Google Professional Cloud Security Engineer (PCSE) — Questions 901–975

985 questions total · 14 pages · All types, answers revealed

Page 13 of 14
901
MCQ · hard

Refer to the exhibit. You are analyzing the IAM policy for a project. You need to ensure that only authenticated users can access objects in bucket1 under the prefix "reports/". Which of the following statements is correct?

A. The condition on objectViewer also prevents alice from listing objects under reports/.
B. The service account sa-1 can view objects under reports/ in bucket1.
C. Bob can view, create, and delete any object in bucket1.
D. Alice can only view objects under reports/ in bucket1.
Answer: C

Bob has the objectAdmin role at the project level without conditions, granting him full control over all objects in bucket1.

Why this answer

Option C is correct because the IAM policy grants Bob the roles/storage.objectAdmin role on the entire bucket1, which includes permissions to view, create, and delete any object in the bucket. The condition restricting access to the "reports/" prefix applies only to the objectViewer role, not to Bob's role. Therefore, Bob has full administrative access to all objects in bucket1 without any prefix restriction.

Exam trap

Google Cloud often tests the misconception that a condition applied to one role binding automatically restricts all other role bindings for the same principal, leading candidates to incorrectly assume that Bob's objectAdmin role is limited by the condition on Alice's objectViewer role.

How to eliminate wrong answers

Option A is wrong because the condition on objectViewer restricts access to objects under the "reports/" prefix, but it does not prevent listing objects; listing is controlled by the storage.objects.list permission, which the objectViewer role grants, and the condition limits only object-level actions (such as get) to the prefix, not the list action itself. Option B is wrong because the service account sa-1 is not mentioned in the IAM policy exhibit; without an explicit binding, sa-1 has no access to objects in bucket1. Option D is wrong because Alice is assigned the objectViewer role with a condition that limits access to objects under "reports/", but the condition also applies to listing; the statement that she can "only view objects under reports/" is partially true but misleading, because the condition also restricts listing to that prefix, and the option does not mention that she cannot list objects outside the prefix, so it is incorrect as a complete statement.

902
MCQ · easy

Your organization has a VPC with several subnets hosting Compute Engine instances. You need to allow SSH access (port 22) to instances in the 'management' subnet from the internet, but only from the office's static IP range (203.0.113.0/24). All other ingress traffic to that subnet should be blocked. Which firewall rule configuration should you create?

A. Create an ingress rule with target tag 'management', source IP range 0.0.0.0/0, protocol tcp:22, action allow
B. Create an ingress rule with target tag 'management', source IP range 203.0.113.0/24, protocol tcp:22, action deny
C. Create an ingress rule with target tag 'management', source IP range 203.0.113.0/24, protocol tcp:22, action allow
D. Create an ingress rule with target tag 'management', source IP range 203.0.113.0/24, protocol all, action allow
Answer: C

Correct: Targets the subnet's instances via tag, allows SSH only from office IP.

Why this answer

Option C is correct because it creates an ingress firewall rule that explicitly allows TCP port 22 traffic from the office's static IP range (203.0.113.0/24) to instances tagged 'management'. In Google Cloud VPC firewall rules, the default action is to deny all ingress traffic unless an allow rule matches, so this single allow rule satisfies the requirement: only SSH from the office IP range is permitted, and all other ingress is implicitly blocked.

Exam trap

Google Cloud often tests the misconception that you need both an allow rule and a separate deny rule to block other traffic, but in Google Cloud VPC, the implicit deny all ingress rule already blocks everything not explicitly allowed, so only the allow rule is required.

How to eliminate wrong answers

Option A is wrong because it allows SSH from any source IP (0.0.0.0/0), which violates the requirement to restrict access only to the office's static IP range. Option B is wrong because it creates a deny rule for the allowed source IP range, which would block the very traffic that should be permitted; deny rules are evaluated after allow rules, but this rule would block the intended SSH access. Option D is wrong because it allows all protocols (not just TCP:22) from the office IP range, which would permit unnecessary traffic (e.g., HTTP, RDP) and violates the requirement to block all other ingress traffic to the management subnet.

903
MCQ · medium

A healthcare organization is migrating to Google Cloud and needs to ensure that all data stored in Cloud Storage is encrypted at rest with customer-managed encryption keys (CMEK) to meet HIPAA requirements. The security team wants to centrally manage key rotation and access. Which solution should they implement?

A. Use Cloud Data Loss Prevention (DLP) to de-identify data before storing.
B. Use Cloud Hardware Security Module (Cloud HSM) with CMEK.
C. Use Cloud Key Management Service (Cloud KMS) with CMEK and enable key rotation.
D. Use customer-supplied encryption keys (CSEK) stored in Cloud Storage.
Answer: C

Cloud KMS provides centralized key management, rotation, and integrates with Cloud Storage for CMEK.

Why this answer

Option C is correct because Cloud KMS with CMEK allows the organization to centrally manage encryption keys, including automated key rotation, while maintaining customer control over the keys used to encrypt Cloud Storage data. This meets HIPAA requirements for encryption at rest with customer-managed keys, as Cloud KMS integrates directly with Cloud Storage to enforce encryption using the specified key.

Exam trap

The trap here is that candidates may confuse Cloud HSM with Cloud KMS, thinking that HSM is required for HIPAA compliance, but Cloud KMS with CMEK alone satisfies the requirement for customer-managed keys and key rotation without the added cost and complexity of HSM.

How to eliminate wrong answers

Option A is wrong because Cloud DLP is used for de-identification and masking of sensitive data, not for managing encryption keys or providing encryption at rest with customer-managed keys. Option B is wrong because Cloud HSM is a hardware-based key management service that can be used with CMEK, but it is an additional service that provides FIPS 140-2 Level 3 compliance, not a requirement for HIPAA; the question asks for a solution to centrally manage key rotation and access, which Cloud KMS alone provides without the need for HSM. Option D is wrong because CSEK requires customers to supply their own encryption keys and manage them outside of Google Cloud, which does not provide centralized key rotation and access management within Google Cloud; CSEK keys are stored in Cloud Storage, which introduces security risks and operational overhead.

904
Multi-Select · medium

A company wants to audit all changes to IAM policies in their organization. They need to set up logging to capture these changes. Which TWO steps should they take? (Choose TWO.)

Select 2 answers
A. Enable Admin Activity audit logs for each individual project.
B. Enable System Event audit logs for the organization.
C. Enable Data Access audit logs for the organization.
D. Enable Admin Activity audit logs for the organization.
E. Configure a log sink to export these logs to BigQuery for analysis.
Answers: D, E

Admin Activity logs record IAM policy changes.

Why this answer

Admin Activity audit logs record operations that modify the configuration or metadata of resources, such as IAM policy changes. Enabling Admin Activity audit logs at the organization level captures these changes across all projects within the organization, providing a centralized audit trail. This is the correct step because IAM policy modifications are classified as admin activity, not system events or data access.

Exam trap

Google Cloud often tests the distinction between audit log types, and the trap here is that candidates confuse System Event logs (which handle infrastructure events) with Admin Activity logs, or assume that enabling logs per project is equivalent to enabling them at the organization level.

905
MCQ · medium

A security engineer wants to test a web application hosted on Compute Engine for vulnerabilities. According to Google Cloud's Acceptable Use Policy, which of the following is true regarding penetration testing?

A. Penetration testing is allowed only for customers with Enterprise support plans.
B. All penetration testing requires prior written approval from Google.
C. Penetration testing is allowed without prior approval, but Denial of Service (DoS) testing is prohibited.
D. Testing must be limited to non-production environments only.
Answer: C

As per Google Cloud's Acceptable Use Policy, penetration testing is allowed without prior approval, but DoS testing is not permitted.

Why this answer

Google Cloud does not require prior approval for penetration testing of most services, but Denial of Service (DoS) testing is explicitly prohibited.

906
Multi-Select · hard

Which THREE components are required to configure VPC Flow Logs for a Compute Engine instance?

Select 3 answers
A. Enable VPC Flow Logs on the subnet
B. The VM's service account must have the compute.instances.get permission
C. A log sink to export logs to BigQuery
D. A VM with a network interface in the subnet
E. A metadata server to store logs
Answers: A, B, D

Flow logs are enabled per subnet.

Why this answer

VPC Flow Logs capture network traffic metadata at the subnet level. Enabling flow logs on the subnet (A) is the primary configuration step that activates logging for all VM instances within that subnet. The VM's service account must have the compute.instances.get permission (B) to allow the flow log agent to retrieve instance metadata required for log entries.

A VM with a network interface in the subnet (D) is necessary because flow logs are generated per network interface; without a VM in the subnet, there is no traffic to log.

Exam trap

Google Cloud often tests the misconception that a log sink or external export destination is a required component for VPC Flow Logs, when in fact the logs are natively stored in Cloud Logging and exporting is optional.

907
Multi-Select · easy

A security engineer is configuring Cloud Armor to protect a global external HTTP(S) Load Balancer. Which TWO of the following are valid Cloud Armor security policies? (Choose two.)

Select 2 answers
A. Web Security Scanner scan rule
B. Signed URL policy
C. Preconfigured Identity-Aware Proxy (IAP) rule
D. Preconfigured OWASP Top 10 rules
E. Custom rule with rate limiting based on IP
Answers: D, E

Cloud Armor includes predefined WAF rules for OWASP vulnerabilities.

Why this answer

Option D is correct because Cloud Armor includes preconfigured rules that map directly to the OWASP Top 10 web application vulnerabilities, such as SQL injection and cross-site scripting (XSS). These rules are managed by Google and automatically updated to protect against the latest attack patterns, making them a valid security policy for a global external HTTP(S) Load Balancer.

Exam trap

Google Cloud often tests the distinction between Cloud Armor security policies and other Google Cloud security services (like IAP, Signed URLs, or Web Security Scanner), so the trap here is confusing access control or URL signing mechanisms with the WAF-like rule engine of Cloud Armor.

908
MCQ · medium

Refer to the exhibit. A developer working from a workstation with IP 203.0.113.5 cannot SSH to a VM in the my-vpc network. Which firewall rule is most likely blocking the connection?

A. allow-ssh-from-bastion
B. deny-ssh-all
C. default-allow-http
D. default-allow-ssh
Answer: B

This rule denies SSH from all IPs with a higher priority, blocking all SSH traffic.

Why this answer

Option B is correct because the deny-ssh-all rule has a priority of 200 (a higher priority than the allow rules at 500 and 1000) and blocks SSH from all IPs. Firewall rules in GCP are evaluated by priority (lower number = higher priority), so the deny overrides the allows. The allow-ssh-from-bastion rule only permits SSH from 10.0.1.2, not the developer's IP.

909
MCQ · easy

A security team wants to monitor for compliance drift in an Assured Workloads folder that enforces FedRAMP High controls. Which Google Cloud service should they use to detect violations of organization policies?

A. Cloud Monitoring
B. Security Command Center
C. Access Transparency
D. Cloud Audit Logs
Answer: B

Security Command Center provides compliance monitoring and can detect violations of organization policies.

Why this answer

Security Command Center includes a compliance dashboard and can detect policy violations in Assured Workloads.

910
MCQ · hard

A large enterprise runs a streaming data pipeline using Dataflow to process events from Pub/Sub, apply aggregations with fixed windows, and write results to BigQuery. They are experiencing high costs and long processing times. The Dataflow job uses Streaming Engine, but the workers show high CPU utilization. The pipeline has autoscaling enabled, but the number of workers rarely increases. The team wants to reduce processing time and cost. What should they do?

A. Use a larger machine type for workers, such as n1-standard-8.
B. Increase the number of workers by setting maxNumWorkers higher.
C. Optimize the windowing interval to reduce data shuffling.
D. Switch from Streaming Engine to batch mode to reduce resource overhead.
Answer: C

Shorter windows or aligning windows with data patterns can reduce state size and shuffling, lowering CPU usage and improving throughput.

Why this answer

Optimizing the windowing interval reduces data shuffling and can improve performance without adding resources. Long windows cause more state to be kept, increasing CPU and memory demands. Option B is incorrect because increasing maxNumWorkers may help, but the job is already CPU-bound and not scaling; more workers might not reduce CPU per worker if the issue is data shuffling.

Option A is incorrect because larger machines increase cost and may not address the root cause. Option D is incorrect because switching to batch would not meet real-time requirements and may cause data loss.

911
MCQ · hard

A company has a VPC network with a default route to the internet gateway. They want all egress traffic to go through a firewall appliance instead. They create a new route with a next hop to the appliance and a priority of 500. However, traffic is still going through the internet gateway. What is the most likely reason?

A. The new route has a higher tag specification that overrides
B. The new route's destination range is not 0.0.0.0/0
C. The appliance does not have IP forwarding enabled
D. The firewall appliance is in a different network
Answer: B

The default route covers all destinations; the new route must also be 0.0.0.0/0 with a higher priority to override.

Why this answer

The default route to the internet gateway has a destination of 0.0.0.0/0. For the new route to override it, the new route must also have a destination of 0.0.0.0/0 (or a more specific prefix). If the new route's destination range is not 0.0.0.0/0, it will not match all egress traffic, and the existing default route with a lower priority (higher numerical value) will still be used for traffic that does not match the new route's destination.

Exam trap

Google Cloud often tests the misconception that a lower priority number always overrides a higher priority number, but the trap here is that the route must also have the same destination prefix (0.0.0.0/0) to override the default route; otherwise, the default route remains active for all unmatched traffic.

How to eliminate wrong answers

Option A is wrong because route tags are used for route distribution and policy-based routing, not for overriding route priority in a VPC routing table; priority (or metric) is the sole determinant of route selection among routes with the same destination prefix. Option C is wrong because IP forwarding on the appliance is required for the appliance to forward traffic, but the question states traffic is still going through the internet gateway, meaning the route to the appliance is not being used at all—IP forwarding would only matter if the route were matched. Option D is wrong because a firewall appliance in a different network would be unreachable as a next hop, but the route would still be installed; the issue is that the route's destination range does not match the traffic, not that the next hop is in a different network.

912
MCQ · medium

A company wants to use Cloud Armor Managed Protection Plus to protect their HTTP(S) load balancer from DDoS attacks. They need to automatically block traffic from IP addresses that exhibit anomalous behavior based on machine learning. Which Cloud Armor feature should they enable?

A. Custom rules with CEL
B. Pre-configured WAF rules
C. Rate limiting
D. Adaptive Protection
Answer: D

Adaptive Protection uses ML models to detect anomalous traffic and generate rules.

Why this answer

Adaptive Protection uses ML to detect anomalous traffic and suggests rules to block it. Managed Protection Plus includes adaptive protection.

913
MCQ · easy

Which IAM role type is recommended for granting fine-grained permissions to Google Cloud services in production?

A. Basic roles (Owner, Editor, Viewer)
B. Custom roles
C. Primitive roles
D. Predefined roles
Answer: D

Predefined roles provide service-specific permissions and are the recommended default.

Why this answer

Predefined roles are curated by Google and provide granular permissions for specific services. They are designed for production use. Basic roles (Owner/Editor/Viewer) are broad and not recommended.

Custom roles can be used if predefined roles are insufficient, but predefined are preferred for simplicity and maintainability.

914
MCQ · medium

A company wants to allow users to access an internal web application running on Compute Engine behind a load balancer without requiring a VPN. The solution must authenticate users and enforce access based on user identity and context (e.g., device security). Which Google Cloud service should they use?

A. Cloud NAT
B. Identity-Aware Proxy (IAP)
C. Cloud Armor
D. VPC Service Controls
Answer: B

Correct for identity and context-aware access.

Why this answer

Identity-Aware Proxy (IAP) provides zero-trust access control for web applications, authenticating users and enforcing context-aware access policies without requiring VPN. IAP sits in front of the load balancer and verifies identity and context before allowing access.

915
Multi-Select · medium

A company must enforce that no data can be accessed from outside a specific set of Google Cloud projects. They want to ensure that only authorized services can communicate between projects. Which TWO controls should they implement? (Choose TWO.)

Select 2 answers
A. Access Context Manager
B. VPC Service Controls
C. Cloud Armor
D. Identity-Aware Proxy (IAP)
E. Cloud NAT
Answers: A, B

Access Context Manager defines and manages context-aware access policies that can be used with VPC Service Controls to enforce access based on context.

Why this answer

VPC Service Controls create a perimeter around resources, and Access Context Manager defines context-aware access policies based on attributes like IP range, device policy, etc.

916
MCQ · hard

During a security incident, the forensic team needs to capture the memory and disk state of a compromised Compute Engine VM without shutting it down. The VM is running a critical application and cannot be stopped. What is the best approach to gather forensic data?

A. Clone the VM and perform forensics on the clone while the original continues running.
B. Use gcloud compute ssh to connect and run a memory capture tool, then create a disk snapshot at the same time.
C. Take a snapshot of the disk while the VM is running, and use Cloud Memorystore to capture memory.
D. Stop the VM, take a snapshot of the disk, and then start the VM.
Answer: B

Memory can be acquired using tools like 'memory capture' via SSH; disk snapshot can be taken concurrently.

Why this answer

Option B is correct because the best practice is to use a forensic tool via OS Login or gcloud compute ssh to acquire memory while the VM keeps running, and to capture the disk state with a snapshot created using gcloud compute disks snapshot; Cloud Memorystore is not relevant here. Option D is incorrect because stopping the VM loses memory state. Option A is incorrect because snapshots or clones taken while running are crash-consistent, but memory is not captured.

Option C is incorrect because Cloud Memorystore does not handle VM memory.

917
MCQ · medium

A company wants to allow employees to access a web application running on Google Kubernetes Engine (GKE) using their corporate Active Directory credentials. The application is exposed via an HTTPS load balancer. The Security Engineer needs to integrate identity federation and ensure that only authenticated users can reach the application. Which combination of services should be used?

A. Use Cloud Armor to allow only traffic from specific IP ranges and require client certificates.
B. Set up federation between Active Directory and Google Cloud using OIDC, and enable IAP on the load balancer.
C. Enable IAP and configure it to use Active Directory as an identity provider.
D. Configure Cloud Identity as the identity provider and use IAP.
Answer: B

IAP can authenticate users from an external OIDC provider.

Why this answer

Option B is correct because it combines OIDC federation between Active Directory and Google Cloud with Identity-Aware Proxy (IAP) on the load balancer. IAP verifies user identity via OIDC tokens issued by the federated identity provider, ensuring only authenticated users can reach the application without exposing it to the public internet.

Exam trap

Google Cloud often tests the misconception that IAP can directly use any identity provider (like raw Active Directory) without an OIDC/SAML federation bridge, leading candidates to pick option C.

How to eliminate wrong answers

Option A is wrong because Cloud Armor with IP ranges and client certificates enforces network-level and mTLS access, not identity federation with Active Directory credentials; it cannot authenticate users based on corporate AD identities. Option C is wrong because IAP does not support Active Directory directly as an identity provider; it requires an OIDC-compatible identity provider, such as Azure AD or a custom OIDC provider, not raw AD. Option D is wrong because Cloud Identity is Google's own identity service, not Active Directory; while it can be used with IAP, it does not integrate with corporate AD credentials unless federation is set up, which is not mentioned in the option.

918
MCQ · medium

A financial services company is required to retain audit logs for at least 7 years to comply with PCI-DSS. They have enabled Data Access audit logs for Cloud Audit Logs. However, after 6 months they notice that older logs are being automatically deleted. What is the most likely cause?

A. The default retention period for Cloud Audit Logs is 30 days, and logs are automatically deleted after that.
B. The log sink exporting to Cloud Storage has been deleted.
C. The log sink filter is incorrectly excluding certain log entries.
D. An IAM policy has revoked the Logs Viewer role for the security team.
Answer: A

Cloud Audit Logs have a default retention of 30 days (for Admin Read and Data Access) unless exported to a longer-term storage.

Why this answer

The default retention period for Cloud Audit Logs is 30 days. After this period, logs are automatically deleted unless a custom retention policy is configured or logs are exported to a long-term storage destination like Cloud Storage. Since the company enabled Data Access audit logs but did not adjust the retention setting, the logs older than 30 days are purged, explaining the 6-month observation.

Exam trap

Google Cloud often tests the misconception that log deletion is caused by misconfigured exports or IAM permissions, when in fact the default retention period for Cloud Audit Logs is the primary reason for automatic deletion, especially for Data Access audit logs.

How to eliminate wrong answers

Option B is wrong because deleting a log sink that exports to Cloud Storage would stop new logs from being exported, but it would not cause existing logs in Cloud Audit Logs to be automatically deleted; the default retention deletion is independent of sink configuration. Option C is wrong because an incorrectly excluding sink filter would affect which logs are exported, not the retention or deletion of logs already stored in Cloud Audit Logs. Option D is wrong because revoking the Logs Viewer role for the security team would prevent them from viewing logs, but it would not cause logs to be automatically deleted; deletion is governed by retention policies, not IAM permissions.

919
Multi-Select · hard

A company is designing a key destruction process for Cloud KMS. They need to ensure that after a key is destroyed, the ciphertext encrypted with that key becomes permanently undecryptable. They also need to allow a 7-day recovery window in case of accidental destruction. Which three steps should they take? (Choose THREE).

Select 3 answers
A. Schedule destruction of the key and set a destruction period of 7 days.
B. Disable the key before scheduling destruction.
C. Use Cloud HSM to store the key material for additional protection.
D. Ensure the key is not used by any active resources before destruction.
E. Rotate the key before destruction to create a new version.
Answers: A, C, D

This sets a 7-day grace period before permanent destruction, allowing recovery.

Why this answer

Cloud KMS offers a pending destruction state with a default grace period of 24 hours, which can be extended up to 30 days. By setting a longer destruction period (e.g., 7 days), the key remains in pending destruction state and can be restored. After the grace period expires, the key is destroyed permanently.

Disabling the key prevents use but allows re-enabling. Rotation does not affect destruction. Using Cloud HSM is not directly related to destruction timing.

920
MCQ · easy

A company wants to automatically provision and renew SSL certificates for their HTTPS load balancer. They want Google to manage the certificate lifecycle. Which certificate type should they use?

A. Self-managed certificate
B. Upload a certificate via the Cloud Load Balancing UI
C. Certificate Manager with a self-managed certificate
D. Google-managed certificate
Answer: D

Google-managed certificates are automatically provisioned and renewed.

Why this answer

Google-managed SSL certificates are automatically provisioned, renewed, and managed by Google. They are the correct choice for automatic lifecycle management. Self-managed certificates require the user to upload the certificate and renew it manually.

Certificate Manager is a service for managing certificates but does not automate renewal unless using Google-managed certificates.

921
MCQ · medium

An organization uses Cloud Identity with Google Workspace. They want to grant a group of external auditors read-only access to a specific folder in Google Cloud. The auditors have accounts in the organization's Cloud Identity domain. What is the most efficient way to grant this access?

A. Create a Google Group, add auditors to it, and grant the group the Viewer role at the folder level.
B. Create a custom role and assign it to each auditor.
C. Use Cloud Directory Sync to sync auditors from an external identity provider.
D. Grant each auditor the Viewer role individually at the folder level.
Answer: A

Efficient and scalable.

Why this answer

The best practice is to create a Google Group (which is a Cloud Identity group) containing the auditors, then grant the group the desired IAM role (e.g., Viewer) at the folder level. This simplifies management.

922
MCQ · medium

A retail company processes customer payment data and must comply with PCI DSS. They use Cloud SQL for database storage. They need to ensure that all database backups are encrypted at rest. What should they do?

A. Use Cloud HSM to generate a key and store in Cloud Storage for backup encryption.
B. Enable Cloud DLP to inspect and encrypt backup data.
C. No additional action required; Cloud SQL automatically encrypts backups.
D. Use Cloud KMS to create a CMEK key and attach it to the Cloud SQL instance.
Answer: C

Cloud SQL encrypts all data at rest by default.

Why this answer

Option C is correct because Cloud SQL automatically encrypts all data at rest, including backups, using either Google-managed encryption keys or customer-managed encryption keys (CMEK) if configured. No additional action is required to enable backup encryption by default, as this is a built-in feature of the service that meets PCI DSS encryption-at-rest requirements.

Exam trap

Google Cloud often tests the misconception that you must explicitly enable or configure encryption for Cloud SQL backups, when in fact Google Cloud automatically encrypts all data at rest by default, including backups, using server-side encryption.

How to eliminate wrong answers

Option A is wrong because Cloud HSM is a hardware security module for key generation and management, but it does not directly encrypt backups; keys must be used with Cloud KMS or Cloud External Key Manager, and storing keys in Cloud Storage is not the correct mechanism for backup encryption. Option B is wrong because Cloud DLP is a data loss prevention service for inspecting and de-identifying sensitive data, not for encrypting backups at rest. Option D is wrong because while Cloud KMS with CMEK can be attached to a Cloud SQL instance to encrypt data and backups, it is an optional configuration, not a required action; the question asks what they 'should do' to ensure encryption, and the default encryption already satisfies the requirement.

923
MCQ · easy

A startup company has a single Google Cloud project with multiple developers. To simplify identity management, they created a service account for each developer and granted them the roles/editor role on the project. However, the security team is concerned about the over-privileged access. They want to implement a more secure approach while maintaining operational efficiency. The developers need to: create Compute Engine instances, manage Cloud Storage buckets, and deploy App Engine apps. The company has a small team and does not require fine-grained access control per developer. What is the recommended approach to reduce privileges while meeting the developers' needs?

A. Remove the editor role and grant each developer the roles/owner role on the project.
B. Remove the editor role and create a custom role with the required permissions, then assign the custom role to each developer individually.
C. Remove the editor role and grant each developer the roles/iam.securityReviewer role.
D. Remove the editor role, create a custom role with the required permissions, and assign the custom role to a Google Group containing all developers.
Answer: D

Option D is correct; this follows least privilege and operational efficiency by using a group for assignment.

Why this answer

Option D is correct because it removes the overly permissive Editor role and replaces it with a custom role containing only the specific permissions needed for Compute Engine, Cloud Storage, and App Engine. Assigning this custom role to a Google Group that contains all developers simplifies identity management and ensures consistent, least-privilege access without per-user assignment overhead.

Exam trap

The trap here is that candidates may think creating a custom role is unnecessary and choose a predefined role like Editor or Owner, failing to recognize that custom roles are the correct way to implement least privilege when no predefined role matches the exact set of needed permissions.

How to eliminate wrong answers

Option A is wrong because granting the Owner role is even more permissive than Editor, including full administrative control over the project, which directly contradicts the security team's goal of reducing privileges. Option B is wrong because while creating a custom role is correct, assigning it to each developer individually creates administrative overhead and does not leverage group-based management for operational efficiency. Option C is wrong because the IAM Security Reviewer role only grants read-only access to IAM policies and does not include any permissions to create Compute Engine instances, manage Cloud Storage buckets, or deploy App Engine apps.

924
MCQhard

A security team wants to automatically rotate a database password stored in Secret Manager every 60 days and notify the operations team when a new version is created. Which approach should they use?

A.Set a rotation period on the secret and configure a Pub/Sub topic for notifications; use a Cloud Function to generate the new password
B.Use Cloud Scheduler to call Secret Manager API to add a new version
C.Use Cloud KMS key rotation to rotate the secret
D.Manually update the secret every 60 days
AnswerA

Secret Manager rotation with Pub/Sub and Cloud Function automates password generation and notification.

Why this answer

Secret Manager supports automatic rotation with a Pub/Sub topic. You can set a rotation period (e.g., 60 days) and a Pub/Sub topic for notifications. A Cloud Function can listen to the topic and update the password.

Secret Manager can also call a user-provided Cloud Function to generate the new secret version.

925
MCQhard

You are a security engineer for a financial services company that processes sensitive customer data. Your architecture includes two VPCs: 'data-vpc' (10.1.0.0/16) containing BigQuery datasets and Cloud Storage buckets, and 'app-vpc' (10.2.0.0/16) containing Compute Engine instances running a customer-facing application. The application needs to read from BigQuery and write to Cloud Storage. You have configured VPC Network Peering between the VPCs. Additionally, you have set up Private Google Access on all subnets in 'data-vpc' and 'app-vpc'. The application instances cannot connect to BigQuery or Cloud Storage. You have verified that firewall rules allow egress traffic to the Google APIs IP range (199.36.153.4/30) and that DNS resolution works correctly. What is the most likely cause of the connectivity failure?

A.VPC Network Peering does not support Private Google Access.
B.Cloud NAT is not configured for 'app-vpc'.
C.The 'app-vpc' subnets do not have a default route (0.0.0.0/0) to the internet gateway.
D.Firewall rules are blocking traffic to the Google APIs IP range.
AnswerC

Private Google Access requires a default route for traffic to be sent to the internet gateway.

Why this answer

Option C is correct because Private Google Access requires a default route (0.0.0.0/0) to the internet gateway in the VPC where the Compute Engine instances reside. Without this route, traffic destined for Google APIs (including BigQuery and Cloud Storage) cannot be forwarded to the internet gateway, even if Private Google Access is enabled on the subnet. The firewall rules and DNS are correctly configured, but the missing default route prevents the egress traffic from reaching the Google API IP range (199.36.153.4/30).

Exam trap

Google Cloud often tests the misconception that Private Google Access works independently of routing, but the trap here is that candidates overlook the requirement for a default route (0.0.0.0/0) to the internet gateway, even when Private Google Access is enabled on the subnet.

How to eliminate wrong answers

Option A is wrong because VPC Network Peering does support Private Google Access; the peering itself does not interfere with Private Google Access, which is a subnet-level feature that allows instances to reach Google APIs without external IP addresses. Option B is wrong because Cloud NAT is not required for Private Google Access; Private Google Access uses the internet gateway (default route) to reach Google APIs, not NAT. Option D is wrong because the question states that firewall rules allow egress traffic to the Google APIs IP range (199.36.153.4/30), so blocking is not the issue.

926
Multi-Selecthard

Which TWO techniques can be used to secure a Cloud Storage bucket containing sensitive data? (Choose 2.)

Select 2 answers
A.Enable uniform bucket-level access
B.Use a VPC Service Control perimeter
C.Set a retention policy
D.Use a Customer-managed encryption key (CMEK)
E.Enable object versioning
AnswersA, B

Uniform access disables ACLs and relies solely on IAM, reducing complexity and misconfiguration.

Why this answer

Uniform bucket-level access simplifies permissions, and VPC Service Controls restrict access to the bucket from specific networks.

927
MCQeasy

A company needs to meet compliance requirements that mandate they be notified about all actions performed by Google personnel on their data. Which Google Cloud feature should they enable?

A.Cloud Asset Inventory
B.Access Approval
C.Cloud Audit Logs for Admin Activities
D.Access Transparency
AnswerD

Access Transparency provides near real-time logs of actions by Google staff, satisfying compliance notification requirements.

Why this answer

Access Transparency logs provide records of actions taken by Google staff on customer data, fulfilling compliance notification requirements. It must be enabled at the organization level.

928
Multi-Selecthard

A security engineer needs to restrict outbound traffic from a VPC to only allow specific external IP ranges. Which three components must be configured? (Choose three.)

Select 3 answers
A.Cloud NAT
B.Private Google Access
C.Routes with next hop to a firewall instance
D.Firewall rules on the instance OS
E.VPC firewall rules (egress)
AnswersA, C, E

Required for private instances to reach the internet.

Why this answer

To restrict outbound traffic, you need egress VPC firewall rules (E). If instances have no public IP, they need Cloud NAT for internet access (A). To enforce granular filtering, traffic must be routed through a firewall appliance, which requires routes with a next hop of the firewall instance (C).

929
MCQeasy

A company has a single Google Cloud project with multiple VPC networks. They need to comply with PCI DSS requirement 1.3.2, which restricts inbound and outbound traffic to only what is necessary. They have a web application running on Compute Engine instances in a VPC with a public subnet and a private subnet. The web servers in the public subnet need to communicate with database servers in the private subnet. Currently, the security engineer has configured firewall rules to allow HTTP/HTTPS traffic from the internet to the web servers, and allow all traffic from the public subnet to the private subnet. The auditor flags that the rule allowing all traffic from the public subnet to the private subnet is too permissive. What should the security engineer do to meet the requirement while maintaining functionality?

A.Use VPC Service Controls to restrict access to the database instances.
B.Remove the firewall rule allowing all traffic from the public subnet to the private subnet, and rely on the default allow internal rule.
C.Change the existing rule to allow traffic only on ports 3306 and 443 from the public subnet to the private subnet.
D.Create a new firewall rule that allows TCP traffic on port 3306 (MySQL) from the web servers' service accounts to the database servers' IP ranges.
AnswerD

This restricts traffic to only the necessary port and source, meeting PCI DSS requirement.

Why this answer

Option D is correct because it implements a least-privilege firewall rule that restricts traffic to only the necessary MySQL port (3306) and uses service accounts as the source identity, which aligns with PCI DSS requirement 1.3.2. By specifying the web servers' service accounts as the source and the database servers' IP ranges as the destination, the rule ensures only authorized web server instances can initiate database connections, rather than allowing all traffic from the entire public subnet. This maintains the required functionality while eliminating the overly permissive 'allow all' rule.

Exam trap

The trap here is that candidates often assume VPC Service Controls (Option A) can restrict instance-to-instance traffic, or mistakenly think the default allow-internal rule (Option B) is subnet-specific, when in reality it applies to all instances in the VPC. They may also overlook that allowing HTTPS (port 443) to database servers (Option C) is unnecessary and violates least privilege.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls is designed to prevent data exfiltration by controlling access to Google Cloud APIs and managed services, not to restrict network-layer traffic between Compute Engine instances within a VPC; it does not replace firewall rules for instance-to-instance communication. Option B is wrong because the default allow internal rule permits all traffic between any instances in the same VPC network, regardless of subnet, which would still allow overly broad access from the public subnet to the private subnet and fail to meet the least-privilege requirement. Option C is wrong because allowing traffic on port 443 (HTTPS) from the public subnet to the private subnet is unnecessary and introduces additional attack surface, as database servers typically do not serve HTTPS; only port 3306 (MySQL) is needed for the web-to-database communication.

930
Multi-Selecthard

A company is using GKE with Workload Identity to allow pods to access Google Cloud services. A security engineer needs to restrict a specific pod to only read from a single Cloud Storage bucket. Which THREE steps should be taken? (Choose 3 correct answers)

Select 3 answers
A.Create a Kubernetes service account (KSA) in the pod's namespace.
B.Grant the GCP SA roles/storage.objectViewer at the project level.
C.Create a custom role with storage.objects.get and storage.objects.list, and assign to the GCP SA.
D.Create a Google service account (GCP SA) with roles/storage.objectViewer, and bind it to the bucket using resource-level IAM.
E.Annotate the KSA with the GCP SA email (iam.gke.io/gcp-service-account).
AnswersA, D, E

A KSA is needed so that it can be bound to the GCP SA.

Why this answer

Option A is correct because Workload Identity requires a Kubernetes Service Account (KSA) to be associated with a pod. The KSA is annotated with the email of a Google Cloud Service Account (GCP SA), and the pod uses the KSA to authenticate. This creates a direct identity binding between the pod and the GCP SA, enabling fine-grained access control.

Exam trap

This exam often tests the distinction between project-level and resource-level IAM bindings; the trap here is that candidates may think granting a role at the project level is sufficient, but the requirement to restrict access to a single bucket demands a bucket-level binding.

931
MCQeasy

A project manager needs to create custom IAM roles for a project. At which levels in the resource hierarchy can custom roles be defined?

A.All levels: organization, folder, project
B.Organization and folder levels only
C.Organization and project levels only
D.Project level only
AnswerC

Correct: custom roles can be created at organization or project level.

Why this answer

Custom roles can be defined at the organization level or the project level. They cannot be defined at the folder level. Organization-level roles can be used across all folders and projects under that organization.

932
MCQmedium

A large enterprise has multiple Google Cloud organizations due to an acquisition. They want to allow a team in Org A to access a Cloud Spanner database in Org B. The team in Org A uses a service account for their application. They have set up Workload Identity Federation between the two organizations. The service account in Org B has the roles/spanner.databaseUser role on the database. The service account in Org A has been granted the roles/iam.workloadIdentityUser role on the service account in Org B. However, access attempts are failing with a permission denied error. What is the most likely missing configuration?

A.The project in Org B has not granted the roles/spanner.databaseUser role at the project level.
B.The Spanner database does not have the service account in Org A granted access directly.
C.The service account in Org B does not have the roles/iam.workloadIdentityUser role on itself.
D.The service account in Org A does not have the roles/iam.serviceAccountTokenCreator role on the service account in Org B.
AnswerD

To impersonate, the external identity needs the serviceAccountTokenCreator role.

Why this answer

Option D is correct because the external identity (the service account in Org A) must impersonate the service account in Org B, and impersonation requires the Org A service account to hold the roles/iam.serviceAccountTokenCreator role on the Org B service account. Option A is wrong because the project-level Spanner role would not be the issue; the database-level role is already in place. Option B is wrong because the Spanner database does not need a direct grant to the Org A service account; access is obtained through impersonation of the Org B service account.

Option C is wrong because the roles/iam.workloadIdentityUser role is already correctly assigned (to the Org A service account on the Org B service account).

933
Multi-Selecthard

A security engineer is investigating a potential data exfiltration incident. They suspect that a compromised VM is sending sensitive data to an external IP. Which three data sources should they examine to trace the exfiltration? (Choose three.)

Select 3 answers
A.Cloud NAT logs
B.VPC Flow Logs
C.Compute Engine serial port output
D.Cloud Audit Logs (Data Access)
E.Cloud DNS logging
AnswersB, D, E

Shows source/destination IPs, ports, protocols for all network flows.

Why this answer

VPC Flow Logs capture network metadata, DNS queries can show domain lookups, and Cloud Audit Logs (Data Access) can log data access events. Cloud NAT logs show outbound connections but are not as detailed for exfiltration. Compute Engine serial port output shows console logs but not network traffic.

934
Multi-Selectmedium

Which TWO actions should be taken to ensure that a Google Cloud environment meets PCI-DSS requirements for protecting cardholder data? (Choose two.)

Select 2 answers
A.Use IAM roles to restrict access to cardholder data to the minimum necessary.
B.Encrypt all transmission of cardholder data using TLS 1.2 or higher.
C.Use Cloud Data Loss Prevention to tokenize all credit card numbers before storage.
D.Implement a Web Application Firewall (WAF) such as Cloud Armor to protect against web-based attacks.
E.Enable automatic DLP inspection triggers for all Cloud Storage buckets.
AnswersB, D

PCI-DSS requirement 4.1 mandates encryption of cardholder data over public networks.

Why this answer

Option B is correct because PCI-DSS Requirement 4 mandates that cardholder data must be encrypted during transmission over open, public networks. TLS 1.2 or higher is the specified protocol, and Google Cloud services such as HTTPS load balancers and Cloud VPN support this encryption natively, ensuring compliance with the transmission security requirement.

Exam trap

Google Cloud often tests the distinction between encryption in transit (TLS) and data protection at rest (tokenization, DLP scanning), leading candidates to pick storage-focused options like C or E instead of the transmission encryption requirement.

935
Multi-Selectmedium

A security engineer is designing access control for a multi-project environment. The engineer needs to ensure that a data science team can read data from a BigQuery dataset in Project A and write results to a Cloud Storage bucket in Project B. The team members are authenticated via an external SAML IdP. Which TWO steps should be taken? (Choose 2 correct answers)

Select 2 answers
A.Create a custom role with bigquery.tables.getData and storage.objects.create, and assign to the group at the organization level.
B.Create a service account for the team and set up workload identity federation with the SAML IdP.
C.Grant the group the BigQuery Data Viewer role at the project A level and Storage Object Admin at the project B level.
D.Grant the Cloud Identity group BigQuery Data Viewer on the specific dataset and Storage Object Creator on the specific bucket.
E.Create a Cloud Identity group and synchronize it with the SAML IdP using Google Cloud Directory Sync.
AnswersD, E

This grants exactly the needed permissions on the resources.

Why this answer

Option E: Create a Cloud Identity group for the data science team, sync it with the SAML IdP, and grant the group appropriate IAM roles. This ensures users from the IdP are mapped to a group that can be used in IAM. Option D: Grant the Cloud Identity group BigQuery Data Viewer on the dataset in Project A and Storage Object Creator on the bucket in Project B.

This provides the required read and write access. Option C (granting at the project level) might be too broad. Option B (a separate service account with workload identity federation) is more complex and not necessary.

Option A (a custom role assigned at the organization level) is not required.

936
MCQmedium

A company using Cloud KMS wants to automatically rotate a symmetric encryption key every 90 days. What is the correct way to configure this?

A.Set the key purpose to ASYMMETRIC_SIGN for automatic rotation
B.Set the rotation period to 90 days when creating the key ring
C.Use Cloud Scheduler to call `cloudkms.rotateKey` every 90 days
D.Set the rotation period on the cryptographic key to 90 days
AnswerD

Setting rotation period on the key enables automatic rotation.

Why this answer

Cloud KMS supports automatic rotation by setting a rotation period on the key. The key's primary version will be rotated automatically at the specified interval.

937
MCQmedium

A security engineer wants to apply a baseline set of firewall rules that apply to all new and existing VMs in an organization, and these rules must not be overridden by project-level rules. Which approach should be used?

A.Create a VPC firewall rule with priority 0.
B.Use Cloud IDS to monitor and block traffic.
C.Create a firewall rule in each project and enforce via policy library.
D.Use a hierarchical firewall policy at the organization level.
AnswerD

Hierarchical policies cannot be overridden, enforcing baseline rules.

Why this answer

Hierarchical firewall policies are enforced at the organization or folder level and cannot be overridden at lower levels, ensuring baseline rules are always applied.

938
MCQhard

A company has set up a VPC Service Controls perimeter that includes Cloud Storage. They want to allow a specific on-premises server to copy data to a Cloud Storage bucket inside the perimeter. The on-premises server uses an external IP address. Which configuration is required?

A.Create an ingress rule in the service perimeter that allows the on-premises IP range
B.Configure a firewall rule allowing traffic from the on-premises IP to Cloud Storage
C.Add the on-premises server's IP to the access level of the perimeter
D.Create an egress rule in the service perimeter that allows the on-premises IP range
AnswerA

Ingress rules permit traffic from outside the perimeter to access allowed services and resources.

Why this answer

In VPC Service Controls, ingress rules allow traffic from outside the perimeter to access resources inside. To allow an on-premises server with an external IP, an ingress rule from all identities (or the specific identity) using the source IP range of the on-premises server must be configured. This allows the server to cross the perimeter.

939
MCQmedium

Refer to the exhibit. A security engineer needs to ensure that all objects uploaded to the bucket are automatically encrypted with the specified KMS key. They also need to preserve older versions of objects. Which statement accurately describes the bucket configuration?

A.The bucket has default KMS encryption and versioning is enabled.
B.The bucket has default KMS encryption but versioning is disabled.
C.The bucket uses CSEK and versioning is enabled.
D.The bucket uses Google-managed encryption and versioning is disabled.
AnswerA

Output shows default KMS key and versioning enabled.

Why this answer

Option A is correct because the question requires both automatic encryption of all uploaded objects using a specified KMS key and preservation of older object versions. Default KMS encryption ensures that any object uploaded without explicit encryption headers is automatically encrypted with the configured KMS key, while enabling versioning allows the bucket to retain noncurrent object versions. Together, these settings meet both requirements.

Exam trap

Google Cloud often tests the distinction between default encryption (which applies automatically to all new objects) and per-request encryption (like CSEK or customer-managed encryption keys), and the trap here is confusing CSEK with default KMS encryption or assuming that versioning is automatically enabled when encryption is configured.

How to eliminate wrong answers

Option B is wrong because while default KMS encryption is present, versioning is disabled, which means older versions of objects are not preserved — they are overwritten and lost. Option C is wrong because CSEK (Customer-Supplied Encryption Keys) is not a default encryption mechanism; it requires the client to supply the key with each upload, and the question specifies automatic encryption with a KMS key, not CSEK. Option D is wrong because Google-managed encryption does not allow specifying a particular KMS key, and versioning is disabled, failing both requirements.

940
MCQhard

A company requires a secure, dedicated connection between their on-premises data center and Google Cloud with bandwidth of 10 Gbps and a 99.99% SLA. Which connectivity option should they use?

A.Use Direct Peering
B.Use Partner Interconnect with a 10 Gbps connection
C.Use Cloud VPN with two tunnels for redundancy
D.Use Dedicated Interconnect with two VLAN attachments
AnswerD

Dedicated Interconnect provides 10 Gbps connections with a 99.99% SLA when using redundant links.

Why this answer

Option D is correct because Dedicated Interconnect offers 10 Gbps or 100 Gbps connections with a 99.99% SLA when configured with redundant connections. Option C is wrong because Cloud VPN supports lower bandwidth (up to 3 Gbps per tunnel) and does not offer a 99.99% SLA. Option A is wrong because Direct Peering uses public IPs and lacks SLA guarantees.

Option B is wrong because Partner Interconnect typically offers lower bandwidth (up to 10 Gbps), and the SLA varies by partner.

941
MCQhard

An engineer needs to destroy a Cloud KMS key immediately due to a security incident. They disable the key and then schedule destruction. What is the default waiting period before the key is permanently destroyed?

A.Immediate destruction
B.24 hours
C.7 days
D.30 days
AnswerB

The default pending destruction period is 24 hours.

Why this answer

In Cloud KMS, when you schedule destruction of a key version, there is a default pending destruction grace period of 24 hours. During this time, you can cancel destruction. The key is not immediately destroyed.

942
MCQhard

A company is deploying a multi-tier application on Google Cloud. The web tier must be accessible from the internet, while the application and database tiers must only be accessible from the web tier. The security team wants to use VPC firewall rules and Cloud NAT for outbound internet access from private instances. Which architecture meets these requirements with the least operational overhead?

A.Use a single subnet for all tiers. Assign public IPs to all instances. Use firewall rules to restrict access between tiers. Use a proxy VM for outbound internet from app/db tiers.
B.Create separate VPCs for each tier. Use VPC peering to connect them. Use firewall rules to allow traffic. Use a bastion host for SSH access to app/db tiers.
C.Place all tiers in the same VPC. Use firewall rules to restrict access. Assign public IPs to web tier instances and private IPs to app/db tiers. Configure Cloud NAT for app/db tiers.
D.Place web tier in a public subnet with public IPs. Place app/db tiers in private subnets with no public IPs. Use firewall rules to allow traffic from web to app, and app to db. Configure Cloud NAT for private subnets.
AnswerD

This uses public subnets for web, private subnets for app/db, firewall rules for least privilege, and Cloud NAT for outbound access.

Why this answer

Option D is correct because it uses a single VPC with separate public and private subnets, which minimizes operational overhead while meeting the security requirements. The web tier in the public subnet gets public IPs for internet access, while the app and database tiers in private subnets have no public IPs and rely on Cloud NAT for outbound internet. Firewall rules restrict traffic to only the necessary flows (web→app, app→db), and Cloud NAT provides scalable outbound connectivity without managing a proxy VM.

Exam trap

Google Cloud often tests the misconception that separate VPCs or multiple subnets are required for security, when in fact a single VPC with proper subnetting and firewall rules is simpler and meets the same security goals with less operational overhead.

How to eliminate wrong answers

Option A is wrong because assigning public IPs to all instances exposes the app and database tiers directly to the internet, violating the requirement that they only be accessible from the web tier, and using a proxy VM adds unnecessary operational overhead compared to Cloud NAT. Option B is wrong because creating separate VPCs for each tier with VPC peering adds significant complexity and operational overhead (managing peering, route tables, and firewall rules across VPCs) without any security benefit over a single VPC with proper subnetting and firewall rules. Option C is wrong because placing all tiers in the same VPC with public IPs on the web tier and private IPs on app/db tiers is a valid approach, but it fails to isolate the web tier in a public subnet; the web tier instances would still be in the same subnet as private instances, which can complicate firewall rule management and does not follow the best practice of using separate subnets for public and private tiers.

943
MCQeasy

A security engineer needs to view logs of Google Cloud support engineers accessing their data to meet compliance requirements. Which GCP feature should they enable?

A.Access Approval
B.Access Transparency
C.Audit Logs
D.VPC Flow Logs
AnswerB

Access Transparency logs Google admin access to customer content.

Why this answer

Access Transparency provides near-real-time logs of Google admin access to customer content. It is available for certain services like Compute Engine, Cloud Storage, BigQuery, etc. Audit Logs record actions performed by users in the customer's project, not Google staff.

Access Approval is a separate feature that allows customers to approve or deny access requests. VPC Flow Logs record network traffic, not admin access.

944
Multi-Selecthard

A financial services company must ensure that all data in Cloud Storage remains within a specific region and that no data can be accessed from outside the corporate network. They also need to allow a partner organization to access a specific bucket. Which THREE Google Cloud services or features should be combined to meet these requirements? (Choose THREE.)

Select 3 answers
A.Cloud IDS
B.Private Service Connect
C.Access levels (IP-based)
D.Cloud Armor security policies
E.VPC Service Controls
AnswersB, C, E

Enables private connectivity for the partner.

Why this answer

VPC Service Controls restricts data access to authorized VPCs/environments. Access levels can enforce IP-based restrictions (corporate network). Private Service Connect can allow the partner to access the bucket privately via PSC endpoints without traversing the internet.

945
MCQmedium

A company uses a hub-and-spoke VPC topology with Network Connectivity Center. The spoke VPCs need to reach the internet. Cloud NAT is configured in the hub VPC. Spoke VPCs have routes to the hub via a VPN tunnel. However, instances in spoke VPCs cannot reach the internet. Which configuration is most likely missing?

A.The spoke VPCs are not receiving a default route (0.0.0.0/0) from the hub via Cloud Router.
B.A network virtual appliance (NVA) is required in the hub for spoke internet access.
C.Firewall rules for egress internet traffic are missing in spoke VPCs.
D.Cloud NAT is not configured in the spoke VPCs.
AnswerA

Correct: route advertisement is needed for the spokes to send internet traffic to the hub.

Why this answer

In a hub-and-spoke topology with Network Connectivity Center, spoke VPCs rely on the hub for internet access via Cloud NAT. For this to work, the spoke VPCs must have a default route (0.0.0.0/0) pointing to the hub, typically advertised by Cloud Router over the VPN tunnel. Without this route, traffic from spoke instances to the internet will not be forwarded to the hub, and thus will not reach Cloud NAT.

Exam trap

Google Cloud often tests the misconception that Cloud NAT must be deployed in each spoke VPC for internet access, but the trap here is that a centralized Cloud NAT in the hub can work for all spokes if the default route is properly advertised via BGP from the hub.

How to eliminate wrong answers

Option B is wrong because a network virtual appliance (NVA) is not required; Cloud NAT in the hub can provide internet access to spokes without an NVA, as long as routing is correctly configured. Option C is wrong because firewall rules for egress internet traffic are not the missing piece; by default, VPC firewall rules allow egress traffic, and the issue is routing, not firewall policy. Option D is wrong because Cloud NAT does not need to be configured in the spoke VPCs; the hub's Cloud NAT can serve spoke traffic if the default route points to the hub, making spoke-level NAT unnecessary.

946
MCQeasy

Which of the following is the correct order of the Google Cloud resource hierarchy from highest to lowest?

A.Resources -> Projects -> Folders -> Organization
B.Folders -> Organization -> Projects -> Resources
C.Organization -> Projects -> Folders -> Resources
D.Organization -> Folders -> Projects -> Resources
AnswerD

This is the correct hierarchy.

Why this answer

The Google Cloud resource hierarchy is: Organization -> Folders -> Projects -> Resources. Resources are the lowest level (e.g., Compute Engine instances, Cloud Storage buckets).

947
Multi-Selectmedium

You manage a Google Cloud environment using shared VPC with multiple service projects. You need to enforce consistent firewall rules across all projects in the organization, ensuring that certain security rules cannot be overridden by project administrators. Which TWO steps should you take? (Choose 2)

Select 2 answers
A.Attach the hierarchical firewall policy to the organization node or to the folder containing all projects
B.Create a global network firewall policy and attach it to each service project's VPC
C.Create a hierarchical firewall policy at the organization level with the required rules
D.Use VPC Service Controls to enforce firewall rules across projects
E.Attach the hierarchical firewall policy to the shared VPC host project
AnswersA, C

This ensures the policy applies to all projects under that node and cannot be overridden.

Why this answer

Hierarchical firewall policies are inherited down the resource hierarchy and cannot be overridden by lower-level policies. Global network firewall policies can be applied at the VPC level but can be overridden by lower priority rules. The correct approach is to use a hierarchical firewall policy at the organization level, which enforces rules that cannot be overridden.

948
MCQmedium

A healthcare organization is migrating PHI workloads to Google Cloud and needs to encrypt data at rest with keys that are generated and managed within their own on-premises hardware security module (HSM). Which encryption approach should they use?

A. Enable Cloud External Key Manager (Cloud EKM).
B. Apply default Google-managed AES-256 encryption.
C. Use Cloud Key Management Service (Cloud KMS) with Cloud HSM to generate keys.
D. Use customer-supplied encryption keys (CSEK).
Answer: A

Cloud EKM allows you to use an external key management partner or your own on-premises HSM to manage encryption keys.

Why this answer

Cloud External Key Manager (Cloud EKM) allows you to manage encryption keys in an external key management system that is FIPS 140-2 Level 3 validated, including on-premises HSMs. CSEK requires you to supply your own keys but Google manages them on the server side. CMEK uses Cloud KMS keys, which can be generated in Cloud HSM, but the keys remain under Google's control.

AES-256 encryption is the default Google-managed encryption, which does not meet the requirement for customer-managed keys on an on-premises HSM.

949
MCQ · medium

A company uses Cloud KMS with a key purpose of ENCRYPT_DECRYPT. They want to rotate the key automatically every 90 days. What must the security engineer configure to achieve this?

A. Use a key with ASYMMETRIC_SIGN purpose
B. Set the key version state to 'disabled' after 90 days
C. Manually rotate the key every 90 days using gcloud command
D. Set the rotation period on the key to 7776000 seconds
Answer: D

Automatic rotation is configured by setting a rotation period on the key. 90 days = 7776000 seconds.

Why this answer

In Cloud KMS, key rotation can be automatic by setting a rotation period on a key. The rotation period is configured in seconds (e.g., 90 days = 7776000 seconds). Manual rotation via the console or API is not automatic.

The key purpose does not affect rotation capability; ENCRYPT_DECRYPT supports rotation.

950
Multi-Select · easy

A company wants to restrict access to a Cloud SQL instance so that only Compute Engine instances in a specific VPC subnet can connect. Which THREE methods can be used to achieve this? (Choose THREE.)

Select 3 answers
A. Configure authorized networks with the subnet's CIDR range (if using public IP).
B. Create a VPC firewall rule that blocks all traffic to the Cloud SQL instance's IP.
C. Enable private IP on the Cloud SQL instance and connect from instances in the same VPC.
D. Use VPC Service Controls to limit access to the Cloud SQL instance.
E. Use Cloud SQL Proxy with IAM permissions to connect from authorized clients.
Answers: A, C, E

Authorized networks allow ingress from specified public IP ranges.

Why this answer

Option A is correct because authorized networks allow you to restrict access to a Cloud SQL instance with a public IP by specifying the CIDR range of the subnet. Only traffic originating from IP addresses within that range can connect to the instance, effectively limiting access to Compute Engine instances in that subnet.

Exam trap

Google Cloud often tests the misconception that VPC firewall rules can control traffic to managed services like Cloud SQL, but in reality, Cloud SQL instances are not part of your VPC's network stack and are not subject to VPC firewall rules.

951
MCQ · medium

After deleting a Cloud KMS key version, an engineer receives an error when trying to decrypt data that was encrypted with that key version. The key version was deleted 12 hours ago. What is the most likely cause?

A. The key version was automatically rotated and is no longer the primary.
B. The key version is disabled and needs to be re-enabled.
C. The key version is in a pending destruction state and can be restored within 24 hours.
D. The key version was destroyed immediately upon deletion because the grace period is configurable.
Answer: D

If the key version was deleted (not scheduled for destruction), it is destroyed immediately. The grace period only applies when scheduling destruction.

Why this answer

When a key version is destroyed before the grace period expires, it is destroyed immediately. The default grace period is 24 hours, but if the key version was deleted (not scheduled for destruction), it may have been destroyed immediately. Cloud KMS does not allow recovery after destruction.

952
Multi-Select · medium

A security engineer needs to ensure that no one in the organization can disable or delete Cloud Key Management Service (Cloud KMS) keys, except for a designated security team. Which TWO approaches should be combined? (Choose 2 correct answers)

Select 2 answers
A. Apply the organization policy constraint constraints/cloudkms.disableKeyDeletion with value True.
B. Grant the security team the Cloud KMS Admin role (roles/cloudkms.admin) at the organization level.
C. Create an IAM deny policy at the organization level that denies cloudkms.cryptoKeys.disable and cloudkms.cryptoKeys.destroy for all principals.
D. Store the key material in a separate project with a private key access control.
E. Create an IAM allow policy at the organization level that grants the same permissions only to the security team.
Answers: B, C

This role includes permissions to disable and destroy keys, and if the deny policy has an exception for the security team, they can perform these actions.

Why this answer

Option B is correct because the Cloud KMS Admin role (roles/cloudkms.admin) includes the permissions needed to manage key lifecycle, such as disabling and destroying keys. Granting this role at the organization level ensures the security team can control keys across all projects, while the IAM deny policy in option C blocks all other principals from performing those actions, creating a secure, layered access control approach.

Exam trap

Google Cloud often tests the distinction between organization policy constraints (which apply to all principals uniformly) and IAM deny policies (which can exclude specific principals), leading candidates to incorrectly choose option A as a blanket solution without considering the need for an exception for the security team.

953
Multi-Select · easy

A company is deploying a new application that must comply with HIPAA. They are using Google Cloud services. Which TWO services are required to be enabled with appropriate configurations to support HIPAA compliance?

Select 2 answers
A. Cloud Key Management Service (KMS) with customer-managed keys (CMEK)
B. Cloud Armor
C. Cloud Audit Logs
D. Cloud Content Delivery Network (CDN)
E. Cloud Functions
Answers: A, C

CMEK is required by HIPAA for encryption key management documentation.

Why this answer

Cloud Key Management Service (KMS) with customer-managed encryption keys (CMEK) is required for HIPAA compliance because it allows the customer to control the encryption keys used to protect protected health information (PHI) at rest. HIPAA mandates that covered entities implement mechanisms to encrypt and decrypt PHI, and using CMEK ensures the customer retains sole control over key material, which is a key requirement for meeting the Security Rule's addressable implementation specification for encryption.

Exam trap

Google Cloud often tests the misconception that any security service (like Cloud Armor or Cloud CDN) is automatically required for HIPAA compliance, when in fact only services that directly enforce encryption key control and audit logging (Cloud Audit Logs) are mandatory under the HIPAA Security Rule's implementation specifications.

954
MCQ · easy

Which Google Cloud compliance certification requires the customer to sign a Business Associate Agreement (BAA) with Google?

A. PCI DSS
B. SOC 2
C. HIPAA
D. FedRAMP
Answer: C

HIPAA requires a signed BAA to ensure Google Cloud agrees to safeguard PHI.

Why this answer

HIPAA requires a BAA between a covered entity (or business associate) and Google Cloud before processing Protected Health Information (PHI).

955
MCQ · medium

A security engineer needs to investigate a potential data exfiltration incident in a Google Cloud environment. The engineer has access to Cloud Logging and wants to identify any unusual outbound network traffic from Compute Engine instances. Which log sink filter should the engineer create to capture VPC flow logs for traffic destined to an external IP address not in the internal network ranges?

A. Create a sink with filter: 'resource.type="gce_subnetwork" AND jsonPayload.connection.dest_ip="0.0.0.0/0"'
B. Create a sink with filter: 'resource.type="gce_subnetwork" AND jsonPayload.reporter="src" AND jsonPayload.connection.dest_ip="0.0.0.0/0"'
C. Create a sink with filter: 'resource.type="gce_subnetwork" AND jsonPayload.connection.dest_ip!="10.0.0.0/8" AND jsonPayload.connection.dest_ip!="172.16.0.0/12" AND jsonPayload.connection.dest_ip!="192.168.0.0/16"'
D. Create a sink with filter: 'compute.googleapis.com/vpc_flows'
Answer: C

This filter captures VPC flow logs where destination IP is not in private ranges, thus external traffic.

Why this answer

Option C is correct because it uses a log sink filter that captures VPC flow logs for traffic destined to external IP addresses by explicitly excluding the private RFC 1918 address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). This filter ensures only outbound traffic to non-internal IPs is captured, which is essential for investigating potential data exfiltration. The filter correctly uses the `resource.type="gce_subnetwork"` to target VPC flow logs from Compute Engine instances.

Exam trap

Google Cloud often tests the misconception that you can use `0.0.0.0/0` as a wildcard in log filters to match any IP, but in Cloud Logging filters, CIDR notation is not supported for matching; you must explicitly exclude private ranges to capture external traffic.

How to eliminate wrong answers

Option A is wrong because it uses `jsonPayload.connection.dest_ip="0.0.0.0/0"` which is an invalid IP address for matching actual destination IPs (0.0.0.0/0 is a CIDR notation for 'all IPs', not a specific destination), and it omits the `jsonPayload.reporter="src"` field, which is necessary to capture only outbound traffic from the source. Option B is wrong because while it correctly includes `jsonPayload.reporter="src"`, it still uses the invalid `dest_ip="0.0.0.0/0"` filter, which will not match any real destination IP in VPC flow logs. Option D is wrong because `compute.googleapis.com/vpc_flows` is not a valid log filter syntax; VPC flow logs are identified by `resource.type="gce_subnetwork"` and the log name is `compute.googleapis.com/vpc_flows`, but the filter must use the resource type, not a log name string.
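The selection logic behind this question, as an added example that is not part of the question bank: it applies the intended filter offline to constructed VPC flow log entries (keep records reported from the source side whose destination lies outside the three RFC 1918 ranges) and then totals bytes per source VM, which is what an exfiltration investigation ranks. The field layout (`jsonPayload.reporter`, `jsonPayload.connection.dest_ip`, `jsonPayload.bytes_sent`) follows the options above and the VPC flow log record format; every log entry is a constructed sample.

```python
"""Offline version of the selection logic behind the Q955 sink filter.

Added example, not part of the question bank. It keeps VPC flow log
entries reported from the source side whose destination IP is outside the
three RFC 1918 ranges the filter excludes, then totals bytes per source VM.
All log entries below are constructed samples shaped like Cloud Logging
VPC flow records.
"""
import ipaddress
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# The private ranges the filter in option C excludes one by one.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _entry(reporter: str, src_ip: str, dest_ip: str, bytes_sent: int,
           resource_type: str = "gce_subnetwork") -> str:
    """Build one constructed flow-log entry as the JSON string a sink receives."""
    return json.dumps({
        "resource": {"type": resource_type},
        "jsonPayload": {
            "reporter": reporter,
            "connection": {"src_ip": src_ip, "dest_ip": dest_ip,
                           "dest_port": 443, "protocol": 6},
            "bytes_sent": str(bytes_sent),  # flow logs carry this as a string
        },
    })


# Constructed samples: two external egress flows from 10.10.0.5, plus
# decoys that the filter must ignore.
SAMPLE_ENTRIES = [
    _entry("SRC", "10.10.0.5", "203.0.113.20", 1048576),        # external, kept
    _entry("SRC", "10.10.0.5", "10.20.0.8", 4096),              # internal, dropped
    _entry("DEST", "198.51.100.9", "10.10.0.7", 2048),          # inbound side, dropped
    _entry("SRC", "172.20.1.3", "192.168.5.5", 8192),           # both private, dropped
    _entry("SRC", "10.10.0.5", "198.51.100.9", 524288),         # external, kept
    _entry("SRC", "10.10.0.9", "8.8.8.8", 512, "gce_instance"),  # wrong resource type, dropped
    "this line is not JSON",                                    # malformed, skipped
]


def is_external(ip_text: str) -> bool:
    """True when the address parses and is outside every RFC 1918 range.

    Unparseable values return False so a garbled record is never flagged
    as external egress on the strength of a bad field.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(addr in net for net in RFC1918_NETS)


def select_external_egress(raw_entries: Iterable[str]) -> List[dict]:
    """Apply the filter: gce_subnetwork records, reported by the source
    side, destined outside RFC 1918. Malformed lines are skipped, not fatal."""
    kept: List[dict] = []
    for line in raw_entries:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("resource", {}).get("type") != "gce_subnetwork":
            continue
        payload = entry.get("jsonPayload", {})
        # Real flow records carry SRC/DEST while the exam filter writes src,
        # so compare case-insensitively.
        if str(payload.get("reporter", "")).lower() != "src":
            continue
        if is_external(payload.get("connection", {}).get("dest_ip", "")):
            kept.append(entry)
    return kept


def bytes_by_source(entries: List[dict]) -> Dict[str, int]:
    """Total bytes_sent per source VM IP, to rank candidates for investigation."""
    totals: Dict[str, int] = defaultdict(int)
    for entry in entries:
        payload = entry["jsonPayload"]
        totals[payload["connection"]["src_ip"]] += int(payload.get("bytes_sent", 0))
    return dict(totals)


if __name__ == "__main__":
    selected = select_external_egress(SAMPLE_ENTRIES)
    print(f"{len(selected)} external egress flows")
    for src, total in sorted(bytes_by_source(selected).items(), key=lambda kv: -kv[1]):
        print(f"  {src}: {total} bytes sent")
```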

956
MCQ · hard

A company uses Cloud KMS with an HSM key for encryption of sensitive data. The compliance team requires that the key material never leaves the HSM boundary. They plan to use the key for symmetric encryption/decryption. Which key purpose should they specify when creating the key?

A. ASYMMETRIC_SIGN
B. ASYMMETRIC_DECRYPT
C. MAC
D. ENCRYPT_DECRYPT
Answer: D

This is the purpose for symmetric encryption/decryption, and HSM keys support it.

Why this answer

For symmetric encryption/decryption, the key purpose must be ENCRYPT_DECRYPT. ASYMMETRIC_SIGN and ASYMMETRIC_DECRYPT are for asymmetric keys. MAC is for message authentication codes.

Only ENCRYPT_DECRYPT supports symmetric operations.

957
MCQ · medium

A company wants to provide their employees access to a web application running on Compute Engine without exposing the VM to the public internet. The application uses a custom header to verify the user's identity. Which service should they use?

A. Cloud Identity-Aware Proxy (IAP)
B. Cloud Armor with OAuth
C. Cloud Load Balancing with SSL termination
D. VPC firewall rules with source IP restrictions
Answer: A

IAP provides identity verification and signed headers for backend verification.

Why this answer

Identity-Aware Proxy (IAP) provides zero-trust access to web applications. It can be configured to verify identity and pass signed headers (e.g., X-Goog-Authenticated-User-Email) to the backend, allowing the application to verify the user without public IP exposure.

958
Multi-Select · medium

A company is implementing a HIPAA-compliant environment on Google Cloud. They need to ensure that all access to protected health information (PHI) is logged and monitored. Which TWO steps should they take? (Choose two.)

Select 2 answers
A. Set up Cloud Logging-based alerts for suspicious access patterns.
B. Use Cloud DLP to automatically classify PHI in logs.
C. Configure VPC Service Controls to restrict PHI data egress.
D. Deploy Cloud NAT for outbound traffic from PHI instances.
E. Enable Cloud Audit Logs for all services that store or process PHI.
Answers: A, E

Alerts on audit logs help detect unauthorized access, supporting HIPAA compliance.

Why this answer

HIPAA requires logging of access to PHI. Enabling Cloud Audit Logs for covered services and using Cloud Logging to monitor and set alerts on access patterns are key steps. VPC Service Controls restrict data movement but do not log access.

Cloud DLP is for data classification, not logging. Cloud NAT provides outbound internet access, which is not related to logging.

959
MCQ · easy

A company uses Cloud Data Loss Prevention (DLP) to inspect sensitive data in Cloud Storage. They want to automatically redact credit card numbers found in text files before the files are accessed by downstream applications. Which DLP method should be used?

A. Use the DLP API's `content.deidentify` method with a `PrimitiveTransformation` of `replaceWithInfoType`.
B. Create a DLP job that uses the InspectJobConfig with a redact transformation.
C. Use Cloud DLP's inspect-only functionality and manually redact.
D. Set up a DLP inspection scan on the bucket with a `CryptoReplaceFfxFpe` transformation.
Answer: A

This method can redact sensitive data by replacing it with the info type name.

Why this answer

Option A is correct because the DLP API's `content.deidentify` method with a `PrimitiveTransformation` of `replaceWithInfoType` is designed to automatically replace sensitive data (like credit card numbers) with their corresponding info type labels (e.g., `[CREDIT_CARD_NUMBER]`) in text files. This method operates on content in memory or from Cloud Storage, enabling automated redaction before downstream access, without requiring a separate job or manual intervention.

Exam trap

Google Cloud often tests the distinction between inspection-only methods (which detect but do not modify) and deidentification methods (which transform data), and candidates may confuse DLP jobs (for scanning) with the `content.deidentify` API (for inline transformation), leading them to pick Option B or C.

How to eliminate wrong answers

Option B is wrong because DLP jobs (InspectJobConfig) are used for scanning and inspecting data at rest, but they do not support a direct 'redact transformation' in the job configuration; redaction is performed via the `deidentify` method, not through inspection jobs. Option C is wrong because inspect-only functionality only identifies sensitive data without modifying it, so manual redaction would be required, which contradicts the requirement for automatic redaction. Option D is wrong because `CryptoReplaceFfxFpe` is a format-preserving encryption (FPE) transformation that replaces data with encrypted values while preserving format, not a redaction method; it is used for tokenization, not for removing or replacing sensitive content with info types.

960
MCQ · medium

A company uses Cloud KMS with a key purpose of ENCRYPT_DECRYPT. They need to rotate the key automatically every 30 days. What must they configure?

A. Set a rotation period of 30 days on the key.
B. Use a cron job to rotate keys manually every 30 days.
C. Set a rotation period of 30 days on the key ring.
D. Set a rotation period on the key version.
Answer: A

Setting the rotation period on the key enables automatic rotation every 30 days.

Why this answer

Option A is correct because Cloud KMS allows you to set a rotation period directly on a key (a CryptoKey resource) when its purpose is ENCRYPT_DECRYPT. Configuring a rotation period of 30 days on the key enables automatic, scheduled rotation, where Cloud KMS creates a new key version every 30 days and promotes it to primary, without any manual intervention.

Exam trap

Google Cloud often tests the distinction between key-level and key-ring-level configurations, and the trap here is that candidates mistakenly think rotation is set on the key ring or on individual key versions, when in fact it is always set on the CryptoKey resource itself.

How to eliminate wrong answers

Option B is wrong because using a cron job to rotate keys manually every 30 days is unnecessary and error-prone; Cloud KMS provides native automatic rotation, and manual rotation via cron would require custom scripting and API calls, defeating the purpose of managed rotation. Option C is wrong because rotation periods are set on the key (CryptoKey), not on the key ring; a key ring is a logical grouping of keys and does not have a rotation period property. Option D is wrong because rotation periods are configured on the key itself, not on individual key versions; key versions are immutable snapshots created during rotation, and you cannot set a rotation schedule on a version.

961
MCQ · hard

A multi-national company needs to ensure that customer data stored in BigQuery is encrypted with customer-managed encryption keys (CMEK) and that the keys are rotated every 90 days. Additionally, the company must be able to audit all key usage. Which steps are required to implement this compliance requirement?

A. Create a Cloud External Key Manager (EKM) key and configure BigQuery to use it. The EKM provider handles key rotation.
B. Create a Cloud KMS key ring with a key, disable automatic rotation, and use Cloud Functions to rotate the key manually every 90 days. Enable Admin Activity audit logs for Cloud KMS.
C. Create a Cloud KMS key ring with a key using a protection level of HSM and set a rotation period of 90 days. Then configure the BigQuery dataset to use this key.
D. Create a Cloud KMS key ring with a key using a protection level of software and set a rotation period of 90 days. Then configure BigQuery to use the key and enable Data Access audit logs for Cloud KMS.
Answer: D

Software keys are acceptable; rotation period in KMS handles automatic rotation. Enabling Data Access audit logs for KMS captures key usage.

Why this answer

Option D is correct because it uses a Cloud KMS software-protection-level key with a 90-day rotation period, which meets the CMEK requirement for BigQuery. Enabling Data Access audit logs for Cloud KMS captures all key usage events, satisfying the auditing requirement. Automatic rotation in Cloud KMS handles the 90-day rotation without manual intervention, and BigQuery is configured to use the CMEK key for dataset encryption.

Exam trap

Google Cloud often tests the distinction between Admin Activity audit logs (which record configuration changes) and Data Access audit logs (which record data operations like key usage), leading candidates to choose options that omit the required Data Access logging.

How to eliminate wrong answers

Option A is wrong because Cloud External Key Manager (EKM) uses an external key management provider, not customer-managed encryption keys (CMEK) within Google Cloud, and the question specifies CMEK, not EKM. Option B is wrong because it disables automatic rotation and uses Cloud Functions for manual rotation, which is unnecessary and error-prone; Cloud KMS supports automatic rotation with a specified period, and Admin Activity audit logs do not capture key usage events (only Data Access audit logs do). Option C is wrong because it uses a protection level of HSM, which is not required for CMEK compliance; a software protection level is sufficient and more cost-effective, and the option does not mention enabling Data Access audit logs for auditing key usage.

962
MCQ · easy

An organization needs to store API keys for external services. Which Google Cloud service is designed for secure storage of secrets such as API keys, passwords, and certificates?

A. Cloud KMS
B. Secret Manager
C. Cloud Datastore
D. Cloud HSM
Answer: B

Secret Manager is the correct service for storing secrets.

Why this answer

Secret Manager is specifically designed for storing secrets like API keys, passwords, and certificates, with versioning, IAM access control, and rotation support.

963
Multi-Select · medium

A multinational company is migrating sensitive workloads to Google Cloud and must comply with GDPR data residency requirements. Which TWO actions ensure data remains stored only within the European Union? (Choose TWO.)

Select 2 answers
A. Enable Cloud Audit Logs with export to a BigQuery dataset in the EU region.
B. Use Cloud Data Loss Prevention (DLP) to scan for sensitive data and verify it remains in the EU.
C. Use Customer-Managed Encryption Keys (CMEK) stored in a Cloud KMS key ring located in the EU.
D. Define an Organization Policy with constraints/gcp.resourceLocations to allow resource creation only in EU regions.
E. Set up VPC Service Controls to create a service perimeter that includes only EU regions.
Answers: D, E

This directly enforces data location by restricting resource deployment to approved regions.

Why this answer

Option D is correct because the Organization Policy constraint `gcp.resourceLocations` explicitly restricts the Google Cloud regions where resources can be created. By setting this constraint to allow only EU regions (e.g., `europe-west1`, `europe-west4`), you enforce that all new resources are provisioned within the European Union, directly meeting GDPR data residency requirements. This policy is evaluated at resource creation time and prevents any resource from being deployed outside the allowed locations.

Exam trap

Google Cloud often tests the distinction between data residency enforcement (which requires location-based constraints like Organization Policies or VPC Service Controls) and data protection mechanisms (like encryption, logging, or scanning), leading candidates to mistakenly choose options that protect data but do not control where it is stored.

964
MCQ · hard

A security engineer is configuring VPC Service Controls to protect a Google Cloud project containing sensitive data. The project uses Cloud Storage and BigQuery. The engineer wants to ensure that data cannot be exfiltrated to external IP addresses outside the perimeter, but internal users should still be able to access the data from on-premises via a VPN. Which configuration should be applied?

A. Do not use VPC Service Controls; instead, rely on IAM permissions and firewall rules to control access
B. Add the project to a VPC Service Controls perimeter and configure an ingress rule to allow traffic from the on-premises VPN CIDR ranges
C. Create a separate perimeter that denies all traffic and apply it to the project
D. Add the project to a VPC Service Controls perimeter with no additional ingress rules
Answer: B

Ingress rules allow specific external sources (like VPN CIDR) to access the perimeter.

Why this answer

VPC Service Controls (VPC-SC) allow you to define a security perimeter around Google Cloud services like Cloud Storage and BigQuery, preventing data exfiltration to external IPs. By adding the project to a perimeter and configuring an ingress rule that permits traffic from the on-premises VPN CIDR ranges, internal users can access the data via VPN while all other external traffic is blocked. This meets the requirement of preventing exfiltration to external IPs while allowing authorized on-premises access.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls are a simple on/off switch, but the trap here is that without explicit ingress rules, all external traffic (including from VPNs) is denied, so candidates must remember to configure ingress rules for authorized sources.

How to eliminate wrong answers

Option A is wrong because relying solely on IAM and firewall rules does not prevent data exfiltration via external IPs; VPC Service Controls provide a higher layer of security that blocks data movement outside the perimeter regardless of IAM permissions. Option C is wrong because creating a separate perimeter that denies all traffic would block all access, including legitimate on-premises VPN users, which violates the requirement to allow internal user access. Option D is wrong because adding the project to a perimeter with no ingress rules would block all traffic from outside the perimeter, including the on-premises VPN, preventing authorized access.

965
MCQ · easy

A security engineer needs to enforce that all Compute Engine VMs in an organization use Shielded VM features. Which approach should they use?

A. Use IAP to enforce Shielded VM on all instances.
B. Enable Shielded VM in the project's compute engine settings.
C. Configure a firewall rule to block non-Shielded VMs.
D. Create an organization policy with the constraint constraints/compute.requireShieldedVm set to True.
Answer: D

The organization policy constraint enforces Shielded VM at the organization level.

Why this answer

The organization policy constraint constraints/compute.requireShieldedVm is the correct way to enforce Shielded VM across all VMs.

966
MCQ · easy

An organization uses Cloud Audit Logs to monitor admin activity. The security team wants to be alerted when a user creates a new IAM role at the organization level. Which type of audit log should they analyze?

A. Policy Denied audit logs
B. System Event audit logs
C. Data Access audit logs
D. Admin Activity audit logs
Answer: D

Admin Activity logs record changes to metadata, configurations, and IAM policies.

Why this answer

Admin Activity audit logs (option D) are the correct choice because they record operations that modify the configuration or metadata of resources, such as creating or modifying IAM roles and policies at the organization level. In Google Cloud, Admin Activity audit logs are enabled by default and capture all 'admin write' events, including the creation of an IAM role, which is a configuration change. The security team needs to monitor these logs to detect when a user creates a new IAM role, as this is an administrative action that alters the organization's security posture.

Exam trap

Google Cloud often tests the distinction between Admin Activity and Data Access logs, and the trap here is that candidates mistakenly choose Data Access logs because they think 'creating a role' involves accessing data, when in fact it is a pure configuration change that falls under Admin Activity logs.

How to eliminate wrong answers

Option A is wrong because Policy Denied audit logs record only when a user or service account is denied access due to a deny policy or an organization policy constraint, not when an IAM role is created. Option B is wrong because System Event audit logs capture non-human Google Cloud system actions, such as automatic scaling or maintenance events, not user-initiated IAM role creation. Option C is wrong because Data Access audit logs track API calls that read or modify user-provided data (e.g., reading a Cloud Storage object), not administrative configuration changes like creating an IAM role.

967
MCQ · easy

An application needs to authenticate to Google Cloud APIs from an on-premises server. Which approach is recommended for long-lived access?

A. Use a user account with OAuth 2.0 tokens.
B. Use workload identity federation with an on-premises identity provider.
C. Use API keys.
D. Create a service account key and store it securely on the server.
Answer: D

This is a standard approach for on-premises applications.

Why this answer

Option D is correct because service account keys provide a long-lived, static credential that can be securely stored on an on-premises server for authenticating to Google Cloud APIs. Unlike user accounts or OAuth flows, service account keys do not require interactive login or token refresh, making them suitable for automated, long-running workloads.

Exam trap

Google Cloud often tests the misconception that API keys (Option C) are sufficient for service-to-service authentication, but API keys lack the ability to represent a service identity and are not supported by many Google Cloud APIs for authorization; candidates may also confuse workload identity federation (Option B) as a long-lived solution when it is designed for short-lived, federated access.

How to eliminate wrong answers

Option A is wrong because user accounts with OAuth 2.0 tokens are designed for interactive user sessions and require periodic re-authentication or refresh token management, which is not ideal for long-lived, unattended server access. Option B is wrong because workload identity federation is intended for short-lived, federated access using external identity providers, not for long-lived static credentials; it requires token exchange and has a default maximum token lifetime of 1 hour. Option C is wrong because API keys are primarily used for identifying projects and enabling simple access to public data or quota tracking, not for authenticating as a service identity to access private resources or perform authorized API calls.

968
Multi-Select · medium

A security engineer wants to ensure that sensitive data in BigQuery is masked for analysts but visible in full to data stewards. Which two components must be used together? (Choose TWO.)

Select 2 answers
A. Data Catalog taxonomy with policy tags
B. BigQuery Data Policy with masking rules
C. Cloud DLP de-identification templates
D. IAM roles with conditions on table
E. Cloud KMS key for encryption
Answers: A, B

Policy tags are used to classify columns and control access.

Why this answer

BigQuery column-level security requires a Data Catalog taxonomy with policy tags, and then BigQuery Data Policy to define masking rules (e.g., email masking). Policy tags alone provide access control but not masking; data policies provide the masking.

969
Multi-Select · medium

Which TWO practices help implement the principle of least privilege when configuring access to Google Cloud resources? (Choose two.)

Select 2 answers
A. Grant roles at the organization level to simplify administration.
B. Use a single service account for all Cloud Functions in a project to simplify key management.
C. Create custom roles that include only the specific permissions needed.
D. Use IAM Conditions to restrict access to specific resources or times.
E. Grant IAM roles directly to individual users for better traceability.
Answers: C, D

Custom roles allow precise permission assignment.

Why this answer

Option C is correct because creating custom roles allows you to define a precise set of permissions, ensuring that a principal has only the minimum permissions required to perform their job function. This directly implements the principle of least privilege by avoiding the broad permissions often included in predefined roles.

Exam trap

Google Cloud often tests the misconception that granting roles at a higher level (organization) or using a single service account simplifies management without considering the security implications of over-privileged access.

970
MCQ · medium

A company uses Cloud DLP to de-identify a dataset containing customer phone numbers. They need to replace each phone number with a consistently masked value that preserves the format (e.g., XXX-XXX-1234) but cannot be reversed. Which de-identification transform should they use?

A. DateShiftConfig
B. MaskingConfig
C. CryptoReplaceFfxFpeConfig
D. BucketingConfig
Answer: B

MaskingConfig replaces characters with a mask character, preserving the formatting, and the result is not reversible.

Why this answer

MaskingConfig is the correct choice because it irreversibly replaces characters in a string while preserving the format. In this scenario, the customer phone numbers need to be consistently masked (e.g., replacing all but the last four digits with 'X') so that the output maintains the pattern XXX-XXX-1234, and the original value cannot be recovered. MaskingConfig supports character-level replacement with a fixed character (like 'X') and can preserve the original length and formatting, which meets the requirement for a non-reversible, format-preserving de-identification.

Exam trap

Google Cloud often tests the distinction between reversible (CryptoReplaceFfxFpeConfig) and irreversible (MaskingConfig) transforms; candidates mistakenly choose CryptoReplaceFfxFpeConfig because it preserves format, overlooking the 'cannot be reversed' requirement.

How to eliminate wrong answers

Option A is wrong because DateShiftConfig is specifically designed for shifting dates by a random or deterministic offset, not for masking or formatting phone numbers. Option C is wrong because CryptoReplaceFfxFpeConfig uses Format-Preserving Encryption (FFX) which is reversible with the correct key, contradicting the requirement that the masked value cannot be reversed. Option D is wrong because BucketingConfig replaces a value with a general bucket or range (e.g., '555-555-XXXX'), which does not preserve the specific format of the original phone number (e.g., it would lose the last four digits' exact pattern).

971
MCQhard

An organization stores sensitive customer data in BigQuery tables. They need to enforce column-level security such that users in the 'support' group see a masked version of email addresses (e.g., j***@example.com), while managers see the full email. Which approach should they use?

A.Create a view that applies masking functions and grant access to the view.
B.Use Cloud DLP to scan and de-identify the data in place.
C.Apply a BigQuery data masking policy using policy tags on the email column.
D.Create separate tables for each role and populate them with appropriate data.
AnswerC

Data masking policies allow dynamic masking based on the user's role when querying the table.

Why this answer

BigQuery column-level security with policy tags and data masking rules can achieve this. Data masking policies can be applied to policy tags to mask data based on user access. Using views or separate tables is less maintainable, and Cloud DLP is for batch scanning/de-identification, not real-time masking.

972
MCQhard

Alice tries to connect to Cloud SQL instance 'prod-instance' using the Cloud SQL Auth proxy. Will she succeed? Why?

A.Yes, because she has the client role with no condition.
B.Yes, because the admin role grants full access, and the condition only applies to the admin role, but the client role is unconditional.
C.No, because the admin role condition overrides the client role.
D.No, because the cloudsql.admin role condition restricts to dev instances only.
AnswerB

The unconditional client role provides the necessary permissions to connect.

Why this answer

Option B is correct because the Cloud SQL Auth proxy uses IAM permissions for authentication and authorization. The `cloudsql.client` role grants the `cloudsql.instances.connect` permission unconditionally, allowing Alice to connect to any instance. The `cloudsql.admin` role's condition restricting access to 'dev' instances only applies to the `cloudsql.instances.update` permission, not to the connect permission, so the client role's unconditional access prevails.

Exam trap

Google Cloud often tests the misconception that a restrictive condition on a higher-privilege role (like admin) overrides a lower-privilege role (like client), when in reality IAM evaluates each permission independently and the most permissive effective permission wins.

How to eliminate wrong answers

Option A is wrong because, although it correctly notes that the client role has no condition, its reasoning is incomplete rather than incorrect: the question implies a condition on the admin role, and the core point is that the client role alone suffices, yet the option never explains why the admin role's condition is irrelevant to the connect permission. Option C is wrong because IAM conditions are evaluated per permission, not globally; the admin role condition does not override the client role's unconditional connect permission, since IAM combines multiple roles and the most permissive effective permission applies. Option D is wrong because the admin role condition restricts only admin-level actions (like modifying instances), not the connect permission granted by the client role; the condition does not block Cloud SQL Auth proxy connections.

973
MCQhard

A financial services company must ensure that all data egress from a VPC to BigQuery goes through a Private Service Connect endpoint for private access. They have set up the PSC endpoint and configured DNS. However, connections from VMs are still using the public internet. What is the most likely cause?

A.The VPC has a default route to the internet via NAT.
B.The DNS record for bigquery.googleapis.com points to the public IP.
C.Private Google Access is disabled on the subnet.
D.The PSC endpoint is not associated with a forwarding rule.
AnswerC

Private Google Access must be enabled for VMs to use the PSC endpoint for Google APIs.

Why this answer

For private access to Google APIs via PSC, the VPC must have Private Google Access enabled on the subnet. Without it, VMs will use the default public route.

974
MCQhard

A company has an on-premises data center connected to Google Cloud via a Dedicated Interconnect. They want to allow instances in a VPC (10.0.0.0/8) to access Google APIs (e.g., Cloud Storage) without traversing the public internet. They also want to ensure that traffic from on-premises to Google APIs uses the same private path. Which configuration is required?

A.Set up Cloud VPN and use Private Google Access on the VPC.
B.Apply VPC Service Controls and enable Private Google Access on the subnet.
C.Configure Cloud NAT on the VPC and on-premises route via the interconnect.
D.Enable Private Google Access on the VPC subnet and advertise the default route (0.0.0.0/0) from on-premises with a specific route for Google APIs (199.36.153.4/30) pointing to the interconnect.
AnswerD

Private Google Access allows VMs to reach Google APIs via private IPs; on-premises can use custom routes to reach Google APIs via the interconnect.

Why this answer

Option D is correct because it enables Private Google Access on the VPC subnet, which allows instances with private IPs to reach Google APIs without public internet. Additionally, advertising a default route (0.0.0.0/0) from on-premises via the Dedicated Interconnect ensures that on-premises traffic to Google APIs also uses the private path, while the specific route for Google APIs (199.36.153.4/30) overrides the default to direct API traffic through the interconnect, avoiding asymmetric routing.

Exam trap

The trap here is that candidates often confuse Private Google Access with Cloud NAT or VPC Service Controls, not realizing that Private Google Access requires a specific route (199.36.153.4/30) and a default route from on-premises to ensure bidirectional private connectivity over Dedicated Interconnect.

How to eliminate wrong answers

Option A is wrong because Cloud VPN is a public-internet-based encrypted tunnel, not a private path like Dedicated Interconnect, and Private Google Access alone does not route on-premises traffic via the interconnect. Option B is wrong because VPC Service Controls provide security boundaries (e.g., data exfiltration prevention) but do not enable private routing for on-premises traffic to Google APIs. Option C is wrong because Cloud NAT is used for outbound internet access from private instances, not for private access to Google APIs, and it does not address on-premises routing requirements.

975
MCQeasy

A company wants to use a Google-managed SSL certificate for their external HTTPS load balancer. Which step is required to provision the certificate?

A.Install the certificate on each backend instance.
B.Submit a Certificate Signing Request (CSR) to Google.
C.Upload the private key and certificate in PEM format.
D.Create a DNS record for the domain that resolves to the load balancer's IP address.
AnswerD

Correct: Google uses DNS records to verify domain ownership and automate certificate issuance.

Why this answer

Google-managed SSL certificates require domain ownership verification. You must create a DNS record (CNAME or A record) that points to the load balancer's IP address or a specific verification record. The certificate is automatically provisioned and renewed.

Google Professional Cloud Security Engineer PCSE Questions 901–975 | Page 13/14 | Courseiva