CCNA Pca Security Compliance Questions

21 of 96 questions · Page 2/2 · Pca Security Compliance topic · Answers revealed

76
Multi-Select · medium

A company needs to allow a third-party auditor to view all Compute Engine resources in a project but not allow any modifications. The auditor must not have access to any other services. Which THREE steps should be taken?

Select 3 answers
A. Grant the 'Viewer' primitive role (roles/viewer)
B. Grant the 'Compute Viewer' role (roles/compute.viewer)
C. Ensure no other IAM roles are granted to the auditor
D. Assign the role at the project level
E. Assign the role at the resource (VM) level
Answers: B, C, D

Compute Viewer provides read-only access to Compute Engine resources.

Why this answer

The correct IAM role is Compute Viewer. To restrict access to only Compute Engine, do not grant other roles. The viewer role should be assigned at the project level to cover all Compute resources.

77
MCQ · hard

A company is deploying a multi-tenant SaaS application on GKE. Each tenant's data must be isolated at the network level. They want to use a single GKE cluster but ensure that pods from different tenants cannot communicate with each other. Which GCP feature should they use?

A. Istio service mesh
B. VPC Service Controls
C. Kubernetes Network Policies
D. GKE Sandbox
Answer: C

Network Policies can restrict pod-to-pod traffic based on labels and namespaces, providing tenant isolation.

Why this answer

Kubernetes Network Policies allow you to define rules for pod-to-pod communication within a cluster, enabling tenant isolation. GKE Sandbox provides stronger isolation at the kernel level but is not specifically for network isolation. VPC Service Controls are for Google Cloud services, not pod-level. Istio can also provide network control but is a more complex mesh.

78
MCQ · hard

A company uses Cloud KMS with CMEK to encrypt data stored in BigQuery. They need to audit who has used the encryption key and when. Which type of audit log should they enable?

A. Network Security audit logs
B. Admin Activity audit logs
C. System Event audit logs
D. Data Access audit logs
Answer: D

Data Access logs capture who accessed data or performed cryptographic operations using Cloud KMS keys.

Why this answer

Cloud KMS operations (e.g., encrypt, decrypt) are recorded in Data Access audit logs. Admin Activity logs record configuration changes, not data access.

79
Multi-Select · medium

A company wants to implement a zero-trust access model for internal web applications running on Compute Engine. They need to authenticate users using corporate credentials and enforce context-aware access based on device posture and IP address. Which TWO services should they use?

Select 2 answers
A. VPC Service Controls
B. Cloud VPN
C. Cloud Identity
D. Cloud Armor
E. Identity-Aware Proxy (IAP)
Answers: C, E

Cloud Identity provides corporate identity management and SSO.

Why this answer

Identity-Aware Proxy (IAP) provides context-aware access control and integrates with Cloud Identity for authentication. Device posture and IP can be assessed via Access Context Manager (part of VPC Service Controls) or IAP's own context conditions.

80
Multi-Select · hard

An organization needs to comply with FedRAMP requirements and restrict data storage to specific regions. They also need to audit all admin activities and data access. Which three components should they implement? (Choose three.)

Select 3 answers
A. VPC Service Controls
B. Data Access audit logs
C. Cloud Armor
D. Admin Activity audit logs
E. Assured Workloads
Answers: B, D, E

Why this answer

Assured Workloads enforces compliance controls (e.g., region restrictions). Admin Activity audit logs capture administrative actions, and Data Access audit logs capture data reads/writes for compliance.

81
MCQ · medium

A company wants to enforce that all secrets used by applications running on Compute Engine are rotated automatically every 30 days. Which GCP service should they use to store and manage these secrets?

A. Cloud Key Management Service with CMEK
B. Secret Manager
C. Environment variables
D. Cloud KMS
Answer: B

Why this answer

Secret Manager supports automatic rotation of secrets based on a specified schedule, and applications can access the latest version without redeployment.

82
MCQ · easy

Which Google Cloud service allows organizations to define perimeters that protect resources and data from exfiltration to other VPCs or networks?

A. Private Service Connect
B. Identity-Aware Proxy (IAP)
C. Cloud Armor
D. VPC Service Controls
Answer: D

VPC Service Controls create service perimeters to protect data from exfiltration.

Why this answer

VPC Service Controls allow you to define service perimeters that restrict access to managed services from outside the perimeter, preventing data exfiltration.

83
MCQ · medium

A security admin wants to audit all 'create' and 'delete' operations on Compute Engine instances in a project for the last 90 days. Which type of audit log should they query?

A. Data Access audit logs
B. Admin Activity audit logs
C. System Event audit logs
D. Policy Denied audit logs
Answer: B

Admin Activity logs capture administrative actions like create and delete.

Why this answer

Admin Activity audit logs record all API calls that modify configuration or metadata of resources. They are retained for 400 days by default.

84
MCQ · medium

A company needs to protect an HTTPS load-balanced web application from OWASP Top 10 attacks, including SQL injection and cross-site scripting. Which GCP service should they enable?

A. Cloud NAT
B. Cloud CDN
C. Identity-Aware Proxy
D. Cloud Armor
Answer: D

Why this answer

Cloud Armor provides WAF capabilities that can be attached to HTTPS Load Balancers to filter requests based on OWASP signatures.

85
MCQ · hard

A financial services company runs workloads on GKE and wants to ensure only container images that have been approved by the security team can be deployed. The approval process involves signing images after vulnerability scanning. Which GCP service should be integrated with GKE to enforce this policy?

A. Cloud Key Management Service (Cloud KMS)
B. Cloud Build
C. Artifact Registry
D. Binary Authorization
Answer: D

Binary Authorization allows only signed images from approved authorities to be deployed.

Why this answer

Binary Authorization enforces that only signed container images from trusted authorities can be deployed on GKE. It integrates with Cloud KMS for signing and can be configured with attestors.

86
MCQ · hard

An organization needs to comply with FedRAMP High requirements and wants to run workloads in a GCP region that supports these controls. They also need to restrict data movement to only approved services. Which GCP feature should they use?

A. Cloud HSM
B. Assured Workloads
C. Data Access Audit Logging
D. VPC Service Controls
Answer: B

Assured Workloads enables FedRAMP High and ITAR compliance with region and service restrictions.

Why this answer

Assured Workloads provides compliance controls including FedRAMP, and allows creating a folder with specific regulatory requirements. VPC Service Controls can be used within that folder to restrict data movement.

87
Multi-Select · medium

A company wants to protect a web application from SQL injection and cross-site scripting (XSS) attacks. They also need to block traffic from specific geographic regions. Which three features of Cloud Armor should they use? (Choose THREE.)

Select 3 answers
A. Rate limiting
B. WAF rules
C. Geographic restrictions
D. Cloud CDN
E. Adaptive Protection
Answers: A, B, C

Rate limiting can mitigate DDoS attacks by limiting request rates.

Why this answer

WAF rules (preconfigured rules for SQLi, XSS), rate limiting (optional), and geographic restrictions (geo-based access control) are all features of Cloud Armor.

88
MCQ · medium

An organization requires that all container images deployed to GKE be signed and verified before deployment. Which GCP service should be used?

A. Container Registry vulnerability scanning
B. Binary Authorization
C. Cloud Build
D. Artifact Registry
Answer: B

Binary Authorization enforces attestation-based policies for deploying only signed container images.

Why this answer

Binary Authorization enforces deployment policies that require images to be signed by trusted authorities (e.g., using Cloud KMS) and verified before being deployed to GKE.

89
Multi-Select · medium

A company wants to enforce that only approved container images can be deployed to GKE. They also want to ensure images are scanned for vulnerabilities before deployment. Which two GCP services should they use? (Choose TWO.)

Select 2 answers
A. Container Analysis API
B. Cloud Security Command Center
C. Container Registry vulnerability scanning
D. Cloud Build
E. Binary Authorization
Answers: A, E

Container Analysis provides vulnerability scanning and can be integrated with Binary Authorization.

Why this answer

Binary Authorization enforces deployment policies based on image signatures. Container Analysis (or vulnerability scanning) identifies vulnerabilities in images.

90
MCQ · easy

A company wants to control which resources can be accessed by a service account in a specific project. Which IAM policy binding approach should be used?

A. Use VPC Service Controls to restrict the service account
B. Grant the service account a role at the project or resource level
C. Add the service account to a Cloud Identity group and grant the group a role
D. Grant the service account a role at the organization level
Answer: B

IAM roles at the project or resource level restrict access to that scope.

Why this answer

IAM roles are bound to members (including service accounts) at the resource, project, folder, or organization level. The correct approach is to grant the service account an IAM role at the project or resource level.

91
MCQ · easy

A developer needs to grant a Compute Engine instance the ability to read from a Cloud Storage bucket. The instance does not have a service account attached. What should the developer do?

A. Create a service account and assign it the Storage Object Viewer role, then attach the service account to the instance.
B. Add the instance's external IP to the bucket permissions.
C. Generate a JSON key for a user account and store it on the instance.
D. Create a firewall rule to allow access to Cloud Storage.
Answer: A

This is the recommended approach.

Why this answer

The best practice is to create a service account with the required roles (e.g., Storage Object Viewer) and attach it to the instance. This avoids managing keys and follows IAM best practices.

92
MCQ · medium

A security engineer wants to ensure that all admin activity in their GCP organization is logged and retained for 3 years. They also need to be alerted if a new firewall rule is created. Which logs should they enable?

A. Data Access audit logs
B. Admin Activity audit logs
C. VPC flow logs
D. Cloud DNS logging
Answer: B

Admin Activity logs capture all create/modify/delete actions on resources like firewall rules.

Why this answer

Admin Activity audit logs record all API calls that modify configuration or metadata, such as creating firewall rules. Data Access audit logs record reads/writes to data, not admin actions. VPC flow logs record network traffic, not admin actions. Cloud DNS logging records DNS queries.

93
MCQ · medium

A company needs to ensure that only approved container images can be deployed to a GKE cluster. They already use Binary Authorization. What additional step is required to enforce this policy?

A. Configure a VPC Service Perimeter
B. Enable Container Registry vulnerability scanning
C. Create an attestor and attach it to a Binary Authorization policy
D. Assign the container.deployer role to the GKE service account
Answer: C

An attestor validates image signatures; the policy enforces that only attested images can be deployed.

Why this answer

Binary Authorization requires an attestor that verifies image signatures. The attestor must be created and attached to a policy that requires at least one attestation.

94
MCQ · hard

An organization needs to store secrets used by multiple GCP services. They require automatic rotation of secrets every 30 days and integration with Cloud Functions. Which service should they use?

A. Cloud HSM
B. Cloud KMS
C. Cloud Asset Inventory
D. Secret Manager
Answer: D

Secret Manager is designed for storing secrets and supports rotation policies.

Why this answer

Secret Manager supports automatic rotation (via rotation period and next rotation time) and integrates with Cloud Functions via the API client libraries.

95
MCQ · hard

A company uses Cloud Key Management Service (Cloud KMS) with a customer-managed encryption key (CMEK) to encrypt data in BigQuery. They want to ensure the key can only be used by the BigQuery service account in the 'us-central1' region. Which IAM condition should be added to the key's IAM policy?

A. resource.name.startsWith('projects/_/locations/us-central1') && request.auth.principal == 'bigquery@system.gserviceaccount.com'
B. resource.name.startsWith('projects/_/locations/global') && request.auth.principal == 'bigquery@system.gserviceaccount.com'
C. resource.name.startsWith('projects/_/locations/us-central1') && request.auth.principalSet == 'serviceAccount:bq-<project-number>@bigquery-encryption.iam.gserviceaccount.com'
D. resource.service == 'bigquery.googleapis.com' && resource.location == 'us-central1'
Answer: C

This condition restricts the key to the us-central1 location and the BigQuery encryption service account.

Why this answer

IAM conditions allow restricting access based on attributes like region and service account. The condition must check the 'destination_service' for BigQuery and the 'region' for us-central1.

96
MCQ · hard

A company wants to allow a Kubernetes pod in GKE to access a Cloud Storage bucket using the pod's own identity, without managing long-lived credentials. They have created a Google service account (GSA) and a Kubernetes service account (KSA). What should they do to bind the KSA to the GSA?

A. Create a service account key and mount it as a secret in the pod
B. Add an annotation to the KSA referencing the GSA, and grant the KSA the iam.workloadIdentityUser role on the GSA
C. Grant the GSA the roles/iam.serviceAccountUser role on the project
D. Add an annotation to the GSA referencing the KSA, and grant the KSA the iam.workloadIdentityUser role on the GSA
Answer: B

This is the correct configuration for Workload Identity: annotate the KSA with the GSA email, and grant the KSA the workload identity user role on the GSA.

Why this answer

Workload Identity allows you to configure a KSA to act as a GSA by adding an annotation to the KSA and granting the GSA the necessary IAM role. The GSA does not impersonate the KSA; the KSA impersonates the GSA. The annotation is set on the KSA, not the pod. The GSA does not need to be bound to the KSA via an IAM role on the KSA.
