrong answers

Option A is wrong because Google does not use third-party antivirus software to scan hardware components; antivirus software operates at the OS level and cannot verify hardware or firmware integrity at the supply chain level. Option C is wrong because Google does not rely solely on hardware manufacturers' security certifications; instead, Google implements its own hardware security controls like Titan to independently verify integrity, as manufacturer certifications can be compromised or insufficient. Option D is wrong because AES-256 encryption protects data at rest or in transit, not hardware components themselves; encrypting hardware components would not prevent tampering with firmware or the physical device.

23
MCQmedium

A company is evaluating Google Cloud and wants to know: what is Access Transparency, and how does it benefit customers with stringent governance requirements?

A.Access Transparency shows customers which Google Cloud services are available in their region.
B.Access Transparency logs when Google Cloud personnel access customer content, providing an audit trail for governance.
C.Access Transparency is a feature that makes all customer data visible to Google for quality improvement.
D.Access Transparency provides customers with real-time dashboards of their application's security vulnerabilities.
AnswerB

Access Transparency near-real-time logs capture: what Google personnel accessed, why (business justification), and when — giving enterprises visibility and audit evidence for sovereign data governance requirements.

Why this answer

Access Transparency logs are a Google Cloud feature that provides customers with near real-time logs whenever Google personnel access their data. This creates a detailed audit trail, which is essential for customers with stringent governance or compliance requirements, as it allows them to monitor and verify that access is only for authorized purposes.

Exam trap

Cisco often tests the distinction between 'logging access' and 'providing visibility into data' — the trap here is confusing Access Transparency (an audit log of Google personnel actions) with a feature that exposes or shares customer data with Google.

How to eliminate wrong answers

Option A is wrong because Access Transparency does not show which Google Cloud services are available in a region; that is the function of the Google Cloud region and service listing pages. Option C is wrong because Access Transparency does not make customer data visible to Google for quality improvement; it logs when Google personnel access data, and customers must opt in to share data for quality improvement through separate programs. Option D is wrong because Access Transparency does not provide real-time dashboards of security vulnerabilities; that is the role of services like Security Command Center or Web Security Scanner.

24
MCQmedium

A company is moving its financial reporting application to Google Cloud. The CFO asks: 'If Google Cloud experiences a data breach and our financial data is exposed, who is financially liable?' How should the cloud architect answer this question?

A.Google Cloud bears full financial liability for all data breaches involving customer data on its platform
B.Liability depends on where the breach originated: Google is responsible for failures in its infrastructure security; the customer is responsible for breaches resulting from misconfiguration, application vulnerabilities, or inadequate access controls in areas under their responsibility
C.The customer bears all liability for any breach because they chose to use cloud services
D.No party is liable because data breaches in cloud are force majeure events similar to natural disasters
AnswerB

This accurately describes the shared responsibility reality. If Google's physical security or hypervisor is breached, Google bears responsibility. If a misconfigured IAM policy exposes data (customer responsibility), the customer bears the consequences. The customer should also have cyber insurance to manage residual risk.

Why this answer

Option B is correct because the Google Cloud Shared Responsibility Model explicitly delineates liability: Google is responsible for the security of the cloud (e.g., physical infrastructure, hypervisor, network controls), while the customer is responsible for security in the cloud (e.g., IAM policies, application code, data encryption). In a breach, liability is determined by where the failure occurred—if Google’s infrastructure (e.g., GKE node isolation) fails, Google bears liability; if the customer misconfigures a Cloud Storage bucket or leaves a Compute Engine firewall open, the customer bears liability. This aligns with the CFO’s question about financial liability, which is not absolute but contingent on the breach’s origin.

Exam trap

The trap here is that candidates assume Google Cloud automatically assumes all liability for any data breach, ignoring the Shared Responsibility Model’s clear division of accountability based on the breach’s origin (infrastructure vs. customer-managed layers).

How to eliminate wrong answers

Option A is wrong because Google Cloud does not bear full financial liability; the Shared Responsibility Model assigns liability based on the breach’s origin, and customers retain responsibility for their own configurations, applications, and access controls. Option C is wrong because the customer does not bear all liability; Google is liable for breaches caused by failures in its infrastructure security (e.g., hypervisor escapes, physical data center breaches). Option D is wrong because data breaches are not force majeure events; they are foreseeable risks addressed in Google Cloud’s SLA and contractual terms, and liability is governed by the Cloud Terms of Service, not natural disaster clauses.

25
MCQhard

A CISO is designing an identity strategy for Google Cloud that follows Zero Trust principles. She proposes that no long-lived credentials (API keys, service account keys) should be used for any automated workloads. What Google Cloud mechanism replaces service account keys for authenticating workloads running on Google Cloud infrastructure?

A.Using long-lived API keys stored in Secret Manager instead of environment variables — the keys are the same but stored more securely
B.Attaching a service account to the Compute Engine VM or GKE workload, allowing the workload to obtain short-lived access tokens from the metadata server automatically — no key files required
C.Rotating service account keys every 24 hours to minimize the exposure window
D.Using OAuth 2.0 user accounts instead of service accounts for all automated workloads
AnswerB

This is the correct Zero Trust-aligned approach. A service account is attached to the VM or GKE pod. The workload calls the metadata server (169.254.169.254) to get a short-lived (1-hour) access token automatically. No key file is created, stored, or managed — eliminating the key compromise risk entirely. Workload Identity in GKE extends this to Kubernetes service accounts.

Why this answer

Option B is correct because Google Cloud's default service account attached to Compute Engine VMs or GKE nodes uses the metadata server to automatically obtain short-lived OAuth 2.0 access tokens (typically valid for 1 hour). This eliminates the need for any long-lived key files, aligning with Zero Trust principles by reducing credential exposure and enabling automatic rotation.

Exam trap

Cisco often tests the misconception that rotating keys or storing them securely (e.g., in Secret Manager) is sufficient for Zero Trust, when the core principle is to eliminate long-lived credentials entirely by using metadata-server-based token generation.

How to eliminate wrong answers

Option A is wrong because it still relies on long-lived API keys (even if stored in Secret Manager), which violates the Zero Trust requirement of no long-lived credentials. Option C is wrong because rotating service account keys every 24 hours still uses long-lived key files that can be exfiltrated and reused within that window, failing to eliminate the underlying risk. Option D is wrong because OAuth 2.0 user accounts are designed for interactive human users, not automated workloads, and would require storing user credentials or refresh tokens, which introduces security and manageability issues.

26
MCQmedium

A security team is reviewing a developer's request to be granted the 'Owner' role on a production Google Cloud project 'just in case they need broad access.' The security team rejects this and instead grants a more specific role. Which security principle does the security team's decision enforce?

A.Defense in depth, by ensuring multiple security layers protect the project
B.Separation of duties, by ensuring no single person has too many responsibilities
C.Principle of least privilege, by granting only the minimum permissions necessary for the developer's specific role and tasks
D.Zero trust networking, by treating the developer's device as untrusted
AnswerC

The Principle of Least Privilege is the core concept here. Owner role is far broader than necessary. By granting a specific role matching actual requirements, the security team limits the blast radius if the developer's account is compromised and reduces the risk of accidental destructive actions.

Why this answer

The security team's decision to reject the overly broad 'Owner' role and grant a more specific role directly enforces the principle of least privilege. This principle dictates that users should be granted only the minimum permissions necessary to perform their job functions, reducing the risk of accidental or malicious misuse of elevated access. In Google Cloud, this is implemented by assigning predefined or custom IAM roles with precisely scoped permissions rather than broad roles like Owner.

Exam trap

Google Cloud often tests the principle of least privilege by presenting a scenario where a broad role is requested 'just in case,' and candidates may confuse it with separation of duties or defense in depth, but the key is that the decision limits permissions to the minimum needed for the task.

How to eliminate wrong answers

Option A is wrong because defense in depth involves multiple layers of security controls (e.g., firewalls, encryption, monitoring) across the infrastructure, not the granularity of a single IAM role assignment. Option B is wrong because separation of duties ensures that critical tasks are divided among multiple individuals to prevent fraud or error, whereas this scenario is about limiting permissions for a single developer, not splitting responsibilities. Option D is wrong because zero trust networking focuses on verifying every request as if it originates from an untrusted network, often through device authentication and network segmentation, not on the scope of IAM roles granted to a user.

27
MCQeasy

A small e-commerce company runs its website on Compute Engine instances behind a Global External HTTP(S) Load Balancer. They are concerned about application-layer DDoS attacks, such as SQL injection and cross-site scripting (XSS), that could compromise customer data and degrade performance. The company wants a managed solution that provides both DDoS protection and web application firewall (WAF) capabilities without requiring constant manual updates. They have a limited budget and prefer a solution that is easy to configure and does not require extensive infrastructure changes. What should they implement?

A.Enable Cloud Armor with preconfigured WAF rules and configure it on the load balancer.
B.Configure VPC firewall rules to block suspicious IP addresses.
C.Set up Cloud NAT to route all traffic through a single IP address.
D.Use Cloud VPN to connect users to the load balancer.
AnswerA

Cloud Armor offers DDoS protection and WAF rules that can be easily applied to a load balancer.

Why this answer

Cloud Armor is a managed, Google Cloud-native service that provides both DDoS protection and a web application firewall (WAF) with preconfigured rules for SQL injection and XSS. It integrates directly with the Global External HTTP(S) Load Balancer, requires no manual updates (rules are maintained by Google), and is cost-effective because it charges based on policy usage rather than infrastructure overhead. This meets the company's need for easy configuration, minimal infrastructure changes, and managed security.

Exam trap

The trap here is that candidates confuse network-layer security tools (VPC firewall rules, Cloud NAT, Cloud VPN) with application-layer security, assuming any Google Cloud networking feature can block web attacks, but only Cloud Armor provides managed WAF and DDoS protection at the application layer.

How to eliminate wrong answers

Option B is wrong because VPC firewall rules operate at the network layer (Layer 3/4) and cannot inspect application-layer payloads like SQL injection or XSS; they only block IP addresses, not malicious content. Option C is wrong because Cloud NAT is used for outbound internet access from private instances, not for inbound traffic protection or application-layer filtering; it does not provide DDoS or WAF capabilities. Option D is wrong because Cloud VPN creates an encrypted tunnel for site-to-site connectivity, not for protecting public-facing web traffic from application-layer attacks; it does not inspect HTTP/HTTPS payloads or mitigate DDoS.

28
Multi-Selectmedium

Which TWO actions are the customer's responsibility under the GCP shared responsibility model?

Select 2 answers
A.Managing user accounts and authentication
B.Encryption of data at rest by default
C.Configuring IAM policies to control access
D.Network infrastructure maintenance
E.Physical security of data centers
AnswersA, C

Correct: Customers manage their users and authentication methods.

Why this answer

Options A and C are correct. Managing user accounts and configuring IAM policies are customer responsibilities. Physical data center security and network infrastructure maintenance are Google's responsibilities.

Encrypting data at rest using the default settings is Google's responsibility, but the customer can choose to apply additional encryption on top of it.

29
MCQeasy

Google Cloud encrypts all customer data at rest by default without any configuration required. A customer asks: 'Do we need to do anything special to encrypt our data stored in Cloud Storage?' What is the correct answer?

A.Yes, customers must enable encryption in the Cloud Storage bucket settings for each bucket.
B.No, Google Cloud encrypts all data at rest automatically using AES-256 — no configuration is needed.
C.Only data in premium storage tiers is encrypted; Standard storage requires manual encryption.
D.Customers must purchase the Security Command Center Premium tier to enable data encryption.
AnswerB

All Google Cloud storage services encrypt data at rest by default with AES-256. Customers receive encryption without any setup, and can optionally use CMEK for key management control.

Why this answer

Option B is correct because Google Cloud automatically encrypts all customer data at rest using AES-256 encryption, with no configuration required. This default encryption applies to all Cloud Storage buckets, regardless of storage class or region, and the encryption keys are managed by Google Cloud unless the customer chooses to use Customer-Managed Encryption Keys (CMEK) or Customer-Supplied Encryption Keys (CSEK).

Exam trap

The trap here is that candidates may assume encryption requires explicit action (like enabling a setting or purchasing an add-on) because many cloud providers or on-premises systems require manual configuration, but Google Cloud encrypts all data at rest by default with no customer effort.

How to eliminate wrong answers

Option A is wrong because it implies that encryption must be manually enabled per bucket, but Google Cloud encrypts all data at rest by default without any bucket-level configuration. Option C is wrong because it falsely claims that only premium storage tiers are encrypted; in reality, all storage tiers—including Standard, Nearline, Coldline, and Archive—are encrypted at rest by default. Option D is wrong because it suggests that encryption requires purchasing Security Command Center Premium, which is a security and threat detection service, not a prerequisite for data encryption.

30
MCQmedium

A company stores its data in Google Cloud. The security team asks: can Google employees access our customer data without our knowledge or consent? What does Google's commitment ensure?

A.Google employees have unrestricted access to all customer data as part of the infrastructure service agreement.
B.Google commits that customer data is not accessed without authorization, with access logged via Access Transparency and governed by contractual data processing commitments.
C.Google uses customer data to train its global AI models to improve services.
D.Customer data stored in Google Cloud is automatically accessible by government agencies on request.
AnswerB

Google's contractual commitments (Cloud Data Processing Addendum), Access Transparency logging, and technical controls ensure customer data is only accessed for authorized purposes, with full auditability.

Why this answer

Option B is correct because Google Cloud's Access Transparency feature logs all data access attempts by Google personnel, and contractual data processing commitments under the Cloud Data Processing Addendum (CDPA) prohibit unauthorized access. This ensures that customer data is not accessed without explicit authorization, and any access is logged and auditable, aligning with the security team's concern about knowledge and consent.

Exam trap

Cisco often tests the misconception that cloud providers have unfettered access to customer data or use it for model training, but the correct answer hinges on understanding that Google Cloud's contractual and technical controls (like Access Transparency) explicitly prevent unauthorized access and do not use customer data for AI training.

How to eliminate wrong answers

Option A is wrong because Google employees do not have unrestricted access; access is strictly controlled, logged via Access Transparency, and governed by contractual commitments. Option C is wrong because Google Cloud explicitly prohibits using customer data to train its global AI models; this is a common misconception, and Google's AI training uses publicly available data or data with explicit consent, not customer data. Option D is wrong because customer data is not automatically accessible by government agencies; any government request must follow legal processes, and Google provides transparency reports and notifies customers where legally permitted.

31
MCQmedium

A company wants to allow a third-party security firm to conduct a penetration test against their Google Cloud environment to identify vulnerabilities. What is Google Cloud's policy on penetration testing?

A.Customers must submit a formal request to Google and wait for written approval before any penetration testing.
B.Customers are authorized to penetration test their own GCP resources without prior Google approval, within the Acceptable Use Policy.
C.Penetration testing is illegal in cloud environments and customers should use vulnerability scanners instead.
D.Google automatically performs penetration testing on all customer resources monthly and shares the report.
AnswerB

GCP customers can test their own resources (VMs, apps, APIs) without notifying Google. Tests must comply with Google's AUP — targeting other customers' resources or Google's core infrastructure is prohibited.

Why this answer

Google Cloud's policy explicitly authorizes customers to conduct penetration testing on their own GCP resources without prior approval from Google, as long as the testing complies with the Acceptable Use Policy. This is because Google treats the customer's environment as their own responsibility, and the shared responsibility model places security testing under the customer's control. Option B correctly reflects this policy, which is documented in Google Cloud's security testing guidelines.

Exam trap

The trap here is that candidates may assume all cloud providers require prior approval (like AWS's old policy), but Google Cloud explicitly allows testing without approval, making Option A a common distractor.

How to eliminate wrong answers

Option A is wrong because Google Cloud does not require customers to submit a formal request or wait for written approval before penetration testing; instead, testing is authorized as long as it adheres to the Acceptable Use Policy. Option C is wrong because penetration testing is not illegal in cloud environments; Google Cloud explicitly permits it for customer resources, and vulnerability scanners are a complementary tool, not a replacement. Option D is wrong because Google does not automatically perform penetration testing on all customer resources monthly; the shared responsibility model means customers are responsible for testing their own resources, and Google does not share such reports with customers.

32
MCQeasy

A company's security policy requires that all cloud-to-cloud communication between services must be encrypted in transit. An auditor asks how Google Cloud handles encryption for network traffic between Google services within its network. What is Google's default approach to encryption in transit within its infrastructure?

A.Google does not encrypt internal traffic by default; customers must configure TLS for all service-to-service communication
B.Google encrypts all traffic between its data centers and internal services by default, with no customer configuration required
C.Google only encrypts traffic that crosses the public internet; internal network traffic is unencrypted for performance
D.Encryption in transit is the customer's responsibility for all traffic, including traffic within Google's network
AnswerB

Google uses Application Layer Transport Security (ALTS) to authenticate and encrypt all traffic between Google services and between data centers by default. This is a core Google infrastructure security commitment, not an optional feature customers must enable.

Why this answer

Google Cloud encrypts all network traffic between its data centers and internal services by default, using application-layer (e.g., gRPC with TLS) and link-layer encryption (e.g., MACsec or similar). This is a foundational security measure that requires no customer configuration, ensuring data is protected in transit even within Google's own infrastructure.

Exam trap

The trap here is that candidates often assume internal cloud provider networks are unencrypted for performance reasons, but Google Cloud encrypts all inter-service traffic by default, making options that require customer action or that claim no encryption incorrect.

How to eliminate wrong answers

Option A is wrong because Google does encrypt internal traffic by default; customers do not need to configure TLS for service-to-service communication within Google's network. Option C is wrong because Google encrypts not only traffic crossing the public internet but also internal network traffic between data centers and services, so performance is not a reason to leave it unencrypted. Option D is wrong because encryption in transit within Google's network is Google's responsibility and is handled automatically, not the customer's.

33
MCQeasy

When data is transmitted between a user's browser and a Google Cloud-hosted web application over HTTPS, which security protection does this provide?

A.It prevents unauthorized users from accessing the Google Cloud Console.
B.It encrypts data in transit between the user's browser and the server, preventing eavesdropping and tampering.
C.It encrypts data stored in the server's database.
D.It authenticates the user and verifies their permissions to use the application.
AnswerB

HTTPS/TLS encrypts the connection, ensuring data cannot be intercepted or modified as it travels between the user and the application. This is encryption in transit.

Why this answer

HTTPS (HTTP over TLS) encrypts the communication channel between the user's browser and the web server using Transport Layer Security (TLS). This ensures that any data transmitted, such as login credentials or API requests, is protected from eavesdropping and tampering while in transit. It does not protect data at rest or control access to cloud management interfaces.

Exam trap

Cisco often tests the distinction between encryption in transit (HTTPS) and encryption at rest (database encryption), leading candidates to incorrectly select an option about stored data or access control.

How to eliminate wrong answers

Option A is wrong because HTTPS does not control access to the Google Cloud Console; that is managed by IAM (Identity and Access Management) policies and authentication mechanisms like OAuth 2.0. Option C is wrong because HTTPS only encrypts data in transit, not data stored in the server's database; database encryption is handled by techniques like Cloud SQL encryption at rest or customer-managed encryption keys (CMEK). Option D is wrong because HTTPS does not authenticate the user or verify their permissions; user authentication and authorization are handled by the application layer (e.g., using Firebase Authentication or IAM), not by the TLS protocol itself.

34
MCQmedium

A company's security architect wants to implement 'privacy by design' principles when building a new customer data platform on Google Cloud. What does privacy by design mean in this context?

A.Privacy by design means the platform must refuse to collect any personal data from customers.
B.Privacy by design means privacy protections (encryption, data minimization, access controls, retention policies) are architected into the system from the start, not added after deployment.
C.Privacy by design is a legal requirement that mandates using only on-premises systems for customer data.
D.Privacy by design means storing all data in an encrypted format and using a VPN for all access.
AnswerB

Privacy by design makes privacy a foundational design principle: choosing which data to collect, how to protect it, who can access it, and when to delete it are designed before the first line of code — not discovered at audit time.

Why this answer

Privacy by design is a foundational principle that requires embedding privacy controls—such as encryption, data minimization, access controls, and retention policies—into the architecture of a system from the initial design phase, rather than retrofitting them after deployment. In the context of Google Cloud, this means using services like Cloud KMS for encryption, IAM for fine-grained access control, and data lifecycle policies to minimize data collection and enforce retention limits from the start. Option B correctly captures this proactive, integrated approach.

Exam trap

The trap here is that candidates often confuse privacy by design with a single technical control (like encryption or VPNs) or assume it prohibits data collection entirely, when in fact it is a holistic architectural approach that integrates multiple privacy controls from the outset.

How to eliminate wrong answers

Option A is wrong because privacy by design does not mandate refusing to collect any personal data; rather, it emphasizes collecting only the minimum necessary data (data minimization) and implementing protections around it. Option C is wrong because privacy by design is not a legal requirement that mandates on-premises systems; Google Cloud supports privacy by design through cloud-native services like Confidential VMs and Data Loss Prevention (DLP) that comply with regulations like GDPR. Option D is wrong because privacy by design is broader than just encryption and VPNs; it encompasses data minimization, purpose limitation, retention policies, and access controls, not just technical safeguards.

35
MCQmedium

A healthcare company must comply with HIPAA and store all protected health information (PHI) only in the United States. They use Google Cloud and want to prevent any accidental data storage outside the US. Which two services should they implement?

A.VPC Service Controls and Organization Policies
B.Data Loss Prevention API
C.Identity-Aware Proxy
D.Cloud Armor
AnswerA

VPC Service Controls create a data security perimeter, and Organization Policies restrict resource locations.

Why this answer

VPC Service Controls create a security perimeter around Google Cloud resources, preventing data from being copied or moved outside allowed regions. Organization Policies allow you to set a constraint (e.g., `gcp.resourceLocations`) that restricts where resources like Cloud Storage buckets or BigQuery datasets can be created, ensuring PHI remains in the US. Together, they enforce both data exfiltration prevention and location-based resource creation restrictions.

Exam trap

Google Cloud often tests the distinction between data *protection* (DLP, IAP, Cloud Armor) and data *residency enforcement* (VPC Service Controls, Organization Policies), leading candidates to confuse content inspection or access control with geographic restriction.

How to eliminate wrong answers

Option B (Data Loss Prevention API) is wrong because it is a content inspection and redaction tool, not a data residency enforcement mechanism; it scans for sensitive data patterns but does not prevent storage outside a geographic boundary. Option C (Identity-Aware Proxy) is wrong because it controls user access to applications based on identity and context, not data location or storage restrictions. Option D (Cloud Armor) is wrong because it is a web application firewall (WAF) that protects against DDoS and OWASP Top 10 threats, with no capability to enforce data residency or prevent storage in non-US regions.

36
Multi-Selecthard

Which TWO of the following are best practices for securing a Google Cloud environment? (Choose two.)

Select 2 answers
A.Use the same SSH key for all Compute Engine instances.
B.Grant minimal permissions to users and services using IAM roles.
C.Export service account keys and use them in on-premises applications for authentication.
D.Rotate service account keys every month.
E.Enable VPC Flow Logs for all subnets.
AnswersB, E

Least privilege reduces the impact of a compromised account.

Why this answer

Option B is correct because the principle of least privilege is a foundational security best practice in Google Cloud. By granting minimal permissions using IAM roles, you limit the attack surface and reduce the risk of unauthorized access or accidental data exposure. This aligns with Google Cloud's security model where roles are predefined or custom, and permissions are additive, never implicit.

Exam trap

Google Cloud often tests the misconception that service account key rotation is a best practice, but the trap here is that the real best practice is to avoid using service account keys altogether in favor of workload identity federation or short-lived credentials.

37
MCQeasy

A company's security team wants to ensure that only approved corporate devices can access Google Cloud resources, regardless of whether the user has valid credentials. Which Google Cloud security capability enforces device-level access requirements?

A.Cloud Armor, which filters incoming requests based on IP allowlists and denylists
B.Access Context Manager, which enforces device-level access requirements as part of context-aware access control policies
C.Identity-Aware Proxy (IAP), which provides application-level authentication but without device checks
D.VPC Service Controls, which restrict access to Google APIs based on network perimeter membership
AnswerB

Access Context Manager is precisely the service for this. It allows security teams to define access levels (policies) that include device attribute requirements — managed/enrolled devices, disk encryption, screen lock. These conditions must be met in addition to valid credentials for access to be granted.

Why this answer

Access Context Manager is the correct choice because it allows security teams to define context-aware access policies that include device-level attributes such as device OS type, device ID, and whether the device is managed (e.g., via endpoint verification or third-party EMM). This enforces device-level access requirements even if the user has valid credentials, directly addressing the scenario.

Exam trap

The trap here is that candidates confuse IAP's role in user authentication with device-level enforcement, not realizing that IAP delegates device context checks to Access Context Manager via access levels.

How to eliminate wrong answers

Option A is wrong because Cloud Armor filters traffic based on IP addresses (allowlists/denylists) and other network-layer attributes, not device-level identity or management status. Option C is wrong because Identity-Aware Proxy (IAP) provides authentication and authorization at the application layer but does not natively enforce device-level checks; it relies on Access Context Manager for such context. Option D is wrong because VPC Service Controls restrict access to Google APIs based on network perimeter (e.g., VPC, IP ranges) and do not evaluate device-level attributes.

38
MCQmedium

A company wants to ensure that even if an attacker compromises an employee's password and passes MFA, the attacker cannot access sensitive Google Cloud resources from an unmanaged personal laptop. Which Google security feature enforces device trust as part of access decisions?

A.Cloud Armor — it inspects device fingerprints on incoming requests.
B.Access Context Manager with device policy conditions requiring managed, compliant devices.
C.Cloud Firewall rules that allow only corporate office IP ranges.
D.Two-step verification — the second factor proves the device is trusted.
AnswerB

Access Context Manager defines access levels with device conditions (managed enrollment, encrypted disk, OS version). These levels are enforced in VPC Service Controls and IAP policies — blocking access from unmanaged devices.

Why this answer

Access Context Manager allows you to define device policy conditions that require devices to be managed (e.g., via endpoint verification) and compliant with corporate security policies. When an attacker attempts to access sensitive Google Cloud resources from an unmanaged personal laptop, the access level will not be satisfied, and access is denied even if the user's password and MFA are valid. This enforces device trust as a distinct attribute in the access decision, separate from user authentication.

Exam trap

Cisco often tests the distinction between authentication (MFA) and device trust, so the trap here is that candidates confuse two-step verification (MFA) with device trust, thinking that a second factor inherently proves the device is trusted, when in reality MFA only proves the user's identity, not the device's security posture.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall that inspects HTTP/S traffic and can use device fingerprints (e.g., via reCAPTCHA or WAF rules), but it does not enforce device trust as a condition for access to Google Cloud resources; it operates at the network edge, not as an identity-aware access control. Option C is wrong because Cloud Firewall rules that allow only corporate office IP ranges restrict access based on network origin, not device trust; an attacker could still use a managed laptop from a corporate IP if they compromise it, and an unmanaged personal laptop from a corporate IP would bypass the intent. Option D is wrong because two-step verification (MFA) verifies the user's identity via a second factor (e.g., TOTP, push notification), but it does not prove the device is trusted; an attacker who has compromised the password and MFA (e.g., via session hijacking or phishing) can still access resources from any device.

39
MCQhard

A healthcare organization is migrating a HIPAA-covered application to Google Cloud. The application processes electronic protected health information (ePHI) and must maintain strict data residency within a specific geographic region. The organization has already signed a Business Associate Agreement (BAA) with Google Cloud. During a compliance review, the security team discovers that one of the Cloud Storage buckets containing ePHI is located in the 'US' multi-region, but the organization's data residency policy requires data to be stored only in the United States region (e.g., us-central1). The bucket was created without any enforcement of organization policies. The team also finds that several Compute Engine instances in the us-central1 zone have public IP addresses and are accessible over the internet via SSH, which could expose ePHI in transit. The security team needs to remediate these issues while minimizing downtime and without violating the BAA. Which course of action should the security team take first?

A.Remove public IPs from all Compute Engine instances and enforce firewall rules to block SSH from the internet.
B.Configure VPC Service Controls to create a secure perimeter around the project and restrict data movement.
C.Enable customer-managed encryption keys (CMEK) on the bucket to encrypt all objects at rest.
D.Move the bucket to a regional location (e.g., us-central1) using the 'gcloud storage buckets update' command and set the location constraint.
AnswerD

Moving the bucket to a regional location ensures data stays within the US, satisfying the data residency requirement. This should be done first to avoid further violation.

Why this answer

Option D is correct because the immediate priority is to resolve the data residency violation by moving the bucket from the 'US' multi-region to a specific regional location like us-central1. The 'gcloud storage buckets update' command with the '--location' flag can change the bucket's location, but only if the bucket is empty; since the bucket contains ePHI, the security team must first copy the data to a new regional bucket and then delete the original. This directly addresses the compliance requirement without violating the BAA, as the BAA is already in place and does not restrict location changes.

Exam trap

Google Cloud often tests the misconception that security controls like encryption or network perimeters can substitute for geographic compliance, but data residency is a location-based requirement that can only be fixed by moving the data to the correct region.

How to eliminate wrong answers

Option A is wrong because removing public IPs and blocking SSH from the internet addresses network exposure but does not fix the data residency violation of the bucket being in a multi-region. Option B is wrong because VPC Service Controls create a security perimeter to prevent data exfiltration but do not change the physical location of the bucket, so the data residency policy is still violated. Option C is wrong because enabling CMEK encrypts objects at rest but does not alter the bucket's geographic location, leaving the data residency non-compliance unresolved.
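The residency check behind questions 35 and 39, as an added example that is not part of the question bank: a POSIX shell audit that flags buckets outside an allowed-region list (the 'US' multi-region case above) and prints the `gcp.resourceLocations` Organization Policy that would stop new ones being created there. The bucket inventory, project id and allowed regions are constructed assumptions, and the `in:<region>-locations` value-group names follow the constraint's documented syntax.

```shell
#!/bin/sh
# Added example (not from the question bank): audit Cloud Storage bucket
# locations against a data-residency allowlist and emit the Organization
# Policy that enforces it for new resources.

# Constructed sample, shaped like the output of
#   gcloud storage buckets list --format="value(name,location,locationType)"
# (made-up data, not real gcloud output)
SAMPLE_INVENTORY='phi-archive US multi-region
phi-records us-central1 region
phi-backups nam4 dual-region
phi-exports EU multi-region'

# Regions the residency policy permits (assumption: specific US regions only,
# so the 'US' multi-region and dual-regions are treated as violations)
ALLOWED_LOCATIONS="us-central1 us-east1"

# residency_violations: reads "name location type" lines on stdin and prints
# one line per bucket whose location is not in ALLOWED_LOCATIONS.
# Returns 1 if any violation was found, 0 if the inventory is compliant.
residency_violations() {
    found=0
    while read -r name location loctype; do
        [ -z "$name" ] && continue
        # gcloud prints multi-regions upper-case ("US"); compare case-insensitively
        lc_loc=$(printf '%s' "$location" | tr 'A-Z' 'a-z')
        ok=0
        for allowed in $ALLOWED_LOCATIONS; do
            [ "$lc_loc" = "$allowed" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s %s (%s)\n' "$name" "$location" "$loctype"
            found=1
        fi
    done
    return "$found"
}

# residency_policy_yaml: prints a gcp.resourceLocations policy for project $1
# in the format accepted by "gcloud org-policies set-policy FILE".
# One allowedValues entry is emitted per permitted region.
residency_policy_yaml() {
    printf 'name: projects/%s/policies/gcp.resourceLocations\n' "$1"
    printf 'spec:\n  rules:\n  - values:\n      allowedValues:\n'
    for allowed in $ALLOWED_LOCATIONS; do
        printf '      - in:%s-locations\n' "$allowed"
    done
}

# Stand-alone run: list violations, then show the policy that prevents new ones
printf '%s\n' "$SAMPLE_INVENTORY" | residency_violations
residency_policy_yaml my-project
```

The constraint only governs resources created after it is set, so buckets the audit flags still need the copy-to-a-regional-bucket-then-delete migration described above.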

40
MCQmedium

A healthcare company needs to store patient data in Google Cloud and must comply with HIPAA (Health Insurance Portability and Accountability Act). Which statement correctly describes how Google Cloud helps them achieve HIPAA compliance?

A.Storing data in Google Cloud automatically makes an application HIPAA-compliant.
B.Google offers HIPAA-eligible services and signs a Business Associate Agreement (BAA), but customers must implement their own technical safeguards and access controls.
C.HIPAA compliance is impossible on public cloud; healthcare data must stay on-premises.
D.Google Cloud's automatic data encryption fully satisfies all HIPAA technical safeguard requirements.
AnswerB

Google provides HIPAA-eligible cloud infrastructure and signs BAAs. However, HIPAA compliance requires customer actions: access control, audit logging, workforce training, and breach procedures — all customer responsibilities.

Why this answer

Option B is correct because Google Cloud provides HIPAA-eligible services and offers a Business Associate Agreement (BAA) to covered entities, but compliance is a shared responsibility. Customers must configure their own technical safeguards, such as access controls, audit logging, and encryption key management, to meet HIPAA requirements. Google Cloud does not automatically make an application compliant; the customer must implement the necessary controls.

Exam trap

Cisco often tests the shared responsibility model by presenting options that imply full vendor responsibility (like automatic compliance) or full customer responsibility (like impossibility), and the trap here is assuming that encryption alone satisfies all HIPAA technical safeguards, ignoring access control and audit requirements.

How to eliminate wrong answers

Option A is wrong because storing data in Google Cloud does not automatically make an application HIPAA-compliant; compliance requires the customer to implement technical safeguards and access controls, and to sign a BAA. Option C is wrong because HIPAA compliance is achievable on public cloud platforms like Google Cloud when using HIPAA-eligible services and signing a BAA, and many healthcare organizations successfully run workloads in the cloud. Option D is wrong because Google Cloud's automatic data encryption addresses only one aspect of HIPAA's technical safeguards; it does not satisfy all requirements, such as access control, audit controls, and integrity controls, which the customer must implement.

41
MCQhard

A CISO is implementing a Zero Trust security architecture for the company's Google Cloud environment. Under Zero Trust, which fundamental assumption about network traffic changes compared to traditional perimeter-based security?

A.Zero Trust assumes that internal network traffic is more secure than external traffic because it has passed through the corporate firewall
B.Zero Trust assumes no traffic is trusted by default regardless of network origin — every request must be explicitly authenticated and authorized based on identity, device posture, and context
C.Zero Trust assumes all traffic is malicious and blocks all requests by default, requiring explicit allowlisting for each connection
D.Zero Trust eliminates the need for encryption since all traffic is assumed to be on secure internal networks
AnswerB

This is the core Zero Trust principle: 'never trust, always verify.' A request from inside the VPC receives the same verification scrutiny as a request from the public internet. This model is more appropriate for cloud environments where the network perimeter no longer has clear meaning — employees, services, and attackers can all be inside the 'perimeter.'

Why this answer

Option B is correct because Zero Trust fundamentally shifts from implicit trust based on network location to explicit verification of every request. In Google Cloud, this means every API call, regardless of whether it originates from within the VPC or the internet, must be authenticated (e.g., using OAuth 2.0 or service account keys) and authorized based on identity, device posture, and context, as enforced by tools like Identity-Aware Proxy (IAP) and VPC Service Controls.

Exam trap

The trap here is that candidates often confuse Zero Trust's 'never trust, always verify' with a blanket denial of all traffic (Option C), when in reality it requires explicit verification for each request, not static allowlisting.

How to eliminate wrong answers

Option A is wrong because Zero Trust explicitly rejects the assumption that internal network traffic is more secure; it treats all traffic as untrusted, including traffic within the same VPC or subnet, and does not rely on a corporate firewall for trust. Option C is wrong because Zero Trust does not assume all traffic is malicious and block by default; it assumes no implicit trust but allows traffic after explicit authentication and authorization, not via static allowlisting. Option D is wrong because Zero Trust does not eliminate the need for encryption; in fact, it mandates encryption in transit (e.g., TLS 1.3) and at rest for all traffic, as internal networks are no longer considered trusted boundaries.

42
MCQmedium

A company's compliance team asks what evidence they can provide to regulators to demonstrate that Google Cloud services meet industry security standards. Which type of documentation most directly provides this evidence?

A.Google Cloud's marketing materials and product documentation describing security features
B.Third-party audit reports and compliance certifications (SOC 2 Type II, ISO 27001, PCI DSS) available through Google Cloud's Compliance Reports Manager, which provide independent verification of security controls
C.The company's own internal security policies that reference using Google Cloud
D.A Google Cloud support ticket confirming that the company's account is in good standing
AnswerB

These reports are the correct evidence. SOC 2 Type II demonstrates security controls operated effectively over a period. ISO 27001 certification shows a comprehensive ISMS is in place. PCI DSS attestation covers payment card security. These are issued by qualified independent auditors and accepted by regulators globally.

Why this answer

Compliance reports and audit certifications from independent third parties (SOC 2 Type II reports, ISO 27001 certificates, PCI DSS attestation) are the most credible evidence for regulators. These documents represent independent auditors certifying that specific controls were in place and operating effectively during the audit period. Google Cloud makes these reports available to customers through the Compliance Reports Manager.

43
MCQeasy

A company stores customer data in Google Cloud and wants to ensure data confidentiality in the event that hardware is decommissioned and returned by Google. How does Google protect customer data when storage hardware reaches end of life?

A.Google transfers customer data to new hardware first, then ships the old hardware to the customer for self-destruction.
B.Google uses approved data erasure and physical destruction processes (shredding, degaussing) for decommissioned storage media before hardware leaves its facilities.
C.Customer data on decommissioned hardware is automatically encrypted, making it safe to discard without wiping.
D.Customers must pay a data destruction fee to ensure their data is wiped from decommissioned hardware.
AnswerB

Google's documented hardware decommission process includes verified data erasure and physical destruction of storage media. This is covered in Google's security whitepaper and audited by third parties.

Why this answer

Option B is correct because Google Cloud follows strict data destruction policies for decommissioned storage media. Before any hardware leaves Google's facilities, it undergoes approved data erasure (e.g., NIST SP 800-88 compliant wiping) followed by physical destruction (e.g., shredding, degaussing) to ensure customer data cannot be recovered. This process guarantees data confidentiality even if the hardware is returned or recycled.

Exam trap

The trap here is that candidates assume encryption alone (Option C) is sufficient for decommissioned hardware, but Google's policy requires physical destruction or verified erasure to prevent data recovery from encrypted drives if keys are later compromised.

How to eliminate wrong answers

Option A is wrong because Google does not ship decommissioned hardware to customers; instead, Google retains and destroys the hardware internally to prevent any data leakage. Option C is wrong because while data at rest is encrypted, encryption alone is not sufficient for decommissioned hardware—Google still performs secure erasure and physical destruction to protect against future decryption or key compromise. Option D is wrong because data destruction is included as a standard part of Google's hardware lifecycle management at no additional cost to customers.

44
MCQmedium

A security architect wants to implement a 'never trust, always verify' security approach where no user or service is assumed to be trustworthy based on network location alone. Every access request must be authenticated and authorized regardless of whether it comes from inside or outside the corporate network. Which security model describes this approach?

A.Perimeter security model
B.Zero Trust security model
C.Defense in depth model
D.Principle of least privilege
AnswerB

Zero Trust requires authentication and authorization for every request, regardless of network origin. 'Never trust, always verify' is the defining principle of Zero Trust.

Why this answer

The Zero Trust security model (Option B) is correct because it explicitly enforces the 'never trust, always verify' principle, requiring authentication and authorization for every access request regardless of network location. In Google Cloud, this aligns with BeyondCorp, which uses Identity-Aware Proxy (IAP) and context-aware access to verify each request based on user identity, device posture, and other attributes, rather than trusting based on IP address or network perimeter.

Exam trap

The trap here is that candidates often confuse 'defense in depth' (Option C) with Zero Trust because both involve multiple security layers, but defense in depth does not inherently require every request to be verified regardless of network location, which is the defining characteristic of Zero Trust.

How to eliminate wrong answers

Option A is wrong because the perimeter security model assumes trust inside the corporate network (e.g., VPN or firewall boundaries), which violates the 'never trust, always verify' approach. Option C is wrong because defense in depth is a layered security strategy (e.g., firewalls, IDS, encryption) but does not inherently require every request to be authenticated and authorized regardless of network location; it can still rely on perimeter trust. Option D is wrong because the principle of least privilege limits permissions to the minimum necessary but does not address the core requirement of verifying every access request based on location independence; it is a complementary concept, not the model described.

45 · MCQ · hard

Refer to the exhibit. A developer receives this error when trying to create a Compute Engine instance. The developer is authenticated as a user with Project Editor role. What is the most likely cause?

A. The project has reached its compute instance quota.
B. The developer does not have the compute.instances.create permission.
C. The service account used for the instance lacks IAM permissions.
D. The VPC network has insufficient IP addresses.
Answer: C

The error indicates the service account (my-service-account) lacks compute.instances.create on the project.

Why this answer

Option C is correct because the error occurs when the Compute Engine instance creation fails due to insufficient IAM permissions on the service account attached to the instance. Even though the developer has the Project Editor role (which includes compute.instances.create), the service account used by the instance must have the necessary IAM roles (e.g., roles/iam.serviceAccountUser) to be used. Without these permissions, the API call to create the instance is denied, resulting in the error.

Exam trap

Google Cloud often tests the distinction between user-level permissions (e.g., Project Editor) and service account-level permissions (e.g., roles/iam.serviceAccountUser), tricking candidates into thinking the user's role is sufficient when the error is actually about the service account's IAM bindings.

How to eliminate wrong answers

Option A is wrong because a quota error would produce a specific 'quota exceeded' message, not a generic permission error, and the Project Editor role can view quotas but not bypass them. Option B is wrong because the Project Editor role includes the compute.instances.create permission, so the developer does have that permission; the error is not about the user's permissions but about the service account's permissions. Option D is wrong because insufficient IP addresses would cause a different error related to resource exhaustion (e.g., 'IP address space exhausted'), not an IAM permission error.

46 · Multi-Select · medium

Which TWO Google Cloud services help prevent data exfiltration from virtual machines?

Select 2 answers
A. Access Transparency
B. Security Command Center
C. Cloud Armor
D. Cloud Data Loss Prevention (DLP)
E. VPC Service Controls
Answers: D, E

Correct: DLP can inspect data and prevent sensitive data from leaving.

Why this answer

Cloud Data Loss Prevention (DLP) is correct because it enables inspection of data at rest and in motion for sensitive content (e.g., PII, credit card numbers) using predefined or custom infoTypes. When integrated with VPC Service Controls, it can block or redact sensitive data before it leaves the virtual machine's network boundary, directly preventing data exfiltration.

Exam trap

Google Cloud often tests the distinction between monitoring/logging services (like Access Transparency and Security Command Center) and active data exfiltration prevention controls (like VPC Service Controls and Cloud DLP), leading candidates to select options that only provide visibility rather than enforcement.

47 · MCQ · medium

A company has migrated sensitive customer data to Google Cloud. The legal team asks: 'If Google is hosting our data, who is responsible for ensuring that data is not improperly accessed by unauthorized users through our application?' Under the shared responsibility model, how should the CTO answer?

A. Google is fully responsible because they host the data and control the infrastructure
B. The customer is responsible for application access controls, authentication, and IAM policies that protect data from unauthorized application-layer access, while Google secures the underlying infrastructure
C. Both Google and the customer share equal 50/50 responsibility for all data access controls
D. No one is responsible because cloud computing inherently cannot prevent unauthorized access
Answer: B

This is the correct shared responsibility answer. Google secures the infrastructure layer — physical hardware, network, hypervisor. The customer must secure their application layer: who can access the application, how they authenticate, what permissions their service accounts have, and whether the application has vulnerabilities.

Why this answer

Option B is correct because under the Google Cloud shared responsibility model, the customer is responsible for securing access to their application and data, including authentication, authorization, and IAM policies, while Google is responsible for the security of the underlying infrastructure (physical security, network, hypervisor). The legal team's question specifically asks about unauthorized access through the customer's application, which falls under the customer's responsibility for application-layer controls.

Exam trap

The trap here is that candidates often assume the cloud provider is fully responsible for all security aspects, but the shared responsibility model explicitly places application-layer access controls, authentication, and IAM on the customer, especially when the question specifies 'through our application'.

How to eliminate wrong answers

Option A is wrong because it incorrectly states Google is fully responsible for all data access; Google secures the infrastructure but the customer must manage application-layer access controls, IAM, and authentication. Option C is wrong because responsibility is not a fixed 50/50 split; it is a shared model where Google secures the infrastructure and the customer secures their data, applications, and access policies. Option D is wrong because cloud computing can prevent unauthorized access through proper implementation of security controls like IAM, encryption, and network policies; it is not inherently incapable of preventing unauthorized access.

48 · MCQ · hard

A company has a requirement from their security auditor to demonstrate that all administrative actions performed in Google Cloud (such as creating VMs, modifying IAM policies, and deleting storage buckets) are logged and tamper-evident. Which Cloud Logging log type fulfills this requirement?

A. Data Access audit logs — they capture all read and write operations.
B. Admin Activity audit logs — always-on, tamper-resistant logs of all administrative API calls.
C. System Event audit logs — they capture all Google Cloud operations.
D. Cloud Monitoring logs — they track all changes to monitored resources.
Answer: B

Admin Activity audit logs are automatically enabled for all services, cannot be disabled, and cannot be deleted by any user. They capture all resource creation, modification, and deletion — exactly what auditors require.

Why this answer

Admin Activity audit logs are always-on, tamper-resistant logs that record all administrative API calls, such as creating VMs, modifying IAM policies, and deleting storage buckets. They cannot be disabled or modified by users, ensuring tamper-evident logging for security auditor requirements.

Exam trap

The trap here is that candidates confuse Data Access audit logs (which require enabling and capture data-level operations) with Admin Activity audit logs (which are always-on and capture administrative actions), leading them to incorrectly select option A.

How to eliminate wrong answers

Option A is wrong because Data Access audit logs capture read and write operations on user data, not administrative actions like creating VMs or modifying IAM policies, and they are not always-on (they must be explicitly enabled). Option C is wrong because System Event audit logs capture Google Cloud system events (e.g., automatic maintenance), not administrative actions performed by users. Option D is wrong because Cloud Monitoring logs track metrics and alerts for resource performance, not administrative API calls, and they are not tamper-resistant logs.

49 · MCQ · hard

An organization's security team reviews their Google Cloud environment and finds that several Cloud Storage buckets have `allAuthenticatedUsers` bindings, and multiple service accounts have the Owner role. Which Google Cloud tool automatically identifies these types of high-risk IAM configurations?

A. Cloud Audit Logs — reviewing all recent IAM changes.
B. Security Command Center (SCC) with IAM Recommender and Security Health Analytics.
C. Cloud Billing reports — they flag expensive configurations that indicate security issues.
D. Cloud Monitoring — it alerts when IAM policies are modified.
Answer: B

SCC's Security Health Analytics automatically detects high-risk configurations: public bucket access, Owner/Editor role grants, overly permissive service accounts. IAM Recommender suggests permission reductions based on actual usage.

Why this answer

Security Command Center (SCC) with Security Health Analytics and IAM Recommender is the correct tool because it automatically scans for high-risk IAM configurations, such as `allAuthenticatedUsers` bindings on Cloud Storage buckets and service accounts with the Owner role. Security Health Analytics detects misconfigurations against CIS benchmarks and Google Cloud best practices, while IAM Recommender provides actionable recommendations to reduce excessive permissions. This combination proactively identifies and helps remediate these specific security risks without requiring manual log review or billing analysis.

Exam trap

The trap here is that candidates often confuse Cloud Audit Logs or Cloud Monitoring with proactive security scanning tools, not realizing that those services only provide raw data or alerts on changes, whereas SCC with Security Health Analytics and IAM Recommender actively analyzes the configuration state to detect high-risk IAM bindings.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs only record historical IAM changes and require manual review to identify high-risk configurations; they do not automatically detect or flag misconfigurations like `allAuthenticatedUsers` bindings. Option C is wrong because Cloud Billing reports focus on cost analysis and do not have the capability to identify IAM security misconfigurations or excessive permissions. Option D is wrong because Cloud Monitoring can alert on policy changes via logs-based metrics, but it does not natively analyze the content of IAM policies to detect high-risk bindings like `allAuthenticatedUsers` or Owner roles on service accounts.

50 · MCQ · medium

A multinational company must ensure that personal data of European citizens stored in Google Cloud cannot be accessed by or transferred to systems outside the European Union, as required by GDPR data residency requirements. Which Google Cloud controls most directly enforce this?

A. Enabling HTTPS for all data transmission to ensure data is encrypted during transfer
B. Configuring organization policy to restrict resource creation to EU regions, using VPC Service Controls to prevent data movement outside the EU perimeter, and establishing a GDPR-compliant Data Processing Agreement with Google
C. Using Customer-Managed Encryption Keys (CMEK) where the encryption keys are stored outside Google's infrastructure
D. Training developers about GDPR requirements and requiring manual approval for any cross-region data transfers
Answer: B

This combination addresses GDPR data residency: org policy constraints prevent resources from being created outside EU regions; VPC Service Controls prevent data from being read out of the EU perimeter; the DPA provides contractual compliance assurance. Together they form a comprehensive GDPR data residency control framework.

Why this answer

Option B is correct because it combines three essential controls that directly enforce GDPR data residency: Organization Policies restrict resource creation to EU regions, VPC Service Controls create a data perimeter preventing exfiltration outside the EU, and a GDPR-compliant Data Processing Agreement (DPA) establishes the legal framework for data handling. These controls work together to ensure data at rest and in transit remains within the EU boundary, directly addressing the residency requirement.

Exam trap

Google Cloud often tests the misconception that encryption (HTTPS or CMEK) alone satisfies data residency requirements, when in fact residency is about geographic location of data, not its confidentiality during transit or at rest.

How to eliminate wrong answers

Option A is wrong because HTTPS only encrypts data in transit; it does not restrict where data is stored or prevent it from being transferred to systems outside the EU, so it fails to enforce data residency. Option C is wrong because CMEK controls encryption key management, not data location; keys stored outside Google's infrastructure do not prevent data from being moved or stored outside the EU, and GDPR residency is about physical location, not key custody. Option D is wrong because training and manual approval are procedural controls, not technical enforcement mechanisms; they rely on human compliance and cannot guarantee that data never leaves the EU, especially at scale or in automated environments.

51 · MCQ · easy

A company wants to grant a data analyst read-only access to specific BigQuery datasets, but only if the request comes from within the corporate network. Which two Google Cloud tools should they combine to enforce this?

A. IAM and VPC Service Controls
B. IAM and Cloud IAP
C. Cloud Armor and IAM
D. Organization Policies and Cloud Audit Logs
Answer: A

IAM grants roles (e.g., BigQuery Data Viewer) and VPC Service Controls restrict access to the corporate network.

Why this answer

IAM defines the read-only role (e.g., roles/bigquery.dataViewer) for the data analyst, while VPC Service Controls create a security perimeter that restricts access to the BigQuery API from only the corporate network IP range. Together, they ensure the request is both authorized by IAM and originates from within the allowed VPC perimeter, blocking any access from outside the corporate network even if the IAM role is granted.

Exam trap

Google Cloud often tests the distinction between network-level access control (VPC Service Controls) and identity-level access control (IAP), leading candidates to incorrectly pair IAM with IAP for API-based services like BigQuery.

How to eliminate wrong answers

Option B is wrong because Cloud IAP (Identity-Aware Proxy) is designed for controlling access to web applications and SSH/RDP to VMs, not for restricting API-level access to BigQuery datasets based on network origin. Option C is wrong because Cloud Armor is a web application firewall (WAF) that protects HTTP(S) load-balanced applications, not a tool for enforcing network-level access control to BigQuery APIs. Option D is wrong because Organization Policies are used to set constraints on Google Cloud resources (e.g., resource location), and Cloud Audit Logs are for logging and monitoring, not for enforcing network-based access restrictions.

52 · MCQ · medium

A security team is conducting a threat model for their Google Cloud environment. They identify 'insider threat' — a malicious authorized employee who intentionally exfiltrates or destroys data — as a key risk. Which combination of Google Cloud controls most effectively mitigates this risk?

A. Strong external firewall rules, because insider threats come from internal network actors who must be blocked at the perimeter
B. Least privilege IAM (limiting access to only necessary resources), comprehensive audit logging (detecting anomalous access), VPC Service Controls (preventing data exfiltration to external projects), and separation of duties for critical actions
C. Encrypting all data at rest with CMEK, since encryption prevents authorized users from reading data
D. Requiring all employees to pass annual security training to prevent insider threats
Answer: B

This layered approach addresses insider threat from multiple angles: least privilege limits what a malicious insider can access; audit logs detect anomalous behavior (bulk data access, unusual hours); VPC Service Controls prevent copying data to personal or competitor GCP projects; separation of duties requires collusion for the most dangerous actions.

Why this answer

Option B is correct because it combines least privilege IAM to limit the blast radius, comprehensive audit logging (e.g., Cloud Audit Logs) to detect anomalous access patterns, VPC Service Controls to prevent data exfiltration via VPC perimeter enforcement, and separation of duties (e.g., using Cloud IAM Conditions) to ensure no single insider can perform critical actions alone. This layered defense addresses both prevention and detection of malicious insider activity.

Exam trap

The trap here is that candidates often assume encryption (CMEK) or training alone can stop insider threats, but they fail to realize that an authorized insider can still read or exfiltrate data unless data exfiltration controls (like VPC Service Controls) and audit logging are in place.

How to eliminate wrong answers

Option A is wrong because strong external firewall rules block external traffic but do not mitigate an insider threat, which originates from within the network and already has valid credentials. Option C is wrong because encrypting data at rest with CMEK does not prevent an authorized user with decryption keys from reading or exfiltrating data; encryption protects against unauthorized access, not insider misuse. Option D is wrong because annual security training is a preventative awareness measure but does not provide technical controls to stop or detect a determined malicious insider who already has access.

53 · MCQ · easy

What compliance certification verifies that an organization's Information Security Management System (ISMS) meets internationally recognized standards for managing information security risks?

A. SOC 2 Type II
B. ISO/IEC 27001
C. PCI DSS
D. FedRAMP
Answer: B

ISO 27001 certifies an organization's ISMS meets internationally accepted information security management standards. Google Cloud holds this certification, audited by independent third parties.

Why this answer

ISO/IEC 27001 is the international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It provides a systematic approach to managing sensitive company information, ensuring it remains secure through risk management processes. This certification is recognized globally and is the primary standard for ISMS compliance.

Exam trap

The trap here is that candidates often confuse SOC 2 Type II (which focuses on service organization controls) with ISO/IEC 27001 (which is the specific international standard for an ISMS), leading them to select SOC 2 Type II when the question explicitly asks for an ISMS certification.

How to eliminate wrong answers

Option A is wrong because SOC 2 Type II is an auditing procedure that evaluates a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy based on the AICPA Trust Services Criteria, not an ISMS standard. Option C is wrong because PCI DSS is a security standard specifically for organizations that handle branded credit cards, focusing on cardholder data protection, not a general ISMS framework. Option D is wrong because FedRAMP is a U.S. government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, not an international ISMS certification.

54 · MCQ · hard

A financial services company needs to ensure that all access to sensitive data in Cloud Storage is logged with information about the user and the reason for access. Which feature should they enable?

A. Cloud Data Loss Prevention (DLP)
B. Security Command Center
C. Cloud Audit Logs
D. Access Transparency
Answer: D

Access Transparency logs provide details on data access, including reason and user identity.

Why this answer

Access Transparency provides detailed logs of actions taken by Google Cloud support and engineering personnel when accessing customer data, including the specific user and the business reason for access. This meets the requirement for logging all access to sensitive data in Cloud Storage with user identity and reason, as it covers both Google and customer-side access.

Exam trap

The trap here is that candidates confuse Cloud Audit Logs with Access Transparency, assuming that standard audit logs capture the reason for access, but Cloud Audit Logs only record the action and user, not the business justification, which is a key differentiator for Access Transparency.

How to eliminate wrong answers

Option A is wrong because Cloud Data Loss Prevention (DLP) is a service for inspecting, classifying, and masking sensitive data, not for logging access events with user and reason details. Option B is wrong because Security Command Center is a security and risk management platform that provides threat detection and vulnerability findings, but it does not natively log individual data access events with user identity and reason. Option C is wrong because Cloud Audit Logs record administrative and data access activities within Google Cloud, but they do not include the business reason for access, which is a specific requirement of Access Transparency.

55 · MCQ · easy

A company wants to enforce that all Cloud Storage buckets in a project have uniform bucket-level access enabled. Which Google Cloud tool should they use?

A. Use Cloud Audit Logs to monitor and alert on non-compliant buckets.
B. Define an Organization Policy with a constraint on uniform bucket-level access.
C. Set an IAM policy to deny access to buckets without uniform access.
D. Use Cloud Key Management Service to rotate keys.
Answer: B

Organization Policy can enforce constraints like 'storage.uniformBucketLevelAccess'.

Why this answer

Organization Policies in Google Cloud allow administrators to enforce constraints across the entire resource hierarchy. The constraint `constraints/storage.uniformBucketLevelAccess` can be applied at the project, folder, or organization level to require uniform bucket-level access on all Cloud Storage buckets, preventing any bucket from being created or updated without it.

Exam trap

Google Cloud often tests the distinction between monitoring/logging tools (like Audit Logs) and enforcement tools (like Organization Policies), leading candidates to choose a reactive solution instead of a proactive, policy-based one.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs only provide logging and monitoring for historical or real-time events; they cannot enforce or prevent non-compliant configurations, only alert after the fact. Option C is wrong because IAM policies grant or deny access to resources based on identities and roles, but they cannot enforce a configuration setting like uniform bucket-level access on a bucket itself. Option D is wrong because Cloud Key Management Service (KMS) manages encryption keys, not access control policies for bucket-level access settings.

56 · Matching · medium

Match each Google Cloud storage class to its use case.

Concepts and their matching descriptions:

Standard: Frequently accessed data, low latency

Nearline: Data accessed less than once a month

Coldline: Data accessed less than once a quarter

Archive: Data accessed less than once a year

Autoclass: Automatic placement of objects into appropriate classes

Why these pairings

These are Cloud Storage classes for different access patterns.

57 · MCQ · medium

A security engineer notices that a Compute Engine VM instance has a public IP address even though it should not be reachable from the internet. They want this configuration to be prevented by default for all future projects in the organization. What should they do?

A. Set an IAM policy to deny compute.instances.create with public IP
B. Define an Organization Policy with the constraint compute.vmExternalIpAccess
C. Create a VPC firewall rule to deny all traffic from the internet to the VM
D. Use Cloud Security Scanner to identify and remediate
Answer: B

This organization policy restricts public IP assignment on VMs across the organization.

Why this answer

Option B is correct because Organization Policies in Google Cloud allow you to set constraints at the organization, folder, or project level to enforce security controls. The `compute.vmExternalIpAccess` constraint specifically prevents VMs from being created with external IP addresses, ensuring that no future Compute Engine instances in the organization can have public IPs by default. This is a preventive control that applies to all new VM creations, unlike IAM policies or firewall rules which are more granular or reactive.

Exam trap

The trap here is that candidates often confuse IAM policies with Organization Policies, thinking that IAM can restrict resource configurations (like public IPs) when it only controls who can perform actions, not the attributes of the resources created.

How to eliminate wrong answers

Option A is wrong because IAM policies control who can perform actions (like `compute.instances.create`), but they cannot restrict the configuration of a resource (such as whether a public IP is assigned) — IAM does not support conditional constraints on resource attributes like external IP assignment. Option C is wrong because a VPC firewall rule can block traffic to the VM, but it does not prevent the VM from having a public IP address; the VM would still be reachable from the internet if the firewall rule is misconfigured or not applied, and it does not enforce a default policy for future projects. Option D is wrong because Cloud Security Scanner is a tool for finding vulnerabilities in web applications (like XSS or CSRF), not for enforcing organizational policies on VM public IP assignment; it is a detective control, not a preventive one.

58 · MCQ · hard

A healthcare company runs its critical application on Google Cloud. The application uses Cloud SQL for patient records, Cloud Storage for medical images, and Pub/Sub for data ingestion. The security team requires that all data at rest be encrypted with a key that is managed and rotated by their on-premises HSM. They also need to ensure that any potential data exfiltration is immediately detected and prevented. Recently, a vulnerability scan revealed that a Cloud SQL instance had a public IP. The team wants to enforce that no Cloud SQL instance can be created with a public IP across the entire organization. Additionally, they need to implement a solution to monitor and alert on any suspicious activity, such as a large download from Cloud Storage. They have a limited budget and cannot afford complex custom solutions. Which combination of Google Cloud services should they use to meet these requirements?

A. Use CMEK with Cloud KMS for encryption, set an Organization Policy to restrict public IPs on Cloud SQL, and configure Cloud Audit Logs with alerting via Cloud Monitoring to detect data exfiltration.
B. Use Cloud External Key Manager (EKM) for encryption, define an Organization Policy constraint to prohibit public IPs on Cloud SQL, deploy Security Command Center with Event Threat Detection to monitor for data exfiltration, and implement VPC Service Controls to limit data access.
C. Use default encryption with Google-managed keys, set an IAM condition to deny public IP on Cloud SQL, and configure Cloud Data Loss Prevention to detect sensitive data exfiltration.
D. Use Cloud HSM for encryption, create a VPC firewall rule to block all incoming traffic to Cloud SQL, and use Cloud Armor to protect against data exfiltration.
Answer: B

EKM integrates with on-prem HSM; Organization Policy enforces no public IPs; SCC with Event Threat Detection detects exfiltration; VPC Service Controls prevent exfiltration.

Why this answer

Option B is correct because Cloud External Key Manager (EKM) allows you to use an external key management system (on-premises HSM) for encrypting data at rest in Google Cloud services like Cloud SQL, Cloud Storage, and Pub/Sub. The Organization Policy constraint `constraints/sql.restrictPublicIp` can enforce that no Cloud SQL instance is created with a public IP. Security Command Center with Event Threat Detection provides out-of-the-box monitoring and alerting for suspicious activities like large downloads from Cloud Storage, while VPC Service Controls adds a data exfiltration prevention layer by restricting data movement outside a defined service perimeter.

Exam trap

Google Cloud often tests the distinction between key management options (CMEK vs. EKM vs. Cloud HSM) and the difference between detection (Cloud Audit Logs, Event Threat Detection) and prevention (VPC Service Controls), leading candidates to choose a solution that only detects but does not prevent data exfiltration.

How to eliminate wrong answers

Option A is wrong because CMEK with Cloud KMS uses keys managed within Google Cloud, not an on-premises HSM, and Cloud Audit Logs with Cloud Monitoring alone cannot prevent data exfiltration—they only provide logging and alerting, not active prevention. Option C is wrong because default encryption uses Google-managed keys, not customer-managed keys from an on-premises HSM, and IAM conditions cannot enforce a restriction on Cloud SQL public IPs at the organization level (that requires an Organization Policy). Option D is wrong because Cloud HSM is a Google-managed HSM service, not an on-premises HSM, and VPC firewall rules cannot block public IP assignment on Cloud SQL (they control network traffic, not resource configuration), while Cloud Armor is a web application firewall, not a data exfiltration detection or prevention tool.

59 · MCQ · medium

A technology company runs its containerized microservices on Google Kubernetes Engine (GKE). The development team frequently pushes new container images to Container Registry, and those images are deployed to a production cluster. The security team recently discovered that a few running containers have critical vulnerabilities from outdated base images. They want to enforce a policy that only vulnerability-scanned and approved images can be deployed in the production cluster. The team uses Cloud Build for CI/CD and Container Analysis for vulnerability scanning. Which solution should they implement to meet this requirement?

A. Use Cloud Security Scanner to scan the production cluster for vulnerabilities.
B. Enable Cloud Asset Inventory to monitor image vulnerabilities across projects.
C. Configure Cloud Build to run a vulnerability scan step before pushing images to Container Registry.
D. Enable Binary Authorization with a policy that requires attestations from Container Analysis for all deployments in the production cluster.
Answer: D

Binary Authorization ensures only verified images are deployed by requiring attestations from approved authorities like Container Analysis.

Why this answer

Binary Authorization enforces deployment-time policies that require signed attestations from trusted authorities (like Container Analysis) before an image can be deployed on GKE. By configuring a policy that mandates an attestation from Container Analysis (which performs vulnerability scanning), only images that have been scanned and approved can be deployed, directly meeting the requirement to block containers with critical vulnerabilities.

Exam trap

The trap here is that candidates confuse scanning images (which only identifies vulnerabilities) with enforcing a policy that blocks deployment of vulnerable images, leading them to choose a scanning-only option (like C) instead of the policy enforcement mechanism (Binary Authorization).

How to eliminate wrong answers

Option A is wrong because Cloud Security Scanner is designed to find web application vulnerabilities (e.g., XSS, SQLi) in App Engine, Compute Engine, and GKE services, not to enforce deployment policies or scan container images for OS-level vulnerabilities. Option B is wrong because Cloud Asset Inventory provides a historical view of cloud resources and their metadata (including vulnerability findings from Container Analysis), but it cannot enforce a policy that blocks deployments; it is a monitoring and inventory tool, not a policy enforcement mechanism. Option C is wrong because running a vulnerability scan step before pushing images to Container Registry only ensures images are scanned at build time, but it does not prevent a developer from bypassing the scan or deploying an older, unscanned image; it lacks the deployment-time enforcement that Binary Authorization provides.

60
MCQhard

An organization stores sensitive data in BigQuery. They need to restrict access to specific columns based on user role, while allowing analysis at the dataset level. Which feature should they use?

A.BigQuery row-level security
B.Column-level access control using authorized views or taxonomy policies
C.IAM roles at the dataset level with fine-grained permissions
D.Cloud Data Loss Prevention (DLP) to mask data
AnswerB

Authorized views can restrict column access, and BigQuery column-level security with taxonomy policies can be used.

Why this answer

Option B is correct because BigQuery column-level access control, implemented through authorized views or taxonomy policies (via Data Catalog), allows restricting access to specific columns while preserving dataset-level analysis permissions. Authorized views use SQL logic to expose only permitted columns, and taxonomy policies apply fine-grained access controls at the column level without requiring separate datasets.

Exam trap

Google Cloud often tests the distinction between row-level and column-level access controls, and the trap here is that candidates confuse row-level security (which filters rows) with column-level security (which restricts columns), or mistakenly think IAM dataset-level roles can achieve fine-grained column restrictions.

How to eliminate wrong answers

Option A is wrong because BigQuery row-level security restricts access to specific rows based on filters, not columns, and does not address column-level restrictions. Option C is wrong because IAM roles at the dataset level provide coarse-grained access to entire tables or datasets, but cannot restrict access to individual columns within a table. Option D is wrong because Cloud Data Loss Prevention (DLP) is used for data discovery, classification, and masking of sensitive data, but it does not enforce persistent column-level access control for ongoing query access; it is a scanning and transformation tool, not an access control mechanism.

61
MCQeasy

A developer accidentally commits an application's Google Cloud service account key to a public GitHub repository. The key is valid and grants access to production resources. What is the correct immediate response?

A.Delete the commit from GitHub history using git rebase; the key is safe once removed from the repository
B.Immediately revoke/delete the exposed service account key in Google Cloud IAM, review Cloud Audit Logs for unauthorized access, and generate a new key distributed through secure channels
C.Change the service account's permissions to read-only to limit the damage from potential misuse
D.Send an internal email informing the security team and wait for their guidance before taking any action
AnswerB

This is the complete correct response: (1) Revoke the key immediately to stop any ongoing unauthorized access. (2) Review Admin Activity and Data Access audit logs to determine if the key was used after exposure. (3) Issue a new key through a secure distribution channel (ideally Secret Manager, not environment variables). Time to revocation is critical.

Why this answer

Option B is correct because the immediate priority is to invalidate the exposed credential to prevent unauthorized access to production resources. Revoking the key in Google Cloud IAM ensures it can no longer be used for authentication, while reviewing Cloud Audit Logs helps identify any potential misuse. Generating a new key and distributing it securely restores access for legitimate applications.

Exam trap

The trap here is that candidates may think removing the key from the repository (Option A) is sufficient, but they overlook that the key remains valid in Google Cloud and can still be used by anyone who already obtained it.

How to eliminate wrong answers

Option A is wrong because deleting the commit from GitHub history does not invalidate the key; anyone who already cloned or forked the repository still has access to the key, and the key remains valid in Google Cloud until explicitly revoked. Option C is wrong because changing the service account's permissions to read-only does not prevent an attacker from using the key to authenticate; the key itself is still valid and could be used for any action the service account is allowed, including reading sensitive data. Option D is wrong because waiting for guidance delays the critical step of revoking the exposed key, increasing the window of opportunity for unauthorized access; immediate action is required to contain the breach.

62
MCQhard

An organization uses Security Command Center (SCC) premium tier and wants to automatically remediate a specific finding type by disabling public access to Cloud Storage buckets. What is the recommended approach?

A.Use Cloud Pub/Sub alone to listen for SCC findings and then manually remediate
B.Use IAM to deny all users except project owners from making buckets public
C.Set up a Cloud Function triggered by SCC findings to remove public access
D.Configure a Cloud Scheduler job to run a script that checks and removes public access
AnswerC

SCC can publish findings to Pub/Sub, which triggers a Cloud Function to remediate.

Why this answer

Option C is correct because Security Command Center (SCC) premium tier can publish findings to Cloud Pub/Sub, which can trigger a Cloud Function via a push subscription. The Cloud Function can then use the Google Cloud Storage API (specifically, the `storage.buckets.setIamPolicy` method) to remove the `allUsers` or `allAuthenticatedUsers` bindings that grant public access, enabling automated, event-driven remediation without manual intervention.

Exam trap

Google Cloud often tests the distinction between event-driven automation (Cloud Functions + Pub/Sub) and scheduled or manual approaches, so candidates mistakenly choose Cloud Scheduler or IAM deny policies because they think 'automation' means periodic checks or preventive controls, rather than reactive, real-time remediation.

How to eliminate wrong answers

Option A is wrong because using Cloud Pub/Sub alone only delivers the finding notification; it does not perform any remediation action, so manual steps are still required, which defeats the goal of automation. Option B is wrong because IAM deny policies cannot retroactively remove public access from buckets that already have public bindings; they only prevent future grants, and they do not automatically remediate existing public buckets. Option D is wrong because Cloud Scheduler runs on a fixed schedule, not in response to SCC findings, so it introduces latency and cannot provide real-time remediation when a finding is generated.
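The remediation flow described above, as an added example that is not code from the page or from Google: a Pub/Sub-triggered handler that decodes an SCC finding, pulls the bucket name out of its resourceName and strips `allUsers`/`allAuthenticatedUsers` from the bucket's IAM bindings. The Pub/Sub envelope, the finding JSON (including the `PUBLIC_BUCKET_ACL` category and the `//storage.googleapis.com/<bucket>` resource format) and the policy are all constructed here, and the get/set policy calls are injected as callables so the logic runs offline; in a real function those would wrap the Cloud Storage client's get/set IAM policy calls.

```python
"""Event-driven cleanup of public Cloud Storage buckets from SCC findings.

Added example (not from the page or Google). Data formats are constructed
assumptions; get_policy/set_policy are injected so it runs offline.
"""
import base64
import json
from typing import Callable, Dict, List, Tuple

# Principals that make a bucket world-readable or world-writable.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def strip_public_bindings(policy: Dict) -> Tuple[Dict, List[Dict]]:
    """Return a copy of a bucket IAM policy without public members.

    Bindings left with no members are dropped. The removed (role, member)
    pairs are returned so the function can log what it changed.
    """
    cleaned = {k: v for k, v in policy.items() if k != "bindings"}
    kept, removed = [], []
    for binding in policy.get("bindings", []):
        members = binding.get("members", [])
        removed += [{"role": binding["role"], "member": m}
                    for m in members if m in PUBLIC_MEMBERS]
        private = [m for m in members if m not in PUBLIC_MEMBERS]
        if private:
            kept.append({**binding, "members": private})
    cleaned["bindings"] = kept
    return cleaned, removed


def bucket_from_resource_name(resource_name: str) -> str:
    """Extract the bucket from an SCC resourceName.

    Assumed format (constructed): '//storage.googleapis.com/<bucket>'.
    """
    prefix = "//storage.googleapis.com/"
    if not resource_name.startswith(prefix):
        raise ValueError(f"not a Cloud Storage resource: {resource_name}")
    return resource_name[len(prefix):].split("/")[0]


def remediate_public_bucket(event: Dict,
                            get_policy: Callable[[str], Dict],
                            set_policy: Callable[[str, Dict], None]) -> List[Dict]:
    """Entry point for a Pub/Sub-triggered function.

    event["data"] is the base64-encoded SCC notification. Only ACTIVE
    findings of the assumed public-bucket category are acted on, so
    unrelated findings never touch bucket policies.
    """
    message = json.loads(base64.b64decode(event["data"]).decode("utf-8"))
    finding = message.get("finding", {})
    if finding.get("state") != "ACTIVE":
        return []
    if finding.get("category") != "PUBLIC_BUCKET_ACL":  # assumed category name
        return []
    bucket = bucket_from_resource_name(finding["resourceName"])
    policy = get_policy(bucket)
    cleaned, removed = strip_public_bindings(policy)
    if removed:
        # The policy keeps its etag, so a concurrent change would be
        # rejected by the API rather than silently overwritten.
        set_policy(bucket, cleaned)
    return removed


def demo() -> Tuple[List[Dict], Dict]:
    """Run the flow against a constructed finding and in-memory policy."""
    store = {"invoices-prod": {
        "etag": "CAE=",
        "bindings": [
            {"role": "roles/storage.objectViewer",
             "members": ["allUsers", "group:finance@example.com"]},
            {"role": "roles/storage.objectCreator",
             "members": ["allAuthenticatedUsers"]},
            {"role": "roles/storage.admin",
             "members": ["serviceAccount:app@example.iam.gserviceaccount.com"]},
        ],
    }}
    notification = {"finding": {"category": "PUBLIC_BUCKET_ACL",
                                "state": "ACTIVE",
                                "resourceName": "//storage.googleapis.com/invoices-prod"}}
    event = {"data": base64.b64encode(json.dumps(notification).encode()).decode()}
    removed = remediate_public_bucket(event,
                                      get_policy=lambda b: store[b],
                                      set_policy=lambda b, p: store.__setitem__(b, p))
    return removed, store["invoices-prod"]


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```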

63
MCQmedium

A company uses Google Workspace for identity. They want employees to use their Google Workspace credentials to access third-party applications (Salesforce, Slack, etc.) without separate passwords for each app. Which technology enables this?

A.VPN — employees connect to the corporate VPN which provides access to all apps.
B.Single Sign-On (SSO) using SAML 2.0 or OIDC with Google Workspace as the Identity Provider.
C.Cloud Armor — blocks unauthorized access attempts to applications.
D.Shared service account — all employees use the same credential.
AnswerB

Google Workspace as IdP federates identity to third-party apps via SAML 2.0 or OIDC. Employees authenticate once with their Google credentials and access all federated apps without separate passwords.

Why this answer

Option B is correct because Single Sign-On (SSO) using SAML 2.0 or OIDC allows Google Workspace to act as the Identity Provider (IdP), issuing authentication tokens that third-party applications (like Salesforce and Slack) trust. This eliminates the need for separate passwords, as users authenticate once with Google Workspace and the IdP handles subsequent access via security assertions or ID tokens.

Exam trap

Google Cloud often tests the distinction between network-level access (VPN) and identity-level federation (SSO), so candidates mistakenly choose VPN because they think it 'provides access to all apps' without realizing it does not solve the separate-password problem.

How to eliminate wrong answers

Option A is wrong because a VPN provides network-layer access to corporate resources but does not eliminate separate application passwords; users still need to authenticate to each app individually. Option C is wrong because Cloud Armor is a web application firewall and DDoS protection service that blocks malicious traffic at the edge, not an identity federation or SSO technology. Option D is wrong because a shared service account violates the principle of least privilege and non-repudiation; all employees using the same credential would create severe security and audit issues, and it does not enable passwordless access to third-party apps.

64
MCQeasy

Refer to the exhibit. A security administrator reviews this Cloud Audit Logs entry. What does this entry indicate?

A.The user attempted to read the object 'secret.pdf' and the request resulted in an error.
B.The user updated the IAM policy on the bucket.
C.The user attempted to delete the object 'secret.pdf'.
D.The user successfully read the object 'secret.pdf'.
AnswerA

The method is 'get' and severity ERROR shows a failed read attempt.

Why this answer

Option A is correct because the log entry records a 'storage.objects.get' call by user@example.com with the resource name of the object 'secret.pdf', and the entry's severity is ERROR. The method shows what was attempted (a read of the object); the severity shows the outcome: the request failed rather than completing successfully. Together they indicate a read attempt that resulted in an error.

Exam trap

The trap here is reading only the method name and concluding that the user read the object (Option D); the method alone tells you what was attempted, not whether it succeeded, and the ERROR severity is what shows the request failed.

How to eliminate wrong answers

Option B is wrong because the method is 'storage.objects.get', not a setIamPolicy call; the entry records an object read, not a change to the bucket's IAM policy. Option C is wrong because the method is get, not delete. Option D is wrong because a successful read would be logged at a lower severity; severity ERROR indicates that the request failed.

65
MCQmedium

Google's physical data center security includes multiple layers of protection. Which of the following is NOT a physical security measure Google uses at its data centers?

A.Biometric authentication and badge access controls at multiple security perimeters.
B.24/7 on-site security personnel who monitor the facility continuously.
C.Customers can schedule tours of Google data centers to verify security practices directly.
D.Secure hardware destruction procedures for decommissioned storage devices.
AnswerC

Google data centers are not open to customer tours — they are high-security facilities with strict access controls. Google provides third-party audit reports (ISO 27001, SOC 2) as security verification instead of physical tours.

Why this answer

Option C is correct because Google does not offer public tours of its data centers. Allowing customers to schedule tours would introduce unnecessary security risks and is not part of Google's physical security model. Instead, Google provides transparency through third-party audit reports and certifications (e.g., SOC 2, ISO 27001) to verify security practices.

Exam trap

Cisco often tests the misconception that Google offers data center tours as a transparency measure, but in reality, Google relies on independent third-party audits and certifications rather than allowing physical access to customers.

How to eliminate wrong answers

Option A is wrong because biometric authentication and badge access controls are indeed used by Google at multiple security perimeters, including the outer fence, building entrance, and server floor doors. Option B is wrong because 24/7 on-site security personnel are a standard physical security measure at Google data centers, monitoring CCTV and responding to incidents. Option D is wrong because secure hardware destruction procedures, such as degaussing, shredding, or pulverizing decommissioned storage devices, are a critical part of Google's data sanitization process to prevent data recovery.

66
MCQmedium

A company wants to know: if Google Cloud experiences a data breach that exposes customer data, what are Google's notification obligations under standard Cloud service terms?

A.Google has no obligation to notify customers of data breaches — customers must discover breaches themselves.
B.Google will notify affected customers of personal data breaches without undue delay per its Data Processing Addendum, enabling customers to meet their own regulatory notification obligations.
C.Google will notify all media outlets immediately upon breach detection to maximize transparency.
D.Breach notification is only available to customers with Premium support tier.
AnswerB

Google's Cloud DPA commits to breach notification. This enables customers to fulfill their own obligations (GDPR requires notifying authorities within 72 hours and affected individuals without undue delay).

Why this answer

Option B is correct because Google Cloud's standard Data Processing Addendum (DPA) contractually obligates Google to notify affected customers of personal data breaches without undue delay after confirmation. This enables customers to fulfill their own regulatory notification requirements under laws like GDPR or CCPA, as the customer remains the data controller responsible for end-user notifications.

Exam trap

The trap here is that candidates assume breach notification is optional or premium-only, but Google Cloud's standard DPA makes it a contractual right for all customers, regardless of support tier.

How to eliminate wrong answers

Option A is wrong because Google Cloud's DPA explicitly includes breach notification obligations, so customers are not left to discover breaches themselves. Option C is wrong because Google notifies affected customers, not media outlets; notifying media is not a standard contractual obligation and would violate data confidentiality. Option D is wrong because breach notification is a standard feature included in the DPA for all customers, not gated behind a Premium support tier.

67
MCQeasy

A startup wants to automatically rotate encryption keys used for Cloud Storage objects every 90 days. Which service should they use?

A.Use Cloud Secret Manager to store and rotate encryption keys
B.Use default Cloud Storage encryption (SSE-GCP)
C.Use Cloud HSM to store keys and rotate manually
D.Use Cloud Key Management Service (KMS) with automatic rotation schedule
AnswerD

Cloud KMS allows setting a rotation period for customer-managed keys.

Why this answer

Option D is correct because Cloud KMS supports automatic key rotation with a configurable rotation period (e.g., every 90 days). When you create a key ring and key in Cloud KMS, you can set a rotation schedule, and Cloud KMS will automatically generate a new key version on the specified date. This allows the startup to meet the 90-day rotation requirement without manual intervention, and the new key version is used for encrypting new Cloud Storage objects while old versions remain available for decrypting existing data.

Exam trap

The trap here is that candidates often confuse Cloud Secret Manager (which stores secrets but does not rotate encryption keys automatically) with Cloud KMS (which provides automatic key rotation), or they assume that default Google-managed encryption (SSE-GCP) allows customer-controlled rotation schedules, which it does not.

How to eliminate wrong answers

Option A is wrong because Cloud Secret Manager is designed to store and manage secrets (e.g., API keys, passwords), not to rotate encryption keys for Cloud Storage objects; it lacks native automatic rotation scheduling for encryption keys. Option B is wrong because default Cloud Storage encryption (SSE-GCP) uses Google-managed keys that are rotated automatically by Google, but the customer cannot control or schedule the rotation period (e.g., 90 days); the rotation frequency is not configurable. Option C is wrong because Cloud HSM provides hardware-backed key storage but does not support automatic rotation; keys stored in Cloud HSM must be rotated manually, which contradicts the requirement for automatic rotation every 90 days.

68
MCQeasy

A cloud architect wants to ensure that only certain users in the finance team can access a Cloud Storage bucket containing invoices. They also want to log all access attempts. Which two services should they use?

A.IAM and Cloud Audit Logs
B.Cloud NAT and Cloud Audit Logs
C.Cloud NAT and Cloud Load Balancing
D.IAM and Cloud CDN
AnswerA

IAM controls access; Cloud Audit Logs provide data access logging.

Why this answer

IAM (Identity and Access Management) is used to grant specific users (e.g., finance team members) granular access to the Cloud Storage bucket via roles like roles/storage.objectViewer. Cloud Audit Logs (specifically Admin Activity and Data Access audit logs) capture all access attempts, including who accessed the bucket, when, and from which IP address, meeting the logging requirement.

Exam trap

Google Cloud often tests the distinction between network-level services (like Cloud NAT, Cloud Load Balancing, Cloud CDN) and identity/audit services (IAM, Cloud Audit Logs), so candidates mistakenly choose networking options when the question explicitly asks about user access control and logging.

How to eliminate wrong answers

Option B is wrong because Cloud NAT (Network Address Translation) is used to enable outbound internet connectivity for private instances, not for controlling user access to Cloud Storage or logging access attempts. Option C is wrong because Cloud NAT and Cloud Load Balancing are networking services that do not provide identity-based access control or audit logging for Cloud Storage. Option D is wrong because Cloud CDN (Content Delivery Network) is used to cache content for low-latency delivery, not to restrict access to a bucket based on user identity or to log access attempts.

69
MCQmedium

A financial services company is subject to regulations requiring them to demonstrate that their cloud provider's employees cannot access customer data without the customer's explicit approval. Which Google Cloud feature most directly addresses this requirement?

A.Customer-Managed Encryption Keys (CMEK), where the customer controls the encryption key and can revoke access
B.Access Transparency and Access Approval, which log and require explicit customer approval for Google personnel access to customer content
C.Cloud Audit Logs, which record all customer actions within Google Cloud
D.VPC Service Controls, which prevent Google employees from accessing resources inside the service perimeter
AnswerB

Access Transparency logs all Google personnel access to customer content with justification codes. Access Approval requires Google to request explicit customer approval before accessing customer data. Together they directly address the regulatory requirement for customer oversight of provider access to their data.

Why this answer

Access Transparency and Access Approval directly address the regulatory requirement by providing near real-time logs of Google personnel actions on customer content and requiring explicit customer approval before such access can occur. Access Transparency logs every access attempt by Google employees, while Access Approval allows customers to approve or deny those requests, ensuring no unauthorized access without customer consent.

Exam trap

Cisco often tests the distinction between encryption key control (CMEK) and access governance (Access Transparency/Approval), leading candidates to mistakenly choose CMEK because they conflate key management with personnel access control.

How to eliminate wrong answers

Option A is wrong because Customer-Managed Encryption Keys (CMEK) give customers control over encryption keys but do not log or require approval for Google personnel access to customer content; they protect data at rest but do not govern access by Google employees. Option C is wrong because Cloud Audit Logs record actions taken by customers within their own projects, not actions by Google personnel accessing customer content. Option D is wrong because VPC Service Controls create a security perimeter to prevent data exfiltration by customers or their resources, but they do not prevent Google employees from accessing resources inside the perimeter; they are designed to control data movement, not Google personnel access.

70
Multi-Selectmedium

Which TWO statements about Cloud Identity-Aware Proxy (IAP) are correct?

Select 2 answers
A.IAP encrypts data at rest by default
B.IAP can be used to protect access to Compute Engine VMs via SSH and RDP without a VPN
C.IAP only works with Google Cloud applications
D.IAP uses the identity of the user and the context of the request to decide whether to allow access
E.IAP requires using a third-party identity provider
AnswersB, D

IAP allows SSH/RDP without public IPs or VPNs.

Why this answer

Option B is correct because Cloud IAP enables identity-based access to Compute Engine instances via SSH and RDP without requiring a VPN or bastion host. IAP uses the user's identity and request context to create a secure tunnel, forwarding traffic to the instance over HTTPS and verifying the user's credentials before allowing the connection.

Exam trap

Google Cloud often tests the misconception that IAP is limited to Google Cloud services or that it requires a third-party identity provider, when in fact IAP supports hybrid access and can use Google-managed identities without external IdPs.

71
MCQhard

A security audit finds that a company's application service accounts have been granted broad IAM roles (e.g., Storage Admin on the entire project) when they only need to read specific Cloud Storage buckets. The auditor recommends following the principle of least privilege. What is the most precise way to implement this for the Cloud Storage use case?

A.Grant the Storage Admin role at the project level but add a condition that limits it to specific operations
B.Grant Storage Object Viewer (read-only) at the specific bucket level for each service account that needs read access — not at the project level
C.Create a custom IAM role that combines all permissions from all predefined roles but removes the most dangerous ones
D.Use the same broad Storage Admin role but rotate the service account key every 90 days to reduce the window of exposure
AnswerB

This is the most precise least-privilege implementation. Storage Object Viewer grants read access to objects within a bucket. Binding it at the bucket level (not project) means the service account can only read from that specific bucket — not create buckets, not access other buckets, not delete objects. This minimizes blast radius if the service account is compromised.

Why this answer

Option B is correct because it grants the minimal required permission (Storage Object Viewer) at the specific bucket level, adhering to the principle of least privilege. This ensures the service account can only read objects in that bucket and cannot perform any other storage operations, even accidentally. Granting roles at the resource level (bucket) rather than the project level eliminates unnecessary broad access.

Exam trap

The trap here is that candidates often think project-level roles with conditions are sufficient, but conditions do not restrict the scope of resources the role applies to—only the actions or attributes—so the role still applies to all resources in the project.

How to eliminate wrong answers

Option A is wrong because granting Storage Admin at the project level, even with a condition, still grants the role's full permissions (including delete and update) on all buckets in the project, violating least privilege. Option C is wrong because creating a custom role by combining all permissions from predefined roles and removing 'dangerous' ones is imprecise and error-prone; the correct approach is to start with the minimal permissions needed (e.g., storage.objects.get) rather than removing from a broad set. Option D is wrong because rotating keys does not reduce the permissions granted; the service account still retains the overly broad Storage Admin role, which is the core security issue.

72
MCQeasy

A company's security policy requires all employees to verify their identity using more than just a password when accessing Google Cloud resources. What security feature enforces this requirement?

A.Password complexity requirements — enforcing long, complex passwords.
B.Multi-factor authentication (MFA) / Two-step verification (2SV).
C.IP allowlisting — only allowing access from office IP addresses.
D.Session timeout — automatically logging out users after 30 minutes of inactivity.
AnswerB

MFA requires a second factor beyond the password — physical security keys, TOTP apps, or other verifiers. Even if a password is stolen, the second factor prevents unauthorized access.

Why this answer

Multi-factor authentication (MFA) / Two-step verification (2SV) is the correct answer because it explicitly requires users to provide two or more verification factors (e.g., something you know, something you have, something you are) to access Google Cloud resources. This directly enforces the policy of verifying identity beyond just a password, as MFA/2SV adds an additional layer of security by requiring a second factor such as a time-based one-time password (TOTP) from an authenticator app, a hardware security key (e.g., FIDO2), or a push notification. Google Cloud Identity Platform supports this via security key enforcement and 2SV policies, ensuring that password compromise alone is insufficient for access.

Exam trap

The trap here is that candidates confuse 'stronger authentication' with 'stronger passwords' (Option A) or 'access restrictions' (Option C), failing to recognize that the core requirement is adding an independent second factor, not just hardening the single password factor.

How to eliminate wrong answers

Option A is wrong because password complexity requirements only enforce stronger passwords (e.g., length, character types) but do not add a second verification factor; they still rely solely on something you know, which does not meet the 'more than just a password' requirement. Option C is wrong because IP allowlisting restricts access based on network origin (e.g., office IP addresses) but does not verify the user's identity beyond the password; it is a network-level control, not an authentication factor. Option D is wrong because session timeout automatically ends an inactive session after a set period (e.g., 30 minutes) but does not require any additional identity verification beyond the initial password-based login; it addresses session management, not authentication strength.

73
MCQhard

A company wants to ensure that sensitive data (credit card numbers, SSNs) stored in BigQuery is automatically identified and protected. They also want ongoing scanning to detect if any new data violates their data governance policies. Which Google Cloud service provides these capabilities?

A.Security Command Center — it scans BigQuery for sensitive data automatically.
B.Cloud Data Loss Prevention (Cloud DLP) with BigQuery inspection jobs.
C.Cloud Monitoring custom dashboards with SQL queries that search for PII patterns.
D.Cloud Audit Logs — they record all BigQuery queries and can identify when sensitive columns are accessed.
AnswerB

Cloud DLP natively scans BigQuery tables to identify sensitive data using built-in and custom infoTypes. Scheduled jobs provide continuous governance monitoring; de-identification transforms protect identified data.

Why this answer

Cloud DLP with BigQuery inspection jobs is the correct choice because it provides both automated identification of sensitive data (such as credit card numbers and SSNs) within BigQuery tables and ongoing scanning capabilities via scheduled inspection jobs. Cloud DLP uses built-in infoType detectors to match patterns like credit card numbers (Luhn check) and SSNs, and can trigger actions or alerts when new data violates governance policies.

Exam trap

The trap here is that candidates confuse Security Command Center's broad security scanning with Cloud DLP's specific data-level inspection, or assume that logging or monitoring tools can perform content analysis without specialized pattern-matching engines.

How to eliminate wrong answers

Option A is wrong because Security Command Center does not natively scan BigQuery for sensitive data; it provides security posture and threat detection for cloud resources, not data-level inspection. Option C is wrong because Cloud Monitoring custom dashboards with SQL queries cannot automatically identify PII patterns; they rely on manual query construction and lack the built-in pattern matching and classification capabilities of Cloud DLP. Option D is wrong because Cloud Audit Logs record access and query activity, not the content of the data; they cannot identify or protect sensitive data within BigQuery tables.

74
MCQhard

A company runs a multi-tenant SaaS application on Google Cloud where each customer's data must be strictly isolated from other customers'. A security architect is evaluating approaches: (A) logical isolation using application-level tenant IDs in a shared database, (B) IAM-based separation using separate service accounts per tenant, or (C) infrastructure-level isolation with separate Google Cloud projects per tenant. Which approach provides the strongest isolation guarantee?

A.Logical isolation using application-level tenant IDs, because it is the most cost-efficient and sufficient for regulated workloads
B.Separate Google Cloud projects per tenant, which provides the strongest isolation: separate IAM boundaries, separate resource namespaces, separate audit logs, and no shared database instances with other tenants
C.IAM-based separation using separate service accounts per tenant within a shared project, because IAM provides cryptographically enforced access control
D.All three approaches provide equivalent isolation because Google Cloud's hypervisor ensures complete tenant separation at the hardware level
AnswerB

Project-level isolation is the gold standard for multi-tenant isolation. Each project is a completely independent security boundary. Separate IAM means no privilege escalation between tenants. Separate databases mean no shared infrastructure where bugs could leak data. Separate audit logs make compliance reporting per-tenant straightforward.

Why this answer

Option B is correct because separate Google Cloud projects provide the strongest isolation guarantee by creating independent IAM boundaries, resource namespaces, audit logs, and network configurations. This approach ensures that no shared database instances or other resources exist between tenants, eliminating any risk of cross-tenant data leakage through application bugs or misconfigurations. In contrast, logical isolation (A) relies on application-level tenant IDs which can be bypassed by software vulnerabilities, and IAM-based separation (C) still shares the underlying project infrastructure, including the same database and network.

Exam trap

Cisco often tests the misconception that logical isolation (e.g., tenant IDs) or IAM alone is sufficient for multi-tenant data separation, when in reality only infrastructure-level isolation (separate projects) provides the strongest guarantee against cross-tenant data breaches in a shared cloud environment.

How to eliminate wrong answers

Option A is wrong because logical isolation using application-level tenant IDs in a shared database does not provide strong isolation; it is vulnerable to SQL injection, application bugs, or misconfigured queries that could expose one tenant's data to another, and it is not sufficient for regulated workloads that require strict data separation. Option C is wrong because IAM-based separation using separate service accounts per tenant within a shared project still shares the same resource namespace, database instances, and audit logs, meaning a compromised service account or a misconfigured IAM policy could allow cross-tenant access, and IAM does not enforce data-level isolation. Option D is wrong because Google Cloud's hypervisor ensures VM-level isolation but does not provide tenant separation for shared services like Cloud SQL, Cloud Storage, or application-level data; the hypervisor does not isolate data within a shared database or application layer.

75
MCQ · hard

A multinational corporation must comply with data residency requirements that prohibit storing data outside specific geographic regions. They plan to use BigQuery for analytics. How can Google Cloud help enforce this requirement?

A. Use Cloud Audit Logs to detect and alert on cross-region data storage
B. Use Cloud Data Loss Prevention to redact cross-region data
C. Use VPC Service Controls to block access to BigQuery APIs from other regions
D. Use BigQuery's location parameter to set dataset location and enforce via Organization Policy
Answer: D

BigQuery datasets are location-scoped at creation time, and Organization Policy constraints such as gcp.resourceLocations can restrict the set of locations in which resources may be created.

Why this answer

Option D is correct because BigQuery datasets are created with a specific location parameter (e.g., `us-central1` or `EU`), and Google Cloud Organization Policies can be used to restrict where datasets can be created. By defining a constraint like `constraints/bigquery.locationRestriction`, administrators can enforce that datasets must reside only in approved geographic regions, preventing any data from being stored outside those boundaries. This directly addresses data residency requirements without relying on detection or blocking mechanisms that don't control storage location.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls can enforce data residency by blocking cross-region API calls, but in reality, VPC Service Controls control network access, not where data is physically stored, making it ineffective for this requirement.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs only record actions after they occur; they cannot prevent data from being stored in a prohibited region, only alert on it after the fact, which fails to enforce a proactive residency requirement. Option B is wrong because Cloud Data Loss Prevention (DLP) is designed to inspect and redact sensitive data (e.g., PII) within content, not to control or restrict the geographic location where data is stored. Option C is wrong because VPC Service Controls block API access from specified networks or identities, but they do not restrict the physical location of data storage; a dataset could still be created in a non-compliant region if the API call originates from an allowed network.
