CCNA Design for security and compliance Questions

74 questions · Design for security and compliance · All types, answers revealed

1
MCQ · hard

A healthcare organization stores Protected Health Information (PHI) in Cloud SQL. They have implemented encryption at rest using CMEK and enforce TLS for all connections. To meet HIPAA compliance, they need to ensure that PHI cannot be exfiltrated from the Cloud SQL instance even if an application is compromised. The Cloud SQL instance is accessed by Compute Engine instances in the same VPC using private IPs. The security team wants to add an additional layer of defense against data exfiltration. What should they do?

A. Deploy Cloud Armor and apply a WAF rule to block suspicious traffic to the Cloud SQL instance.
B. Use the Cloud SQL Auth proxy from all applications to enforce IAM-based authentication.
C. Configure VPC Service Controls with a service perimeter that includes the Cloud SQL instance and uses Private Service Connect.
D. Enable customer-managed encryption keys (CMEK) on the Cloud SQL instance.
Answer: C

VPC SC restricts data access to authorized networks and prevents exfiltration via internet.

Why this answer

Option C is correct because using VPC Service Controls with Private Service Connect for Cloud SQL creates a service perimeter that prevents data from being exfiltrated beyond the allowed network. Option B is wrong because the Cloud SQL Auth proxy provides authentication but does not prevent exfiltration. Option D is wrong because CMEK protects data at rest; it does nothing to stop exfiltration.

Option A is wrong because Cloud Armor protects HTTP(S) load balancers, not Cloud SQL connections.

2
MCQ · hard

The firewall rule 'allow-ssh' was not created. According to the audit log, what is the most likely reason?

A. The user is not authenticated.
B. The user has the compute.securityAdmin role but not compute.firewalls.create.
C. The user does not have the compute.firewalls.create permission.
D. The firewall rule already exists and cannot be duplicated.
Answer: C

AuthorizationInfo shows granted: false for that permission.

Why this answer

The authorizationInfo indicates that the permission compute.firewalls.create was granted: false, meaning the user lacked that permission. Option A is incorrect because the log shows an authenticated principal, admin@example.com. Option D is incorrect because the log records an insert that failed with permission denied, not a duplicate-resource error.

Option B is incorrect because the log shows the specific permission being denied, not which roles the user holds.

3
MCQ · medium

A financial services company runs a multi-tier application on Compute Engine. They need to restrict network access so that only the web tier can communicate with the application tier, and only the application tier can access the database tier. All VMs are in the same VPC network. What is the most secure way to implement this?

A. Use Identity-Aware Proxy (IAP) to manage network access between tiers.
B. Use VPC firewall rules with target tags to allow traffic between specific tiers.
C. Create separate VPC networks for each tier and use VPC peering.
D. Assign a unique service account to each tier and use IAM conditions to restrict traffic.
Answer: B

VPC firewall rules with tags are the simplest and most secure way to enforce network segmentation within a VPC.

Why this answer

VPC firewall rules with target tags allow you to precisely control ingress and egress traffic between VM instances based on their assigned tags. By tagging web tier VMs with a tag like 'web-tier' and application tier VMs with 'app-tier', you can create a firewall rule that allows traffic from 'web-tier' to 'app-tier' on the required port (e.g., TCP 8080) and another rule allowing traffic from 'app-tier' to 'db-tier' on the database port (e.g., TCP 3306). This approach enforces the principle of least privilege within a single VPC network without introducing unnecessary complexity or breaking network isolation.

Exam trap

The trap here is that candidates often confuse IAM conditions or service accounts with network-layer access control, or they overcomplicate the solution by suggesting separate VPC networks when the simplest and most secure method within a single VPC is using firewall rules with target tags.

How to eliminate wrong answers

Option A is wrong because Identity-Aware Proxy (IAP) is designed for user-level authentication and authorization to access applications and VMs via HTTPS or SSH/RDP tunnels, not for controlling network traffic between VM tiers within a VPC. Option C is wrong because creating separate VPC networks for each tier and using VPC peering would allow all traffic between the peered networks unless additional firewall rules are applied, and it adds unnecessary complexity; the question explicitly states all VMs are in the same VPC network, making this approach less secure and more complex than using tags. Option D is wrong because service accounts and IAM conditions control API-level permissions (e.g., who can create or delete resources), not network-layer traffic between VM instances; they cannot restrict which VMs can communicate with each other over the network.

4
Multi-Select · hard

Which THREE services can be used to audit changes to resources in a Google Cloud project?

Select 3 answers
A. Security Command Center
B. Cloud Monitoring
C. Cloud Asset Inventory
D. Cloud Endpoints
E. Cloud Audit Logs
Answers: A, C, E

SCC provides event findings and anomaly detection for changes.

Why this answer

Cloud Audit Logs record admin activities; Cloud Asset Inventory tracks resource changes; Security Command Center provides findings and event monitoring. Option B (Cloud Monitoring) is for runtime visibility; Option D (Cloud Endpoints) does not audit resource changes.

5
MCQ · medium

An e-commerce platform uses Cloud SQL for MySQL to store user profiles and order history. The security team wants to ensure that database administrators (DBAs) cannot view plaintext credit card numbers stored in the database. They also want to minimize application changes. What should they do?

A. Implement column-level encryption using Cloud KMS in the application layer.
B. Grant DBAs the Cloud SQL Viewer role to restrict access to data.
C. Use Cloud SQL Proxy to encrypt connections and limit DBA access.
D. Use Cloud DLP with de-identification and re-identification transforms on the Cloud SQL database.
Answer: D

Cloud DLP can automatically detect and tokenize sensitive data, with re-identification for authorized apps.

Why this answer

Cloud DLP can be used to de-identify sensitive data like credit card numbers at rest in Cloud SQL, using deterministic or reversible transformations (e.g., format-preserving encryption or tokenization) that allow re-identification only by authorized applications. This approach minimizes application changes because DLP can scan and transform the data directly in the database, and the application can use re-identification transforms via the DLP API when needed, without modifying existing queries or schema.

Exam trap

The trap here is that candidates often confuse Cloud DLP's de-identification capabilities with simple encryption or access control, assuming that encrypting connections (Cloud SQL Proxy) or restricting IAM roles (Cloud SQL Viewer) protects data at rest from privileged users.

How to eliminate wrong answers

Option A is wrong because implementing column-level encryption in the application layer would require significant application code changes to encrypt and decrypt data, contradicting the requirement to minimize application changes. Option B is wrong because the Cloud SQL Viewer role only grants read-only access to instance metadata and logs, not to the actual data in the database; it does not prevent DBAs from querying tables directly if they have database-level access. Option C is wrong because Cloud SQL Proxy only encrypts connections in transit and does not restrict DBA access to the data at rest; DBAs can still connect and view plaintext credit card numbers.

6
MCQ · easy

After executing the command, a security review reveals that the service account sa-bucket-reader can also list buckets in the project, which was not intended. What is the most likely cause?

A. The etag was incorrect, causing a concurrent modification.
B. The service account has a project-level role that includes storage.list.
C. The policy update failed due to a missing condition.
D. The service account also has bucket-level IAM roles.
Answer: B

Project-level roles like roles/storage.objectAdmin or roles/viewer include storage.buckets.list.

Why this answer

The etag in the policy file was used, but the command replaces the entire policy. If the previous policy had a role like roles/storage.objectAdmin or roles/viewer that included bucket listing, and the new policy only set objectViewer, the service account might still have inherited permissions from a higher-level role (e.g., at project level). Option D is incorrect because there is no bucket-level IAM applied here.

Option A is incorrect because the policy was updated successfully. Option C is incorrect because the service account is in the same project.

7
Multi-Select · medium

Which TWO of the following are valid methods to enforce data residency at rest in Google Cloud?

Select 2 answers
A. Use a VPC Service Controls perimeter with restricted API access.
B. Use Cloud VPN to encrypt data in transit.
C. Set bucket locations at creation time and use Object Lifecycle Management to prevent cross-region replication.
D. Configure Organization Policies to restrict resource locations via the `gcp.resource-locations` constraint.
E. Enable the Data Loss Prevention (DLP) API to mask sensitive data.
Answers: C, D

Setting bucket location and disabling replication ensures data remains in the chosen region.

8
Multi-Select · hard

Which THREE are valid methods to protect sensitive data in BigQuery?

Select 3 answers
A. Enable customer-managed encryption keys (CMEK) to encrypt sensitive columns.
B. Apply Cloud DLP de-identification transforms during data ingestion.
C. Create authorized views that query only non-sensitive columns.
D. Use BigQuery column-level security to restrict access to sensitive columns.
E. Use IAM roles to grant access at the dataset level, which automatically masks sensitive data.
Answers: B, C, D

Cloud DLP can automatically de-identify data before loading into BigQuery.

Why this answer

Cloud DLP de-identification transforms can be applied during data ingestion to automatically mask, tokenize, or redact sensitive data before it is stored in BigQuery. This ensures that sensitive information is protected at rest and is not accessible to unauthorized users, aligning with data security best practices.

Exam trap

The trap here is that candidates often confuse encryption (CMEK) with data masking or de-identification, assuming that encrypting the entire dataset protects sensitive columns, when in fact column-level security or DLP transforms are required for granular protection.

9
MCQ · hard

A company is using Cloud SQL with automatic backups enabled. They want to ensure that backups are encrypted with a customer-managed key (CMEK) and that the key used for backups is different from the one used for the database itself. How can they achieve this?

A. When creating the Cloud SQL instance, specify a CMEK for the database using 'root.encryptionKeyName' and a different CMEK for backups using 'backup.encryptionKeyName'.
B. Create a Cloud KMS key ring with two keys, and use one key for the database and the other for backups, but Cloud SQL does not support separate keys.
C. Use the same CMEK for both the database and backups, as separate keys are not supported.
D. Enable CMEK on the Cloud SQL instance, and the backups will automatically use the same key.
Answer: A

Cloud SQL API allows separate encryption keys for the database and backups.

Why this answer

Option A is correct because Cloud SQL allows you to specify a CMEK for the database and a separate CMEK for backups via the 'backup.encryptionKeyName' setting when creating the instance or later via patch. Option D is wrong because it assumes one master key wraps both; the backup key has to be set separately to use two different CMEKs for the same instance. Option B is wrong because CMEK is supported, but you need to set the backup key separately.

Option C is wrong because you can specify a different key for backups in the Cloud SQL API.

10
MCQ · medium

A company stores sensitive customer data in Cloud Storage buckets. They want to ensure that access to these buckets is only allowed from within their VPC network. Which configuration should they use?

A. Bucket IAM policies with a condition on the service account
B. Cloud Armor WAF rules
C. Private Google Access for on-premises
D. VPC Service Controls with a service perimeter
Answer: D

Restricts access to authorized VPCs and prevents data exfiltration.

Why this answer

VPC Service Controls can restrict access to Cloud Storage to authorized VPC networks, preventing data exfiltration and public internet access. IAM alone does not enforce network restrictions; Private Google Access is for on-prem; Cloud Armor is for HTTP LB.

11
MCQ · hard

A healthcare organization uses Cloud Storage to store protected health information (PHI). They have a compliance requirement to ensure that all objects in the bucket are encrypted with a customer-managed key (CMK) that is rotated every 90 days. They also need to log all access to the bucket and detect anomalous access patterns. Which combination of Google Cloud services should they use?

A. Cloud Storage with default encryption, Cloud Audit Logs, and Security Command Center
B. Cloud Storage with CMEK via Cloud HSM, Cloud Audit Logs, and Cloud DLP
C. Cloud Storage with CSEK, Cloud Audit Logs, and Security Command Center
D. Cloud Storage with CMEK via Cloud KMS, Cloud Audit Logs, and Chronicle
Answer: D

CMEK uses Cloud KMS for key management, Cloud Audit Logs for logging, and Chronicle for anomaly detection.

Why this answer

Option D is correct because Cloud Storage with CMEK via Cloud KMS allows the organization to use a customer-managed key that can be rotated every 90 days, meeting the compliance requirement. Cloud Audit Logs capture all access to the bucket, and Chronicle provides advanced security analytics to detect anomalous access patterns, fulfilling the logging and detection needs.

Exam trap

The trap here is confusing the key management options (CMEK vs. CSEK vs. default encryption) and the security analytics tools (Security Command Center vs. Chronicle), where candidates often pick Security Command Center for anomaly detection when Chronicle is specifically designed for log-based threat detection.

How to eliminate wrong answers

Option A is wrong because default encryption uses Google-managed keys, not a customer-managed key (CMK), and Security Command Center provides vulnerability scanning but not the specific anomalous access pattern detection required. Option B is wrong because Cloud HSM is a hardware security module service for key management, but the question specifies CMEK via Cloud KMS, and Cloud DLP is for data loss prevention, not for logging or detecting anomalous access patterns. Option C is wrong because CSEK (customer-supplied encryption keys) requires the customer to manage the key material directly, which does not support automatic rotation every 90 days as needed, and Security Command Center is not designed for real-time anomalous access pattern detection like Chronicle.

12
MCQ · hard

An organization has set the IAM policy constraint 'constraints/iam.allowedPolicyMemberDomains' with the values shown. Which of the following users can be granted an IAM role on a project in this organization?

A. service-account@project-id.iam.gserviceaccount.com
B. external@otherdomain.com
C. admin@another-customer-domain.com
D. user@example.com
Answer: A, D

Service accounts within the organization are allowed.

Why this answer

The constraint 'constraints/iam.allowedPolicyMemberDomains' restricts IAM role grants to members from specified domains. The value 'gserviceaccount.com' is implicitly allowed for service accounts because they are managed by Google and are not subject to domain restrictions. Therefore, service-account@project-id.iam.gserviceaccount.com can be granted an IAM role on a project in this organization.

Exam trap

Google Cloud often tests the misconception that all service accounts are exempt from domain restrictions, but only Google-managed service accounts (those ending in 'gserviceaccount.com') are exempt; customer-managed service accounts from other domains are still subject to the constraint.

How to eliminate wrong answers

Option B is wrong because 'external@otherdomain.com' is from a domain not listed in the constraint, and the constraint explicitly denies granting roles to users from unlisted domains. Option C is wrong because 'admin@another-customer-domain.com' is from a domain that is not allowed by the constraint, and the constraint applies to all IAM members except Google-managed service accounts.

13
Multi-Select · hard

An organization is implementing a data loss prevention (DLP) strategy for sensitive data stored in Cloud Storage. They want to automatically detect and redact credit card numbers in CSV files uploaded to a specific bucket. Which TWO Google Cloud services should they combine to achieve this?

Select 2 answers
A. Cloud Dataflow
B. Cloud Run
C. Cloud DLP
D. Cloud Functions
E. BigQuery
Answers: C, D

Cloud DLP provides inspection and redaction of sensitive data types like credit card numbers.

Why this answer

Cloud DLP (option C) is correct because it provides native content inspection and de-identification (redaction) of sensitive data like credit card numbers using built-in infoType detectors. Cloud Functions (option D) is correct because it can be triggered by Cloud Storage events (e.g., finalize/create) to invoke the DLP API on newly uploaded CSV files, enabling serverless, event-driven processing without managing infrastructure.

Exam trap

The trap here is that candidates may choose Cloud Dataflow (option A) thinking it is required for large-scale DLP processing, but the question specifies 'uploaded to a specific bucket' which implies per-file, event-driven processing where Cloud Functions is the simpler and correct serverless choice.

14
Multi-Select · medium

Which TWO controls should a financial services company implement to comply with the PCI DSS requirement related to protecting cardholder data stored in Cloud SQL? (Choose two.)

Select 2 answers
A. Use Cloud DLP to redact cardholder data in logs.
B. Enable Cloud Audit Logs to monitor access to the database.
C. Enable Cloud SQL encryption with Customer-Managed Encryption Keys (CMEK).
D. Configure VPC Service Controls to restrict egress from the Cloud SQL instance.
E. Implement column-level encryption for PAN fields before inserting into the database.
Answers: C, E

CMEK ensures data is encrypted at rest with a key managed by the organization.

Why this answer

Options C and E are correct. PCI DSS Requirement 3.4 requires rendering cardholder data unreadable via encryption. Cloud SQL supports CMEK for encryption at rest, and column-level encryption ensures only encrypted data is stored.

Option D is wrong because VPC Service Controls prevent exfiltration but do not encrypt data. Option A is wrong because DLP can redact data but does not replace encryption for stored data. Option B is wrong because Cloud Audit Logs are for monitoring, not protection.

15
MCQ · easy

A company wants to ensure that only Compute Engine instances with a specific service account can access a Cloud Storage bucket. Which IAM condition should they use?

A. Condition: 'request.auth == "serviceAccount:sa@project.iam.gserviceaccount.com"'
B. Condition: 'origin.serviceAccount == "sa@project.iam.gserviceaccount.com"'
C. Condition: 'resource.serviceAccount == "sa@project.iam.gserviceaccount.com"'
D. Condition: 'iam.serviceAccount == "sa@project.iam.gserviceaccount.com"'
Answer: D

The condition 'iam.serviceAccount' matches the service account used by the caller.

Why this answer

Option D is correct because the `iam.serviceAccount` condition attribute in IAM conditions allows you to restrict access based on the service account identity of the caller. When a Compute Engine instance uses a service account, the condition `iam.serviceAccount == "sa@project.iam.gserviceaccount.com"` ensures that only requests authenticated with that specific service account are allowed to access the Cloud Storage bucket. This is the standard IAM condition attribute for matching the service account of the requesting principal.

Exam trap

The trap here is confusing the caller's service account (`iam.serviceAccount`) with the resource's service account (`resource.serviceAccount`), leading candidates to pick Option C, which would incorrectly check the service account attached to the Cloud Storage bucket (which does not exist) instead of the requesting instance's identity.

How to eliminate wrong answers

Option A is wrong because `request.auth` is not a valid IAM condition attribute; the correct attribute for checking the authenticated identity is `iam.serviceAccount` or `principal` attributes. Option B is wrong because `origin.serviceAccount` is not a recognized IAM condition attribute; `origin` attributes are used for VPC Network or Cloud Armor conditions, not for IAM policies. Option C is wrong because `resource.serviceAccount` refers to the service account associated with the resource (e.g., a Compute Engine instance's attached service account), not the caller's service account; this would incorrectly check the target resource's identity instead of the requester's identity.

16
MCQ · hard

A security engineer is configuring VPC Service Controls to protect a project containing BigQuery datasets with PII. They want to prevent data exfiltration while allowing authorized users to query the data from outside the perimeter. Which configuration meets these requirements?

A. Create a perimeter that includes the project, and set the 'allowed external access' flag to true.
B. Create a perimeter and enable the 'exfiltration exception' for BigQuery.
C. Create a perimeter that includes only Compute Engine instances, and use a separate perimeter for BigQuery.
D. Create a perimeter that includes the project, and use an access level from Access Context Manager to grant access to authorized users.
Answer: D

Access levels allow fine-grained access from outside the perimeter.

Why this answer

Option D is correct because Access Context Manager (ACM) can define access levels based on user identity or device status, and VPC Service Controls perimeters can be configured with access levels that allow access from outside the perimeter for authorized users. Option A is wrong because allowing all traffic from outside the perimeter defeats the purpose of the perimeter. Option B is wrong because there is no 'exfiltration exception' flag; you must use access levels.

Option C is wrong because perimeters can apply to projects with BigQuery datasets, not just Compute Engine.

17
MCQ · medium

A company runs a Kubernetes cluster on GKE. They need to ensure that pods cannot access Google Cloud APIs unless explicitly allowed through a service account. Which GKE feature should they use?

A. Network Policies
B. Pod Security Policies
C. Cloud Audit Logs
D. Workload Identity
Answer: D

Maps Kubernetes SA to Google SA for fine-grained IAM.

Why this answer

Workload Identity allows each pod to have its own IAM service account, preventing use of the node's default service account. Pod Security Policies control container security contexts; Network Policies control pod traffic; Audit Logs are for tracking.

18
MCQ · medium

A company has a fleet of Compute Engine instances that need to access a Cloud Storage bucket. The security team requires that only instances in specific VPC networks can access the bucket, and that the data is encrypted in transit. How can this be achieved?

A. Use a Cloud Storage bucket with encryption at rest using CSEK.
B. Use Cloud Armor with IP allowlists and enable TLS for the bucket.
C. Create a VPC Service Controls perimeter with access levels, and require HTTPS for the bucket.
D. Use a Cloud Storage bucket with encryption at rest using CMEK.
Answer: C

VPC Service Controls restrict access by network, and HTTPS ensures encryption in transit.

Why this answer

VPC Service Controls perimeter rules restrict which networks can reach the bucket, and requiring HTTPS for Cloud Storage ensures in-transit encryption. Option A provides encryption at rest but not network restriction. Option D likewise provides encryption at rest but not network restriction.

Option B provides IP-based restriction but not the required VPC-network restriction for Cloud Storage access.

19
Multi-Select · medium

Which TWO are recommended practices for securing a Kubernetes Engine (GKE) cluster?

Select 2 answers
A. Disable HTTP load balancing to reduce attack surface.
B. Enable Binary Authorization to ensure only signed container images are deployed.
C. Use the default Compute Engine service account for all GKE nodes.
D. Use Workload Identity to bind Kubernetes service accounts to IAM service accounts.
E. Enable basic authentication for easier access management.
Answers: B, D

Binary Authorization enforces deployment of trusted images.

Why this answer

Option B is correct because Binary Authorization enforces that only container images signed by trusted authorities (e.g., during a CI/CD pipeline) can be deployed to the cluster. This integrates with Google Cloud's Attestation Authority and ensures supply chain security by verifying signatures against a policy before admission.

Exam trap

Google Cloud often tests the misconception that disabling features like HTTP load balancing is a security best practice, when in reality it breaks functionality and security should be layered (e.g., using HTTPS, IAP, or network policies) rather than removing features.

20
MCQ · medium

A company is using Cloud Load Balancing to expose a web application. They want to protect against common web attacks like SQL injection and cross-site scripting. Which Google Cloud service should they configure?

A. VPC Firewall rules
B. Identity-Aware Proxy
C. Cloud Armor
D. Cloud CDN
Answer: C

Cloud Armor offers WAF capabilities including preconfigured rules for OWASP top 10.

Why this answer

Cloud Armor provides WAF rules that can detect and block SQLi and XSS. Cloud CDN is for caching; IAP is for authentication; VPC Firewall rules work at IP/port level.

21
MCQ · hard

A financial institution deploys a containerized application on GKE with Binary Authorization enabled. They want to ensure that only images signed by their internal CI/CD pipeline are deployed, and they also need to allow a break-glass procedure using a specific image from a curated registry. How should they configure Binary Authorization?

A. Create a policy with an evaluation mode to allow all images, but use a whitelist of approved registries.
B. Use Cloud Run instead, which has built-in image verification.
C. Create a policy with an evaluation mode to require all images to be signed, and configure a Cloud Build attestor.
D. Create a policy with a default deny rule, and add a custom rule to allow images from the curated registry.
Answer: D

Default deny ensures only signed images are allowed, except those from the curated registry break-glass.

Why this answer

Binary Authorization allows a default deny rule with an exception for the curated registry. Option C does not allow break-glass, because every image must be signed. Option A would allow all unsigned images.

Option B does not configure Binary Authorization at all.

22
MCQ · easy

What is the effective access of the service account sa@project.iam.gserviceaccount.com to the bucket?

A. Full admin access to objects
B. Owner access
C. Read-only access
D. No access
Answer: A

objectAdmin provides full control over objects.

Why this answer

The service account is a member of roles/storage.objectAdmin, which grants full control (read, write, delete) over objects. It is not in the viewer or owner roles.

23
Multi-Select · hard

Which TWO of the following are valid methods to control access to Google Cloud resources using Identity and Access Management (IAM)?

Select 2 answers
A. Attach an IAM policy to an organization
B. Attach an IAM policy to a project
C. Attach an IAM policy to a user
D. Assign an IAM role directly to a user
E. Attach an IAM policy to a service account
Answers: A, B

IAM policies can be attached at the organization level.

Why this answer

Attaching an IAM policy to an organization (option A) is a valid method because it allows you to set organization-wide policies that apply to all projects and resources within that organization. This is a fundamental feature of Google Cloud's hierarchical resource management, where policies can be inherited from the organization node down to folders and projects, enabling centralized control over access.

Exam trap

Google Cloud often tests the distinction between attaching a policy to a resource versus assigning a role to an identity, where candidates mistakenly think that attaching a policy to a user or service account is valid, when in fact policies are always attached to resources, not to identities.

24
Multi-Select · medium

Which TWO practices improve the security of a Cloud Run service?

Select 2 answers
A. Enable Cloud Armor for the service.
B. Use Identity-Aware Proxy (IAP) to authenticate users.
C. Run the service in a VPC with firewall rules.
D. Use a canary deployment strategy.
E. Require client-side TLS certificates.
Answers: A, B

Cloud Armor provides WAF and DDoS protection.

Why this answer

Using Cloud Armor for DDoS protection and Identity-Aware Proxy for authentication are both correct. Option C is a container networking choice, not specific to security; Option D is an infrastructure rollout practice; Option E is for end-to-end encryption, but Cloud Run already serves traffic over HTTPS.

25
MCQ · medium

Your company has a production environment on Google Cloud that includes Compute Engine instances, Cloud Storage buckets, and BigQuery datasets. Security policies require that all data at rest is encrypted with CMEK, and audit logs must be retained for 7 years. The current configuration uses Google-managed encryption keys. You have been asked to transition to CMEK for all resources. After enabling CMEK for new resources, you discover that the existing resources are not re-encrypted. To comply with the policy, you need to re-encrypt the existing data. What should you do?

A. Enable CMEK on the existing resources by modifying the resource's encryption settings. This will automatically re-encrypt the data.
B. Delete the existing resources and recreate them with CMEK enabled. Then restore data from backups.
C. Enable the Data Loss Prevention (DLP) API to scan and re-encrypt data automatically.
D. For Compute Engine: create new disks with CMEK, attach them, and copy data. For Cloud Storage: rewrite objects with CMEK. For BigQuery: copy datasets to new datasets with CMEK.
Answer: D

This correctly re-encrypts existing data for each service.

Why this answer

Option D is correct because CMEK is applied at the resource creation level for Compute Engine disks, Cloud Storage buckets, and BigQuery datasets. Existing resources encrypted with Google-managed keys cannot be re-encrypted in place; you must create new resources with CMEK enabled and migrate the data. For Compute Engine, this means creating new disks with CMEK, attaching them, and copying data.

For Cloud Storage, you rewrite objects to a new bucket or use the rewrite API with CMEK. For BigQuery, you copy datasets to new datasets that have CMEK configured.

Exam trap

Google Cloud often tests the misconception that you can simply toggle encryption settings on existing resources to apply CMEK, when in reality CMEK must be configured at creation time and data must be migrated to new resources.

How to eliminate wrong answers

Option A is wrong because modifying encryption settings on existing resources does not trigger automatic re-encryption; CMEK must be specified at creation time for disks, buckets, and datasets, and there is no in-place re-encryption mechanism. Option B is wrong because deleting and recreating resources from backups would require the backups themselves to be encrypted with CMEK, and this approach is unnecessarily destructive and risks data loss; a more controlled migration is preferred. Option C is wrong because the DLP API is designed for content inspection and de-identification, not for re-encrypting data at rest with CMEK; it cannot change the underlying encryption key of a Cloud Storage object or BigQuery table.

26
MCQhard

A security architect is designing a zero-trust network for applications running on Compute Engine. They want to enforce that all traffic between VMs must be encrypted and authenticated, regardless of the VPC network. Which approach meets this requirement?

A.Configure each VM to use IPsec tunnels to every other VM.
B.Deploy Anthos Service Mesh with mTLS enabled.
C.Use Cloud VPN to encrypt all inter-VM traffic.
D.Enable VPC Flow Logs and use firewall rules to allow only encrypted traffic.
AnswerB

Service mesh with mTLS provides both encryption and authentication between services.

Why this answer

Mutual TLS (mTLS) with a service mesh provides encryption and authentication at the application level. Option A only encrypts and does not authenticate. Option C (Cloud VPN) encrypts but does not authenticate.

Option D is not a standard approach.

27
MCQeasy

A financial services company is migrating a sensitive customer data application to Google Cloud. The application runs on Compute Engine VMs in a VPC. The security team requires that all data at rest in Cloud Storage and BigQuery must be encrypted with customer-managed encryption keys (CMEK). Additionally, the keys must be stored in a different project than the data, and access to the keys must be audited. The operations team has set up a CMEK key in Cloud KMS in a separate project, assigned the Cloud KMS CryptoKey Encrypter/Decrypter role to the data project's Compute Engine service account, and enabled Cloud Storage and BigQuery to use CMEK. However, when the application tries to read from Cloud Storage, it fails with 'Access Denied.' The Cloud KMS key is in project 'kms-proj' and the data is in project 'data-proj'. What is the most likely cause?

A.The Compute Engine service account used by the VM does not have the Cloud KMS Decrypter role.
B.The VPC firewall rules are blocking egress to Cloud KMS.
C.The Cloud KMS key has been disabled due to an Organization Policy.
D.The Cloud Storage service agent in 'data-proj' does not have the Cloud KMS CryptoKey Encrypter/Decrypter role.
AnswerD

Cloud Storage requires its service agent to have KMS permissions to encrypt/decrypt using CMEK. The team only granted permission to the Compute Engine service account.

28
MCQhard

A financial services company must comply with PCI DSS. They use Cloud SQL for MySQL for transaction processing. They need to ensure that all data at rest is encrypted with keys generated and stored in a Hardware Security Module (HSM) and that key rotation occurs every 90 days. Which configuration should they use?

A.Use Cloud External Key Manager (EKM) to integrate with on-premises HSM
B.Use Cloud SQL with customer-supplied encryption keys (CSEK) and automate rotation with Cloud Scheduler
C.Use Cloud SQL with CMEK backed by Cloud HSM, and set automatic rotation period of 90 days
D.Use Cloud SQL's default encryption with organization policy requiring rotation
AnswerC

CMEK with Cloud HSM provides customer-controlled, HSM-backed keys with automatic rotation.

Why this answer

Cloud SQL CMEK with Cloud HSM allows HSM-backed keys and automatic rotation. Default encryption uses Google-managed keys; CSEK is for disks; EKM is for external KMS but adds complexity.
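As an added example (not part of the original page), here is a Python pre-flight check for the key setup in questions 27 and 28, which also covers the rotation requirement in question 50: it verifies that the data project's Cloud Storage and BigQuery service agents, rather than the VM's Compute Engine service account, hold Encrypter/Decrypter on the key, and that the key is HSM-backed with automatic rotation of at most 90 days. The data project number, key ring, key name and policy contents are constructed; the JSON shapes follow `gcloud kms keys describe` and `gcloud kms keys get-iam-policy`.

```python
"""Pre-flight check for a CMEK key shared across projects (added example).

The inputs mirror the JSON that `gcloud kms keys describe --format=json` and
`gcloud kms keys get-iam-policy --format=json` return. The data project
number, key ring, key name and policy contents below are constructed.
"""
import json
import re

ENCRYPTER_DECRYPTER = "roles/cloudkms.cryptoKeyEncrypterDecrypter"


def service_agents(project_number: str) -> dict:
    """Google-managed service agents that perform CMEK operations for a
    data project. These identities, not the application's own service
    account, must hold Encrypter/Decrypter on the key."""
    n = project_number
    return {
        "storage": f"serviceAccount:service-{n}@gs-project-accounts.iam.gserviceaccount.com",
        "bigquery": f"serviceAccount:bq-{n}@bigquery-encryption.iam.gserviceaccount.com",
        "compute": f"serviceAccount:service-{n}@compute-system.iam.gserviceaccount.com",
    }


def members_with_role(policy: dict, role: str) -> set:
    """All members bound to `role` in a KMS key IAM policy."""
    return {m for b in policy.get("bindings", []) if b.get("role") == role
            for m in b.get("members", [])}


def missing_service_agents(policy: dict, project_number: str, services) -> list:
    """Names of services whose agent lacks Encrypter/Decrypter on the key."""
    granted = members_with_role(policy, ENCRYPTER_DECRYPTER)
    agents = service_agents(project_number)
    return sorted(s for s in services if agents[s] not in granted)


def with_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of `policy` with `member` added to `role`, the same
    change `gcloud kms keys add-iam-policy-binding` would make."""
    new = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    for b in new.setdefault("bindings", []):
        if b.get("role") == role:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def rotation_days(key: dict):
    """Parse rotationPeriod (e.g. '7776000s') into days; None if unset."""
    period = key.get("rotationPeriod")
    if not period:
        return None
    m = re.fullmatch(r"(\d+(?:\.\d+)?)s", period)
    if not m:
        raise ValueError(f"unexpected rotationPeriod format: {period}")
    return float(m.group(1)) / 86400


def key_meets_policy(key: dict, max_rotation_days: int, level: str) -> dict:
    """Check protection level and automatic rotation against a policy."""
    days = rotation_days(key)
    return {
        "hsm_backed": key.get("versionTemplate", {}).get("protectionLevel") == level,
        "rotation_ok": days is not None and days <= max_rotation_days,
        "rotation_days": days,
    }


# ---- constructed sample input for the question 27 scenario ----
DATA_PROJECT_NUMBER = "123456789012"  # constructed project number for data-proj

# Only the VM's Compute Engine default service account was granted the role.
SAMPLE_POLICY = json.loads("""{
  "bindings": [{
    "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]
  }],
  "etag": "BwX0example="
}""")

SAMPLE_KEY = json.loads("""{
  "name": "projects/kms-proj/locations/us/keyRings/data-ring/cryptoKeys/data-key",
  "purpose": "ENCRYPT_DECRYPT",
  "rotationPeriod": "7776000s",
  "versionTemplate": {"protectionLevel": "HSM", "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"}
}""")


def fixed_policy() -> dict:
    """Grant the Cloud Storage and BigQuery service agents, which is the fix
    for the 'Access Denied' in question 27."""
    policy = SAMPLE_POLICY
    for svc in ("storage", "bigquery"):
        policy = with_binding(policy, ENCRYPTER_DECRYPTER,
                              service_agents(DATA_PROJECT_NUMBER)[svc])
    return policy
```

Running `missing_service_agents(SAMPLE_POLICY, DATA_PROJECT_NUMBER, ("storage", "bigquery"))` reports both agents missing; after `fixed_policy()` the list is empty and `key_meets_policy(SAMPLE_KEY, 90, "HSM")` confirms the HSM-backed 90-day rotation.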

29
Matchingmedium

Match each GCP compute service to its characteristic.


Virtual machines with full control

Managed Kubernetes clusters

Serverless containers

Platform as a Service (PaaS)

Event-driven serverless functions

Why these pairings

These are the main compute options in GCP.

30
Multi-Selectmedium

Which TWO security best practices should be applied when configuring Cloud Functions that process sensitive data? (Choose two.)

Select 2 answers
A.Enable VPC connector and set ingress to internal to avoid public internet exposure.
B.Disable all inbound network traffic to the function.
C.Enable Cloud KMS customer-managed encryption for the function's environment variables.
D.Use the default Compute Engine default service account for simplicity.
E.Store secrets in Secret Manager and reference them from the function without hardcoding.
AnswersA, E

VPC connector allows the function to send traffic only via internal IPs, reducing exposure.

Why this answer

Options A and E are correct. Using internal traffic only (via VPC connector) ensures data does not traverse the public internet. Encrypting environment variables with CMEK protects sensitive configuration.

Option D is wrong because the default service account often has excessive permissions; use a least-privilege identity. Option B is wrong because disabling ingress is not possible; you control egress. Option C is wrong because Cloud Functions support CMEK for environment variables, but not automatically; you must use Secret Manager.

31
MCQmedium

A company is deploying a multi-tier web application on Google Cloud. The application must comply with PCI DSS. Which combination of Google Cloud services should be used to restrict access to the database tier to only the application tier, while also encrypting data at rest and in transit?

A.Use Cloud Spanner with private IP and SSL/TLS, and enable Google-managed encryption keys
B.Use Cloud SQL with public IP and SSL/TLS, and enable Google-managed encryption keys
C.Use Cloud Datastore with secure WebSocket connections and enable customer-managed encryption keys
D.Use Cloud SQL with private IP and SSL/TLS, and enable Cloud Key Management Service (KMS) to create a key ring and customer-managed encryption key (CMEK)
AnswerD

Private IP isolates the database, SSL/TLS encrypts in transit, CMEK encrypts at rest with customer-managed keys.

Why this answer

Option D is correct because it meets all PCI DSS requirements: Cloud SQL with private IP ensures the database tier is not exposed to the public internet, restricting access to only the application tier within the same VPC. SSL/TLS encrypts data in transit, and using Cloud KMS with a customer-managed encryption key (CMEK) provides control over encryption keys for data at rest, which is often required for compliance.

Exam trap

The trap here is that candidates often assume Google-managed encryption keys are sufficient for PCI DSS, but the standard often requires customer-managed keys (CMEK) to demonstrate control over key lifecycle, and they overlook that public IP (even with SSL) fails the network access restriction requirement.

How to eliminate wrong answers

Option A is wrong because Cloud Spanner with private IP and SSL/TLS does encrypt data in transit and restricts network access, but it uses Google-managed encryption keys by default, which may not satisfy PCI DSS requirements for customer control over encryption keys. Option B is wrong because Cloud SQL with public IP exposes the database to the internet, violating the requirement to restrict access to only the application tier, even with SSL/TLS. Option C is wrong because Cloud Datastore is a NoSQL document database that does not support secure WebSocket connections for encryption in transit (it uses gRPC/HTTP with TLS), and customer-managed encryption keys are not available for Cloud Datastore; it uses Google-managed keys only.

32
MCQmedium

A company is migrating its on-premises workloads to Google Cloud. They have strict compliance requirements that all data at rest must be encrypted with customer-managed encryption keys (CMEK). Which Google Cloud service should they use to manage the lifecycle of these keys?

A.Secret Manager
B.Cloud External Key Manager (Cloud EKM)
C.Cloud Key Management Service (Cloud KMS)
D.Cloud Hardware Security Module (Cloud HSM)
AnswerC

Cloud KMS is the correct service for managing CMEK.

Why this answer

Cloud KMS is the correct service because it provides centralized management of customer-managed encryption keys (CMEK) for Google Cloud services. It allows you to create, rotate, destroy, and set permissions on symmetric and asymmetric keys, and integrates directly with services like Cloud Storage, BigQuery, and Compute Engine to enforce encryption at rest with keys you control.

Exam trap

The trap here is that candidates often confuse Cloud HSM as a key management service, but Cloud HSM is a key storage backend for Cloud KMS, not a replacement for lifecycle management; you must use Cloud KMS to control key creation, rotation, and destruction even when using HSM-backed keys.

How to eliminate wrong answers

Option A is wrong because Secret Manager is designed to store and manage secrets such as API keys, passwords, and certificates, not to manage encryption keys for data-at-rest encryption under CMEK. Option B is wrong because Cloud External Key Manager (Cloud EKM) allows you to manage keys using an external key management system outside Google Cloud, but it does not provide native lifecycle management within Google Cloud; it relies on an external partner for key operations. Option D is wrong because Cloud HSM is a hardware security module service that provides FIPS 140-2 Level 3 validated key storage and cryptographic operations, but it is an additional protection layer for keys stored in Cloud KMS, not a standalone key lifecycle management service; you still use Cloud KMS to manage the key lifecycle.

33
Multi-Selecthard

A company uses Cloud KMS to encrypt sensitive data. They need to ensure that encryption key usage is audited and that keys are rotated automatically every 30 days. Which two actions should they take? (Choose two.)

Select 2 answers
A.Enable Data Access audit logs for the Cloud KMS API
B.Create a Cloud Trigger to manually rotate the key every month
C.Enable Cloud Key Management Service's key usage monitoring
D.Use Cloud External Key Manager to rotate keys externally
E.Enable key rotation on the key by setting a rotation period of 30 days
AnswersA, E

Data Access audit logs record every encrypt/decrypt operation for compliance.

Why this answer

Option A is correct because enabling Data Access audit logs for the Cloud KMS API captures detailed information about every encryption key usage, including who accessed the key, when, and what operation was performed. This meets the auditing requirement by recording all key usage events in Cloud Audit Logs, which can be reviewed for compliance and security analysis.

Exam trap

The trap here is that candidates often confuse 'key rotation' with 'key usage monitoring' or assume that manual triggers or external managers can satisfy the automatic rotation requirement, when in fact Cloud KMS provides a native rotation period setting that must be used.
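Added example (not from the page) for question 33: once Data Access logging is on for Cloud KMS, entries like the constructed ones below record who used the key, when and with which method, and a simple allow-list check surfaces principals that should not be touching it. The key name, principals and timestamps are constructed sample data.

```python
"""Review Cloud KMS Data Access audit log entries (added example).

Entries use the Cloud Audit Logs shape (logName, protoPayload.methodName,
authenticationInfo.principalEmail, resourceName). The key name, principals
and timestamps are constructed sample data, not real log output.
"""
from collections import Counter

KEY = "projects/kms-proj/locations/us/keyRings/data-ring/cryptoKeys/data-key"
DATA_ACCESS_SUFFIX = "/logs/cloudaudit.googleapis.com%2Fdata_access"
STORAGE_AGENT = "service-123456789012@gs-project-accounts.iam.gserviceaccount.com"
BIGQUERY_AGENT = "bq-123456789012@bigquery-encryption.iam.gserviceaccount.com"


def entry(ts: str, log: str, method: str, principal: str, resource: str = KEY) -> dict:
    """Build one audit log entry in the shape Cloud Logging exports."""
    return {
        "logName": f"projects/kms-proj/logs/cloudaudit.googleapis.com%2F{log}",
        "timestamp": ts,
        "protoPayload": {
            "serviceName": "cloudkms.googleapis.com",
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": resource,
        },
    }


SAMPLE_ENTRIES = [  # constructed sample log
    entry("2024-05-01T10:00:01Z", "data_access", "Decrypt", STORAGE_AGENT),
    entry("2024-05-01T10:00:05Z", "data_access", "Decrypt", STORAGE_AGENT),
    entry("2024-05-01T10:02:00Z", "data_access", "Encrypt", BIGQUERY_AGENT),
    entry("2024-05-01T11:30:00Z", "data_access", "Decrypt", "alice@example.com"),
    entry("2024-05-01T12:00:00Z", "activity", "UpdateCryptoKey", "admin@example.com"),
]


def is_data_access(e: dict) -> bool:
    """Key usage (Encrypt/Decrypt) lands in the data_access log, which is off
    by default; admin changes land in the activity log regardless."""
    return e.get("logName", "").endswith(DATA_ACCESS_SUFFIX)


def key_usage(entries, key: str = KEY) -> Counter:
    """Count (principal, method) pairs for Data Access entries on one key."""
    counts = Counter()
    for e in entries:
        p = e.get("protoPayload", {})
        if is_data_access(e) and p.get("resourceName") == key:
            counts[(p["authenticationInfo"]["principalEmail"], p["methodName"])] += 1
    return counts


def unexpected_principals(entries, expected, key: str = KEY) -> list:
    """Principals that used the key but are not on the expected list,
    e.g. a human account decrypting with a key meant for service agents."""
    seen = {principal for principal, _ in key_usage(entries, key)}
    return sorted(seen - set(expected))
```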

34
MCQhard

A security administrator wants to ensure that a Cloud Storage bucket named `gs://my-bucket` is only accessible by service accounts, not user accounts. Which action should they take?

A.Remove the user from the `roles/storage.objectViewer` binding and add a condition to deny user access.
B.Add a bucket IAM condition that requires `resource.name.startsWith("projects/_/buckets/my-bucket/objects/")`
C.Use a VPC Service Controls perimeter to block user access.
D.Create a new IAM policy that removes all user members and adds a service account member with `roles/storage.objectAdmin`.
AnswerD

Removing user members ensures only service accounts have access, and granting objectAdmin to a service account meets the requirement.

35
MCQeasy

A startup wants to grant a new employee read-only access to view all Compute Engine instances in a project. What is the minimum IAM role they should assign?

A.roles/owner
B.roles/compute.viewer
C.roles/iam.securityReviewer
D.roles/compute.admin
AnswerB

Viewer role provides read-only access to compute resources.

Why this answer

roles/compute.viewer provides read-only access to Compute Engine resources. compute.admin is full access; iam.securityReviewer gives read access to a wider set of resources; owner has full control.

36
MCQhard

A healthcare organization is storing sensitive patient data in Cloud Storage. They need to ensure that all objects are encrypted with a key managed by their on-premises HSM. Which encryption approach should they use?

A.Use Customer-Supplied Encryption Keys (CSEK) and store the key in a Secret Manager accessible only from the on-premises HSM.
B.Use Cloud External Key Manager (EKM) with a key hosted on the on-premises HSM.
C.Use Customer-Managed Encryption Keys (CMEK) with a Cloud KMS key that is generated from the on-premises HSM.
D.Encrypt each object client-side with a key from the on-premises HSM before uploading to Cloud Storage.
AnswerB

EKM allows you to use an external key management partner, including on-premises HSMs, to wrap the Google-managed encryption key.

Why this answer

Option B is correct because Cloud External Key Manager (EKM) allows you to use an external key management system (like an on-premises HSM) to wrap a Google-managed key. The data is encrypted with a Google-managed key, which is then encrypted with the external key. Option A is wrong because CSEK is deprecated and does not support on-premises key rotation; it also requires supplying the key with each request rather than having it managed by an HSM.

Option C is wrong because CMEK uses Cloud KMS, not an external HSM directly.

37
MCQeasy

A data scientist needs read-only access to a Cloud Storage bucket containing training data. What is the least privileged IAM role to grant at the bucket level?

A.roles/storage.objectAdmin
B.roles/storage.objectCreator
C.roles/storage.admin
D.roles/storage.objectViewer
AnswerD

ObjectViewer grants read-only access to objects.

Why this answer

The roles/storage.objectViewer role grants read access to objects without listing or other permissions. Option A is too broad (project-level). Option C allows listing but is more than read-only.

Option D includes identity and access management permissions.

38
MCQeasy

A company is deploying a web application on Compute Engine. They want to ensure that only authenticated users can access the application. Which Google Cloud service should they use?

A.Identity-Aware Proxy
B.Cloud Load Balancing
C.Cloud CDN
D.Cloud DNS
AnswerA

IAP uses identity and context to enforce access control.

Why this answer

Identity-Aware Proxy (IAP) is the correct choice because it enforces access control at the edge of Google's network, verifying user identity and context before allowing traffic to reach the Compute Engine instance. IAP uses OAuth 2.0 and signed headers to authenticate users, ensuring only authorized requests are forwarded to the backend, without requiring any changes to the application itself.

Exam trap

The trap here is that candidates often confuse network-level services like Cloud Load Balancing or Cloud CDN with security controls, assuming they provide authentication simply because they sit in front of the application, but they lack any identity verification mechanism.

How to eliminate wrong answers

Option B (Cloud Load Balancing) is wrong because it distributes traffic across instances but does not authenticate users; it operates at Layer 4 or Layer 7 without any built-in identity verification. Option C (Cloud CDN) is wrong because it caches content at edge locations to reduce latency, but it does not enforce user authentication; it can be combined with IAP but alone provides no access control. Option D (Cloud DNS) is wrong because it translates domain names to IP addresses and has no mechanism for user authentication or authorization.

39
MCQmedium

A company has a multi-project Google Cloud environment with strict compliance requirements. They need to ensure that all projects enforce a uniform set of constraints, such as requiring CMEK for Compute Engine disk encryption and blocking the use of public IPs on VMs. They have defined these constraints using Organization Policies at the organization level. However, the security team discovers that some projects are not enforcing the constraints because they have been overridden at the project level by the respective project owners. The security team wants a solution that prevents project-level overrides while maintaining the ability to apply exceptions at a folder level when approved. What should they do?

A.Deploy Forseti Security to automatically remediate when projects override policies.
B.Use Cloud Asset Inventory to monitor for non-compliant projects and alert the security team.
C.Manually remove the overridden policies in each project and set the constraints at the organization level again.
D.Move all projects under a common folder and set the Organization Policies at that folder level with 'enforce: true'.
AnswerD

Folder-level policies cannot be overridden by project-level policies, ensuring enforcement while allowing folder-level exceptions.

Why this answer

Option D is correct because setting the Organization Policy at the folder level (e.g., a 'compliance' folder that contains all projects) with the 'enforce: true' setting on constraints ensures that project-level overrides are not possible unless explicitly allowed by the folder policy. Option C is wrong because removing overrides manually is not scalable and does not prevent future overrides. Option B is wrong because Cloud Asset Inventory is for auditing, not enforcement.

Option A is wrong because Forseti is a security tool but does not provide the policy enforcement mechanism of Organization Policies.

40
Matchingmedium

Match each GCP data processing service to its use case.


Stream and batch data processing (Apache Beam)

Managed Hadoop and Spark clusters

Asynchronous messaging for event ingestion

Visual data integration pipelines

Workflow orchestration (Apache Airflow)

Why these pairings

These are data processing services in GCP.

41
MCQeasy

An engineer runs the above command and sees two firewall rules that allow SSH access. A security review requires that SSH access be allowed only from the bastion subnet 10.0.1.0/24. What should the engineer do to meet the requirement?

A.Add a firewall rule with priority 500 that denies SSH from all IPs
B.Change the priority of allow-ssh-ingress to 2000
C.Delete the allow-ssh-ingress rule
D.Remove the target tag 'ssh-allowed' from allow-ssh-from-bastion
AnswerC

Deleting the overly permissive rule leaves only the bastion-specific rule, meeting the requirement.

Why this answer

The correct answer is C because the allow-ssh-ingress rule has a higher priority (lower number) than the allow-ssh-from-bastion rule, allowing SSH from any source IP. Deleting this rule ensures that only the lower-priority rule (allow-ssh-from-bastion) remains, which restricts SSH access to the bastion subnet 10.0.1.0/24. In Google Cloud VPC firewall rules, lower priority numbers indicate higher precedence, so the allow-ssh-ingress rule (priority 1000) overrides the allow-ssh-from-bastion rule (priority 2000) for any traffic matching both.

Exam trap

Google Cloud often tests the misconception that adding a deny rule with a higher priority (lower number) will block unwanted traffic while preserving the allow rule, but candidates forget that the deny rule would also block the intended bastion traffic, breaking the requirement.

How to eliminate wrong answers

Option A is wrong because adding a deny rule with priority 500 would block SSH from all IPs, including the bastion subnet, since deny rules take precedence over allow rules at the same or lower priority; this would break the requirement to allow SSH from the bastion. Option B is wrong because changing the priority of allow-ssh-ingress to 2000 would make it equal to the allow-ssh-from-bastion rule, but both would still allow SSH from all IPs (since allow-ssh-ingress has no source restriction), and with equal priority the evaluation order is undefined, potentially still allowing unwanted access. Option D is wrong because removing the target tag 'ssh-allowed' from allow-ssh-from-bastion would prevent that rule from applying to any instances, effectively blocking all SSH access, including from the bastion subnet.

42
MCQmedium

Which traffic will this rule allow?

A.Outbound TCP traffic on ports 80 and 443 from instances with tag 'web-server' to IP ranges
B.Inbound TCP traffic on ports 80 and 443 from IP ranges to all instances
C.Inbound TCP traffic on ports 80 and 443 from any IP address to instances with tag 'web-server'
D.Inbound TCP traffic on ports 80 and 443 from IP ranges to instances with tag 'web-server'
AnswerD

Matches the rule definition exactly.

Why this answer

The rule allows inbound TCP on ports 80 and 443 from the specified IP ranges to instances tagged 'web-server'. It does not apply to all instances and is not outbound.
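Added example (not from the page) for questions 41 and 42: a small Python model of VPC firewall evaluation (lowest priority number wins, deny beats allow at equal priority, implied deny otherwise) that replays the options of question 41 and the rule of question 42. The rule sets are constructed from the question text, since the `gcloud` output itself is not on the page.

```python
"""Model of how GCP VPC firewall rules are evaluated for ingress (added example).

The `gcloud compute firewall-rules list` output referred to in question 41
is not on the page, so the rule sets below are constructed from the
question text (names, priorities, ranges and tags are assumptions).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int              # 0-65535; a lower number takes precedence
    action: str                # "allow" or "deny"
    protocol: str              # e.g. "tcp"
    ports: frozenset           # empty = all ports
    source_ranges: tuple       # CIDRs; empty means 0.0.0.0/0 (the GCP default)
    target_tags: frozenset     # empty = applies to every instance in the VPC


@dataclass(frozen=True)
class Packet:
    src_ip: str
    protocol: str
    port: int
    instance_tags: frozenset   # network tags of the receiving instance


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when protocol, port, source range and target tag all match."""
    if rule.protocol != pkt.protocol:
        return False
    if rule.ports and pkt.port not in rule.ports:
        return False
    ranges = rule.source_ranges or ("0.0.0.0/0",)
    if not any(ip_address(pkt.src_ip) in ip_network(r) for r in ranges):
        return False
    if rule.target_tags and not (rule.target_tags & pkt.instance_tags):
        return False
    return True


def evaluate(rules, pkt: Packet) -> tuple:
    """Return (action, rule_name) for an ingress packet: the matching rule
    with the lowest priority number wins, a deny beats an allow at equal
    priority, and with no match the implied deny-all-ingress rule applies."""
    hits = [r for r in rules if matches(r, pkt)]
    if not hits:
        return ("deny", "implied-deny-ingress")
    winner = min(hits, key=lambda r: (r.priority, r.action != "deny"))
    return (winner.action, winner.name)


# ---- question 41: two SSH rules, constructed from the question text ----
SSH = frozenset({22})
ALLOW_SSH_INGRESS = Rule("allow-ssh-ingress", 1000, "allow", "tcp", SSH, (), frozenset())
ALLOW_SSH_FROM_BASTION = Rule("allow-ssh-from-bastion", 2000, "allow", "tcp", SSH,
                              ("10.0.1.0/24",), frozenset({"ssh-allowed"}))


def ssh_decisions(rules) -> tuple:
    """Decisions for SSH from the Internet and from the bastion subnet to a
    tagged instance; the requirement is met only by ("deny", "allow")."""
    internet = Packet("203.0.113.7", "tcp", 22, frozenset({"ssh-allowed"}))
    bastion = Packet("10.0.1.5", "tcp", 22, frozenset({"ssh-allowed"}))
    return (evaluate(rules, internet)[0], evaluate(rules, bastion)[0])


def as_found():                 # both rules present: Internet SSH is allowed
    return [ALLOW_SSH_INGRESS, ALLOW_SSH_FROM_BASTION]


def option_c_delete_rule():     # correct answer: only the bastion rule remains
    return [ALLOW_SSH_FROM_BASTION]


def option_a_deny_at_500():     # exam trap: the deny also blocks the bastion
    deny_all = Rule("deny-ssh-all", 500, "deny", "tcp", SSH, (), frozenset())
    return [deny_all, ALLOW_SSH_INGRESS, ALLOW_SSH_FROM_BASTION]


def option_b_same_priority():   # demoting to 2000 still allows any source
    demoted = Rule("allow-ssh-ingress", 2000, "allow", "tcp", SSH, (), frozenset())
    return [demoted, ALLOW_SSH_FROM_BASTION]


# ---- question 42: inbound 80/443 from given ranges to 'web-server' instances ----
ALLOW_WEB = Rule("allow-web", 1000, "allow", "tcp", frozenset({80, 443}),
                 ("10.0.0.0/8", "192.168.0.0/16"), frozenset({"web-server"}))


def web_decisions() -> tuple:
    """(tagged, in-range source), (untagged, in-range), (tagged, out of range)."""
    cases = [
        Packet("10.1.2.3", "tcp", 443, frozenset({"web-server"})),
        Packet("10.1.2.3", "tcp", 443, frozenset()),
        Packet("203.0.113.9", "tcp", 80, frozenset({"web-server"})),
    ]
    return tuple(evaluate([ALLOW_WEB], p)[0] for p in cases)
```

`ssh_decisions(as_found())` gives ("allow", "allow"), `ssh_decisions(option_c_delete_rule())` gives ("deny", "allow"), and the deny-at-500 variant gives ("deny", "deny"), which is the trap the explanation describes.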

43
MCQeasy

A company wants to restrict data exfiltration from its Google Cloud projects by preventing resources from copying data to external IP addresses. Which service should they use?

A.HTTPS Load Balancer
B.VPC Service Controls
C.Cloud Armor
D.Cloud NAT
AnswerB

VPC Service Controls create a security perimeter around resources to prevent data exfiltration.

Why this answer

VPC Service Controls provide a security perimeter to reduce data exfiltration risk. Option C is wrong because Cloud Armor is for DDoS/WAF protection. Option D is wrong because Cloud NAT allows outbound connectivity, not restriction.

Option A is wrong because HTTPS load balancers do not prevent data exfiltration.

44
MCQmedium

A company wants to allow developers to create service accounts in a project but prevent them from granting the 'roles/iam.serviceAccountUser' role to any user. Which organization policy constraint should they set?

A.Set the constraint 'iam.restrictGrantableRoles' to ['roles/iam.serviceAccountUser'].
B.Set the constraint 'iam.allowedPolicyMemberDomains' to include only the company's domain.
C.Set the constraint 'iam.disableServiceAccountKeyCreation' to True.
D.Set the constraint 'iam.workloadIdentityPoolProviders' to deny all.
AnswerA

This constraint prevents granting the specified role, even if the user has permission to grant roles.

Why this answer

Option A is correct because 'iam.restrictGrantableRoles' restricts which roles can be granted in the project, so developers can still create service accounts while being prevented from granting 'roles/iam.serviceAccountUser' to any user. Option B is wrong because 'iam.allowedPolicyMemberDomains' limits which domains can be added as policy members, not which roles can be granted. Option C is wrong because 'iam.disableServiceAccountKeyCreation' prevents creating service account keys, not granting roles.

Option D is wrong because 'iam.workloadIdentityPoolProviders' governs workload identity federation, not role grants.

45
Multi-Selecteasy

A company is designing a data processing pipeline in Google Cloud that must be HIPAA compliant. Which three security features should they implement? (Choose three.)

Select 3 answers
A.Encrypt data in transit using TLS
B.Enable Data Loss Prevention (DLP) for data classification
C.Use Cloud CDN for faster delivery
D.Implement VPC Service Controls to prevent data exfiltration
E.Use Cloud HSM for encryption keys
AnswersA, D, E

Required by HIPAA for data in transit.

Why this answer

HIPAA requires encryption of data in transit and at rest. Using Cloud HSM for CMEK provides strong encryption at rest. VPC Service Controls help restrict data access.

DLP is useful for identifying PHI but not mandatory; CDN is not a security feature.

46
Multi-Selecthard

A financial services company must meet PCI DSS compliance requirements for a Google Kubernetes Engine (GKE) cluster processing credit card data. Which TWO actions are required to help achieve PCI DSS compliance? (Choose two.)

Select 2 answers
A.Enable GKE Dataplane V2 for network policy enforcement.
B.Enable Shielded GKE nodes.
C.Configure Cloud Audit Logs for the cluster.
D.Use GKE Sandbox for all untrusted workloads.
E.Enable Binary Authorization on the cluster.
AnswersB, E

Shielded nodes provide verifiable integrity of the node's boot and kernel, a PCI DSS requirement.

Why this answer

Options B and E are correct. Binary Authorization ensures only signed container images are deployed, meeting code integrity requirements. Shielded GKE nodes provide verifiable integrity of the node's boot and kernel, ensuring the underlying infrastructure is secure.

Option A is wrong because GKE Dataplane V2 is a network policy enforcement mechanism but not a specific PCI DSS requirement. Option D is wrong because GKE Sandbox is for workload isolation but not explicitly required by PCI DSS. Option C is wrong because Cloud Audit Logs are already enabled by default and not an additional requirement.

47
Multi-Selectmedium

A company is migrating to Google Cloud and needs to implement a least-privilege access model. Which THREE Google Cloud services or features support this goal? (Choose three.)

Select 3 answers
A.Cloud IAM Conditions
B.Cloud Audit Logs
C.VPC Service Controls
D.Cloud NAT
E.Organization Policy Service
AnswersA, C, E

Allow access based on attributes like time, IP, or resource type, enabling least privilege.

Why this answer

Options A, C, and E are correct. Cloud IAM Conditions enable fine-grained, attribute-based access control. VPC Service Controls restrict data exfiltration by limiting access to APIs.

Organization Policy allows setting constraints that enforce least privilege at the org level. Option B is wrong because Cloud Audit Logs are detective, not preventive. Option D is wrong because Cloud NAT is a network service for outbound connectivity, not access control.

48
Drag & Dropmedium

Drag and drop the steps to set up a shared VPC in Google Cloud for a multi-project environment into the correct order.


Why this order

The host project holds the VPC network. Service projects use the subnets. IAM roles control who can use the subnets.

49
Multi-Selectmedium

A company needs to ensure that only approved machine images can be used to create Compute Engine instances to meet security compliance. Which two methods should they use? (Choose two.)

Select 2 answers
A.Use VPC Service Controls to prevent creation from unauthorized images
B.Use a custom role with permissions restricted to specific image families
C.Use Cloud Asset Inventory to detect non-compliant images and trigger remediation
D.Use IAM conditions on compute.instances.create to require a specific family label
E.Use Organization Policy constraint compute.trustedImageProjects
AnswersB, E

Custom roles can limit which images a user can use by granting permissions on specific image projects.

Why this answer

The organization policy constraint compute.trustedImageProjects restricts allowed image projects. Creating a custom role with permissions limited to specific image projects also works. IAM conditions on instance creation are not effective; VPC Service Controls don't apply to images; detection alone is not prevention.

50
MCQeasy

A small company wants to store sensitive files in Cloud Storage and ensure they are encrypted with a key that they control and rotate automatically every 90 days. They are currently using the default encryption provided by Google Cloud. They need a solution that is easy to manage and does not require manual key rotation. What should they do?

A.Use Cloud HSM to generate a key and handle encryption outside of Cloud Storage.
B.Create a Cloud KMS key ring and key with CMEK, set a rotation period of 90 days, and configure the bucket to use that key.
C.Use Customer-Supplied Encryption Keys (CSEK) and write a script to rotate the key every 90 days.
D.Continue using default encryption as it is automatically rotated by Google.
AnswerB

CMEK with automatic rotation meets the requirement of customer-controlled keys with no manual effort.

Why this answer

Option B is correct because Customer-Managed Encryption Keys (CMEK) in Cloud KMS support automatic rotation with a specified rotation period (e.g., 90 days). Option C is wrong because CSEK requires manual key management and rotation. Option D is wrong because default encryption uses Google-managed keys, not customer-controlled.

Option A is wrong because Cloud HSM provides hardware-backed keys but still requires CMEK configuration; automatic rotation is possible with CMEK regardless of HSM.

51
MCQmedium

An organization is implementing a data loss prevention (DLP) strategy for Cloud Storage. They want to automatically scan new objects uploaded to a specific bucket and redact sensitive data. Which service and configuration should they use?

A.Configure Cloud Armor with a WAF rule to inspect and redact data as it enters the bucket.
B.Enable Security Command Center (SCC) premium tier and configure it to scan the bucket for sensitive data.
C.Use Cloud DLP with a BigQuery external table to scan the bucket contents periodically.
D.Use Cloud Functions triggered by Cloud Storage events to call Cloud DLP API for each new object, and then store the redacted version.
AnswerD

Cloud Functions can process events from Cloud Storage and apply DLP transformations.

Why this answer

Option D is correct because Cloud DLP can be triggered by Cloud Functions when a Cloud Storage event occurs (e.g., object finalize), and the function can send the object to DLP for inspection and redaction. Option C is wrong because BigQuery is for structured data, not storage. Option B is wrong because SCC provides security posture management, not DLP scanning.

Option A is wrong because there is no Cloud Armor for storage.

52
MCQhard

A company manages secrets for multiple microservices using Secret Manager. They need to ensure that each service can access only its own secrets, and that all access is logged. What is the best IAM architecture?

A.Create custom roles with secrets.get permission and bind to each service account at the individual secret resource.
B.Grant each service account the roles/secretmanager.secretAccessor role at the project level.
C.Use a single service account for all microservices with access to all secrets.
D.Grant each service account the roles/secretmanager.admin role at the secret level.
AnswerA

Custom roles allow fine-grained access; binding at secret level ensures least privilege.

Why this answer

Using custom roles with fine-grained permissions and audit logs at the secret level provides least privilege. Option B grants too much access (project-wide). Option D gives full access.

Option C does not control access per service.

53
MCQhard

An organization has a security policy that prohibits the use of external IP addresses on Compute Engine instances to reduce attack surface. They want to enforce this policy across all new and existing projects. Which approach should they use?

A.Use Organization Policy with constraint compute.vmExternalIpAccess
B.Use IAM conditions to prevent creation of instances with external IPs
C.Use Cloud Security Command Center to detect and alert on external IPs
D.Use VPC Firewall rules to block traffic to external IPs
AnswerA

This constraint explicitly prevents creation of VMs with external IPs and can be applied at org level.

Why this answer

Organization policy with constraint constraints/compute.vmExternalIpAccess can be set to block external IPs. IAM conditions are not effective for this; firewall rules do not prevent the IP assignment; and SCC only detects violations after creation.

54
MCQhard

A large e-commerce company runs its production workloads on Google Cloud. The security team has implemented a VPC Service Controls perimeter around the production project to prevent data exfiltration. The perimeter includes the project, and access is allowed only from an access level that requires the user to be on the corporate network (192.0.2.0/24). Recently, the DevOps team reported that their CI/CD pipeline, which runs on Cloud Build with a VPC connector attached to a shared VPC in a different project, is failing to deploy to Cloud Run. The pipeline uses a service account with roles/run.admin on the production project. The Cloud Build worker IPs are ephemeral and not in the corporate IP range. The pipeline's deployment step times out with permission errors. Which action will resolve the issue while maintaining security compliance?

A.Add the Cloud Build service account as a member of the access level used in the perimeter, so that it is not restricted by IP.
B.Remove the VPC Service Controls perimeter from the production project and rely solely on IAM permissions.
C.Add the Cloud Build worker IP range (0.0.0.0/0) to the access level's IP condition to allow all IPs.
D.Create a new service account for Cloud Build with roles/iam.serviceAccountUser and roles/run.admin, and assign it to the Cloud Run service.
AnswerA

Access levels can include service accounts as members, allowing them to bypass IP restrictions.

Why this answer

Option A is correct. Adding the Cloud Build service account to the access level's members allows it to bypass the IP restriction while still being subject to the perimeter. Option C is wrong because adding the worker IP range is not feasible (the IPs are ephemeral) and allowing 0.0.0.0/0 weakens security.

Option B is wrong because removing the perimeter defeats the security requirement. Option D is wrong because changing the service account does not change the IP address of the Cloud Build workers.

55
MCQeasy

A company wants to ensure that all access to their Cloud Storage bucket is logged for compliance purposes. Which type of audit log should they enable?

A.Admin Activity audit logs
B.Data Access audit logs
C.System Event audit logs
D.Access Transparency logs
AnswerB

Data Access logs capture read and write operations on data.

Why this answer

Data Access audit logs record every access to user data. Admin Activity logs record administrative actions; System Event logs record GCP actions; Access Transparency logs record Google support access.

56
MCQeasy

A company is deploying a web application on Google Kubernetes Engine (GKE) and needs to ensure that the application's service account can only pull images from a specific Container Registry repository. What is the best practice to enforce this?

A.Use Workload Identity and grant the Kubernetes service account's associated Google service account the roles/storage.objectViewer role on the registry bucket.
B.Grant the Compute Engine default service account the roles/storage.objectViewer role on the registry bucket.
C.Set an IAM policy on the pod directly using the 'gke-default' service account.
D.Create an IAM condition on the node pool's service account that limits access to the registry bucket.
AnswerA

Workload Identity binds pod identity to a GSA, and bucket-level IAM restricts access.

Why this answer

Option A is correct because Workload Identity allows you to bind a Kubernetes service account to a Google service account, and you can then grant the GSA only the roles/storage.objectViewer role on the specific registry bucket. Option D is wrong because IAM conditions on the node pool's service account affect the nodes, not the pods. Option B is wrong because granting access to the Compute Engine default service account is too broad.

Option C is wrong because there is no direct IAM policy for a pod.

57
MCQeasy

A startup wants to encrypt data at rest in Cloud Storage using Customer-Managed Encryption Keys (CMEK). They have already created a Cloud KMS key ring and key. What additional step is required to enable CMEK for a new Cloud Storage bucket?

A.Enable the Cloud KMS API in the project where the bucket will reside.
B.Create a Cloud HSM key instead, as CMEK requires HSM.
C.Add a label to the key ring to associate it with the bucket.
D.Grant the Cloud Storage service account the Cloud KMS CryptoKey Encrypter/Decrypter role on the key.
AnswerD

The service account that Cloud Storage uses must be authorized to use the key.

Why this answer

Option D is correct because the Cloud Storage service account needs permission to encrypt and decrypt with the CMEK key. Option C is wrong because the key ring does not require a label. Option B is wrong because Cloud HSM is not required for CMEK, though it can be used.

Option A is wrong because no further API enablement is needed beyond what is already done.

58
MCQhard

A multinational corporation operates in multiple regions and must comply with GDPR. They use Cloud Load Balancing to distribute traffic across regional backends. Their security team wants to block traffic from specific countries (e.g., non-EU countries) at the edge. What should they use?

A.Configure Cloud CDN to serve content only to EU-based users.
B.Use Cloud Armor security policies with geographic-based denylist rules.
C.Set VPC firewall rules to allow traffic only from EU IP ranges.
D.Configure Identity-Aware Proxy (IAP) to require user authentication from allowed countries.
AnswerB

Cloud Armor can block traffic from specific countries at the Google Cloud edge.

Why this answer

Cloud Armor security policies support geographic-based access control using denylist or allowlist rules that match client IP addresses against country-level geolocation data. This allows the security team to block traffic from specific countries at the edge, before it reaches the backend, which is the most efficient and compliant approach for GDPR enforcement.

Exam trap

The trap here is that candidates often confuse VPC firewall rules (which filter by IP ranges) with Cloud Armor's geolocation-based policies, or they assume Cloud CDN or IAP can enforce geographic access control, when in fact only Cloud Armor provides native country-level blocking at the edge.

How to eliminate wrong answers

Option A is wrong because Cloud CDN caches content but does not enforce geographic access control; it can serve cached content to any user regardless of location, and its 'geo restrictions' are only for signed URLs, not for blocking traffic at the edge. Option C is wrong because VPC firewall rules operate at the network layer and cannot reliably block traffic based on country-level geolocation; they only filter by IP ranges, which are not accurate for country-level blocking due to IP reassignment and lack of granularity. Option D is wrong because Identity-Aware Proxy (IAP) controls access based on user identity and context, not on the geographic origin of the IP address; it cannot block traffic at the edge based solely on country.

59
MCQhard

Your company runs a multi-region web application on Google Kubernetes Engine (GKE) with pods that process sensitive user data. The application uses Cloud SQL for PostgreSQL as the backend database. Your security team has implemented the following controls: 1) All traffic to the database is encrypted using SSL/TLS. 2) The GKE cluster uses Workload Identity to bind Kubernetes service accounts to IAM service accounts. 3) The Cloud SQL instance is configured with a public IP address and authorized networks to allow only the GKE cluster's node IP ranges. 4) The database credentials are stored in Secret Manager and mounted as volumes in the pods. Recently, a security audit revealed that a pod was compromised due to a container vulnerability. The attacker was able to exfiltrate sensitive data directly from the Cloud SQL database using the credentials from Secret Manager. The security team wants to prevent such exfiltration in the future while minimizing changes to the application code. Which course of action should you recommend?

A.Deploy Cloud SQL Auth Proxy as a sidecar container in each pod, and configure IAM database authentication to replace static credentials.
B.Migrate the database to Cloud Spanner, which has built-in IAM integration and automatic encryption.
C.Rotate the database password and store the new password in Secret Manager, then update the application to fetch the password from Secret Manager at startup.
D.Change the Cloud SQL instance to use a private IP address and disable public access, ensuring only the GKE cluster can reach it via VPC peering.
AnswerA

Cloud SQL Auth Proxy with IAM authentication removes static credentials and uses IAM roles to control access, preventing credential exfiltration.

Why this answer

Option A is correct because deploying Cloud SQL Auth Proxy as a sidecar container enforces IAM-based authentication, eliminating static credentials that can be exfiltrated. The proxy also handles SSL/TLS encryption automatically and allows fine-grained access control via IAM permissions, so even if a pod is compromised, the attacker cannot reuse stolen credentials because they are tied to the pod's identity via Workload Identity. This approach requires minimal code changes since the application connects to localhost instead of the Cloud SQL public IP.

Exam trap

Google Cloud often tests the misconception that network-level controls (like private IPs) are sufficient to prevent data exfiltration from a compromised pod, but the real vulnerability is the use of static credentials that can be stolen and reused regardless of network isolation.

How to eliminate wrong answers

Option B is wrong because migrating to Cloud Spanner is a significant architectural change that requires rewriting application code and data modeling, which violates the requirement to minimize changes to the application code. Option C is wrong because rotating the password and storing it in Secret Manager does not prevent exfiltration; if a pod is compromised, the attacker can still read the new password from the mounted volume and reuse it to access the database directly. Option D is wrong because using a private IP and disabling public access only restricts network-level access; it does not prevent an attacker who has compromised a pod within the cluster from using the stored credentials to connect to the database over the private network.

60
MCQmedium

A company is designing a VPC Service Controls perimeter to protect data stored in Google Cloud. They need to allow access from their on-premises network via a Cloud VPN tunnel while blocking all internet-based access. What is the most secure and manageable approach?

A.Configure firewall rules to only allow traffic from the on-premises CIDR to the VPC.
B.Use Cloud VPN and Private Google Access to allow on-premises access without public IPs.
C.Configure a VPC Service Controls perimeter and create an access level that includes the on-premises CIDR range.
D.Use Cloud IAP (Identity-Aware Proxy) to restrict access based on identity and context.
AnswerC

VPC Service Controls with an access level effectively restricts API access to the allowed CIDR, preventing data exfiltration via the internet.

Why this answer

Option C is correct because VPC Service Controls can create a service perimeter that includes the on-premises CIDR via an access level, ensuring data is not exfiltrated to the internet. Option A is wrong because firewall rules do not prevent data exfiltration via API calls. Option D is wrong because IAP is for user identity, not network-level control.

Option B is wrong because Private Google Access does not restrict API access from the internet.

61
MCQmedium

A data engineer needs to analyze data in BigQuery but must mask personally identifiable information (PII) based on user roles. Which service should they use?

A.BigQuery column-level security
B.Cloud Key Management Service
C.Cloud Data Catalog
D.Cloud Data Loss Prevention (DLP)
AnswerA

BigQuery column-level security with data masking can restrict PII based on roles.

Why this answer

BigQuery column-level security with data masking allows conditional, role-based masking. Option C (Cloud Data Catalog) provides classification but not role-based masking. Option D (Cloud DLP) is for tokenization and de-identification but is not integrated with BigQuery role-based access.

Option B (Cloud KMS) manages encryption keys, not masking.

62
MCQeasy

A security team wants to receive alerts when a user attempts to grant the 'roles/owner' role to a member outside of the organization's domain. Which log filter should they use to create a log-based metric?

A.Filter on Admin Activity log type with 'protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceName="cloudresourcemanager.googleapis.com" AND NOT protoPayload.request.policy.bindings: member: "example.com"'.
B.Filter on Data Access log type with 'protoPayload.methodName="google.iam.v1.IAMPolicy.SetIamPolicy"'.
C.Filter on Admin Activity logs for 'resource.type="gce_instance" AND protoPayload.methodName="compute.instances.setServiceAccount"'.
D.Filter on System Event logs with a query for 'resource.type="project" AND protoPayload.response.status.code=7'.
AnswerA

This filter catches IAM policy changes where members are not from the allowed domain.

Why this answer

Option A is correct because Admin Activity audit logs capture all IAM policy changes. The filter checks for SetIamPolicy on the project and that a binding includes a member whose domain is outside the allowed list. Option B is wrong because Data Access logs do not include admin activity.

Option D is wrong because it filters System Event logs, which do not record user-initiated IAM changes. Option C is wrong because it checks for compute instances, not IAM.

63
MCQhard

A multinational corporation must comply with GDPR and requires that all customer data stored in BigQuery be encrypted using customer-managed encryption keys (CMEK) and that the keys are stored in a specific region. Which combination of steps should they take?

A.Enable default encryption at rest in BigQuery and use Organization Policies to restrict key location
B.Create a Cloud KMS key ring and crypto key in the desired region, then associate the BigQuery dataset with the CMEK key using DDL
C.Create a Cloud HSM key, then use Cloud DLP to automatically encrypt the data before loading into BigQuery
D.Use Cloud External Key Manager (EKM) to integrate with an on-premises key management system
AnswerB

This is the standard procedure for CMEK in BigQuery.

Why this answer

BigQuery CMEK requires creating a Cloud KMS key in the desired region and associating it with the dataset using DDL. Default encryption uses Google-managed keys; Cloud DLP is for de-identification; EKM is for on-prem key integration.

64
MCQeasy

A company is migrating sensitive customer data to Google Cloud. They need to ensure data is encrypted at rest and in transit. Which Google Cloud service provides a centralized way to manage encryption keys used by Google Cloud services?

A.Cloud HSM
B.Cloud External Key Manager (Cloud EKM)
C.Cloud Key Management Service (Cloud KMS)
D.Secret Manager
AnswerC

Cloud KMS provides centralized management of encryption keys used by Google Cloud services.

Why this answer

Cloud KMS is the correct choice because it provides a centralized, managed service for creating, rotating, and destroying encryption keys used by Google Cloud services. It integrates directly with services like Cloud Storage, BigQuery, and Compute Engine to enforce encryption at rest, and it supports customer-managed encryption keys (CMEK) for granular control. For data in transit, Cloud KMS can be used to manage keys for TLS or application-level encryption, though Google Cloud automatically encrypts all network traffic by default.

Exam trap

Google Cloud often tests the distinction between Cloud KMS as the centralized key management service and Cloud HSM as a hardware-backed option within Cloud KMS, leading candidates to choose Cloud HSM when the question asks for the centralized service.

How to eliminate wrong answers

Option A is wrong because Cloud HSM is a hardware security module service that provides dedicated, FIPS 140-2 Level 3 validated hardware for key operations, but it is not the centralized key management service; it is an option within Cloud KMS for higher security requirements. Option B is wrong because Cloud External Key Manager (Cloud EKM) allows you to manage keys outside of Google Cloud using an external key management partner, but it is not a centralized Google Cloud service for managing encryption keys used by Google Cloud services; it is for keys stored externally. Option D is wrong because Secret Manager is designed to store and manage secrets such as API keys, passwords, and certificates, not encryption keys for encrypting data at rest or in transit across Google Cloud services.

65
MCQhard

When will the key be automatically rotated?

A.Every 180 days
B.Only when manually triggered
C.Every 30 days
D.Every 90 days
AnswerD

7776000s = 90 days.

Why this answer

The rotationPeriod is 7776000 seconds, which equals 90 days. The nextRotationTime is set to 2024-04-01, 90 days after creation, confirming automatic rotation every 90 days.

66
Drag & Dropmedium

Drag and drop the steps to configure a Cloud Load Balancer with a backend service consisting of Compute Engine instances into the correct order.


Why this order

Health checks ensure traffic only goes to healthy instances; URL map defines routing; forwarding rule exposes the IP.

67
MCQmedium

A company wants to restrict access to a Cloud Storage bucket so that only objects encrypted with a specific Cloud KMS key can be read. Which approach should they use?

A.Enable Key Access Justifications on the Cloud KMS key and allow access only for justified requests.
B.Set a bucket policy that denies access if the object's encryption type is not CMEK.
C.Use IAM conditions with the resource name condition 'resource.name.startsWith("projects/_/buckets/example-bucket/objects/")' and 'resource.hasTag("kmsKeyName", "projects/p/locations/l/keyRings/kr/cryptoKeys/ck")'.
D.Configure VPC Service Controls to include the bucket and the Cloud KMS key resource.
AnswerC

IAM conditions can check object metadata such as 'kmsKeyName' to restrict access to objects encrypted with a specific key.

Why this answer

Option C is correct because Cloud Storage objects carry a 'kmsKeyName' attribute that can be referenced in IAM conditions to require objects to be encrypted with a specific KMS key. Option D is wrong because VPC Service Controls prevent data exfiltration but do not enforce encryption at the object level. Option B is wrong because bucket policies do not directly examine encryption key metadata.

Option A is wrong because Key Access Justifications only provide reasons for key access; they do not restrict object access based on the encryption key.

68
Multi-Selecthard

Which THREE Google Cloud services can be used to implement a zero-trust architecture for network security? (Choose three.)

Select 3 answers
A.Cloud Armor
B.Access Context Manager (ACM)
C.Identity-Aware Proxy (IAP)
D.VPC Networks
E.Cloud VPN
AnswersA, B, C

Cloud Armor provides WAF and DDoS protection at the edge, enforcing security policies.

Why this answer

Options A, B, and C are correct. Cloud Armor enforces security policies at the edge, Identity-Aware Proxy (IAP) verifies identity and context before granting access, and Access Context Manager defines access levels based on device, IP, etc., to enforce fine-grained access. Option E is wrong because Cloud VPN is for network connectivity, not zero-trust security.

Option D is wrong because VPC Networks are the underlying network; zero trust goes beyond network perimeters.

69
MCQmedium

Alice needs to read objects in the bucket 'secret-bucket'. Based on the IAM policy, what is her effective access?

A.Alice cannot read objects because the deny rule overrides all allow bindings.
B.Alice can read objects only if she also has objectCreator role.
C.Alice can read objects because objectAdmin grants read access and is not denied.
D.Alice cannot read objects because the deny rule removes objectViewer and she has no other read access.
AnswerC

objectAdmin includes read, and the deny only applies to objectViewer.

Why this answer

The deny rule denies objectViewer specifically on secret-bucket, but she also has objectAdmin, which is not denied (the deny does not block other roles), so she can read via objectAdmin. Option A is incorrect because the deny rule only removes the specified role, not all allow bindings. Option B is incorrect because objectAdmin already includes read, so objectCreator is not needed.

Option D is incorrect because objectAdmin includes read.

70
MCQeasy

A company wants to use Cloud Armor to protect their HTTP load balancer from SQL injection attacks. Which rule action should they configure to block malicious requests?

A.Use a pre-configured WAF rule that includes 'evaluatePreconfiguredExpr('sqli-stable')' with action 'deny(403)'.
B.Configure a rate-limiting rule with action 'rateLimit' to throttle traffic from suspicious IPs.
C.Create a rule that redirects traffic to a reCAPTCHA challenge for validation.
D.Set a security policy rule with action 'deny(403)' and a simple condition on the user-agent header.
AnswerA

Cloud Armor's pre-configured WAF rules detect common SQL injection signatures.

Why this answer

Option A is correct because Cloud Armor's pre-configured WAF rules include the 'sqli' rule set to detect SQL injection patterns. Option D is wrong because 'deny(403)' with a simple user-agent condition does not inspect the request body. Option B is wrong because 'rateLimit' limits request rate but does not inspect for SQL injection.

Option C is wrong because a reCAPTCHA redirect does not block the request.

71
Multi-Selecteasy

Which TWO methods can be used to encrypt data at rest in BigQuery?

Select 2 answers
A.Use a Cloud Storage bucket with bucket-level default encryption.
B.Use Customer-Managed Encryption Keys (CMEK) via Cloud KMS.
C.Use Cloud SQL with encryption at rest.
D.Use Customer-Supplied Encryption Keys (CSEK).
E.Use Cloud Bigtable with encryption at rest.
AnswersB, D

BigQuery tables can use CMEK.

Why this answer

BigQuery supports both CMEK (Cloud KMS key) and CSEK (customer-supplied encryption key) for data at rest encryption. Option A is for Cloud Storage, not BigQuery. Option C is for Cloud SQL.

Option E is for Bigtable.

72
MCQeasy

A company wants to automatically rotate cryptographic keys on a schedule without manual intervention. Which service should they use?

A.Cloud Key Management Service (KMS)
B.Secret Manager
C.Cloud Audit Logs
D.Cloud IAM
AnswerA

Cloud KMS allows automatic key rotation.

Why this answer

Cloud KMS supports automatic key rotation. Option B is for managing secrets. Option D is for access control.

Option C is for auditing.

73
MCQmedium

A company uses Google Cloud Armor to protect their HTTP load balancer from OWASP Top 10 attacks. After deploying a security policy with pre-configured WAF rules, they notice that some legitimate user requests are being blocked because they match a rule incorrectly. The security team wants to fine-tune the rules to reduce false positives while maintaining strong protection. They also want to evaluate the impact of changes before enforcing them. What should they do?

A.Disable the WAF rules entirely and implement IP-based allowlists.
B.Set the WAF rules to 'preview' mode to test their impact without blocking traffic, then adjust thresholds or exclusions based on logs.
C.Add a higher priority allow rule to permit the traffic that is being incorrectly blocked.
D.Remove the WAF rules and rely solely on rate limiting to protect the application.
AnswerB

Preview mode allows safe testing of rule modifications without disrupting legitimate traffic.

Why this answer

Option B is correct because Cloud Armor allows setting a rule to 'preview' mode, which logs matched requests without blocking them. This enables analysis of rule effectiveness before enforcement. Option C is wrong because adding a higher-priority allow rule could bypass security.

Option D is wrong because rate limiting does not address WAF false positives. Option A is wrong because disabling the WAF rules removes protection entirely.

74
MCQmedium

A company hosts a web application on Google Kubernetes Engine (GKE) and wants to protect against SQL injection attacks. Which service should they configure?

A.Identity-Aware Proxy (IAP)
B.Cloud Armor
C.Cloud Audit Logs
D.Container Analysis
AnswerB

Cloud Armor provides WAF capabilities to block SQL injection.

Why this answer

Cloud Armor with WAF rules can block SQL injection. Option A is for identity. Option D is for container scanning.

Option C is for audit logs.
