CCNA Trust and security with Google Cloud Questions

26 of 101 questions · Page 2/2 · Trust and security with Google Cloud · Answers revealed

76 · MCQ · easy

A company classifies its data into four sensitivity levels: Public, Internal, Confidential, and Restricted. Which type of data would typically be classified as 'Restricted' and require the highest level of security controls?

A. Public press releases and marketing materials published on the company website.
B. Customer Social Security Numbers, payment card numbers, and employee health records.
C. Internal meeting notes and project status reports shared among employees.
D. Product roadmap documents shared only with the product team.
Answer: B

SSNs (PII), payment cards (PCI DSS), and health records (HIPAA PHI) are Restricted data — subject to strict regulations, requiring maximum security controls and access restrictions.

Why this answer

Option B is correct because Restricted data, under Google Cloud's data classification framework, includes personally identifiable information (PII) such as Social Security Numbers, payment card numbers (PCI DSS), and protected health information (PHI). These require the highest security controls, including encryption at rest and in transit, strict IAM policies, and Data Loss Prevention (DLP) API scanning to prevent unauthorized access or leakage.

Exam trap

Google Cloud often tests the distinction between Confidential and Restricted data, where candidates mistakenly assume that any sensitive business document (like a product roadmap) qualifies as Restricted, but Restricted is reserved for data with legal or regulatory compliance requirements (e.g., PII, PHI, PCI).

How to eliminate wrong answers

Option A is wrong because public press releases and marketing materials are classified as Public data, which requires no access controls and is intended for unrestricted distribution. Option C is wrong because internal meeting notes and project status reports are typically classified as Internal data, which may require basic access controls but not the highest security level. Option D is wrong because product roadmap documents shared only with the product team are typically Confidential data, which requires access restrictions but not the stringent controls (e.g., encryption, DLP, audit logging) mandated for Restricted data.

77 · MCQ · medium

Refer to the exhibit. A security engineer applies this IAM policy. What is the effect?

A. Access is allowed only from the IP address 203.0.113.1.
B. Access is allowed only to resources tagged with 'production'.
C. Access is allowed only with two-factor authentication.
D. Access is allowed only during business hours.
Answer: A

The condition 'request.host' evaluates the source IP address.

Why this answer

The IAM policy shown in the exhibit includes a condition block that uses the `ipAddress` condition key with the `IpAddress` operator set to `203.0.113.1`. This restricts access to only requests originating from that specific IP address. All other conditions or permissions in the policy are effectively overridden by this explicit allow condition, meaning access is denied from any other IP address.

Exam trap

Google Cloud often tests the distinction between a condition that allows only a specific IP versus a condition that allows access only to a specific resource tag or time window, leading candidates to confuse the condition key used (e.g., `ipAddress` vs. `resource.labels`).

How to eliminate wrong answers

Option B is wrong because the policy does not include any condition referencing resource tags (e.g., `resource.labels` or `resource.tag`); it only uses an IP address condition. Option C is wrong because there is no condition for two-factor authentication (e.g., `gcp:multiFactorAuth` or `authn` context); the policy only checks the source IP. Option D is wrong because the policy lacks any time-based condition (e.g., `request.time` or `DateTime`); it does not restrict access to business hours.

78 · MCQ · medium

A retail company uses Google Cloud to run an online store. They have a security requirement that all API calls to Cloud Storage must come from the company's on-premises network only. Which Google Cloud security feature should they implement?

A. IAM conditions with source IP constraint
B. VPC Service Controls
C. Cloud Armor
D. Identity-Aware Proxy (IAP)
Answer: B

VPC Service Controls create perimeters to limit access to services like Cloud Storage from approved VPCs or IP ranges.

Why this answer

VPC Service Controls allow you to define perimeters that restrict access to Google Cloud services from specified VPC networks or IP ranges. Cloud Armor is for DDoS and WAF. IAM conditions are for attribute-based access control within a policy.

Identity-Aware Proxy protects web applications, not storage APIs.

79 · MCQ · easy

A company's employees use Google Workspace for email, documents, and collaboration. The IT team wants to require all employees to use a physical security key (like a YubiKey) as their second authentication factor when signing in — eliminating phishing-vulnerable SMS and authenticator app codes. Which Google Workspace security capability supports this requirement?

A. Google Workspace Advanced Protection Program, which enforces hardware security key requirements for high-risk users
B. Google Workspace 2-Step Verification policy configured to require hardware security keys (FIDO2/WebAuthn) for all employees, making it impossible to sign in without a physical key
C. Google Cloud Identity-Aware Proxy, which enforces hardware key authentication for all Google Workspace apps
D. Cloud Armor, which blocks sign-in attempts that don't come from corporate IP addresses, eliminating the need for 2FA
Answer: B

Google Workspace administrators can configure the 2SV enrollment and method requirements in the Admin Console. Setting the policy to require security keys (and disabling other 2SV methods) enforces hardware key use organization-wide. Hardware keys are phishing-resistant because they cryptographically verify the site they're authenticating to.

Why this answer

Option B is correct because Google Workspace's 2-Step Verification policy allows administrators to enforce the use of hardware security keys (FIDO2/WebAuthn) as the sole second factor. This policy can be configured to require a physical security key for all employees, effectively blocking sign-ins that use SMS or authenticator app codes, which are vulnerable to phishing. The policy directly meets the IT team's requirement to eliminate phishing-vulnerable authentication methods.

Exam trap

Google Cloud often tests the distinction between a user-level program (Advanced Protection Program) and an organization-wide policy (2-Step Verification policy), leading candidates to choose Option A because it mentions hardware security keys, but they miss that it is not a blanket enforcement for all employees.

How to eliminate wrong answers

Option A is wrong because the Advanced Protection Program is designed for high-risk users (e.g., executives, IT admins) and enforces hardware security keys, but it is not a policy that can be applied to all employees by default; it requires manual enrollment per user. Option C is wrong because Cloud Identity-Aware Proxy (IAP) controls access to applications based on identity and context, but it does not enforce hardware key authentication for Google Workspace apps themselves; it is used for securing access to custom or cloud-hosted apps behind a load balancer. Option D is wrong because Cloud Armor is a web application firewall and DDoS protection service that filters traffic based on IP addresses or other criteria, but it does not enforce multi-factor authentication or eliminate the need for 2FA; it cannot replace a second authentication factor.

80 · Multi-Select · easy

A company stores sensitive customer data in Cloud Storage buckets. The security team wants to ensure that only authorized users can access the data, and access is logged for audit. Which two practices should they implement? (Choose two.)

A. Use Storage Transfer Service to replicate data to a secured bucket.
B. Apply IAM conditions to restrict access based on user attributes like IP address or time of day.
C. Use Cloud Audit Logs to record all access attempts.
D. Set up Private Google Access to restrict access to the bucket.
E. Enable default encryption on all buckets using CMEK.
Answers: B, C

IAM conditions allow fine-grained access control based on attributes, enhancing security.

Why this answer

Option B is correct because IAM conditions allow fine-grained, attribute-based access control, such as restricting access to Cloud Storage buckets based on the requester's IP address or time of day, ensuring only authorized users can access the data under specific contexts. Option C is correct because Cloud Audit Logs record all access attempts (including successful and denied requests) to the bucket, providing the necessary audit trail for security and compliance.

Exam trap

Google Cloud often tests the distinction between data protection (encryption) and access control (IAM), leading candidates to mistakenly choose encryption options like CMEK when the question asks about restricting access and logging.

81 · MCQ · hard

A multinational corporation uses Cloud Identity-Aware Proxy (IAP) to secure access to applications. They notice that some users outside the corporate network can still reach the applications. What is the most likely misconfiguration?

A. IAP is set to 'allUsers' instead of 'allAuthenticatedUsers'.
B. The firewall rules allow ingress from 0.0.0.0/0.
C. IAP is not enabled on the backend service.
D. The OAuth 2.0 client ID is misconfigured.
Answer: A

allUsers includes unauthenticated users, allowing anyone to access the application.

Why this answer

Option A is correct because setting IAP to 'allUsers' allows unauthenticated access from any user on the internet, bypassing IAP's authentication and authorization checks. IAP should be configured with 'allAuthenticatedUsers' or a more specific set of principals to enforce identity verification before granting access to the application.

Exam trap

Google Cloud often tests the distinction between 'allUsers' (anyone, including unauthenticated users) and 'allAuthenticatedUsers' (any authenticated Google identity), which is a common source of confusion for candidates who assume IAP always requires authentication regardless of the IAM setting.

How to eliminate wrong answers

Option B is wrong because firewall rules allowing ingress from 0.0.0.0/0 are not the root cause; IAP works by intercepting requests at the Google Cloud load balancer level, and firewall rules do not affect IAP's authentication enforcement. Option C is wrong because if IAP were not enabled on the backend service, no IAP authentication would occur at all, but the question states that some users can still reach the applications, implying IAP is partially working. Option D is wrong because a misconfigured OAuth 2.0 client ID would cause authentication failures for all users, not allow some external users to bypass IAP.

82 · MCQ · medium

A company uses Google Cloud and has a compliance requirement to store certain data only within the European Union and ensure it cannot be accessed from outside the EU, even by Google operations personnel. Which Google Cloud offering specifically addresses this level of data sovereignty?

A. Selecting EU regions for all resources in the Cloud Console.
B. Sovereign Controls offerings (e.g., T-Systems Sovereign Cloud) or Assured Workloads with data residency and personnel access controls.
C. VPC Service Controls — they prevent data from leaving the VPC boundary.
D. Cloud Armor — it blocks requests originating from outside the EU.
Answer: B

Sovereign Controls provide the strictest sovereignty: EU-only data residency enforced contractually, local support operations model restricting Google personnel access, and audit controls — meeting the highest regulatory standards.

Why this answer

Option B is correct because Sovereign Controls offerings (such as T-Systems Sovereign Cloud) and Assured Workloads with data residency and personnel access controls are specifically designed to meet strict data sovereignty requirements. These solutions ensure that data remains within the EU and that Google operations personnel cannot access it, addressing both geographic storage and access restrictions mandated by compliance frameworks like GDPR.

Exam trap

The trap here is that candidates often confuse geographic storage (selecting EU regions) with full data sovereignty, failing to realize that personnel access controls are required to prevent internal Google staff from accessing data from outside the EU.

How to eliminate wrong answers

Option A is wrong because simply selecting EU regions for resources ensures data is stored in the EU, but it does not prevent Google operations personnel from accessing the data from outside the EU, as Google retains administrative access. Option C is wrong because VPC Service Controls restrict data exfiltration by creating security perimeters around VPC resources, but they do not enforce geographic data residency or block access by Google personnel; they focus on preventing unauthorized data movement within Google Cloud. Option D is wrong because Cloud Armor is a web application firewall that filters incoming traffic based on IP addresses or geographic regions, but it does not control data storage location or restrict access by internal Google operations staff; it only blocks external requests at the network edge.

83 · MCQ · medium

A CISO asks why Google Cloud's security model is described as a 'defense-in-depth' approach. Which explanation best describes this concept in the context of Google Cloud's infrastructure security?

A. Defense in depth means that Google uses a single, very strong encryption algorithm to protect all customer data
B. Defense in depth means security is implemented as multiple independent layers — physical security, hardware attestation, network encryption, hypervisor isolation, and application-level IAM — so that bypassing any single layer does not compromise the entire system
C. Defense in depth means Google deploys security controls only at the network perimeter, creating a strong outer boundary
D. Defense in depth means customers are responsible for all security layers, with Google providing only the physical infrastructure
Answer: B

This correctly describes defense in depth. Google's infrastructure security has independent layers: secure physical facilities, Titan security chips for hardware attestation, hypervisor isolation between tenants, encrypted network traffic, and IAM at the application layer. An attacker must bypass all relevant layers simultaneously — dramatically harder than defeating a single control.

Why this answer

Option B is correct because Google Cloud's defense-in-depth model implements security at multiple independent layers: physical security (e.g., tamper-evident cages), hardware attestation (e.g., Titan chips verifying boot integrity), network encryption (e.g., mTLS between all services), hypervisor isolation (e.g., gVisor or KVM-based sandboxing), and application-level IAM (e.g., Cloud IAM policies). This layered approach ensures that if an attacker bypasses one layer, other layers remain intact to protect the system, aligning with the core principle of defense in depth.

Exam trap

The trap here is that candidates often confuse defense in depth with a single strong control (like encryption) or a perimeter-only approach, failing to recognize that Google Cloud's model requires multiple independent layers that each provide a distinct security function.

How to eliminate wrong answers

Option A is wrong because defense in depth is not about a single encryption algorithm; it relies on multiple overlapping controls, not a single strong mechanism. Option C is wrong because defense in depth extends beyond the network perimeter to include internal controls like hypervisor isolation and IAM, not just a strong outer boundary. Option D is wrong because Google Cloud's shared responsibility model means Google secures the infrastructure (physical, hardware, network, hypervisor), while customers secure their data and access; defense in depth applies to Google's layers, not solely customer responsibility.

84 · MCQ · medium

An organization uses Google Cloud Identity and Access Management (IAM). A new employee is a data engineer who needs to read BigQuery datasets and run queries but should NOT be able to create new datasets, delete tables, or modify IAM policies. Which IAM role should be assigned?

A. `roles/bigquery.admin`
B. `roles/bigquery.dataViewer` (with `roles/bigquery.jobUser` if needed to run queries)
C. `roles/viewer` (project-level Viewer)
D. `roles/bigquery.dataEditor`
Answer: B

dataViewer grants read-only access to datasets. jobUser allows creating and running query jobs. Together they provide read + query capability without write, delete, or admin access.

Why this answer

Option B is correct because the `roles/bigquery.dataViewer` role grants read access to BigQuery datasets and their contents, while `roles/bigquery.jobUser` allows the user to run query jobs. Together, they satisfy the requirement to read datasets and run queries without permitting dataset creation, table deletion, or IAM policy modification.

Exam trap

The trap here is that candidates often assume the project-level `roles/viewer` (Option C) is sufficient for running queries, but it lacks the `bigquery.jobs.create` permission, causing query execution to fail even though the user can see the data.

How to eliminate wrong answers

Option A is wrong because `roles/bigquery.admin` grants full administrative control over BigQuery resources, including creating and deleting datasets, tables, and modifying IAM policies, which exceeds the required permissions. Option C is wrong because the project-level `roles/viewer` role provides read-only access to all resources in the project, but it does not include the `bigquery.jobs.create` permission needed to run queries, so the user would be unable to execute query jobs. Option D is wrong because `roles/bigquery.dataEditor` allows editing existing datasets and tables (e.g., inserting, updating, deleting data), but it does not include the `bigquery.jobs.create` permission for running queries, and it still permits modifications that the user should not be allowed to perform.

85 · MCQ · medium

A company's application stores sensitive customer information in Cloud Storage. A security audit finds that one bucket has 'allUsers' access granted (making it publicly accessible on the internet). The security team wants to prevent this from happening in the future. Which control prevents public access from being granted to Cloud Storage buckets?

A. Enable Cloud Armor on all Cloud Storage buckets to block public internet access
B. Apply the 'storage.publicAccessPrevention' organization policy constraint, which prevents allUsers and allAuthenticatedUsers from being granted in Cloud Storage IAM policies organization-wide
C. Enable VPC Service Controls around Cloud Storage to prevent public internet access
D. Configure Cloud Monitoring to alert the security team when a bucket is made public so they can revert it
Answer: B

Public Access Prevention is the correct control. Applied as an org policy, it makes it impossible to grant allUsers or allAuthenticatedUsers access to any bucket in the organization. Attempts to set such policies are rejected by the API. This is the definitive preventive control for accidental public bucket exposure.

Why this answer

Option B is correct because the 'storage.publicAccessPrevention' organization policy constraint is a Google Cloud IAM constraint that, when enforced at the organization, folder, or project level, prevents any IAM policy binding that grants access to 'allUsers' or 'allAuthenticatedUsers' on Cloud Storage buckets. This is a preventive control that blocks the action before it can occur, directly addressing the security team's requirement to prevent public access from being granted in the future.

Exam trap

Google Cloud often tests the distinction between preventive, detective, and corrective controls, and the trap here is that candidates confuse VPC Service Controls (which restrict network-level access) with IAM policy controls (which govern identity-based access), leading them to choose option C instead of the correct preventive IAM constraint.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall (WAF) and DDoS protection service for HTTP(S) load balancers, not a service that can be applied to Cloud Storage buckets or block IAM-based public access. Option C is wrong because VPC Service Controls create a security perimeter around Google Cloud services to prevent data exfiltration over the internet, but they do not prevent a bucket from being made publicly accessible via IAM policy changes; they restrict access from outside the perimeter but do not block the 'allUsers' grant itself. Option D is wrong because Cloud Monitoring alerts are a detective control, not a preventive control; they notify the team after the public access has already been granted, which does not prevent the incident from happening.
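As an added example (not part of the question bank), the detective side of the same control in Python: it scans bucket IAM policies for the allUsers and allAuthenticatedUsers grants that an enforced storage.publicAccessPrevention constraint rejects, and builds the Org Policy v2 request body that turns the constraint on. The bucket names, members and organization id are constructed.

```python
"""Audit Cloud Storage IAM policies for public principals and build the
storage.publicAccessPrevention org policy body (added example, constructed data)."""

# Principals that make a bucket reachable by anyone on the internet (allUsers)
# or by any Google-authenticated identity (allAuthenticatedUsers).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def find_public_bindings(policy: dict) -> list:
    """Return every binding in a bucket IAM policy that grants a public principal.

    `policy` has the shape of a Cloud Storage JSON API bucket IAM policy:
    {"version": 3, "bindings": [{"role": ..., "members": [...], "condition": {...}}], "etag": ...}
    """
    findings = []
    for binding in policy.get("bindings", []):
        public_members = sorted(PUBLIC_PRINCIPALS & set(binding.get("members", [])))
        if public_members:
            findings.append({
                "role": binding["role"],
                "members": public_members,
                # A conditional grant is still public; keep the condition title for triage.
                "condition": binding.get("condition", {}).get("title"),
            })
    return findings


def audit_buckets(policies: dict) -> dict:
    """Map bucket name -> public bindings, for the buckets that have any."""
    report = {}
    for bucket, policy in policies.items():
        findings = find_public_bindings(policy)
        if findings:
            report[bucket] = findings
    return report


def public_access_prevention_policy(org_id: str) -> dict:
    """Org Policy v2 body that enforces the storage.publicAccessPrevention boolean constraint.

    Equivalent CLI (not run here):
      gcloud resource-manager org-policies enable-enforce storage.publicAccessPrevention --organization=ORG_ID
    """
    return {
        "name": f"organizations/{org_id}/policies/storage.publicAccessPrevention",
        "spec": {"rules": [{"enforce": True}]},
    }


# Constructed sample policies for three hypothetical buckets (not real resources).
SAMPLE_POLICIES = {
    "customer-data-prod": {
        "version": 3,
        "bindings": [
            {"role": "roles/storage.admin", "members": ["group:storage-admins@example.com"]},
            # The audit finding from the question: a public grant on a sensitive bucket.
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        ],
    },
    "internal-reports": {
        "version": 3,
        "bindings": [
            {"role": "roles/storage.objectViewer",
             "members": ["user:alice@example.com",
                         "serviceAccount:reports@example-project.iam.gserviceaccount.com"]},
        ],
    },
    "static-website": {
        "version": 3,
        "bindings": [
            {"role": "roles/storage.legacyObjectReader",
             "members": ["allAuthenticatedUsers", "user:bob@example.com"],
             "condition": {"title": "expires-end-of-quarter",
                           "expression": "request.time < timestamp('2025-10-01T00:00:00Z')"}},
        ],
    },
}

if __name__ == "__main__":
    for bucket, findings in audit_buckets(SAMPLE_POLICIES).items():
        for f in findings:
            print(f"{bucket}: {f['role']} granted to {', '.join(f['members'])}"
                  + (f" (condition: {f['condition']})" if f["condition"] else ""))
```

With the constraint enforced, the API rejects both flagged bindings, including the conditional allAuthenticatedUsers one; the audit is what you run to find grants made before enforcement.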

86 · MCQ · medium

A company uses service accounts to allow their application running on a Compute Engine VM to access Cloud Storage. Which is the most secure way to configure this service account access?

A. Download the service account key JSON file and store it in the application's source code repository.
B. Attach the service account to the Compute Engine VM; the application obtains credentials automatically via the metadata server with no key files needed.
C. Grant all users the Storage Admin role so the application can access Cloud Storage through their credentials.
D. Create a shared service account key file accessible to all VMs via a Cloud Storage bucket.
Answer: B

VM-attached service accounts provide credentials automatically via the GCE metadata server. No key files are created or stored. ADC discovers these credentials automatically.

Why this answer

Option B is correct because attaching a service account to a Compute Engine VM allows the application to automatically obtain short-lived OAuth 2.0 access tokens from the instance metadata server (http://169.254.169.254). This eliminates the need to download, store, or manage any long-lived service account key files, which are a significant security risk. The metadata server provides credentials that are automatically rotated and scoped to the service account's IAM roles, making this the most secure method for accessing Cloud Storage from a VM.

Exam trap

Cisco often tests the misconception that storing keys in a repository or bucket is acceptable for automation, but the trap here is that any long-lived key file, even if stored in a bucket, is less secure than the automatic, short-lived credentials provided by the Compute Engine metadata server.

How to eliminate wrong answers

Option A is wrong because storing a service account key JSON file in the application's source code repository exposes the private key to anyone with repository access, violating the principle of least privilege and creating a persistent credential that can be leaked. Option C is wrong because granting all users the Storage Admin role is a gross over-privilege that violates the principle of least privilege and does not provide a service account for the application; it relies on user credentials which are not designed for automated workloads and introduces unnecessary security exposure. Option D is wrong because placing a shared service account key file in a Cloud Storage bucket still requires managing long-lived private keys, and any VM or user with read access to that bucket can exfiltrate the key, negating the security benefits of using service accounts on Compute Engine.

87 · MCQ · hard

A security team wants to ensure that only container images built by their approved CI/CD pipeline can run in their GKE cluster. Images built outside the approved process — even by internal engineers — should be blocked. Which Google Cloud security feature enforces this?

A. Cloud Armor — it blocks unauthorized container images at the load balancer.
B. Binary Authorization — requiring cryptographic attestations for container images before they can be deployed to GKE.
C. Cloud IAM — restricting `container.pods.create` permission to only the CI/CD service account.
D. Artifact Registry vulnerability scanning — blocking images with CVEs from being deployed.
Answer: B

Binary Authorization enforces that only images with valid attestations (created by the approved CI/CD pipeline using Cloud KMS keys) can be deployed to GKE. Unsigned or externally built images are blocked at admission.

Why this answer

Binary Authorization is the correct answer because it enforces deployment-time policy by requiring that container images have a valid cryptographic attestation (e.g., from a trusted CI/CD pipeline) before they can be scheduled on GKE. This ensures that only images built and signed by the approved process are allowed to run, blocking all others regardless of who built them.

Exam trap

The trap here is that candidates confuse access control (IAM) with image provenance enforcement, mistakenly thinking that restricting who can create pods (Option C) is sufficient to block unauthorized images, when in reality a CI/CD service account could still deploy an unsigned image if not prevented by Binary Authorization.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall and DDoS protection service that operates at the load balancer layer, not a container image admission controller; it cannot inspect or block container images at the pod-creation level. Option C is wrong because restricting `container.pods.create` permission to only the CI/CD service account would prevent engineers from directly creating pods, but it would not block images built outside the approved pipeline if those images were pushed to a registry and referenced by a pod created by the CI/CD service account; it controls who can create pods, not which images can be used. Option D is wrong because Artifact Registry vulnerability scanning identifies CVEs in images but does not enforce admission policies; it provides security insights but does not block deployment of images lacking attestations.

88 · MCQ · easy

A company is concerned that employees might accidentally or maliciously upload sensitive personal data (such as credit card numbers or Social Security Numbers) to Cloud Storage buckets. Which Google Cloud product can automatically scan uploaded files and identify sensitive data patterns?

A. Cloud Armor, which inspects incoming HTTP requests for sensitive data patterns
B. Cloud DLP (Data Loss Prevention), which scans Cloud Storage objects for sensitive data types like credit card numbers and SSNs using built-in pattern detection
C. Cloud Logging, which records all file upload events to Cloud Storage
D. Security Command Center, which audits Cloud Storage bucket permissions
Answer: B

Cloud DLP is the correct answer. It has 150+ built-in infoTypes for detecting sensitive data patterns (credit card numbers matching Luhn algorithm, SSN format detection, etc.) and can scan Cloud Storage objects on a scheduled or triggered basis, flagging or de-identifying findings.

Why this answer

Cloud DLP (Data Loss Prevention) is the correct service because it is specifically designed to inspect and classify sensitive data within Cloud Storage objects. It uses built-in detectors (infoTypes) to identify patterns like credit card numbers (Luhn check) and Social Security Numbers, and can trigger automated actions such as redaction or logging when sensitive data is found.

Exam trap

The trap here is confusing a security monitoring or perimeter defense service (Cloud Armor, Security Command Center) with a content-aware data classification service (Cloud DLP), leading candidates to pick a service that audits permissions or logs events rather than one that inspects file contents for sensitive patterns.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall (WAF) that protects against DDoS and OWASP Top 10 threats by inspecting HTTP/S traffic at the edge, not by scanning stored files for sensitive data patterns. Option C is wrong because Cloud Logging captures and stores audit logs of events (e.g., object uploads) but does not perform content inspection or pattern matching on the uploaded data. Option D is wrong because Security Command Center provides a centralized view of security risks and misconfigurations (e.g., public bucket permissions) but does not scan object contents for sensitive data patterns.
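The Luhn-plus-format detection that the explanation attributes to Cloud DLP's credit card and SSN infoTypes, reimplemented in plain Python as an added example (this is not the DLP API and not code from the page; the scanned text is constructed and the infoType names are used only as labels).

```python
"""Content-aware detection of card numbers and SSNs, in the style of DLP infoTypes
(added example with constructed text; the real service also weighs context/likelihood)."""
import re


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit (subtract 9 if > 9),
    sum everything, and require the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, on word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# AAA-GG-SSSS with the area/group/serial values that are never issued excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_sensitive(text: str) -> list:
    """Return findings as dicts with infoType, start, end and the quoted match."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Format alone is not enough: only Luhn-valid numbers are reported as cards.
        if luhn_valid(digits):
            findings.append({"infoType": "CREDIT_CARD_NUMBER",
                             "start": m.start(), "end": m.end(), "quote": m.group()})
    for m in SSN_RE.finditer(text):
        findings.append({"infoType": "US_SOCIAL_SECURITY_NUMBER",
                         "start": m.start(), "end": m.end(), "quote": m.group()})
    return findings


def redact(text: str, findings: list) -> str:
    """Replace each finding with its infoType label (the de-identify action)."""
    out = text
    # Splice from the end so earlier offsets stay valid.
    for f in sorted(findings, key=lambda f: f["start"], reverse=True):
        out = out[:f["start"]] + "[" + f["infoType"] + "]" + out[f["end"]:]
    return out


# Constructed sample: one valid test card number, one SSN-shaped value, and a
# 16-digit value that fails the Luhn check and must not be reported.
SAMPLE_TEXT = (
    "Order #10042 paid with card 4111 1111 1111 1111, expiry 09/27.\n"
    "Applicant SSN 536-90-4399, phone 555-0142.\n"
    "Tracking id 4111 1111 1111 1112 is not a card (fails Luhn).\n"
)

if __name__ == "__main__":
    found = find_sensitive(SAMPLE_TEXT)
    for f in found:
        print(f"{f['infoType']} at {f['start']}-{f['end']}: {f['quote']}")
    print(redact(SAMPLE_TEXT, found))
```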

89 · Multi-Select · hard

Which THREE are required to achieve HIPAA compliance on Google Cloud?

A. Sign a Business Associate Agreement (BAA) with Google
B. Enable Cloud Audit Logs for tracking access to ePHI
C. Use only GCP services that are covered under the BAA
D. Use a dedicated project for all PHI workloads
E. Configure multi-factor authentication for all users
Answers: A, B, C

Correct: A BAA is required for HIPAA compliance.

Why this answer

Option A is correct because HIPAA requires covered entities and their business associates to have a written agreement that establishes the permitted and required uses of protected health information (PHI). Google Cloud provides a standard Business Associate Agreement (BAA) that customers must sign to contractually bind Google to HIPAA obligations, including safeguarding ePHI and reporting breaches. Without a signed BAA, Google is not legally liable as a business associate under HIPAA, making this a foundational requirement for compliance.

Exam trap

Google Cloud often tests the misconception that HIPAA requires dedicated infrastructure (like a separate project) or specific security controls (like MFA), when in fact HIPAA focuses on contractual agreements (BAA), data access logging, and using only services that are contractually covered under the BAA.

90 · MCQ · hard

An organization wants to ensure that Google Cloud services used by its employees cannot be used to exfiltrate data to a competitor's Google Cloud project. For example, they want to prevent copying data from their Cloud Storage bucket to a Storage bucket owned by a competitor. Which Google Cloud security control most directly prevents this type of insider data exfiltration?

A. IAM permissions that restrict users from accessing competitor projects
B. Cloud DLP, by scanning and redacting sensitive data before it can be stored
C. VPC Service Controls, which create a security perimeter around Google Cloud APIs so data cannot be moved to projects outside the defined perimeter
D. Organization Policy constraints that prevent resource creation in competitor accounts
Answer: C

VPC Service Controls are precisely designed for this. A service perimeter defines which projects can exchange data with each other. Even if a user has valid credentials, the API enforces that data cannot be read from inside the perimeter and written outside it — blocking the insider exfiltration pattern described.

Why this answer

VPC Service Controls (C) directly prevent data exfiltration by creating a security perimeter around Google Cloud APIs. This perimeter blocks any data movement to resources outside the defined perimeter, such as a competitor's Cloud Storage bucket, regardless of the user's IAM permissions. It works at the API layer, intercepting requests that attempt to copy data to an unauthorized project.

Exam trap

The trap here is that candidates often confuse IAM permissions with network-level controls, assuming that restricting IAM access to competitor projects is sufficient, but VPC Service Controls are the only mechanism that enforces a boundary at the API layer regardless of user identity.

How to eliminate wrong answers

Option A is wrong because IAM permissions control access to resources within a project, but they do not prevent a user with legitimate access to a source bucket from copying data to a destination bucket in a different project if the user has permissions on that destination. Option B is wrong because Cloud DLP scans and redacts sensitive data but does not block the transfer of data to an external project; it only modifies the content. Option D is wrong because Organization Policy constraints can restrict resource creation in competitor accounts, but they do not prevent data exfiltration from existing resources to already-created competitor projects.

91
Matching · medium

Match each Google Cloud data service to its primary function.



Managed relational database (MySQL, PostgreSQL, SQL Server)

Globally distributed, strongly consistent relational database

NoSQL document database for mobile and web apps

NoSQL wide-column database for large analytical workloads

Managed in-memory cache (Redis/Memcached)

Why these pairings

These are the primary managed database services in Google Cloud.

92
MCQ · medium

A company has employees who use personal (unmanaged) devices to access corporate applications. The security team wants to prevent sensitive Google Workspace documents from being downloaded to personal devices. Which Google control most directly addresses this data loss prevention requirement for device-based scenarios?

A.Cloud Armor, by blocking requests from IP addresses associated with personal devices
B.Google Workspace context-aware access and endpoint management controls that restrict actions (such as downloads) for users accessing from unmanaged personal devices
C.Enabling two-factor authentication for all users, which prevents unauthorized access
D.Encrypting all Google Drive files so they cannot be read on personal devices
Answer: B

Google Workspace provides device-level context-aware access. Organizations can define policies that restrict capabilities based on device enrollment status — allowing read-only web access on unmanaged devices while blocking downloads, or requiring device enrollment to access sensitive content.

Why this answer

Option B is correct because Google Workspace context-aware access combined with endpoint management allows administrators to create access level policies that restrict specific actions—such as downloading, printing, or copying—based on device trust signals. When a user accesses Google Workspace from an unmanaged personal device, the policy can block the download of sensitive documents directly, addressing the data loss prevention requirement at the action level rather than just the access level.

Exam trap

The trap here is that candidates often confuse network-level controls (like Cloud Armor) or authentication controls (like 2FA) with device-level data loss prevention, failing to recognize that only context-aware access with endpoint management can enforce granular action restrictions based on device trust status.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a network security service that filters traffic at the edge based on IP addresses or geographic regions, but it cannot distinguish between managed and unmanaged devices or control application-level actions like downloads within Google Workspace. Option C is wrong because two-factor authentication (2FA) only verifies user identity at login; it does not enforce device-based restrictions or prevent a legitimate authenticated user from downloading sensitive documents to a personal device. Option D is wrong because encrypting Google Drive files protects data at rest and in transit, but it does not prevent a user with valid decryption keys from downloading and saving those files to an unmanaged device; encryption alone does not enforce download policies.

93
MCQ · easy

An organization wants to use Google Cloud for processing healthcare data subject to HIPAA regulations in the United States. Which contractual document must the organization obtain from Google before storing Protected Health Information (PHI) in Google Cloud?

A.A Non-Disclosure Agreement (NDA) to prevent Google from disclosing the existence of the healthcare application
B.A Business Associate Agreement (BAA), which is legally required by HIPAA before any covered entity can process Protected Health Information with a cloud provider
C.A Data Processing Agreement (DPA) as required under GDPR for European data subjects
D.An ISO 27001 certificate issued by Google Cloud demonstrating information security compliance
Answer: B

The BAA is non-negotiable for HIPAA compliance. Google Cloud offers a BAA that covers specific services for HIPAA workloads. Without a BAA in place, any PHI stored in Google Cloud constitutes a HIPAA violation — technical security controls alone do not satisfy the legal requirement.

Why this answer

Under HIPAA, a covered entity or business associate must obtain a Business Associate Agreement (BAA) from any cloud service provider that will create, receive, maintain, or transmit Protected Health Information (PHI). Google Cloud offers a BAA that contractually binds Google to comply with HIPAA Security and Privacy Rules, including safeguarding PHI and reporting breaches. Without a signed BAA, storing PHI in Google Cloud would violate HIPAA regulations.

Exam trap

The trap here is that candidates confuse a generic data protection document (like a DPA or NDA) with the HIPAA-specific BAA, or mistakenly believe that a security certification alone satisfies the contractual requirement for handling PHI.

How to eliminate wrong answers

Option A is wrong because a Non-Disclosure Agreement (NDA) only prevents disclosure of confidential information, but it does not impose the specific HIPAA-required safeguards, breach notification obligations, or permitted use restrictions that a BAA provides. Option C is wrong because a Data Processing Agreement (DPA) is mandated under GDPR for processing personal data of European data subjects, not for HIPAA compliance in the United States; HIPAA requires a BAA, not a DPA. Option D is wrong because an ISO 27001 certificate demonstrates that Google Cloud has an information security management system, but it is a certification, not a contractual document, and does not fulfill the HIPAA requirement for a signed BAA that includes specific privacy and security provisions.

94
MCQ · hard

A regulated financial services firm must ensure that its data never leaves a specific geographic region (EU) for compliance with GDPR data residency requirements. Which Google Cloud features help enforce this requirement?

A.Select EU regions for all resources and apply the `gcp.resourceLocations` org policy to restrict resource creation to EU regions only.
B.Enable Cloud Armor on all load balancers to block non-EU traffic.
C.Use HTTPS for all connections to ensure data is encrypted when it leaves the EU.
D.Enable Google Workspace's regional storage settings to restrict where emails are stored.
Answer: A

Selecting EU regions keeps data at rest in the EU. The `gcp.resourceLocations` org policy prevents accidental creation of resources in non-EU regions, enforcing data residency at the policy level.

Why this answer

Option A is correct because the `gcp.resourceLocations` organization policy constraint explicitly restricts the physical location where Google Cloud resources can be created. By setting this policy to allow only EU regions, the organization ensures that no compute, storage, or database resources can be provisioned outside the EU, directly enforcing GDPR data residency requirements. This policy is evaluated at resource creation time and applies to all projects under the organization, providing a hard enforcement boundary.

Exam trap

Cisco often tests the distinction between network-level controls (like Cloud Armor) and data residency controls (like org policies), leading candidates to mistakenly choose a security tool that blocks traffic rather than a policy that restricts resource location.

How to eliminate wrong answers

Option B is wrong because Cloud Armor is a web application firewall that filters HTTP/S traffic based on IP addresses or geo-location, but it does not prevent data from being stored or processed outside the EU; it only controls incoming network requests, not where data resides. Option C is wrong because HTTPS encrypts data in transit, but encryption does not control the geographic location of data at rest or processing; data can still leave the EU while encrypted, violating residency requirements. Option D is wrong because Google Workspace's regional storage settings apply only to Workspace data (e.g., Gmail, Drive), not to the customer's own applications or data stored in Google Cloud services like Compute Engine or Cloud Storage, and the question is about a regulated financial services firm using Google Cloud, not Workspace.

95
MCQ · hard

A financial services company is designing a multi-cloud architecture with Google Cloud and AWS. They need to encrypt data at rest in Google Cloud using a key stored in their on-premises Hardware Security Module (HSM). What is the best approach?

A.Use default encryption
B.Use Cloud External Key Manager (Cloud EKM)
C.Use Cloud HSM
D.Use Cloud Key Management Service (Cloud KMS) with CMEK
Answer: B

Cloud EKM integrates with external key management systems, including on-prem HSMs, to provide encryption at rest.

Why this answer

Cloud External Key Manager (Cloud EKM) is the correct approach because it allows you to manage encryption keys in an external key management system, such as an on-premises HSM, while using those keys to encrypt data at rest in Google Cloud. This meets the requirement of storing the key in the on-premises HSM, as Cloud EKM integrates with supported external key management partners or directly with your HSM via a key management proxy, ensuring that Google Cloud never has direct access to the raw key material.

Exam trap

The trap here is that candidates often confuse Cloud HSM (which provides hardware-backed keys but within Google's infrastructure) with the ability to use an external on-premises HSM, leading them to select Cloud HSM instead of Cloud EKM.

How to eliminate wrong answers

Option A is wrong because default encryption uses Google-managed keys, which do not allow you to control or store the key in your on-premises HSM. Option C is wrong because Cloud HSM is a Google Cloud service that provides hardware-backed key storage within Google's infrastructure, not in your on-premises HSM, so it does not satisfy the requirement of using a key stored on-premises. Option D is wrong because Cloud KMS with CMEK allows you to manage your own keys, but those keys are stored in Google Cloud (either in Cloud KMS software or Cloud HSM), not in an external on-premises HSM, and CMEK does not support direct integration with external key stores.

96
Drag & Drop · medium

Drag and drop the steps to configure a load balancer for an HTTP application on Compute Engine into the correct order.



Why this order

The correct order is: instance group, health check, backend service, URL map, then target proxy and forwarding rule.

97
MCQ · easy

A company's security team wants to be alerted when someone with administrative permissions changes an IAM policy in their Google Cloud organization. Which Google Cloud capability enables this detection?

A.Data Access audit logs, which record when data is read from Cloud Storage buckets
B.Admin Activity audit logs combined with Cloud Monitoring log-based alerting, which records and alerts on IAM policy modifications by any principal
C.Cloud Armor, which blocks unauthorized IAM policy changes at the network layer
D.VPC flow logs, which capture all network traffic including IAM API calls
Answer: B

Admin Activity audit logs record all IAM policy changes (SetIamPolicy calls) automatically and cannot be disabled. A log-based metric in Cloud Monitoring can count these events, and an alerting policy triggers a notification whenever an IAM change is detected. This is the standard approach for IAM change monitoring.

Why this answer

Admin Activity audit logs record all changes to IAM policies and other configuration changes in Google Cloud. By combining these logs with Cloud Monitoring log-based alerting, the security team can create a specific alert that triggers whenever an IAM policy is modified by a principal with administrative permissions, enabling real-time detection of unauthorized changes.

Exam trap

Cisco often tests the distinction between audit log types (Admin Activity vs. Data Access) and the specific services that handle control-plane vs. data-plane operations, leading candidates to mistakenly choose Data Access logs or VPC flow logs for IAM policy changes.

How to eliminate wrong answers

Option A is wrong because Data Access audit logs record read/write operations on user-provided data (e.g., Cloud Storage objects), not IAM policy modifications, which are configuration changes. Option C is wrong because Cloud Armor is a web application firewall that protects against network-layer attacks like DDoS and SQL injection; it does not monitor or block IAM policy changes, which are control-plane operations. Option D is wrong because VPC flow logs capture metadata about network traffic (e.g., source/destination IP, ports, protocols) but do not log IAM API calls, which are control-plane operations logged separately in Admin Activity audit logs.
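As an added example (not code from the original page), the detection described above run over constructed Admin Activity entries: LOG_FILTER is the Cloud Logging filter a log-based metric for SetIamPolicy would use, and the sample entries, the "example-proj" placeholder and the HIGH_RISK_ROLES set are assumptions.

```python
"""Detection of IAM policy changes in Admin Activity audit logs.

Added example, not code from the original page. The entries below are
constructed to mirror the shape of Cloud Audit Log entries for SetIamPolicy,
trimmed to the fields this detector reads.
"""

# Cloud Logging filter that a log-based metric for this detection would use.
# Admin Activity entries are written to the "activity" log and cannot be disabled.
LOG_FILTER = (
    'logName:"cloudaudit.googleapis.com%2Factivity" AND '
    'protoPayload.methodName="SetIamPolicy"'
)

# Roles whose grant should page someone immediately (assumed list).
HIGH_RISK_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}

# Constructed sample entries (not real log data); "example-proj" is a placeholder.
SAMPLE_ENTRIES = [
    {   # an Owner grant made by an admin: must alert
        "timestamp": "2024-05-01T08:15:00Z",
        "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.7"},
            "resourceName": "projects/example-proj",
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/owner", "member": "user:bob@example.com"},
            ]}},
        },
    },
    {   # an ordinary VM creation: Admin Activity, but not an IAM change
        "timestamp": "2024-05-01T08:16:00Z",
        "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "methodName": "v1.compute.instances.insert",
            "authenticationInfo": {"principalEmail": "dev@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.8"},
            "resourceName": "projects/example-proj/zones/europe-west1-b/instances/web-1",
        },
    },
]


def is_iam_policy_change(entry: dict) -> bool:
    """True for Admin Activity entries that record a SetIamPolicy call."""
    activity = entry.get("logName", "").endswith("cloudaudit.googleapis.com%2Factivity")
    return activity and entry.get("protoPayload", {}).get("methodName") == "SetIamPolicy"


def iam_change_alerts(entries: list) -> list:
    """One alert per IAM policy change, with who/where/what and a high-risk flag."""
    alerts = []
    for entry in entries:
        if not is_iam_policy_change(entry):
            continue
        payload = entry["protoPayload"]
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        alerts.append({
            "time": entry.get("timestamp"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
            "resource": payload.get("resourceName"),
            "changes": [f"{d['action']} {d['member']} -> {d['role']}" for d in deltas],
            # A new binding to a privileged role is the pattern worth paging on.
            "high_risk": any(d.get("action") == "ADD" and d.get("role") in HIGH_RISK_ROLES
                             for d in deltas),
        })
    return alerts


if __name__ == "__main__":
    for alert in iam_change_alerts(SAMPLE_ENTRIES):
        print(alert)
```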

98
Multi-Select · hard

Which THREE practices are recommended for securing a Kubernetes cluster in Google Kubernetes Engine (GKE)?

Select 3 answers
A.Use Binary Authorization to ensure only trusted container images are deployed
B.Enable node auto-repair to automatically fix security vulnerabilities in nodes
C.Enable GKE Sandbox for untrusted workloads to provide an additional layer of isolation
D.Expose the cluster control plane via a public endpoint to allow monitoring
E.Enable Workload Identity to manage access to Google Cloud APIs
Answers: A, C, E

Binary Authorization enforces deployment signing.

Why this answer

Binary Authorization is correct because it enforces deployment-time policy validation, ensuring that only container images signed by trusted authorities (e.g., via KMS) are allowed to run in GKE. This prevents the deployment of untrusted or tampered images, directly addressing supply chain security.

Exam trap

Google Cloud often tests the distinction between operational features (like node auto-repair) and security features: candidates mistakenly assume auto-repair patches vulnerabilities, when it only restores node health rather than applying security updates.

99
MCQ · hard

A multinational corporation operates a hybrid cloud environment with on-premises data centers connected to Google Cloud via Dedicated Interconnect. The company uses Cloud Storage to store sensitive financial data and has enabled Cloud Audit Logs for admin activities. Recently, the security team noticed that an unknown actor accessed a bucket containing customer personally identifiable information (PII). The access occurred from an IP address outside the corporate network. The security team suspects that an employee's Google Cloud credentials were compromised. They need to investigate the incident thoroughly and determine the extent of the breach. The company has enabled VPC Flow Logs, but they are not sure how to correlate the audit logs with network flows. They also want to ensure that similar incidents are prevented in the future. What should the security team do first to investigate the incident?

A.Immediately revoke all service account keys and reissue them, then reset all user passwords.
B.Enable Cloud IDS to detect similar attacks and block the malicious IP address.
C.Use Cloud Logging to analyze Cloud Audit Logs and identify the user who accessed the bucket and the associated context.
D.Export VPC Flow Logs to BigQuery and analyze for the attacker's IP address.
Answer: C

Cloud Audit Logs record all resource access and are the primary source for investigating unauthorized access.

Why this answer

Option C is correct because the first step is to analyze Cloud Audit Logs to identify which identities accessed the bucket and from where. This provides the primary leads for the investigation. Option B is wrong because Cloud IDS detects network threats but does not provide historical logs of who accessed a bucket.

Option A is wrong because revoking keys assumes the compromise was via keys, but the incident involves user credentials, not service account keys. Option D is wrong because VPC Flow Logs show network traffic but do not identify the user or API calls.
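As an added example (not code from the original page), the first investigative step above carried out over constructed Data Access audit log entries: find which identities touched the bucket, then bound the breach by listing everything that identity did from non-corporate IPs. Object reads land in Data Access audit logs, which must be enabled for Cloud Storage; the entries, bucket names and the CORPORATE_RANGES allow-list are assumptions.

```python
"""Triage of a suspected credential compromise from Cloud Audit Log entries.

Added example, not code from the original page. The entries below are
constructed to mirror the shape of Cloud Storage Data Access audit log
entries; CORPORATE_RANGES is an assumed allow-list of corporate egress IPs.
"""
import ipaddress
from collections import defaultdict

# Assumed corporate egress ranges (RFC 5737 documentation addresses).
CORPORATE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample Data Access entries (not real log data).
SAMPLE_ENTRIES = [
    {"timestamp": "2024-05-02T02:10:00Z",
     "protoPayload": {"methodName": "storage.objects.get",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "requestMetadata": {"callerIp": "203.0.113.50"},
                      "resourceName": "projects/_/buckets/customer-pii/objects/records.csv"}},
    {"timestamp": "2024-05-02T02:11:00Z",
     "protoPayload": {"methodName": "storage.objects.list",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "requestMetadata": {"callerIp": "203.0.113.50"},
                      "resourceName": "projects/_/buckets/finance-reports"}},
    {"timestamp": "2024-05-02T09:00:00Z",  # normal access from the office
     "protoPayload": {"methodName": "storage.objects.get",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "requestMetadata": {"callerIp": "198.51.100.12"},
                      "resourceName": "projects/_/buckets/team-docs/objects/notes.txt"}},
]


def is_corporate(ip: str) -> bool:
    """True when the caller IP falls inside a known corporate egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def bucket_of(resource_name: str) -> str:
    """Extract the bucket name from a Cloud Storage audit log resourceName."""
    parts = resource_name.split("/")
    return parts[parts.index("buckets") + 1] if "buckets" in parts else resource_name


def who_touched(entries: list, bucket: str) -> list:
    """(principal, callerIp) pairs that accessed the bucket: the first lead."""
    hits = set()
    for entry in entries:
        payload = entry["protoPayload"]
        if bucket_of(payload["resourceName"]) == bucket:
            hits.add((payload["authenticationInfo"]["principalEmail"],
                      payload["requestMetadata"]["callerIp"]))
    return sorted(hits)


def breach_scope(entries: list, principal: str) -> dict:
    """Everything the suspect identity did from non-corporate IPs, grouped by IP."""
    scope = defaultdict(list)
    for entry in sorted(entries, key=lambda e: e["timestamp"]):
        payload = entry["protoPayload"]
        if payload["authenticationInfo"]["principalEmail"] != principal:
            continue
        ip = payload["requestMetadata"]["callerIp"]
        if is_corporate(ip):
            continue  # expected location; not part of the suspicious activity
        scope[ip].append((entry["timestamp"], payload["methodName"],
                          bucket_of(payload["resourceName"])))
    return dict(scope)


if __name__ == "__main__":
    leads = who_touched(SAMPLE_ENTRIES, "customer-pii")
    print("accessed customer-pii:", leads)
    for principal, _ in leads:
        print(principal, "did from outside:", breach_scope(SAMPLE_ENTRIES, principal))
```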

100
MCQ · easy

A small IT team needs to grant developers the ability to deploy instances in a project but not delete them. Which IAM best practice should they use?

A.Create a custom role with compute.instances.insert and compute.instances.delete permissions.
B.Assign all developers the primitive role of Editor.
C.Use organization policy to restrict deletion of compute instances.
D.Create a service account for each developer and grant it the compute.instanceAdmin role.
Answer: D

Service accounts are not intended for human users; key management is burdensome.

Why this answer

Option D is correct because creating a service account for each developer and granting the `compute.instanceAdmin` role provides the precise permissions needed to deploy instances (via `compute.instances.insert`) without granting the ability to delete them (the `compute.instanceAdmin` role does not include `compute.instances.delete`). This follows the IAM best practice of least privilege, ensuring developers can perform only the required actions.

Exam trap

Google Cloud often tests the misconception that organization policies can replace IAM roles for user-level permission control, but organization policies are for resource constraints, not identity-based access control.

How to eliminate wrong answers

Option A is wrong because creating a custom role with both `compute.instances.insert` and `compute.instances.delete` permissions explicitly grants the delete capability, which violates the requirement to prevent deletion. Option B is wrong because the primitive role of Editor includes broad permissions that allow deleting compute instances, as well as many other resources, which is excessive and insecure. Option C is wrong because organization policies (e.g., constraints/compute.restrictDelete) can restrict deletion at the organization or folder level, but they apply to all users and cannot selectively allow deletion for some developers while blocking it for others; they are not a substitute for IAM roles.

101
MCQ · medium

Refer to the exhibit. The IAM policy is applied at the project level. The bucket 'sensitive-data' exists and contains objects. What is the effective access for user alice@example.com?

A.Alice can view objects in all buckets including sensitive-data.
B.Alice can view objects only in non-sensitive buckets, and can view objects in sensitive-data only after 9 AM due to condition.
C.Alice can view objects in all buckets except sensitive-data.
D.Alice can view and modify objects in all buckets.
Answer: A

Alice has the objectViewer role on the project with no condition, so she can list and read objects in any bucket.

Why this answer

The IAM policy grants the 'roles/storage.objectViewer' role to user alice@example.com at the project level. This role allows listing and reading objects in all buckets within the project, including 'sensitive-data'. The condition 'request.time < 9:00 AM' is a denial condition that only applies to the 'sensitive-data' bucket, but because the policy is applied at the project level and the condition is not met (the request is made after 9 AM), the deny effect does not apply, so Alice retains full view access to all buckets.

Exam trap

Google Cloud often tests the nuance that IAM conditions can be used to deny access only when a specific condition is met, and candidates mistakenly assume that any condition automatically restricts access, ignoring that the condition must evaluate to true for the deny to take effect.

How to eliminate wrong answers

Option B is wrong because the condition 'request.time < 9:00 AM' is a deny condition that would block access only if the request occurred before 9 AM; since the scenario does not specify a time, the default assumption is that the request is made at a time when the condition is not met, so Alice can view objects in sensitive-data at any time. Option C is wrong because the IAM policy grants the objectViewer role at the project level, which applies to all buckets, including sensitive-data, unless explicitly denied by a more specific policy; no such denial exists here. Option D is wrong because the assigned role is 'roles/storage.objectViewer', which only allows read (view) access, not write or modify access; modifying objects would require roles like 'roles/storage.objectAdmin' or 'roles/storage.objectCreator'.
