Sample questions
Google Professional Cloud Security Engineer practice questions
Match each IAM role to its typical use case.
Full management of Compute Engine resources
Read-only access to Cloud Storage objects
Manage service accounts and keys
Manage Cloud KMS keys and key rings
Manage organization policies
Match each encryption scope to its description.
Data protected while traveling over networks
Data protected when stored on disk
Customer-supplied encryption keys for Google Cloud resources
Customer-managed encryption keys via Cloud KMS
Google-managed encryption keys for all data at rest
Match each CVE or security concept to its description.
Log4j remote code execution vulnerability
Heartbleed OpenSSL vulnerability
Apache Struts2 remote code execution
Windows CryptoAPI spoofing vulnerability
BlueKeep RDP remote code execution
Match each Google Cloud logging/monitoring term to its definition.
Routes logs to a destination (e.g., BigQuery, Pub/Sub)
Storage location for log entries
Counts log entries matching a filter
Records of admin and data access activities
Copies logs to Cloud Storage or BigQuery
Drag and drop the steps to rotate a customer-managed encryption key (CMEK) in Cloud KMS in the correct order.
Drag and drop the steps to configure a Cloud NAT for private VM instances in the correct order.
Drag and drop the steps to set up Cloud Armor with a WAF rule in the correct order.
Drag and drop the steps to configure a VPC Service Controls perimeter in the correct order.
Drag and drop the steps to set up Private Google Access for on-premises hosts using Private Service Connect in the correct order.
Drag and drop the steps to set up a binary authorization policy for a GKE cluster in the correct order.
A company is designing a CI/CD pipeline using Cloud Build. Security requirements mandate that the pipeline deploy only to projects that have been explicitly authorized. The security team wants to use a service account that can be assumed by Cloud Build to perform deployments, and they want to restrict which projects can be deployed to using organization policies. Which approach should they take?
- A
Use the organization policy constraint 'constraints/iam.serviceAccountKeyExpiryHours' to force key rotation.
Why wrong: This constraint is about key expiry, not project authorization.
- B
Use the organization policy constraint 'constraints/iam.allowedPolicyMemberDomains' and set it to only allow the service account's domain.
Why wrong: This constraint restricts which principals can be granted roles, not which projects a service account can be used in.
- C
Use the organization policy constraint 'constraints/compute.restrictCrossProjectNw' to limit network access.
Why wrong: This constraint is for network permissions, not service account usage.
- D
Use the organization policy constraint 'constraints/iam.workloadIdentityPoolProviders' to restrict which workload identity pools can be used.
Why wrong: This constraint is for workload identity federation, not for restricting service account usage across projects.
A company must implement data residency requirements that prohibit storing data outside the European Union. They are using Cloud Bigtable and need to ensure that backups are also stored within the EU. Which configuration should they choose?
- A
Create the Bigtable instance with multi-region placement in europe-west1 and europe-west4.
Why wrong: Both europe-west1 and europe-west4 are in the EU, but multi-region placement is not recommended for strict residency; a single region is safer.
- B
Create an instance in a dual-region configuration (e.g., europe-west1 and europe-west4) and use backup policies.
Why wrong: Dual-region is not a supported placement option for Bigtable; only single-region or multi-region are available.
- C
Use a single-region instance in europe-west1 with customer-managed encryption keys (CMEK) for backups.
Why wrong: CMEK does not affect data residency; backups are still stored in the same region.
- D
Create the Bigtable instance in a single EU region (e.g., europe-west1) and enable automatic backups.
Backups are stored in the same region as the instance, ensuring data stays in the EU.
A company wants to allow employees to access a web application running on Google Kubernetes Engine (GKE) using their corporate Active Directory credentials. The application is exposed via an HTTPS load balancer. The Security Engineer needs to integrate identity federation and ensure that only authenticated users can reach the application. Which combination of services should be used?
- A
Use Cloud Armor to allow only traffic from specific IP ranges and require client certificates.
Why wrong: Cloud Armor does not handle user authentication.
- B
Set up federation between Active Directory and Google Cloud using OIDC, and enable IAP on the load balancer.
IAP can authenticate users from an external OIDC provider.
- C
Enable IAP and configure it to use Active Directory as an identity provider.
Why wrong: IAP does not directly support Active Directory; federation is needed.
- D
Configure Cloud Identity as the identity provider and use IAP.
Why wrong: Cloud Identity does not integrate with Active Directory directly.
A security engineer is investigating an incident where an attacker gained access to a Compute Engine instance's serial console logs, which contained sensitive data. Which TWO actions should the engineer take to prevent this type of exposure in the future? (Choose TWO.)
- A
Use Cloud NAT for outbound traffic to anonymize instance IP addresses in serial console logs.
Why wrong: Cloud NAT does not affect serial console logs; it only changes outbound IP addresses for internet access.
- B
Enable Private Google Access on the VPC subnet to restrict serial console log access to internal IPs only.
Correct: Private Google Access ensures that serial console logs are not sent over the public internet, reducing exposure.
- C
Remove the roles/iam.serviceAccountUser role from all users to prevent them from accessing serial console.
Why wrong: The role for serial console access is not directly tied to service account user; this would break legitimate service account usage.
- D
Disable interactive serial console access for all instances that do not require it.
Correct: Prevents unauthorized interactive use but still allows logging; however, combined with other controls, it reduces risk.
- E
Enable OS Login for the project to enforce SSH key management and prevent serial console access.
Why wrong: OS Login manages SSH access but does not prevent serial console access or log exposure.
A company is deploying a multi-tier application on Google Cloud. The web tier must be accessible from the internet, while the application and database tiers must only be accessible from the web tier. The security team wants to use VPC firewall rules and Cloud NAT for outbound internet access from private instances. Which architecture meets these requirements with the least operational overhead?
- A
Use a single subnet for all tiers. Assign public IPs to all instances. Use firewall rules to restrict access between tiers. Use a proxy VM for outbound internet from app/db tiers.
Why wrong: Assigning public IPs to app/db is insecure, and a proxy VM adds complexity.
- B
Create separate VPCs for each tier. Use VPC peering to connect them. Use firewall rules to allow traffic. Use a bastion host for SSH access to app/db tiers.
Why wrong: Multiple VPCs increase complexity and management overhead.
- C
Place all tiers in the same VPC. Use firewall rules to restrict access. Assign public IPs to web tier instances and private IPs to app/db tiers. Configure Cloud NAT for app/db tiers.
Why wrong: Assigning public IPs to web tier is correct, but app/db tiers should not have public IPs; Cloud NAT is for outbound, not inbound.
- D
Place web tier in a public subnet with public IPs. Place app/db tiers in private subnets with no public IPs. Use firewall rules to allow traffic from web to app, and app to db. Configure Cloud NAT for private subnets.
This uses public subnets for web, private subnets for app/db, firewall rules for least privilege, and Cloud NAT for outbound access.
A security engineer is configuring Cloud Armor to protect a global external HTTP(S) Load Balancer. Which TWO of the following are valid Cloud Armor security policies? (Choose two.)
- A
Web Security Scanner scan rule
Why wrong: Web Security Scanner is a separate tool for scanning vulnerabilities.
- B
Signed URL policy
Why wrong: Signed URLs are a Cloud CDN feature for access control.
- C
Preconfigured Identity-Aware Proxy (IAP) rule
Why wrong: IAP is a separate feature, not a Cloud Armor security policy.
- D
Preconfigured OWASP Top 10 rules
Cloud Armor includes predefined WAF rules for OWASP vulnerabilities.
- E
Custom rule with rate limiting based on IP
Cloud Armor supports custom rules including rate limiting.
Which TWO actions should a security engineer take to protect sensitive data in Cloud Storage buckets from accidental public exposure? (Choose two.)
- A
Use Cloud Data Loss Prevention (DLP) to scan buckets for public access.
Why wrong: DLP does not prevent public access; it scans for sensitive data.
- B
Set the organization policy constraint 'iam.disableBucketPolicyOnlyGrantedByDefault' to enforce uniform bucket-level access across the organization.
Prevents public ACLs at the org level.
- C
Configure VPC Service Controls to restrict access to the buckets from within the VPC.
Why wrong: VPC-SC does not prevent public exposure; it restricts network paths.
- D
Enable uniform bucket-level access on all buckets to disable ACLs.
Uniform access ensures access is controlled only by IAM.
- E
Enable bucket lock on all buckets to prevent deletion of objects.
Why wrong: Bucket lock does not prevent public access.
A company must ensure that all Compute Engine instances use only approved images from a specific project. They want to enforce this using Organization Policy. Which constraint should they use?
- A
constraints/compute.restrictImageUsage
This constraint restricts which images can be used to create instances.
- B
constraints/compute.restrictAuthorizedDomains
Why wrong: This restricts domains for Cloud Storage.
- C
constraints/compute.trustedImageProjects
Why wrong: This is not a valid constraint name.
- D
constraints/compute.restrictFirewallRules
Why wrong: This restricts firewall rule creation.
A company is implementing a data retention policy for Cloud Storage buckets. They need to ensure that objects cannot be deleted before a specified retention period. Which THREE features can they use? (Choose THREE.)
- A
Retention Policy on the bucket.
Retention policies prevent deletion before the retention period ends.
- B
Lifecycle rules with a Delete action.
Why wrong: Lifecycle rules delete objects, not prevent deletion.
- C
Bucket Lock feature.
Bucket Lock locks the retention policy, making it immutable.
- D
Object holds (event-based or temporary).
Holds prevent deletion of objects.
- E
Object versioning.
Why wrong: Versioning keeps multiple versions but does not prevent deletion.
A financial services company is migrating its on-premises application to Google Cloud. The application needs to access a Cloud SQL instance and a Cloud Storage bucket. Security requirements mandate that the application must use short-lived credentials and avoid storing long-lived service account keys. The application runs on Compute Engine. What should the Security Engineer do to meet these requirements?
- A
Create a service account and use Workload Identity Federation to impersonate it.
Why wrong: Workload Identity Federation is for external identities, not needed for Compute Engine.
- B
Use Cloud Key Management Service to generate and rotate keys for the service account.
Why wrong: This still requires a long-lived key.
- C
Attach a service account to the Compute Engine instance with appropriate roles for Cloud SQL and Cloud Storage.
Compute Engine automatically obtains short-lived tokens via the metadata server.
- D
Create a service account key and store it in Cloud Secret Manager.
Why wrong: Service account keys are long-lived and violate the requirement.
A global e-commerce company must comply with GDPR and CCPA. They use BigQuery to store customer data and need to ensure that when a user requests data deletion, all copies are deleted within 30 days. Additionally, they want to minimize storage costs. Which TWO actions should they take?
- A
Use the DDL statement to drop the table after 30 days using a scheduled query.
Scheduled query to drop table after 30 days ensures data deletion while minimizing costs.
- B
Create a Cloud Function to export the data before deletion.
Why wrong: Export is not required and would keep data longer.
- C
Set a table retention policy of 30 days using ALTER TABLE SET OPTIONS.
Why wrong: A retention policy prevents deletion before expiration; it does not enforce deletion.
- D
Set the Time Travel window to 7 days and the Fail-safe storage window to 23 days.
This ensures data is recoverable for 30 days, after which it is automatically deleted, complying with the requirement.
- E
Use BigQuery continuous backups with a 30-day retention.
Why wrong: Continuous backups would increase storage costs unnecessarily.
An organization uses Cloud Audit Logs to monitor admin activity. The security team wants to be alerted when a user creates a new IAM role at the organization level. Which type of audit log should they analyze?
- A
Policy Denied audit logs
Why wrong: Policy Denied logs record access attempts denied by VPC Service Controls or IAP.
- B
System Event audit logs
Why wrong: System Event logs record non-human actions like automatic updates.
- C
Data Access audit logs
Why wrong: Data Access logs record reads/writes to resources, not admin actions.
- D
Admin Activity audit logs
Admin Activity logs record changes to metadata, configurations, and IAM policies.
A company is migrating its on-premises Microsoft Active Directory to Google Cloud using Managed Microsoft AD (Microsoft AD). They need to ensure that users can authenticate to Compute Engine Windows instances using their on-premises credentials without additional user setup. What is the most secure and scalable approach?
- A
Configure the Windows instances to join the on-premises AD domain directly via VPN.
Why wrong: Domain join alone does not manage authentication; users would still need to authenticate to on-premises DCs.
- B
Create a two-way trust between the Managed Microsoft AD domain and the on-premises AD domain.
A trust enables on-premises users to authenticate to resources in the cloud domain without duplicating identities.
- C
Synchronize on-premises users to Managed Microsoft AD using Google Cloud Directory Sync (GCDS).
Why wrong: GCDS syncs to Google Cloud Directory, not Managed Microsoft AD.
- D
Store on-premises user credentials in Cloud KMS and use a custom authentication script.
Why wrong: This approach is insecure and not scalable.
A security engineer needs to ensure that a Compute Engine VM can securely access Cloud Storage buckets without exposing a public IP address. The VM is in a VPC with Private Google Access enabled. What is the recommended approach?
- A
No additional configuration is needed; Private Google Access allows access to Cloud Storage from VMs without external IPs.
Correct: Private Google Access enables access to Google APIs via internal IPs.
- B
Deploy a Squid proxy in the same VPC and configure the VM to use it for all outbound traffic.
Why wrong: A proxy is unnecessary and adds complexity.
- C
Assign an external IP to the VM and configure a firewall rule to allow egress to 0.0.0.0/0.
Why wrong: Assigning external IP is not needed; it reduces security.
- D
Configure Cloud NAT and ensure the VM has a route to the internet.
Why wrong: Cloud NAT is for internet access, not Google API access.