Google Professional Cloud Security Engineer (PCSE) — Questions 751825

985 questions total · 14pages · All types, answers revealed

Page 10

Page 11 of 14

Page 12
751
MCQhard

Your organization has a hybrid network with an on-premises data center connected to Google Cloud via a Dedicated Interconnect. The on-premises network uses RFC 1918 addresses (10.0.0.0/8) and Google Cloud VPC has a subnet in 10.1.0.0/16. You've configured a Cloud Router with BGP to exchange routes. Recently, you set up a new VPC with a subnet in 10.2.0.0/16 and peered it with the first VPC using VPC Network Peering. You notice that on-premises traffic destined to 10.2.0.0/16 is being dropped. You verify that the firewall rules allow the traffic and that BGP routes for 10.2.0.0/16 are not advertised on-premises. What should you do to enable connectivity from on-premises to the new VPC?

A.Set up a Cloud VPN tunnel between the new VPC and on-premises.
B.Configure the Cloud Router to advertise the 10.2.0.0/16 range via custom route advertisement.
C.Add a firewall rule in the new VPC allowing all traffic from 10.0.0.0/8.
D.Create a Shared VPC and attach the new VPC as a service project.
AnswerB

Custom route advertisements on Cloud Router propagate the peering range to on-premises.

Why this answer

Option B is correct because the Cloud Router uses BGP to advertise routes to the on-premises network via the Dedicated Interconnect. By default, only VPC subnet routes are advertised; custom route advertisements must be explicitly configured to propagate the peered VPC's subnet (10.2.0.0/16) to on-premises. This ensures the on-premises routers learn the route and can forward traffic to the new VPC.

Exam trap

The trap here is that candidates assume VPC Network Peering automatically shares routes with on-premises networks via Interconnect, but in reality, peered VPC routes are not propagated to on-premises unless explicitly advertised through Cloud Router custom route advertisements.

How to eliminate wrong answers

Option A is wrong because a Cloud VPN tunnel is unnecessary when a Dedicated Interconnect already exists; the issue is route advertisement, not connectivity method. Option C is wrong because firewall rules are not the problem (they already allow traffic); the root cause is missing route propagation, not a missing allow rule. Option D is wrong because Shared VPC is used for centralized administration of multiple projects, not for enabling route exchange between a peered VPC and an on-premises network via Interconnect.

752
Multi-Selecthard

A company must comply with regulatory requirements that restrict data access by Google Cloud support and engineering staff. They need to log all Google admin access to their data and also require explicit approval before access is granted. Which TWO features should they combine? (Choose two.)

Select 2 answers
A.Access Approval
B.Data Loss Prevention
C.VPC Service Controls
D.Access Transparency
E.Audit Logs
AnswersA, D

Allows customers to approve or deny Google support access requests.

Why this answer

Access Transparency provides logs of Google admin access to customer content. Access Approval allows customers to approve or deny Google support access requests. Together, they satisfy the requirement for logging and approval.

The other options: Audit Logs record customer project actions, not Google admin access. Data Loss Prevention is for data inspection. VPC Service Controls are for network perimeters.

753
MCQmedium

A security analyst wants to detect when a user creates a Compute Engine instance with a public IP address in a sensitive project. What is the best method?

A.Create a Cloud Function that triggers on instance creation events.
B.Enable Data Access audit logs and filter for insert calls.
C.Use Cloud Logging with a log-based metric and alert.
D.Use Cloud Asset Inventory to create a feed for instance creation.
AnswerC

Log-based metrics on Admin Activity audit logs allow real-time alerting on specific conditions.

Why this answer

Option D is correct. Using Cloud Logging with a log-based metric and alert on the compute.instances.insert log entry checking for the presence of an external IP provides real-time detection. Option A is incorrect because Data Access logs do not capture admin operations.

Option B is incorrect because Cloud Asset Inventory is not real-time. Option C is possible but more complex to set up and maintain.

754
MCQmedium

A data scientist needs to access a secret stored in Secret Manager from a Compute Engine VM. The VM has the default service account attached. Which IAM role should be granted to the service account to allow reading the secret?

A.roles/secretmanager.admin
B.roles/secretmanager.secretAccessor
C.roles/iam.serviceAccountUser
D.roles/secretmanager.viewer
AnswerB

This role grants permission to access secret versions.

Why this answer

The correct role is roles/secretmanager.secretAccessor because it grants the specific permission secretmanager.versions.access required to read the secret payload from Secret Manager. The default Compute Engine service account needs only this minimal permission to retrieve the secret value, following the principle of least privilege.

Exam trap

Cisco often tests the distinction between viewing metadata (roles/secretmanager.viewer) and accessing the actual secret value (roles/secretmanager.secretAccessor), causing candidates to mistakenly choose the viewer role for read access.

How to eliminate wrong answers

Option A is wrong because roles/secretmanager.admin grants full administrative control over secrets, including creating, updating, and deleting them, which is excessive and violates least privilege for a read-only access need. Option C is wrong because roles/iam.serviceAccountUser allows impersonating service accounts (e.g., to run instances or use gcloud with the service account), but does not grant any permissions to read Secret Manager secrets. Option D is wrong because roles/secretmanager.viewer only allows listing and viewing secret metadata (such as names and labels), not accessing the actual secret payload (the secret data).

755
MCQmedium

A security engineer needs to block traffic to a set of VMs from specific IP addresses and also apply rate limiting for HTTP traffic. The VMs are behind a global external HTTPS load balancer. Which service should they use?

A.Cloud IDS
B.Cloud Armor
C.VPC firewall rules
D.Network firewall policies
AnswerB

Cloud Armor provides IP blocking and rate limiting for HTTP(S) load balancers.

Why this answer

Cloud Armor security policies can be attached to load balancers to provide WAF capabilities, including IP allow/deny lists and rate limiting. This is the appropriate service for this scenario.

756
MCQmedium

A multinational corporation is required to protect sensitive data in BigQuery using column-level encryption. They want to use a customer-managed key stored in Cloud KMS. What is the correct approach?

A.Use Cloud DLP to de-identify columns in transit.
B.Use Cloud HSM to store the key and apply bucket-level encryption.
C.Use Cloud KMS to create an AEAD key and use BigQuery SQL functions to encrypt/decrypt.
D.Use Customer-Supplied Encryption Keys (CSEK) with BigQuery.
AnswerC

BigQuery has AEAD.ENCRYPT/DECRYPT functions that integrate with Cloud KMS.

Why this answer

Option C is correct because BigQuery supports column-level encryption and decryption using AEAD (Authenticated Encryption with Associated Data) keys created in Cloud KMS. The `AEAD.ENCRYPT` and `AEAD.DECRYPT` SQL functions allow you to encrypt specific columns at rest, using a customer-managed key that you control in Cloud KMS, ensuring that only authorized users with access to the key can decrypt the data.

Exam trap

Google Cloud often tests the distinction between encryption services (Cloud KMS, Cloud HSM, CSEK) and their applicable scopes (bucket-level vs. column-level), so the trap here is assuming that any key management service can be used for BigQuery column-level encryption without understanding that only Cloud KMS with AEAD SQL functions is supported.

How to eliminate wrong answers

Option A is wrong because Cloud DLP de-identifies data in transit or at rest using techniques like masking or tokenization, but it does not provide column-level encryption with a customer-managed key stored in Cloud KMS; DLP is a data loss prevention service, not a column-level encryption solution. Option B is wrong because Cloud HSM is a hardware security module that can store keys, but bucket-level encryption applies to Cloud Storage buckets, not to BigQuery columns; BigQuery does not use bucket-level encryption for column-level protection. Option D is wrong because Customer-Supplied Encryption Keys (CSEK) are used for encrypting Compute Engine resources and Cloud Storage objects, not for BigQuery column-level encryption; BigQuery does not support CSEK for column-level encryption.

757
Multi-Selectmedium

A security engineer needs to allow a group of external auditors to view all resources in a project but not modify anything. They must also prevent the auditors from viewing sensitive data in BigQuery datasets. Which TWO IAM bindings should the engineer configure? (Choose two.)

Select 2 answers
A.Grant roles/viewer on the project to the auditors group
B.Grant roles/bigquery.dataViewer on the project to the auditors group
C.Create a deny policy at the project level that denies bigquery.tables.getData for the auditors group
D.Grant roles/iam.securityReviewer on the project to the auditors group
E.Remove the auditors group from all IAM bindings and grant them roles/browser only
AnswersA, C

This grants read access to all resource configurations, but includes BigQuery data access.

Why this answer

To grant read-only access to resources (configurations) without data access, you can grant roles/viewer on the project. However, roles/viewer includes bigquery.tables.getData, which allows reading table data. To prevent that, you must also add a deny policy to block bigquery.tables.getData.

Alternatively, you can use a custom role, but the question asks for IAM bindings.

758
MCQhard

A company uses VPC Service Controls to protect a service perimeter around BigQuery. They need to allow a specific on-premises application (with static IP 203.0.113.10) to query BigQuery tables within the perimeter, while still blocking other internet traffic. Which configuration should be used?

A.Use Cloud Armor to allow the IP.
B.Create an ingress rule in the service perimeter with an access level that includes the on-premises IP.
C.Add the on-premises IP to the list of allowed IPs in the VPC firewall rules.
D.Set up a VPN connection and include the on-premises VPC in the perimeter.
AnswerB

This allows the specific IP to access BigQuery while respecting the perimeter.

Why this answer

Create an ingress rule in the service perimeter that allows access from the on-premises IP (using access level) to BigQuery. Access levels can be IP-based, so create an access level that includes 203.0.113.10, and use that in the ingress rule.

759
MCQeasy

A DevOps team wants to automatically scale a managed instance group based on CPU utilization. Which metric should they use in the autoscaler?

A.'compute.googleapis.com/instance/cpu/usage_time'
B.'compute.googleapis.com/instance/cpu/utilization'
C.'compute.googleapis.com/instance/cpu/reserved_cores'
D.'agent.googleapis.com/cpu/utilization'
AnswerB

This is the built-in CPU utilization metric suitable for autoscaling.

Why this answer

The compute.googleapis.com/instance/cpu/utilization metric measures actual CPU usage, suitable for autoscaling.

760
MCQmedium

A company uses Cloud Audit Logs for compliance. They want to capture all data access events to a Cloud Storage bucket containing sensitive data. What must they enable?

A.System Event audit logs
B.Admin Activity audit logs
C.Access Transparency logs
D.Data Access audit logs with a configuration to log all methods
AnswerD

Data Access audit logs must be enabled for Cloud Storage to record both read and write operations.

Why this answer

Data Access audit logs record API calls that read or modify customer data, such as reading objects from a Cloud Storage bucket. To capture all data access events, including reads and writes, you must enable Data Access audit logs and configure them to log all methods (not just admin methods). This ensures compliance by recording every access to the sensitive data.

Exam trap

Google Cloud often tests the distinction between Admin Activity logs (which log configuration changes) and Data Access logs (which log data reads/writes), and candidates mistakenly assume Admin Activity logs cover data access.

How to eliminate wrong answers

Option A is wrong because System Event audit logs capture non-data-access events like GCP system actions (e.g., automatic resource scaling), not user or service access to data. Option B is wrong because Admin Activity audit logs only record configuration changes (e.g., creating or deleting a bucket), not data reads or writes. Option C is wrong because Access Transparency logs provide visibility into Google personnel access to your data, not customer or application data access events.

761
MCQhard

A company has multiple VPCs in different projects that need to privately connect to a common internal service (e.g., a managed database) running in a central project. They want to expose this service via Private Service Connect. Which type of PSC endpoint should the consumer VPCs create?

A.Cloud NAT gateway
B.VPN tunnel
C.Producer endpoint (service attachment)
D.Consumer endpoint (forwarding rule with PSC backend)
AnswerD

Consumers create PSC endpoints to connect to the published service.

Why this answer

Consumers create Private Service Connect endpoints (forwarding rules with PSC backends) to connect to a published service. The producer publishes the service via a service attachment.

762
Multi-Selectmedium

A company must store API keys and database credentials securely in Google Cloud. They need automatic rotation of these secrets every 30 days, with notifications sent to a security team after each rotation. Which services should they use? (Choose TWO).

Select 2 answers
A.Cloud Scheduler
B.Secret Manager
C.Compute Engine
D.Cloud Functions
E.Cloud KMS
AnswersB, D

Secret Manager is the correct service for storing API keys and credentials with built-in automatic rotation and Pub/Sub notifications.

Why this answer

Secret Manager provides a native API for storing secrets and supports automatic rotation via a rotation period and Pub/Sub notifications. Cloud Functions can be triggered by the Pub/Sub message to perform any additional actions (e.g., updating applications). Cloud KMS manages encryption keys, not secrets.

Cloud Scheduler can trigger manual rotation but is not required with automatic rotation. Compute Engine is not a service for secrets management.

763
MCQeasy

A company that stores protected health information (PHI) in Google Cloud wants to run a BigQuery query to identify and classify sensitive data such as patient names and social security numbers. Which Google Cloud service should they use?

A.Cloud Audit Logs
B.Cloud Key Management Service (Cloud KMS)
C.Cloud Data Loss Prevention (Cloud DLP)
D.BigQuery's built-in data classification
AnswerC

Cloud DLP inspects and classifies sensitive data like PHI and PII.

Why this answer

Cloud Data Loss Prevention (Cloud DLP) is specifically designed to inspect, classify, and de-identify sensitive data. It can be used to scan BigQuery tables and other data sources for PHI, PII, and other sensitive content. Cloud Audit Logs track access, BigQuery itself does not classify data, and Cloud KMS manages encryption keys.

764
MCQhard

Your company has hundreds of GKE clusters across multiple projects. You need to ensure that all clusters have Container Threat Detection enabled. Which approach is most scalable?

A.Create a new organization policy that enforces Container Threat Detection on all clusters
B.Deploy a DaemonSet that enables Container Threat Detection
C.Write a script using gcloud container clusters update with --enable-threat-detection flag
D.Manually enable Container Threat Detection in each cluster via the Cloud Console
AnswerC

The gcloud command can enable Container Threat Detection on existing clusters; scripting iterates over all clusters.

Why this answer

SCC Premium includes Container Threat Detection. To enable it across clusters, you can use an organization policy or a custom script. Using Terraform or Config Controller to manage clusters as code is scalable.

The most straightforward way: enable SCC Premium at the organization level and then enable Container Threat Detection per cluster via the API or gcloud. A script using gcloud commands can iterate through all clusters.

765
Multi-Selectmedium

A company uses Active Directory (AD) on-premises and wants to implement SSO for Google Cloud Console access. They want to maintain user lifecycle management (create/disable accounts) from AD. Which TWO components are required?

Select 2 answers
A.Cloud Directory Sync (CDS)
B.SAML 2.0 SSO with Cloud Identity
C.Workload Identity Federation
D.Identity-Aware Proxy (IAP)
E.Cloud VPN
AnswersA, B

CDS syncs users from AD to Google Cloud Directory.

Why this answer

Cloud Directory Sync synchronizes users from AD to Google Cloud Directory. SAML SSO with Cloud Identity allows users to sign in using their AD credentials. Both are needed: CDS for provisioning, SAML for authentication.

766
MCQhard

A security engineer accidentally deleted a Cloud KMS key version. The key version is in the state DESTROY_SCHEDULED. How long does the engineer have to cancel the destruction before the key material is permanently destroyed?

A.30 days
B.24 hours
C.Immediate destruction, no grace period
D.7 days
AnswerB

The default pending destruction period is 24 hours.

Why this answer

When a key version is scheduled for destruction, it enters a pending destruction grace period. The default grace period is 24 hours, during which the destruction can be canceled. After that, the key material is destroyed and unrecoverable.

767
Multi-Selecteasy

A security engineer needs to set up access for a new team that will manage Cloud Storage buckets and objects. Which three IAM roles might be appropriate based on least privilege? (Choose three.)

Select 3 answers
A.roles/storage.objectAdmin
B.roles/storage.objectViewer
C.roles/storage.legacyBucketOwner
D.roles/storage.objectCreator
E.roles/storage.admin
AnswersA, B, D

Allows full object management (create, read, update, delete).

Why this answer

Option A (roles/storage.objectAdmin) is correct because it grants full control over objects in Cloud Storage buckets, including listing, reading, creating, and deleting objects, but does not allow modifying bucket-level permissions or deleting buckets. This aligns with least privilege for a team that needs to manage objects without full bucket administration.

Exam trap

Google Cloud often tests the distinction between legacy roles (like storage.legacyBucketOwner) and modern predefined roles, expecting candidates to recognize that legacy roles grant overly broad permissions and should be avoided for least privilege.

768
Multi-Selecthard

A company uses Cloud DLP to inspect data in Cloud Storage and BigQuery for sensitive information such as credit card numbers and social security numbers. They want to de-identify the data using format-preserving encryption (FPE) so that the masked data retains the same format (e.g., a 16-digit number still looks like a credit card number). Which two configurations should they use? (Choose TWO).

Select 2 answers
A.A de-identification template with BucketingConfig
B.A cryptographic key in Cloud KMS to be used with the FPE transform
C.A de-identification template with DateShiftConfig
D.A de-identification template with MaskingConfig
E.A de-identification template with CryptoReplaceFfxFpeConfig
AnswersB, E

CryptoReplaceFfxFpeConfig requires a wrapping key in Cloud KMS to encrypt the FPE key.

Why this answer

CryptoReplaceFfxFpeConfig performs format-preserving encryption (FPE) based on the FFX mode. It can preserve the format of credit card numbers. The transform must be configured with a cryptographic key from Cloud KMS to ensure the encryption is secure.

BucketingConfig replaces values with a bucket label, not FPE. MaskingConfig replaces characters with a mask character. DateShiftConfig shifts dates by a random number of days.

769
MCQhard

Refer to the exhibit. A user jane@example.com receives a 403 Access Denied error when trying to list objects in a Cloud Storage bucket. What is the most likely cause?

A.The IAM condition restricts access to requests originating from the 10.0.0.0/24 IP range
B.Jane does not have the storage.objects.list permission
C.The bucket is in a different project
D.The IAM policy is too permissive and conflicts with other policies
AnswerA

The condition checks the 'x-forwarded-for' header starts with '10.0.0.', so requests from other IPs are denied.

Why this answer

Option B is correct because the IAM policy includes a condition that requires the request to come from an IP starting with '10.0.0.' (private IP). If Jane is accessing from a different IP, the condition fails and access is denied. Option A is wrong; the role includes storage.objects.list.

Option C is wrong; there is no indication of a different project. Option D is wrong; the policy is restrictive, not permissive.

770
Multi-Selectmedium

An organization wants to detect and respond to potential data exfiltration attempts via VPC Flow Logs. They plan to export VPC Flow Logs to BigQuery for analysis. Which TWO actions should they take to enable this? (Choose TWO.)

Select 2 answers
A.Create a log sink with a filter for compute.googleapis.com/vpc_flows and destination BigQuery.
B.Set up a Cloud Function to copy logs from Cloud Logging to BigQuery.
C.Create a BigQuery view to filter VPC Flow Logs.
D.Enable Data Access logs for Compute Engine.
E.Enable VPC Flow Logs on the subnet.
AnswersA, E

This exports the flow logs to BigQuery.

Why this answer

To export VPC Flow Logs to BigQuery, you need to create a log sink that filters for VPC Flow Logs and exports to BigQuery. The sink must be configured with a destination of BigQuery. Enabling Data Access logs is not required for VPC Flow Logs.

771
Multi-Selecthard

An organization must comply with ITAR regulations. They use Assured Workloads with the ITAR regime. Which THREE controls are automatically enforced by this regime? (Choose three.)

Select 3 answers
A.VPC Service Controls automatically configured
B.Use of Customer-Managed Encryption Keys (CMEK) for applicable services
C.Data residency in the US only
D.Cloud Audit Logs retention set to 10 years
E.Access Transparency and Access Approval enabled to restrict Google personnel access
AnswersB, C, E

CMEK is enforced for services that support it, ensuring customer control over encryption keys.

Why this answer

Assured Workloads for ITAR enforces data residency, personnel access restrictions, and encryption with CMEK. VPC Service Controls, while important, are not automatically enforced by the regime itself but can be added separately.

772
Multi-Selectmedium

A company subject to PCI DSS is building a cardholder data environment (CDE) on Google Cloud. They need to encrypt cardholder data at rest and in transit. Which THREE measures should they implement? (Choose three.)

Select 3 answers
A.Enforce TLS 1.2 or higher for data in transit.
B.Implement Cloud KMS to manage encryption keys.
C.Use Customer-Managed Encryption Keys (CMEK) for at-rest encryption.
D.Configure Cloud Armor WAF to inspect traffic.
E.Use VPC Service Controls to isolate the CDE.
AnswersA, B, C

TLS 1.2+ is required by PCI DSS for encrypting data in transit.

Why this answer

PCI DSS requires strong encryption. CMEK allows customer-managed keys for at-rest encryption. TLS 1.2 or higher encrypts data in transit.

Cloud KMS is used to manage encryption keys. Cloud Armor is a WAF, not encryption. VPC Service Controls provide network segmentation, not encryption.

Cloud HSM is a hardware-backed key storage, but the question asks for measures that encrypt data; CMEK, TLS, and Cloud KMS are directly related to encryption.

773
MCQhard

An organization has multiple GCP projects under a folder. They want to prevent all users from creating service account keys in any project under that folder. They also want to allow exceptions for a specific project where key creation is needed. Which approach should they take?

A.Create a custom role that excludes the permission to create keys and assign it to all users.
B.Remove the roles/iam.serviceAccountKeyAdmin role from all users.
C.Use an IAM deny policy on the folder to deny the permission to create service account keys.
D.Apply the organization policy constraint 'constraints/iam.disableServiceAccountKeyCreation' at the folder level and set an exception for the specific project.
AnswerD

This constraint disables key creation; exceptions can be made with conditional policies or separate project-level policies.

Why this answer

Organization policies can be set at the folder level with an enforce: true condition, and then an exception can be made for a specific project using a conditional policy or by setting a different policy on that project. IAM deny policies cannot disable the API for all users. Custom roles cannot disable key creation globally.

Removing roles is impractical.

774
MCQeasy

An organization wants to prevent data exfiltration from a Google Cloud project by restricting the copying of data from Cloud Storage to external IPs. Which Google Cloud service should they use?

A.Cloud Armor
B.IAM
C.VPC Service Controls
D.Cloud Data Loss Prevention (DLP)
AnswerC

VPC Service Controls create a security perimeter that prevents data from being copied to external IPs.

Why this answer

VPC Service Controls (C) is correct because it allows you to define security perimeters around Google Cloud services like Cloud Storage, preventing data exfiltration by blocking access from external IPs. By creating a service perimeter, you can enforce that data can only be accessed from within a specified VPC network or on-premises network via Private Google Access, effectively restricting copying to external IP addresses.

Exam trap

Google Cloud often tests the distinction between IAM (identity-based access) and VPC Service Controls (network-based perimeter security), so candidates mistakenly choose IAM thinking it can block external IPs, but IAM lacks the network context to enforce such restrictions.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall (WAF) that protects against DDoS and application-layer attacks, not a tool for restricting data exfiltration based on IP origin. Option B is wrong because IAM controls who (identities) can access resources but does not control how data is transferred or restrict access based on network context (e.g., external IPs). Option D is wrong because Cloud Data Loss Prevention (DLP) is used for inspecting, classifying, and redacting sensitive data, not for enforcing network-level access controls to prevent exfiltration.

775
MCQmedium

A healthcare startup is using Google Cloud to process Protected Health Information (PHI) for a clinical study. They are HIPAA-compliant and use Cloud Storage with CMEK. They also use BigQuery to run analytics on de-identified data. The security team notices that some PHI data appears in BigQuery query results. Upon investigation, they find that a data engineer created a BigQuery table that directly references the Cloud Storage bucket containing PHI without using the de-identification pipeline. The startup needs to prevent any direct access to Cloud Storage from BigQuery unless it goes through the pipeline. They also need to ensure that any new datasets are automatically subject to the same restrictions. What should they do?

A.Enable Access Transparency logs and set up alerts for any direct access to Cloud Storage.
B.Use DLP API to automatically de-identify data in Cloud Storage before BigQuery reads it.
C.Use IAM conditions to restrict access to the Cloud Storage bucket only from the service account used by the pipeline.
D.Create a VPC Service Control perimeter around the pipeline project, and use an organization policy to require that Cloud Storage buckets be in a perimeter.
AnswerD

VPC Service Controls block direct access from BigQuery to Cloud Storage unless both are in the same perimeter.

Why this answer

Option D is correct because VPC Service Controls create a security perimeter around the pipeline project, preventing data exfiltration and unauthorized access to Cloud Storage from BigQuery unless the request originates from within the perimeter. The organization policy requiring Cloud Storage buckets to be in a perimeter ensures that any new datasets are automatically subject to the same restrictions, enforcing the de-identification pipeline as the only allowed path.

Exam trap

Google Cloud often tests the distinction between detective controls (logging) and preventive controls (perimeters), leading candidates to choose logging or IAM-based solutions that cannot enforce the 'no direct access' requirement across all new datasets.

How to eliminate wrong answers

Option A is wrong because Access Transparency logs only provide audit logs of access, not preventive controls; they cannot block direct access from BigQuery to Cloud Storage. Option B is wrong because the DLP API de-identifies data but does not enforce access control policies; it would require manual integration and does not automatically restrict new datasets. Option C is wrong because IAM conditions can restrict access to a specific service account, but they do not prevent BigQuery from directly referencing the Cloud Storage bucket if the service account used by BigQuery has permissions; they also do not automatically apply to new datasets.

776
MCQhard

A global e-commerce company uses Google Cloud to host its platform. They store customer payment data in Cloud SQL and use Cloud Storage for backups. Currently, they rely on Google-managed encryption keys. A new compliance requirement mandates that all encryption keys must be stored in a hardware security module (HSM) and rotated every 30 days. Additionally, they need to retain backup data for 7 years, during which the keys used to encrypt the backups must be available for decryption. They have created a Cloud HSM key ring and a key with a rotation period of 2592000 seconds (30 days). After configuring Cloud SQL and Cloud Storage to use the Cloud HSM key, they notice that backups older than 30 days cannot be decrypted. The company's security engineer verified that the key versions are still present. What is the most likely cause and how should it be resolved?

A.The key material was imported incorrectly. Delete the key ring and recreate it using an external HSM.
B.The automatic backups in Cloud SQL are encrypted with the primary key version at backup time, but the backup restore functionality does not automatically use the latest key version. Update the backup configuration to use the current primary key version for decryption.
C.The rotation period of 30 days is too short for key retention. Disable automatic rotation and use manual key rotation every 30 days while retaining all versions.
D.Cloud Storage does not support Cloud HSM keys for object encryption. Switch to customer-supplied encryption keys (CSEK).
AnswerB

Cloud SQL restore requires referencing the correct key version; re-associating the backup with the latest key version allows decryption.

Why this answer

Option B is correct because Cloud SQL backups are encrypted with the primary key version at the time of backup creation. When restoring a backup, Cloud SQL does not automatically use the latest key version; it attempts to decrypt using the key version that was primary at backup time. Since the key is rotated every 30 days, backups older than 30 days were encrypted with a previous primary key version.

Even though the key versions are still present in Cloud HSM, the backup restore operation fails because it does not automatically reference the correct historical key version. The fix is to explicitly update the backup configuration to point to the current primary key version, which allows Cloud SQL to locate and use the appropriate key version for decryption.

Exam trap

Google Cloud often tests the misconception that key rotation automatically updates all existing encrypted data, when in reality each encryption operation uses the key version that was primary at that time, and decryption requires explicit reference to the correct historical version.

How to eliminate wrong answers

Option A is wrong because the key material was not imported incorrectly; the security engineer verified that key versions are present, and Cloud HSM supports both imported and generated keys. The issue is not about import method but about key version referencing during restore. Option C is wrong because the rotation period of 30 days (2592000 seconds) is exactly what the compliance requires; disabling automatic rotation would violate the 30-day rotation mandate, and manual rotation does not solve the decryption problem since the root cause is that Cloud SQL does not automatically use the correct key version for older backups.

Option D is wrong because Cloud Storage does support Cloud HSM keys for object encryption via CMEK; switching to CSEK would not address the backup decryption issue and would introduce additional key management complexity.

777
MCQhard

A security team wants to audit all actions performed by users on a critical Cloud Storage bucket. They have enabled Data Access audit logs. However, they notice that read requests are not being logged. What should they do to ensure all read requests are logged?

A.Enable Access Transparency logs for the project.
B.Assign the Storage Legacy Bucket Reader role to the bucket.
C.Configure bucket-level logging to record all access requests.
D.Enable VPC Flow Logs for the network.
AnswerC

Bucket-level logging can log all requests, including reads, regardless of audit log configuration.

Why this answer

Option C is correct because bucket-level logging captures all access requests, including read operations, by recording detailed logs for each request made to the bucket. Data Access audit logs, while enabled, may not log all read requests due to exclusion filters or default configuration limitations, whereas bucket-level logging provides comprehensive access records directly from Cloud Storage.

Exam trap

Google Cloud often tests the distinction between Cloud Audit Logs (which can be filtered or excluded) and bucket-level logging (which records all requests), leading candidates to mistakenly think enabling Data Access audit logs alone is sufficient for all read logging.

How to eliminate wrong answers

Option A is wrong because Access Transparency logs are designed to log actions taken by Google Cloud support or engineering staff, not user read requests on a bucket. Option B is wrong because assigning the Storage Legacy Bucket Reader role controls permissions but does not enable logging; it only grants read access to the bucket. Option D is wrong because VPC Flow Logs capture network traffic metadata (e.g., IP flows) but do not log application-level read requests to Cloud Storage buckets.

778
Multi-Selecthard

Which THREE are capabilities of Assured Workloads? (Choose three.)

Select 3 answers
A.Location-based access controls through VPC Service Controls
B.Cloud Shell for browser-based terminal access
C.Cloud Interconnect for dedicated connectivity
D.Access Transparency logs for Google personnel actions
E.Customer-managed encryption keys (CMEK) support
AnswersA, D, E

Assured Workloads can enforce perimeters using VPC Service Controls.

Why this answer

Assured Workloads is a Google Cloud service that helps customers meet compliance requirements (e.g., FedRAMP, PCI DSS) by enforcing a set of security and data residency controls. Option A is correct because VPC Service Controls can be used to create a perimeter around the workload, restricting data access based on location (e.g., only allowing access from within a specific VPC or IP range), which is a key capability for compliance. Option D is correct because Access Transparency logs provide detailed logs of actions taken by Google personnel on customer data, which is critical for audit and compliance.

Option E is correct because Customer-Managed Encryption Keys (CMEK) allow customers to control the encryption keys used to protect their data, a fundamental requirement for many compliance frameworks.

Exam trap

Google Cloud often tests the distinction between general Google Cloud services (like Cloud Shell or Cloud Interconnect) and the specific compliance-enforcing capabilities of Assured Workloads, leading candidates to select broadly useful features that are not part of the Assured Workloads service itself.

779
Multi-Selecteasy

Which TWO Google Cloud services are serverless compute platforms that let you run code without managing servers?

Select 2 answers
A.Cloud Run
B.Compute Engine
C.Google Kubernetes Engine (GKE)
D.Cloud Functions
E.App Engine
AnswersA, D

Cloud Run is a serverless container platform.

Why this answer

Options A and C are correct. Cloud Functions and Cloud Run are serverless compute services that abstract server management. Option B (Compute Engine) is IaaS.

Option D (GKE) is container orchestration. Option E (App Engine) is also serverless but the correct two are Cloud Functions and Cloud Run. Note: App Engine is also serverless but the question asks for TWO; we selected Cloud Functions and Cloud Run as they are the most commonly cited serverless compute options.

780
MCQmedium

A company runs a GKE cluster with multiple node pools, including one pool of confidential VMs. The security team wants to ensure that only traffic from the internal VPC (10.0.0.0/8) can reach the nodes' metadata server. Which configuration should be applied?

A.Configure Private Google Access on the subnets.
B.Create a firewall rule that allows outbound traffic from nodes to 169.254.169.254 only from the internal VPC range, and deny all other outbound to that IP.
C.Enable IAP TCP forwarding on the cluster.
D.Apply a VPC Service Controls perimeter to the GKE cluster.
AnswerB

The metadata server IP is 169.254.169.254; firewall rules can restrict outbound access to this IP.

Why this answer

The metadata server for GKE nodes is accessible at the link-local IP 169.254.169.254. To restrict access to this server to traffic originating only from the internal VPC range (10.0.0.0/8), you must create a firewall rule that allows outbound traffic from the nodes to 169.254.169.254 only from that range, and then deny all other outbound traffic to that IP. This ensures that only workloads within the internal VPC can query instance metadata, preventing external or unauthorized pods from accessing sensitive metadata.

Exam trap

Google Cloud often tests the misconception that Private Google Access or VPC Service Controls can restrict metadata server access, but the metadata server is a link-local service that must be controlled via egress firewall rules targeting the specific IP 169.254.169.254.

How to eliminate wrong answers

Option A is wrong because Private Google Access enables on-premises or VM instances without external IPs to reach Google APIs and services, but it does not restrict access to the metadata server (169.254.169.254), which is a link-local address and not subject to Private Google Access. Option C is wrong because IAP TCP forwarding allows authorized users to establish TCP connections to VM instances without public IPs, but it does not control traffic to the metadata server from within the VPC. Option D is wrong because VPC Service Controls perimeters restrict data exfiltration from Google Cloud services like BigQuery or Cloud Storage, but they do not apply to the instance metadata server, which is a link-local service outside the VPC perimeter.

781
MCQeasy

A company wants to use a Google Cloud load balancer with an SSL certificate that is automatically provisioned and renewed. Which type of certificate should they use?

A.Google-managed certificate
B.Certificate Manager with a self-managed certificate
C.Certificate Authority Service
D.Self-managed certificate
AnswerA

Google-managed certificates are automatically provisioned and renewed.

Why this answer

Google-managed SSL certificates are automatically provisioned, renewed, and managed by Google for use with load balancers. This is the simplest option for automatic management.

782
MCQmedium

A company wants to provide private connectivity from its on-premises network to Google Cloud APIs (e.g., BigQuery, Cloud Storage) without traversing the public internet. They have an existing Dedicated Interconnect connection. Which solution should they use?

A.Cloud NAT
B.Cloud VPN with VPC peering
C.Private Service Connect
D.VPC Service Controls
AnswerC

PSC provides private endpoints for Google APIs, accessible via interconnect.

Why this answer

Private Service Connect (PSC) allows private access to Google APIs via private endpoints using internal IP addresses. With Dedicated Interconnect, on-premises traffic can reach these endpoints without going over the internet.

783
Multi-Selectmedium

Which THREE of the following are best practices for managing service accounts in Google Cloud?

Select 3 answers
A.Use the principle of least privilege when granting roles to service accounts.
B.Assign a single service account to all Compute Engine instances for simplicity.
C.Avoid creating and downloading service account keys if possible; use workload identity federation or other alternatives.
D.Add service accounts to a Google Group to manage permissions.
E.Enable automatic key rotation for service account keys.
AnswersA, C, E

Least privilege reduces risk.

Why this answer

Option A is correct because the principle of least privilege is a fundamental security best practice in Google Cloud IAM. Granting only the minimal roles necessary to a service account reduces the attack surface and limits potential damage from compromised credentials. This aligns with Google's recommended approach for managing identities in cloud environments.

Exam trap

Google Cloud often tests the misconception that adding service accounts to a Google Group is a best practice for managing service accounts, when in fact groups are primarily for managing user permissions and can lead to unintended privilege escalation if not carefully controlled.

784
MCQmedium

A security engineer wants to restrict access to Cloud Storage buckets such that only workloads running on Compute Engine VMs in a specific VPC can read data. The VMs are managed by multiple GKE clusters and autoscaling instance groups. Which approach BEST enforces this restriction?

A.Configure a Cloud Armor security policy to block requests to Cloud Storage from non-VPC IPs.
B.Create a firewall rule that denies all egress traffic from the VPC to Cloud Storage IP ranges except through a proxy VM.
C.Create a VPC Service Controls service perimeter with an ingress rule that allows access from the VPC network.
D.Use IAM conditions on the Cloud Storage bucket to restrict access based on VPC network tags.
AnswerC

This approach restricts access to Cloud Storage from outside the perimeter and allows only requests originating from the specified VPC.

Why this answer

Use VPC Service Controls to create a service perimeter around the Cloud Storage API, with an ingress rule allowing requests from the specific VPC (using VPC network source) and VMs using the appropriate service accounts. VPC Service Controls prevent data exfiltration by restricting access to Google-managed services from outside the perimeter.

785
MCQhard

You are designing network security for a multi-region GKE cluster with Pods that need to communicate across regions over a private network. The cluster uses VPC-native mode. Which Google Cloud networking feature should you use to ensure low-latency and secure inter-region Pod-to-Pod communication without traversing the public internet?

A.Cloud VPN with dynamic routing
B.Private Service Connect
C.VPC Flow Logs
D.Cloud Interconnect
AnswerD

Provides dedicated, low-latency, private connectivity between VPC networks across regions.

Why this answer

Cloud Interconnect provides a dedicated, high-bandwidth, low-latency connection between your on-premises network and Google Cloud, or between Google Cloud regions, bypassing the public internet. For multi-region GKE clusters using VPC-native mode, Cloud Interconnect enables secure, private inter-region Pod-to-Pod communication by routing traffic through Google's internal backbone, ensuring minimal latency and no exposure to the public internet.

Exam trap

Google Cloud often tests the misconception that Cloud VPN is sufficient for inter-region communication, but the key differentiator here is the requirement for 'low-latency' and 'private network' without traversing the public internet, which only Cloud Interconnect (or Direct Peering) can guarantee.

How to eliminate wrong answers

Option A is wrong because Cloud VPN with dynamic routing encrypts traffic over the public internet, which introduces latency and is not designed for low-latency inter-region Pod-to-Pod communication within the same Google Cloud environment. Option B is wrong because Private Service Connect is used to privately access managed services (e.g., Google APIs or third-party services) from a VPC, not for inter-region Pod-to-Pod communication within GKE clusters. Option C is wrong because VPC Flow Logs is a logging feature that captures network flow metadata for monitoring and troubleshooting, not a connectivity solution for routing traffic between regions.

786
MCQhard

An organization needs to store API keys and database credentials in a secure, centralized service that supports automatic rotation and integrates with Cloud Functions. The solution must provide fine-grained access control at the secret version level. Which service should they use?

A.Cloud Key Management Service (Cloud KMS)
B.Cloud Storage with customer-managed encryption keys
C.Secret Manager
D.Cloud HSM
AnswerC

Secret Manager meets all requirements: secure storage, versioning, automatic rotation, and fine-grained IAM at the version level.

Why this answer

Secret Manager is designed for storing secrets such as API keys and database credentials. It supports versioning, IAM roles with fine-grained access (e.g., secretmanager.versions.access), and automatic rotation via Pub/Sub notifications triggering Cloud Functions.

787
MCQmedium

A healthcare organization is migrating to Google Cloud and needs to store Protected Health Information (PHI) while maintaining HIPAA compliance. They have executed a Business Associate Agreement (BAA) with Google. Which additional step is required to ensure that PHI is properly classified and protected?

A.Enable Audit Logs for all services that process PHI.
B.Configure Cloud Armor to protect web applications handling PHI.
C.Enable VPC Service Controls and restrict access to Cloud Storage buckets containing PHI.
D.Use Cloud Data Loss Prevention (DLP) to inspect and classify storage buckets containing PHI.
AnswerD

Cloud DLP can inspect and classify sensitive data like PHI, helping the organization apply appropriate controls.

Why this answer

For HIPAA compliance, after signing a BAA, organizations must implement data classification. Cloud DLP provides the ability to discover and classify PHI across GCP services.

788
MCQmedium

A company is required to perform penetration testing on their Google Cloud infrastructure. According to Google Cloud's policy, which statement is true regarding penetration testing?

A.Customers must use Google's own penetration testing tools, such as Web Security Scanner.
B.No prior approval is needed for testing most services, but denial-of-service (DoS) attacks are not permitted.
C.Prior approval from Google is required for all penetration testing activities.
D.Penetration testing is prohibited on Google Cloud unless it is conducted by a certified third party.
AnswerB

Google's policy allows testing without prior approval for most services, but DoS attacks are explicitly prohibited.

Why this answer

Google Cloud's Acceptable Use Policy permits penetration testing on most services without prior approval, but DoS attacks are forbidden.

789
MCQmedium

An organization wants to use Security Command Center to detect misconfigurations in their Google Cloud resources. They need a service that can automatically check for common security issues like open firewall ports and IAM policy violations. Which SCC feature should they enable?

A.Anomaly Detection
B.Event Threat Detection
C.Security Health Analytics
D.Web Security Scanner
AnswerC

SHA automatically scans resources for misconfigurations.

Why this answer

Security Health Analytics (SHA) is the SCC built-in scanner that checks for misconfigurations such as open firewall ports, overly permissive IAM roles, and other security best practices. Web Security Scanner targets web app vulnerabilities. Event Threat Detection is for threat detection.

Anomaly Detection identifies unusual behavior.

790
MCQeasy

A security analyst needs to investigate a potential breach in a Compute Engine instance. They want to create an offline forensic copy of the disk without affecting the running instance. Which action should they take?

A.Create an image from the disk while the instance is running.
B.Use the gcloud compute disks copy command to replicate the disk.
C.Attach a new blank disk to the instance and use dd to clone the data.
D.Stop the instance and create a snapshot of the boot disk.
AnswerD

Stopping ensures a consistent snapshot; the snapshot can be used for forensics without affecting the original instance.

Why this answer

Creating a snapshot is the correct method to create a point-in-time copy of a persistent disk for forensic analysis. The snapshot can be used to create a new disk for analysis. Stopping or creating an image modifies the instance state or does not preserve all data.

791
MCQeasy

An organization needs to store API keys and database credentials in a central, auditable service with versioning and IAM access control. Which GCP service should they use?

A.Cloud HSM
B.Secret Manager
C.Cloud DLP
D.Cloud KMS
AnswerB

Secret Manager is the correct service for storing and managing secrets with versioning and IAM.

Why this answer

Secret Manager is purpose-built for storing secrets like API keys, certificates, and database passwords. It provides versioning, IAM policies (e.g., secretmanager.versions.access), and automatic rotation with Pub/Sub notifications.

792
Multi-Selecthard

A company uses BigQuery to store sensitive data and wants to implement data masking using policy tags. They have three user groups: data_engineers (full access), data_analysts (masked PII), and data_scientists (masked financial data). Which THREE steps should they take?

Select 3 answers
A.Publish the taxonomy to make the policy tags available for use.
B.Create a taxonomy in Cloud Data Catalog with policy tags for PII and financial data.
C.Apply only one policy tag per column.
D.Enable Cloud Audit Logs to track policy tag usage.
E.Define data masking rules using BigQuery's conditional access on the policy tags.
AnswersA, B, E

Taxonomy must be published before policy tags can be used.

Why this answer

Option A is correct because after creating a taxonomy with policy tags in Cloud Data Catalog, you must publish the taxonomy to make those policy tags available for use in BigQuery. Publishing associates the taxonomy with the project and allows BigQuery to enforce data masking rules based on the policy tags applied to columns.

Exam trap

Google Cloud often tests the misconception that only one policy tag can be applied per column, but BigQuery supports multiple tags per column, and the most restrictive masking rule is enforced.

793
Multi-Selecthard

A security engineer needs to ensure that all Compute Engine instances in an organization are created with specific CMEK (Customer-Managed Encryption Key) for disk encryption. The engineer wants to enforce this at the organization level. Which three actions are required? (Choose three.)

Select 3 answers
A.Create a Cloud KMS key ring and encryption key.
B.Enable Customer-Supplied Encryption Keys (CSEK) for all instances.
C.Apply the policy constraint at the organization level.
D.Ensure the Compute Engine API is disabled for all projects.
E.Create a custom organization policy constraint using the Organization Policy Service.
AnswersA, C, E

A CMEK key must exist to be referenced in the constraint.

Why this answer

To enforce CMEK use, you need to create a custom organization policy constraint that requires the CMEK key resource name. Enabling CMEK via CSEK is different. The constraint must be applied at the organization level.

The key must be created in Cloud KMS. The compute engine API must be enabled for policy enforcement.

794
MCQmedium

A developer is troubleshooting a Cloud Run service that needs to read from a Cloud Storage bucket. The service runs as the compute engine default service account. The service account has been granted the Storage Object Viewer role at the project level, but the service still gets permission denied errors. What is the most likely cause?

A.The bucket uses uniform bucket-level access, which overrides IAM.
B.The service account was not granted access to the specific bucket.
C.The Cloud Run service is using a different service account than the one modified.
D.The Cloud Run service requires the Storage Admin role.
AnswerC

Cloud Run services must have a service account explicitly assigned; it does not use the compute engine default SA.

Why this answer

Cloud Run uses the runtime service account specified in the revision, not the compute engine default SA. The developer must explicitly set the service account when deploying, and grant it appropriate roles. The compute engine default SA is for Compute Engine VMs, not Cloud Run.

795
Multi-Selecthard

A security team is designing access controls for a multi-tenant SaaS application on Google Kubernetes Engine (GKE). Each tenant has a separate namespace. They want to ensure that a DevOps team can manage deployments across all namespaces, but cannot modify secrets in the 'tenant-alpha' namespace. Which THREE Kubernetes RBAC resources should be created? (Choose THREE)

Select 3 answers
A.A RoleBinding in namespace 'tenant-alpha' that binds the ClusterRole to the DevOps team.
B.A ClusterRole that grants permissions to manage secrets across all namespaces.
C.A RoleBinding in namespace 'tenant-alpha' that binds a Role granting secret modification to the DevOps team.
D.A ClusterRole that grants permissions to manage deployments, services, and ingresses across all namespaces, but does not include secrets.
E.A Role in namespace 'tenant-alpha' that grants permissions to modify secrets, bound to a separate group of tenant administrators.
AnswersA, D, E

This binds the ClusterRole to the DevOps team in the specific namespace.

Why this answer

Option A is correct because a RoleBinding in the 'tenant-alpha' namespace can bind a ClusterRole (which is a cluster-scoped resource) to the DevOps team, granting them the permissions defined in that ClusterRole within that specific namespace. Since the ClusterRole in option D explicitly excludes secrets, this RoleBinding ensures the DevOps team can manage deployments across all namespaces (via a ClusterRoleBinding) but cannot modify secrets in 'tenant-alpha'.

Exam trap

Google Cloud often tests the distinction between RoleBindings and ClusterRoleBindings, and the trap here is that candidates may think a ClusterRole can only be bound via a ClusterRoleBinding, but a RoleBinding can bind a ClusterRole to grant its permissions within a single namespace.

796
MCQhard

A security administrator wants to receive near-real-time logs whenever a Google Cloud support engineer accesses their customer content. Which GCP service provides this capability?

A.Access Transparency
B.Cloud Audit Logs (Admin Activity)
C.Cloud Security Command Center
D.Cloud Audit Logs (Data Access)
AnswerA

Access Transparency provides logs of Google admin access to customer content.

Why this answer

Access Transparency provides near-real-time logs of actions taken by Google personnel when accessing customer content. It is part of the Assured Workloads offering and can be enabled for supported services.

797
MCQmedium

A development team uses Cloud Secret Manager to store database credentials for an application running on Compute Engine. The application reads the secret using the Secret Manager API. After the team rotates the secret by adding a new version and setting it as the latest, the application continues to use the old secret version and fails to authenticate. The application is configured to fetch the secret with version 'latest' at startup. The team checks that the Compute Engine service account has the roles/secretmanager.secretAccessor role on the secret. What is the most likely cause of the issue?

A.Enable the new secret version by setting its state to 'enabled' via the Cloud Console, gcloud, or API.
B.Grant the service account the roles/secretmanager.secretAccessor at the project level instead of on the secret resource.
C.Update the application to use the specific version ID of the new secret instead of the 'latest' label.
D.Add an IAM condition on the secret that restricts access to only the latest version.
AnswerA

New versions are created disabled; they must be enabled to be accessible.

Why this answer

When a new secret version is added via Cloud Secret Manager, it is created in the 'disabled' state by default. Even if it is set as the 'latest' version, the application cannot access it until the version is explicitly enabled. The application fetches the secret using the 'latest' label, which points to the disabled version, causing authentication failure.

Enabling the new version resolves the issue.

Exam trap

Google Cloud often tests the misconception that setting a new version as 'latest' automatically makes it accessible, ignoring the default disabled state of newly added secret versions.

How to eliminate wrong answers

Option B is wrong because granting the role at the project level would not fix the issue; the service account already has the required role on the secret, but the secret version itself is disabled. Option C is wrong because using a specific version ID would still fail if that version is disabled; the core problem is the version state, not the label. Option D is wrong because adding an IAM condition does not affect the enabled/disabled state of a secret version; it only controls access based on attributes like resource tags or time, not version state.

798
MCQmedium

Refer to the exhibit. A security engineer has created this IAM policy for a Cloud KMS key. The service account my-sa is used by a Compute Engine VM to encrypt data before storing it in Cloud Storage. User alice needs to decrypt the data for analysis. Which statement is true?

A.User alice can both encrypt and decrypt.
B.User alice needs the Cloud KMS CryptoKeyEncrypter role to encrypt.
C.The service account can encrypt but cannot decrypt.
D.The service account can both encrypt and decrypt.
AnswerC

It has only the CryptoKeyEncrypter role.

Why this answer

The IAM policy grants the service account my-sa the Cloud KMS CryptoKey Encrypter role, which allows it to encrypt but not decrypt. User alice is granted the Cloud KMS CryptoKey Decrypter role, which allows her to decrypt but not encrypt. Therefore, the service account can only encrypt, and user alice can only decrypt, making option C correct.

Exam trap

Google Cloud often tests the misconception that a service account used for encryption must also be able to decrypt, or that a user with decrypt permissions can also encrypt, when in fact Cloud KMS enforces strict role separation between encrypt and decrypt operations.

How to eliminate wrong answers

Option A is wrong because user alice is only granted the Cloud KMS CryptoKey Decrypter role, which does not include encrypt permissions; she cannot encrypt. Option B is wrong because user alice already has the Cloud KMS CryptoKey Decrypter role, which is sufficient for decryption, but she does not need the Cloud KMS CryptoKeyEncrypter role to encrypt because she is not performing encryption; the service account handles encryption. Option D is wrong because the service account is only granted the Cloud KMS CryptoKey Encrypter role, which explicitly excludes decrypt permissions; it cannot decrypt.

799
MCQhard

Refer to the exhibit. A security administrator is troubleshooting why a user cannot access a BigQuery dataset. The user analyst@example.com is not a member of data-team@example.com. The user is trying to query a table in the dataset. What is the most likely reason for the denial?

A.The user needs to be added as a dataOwner to query tables.
B.The user has the role roles/bigquery.dataViewer, which does not allow querying tables; it only allows viewing dataset metadata.
C.The dataset policy includes a condition that the user does not satisfy.
D.The table itself might have additional restrictions such as row-level security.
AnswerB

dataViewer is insufficient for querying.

Why this answer

Option B is correct because the role roles/bigquery.dataViewer only grants permission to view dataset metadata (e.g., table names, schema) but does not include the bigquery.tables.getData permission required to actually query table rows. Since the user is not a member of data-team@example.com and has only this role, any query attempt will be denied with an access denied error.

Exam trap

Google Cloud often tests the misconception that a role named 'dataViewer' implies the ability to view actual data, when in fact it only grants metadata visibility, not the ability to query table rows.

How to eliminate wrong answers

Option A is wrong because 'dataOwner' is not a standard BigQuery role; the correct role for querying tables is roles/bigquery.dataEditor or roles/bigquery.dataViewer with the bigquery.tables.getData permission, and adding a user as a dataOwner would not grant query access. Option C is wrong because the question states the user is trying to query a table in the dataset, and there is no mention of a condition in the dataset policy; the most likely reason is the insufficient role, not a condition failure. Option D is wrong because row-level security is an additional restriction that applies after the user already has table-level query access; the primary denial here is due to lack of the bigquery.tables.getData permission, not row-level security.

800
MCQmedium

An organization wants to ensure that all new resources created in Google Cloud are restricted to a specific set of regions to meet data residency requirements. Which policy should they use?

A.Configure the `gcp.resourceLocations` organization policy constraint
B.Define a service perimeter using VPC Service Controls
C.Use IAM conditions to deny access outside approved regions
D.Enable Data Residency in Cloud Console settings
AnswerA

This policy directly restricts the regions where resources can be created.

Why this answer

The org policy constraint `gcp.resourceLocations` restricts resource creation to the specified locations. This is the correct method to enforce data residency for resources globally.

801
MCQhard

A financial services company is migrating to Google Cloud and needs to enforce strict access controls. They want to ensure that all access to Cloud Storage buckets containing sensitive data is logged and that only authorized IP ranges can write to those buckets. They have set up IAM conditions to allow access only from the corporate IP range. However, they notice that some write operations are not being logged in the Cloud Audit Logs for the bucket. The write operations are coming from a service account that is part of a batch job running on Compute Engine instances within the corporate network. What is the most likely reason for the missing logs?

A.The IAM condition is preventing the audit logs from being generated.
B.Data Access audit logs for Cloud Storage are not enabled.
C.The batch job is using a different service account that does not have permission to write.
D.The write operations are not being captured because they are performed by a service account.
AnswerB

Admin Activity logs are enabled by default, but Data Access logs need to be explicitly configured.

Why this answer

Option B is correct because Cloud Audit Logs for Cloud Storage require explicit enabling of Data Access audit logs to capture read, write, and other data-level operations. By default, only Admin Activity audit logs are enabled, which log metadata changes but not data access like object writes. The IAM condition correctly restricts write access to the corporate IP range, but without enabling Data Access audit logs, the write operations from the service account are not recorded.

Exam trap

The trap here is that candidates assume all audit logs are enabled by default, but Cisco tests the distinction between Admin Activity logs (always on) and Data Access logs (must be explicitly enabled), especially for services like Cloud Storage where data operations are the primary concern.

How to eliminate wrong answers

Option A is wrong because IAM conditions control access permissions, not audit log generation; audit logs are governed by the Audit Logs configuration in the project, not by IAM conditions. Option C is wrong because the question states the write operations are coming from a service account that is part of a batch job, and the issue is missing logs, not missing permissions; if the service account lacked write permission, the operations would fail, not go unlogged. Option D is wrong because service accounts can generate audit logs just like user accounts; the missing logs are due to the Data Access audit log type not being enabled, not because the principal is a service account.

802
MCQmedium

A company uses Cloud KMS to manage encryption keys for data at rest. They want to automatically rotate a symmetric key every 90 days. The key is used to encrypt Cloud Storage objects and BigQuery tables. What is the correct approach to achieve automatic rotation?

A.Use a Cloud Function to rotate the key every 90 days via the Cloud KMS API.
B.Set the rotation period on the key to 90 days and ensure the key purpose is ENCRYPT_DECRYPT.
C.Create a Cloud Scheduler job to manually rotate the key every 90 days.
D.Set the rotation period on the key ring to 90 days.
AnswerB

Setting rotation period on the key itself enables automatic rotation. ENCRYPT_DECRYPT is required for symmetric encryption.

Why this answer

In Cloud KMS, you can set a rotation period on a key. Automatic rotation creates a new key version at the specified interval. The key must have purpose ENCRYPT_DECRYPT for symmetric encryption.

Manual rotation is not automatic, and setting a rotation period on key rings is not possible.

803
MCQeasy

Which Security Command Center (SCC) tier provides built-in compliance monitoring for standards like CIS and PCI DSS?

A.Neither; compliance monitoring is part of Cloud Audit Logs
B.Both Standard and Premium
C.Premium tier
D.Standard tier
AnswerC

Premium tier includes compliance monitoring for standards like CIS, PCI DSS, and others.

Why this answer

Compliance monitoring is a feature of SCC Premium tier. Standard tier includes Security Health Analytics but not compliance monitoring. Event Threat Detection is also Premium.

804
MCQmedium

An organization needs to de-identify a BigQuery column containing US Social Security Numbers (SSNs) by replacing them with a consistent token that can be reversed if needed. Which Cloud DLP de-identification transform should they use?

A.BucketingConfig
B.MaskingConfig
C.CryptoReplaceFfxFpeConfig
D.DateShiftConfig
AnswerC

This transform uses FPE to create reversible, format-preserving tokens (e.g., SSN-like tokens).

Why this answer

CryptoReplaceFfxFpeConfig uses Format-Preserving Encryption (FPE) to replace sensitive data with a token that preserves the original format (e.g., 9 digits) and is reversible with the same key. BucketingConfig replaces with a range, MaskingConfig masks characters, and DateShiftConfig shifts dates.

805
Multi-Selecthard

A company wants to use service account keys for an on-premises application that needs to authenticate to Google Cloud APIs. Which two practices should they follow to minimize security risks? (Choose TWO.)

Select 2 answers
A.Allow end users to download and use service account keys directly.
B.Enable automatic key generation and disable any unused keys.
C.Store the service account key in the application's source code for easy access.
D.Rotate service account keys regularly and store them in a secure secret management system.
E.Use a single service account key for all environments to simplify management.
AnswersB, D

Automating key generation ensures uniqueness, and disabling unused keys reduces attack surface.

Why this answer

Option B is correct because enabling automatic key generation ensures that keys are created with strong cryptographic standards and that unused keys are promptly disabled, reducing the attack surface. This practice aligns with Google Cloud's recommendation to minimize the number of active keys and to avoid manual key management errors.

Exam trap

Google Cloud often tests the misconception that storing keys in source code is acceptable for convenience, or that a single key across environments simplifies management, when in fact both practices drastically increase security risk.

806
Multi-Selectmedium

A financial institution must meet SOX compliance requirements for audit trail integrity. Which THREE measures should they implement to ensure Cloud Audit Logs are immutable and securely stored?

Select 3 answers
A.Use VPC Service Controls to prevent exfiltration of logs.
B.Use customer-managed encryption keys (CMEK) with Cloud KMS for audit logs.
C.Export logs to Cloud Storage and apply a retention policy with a lock.
D.Set up Cloud IAM roles to restrict who can read audit logs.
E.Store logs in a Cloud Logging bucket with a retention policy locked via the Logs Retention API.
AnswersB, C, E

CMEK ensures only authorized keys can decrypt logs.

Why this answer

Option B is correct because using customer-managed encryption keys (CMEK) with Cloud KMS ensures that audit logs are encrypted with keys under the customer's control, preventing unauthorized decryption even by Google. This satisfies SOX requirements for data integrity and confidentiality, as the logs cannot be tampered with or accessed without the key.

Exam trap

Google Cloud often tests the distinction between access control (IAM, VPC Service Controls) and immutability (retention locks, CMEK), leading candidates to confuse preventing unauthorized access with preventing tampering or deletion.

807
MCQhard

A company has a Shared VPC environment with multiple service projects. The security team wants to ensure that all Compute Engine VMs in service projects are only accessible via IAP TCP forwarding for SSH management, and direct external access is completely blocked. They have already applied an organization policy constraint that denies the attachment of external IP addresses to new VMs. However, there are several existing VMs that still have public IP addresses assigned. The team wants to remove the public IPs from these existing VMs without causing downtime for any ongoing SSH sessions or disrupting the applications running on them, but they must ensure the VMs can still reach the internet if needed (for example, to download updates). What should the team do?

A.Delete each VM and recreate it without a public IP address.
B.First, deploy a Cloud NAT gateway for the VPC and subnet, then remove the public IP from each VM; the VMs will use Cloud NAT for outbound internet access.
C.Detach the public IP from each VM in the console, and then create a new private IP for the VM.
D.For each VM, use the gcloud command to delete the public IP and assign a new private IP from the same subnet.
AnswerB

Cloud NAT provides outbound internet without public IPs and can be set up without VM downtime. Then public IPs can be safely removed.

Why this answer

Option B is correct because Cloud NAT provides outbound internet access for private VMs without requiring public IPs, and removing the public IP from an existing VM does not interrupt running SSH sessions or applications—the VM continues running with its internal IP. After deploying Cloud NAT for the VPC and subnet, you can safely remove the public IP from each VM, and the VM will use Cloud NAT for outbound connections (e.g., downloading updates). This approach satisfies the security requirement of blocking direct external access while maintaining outbound connectivity and avoiding downtime.

Exam trap

Google Cloud often tests the misconception that simply removing a public IP and assigning a new private IP (options C and D) will somehow preserve internet access, but without Cloud NAT or a similar outbound gateway, private VMs cannot reach the internet.

How to eliminate wrong answers

Option A is wrong because deleting and recreating VMs would cause downtime for applications and terminate any ongoing SSH sessions, which violates the no-downtime requirement. Option C is wrong because simply detaching the public IP in the console without first setting up Cloud NAT would leave the VM without any outbound internet access, breaking the requirement that VMs can still reach the internet for updates. Option D is wrong because using gcloud to delete the public IP and assign a new private IP does not provide outbound internet access; the VM would lose connectivity to the internet unless Cloud NAT or another outbound mechanism is configured first.

808
Multi-Selectmedium

An organization wants to restrict the creation of service accounts to only certain projects. Which two approaches can achieve this? (Choose two.)

Select 2 answers
A.Use a deny policy to block service account creation in all projects except the allowed ones.
B.Create a custom role with iam.serviceAccounts.create permission and assign it to a group, then use IAM conditions to restrict the resource to specific projects.
C.Grant the roles/iam.serviceAccountAdmin role only to users in the allowed projects.
D.Use an organization policy with constraint constraints/iam.disableServiceAccountCreation set to True at the org level, and then create a folder policy to allow creation in specific folders.
E.Create a separate organization for the allowed projects.
AnswersB, D

IAM conditions can limit the scope of a role to specific projects.

Why this answer

Two valid approaches: use organization policy with overrides (A) or use IAM conditions in custom roles (C).

809
MCQmedium

A pharmaceutical company uses Google Cloud to process clinical trial data subject to HIPAA. They must ensure that only authorized applications can access the data, even if credentials are compromised. Which security control should they implement?

A.Use Workload Identity Federation to allow workloads to access data without service account keys.
B.Use service account impersonation with IAM conditions to restrict access to specific trusted applications.
C.Create a VPC Service Control perimeter that allows only specific service accounts to access the data.
D.Require users to MFA and use IAM roles to grant access.
AnswerB

Impersonation with conditions limits the use of service accounts to specific callers, reducing blast radius.

Why this answer

Option B is correct because service account impersonation with IAM conditions allows the company to bind access to specific trusted applications by requiring that the caller present a specific service account identity. Even if credentials are compromised, the attacker cannot impersonate that service account unless they also satisfy the IAM conditions (e.g., resource tags, IP ranges, or application identity). This directly addresses the requirement to restrict access to authorized applications only, as per HIPAA's minimum necessary standard.

Exam trap

The trap here is that candidates confuse authentication (who you are) with authorization (what you can do) and pick MFA or VPC perimeters, missing that the question explicitly requires application-level restriction even after credential compromise, which only impersonation with conditions provides.

How to eliminate wrong answers

Option A is wrong because Workload Identity Federation eliminates the need for service account keys but does not restrict access to specific applications; it only authenticates external workloads without keys, so a compromised credential could still be used from any federated identity. Option C is wrong because VPC Service Controls create a security perimeter around resources but do not enforce application-level authorization; they block data exfiltration based on network context, not application identity. Option D is wrong because MFA and IAM roles authenticate users, not applications; if a user's credentials are compromised, the attacker can still access data from any application the user has permission to use, failing the 'only authorized applications' requirement.

810
MCQmedium

An engineer needs to configure automatic key rotation for a symmetric encryption key in Cloud KMS. They have set the rotation period to 90 days. What happens to the old key material after rotation?

A.The old key version is disabled and can be re-enabled if needed.
B.The old key material is immediately deleted.
C.The old key version remains enabled and can still be used for decryption.
D.The old key material is moved to a pending destruction state for 24 hours.
AnswerC

Old key versions remain enabled and can be used to decrypt data encrypted with them.

Why this answer

When a key is rotated, a new key version is created and becomes the primary. The old version is retained and remains available for decrypting data encrypted with it. Key material is not automatically deleted; it can be disabled or scheduled for destruction separately.

811
MCQhard

A company uses Google Cloud Directory Sync to synchronize users from an on-premises Active Directory to Cloud Identity. They want to allow federated access from their external identity provider (IdP) that supports SAML 2.0. The IdP should be able to authenticate users from a specific AD domain. What configuration steps are required?

A.Use Workload Identity Federation to map the external IdP to Google Cloud service accounts.
B.Set up SAML SSO in Cloud Identity using Google as the IdP, and configure AD to trust Google's SAML response for the domain.
C.Configure the external IdP as a SAML identity provider in Cloud Identity, map the AD domain, and enable user provisioning via SCIM.
D.Create a custom OAuth 2.0 flow in Cloud Identity to integrate with the external IdP.
AnswerC

The external IdP acts as the SAML IdP, Cloud Identity as the SP. SCIM is optional but not required for authentication.

Why this answer

For federated access with an external SAML 2.0 IdP, configure the external IdP as a SAML identity provider in Cloud Identity, mapping the appropriate domain.

812
MCQhard

A security engineer wants to ensure that only users from a specific external identity provider (IdP) domain (example.com) can access Google Cloud resources. They have configured SAML SSO with the IdP. However, users from other domains are also able to access resources. What is the most effective way to restrict access to only users from example.com?

A.Set the Organization Policy constraint constraints/iam.allowedPolicyMemberDomains to only allow domain example.com.
B.Use Cloud Identity groups with membership restricted to example.com and grant access to the group only.
C.Configure the IdP to only assert users from example.com.
D.Use IAM Conditions to restrict access to users with a specific claim (e.g., assertion.primary_email ending with @example.com).
AnswerA

This constraint restricts which domains can be used as members in IAM policies, effectively preventing users from other domains from being granted access.

Why this answer

The best approach is to use the Organization Policy constraint 'constraints/iam.allowedPolicyMemberDomains' to restrict which external domains can be members of IAM policies. This prevents users from other domains from being granted roles. Simply blocking at the IdP is not effective because users from other domains could be added as members in IAM.

IAM Conditions can be used on role bindings to restrict access based on the user's domain, but this requires careful application to all policies. The organization policy provides a global enforcement.

813
MCQmedium

Refer to the exhibit. A Security Engineer is reviewing the IAM policy for a project. An administrator reports that a user named admin@example.com cannot create firewall rules, even though the command should allow it. According to the policy, what is the most likely reason?

A.The security-team group has the 'compute.securityAdmin' role, but the user is not in that group.
B.The user has the 'compute.instanceAdmin.v1' role, which conflicts with network admin permissions.
C.The user has the 'compute.networkAdmin' role, which does not include permission to create firewall rules.
D.The IAM policy has an invalid etag, causing the policy to be rejected.
AnswerC

NetworkAdmin can modify networks but not firewall rules; securityAdmin is needed.

Why this answer

Option C is correct because the 'compute.networkAdmin' role in Google Cloud IAM does not include the 'compute.firewalls.create' permission required to create firewall rules. The user has this role, which grants permissions to manage network resources like subnets and routes, but firewall rule creation is a security function that requires the 'compute.securityAdmin' role.

Exam trap

Google Cloud often tests the misconception that 'networkAdmin' implies full control over all network-related resources, including firewalls, when in fact firewall rule management requires a distinct security-focused role.

How to eliminate wrong answers

Option A is wrong because the user is not in the security-team group, but the policy does not indicate that the user's permissions depend on group membership; the issue is the specific role assigned. Option B is wrong because the 'compute.instanceAdmin.v1' role does not conflict with network admin permissions; it is a separate role for managing compute instances, and conflicts are not a factor in IAM—permissions are additive. Option D is wrong because an invalid etag would cause the policy to be rejected during an update, not prevent an existing user from performing an action; the user already has the policy applied.

814
MCQmedium

A security team wants to analyze VPC Flow Logs to investigate a potential data exfiltration incident. The logs are currently stored in Cloud Logging. What is the MOST efficient method to query and visualize the network traffic patterns?

A.Use Log Analytics in Cloud Logging with SQL queries
B.Enable VPC Flow Logs on a new VM and capture traffic
C.Export logs to Cloud Storage and analyze with a local tool
D.Create a log sink to BigQuery and use BigQuery for analysis
AnswerA

Log Analytics allows SQL queries on logs stored in Logging buckets, enabling analysis without export.

Why this answer

Log Analytics (powered by BigQuery) in Cloud Logging provides SQL-based analysis directly on logs without needing to export.

815
MCQmedium

A multinational corporation operates multiple Google Cloud projects across several folders. They have a security requirement to enforce that all Cloud Storage buckets are created with uniform bucket-level access enabled and that no bucket has public access. They want to automatically remediate any non-compliant bucket that violates these policies. Currently, they use Organization Policies to enforce uniform bucket-level access, but they still find some buckets with public access due to exceptions. They have Cloud Security Command Center (Cloud SCC) enabled and receive findings about public buckets. The operations team wants to build a solution that automatically disables public access on non-compliant buckets. Which approach should they take?

A.Create a new Organization Policy that denies public access to all buckets.
B.Configure a Cloud Monitoring alert policy that triggers a webhook to a third-party automation tool.
C.Create a Cloud Security Command Center notification channel for public bucket findings, publish to a Pub/Sub topic, and trigger a Cloud Function that removes public IAM bindings from the bucket.
D.Write a script using gsutil and run it daily via Cloud Scheduler to check all buckets and remove public access.
AnswerC

Automates detection and response in near real-time.

Why this answer

Option B is correct because using Cloud Functions triggered by Cloud SCC notifications allows real-time remediation. Option A is incorrect because Organization Policies can't automatically fix individual buckets after creation. Option C is incorrect because script runs on schedule, not real-time.

Option D is incorrect because Cloud Monitoring alerts are not designed for this automatic remediation.

816
Multi-Selecthard

A company is implementing a zero-trust network architecture on Google Cloud. They want to ensure that all traffic between their on-premises data center and Google Cloud is encrypted and authenticated. Additionally, they need to support high availability across multiple regions. Which two Google Cloud services should they use? (Choose two.)

Select 2 answers
A.Cloud NAT
B.VPC Network Peering
C.Cloud CDN
D.Cloud Interconnect (Dedicated)
E.Cloud VPN
AnswersD, E

Dedicated Interconnect provides high-bandwidth, low-latency connections and supports high availability via multiple VLAN attachments.

Why this answer

Cloud VPN provides encrypted tunnels for secure connectivity. Cloud Interconnect (Dedicated) offers dedicated, low-latency, high-availability connections. Combining both provides encryption (via VPN over Interconnect) and HA.

Option C is incorrect because Cloud NAT is for outbound traffic only. Option D is incorrect because VPC Network Peering is for connecting VPCs within Google Cloud. Option E is incorrect because Cloud CDN is for content delivery, not network connectivity.

817
Multi-Selectmedium

A security team needs to monitor and log all Google Cloud administrator access to customer data stored in Cloud Storage and BigQuery. They want to receive near-real-time alerts when such access occurs. Which two services should they use together? (Choose TWO).

Select 2 answers
A.Access Transparency
B.Cloud DLP
C.Cloud KMS
D.Cloud Audit Logs
E.Cloud Functions
AnswersA, D

Access Transparency logs provide details of Google admin access to customer content.

Why this answer

Access Transparency provides logs of Google admin access to customer content. These logs are delivered to the customer's Cloud project. Cloud Audit Logs can be used to route Access Transparency logs to Pub/Sub, and then Cloud Functions can process them for alerts.

Cloud Monitoring can create alerting policies based on log metrics. Cloud DLP is for data inspection, not for logging access. Cloud KMS is for key management.

818
MCQmedium

An engineer needs to ensure that only VMs with a specific service account (sa-prod@project.iam.gserviceaccount.com) can access a Cloud Spanner instance. They want to control this at the network level, not using IAM. Which VPC firewall rule configuration should they use?

A.Egress rule with source service account 'sa-prod'
B.Ingress rule with target service account 'sa-prod'
C.Egress rule with target service account 'sa-prod'
D.Ingress rule with source tag 'sa-prod'
AnswerC

Egress rules can be applied to VMs using a specific service account as the target.

Why this answer

Firewall rules can target service accounts for egress rules. Since the VMs initiate connections to Spanner, an egress rule with target service account is appropriate.

819
MCQeasy

A company needs to retain critical financial records for 7 years to comply with SEC regulations. They choose to store the records in Cloud Storage. Which feature should they enable to ensure the records cannot be deleted or overwritten before the retention period expires?

A.Enable bucket-level IAM conditions.
B.Configure an object lifecycle rule to delete objects after 7 years.
C.Use Cloud KMS to encrypt objects and destroy the key after 7 years.
D.Apply a retention policy and lock the bucket using Bucket Lock.
AnswerD

Retention policy with Bucket Lock enforces WORM compliance, making objects immutable until the retention period ends.

Why this answer

Object Retention Lock in Cloud Storage allows you to set a retention policy on a bucket, which uses a WORM (Write Once Read Many) model. Once an object is stored, it cannot be deleted or overwritten until the retention period expires. Bucket Lock locks the retention policy, preventing changes.

IAM conditions and lifecycle rules do not enforce immutability.

820
MCQmedium

An organization needs to restrict access to Cloud Storage buckets so that only requests from a specific range of IP addresses (e.g., corporate VPN) are allowed. They also want to block all other IPs. Which combination of services should they use?

A.IAM conditions with source IP
B.Firewall rules with source IP
C.VPC Service Controls with an IP-based access level
D.Cloud Armor with IP allow list
AnswerC

Access levels in VPC Service Controls can be IP-based, and a service perimeter enforces that only requests from those IPs are allowed.

Why this answer

VPC Service Controls create a service perimeter that, combined with an access level based on IP addresses, can restrict access to Google Cloud services such as Cloud Storage to only those IPs. The access level defines the allowed IP ranges.

821
MCQhard

An engineer needs to grant a group of external auditors read-only access to all resources in a specific project. The auditors authenticate via an external SAML 2.0 IdP. What is the most secure and efficient way to set this up?

A.Create individual Google accounts for each auditor and assign them the Viewer role.
B.Configure IAP with the external IdP and grant access to the project's resources through IAP.
C.Use Cloud Directory Sync to sync the auditors from the external IdP as Google Groups, then grant the group Viewer role.
D.Create a custom role with read-only permissions and assign it to each auditor individually.
AnswerC

Cloud Directory Sync can synchronize groups from the IdP. Granting the group the Viewer role is efficient and maintains group membership in the IdP.

Why this answer

The correct approach is to create a Google Group and configure SAML SSO for Cloud Identity. Then, grant the Google Group the 'Viewer' role at the project level. The auditors authenticate via SAML and become members of the group, inheriting the permissions.

822
Multi-Selectmedium

An organization wants to use Web Security Scanner to find vulnerabilities in their web application. Which TWO finding types can Web Security Scanner detect?

Select 2 answers
A.Cross-site scripting (XSS)
B.Insecure deserialization
C.Server-side request forgery (SSRF)
D.Outdated libraries
E.SQL injection
AnswersA, D

Web Security Scanner detects XSS vulnerabilities.

Why this answer

Web Security Scanner detects XSS, mixed content, outdated libraries, and other common web vulnerabilities, but not SQL injection or SSRF.

823
MCQeasy

A developer is running a batch job on Compute Engine that needs to read data from Cloud Storage. What is the recommended way to authenticate the VM to Cloud Storage without managing keys?

A.Use the Compute Engine default service account and grant it the roles/storage.objectViewer role.
B.Create a service account key, download it to the VM, and use it with gcloud auth.
C.Add the user's personal credentials to the VM and use them.
D.Use Application Default Credentials (ADC) from a service account key stored in Secret Manager.
AnswerA

The default service account is automatically attached to the VM. Granting it the Storage role allows the VM to read objects without key management.

Why this answer

The best practice is to use the Compute Engine default service account and grant it the appropriate Storage roles. This avoids managing keys and uses the VM's identity tied to the service account.

824
Multi-Selecthard

A security engineer is designing a data residency strategy for a healthcare organization that must keep all data within the European Union. They plan to use Assured Workloads to meet this requirement. Which THREE additional controls should they implement to further enforce data residency and protect data? (Choose three.)

Select 3 answers
A.Organization policy constraint gcp.resourceLocations set to allow only European regions.
B.VPC Service Controls to prevent data exfiltration to non-approved regions.
C.Cloud HSM to store encryption keys.
D.Cloud DLP to scan for sensitive data.
E.Access Transparency logs to monitor Google personnel access to data.
AnswersA, B, E

This restricts resource creation to specified European regions.

Why this answer

To enforce data residency, you can use Organization Policy constraints to restrict resource locations, VPC Service Controls to prevent data exfiltration, and Access Transparency to monitor Google personnel access. Cloud HSM is about key storage, not residency; Data Loss Prevention is about data classification, not residency.

825
MCQmedium

A company needs to ensure that all data stored in Cloud Storage is encrypted at rest using keys that they generate and manage themselves. They also need to rotate the keys every 90 days. Which encryption option should they use?

A.Customer-supplied encryption keys (CSEK)
B.Cloud External Key Manager (Cloud EKM)
C.Google-managed encryption keys (GMEK)
D.Customer-managed encryption keys (CMEK) using Cloud KMS
AnswerD

CMEK allows customers to manage their own keys in Cloud KMS, including automatic rotation on a schedule.

Why this answer

CMEK gives customers control over key lifecycle, including automatic rotation every 90 days.

Page 10

Page 11 of 14

Page 12