Google Professional Cloud Security Engineer (PCSE) — Questions 676–750

985 questions total · 14 pages · All types, answers revealed

Page 10 of 14
676 · MCQ · medium

An organization has a folder-level organization policy that enforces 'constraints/compute.requireShieldedVm'. A development team wants to create a test VM that does not use Shielded VM features. What is the correct approach?

A. Create the VM in a different folder that does not have the policy.
B. Use a custom role that bypasses the organization policy.
C. Override the organization policy at the project level to set the constraint to 'not enforce' for that project.
D. Create the VM with Shielded VM disabled; the policy will not apply to test projects.
Answer: C

Policy overrides at a lower level can change enforcement. The dev team should request an override.

Why this answer

Organization policies can be overridden at a lower level in the resource hierarchy using policy inheritance rules. The dev team should request an exemption for their project or folder by creating a policy override that sets the constraint to 'not enforce'. This must be done by a user with the appropriate organization policy administrator role.

677 · MCQ · easy

You need to grant a security auditor read-only access to all resources in a project, but they must not be able to view data within resources (e.g., table contents). Which predefined IAM role should you grant?

A. roles/iam.securityReviewer
B. roles/owner
C. roles/viewer
D. roles/editor
Answer: C

The Viewer role provides read-only access to resource configurations without access to the data those resources hold.

Why this answer

The roles/viewer role provides read-only access to view resource configurations but not data. For example, it allows listing Compute Engine instances but not connecting to them or reading data from BigQuery tables. The Security Reviewer role (roles/iam.securityReviewer) is similar but includes additional permissions; however, the question asks for read-only access without data access, and roles/viewer is the standard read-only role.

678 · MCQ · medium

A company has multiple GCP projects managed under a single organization node. They want to enforce that all Compute Engine VMs are created with Shielded VM features enabled. Which approach should they use?

A. Use the organization policy service with the constraint constraints/compute.requireShieldedVm at the organization level.
B. Run a gcloud command after each VM creation to enable Shielded VM.
C. Apply a deny policy that denies the compute.instances.create permission if Shielded VM is not enabled.
D. Create a custom IAM role that includes compute.instances.create permission and assign it to all users.
Answer: A

This constraint ensures all new VMs must have Shielded VM enabled.

Why this answer

Organization policies can enforce constraints across projects. The constraint constraints/compute.requireShieldedVm can be applied at the organization, folder, or project level to require Shielded VM on all new VMs. IAM roles don't enforce configuration, and gcloud commands are manual.

Deny policies are for permission denial, not resource configuration.

679 · MCQ · hard

A company needs to respond to a GDPR data subject deletion request for a user's data stored across BigQuery and Cloud Storage. The data must be completely erased upon request. What is the most effective approach to ensure compliance?

A. Use Cloud DLP to identify the user's data across services, delete the data using API calls, and verify deletion with Cloud Audit Logs
B. Set up BigQuery time-based table expiration and Cloud Storage lifecycle policies with a 1-day deletion rule
C. Use Cloud Identity-Aware Proxy to block the user's access and mark the data as deleted
D. Enable Access Transparency logs and request Google to delete the data on their behalf
Answer: A

Cloud DLP discovers data locations, deletion APIs remove data, and audit logs confirm deletion, meeting GDPR requirements.

Why this answer

Option A is correct because Cloud DLP can be used to inspect and classify the user's data across BigQuery and Cloud Storage, then you can programmatically delete the identified data via API calls. Cloud Audit Logs provide a verifiable record that the deletion was performed, which is essential for demonstrating compliance with GDPR's right to erasure.

Exam trap

Google Cloud often tests the misconception that access control mechanisms (like IAP) or automated lifecycle policies can substitute for actual data deletion, but GDPR requires complete erasure of the specific data subject's information, not just blocking access or delayed removal.

How to eliminate wrong answers

Option B is wrong because time-based table expiration and lifecycle policies are automated deletion mechanisms that cannot target a specific user's data on demand; they delete entire tables or objects based on age, not in response to an individual deletion request. Option C is wrong because Cloud Identity-Aware Proxy controls access but does not delete data; marking data as deleted without actual erasure fails GDPR's requirement for complete removal. Option D is wrong because Access Transparency logs only provide visibility into Google's access to your data, and requesting Google to delete data on your behalf is not a supported mechanism for customer-managed data in BigQuery or Cloud Storage.

680 · MCQ · hard

An organization uses Binary Authorization with a GKE cluster that enforces attestation. A developer builds a container and pushes it to Artifact Registry. The image must be signed before it can be deployed. Which steps are required to allow this image to run on the cluster?

A. Push the image to Artifact Registry and allow the Binary Authorization policy to automatically sign it.
B. Configure the cluster to allow all images by setting the policy to 'Allow All' for the developer's namespace.
C. Sign the image using Cloud KMS and an attestor, then create a signed attestation in Container Analysis, and deploy the image.
D. Use the Binary Authorization API to create an attestation by specifying the image URL and the attestor, then deploy.
Answer: C

This is the correct workflow: sign the image digest with the attestor's key, store the attestation as a note in Container Analysis, and the policy will verify it.

Why this answer

Binary Authorization requires a signed attestation from a trusted attestor whose signing key is held in Cloud KMS. The image digest must be signed using the private key associated with the attestor, and the attestation is typically stored as a note in Container Analysis. Simply having a vulnerability scan or pushing the image without signing will not satisfy the policy.

681 · Multi-Select · medium

Your company needs to implement real-time monitoring of security events from Google Cloud resources. They want to ingest logs into a third-party SIEM system. Which two services should they use together? (Choose two.)

Select 2 answers
A. Cloud Storage export
B. Cloud Logging log sink with Pub/Sub destination
C. Chronicle SIEM
D. BigQuery export
E. Pub/Sub subscription with a subscriber pulling logs
Answers: B, E

This enables streaming logs to Pub/Sub for real-time consumption.

Why this answer

Cloud Logging can export logs to Pub/Sub, and a subscriber (SIEM connector) can ingest them. Chronicle is a Google SIEM, but the question asks for third-party SIEM integration.

682 · MCQ · hard

A company has a multi-project setup with a shared VPC. They want to centrally audit all firewall rule changes. What is the most efficient way?

A. Create a log sink in each project that routes firewall-related logs to a Cloud Storage bucket and then aggregate.
B. Enable VPC Flow Logs on all subnets.
C. Export Admin Activity audit logs to a centralized project's BigQuery dataset.
D. Use Cloud Asset Inventory with IAM policy change feed.
Answer: C

Admin Activity logs include firewall rule changes; BigQuery enables efficient querying.

Why this answer

Option C is correct. Exporting Admin Activity audit logs to a centralized BigQuery dataset allows querying all firewall rule changes across projects. Option B is incorrect because VPC Flow Logs capture network traffic, not rule changes. Option D is incorrect because Cloud Asset Inventory can track assets but does not track real-time changes efficiently. Option A is less efficient than a single export to BigQuery.

683 · MCQ · medium

Your organization uses Shared VPC with a host project and several service projects. You need to ensure that all egress traffic from Compute Engine instances in a service project is routed through a centralized Cloud NAT in the host project. What is the required configuration?

A. Create a firewall rule in the host project that denies all egress traffic except to the Cloud NAT IP
B. Set the instances to use a custom route with next-hop as the Cloud NAT IP address
C. Configure a Cloud NAT on the Cloud Router in the host project for the subnet that is shared with the service project
D. Configure a Cloud NAT in each service project and associate it with the subnet that the instances use
Answer: C

Correct: In Shared VPC, the host project owns the subnets. Cloud NAT on the host project's router for those subnets will handle egress for all instances in those subnets, including those from service projects.

Why this answer

Option C is correct because a Cloud NAT configured on the Cloud Router in the host project for the shared subnet allows all Compute Engine instances in service projects attached to that subnet to use the host project's NAT IP for outbound traffic. This is the only way to centralize egress traffic through the host project's Cloud NAT while respecting Shared VPC architecture, as the NAT is tied to the subnet and Cloud Router in the host project.

Exam trap

Google Cloud often tests the misconception that a Cloud NAT must be configured in the same project as the instances, but in Shared VPC, the NAT is configured in the host project for the shared subnet, and service project instances automatically use it without any additional configuration.

How to eliminate wrong answers

Option A is wrong because firewall rules in the host project cannot selectively deny egress traffic for instances in a service project; firewall rules are applied per VPC network, not per project, and a deny-all-egress rule would block all outbound traffic, including legitimate responses, and does not route traffic through Cloud NAT. Option B is wrong because a custom route with next-hop as the Cloud NAT IP address is invalid; Cloud NAT is not a routable next-hop IP — it is a translation function on the Cloud Router, and instances must use the default route (0.0.0.0/0) to reach the internet via the NAT gateway. Option D is wrong because configuring a Cloud NAT in each service project would create separate NAT gateways, defeating the requirement for centralized egress through the host project's Cloud NAT.

684 · MCQ · easy

An organization's security policy requires that all audit logs be stored in a separate project for centralized monitoring. Which Google Cloud service should be used to aggregate logs from multiple projects?

A. Cloud Monitoring
B. Cloud Audit Logs
C. Security Command Center
D. Cloud Logging with log sinks
Answer: D

Log sinks can aggregate logs from multiple projects to a centralized destination.

Why this answer

Option D is correct because Cloud Logging log sinks can be configured to route logs from multiple projects to a common destination such as a Cloud Storage bucket or BigQuery dataset in a separate project. Option A is for metrics and alerting, not log aggregation. Option B is a type of log, not a service. Option C is for security findings and compliance, not log aggregation.

685 · Multi-Select · medium

A company wants to deploy a web application with a global load balancer and needs to configure SSL/TLS termination. They want to use a certificate from their own CA and have the ability to manage multiple certificates for different domains. Which THREE steps should they take?

Select 3 answers
A. Ensure the certificate chain includes intermediate CA certificates
B. Set up a Cloud DNS zone with DNSSEC
C. Create a Certificate Manager certificate resource and map it to the load balancer
D. Upload the PEM certificate to the load balancer as a self-managed certificate
E. Use a Google-managed certificate for automatic renewal
Answers: A, C, D

For self-managed certificates, the full chain (leaf, intermediates) must be uploaded for the load balancer to trust the certificate.

Why this answer

To use self-managed certificates with a load balancer, you can upload the PEM file directly to the load balancer, or use Certificate Manager to manage multiple certificates. The steps: create a Certificate Manager certificate resource with your PEM, map it to the load balancer target, and ensure the certificate is properly uploaded. Self-managed certificates require manual renewal, so you need to monitor expiration.

686 · MCQ · hard

A security team uses Security Command Center Premium to detect threats. They want to receive real-time notifications when a finding of type 'Threat' with severity 'CRITICAL' or 'HIGH' is created. Which approach should they use?

A. Use BigQuery to query SCC findings and schedule a query that pushes results to Pub/Sub.
B. Create a log sink to export SCC findings to Pub/Sub and then filter using Cloud Functions.
C. Create an SCC notification config with a filter for threat type and severity levels, sending to a Pub/Sub topic.
D. Enable Event Threat Detection and configure it to send alerts via email.
Answer: C

This is the standard way to get real-time notifications for specific findings.

Why this answer

SCC Premium provides built-in Pub/Sub notifications for findings. You can configure notification configs with filters to receive only specific finding types and severities. There is no need to export to BigQuery or use Cloud Functions to poll; the notification config pushes to a Pub/Sub topic.

687 · Multi-Select · medium

A company wants to enforce that all Compute Engine instances are created with a specific set of tags for compliance. They also want to audit any changes to firewall rules. Which two Google Cloud services or features should they use? (Choose TWO.)

Select 2 answers
A. Cloud Deployment Manager
B. Cloud IAM
C. Cloud Monitoring
D. Cloud Audit Logs
E. Organization Policy Service
Answers: D, E

Organization Policy enforces the tag requirement at creation time, and Cloud Audit Logs record changes to firewall rules for auditing.

Why this answer

Organization policies can enforce VM creation with tags via a custom constraint. Cloud Audit Logs can log changes to firewall rules for auditing. IAM is for permissions, not enforcement.

Cloud Monitoring is for metrics. Cloud Deployment Manager is for infrastructure deployment but not continuous enforcement.

688 · MCQ · medium

A developer needs to create a custom IAM role that allows only a specific set of permissions for managing Cloud SQL instances. The role should be available at the organization level. Which command should they use?

A. gcloud iam roles create ROLE_ID --organization=ORGANIZATION_ID --file=role.yaml
B. gcloud projects add-iam-policy-binding PROJECT_ID --member=... --role=...
C. gcloud iam service-accounts create SA_NAME --display-name=...
D. gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member=... --role=...
Answer: A

This command creates a custom role at the organization level using a YAML file with permissions defined.

Why this answer

Custom roles can be created at the organization level using the 'gcloud iam roles create' command with the '--organization' flag (or '--org' for short). The role is defined in a YAML file that specifies the permissions. The 'gcloud organizations add-iam-policy-binding' is used to assign roles, not create them.

The 'gcloud iam service-accounts create' is for service accounts. The 'gcloud projects add-iam-policy-binding' is for project-level IAM bindings.

689 · MCQ · easy

A company wants to protect its HTTP(S) Load Balancer from common web attacks like SQL injection and cross-site scripting. Which Google Cloud service should they use?

A. Identity-Aware Proxy (IAP)
B. Cloud Armor
C. VPC Service Controls
D. Cloud CDN
Answer: B

Cloud Armor offers WAF rules to block common web attacks.

Why this answer

Cloud Armor is the correct service because it provides web application firewall (WAF) capabilities that can inspect HTTP(S) traffic and filter out common web attacks such as SQL injection and cross-site scripting (XSS). It integrates directly with HTTP(S) Load Balancers to enforce security policies at the edge, blocking malicious requests before they reach backend instances.

Exam trap

The trap here is that candidates may confuse Cloud Armor with IAP because both involve security at the load balancer, but IAP handles authentication and authorization, not web application attack filtering.

How to eliminate wrong answers

Option A is wrong because Identity-Aware Proxy (IAP) is used for identity-based access control and authentication, not for inspecting HTTP payloads or blocking web application attacks like SQL injection or XSS. Option C is wrong because VPC Service Controls are designed to prevent data exfiltration by controlling access to Google Cloud APIs and services using perimeters, not for filtering application-layer traffic at the load balancer. Option D is wrong because Cloud CDN is a content delivery network that caches static and dynamic content to improve latency and reduce load, and it does not include a WAF or any capability to inspect or block malicious HTTP requests.

690 · MCQ · medium

A security engineer wants to export Cloud Audit Logs to a third-party SIEM in real time. Which log sink destination should they configure?

A. Pub/Sub
B. BigQuery
C. Cloud Storage
D. Logging bucket
Answer: A

Pub/Sub enables real-time streaming of logs to a SIEM via a push subscription.

Why this answer

To export logs in real time, configure a log sink with a Pub/Sub topic as the destination. The SIEM can then subscribe to that topic.

691 · MCQ · medium

A security engineer runs the above query in BigQuery and finds a column containing Social Security Numbers (SSNs). They must ensure that all SSNs in the dataset are automatically encrypted at rest using customer-managed keys (CMEK) and also that future queries do not expose SSNs to users without decryption access. Which approach should they take?

A. Use BigQuery with CMEK on the dataset and create a separate table with encrypted columns.
B. Use Cloud DLP to de-identify the data in the table and then restrict access to the de-identified column.
C. Use Cloud KMS to encrypt the column values and store the encrypted data in BigQuery.
D. Enable CMEK on the dataset, create an authorized view that excludes the sensitive column, and grant view access to users.
Answer: D

CMEK secures data at rest, and authorized views limit exposure.

Why this answer

Option D is correct because enabling CMEK on the dataset ensures all data, including SSNs, is encrypted at rest with customer-managed keys. Creating an authorized view that excludes the sensitive column and granting view access to users prevents exposure of SSNs in query results while still allowing access to non-sensitive data. This approach meets both the encryption and access control requirements without requiring manual encryption or de-identification.

Exam trap

Google Cloud often tests the misconception that manual encryption (e.g., Cloud KMS or DLP) is required for column-level protection, when in fact BigQuery's native CMEK combined with authorized views provides automatic encryption at rest and access control without custom encryption logic.

How to eliminate wrong answers

Option A is wrong because creating a separate table with encrypted columns does not automatically encrypt existing SSNs at rest; CMEK on the dataset encrypts all data at rest, but the separate table approach adds complexity and does not prevent future queries from exposing SSNs unless access is restricted. Option B is wrong because Cloud DLP de-identifies data (e.g., masking or tokenization) but does not encrypt at rest with CMEK; it also does not prevent users with direct table access from querying the original SSNs if the de-identified column is separate. Option C is wrong because using Cloud KMS to encrypt column values and storing encrypted data in BigQuery requires manual encryption/decryption logic in queries, which is error-prone and does not leverage BigQuery's native CMEK for automatic encryption at rest; it also fails to prevent exposure if users have access to the raw encrypted data.

692 · Multi-Select · hard

Which THREE of the following are required to enable VPC Flow Logs for a subnet? (Choose THREE.)

Select 3 answers
A. A subnet in the VPC
B. Setting the subnet's flow logs configuration to ON
C. A VPC network
D. A sample rate
E. An aggregation interval
Answers: A, B, C

Flow logs are per-subnet.

Why this answer

A subnet in the VPC is required because VPC Flow Logs capture IP traffic metadata at the subnet level. Without a subnet, there is no network segment to monitor, as flow logs are associated with a specific subnet within a VPC.

Exam trap

Google Cloud often tests the distinction between required components (subnet, VPC, flow logs ON) and optional tuning parameters (sample rate, aggregation interval), leading candidates to mistakenly select the latter as mandatory.

693 · MCQ · hard

Refer to the exhibit. Based on the exhibit, the corporate security policy requires that all Cloud KMS symmetric keys have automatic rotation enabled. Which statement is true?

A. Both keys are compliant.
B. Neither key is compliant.
C. Only the encryption-key is compliant.
D. Only the decryption-key is compliant.
Answer: C

Encryption-key has a rotation period; decryption-key does not.

Why this answer

The corporate security policy requires automatic rotation for all Cloud KMS symmetric keys. In the exhibit, the 'encryption-key' has automatic rotation enabled (as indicated by the rotation period being set), while the 'decryption-key' does not have automatic rotation enabled (rotation period is not set or is disabled). Therefore, only the encryption-key is compliant with the policy.

Exam trap

Google Cloud often tests the distinction between keys that have rotation enabled versus those that are simply created with a rotation period set to a non-zero value, tricking candidates into assuming all keys in a key ring are automatically rotated.

How to eliminate wrong answers

Option A is wrong because not both keys are compliant; the decryption-key lacks automatic rotation. Option B is wrong because the encryption-key does have automatic rotation enabled, so it is compliant. Option D is wrong because the decryption-key does not have automatic rotation enabled, making it non-compliant rather than the only compliant key.

694 · MCQ · medium

A company wants to enforce that no Compute Engine firewall rule in any project under an organization can have a source range of 0.0.0.0/0 for RDP (port 3389). Which approach should be used?

A. Apply a hierarchical firewall policy at the organization level that denies ingress on port 3389 from 0.0.0.0/0.
B. Create a Cloud IDS rule to block RDP traffic.
C. Create a VPC firewall rule with priority 0 to deny RDP from 0.0.0.0/0 in each project.
D. Use organization policy with constraint `compute.skipDefaultNetworkCreation` set to true.
Answer: A

Hierarchical firewall policies are enforced across all VPCs under the organization and cannot be overridden.

Why this answer

Use a hierarchical firewall policy at the organization level that denies ingress traffic on port 3389 from any source (0.0.0.0/0). Hierarchical policies are inherited and cannot be overridden by lower-level firewall rules.

695 · Multi-Select · hard

A security engineer needs to enforce column-level masking on a BigQuery table such that: (1) users with role 'data_analyst' see masked values, (2) users with role 'data_scientist' see plaintext values, and (3) the masking is applied automatically without modifying the underlying table. Which three components must they configure? (Choose 3)

Select 3 answers
A. IAM roles (e.g., roles/bigquery.maskedReader)
B. BigQuery Data Policy with masking rule
C. Cloud KMS key for column encryption
D. Data Catalog taxonomy with policy tags
E. Cloud DLP de-identification job
Answers: A, B, D

Why this answer

BigQuery column-level security uses: a Data Catalog taxonomy to define policy tags, a BigQuery Data Policy that specifies masking rules (e.g., hash, nullify) associated with the policy tag, and IAM roles (e.g., BigQuery Masked Reader) to grant access to masked data. The taxonomy contains the policy tags, the data policy defines the masking rule, and IAM controls who sees masked vs. plaintext.

696 · MCQ · hard

A healthcare organization is migrating sensitive patient data to Google Cloud and must comply with HIPAA. They plan to use Cloud SQL for MySQL with CMEK for encryption at rest. The security team is concerned about key management and access logging. Which additional measure should be implemented to meet HIPAA audit requirements?

A. Configure VPC Service Controls to restrict access to the Cloud SQL instance.
B. Use Cloud DLP to de-identify the data before storing it in Cloud SQL.
C. Enable Data Access audit logs for the Cloud SQL instance and Cloud KMS key.
D. Store the CMEK keys in Cloud HSM to meet FIPS 140-2 Level 3 requirements.
Answer: C

Data Access audit logs record all accesses to data and keys, satisfying HIPAA audit trail requirements.

Why this answer

Option C is correct because HIPAA audit requirements mandate that access to protected health information (PHI) and the keys protecting it must be logged. Enabling Data Access audit logs on both the Cloud SQL instance and the Cloud KMS key captures read, write, and administrative operations, providing the necessary audit trail for compliance. Without these logs, the organization cannot demonstrate who accessed the data or the encryption keys, which is a core HIPAA requirement.

Exam trap

Google Cloud often tests the distinction between security controls that prevent access (like VPC Service Controls or HSM) and controls that provide auditability (like Data Access audit logs), leading candidates to pick a security measure that does not fulfill the specific audit requirement.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls restrict data exfiltration and access boundaries but do not generate the detailed audit logs required by HIPAA for tracking access to PHI and encryption keys. Option B is wrong because Cloud DLP de-identifies data before storage, which can reduce compliance scope but does not address the audit logging requirement for key management and data access. Option D is wrong because storing CMEK keys in Cloud HSM meets FIPS 140-2 Level 3 for key security but does not provide the access logging needed to satisfy HIPAA audit requirements.

697 · MCQ · easy

What is the default grace period before Cloud KMS permanently destroys a key version that has been scheduled for destruction?

A. 24 hours
B. 7 days
C. Immediate destruction with no grace period
D. 30 days
Answer: A

The default pending destruction period is 24 hours.

Why this answer

When a key version is disabled and scheduled for destruction, there is a 24-hour pending destruction grace period by default. During this time, the key can be restored. After 24 hours, the key version is permanently destroyed.

698 · Multi-Select · easy

A company must ensure that all data stored in Google Cloud remains within specific geographic regions to meet data residency regulations. Which TWO methods enforce data location restrictions? (Choose TWO.)

Select 2 answers
A. VPC Service Controls
B. Cloud Data Loss Prevention scan
C. Organization Policy constraints (constraints/gcp.resourceLocations)
D. Cloud Storage bucket custom locations (e.g., US, EU)
E. Cloud Interconnect
Answers: C, D

This policy limits resource creation to specified locations, enforcing data residency.

Why this answer

Option C is correct because Organization Policy constraints, specifically `constraints/gcp.resourceLocations`, allow administrators to define a list of allowed geographic locations (e.g., `in:us-central1` or `in:europe-west1`) where Google Cloud resources can be created. This policy is enforced at the project, folder, or organization level, preventing resource creation outside the permitted regions, which directly addresses data residency requirements.

Exam trap

Google Cloud often tests the distinction between data location enforcement (Organization Policy constraints) and data access control (VPC Service Controls), causing candidates to mistakenly choose VPC Service Controls for geographic restrictions.

699 · MCQ · medium

A company uses Cloud Armor to protect an external HTTPS load balancer. They want to block requests from a specific IP address range 198.51.100.0/24, but allow all other traffic. After creating a deny rule with the source IP condition, they notice that requests from that range are still reaching the backend. What is the most likely cause?

A. Another rule with a lower priority number that allows all traffic is overriding the deny rule.
B. The rule action is set to 'allow' instead of 'deny'.
C. Cloud Armor cannot block traffic based on source IP; it only supports geographic and header-based conditions.
D. The rule uses the wrong match syntax, such as 'sourceIpRange' instead of 'inIpRange'.
Answer: A

Rules are evaluated in priority order; the lower number wins. A default allow rule with priority 1000 might override a deny rule that has a higher priority number.

Why this answer

In Cloud Armor, rules are evaluated in order of priority, where lower priority numbers indicate higher precedence. If a rule with a lower priority number (e.g., 1000) allows all traffic, it will be evaluated before a deny rule with a higher priority number (e.g., 2000), causing the deny rule to be overridden. This is the most likely reason the specific IP range is still reaching the backend despite the deny rule being created.

Exam trap

Google Cloud often tests the concept that priority numbers in Cloud Armor are evaluated from lowest to highest, and candidates mistakenly think a deny rule with a higher priority number will take precedence over an allow rule with a lower priority number.

How to eliminate wrong answers

Option B is wrong because if the rule action were set to 'allow' instead of 'deny', it would explicitly permit the traffic, not block it, but the question states the rule was created to deny, so this is a misconfiguration that would be obvious and not the most likely subtle cause. Option C is wrong because Cloud Armor fully supports source IP-based blocking using conditions like 'inIpRange' or source IP ranges in security policies, not just geographic or header-based conditions. Option D is wrong because Cloud Armor uses the 'sourceIpRange' syntax correctly for IP-based conditions; 'inIpRange' is not a valid match syntax in Cloud Armor rules, so this would cause a syntax error rather than silently allowing traffic.

700 · MCQ · medium

A company wants to enforce that all Compute Engine disk encryption uses keys managed by their own HSM on-premises, with keys provided per API call. Which encryption type should they choose when creating a persistent disk?

A. Google-managed encryption (GMEK)
B. Cloud HSM-backed keys
C. Customer-supplied encryption (CSEK)
D. Customer-managed encryption (CMEK) with Cloud KMS
Answer: C

Keys are provided per API call; Google does not store them.

Why this answer

CSEK (Customer-Supplied Encryption Keys) allows you to provide your own key with each API call, and Google never stores the key. This is appropriate for on-premises HSM integration.

701 · MCQ · easy

Your organization has a multi-project environment with centralized logging in a dedicated project (logging-project). All VPC Service Controls perimeters are configured correctly. The security team needs to ensure that all audit logs from all projects are retained for 5 years and cannot be deleted or modified by any project administrator. They also want to restrict access to the logs to only the security team members (who have the 'Security Reviewer' role at the organization level). Currently, each project has its own log sink that exports to a BigQuery dataset in logging-project. The security team notices that some project administrators have inadvertently deleted logs from their project's BigQuery dataset. You need to recommend a solution that prevents log deletion and enforces the retention policy. What should you do?

A. Configure the log sinks to export logs to a Cloud Storage bucket with a lifecycle rule that deletes objects after 5 years. Set the bucket's IAM policy to deny the storage.objects.delete permission to all users except the security team.
B. Create a new BigQuery dataset in logging-project with a table expiration of 5 years and configure the log sinks to export to this dataset. Grant the security team the BigQuery Data Viewer role and revoke all other users' access to the dataset.
C. Create a new organization-level log sink that exports logs to a BigQuery dataset in logging-project. Grant the security team the BigQuery Data Owner role on the dataset and remove all other project administrators from the dataset's permissions.
D. Configure the _Required and _Default log buckets in each project to route logs to a Cloud Storage bucket in logging-project using log sinks. Enable Object Hold and set a retention policy of 5 years on the bucket. Grant the security team the Storage Object Admin role on the bucket.
Answer: D

Correct: Cloud Storage retention policies and Object Hold prevent deletion or modification of objects during the retention period. This centralizes logs and enforces retention.

Why this answer

Option D is correct because it uses a Cloud Storage bucket with a retention policy and Object Hold to prevent deletion or modification of logs for 5 years. The retention policy enforces a minimum retention period, and Object Hold prevents object deletion even by project administrators. Log sinks from each project's _Required and _Default log buckets route logs to this bucket, ensuring centralized, immutable storage.

Granting the security team Storage Object Admin allows them to manage the bucket while restricting others.

Exam trap

Google Cloud often tests the misconception that BigQuery datasets can enforce immutability or that lifecycle rules alone prevent user deletion, when in fact Cloud Storage retention policies and Object Hold are required for true write-once-read-many (WORM) compliance.

How to eliminate wrong answers

Option A is wrong because a lifecycle rule that deletes objects after 5 years does not prevent deletion by users; it only automates deletion after the period, and denying storage.objects.delete to all except security team is not sufficient because project administrators could still delete objects if they have other permissions (e.g., Storage Admin) that override the deny. Option B is wrong because BigQuery datasets do not support immutable retention policies or object-level locks; table expiration only deletes data after 5 years but does not prevent deletion or modification by dataset owners or project administrators with BigQuery Data Editor or Owner roles. Option C is wrong because an organization-level log sink exports logs to BigQuery, which lacks immutability features; granting BigQuery Data Owner to security team still allows other users with inherited roles (e.g., project-level BigQuery Admin) to modify or delete data, and removing project administrators from dataset permissions does not prevent deletion by those with higher-level roles.

702
MCQ · medium

A government contractor needs to deploy workloads on GCP that meet FedRAMP High baseline requirements. They want to enforce resource location restrictions and access controls for Google personnel. Which product should they use?

A. Cloud Security Command Center
B. VPC Service Controls
C. Organization Policies
D. Assured Workloads
Answer: D

Assured Workloads creates a folder with built-in compliance controls, including resource location, personnel access, and encryption requirements for FedRAMP High.

Why this answer

Assured Workloads provides compliance-focused folders that enforce location restrictions, personnel access controls, and other controls specific to the chosen regime (e.g., FedRAMP High).

703
MCQ · easy

Which feature of Cloud Armor uses machine learning to detect and block distributed denial-of-service (DDoS) attacks?

A. Security policies
B. Rate limiting
C. Preconfigured WAF rules
D. Adaptive Protection
Answer: D

Adaptive Protection uses ML for DDoS detection.

Why this answer

Cloud Armor Adaptive Protection uses ML to model normal traffic and detect anomalous patterns indicative of DDoS attacks.

704
MCQ · easy

Which Security Command Center tier includes Event Threat Detection and Container Threat Detection?

A. Premium tier
B. Standard tier
C. Basic tier
D. Enterprise tier
Answer: A

Premium tier includes Event Threat Detection, Container Threat Detection, VM Threat Detection, Rapid Vulnerability Detection, and Compliance monitoring.

Why this answer

Premium tier adds threat detection services beyond the Standard tier's health analytics and scanner.

705
MCQ · medium

An organization uses VPC Service Controls to protect BigQuery. They want to test a new access level that allows access only from a specific IP range before enforcing it. Which mode should they use?

A. Dry-run mode
B. Audit mode
C. Enforced mode
D. Preview mode
Answer: A

Dry-run mode logs violations but does not block them.

Why this answer

Dry-run mode allows testing perimeters without enforcement, logging violations for review.

706
MCQ · medium

A company is using Cloud DLP to inspect a BigQuery table containing customer PII. They want to redact all credit card numbers found in a column by replacing them with a token that preserves the format (e.g., last 4 digits visible). Which de-identification transform should they use?

A. MaskingConfig with a masking character
B. DateShiftConfig
C. BucketingConfig
D. CryptoReplaceFfxFpeConfig
Answer: D

FPE preserves the format and can keep last 4 digits visible.

Why this answer

CryptoReplaceFfxFpeConfig performs format-preserving encryption (FPE), which can replace a value with a token that retains the format, such as last 4 digits visible.

707
MCQ · medium

An organization needs to enforce a TLS minimum version of 1.2 for all traffic to their HTTPS load balancers. They have multiple load balancers serving different domains. Which Google Cloud feature should they use?

A. Use a global network endpoint group (NEG) with an SSL policy.
B. Create an SSL policy with TLS 1.2 as the minimum version and attach it to the target HTTPS proxy.
C. Create a Cloud Armor security policy with a rule to block TLS 1.0 and 1.1.
D. Configure the backend instances to reject TLS 1.0 and 1.1 connections.
Answer: B

Correct: SSL policies define TLS profiles and can enforce minimum TLS version.

Why this answer

SSL policies allow you to configure the minimum TLS version and cipher suites for HTTPS load balancers. You can create an SSL policy with TLS 1.2 as the minimum and attach it to the target HTTPS proxy of each load balancer.

708
MCQ · medium

A company uses multiple Google Cloud projects. A service account in Project A needs to read data from a Cloud Storage bucket in Project B. What is the correct way to grant access?

A. Make the bucket publicly accessible and use signed URLs.
B. Grant the service account the Project Viewer role on Project B.
C. Add the service account as a member of Project B with the Storage Object Viewer role.
D. Add the service account as a member of the bucket's IAM policy with the Storage Object Viewer role.
Answer: D

This grants least-privilege access specifically to the bucket.

Why this answer

Option D is correct because Cloud Storage uses IAM policies at the resource (bucket) level to grant cross-project access. By adding the service account from Project A as a member of the bucket's IAM policy in Project B with the Storage Object Viewer role, you grant the service account read-only access to objects in that bucket without requiring membership in Project B itself. This follows the principle of least privilege and avoids unnecessary project-level permissions.

Exam trap

The trap here is that candidates often confuse project-level IAM roles with resource-level IAM roles, assuming that adding a service account as a member of the target project is necessary, when in fact Cloud Storage supports direct resource-level IAM binding for cross-project access.

How to eliminate wrong answers

Option A is wrong because making the bucket publicly accessible exposes data to the entire internet, which violates security best practices and is unnecessary for granting access to a specific service account. Option B is wrong because the Project Viewer role grants read-only access to all resources in Project B, which is overly permissive and does not specifically grant access to the bucket's objects. Option C is wrong because adding the service account as a member of Project B with the Storage Object Viewer role grants the role at the project level, which applies to all buckets in Project B, violating least privilege and potentially granting unintended access.

709
MCQ · easy

Which of the following is a key advantage of using Workload Identity Federation over service account keys for authenticating workloads running on AWS?

A. It allows the use of short-lived tokens instead of long-lived keys.
B. It eliminates the need to create service accounts.
C. It supports MFA for workload authentication.
D. It reduces latency compared to using keys.
Answer: A

Short-lived tokens reduce risk of key exposure.

Why this answer

Workload Identity Federation allows workloads to use short-lived tokens from the external identity provider (e.g., AWS STS) to impersonate a Google service account, eliminating the need to manage and rotate long-lived keys. Service account keys are long-lived secrets that can be leaked.

710
Multi-Select · easy

Which TWO of the following are valid ways to grant cross-project access to a Cloud Storage bucket in Project A from a Compute Engine VM in Project B?

Select 2 answers
A. Disable uniform bucket-level access on the bucket and add an ACL entry for the VM's service account.
B. Grant the VM's service account (from Project B) the roles/storage.objectViewer role on the bucket in Project A.
C. Grant the VM's user account the roles/storage.objectViewer role on the bucket, and have the VM use gcloud with the user's credentials.
D. Use an IAM condition on the bucket that allows access only when the requester is the service account from Project B.
E. Provide the bucket's service account key to the VM and have the VM use that key for authentication.
Answers: B, D

Direct role grant to the service account is valid.

Why this answer

Option B is correct because granting the VM's service account the roles/storage.objectViewer role on the bucket in Project A uses IAM-based cross-project access. IAM roles are the recommended method for granting access to resources across projects, as they allow a service account from one project to be granted permissions on resources in another project without needing to share keys or disable uniform bucket-level access.

Exam trap

Google Cloud often tests the misconception that ACLs or sharing service account keys are valid cross-project access methods, when in fact IAM roles and IAM conditions are the only supported mechanisms for granting cross-project access to Cloud Storage buckets.

711
MCQ · medium

A service provider wants to expose an internal service to external consumers in a controlled manner, without giving them direct access to the VPC. Which Google Cloud service should be used?

A. Private Service Connect
B. Cloud VPN
C. Cloud NAT
D. VPC Peering
Answer: A

PSC enables publishing services with private connectivity.

Why this answer

Private Service Connect allows service providers to publish their services via PSC endpoints, which consumers can access privately from their own VPCs without traversing the internet.

712
MCQ · medium

A company is deploying a multi-region application in Cloud Run and must comply with data residency requirements in the European Union (EU). They want to ensure that only EU-based Cloud Run instances are created. Which approach should they use?

A. Add a label to the Cloud Run service specifying the region and rely on developers to follow it.
B. Set an Organization Policy with constraints/gcp.resourceLocations to restrict allowed regions to EU regions.
C. Use VPC Service Controls to limit access to the Cloud Run service from outside the EU.
D. Configure VPC Firewall rules to only allow egress to EU IP addresses.
Answer: B

This policy will prevent creation of Cloud Run services outside the allowed regions.

Why this answer

Option B is correct because Organization Policies with the `constraints/gcp.resourceLocations` constraint allow administrators to enforce a list of allowed Google Cloud regions for resource creation. By setting this policy to include only EU-based regions (e.g., `europe-west1`, `europe-west4`), the company ensures that Cloud Run instances cannot be created outside the EU, directly meeting data residency compliance requirements. This is a preventive control that applies at the project or folder level, overriding any developer choices.

Exam trap

The trap here is that candidates confuse network-level controls (VPC Service Controls, Firewall rules) with resource location enforcement, thinking that restricting access or egress to EU IPs is equivalent to ensuring resources are physically created in EU regions.

How to eliminate wrong answers

Option A is wrong because relying on labels and developer discipline is not an enforceable compliance control; labels are metadata and do not prevent resource creation in non-EU regions. Option C is wrong because VPC Service Controls restrict data exfiltration and access to services from outside a VPC perimeter, but they do not restrict the geographic location where Cloud Run instances are created; they control network access, not resource placement. Option D is wrong because VPC Firewall rules control network traffic based on IP addresses, not the location of resource creation; they cannot prevent a Cloud Run service from being deployed in a non-EU region, and EU IP ranges do not map cleanly to region-based compliance requirements.

713
MCQ · easy

A company wants to grant a user the ability to delete a Cloud SQL instance but not be able to modify any other settings. What is the least privileged role?

A. roles/cloudsql.viewer
B. roles/cloudsql.editor
C. roles/cloudsql.admin
D. Use a custom role with only cloudsql.instances.delete permission.
Answer: D

A custom role with this single permission meets the requirement exactly.

Why this answer

Option D is correct because the least privileged role that allows deleting a Cloud SQL instance without granting any other permissions is a custom role containing only the `cloudsql.instances.delete` permission. Predefined roles like viewer, editor, or admin include broader permissions that would allow modifying other settings, violating the principle of least privilege.

Exam trap

The trap here is that candidates may assume a predefined role like `roles/cloudsql.editor` is the least privileged because it includes delete, but they overlook that it also grants modify permissions, which violates the 'least privileged' requirement.

How to eliminate wrong answers

Option A is wrong because `roles/cloudsql.viewer` only grants read-only permissions (e.g., `cloudsql.instances.get`) and does not include the `cloudsql.instances.delete` permission, so it cannot delete an instance. Option B is wrong because `roles/cloudsql.editor` includes permissions to modify instance settings (e.g., `cloudsql.instances.update`) in addition to delete, which exceeds the requirement. Option C is wrong because `roles/cloudsql.admin` grants full control over Cloud SQL instances, including all create, update, and delete permissions, far beyond the single delete action needed.

714
MCQ · easy

An organization needs to block all inbound SSH traffic (port 22) to a set of VM instances that have a common tag 'ssh-restricted'. They want to deny this traffic at the VPC firewall level. Which firewall rule configuration should they use?

A. Allow rule: direction EGRESS, protocol tcp, port 22, target tag 'ssh-restricted'
B. Deny rule: direction INGRESS, protocol tcp, port 22, target service account 'ssh-restricted'
C. Deny rule: direction INGRESS, protocol tcp, port 22, target tag 'ssh-restricted'
D. Allow rule: direction INGRESS, protocol tcp, port 22, source tag 'ssh-restricted'
Answer: C

This correctly denies inbound SSH to VMs with the specified tag.

Why this answer

To block SSH, a deny rule with direction INGRESS, protocol tcp, port 22, and target tag 'ssh-restricted' is needed.

715
MCQ · hard

An organization has a Google Cloud organization node with multiple folders for different departments. A deny policy is set at the organization level to block the use of shielded VM constraints. Later, an allow policy at the folder level grants the compute.instances.create permission. A user in that folder tries to create a new VM without shielded VM enabled. What will happen?

A. The user can create the VM because the folder allow policy grants compute.instances.create
B. The VM creation fails because the deny policy at the organization level overrides the folder allow policy
C. The VM is created but without shielded VM because the folder policy allows it
D. The VM creation succeeds because allow policies take precedence over deny policies
Answer: B

Deny policies are evaluated before allow policies and can deny specific permissions, overriding any allows.

Why this answer

Deny policies override allow policies. Since the deny policy at the organization level blocks shielded VM usage, the allow policy at the folder level cannot override it. The VM creation will fail because the deny policy explicitly denies permissions related to shielded VM constraints.

716
MCQ · medium

A DevOps engineer needs to create a custom IAM role that allows creating and deleting Compute Engine instances but not stopping or starting them. Which permissions should be included?

A. compute.instances.start and compute.instances.stop
B. compute.instances.create, compute.instances.delete, and compute.instances.update
C. compute.instances.create and compute.instances.delete
D. compute.instances.create
Answer: C

Correct: these allow create and delete only.

Why this answer

To create and delete instances, the permissions compute.instances.create and compute.instances.delete are required. compute.instances.stop and compute.instances.start are separate permissions for stopping/starting. compute.instances.update is for modifying existing instances.

717
MCQ · medium

Your company is deploying a web application on Google Kubernetes Engine (GKE) with an Internal Load Balancer (ILB) as the ingress. The application must only be accessible from within the same VPC and from an on-premises network connected via Cloud VPN. The on-premises network uses IP range 10.0.0.0/8. You have already created the ILB with a backend service. What is the most secure way to restrict access to the ILB?

A. Configure a VPC firewall rule to deny all ingress traffic to the ILB's forwarding rule IP address, and then create a higher-priority allow rule for the VPC and on-premises ranges
B. Configure the backend service's firewall rules to only allow traffic from the ILB's health check ranges and from the VPC and on-premises source ranges
C. Use GKE Network Policy to restrict ingress traffic to the application pods from the VPC and on-premises ranges
D. Use Cloud Armor to create a security policy that allows traffic only from the VPC and on-premises ranges, and attach it to the ILB
Answer: B

Correct: Firewall rules on the backend instances allow traffic from the ILB's health check probes and from permitted source ranges, ensuring only desired traffic reaches the application.

Why this answer

Option B is correct because the most secure way to restrict access to an Internal Load Balancer (ILB) is to apply firewall rules directly on the backend service (the instance group or NEG). This ensures that only traffic from the ILB's health check probe ranges (130.211.0.0/22 and 35.191.0.0/16 for GKE) and the allowed source ranges (VPC and on-premises) can reach the backend instances. This approach prevents any traffic from reaching the backend except through the ILB, which is the intended secure design for an internal-only application.

Exam trap

Google Cloud often tests the misconception that VPC firewall rules can be applied to a load balancer's forwarding rule IP address, but in reality, firewall rules only apply to VM instances or GKE nodes, not to forwarding rules or load balancer IPs.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules cannot be applied to the ILB's forwarding rule IP address; forwarding rules are not network interfaces and are not subject to VPC firewall rules. Option C is wrong because GKE Network Policy operates at the pod level and cannot restrict traffic to the ILB itself; it only controls traffic between pods, not traffic arriving via the ILB. Option D is wrong because Cloud Armor security policies cannot be attached to an Internal Load Balancer; Cloud Armor only supports external load balancers (HTTP(S), SSL Proxy, TCP Proxy) and not ILBs.

718
MCQ · medium

A company is using Cloud NAT to allow instances in a private subnet to access the internet. They notice that some instances are unable to reach external services. The NAT gateway is configured with a single IP address. Which action would most likely resolve the issue?

A. Change the NAT type to static
B. Change the VPC firewall rules to allow egress from the NAT IP
C. Increase the number of NAT IPs
D. Enable TCP established connections only
Answer: C

More NAT IPs increase available ports, reducing the chance of port exhaustion.

Why this answer

The issue is that a single NAT IP address can run out of available ports (each TCP/UDP session consumes a unique source port), causing new connections to fail. Increasing the number of NAT IPs expands the port pool, allowing more concurrent outbound connections. This directly addresses the port exhaustion problem without changing firewall rules or NAT type.

Exam trap

Google Cloud often tests the misconception that firewall rules or NAT type changes fix connectivity issues, when the real problem is port exhaustion from a single NAT IP under heavy connection load.

How to eliminate wrong answers

Option A is wrong because Cloud NAT does not have a 'static' type; the NAT type is either public (with ephemeral or static IPs) or private, and changing the type does not resolve port exhaustion. Option B is wrong because VPC firewall rules control traffic based on source/destination IPs and ports, but the NAT IP is the source IP for outbound traffic; egress rules must allow traffic from the instances' private IPs (or the NAT IP), but the issue is port capacity, not firewall blocking. Option D is wrong because 'TCP established connections only' is a firewall rule concept (e.g., connection tracking) and does not apply to NAT gateway configuration; Cloud NAT handles all protocols and does not have a setting to limit to established connections.

719
Multi-Select · medium

A company wants to implement least privilege access for a team that needs to monitor and manage Cloud Run services. Which two IAM roles should be considered? (Choose two.)

Select 2 answers
A. roles/iam.serviceAccountUser
B. roles/run.admin
C. roles/run.viewer
D. roles/run.developer
E. roles/run.invoker
Answers: C, D

Allows viewing services and configurations.

Why this answer

Option C (roles/run.viewer) is correct because it grants read-only permissions to view Cloud Run services, configurations, and revisions, which is sufficient for monitoring without allowing modifications. Option D (roles/run.developer) is correct because it allows both viewing and managing Cloud Run services (e.g., deploying new revisions, updating configurations) while still restricting access to other GCP resources, aligning with least privilege for a team that needs to both monitor and manage.

Exam trap

Google Cloud often tests the distinction between 'viewer' and 'developer' roles, where candidates mistakenly choose 'run.admin' thinking it is needed for management, or 'run.invoker' thinking it covers monitoring, but the exam expects precise matching of permissions to the tasks of monitoring (read-only) and managing (deploy/update) without full administrative control.

720
Multi-Select · hard

A company runs containerized applications on GKE and uses Binary Authorization. They want to enforce that only images from a specific Artifact Registry repository can be deployed, and those images must be signed by a trusted attestor. Which THREE configurations are required?

Select 3 answers
A. Set up a Binary Authorization policy that requires attestation.
B. Create an attestation note and attestor in Binary Authorization.
C. Configure an Artifact Registry repository with a vulnerability scanning policy.
D. Add a constraint to the GKE cluster's Binary Authorization policy that restricts the allowed registry to the specific Artifact Registry repository.
E. Create a Cloud KMS key and an attestor in the same project as the repository.
Answers: A, B, D

This is the core policy to require signed images.

Why this answer

The three requirements: a Binary Authorization policy requiring attestation, an attestor (with note), and a policy constraint to restrict allowed registries.

721
MCQ · medium

A security team wants to ensure that all service account key creation events in their organization are logged and alerted on. Which logging feature should they use?

A. Enable System Event audit logs for the IAM service.
B. Enable Data Access audit logs for the IAM service.
C. Enable Access Transparency logs for the IAM service.
D. Enable Admin Activity audit logs for the IAM service.
Answer: D

Admin Activity logs record all administrative actions, including creating keys.

Why this answer

Admin Activity audit logs capture operations that modify the configuration or metadata of resources, such as creating or deleting service account keys. Since the question asks about logging key creation events, Admin Activity logs are the correct choice because they record all administrative actions, including service account key creation, by default and cannot be disabled. Data Access audit logs, by contrast, track data-level operations like reading or writing data, not administrative changes.

Exam trap

Google Cloud often tests the distinction between Admin Activity and Data Access logs, where candidates mistakenly choose Data Access for any security-related logging, not realizing that key creation is an administrative action, not a data access operation.

How to eliminate wrong answers

Option A is wrong because System Event audit logs are not a valid log type in Google Cloud; the correct log categories are Admin Activity, Data Access, and Access Transparency. Option B is wrong because Data Access audit logs record operations that read or modify user-provided data, such as reading objects in Cloud Storage, not administrative actions like creating service account keys. Option C is wrong because Access Transparency logs capture actions taken by Google personnel when accessing your data, not actions performed by your own service accounts or administrators.
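As an added example that is not part of the question bank, the filter logic behind the alert this question describes, run over three constructed audit log entries (one key creation in the Admin Activity stream, one unrelated IAM change, one Data Access read of a key). The project and account names are placeholders; the method name google.iam.admin.v1.CreateServiceAccountKey and the cloudaudit.googleapis.com%2Factivity log name are the ones IAM writes for key creation.

```python
"""Detect service account key creation in Cloud Audit Logs (Admin Activity stream).

Added example, not code from the question bank. The entries below are constructed
to mirror the shape of real Admin Activity and Data Access log entries.
"""
from __future__ import annotations

KEY_CREATE_METHOD = "google.iam.admin.v1.CreateServiceAccountKey"

# Cloud Logging filter a practitioner would put in a log-based alert for the same event.
LOG_FILTER = (
    'logName:"cloudaudit.googleapis.com%2Factivity" '
    'AND protoPayload.serviceName="iam.googleapis.com" '
    f'AND protoPayload.methodName="{KEY_CREATE_METHOD}"'
)

# Constructed sample entries (placeholder project and account names).
SAMPLE_ENTRIES = [
    {   # Admin Activity: a key was created -> should alert
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "serviceName": "iam.googleapis.com",
            "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/-/serviceAccounts/app-sa@example-project.iam.gserviceaccount.com",
        },
    },
    {   # Admin Activity: unrelated IAM change -> no alert
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "serviceName": "iam.googleapis.com",
            "methodName": "google.iam.admin.v1.SetIAMPolicy",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "resourceName": "projects/example-project",
        },
    },
    {   # Data Access: a key was *read*, not created -> no alert
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "serviceName": "iam.googleapis.com",
            "methodName": "google.iam.admin.v1.GetServiceAccountKey",
            "authenticationInfo": {"principalEmail": "ci-runner@example-project.iam.gserviceaccount.com"},
            "resourceName": "projects/-/serviceAccounts/app-sa@example-project.iam.gserviceaccount.com/keys/abc123",
        },
    },
]


def is_admin_activity(entry: dict) -> bool:
    """True when the entry comes from the Admin Activity audit log stream."""
    return entry.get("logName", "").endswith("cloudaudit.googleapis.com%2Factivity")


def find_key_creations(entries: list[dict]) -> list[dict]:
    """Return one finding per service account key creation event."""
    findings = []
    for entry in entries:
        if not is_admin_activity(entry):
            continue
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "iam.googleapis.com":
            continue
        if payload.get("methodName") != KEY_CREATE_METHOD:
            continue
        findings.append({
            "principal": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
            "service_account": payload.get("resourceName", "<unknown>"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_key_creations(SAMPLE_ENTRIES):
        print(f"ALERT: {finding['principal']} created a key for {finding['service_account']}")
```

The same three conditions are what LOG_FILTER expresses; keeping the log name check in code mirrors the point of the question, since a Data Access entry for GetServiceAccountKey must not trip a key-creation alert.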

722
MCQ · hard

A security engineer wants to enable Access Transparency for their organization. After enabling it in the Admin Console, they notice that some access logs are missing. What is the most likely reason?

A. Access Transparency only logs access by Google personnel, not by third-party vendors.
B. Access Transparency must be enabled for each individual project, not just the organization.
C. The service being accessed does not support Access Transparency.
D. The IAM policy for the organization does not grant the required permissions.
Answer: C

Access Transparency is supported only by certain services; unsupported services will not produce logs.

Why this answer

Access Transparency logs are only generated for services that support Access Transparency and have the feature enabled. At the time of writing, not all GCP services support Access Transparency. If the missing logs are for unsupported services, they will not appear.

723
MCQ · easy

Which Google Cloud SIEM solution ingests logs from various sources, normalizes them into the Unified Data Model (UDM), and allows detection using YARA-L rules?

A. Chronicle
B. Cloud Logging
C. BigQuery
D. Security Command Center
Answer: A

Chronicle is the SIEM that uses UDM and YARA-L.

Why this answer

Chronicle is Google Cloud's SIEM solution that ingests logs, normalizes them into UDM, and enables detection rules with YARA-L. Security Command Center is a security posture management tool, not a SIEM. Cloud Logging is for log storage and analysis, not SIEM. BigQuery is a data warehouse.

724
MCQ · hard

You are designing a multi-tier application with a frontend and backend. The frontend instances are in subnet A (10.0.1.0/24), and the backend instances are in subnet B (10.0.2.0/24). Both subnets are in the same VPC. You want to allow the frontend to communicate with the backend on TCP port 8080, but the backend must not be able to initiate connections to the frontend. Additionally, the backend must be able to send patches to the internet. Which set of firewall rules should you implement?

A. Ingress rule on frontend: allow tcp:8080 from backend's service account; Egress rule on backend: allow all to internet
B. Ingress rule on backend: allow tcp:8080 from subnet A; Egress rule on backend: allow all to internet
C. Ingress rule on frontend: allow tcp:8080 from subnet B; Egress rule on backend: allow all to internet
D. Ingress rule on backend: allow tcp:8080 from subnet A; Egress rule on frontend: deny all to internet
Answer: B

Correct: Ingress on backend allows frontend-initiated traffic only. Egress on backend allows backend to reach internet for patches. No rule allows backend to initiate to frontend.

Why this answer

Option B is correct because the frontend in subnet A initiates connections to the backend on TCP port 8080, so an ingress rule on the backend allowing traffic from subnet A permits this. An egress rule on the backend allowing all traffic to the internet enables patch downloads. This setup prevents the backend from initiating connections to the frontend, as no egress rule on the backend targets the frontend, and no ingress rule on the frontend allows unsolicited traffic from the backend.

Exam trap

Google Cloud often tests the distinction between ingress and egress rules and the direction of traffic flow; the trap here is that candidates mistakenly place the ingress rule on the frontend (thinking it needs to 'receive' the connection) instead of on the backend, which actually receives the connection from the frontend.

How to eliminate wrong answers

Option A is wrong because it places the ingress rule on the frontend, which would allow the backend to initiate connections to the frontend, violating the requirement that the backend must not initiate connections to the frontend; also, service accounts are not typically used in VPC firewall rules for subnet-level traffic. Option C is wrong because it places the ingress rule on the frontend allowing traffic from subnet B, which would permit the backend to initiate connections to the frontend, again violating the requirement. Option D is wrong because it denies all egress traffic from the frontend, which would block the frontend from sending requests to the backend (since egress is denied), and the backend still needs an egress rule to reach the internet for patches, which is missing.
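The direction reasoning in this question, and the tag-targeted deny rule in question 714 above, can be checked with a small model of VPC firewall evaluation. This is an added example, not Google's code or the question bank's: it encodes the documented rule semantics (rules are per direction; the lowest priority number wins; deny wins a tie; a rule with no target tags applies to every instance; the implied rules deny ingress and allow egress; connection tracking lets reply traffic through) and evaluates option B of this question and option C of question 714 against constructed instances and addresses.

```python
"""Toy model of VPC firewall evaluation, for reasoning about a rule design before applying it.

Added example, not Google's code. Instances, tags and addresses are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    direction: str                              # "INGRESS" or "EGRESS"
    action: str                                 # "allow" or "deny"
    priority: int                               # 0-65535, lower number wins
    protocol: str = "all"                       # "tcp", "udp" or "all"
    ports: tuple[int, ...] = ()                 # empty = all ports
    ranges: tuple[str, ...] = ("0.0.0.0/0",)    # source (INGRESS) or destination (EGRESS) CIDRs
    target_tags: tuple[str, ...] = ()           # empty = applies to all instances in the VPC


@dataclass
class Instance:
    name: str
    ip: str
    tags: tuple[str, ...] = ()


def _matches(rule: Rule, inst: Instance, direction: str, peer_ip: str, protocol: str, port: int) -> bool:
    if rule.direction != direction:
        return False
    if rule.target_tags and not set(rule.target_tags) & set(inst.tags):
        return False
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if rule.ports and port not in rule.ports:
        return False
    return any(ip_address(peer_ip) in ip_network(r) for r in rule.ranges)


def evaluate(rules: list[Rule], inst: Instance, direction: str, peer_ip: str, protocol: str, port: int) -> str:
    """Decide one direction on one instance: the first matching rule by priority wins."""
    # At equal priority a deny rule is considered first, so deny wins ties.
    for rule in sorted(rules, key=lambda r: (r.priority, r.action != "deny")):
        if _matches(rule, inst, direction, peer_ip, protocol, port):
            return rule.action
    return "deny" if direction == "INGRESS" else "allow"    # implied rules


def can_connect(rules: list[Rule], src: Instance, dst: Instance | str, protocol: str, port: int) -> bool:
    """A new connection needs egress allowed on the initiator and, when the receiver is a VM
    in this VPC, ingress allowed on it. Reply packets ride the tracked connection, so the
    reverse direction is never consulted."""
    dst_ip = dst if isinstance(dst, str) else dst.ip
    if evaluate(rules, src, "EGRESS", dst_ip, protocol, port) != "allow":
        return False
    if isinstance(dst, str):            # external host: only our egress side applies
        return True
    return evaluate(rules, dst, "INGRESS", src.ip, protocol, port) == "allow"


# Question 724, option B: ingress on backend from subnet A; egress from backend to the internet.
FRONTEND = Instance("frontend-1", "10.0.1.10", ("frontend",))
BACKEND = Instance("backend-1", "10.0.2.10", ("backend",))
PATCH_MIRROR = "203.0.113.5"            # constructed external address (TEST-NET-3)
RULES_Q724 = [
    Rule("allow-frontend-to-backend-8080", "INGRESS", "allow", 1000, "tcp", (8080,),
         ("10.0.1.0/24",), ("backend",)),
    Rule("allow-backend-egress-internet", "EGRESS", "allow", 1000, "all", (), ("0.0.0.0/0",), ("backend",)),
]

# Question 714, option C: deny ingress tcp:22 to instances tagged ssh-restricted. It outranks a
# broad allow-ssh rule sitting at a lower priority (higher number), as a default-style rule would.
RESTRICTED = Instance("db-1", "10.0.2.20", ("ssh-restricted",))
OPEN = Instance("bastion-1", "10.0.2.21", ("bastion",))
ADMIN = Instance("admin-ws", "10.0.1.50")
RULES_Q714 = [
    Rule("allow-ssh-all", "INGRESS", "allow", 65534, "tcp", (22,)),
    Rule("deny-ssh-restricted", "INGRESS", "deny", 1000, "tcp", (22,), ("0.0.0.0/0",), ("ssh-restricted",)),
]


if __name__ == "__main__":
    print("frontend -> backend:8080   ", can_connect(RULES_Q724, FRONTEND, BACKEND, "tcp", 8080))
    print("backend  -> frontend:8080  ", can_connect(RULES_Q724, BACKEND, FRONTEND, "tcp", 8080))
    print("backend  -> internet:443   ", can_connect(RULES_Q724, BACKEND, PATCH_MIRROR, "tcp", 443))
    print("admin    -> restricted:22  ", can_connect(RULES_Q714, ADMIN, RESTRICTED, "tcp", 22))
    print("admin    -> bastion:22     ", can_connect(RULES_Q714, ADMIN, OPEN, "tcp", 22))
```

Running it shows why option B satisfies all three requirements: the frontend reaches the backend on 8080, the backend reaches the internet through its egress rule, and the backend cannot open a connection to the frontend because nothing overrides the implied ingress deny on the frontend. For question 714, the tagged instance rejects SSH while the untagged one still accepts it, which is exactly the effect of a higher-priority deny scoped by target tag.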

725
MCQ · easy

A company needs to enforce that all incoming traffic to their HTTPS load balancer must use TLS 1.2 or higher. Which SSL policy setting should they configure on the target HTTPS proxy?

A. Set the minimum TLS version to 1.3 only
B. Set the minimum TLS version to 1.2 and cipher profile to MODERN
C. Set the minimum TLS version to 1.0 and cipher profile to RESTRICTED
D. Use a self-managed certificate with TLS 1.2 enforcement
Answer: B

This ensures that only TLS 1.2 or higher is accepted. MODERN profile supports TLS 1.2 and 1.3.

Why this answer

SSL policies allow you to set the minimum TLS version. To require TLS 1.2 or higher, set the minimum TLS version to 1.2. The cipher profile can be set to MODERN or RESTRICTED, but the key is the minimum TLS version.

726
MCQmedium

A security engineer needs to configure firewall rules to allow traffic from a set of compute instances to a set of backend instances. The engineer wants to use a method that is more secure and scalable than using network tags. Which approach should they use?

A.Use firewall rules with source service accounts and target service accounts
B.Use hierarchical firewall policies
C.Use firewall rules with source tags and target tags
D.Use network firewall policies
AnswerA

Service accounts provide identity-based security that is immutable and more scalable than tags.

Why this answer

Service accounts as firewall rule targets are preferred over network tags because they are immutable, tied to the identity of the instance, and reduce dependency on tag management. This approach is more secure and scalable.

727
Multi-Selecthard

An organization has a requirement that all service account keys must be rotated every 90 days. The security engineer wants to automate the detection of keys older than 90 days. Which TWO methods can achieve this? (Choose 2)

Select 2 answers
A.Configure an organization policy to deny key creation if keys are older than 90 days.
B.Use Cloud Logging to analyze logs for key creation and compute age.
C.Use the IAM API to list service account keys and check the validAfterTime field.
D.Create a custom IAM role that prevents using keys older than 90 days.
E.Use Cloud Asset Inventory to query service account keys and filter by creation time.
AnswersC, E

The API returns key creation time, allowing programmatic detection.

Why this answer

Option C is correct because the IAM API's `validAfterTime` field directly indicates when a service account key was created. By listing keys and comparing this timestamp to the current time, you can programmatically identify keys older than 90 days. This method is precise and does not rely on indirect log analysis or policy enforcement.

Exam trap

Google Cloud often tests the distinction between detection (audit) and enforcement (prevention); candidates mistakenly choose options that attempt to enforce a policy (like denying creation or preventing use) when the question explicitly asks for detection of keys older than 90 days.

728
MCQhard

An organization uses Cloud VPN tunnels to connect multiple VPCs. They need to record all network metadata for compliance audits without affecting throughput. What is the most effective approach?

A.Enable VPC Flow Logs on all subnets and export logs to a centralized BigQuery dataset.
B.Install a third-party packet inspection appliance in each VPC.
C.Configure Packet Mirroring to mirror all VPN traffic to a collector.
D.Use Cloud Logging to capture VPN tunnel logs from Cloud Router.
AnswerA

VPC Flow Logs provide metadata with negligible performance overhead and are suitable for compliance auditing.

Why this answer

Option A is correct because VPC Flow Logs capture metadata of all network flows with minimal performance impact, and exporting to BigQuery enables analysis. Option B is resource-intensive and may impact throughput. Option D only captures VPN tunnel status, not traffic metadata.

Option C mirrors traffic, which can be costly and impact performance.

729
Multi-Selectmedium

A company is using Assured Workloads with the FEDRAMP_HIGH regime. They need to restrict where resources can be created and monitor for compliance violations. Which TWO settings should they configure? (Choose 2)

Select 2 answers
A.Access Transparency logs
B.Data residency controls
C.Resource location restrictions
D.Google personnel access restrictions
E.Compliance monitoring (drift detection)
AnswersC, E

This restricts resource deployment to allowed regions.

Why this answer

Resource location restrictions limit the regions where resources can be deployed. Compliance monitoring (or compliance drift monitoring) alerts when resources violate policies. Google personnel access restrictions control internal access, and Access Transparency logs record that access rather than restricting it.

Data residency is similar to resource location.

730
MCQhard

A company has a GKE cluster with a Kubernetes Service Account (KSA) that needs to access Cloud Storage. They want to bind the KSA to a Google Cloud service account (GCP SA) so that pods running under the KSA inherit the GCP SA's permissions. They have enabled Workload Identity on the cluster. What is the correct step to bind the KSA to the GCP SA?

A.Annotate the KSA with iam.gke.io/gcp-service-account=GCP_SA_EMAIL. No further steps are needed.
B.Create a JSON key for the GCP SA and store it as a Kubernetes secret, then mount it into the pods.
C.Grant the GCP SA the role roles/iam.serviceAccountUser on the KSA.
D.Grant the KSA the role iam.workloadIdentityUser on the GCP SA by running: gcloud iam service-accounts add-iam-policy-binding GCP_SA_EMAIL --member=serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME] --role=roles/iam.workloadIdentityUser
AnswerD

This is the correct IAM binding to allow the KSA to impersonate the GCP SA.

Why this answer

The correct binding is to grant the 'iam.workloadIdentityUser' role on the GCP SA to the KSA's identity. The KSA identity is represented in IAM as the principal 'serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]'. This allows the KSA to impersonate the GCP SA.

Creating a service account key defeats the purpose of Workload Identity. Adding an annotation to the KSA is necessary but not sufficient; the IAM binding is also required.

731
MCQhard

An organization wants to enforce that all Compute Engine instances in a project have a specific tag (e.g., 'env=prod') before they can be created. Which approach should be used?

A.Use an organization policy with a list constraint to require a specific tag on Compute Engine instances.
B.Create a Cloud Audit Logs sink and trigger a Cloud Function to delete instances without the tag.
C.Use a hierarchical firewall policy with a tag condition.
D.Create an organization policy with constraint `compute.requireOsLogin` set to true.
AnswerA

Organization policy constraints such as `compute.requireTags` (or custom constraint) can enforce that resources have specific tags.

Why this answer

Use Organization Policy with a constraint that requires tags on resources. The constraint `compute.requireOsLogin` is not related. Resource Manager tags can be enforced via Organization Policy using the `constraints/tags` constraint.

732
MCQmedium

A security analyst needs to mute a recurring false positive finding in Security Command Center so that it no longer appears in the active findings list. The analyst wants to keep the finding for historical reference. What should they do?

A.Set the finding's state to 'INACTIVE'
B.Create a filter to exclude the finding from view
C.Mute the finding using the SCC console or API
D.Delete the finding from SCC
AnswerC

Muting hides the finding but retains it.

Why this answer

Muting a finding in SCC hides it from active views but retains it for auditing. Muting can be done individually or via mute rules based on properties.

733
MCQeasy

An organization wants to restrict access to Google Cloud APIs such as BigQuery and Cloud Storage so that only resources within a specific VPC network can call these APIs, and no traffic from other VPCs or on-premises networks is allowed. Which Google Cloud service should they use?

A.Firewall Rules
B.Identity-Aware Proxy
C.Cloud Armor
D.VPC Service Controls
AnswerD

VPC Service Controls use service perimeters to restrict API access to resources within a VPC, preventing unauthorized access from other networks.

Why this answer

VPC Service Controls create service perimeters that restrict access to Google Cloud APIs based on the requesting network's context. This prevents data exfiltration and ensures only resources in the specified VPC can access the APIs.

734
MCQhard

A security engineer needs to block traffic from all IP addresses in a specific geographic region from reaching an HTTPS load-balanced application. The application uses Cloud Load Balancing with an external HTTPS load balancer. Which approach should the engineer use?

A.Create a VPC firewall rule that denies ingress from the region's IP ranges.
B.Use Identity-Aware Proxy (IAP) to block access based on the user's location.
C.Configure a Cloud CDN policy to block traffic from certain regions.
D.Create a Cloud Armor security policy with a geo-based deny rule and attach it to the load balancer.
AnswerD

Correct: Cloud Armor can inspect client IPs even behind a load balancer and apply geo-blocking rules.

Why this answer

Cloud Armor security policies can be attached to external HTTPS load balancers to filter traffic based on geolocation. The engineer can create a Cloud Armor security policy with a rule that uses the geo-tag to deny traffic from the specified region.

735
MCQhard

A security team needs to enforce that only requests originating from a corporate IP range (203.0.113.0/24) can access a Cloud Storage bucket containing sensitive data. They have created a custom IAM role with storage.objects.get permission and attached a condition that requires the request to have a specific IP address. However, some legitimate users outside the IP range are unable to access the data. What is the most likely cause?

A.Users must use a VPN to be assigned a corporate IP, but some are not connected.
B.The condition uses the attribute 'request.network' instead of 'source.ip'.
C.The bucket ACL is set to deny all access by default.
D.The IAM condition evaluates after authentication, and users are already authenticated; the condition is not restricting based on source IP correctly because the condition is on the user's identity, not the request's source IP.
AnswerD

IAM conditions can restrict by source IP, but if misconfigured (e.g., using wrong attribute or not applying to the correct principal), they may not work; the most likely cause is that the condition is not properly written to check the source IP.

Why this answer

Option D is correct because IAM conditions on a custom role are evaluated after the user has been authenticated and authorized by IAM. The condition attribute 'source.ip' restricts access based on the request's originating IP address; if the condition is instead applied to the user's identity (for example, checking the user's IP at policy-evaluation time rather than the request's source IP), it does not enforce the intended restriction. In this scenario the condition is most likely misconfigured to evaluate identity attributes rather than the request's source IP, so authenticated users from any IP can reach the bucket while legitimate users outside the corporate IP range are blocked, because the condition does not filter correctly on the request's source IP.

Exam trap

Google Cloud often tests the distinction between IAM conditions that evaluate request attributes (like source IP) versus identity attributes, leading candidates to overlook that the condition is applied after authentication and may not restrict the request's source IP correctly if misconfigured.

How to eliminate wrong answers

Option A is wrong because the issue is not about VPN connectivity; the condition is supposed to restrict access based on source IP, but if the condition is misconfigured, even users with a corporate IP via VPN may be blocked or allowed incorrectly. Option B is wrong because 'request.network' is not a valid attribute for IAM conditions in Google Cloud; the correct attribute for source IP is 'source.ip', so using 'request.network' would cause a syntax error or be ignored, not partially block users. Option C is wrong because bucket ACLs are separate from IAM policies; if the ACL is set to deny all, no one would access the bucket, but the problem states that some legitimate users outside the IP range are unable to access, implying that the ACL is not the primary issue.

736
MCQhard

A financial institution is subject to GDPR and requires encryption at rest for all data in Cloud Storage. They want to use CMEK but also need to log all key access events. Which combination of services meets both requirements with least effort?

A.Use Cloud HSM to protect keys, and enable Cloud Audit Logs for Cloud HSM.
B.Use CMEK with Cloud KMS and set key rotation every 30 days.
C.Use CSEK (customer-supplied encryption keys) and enable Cloud Audit Logs for all services.
D.Use CMEK with Cloud KMS and enable Cloud Audit Logs with Data Access audit logs for Cloud KMS.
AnswerD

CMEK uses Cloud KMS keys; Data Access logs record all key operations for compliance.

Why this answer

Option D is correct because Cloud KMS keys can be used with Cloud Storage via CMEK, and Cloud Audit Logs log key access via Data Access audit logs. Option C is wrong because CSEK is deprecated. Option A is wrong because Cloud HSM is hardware-backed key management, but the key access logs are still in Cloud Audit Logs.

Option B is wrong because rotating keys is not required for compliance; logging access is.

737
Matchingmedium

Match each CVE or security concept to its description.

Concepts

Log4j remote code execution vulnerability

Heartbleed OpenSSL vulnerability

Apache Struts2 remote code execution

Windows CryptoAPI spoofing vulnerability

BlueKeep RDP remote code execution

Why these pairings

These are well-known CVEs and their brief descriptions.

738
MCQmedium

A multinational organization must ensure that data for European users is stored only within the European Union to comply with GDPR. They use Cloud Storage and BigQuery. Which design should they implement?

A.Use Cloud DLP to inspect and tag data for European origin.
B.Use VPC Service Controls to create a perimeter around European resources.
C.Set an organization policy with constraints/gcp.resourceLocations to restrict resource creation to EU regions.
D.Use Cloud Armor with geo-based access control to restrict access from non-EU locations.
AnswerC

Organization policies can enforce that resources like buckets and datasets are created only in allowed locations.

Why this answer

Option C is correct because the organization policy constraint `constraints/gcp.resourceLocations` is the only design that proactively prevents data from being stored outside the EU. By setting this constraint to allow only EU regions (e.g., `europe-west1`, `europe-west4`), any attempt to create a Cloud Storage bucket or BigQuery dataset in a non-EU region will be denied at the API level, ensuring GDPR compliance by design.

Exam trap

Google Cloud often tests the distinction between data access control and data residency enforcement; the trap here is confusing geo-based access controls (Cloud Armor) or data exfiltration prevention (VPC Service Controls) with the ability to restrict where data is physically stored, which requires a resource location policy.

How to eliminate wrong answers

Option A is wrong because Cloud DLP inspects and classifies data but does not enforce storage location; it only tags data for discovery, not for residency control. Option B is wrong because VPC Service Controls create a security perimeter around resources to prevent data exfiltration, but they do not restrict where resources can be created or stored; a bucket could still be created in a non-EU region within the perimeter. Option D is wrong because Cloud Armor with geo-based access control restricts user access based on geographic location, but it does not control where data is physically stored; data could still reside outside the EU.

739
MCQeasy

A company uses Cloud Storage buckets to store customer uploads. Recently, a customer reported that a file they uploaded yesterday is missing. The bucket has object versioning enabled. The security team wants to investigate how the file went missing and whether any other files have been affected. The company's compliance requirements mandate that all object deletions must be logged and reviewed. What should the admin do first to investigate the missing file?

A.Check the access logs in the Storage bucket's logs section.
B.Use gsutil ls -a to list all versions of objects in the bucket.
C.Enable Object Lifecycle Management to restore deleted objects.
D.Check Cloud Logging for storage.googleapis.com/object_delete events.
AnswerD

Cloud Logging logs object deletions by default; this provides the time, user, and method of deletion, which is essential for investigation.

Why this answer

Checking Cloud Logging for object delete events is the most direct way to determine if the file was deleted and by whom. Option B is incorrect because listing versions would only show whether the object exists, not the cause of its disappearance. Option C is incorrect because enabling lifecycle management does not help with investigation.

Option A is incorrect because access logs are not automatically enabled and would not specifically show delete events.

740
MCQmedium

Refer to the exhibit. A Cloud Run service fails to start and shows the above error. What is the most likely cause?

A.The container requires more memory than allocated
B.The PORT environment variable is not defined in the container
C.The application is configured to listen on a different port than the one specified by PORT
D.The number of concurrent requests exceeds the container's limit
AnswerC

Cloud Run injects PORT; the container must bind to that port. If the app listens on another port, it fails to start.

Why this answer

Option C is correct because the error explicitly states the container is not listening on the port defined by PORT. Cloud Run expects the container to bind to the port specified in the PORT env var (default 8080). Option B is wrong; the error is about listening, not about the variable being missing.

Option A is wrong; insufficient memory causes different errors. Option D is wrong; concurrent requests are runtime limits, not startup issues.

741
MCQmedium

A security team wants to explicitly deny access to a Cloud Storage bucket for all users except the bucket owner. Currently, there are allow policies at the project level granting Storage Object Viewer to all users. What is the most efficient way to implement this?

A.Create an Organization Policy that denies access to the bucket for all users except the owner.
B.Modify the project-level role to include a condition that only allows the bucket owner.
C.Remove the project-level Storage Object Viewer role and grant it only to the bucket owner.
D.Create an IAM deny policy on the bucket with a deny rule for all principals (principalSet: allUsers) and an exception for the bucket owner.
AnswerD

IAM deny policies explicitly deny and can exclude principals.

Why this answer

Option D is correct because Google Cloud IAM deny policies explicitly deny access to resources, overriding any allow policies. By creating a deny rule on the bucket with `principalSet: allUsers` as the denied principal and an exception for the bucket owner, you effectively block all users except the owner, regardless of project-level allow roles. This is the most efficient approach as it does not require modifying existing project-level policies or removing roles.

Exam trap

Google Cloud often tests the misconception that removing an allow role is sufficient to deny access, but in cloud IAM, explicit deny policies are required to override inherited allow policies, especially when project-level roles grant broad access.

How to eliminate wrong answers

Option A is wrong because Organization Policies are used to enforce constraints on resource usage (e.g., location restrictions), not to manage IAM access control for specific resources like a bucket. Option B is wrong because modifying the project-level role with a condition would require complex condition logic and still apply to all resources in the project, not just the bucket; it also does not explicitly deny access. Option C is wrong because removing the project-level role and granting it only to the bucket owner would affect all buckets in the project and does not explicitly deny access to other users; it only removes the allow, which is less secure than an explicit deny.

742
Multi-Selectmedium

A company wants to use Cloud Audit Logs to monitor for security incidents. They need to retain logs for 6 months for analysis and then archive them for 5 years. Which TWO steps should they take?

Select 2 answers
A.Create a log sink to Cloud Storage with the Archive storage class and Bucket Lock retention of 5 years.
B.Rely on the default 400-day retention in Cloud Logging.
C.Enable Data Access logs for all services.
D.Create a log sink to Pub/Sub and store in Cloud SQL.
E.Create a log sink to BigQuery with a table expiration of 6 months.
AnswersA, E

Provides immutable, cost-effective archival.

Why this answer

Create a log sink to BigQuery for short-term analysis (6 months) with a table expiration. Create another sink to Cloud Storage with an archive class and a retention policy for long-term archival. A single sink cannot do both.

Pub/Sub is not archival. Default retention is only 400 days.

743
MCQeasy

A startup is deploying a containerized application on Google Kubernetes Engine (GKE). The application is stateless and experiences variable traffic patterns, with periodic spikes during promotional events. The startup wants to minimize costs while ensuring the application can handle the variable load without performance degradation. They also prefer to automate scaling as much as possible. Which GKE configuration should they choose?

A.Use a cluster with node auto-repair and a fixed node pool.
B.Use a cluster with node auto-provisioning and preemptible nodes.
C.Use a cluster with a single zone and regular nodes.
D.Use a cluster with regional persistent disks for pods.
AnswerB

Node auto-provisioning adds nodes as needed, and preemptible nodes cost less than regular instances, ideal for stateless, fault-tolerant workloads.

Why this answer

Node auto-provisioning automatically scales the node pool based on pod resource requests, and preemptible nodes significantly reduce cost. This combination handles variable load while being cost-effective. Option D is incorrect because regional persistent disks are for stateful applications and increase cost.

Option C is incorrect because a single zone and regular nodes may not handle spikes and can be more expensive. Option A is incorrect because a fixed node pool does not automatically scale to meet variable demand.

744
MCQhard

During a security incident, a security engineer needs to revoke a compromised service account's access across all resources immediately. However, the service account has many roles across different projects. What is the most effective immediate step?

A.Remove all IAM policies that include the service account.
B.Disable the service account.
C.Disable the service account key.
D.Delete the service account from the project.
AnswerB

Disabling the service account instantly revokes all access while preserving policies.

Why this answer

Option B is correct because disabling the service account immediately revokes all access without removing IAM policies, allowing quick recovery later. Option D is irreversible and may break dependencies. Option C only prevents key-based authentication; the account can still be used from VM instances.

Option A is time-consuming and error-prone.

745
Multi-Selectmedium

A company is deploying a PCI DSS-compliant application on Google Cloud. They need to ensure that the cardholder data environment (CDE) is isolated and that only authorized services can communicate. Which TWO services should they use? (Choose 2)

Select 2 answers
A.Cloud IDS
B.Cloud Armor
C.Cloud NAT
D.VPC Service Controls
E.Cloud VPN
AnswersB, D

Cloud Armor is a WAF that protects the web application.

Why this answer

VPC Service Controls create a secure perimeter around the CDE resources, preventing data exfiltration. Cloud Armor provides web application firewall capabilities to protect the application. Cloud NAT is for outbound connectivity, Cloud IDS is for intrusion detection, and Cloud VPN is for site-to-site VPN, not isolation.

746
MCQeasy

An organization uses Cloud Identity to manage users and groups. They want to synchronize their existing on-premises Active Directory with Cloud Identity. Which tool should they use?

A.Third-party SAML identity provider
B.Google Cloud Directory Sync (GCDS)
C.Identity Platform
D.Cloud Workflows
AnswerB

GCDS syncs AD with Cloud Identity.

Why this answer

Google Cloud Directory Sync (GCDS) is the correct tool because it is specifically designed to synchronize users, groups, and aliases from an on-premises Active Directory (or LDAP server) into Cloud Identity without requiring federation. GCDS maps AD attributes to Cloud Identity fields and runs on a scheduled basis to keep the cloud directory in sync, making it the appropriate choice for this use case.

Exam trap

Google Cloud often tests the distinction between directory synchronization (GCDS) and federation (SAML IdP), so the trap here is that candidates may confuse synchronizing user objects with setting up single sign-on, leading them to choose a SAML identity provider instead of GCDS.

How to eliminate wrong answers

Option A is wrong because a third-party SAML identity provider is used for federated authentication (single sign-on), not for synchronizing directory data from Active Directory into Cloud Identity. Option C is wrong because Identity Platform is a customer identity and access management (CIAM) service for adding authentication to applications, not a tool for syncing on-premises directories with Cloud Identity. Option D is wrong because Cloud Workflows is an orchestration service for automating workflows and API calls, not a directory synchronization tool.

747
MCQmedium

Your organization wants to enforce that all VMs in a project can only communicate with a specific Cloud Storage bucket, and no other external IP addresses. You need to configure firewall rules to achieve this. Which approach should you take?

A.Use VPC Service Controls to create a service perimeter that restricts access to Cloud Storage, and configure the VMs to use Private Google Access
B.Create a deny-all egress firewall rule with priority 65535 and target tags 'storage-only', then create a higher-priority allow rule for traffic to 0.0.0.0/0 with destination tags 'storage-only'
C.Create a firewall rule that allows egress to the private IP ranges used by Cloud Storage (e.g., 199.36.153.4/30) and target the VMs using service accounts, then add a lower-priority deny-all egress rule
D.Create a network firewall policy that allows egress to the Cloud Storage API endpoint (storage.googleapis.com) and attach it to the VPC
AnswerC

This correctly allows only Cloud Storage traffic using service account targets for VMs, with a deny-all catch-all.

Why this answer

To restrict VMs to communicate only with a specific Cloud Storage bucket, use a firewall rule with service account targets (for the VMs) and deny all egress traffic except to the Private Google Access IP ranges for Cloud Storage. Using service account targets is preferred for security because it follows the principle of least privilege and is independent of VM instance changes.

748
MCQhard

A company has a hybrid cloud setup with a Cloud VPN tunnel to an on-premises network. They want to ensure that traffic from on-premises to a specific VPC subnet is routed through a specific next hop appliance for inspection. How can they achieve this?

A.Use Policy-based routing
B.Create a route with a next hop to the appliance's internal IP and a high priority
C.Create a route with a next hop of the internal load balancer
D.Create a static route with a next hop of the VPN gateway
AnswerB

This directs traffic to the appliance for inspection before it reaches the destination subnet.

Why this answer

Option B is correct because creating a static route with a next hop set to the appliance's internal IP and a high priority ensures that traffic from on-premises to the specific VPC subnet is forwarded to the inspection appliance before reaching its destination. In a hybrid cloud setup with Cloud VPN, the VPN gateway is the default next hop for on-premises traffic, but a higher-priority route overrides this, directing traffic to the appliance for security inspection. This leverages route priority (lower numerical value = higher priority) to enforce traffic steering without modifying the VPN tunnel itself.

Exam trap

Google Cloud often tests the misconception that policy-based routing (PBR) is the only way to steer traffic to a specific next hop, but in cloud VPC environments, static routes with priority are the correct and supported method, and PBR is not available as a VPC route option.

How to eliminate wrong answers

Option A is wrong because policy-based routing (PBR) is typically used for source/destination-based traffic steering at the router level, but in a cloud VPC environment like Google Cloud or AWS, PBR is not natively supported for VPC routes; instead, static routes with priorities are the standard mechanism. Option C is wrong because an internal load balancer distributes traffic across multiple instances and does not act as a transparent next hop for inspection; using it would bypass the intended single appliance and could cause asymmetric routing or inspection failure. Option D is wrong because creating a static route with a next hop of the VPN gateway would simply send traffic back through the VPN tunnel, defeating the purpose of routing it through the inspection appliance; the VPN gateway is the default path for on-premises traffic, not a way to insert an inspection hop.

749
MCQmedium

A company is using Security Command Center (SCC) Standard tier and wants to detect threats like crypto mining attacks and anomalous IAM activity in their GCP environment. Which built-in service should they enable?

A.Event Threat Detection
B.Security Health Analytics
C.Web Security Scanner
D.VM Threat Detection
AnswerA

Event Threat Detection is a Premium SCC service that monitors logs for malicious activity, including crypto mining.

Why this answer

Event Threat Detection is a Premium tier service that detects threats such as crypto mining and suspicious IAM activity. Security Health Analytics detects misconfigurations. Web Security Scanner is for web apps.

VM Threat Detection is also premium but for VMs.

750
Multi-Selectmedium

A security team wants to automatically detect anomalies in user behavior across Google Workspace and Google Cloud. Which TWO Security Command Center features can help?

Select 2 answers
A.Event Threat Detection
B.VM Threat Detection
C.Compliance monitoring (Premium tier)
D.Anomaly Detection (Standard tier)
E.Security Health Analytics
AnswersC, D

Compliance monitoring helps detect deviations from compliance standards, which can indicate anomalous behavior.

Why this answer

Anomaly Detection (Standard) and Compliance monitoring (Premium) can both identify anomalous behavior patterns in user and resource activity.
