Google Professional Cloud Security Engineer (PCSE) — Questions 175

500 questions total · 7 pages · All types, answers revealed

Page 1 of 7

Question 1 (MCQ, easy)

A company wants to use Cloud Armor to block traffic from specific countries to comply with data sovereignty requirements. They have a global HTTP Load Balancer configured. Where should they configure the Cloud Armor policy?

A. Attach to the VPC network that hosts the load balancer.
B. Attach to the backend service of the load balancer.
C. Configure as an Organization Policy constraint.
D. Configure as a firewall rule in the VPC network.
Answer: B

Cloud Armor policies are applied to backend services.

Why this answer

Cloud Armor policies must be attached to a backend service (or backend bucket) of a global HTTP(S) Load Balancer to filter traffic at the edge. This allows the policy to evaluate incoming requests based on geographic location before they reach the backend, enforcing data sovereignty rules without modifying VPC networking or firewall rules.

Exam trap

Google Cloud often tests the misconception that Cloud Armor is a VPC-level firewall feature, leading candidates to choose VPC firewall rules or network-level attachments, when in fact it is a load balancer backend service security policy that operates at the application layer on Google's global edge.

How to eliminate wrong answers

Option A is wrong because Cloud Armor policies are not attached to VPC networks; they are applied to load balancer backend services or backend buckets, not to the underlying network infrastructure. Option C is wrong because Organization Policy constraints are used for governance controls (e.g., restricting resource locations) and cannot filter traffic by country at the application layer. Option D is wrong because firewall rules operate at the network layer (IP/port) within a VPC and cannot inspect HTTP request attributes like geographic origin; Cloud Armor uses Google's global edge infrastructure for geolocation-based filtering.

Question 2 (MCQ, easy)

Refer to the exhibit. A user tries to create a Compute Engine instance using a custom image from another project. What is the most likely cause of the error?

A. The user does not have permission to use images from the other project.
B. The image family does not exist in the specified project.
C. The user specified the wrong project ID.
D. The image family name is misspelled.
Answer: B

The error message directly indicates that the image family does not exist in the project.

Why this answer

Option B is correct. The error message explicitly states that the image family does not exist in the specified project. Option A is possible in general, but the error specifically says the image family does not exist; a missing permission would produce a permission denied error, not this error.

Option C is incorrect because the project ID is specified in the image path; if it were wrong, the error would indicate an invalid project.

Question 3 (MCQ, hard)

During an incident, a security engineer finds this audit log entry. What action was taken and by whom?

A. A user modified instance 'instance-1'.
B. A user created an instance named 'instance-1'.
C. A user stopped instance 'instance-1'.
D. A user deleted an instance named 'instance-1'.
Answer: D

methodName is delete and principal is admin@example.com.

Why this answer

Option D is correct because methodName is 'v1.compute.instances.delete', indicating a delete operation, and the principal is admin@example.com. Option A is incorrect because the method is delete, not an update (modify). Option B is incorrect because the method is delete, not create.

Option C is incorrect because the method is delete, not stop.

Question 4 (Multi-Select, hard)

A healthcare organization is migrating to Google Cloud and needs to achieve HIPAA compliance. Which THREE actions are required to meet HIPAA requirements on GCP? (Choose THREE.)

Select 3 answers
A. Enable Cloud Audit Logs for all services handling ePHI
B. Enable VPC Flow Logs for all subnets
C. Sign a Business Associate Agreement (BAA) with Google Cloud
D. Use Customer-Managed Encryption Keys (CMEK) for Cloud Storage, BigQuery, and other services
E. Use Cloud NAT for outbound internet access
Answers: A, C, D

HIPAA requires audit controls to record access to ePHI; Cloud Audit Logs meet this requirement.

Why this answer

Option A is correct because enabling Cloud Audit Logs for all services handling ePHI is a direct requirement under HIPAA's Security Rule (45 CFR § 164.312(b)), which mandates audit controls to record and examine activity in systems that contain or use electronic protected health information. Cloud Audit Logs provide immutable, tamper-evident logs of admin activities, data access, and system events, which are essential for demonstrating compliance during audits or breach investigations. Without these logs, the organization cannot meet the audit control standard for ePHI environments on GCP.

Exam trap

Google Cloud often tests the distinction between mandatory HIPAA requirements (audit logs, BAA, encryption) and optional or unrelated networking features (VPC Flow Logs, Cloud NAT), leading candidates to mistakenly select VPC Flow Logs as an audit control when it only provides network telemetry, not access logging for ePHI.

Question 5 (MCQ, medium)

A company stores sensitive customer data in Cloud Storage and uses CMEK with Cloud KMS. They want to ensure that data in transit to the storage bucket is always encrypted using TLS 1.2 or higher. Which configuration should they implement?

A. Use Cloud Armor to enforce HTTPS with a TLS 1.2 minimum.
B. Set the bucket's 'requireTls' transport security setting to 'true' in the bucket's IAM policy.
C. Configure the bucket to use CMEK with a key from Cloud HSM.
D. Add a bucket policy that denies requests with 'sslEnabled' set to 'false'.
Answer: B

This enforces TLS 1.2+ for all requests to the bucket.

Why this answer

Option B is correct because setting the bucket's 'requireTls' transport security setting to 'true' in the bucket's IAM policy enforces that all requests to the bucket must use TLS 1.2 or higher. This is a bucket-level policy condition that directly controls the encryption of data in transit, ensuring that any HTTP request without TLS 1.2+ is denied.

Exam trap

Google Cloud often tests the distinction between data-at-rest encryption (CMEK, CSEK) and data-in-transit encryption (TLS), leading candidates to incorrectly choose CMEK or HSM options when the question explicitly asks about transit security.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall and DDoS protection service that operates at the HTTP(S) load balancer level, not at the Cloud Storage bucket level, and it cannot enforce transport encryption directly on storage bucket requests. Option C is wrong because CMEK with Cloud HSM encrypts data at rest using customer-managed keys, not data in transit; it does not enforce TLS version requirements. Option D is wrong because there is no 'sslEnabled' condition in Cloud Storage IAM policies; the correct condition is 'requireTls' in the bucket's transport security settings, not a deny policy with a non-existent attribute.

Question 6 (Multi-Select, medium)

A company is implementing data loss prevention (DLP) for BigQuery. Which THREE capabilities are provided by Cloud DLP? (Choose THREE.)

Select 3 answers
A. Redacting sensitive data in query results.
B. Auditing all queries that access sensitive columns.
C. Classifying data using built-in infoTypes.
D. Encrypting entire tables with customer-managed keys.
E. De-identifying data using masking, tokenization, or pseudonymization.
Answers: A, C, E

DLP can redact sensitive data in real-time during queries.

Why this answer

Option A is correct because Cloud DLP can inspect and redact sensitive data directly in BigQuery query results. When you configure a DLP job or use the DLP API with BigQuery, you can specify infoTypes to detect and then redact matching values before returning the results to the user, preventing exposure of sensitive information like credit card numbers or PII.

Exam trap

Google Cloud often tests the distinction between DLP's de-identification capabilities and BigQuery's native encryption or auditing features, so candidates mistakenly select options like auditing or CMEK because they associate them with data protection, but DLP does not handle those functions.

Question 7 (MCQ, hard)

A company is migrating a legacy on-premises application to Google Compute Engine. The application requires a static IP address for compliance with a regulatory requirement that outbound connections to a partner's IP whitelist must originate from a known, fixed IP. The application will run in a managed instance group (MIG) for high availability. Which of the following solutions meets the compliance requirement?

A. Configure VPC Service Controls to allow egress only from a specific IP range.
B. Use a regional external HTTPS load balancer with a static IP address and configure the MIG to route outbound traffic through the load balancer.
C. Assign static external IP addresses to each instance in the MIG and configure the partner firewall accordingly.
D. Use Cloud NAT with a static NAT IP address for all egress traffic from the instances.
Answer: B

The load balancer's static IP is used for outbound traffic, providing a fixed source IP.

Why this answer

Option B is correct because a regional external HTTPS load balancer with a static IP address can be used as a forward proxy for outbound traffic. By configuring the managed instance group (MIG) to route all egress traffic through the load balancer, all outbound connections will originate from the load balancer's static IP, meeting the compliance requirement for a known, fixed source IP. This approach ensures high availability through the MIG while maintaining a single static IP for partner whitelisting.

Exam trap

Google Cloud often tests the misconception that Cloud NAT alone is sufficient for static egress IPs, but the question's requirement for high availability via a MIG and the specific mention of a load balancer in the correct answer highlight that Cloud NAT does not route traffic through a load balancer, making it incompatible with the described architecture.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls are designed to restrict data exfiltration from Google Cloud services (e.g., BigQuery, Cloud Storage) by defining perimeters, not to control egress IP addresses for general compute instances; they do not provide a static IP for outbound connections. Option C is wrong because assigning static external IPs to each instance in a MIG would require the partner to whitelist multiple IPs, which violates the requirement for a single known, fixed IP and adds management complexity; also, MIG autoscaling could change the number of instances, making IP whitelisting impractical. Option D is wrong because Cloud NAT with a static NAT IP provides a fixed source IP for outbound traffic, but it is designed for instances without external IPs and does not inherently integrate with a load balancer for outbound routing; the question specifies using a load balancer for high availability, and Cloud NAT alone does not satisfy the requirement to route traffic through a load balancer.

Question 8 (Multi-Select, medium)

Which THREE of the following are recommended practices for managing secrets in Google Cloud?

Select 3 answers
A. Enable automatic secret rotation and use short-lived secrets.
B. Use Cloud Secret Manager to store and access secrets programmatically.
C. Store encrypted secrets in Cloud Storage buckets with uniform bucket-level access.
D. Embed secrets as environment variables in source code during deployment.
E. Grant access to secrets using IAM roles (e.g., Secret Manager Secret Accessor).
Answers: A, B, E

Reduces risk if a secret is compromised.

Why this answer

Options A, B, and E are correct: use Secret Manager to store and access secrets programmatically, grant access through IAM roles such as Secret Manager Secret Accessor, and keep secrets short-lived with automatic rotation. Option C is incorrect because storing secrets in Cloud Storage, even encrypted, is less secure than Secret Manager.

Option D is incorrect because embedding secrets in source code is dangerous.

Question 9 (MCQ, hard)

A financial services company needs to inspect all inbound and outbound packets from a subnet containing highly sensitive data for compliance. They have enabled VPC Flow Logs on that subnet, which record metadata such as source and destination IP, ports, and protocol. However, the security team requires the actual packet payload to perform deep packet inspection (DPI) for malicious patterns. They want to capture the packets without disrupting network traffic. Which additional configuration should be implemented to meet this requirement?

A. Configure Cloud Armor to log all HTTP requests with full request body.
B. Enable VPC Flow Logs with metadata capture set to 'include payload'.
C. Enable Packet Mirroring on a Compute Engine instance in the subnet to mirror all packets to a collector instance.
D. Enable Cloud NAT logging to capture all outbound traffic payloads.
Answer: C

Packet Mirroring captures full packet payloads without affecting live traffic.

Why this answer

Option C is correct because Packet Mirroring clones all packets (including payload) from a source instance in the subnet and forwards them to a collector instance for deep packet inspection, without disrupting the original traffic flow. VPC Flow Logs only capture metadata (headers, timestamps) and cannot include payload content, making Packet Mirroring the only solution that meets the requirement for actual packet payload capture.

Exam trap

Google Cloud often tests the distinction between metadata logging (VPC Flow Logs) and full packet capture (Packet Mirroring), and the trap here is assuming VPC Flow Logs can be configured to include payloads, which is technically impossible in GCP.

How to eliminate wrong answers

Option A is wrong because Cloud Armor only inspects and logs HTTP/HTTPS traffic at the edge, not all inbound/outbound packets from the subnet, and it cannot capture payloads for non-HTTP protocols or for traffic that does not pass through the Cloud Armor proxy. Option B is wrong because VPC Flow Logs do not support a 'include payload' setting; they are limited to metadata such as IP addresses, ports, and protocol numbers, and never capture packet payloads. Option D is wrong because Cloud NAT logging only records metadata about outbound connections (source/destination IPs, ports) and does not capture packet payloads; it is designed for connection tracking, not deep packet inspection.

Question 10 (Drag & Drop, medium)

Drag and drop the steps to set up a Cloud VPN with a static route in the correct order.


Why this order

Cloud VPN setup requires gateway creation, Cloud Router, tunnel configuration, route addition, and connectivity testing.

Question 11 (Multi-Select, hard)

A company is implementing a data retention policy for Cloud Storage buckets. They need to ensure that objects cannot be deleted before a specified retention period. Which THREE features can they use? (Choose THREE.)

Select 3 answers
A. Retention Policy on the bucket.
B. Lifecycle rules with a Delete action.
C. Bucket Lock feature.
D. Object holds (event-based or temporary).
E. Object versioning.
Answers: A, C, D

Retention policies prevent deletion before the retention period ends.

Why this answer

A is correct because a Retention Policy on a Cloud Storage bucket enforces a minimum retention period for all objects in the bucket. Once set, objects cannot be deleted or overwritten until the retention period expires, directly meeting the requirement to prevent deletion before a specified time.

Exam trap

Google Cloud often tests the distinction between features that prevent deletion (Retention Policy, Bucket Lock, Object holds) versus features that manage deletion (Lifecycle rules) or provide recovery after deletion (Object versioning), leading candidates to confuse lifecycle rules with retention controls.

Question 12 (MCQ, hard)

Your organization uses Cloud CDN to distribute static content. Recently, users in a specific geographic region are experiencing high latency. What is the most likely cause?

A. The CDN cache has been purged for that region
B. The origin server is unhealthy
C. There is no CDN edge node in that region
D. The DNS resolution is failing for that region
Answer: C

Without a local edge, requests are routed to the nearest available edge or origin, increasing latency.

Why this answer

If there is no CDN edge node in that region, traffic must travel directly to the origin, increasing latency.

Question 13 (MCQ, hard)

A company has a VPC network named 'production' with subnets in us-central1 and europe-west1. They have on-premises data centers in New York and London connected via two HA VPN gateways to the respective regions. The on-premises networks use BGP with Cloud Routers in each region. The company also has a Shared VPC with service projects. Recently, they migrated a critical application to Google Cloud, which runs on Compute Engine instances in the europe-west1 subnet. The application needs to communicate with an on-premises database in London reachable via the London VPN. After the migration, the application fails to connect to the database. The Cloud Router in europe-west1 shows that it is receiving the on-premises routes. The instance has a default route to the internet via Cloud NAT. The firewall rules allow all traffic from the instance to the on-premises IP range. What is the most likely cause of the connectivity issue?

A. The on-premises firewall is blocking traffic from the Google Cloud IP ranges.
B. The Cloud NAT is incorrectly configured and blocking traffic to on-premises IP ranges.
C. The Shared VPC configuration prevents service project instances from using VPC routes.
D. The Cloud Router in europe-west1 has dynamic route import from BGP disabled.
Answer: D

Correct: without dynamic route import, learned BGP routes are not added to the VPC route table.

Why this answer

The Cloud Router in europe-west1 is receiving the on-premises routes via BGP, but if dynamic route import from BGP is disabled, those routes are not installed into the VPC route table. Without the specific route for the London on-premises database subnet, traffic from the Compute Engine instance will not be forwarded to the VPN tunnel, causing the connection failure. The default route via Cloud NAT only handles internet-bound traffic, not traffic destined for on-premises IP ranges.

Exam trap

Google Cloud often tests the distinction between BGP session establishment (routes received) and route installation (routes imported into the VPC route table), leading candidates to assume that receiving BGP routes automatically means they are usable for forwarding.

How to eliminate wrong answers

Option A is wrong because the on-premises firewall blocking Google Cloud IP ranges would cause a symmetric issue, but the problem is that traffic never reaches the on-premises network due to missing routes in the VPC. Option B is wrong because Cloud NAT is used for outbound internet access and does not affect traffic destined for on-premises IP ranges; it only translates private IPs to public IPs for internet-bound packets. Option C is wrong because Shared VPC does not prevent service project instances from using VPC routes; service project instances can use routes from the host project as long as they are in the same VPC network, and the route import issue is independent of Shared VPC.

Question 14 (Multi-Select, hard)

A security engineer is designing a solution to monitor and detect anomalous IAM role usage across multiple Google Cloud projects. The engineer wants to create a centralized logging solution that captures all IAM policy changes and access attempts. Which THREE services should the engineer use together to achieve this?

Select 3 answers
A. BigQuery
B. Cloud Logging
C. Cloud Audit Logs
D. Cloud Monitoring
E. Cloud Functions
Answers: A, B, C

Used to store and analyze logs forwarded from Cloud Logging via log sinks.

Why this answer

BigQuery is correct because it serves as the centralized analytics destination for Cloud Audit Logs, enabling the security engineer to run SQL queries across IAM policy changes and access attempts from multiple Google Cloud projects. By exporting audit logs to BigQuery, you can perform complex aggregations and anomaly detection at scale, which is essential for monitoring IAM role usage across a fleet of projects.

Exam trap

Google Cloud often tests the distinction between logging/audit services (Cloud Logging, Cloud Audit Logs, BigQuery) and monitoring/alerting services (Cloud Monitoring), so candidates mistakenly choose Cloud Monitoring for log analysis when it is only for metrics and dashboards.

Question 15 (MCQ, hard)

A DevOps team wants to centralize logging and monitoring for a GKE cluster that runs hundreds of microservices. They need to view logs, metrics, and traces in a single dashboard. Which approach should they use?

A. Use Stackdriver Logging and Stackdriver Monitoring
B. Use a third-party SIEM tool like Splunk or Elastic
C. Deploy Prometheus and Grafana on the cluster
D. Enable Cloud Logging and Cloud Monitoring for the GKE cluster
Answer: D

Cloud Logging and Cloud Monitoring provide native integration, automatic metrics, log collection, and trace capabilities for GKE.

Why this answer

Option D is correct because Cloud Logging and Cloud Monitoring natively integrate with GKE and provide logs, metrics, and traces in a unified dashboard. Option A is wrong because Stackdriver Logging and Monitoring are the former names of Cloud Logging and Monitoring; they are the same service, but the answer refers to outdated names. Option C is wrong because Prometheus requires manual setup and does not provide native GKE integration for all signals.

Option B is wrong because third-party tools add complexity and may not integrate as seamlessly.

Question 16 (Drag & Drop, medium)

Drag and drop the steps to set up a binary authorization policy for a GKE cluster in the correct order.


Why this order

Binary Authorization requires authority creation, attestor setup, policy creation, cluster enablement, and testing.

Question 17 (MCQ, hard)

Refer to the exhibit. An organization has the above IAM policy on a project. The user user@example.com is trying to view a list of objects in a bucket from IP address 10.1.1.1. What will be the result?

A. The user cannot list objects because the condition is evaluated as false.
B. The user cannot list objects because IAM conditions do not support IP-based restrictions.
C. The user can list objects because they have inherited roles/storage.admin permissions from the admin.
D. The user can list objects because the condition is satisfied.
Answer: D

The source IP is in the allowed range, so the role is granted.

Why this answer

Option D is correct because the IAM policy grants the `storage.objects.list` permission to `user@example.com` with a condition that requires the request to come from an IP address within the `10.0.0.0/8` range. Since the user is accessing from `10.1.1.1`, which falls within that CIDR block, the condition evaluates to true, allowing the list operation.

Exam trap

Google Cloud often tests the misconception that IAM conditions cannot restrict by IP address, or that a condition that appears to be a deny will automatically block access, when in fact the condition must be evaluated against the actual request context.

How to eliminate wrong answers

Option A is wrong because the condition is actually satisfied (10.1.1.1 is within 10.0.0.0/8), so it evaluates as true, not false. Option B is wrong because IAM conditions do support IP-based restrictions using the `aws:SourceIp` condition key (or in GCP, `gcp:sourceIp`), contrary to the claim. Option C is wrong because the user is not inheriting permissions from an admin role; the policy explicitly grants `storage.objectViewer` (or equivalent) to the user directly, not via inheritance.

Question 18 (MCQ, easy)

A security engineer is troubleshooting an issue where a Compute Engine VM cannot connect to a Cloud SQL instance that has a private IP address. Both resources are in the same VPC network. The VM's firewall rules allow egress to any destination, and the Cloud SQL instance's authorized networks include the VPC network. What is the most likely cause of the connection failure?

A. Private Google Access is not enabled on the subnet.
B. The VM's firewall rules block traffic to the Cloud SQL IP range.
C. The VPC network does not have a private services access connection (VPC peering) to the Service Networking API.
D. The Cloud SQL instance requires the Cloud SQL Auth proxy to be installed on the VM.
Answer: C

Private services access requires a VPC peering connection to route traffic to Google-managed services like Cloud SQL.

Why this answer

Cloud SQL instances with private IP addresses require a private services access connection (VPC peering) between the VPC network and the Service Networking API's managed tenant project. Without this VPC peering, the VM cannot route traffic to the Cloud SQL instance's private IP, even if both are in the same VPC network. Option C directly identifies this missing prerequisite.

Exam trap

Google Cloud often tests the misconception that being in the same VPC network guarantees Layer 3 connectivity, but private Cloud SQL instances require an explicit VPC peering to the Service Networking API, which is a separate configuration step.

How to eliminate wrong answers

Option A is wrong because Private Google Access enables VMs without external IPs to reach Google APIs and services (like Cloud Storage) via the default internet gateway, but it is not required for VPC-internal traffic to a Cloud SQL private IP. Option B is wrong because the VM's firewall rules allow egress to any destination, so they do not block traffic to the Cloud SQL IP range; the issue is at the routing/peering layer, not firewall. Option D is wrong because the Cloud SQL Auth proxy is an optional tool for encrypting connections and managing IAM-based authentication, but it is not required for connectivity when using a private IP within the same VPC; the proxy is typically used for public IP connections or to avoid managing SSL certificates.

Question 19 (MCQ, hard)

A large enterprise is using Cloud Data Loss Prevention (DLP) to inspect a Cloud Storage bucket containing millions of files for sensitive data like credit card numbers and health information. The DLP inspection job is configured to scan the entire bucket with a schedule. Recently, the job has been failing with a 'Quota exceeded' error for the DLP inspect requests quota. The team needs to continue inspecting all files without increasing the quota limit, as the quota increase request would take weeks. They cannot skip any files due to compliance requirements. What should they do to work around the quota limit while inspecting all files?

A. Switch from file store inspection to content inspection (items) and send each file individually via the API to bypass the file-level quota.
B. Create de-identification templates to automatically redact the found sensitive data, which reduces the need for inspection.
C. Submit a quota increase request and pause the inspection job until the increase is approved.
D. Reconfigure the DLP job to use a smaller sampling size (e.g., 'bytesLimitPerFile' or 'filesLimitPercent') to stay within quota limits, and schedule more frequent runs to cover all files over time.
Answer: D

Sampling reduces per-job usage, and more frequent runs ensure eventual full coverage within quota.

Why this answer

Option D is correct because by reducing the per-job scan volume (e.g., via 'bytesLimitPerFile' or 'filesLimitPercent'), the job stays within the DLP inspect requests quota while still covering all files over multiple scheduled runs. This approach respects the quota ceiling without skipping any files, as the sampling is applied per job execution, not per file permanently. The team can increase the job frequency to ensure the entire bucket is eventually inspected, meeting compliance requirements.

Exam trap

Google Cloud often tests the misconception that reducing per-job sampling means permanently skipping files, but the key is that sampling is per execution, and multiple runs over time can cover all files without exceeding quota.

How to eliminate wrong answers

Option A is wrong because switching to content inspection (items) and sending each file individually via the API would still consume the same or more inspect requests quota per file, and the quota limit applies to API calls as well, not just file store inspection jobs. Option B is wrong because creating de-identification templates does not reduce the need for inspection; de-identification occurs after inspection, and the quota issue is about the inspection step itself, not redaction. Option C is wrong because submitting a quota increase request and pausing the job would leave files uninspected during the weeks-long wait, violating the requirement to continue inspecting all files without skipping any.

Question 20 (MCQ, hard)

Refer to the exhibit. A Security Engineer runs the command to grant Alice access to view objects in a Cloud Storage bucket. Later, Alice reports she can no longer access the bucket after January 1, 2024. What is the most likely reason?

A. Alice does not have the 'storage.objects.get' permission required to view objects.
B. The command removed Alice's existing access because it replaced all bindings.
C. The command failed to apply because the service account does not have permission to modify IAM policies.
D. The IAM condition expired on January 1, 2024, because the timestamp condition prevented access after that date.
Answer: D

The condition checks request.time < timestamp, so after the timestamp, access is denied.

Why this answer

Option D is correct because the IAM condition attached to the binding includes a timestamp condition that expires on January 1, 2024. When the condition is no longer satisfied, the binding becomes ineffective, and Alice loses access to the bucket. This is a common use of IAM conditions to grant time-limited access.

Exam trap

Google Cloud often tests the distinction between IAM conditions and permission scoping, where candidates mistakenly think the issue is a missing permission or a policy replacement rather than a time-based condition expiring.

How to eliminate wrong answers

Option A is wrong because the command explicitly grants the 'storage.objectViewer' role, which includes the 'storage.objects.get' permission, so Alice had the necessary permission. Option B is wrong because the command uses 'gcloud storage buckets add-iam-policy-binding', which adds a new binding without removing existing ones; it does not replace all bindings. Option C is wrong because the command successfully applied (Alice had access initially), and the error would have been reported immediately if the service account lacked permission to modify IAM policies.

Question 21 (Multi-Select, medium)

Which TWO actions should a security engineer take to protect sensitive data in Cloud Storage buckets from accidental public exposure? (Choose two.)

Select 2 answers
A. Use Cloud Data Loss Prevention (DLP) to scan buckets for public access.
B. Set the organization policy constraint 'iam.disableBucketPolicyOnlyGrantedByDefault' to enforce uniform bucket-level access across the organization.
C. Configure VPC Service Controls to restrict access to the buckets from within the VPC.
D. Enable uniform bucket-level access on all buckets to disable ACLs.
E. Enable bucket lock on all buckets to prevent deletion of objects.
Answers: B, D

Prevents public ACLs at the org level.

Why this answer

Option B is correct because setting the organization policy constraint 'iam.disableBucketPolicyOnlyGrantedByDefault' enforces uniform bucket-level access across the organization, preventing the use of fine-grained ACLs that can accidentally expose data. This policy ensures that all new buckets default to IAM-based access control, reducing the risk of misconfigured public ACLs.

Exam trap

Google Cloud often tests the distinction between detection tools (like DLP) and preventive controls (like organization policy constraints), leading candidates to mistakenly choose DLP as a protective measure against public exposure.

22
MCQhard

Refer to the exhibit. An auditor notices this log entry. Which of the following is true about this event?

A.The decryption operation was performed on a key version that is disabled.
B.The service account has the Cloud KMS CryptoKey Decrypter role.
C.The decryption operation failed due to insufficient permissions.
D.The service account used is impersonating a user to decrypt data.
AnswerB

A successful decrypt operation implies the service account has the decrypter role.

Why this answer

The log entry indicates a successful decryption operation ("decrypt" action with a success status). For a service account to successfully decrypt data using Cloud KMS, it must have the Cloud KMS CryptoKey Decrypter role (roles/cloudkms.cryptoKeyDecrypter) on the key. The log shows the caller is a service account, and the operation succeeded, confirming it has the necessary permissions.

Option B correctly identifies this.

Exam trap

Google Cloud often tests the distinction between a successful operation and a failure — candidates see 'decrypt' and assume it failed due to permissions, but the log's success status directly proves the service account had the correct role.

How to eliminate wrong answers

Option A is wrong because the log shows the decryption succeeded, and a disabled key version would cause the operation to fail with an error like 'key version disabled' or 'permission denied' — not a success. Option C is wrong because the log entry shows a successful decryption (status is not an error), so insufficient permissions cannot be the case; a failure would be logged with an error code. Option D is wrong because the log does not show any impersonation (e.g., no 'impersonated' field or 'iam.serviceAccounts.signBlob' action); the caller is directly the service account, and impersonation would require additional delegation steps.

23
MCQmedium

Refer to the exhibit. An engineer wants to allow inbound SSH (tcp:22) to a VM with network tag 'ssh-access' in the 'default' VPC. Which firewall rule should they create?

A.Remove the 'default-allow-ssh' rule and create a new rule with no target tags.
B.Create a new ingress rule allowing tcp:22 from 0.0.0.0/0 to instances with tag 'ssh-access' with priority 1000.
C.Create a new egress rule allowing tcp:22 from instances with tag 'ssh-access' to 0.0.0.0/0.
D.Modify the existing 'default-allow-ssh' rule to add a target tag 'ssh-access'.
AnswerB

Correct: higher priority rule overrides the lower-priority default allow, ensuring only tagged instances receive SSH.

Why this answer

Option B is correct because it creates a new ingress firewall rule that explicitly allows inbound TCP port 22 traffic from any source (0.0.0.0/0) only to VM instances that have the network tag 'ssh-access'. In Google Cloud VPC, firewall rules are stateful and apply at the instance level based on target tags; a priority of 1000 ensures this rule is evaluated appropriately relative to higher-priority (lower number) deny rules. This approach preserves the default-allow-ssh rule for other instances while granting SSH access specifically to tagged VMs.

Exam trap

Google Cloud often tests the distinction between ingress and egress rules, and the trap here is that candidates may mistakenly choose an egress rule (Option C) thinking it controls incoming SSH traffic, or they may incorrectly assume that modifying the default rule (Option D) is the simplest approach without considering the impact on untagged instances.

How to eliminate wrong answers

Option A is wrong because removing the default-allow-ssh rule and creating a new rule with no target tags would apply the rule to all instances in the VPC, which is overly permissive and does not restrict SSH access to only the VM with tag 'ssh-access'. Option C is wrong because an egress rule controls outbound traffic from instances, not inbound SSH connections; the requirement is to allow inbound SSH (tcp:22) to the VM, which requires an ingress rule. Option D is wrong because modifying the existing 'default-allow-ssh' rule to add a target tag 'ssh-access' would change the rule's scope to only apply to tagged instances, but it would also remove the rule's effect on untagged instances (since the rule originally had no target tags, meaning it applied to all instances); this could inadvertently block SSH access to other VMs that previously relied on the default rule.

24
MCQmedium

Your company, a global e-commerce platform, must comply with the PCI DSS requirement to secure cardholder data. You have a multi-cloud environment with workloads on Google Cloud and AWS. The Google Cloud environment consists of Compute Engine instances that process credit card transactions, and a Cloud SQL for MySQL database that stores encrypted cardholder data. The security team requires that only specific service accounts can connect to the database, and all connections must be encrypted. Additionally, you need to ensure that the database is not publicly accessible and that all access is logged. You have configured the Cloud SQL instance with a private IP and enabled SSL/TLS. However, a recent audit revealed that a Compute Engine instance with a public IP and no service account was able to connect to the database and execute queries. The instance was not authorized in the Cloud SQL authorized networks. What is the most likely cause of this security gap, and what should you do to prevent it?

A.The instance bypassed SSL enforcement because the database was configured to accept non-encrypted connections. You should enable the 'require SSL' flag.
B.The instance used the Cloud SQL Proxy, which bypasses network controls. You should remove the proxy and require direct connections over private IP.
C.VPC Service Controls were not configured to block the connection. You should create a service perimeter to prevent data exfiltration.
D.The instance was in the same VPC and used the default Compute Engine service account with cloudsql.client role. You should disable the default service account and use a custom service account with the least privilege.
AnswerD

Private IP connections are allowed from any resource in the same VPC; the default service account had permission. Restricting the service account prevents unauthorized access.

Why this answer

Option D is correct because the Compute Engine instance was in the same VPC as the Cloud SQL instance (private IP), and it used the default Compute Engine service account, which had the cloudsql.client role. This allowed the instance to connect via the Cloud SQL Proxy or directly using the private IP without being listed in authorized networks, as VPC internal connectivity bypasses authorized networks. The fix is to disable the default service account and assign a custom service account with only the necessary permissions, ensuring least privilege and preventing unauthorized access.

Exam trap

Google Cloud often tests the misconception that authorized networks or SSL/TLS are the primary controls for Cloud SQL access, when in fact IAM roles on service accounts within the same VPC can override those controls.

How to eliminate wrong answers

Option A is wrong because the database already had SSL/TLS enabled, and the instance connected successfully; the issue is not about SSL enforcement but about authentication and authorization. Option B is wrong because the Cloud SQL Proxy does not bypass network controls; it actually enforces IAM-based authentication and encryption, and removing it would weaken security. Option C is wrong because VPC Service Controls are designed to prevent data exfiltration across perimeters, not to block internal VPC connections from instances with the correct IAM roles; the connection was within the same VPC, so a service perimeter would not have prevented it.

25
Multi-Selectmedium

A company wants to implement least privilege for a service account that needs to read objects from a Cloud Storage bucket and publish messages to a Pub/Sub topic. Which TWO IAM roles should be granted to the service account? (Choose TWO)

Select 2 answers
A.roles/storage.objectViewer
B.roles/pubsub.subscriber
C.roles/storage.admin
D.roles/pubsub.viewer
E.roles/pubsub.publisher
AnswersA, E

Provides read-only access to objects.

Why this answer

Option A is correct because roles/storage.objectViewer grants read-only access to objects in Cloud Storage buckets, which is the minimum permission needed for the service account to read objects. This role includes permissions like storage.objects.get and storage.objects.list, allowing the service account to retrieve object data without any write or administrative capabilities.

Exam trap

Google Cloud often tests the distinction between publisher and subscriber roles in Pub/Sub, and candidates mistakenly choose roles/pubsub.subscriber (Option B) thinking it covers publishing, when in fact it only allows consuming messages from a subscription.

26
MCQhard

Your organization uses Cloud Armor to protect against web attacks. After a change to the security policy, legitimate traffic from certain IPs is being blocked. You need to quickly allow that traffic while preserving the security policy. What should you do?

A.Remove the offending rule from the security policy
B.Enable logging on the security policy
C.Set the security policy to preview mode
D.Add a higher priority allow rule for those IPs
AnswerD

A higher priority rule explicitly allows the traffic before the blocking rule is evaluated.

Why this answer

Adding a higher priority allow rule for the affected IPs allows the traffic without removing the security policy. Other options either remove protection or are ineffective.

27
MCQhard

An organization uses Cloud Run to deploy microservices. They need to restrict access to a specific Cloud Run service to only requests coming from a different Cloud Run service within the same project. The services communicate over HTTP. Which configuration should be used?

A.Deploy both services in a VPC and use VPC firewall rules to allow traffic only from the caller's internal IP.
B.Use Cloud Armor with a rule to allow only requests with a specific header set by the caller.
C.Set the Cloud Run service to require authentication and grant the invoker role to the calling service's Google service account.
D.Configure the Cloud Run service to use 'Internal and Cloud Load Balancing' ingress control and use VPC Service Controls with an access level based on the caller's identity.
AnswerD

This restricts traffic to internal sources and allows identity-based conditions.

Why this answer

Option D is correct because it combines ingress control set to 'Internal and Cloud Load Balancing' with VPC Service Controls, which restricts access to the Cloud Run service to only requests originating from within the specified VPC or from Cloud Load Balancing. By adding an access level based on the caller's identity (the calling service's Google service account), you ensure that only the specific Cloud Run service can invoke the target service, meeting the requirement for service-to-service authentication within the same project.

Exam trap

Google Cloud often tests the misconception that VPC firewall rules or Cloud Armor can secure serverless services, but the correct approach for restricting access between Cloud Run services within the same project is to use ingress controls combined with identity-based access via VPC Service Controls.

How to eliminate wrong answers

Option A is wrong because Cloud Run services are serverless and do not have static internal IPs that can be used in VPC firewall rules; they use ephemeral IPs or are accessed via a VPC connector, making IP-based filtering impractical and insecure. Option B is wrong because Cloud Armor is a web application firewall that filters traffic based on HTTP headers or IP addresses, but it does not authenticate the caller's identity; a header can be easily spoofed, so it does not provide secure access control between services. Option C is wrong because while setting the Cloud Run service to require authentication and granting the invoker role to the calling service's Google service account is a valid approach for service-to-service authentication, it does not restrict ingress to only internal traffic; the service would still be publicly accessible over the internet, which does not meet the requirement to restrict access to only requests from within the same project.

28
Multi-Selecthard

Which THREE of the following are valid requirements for using VPC Network Peering? (Choose three.)

Select 3 answers
A.Cloud NAT must be configured in at least one VPC.
B.Subnet routes are automatically exchanged between the peered VPCs.
C.An IAM role with compute.networkAdmin must be granted to all users.
D.Each VPC must have firewall rules to allow traffic from the peered VPC.
E.The VPC networks must not have overlapping IP ranges.
AnswersB, D, E

Correct: peering exchanges subnet routes.

Why this answer

Option B is correct because VPC Network Peering automatically exchanges subnet routes between the peered VPCs, enabling private IP connectivity without requiring additional route tables or VPN gateways. This route exchange is implicit once the peering connection is established, provided the networks do not have overlapping CIDR blocks.

Exam trap

Google Cloud often tests the misconception that Cloud NAT is required for VPC Peering; the trap is that peering is purely for private IP communication and does not involve NAT or internet gateway functionality.

29
MCQeasy

A developer needs to allow a specific Compute Engine instance to communicate with a Cloud SQL database instance. Both are in the same project but different VPC networks. What is the simplest secure method?

A.Create a firewall rule allowing traffic between networks
B.Use VPC peering between the two networks
C.Use Cloud SQL Proxy on the instance
D.Grant the instance's service account access to Cloud SQL
AnswerB

VPC peering provides a direct private connection between the two VPCs.

Why this answer

VPC peering is the simplest secure method to allow communication between two VPC networks in the same project. It establishes a private RFC 1918 connection using internal IPs, avoiding the public internet. Firewall rules alone cannot bridge separate VPCs, and Cloud SQL Proxy is unnecessary overhead for internal connectivity.

Exam trap

Google Cloud often tests the misconception that firewall rules can span VPCs, but in Google Cloud, firewall rules are scoped to a single VPC network and cannot enable cross-network traffic without peering or VPN.

How to eliminate wrong answers

Option A is wrong because firewall rules only control traffic within a single VPC network; they cannot route traffic between different VPC networks. Option C is wrong because Cloud SQL Proxy is an extra component that adds complexity and is typically used for public IP access or from external clients, not for private VPC-to-VPC communication. Option D is wrong because granting a service account access to Cloud SQL controls authentication and authorization, not network-level connectivity between separate VPCs.

30
MCQmedium

A company uses Cloud Storage buckets to store sensitive data. They want to allow a third-party auditor to list bucket contents but not download the objects. Which IAM role should be assigned?

A.roles/storage.legacyBucketReader
B.roles/storage.objectAdmin
C.roles/storage.objectViewer
D.roles/storage.objectCreator
AnswerA

Allows listing bucket contents without downloading objects.

Why this answer

The correct answer is A because roles/storage.legacyBucketReader grants permission to list the contents of a bucket (via the storage.buckets.get and storage.objects.list permissions) without allowing object downloads, which require storage.objects.get. This role is specifically designed for scenarios where a user needs to enumerate objects but not read their data, aligning with the auditor's requirement.

Exam trap

The trap here is that candidates often confuse 'listing' with 'viewing' and choose roles/storage.objectViewer, not realizing that objectViewer includes the download permission (storage.objects.get), which is broader than the required list-only access.

How to eliminate wrong answers

Option B is wrong because roles/storage.objectAdmin includes storage.objects.get and storage.objects.update permissions, which allow downloading and modifying objects, exceeding the auditor's needs. Option C is wrong because roles/storage.objectViewer includes storage.objects.get, which permits downloading object data, not just listing. Option D is wrong because roles/storage.objectCreator only allows creating new objects (storage.objects.create) and does not include the storage.objects.list permission needed to list bucket contents.

31
Drag & Dropmedium

Drag and drop the steps to configure a security scanner to scan a web application in the correct order.

Why this order

Security scanning involves configuration, scheduling, execution, review, and remediation verification.

32
MCQeasy

A company needs to meet SOC 2 requirements for change management. They want to log all changes to IAM policies in their Google Cloud organization. What should they do?

A.Use Cloud Asset Inventory to scan for changes daily.
B.Configure a Cloud Monitoring alert for IAM policy changes.
C.Enable Data Access audit logs for all services.
D.Use Admin Activity audit logs, which are enabled by default.
AnswerD

Admin Activity logs record all changes to IAM policies and other configuration changes.

Why this answer

Option D is correct because Admin Activity audit logs capture all IAM policy changes by default. Option C is wrong because Data Access logs are for data access, not admin changes. Option B is wrong because Cloud Monitoring does not log changes; it monitors metrics.

Option A is wrong because Cloud Asset Inventory provides a view but does not log changes in real-time.

33
MCQmedium

Refer to the exhibit. A VM in the default network with internal IP 10.128.0.5 is unable to reach a VM at 10.0.0.4 over TCP port 22. What is the most likely cause?

A.The deny-all rule blocks traffic from 10.0.0.4 to the VM.
B.The deny-all rule has higher priority than default-allow-internal.
C.The default-allow-internal rule does not cover port 22.
D.There is no rule allowing SSH traffic from 10.0.0.4.
AnswerB

Deny-all (priority 2000) has higher priority (numerically lower) than default-allow-internal (priority 65534), so it overrides the allow rule.

Why this answer

Option B is correct. The deny-all rule (priority 2000) has a higher priority (lower number) than the default-allow-internal rule (priority 65534). Since the deny-all rule blocks all TCP traffic from the 10.0.0.0/8 range, it overrides the default-allow-internal rule, blocking SSH traffic from 10.0.0.4 to 10.128.0.5.

Option A is incorrect because the deny rule denies traffic from 10.0.0.0/8, not to it. Option C is incorrect because default-allow-internal allows all TCP traffic. Option D is incorrect because default-allow-internal covers SSH; the issue is priority.

34
MCQeasy

Which Google Cloud audit log captures administrator activity and is enabled by default?

A.Policy Denied audit logs
B.System Event audit logs
C.Data Access audit logs
D.Admin Activity audit logs
AnswerD

Admin Activity audit logs are enabled by default and track API calls that modify resources.

Why this answer

Admin Activity audit logs (option D) are enabled by default in Google Cloud and capture all administrator actions that modify the configuration or metadata of resources, such as creating a VM or changing IAM policies. These logs are essential for compliance and security auditing because they record 'who did what, where, and when' for management activities, and they cannot be disabled.

Exam trap

Google Cloud often tests the misconception that all audit logs are enabled by default, but only Admin Activity and System Event logs are default-enabled, while Data Access logs are not, leading candidates to incorrectly choose Data Access audit logs.

How to eliminate wrong answers

Option A is wrong because Policy Denied audit logs are only generated when a Google Cloud service denies access due to a security policy (e.g., VPC firewall rules or IAP), and they are not enabled by default—they must be explicitly configured. Option B is wrong because System Event audit logs capture non-human actions, such as Google Cloud's own automated operations (e.g., automatic maintenance events), and they are enabled by default but do not cover administrator activity. Option C is wrong because Data Access audit logs track API calls that read or modify user-provided data (e.g., reading a Cloud Storage object), and they are disabled by default to avoid high volume and cost; they must be explicitly enabled per service.

35
MCQmedium

Refer to the exhibit. The output shows that Alice has the following IAM policy binding: { "role": "roles/storage.objectAdmin", "members": ["user:alice@example.com"], "condition": { "title": "storage_access_condition", "expression": "request.time < timestamp('2024-12-31T23:59:59Z') && source.ip in ['203.0.113.0/24']" } } Alice is currently working from an IP address 198.51.100.10, and the date is 2025-01-01. What is the result when Alice tries to upload an object to a bucket in this project?

A.Access is denied because both the time and IP conditions are not satisfied.
B.Access is denied because the role does not include storage.objects.create permission.
C.Access is granted because the condition is not evaluated for uploads.
D.Access is granted because the IP condition is satisfied.
AnswerA

The condition evaluates to false because time is after the expiration and source IP is not allowed.

Why this answer

Alice's IAM policy binding includes a condition that requires both the request time to be before 2024-12-31T23:59:59Z and the source IP to be within 203.0.113.0/24. Since the current date is 2025-01-01, the time condition fails, and her IP address 198.51.100.10 is not in the allowed range. With a condition that uses AND logic, both subconditions must be true for access to be granted; because neither is satisfied, access is denied.

Exam trap

Google Cloud often tests the misconception that a condition with multiple subconditions grants access if any one subcondition is met, but the AND logic requires all subconditions to be true simultaneously.

How to eliminate wrong answers

Option B is wrong because the role roles/storage.objectAdmin includes the storage.objects.create permission, which is required to upload an object. Option C is wrong because conditions are always evaluated for uploads when they are attached to the policy binding; there is no exception for upload operations. Option D is wrong because the IP condition is not satisfied (198.51.100.10 is not in 203.0.113.0/24), and even if it were, the time condition also fails, so access would still be denied.

36
MCQhard

A company uses hierarchical firewall policies to enforce security across all VPC networks in an organization. They have an organization policy that denies egress traffic to the internet. However, a team needs to allow outbound HTTPS traffic to a specific external API (api.example.com) for a project. What is the best way to achieve this?

A.Create a new hierarchical firewall policy rule that allows egress to the IP range of api.example.com with a higher priority than the deny rule.
B.Configure Cloud NAT with a static IP and allow that IP in the org policy.
C.Remove the organization policy and rely on VPC firewall rules.
D.Use VPC Service Controls to allow access to the API.
AnswerA

Hierarchical rules follow priority order; a higher priority allow rule overrides a lower priority deny.

Why this answer

Hierarchical firewall policies allow you to enforce organization-wide rules while still permitting exceptions via higher-priority rules. By creating a new rule that allows egress to the IP range of api.example.com with a priority higher than the deny rule, you override the deny for that specific traffic. This approach maintains the organization's security posture while enabling the required outbound HTTPS access.

Exam trap

Google Cloud often tests the misconception that Cloud NAT or VPC Service Controls can bypass organization-level firewall policies, but only hierarchical firewall rules with appropriate priority can create exceptions to such policies.

How to eliminate wrong answers

Option B is wrong because Cloud NAT is used for outbound internet access from private instances, but it does not override an organization policy that denies egress traffic; the policy still blocks all egress regardless of NAT. Option C is wrong because removing the organization policy eliminates the baseline security control, which is unnecessary and insecure when a targeted exception can be made. Option D is wrong because VPC Service Controls are designed to restrict data exfiltration from Google Cloud services, not to control egress traffic to external APIs like api.example.com.

37
MCQeasy

A security engineer is troubleshooting a VPC firewall rule that is not allowing traffic from a specific subnet to a Compute Engine instance. The target tag is set correctly. What is the most likely cause?

A.A deny rule with a higher priority (lower number) exists and blocks the traffic.
B.The firewall rule is in the wrong network.
C.The instance has an internal IP address that is not within the source range of the rule.
D.The firewall rule's target tag is misspelled.
AnswerA

A deny rule with a lower priority number (higher priority) overrides allow rules with a higher priority number.

Why this answer

Option A is correct because if a deny rule with a lower priority number (higher priority) exists, it will take precedence and block traffic despite an allow rule. Option C is incorrect because the instance's internal IP address does not affect the source range check. Option D is incorrect because the problem states the target tag is set correctly.

Option B is incorrect because the rule is in the correct network.

38
MCQmedium

A company uses Cloud Identity-Aware Proxy (IAP) to secure access to an internal web application hosted on Compute Engine. After a recent security audit, the team wants to ensure that only users with specific attributes can access the app, such as belonging to the 'engineering' group and having a verified corporate email. What is the best approach to enforce this requirement?

A.Use VPC Service Controls to restrict access based on user attributes.
B.Disable OAuth and use a custom JWT with group membership claims.
C.Set up an HTTP load balancer with a custom header that passes group membership from the identity provider.
D.Configure IAP with access levels that require the user to be in the 'engineering' group and have a verified email.
AnswerD

Access levels in Context-Aware Access can enforce group membership and email verification.

Why this answer

Option D is correct because Cloud IAP integrates with context-aware access levels, which allow you to enforce attribute-based access control (ABAC) using Google Cloud's context-aware access features. By configuring an access level that requires the user to belong to the 'engineering' group (via Cloud Identity or G Suite group membership) and have a verified corporate email (e.g., using the `email_verified` attribute from the identity provider), you can precisely restrict access to the Compute Engine web application without modifying the application code.

Exam trap

Google Cloud often tests the distinction between network-level controls (VPC Service Controls) and identity-aware access (IAP), leading candidates to incorrectly choose VPC Service Controls for user attribute enforcement, when in fact IAP access levels are the correct mechanism for granular, attribute-based authorization.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls are designed to prevent data exfiltration by controlling access to Google Cloud APIs and services (e.g., BigQuery, Cloud Storage) based on network perimeters and project boundaries, not to enforce user attribute-based access control for an individual web application. Option B is wrong because disabling OAuth and using a custom JWT would bypass IAP's built-in authentication and authorization mechanisms, requiring you to manually validate tokens and manage group membership claims, which is less secure and more complex than using IAP's native integration with Cloud Identity. Option C is wrong because setting up an HTTP load balancer with a custom header from the identity provider would require the application to parse and trust that header, which is insecure (headers can be spoofed) and does not leverage IAP's centralized access control; IAP itself handles authentication and injects verified identity headers (e.g., `X-Goog-Authenticated-User-Email`) after successful authorization.

39
MCQhard

A financial services company is migrating its on-premises application to Google Cloud. The application needs to access a Cloud SQL instance and a Cloud Storage bucket. Security requirements mandate that the application must use short-lived credentials and avoid storing long-lived service account keys. The application runs on Compute Engine. What should the Security Engineer do to meet these requirements?

A.Create a service account and use Workload Identity Federation to impersonate it.
B.Use Cloud Key Management Service to generate and rotate keys for the service account.
C.Attach a service account to the Compute Engine instance with appropriate roles for Cloud SQL and Cloud Storage.
D.Create a service account key and store it in Cloud Secret Manager.
AnswerC

Compute Engine automatically obtains short-lived tokens via the metadata server.

Why this answer

Option C is correct because attaching a service account directly to a Compute Engine instance allows the application to automatically obtain short-lived access tokens from the instance metadata server (http://169.254.169.254) for accessing Cloud SQL and Cloud Storage. This approach eliminates the need to store long-lived service account keys, meeting the security requirement for short-lived credentials.

Exam trap

Google Cloud often tests the distinction between Compute Engine's native service account attachment (which provides short-lived tokens via metadata server) and external identity federation methods, leading candidates to incorrectly choose Workload Identity Federation for internal workloads.

How to eliminate wrong answers

Option A is wrong because Workload Identity Federation is designed for workloads running outside Google Cloud (e.g., AWS, Azure, on-premises) to impersonate a service account, not for applications already running on Compute Engine. Option B is wrong because Cloud Key Management Service (KMS) manages encryption keys, not service account keys; it cannot generate or rotate service account keys. Option D is wrong because storing a service account key in Cloud Secret Manager still involves a long-lived key that must be retrieved and used, violating the requirement to avoid storing long-lived service account keys.

40
MCQeasy

A company is using Cloud SQL with a private IP address in the same VPC as their Compute Engine web application server. The server can reach the Cloud SQL instance's IP address via ping, but the application is failing to connect with a permission error. The VPC firewall rules include the default allow internal rule. What is the most likely cause?

A.The Cloud SQL instance's private IP address is not assigned to the correct subnetwork.
B.The firewall rules need an explicit allow rule for TCP port 3306 for the server's IP range.
C.The Compute Engine server's service account does not have the Cloud SQL Client IAM role.
D.The Cloud SQL instance requires the public IP address to be enabled for the application to connect.
AnswerC

roles/cloudsql.client is what the Cloud SQL Auth Proxy and the Cloud SQL connectors need; a missing IAM grant surfaces as a permission error even when the network path is fine.

Why this answer

The default-allow-internal rule permits all protocols and ports between internal addresses in the VPC, so network reachability is not the problem; a blocked or misrouted TCP connection would time out or be refused, not fail with a permission error. A permission error points at authorisation: the instance's service account lacks roles/cloudsql.client, which the Cloud SQL Auth Proxy and the Cloud SQL language connectors require, and those are the standard way an application on Compute Engine reaches a private-IP instance. Check the project policy with `gcloud projects get-iam-policy PROJECT_ID` and look for the instance's service account among the members of that role. One caveat for real troubleshooting: if the application opens a plain TCP connection to the private IP with a MySQL client, IAM is never consulted, and a permission error then comes from the database's own user grants rather than from Google Cloud.

41
Multi-Selecthard

Which TWO of the following are true regarding Cloud Audit Logs?

Select 2 answers
A.Data Access audit logs are enabled by default for all services.
B.Admin Activity audit logs are enabled by default and cannot be disabled.
C.Cloud Audit Logs are retained indefinitely unless a retention policy is set.
D.Cloud Audit Logs include monitoring metrics for log volume.
E.System Event audit logs record non-human administrative actions and are enabled by default.
AnswersB, E

Default on for all projects.

Why this answer

Options B and E are correct. Admin Activity audit logs are always on and cannot be disabled; System Event audit logs, which record Google Cloud's own administrative actions on your resources (for example a live migration), are also always on and cannot be disabled.

Option A is incorrect because Data Access audit logs are off by default for every service except BigQuery and must be enabled per service. Option C is incorrect because retention is fixed rather than indefinite: Admin Activity and System Event logs are kept for 400 days in the _Required log bucket, while Data Access logs land in the _Default bucket with its 30-day retention unless you change it. Option D is incorrect because Cloud Audit Logs are log entries only; log-based metrics are a separate Cloud Monitoring feature you define yourself.

42
Multi-Selecteasy

A security engineer is designing data protection for Cloud Storage. Which TWO methods can be used to enforce encryption at rest for objects? (Choose TWO.)

Select 2 answers
A.Setting a bucket-level default encryption with a CMEK key.
B.Enabling VPC Service Controls.
C.Applying a retention policy.
D.Using a bucket policy that requires the x-goog-encryption header for uploads.
E.Using an Organization Policy to enforce CMEK at the project level.
AnswersA, E

This ensures all objects uploaded to the bucket are encrypted with the specified CMEK key.

Why this answer

Option A is correct because setting a bucket-level default encryption key with a CMEK (Customer-Managed Encryption Key) ensures that every new object written to the bucket is encrypted at rest using a key the customer controls in Cloud KMS, unless the request names another key. Option E is correct because the organization policy constraint constraints/gcp.restrictNonCmekServices makes the listed services (Cloud Storage among them) refuse to create resources that are not CMEK-protected, and constraints/gcp.restrictCmekCryptoKeyProjects limits which projects' keys may be used; together they turn the bucket-level default into an enforced requirement across a project or folder. Note that every object is already encrypted at rest with Google-managed keys; what these two options enforce is the use of customer-managed keys.

Exam trap

Google Cloud often tests the distinction between encryption at rest (server-side) and encryption in transit or client-side encryption, leading candidates to mistakenly choose options like D that enforce client-side headers rather than server-side encryption at rest.

43
MCQhard

A company is using VPC Service Controls to protect their Google Cloud Storage buckets. They want to allow a specific instance to access a bucket from within a VPC. What networking configuration is required?

A.The instance must have a public IP
B.A VPC peering connection to Google services
C.A Cloud NAT gateway
D.Private Google Access must be enabled on the subnet
AnswerD

Private Google Access allows instances that have only internal IP addresses to reach Google APIs over Google's network.

Why this answer

Private Google Access is a subnet setting that lets instances with only internal IP addresses reach Google APIs and services. It is the networking prerequisite for any in-VPC caller inside a VPC Service Controls perimeter; in that design the subnet's DNS and routing are normally pointed at the restricted.googleapis.com VIP (199.36.153.4/30), which serves only APIs that support VPC Service Controls, so traffic cannot leak to unprotected ones. No public IP, NAT gateway or peering is involved.

44
MCQmedium

A financial services company must store customer transaction records for 7 years to comply with SEC regulations. They currently use Cloud Storage with a lifecycle rule that deletes objects after 365 days. The compliance team needs to ensure that records are immutable and cannot be deleted or modified before the retention period expires. What should the security engineer do?

A.Apply a retention policy to each object individually using object holds.
B.Use VPC Service Controls to restrict access to the bucket to only authorized compliance personnel.
C.Modify the lifecycle rule to delete objects after 2555 days instead of 365 days.
D.Enable Bucket Lock on the bucket and configure a retention policy of 7 years.
AnswerD

Bucket Lock enforces a retention policy that prevents object deletion or modification until the retention period expires, overriding lifecycle rules.

Why this answer

Option D is correct because Bucket Lock is the bucket-level Cloud Storage feature that enforces immutability: a locked retention policy prevents object deletion or overwriting for the specified retention period, and the lock itself is irreversible, so the policy can only be lengthened and the bucket cannot be deleted until every object has aged out. By locking a 7-year retention policy, the company ensures that objects cannot be deleted or overwritten even by the bucket owner or by lifecycle rules; retention takes precedence over the existing 365-day lifecycle deletion action, which simply fails until the period expires.

Exam trap

Google Cloud often tests the distinction between access controls (like VPC Service Controls or IAM) and data immutability features, leading candidates to confuse restricting access with enforcing retention.

How to eliminate wrong answers

Option A is wrong because object holds (temporary holds and event-based holds) can be released by any user with appropriate permissions, so they do not guarantee immutability for the full 7-year period. Option B is wrong because VPC Service Controls restrict where requests may come from but do not prevent deletion or modification of objects by authorized users or lifecycle rules, so they do not enforce immutability. Option C is wrong because modifying the lifecycle rule to 2555 days only delays deletion; it does not prevent manual deletion or overwriting of objects, and lifecycle rules can be changed or removed at any time, failing to meet the immutability requirement.

45
MCQhard

Alice has the role roles/storage.objectAdmin on the bucket my-bucket via the IAM policy shown. She is unable to access the object gs://my-bucket/reports/data.csv. What is the most likely reason?

A.The condition restricts access to objects with a prefix 'uploads/', and the requested object is under 'reports/'.
B.The bucket has a retention policy that prevents access to objects older than a certain period.
C.The condition uses the wrong resource attribute; it should be resource.name.startsWith('my-bucket/uploads/').
D.Alice does not have the storage.objects.get permission on the bucket.
AnswerA

The condition resource.name.startsWith('projects/_/buckets/my-bucket/objects/uploads/') only allows access to objects whose path starts with 'uploads/'. The object 'reports/data.csv' does not match.

Why this answer

The IAM policy binding is conditional: `resource.name.startsWith('projects/_/buckets/my-bucket/objects/uploads/')` makes the grant of `roles/storage.objectAdmin` (and with it `storage.objects.get`) apply only to objects whose full resource name begins with that prefix, in other words only objects under `uploads/`. `gs://my-bucket/reports/data.csv` has the resource name `projects/_/buckets/my-bucket/objects/reports/data.csv`, so the condition evaluates to false, the binding contributes nothing, and the request is denied. A false condition is not a deny; it means that grant does not apply, and Alice is left with no permission at all on that object.

Exam trap

Google Cloud often tests the nuance that a conditional binding grants nothing when its condition is false, leading candidates to overlook the condition and incorrectly blame missing roles or unrelated bucket settings.

How to eliminate wrong answers

Option B is wrong because a retention policy prevents deletion or overwriting of objects, not reads; it never blocks `storage.objects.get`. Option C is wrong because `resource.name.startsWith` is the right attribute and function; the proposed value `'my-bucket/uploads/'` would make things worse, since Cloud Storage resource names begin with `projects/_/buckets/` and that bare prefix would match no object at all. Option D is wrong because `roles/storage.objectAdmin` does include `storage.objects.get`; the grant exists, but the condition keeps it from applying to objects outside `uploads/`.
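The evaluation described above, as an added example that is not part of the original page: a toy model of how IAM applies a conditional binding on a Cloud Storage bucket. It is not the IAM service and supports only the resource.name.startsWith() form used in the question; the role-to-permission table is an abbreviated copy of the real roles and the policy, bucket and object names are taken from the question.

```python
"""Added example (not from the original page): a toy model of how IAM evaluates
a conditional role binding on a Cloud Storage bucket. It is not the IAM service;
it handles only the resource.name.startsWith() condition from the question, and
the role-to-permission table is an abbreviated copy of the real roles, listed
here as an assumption of the example.
"""

import re

# Abbreviated permission sets (assumption: only the permissions needed here).
ROLE_PERMISSIONS = {
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create",
        "storage.objects.delete", "storage.objects.update",
    },
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
}

STARTS_WITH = re.compile(r"^resource\.name\.startsWith\('([^']*)'\)$")
ALICE = "user:alice@example.com"


def object_resource_name(bucket: str, object_name: str) -> str:
    """Full resource name Cloud Storage hands to IAM conditions for an object."""
    return f"projects/_/buckets/{bucket}/objects/{object_name}"


def bucket_resource_name(bucket: str) -> str:
    """Full resource name of the bucket itself; list requests are checked against it."""
    return f"projects/_/buckets/{bucket}"


def eval_condition(expression: str, resource_name: str) -> bool:
    """Evaluate the one CEL form this toy supports: resource.name.startsWith('...')."""
    m = STARTS_WITH.match(expression.strip())
    if m is None:
        raise ValueError(f"unsupported condition expression: {expression!r}")
    return resource_name.startswith(m.group(1))


def is_allowed(policy: dict, member: str, permission: str, resource_name: str) -> bool:
    """True if some binding grants `permission` to `member` on `resource_name`.
    A binding whose condition is false contributes nothing: IAM does not turn
    it into a deny, the grant simply does not apply to this resource."""
    for binding in policy["bindings"]:
        if member not in binding["members"]:
            continue
        if permission not in ROLE_PERMISSIONS.get(binding["role"], set()):
            continue
        cond = binding.get("condition")
        if cond is None or eval_condition(cond["expression"], resource_name):
            return True
    return False


def alice_policy(prefix: str) -> dict:
    """The bucket policy from the question, parameterised by the condition prefix."""
    return {
        "bindings": [{
            "role": "roles/storage.objectAdmin",
            "members": [ALICE],
            "condition": {
                "title": "uploads-only",
                "expression": f"resource.name.startsWith('{prefix}')",
            },
        }]
    }


# The prefix the answer quotes (a full resource name) ...
CORRECT = alice_policy("projects/_/buckets/my-bucket/objects/uploads/")
# ... and the bare form from option C, which can never match a real resource name.
BARE_PREFIX = alice_policy("my-bucket/uploads/")


def can_get(policy: dict, object_name: str) -> bool:
    return is_allowed(policy, ALICE, "storage.objects.get",
                      object_resource_name("my-bucket", object_name))


def can_list(policy: dict) -> bool:
    return is_allowed(policy, ALICE, "storage.objects.list",
                      bucket_resource_name("my-bucket"))


if __name__ == "__main__":
    print("uploads/a.csv    with full-name prefix:", can_get(CORRECT, "uploads/a.csv"))      # True
    print("reports/data.csv with full-name prefix:", can_get(CORRECT, "reports/data.csv"))   # False
    print("uploads/a.csv    with bare prefix     :", can_get(BARE_PREFIX, "uploads/a.csv"))  # False
    # Listing is authorised on the bucket, whose name has no objects/ part, so an
    # objects/ prefix condition does not grant storage.objects.list either.
    print("list my-bucket   with full-name prefix:", can_list(CORRECT))                        # False
```

The last case is the one that bites in practice: a prefix condition written against objects/ lets Alice fetch files she already knows the names of, but `gsutil ls` on the bucket is authorised against the bucket resource name and still fails, so a second binding (or a condition clause on the bucket name) is needed for listing.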

46
MCQeasy

A security team needs to centrally manage secrets for multiple Google Cloud projects. Which solution should they use?

A.Hardcode secrets in application code and use IAM with access scopes
B.Use Cloud Key Management Service (Cloud KMS) to store and manage secrets
C.Use Secret Manager
D.Store secrets in encrypted Cloud Storage buckets
AnswerC

Secret Manager is purpose-built for storing, rotating, and managing secrets with fine-grained access control.

Why this answer

Option C is correct because Secret Manager provides a centralized, durable, and scalable solution for storing secrets with per-secret IAM, versioning, rotation reminders and audit logging, and secrets in one project can be granted to principals from any other project. Option D is wrong because storing secrets in Cloud Storage with encryption still requires managing access yourself and offers no built-in versioning or rotation workflow. Option A is wrong because hardcoding secrets in code is insecure; access scopes are a legacy Compute Engine control, not a secret store.

Option B is wrong because Cloud KMS manages encryption keys, which never leave the service in plaintext; it is not a store for arbitrary secret values (though Secret Manager can use a CMEK from Cloud KMS to encrypt what it stores).

47
MCQeasy

Your company is deploying a multi-tier application in a single VPC with two subnets: web (10.0.1.0/24) and db (10.0.2.0/24). The web instances need to connect to a private Cloud SQL instance (MySQL) that is provisioned in a service project. The Cloud SQL instance has a private IP address 10.0.3.5 assigned using private services access. You have established VPC peering between your VPC and the service producer VPC (the Google-managed VPC hosting Cloud SQL). You verified that the peering connection is in 'ACTIVE' state. The web instances can reach internet sites, but connections to the Cloud SQL instance (using the MySQL client) are timing out. The db instances do not need to connect to Cloud SQL. What is the most likely cause and recommended solution?

A.Configure the VPC peering connection to export custom routes from your VPC to the service producer VPC.
B.Re-create the VPC peering connection because it might be misconfigured.
C.Change the Cloud SQL instance to use a public IP and allowlist your web subnet.
D.Set up Cloud NAT for the web subnet to enable outbound connections.
AnswerA

Exporting custom routes advertises your VPC's static and dynamic routes to the producer VPC so it has a return path; subnet routes cross the peering automatically.

Why this answer

A connection that times out rather than being refused means the SYN left the web instance but no SYN-ACK came back, which is the signature of a missing route in one direction. VPC Network Peering exchanges subnet routes automatically, so the producer VPC already has return routes for 10.0.1.0/24 and 10.0.2.0/24; what is not exchanged by default are your VPC's custom routes, that is static routes and the dynamic routes learned over Cloud VPN or Cloud Interconnect. Whenever the client's address is reachable from your VPC only through such a route (clients behind a VPN tunnel, or traffic steered by a static route), the producer VPC has no path back and the handshake fails exactly as described. Within the exam's framing the expected fix is the missing export; in a real investigation also confirm that no egress deny rule in your VPC covers 10.0.3.5 on port 3306 and that 10.0.3.5 lies inside the range allocated to private services access, since either produces the same timeout.

Enabling 'Export custom routes' on your side of the private services access peering (`gcloud compute networks peerings update PEERING_NAME --network=NETWORK --export-custom-routes`) advertises those routes to the producer VPC; `gcloud compute networks peerings list-routes PEERING_NAME --network=NETWORK --region=REGION --direction=OUTGOING` shows what is actually being advertised.

Exam trap

Google Cloud often tests the misconception that an 'ACTIVE' peering status guarantees full connectivity, but the trap here is that route exchange is not automatic for custom routes — candidates overlook the need to explicitly export custom routes for return traffic.

How to eliminate wrong answers

Option B is wrong because the peering connection is already in 'ACTIVE' state, which indicates it is correctly configured at the peering level; re-creating it would not solve the missing route export issue. Option C is wrong because using a public IP for Cloud SQL would expose the database to the internet, violating the requirement for a private connection, and it would not address the underlying routing problem caused by missing custom route exports. Option D is wrong because Cloud NAT is used for outbound internet access from private instances, but the issue here is bidirectional routing between the web subnet and the Cloud SQL private IP; Cloud NAT does not help with VPC peering route advertisement.
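The route-exchange rule described above, as an added example that is not part of the original page: a toy model of which routes cross a VPC Network Peering and whether a TCP handshake has a path in both directions. The consumer subnets and the Cloud SQL address come from the question; the on-premises range 192.168.10.0/24 reached over Cloud VPN and the producer network's import setting are assumptions added for the example.

```python
"""Added example (not from the original page): a toy model of route exchange over
VPC Network Peering. Subnet routes always cross the peering; custom (static and
dynamic) routes cross only when the exporting side exports them AND the importing
side imports them. 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.5 come from the question;
the on-prem range 192.168.10.0/24 and the producer's import flag are assumptions.
"""

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Route:
    dest: str        # CIDR
    kind: str        # "subnet", "custom" (static/dynamic) or "peering" (learned)
    next_hop: str


@dataclass
class Network:
    name: str
    routes: List[Route] = field(default_factory=list)
    export_custom_routes: bool = False
    import_custom_routes: bool = False


def routes_learned_over_peering(local: Network, remote: Network) -> List[Route]:
    """Routes `local` receives from `remote` through their peering."""
    learned = []
    for r in remote.routes:
        if r.kind == "subnet":
            learned.append(Route(r.dest, "peering", f"peering:{remote.name}"))
        elif r.kind == "custom" and remote.export_custom_routes and local.import_custom_routes:
            learned.append(Route(r.dest, "peering", f"peering:{remote.name}"))
    return learned


def lookup(network: Network, learned: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match over the network's own routes plus what it learned."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in network.routes + learned
                  if addr in ipaddress.ip_network(r.dest)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: ipaddress.ip_network(r.dest).prefixlen)


def tcp_handshake_possible(client_net: Network, server_net: Network,
                           client_ip: str, server_ip: str) -> bool:
    """The SYN needs a route client->server AND the SYN-ACK needs a route back."""
    forward = lookup(client_net, routes_learned_over_peering(client_net, server_net), server_ip)
    back = lookup(server_net, routes_learned_over_peering(server_net, client_net), client_ip)
    return forward is not None and back is not None


def build_networks(export_custom: bool) -> Tuple[Network, Network]:
    consumer = Network("consumer-vpc", [
        Route("10.0.1.0/24", "subnet", "local:web"),
        Route("10.0.2.0/24", "subnet", "local:db"),
        Route("192.168.10.0/24", "custom", "vpn-tunnel"),  # assumed on-prem range, dynamic route
    ], export_custom_routes=export_custom)
    # Private services access producer network (assumption: it imports custom routes).
    producer = Network("servicenetworking-producer", [
        Route("10.0.3.0/24", "subnet", "local:cloudsql"),
    ], import_custom_routes=True)
    return consumer, producer


if __name__ == "__main__":
    consumer, producer = build_networks(export_custom=False)
    # A web VM in a consumer subnet: subnet routes cross both ways, so this works already.
    print("web 10.0.1.10 -> 10.0.3.5 :", tcp_handshake_possible(consumer, producer, "10.0.1.10", "10.0.3.5"))
    # An on-prem client behind the VPN: forward path exists, return path does not.
    print("on-prem 192.168.10.5 -> 10.0.3.5 :", tcp_handshake_possible(consumer, producer, "192.168.10.5", "10.0.3.5"))
    consumer, producer = build_networks(export_custom=True)
    print("same, after export custom routes :", tcp_handshake_possible(consumer, producer, "192.168.10.5", "10.0.3.5"))
```

The first line prints True without any peering change, which is the practical takeaway: if the failing client really sits in 10.0.1.0/24, the export flag is not what is missing, and the egress firewall and the allocated range should be checked before touching the peering.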

48
MCQeasy

Your company runs a data analytics platform on Google Cloud that processes sensitive financial data. Data is ingested from various sources into a Cloud Storage bucket, then processed by Dataflow jobs, and final results are stored in BigQuery. You have implemented the following security controls: - VPC Service Controls perimeter around the project - Cloud KMS CMEK for all storage services - IAM conditions restricting access based on tags - Cloud Audit Logs enabled for all services Recently, an auditor discovered that a compromised service account was able to read data from the Cloud Storage bucket even though it was outside the VPC Service Controls perimeter. The auditor reviewed the logs and found that the access came from a Compute Engine instance that was running within the same project. What is the most likely reason the VPC Service Controls perimeter did not block this access?

A.The VPC Service Controls perimeter allows access from resources within the same project, even if they are outside the perimeter.
B.The Cloud KMS key used for encryption was not bound to the perimeter.
C.The Cloud Audit Logs were not enabled for the Cloud Storage bucket, so the access was not logged.
D.The VPC Service Controls perimeter was not configured to include the Cloud Storage bucket.
AnswerA

A perimeter is drawn around projects, so a request from a Compute Engine instance in a perimeter project originates inside the perimeter and is allowed whatever identity it carries.

Why this answer

VPC Service Controls decide where a request to a protected API may originate from, not which identity makes it. The perimeter was configured around the project, which places every resource in that project inside it, including the Compute Engine instance the attacker used. A call from an in-perimeter VM to a bucket in the same perimeter never reaches the access-level or ingress-rule checks, because those apply only to requests arriving from outside. Describing the service account as 'outside the perimeter' is a category error: identities are not inside or outside anything, and the one control that does constrain them, the IAM policy on the bucket, evidently allowed the read. That is the real lesson of the scenario: a perimeter stops exfiltration to outside networks and projects, but an attacker who gains code execution inside it, with a service account that IAM permits to read the data, is limited only by IAM. A least-privilege service account on that instance, and egress rules on the perimeter limiting where data can be copied to, are the controls that would have narrowed the blast radius.

Exam trap

The trap here is that candidates assume a perimeter evaluates the caller's identity, but Google Cloud tests the point that the perimeter evaluates the request's origin: resources in a perimeter project are inside it, regardless of which service account they run as.

How to eliminate wrong answers

Option B is wrong because Cloud KMS keys are not members of a perimeter; Cloud KMS can be added as a restricted service, but that governs calls to the KMS API, not whether a Cloud Storage read is permitted. Option C is wrong because the auditor found the access in the logs, so Cloud Audit Logs were enabled and working. Option D is wrong because the perimeter was drawn around the project, which includes every Cloud Storage bucket in it; the access was permitted because the request came from inside that same perimeter.

49
MCQeasy

An engineer notices that traffic on port 80 is not reaching instances with the tag 'http-server'. The instances have external IPs and are in the default VPC. What could be the reason?

A.The sourceRanges does not include the instance's public IP.
B.The targetTags are not applied to the instances.
C.A deny rule with a lower priority number (higher priority) exists and blocks the traffic.
D.The direction should be EGRESS.
AnswerC

A deny rule with a numerically lower priority value wins over this allow rule.

Why this answer

Option C is correct because rules are not evaluated in creation order: among all rules that match a packet, the one with the lowest priority number wins, and a deny at, say, 900 beats an allow at 1000 no matter how the allow is written. Option A is incorrect because the source range for a public web port is 0.0.0.0/0, and in any case source ranges describe the client, not the instance's own public IP. Option B is incorrect because the instances carry the http-server tag the rule targets.

Option D is incorrect because direction is correctly INGRESS for incoming traffic.
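The evaluation order described above, as an added example that is not part of the original page: a toy evaluator for VPC firewall rules that models lowest-priority-number-wins, deny-beats-allow at equal priority, and the implied rules at 65535. The rule set, tags and client address (203.0.113.7, from the TEST-NET-3 documentation range) are constructed for the example, not read from a project.

```python
"""Added example (not from the original page): a toy evaluator for VPC firewall
rules. It models the ordering that matters for the question: the matching rule
with the lowest priority number wins, deny beats allow at equal priority, and
the implied rules (deny all ingress, allow all egress) sit at 65535. Rules and
packets below are constructed for the example.
"""

import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    priority: int                                   # 0 (highest) .. 65535 (lowest)
    direction: str                                  # "INGRESS" or "EGRESS"
    action: str                                     # "allow" or "deny"
    protocols: Dict[str, Optional[FrozenSet[int]]]  # {"tcp": {80}}; None = all ports; {"all": None}
    source_ranges: Tuple[str, ...] = ("0.0.0.0/0",)  # INGRESS only
    target_tags: FrozenSet[str] = frozenset()       # empty = every instance in the network


@dataclass
class Packet:
    direction: str
    src_ip: str
    protocol: str
    port: int


IMPLIED = (
    Rule("implied-deny-ingress", 65535, "INGRESS", "deny", {"all": None}),
    Rule("implied-allow-egress", 65535, "EGRESS", "allow", {"all": None}),
)


def rule_matches(rule: Rule, pkt: Packet, instance_tags: FrozenSet[str]) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.target_tags and not (rule.target_tags & instance_tags):
        return False
    if rule.direction == "INGRESS":
        src = ipaddress.ip_address(pkt.src_ip)
        if not any(src in ipaddress.ip_network(r) for r in rule.source_ranges):
            return False
    if "all" in rule.protocols:
        return True
    if pkt.protocol not in rule.protocols:
        return False
    ports = rule.protocols[pkt.protocol]
    return ports is None or pkt.port in ports


def evaluate(rules: List[Rule], pkt: Packet, instance_tags: FrozenSet[str]) -> Tuple[str, str]:
    """Return (action, rule name) of the rule that decides this packet."""
    matching = [r for r in (*rules, *IMPLIED) if rule_matches(r, pkt, instance_tags)]
    # Lowest priority number first; at equal priority a deny wins over an allow.
    winner = min(matching, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return winner.action, winner.name


def without(rules: List[Rule], name: str) -> List[Rule]:
    return [r for r in rules if r.name != name]


# The rule the engineer created; it is correct on its own.
ALLOW_HTTP = Rule("allow-http-1000", 1000, "INGRESS", "allow",
                  {"tcp": frozenset({80})}, target_tags=frozenset({"http-server"}))
# A broader deny someone added at a numerically lower (higher) priority, no tags.
DENY_WEB = Rule("deny-web-900", 900, "INGRESS", "deny", {"tcp": frozenset({80, 443})})
RULES = [ALLOW_HTTP, DENY_WEB]

HTTP_SERVER = frozenset({"http-server"})
HTTP_FROM_INTERNET = Packet("INGRESS", "203.0.113.7", "tcp", 80)   # constructed client
SSH_FROM_INTERNET = Packet("INGRESS", "203.0.113.7", "tcp", 22)
EGRESS_DNS = Packet("EGRESS", "10.128.0.5", "udp", 53)

if __name__ == "__main__":
    print(evaluate(RULES, HTTP_FROM_INTERNET, HTTP_SERVER))                          # ('deny', 'deny-web-900')
    print(evaluate(without(RULES, "deny-web-900"), HTTP_FROM_INTERNET, HTTP_SERVER))  # ('allow', 'allow-http-1000')
    print(evaluate(without(RULES, "deny-web-900"), HTTP_FROM_INTERNET, frozenset()))  # ('deny', 'implied-deny-ingress')
    print(evaluate(RULES, SSH_FROM_INTERNET, HTTP_SERVER))                           # ('deny', 'implied-deny-ingress')
    print(evaluate(RULES, EGRESS_DNS, HTTP_SERVER))                                  # ('allow', 'implied-allow-egress')
```

The third case is option B from the question (tag missing): the allow never matches and the implied deny decides. On a real project the equivalent check is `gcloud compute firewall-rules list --sort-by=priority`, read top to bottom for the first rule whose direction, targets, sources and ports all match.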

50
Multi-Selecteasy

Which THREE components are customer responsibilities under the Google Cloud Shared Responsibility Model for IaaS? (Choose 3.)

Select 3 answers
A.Security of virtual network controls
B.Security of application code
C.Physical security of data centers
D.Security of the hypervisor
E.Security of guest operating system
AnswersA, B, E

Customers configure firewall rules, VPCs, etc.

Why this answer

Option A is correct because under the IaaS shared responsibility model, the customer is responsible for configuring and managing virtual network controls such as firewalls, route tables, and network ACLs. Google Cloud provides the underlying network infrastructure, but the customer must secure traffic flows and access policies within their VPC.

Exam trap

Google Cloud often tests the misconception that physical security or hypervisor security is a shared responsibility, when in fact these are exclusively the provider's domain under IaaS.

51
MCQhard

A company must comply with PCI DSS requirements that mandate the use of a hardware security module (HSM) for key storage. They plan to use Cloud KMS for key management. Which implementation meets compliance?

A.Use Cloud External Key Manager (EKM) with an external HSM.
B.Create a Cloud HSM key ring and use Cloud KMS with protection level 'HSM'.
C.Use Customer-Supplied Encryption Keys (CSEK) stored in an on-premises HSM.
D.Create keys in Cloud KMS using the default software protection level.
AnswerB

Cloud HSM provides HSM-backed key storage in Cloud KMS.

Why this answer

Option B is correct because PCI DSS requires that cryptographic keys be stored in a hardware security module (HSM) to ensure tamper resistance. Cloud HSM provides a FIPS 140-2 Level 3 validated HSM directly integrated with Cloud KMS, allowing you to create keys with the 'HSM' protection level that are generated and stored within the HSM hardware, meeting compliance without managing external infrastructure.

Exam trap

Google Cloud often tests the distinction between using an external HSM (EKM) versus a native Cloud HSM, where candidates mistakenly think that any HSM integration satisfies PCI DSS, but the key is that the keys must be stored and managed within a validated HSM that is directly integrated with the key management service.

How to eliminate wrong answers

Option A is wrong because Cloud External Key Manager (EKM) allows you to use an external HSM for key storage, but it does not store keys within Google Cloud's HSM; instead, it references keys held in your external HSM, which adds operational complexity and may not satisfy PCI DSS requirements if the external HSM is not properly validated or managed. Option C is wrong because Customer-Supplied Encryption Keys (CSEK) are used for encrypting data at rest in Google Cloud Storage, not for key management within Cloud KMS, and storing them in an on-premises HSM does not integrate with Cloud KMS's key management lifecycle or meet PCI DSS requirements for key storage in a validated HSM. Option D is wrong because the default software protection level stores keys in software-based key storage, which does not meet PCI DSS's mandate for hardware-based key storage in an HSM.

52
Matchingmedium

Match each security command center tier to its capabilities.


Concepts
Matches

Free, includes basic vulnerability scanning and findings

Paid, includes threat detection, event threat detection, and container threat detection

Paid, includes all Premium features plus security posture, asset inventory, and compliance

Built-in vulnerability scanning and misconfiguration detection

Detects threats from Cloud Logging and DNS logs

Why these pairings

These are Security Command Center tiers and their features.

53
Multi-Selecthard

An organization wants to enforce that all Compute Engine instances must use a specific service account. Which three steps are necessary? (Choose three.)

Select 3 answers
A.Create a custom role with compute.instances.create permission.
B.Grant the service account the needed roles on the project.
C.Create the service account in the project.
D.Set an organization policy constraint compute.restrictServiceAccountUsage to allow only that service account.
E.Grant the compute.instanceAdmin role to the service account.
AnswersB, C, D

The SA needs permissions to perform its intended tasks.

Why this answer

Option C is the prerequisite: the service account has to exist in the project before anything can be attached or enforced. Option B is correct because the service account must be granted the IAM roles it needs on the project (or on specific resources) to do its job; without these grants, even once it is enforced on every instance, the workloads will lack permissions. Option D is the enforcement step, since only an organization policy can make the restriction apply to every instance rather than to the ones someone remembered to configure. Note that, independent of any constraint, a principal can attach a service account to an instance only if it holds iam.serviceAccounts.actAs on that account (roles/iam.serviceAccountUser), which is the other lever for limiting which accounts instances can run as.

Exam trap

Google Cloud often tests the distinction between enforcing a service account (via organization policy) and granting permissions to that service account (via IAM roles), leading candidates to mistakenly include steps like creating custom roles or granting instanceAdmin to the service account as part of the enforcement process.

54
Multi-Selectmedium

A company wants to allow a third-party auditor to view their organization's IAM policies and logs but not make any changes. Which two predefined roles should be granted? (Choose two.)

Select 2 answers
A.roles/iam.securityReviewer
B.roles/iam.securityAdmin
C.roles/monitoring.viewer
D.roles/logging.viewer
E.roles/iam.roleViewer
AnswersA, D

Grants read-only access to IAM policies.

Why this answer

Options A and D are correct. roles/iam.securityReviewer grants read access to IAM policies and roles across the organization, and roles/logging.viewer grants read access to logs (excluding Data Access audit logs, which need roles/logging.privateLogViewer if the auditor must see them). Option B grants write access to IAM policies, option C covers Cloud Monitoring rather than logs, and option E only covers role definitions, not policies.

55
MCQeasy

A retail company hosts an e-commerce website on Compute Engine behind an HTTPS load balancer. They want to encrypt traffic between the load balancer and backend instances. What should they do?

A.Enable HTTPS only between clients and load balancer; backend traffic uses HTTP.
B.Use an internal HTTPS load balancer and configure SSL certificates on backend services.
C.Apply Cloud Armor policy to enforce TLS between load balancer and backends.
D.Use Cloud VPN to connect load balancer to backend instances.
AnswerB

An HTTPS load balancer, internal or external, terminates TLS from the client and re-encrypts to the backends when the backend service protocol is HTTPS.

Why this answer

Option B is correct because the mechanism is the backend service's protocol: with the backend service set to HTTPS (or HTTP/2), the load balancer opens a new TLS connection to each backend instance, which must listen for TLS and present a certificate. This gives encryption of the load-balancer-to-backend hop, meeting the requirement. Two practitioner caveats: the load balancer does not validate the backend certificate by default, so a self-signed certificate on the instances is enough for encryption but adds no authentication of the backend; and the same setting works on the external HTTPS load balancer the site is actually behind, so the option's mention of an internal load balancer is incidental to the point being tested.

Exam trap

The trap here is that candidates often assume Cloud Armor can enforce TLS encryption, but Cloud Armor only applies security policies (e.g., IP allow/deny, rate limiting) and does not handle SSL/TLS termination or re-encryption between the load balancer and backends.

How to eliminate wrong answers

Option A is wrong because it explicitly leaves backend traffic unencrypted (HTTP), which fails the requirement to encrypt traffic between the load balancer and backend instances. Option C is wrong because Cloud Armor is a web application firewall and DDoS protection service that enforces security policies at the edge, not a mechanism to enforce TLS between the load balancer and backends; it cannot configure SSL/TLS on the backend connection. Option D is wrong because Cloud VPN is used to securely connect on-premises networks or VPCs over the internet, not to encrypt traffic between a load balancer and its backend instances within the same VPC.

56
Multi-Selectmedium

A company is using Cloud Data Loss Prevention (DLP) to inspect and de-identify sensitive data in Cloud Storage. They want to classify data using infoTypes and apply de-identification techniques. Which TWO actions should they take?

Select 2 answers
A.Create custom infoTypes for all sensitive data.
B.Use the DLP API to inspect the storage for sensitive data.
C.Apply de-identification transformations such as masking or tokenization.
D.Store de-identification templates in Cloud KMS.
E.Use VPC Service Controls to restrict access to the data.
AnswersB, C

DLP API can scan and classify data using infoTypes.

Why this answer

Option B is correct because the DLP API is the mechanism for scanning content for the sensitive data patterns that infoTypes define. For data already in Cloud Storage the scan is an inspection job (dlpJobs.create with a storageConfig pointing at the bucket), while content.inspect handles data passed inline. Option C is correct because, after inspection, de-identification transformations such as masking or tokenization are applied through content.deidentify (or a de-identification template) to redact or replace the matched values. Together, these two actions form the standard workflow for classifying and protecting data in Cloud Storage using Cloud DLP.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls or Cloud KMS are directly involved in the DLP inspection and de-identification process, when in fact they are separate security services for perimeter control and key management, respectively.

57
MCQmedium

A financial firm uses Cloud Deployment Manager to manage their Google Cloud infrastructure. They have a strict change management policy requiring that all infrastructure changes in the production environment must be reviewed and approved by a senior engineer before being applied. Currently, developers can modify the Deployment Manager configurations directly, leading to unapproved changes. The company wants to enforce this policy without impacting development agility. What should they implement?

A.Use Deployment Manager snapshots to roll back changes if needed.
B.Set up Cloud Audit Logs to monitor changes and alert on unauthorized modifications.
C.Use organization policies to restrict access to the Deployment Manager service.
D.Use a CI/CD pipeline with Cloud Build and require approval gates.
AnswerD

A CI/CD pipeline enforces a workflow where changes go through review and approval before deployment, satisfying the policy.

Why this answer

A CI/CD pipeline with Cloud Build can include manual approval gates that block deployments until approved. This enforces change review while allowing development to proceed, provided that the pipeline's service account is the only principal with write access to production and developers keep only commit rights. Option A is incorrect because snapshots allow rollback but do not prevent unapproved changes from reaching production in the first place.

Option B is incorrect because auditing only records changes after the fact; it does not prevent them. Option C is incorrect because an organization policy would block Deployment Manager usage outright, including in development, rather than inserting an approval step.

58
MCQeasy

Your organization requires that all egress traffic from a VPC network be inspected by a third-party security appliance before leaving the network. The appliance is deployed in a separate VPC. What is the most scalable and maintainable way to route traffic through the appliance?

A.Use Cloud Interconnect to connect the two VPCs and configure BGP to advertise a default route from the appliance VPC.
B.Use Private Google Access to route traffic through the appliance.
C.Deploy the appliance in a separate VPC and create a route with next hop as the appliance's internal IP, and tag the VMs that need inspection.
D.Deploy the appliance in a separate VPC and use VPC Network Peering with route export/import to redirect traffic.
AnswerC

This is the recommended pattern: use instance-level routes with next hop to the appliance.

Why this answer

Option C is correct because it uses a static route with a next hop of the appliance's internal IP, combined with network tags to select which VMs' egress is steered through the appliance. This is scalable and maintainable: it avoids interconnect or peering gymnastics, and adding a VM to the inspected set is a matter of applying the tag rather than editing routes. Two things the appliance needs that the option does not mention: it must be created with IP forwarding enabled (`--can-ip-forward`), or the VPC discards packets whose destination is not the VM's own address, and if it is the path to the internet it also needs its own external IP or Cloud NAT for the forwarded traffic.

Exam trap

Google Cloud often tests the misconception that VPC Network Peering with route export/import is the simplest way to route traffic between VPCs, but the trap here is that peering creates a full mesh of routes, which can cause asymmetric routing and does not allow selective egress-only inspection without additional complex filtering.

How to eliminate wrong answers

Option A is wrong because Cloud Interconnect is a dedicated connection to on-premises networks, not between VPCs, and BGP advertising a default route from the appliance VPC would require complex routing policies and does not inherently inspect egress traffic. Option B is wrong because Private Google Access allows VMs without external IPs to access Google APIs and services, not to route traffic through a third-party security appliance in another VPC. Option D is wrong because VPC Network Peering with route export/import would redirect all traffic between the VPCs, but it does not provide a mechanism to selectively route only egress traffic through the appliance; it would also route ingress traffic, causing asymmetric routing and potential inspection bypass.

59
MCQhard

A gaming company must comply with the Children's Online Privacy Protection Act (COPPA). They use BigQuery to store user data, including age. They want to automatically classify and restrict access to data of users under 13. Which approach should they take?

A.Create a Cloud Data Catalog tag template for age and assign tags to columns, then use IAM to restrict access based on tags.
B.Store user data in Cloud Storage with uniform bucket-level access and use IAM to restrict access based on age.
C.Use DLP API to inspect BigQuery tables and apply de-identification or restriction policies.
D.Use VPC Service Controls to limit access to the BigQuery dataset from only approved IP ranges.
AnswerC

DLP can classify the data and de-identify what it finds; restriction of the classified columns is then enforced through BigQuery's own access controls.

Why this answer

Option C is correct because the DLP API can run inspection jobs against BigQuery tables to find the relevant infoTypes (here age values and the identifiers tied to them) and apply de-identification transformations to the matching columns; the classification it produces is what the restriction policy is then keyed on. Option B is wrong because uniform bucket-level access is a Cloud Storage setting and the data lives in BigQuery. Option D is wrong because VPC Service Controls constrain where requests come from and never inspect data content.

Option A is wrong because a Data Catalog tag template is descriptive metadata: it classifies columns but does not itself enforce access. (Enforcement at column level in BigQuery is done with policy tags and column-level security, a separate mechanism from tag templates.)

60
MCQeasy

A company is moving sensitive data to Google Cloud and must comply with GDPR data minimization principles. They want to ensure that only the minimum necessary data is collected and processed. Which Google Cloud service should they use to automatically identify and redact sensitive data before storage?

A.Cloud Composer
B.Cloud Data Fusion
C.Cloud Dataprep
D.Cloud Data Loss Prevention (DLP)
AnswerD

DLP inspects and de-identifies sensitive data to minimize data collection.

Why this answer

Cloud Data Loss Prevention (DLP) is the correct service because it provides native capabilities to inspect, classify, and automatically redact sensitive data (e.g., PII, credit card numbers) before storage, directly supporting GDPR data minimization. It uses built-in infoType detectors and can be integrated with Cloud Storage, BigQuery, and other services to apply de-identification transformations such as masking, tokenization, or deletion at ingestion time.

Exam trap

Google Cloud often tests the distinction between data transformation/ETL tools (Cloud Data Fusion, Cloud Dataprep) and a dedicated data loss prevention service (Cloud DLP), expecting candidates to recognize that only DLP provides automated sensitive data identification and redaction out of the box without requiring custom coding or external integrations.

How to eliminate wrong answers

Option A is wrong because Cloud Composer is a managed workflow orchestration service based on Apache Airflow, not a data inspection or redaction tool; it cannot automatically identify or redact sensitive data. Option B is wrong because Cloud Data Fusion is a fully managed data integration and ETL service that can transform data but lacks built-in sensitive data detection and automated redaction capabilities; it would require custom plugins or external calls to DLP for such functionality. Option C is wrong because Cloud Dataprep is a data preparation and cleaning service (based on Trifacta) that focuses on structuring and transforming data visually, but it does not natively include automated sensitive data identification or redaction; it would need to integrate with DLP for that purpose.
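The inspect-then-de-identify workflow that questions 56 and 60 describe, as an added example that is not part of the original page and is not the Cloud DLP API: a toy pipeline in which two regex detectors stand in for the EMAIL_ADDRESS and CREDIT_CARD_NUMBER infoTypes (with the Luhn check DLP uses to discard card-like digit runs), and character masking plus a keyed deterministic token stand in for DLP's masking and cryptographic transformations. The sample record and the key are constructed for the example.

```python
"""Added example (not from the original page, not the Cloud DLP API): a toy
inspect/de-identify pipeline mirroring the two-step DLP workflow. Detectors stand
in for infoTypes; mask() and tokenize() stand in for DLP's character masking and
crypto-based transformations. SAMPLE and KEY are constructed for the example.
"""

import hashlib
import hmac
import re
from typing import Callable, Dict, List, Tuple

DETECTORS: Dict[str, "re.Pattern[str]"] = {
    "EMAIL_ADDRESS": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # 13-19 digits, optionally separated by single spaces or hyphens.
    "CREDIT_CARD_NUMBER": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; DLP applies it to cut false positives on card-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect(text: str) -> List[Tuple[str, int, int]]:
    """Return (infoType, start, end) findings, like the findings list of an inspect result."""
    findings = []
    for info_type, pattern in DETECTORS.items():
        for m in pattern.finditer(text):
            if info_type == "CREDIT_CARD_NUMBER" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # digit run that is not a valid card number: dropped, as DLP would
            findings.append((info_type, m.start(), m.end()))
    return sorted(findings, key=lambda f: f[1])


def mask(value: str, keep_last: int = 4, char: str = "*") -> str:
    """Character masking: hide everything except the last `keep_last` digits."""
    digits = re.sub(r"\D", "", value)
    return char * (len(digits) - keep_last) + digits[-keep_last:]


def tokenize(value: str, key: bytes) -> str:
    """Deterministic keyed token: same value + same key -> same token, so joins
    across tables still work, while the value is unrecoverable without the key."""
    return "TOKEN_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(text: str, key: bytes) -> str:
    """Apply one transformation per infoType, replacing right-to-left so that
    earlier offsets from inspect() stay valid."""
    transforms: Dict[str, Callable[[str], str]] = {
        "CREDIT_CARD_NUMBER": mask,
        "EMAIL_ADDRESS": lambda v: tokenize(v, key),
    }
    out = text
    for info_type, start, end in reversed(inspect(text)):
        out = out[:start] + transforms[info_type](out[start:end]) + out[end:]
    return out


# Constructed record: one real-looking card (4111... passes Luhn) and one 13-digit
# reference number that does not, to show the detector discarding it.
SAMPLE = "order 1187 from alice@example.com paid with 4111 1111 1111 1111, ref 1234567890123"
KEY = b"example-only-key-rotate-me"   # in practice a Cloud KMS-wrapped key, never a literal

if __name__ == "__main__":
    print(inspect(SAMPLE))       # [('EMAIL_ADDRESS', 16, 33), ('CREDIT_CARD_NUMBER', 44, 63)]
    print(deidentify(SAMPLE, KEY))
```

The design choice worth noticing is the split: inspect() yields findings with offsets and no data changes, which is what you log and alert on; deidentify() consumes those findings and is the only step that rewrites content. Keeping tokenization deterministic and keyed is what lets downstream analytics join on the token without ever seeing the e-mail address.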

61
Multi-Selectmedium

Which TWO options are valid methods to secure data in transit between an on-premises data center and a Google Cloud VPC?

Select 2 answers
A.Private Google Access
B.Dedicated Interconnect with MACsec
C.Cloud VPN with IPsec
D.VPC Network Peering
E.Internal HTTPS Load Balancing
AnswersB, C

MACsec provides encryption at Layer 2 for dedicated connections.

Why this answer

Dedicated Interconnect with MACsec (Media Access Control Security) provides encryption at Layer 2, securing data in transit over the dedicated connection between your on-premises data center and Google Cloud VPC. MACsec uses GCM-AES-128 or GCM-AES-256 encryption to protect all traffic on the link, ensuring confidentiality and integrity without the overhead of IPsec.

Exam trap

Google Cloud often tests the distinction between connectivity methods (like Private Google Access or VPC Peering) and actual encryption mechanisms, leading candidates to confuse access control or internal routing with data-in-transit security.

62
MCQmedium

A company assigns roles to Google Groups to simplify management. They have a group called data-engineers@example.com that needs access to BigQuery datasets. Instead of adding each user individually, they want to grant the group roles/bigquery.dataViewer at the project level. After granting the role, a new member added to the group reports they cannot query a dataset. What is the most likely reason?

A.The dataset is in a different project than the one where the role was granted.
B.The user needs to be added directly to the dataset's access control list.
C.The dataset has been configured with private access control that overrides the project-level IAM.
D.The group does not have the necessary permissions because BigQuery does not support IAM groups.
AnswerA

If the dataset is in another project, the IAM role must be granted on that project or dataset.

Why this answer

Option A is correct because IAM roles granted at the project level apply only to resources within that project. If the BigQuery dataset resides in a different project, the group's project-level role does not grant access to that dataset. The user would need either a role granted at the dataset's project level or direct dataset-level permissions.

Exam trap

Google Cloud often tests the misconception that project-level IAM roles grant access to all resources across all projects in the organization, when in fact they are scoped to the specific project where the role is assigned.

How to eliminate wrong answers

Option B is wrong because adding the user directly to the dataset's ACL is not necessary if the group already has a project-level role that should grant access; the issue is the dataset being in a different project, not the need for direct user ACLs. Option C is wrong because private access control (e.g., Authorized Views or dataset-level ACLs) can restrict access, but it does not override project-level IAM; rather, it works in conjunction with IAM, and the scenario describes a missing access issue, not an override. Option D is wrong because BigQuery fully supports IAM groups; groups can be granted roles at the project or dataset level, and the group itself is a valid principal in IAM policies.

63
Multi-Selecthard

A company is implementing confidential VMs with Shielded VM and data encryption. Which two actions must be taken to ensure data protection for confidential compute workloads?

Select 2 answers
A.Use vTPM for key management.
B.Enable Secure Boot and Measured Boot.
C.Use customer-managed encryption keys (CMEK) for persistent disk encryption.
D.Use a Confidential VM instance with an N2D machine series.
E.Use Cloud HSM to protect the encryption keys for the encrypted memory.
AnswersA, B

vTPM is used for secure key storage and attestation.

Why this answer

Option A is correct because vTPM (virtual Trusted Platform Module) provides hardware-based key management for confidential VMs, enabling secure generation, storage, and attestation of encryption keys used for memory encryption and disk encryption. This ensures that only authorized code can access the keys, protecting data at rest and in use.

Exam trap

Google Cloud often tests the distinction between data-at-rest encryption (CMEK, Cloud HSM) and data-in-use protection (confidential VMs with vTPM and Secure Boot), leading candidates to mistakenly select C or E for memory encryption.

64
MCQmedium

A security administrator wants to ensure that only requests coming through Identity-Aware Proxy (IAP) can access a backend service running on Compute Engine. Which configuration is required?

A.Use a VPN between IAP and backend.
B.Configure Cloud Armor to block non-IAP traffic.
C.Configure the backend service to require IAP credentials.
D.Set firewall rules to allow only traffic from IAP proxy IP ranges.
AnswerD

This restricts access to only IAP requests.

Why this answer

Option D is correct because Identity-Aware Proxy (IAP) uses a fixed set of Google-owned IP ranges to forward authenticated and authorized requests to backend services. By configuring VPC firewall rules to allow ingress only from these IAP proxy IP ranges, the administrator ensures that any traffic not originating from IAP is blocked, effectively restricting access to IAP-authorized requests only.

Exam trap

The trap here is that candidates often confuse application-layer authentication (IAP JWT validation) with network-layer access control (firewall rules) and choose option C. The question asks for the configuration that ensures only requests coming through IAP can reach the backend, which at the network level is achieved by restricting source IPs to the IAP proxy ranges.

How to eliminate wrong answers

Option A is wrong because a VPN between IAP and the backend is not supported; IAP is a Google Cloud service that proxies traffic from the internet, and it does not establish VPN tunnels to backends. Option B is wrong because Cloud Armor is a web application firewall (WAF) that filters HTTP/S traffic based on rules (e.g., OWASP signatures), but it cannot natively inspect whether a request originated from IAP; it would require custom header validation, which is not the primary recommended method. Option C is wrong because the backend service itself does not 'require IAP credentials'; IAP validates identity and authorization at the proxy layer, and the backend service must be configured to trust IAP-signed JWTs (via the IAP-issued JWT audience), not to directly require credentials.

65
Multi-Selecthard

A company is setting up Cloud NAT for a subnet that hosts compute instances. They want to ensure high availability and efficient use of IPs. Which TWO configurations should they apply? (Choose TWO.)

Select 2 answers
A.Create a separate Cloud NAT gateway for each zone in the region.
B.Disable IP masquerading to preserve source IPs.
C.Specify at least two NAT IPs, each from different zones for redundancy.
D.Reserve static external IP addresses and assign them to the Cloud NAT.
E.Use dynamic NAT IPs so that Google-managed allocation is used.
AnswersC, D

Multiple IPs across zones provide HA if a zone fails.

Why this answer

Options C and D are correct. Using multiple NAT IPs in different zones provides HA, and manually assigned NAT IPs with static reservations ensure the addresses are not lost. Option E is wrong because dynamically allocated NAT IPs may change; automatic allocation addresses port exhaustion, not address stability.

Option A is wrong because one NAT gateway is sufficient per region; zone-level gateways are not needed. Option B is wrong because source address translation is the function Cloud NAT provides; it is not a setting you disable for availability or IP efficiency.

66
MCQmedium

A company has a VPC with subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). They enabled Private Google Access on subnet-a. Instances in subnet-a can access Google APIs and services using private IPs. However, instances in subnet-b cannot reach Google APIs even though subnet-b has a default route to the internet through a NAT gateway. What is the likely cause?

A.Subnet-b does not have a default route to the internet.
B.Cloud NAT is not configured for subnet-b.
C.Firewall rules are blocking traffic to googleapis.com.
D.Private Google Access is not enabled on subnet-b.
AnswerD

Private Google Access must be enabled on each subnet that needs it.

Why this answer

Private Google Access is a per-subnet setting that allows instances with only private IPs to reach Google APIs and services through the VPC's default internet gateway, without needing public IPs or NAT. Since subnet-b does not have Private Google Access enabled, its instances cannot use this feature even though they have a default route to the internet via a NAT gateway; the NAT gateway only provides outbound internet access for public IP destinations, not the private IP ranges used by Google APIs.

Exam trap

Google Cloud often tests the misconception that a NAT gateway or internet gateway alone is sufficient for accessing Google APIs, when in fact Private Google Access must be explicitly enabled on each subnet that requires it.

How to eliminate wrong answers

Option A is wrong because subnet-b has a default route to the internet through a NAT gateway, as stated in the question. Option B is wrong because Cloud NAT is not required for Private Google Access; Private Google Access uses the VPC's default internet gateway, not a NAT gateway, and the question already states subnet-b has a NAT gateway. Option C is wrong because there is no indication of firewall rules blocking traffic to googleapis.com; the issue is specifically about the subnet-level Private Google Access setting, not firewall rules.

67
MCQeasy

A developer is creating a Cloud Function that needs to access a Cloud SQL database. They have granted the function's service account the Cloud SQL Client role. However, the function still gets permission denied. What is the most likely issue?

A.The service account needs the Cloud SQL Admin role instead.
B.The Cloud SQL instance is not configured with an authorized network that includes the function's IP range, or the function is not using the Cloud SQL Auth proxy.
C.The function must use a VPN to connect to Cloud SQL.
D.The function needs to be in the same region as the Cloud SQL instance.
AnswerB

Networking must allow the connection via Cloud SQL Auth proxy.

Why this answer

Option B is correct because Cloud Functions reach Cloud SQL through the Cloud SQL Auth proxy, which requires the service account to hold the Cloud SQL Client role but also needs a network path to the instance: the function must be in the same VPC or configured with a VPC connector to reach a private IP, or the instance must have an authorized network when the connection uses the public IP. Given the options, the most likely cause is that the function is connecting over the public IP without a matching authorized network, or is not using the Cloud SQL Auth proxy at all.

Option A is wrong because the Cloud SQL Admin role is unnecessary; the Cloud SQL Client role is sufficient once networking is correct. Option C is wrong because Cloud SQL does not require a VPN when the Cloud SQL Auth proxy is used. Option D is wrong because the function and the instance do not need to share a region in order to connect.

68
MCQeasy

A company uses Organization Policies to restrict public IP addresses on Compute Engine instances. An engineer created a new project and cannot launch any instances because the organization policy denies external IPs. However, the engineer needs to launch a bastion host with an external IP. What should they do?

A.Request that the organization policy be removed at the org level.
B.Use a VM with a NAT gateway instead.
C.Add an exception to the organization policy for the project.
D.Create a new folder with a different policy and move the project.
AnswerC

Organization policies can be overridden at a lower level by adding an exception.

Why this answer

Option C is correct because organization policies can have exceptions set per project, with a project-level policy overriding the inherited constraint. Option B is a workaround rather than the direct fix: it avoids the external IP altogether, which may not meet the bastion requirement.

Option A is too broad, since it removes the control for the whole organization, and Option D is too drastic.

69
MCQeasy

A financial services company is deploying a new payment processing system on Google Cloud that must comply with PCI DSS. The system processes credit card data. The security team has implemented encryption at rest and in transit, and uses Private Google Access for VPC communication. During a PCI assessment, the assessor points out that the company is missing a critical control: the need to regularly scan the external IP addresses of the VMs for vulnerabilities. What should the company do to address this requirement?

A.Use Security Command Center Premium to perform vulnerability scanning.
B.Deploy Cloud IDS to perform active vulnerability scanning on external IPs.
C.Enable Cloud Armor to block all traffic and thus eliminate the need for scanning.
D.Set up a third-party vulnerability scanner (e.g., Nessus) from the Cloud Marketplace and run scans against external IPs.
AnswerD

A third-party ASV scanner is standard for PCI DSS.

Why this answer

Option D is correct because PCI DSS Requirement 11.2 mandates that external-facing IP addresses be scanned for vulnerabilities at least quarterly and after any significant change. Deploying a third-party scanner like Nessus from the Cloud Marketplace allows the company to run authenticated or unauthenticated scans against the external IPs of their VMs, meeting the specific requirement. Google Cloud does not provide a native active vulnerability scanning service for external IPs; Security Command Center Premium and Cloud IDS focus on asset discovery and threat detection, not active scanning of external endpoints.

Exam trap

Google Cloud often tests the misconception that Google Cloud's native security tools (like Security Command Center or Cloud IDS) can replace the need for a dedicated external vulnerability scanner, but PCI DSS explicitly requires active scanning of external IPs, which only a third-party or ASV scanner can perform.

How to eliminate wrong answers

Option A is wrong because Security Command Center Premium provides continuous monitoring, asset inventory, and findings from built-in scanners like Web Security Scanner, but it does not perform active vulnerability scanning of arbitrary external IP addresses; it relies on agent-based or API-based assessments for internal VMs. Option B is wrong because Cloud IDS is a network threat detection service that inspects traffic for malicious activity using packet mirroring, not an active vulnerability scanner that probes external IPs for CVEs. Option C is wrong because Cloud Armor is a web application firewall that blocks traffic based on rules, but it does not eliminate the need for vulnerability scanning; PCI DSS requires active scanning regardless of traffic filtering, and blocking all traffic would break the payment processing system.

70
MCQhard

A healthcare organization stores PHI in BigQuery tables with row-level access policies. They need to ensure that data is automatically de-identified when exported to Cloud Storage for analytics. What is the most scalable solution with minimal manual intervention?

A.Set up VPC Service Controls to prevent data exfiltration and rely on access controls.
B.Create a scheduled query in BigQuery that exports data using a view with de-identification functions.
C.Use Cloud DLP API to scan and de-identify the export file after it is written to Cloud Storage.
D.Use BigQuery data masking to define de-identification policies, then export the masked data directly.
AnswerD

Dynamic data masking applies policies at query time, automatically de-identifying exports.

Why this answer

Option D is correct because BigQuery data masking allows you to define column-level de-identification policies that are applied automatically at query time. When you export the masked data directly using an export job, the de-identification is enforced without additional scripting or post-processing, making it the most scalable and low-maintenance solution for PHI protection.

Exam trap

Google Cloud often tests the distinction between access control (VPC Service Controls) and data de-identification, leading candidates to choose network-level solutions (Option A) when the requirement is specifically about transforming the data content.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls prevent data exfiltration at the network perimeter but do not de-identify the data itself; the exported PHI would remain fully readable. Option B is wrong because scheduled queries that export via a view with de-identification functions require manual creation and maintenance of the view and the schedule, and the de-identification logic must be re-applied if the schema changes, increasing operational overhead. Option C is wrong because scanning and de-identifying the file after it is written to Cloud Storage introduces a window where raw PHI exists in the bucket, and it requires an additional DLP job that must be triggered and managed, reducing scalability and increasing latency.

71
MCQhard

A company uses Cloud KMS to protect encryption keys for various applications. They need to ensure that keys are automatically rotated every 90 days and that the rotation does not require re-encrypting all data. Which key type and rotation strategy should they use?

A.Use a symmetric key with automatic rotation period set to 90 days.
B.Use an asymmetric key and set the rotation period to 90 days.
C.Use an asymmetric key and manually create a new version every 90 days.
D.Use a symmetric key and manually create a new version every 90 days.
AnswerA

Symmetric keys support automatic rotation, and old versions remain for decryption.

Why this answer

Symmetric keys are used for encryption/decryption of data at rest, and Cloud KMS supports automatic key rotation by creating a new key version at a specified interval (e.g., 90 days). Because Cloud KMS uses key versions and the key material is never exposed, existing ciphertext remains decryptable using the old key version, so no re-encryption is required. This meets the requirement for automatic rotation without data re-encryption.

Exam trap

Google Cloud often tests the misconception that automatic rotation requires re-encrypting data, or that asymmetric keys are suitable for bulk encryption, leading candidates to choose manual rotation or asymmetric key options.

How to eliminate wrong answers

Option B is wrong because asymmetric keys are typically used for digital signatures or key exchange, not for bulk data encryption, and automatic rotation of asymmetric keys would require re-encrypting data or re-signing. Option C is wrong because manual creation of a new version every 90 days does not satisfy the requirement for automatic rotation, and asymmetric keys still do not avoid re-encryption for data encryption use cases. Option D is wrong because manual creation of a new version every 90 days is not automatic rotation; the requirement explicitly states 'automatically rotated'.
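To make the version mechanics in this explanation concrete, here is an added Python model (not Cloud KMS code, and it makes no KMS API calls): a key object with numbered versions, one primary version, scheduled rotation, and the version number bound into every ciphertext. The cipher inside is a constructed HMAC-based toy standing in for the AEAD Cloud KMS uses, so the point is the versioning behaviour, not the cryptography.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stand-in for a real AEAD (constructed for this illustration only):
    # an HMAC-SHA256 counter-mode keystream. Not for production use.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class CryptoKey:
    """Model of a Cloud KMS symmetric CryptoKey: several key versions, one primary."""
    rotation_period: timedelta
    created: datetime
    versions: dict = field(default_factory=dict)   # version number -> key material
    primary: int = 0
    next_rotation_time: datetime = None

    def __post_init__(self):
        self.rotate(self.created)   # version 1 is created together with the key

    def rotate(self, now: datetime) -> int:
        """Create a new version and make it primary. Older versions stay enabled,
        which is why ciphertext produced under them never needs re-encrypting."""
        self.primary += 1
        self.versions[self.primary] = os.urandom(32)
        self.next_rotation_time = now + self.rotation_period
        return self.primary

    def maybe_rotate(self, now: datetime):
        """Automatic rotation: fires once next_rotation_time has been reached."""
        return self.rotate(now) if now >= self.next_rotation_time else None

    def encrypt(self, plaintext: bytes) -> bytes:
        """Encrypt under the primary version; the version number is bound into the
        ciphertext, so decrypt never has to be told which version to use."""
        key, nonce = self.versions[self.primary], os.urandom(12)
        body = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
        tag = hmac.new(key, nonce + body, hashlib.sha256).digest()[:16]
        return self.primary.to_bytes(4, "big") + nonce + body + tag

    def decrypt(self, ciphertext: bytes) -> bytes:
        version = int.from_bytes(ciphertext[:4], "big")
        nonce, body, tag = ciphertext[4:16], ciphertext[16:-16], ciphertext[-16:]
        key = self.versions[version]   # KeyError if that version no longer exists
        expected = hmac.new(key, nonce + body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext integrity check failed")
        return _xor(body, _keystream(key, nonce, len(body)))


def demo() -> dict:
    """Walk through one 90-day rotation and report the facts worth checking."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    key = CryptoKey(rotation_period=timedelta(days=90), created=t0)
    secret = b"constructed sample plaintext"
    old_ct = key.encrypt(secret)                          # under version 1
    early = key.maybe_rotate(t0 + timedelta(days=89))     # too soon: None
    rotated = key.maybe_rotate(t0 + timedelta(days=90))   # creates version 2
    new_ct = key.encrypt(secret)                          # now under version 2
    tampered = new_ct[:-1] + bytes([new_ct[-1] ^ 0x01])   # flip a tag bit
    try:
        key.decrypt(tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "old_version": int.from_bytes(old_ct[:4], "big"),
        "new_version": int.from_bytes(new_ct[:4], "big"),
        "rotated_early": early,
        "rotated_on_schedule": rotated,
        "old_ciphertext_still_decrypts": key.decrypt(old_ct) == secret,
        "new_ciphertext_decrypts": key.decrypt(new_ct) == secret,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```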

72
Multi-Selecthard

Which THREE are valid considerations when designing cross-organization access for Cloud Storage? (Choose three.)

Select 3 answers
A.Uniform bucket-level access disables ACLs, simplifying cross-org access management.
B.Signed URLs require the requester pays configuration to be enabled.
C.You can grant IAM roles to a principal from another Google Cloud organization.
D.VPC Service Controls must be configured to allow cross-org IAM policies.
E.Organization Policy constraints can prevent sharing resources with external principals.
AnswersA, C, E

Uniform access ensures only IAM policies control access.

Why this answer

Uniform bucket-level access disables Access Control Lists (ACLs) and relies solely on IAM permissions for bucket access. This eliminates the complexity of managing both ACLs and IAM across organizations, making cross-org access management simpler and more consistent.

Exam trap

Google Cloud often tests the misconception that Signed URLs require requester pays, but in reality, they are independent features; the trap is confusing the cost-bearing mechanism with the access delegation mechanism.

73
MCQeasy

A financial institution wants to encrypt data in Cloud Storage using keys that they rotate monthly through Cloud KMS. Which key management option should they use?

A.Customer-Managed Encryption Keys (CMEK)
B.Google-managed encryption keys
C.Default encryption at rest
D.Customer-Supplied Encryption Keys (CSEK)
AnswerA

CMEK allows full control via Cloud KMS, including rotation.

Why this answer

Option A is correct: CMEK allows customers to manage and rotate keys in Cloud KMS. Option D (CSEK) requires the customer to supply the key with each request and does not support Cloud KMS rotation. Option B (Google-managed encryption keys) does not allow customer-controlled rotation.

Option C (default encryption at rest) uses Google-managed keys as well.

74
MCQeasy

An organization uses Cloud DLP to inspect BigQuery tables for sensitive data. They want to automatically remove credit card numbers before the data is accessed by analysts but still allow the raw data for auditing purposes. Which DLP technique should they use?

A.De-identification transform with masking
B.Re-identification transform with tokenization
C.De-identification transform with redact
D.De-identification transform with replacement
AnswerC

Redact completely removes the sensitive data from the output.

Why this answer

Option C is correct because the 'De-identification transform with redact' completely removes sensitive data (like credit card numbers) from the output, ensuring analysts never see the raw values while the original data remains intact in the source BigQuery table for auditing. This aligns with the requirement to automatically strip sensitive content before access, without altering the stored data.

Exam trap

Google Cloud often tests the distinction between 'redact' (complete removal) and 'masking' or 'replacement' (partial or substituted data), trapping candidates who confuse removal with obfuscation or who incorrectly think tokenization is a re-identification technique.

How to eliminate wrong answers

Option A is wrong because masking (e.g., showing only the last four digits) still exposes partial sensitive data, which violates the requirement to remove credit card numbers entirely from analyst access. Option B is wrong because re-identification transforms are not a DLP technique; tokenization is a de-identification method that replaces sensitive data with a token, but the question demands removal, not reversible replacement, and 're-identification' implies restoring the original, which is the opposite of the goal. Option D is wrong because replacement (e.g., substituting with a static value like 'REDACTED') still leaves a placeholder that could be confused with real data or inadvertently expose patterns, whereas redact completely omits the field or value, providing stricter removal.
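To show the difference this explanation draws between redact, mask and replace (and the tokenization mentioned in the earlier Cloud DLP question on this page), here is an added Python example that is not Cloud DLP code: a local credit card detector with a Luhn validator, and four transforms named after the DLP API configurations they imitate (RedactConfig, CharacterMaskConfig, ReplaceWithInfoTypeConfig, CryptoHashConfig). The sample text, the industry test card numbers and TOKEN_KEY are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample text; both numbers are published industry test cards,
# chosen because they pass a Luhn check. Not real account data.
SAMPLE = ("Order 1187 paid with card 4111 1111 1111 1111 "
          "(backup 5500-0000-0000-0004), contact ops@example.com")

# Assumed pseudonymization key (in Cloud DLP this would be a wrapped or KMS key).
TOKEN_KEY = b"constructed-demo-key-not-for-production"

# Candidate card numbers: 13 to 19 digits with optional space or dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the validator that separates a detector from a bare regex
    and keeps random digit runs such as order numbers from being flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str):
    """Yield (start, end, digits) for each Luhn-valid candidate in the text."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            yield m.start(), m.end(), digits


def _mask(digits: str, keep_last: int = 4) -> str:
    # CharacterMaskConfig style: hide everything but the trailing digits.
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def _tokenize(digits: str) -> str:
    # CryptoHashConfig style: keyed hash, stable for equal inputs, not reversible.
    return "tok_" + hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()[:16]


TRANSFORMS = {
    "redact": lambda digits: "",                        # RedactConfig: value dropped
    "mask": _mask,                                      # CharacterMaskConfig
    "replace": lambda digits: "[CREDIT_CARD_NUMBER]",   # ReplaceWithInfoTypeConfig
    "tokenize": _tokenize,                              # CryptoHashConfig
}


def deidentify(text: str, method: str) -> str:
    """Apply one transform to every detected card number. The input string is
    never modified, mirroring how the source table stays intact for auditing."""
    transform = TRANSFORMS[method]   # KeyError for an unsupported method name
    out, pos = [], 0
    for start, end, digits in find_cards(text):
        out.append(text[pos:start])
        out.append(transform(digits))
        pos = end
    out.append(text[pos:])
    return "".join(out)


if __name__ == "__main__":
    for method in TRANSFORMS:
        print(f"{method:>8}: {deidentify(SAMPLE, method)}")
```

Note that redact leaves no placeholder at all (two spaces remain around the gap), which is the property the explanation relies on, while mask and replace leave a visible trace of where the value was.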

75
MCQmedium

A company wants to allow a Compute Engine VM to access a Cloud SQL instance without exposing the SQL instance to the internet. The VM is in the same VPC but different subnet. Which configuration is required?

A.Use the Cloud SQL Proxy on the VM and a public IP for the Cloud SQL instance.
B.Configure VPC peering between the VM's subnet and the Cloud SQL instance's VPC.
C.Create a private IP for the Cloud SQL instance using Private Services Access, grant the VM's service account the Cloud SQL Client role, and ensure the VM is in the same VPC.
D.Add a firewall rule allowing ingress from the VM's IP to the Cloud SQL instance's internal IP.
AnswerC

This setup provides private connectivity and IAM authorization.

Why this answer

Option C is correct because Cloud SQL requires a Private Services Access connection for a private IP, and the VM's service account must hold the roles/cloudsql.client role to connect. Option A is wrong because the Cloud SQL Proxy can be used but requires a public IP on the instance if not connecting within the VPC. Option B is wrong because VPC peering alone does not grant IAM permissions.

Option D is wrong because a firewall rule is not sufficient without IAM.
