CCNA Pca Security Compliance Questions

75 of 96 questions · Page 1/2 · Pca Security Compliance topic · Answers revealed

1
Multi-Select · medium

A security team needs to detect and redact personally identifiable information (PII) in documents stored in Cloud Storage before sharing them with external partners. Which two Google Cloud services should they use together? (Choose two.)

Select 2 answers
A. Cloud Data Loss Prevention (DLP) API
B. Cloud Storage
C. Cloud KMS
D. Cloud Dataflow
E. Cloud NAT
Answers: A, B

DLP can inspect and de-identify PII in Cloud Storage.

Why this answer

Cloud DLP can scan Cloud Storage for PII and de-identify the data. The scanned and de-identified results can be written back to Cloud Storage. Cloud Dataflow is not needed for this simple use case; a Cloud Function can trigger DLP jobs.

2
MCQ · easy

A company needs to grant a data scientist read-only access to BigQuery datasets in the project 'analytics-prod' without granting permissions to any other resources. Which IAM role should be assigned at the project level?

A. roles/viewer
B. roles/bigquery.user
C. roles/bigquery.dataViewer
D. roles/bigquery.jobUser
Answer: C

BigQuery Data Viewer grants read-only access to datasets and tables.

Why this answer

The BigQuery Data Viewer role (roles/bigquery.dataViewer) grants read access to BigQuery datasets and tables. Assigning at the project level applies to all datasets in that project.

3
MCQ · medium

A security team wants to prevent data exfiltration from a GKE cluster to external storage. They need to restrict access to Cloud Storage buckets from the cluster without using private IPs. Which solution should they implement?

A. Configure firewall rules to block outbound traffic to Cloud Storage
B. Enable Cloud Armor on the GKE cluster
C. Use Private Google Access for on-premises access
D. Implement VPC Service Controls with a service perimeter
Answer: D

VPC Service Controls create perimeters around GCP resources (e.g., Cloud Storage) to block data exfiltration to unauthorized networks.

Why this answer

VPC Service Controls use service perimeters to protect resources and prevent data exfiltration from authorized networks, including GKE clusters, to external resources.

4
MCQ · easy

A developer wants to store a database password that is used by a Cloud Function. The password must be automatically rotated every 30 days and accessed securely without storing it in the source code. Which GCP service should they use?

A. Cloud KMS
B. Cloud Runtime Configuration
C. Secret Manager
D. Firestore
Answer: C

Secret Manager is designed for storing and managing secrets with rotation capabilities.

Why this answer

Secret Manager stores secrets like API keys and passwords. It supports automatic rotation via Cloud Scheduler and Cloud Functions, and provides fine-grained access control.

5
MCQ · easy

An engineer needs to grant a user the ability to create and manage service accounts in a project. Which predefined IAM role provides these permissions?

A. roles/owner
B. roles/iam.serviceAccountAdmin
C. roles/editor
D. roles/iam.workloadIdentityUser
Answer: B

This role grants full control over service accounts.

Why this answer

The roles/iam.serviceAccountAdmin role includes permissions to create, delete, and manage service accounts.

6
MCQ · medium

An organization uses Active Directory (AD) on-premises and wants to synchronize user identities to Google Cloud Identity so that users can access G Suite and GCP resources with their existing credentials. Which service should they use?

A. Cloud Identity-Aware Proxy (IAP)
B. Federation with Google Identity Platform
C. Cloud Directory Sync
D. SAML SSO
Answer: C

Cloud Directory Sync synchronizes identities from on-premises LDAP/AD to Cloud Identity.

Why this answer

Cloud Directory Sync (formerly Google Cloud Directory Sync) synchronizes users and groups from LDAP-compliant directories like Active Directory to Cloud Identity. It allows single sign-on and identity management.

7
MCQ · hard

A company uses Cloud Armor to protect an HTTP(S) Load Balancer. They want to block traffic from a specific IP address range during off-peak hours but allow it during peak hours. How can they achieve this?

A. Implement a Cloud Function that updates the security policy on a schedule
B. Use a Cloud Armor security policy rule with a condition on the IP address and a time condition
C. Create two separate security policies and switch between them using Cloud Load Balancer URL maps
D. Use VPC firewall rules to block the IP range during off-peak hours
Answer: B

Cloud Armor supports rule conditions that can check the request time, allowing time-based blocking.

Why this answer

Cloud Armor security policies can use rules with conditions based on IP addresses, and time-based conditions can be expressed as well (e.g., via headers or custom conditions). Natively, however, Cloud Armor does not support scheduled rules, so an alternative is a Cloud Function that modifies the security policy based on the time of day.

The simplest approach, if supported, is a rule whose condition evaluates the request time using the `request.time` attribute; otherwise, a Cloud Function can update the rules. Among the given options, the closest is a rule that includes a time condition via `request.time`, even though this is not a standard feature. Cloud Armor rule expressions can include `request.time` to match time windows.

So the correct answer is a rule with a time condition.

8
MCQ · medium

A company wants to use their own HSM to hold encryption keys for Google Cloud services, but they want Google Cloud to perform cryptographic operations without exposing the keys. Which service should they use?

A. Cloud KMS (software)
B. CSEK
C. Cloud HSM
D. Secret Manager
Answer: C

Why this answer

Cloud HSM is a cloud-hosted HSM that allows customers to manage keys in FIPS 140-2 Level 3 HSMs, with Google performing operations without exposing key material.

9
Multi-Select · medium

A company wants to use Cloud Key Management Service (Cloud KMS) to manage encryption keys for multiple applications. They have the following requirements: 1) Keys must be automatically rotated every 90 days. 2) Different applications should have access only to their own keys. 3) All key operations must be logged for audit purposes. Which THREE steps should they take? (Choose three.)

Select 3 answers
A. Grant the roles/cloudkms.admin role to each application's service account
B. Enable Cloud Audit Logs for the Cloud KMS API
C. Store the keys in Cloud HSM
D. Create a key ring for each application
E. Set a rotation period of 90 days on each key
Answers: B, D, E

Audit logs capture all key operations for compliance.

Why this answer

Cloud KMS supports key rotation schedules, IAM for access control, and Cloud Audit Logs for logging.

10
Multi-Select · easy

Which two GCP audit log types are available by default? (Choose TWO).

Select 2 answers
A. Admin Activity audit logs
B. System Event audit logs
C. Cloud Audit Logs
D. Policy Denied audit logs
E. Data Access audit logs
Answers: A, B

Admin Activity audit logs are enabled by default and record administrative actions.

Why this answer

Admin Activity and System Event audit logs are enabled by default. Data Access logs must be explicitly enabled.

11
MCQ · easy

A security team wants to ensure that all Compute Engine instances in a project are launched with a specific custom encryption key (CMEK) stored in Cloud KMS. What is the correct way to enforce this policy?

A. Set a service account with permissions to use the CMEK.
B. Use the organization policy constraint constraints/compute.requireCmek.
C. Create a firewall rule to block unencrypted traffic.
D. Configure the VPC Service Perimeter to block non-CMEK instances.
Answer: B

This constraint requires all persistent disks to be encrypted with a CMEK.

Why this answer

Using organization policy constraints, specifically constraints/compute.requireCmek, enforces that all new disks are encrypted with a CMEK from Cloud KMS. Other options do not enforce encryption at a project level.

12
MCQ · hard

A company deploys a Kubernetes workload in GKE that needs to access Cloud Storage. They want to avoid managing service account keys. What is the recommended approach?

A. Use the default Compute Engine service account on the node.
B. Store a service account key in a Kubernetes secret and mount it.
C. Use Workload Identity to map the Kubernetes service account to a GCP service account.
D. Use Cloud Key Management Service to encrypt the service account key.
Answer: C

Why this answer

Workload Identity allows you to bind a Kubernetes service account to a GCP service account, so pods can authenticate using the GCP service account without managing keys.

13
MCQ · medium

A company has multiple GCP projects under a folder. They want to define a custom IAM role that can be reused across all projects. Where should the custom role be defined?

A. At the folder level
B. At the project level
C. At the organization level
D. At the resource level
Answer: A

Folder-level roles apply to all projects in that folder.

Why this answer

Custom roles can be defined at the organization level, folder level, or project level. To reuse across all projects, the role should be defined at the organization level or at the folder level if the folder contains all projects.

14
MCQ · easy

An organization wants to enforce that all container images deployed to Google Kubernetes Engine (GKE) clusters are signed by an authorized authority and only those images are allowed to run. Which GCP service should they use?

A. Cloud Key Management Service (Cloud KMS)
B. Binary Authorization
C. Cloud Build
D. Artifact Registry
Answer: B

Binary Authorization is the correct service for requiring signed container images.

Why this answer

Binary Authorization enforces deployment-time policies that require container images to be signed by trusted authorities before they can be deployed to GKE.

15
MCQ · medium

A developer needs to securely store a database password that will be used by a Compute Engine instance. The password must be rotated automatically every 30 days. Which service should they use?

A. Cloud KMS
B. Cloud Storage with encryption
C. Environment variables
D. Secret Manager
Answer: D

Secret Manager stores secrets and supports automatic rotation every 30 days.

Why this answer

Secret Manager is designed for storing secrets like API keys and passwords, and it supports automatic rotation schedules. Cloud KMS is for encryption keys, not generic secrets. Cloud Storage can store encrypted data but does not natively support rotation.

Environment variables are insecure and not managed.

16
MCQ · easy

An organization wants to enforce that all container images deployed to Google Kubernetes Engine (GKE) are signed and approved via an attestation authority. Which GCP service should they use?

A. Binary Authorization
B. Container Registry
C. Cloud Armor
D. Cloud Security Scanner
Answer: A

Binary Authorization provides attestation-based policy enforcement for container images on GKE.

Why this answer

Binary Authorization enforces deployment-time policies that require container images to be signed by trusted authorities. It integrates with GKE and Cloud Build to ensure only signed images are deployed.

17
Multi-Select · medium

A security team needs to restrict access to a set of Cloud Storage buckets so that only Compute Engine instances with a specific service account can read objects. Which TWO steps should they take? (Choose two.)

Select 2 answers
A. Grant the service account the 'roles/storage.objectViewer' role on the bucket
B. Grant the user who owns the instances the 'roles/storage.admin' role
C. Configure VPC Service Controls to allow access only from the VPC where the instances reside
D. Create a bucket ACL that allows read access for the service account
E. Add a firewall rule allowing ingress from the service account to the bucket's IP range
Answers: A, C

This IAM role allows the service account to read objects.

Why this answer

IAM permissions control who can access resources; firewall rules control network access. Both are needed for complete restriction.

18
MCQ · medium

An organization uses Active Directory (AD) on-premises. They want to synchronize user accounts and groups to Google Cloud Identity so that users can sign in with their existing AD credentials. Which service should they use?

A. Cloud Identity Platform
B. Google Cloud Directory Sync
C. Cloud Identity-Aware Proxy
D. Security Command Center
Answer: B

GCDS syncs users and groups from AD to Cloud Identity.

Why this answer

Google Cloud Directory Sync (GCDS) is the tool that synchronizes users and groups from an existing LDAP directory, such as Active Directory, to Cloud Identity. It does not handle SAML SSO directly.

19
MCQ · easy

A company wants to give a new employee read-only access to all projects in their GCP organization. Which IAM role should they assign at the organization level to grant this access?

A. roles/owner
B. roles/editor
C. roles/viewer
D. roles/orgadmin
Answer: C

Viewer provides read-only access to all resources.

Why this answer

The Viewer primitive role (roles/viewer) grants read-only access to all resources in the organization. Owner and Editor roles are too broad. Organization Viewer is not a valid role.

20
MCQ · medium

A company wants to enforce that all data stored in Cloud Storage buckets is encrypted with a key that they manage and rotate quarterly. They also want to ensure that the key is stored in a hardware security module (HSM). Which combination of services should they use?

A. Customer-Supplied Encryption Keys (CSEK) with Cloud Storage
B. Cloud KMS with a key backed by Cloud HSM, and set the bucket's default encryption to use that key (CMEK)
C. Cloud External Key Manager (Cloud EKM)
D. Cloud HSM with default Google-managed keys
Answer: B

Cloud KMS with HSM key provides customer-managed, HSM-backed encryption keys for Cloud Storage.

Why this answer

Cloud HSM provides HSM-backed keys, and Cloud KMS allows you to create and manage those keys. CMEK (Customer-Managed Encryption Keys) with Cloud KMS (backed by HSM) meets the requirements.

21
Multi-Select · hard

A company wants to use Binary Authorization to enforce that only images signed by their internal CI/CD pipeline can be deployed to their GKE clusters. They have set up Cloud Build to sign images. Which THREE steps are required to configure this? (Choose 3)

Select 3 answers
A. Create an attestation for each container image using Cloud Build
B. Create a Binary Authorization policy that requires attestations for the GKE cluster
C. Create an attestor in Binary Authorization
D. Store the signing keys in Cloud HSM
E. Grant the GKE service account the roles/container.deployer role
Answers: A, B, C

Attestations are the signed metadata proving the image was verified.

Why this answer

To use Binary Authorization, you need to create an attestor that represents the signing authority, create an attestation (signed metadata) for each image, and create a policy that requires attestations. The policy can be cluster-specific. Granting the attestor the Cloud KMS signer role is needed to sign, but the question asks for steps to configure; storing keys in Cloud KMS is a prerequisite but not listed as a step here.

22
MCQ · easy

An organization wants to enforce that all container images deployed to their Google Kubernetes Engine (GKE) clusters are signed and have passed a vulnerability scan. Which GCP service should they use to enforce this policy?

A. Cloud Build
B. Artifact Registry
C. IAM
D. Binary Authorization
Answer: D

Binary Authorization is the correct service for enforcing attestation-based policies on container images deployed to GKE.

Why this answer

Binary Authorization enforces policies that require container images to be signed by trusted authorities and optionally pass vulnerability scans before deployment. Cloud Build can be used to sign images, but the enforcement is done by Binary Authorization. Artifact Registry stores images, and IAM controls access but does not enforce signing policies.

23
MCQ · easy

A developer wants to allow a Compute Engine VM to authenticate to Google Cloud APIs without embedding service account keys in the VM image. What is the recommended approach?

A. Use Cloud KMS to encrypt a service account key and store it in a bucket
B. Use a service account impersonation flow
C. Attach a service account to the VM instance
D. Create a service account key and store it in the VM's startup script
Answer: C

The VM can then use the default service account credentials via the metadata server.

Why this answer

Attaching a service account to the Compute Engine VM allows it to automatically obtain credentials via the metadata server, avoiding key management.

24
MCQ · hard

An organization needs to run workloads that are subject to ITAR (International Traffic in Arms Regulations) in Google Cloud. Which region should they use to ensure compliance with ITAR requirements?

A. europe-west1
B. us-central1
C. us-military-east4
D. us-east1
Answer: C

us-military-east4 is part of Assured Workloads for Government and supports ITAR.

Why this answer

Assured Workloads for Government provides controlled regions that are compliant with ITAR. The us-central1 region is not ITAR-compliant. The us-military regions (e.g., us-military-east4) are part of Assured Workloads for Government and support ITAR.

25
MCQ · medium

A company wants to allow users to authenticate to a web application running on Compute Engine using their existing corporate Active Directory credentials without exposing the application to the public internet. Which approach should they use?

A. Configure a Cloud VPN and allow only corporate IP addresses in firewall rules
B. Set up Identity-Aware Proxy (IAP) and sync Active Directory to Cloud Identity
C. Use Cloud Load Balancing with SSL and client certificates
D. Configure Cloud NAT and assign static IPs to users
Answer: B

IAP uses Cloud Identity for authentication, and Cloud Directory Sync can sync AD users.

Why this answer

Identity-Aware Proxy (IAP) provides zero-trust access to applications by verifying identity and context. It integrates with Cloud Identity, which can be synced with Active Directory via Cloud Directory Sync.

26
MCQ · easy

A startup wants to grant a contractor limited access to a single Cloud Storage bucket. The contractor should be able to view and download objects, but not delete or overwrite them. Which IAM role should be assigned?

A. roles/storage.admin
B. roles/storage.objectAdmin
C. roles/storage.objectCreator
D. roles/storage.objectViewer
Answer: D

Correct: read-only access to objects.

Why this answer

The roles/storage.objectViewer role grants read-only access to objects in a bucket, including listing and downloading objects, but does not allow modification or deletion.

27
MCQ · medium

A security engineer wants to prevent data exfiltration from a project 'prod-data' by ensuring that only approved VPC networks can access BigQuery datasets. Which GCP service should be used?

A. Private Google Access
B. Cloud Armor
C. Cloud NAT
D. VPC Service Controls
Answer: D

VPC Service Controls creates perimeters to prevent data exfiltration from managed services like BigQuery.

Why this answer

VPC Service Controls create service perimeters that protect resources by restricting access from outside the perimeter. They can be used to limit BigQuery access to specific VPC networks or IP ranges.

28
MCQ · medium

A company wants to encrypt data at rest in Cloud Storage using their own keys stored on-premises. They need to rotate the key every 30 days. Which encryption option should they use?

A. Default encryption with Google-managed keys
B. Customer-Managed Encryption Keys (CMEK) with Cloud KMS
C. Customer-Supplied Encryption Keys (CSEK)
D. Cloud HSM
Answer: C

CSEK allows customers to supply their own keys, which are used server-side but not stored by Google.

Why this answer

Customer-Supplied Encryption Keys (CSEK) allow users to provide their own keys for encrypting Cloud Storage objects. The keys are managed on-premises and can be rotated as needed.

29
MCQ · easy

Which GCP service can be used to detect and redact sensitive data such as credit card numbers in text files stored in Cloud Storage?

A. Security Command Center
B. Cloud Key Management Service
C. Cloud Audit Logs
D. Cloud Data Loss Prevention (DLP)
Answer: D

Cloud DLP inspects and de-identifies sensitive data.

Why this answer

Cloud DLP provides built-in detectors for many sensitive data types and can redact or tokenize them.

30
MCQ · medium

A company needs to encrypt data at rest in Cloud Storage using their own keys. They require that the keys are stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 certified. Which key management option should they choose?

A. Google-managed encryption keys
B. Customer-Supplied Encryption Keys (CSEK)
C. Customer-Managed Encryption Keys (CMEK) with Cloud HSM
D. Customer-Managed Encryption Keys (CMEK) with Cloud KMS
Answer: C

Cloud HSM provides FIPS 140-2 Level 3 HSM for CMEK keys.

Why this answer

Cloud HSM is a FIPS 140-2 Level 3 certified HSM service that allows you to manage your own encryption keys for CMEK. CSEK requires you to supply keys yourself, but they are not stored in an HSM. Cloud KMS without HSM is only Level 1.

Google-managed keys do not use customer keys.

31
MCQ · easy

A security engineer needs to restrict access to a Google Cloud project so that only a specific set of IP addresses can reach Cloud Storage buckets. Which feature should be configured?

A. VPC Service Controls
B. IAM Conditions
C. Firewall Rules
D. Cloud Armor
Answer: A

Why this answer

VPC Service Controls allow you to define perimeters that restrict access based on context, including IP addresses via access levels.

32
Multi-Select · hard

A company wants to allow a Kubernetes pod in GKE to authenticate to Google Cloud APIs without storing service account keys in the cluster. Which three components need to be configured to enable Workload Identity? (Choose three.)

Select 3 answers
A. Google Cloud service account
B. Kubernetes service account with annotation
C. Firewall rule to allow traffic to metadata server
D. IAM policy binding granting the GCP SA roles/iam.workloadIdentityUser on the GCP SA
E. Cloud NAT for outbound access
Answers: A, B, D

The GCP SA that the pod will impersonate.

Why this answer

Workload Identity requires: (1) a Google Cloud IAM service account (GCP SA), (2) a Kubernetes service account (KSA) annotated with the GCP SA email, and (3) an IAM policy binding between the KSA and GCP SA to allow impersonation.

33
Multi-Select · medium

An organization wants to protect an HTTPS load-balanced web application from common web attacks, such as SQL injection and cross-site scripting (XSS), as well as rate-limit traffic from specific IPs. Which three capabilities should they use together? (Choose three.)

Select 3 answers
A. Cloud Armor rate limiting
B. Cloud CDN
C. Cloud Armor WAF rules
D. Cloud Load Balancing logging
E. Cloud Armor IP blacklist/whitelist
Answers: A, C, E

Rate limiting can throttle traffic from specific IPs.

Why this answer

Cloud Armor provides WAF rules (preconfigured rules for SQLi, XSS, etc.), rate limiting, and IP blacklisting/whitelisting. All three are part of Cloud Armor security policies.

34
MCQ · hard

An engineer is configuring Cloud Armor security policies for an HTTPS Load Balancer. They want to block requests from a specific IP range but allow all other traffic. What is the correct way to configure this?

A. Create a rule with priority 1000 to allow all traffic, and a rule with priority 100 to deny the IP range
B. Create a single rule with the IP range and action 'deny'
C. Create a rule with priority 100 to deny the IP range, and a rule with priority 1000 to allow all traffic
D. Create a rule with priority 1000 to deny the IP range, and no allow rule
Answer: C

The deny rule with the lower priority number is evaluated first, blocking the IP range; the allow rule then permits everything else.

Why this answer

Cloud Armor security policies use rules with a 'deny' action for blocking and 'allow' for permitting. Rules are evaluated in order of priority, with lower numbers having higher priority.

35
Multi-Select · hard

An organization wants to implement a zero-trust architecture for a web application running on Compute Engine. They require:
- All traffic must be authenticated and authorized at the application layer.
- Access decisions must consider the user's identity, device security posture, and IP address.
- Session hijacking must be mitigated.
Which THREE services or features should they use? (Choose three.)

Select 3 answers
A. IAP's signed headers (X-Goog-Authenticated-User-Email)
B. Cloud Armor with adaptive protection
C. Identity-Aware Proxy (IAP)
D. Cloud Armor with security policies that include access from certain IP ranges
E. VPC Service Controls
Answers: A, C, D

Signed headers ensure that requests come from IAP, preventing session hijacking.

Why this answer

IAP provides identity-aware access, Cloud Armor can enforce context-based access, and IAP signed headers prevent session hijacking.

36
MCQ · medium

An organization needs to store API keys and database passwords securely in Google Cloud. They want to automatically rotate secrets every 30 days. Which service should they use?

A. Cloud Storage with bucket-level encryption
B. Cloud Key Management Service (Cloud KMS)
C. Secret Manager
D. Cloud Runtime Configurator
Answer: C

Secret Manager is designed for storing API keys, passwords, and other secrets, and supports rotation.

Why this answer

Secret Manager supports automatic rotation with a rotation period and can trigger a Cloud Function to generate a new secret version.

37
MCQ · hard

An organization needs to encrypt data at rest in BigQuery using keys that are rotated every 90 days. They want to manage the keys themselves but cannot store keys on-premises. Which encryption approach should they use?

A. Default Google-managed encryption
B. Customer-Managed Encryption Keys (CMEK) with Cloud KMS
C. Cloud HSM
D. Customer-Supplied Encryption Keys (CSEK)
Answer: B

CMEK allows customers to control key rotation and manage keys in Cloud KMS.

Why this answer

CMEK with Cloud KMS allows customers to manage their own keys (including rotation) while keys are stored in Google's Cloud KMS.

38
MCQ · medium

A company wants to allow a Kubernetes pod in GKE to access a Cloud Storage bucket using a specific service account without storing long-lived credentials. Which method should be used?

A. Assign the service account directly to the GKE node pool
B. Create a JSON key for a service account and mount it as a secret in the pod
C. Use Workload Identity to bind the Kubernetes service account to a Google Cloud service account
D. Use Application Default Credentials on the pod
Answer: C

Workload Identity provides secure, automated authentication without static keys.

Why this answer

Workload Identity allows a Kubernetes service account to act as a Google Cloud service account by binding them. This eliminates the need for static keys and uses short-lived tokens.

39
MCQ · medium

A security engineer needs to allow a Compute Engine instance with the service account 'sa-prod@project.iam.gserviceaccount.com' to connect to a Cloud SQL instance over a private IP. The VPC has no firewall rules allowing this traffic. What is the MOST secure way to grant access?

A. Add a firewall rule with source service account 'sa-prod@project.iam.gserviceaccount.com' and target service account 'cloud-sql-sa@project.iam.gserviceaccount.com'
B. Grant the IAM role 'cloudsql.client' to the service account 'sa-prod@project.iam.gserviceaccount.com'
C. Add a firewall rule with source tag 'prod' and target tag 'cloud-sql'
D. Create a VPC peering connection between the Compute Engine VPC and the Cloud SQL VPC
Answer: A

Using service accounts in firewall rules is the secure method, as it ties the rule directly to the identity of the instances.

Why this answer

Firewall rules can target service accounts directly, allowing fine-grained access without relying on network tags. This avoids managing tags and reduces attack surface.

40
MCQ · medium

An organization needs to grant a third-party auditor read-only access to view all resources in a project, including sensitive data like IAM policies and logs. Which role should be assigned?

A. Security Reviewer
B. Logs Viewer
C. Viewer
D. Monitoring Viewer
Answer: C

Why this answer

The Viewer primitive role provides read-only access to all resources in a project, including IAM policies and logs.

41
Multi-Select · hard

A company needs to ensure that data stored in Cloud Storage is encrypted with customer-managed keys that are rotated every 90 days. Which two steps must be taken to achieve this? (Choose TWO).

Select 2 answers
A. Set a rotation period of 90 days on the Cloud KMS key
B. Enable CSEK on the bucket
C. Grant the Cloud Storage service account access to the Cloud KMS key
D. Create a key ring and a key in Cloud KMS
E. Set the default encryption key on the Cloud Storage bucket to the Cloud KMS key
Answers: D, E

A CMEK key is created in Cloud KMS.

Why this answer

A CMEK key must be created in Cloud KMS, and the Cloud Storage bucket must be configured to use that CMEK key.

42
Multi-Select · medium

A company wants to deploy a web application behind an HTTPS Load Balancer and only allow authenticated users from their corporate Active Directory. Which two services should they use together? (Choose two.)

Select 2 answers
A. Identity-Aware Proxy (IAP)
B. VPC Service Controls
C. Cloud NAT
D. Cloud Identity
E. Cloud Armor
Answers: A, D

Why this answer

Identity-Aware Proxy (IAP) provides authentication and authorization for applications. Cloud Identity (or Cloud Directory Sync) integrates with Active Directory to provide user identities.

43
Multi-Select · medium

A company wants to use Cloud DLP to scan a Cloud Storage bucket for personally identifiable information (PII) and de-identify the data before storing it in another bucket. Which TWO actions should they take? (Choose 2)

Select 2 answers
A. Use DLP de-identification templates to transform data and write to a target bucket
B. Export the inspection results to BigQuery for analysis
C. Set up a Cloud Dataflow pipeline to stream data
D. Grant the Cloud DLP service account the roles/storage.objectViewer role on the source bucket
E. Create a DLP inspection job to scan the source bucket
Answers: A, E

De-identification transforms the data, and the output can be written to another bucket.

Why this answer

Cloud DLP can inspect the data and de-identify it using techniques like masking. The output is typically stored in a different bucket. Exporting to BigQuery is optional and not required for de-identification.

IAM roles for DLP are needed to create jobs.

44
Multi-Select · hard

A company wants to centrally manage firewall rules for all projects in an organization using hierarchical firewall policies. Which three resources can be used in conjunction with hierarchical firewall policies? (Choose three.)

Select 3 answers
A. Compute Engine instance
B. Organization node
C. Project
D. VPC network
E. Folder
Answers: B, C, E

Why this answer

Hierarchical firewall policies can be applied to the organization, folders, and projects. They cannot be applied to VPC networks or individual resources directly.

45
MCQ · hard

A company uses Cloud Armor to protect an HTTPS Load Balancer. They want to allow traffic only from users who have passed a reCAPTCHA challenge. Cloud Armor supports which feature for this?

A. WAF rules with reCAPTCHA
B. Preconfigured WAF rules
C. Adaptive Protection
D. Rate limiting
Answer: A

Cloud Armor supports reCAPTCHA token-based enforcement as a WAF feature.

Why this answer

Cloud Armor security policies can include rules that use reCAPTCHA tokens to block or allow traffic based on the challenge outcome.

46
MCQeasy

An organization wants to ensure that only container images signed by an authorized CI/CD pipeline can be deployed to their GKE clusters. Which GCP service should they use?

A.Artifact Registry
B.Binary Authorization
C.Cloud Security Scanner
D.Cloud Build
Answer: B

Why this answer

Binary Authorization is a GCP service that enforces attestation-based policies, ensuring only signed container images are deployed to GKE.

47
MCQ · easy

An engineer needs to grant a service account the ability to create and manage VMs in a specific project, but only those VMs with a certain label. Which IAM feature should they use?

A.Primitive roles
B.Custom roles
C.Service account impersonation
D.IAM conditions
Answer: D

IAM conditions allow you to apply attribute-based access control, e.g., only VMs with a specific label.

Why this answer

IAM conditions allow you to grant conditional access based on resource attributes such as labels, name, or creation time. Custom roles are a collection of permissions but do not enforce conditions. Service account impersonation is used to act as another service account.

Primitive roles are broad and do not support conditions.

48
MCQ · medium

A company wants to restrict network access to Cloud SQL instances such that only applications running in a specific VPC can connect. Which GCP feature should they use?

A.Private Service Connect
B.Private Service Access
C.VPC peering
D.Private Services Access
Answer: A

Private Service Connect enables private connectivity to managed services from VPC networks.

Why this answer

Private Service Connect allows private connectivity from VPC networks to Google-managed services like Cloud SQL.

49
Multi-Select · hard

A company needs to store secrets used by multiple GCP services. They require automatic rotation of secrets every 30 days and integration with Cloud Functions. Which two GCP services should they use? (Choose two.)

Select 2 answers
A.Cloud Run
B.Cloud Functions
C.Secret Manager
D.Cloud KMS
E.Cloud Scheduler
Answers: B, C

Cloud Functions can integrate with Secret Manager to retrieve secrets.

Why this answer

Secret Manager stores secrets and supports rotation. Cloud Functions can access secrets via the Secret Manager API or by mounting them as volumes.

50
MCQ · medium

A company needs to ensure that only applications running in a specific GKE namespace can access a Cloud Storage bucket. Which approach should they use?

A.Use Workload Identity to bind the Kubernetes service account to a GCP service account with appropriate IAM roles
B.Use VPC Service Controls to restrict the bucket to only the GKE cluster's VPC
C.Use firewall rules to allow traffic only from the GKE cluster's pod CIDR
D.Use Cloud Armor to restrict access based on source IP
Answer: A

Workload Identity maps a Kubernetes service account (KSA) to a Google service account (GSA), enabling fine-grained access control per namespace.

Why this answer

Workload Identity allows binding a Kubernetes service account to a GCP service account. Then, IAM can be granted to that GCP service account for the Cloud Storage bucket.

51
MCQ · hard

A financial services company must store customer data in a GCP region that is certified for FedRAMP High. They also need to ensure that only authorized personnel can access the data, and that access logs are kept for 10 years. Which combination of services meets these requirements?

A.Cloud HSM and Cloud Audit Logs
B.VPC Service Controls with Cloud DLP
C.Cloud KMS with CMEK and Cloud Audit Logs
D.Assured Workloads with Cloud Audit Logs and IAM
Answer: D

Assured Workloads provides the required compliance boundaries, Cloud Audit Logs can be retained for 10 years, and IAM controls access.

Why this answer

Assured Workloads provides a FedRAMP High environment with specific regions. Cloud Audit Logs can be configured for extended retention. IAM controls access.

CMEK is not required for compliance in this case. DLP is for data classification, not access control.

52
MCQ · hard

A company has a VPC Service Perimeter that protects a project containing BigQuery datasets. They want to allow an external customer's BigQuery job to query data across the perimeter boundary using a private connection. Which configuration is required?

A.Remove the project from the service perimeter temporarily.
B.Create an ingress rule in the service perimeter that allows access from the external customer's VPC network.
C.Use Access Transparency to log cross-perimeter access.
D.Grant the external customer's service account the BigQuery User role.
Answer: B

Ingress rules allow traffic from specified sources into the perimeter.

Why this answer

To allow access from outside the perimeter, you can use VPC Service Controls with ingress rules. Additionally, the external customer must use a private connection, such as Cloud VPN or Dedicated Interconnect, to access the perimeter. The ingress rule specifies the source and resources.

53
MCQ · medium

A developer wants to store a database password securely and have it automatically rotated every 30 days. The password is used by a Compute Engine instance. Which Google Cloud service should they use?

A.Secret Manager
B.Cloud Storage with customer-supplied encryption keys
C.Cloud Key Management Service (Cloud KMS)
D.Environment variables in Compute Engine
Answer: A

Secret Manager stores secrets and supports automatic rotation.

Why this answer

Secret Manager can store secrets and has built-in rotation capabilities. You can set a rotation period and a rotation function (e.g., Cloud Function) to generate a new password. This is the recommended service.

54
MCQ · hard

An organization needs to restrict access to a Cloud Storage bucket so that only resources in a specific VPC network can read the data. They want to prevent data exfiltration via the internet. Which combination of services should they use?

A.Firewall Rules and Cloud VPN
B.Cloud Armor and Cloud NAT
C.VPC Service Controls and Private Google Access
D.IAM Conditions and Cloud CDN
Answer: C

VPC Service Controls create a perimeter around Cloud Storage, and Private Google Access allows access from VMs using private IPs.

Why this answer

VPC Service Controls create service perimeters that protect Cloud Storage and other services. Private Google Access allows on-premises or VM access via private IP. Together they restrict access to the VPC network.

55
Multi-Select · medium

An organization wants to use VPC Service Controls to protect a Cloud Storage bucket and a BigQuery dataset from data exfiltration. They want to allow access from a specific on-premises network via a Cloud VPN. Which two components are required? (Choose two.)

Select 2 answers
A.A service perimeter that includes the Cloud Storage bucket and BigQuery dataset
B.An access level that includes the IP range of the on-premises network
C.Cloud Interconnect (Dedicated or Partner)
D.VPC firewall rules allowing traffic from on-premises
E.Private Google Access enabled on the VPC subnet
Answers: A, B

The service perimeter defines the protected resources.

Why this answer

VPC Service Controls use access levels (often based on IP address) to allow or deny access. A service perimeter defines the protected resources. Cloud VPN provides the encrypted connection from on-premises.

Cloud Interconnect is an alternative but not required. Private Google Access is for VMs in the VPC, not on-premises. VPC firewall rules do not apply to Google Cloud services.

56
Multi-Select · hard

An organization wants to use Cloud KMS to manage encryption keys for data in Cloud Storage and BigQuery. They require that key material never leaves a hardware security module (HSM) and that the HSM is FIPS 140-2 Level 3 certified. Which two actions should they take? (Choose two.)

Select 2 answers
A.Create a key ring with protection level 'HSM'
B.Use Cloud External Key Manager (Cloud EKM)
C.Use Customer-Supplied Encryption Keys (CSEK)
D.Create a key ring with protection level 'software'
E.Use a Cloud HSM cluster
Answers: A, E

HSM protection level ensures keys are generated in and remain in the HSM.

Why this answer

To use HSM-backed keys, create a key ring with protection level HSM via Cloud HSM. Cloud KMS supports HSM keys that never leave the HSM.

57
MCQ · medium

A company wants to restrict access to their Cloud Storage bucket so that only requests from within a specific VPC network are allowed, and all other traffic (including internet) is denied. They also need to allow access from on-premises through a VPN. Which configuration should they use?

A.Configure the bucket with VPC Service Controls and enable Private Google Access
B.Use IAM conditions to restrict access based on IP address
C.Use firewall rules to allow traffic only from the VPC IP range
D.Set up Cloud VPN and use Cloud NAT for egress
Answer: A

VPC Service Controls create a service perimeter, and Private Google Access allows access from VMs and on-premises via VPN.

Why this answer

VPC Service Controls create a service perimeter around the bucket, and Private Google Access allows resources in the VPC to reach the bucket over Google's private API endpoints. The on-premises network can connect via VPN and use Private Google Access for on-premises hosts. Public access is blocked by the perimeter.

Firewall rules alone cannot block internet traffic to a public bucket.

58
MCQ · hard

A data engineer needs to automatically detect and redact sensitive data such as credit card numbers from text files uploaded to Cloud Storage before the data is loaded into BigQuery. Which GCP service should be used?

A.Cloud Data Loss Prevention (DLP) API
B.Cloud KMS
C.Cloud Audit Logs
D.Cloud Vision API
Answer: A

DLP provides inspection and de-identification of sensitive data.

Why this answer

Cloud Data Loss Prevention (DLP) API can inspect text for sensitive patterns and de-identify (redact, mask, etc.) the content. It can be triggered via Cloud Functions or Cloud Workflows on file upload.

59
MCQ · easy

A company wants to ensure that all audit logs for a project are retained for 7 years for compliance purposes. Which type of audit logs in Cloud Logging should they configure for the longest retention?

A.Export all audit logs to Cloud Storage with a retention policy
B.Admin Activity audit logs
C.Data Access audit logs
D.System Event audit logs
Answer: A

Exporting to Cloud Storage allows you to set a retention policy of 7 years.

Why this answer

Cloud Logging retains logs for a default period; for long-term retention you can export logs to Cloud Storage. All audit logs (Admin Activity, Data Access, System Event) can be exported and stored in a bucket with a retention policy. The question might refer to the default retention periods: Admin Activity logs are retained for 400 days and Data Access logs for 30 days, but exporting to Cloud Storage allows longer retention.

The best answer is to export all audit logs to Cloud Storage.

60
MCQ · medium

A security team needs to detect and redact personally identifiable information (PII) from documents uploaded to Cloud Storage before they are stored. Which GCP service should they use?

A.Cloud Audit Logs
B.Cloud Data Loss Prevention (DLP) API
C.Security Command Center
D.Access Transparency
Answer: B

Why this answer

Cloud DLP (Data Loss Prevention) API can inspect and de-identify sensitive data in documents and can be integrated with Cloud Storage workflows.

61
MCQ · easy

Which IAM role should be granted to a user who needs to view but not modify resources in a project?

A.roles/editor
B.roles/viewer
C.roles/owner
D.roles/browser
Answer: B

Viewer provides read-only access.

Why this answer

The Viewer role (roles/viewer) provides read-only access to all resources in a project.

62
MCQ · medium

A company is using Cloud SQL for MySQL and wants to encrypt data at rest with a key that they manage and rotate. They also want to avoid any additional cost for the encryption feature. What should they do?

A.Use Customer-Supplied Encryption Keys (CSEK).
B.Use Google-managed encryption keys (default).
C.Use Cloud HSM to manage the keys.
D.Enable Customer-Managed Encryption Keys (CMEK) with Cloud KMS.
Answer: D

CMEK allows you to manage and rotate keys. Cloud KMS usage may incur costs, but among the options this is the only one that meets the key-management requirement.

Why this answer

Cloud SQL supports CMEK, which allows customers to use their own keys from Cloud KMS. Note that there is no additional cost for the Cloud SQL encryption feature itself; charges apply only to Cloud KMS key versions and operations.

The question asks to avoid additional cost, and CMEK does add KMS cost. However, the other options are wrong: Google-managed keys cost nothing but do not meet the key-management requirement, CSEK is deprecated, and Cloud HSM adds cost.

63
MCQ · medium

A data engineer needs to scan a Cloud Storage bucket for personally identifiable information (PII) and de-identify the data before loading it into BigQuery. Which Google Cloud service should they use?

A.Cloud DLP
B.Cloud Dataprep
C.Cloud Composer
D.Cloud Data Fusion
Answer: A

Cloud DLP is designed for inspecting and de-identifying sensitive data.

Why this answer

Cloud Data Loss Prevention (DLP) API can inspect data for PII and de-identify it using techniques like masking, tokenization, or bucketing.

64
MCQ · medium

A DevOps engineer needs to grant a CI/CD pipeline (running in a different Google Cloud project) the ability to deploy resources into a target project. The pipeline uses a service account. What is the best way to grant this access?

A.Use VPC peering to allow cross-project access.
B.Use Cloud NAT to enable communication.
C.Add the service account email as a member of the target project with appropriate roles.
D.Create a new service account in the target project and share the key with the pipeline.
Answer: C

Why this answer

IAM allows granting roles to a service account principal from another project by specifying the full email of the service account as a member.

65
MCQ · medium

A company wants to encrypt data at rest in Cloud Storage using a key that they generate and manage themselves, not stored in Google Cloud. Which encryption type should they use?

A.Default encryption
B.Cloud HSM
C.CSEK
D.CMEK with Cloud KMS
Answer: C

Why this answer

CSEK (Customer-Supplied Encryption Keys) allows customers to provide their own encryption keys for Cloud Storage objects, which are used and then discarded by GCP.

66
MCQ · hard

A company uses Assured Workloads to meet FedRAMP compliance. They need to ensure that only authorized personnel can access data access audit logs for their projects. Which IAM role should they grant to the security team?

A.roles/logging.privateLogViewer
B.roles/logging.viewer
C.roles/iam.securityReviewer
D.roles/logging.admin
Answer: A

This role grants read access to Data Access audit logs and Admin Activity logs, which is the minimum required.

Why this answer

Data Access audit logs require the 'roles/logging.privateLogViewer' role (or equivalent) to view. Admin Activity logs are visible with 'roles/logging.viewer' or higher.

67
MCQ · medium

A company wants to enforce that all API calls to GCP services from outside their corporate network come through a specific Cloud VPN tunnel. Which GCP service can enforce this policy?

A.VPC Service Controls
B.Cloud NAT
C.Identity-Aware Proxy
D.Cloud Armor
Answer: A

VPC Service Controls can use access levels to restrict API access to specific IP ranges, such as the VPN tunnel's egress IP.

Why this answer

VPC Service Controls with access levels can restrict access based on IP address ranges, including the VPN tunnel's egress IP.

68
MCQ · medium

A company wants to use Customer-Managed Encryption Keys (CMEK) for data at rest in Cloud Storage, but also needs to ensure that the keys are stored in a hardware security module (HSM) to meet compliance requirements. Which Cloud KMS key type should they choose?

A.Predefined key
B.External key (Cloud External Key Manager)
C.Software-backed key
D.Cloud HSM key
Answer: D

Cloud HSM keys are stored in FIPS 140-2 Level 3 certified HSMs.

Why this answer

Cloud HSM provides HSM-backed keys that are FIPS 140-2 Level 3 certified. Using Cloud HSM for the CMEK ensures the key material is stored in a hardware security module.

69
MCQ · hard

A company is migrating an on-premises application to Google Cloud. The application requires access to a legacy database that can only be reached from a specific on-premises IP address. The company has established a Cloud VPN tunnel. What is the MOST secure way to ensure that only the migrated application's Compute Engine instances can initiate connections to the on-premises database?

A.Create a Cloud NAT and assign the application instances a static IP, then allow that IP in the on-premises firewall
B.Create a firewall egress rule with destination IP range of the on-premises database and source service account of the application instances
C.Create a firewall egress rule with destination IP range of the on-premises database and source tags 'db-access'
D.Use VPC Service Controls to create a perimeter around the application VPC
Answer: B

Using service accounts ensures only instances with that specific identity can access the database.

Why this answer

Using firewall rules with target service accounts allows you to control egress traffic based on the identity of the source instances, which is more secure than using tags or IP ranges.

70
MCQ · hard

A company with multiple projects must ensure that no data can be exfiltrated from a specific project's Cloud Storage buckets to unauthorized locations outside the organization. They also need to allow access only from a corporate VPN IP range. Which configuration meets these requirements?

A.Configure a VPC Service Controls perimeter with an access level restricted to the corporate VPN IP range.
B.Set firewall rules to block all traffic except from the VPN.
C.Use IAM conditions to restrict access based on IP address.
D.Use Cloud Armor with IP whitelisting.
Answer: A

Why this answer

VPC Service Controls create a service perimeter around the project, preventing data exfiltration by default. Access levels (based on IP ranges) can be used to allow access only from the corporate VPN.

71
MCQ · easy

A company wants to protect their web application hosted on Google Cloud HTTP(S) Load Balancer from common web attacks like SQL injection and cross-site scripting (XSS). Which GCP service should they use?

A.Identity-Aware Proxy (IAP)
B.Cloud CDN
C.VPC Service Controls
D.Cloud Armor
Answer: D

Cloud Armor offers WAF policies to protect against web attacks.

Why this answer

Cloud Armor provides WAF (Web Application Firewall) capabilities including preconfigured rules to block OWASP Top 10 attacks like SQL injection and XSS. IAP is for access control, not attack prevention. VPC Service Controls are for data exfiltration prevention.

Cloud CDN is for caching content.

72
MCQ · medium

A company wants to use their existing Active Directory for authentication to Google Cloud. They need to sync user and group identities to Cloud Identity and allow users to log in with their corporate credentials. Which two services should they use together?

A.Cloud Directory Sync and Workload Identity
B.Cloud Directory Sync and SAML SSO
C.SAML SSO and IAP
D.Cloud Identity and IAP
Answer: B

CDS syncs identities, and SAML SSO enables authentication with corporate credentials.

Why this answer

Cloud Directory Sync (CDS) syncs users and groups from LDAP/AD to Cloud Identity. SAML SSO allows users to authenticate using their corporate credentials. IAP is for application access, not directory sync.

Cloud Identity as a standalone does not sync automatically. Workload Identity is for Kubernetes.

73
MCQ · medium

A company wants to use its existing Active Directory credentials to authenticate users to the GCP Console. Which service should they integrate with?

A.Identity-Aware Proxy
B.Cloud Identity with SAML SSO
C.Cloud KMS
D.Cloud Directory Sync
Answer: B

Cloud Identity supports SAML SSO with AD as an identity provider for GCP Console access.

Why this answer

Cloud Identity can federate with Active Directory via SAML or OIDC, allowing users to sign in with their AD credentials.

74
MCQ · medium

A security engineer wants to configure Identity-Aware Proxy (IAP) for an HTTPS load-balanced application to enforce zero-trust access. Users will authenticate with their Google accounts. What is the minimum set of IAM roles needed for a user to access the application behind IAP?

A.roles/iam.serviceAccountUser
B.roles/iap.tunnelResourceAccessor
C.roles/iap.httpsResourceAccessor
D.roles/compute.viewer

Why this answer

To access an application protected by IAP, the user must have the IAP-secured Web App User role on the resource. This role grants permission to access via IAP.

75
MCQ · easy

A company uses Cloud Identity to manage users and wants to allow employees to authenticate to Google Cloud using their existing corporate Active Directory credentials. Which solution should they implement?

A.Cloud Directory Sync
B.Workload Identity Federation
C.IAM policies
D.Identity-Aware Proxy
Answer: A

Why this answer

Cloud Directory Sync synchronizes users and groups from on-premises AD to Cloud Identity, enabling SSO with existing credentials.
