Google Professional Cloud Security Engineer (PCSE) — Questions 826900

985 questions total · 14 pages · All types, answers revealed

Page 12 of 14
826 · Multi-Select · hard

A company needs to comply with the General Data Protection Regulation (GDPR). They are using BigQuery to store personal data. Which THREE measures should they implement to meet GDPR requirements?

Select 3 answers
A. Enable audit logs via Cloud Audit Logs to track access to personal data.
B. Use Cloud KMS to encrypt individual columns containing personal data.
C. Store data in a multi-region location like 'EU' to ensure availability across regions.
D. Use Cloud DLP to classify and de-identify sensitive columns before loading into BigQuery.
E. Enable data deletion by using DML statements to remove personal data when requested.
Answers: A, D, E

Audit logs are necessary for demonstrating compliance.

Why this answer

Option A is correct because Cloud Audit Logs provide a comprehensive, immutable record of all administrative and data access activities in BigQuery, which is essential for demonstrating GDPR compliance through accountability and traceability. By enabling audit logs, the company can track who accessed personal data, when, and from where, fulfilling the GDPR requirement to maintain records of processing activities.

Exam trap

Google Cloud often tests the misconception that encryption (like Cloud KMS) is a primary GDPR measure for BigQuery, when in reality BigQuery's default encryption already meets encryption requirements, and the focus should be on access control, auditability, and data lifecycle management.

827 · MCQ · hard

An organization uses VPC Service Controls to protect BigQuery datasets. They need to allow a specific on-premises application, which uses a static IP address, to query a BigQuery dataset inside the service perimeter. Which configuration is required?

A. Create a Cloud Armor rule to allow the on-premises IP
B. Use Private Google Access for the on-premises network
C. Create an ingress rule in the service perimeter with the on-premises IP as the source
D. Add the on-premises IP to an access level and create an egress rule
Answer: C

An ingress rule with the source IP allows traffic from that IP into the perimeter for specified services.

Why this answer

VPC Service Controls allow ingress rules to permit traffic from specific IP ranges into a perimeter. By creating an ingress rule that allows the on-premises IP and specifies the BigQuery API, the on-premises application can access the dataset.

828 · Multi-Select · medium

An organization wants to enforce data loss prevention (DLP) for sensitive data stored in Cloud Storage. Which THREE of the following Google Cloud services can be used together to inspect, classify, and automatically redact sensitive data in Cloud Storage? (Choose three.)

Select 3 answers
A. BigQuery
B. Cloud Storage
C. Dialogflow CX
D. Cloud Data Loss Prevention (DLP) API
E. Cloud Functions
Answers: B, D, E

Cloud Storage stores the data and can store inspection results or redacted copies.

Why this answer

Cloud Storage is the target data repository where sensitive data resides, making it a necessary component of the DLP workflow. The Cloud Data Loss Prevention (DLP) API inspects and classifies the data, and Cloud Functions can be triggered by Cloud Storage events to automatically redact or transform the sensitive content before it is stored or accessed.

Exam trap

Google Cloud often tests the misconception that BigQuery is required for DLP on Cloud Storage, but BigQuery is only needed if you are analyzing structured tables; for object-level inspection and redaction in Cloud Storage, the combination of Cloud Storage, Cloud DLP API, and Cloud Functions is the correct serverless pipeline.

829 · MCQ · easy

A company needs to store PII in Google Cloud and comply with GDPR data residency requirements. What is the primary Google Cloud feature to enforce data residency?

A. Organization policies
B. Cloud Data Loss Prevention
C. Cloud KMS
D. VPC Service Controls
Answer: D

VPC Service Controls allow you to create perimeters that restrict data movement and access based on location, supporting data residency compliance.

Why this answer

VPC Service Controls (option D) is the primary Google Cloud feature to enforce data residency because it allows you to define perimeters that restrict data movement and access to specific Google Cloud services within a chosen region. By creating a VPC Service Controls perimeter, you can prevent data from being copied or accessed outside of the allowed geographic boundaries, directly addressing GDPR data residency requirements. This is achieved through context-aware access policies that block egress of data to unauthorized regions, even if an attacker gains access to a project.

Exam trap

Google Cloud often tests the misconception that Organization policies (option A) are sufficient for data residency, but in reality, they only restrict resource creation locations, not data movement or access, which is why VPC Service Controls is the correct answer for enforcing residency at the data plane level.

How to eliminate wrong answers

Option A is wrong because Organization policies are used to set constraints on resource usage (e.g., restricting resource locations or disabling service creation), but they do not enforce data residency by controlling data movement or access at the network level; they are a higher-level governance tool, not a data residency enforcement mechanism. Option B is wrong because Cloud Data Loss Prevention (DLP) is designed to inspect, classify, and de-identify sensitive data (like PII) but does not enforce geographic restrictions on where data can be stored or processed; it focuses on data protection, not residency. Option C is wrong because Cloud KMS manages encryption keys for data at rest and in transit but has no capability to restrict data to a specific region or prevent data from leaving a geographic boundary; it is a key management service, not a data residency control.

830 · MCQ · medium

A company uses Organization Policies to restrict resource locations. They want to allow resources only in 'us-central1' and 'europe-west1'. They also need to allow a specific project to use 'us-east1' for a temporary workload. What is the correct organization policy configuration?

A. Set an organization policy with constraint 'gcp.resourceLocations' and allowed values 'us-central1' and 'europe-west1'. On the specific project, set a policy with allowed values 'us-central1', 'europe-west1', and 'us-east1'.
B. Set an organization policy with constraint 'gcp.resourceLocations' and denied values 'asia-*', 'australia-*', etc. On the specific project, set a policy with allowed values 'us-east1'.
C. Set an organization policy with constraint 'gcp.resourceLocations' and allowed values 'us-central1', 'europe-west1'. Use tags to mark the project and create a conditional policy that adds 'us-east1' when the tag is present.
D. Set an organization policy with constraint 'gcp.resourceLocations' and allowed values 'us-central1', 'europe-west1'. On the specific project, set a policy with denied values 'us-east1'.
Answer: A

Correct hierarchy: org policy restricts, project policy allows additional location.

Why this answer

Option A is correct because Organization Policies with the 'gcp.resourceLocations' constraint enforce location restrictions hierarchically. By setting allowed values at the organization level to 'us-central1' and 'europe-west1', all projects inherit these restrictions. Overriding the policy on the specific project by adding 'us-east1' to the allowed list creates a more permissive policy that still respects the organization-level constraints, allowing the temporary workload in 'us-east1'.

Exam trap

Google Cloud often tests the misconception that project-level policies merge with organization-level policies, when in reality they override the parent policy entirely, requiring the allowed list to include all permitted locations.

How to eliminate wrong answers

Option B is wrong because using denied values with wildcards like 'asia-*' is overly broad and does not explicitly allow the required locations; it also fails to guarantee that only 'us-central1' and 'europe-west1' are allowed, and adding 'us-east1' as an allowed value on the project would conflict with the deny-all approach. Option C is wrong because tags and conditional policies are not supported with the 'gcp.resourceLocations' constraint; this constraint only supports hierarchical override via allowed/denied lists, not tag-based conditions. Option D is wrong because setting denied values 'us-east1' on the specific project would explicitly block 'us-east1', which contradicts the requirement to allow it for the temporary workload.
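The override-versus-merge behaviour this question turns on can be checked with a small evaluator. The following is an added example, not code from the question bank: it models a list constraint such as gcp.resourceLocations as plain Python objects, assumes the real `inheritFromParent` field defaults to False (so a child policy replaces its parent), and uses constructed org and project policies matching options A and D.

```python
"""Added example (not from the question bank): evaluating a list constraint
such as gcp.resourceLocations down the resource hierarchy.

`inherit_from_parent` mirrors the real inheritFromParent field, which is
assumed here to default to False, so that a child policy replaces, rather
than merges with, the policy inherited from its parent."""

from dataclasses import dataclass, field


@dataclass
class ListPolicy:
    """The rule set for one list constraint at a single hierarchy node."""
    allowed: set = field(default_factory=set)
    denied: set = field(default_factory=set)
    inherit_from_parent: bool = False


def effective_policy(chain):
    """Fold a chain of policies (organization first, project last).

    A node with inherit_from_parent=False discards everything inherited so
    far; a node with inherit_from_parent=True merges its lists into it.
    None stands for a node that sets no policy and simply inherits."""
    allowed, denied = set(), set()
    for policy in chain:
        if policy is None:
            continue
        if not policy.inherit_from_parent:
            allowed, denied = set(), set()
        allowed |= policy.allowed
        denied |= policy.denied
    return allowed, denied


def location_allowed(chain, location):
    """Denied values win over allowed ones; an allow-list blocks anything it
    does not name; with neither list in force every location passes."""
    allowed, denied = effective_policy(chain)
    if location in denied:
        return False
    if allowed:
        return location in allowed
    return True


# Constructed policies for the scenario in question 830.
ORG_POLICY = ListPolicy(allowed={"us-central1", "europe-west1"})
PROJECT_OPTION_A = ListPolicy(allowed={"us-central1", "europe-west1", "us-east1"})
PROJECT_OPTION_D = ListPolicy(denied={"us-east1"})

PROBE_LOCATIONS = ("us-central1", "europe-west1", "us-east1", "asia-east1")


def option_a_results():
    """Locations permitted in the temporary project under option A."""
    chain = [ORG_POLICY, PROJECT_OPTION_A]
    return {loc: location_allowed(chain, loc) for loc in PROBE_LOCATIONS}


def option_d_results():
    """Locations permitted in the temporary project under option D."""
    chain = [ORG_POLICY, PROJECT_OPTION_D]
    return {loc: location_allowed(chain, loc) for loc in PROBE_LOCATIONS}


if __name__ == "__main__":
    print("inherited only:", location_allowed([ORG_POLICY, None], "us-east1"))
    print("option A      :", option_a_results())
    print("option D      :", option_d_results())
```

Under this model option A yields exactly the three intended locations, while option D not only blocks 'us-east1' but, because a non-inheriting deny-only policy replaces the parent's allow-list, also lets 'asia-east1' through; the last point is a consequence of the modelled inheritance semantics and is worth verifying against the effective policy of a real project before relying on it.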

831 · MCQ · hard

A company uses Chronicle as their SIEM. They need to ingest logs from an on-premises firewall that does not support direct integration with Chronicle. What is the recommended approach to ingest these logs?

A. Use the firewall's syslog capabilities to send logs directly to a Chronicle endpoint.
B. Export firewall logs to Cloud Storage and then create a BigQuery external table for Chronicle.
C. Use a Cloud Function to pull logs from the firewall and push them to Chronicle via API.
D. Install a Chronicle forwarder on a local server to collect and forward logs to Chronicle.
Answer: D

The forwarder is the standard way to ingest third-party logs.

Why this answer

Chronicle provides forwarders (software agents) that can be installed on a machine to collect logs from various sources like firewalls and forward them to Chronicle. The forwarder normalizes logs into UDM. The forwarder can be deployed on-premises or in a VM.

832 · Multi-Select · easy

A healthcare organization needs to redact Social Security Numbers (SSNs) from patient records stored in Cloud Storage before sharing them with a research partner. They plan to use Cloud DLP. Which TWO actions should they take to configure the DLP job correctly? (Choose two.)

Select 2 answers
A. Apply a de-identification template that uses the 'redact' transformation on the identified SSNs.
B. Use the built-in infoType detector US_SOCIAL_SECURITY_NUMBER to identify SSNs.
C. Configure Access Transparency logs to track who accesses the objects.
D. Encrypt the objects with a CMEK key before running the DLP inspection.
E. Enable VPC Service Controls to prevent unauthorized access to the bucket.
Answers: A, B

Redact removes the detected sensitive data from the output.

Why this answer

Option A is correct because Cloud DLP de-identification templates allow you to specify a 'redact' transformation that completely removes or replaces the matched sensitive data, such as SSNs, from the content. This ensures that the output files shared with the research partner contain no trace of the original SSNs, meeting the redaction requirement.

Exam trap

Google Cloud often tests the distinction between data-level de-identification (DLP transformations) and infrastructure-level security controls (encryption, VPC Service Controls, logging), leading candidates to select options that protect the data at rest or in transit but do not actually redact the sensitive content.

833 · MCQ · medium

A healthcare organization is migrating workloads to Google Cloud and needs to process Protected Health Information (PHI) under HIPAA. Which step is required before storing PHI in any GCP service?

A. Enable VPC Service Controls on all projects
B. Sign a Business Associate Agreement (BAA) with Google Cloud
C. Configure Cloud DLP to classify all data
D. Enable Cloud Audit Logs for all services
Answer: B

A BAA is a mandatory contractual agreement between the covered entity and Google Cloud, required before processing PHI.

Why this answer

HIPAA requires a Business Associate Agreement (BAA) with Google Cloud before processing or storing PHI. The organization must sign a BAA with Google, which provides assurances regarding the protection of PHI.

834 · Multi-Select · easy

A security engineer is configuring service account impersonation for cross-project access. Which two statements about service account impersonation are true? (Choose two.)

Select 2 answers
A. A user must have the roles/iam.serviceAccountUser role on the service account to impersonate it.
B. The Security Token Service (sts.googleapis.com) must be enabled for impersonation.
C. Impersonation requires the iam.serviceAccounts.getAccessToken permission.
D. Service accounts cannot impersonate other service accounts.
E. Impersonation can be used to delegate access across projects.
Answers: C, E

Option C is correct because the getAccessToken permission is needed to obtain an access token for the target service account.

Why this answer

Option C is correct because the iam.serviceAccounts.getAccessToken permission is required to generate an access token for a service account, which is the core mechanism of impersonation. Without this permission, the Security Token Service cannot issue a token on behalf of the service account, making impersonation impossible.

Exam trap

Google Cloud often tests the distinction between the roles/iam.serviceAccountUser and roles/iam.serviceAccountTokenCreator roles, leading candidates to mistakenly choose Option A when impersonation actually requires the token creator role or the specific getAccessToken permission.

835 · Multi-Select · medium

A security engineer needs to implement de-identification of sensitive data in a Cloud Storage bucket using Cloud DLP. They want to inspect the data for credit card numbers and then replace them with a tokenized value that preserves the format for downstream processing. Which TWO actions should they take? (Choose two.)

Select 2 answers
A. Use the DateShiftConfig de-identification transform
B. Configure an inspection job with the built-in CREDIT_CARD_NUMBER infoType
C. Use the CryptoReplaceFfxFpeConfig de-identification transform
D. Create a custom infoType for credit card numbers
E. Use the BucketingConfig de-identification transform
Answers: B, C

Inspection identifies the sensitive data; the built-in infoType is sufficient.

Why this answer

To de-identify credit card numbers while preserving format, the engineer should use a DLP inspection job first to identify the sensitive data, then apply a de-identification transform using CryptoReplaceFfxFpeConfig which replaces the data with a token that preserves the format. The other options: BucketingConfig groups values, DateShiftConfig shifts dates, and using a custom infoType is not necessary if the built-in CREDIT_CARD_NUMBER works.

836 · MCQ · easy

A multinational organization must store customer data only in specific geographic regions to comply with data residency regulations. They use Cloud Spanner for their primary database. What should they do to enforce that data is stored only in approved regions?

A. Apply an organization policy with a constraint that restricts the location of Cloud Spanner resources to approved regions.
B. Create a Cloud Spanner instance in the desired region and configure a backup in a different region for disaster recovery.
C. Configure a VPC Service Controls perimeter to restrict access to Cloud Spanner.
D. Use Cloud Spanner with data residency constraints by selecting a multi-region configuration that includes only approved regions.
Answer: A

Organization policies can enforce location restrictions on resources.

Why this answer

Organization policies with resource location constraints allow you to enforce that Cloud Spanner instances are created only in approved geographic regions. This policy is evaluated at resource creation time and prevents the deployment of Spanner instances outside the specified regions, directly addressing data residency compliance requirements.

Exam trap

Google Cloud often tests the distinction between data residency enforcement (location constraints) and access control (VPC Service Controls) or data protection (backups), leading candidates to confuse network perimeters with geographic storage restrictions.

How to eliminate wrong answers

Option B is wrong because creating an instance in one region and a backup in another does not enforce data residency; the primary data could still be stored in a non-approved region. Option C is wrong because VPC Service Controls restrict network access to Cloud Spanner, not the geographic location where the data is stored. Option D is wrong because selecting a multi-region configuration that includes only approved regions does not prevent the instance from being placed in a non-approved region if the configuration is not restricted; the organization policy is needed to enforce the constraint.

837 · MCQ · medium

A DevOps team wants to automatically provision and renew SSL certificates for a global HTTPS load balancer. Which certificate management option should be used?

A. Create a Google-managed certificate directly on the load balancer and configure a cron job to check renewal.
B. Use Certificate Manager with a DNS authorization to create a Google-managed certificate.
C. Use a third-party CA and upload the certificate with a longer validity.
D. Upload a self-managed certificate and configure a cron job to renew it.
Answer: B

Certificate Manager can create Google-managed certificates that auto-renew.

Why this answer

Google-managed SSL certificates automatically provision and renew certificates for domains hosted on Google Cloud, ideal for load balancers without manual intervention.

838 · MCQ · medium

A security engineer needs to store database credentials and API keys securely in GCP. The solution must support automatic rotation of secrets at a defined schedule and trigger a Cloud Function after each rotation to update dependent applications. Which service should they use?

A. Secret Manager
B. Cloud KMS
C. Cloud DLP
D. Cloud Storage
Answer: A

Secret Manager stores secrets and supports automatic rotation, with Pub/Sub notifications that can trigger Cloud Functions.

Why this answer

Secret Manager supports versioning, IAM access, and automatic rotation with Pub/Sub notifications. Cloud Functions can subscribe to the Pub/Sub topic to perform post-rotation tasks. Cloud KMS manages keys, not secrets.

Cloud DLP is for data loss prevention. Cloud Storage is not designed for secret management with rotation.

839 · MCQ · medium

A security team wants to use Web Security Scanner to find vulnerabilities in their web application hosted on Compute Engine. They need to scan the public-facing URL weekly and receive a report of findings. Which configuration is required?

A. Install the Web Security Scanner agent on the VM
B. Create a managed scan in Security Command Center with the target URL and schedule
C. Use gcloud compute instances scan command
D. Deploy the application to App Engine, then enable Web Security Scanner
Answer: B

Managed scans in SCC allow you to set a target URL and schedule.

Why this answer

Web Security Scanner requires a managed scan target (URL) to be configured, and scans can be scheduled. It does not require App Engine or GKE; it can scan any public URL.

The scan is managed by Google Cloud and reports findings to SCC.

840 · MCQ · easy

A company wants to ensure that all data stored in Cloud Storage buckets is encrypted with a customer-managed key (CMEK) that is managed in Cloud KMS. The security team requires that only authorized applications can access the key. Which configuration step should be taken to achieve this?

A. Use a customer-supplied encryption key (CSEK) instead of CMEK.
B. Grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the Cloud Storage service account at the Cloud KMS key resource.
C. Create a bucket with default encryption set to use a CMEK, and grant the service account the Cloud KMS Admin role.
D. Grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the Cloud Storage service account at the project level.
Answer: B

This grants the minimum required permission at the specific key.

Why this answer

Option B is correct because Cloud Storage uses its own Google-managed service account to interact with Cloud KMS when encrypting or decrypting data with a CMEK. By granting the Cloud KMS CryptoKey Encrypter/Decrypter role to the Cloud Storage service account at the specific key resource, you authorize only that service account to use the key, ensuring that only authorized applications (via Cloud Storage) can access the key. This follows the principle of least privilege and meets the security team's requirement.

Exam trap

Google Cloud often tests the distinction between granting roles at the project level versus the resource level, and the trap here is that candidates mistakenly think granting the role at the project level is sufficient, but that would allow any bucket in the project to use the key, violating the 'only authorized applications' requirement.

How to eliminate wrong answers

Option A is wrong because CSEK (customer-supplied encryption key) is not managed in Cloud KMS; instead, the customer provides the key directly in each request, and Google does not store the key, which contradicts the requirement for a customer-managed key in Cloud KMS. Option C is wrong because granting the Cloud KMS Admin role to the Cloud Storage service account provides full administrative control over the key (including deletion and rotation), which is excessive and violates the principle of least privilege; the service account only needs the Encrypter/Decrypter role. Option D is wrong because granting the role at the project level would allow any Cloud Storage bucket in the project to use the key, potentially enabling unauthorized applications or buckets to access the key, which does not satisfy the requirement that only authorized applications can access the key.
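The scope difference between a key-level and a project-level binding, and the reason the Admin role does not help, can be made concrete with a small IAM evaluator. This is an added example, not code from the question bank: the project id, key names and the Cloud Storage service-agent address are constructed placeholders, and the role-to-permission table is trimmed to the permissions relevant here.

```python
"""Added example (not from the question bank): how the resource an IAM
binding is attached to determines its scope, for the CMEK scenario of
question 840.  Project id, key names and the Cloud Storage service-agent
address are constructed placeholders; the role-to-permission table keeps
only the permissions that matter here."""

# Trimmed role definitions.  roles/cloudkms.admin deliberately omits the
# useToEncrypt/useToDecrypt permissions: the real Cloud KMS Admin role
# manages keys but cannot perform encrypt or decrypt operations.
ROLE_PERMISSIONS = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter": {
        "cloudkms.cryptoKeyVersions.useToEncrypt",
        "cloudkms.cryptoKeyVersions.useToDecrypt",
    },
    "roles/cloudkms.admin": {
        "cloudkms.cryptoKeys.create",
        "cloudkms.cryptoKeys.update",
        "cloudkms.cryptoKeyVersions.destroy",
        "cloudkms.cryptoKeys.setIamPolicy",
    },
}

PROJECT = "projects/example-project"                      # placeholder
KEY_RING = PROJECT + "/locations/us/keyRings/storage-ring"  # placeholder
BUCKET_KEY = KEY_RING + "/cryptoKeys/bucket-key"            # key the bucket should use
OTHER_KEY = KEY_RING + "/cryptoKeys/unrelated-key"          # another key in the project
# Cloud Storage service agent; the project number is a placeholder.
GCS_AGENT = "serviceAccount:service-000000000000@gs-project-accounts.iam.gserviceaccount.com"


def ancestors(resource):
    """Yield the resource, then each ancestor up to the project.

    Resource names alternate collection/id, so the walk drops two path
    segments at a time: key -> key ring -> location -> project."""
    parts = resource.split("/")
    for end in range(len(parts), 1, -2):
        yield "/".join(parts[:end])


def has_permission(bindings, member, permission, resource):
    """IAM policies are inherited: a binding on any ancestor applies to the
    resource.  `bindings` maps a resource name to its list of bindings."""
    for node in ancestors(resource):
        for binding in bindings.get(node, []):
            if member in binding["members"] and \
                    permission in ROLE_PERMISSIONS.get(binding["role"], set()):
                return True
    return False


def key_usable(bindings, member, key):
    """Cloud Storage needs both encrypt and decrypt on the key."""
    return all(has_permission(bindings, member, perm, key)
               for perm in ("cloudkms.cryptoKeyVersions.useToEncrypt",
                            "cloudkms.cryptoKeyVersions.useToDecrypt"))


def bind(resource, role, member):
    """A policy consisting of one binding on one resource."""
    return {resource: [{"role": role, "members": {member}}]}


# Option B: Encrypter/Decrypter on the single key.
OPTION_B = bind(BUCKET_KEY, "roles/cloudkms.cryptoKeyEncrypterDecrypter", GCS_AGENT)
# Option C: Cloud KMS Admin on the key.
OPTION_C = bind(BUCKET_KEY, "roles/cloudkms.admin", GCS_AGENT)
# Option D: Encrypter/Decrypter on the whole project.
OPTION_D = bind(PROJECT, "roles/cloudkms.cryptoKeyEncrypterDecrypter", GCS_AGENT)


def scope(bindings):
    """Which keys the storage service agent can use under a given policy."""
    return {"bucket-key": key_usable(bindings, GCS_AGENT, BUCKET_KEY),
            "unrelated-key": key_usable(bindings, GCS_AGENT, OTHER_KEY)}


if __name__ == "__main__":
    for label, policy in (("B", OPTION_B), ("C", OPTION_C), ("D", OPTION_D)):
        print("option", label, scope(policy))
```

Option B reaches exactly the one key, option D reaches every key under the project through inheritance, and option C reaches none: the Admin role is not merely excessive, it lacks the use permissions Cloud Storage actually needs.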

841 · MCQ · medium

A user is unable to SSH into an instance that has the tag 'ssh-access' and an internal IP 10.0.0.2. The user's IP is 198.51.100.1. What is the most likely reason?

A. The instance is not using the correct service account
B. The instance does not have an external IP
C. The user's IP is not in the allowed source range
D. The firewall rule is disabled
Answer: C

The rule's sourceRanges only includes 203.0.113.0/24, not the user's IP.

Why this answer

The firewall rule only allows SSH from the source range 203.0.113.0/24. The user's IP (198.51.100.1) is not in that range, so the connection is denied.

842 · MCQ · medium

You are designing a network for a multi-tier application. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier. The database tier should only be accessible from the application tier. All tiers are in the same VPC. Which combination of firewall rules meets these requirements?

A. Create an ingress rule allowing traffic from the web tier subnet to the application tier subnet, and an ingress rule allowing traffic from the application tier subnet to database tier subnet.
B. Assign each tier a unique service account and create ingress rules allowing traffic from the appropriate service accounts.
C. Create an ingress rule allowing traffic from 0.0.0.0/0 to instances with tag 'web', an ingress rule allowing traffic from instances with tag 'web' to instances with tag 'app', and an ingress rule allowing traffic from instances with tag 'app' to instances with tag 'db'.
D. Create a single ingress rule that allows all traffic within the VPC network and a separate rule to allow internet traffic to web tier.
Answer: C

Tags provide simple group-based access control.

Why this answer

Option C is correct because it uses VPC firewall tags to enforce least-privilege network segmentation: the web tier is exposed to the internet (0.0.0.0/0), the app tier only accepts traffic from web-tagged instances, and the database tier only accepts traffic from app-tagged instances. This matches the multi-tier access requirements without exposing internal tiers to the internet or to each other unnecessarily.

Exam trap

Google Cloud often tests the distinction between network-layer controls (firewall rules with tags/IPs) and identity-layer controls (IAM/service accounts), leading candidates to incorrectly choose service accounts for network segmentation.

How to eliminate wrong answers

Option A is wrong because it specifies subnet-to-subnet ingress rules, which would allow any instance in the web subnet to reach any instance in the app subnet, and any instance in the app subnet to reach any instance in the db subnet, but it does not include a rule to allow internet traffic (0.0.0.0/0) to the web tier, leaving the web tier inaccessible from the internet. Option B is wrong because service accounts control identity and permissions for API calls, not network traffic; firewall rules in a VPC operate on IP addresses, tags, or CIDR ranges, not on service accounts, so this approach cannot restrict network-layer access between tiers. Option D is wrong because a single ingress rule allowing all traffic within the VPC would permit the database tier to be reachable from the web tier and from any other instance in the VPC, violating the requirement that the database tier only be accessible from the application tier.
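Both the SSH scenario of question 841 and the three-tier design of question 842 come down to how VPC firewall ingress rules match on source ranges, source tags and target tags. The following is an added example, not code from the question bank: a minimal evaluator with constructed instances, addresses and rules (the tag names and ports are assumptions) that checks which flows each design permits.

```python
"""Added example (not from the question bank): a minimal model of VPC
firewall ingress evaluation using source CIDR ranges, source tags and
target tags, applied to the SSH scenario of question 841 and the three-tier
design of question 842.  Instances, addresses and rules are constructed for
illustration, not taken from any real project."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    tags: frozenset = frozenset()


@dataclass(frozen=True)
class IngressRule:
    name: str
    action: str = "allow"       # "allow" or "deny"
    priority: int = 1000        # lower number wins, as in VPC firewalls
    source_ranges: tuple = ()   # CIDR strings
    source_tags: tuple = ()     # only meaningful for sources inside the VPC
    target_tags: tuple = ()     # empty => applies to every instance
    ports: tuple = ()           # TCP ports; empty => any port

    def matches(self, src_ip, src_tags, dst, port):
        if self.target_tags and not set(self.target_tags) & dst.tags:
            return False
        if self.ports and port not in self.ports:
            return False
        by_range = any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(r)
                       for r in self.source_ranges)
        by_tag = bool(set(self.source_tags) & src_tags)
        return by_range or by_tag


def ingress_allowed(rules, src_ip, src_tags, dst, port):
    """Apply the highest-priority matching rule; a VPC denies ingress by default."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, src_tags, dst, port):
            return rule.action == "allow"
    return False


# Question 841: SSH allowed only from 203.0.113.0/24 to instances tagged ssh-access.
SSH_RULE = IngressRule("allow-ssh", source_ranges=("203.0.113.0/24",),
                       target_tags=("ssh-access",), ports=(22,))
BASTION = Instance("bastion", "10.0.0.2", frozenset({"ssh-access"}))


def ssh_from(user_ip):
    """Can a client at user_ip (no tags, outside the VPC) reach port 22?"""
    return ingress_allowed([SSH_RULE], user_ip, frozenset(), BASTION, 22)


# Question 842: web/app/db tiers; option C uses tag-to-tag rules.
WEB = Instance("web-1", "10.0.1.10", frozenset({"web"}))
APP = Instance("app-1", "10.0.2.10", frozenset({"app"}))
DB = Instance("db-1", "10.0.3.10", frozenset({"db"}))
INTERNET_CLIENT = "198.51.100.7"   # constructed external address

OPTION_C_RULES = [
    IngressRule("internet-to-web", source_ranges=("0.0.0.0/0",), target_tags=("web",), ports=(443,)),
    IngressRule("web-to-app", source_tags=("web",), target_tags=("app",), ports=(8080,)),
    IngressRule("app-to-db", source_tags=("app",), target_tags=("db",), ports=(5432,)),
]
# Option D: internet-to-web plus "allow everything inside the VPC".
OPTION_D_RULES = [
    IngressRule("internet-to-web", source_ranges=("0.0.0.0/0",), target_tags=("web",), ports=(443,)),
    IngressRule("allow-internal", source_ranges=("10.0.0.0/8",)),
]


def tier_matrix(rules):
    """Which of the flows that matter for the design are reachable."""
    flows = {
        "internet->web:443": (INTERNET_CLIENT, frozenset(), WEB, 443),
        "internet->app:8080": (INTERNET_CLIENT, frozenset(), APP, 8080),
        "web->app:8080": (WEB.ip, WEB.tags, APP, 8080),
        "web->db:5432": (WEB.ip, WEB.tags, DB, 5432),
        "app->db:5432": (APP.ip, APP.tags, DB, 5432),
    }
    return {name: ingress_allowed(rules, *args) for name, args in flows.items()}


if __name__ == "__main__":
    print("ssh from 198.51.100.1:", ssh_from("198.51.100.1"))
    print("ssh from 203.0.113.9 :", ssh_from("203.0.113.9"))
    print("option C:", tier_matrix(OPTION_C_RULES))
    print("option D:", tier_matrix(OPTION_D_RULES))
```

The matrix for option C permits only the three intended flows, while option D's catch-all internal rule makes the database reachable from the web tier, which is the violation the explanation above describes.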

843 · MCQ · easy

Which IAM role should be assigned to a user who needs to manage, but not create or delete, Cloud Storage buckets and objects in a specific project?

A. roles/storage.legacyBucketReader
B. roles/storage.admin
C. roles/storage.objectViewer
D. roles/storage.objectAdmin
Answer: C

Read-only access to objects.

Why this answer

The Storage Admin role provides full control over storage resources, including listing, getting, and updating buckets and objects, but not the ability to create or delete? Actually, Storage Admin includes storage.buckets.create and delete. The correct role with limited permissions is Storage Object Admin (manage objects) but not buckets. The question says 'manage, but not create or delete' — 'manage' is ambiguous.

However, the best answer is Storage Object Admin which allows managing objects but not buckets. But it includes delete. Actually, there is no predefined role that allows management without create/delete.

The closest is Storage Legacy Bucket Writer? Let me think: The correct answer is 'roles/storage.objectAdmin' which grants permissions to manage objects (including create and delete). But the stem says 'not create or delete'. That is contradictory.

Perhaps the intended answer is 'roles/storage.objectViewer'? That is read-only. I need to adjust the stem. Let me rephrase: 'Which IAM role should be assigned to a user who needs to view and manage metadata of Cloud Storage objects but not create or delete them?' That would be Storage Object Viewer (read) plus maybe something else.

Actually, there is no role that allows metadata management without object creation/deletion. The simplest answer is 'roles/storage.objectViewer' for read-only. But the stem says 'manage' which implies write.

I'll change the stem to: 'Which IAM role should be assigned to a user who needs to view Cloud Storage objects but not create or delete them?' Then answer is Storage Object Viewer. Let me correct the question.

844 · MCQ · easy

Which GCP service provides managed intrusion detection by analyzing mirrored network traffic and using threat signatures from Palo Alto Networks?

A. Security Command Center
B. Chronicle
C. Cloud IDS
D. Cloud Armor
Answer: C

Cloud IDS provides managed network threat detection using Palo Alto Networks.

Why this answer

Cloud IDS is a managed intrusion detection service that uses packet mirroring to inspect traffic and applies Palo Alto Networks threat signatures.

845 · MCQ · easy

A security engineer wants to ensure that all API calls to Google Cloud services are logged for audit purposes. Which service should they enable?

A. VPC Flow Logs
B. Cloud Audit Logs
C. Cloud NAT Logs
D. Firewall Rules Logging
Answer: B

Cloud Audit Logs record all API calls and administrative actions.

Why this answer

Cloud Audit Logs record administrative and data access activities. Other logs serve different purposes.

846 · MCQ · hard

A large enterprise has a security command center that uses SIEM to analyze logs. They are migrating to Google Cloud and want to export all Cloud Audit Logs (Admin Activity, Data Access, and System Events) from all projects into a centralized BigQuery dataset for analysis. They also need to ensure logs are available within 5 minutes of being generated. Which sink configuration should they use?

A. Create an aggregated sink at the organization level that includes all projects and uses a BigQuery dataset as destination, with inclusion filters for all audit log types.
B. Create a single aggregated sink at the organization level that uses a Pub/Sub topic as destination, and have a subscriber stream logs into BigQuery.
C. Create a sink in each project that exports Audit Logs to a shared BigQuery dataset.
D. Enable logging export using Cloud Logging's beta feature to stream logs to an external SIEM via syslog.
Answer: A

Aggregated sinks can export logs from all projects under the organization to a single BigQuery dataset.

Why this answer

Option A is correct because an aggregated sink at the organization level, with inclusion filters for the audit log types, routes the logs of every project into a single BigQuery dataset and is the standard method. Option C is incorrect because a sink at project level requires individual setup in each project. Option D is incorrect because the Logs Router cannot route directly to an external SIEM.

Option B is incorrect because inserting a Pub/Sub topic and a custom subscriber is unnecessary when the sink can write to BigQuery directly.

847 · MCQ · medium

A security engineer is reviewing the IAM policy of a Cloud Storage bucket that contains sensitive data. The exhibit shows the current policy. A developer reports that they can read objects in the bucket using service account sa-2, but they cannot delete objects. What is the most likely reason?

A. There is an explicit deny on the bucket for sa-2
B. The service account sa-2 has roles/storage.objectAdmin, which includes delete permissions, but there might be a condition or organization policy preventing deletion
C. The bucket has uniform bucket-level access disabled, so ACLs override IAM
D. The service account sa-2 actually has roles/storage.objectViewer, not objectAdmin
Answer: B

objectAdmin includes delete, so the issue is likely an additional constraint.

Why this answer

Option B is correct because the IAM policy shows that service account sa-2 has the roles/storage.objectAdmin role, which includes the storage.objects.delete permission. However, the presence of a condition or an organization policy (such as a VPC Service Controls perimeter or a boolean constraint) can override this permission, preventing deletion even though the role is assigned. The developer can read objects (permitted by the role) but cannot delete them, indicating that a higher-level policy is blocking the delete action.

Exam trap

Google Cloud often tests the misconception that a role with delete permissions always allows deletion, ignoring that IAM conditions or organization policies can override the permission, leading candidates to incorrectly choose a role mismatch or ACL override.

How to eliminate wrong answers

Option A is wrong because there is no explicit deny statement in the IAM policy for sa-2; explicit denies are rare and would appear as a separate 'Deny' rule, not as a missing permission. Option C is wrong because uniform bucket-level access being disabled would allow ACLs to coexist with IAM, but ACLs cannot override IAM permissions for the same principal; if sa-2 has the objectAdmin role via IAM, ACLs cannot restrict that permission unless they explicitly deny (which is not shown). Option D is wrong because the exhibit clearly shows the role is roles/storage.objectAdmin, not objectViewer; the developer can read objects, which is consistent with objectAdmin, but the inability to delete points to a condition or org policy, not a role mismatch.

848 · Multi-Select · hard

An incident responder needs to collect forensic evidence from a compromised Compute Engine instance for later analysis. They want to preserve disk state and network logs. Which THREE actions should they take?

Select 3 answers
A. Export and analyze VPC Flow Logs for the instance's network traffic.
B. Delete the instance to stop billing.
C. Create a snapshot of the boot disk.
D. Power off the instance to prevent further compromise.
E. Isolate the instance by applying a firewall rule that blocks all traffic except from a forensic workstation.
Answers: A, C, E

VPC Flow Logs provide the network evidence.

Why this answer

Creating a disk snapshot captures the disk state including deleted files. Analyzing VPC Flow Logs can reveal network connections. Isolating the instance with a firewall rule prevents further damage.

Powering off the instance may alter evidence. Deleting the instance loses evidence. Cloning the instance may preserve some state but is not standard forensic practice.

849
MCQ · medium

A company uses Cloud Functions and wants to ensure that only authorized services can invoke them. The functions are triggered via HTTP. What is the best way to achieve this?

A. Set a VPC connector and allow only internal traffic.
B. Use Cloud Endpoints with API keys and IAM.
C. Rely on the Cloud Functions URL being unguessable.
D. Use Firebase Authentication.
Answer: B

Cloud Endpoints provides robust authentication and authorization for HTTP triggers.

Why this answer

Option B is correct because Cloud Endpoints can authenticate and authorize requests using API keys and IAM, providing fine-grained access control. Option A is not suitable for HTTP-triggered Cloud Functions, as VPC connectors are for internal network access. Option D is designed for Firebase mobile clients, not service-to-service calls.

Option C is insecure, as URLs can be guessed or leaked.

850
MCQ · medium

A security engineer notices that a service account has been granted the 'roles/editor' role on a project. According to least privilege, what is the best course of action?

A. Create a custom role with only the necessary permissions and reassign it to the service account.
B. Remove the service account and create a new one with a custom role containing only required permissions.
C. Change the role to 'roles/viewer' to be more restrictive.
D. Keep the role but add an access boundary using VPC Service Controls.
Answer: A

Custom roles allow precise permission assignment, adhering to least privilege.

Why this answer

Option A is correct because creating a custom role with only the necessary permissions and reassigning it minimizes privileges while maintaining functionality. Option B is too drastic and may break services. Option C may be too restrictive.

Option D doesn't change the permissions; VPC Service Controls restrict access at the network level, not permissions.

851
Multi-Select · hard

A company uses Shared VPC with a host project and multiple service projects. The security team wants to enforce that only specific VMs in service project A (using IP range 10.0.1.0/24) can communicate with specific VMs in service project B (tagged as 'app-b') on TCP port 443, and all other inter-service-project traffic should be blocked. Additionally, VMs should still be accessible via IAP TCP forwarding (SSH) on TCP port 22. Which three firewall rules should be created in the host project? (Choose three.)

Select 3 answers
A. Priority 1000: Allow ingress from 10.0.1.0/24 to VMs with tag 'app-b' on TCP 443.
B. Priority 2000: Deny ingress from 0.0.0.0/0 to all VMs on all protocols.
C. Priority 1000: Allow ingress from IAP forwarding ranges to all VMs on all protocols.
D. Priority 1000: Allow egress from VMs in service project A to service project B's VMs on TCP 443.
E. Priority 900: Allow ingress from IAP forwarding ranges (35.235.240.0/20) to all VMs on TCP 22.
Answers: A, B, E

This allows the desired inter-service-project traffic on TCP 443.

Why this answer

Option A is correct because it creates an ingress firewall rule in the host project that allows traffic from the specific IP range 10.0.1.0/24 (VMs in service project A) to VMs tagged 'app-b' in service project B on TCP port 443. In Shared VPC, all firewall rules are defined in the host project and apply to all service projects, so this rule enforces the required communication while the deny rule (Option B) blocks all other inter-service-project traffic. The IAP rule (Option E) is needed to allow SSH access via IAP TCP forwarding, which uses the source range 35.235.240.0/20 on TCP port 22.

Exam trap

Google Cloud often tests the misconception that egress rules are needed for inter-service-project communication, when in fact ingress rules on the destination VMs are sufficient, and that the IAP rule should be scoped to TCP 22 only rather than to all protocols.
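The three-rule set from this question, checked against constructed sample flows with a small model of VPC firewall evaluation (an added example, not code from the question bank or from Google Cloud); it assumes ingress rules only, lowest priority number wins, and an implied deny-ingress rule at priority 65535, and it also evaluates option C to show the over-broad IAP rule the exam trap describes.

```python
"""Added example, not from the question bank: a small model of how VPC firewall
rules in the Shared VPC host project are evaluated, used to check the three-rule
set from question 851 (options A, B and E) against constructed sample flows.

Assumptions not taken from the page: ingress rules only; the lowest priority
number wins and the first matching rule decides; traffic matching no rule hits
the implied deny-ingress rule at priority 65535.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    priority: int
    action: str                               # "allow" or "deny"
    source_ranges: List[str]                  # CIDR blocks
    protocol: str                             # "tcp", "udp" or "all"
    ports: Optional[Set[int]] = None          # None means any port
    target_tags: Optional[Set[str]] = None    # None means every VM in the network


@dataclass
class Flow:
    src_ip: str
    dst_tags: Set[str]
    protocol: str
    dst_port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True when every component of the rule matches the flow."""
    src = ip_address(flow.src_ip)
    if not any(src in ip_network(cidr) for cidr in rule.source_ranges):
        return False
    if rule.target_tags is not None and not (rule.target_tags & flow.dst_tags):
        return False
    if rule.protocol != "all" and rule.protocol != flow.protocol:
        return False
    if rule.ports is not None and flow.dst_port not in rule.ports:
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (action, rule name) of the highest-priority matching rule."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implied-deny-ingress"


# The three rules the answer key selects, as they would be created in the host project.
HOST_PROJECT_RULES = [
    Rule("allow-a-to-app-b-443", 1000, "allow", ["10.0.1.0/24"], "tcp", {443}, {"app-b"}),
    Rule("deny-all-ingress", 2000, "deny", ["0.0.0.0/0"], "all"),
    Rule("allow-iap-ssh", 900, "allow", ["35.235.240.0/20"], "tcp", {22}),
]

# Option C from the question: the IAP range allowed on all protocols instead of TCP 22.
OPTION_C_IAP_RULE = Rule("allow-iap-all-protocols", 1000, "allow", ["35.235.240.0/20"], "all")

# Constructed flows; 10.0.2.10 stands in for a VM in a third service project.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "a-to-app-b-443": Flow("10.0.1.10", {"app-b"}, "tcp", 443),
    "a-to-app-b-8080": Flow("10.0.1.10", {"app-b"}, "tcp", 8080),
    "other-to-app-b-443": Flow("10.0.2.10", {"app-b"}, "tcp", 443),
    "a-to-untagged-443": Flow("10.0.1.10", {"web"}, "tcp", 443),
    "iap-ssh-22": Flow("35.235.240.5", {"app-b"}, "tcp", 22),
    "iap-443": Flow("35.235.240.5", {"app-b"}, "tcp", 443),
}


def check_flows(rules: List[Rule] = HOST_PROJECT_RULES) -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample flow against a rule set."""
    return {name: evaluate(rules, flow) for name, flow in SAMPLE_FLOWS.items()}


def iap_443_with_option_c() -> Tuple[str, str]:
    """The exam trap: an IAP rule scoped to all protocols also admits TCP 443."""
    rules = [r for r in HOST_PROJECT_RULES if r.name != "allow-iap-ssh"] + [OPTION_C_IAP_RULE]
    return evaluate(rules, SAMPLE_FLOWS["iap-443"])


if __name__ == "__main__":
    for name, (action, rule) in check_flows().items():
        print(f"{name:22s} -> {action:5s} ({rule})")
    print("iap-443 with option C ->", iap_443_with_option_c())
```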

852
MCQ · medium

A DevOps team wants to allow a CI/CD pipeline to deploy to Compute Engine using a service account. What is the best practice for managing service account keys?

A. Use a service account key distributed to each developer.
B. Generate a key and store it in Cloud Secret Manager.
C. Use workload identity federation.
D. Use a service account key stored in the source code repository.
Answer: C

Federation avoids long-lived keys and is the recommended approach.

Why this answer

Workload identity federation is the best practice because it allows the CI/CD pipeline to impersonate a service account without managing or storing any long-lived service account keys. This eliminates the risk of key leakage and rotation overhead, as authentication is done via an external identity provider (e.g., GitHub Actions, GitLab CI) using OIDC tokens. Google Cloud's workload identity federation supports OIDC (OpenID Connect) and SAML 2.0, enabling secure, keyless access from external workloads.

Exam trap

Google Cloud often tests the misconception that storing a key in a secure vault like Cloud Secret Manager is the best practice, but the trap here is that any long-lived key (even if encrypted at rest) introduces management overhead and potential for exposure, whereas workload identity federation eliminates the key entirely.

How to eliminate wrong answers

Option A is wrong because distributing a service account key to each developer violates the principle of least privilege and creates a massive security risk — any compromised developer workstation could expose the key, leading to unauthorized access to Compute Engine. Option B is wrong because while Cloud Secret Manager securely stores secrets, using a service account key at all (even stored in Secret Manager) still requires managing a long-lived credential that must be rotated and can be leaked; workload identity federation avoids keys entirely. Option D is wrong because storing a service account key in the source code repository is a critical security anti-pattern — it exposes the key to anyone with repository access, including in CI/CD logs, and violates Google Cloud's security best practices.

853
Multi-Select · easy

A company wants to encrypt data at rest in Cloud SQL. Which TWO methods are supported? (Choose TWO.)

Select 2 answers
A. Default encryption at rest with Google-managed keys
B. Cloud HSM hardware security module for encryption
C. Cloud Key Management Service (Cloud KMS) as a standalone encryption method
D. Client-side encryption before storing data in Cloud SQL
E. Customer-managed encryption keys (CMEK) using Cloud KMS
Answers: A, E

By default, Cloud SQL encrypts data at rest using Google-managed encryption keys.

Why this answer

Option A is correct because Cloud SQL provides default encryption at rest using AES-256 with Google-managed keys, which are automatically generated and rotated by Google. This encryption is transparent to the user and requires no additional configuration, ensuring data is encrypted before being written to disk.

Exam trap

Google Cloud often tests the distinction between default encryption (Google-managed keys) and customer-managed encryption keys (CMEK) as the two supported methods, trapping candidates who think Cloud HSM or client-side encryption are built-in Cloud SQL features.

854
MCQ · hard

A company uses Cloud DLP to inspect BigQuery tables for sensitive data. They want to automatically de-identify the data as it is inserted into a new table using a DLP de-identification template. Which approach should they use?

A. Use Cloud Audit Logs to monitor insertions and manually run a DLP transformation.
B. Use Cloud DLP inspection job triggers to scan the table and send notifications.
C. Create a DLP de-identification template and apply it to the BigQuery table using a DLP job.
D. Use BigQuery column-level security with data masking rules.
Answer: C

A DLP de-identification job can read from the source table, apply the template, and write the de-identified data to a destination table.

Why this answer

Cloud DLP can be used to create a de-identification template and then apply it to data in BigQuery via a DLP job or by using the DLP API to transform data on the fly. However, to automatically de-identify data as it is inserted, a common pattern is to use Cloud Functions triggered by BigQuery streaming inserts or scheduled DLP jobs that transform the data and write to a new table.

855
MCQ · hard

During a security incident, a forensics team needs to capture a disk snapshot of a compromised Compute Engine instance for analysis. They want to ensure the snapshot is consistent and includes data in memory. Which step should be taken before taking the snapshot?

A. Take a snapshot while the instance is running; consistency is automatic
B. Enable VPC Flow Logs on the network
C. Stop the instance before taking the snapshot
D. Create an image from the disk first
Answer: C

Stopping the instance ensures the disk is in a consistent state; the snapshot will be crash-consistent. Memory is not captured.

Why this answer

For consistent snapshots of a running instance, you should first stop the instance (or at least freeze the filesystem). To capture memory, you would need to use a tool like LiME or dump the memory via a hypervisor; standard disk snapshots do not capture memory. However, the question asks about disk snapshot consistency; the best practice is to stop the instance.

856
MCQ · easy

Your organization uses Cloud Armor to protect HTTP Load Balancers. You need to block all incoming requests from a specific geographic region (country code 'XY') while allowing all other traffic. What is the correct configuration?

A. Create a custom rule with expression 'origin.region_code == "XY"' and set action to deny(403)
B. Use Cloud IDS to detect and block requests from country XY
C. Configure a firewall rule in the VPC to deny ingress from IP ranges associated with country XY
D. Add a preconfigured OWASP rule set for geolocation blocking and enable it for country XY
Answer: A

This is the correct way to block traffic from a specific country using Cloud Armor's custom rules.

Why this answer

Cloud Armor supports geolocation blocking using custom rules with expressions. The correct approach is to create a security policy rule that matches on the origin country code and sets the action to deny. The precedence (priority) ensures the deny rule is evaluated before the default allow rule.

857
Multi-Select · hard

A company is designing a PCI DSS-compliant architecture on Google Cloud. They need to ensure that the cardholder data environment (CDE) is isolated from other environments and that all access to the CDE is logged. Which THREE controls should they implement? (Choose three.)

Select 3 answers
A. Separate VPC networks for the CDE and non-CDE environments.
B. Cloud NAT to allow outbound internet access from the CDE.
C. Cloud Armor WAF to protect web applications in the CDE.
D. Cloud Audit Logs for all services in the CDE.
E. VPC Service Controls to create a perimeter around the CDE.
Answers: A, D, E

Separate VPCs provide network-level isolation.

Why this answer

VPC Service Controls provide a security perimeter around the CDE, preventing data exfiltration. VPC networks provide network isolation. Cloud Audit Logs record all access to resources.

Cloud Armor is a WAF for inbound traffic. Cloud NAT provides outbound internet. Cloud KMS manages encryption keys.

858
MCQ · easy

A DevOps engineer wants to use Cloud Armor to block common web application attacks like SQL injection and cross-site scripting. Which feature should they enable?

A. Preconfigured rules (OWASP CRS)
B. Rate limiting
C. Custom rules with IP allow/deny
D. Adaptive Protection
Answer: A

The OWASP CRS includes rules for SQLi, XSS, etc.

Why this answer

Cloud Armor's preconfigured WAF rules include the OWASP ModSecurity Core Rule Set, which detects SQLi, XSS, and other attacks.

859
Multi-Select · hard

A financial services company is migrating to Google Cloud and needs to enforce strict security controls. They want to ensure that: 1) No service account keys are created. 2) All Compute Engine instances must be created with Shielded VM enabled. 3) Only users from the corporate domain (example.com) can be granted IAM roles. Which THREE Organization Policy constraints must be used? (Choose three.)

Select 3 answers
A. constraints/compute.requireOsLogin
B. constraints/iam.allowedPolicyMemberDomains
C. constraints/iam.disableServiceAccountKeyCreation
D. constraints/compute.requireShieldedVm
E. constraints/compute.restrictCloudArmorPolicies
Answers: B, C, D

This restricts which domains can be used in IAM policy members.

Why this answer

The three constraints are: constraints/iam.disableServiceAccountKeyCreation (prevents key creation), constraints/compute.requireShieldedVm (requires Shielded VM), and constraints/iam.allowedPolicyMemberDomains (restricts IAM members to specific domains). The other constraints are not relevant: constraints/compute.restrictCloudArmorPolicies is about Cloud Armor policies, and constraints/compute.requireOsLogin is about OS Login.

860
MCQ · medium

An organization needs to store cryptographic keys that must be protected in a FIPS 140-2 Level 3 validated hardware security module (HSM). Which Google Cloud service should they use?

A. Secret Manager
B. Cloud KMS with software-backed keys
C. Cloud External Key Manager
D. Cloud HSM
Answer: D

Cloud HSM meets FIPS 140-2 Level 3.

Why this answer

Cloud HSM provides FIPS 140-2 Level 3 validated HSM for key material. Keys are generated and stored in the HSM.

861
MCQ · hard

A company must process credit card transactions on Google Cloud and achieve PCI DSS compliance. They want to minimize the scope of the cardholder data environment (CDE). Which architectural approach should they take?

A. Use separate VPCs for the CDE and non-CDE workloads, and connect them using VPC peering with firewall rules to restrict traffic.
B. Use a Shared VPC with a dedicated subnet for CDE resources and apply strict firewall rules.
C. Place all workloads in a single VPC and use Cloud Armor to protect the CDE.
D. Create a separate VPC for the CDE, and route traffic through a dedicated project with VPC Service Controls and Private Google Access.
Answer: D

A separate VPC isolates the CDE network. VPC Service Controls further protect data and reduce PCI scope.

Why this answer

Network segmentation is key to minimizing PCI DSS scope. A separate VPC for the CDE, combined with VPC Service Controls, isolates cardholder data.

862
Multi-Select · medium

A company is using Security Command Center (SCC) Premium tier and wants to automatically remediate certain high-severity findings. Which two services can be used together to achieve this? (Choose two.)

Select 2 answers
A. Pub/Sub
B. Dataflow
C. Cloud Scheduler
D. Cloud IAM
E. Cloud Functions
Answers: A, E

SCC can export findings to Pub/Sub, which then triggers Cloud Functions.

Why this answer

SCC findings can be sent to Pub/Sub, which then triggers a Cloud Function (or Cloud Run) that performs automated remediation actions. Cloud Functions can be used for lightweight automation. Cloud Scheduler is for cron jobs, not event-driven.

Dataflow is for data processing. IAM is for access control.

863
MCQ · hard

A financial services company is migrating to Google Cloud and needs to meet SOX compliance. They have a production project containing a Cloud SQL instance with financial transactions. They must ensure that all database changes are logged, and logs are immutable for 7 years. They enabled Cloud Audit Logs for Cloud SQL and created a log sink to export Admin Activity logs to Cloud Storage. However, during a quarterly audit, the auditor cannot find logs for some SELECT queries that accessed sensitive columns. The company expected these SELECT queries to appear in audit logs because they enabled Data Access audit logs for Cloud SQL. You discover that the Data Access audit logs were enabled at the project level, but the log sink only exports Admin Activity logs. Additionally, auditors require that logs cannot be deleted before the retention period. What should you do?

A. Enable VPC Flow Logs and export them to Cloud Storage with a 7-year retention policy.
B. Export logs to BigQuery with table expiration of 7 years and use IAM to restrict deletion.
C. Enable Data Access audit logs at the Cloud SQL instance level and export them to a separate Cloud Storage bucket with a 7-year retention policy.
D. Modify the log sink to include Data Access audit logs and update the Cloud Storage bucket to have a 7-year retention policy and object holds.
Answer: D

This ensures all audit logs are exported and immutable for the required period.

Why this answer

Option D is correct because the root cause is that the log sink is configured to export only Admin Activity logs, while the missing SELECT queries are Data Access audit logs. By modifying the log sink to include Data Access audit logs, those queries will be exported. Additionally, setting a 7-year retention policy and object holds on the Cloud Storage bucket ensures logs are immutable and cannot be deleted before the retention period ends, meeting SOX compliance requirements.

Exam trap

Google Cloud often tests the misconception that enabling audit logs at the resource level (e.g., Cloud SQL instance) is sufficient, when in fact the log sink export filter must be explicitly configured to include the desired log types, and immutability requires both retention policy and object holds on the storage destination.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture network traffic metadata, not database query logs, and they do not address the missing SELECT queries or the log sink configuration. Option B is wrong because exporting to BigQuery with table expiration does not provide immutable storage; BigQuery tables can be deleted or modified by authorized users, and the requirement is for immutable logs in Cloud Storage. Option C is wrong because enabling Data Access audit logs at the instance level is unnecessary (they are already enabled at the project level), and exporting to a separate bucket does not fix the core issue that the log sink is not exporting Data Access logs; also, object holds are not mentioned, which are needed for immutability.
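The root cause in this question, reproduced offline: a small evaluator for a subset of the Cloud Logging query language (an added example, not code from the question bank or from Google Cloud), run over constructed audit-log entries with the Admin Activity-only sink filter and with a corrected filter that also includes Data Access logs. The project id and method names are placeholders, and the ':' and '=' operators are modelled as substring and exact match respectively.

```python
"""Added example, not from the question bank: a simplified evaluator for the
Cloud Logging query language, used to show why the sink in question 863 exports
no Data Access entries and what a corrected sink filter captures.

Assumptions not taken from the page: the entries are constructed, the project
id and method names are placeholders, ':' is modelled as a substring test and
'=' as an exact match (case folding and other operators are omitted).
"""
import re
from typing import Any, Dict, List, Tuple

PROJECT = "example-project"  # placeholder

# Constructed entries in the shape of Cloud Audit Logs, trimmed to the fields used here.
ENTRIES: List[Dict[str, Any]] = [
    {"logName": f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "cloudsql.googleapis.com",
                      "methodName": "cloudsql.instances.update"}},
    {"logName": f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "cloudsql.googleapis.com",
                      "methodName": "cloudsql.instances.get"}},  # a read the auditor missed
    {"logName": f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "bigquery.googleapis.com",
                      "methodName": "jobservice.jobcompleted"}},
    {"logName": f"projects/{PROJECT}/logs/syslog", "textPayload": "constructed non-audit entry"},
]

# Sink filters in the form passed to `gcloud logging sinks create --log-filter`.
ADMIN_ACTIVITY_ONLY = 'logName:"cloudaudit.googleapis.com%2Factivity"'
ALL_SQL_AUDIT_LOGS = (
    '(logName:"cloudaudit.googleapis.com%2Factivity" OR '
    'logName:"cloudaudit.googleapis.com%2Fdata_access") '
    'AND protoPayload.serviceName="cloudsql.googleapis.com"'
)

TOKEN_RE = re.compile(r'\s*(?:(\()|(\))|(AND)\b|(OR)\b|([A-Za-z_.]+)([:=])"([^"]*)")')


def tokenize(text: str) -> List[Tuple[str, Any]]:
    """Split a filter into '(', ')', 'AND', 'OR' and ('CMP', (path, op, value)) tokens."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unsupported filter syntax near {text[pos:pos + 20]!r}")
        pos = m.end()
        if m.group(5):
            tokens.append(("CMP", (m.group(5), m.group(6), m.group(7))))
        else:
            tokens.append((next(g for g in m.groups()[:4] if g), None))
    return tokens


class Parser:
    """Recursive descent: expr := term (OR term)*; term := factor (AND factor)*."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def take(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def expr(self):
        node = self.term()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "AND":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        kind, val = self.take()
        if kind == "(":
            node = self.expr()
            if self.take()[0] != ")":
                raise ValueError("missing ')'")
            return node
        if kind == "CMP":
            return ("cmp",) + val
        raise ValueError(f"unexpected token {kind}")


def lookup(entry, path):
    """Walk a dotted field path such as protoPayload.serviceName."""
    cur = entry
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(node, entry) -> bool:
    if node[0] == "or":
        return matches(node[1], entry) or matches(node[2], entry)
    if node[0] == "and":
        return matches(node[1], entry) and matches(node[2], entry)
    _, path, op, value = node
    actual = lookup(entry, path)
    if not isinstance(actual, str):
        return False
    return value in actual if op == ":" else actual == value


def exported_methods(filter_text: str, entries=ENTRIES) -> List[str]:
    """Method names of the entries a sink with this filter would export."""
    tree = Parser(tokenize(filter_text)).expr()
    return sorted(e.get("protoPayload", {}).get("methodName", "<non-audit>")
                  for e in entries if matches(tree, e))
```

The Admin Activity-only filter exports just the update call, while the corrected filter also exports the Data Access read while still excluding the BigQuery and syslog entries.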

864
MCQ · medium

A security engineer needs to ensure that all compute instances are patched with the latest security updates. What is the recommended approach?

A. Use OS Config Management with patch compliance reporting.
B. Use a configuration management tool like Chef.
C. Use the VM Manager patch deployment feature.
D. Use Cloud Scheduler to run a script that patches instances.
Answer: C

VM Manager patch deployment automates patching across instances with compliance tracking.

Why this answer

Option C is correct. The VM Manager patch deployment feature within OS Config Management provides a managed, automated patching solution. Option B is not a built-in Google Cloud service.

Option A is partially correct, but VM Manager is the specific managed patching service. Option D is less reliable and manual. Option C is the most comprehensive and automated.

865
MCQ · easy

A company wants to ensure that all data stored in Cloud Storage buckets is encrypted at rest using a customer-managed key that is automatically rotated every 90 days. What should they do?

A. Create a Cloud KMS key ring and a key with rotation period set to 7776000s (90 days).
B. Use customer-supplied encryption keys (CSEK) and update them manually every 90 days.
C. Use default Google-managed encryption keys.
D. Use Cloud HSM to generate a key and implement a custom rotation script.
Answer: A

Cloud KMS supports automatic rotation of customer-managed keys.

Why this answer

Option A is correct because Cloud KMS allows you to create a customer-managed encryption key (CMEK) with an automatic rotation period of 7776000 seconds (90 days). When you set the rotation period on a key, Cloud KMS automatically rotates the key material at the specified interval, ensuring that all data encrypted with that key is protected by a new key version without manual intervention. This satisfies the requirement for customer-managed keys with automatic rotation.

Exam trap

Google Cloud often tests the distinction between automatic rotation (Cloud KMS CMEK with rotation period) and manual rotation (CSEK or custom scripts), leading candidates to choose manual or HSM-based options that lack built-in automatic rotation.

How to eliminate wrong answers

Option B is wrong because customer-supplied encryption keys (CSEK) require you to provide the key with each API call and you must manage rotation manually; there is no automatic rotation mechanism in Cloud Storage for CSEK. Option C is wrong because default Google-managed encryption keys are not customer-managed and cannot be rotated on a custom schedule; they are managed entirely by Google. Option D is wrong because Cloud HSM generates keys but does not provide built-in automatic rotation; implementing a custom rotation script introduces operational complexity and risk, and is not the recommended or simplest approach for automatic key rotation.

866
Multi-Select · medium

An organization wants to enforce that all Compute Engine instances have Confidential Computing enabled for sensitive workloads. Which TWO steps should be taken? (Choose 2)

Select 2 answers
A. Select machine series that support AMD Secure Encrypted Virtualization (SEV).
B. Create an organization policy constraint that requires Confidential Computing for Compute Engine instances.
C. Enable VPC Flow Logs for all subnets.
D. Use Cloud IDS to detect non-confidential instances.
E. Use a hierarchical firewall policy to block non-confidential instances.
Answers: A, B

Confidential Computing requires SEV-capable machine types.

Why this answer

To enforce Confidential Computing, use an organization policy constraint to require the feature. Instance templates can also be configured with Confidential Computing, but enforcement comes from the policy. Ensuring that the VM images support SEV matters as well.

The two key steps are therefore: 1) set an organization policy that requires Confidential Computing (`compute.requireConfidentialComputing` or similar) and 2) use a machine series that supports Confidential Computing (e.g., N2D). These correspond to options B and A: creating the constraint and using appropriate machine types.

867
MCQ · hard

A security engineer needs to implement a logging pipeline that sends real-time Cloud Audit Logs to a third-party SIEM. They must ensure that if the SIEM is unavailable, logs are not lost. Which approach should they use?

A. Create a log sink that writes to a Pub/Sub topic, and use a subscription with a dead letter topic.
B. Configure a Cloud Run service to pull logs from Cloud Logging API and forward to SIEM.
C. Export logs to Cloud Storage via a sink, and have the SIEM ingest from there.
D. Use a log sink to BigQuery and have the SIEM query BigQuery periodically.
Answer: A

This ensures real-time delivery with retry and dead letter handling to avoid data loss.

Why this answer

Using a Pub/Sub subscription with a dead letter topic allows messages to be retried and, if delivery fails persistently, moved to a dead letter topic for later reprocessing. This prevents data loss. Cloud Storage is not real-time; BigQuery is not for streaming to SIEM; Cloud Run without Pub/Sub would miss retries.

868
Multi-Select · hard

You are designing a private connectivity solution for a Google Cloud project that needs to access Google APIs (e.g., Cloud Storage) without traversing the public internet. The VPC has on-premises connectivity via Cloud VPN. Which THREE steps are required to achieve private, on-premises to Google API access? (Choose 3)

Select 3 answers
A. Set up a NAT gateway in the VPC for on-premises traffic
B. Create a Private Service Connect endpoint for Google APIs (e.g., storage.googleapis.com) in the VPC
C. Configure firewall rules to allow egress from the VPN gateway to the PSC endpoint's IP
D. Enable Private Google Access on the subnet that hosts the VPN gateway
E. Configure Cloud Router to advertise the PSC endpoint's IP address range to on-premises via BGP
Answers: B, D, E

PSC endpoints provide private IP addresses for Google APIs that can be accessed from VMs and on-premises via VPN.

Why this answer

To access Google APIs privately from on-premises via VPN, you need to enable Private Google Access in the VPC subnet, and use Private Service Connect (PSC) endpoints for Google APIs. Route advertisements via Cloud Router ensure on-premises traffic to Google API IP ranges goes to the PSC endpoints. Simply enabling Private Google Access on the subnet allows VMs in that subnet to access Google APIs via the default internet gateway, but on-premises traffic needs to be routed to the VPC and then to the PSC endpoint.

869
Multi-Select · medium

You are a security engineer for a healthcare organization. You need to protect sensitive patient data stored in Cloud Storage. You want to ensure that data is encrypted at rest using a customer-managed key (CMEK) and that access to the key is logged. You also need to prevent data exfiltration by limiting which service accounts can decrypt data. Which TWO steps should you take? (Choose two.)

Select 2 answers
A. Configure a VPC Service Controls perimeter that includes the Cloud Storage bucket and the KMS key.
B. Use Cloud HSM to create and manage the encryption key, and disable Cloud Audit Logs for the HSM key.
C. Enable default encryption (Google-managed key) on the bucket and use Cloud Audit Logs to monitor access.
D. Use customer-supplied encryption keys (CSEK) and store the key in Cloud Key Management Service (KMS).
E. Create a Cloud KMS key ring and key, and configure the bucket to use CMEK with that key. Enable Cloud Audit Logs for the KMS key.
Answers: A, E

VPC Service Controls restrict data exfiltration by preventing access from outside the perimeter.

Why this answer

Option A is correct because VPC Service Controls creates a security perimeter around the Cloud Storage bucket and the KMS key, preventing data exfiltration by blocking unauthorized service accounts from decrypting data outside the perimeter. Option E is correct because creating a Cloud KMS key ring and key, configuring the bucket to use CMEK, and enabling Cloud Audit Logs for the KMS key ensures encryption at rest with a customer-managed key and logs all access to the key, meeting both requirements.

Exam trap

Google Cloud often tests the distinction between CMEK and CSEK, where candidates mistakenly think CSEK can be stored in Cloud KMS for management, but CSEK is provided per request and not stored, while CMEK is fully managed in Cloud KMS with audit logging capabilities.

870
MCQ · medium

An organization wants to run a penetration test on their Google Cloud environment to validate security controls. According to Google's Acceptable Use Policy, which of the following is true regarding penetration testing?

A. Denial of Service (DoS) testing is permitted as long as it targets only customer-owned IPs.
B. All penetration tests require prior approval from Google Cloud support.
C. Customers can conduct penetration testing without prior approval, but must avoid DoS attacks.
D. Penetration testing is only allowed on Compute Engine, not on managed services like Cloud SQL.
Answer: C

Google allows penetration testing without prior approval for most services, but DoS testing is prohibited.

Why this answer

Google's Acceptable Use Policy allows customers to conduct penetration testing on their own infrastructure without prior approval for most services, but they prohibit denial of service (DoS) testing. Tests must follow the policy guidelines. No prior approval is needed, but DoS testing is forbidden.

871
Multi-Select · medium

A company needs to enforce that all data stored in Cloud Storage and BigQuery is encrypted with customer-managed keys (CMEK). Which TWO actions should they take? (Choose two.)

Select 2 answers
A. Enable Access Transparency logs.
B. Create a Cloud HSM key to ensure FIPS 140-2 Level 3 compliance.
C. Set the organization policy constraint 'constraints/gcp.cmeKRequired' for Cloud Storage and BigQuery.
D. Use Cloud DLP to inspect and classify data.
E. Create a Cloud KMS key ring and a symmetric encryption key.
Answers: C, E

This policy ensures resources are encrypted with CMEK.

Why this answer

To enforce CMEK, a CMEK key must be created in Cloud KMS and then configured on the resources (buckets, datasets). An organization policy can also be set to require CMEK for certain services. Creating a Cloud HSM key is a type of CMEK but is not specifically required.

872
MCQ · medium

An organization uses Shared VPC with a host project and several service projects. A network administrator in a service project wants to create a firewall rule that allows traffic from a specific source CIDR to a Compute Engine instance in the service project. What is the correct way to achieve this?

A. Create the firewall rule in the service project targeting the instance's tags.
B. Create a firewall rule in the service project using the instance's service account.
C. Use VPC Flow Logs to generate a recommendation and apply it in the service project.
D. Request the host project administrator to create the firewall rule in the host project.
Answer: D

In Shared VPC, the host project owns the firewall rules for the shared VPC network.

Why this answer

In a Shared VPC architecture, firewall rules are a host-project-level resource. Service project administrators cannot create or manage firewall rules that apply to resources in the shared VPC network; only the host project administrator has the necessary permissions. Therefore, to allow traffic from a specific source CIDR to a Compute Engine instance in a service project, the host project administrator must create the firewall rule in the host project, targeting the instance's tags or service account.

Exam trap

Google Cloud often tests the misconception that service project administrators have full control over networking resources in a Shared VPC, when in fact firewall rules and other network-level configurations are exclusively managed in the host project.

How to eliminate wrong answers

Option A is wrong because firewall rules in a Shared VPC must be created in the host project, not the service project; the service project lacks the authority to create rules that apply to the shared VPC network. Option B is wrong because, while service accounts can be used in firewall rules, the rule itself must still be created in the host project, not the service project. Option C is wrong because VPC Flow Logs are used for monitoring and troubleshooting network traffic, not for generating or applying firewall rules; they cannot create or recommend firewall rules automatically.

873
MCQ · medium

A DevOps team uses GitHub Actions to deploy infrastructure to Google Cloud. They want to avoid storing long-lived service account keys. Which approach should they use to authenticate from GitHub Actions to Google Cloud?

A. Grant the service account token creator role to the GitHub Actions runner.
B. Download a JSON service account key and store it as a GitHub secret.
C. Use Workload Identity Federation by configuring a workload identity pool and provider for GitHub.
D. Create a Compute Engine instance with a service account and run GitHub Actions from there.
Answer: C

Workload Identity Federation enables keyless authentication from GitHub Actions to GCP using OIDC tokens.

Why this answer

Workload Identity Federation allows GitHub Actions to exchange GitHub OIDC tokens for Google Cloud service account credentials. This eliminates the need for service account keys. The team must create a workload identity pool and provider in GCP, and configure GitHub Actions to use Google's action with 'workload_identity_provider'.

Granting the service account token creator role is not the correct method. Using a Compute Engine instance is not relevant for GitHub Actions.

874
MCQhard

An organization wants to enforce that all Compute Engine instances are created with a specific service account that has only the permissions defined by a custom role. Additionally, users must not be able to override this service account. Which two mechanisms should be combined?

A.Use Cloud Audit Logs to monitor and alert on non-compliant instances.
B.VPC Service Controls to restrict the service account usage.
C.An Organization Policy with constraint constraints/compute.setServiceAccount and an IAM deny policy to deny the iam.serviceAccounts.actAs permission on other service accounts.
D.Grant users only the Compute Instance Admin v1 role and remove the actAs permission.
AnswerC

This combination enforces the service account and prevents override.

Why this answer

Option C is correct because it combines an Organization Policy constraint (`constraints/compute.setServiceAccount`) that prevents users from specifying a different service account when creating Compute Engine instances, with an IAM deny policy that blocks the `iam.serviceAccounts.actAs` permission on all other service accounts. Together, these enforce that only the designated service account can be used, and users cannot override it.

Exam trap

Google Cloud often tests the misconception that a single mechanism (like an organization policy or IAM role restriction) is sufficient, when in reality two complementary controls are needed to both restrict the service account selection and block the actAs permission on unauthorized accounts.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs only provide monitoring and alerting after a non-compliant instance is created; they do not prevent the creation of instances with unauthorized service accounts. Option B is wrong because VPC Service Controls are designed to restrict data exfiltration and control access to Google Cloud APIs based on context (e.g., identity, network), not to enforce which service account is attached to Compute Engine instances. Option D is wrong because granting only the Compute Instance Admin v1 role and removing the `actAs` permission does not prevent users from specifying a different service account during instance creation; it only removes the ability to use service accounts that require `actAs`, but the user could still specify a service account they do not have `actAs` on, leading to a permission error rather than enforcement of a specific service account.

875
MCQmedium

An organization wants to allow users to access a web application running on Compute Engine via HTTPS. The application requires users to authenticate with their corporate credentials (SAML 2.0 IdP). Which Google Cloud service should be used?

A.Cloud NAT
B.Cloud Armor
C.Cloud Load Balancing with SSL certificates
D.Identity-Aware Proxy (IAP) with HTTPS
AnswerD

IAP provides authentication and access control for web apps.

Why this answer

Identity-Aware Proxy (IAP) with HTTPS provides authentication and authorization for web applications. It integrates with external SAML IdPs through Cloud Identity or G Suite. Cloud Load Balancing with SSL does not authenticate.

Cloud Armor is for security policies. Cloud NAT is for outbound traffic.

876
MCQmedium

A company operates a hybrid cloud environment with on-premises data centers and Google Cloud Platform. They store sensitive customer data in Cloud Storage buckets and use Data Loss Prevention (DLP) to scan for and inspect sensitive content. They have automated DLP inspection jobs that run periodically, but they want to automatically redact sensitive data (e.g., Social Security numbers) in any new object as soon as it is written to a specific bucket. The redacted version should replace the original object in the same bucket. Which of the following is the most effective and recommended approach?

A.Set up a Cloud Function triggered by Cloud Storage 'finalize' events. The function calls the DLP API to inspect the object, creates a redacted version, and deletes the original object, replacing it with the redacted data.
B.Enable a bucket retention policy and use DLP to scan objects and quarantine those with sensitive data by moving them to a different bucket.
C.Use Cloud Storage Object Change Notifications to alert a Compute Engine instance that runs a DLP job to modify the object in place.
D.Use VPC Service Controls to create a secure perimeter around the bucket and then run DLP scans on a schedule.
AnswerA

This is the standard serverless pattern for automatic redaction. Cloud Functions respond to new objects, DLP inspects and redacts, and the function rewrites the object with the redacted content.

Why this answer

Option A is correct: triggering a Cloud Function on object finalize events, running DLP inspection, and rewriting the object with redacted data is the recommended pattern. Option C is incorrect because DLP cannot modify objects in place; it produces a new artifact, so a Compute Engine job "modifying the object in place" does not match how DLP works. Option B is about retention and quarantine, not redaction.

Option D is about perimeter security and does not address redaction.

877
MCQmedium

A security team needs to automatically respond to high-severity vulnerability findings in Security Command Center. They want to trigger a Cloud Function that quarantines the affected VM. What is the recommended way to connect SCC findings to Cloud Functions?

A.Use Cloud Scheduler to poll SCC API every minute and invoke Cloud Function.
B.Configure Cloud Logging to capture SCC findings and create a log-based metric with an alert that triggers Cloud Function.
C.Create a SCC notification config that sends findings to a Pub/Sub topic, and set up a Cloud Function to subscribe to that topic.
D.Export SCC findings to BigQuery and set up a BigQuery scheduled query to trigger Cloud Function.
AnswerC

This is the real-time event-driven approach.

Why this answer

SCC can publish findings to a Pub/Sub topic via notification configs. Cloud Functions can subscribe to that topic and execute the remediation logic. This is the recommended event-driven architecture.

878
Multi-Selectmedium

A company processes healthcare data and has signed a BAA with Google Cloud. They need to implement controls for HIPAA compliance. Which THREE actions should they take? (Choose three.)

Select 3 answers
A.Provide security awareness training to all workforce members.
B.Enable Customer-Managed Encryption Keys (CMEK) for all services.
C.Use Cloud Armor to protect the web application from DDoS attacks.
D.Ensure all covered services have access logging enabled for PHI access.
E.Use Cloud DLP to classify and de-identify PHI in Cloud Storage and BigQuery.
AnswersA, D, E

Workforce training is a requirement under the HIPAA Security Rule.

Why this answer

HIPAA requires workforce training, access logging for covered services, and data classification to identify PHI. CMEK is optional; Cloud Armor is for web application security but not specifically required by HIPAA.

879
Multi-Selecthard

A global e-commerce company must comply with GDPR and CCPA. They use BigQuery to store customer data and need to ensure that when a user requests data deletion, all copies are deleted within 30 days. Additionally, they want to minimize storage costs. Which TWO actions should they take?

Select 2 answers
A.Use the DDL statement to drop the table after 30 days using a scheduled query.
B.Create a Cloud Function to export the data before deletion.
C.Set a table retention policy of 30 days using ALTER TABLE SET OPTIONS.
D.Set the Time Travel window to 7 days and the Fail-safe storage window to 23 days.
E.Use BigQuery continuous backups with a 30-day retention.
AnswersA, D

Scheduled query to drop table after 30 days ensures data deletion while minimizing costs.

Why this answer

Option A is correct because using a DDL statement (e.g., DROP TABLE) in a scheduled query allows you to delete the entire table after exactly 30 days, ensuring all data copies (including storage and any snapshots) are removed. This directly meets the GDPR/CCPA deletion requirement while minimizing storage costs by not retaining data beyond the mandated period.

Exam trap

Google Cloud often tests the misconception that BigQuery has a direct table retention policy (like ALTER TABLE SET OPTIONS) when in reality, retention is managed through time travel and fail-safe storage windows, not a table-level option.

880
MCQmedium

A company wants to enforce that all GKE clusters in their organization use Binary Authorization with a specific attestor. They have multiple projects and want to set this policy centrally. Which approach should they use?

A.Use the organization policy service to set a constraint that requires Binary Authorization enforcement across all projects.
B.Create a Binary Authorization policy in each project and use a script to apply it.
C.Create a shared VPC and enable Binary Authorization on the host project.
D.Use Deployment Manager to deploy Binary Authorization configuration to all projects.
AnswerA

Organization policies can enforce that Binary Authorization is enabled and configured.

Why this answer

Organization policies can enforce constraints at the organization, folder, or project level. The Binary Authorization policy can be set at the organization level using a constraint, but the specific attestor configuration is done via the Binary Authorization API per project. However, to enforce the use of Binary Authorization, you can use an organization policy constraint 'constraints/gcp.restrictBinaryAuthorizationPolicy'.

881
MCQmedium

A company wants to enforce that all new projects have a specific set of tags to track cost centers. Which Google Cloud feature should they use?

A.Configure a Cloud Function to delete projects without tags
B.Use IAM roles to restrict project creation to users who promise to add tags
C.Create an organization policy with a custom constraint to require tags
D.Use Cloud Asset Inventory to monitor tags
AnswerC

Custom constraints allow you to enforce policies like requiring specific tags on resources.

Why this answer

Organization policies enforce constraints on resources, but there is no built-in (predefined) constraint that requires tags on new projects. Resource Manager tags can be combined with organization policies, yet tag enforcement itself is not a predefined constraint.

Instead, a custom constraint can be used to require tags. The simplest approach is to use the `constraints/resourcemanager.tags` constraint or a custom constraint. Since the question is about enforcing tags, the Organization Policy Service is the tool to set that constraint.

882
Multi-Selecthard

A company wants to enforce that all access to Cloud Storage buckets in a project is encrypted with Customer-Managed Encryption Keys (CMEK). The Security Engineer needs to configure the organization policy to meet this requirement. Which THREE steps should be taken? (Choose THREE.)

Select 3 answers
A.Create an organization policy with the constraint 'constraints/storage.requireCustomerManagedEncryption'.
B.Grant the 'cloudkms.cryptoKeyEncrypterDecrypter' role to the Cloud Storage service account.
C.Apply the organization policy at the folder level to cover all projects within that folder.
D.Disable the 'storage.objects.setIamPolicy' permission for all users except the key administrators.
E.Define a list of allowed Cloud KMS keys using the 'constraints/storage.allowedEncryptionKeys' list constraint.
AnswersA, C, E

This constraint enforces CMEK on Cloud Storage.

Why this answer

Option A is correct because the `constraints/storage.requireCustomerManagedEncryption` organization policy constraint enforces that all Cloud Storage buckets in the project must use CMEK. When this constraint is applied, any attempt to create a bucket without specifying a CMEK key is denied, ensuring compliance with the encryption requirement.

Exam trap

Google Cloud often tests the distinction between organization policy constraints and IAM roles or permissions, so candidates may mistakenly select steps that involve granting roles or modifying IAM permissions instead of focusing solely on the policy constraint configuration.

883
Multi-Selectmedium

Which TWO are benefits of using Cloud Armor with a global external HTTPS Load Balancer?

Select 2 answers
A.Automatic content caching
B.Traffic management based on latency
C.Built-in load balancing
D.DDoS protection at the edge
E.Web Application Firewall (WAF) rules
AnswersD, E

Cloud Armor offers built-in DDoS protection using Google's global infrastructure.

Why this answer

Options D and E are correct. Cloud Armor provides DDoS protection at the edge and WAF capabilities. Option C (built-in load balancing) is the load balancer's function, not Cloud Armor's.

Option A (automatic content caching) is provided by Cloud CDN. Option B (latency-based traffic management) is not a primary Cloud Armor feature.

884
MCQhard

An organization uses BigQuery with column-level security. They have a column containing social security numbers (SSNs) that should only be visible to users with the 'PII_Viewer' role. How should they configure this?

A.Encrypt the column with CMEK and give decrypt permission only to PII_Viewer.
B.Use authorized views to filter the column.
C.Use BigQuery row-level access policies.
D.Create a policy tag on the column and bind it to the role.
AnswerD

Policy tags implement column-level security in BigQuery.

Why this answer

Option D is correct because BigQuery column-level security uses policy tags to restrict access to sensitive columns. By creating a policy tag on the SSN column and binding it to the 'PII_Viewer' role, only users with that role can see the data; others see NULL or are denied access. This is the native, recommended approach for column-level access control in BigQuery.

Exam trap

Google Cloud often tests the distinction between encryption (which protects data at rest but does not control access by role) and policy-based access controls (which enforce visibility at query time), leading candidates to mistakenly choose encryption options for column-level restrictions.

How to eliminate wrong answers

Option A is wrong because CMEK (Customer-Managed Encryption Keys) encrypts data at rest but does not provide column-level access control; decrypt permission applies to the entire table or dataset, not to specific columns or roles. Option B is wrong because authorized views can filter rows or columns, but they require creating a separate view and granting access to it, which is more complex and less granular than native column-level security; also, authorized views do not enforce role-based access on the base table. Option C is wrong because row-level access policies control which rows a user can see, not which columns; they cannot hide a specific column like SSN from unauthorized users.

885
Multi-Selectmedium

A company is implementing PCI DSS compliance on Google Cloud. They need to ensure that cardholder data is encrypted in transit and at rest. Which TWO encryption controls are required by PCI DSS?

Select 2 answers
A.Use TLS 1.2 or higher for all data in transit
B.Enable Cloud CDN
C.Use Cloud NAT
D.Enable VPC Flow Logs
E.Use CMEK for encryption of cardholder data at rest
AnswersA, E

PCI DSS requires strong transport encryption; TLS 1.2+ is the standard.

Why this answer

PCI DSS requires strong encryption for data in transit (TLS 1.2 or higher) and for data at rest (e.g., using encryption keys managed by the customer or Google). CMEK ensures customer-managed keys for data at rest.

886
Multi-Selectmedium

An organization wants to use Identity-Aware Proxy (IAP) to secure access to a web application running on Compute Engine. They need to ensure that only users with specific email domains can access the application, and also verify that requests are coming from IAP. Which two configurations are required? (Choose two.)

Select 2 answers
A.Configure Cloud Armor to block non-IAP traffic.
B.Create a firewall rule that allows traffic only from IAP's IP ranges.
C.Configure the backend application to validate IAP-signed headers (X-Goog-Authenticated-User-Email).
D.Assign the IAP-secured Web App User role to the users.
E.Create an organization policy to enforce IAP usage.
AnswersB, C

IAP uses specific IP ranges that must be allowed in the firewall.

Why this answer

To secure access with IAP, you must allow IAP's IP ranges in the firewall (B) and configure the backend to validate IAP-signed headers (C). The IAP role (D) is also needed, but the question focuses on the two specific configurations for IP and header validation.

887
MCQhard

A financial institution is deploying a PCI DSS-compliant cardholder data environment (CDE) on Google Cloud. They need to segment the CDE from other environments and restrict data egress from the CDE. Which two services should they use together? (Choose the best combination.)

A.VPCs and VPC Service Controls
B.Cloud VPN and VPC Service Controls
C.VPCs and Cloud NAT
D.VPC Service Controls and Cloud Armor
AnswerA

VPCs provide network isolation, and VPC Service Controls restrict data egress from the CDE, meeting PCI DSS segmentation requirements.

Why this answer

For PCI DSS network segmentation, VPCs provide network isolation, and VPC Service Controls enforce perimeter security by preventing data egress from the CDE to unauthorized destinations. Cloud NAT provides outbound internet access but does not restrict egress. Cloud Armor is a WAF for inbound traffic.

Cloud VPN connects on-premises but does not segment.

888
MCQeasy

Your company runs a production application on Google Kubernetes Engine (GKE) with a Regional cluster. The application uses a custom domain with TLS certificates that are stored as Kubernetes secrets and mounted into the ingress. The certificates expire every 90 days and are currently renewed manually by a DevOps engineer. Last week, the certificate expired, causing an outage until it was renewed. Management requires an automated solution to renew certificates before expiration. The team wants to minimize changes to the existing architecture and avoid additional costs. What should you do?

A.Configure Cloud Load Balancing with a Google-managed SSL certificate and update the DNS to point to the load balancer IP.
B.Deploy cert-manager on the GKE cluster and configure it with an Issuer or ClusterIssuer to automatically obtain and renew certificates from Let's Encrypt.
C.Set up Cloud DNS to automatically respond to ACME HTTP-01 challenges and configure the ingress to use certificates from a public CA.
D.Store the certificate and private key in Cloud Secret Manager and configure the ingress to reference the secrets via the Secret Manager CSI driver.
AnswerB

cert-manager fully automates certificate lifecycle and stores certificates as Kubernetes secrets, matching the existing architecture.

Why this answer

Option B is correct because cert-manager is a native Kubernetes add-on that automates the lifecycle of TLS certificates from public CAs like Let's Encrypt. It integrates directly with GKE Ingress and can handle ACME HTTP-01 or DNS-01 challenges without altering the existing architecture or incurring additional cloud costs, as it runs within the cluster.

Exam trap

Google Cloud often tests the distinction between certificate storage solutions (like Secret Manager) and automated renewal mechanisms (like cert-manager), leading candidates to choose a storage-only option that does not solve the renewal problem.

How to eliminate wrong answers

Option A is wrong because switching to a Google-managed SSL certificate requires changing the load balancer configuration and DNS records, which modifies the existing architecture and may incur additional costs for the load balancer. Option C is wrong because Cloud DNS alone cannot automatically respond to ACME HTTP-01 challenges; the challenge response must be served by the ingress controller, and this option does not provide an automated renewal mechanism. Option D is wrong because storing certificates in Cloud Secret Manager and using the CSI driver only centralizes secret storage but does not automate the renewal process; certificates would still need to be manually updated before expiry.

889
MCQmedium

A security engineer is reviewing an IAM policy for a Cloud Storage bucket. The engineer wants to ensure that the service account 'sa@project.iam.gserviceaccount.com' can only read objects. What is the current effective permission?

A.The service account has objectCreator access by default.
B.The service account has objectViewer access as assigned.
C.The service account has no access because the policy is incomplete.
D.The service account has objectAdmin access because it is not explicitly denied.
AnswerB

The policy explicitly grants objectViewer role to the service account.

Why this answer

Option B is correct because the service account is assigned the objectViewer role, which allows read-only access. Option D is incorrect because the service account does not have objectAdmin; IAM grants access only through explicit bindings, not by the absence of a deny. Option C is incorrect because the policy is not incomplete; the viewer role is assigned.

Option A is incorrect because objectCreator is not granted.

890
MCQmedium

A security engineer needs to ensure that sensitive columns in BigQuery are automatically masked for certain users. For example, the email column should show only the domain for users with a specific role. Which two services must be configured together?

A.Data Catalog and BigQuery Data Policy
B.Cloud IAM and VPC Service Controls
C.Secret Manager and Cloud Functions
D.Cloud DLP and Cloud KMS
AnswerA

Data Catalog creates taxonomies and policy tags; BigQuery Data Policy uses those tags to apply data masking rules.

Why this answer

BigQuery column-level security uses policy tags attached to columns, which are defined in Data Catalog taxonomies. To apply masking, you need to use BigQuery Data Policy (also known as data masking) which uses policy tags to define masking rules. Data Catalog provides the taxonomy for policy tags, while BigQuery Data Policy applies the actual masking.

IAM roles for masking are granted via the policy tags.

891
Multi-Selecteasy

A company needs to grant a service account the ability to manage Compute Engine instances (start, stop, create) in a specific set of projects. The administrator wants to follow the principle of least privilege. Which TWO steps should the administrator take? (Choose TWO.)

Select 2 answers
A.Grant the predefined roles/compute.viewer role to the service account at the folder level.
B.Use Cloud IAP to tunnel into Compute Engine instances to perform management tasks.
C.Use IAM Conditions to restrict the service account's access to only the required projects or resources.
D.Grant the predefined roles/compute.admin role to the service account at the organization level.
E.Create a custom IAM role with compute.instances.start, compute.instances.stop, and compute.instances.create permissions and assign it to the service account at the project level.
AnswersC, E

Correct: IAM Conditions can limit access to specific projects when granting roles at a higher level.

Why this answer

Option C is correct because IAM Conditions allow the administrator to restrict the service account's permissions to a specific set of projects or resources, enforcing least privilege by limiting the scope of the granted role. This ensures the service account can only manage Compute Engine instances in the designated projects, not all projects in the folder or organization.

Exam trap

Google Cloud often tests the distinction between IAM Conditions and folder/organization-level roles, where candidates mistakenly choose broad roles like compute.admin at the organization level instead of using conditions or custom roles to scope permissions.

892
MCQmedium

A company runs a GKE cluster in a private cluster mode (no public endpoint) in a custom VPC. The cluster nodes are in a subnet that uses a secondary IP range for pods. The company needs the pods to access an on-premises service over a Cloud VPN connection that terminates in a different region. The on-premises service IP range is 10.100.0.0/16. The VPC has a route for 10.100.0.0/16 pointing to the VPN gateway. However, pods cannot reach the on-premises service. The GKE cluster is configured with a Cloud NAT for outbound internet access. The pod IP range is 10.200.0.0/16. Which step is required to allow pod traffic to reach the on-premises network?

A.Configure Cloud NAT to also translate pod IPs to the node IPs for on-premises traffic.
B.Add a static route in the VPC for the pod IP range (10.200.0.0/16) with next hop set to the VPN gateway.
C.Disable IP masquerade in the GKE cluster to use pod IPs directly.
D.Create a firewall rule allowing traffic from the pod IP range to the on-premises IP range.
AnswerB

Correct: this ensures traffic from pods to on-premises is routed via VPN.

Why this answer

The VPC has a route for the on-premises range (10.100.0.0/16) pointing to the VPN gateway, but the GKE cluster's pod IP range (10.200.0.0/16) is not part of the VPC's primary or secondary subnet ranges. By default, GKE pods use IP addresses from a secondary IP range that is not automatically advertised over Cloud VPN. Adding a static route in the VPC for 10.200.0.0/16 with next hop set to the VPN gateway ensures that traffic from pods to the on-premises network is forwarded through the VPN tunnel, allowing the on-premises routers to learn the pod subnet and route return traffic back.

Exam trap

Google Cloud often tests the misconception that firewall rules or NAT configuration are the primary solution for connectivity issues, when in fact the missing route for the pod IP range to the VPN gateway is the root cause.

How to eliminate wrong answers

Option A is wrong because Cloud NAT is used for outbound internet access and translates pod IPs to node IPs for internet-bound traffic, not for on-premises traffic over VPN; using NAT for VPN traffic would break return routing and is unnecessary. Option C is wrong because disabling IP masquerade would cause pod traffic to use pod IPs directly, but the core issue is the lack of a route for the pod IP range to the VPN gateway, not the masquerade behavior. Option D is wrong because firewall rules control which traffic is allowed, but the problem is that traffic is not being routed to the VPN gateway at all; a firewall rule alone cannot fix a missing route.

893
MCQmedium

A company wants to allow users from a specific on-premises IP range to access a service deployed on Google Cloud, but only if the user's device is compliant with corporate security policies (e.g., has antivirus enabled). Which combination of services can achieve this?

A.VPC Service Controls with an access level that includes IP and device conditions
B.Firewall rules with source ranges and service accounts
C.Cloud Armor with geo-based access control
D.Cloud IDS with threat detection
AnswerA

Access levels can be defined with IP ranges and device policy requirements using Context-Aware Access.

Why this answer

VPC Service Controls access levels can combine IP-based conditions with device-based conditions (e.g., using BeyondCorp Enterprise). This allows restricting access to a service perimeter based on both the user's IP and device compliance.

894
MCQmedium

A company wants to expose an internal web service running on a private GKE cluster to other services within the same VPC network using a private IP address. They do not want to use a public load balancer. Which Google Cloud service should they use?

A.Cloud NAT
B.Private Service Connect
C.Cloud VPN
D.Internal load balancer
AnswerB

Correct: Private Service Connect enables private connectivity to managed services or custom internal services via endpoints.

Why this answer

Private Service Connect allows publishing services using internal IP addresses. It can be used to create a private endpoint for GKE services, accessible only within the VPC network via a Private Service Connect endpoint.

895
MCQmedium

A security operations team is using Cloud Audit Logs to investigate a suspicious data export from a Cloud Storage bucket. They need to see which user accessed a specific object and when. Which log type should they examine?

A.Data Access logs
B.Policy Denied logs
C.System Event logs
D.Admin Activity logs
AnswerD

Admin Activity logs record configuration changes, not data access.

Why this answer

Data Access logs record object-level operations on Cloud Storage. Admin Activity logs only cover configuration changes.

896
MCQmedium

An administrator wants to enforce that a user can only create virtual machines in a specific subnet of a VPC network. What IAM condition should be added to the compute.instanceAdmin role binding?

A.resource.name == "projects/PROJECT_ID/regions/us-central1/subnetworks/SUBNET"
B.resource.name == "projects/PROJECT_ID/subnetworks/SUBNET"
C.api.getAttribute("compute.googleapis.com/zone", "") != "us-central1"
D.resource.subnetwork == "projects/PROJECT_ID/subnetworks/SUBNET"
AnswerA

This condition correctly restricts to the specific subnet by its full resource name.

Why this answer

Option A is correct because the IAM condition `resource.name` with the full resource name of the subnet (including the region) is the proper way to restrict virtual machine creation to a specific subnet. The `compute.instanceAdmin` role binding with this condition ensures that the user can only create instances whose subnet matches the specified resource name, enforcing the subnet-level constraint.

Exam trap

Google Cloud often tests the distinction between the correct IAM condition attribute (`resource.name`) and incorrect ones like `resource.subnetwork` or zone-based attributes, exploiting the common misconception that subnet restrictions can be applied via zone or subnet name alone without the full hierarchical resource path.

How to eliminate wrong answers

Option B is wrong because the resource name format for a subnet must include the region (e.g., `regions/us-central1/subnetworks/SUBNET`), not just `subnetworks/SUBNET`; omitting the region makes the condition invalid or too broad. Option C is wrong because `api.getAttribute("compute.googleapis.com/zone", "")` checks the zone, not the subnet, and the condition `!= "us-central1"` would incorrectly block instances in that zone rather than restrict to a specific subnet. Option D is wrong because `resource.subnetwork` is not a valid IAM condition attribute for Compute Engine resources; the correct attribute is `resource.name` to match the full resource name of the subnet.

897
MCQmedium

A security engineer needs to ensure that all container images deployed to a GKE cluster are signed by a trusted authority. The organization uses Cloud KMS for key management and wants to enforce the policy at admission time. Which two components are essential to implement this requirement? (Choose two.)

A.Cloud Audit Logs enabled for GKE
B.Container Analysis vulnerability scanning
C.Attestor created in Binary Authorization with Cloud KMS key
D.Binary Authorization policy set to 'Require Attestation'
E.Web Security Scanner configured to scan the GKE cluster
AnswersC, D

Attestors are used to verify signatures; Cloud KMS keys provide cryptographic signing.

Why this answer

Binary Authorization requires attestors to verify image signatures and a policy that requires at least one attestation. Attestors use Cloud KMS keys for signing, and the policy is enforced at GKE admission time.

898
MCQhard

A company has a Kubernetes cluster on GKE that runs a microservice. The microservice needs to read from a Cloud Spanner database. The security team requires that the microservice uses the principle of least privilege and that credentials are never stored as Kubernetes secrets. What is the recommended configuration?

A.Use the Compute Engine default service account for the node pool.
B.Enable Workload Identity, create a Kubernetes service account, and annotate it to map to a Google Cloud service account with the necessary roles.
C.Create a Kubernetes secret containing a service account key and mount it into the pod.
D.Assign the required IAM roles to the GKE node's default service account and use it from the pod.
AnswerB

Follows best practices: keyless, least privilege.

Why this answer

With Workload Identity you annotate a Kubernetes service account with the email of a Google Cloud service account that holds the needed Spanner roles (for example `roles/spanner.databaseReader`), and grant that Kubernetes service account `roles/iam.workloadIdentityUser` on the Google service account. Pods that run as the Kubernetes service account obtain short-lived Google credentials from the GKE metadata server, so no service account key is created, distributed, or stored in a Kubernetes Secret, and the workload gets only the roles bound to its own Google service account.
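As an added example (not the page's or Google's code), the following audits the wiring described above: the Kubernetes service account annotation, the `roles/iam.workloadIdentityUser` binding on the Google service account, the pod running as that Kubernetes service account, and the absence of any mounted key. The project id, namespace, service-account names and the constructed manifests and IAM policy are assumptions; the inputs mirror `kubectl get sa -o json`, a Pod spec, and `gcloud iam service-accounts get-iam-policy GSA_EMAIL --format=json`.

```python
"""Audit a GKE workload for keyless Workload Identity wiring.

Added example, not Google's or the page's code. The project id, namespace,
service-account names and the constructed manifests and IAM policy are
assumptions. Inputs mirror `kubectl get sa -o json`, a Pod spec, and
`gcloud iam service-accounts get-iam-policy GSA_EMAIL --format=json`.
"""
PROJECT_ID = "demo"
WI_ANNOTATION = "iam.gke.io/gcp-service-account"
WI_ROLE = "roles/iam.workloadIdentityUser"


def expected_member(project_id, namespace, ksa_name):
    """IAM member that Workload Identity uses for a Kubernetes service account."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa_name}]"


def audit_workload_identity(ksa, pod_spec, gsa_policy, project_id=PROJECT_ID):
    """Return findings; an empty list means the pod gets credentials only via Workload Identity."""
    findings = []
    ns = ksa["metadata"]["namespace"]
    name = ksa["metadata"]["name"]
    gsa = ksa["metadata"].get("annotations", {}).get(WI_ANNOTATION)
    if not gsa:
        findings.append(f"KSA {ns}/{name} lacks the {WI_ANNOTATION} annotation")
    elif not gsa.endswith(".iam.gserviceaccount.com"):
        findings.append(f"{WI_ANNOTATION} is not a service-account email: {gsa}")
    else:
        # The GSA must allow exactly this KSA to impersonate it, nothing broader.
        member = expected_member(project_id, ns, name)
        bound = any(b.get("role") == WI_ROLE and member in b.get("members", [])
                    for b in gsa_policy.get("bindings", []))
        if not bound:
            findings.append(f"{gsa} has no {WI_ROLE} binding for {member}")
    # The pod must run as that KSA (Kubernetes defaults to 'default' when unset).
    if pod_spec.get("serviceAccountName", "default") != name:
        findings.append(f"pod runs as '{pod_spec.get('serviceAccountName', 'default')}', not {name}")
    # Any key file or mounted Secret means credentials exist outside Workload Identity.
    for container in pod_spec.get("containers", []):
        for env in container.get("env", []):
            if env.get("name") == "GOOGLE_APPLICATION_CREDENTIALS":
                findings.append(f"container {container.get('name')} sets GOOGLE_APPLICATION_CREDENTIALS")
    for vol in pod_spec.get("volumes", []):
        if "secret" in vol:
            findings.append(f"secret volume '{vol['name']}' is mounted; review it for key material")
    return findings


def demo():
    """Constructed good and bad configurations for the Spanner-reading microservice."""
    good_ksa = {"metadata": {"name": "spanner-reader", "namespace": "payments",
                             "annotations": {WI_ANNOTATION: "spanner-reader@demo.iam.gserviceaccount.com"}}}
    good_pod = {"serviceAccountName": "spanner-reader",
                "containers": [{"name": "api", "image": "us-docker.pkg.dev/demo/app/api:1.4.2"}]}
    good_policy = {"bindings": [{"role": WI_ROLE,
                                 "members": [expected_member("demo", "payments", "spanner-reader")]}]}
    # The anti-pattern from the question: a mounted key file on the default KSA.
    bad_ksa = {"metadata": {"name": "default", "namespace": "payments"}}
    bad_pod = {"containers": [{"name": "api", "image": "us-docker.pkg.dev/demo/app/api:1.4.2",
                               "env": [{"name": "GOOGLE_APPLICATION_CREDENTIALS",
                                        "value": "/var/secrets/google/key.json"}]}],
               "volumes": [{"name": "sa-key", "secret": {"secretName": "spanner-sa-key"}}]}
    return {"good": audit_workload_identity(good_ksa, good_pod, good_policy),
            "bad": audit_workload_identity(bad_ksa, bad_pod, {"bindings": []})}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or ["OK"])
```

The binding check is the part people forget: the annotation alone does nothing until the Google service account's own IAM policy lists the `PROJECT_ID.svc.id.goog[NAMESPACE/KSA]` member with `roles/iam.workloadIdentityUser`, and that member should be the specific KSA, not a wildcard.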

899
MCQmedium

A Dataflow job launched by service account 'my-sa@...' fails with permission denied. The audit log shows the above entry. What missing role is causing the failure?

A.roles/iam.workloadIdentityUser on the worker service account
B.roles/iam.serviceAccountUser on the worker service account
C.roles/iam.serviceAccountAdmin on the worker service account
D.roles/iam.serviceAccountTokenCreator on the worker service account
AnswerB

This role grants the actAs permission.

Why this answer

When a Dataflow job launch fails with permission denied and the audit log records a denied check on the worker service account, the missing role is `roles/iam.serviceAccountUser` on that worker service account. Launching a job with a worker service account is an `iam.serviceAccounts.actAs` check: the principal launching the job (here `my-sa@...`) must be allowed to act as the worker service account, otherwise Dataflow cannot run the pipeline under that identity and the launch is rejected.

Exam trap

Google Cloud often tests the distinction between roles that grant administrative control (serviceAccountAdmin) versus roles that grant impersonation (serviceAccountUser), and candidates mistakenly choose serviceAccountAdmin thinking it includes all permissions, but impersonation requires the specific actAs permission.

How to eliminate wrong answers

Option A is wrong because roles/iam.workloadIdentityUser lets a Kubernetes service account under GKE Workload Identity impersonate a Google service account; it plays no part in Dataflow worker impersonation. Option C is wrong because roles/iam.serviceAccountAdmin grants administrative permissions to manage service accounts (create, delete, set IAM policies), which is excessive and does not include `iam.serviceAccounts.actAs`. Option D is wrong because roles/iam.serviceAccountTokenCreator grants token-minting permissions (access tokens, OpenID Connect tokens, signBlob), but attaching a worker service account to a job is an actAs check, which only roles/iam.serviceAccountUser satisfies.
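The question's audit log entry is not reproduced on this page, so as an added example (not Google's or the page's code) the following triages constructed entries in the shape of the Cloud Audit Log `AuditLog` proto (`protoPayload.authenticationInfo`, `authorizationInfo`, `status`): it finds the denied permission, maps it to the narrowest predefined role that grants it on a service account, and prints the binding command. The project, principals and method name are assumptions.

```python
"""Triage Cloud Audit Log PERMISSION_DENIED entries for service-account impersonation.

Added example, not Google's or the page's code. The question's actual log entry
is not reproduced here; the entries below are constructed in the shape of the
AuditLog proto (protoPayload.authenticationInfo, authorizationInfo, status),
and the project, principals and method name are assumptions.
"""

# Permission denied on a service account -> predefined role that grants it there.
ROLE_FOR_PERMISSION = {
    "iam.serviceAccounts.actAs": "roles/iam.serviceAccountUser",
    "iam.serviceAccounts.getAccessToken": "roles/iam.serviceAccountTokenCreator",
    "iam.serviceAccounts.getOpenIdToken": "roles/iam.serviceAccountTokenCreator",
    "iam.serviceAccounts.signBlob": "roles/iam.serviceAccountTokenCreator",
}
PERMISSION_DENIED = 7  # google.rpc.Code.PERMISSION_DENIED

SAMPLE_ENTRIES = [
    {  # constructed: launching the job failed because my-sa cannot act as the worker SA
        "logName": "projects/demo/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "dataflow.googleapis.com",
            "methodName": "google.dataflow.v1beta3.JobsV1Beta3.CreateJob",
            "resourceName": "projects/demo/locations/us-central1/jobs",
            "authenticationInfo": {"principalEmail": "my-sa@demo.iam.gserviceaccount.com"},
            "authorizationInfo": [
                {"resource": "projects/demo/locations/us-central1/jobs",
                 "permission": "dataflow.jobs.create", "granted": True},
                {"resource": "projects/-/serviceAccounts/worker-sa@demo.iam.gserviceaccount.com",
                 "permission": "iam.serviceAccounts.actAs", "granted": False},
            ],
            "status": {"code": PERMISSION_DENIED, "message": "PERMISSION_DENIED"},
        },
    },
    {  # constructed: a successful launch; no status.code means OK, nothing to fix
        "protoPayload": {
            "serviceName": "dataflow.googleapis.com",
            "methodName": "google.dataflow.v1beta3.JobsV1Beta3.CreateJob",
            "authenticationInfo": {"principalEmail": "my-sa@demo.iam.gserviceaccount.com"},
            "authorizationInfo": [{"permission": "dataflow.jobs.create", "granted": True}],
        },
    },
]


def denied_permissions(entry):
    """Yield (principal, resource, permission) for each check the entry records as denied."""
    payload = entry.get("protoPayload", {})
    if payload.get("status", {}).get("code") != PERMISSION_DENIED:
        return
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    for info in payload.get("authorizationInfo", []):
        if not info.get("granted", False):
            yield principal, info.get("resource", payload.get("resourceName", "")), info["permission"]


def iam_member(principal):
    """Prefix the principal the way IAM bindings expect it."""
    kind = "serviceAccount" if principal.endswith("gserviceaccount.com") else "user"
    return f"{kind}:{principal}"


def suggest_fixes(entries):
    """Map each denied service-account permission to the narrowest predefined role and a binding command."""
    fixes = []
    for entry in entries:
        for principal, resource, permission in denied_permissions(entry):
            role = ROLE_FOR_PERMISSION.get(permission)
            if role is None:
                continue  # not a service-account impersonation problem; triage elsewhere
            sa_email = resource.rsplit("/", 1)[-1]  # projects/-/serviceAccounts/<email>
            command = (f"gcloud iam service-accounts add-iam-policy-binding {sa_email} "
                       f"--member='{iam_member(principal)}' --role='{role}'")
            fixes.append({"principal": principal, "permission": permission,
                          "service_account": sa_email, "role": role, "command": command})
    return fixes


if __name__ == "__main__":
    for fix in suggest_fixes(SAMPLE_ENTRIES):
        print(f"{fix['principal']} lacks {fix['permission']} on {fix['service_account']}")
        print("  grant with:", fix["command"])
```

The binding goes on the worker service account's own IAM policy, not at project level: granting `roles/iam.serviceAccountUser` on the project would let the launcher act as every service account in it, which is exactly the over-grant the exam trap warns about.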

900
Multi-Selectmedium

An organization wants to implement a zero-trust network security model for their Google Cloud environment. Which TWO practices should they adopt? (Choose TWO.)

Select 2 answers
A.Implement VPC Service Controls to create perimeters around sensitive APIs.
B.Use service account targets for firewall rules instead of tags.
C.Enable Private Google Access for all subnets.
D.Use network tags to group VMs for firewall rules.
E.Allow all outbound traffic and rely on intrusion detection.
AnswersA, B

Restricts API access based on identity and context.

Why this answer

Using service account targets for firewall rules ties the rule to a workload identity governed by IAM, rather than to a network tag that any principal with `compute.instances.setTags` can attach to a VM; that is the identity-based control zero trust calls for. VPC Service Controls restrict access to Google APIs based on the caller's identity and request context (such as source network or device), reducing reliance on the network perimeter.
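As an added example (not Google's or the page's code), the following audits a set of VPC firewall rules for the two anti-patterns the options contrast: targets or sources selected by network tag instead of service account, and broad ingress. The rules are constructed in the shape of `gcloud compute firewall-rules list --format=json`; the names, service accounts and ranges are assumptions.

```python
"""Flag VPC firewall rules that do not fit an identity-based (zero-trust) model.

Added example, not Google's or the page's code. The rules are constructed in the
shape of `gcloud compute firewall-rules list --format=json`; the names, service
accounts and ranges are assumptions.
"""

SAMPLE_RULES = [
    {"name": "allow-lb-to-web", "direction": "INGRESS",
     "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"],
     "targetServiceAccounts": ["web@demo.iam.gserviceaccount.com"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
    {"name": "allow-ssh-tagged", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["ssh"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-app-to-db-by-tag", "direction": "INGRESS", "sourceTags": ["app"],
     "targetTags": ["db"], "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "allow-all-ingress", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "old-rule", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["legacy"], "allowed": [{"IPProtocol": "all"}]},
]


def audit_firewall_rules(rules):
    """Return (rule_name, finding) pairs for enabled rules that rely on tags or open sources."""
    findings = []
    for rule in rules:
        if rule.get("disabled"):
            continue
        name = rule["name"]
        # Tags are labels that anyone with compute.instances.setTags can attach to a VM;
        # a service account is an identity that IAM controls, so only it fits zero trust.
        if rule.get("targetTags"):
            findings.append((name, "target selected by network tag; use targetServiceAccounts"))
        if rule.get("sourceTags"):
            findings.append((name, "source selected by network tag; use sourceServiceAccounts"))
        if rule.get("direction", "INGRESS") == "INGRESS":
            if "0.0.0.0/0" in rule.get("sourceRanges", []):
                findings.append((name, "ingress allowed from 0.0.0.0/0"))
            if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
                findings.append((name, "no target: rule applies to every instance in the network"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_firewall_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Only the rule scoped by `targetServiceAccounts` passes clean. When migrating, note that a single rule cannot mix tag and service-account selectors, so each tag-based rule is replaced by a new rule keyed on the workload's service account and the old one is then deleted.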
