Google Professional Cloud Security Engineer (PCSE) — Questions 976-985

985 questions total · 14 pages · All types, answers revealed


Page 14 of 14

976
MCQ · medium

An organization needs to centralize audit logs from multiple Google Cloud projects into a BigQuery dataset for long-term analysis. They also want to retain raw logs in Cloud Storage for archival purposes. What is the most efficient way to accomplish this?

A. Create a single log sink that exports to both BigQuery and Cloud Storage.
B. Enable Data Access logs for all services and configure BigQuery as the default log destination.
C. Use Cloud Functions to copy logs from Cloud Logging to BigQuery and Cloud Storage.
D. Create two log sinks: one exporting to BigQuery, one to Cloud Storage, using an aggregated sink at the organization level.

Answer: D

This allows centralized collection of logs from all projects to both destinations.

Why this answer

Log sinks can route logs to multiple destinations by creating separate sinks for each destination. One sink can export logs to BigQuery, and another sink can export logs to Cloud Storage. Aggregated sinks at the organization or folder level allow collecting logs from all projects.

977
MCQ · medium

An organization uses Certificate Manager to provision SSL certificates for multiple domains across several load balancers. They want to automate certificate renewal. Which type of certificate should be used?

A. Wildcard certificates purchased from a third-party CA
B. Self-managed certificates uploaded as PEM files
C. Google-managed certificates with DNS authorization
D. Certificates from a private CA

Answer: C

Google-managed certificates are automatically renewed when DNS authorization is configured.

Why this answer

Google-managed certificates automatically provision and renew certificates for domains that are DNS-authorized. Certificate Manager can manage these certificates and map them to load balancer targets.

978
MCQ · hard

A company is using Cloud SQL for MySQL to store customer data subject to SOX compliance. They need to ensure that all database changes are audited and that logs are immutable. They have enabled audit logs and exported them to a Cloud Storage bucket. However, the auditor discovers that some logs were deleted from the bucket. What is the most likely cause?

A. The log sink filter is excluding certain events, causing incomplete export.
B. The bucket has a retention policy enabled, which prevents deletion until the retention period expires.
C. The service account used for export does not have the storage.objects.delete permission.
D. The Cloud Storage bucket has a lifecycle rule that deletes objects after a set number of days.

Answer: D

If a lifecycle rule is set to delete objects, logs can be automatically removed, violating immutability requirements.

Why this answer

Option D is correct because Cloud Storage lifecycle rules can automatically delete objects after a specified number of days. If a lifecycle rule is configured on the bucket, it would delete audit logs regardless of the export process, making them unavailable to the auditor. This is the most likely cause of logs being deleted from the bucket, as the other options do not explain actual deletion of already-exported objects.

Exam trap

Google Cloud often tests the distinction between features that prevent deletion (retention policies, lock) versus features that cause deletion (lifecycle rules), and candidates mistakenly assume that enabling audit logs or exporting to a bucket guarantees immutability without considering bucket-level configurations.

How to eliminate wrong answers

Option A is wrong because a log sink filter controls which log entries are exported to the bucket, not the deletion of objects already stored in the bucket; missing events would not cause existing logs to be deleted. Option B is wrong because a retention policy prevents object deletion or overwrite until the retention period expires, so it would protect logs from deletion, not cause it. Option C is wrong because the service account used for export needs storage.objects.create permission to write logs, not storage.objects.delete; lacking delete permission would not cause logs to be deleted.

979
MCQ · medium

A financial institution is deploying a PCI DSS-compliant web application on Google Cloud. They need to isolate the cardholder data environment (CDE) from other environments and protect the web application against common web attacks. Which combination of services meets these requirements?

A. Cloud NAT and Cloud IDS
B. VPC Service Controls and Cloud Armor
C. Identity-Aware Proxy (IAP) and Cloud Storage
D. Shared VPC and Cloud Load Balancing

Answer: B

VPC Service Controls create a secure perimeter for the CDE, and Cloud Armor provides WAF protection against web attacks.

Why this answer

VPC Service Controls create a perimeter around Google Cloud resources to prevent data exfiltration. Cloud Armor is a web application firewall that protects against OWASP Top 10 attacks. Together they isolate the CDE and protect the application.

Cloud IDS is for network threat detection, not isolation. Cloud NAT provides outbound internet access, not security. Cloud Load Balancing distributes traffic but does not isolate.

980
MCQ · hard

Refer to the exhibit. The security team created this key for encrypting database backups. After an audit, they found that data encrypted before May 1, 2023, cannot be decrypted. What is the most likely cause?

A. The rotation period is too short, causing old versions to be destroyed.
B. Key version 1 was deleted after the new primary was created.
C. The primary key version is disabled.
D. The algorithm GOOGLE_SYMMETRIC_ENCRYPTION is not supported by HSM.

Answer: B

If version 1 was deleted, data encrypted with it cannot be decrypted.

Why this answer

Option B is correct because when a new primary key version is created in Cloud KMS, the old primary key version is not automatically deleted. However, if the old key version (version 1) was manually deleted after promoting version 2 as the primary, any data encrypted with version 1 becomes permanently undecryptable. The audit finding that data encrypted before May 1, 2023 cannot be decrypted directly indicates that the key version used for that encryption (likely version 1) is no longer available, not just disabled or rotated.

Exam trap

Google Cloud often tests the distinction between key rotation (which creates new versions) and key version deletion (which removes the ability to decrypt old data), leading candidates to incorrectly assume that rotation alone causes decryption failures.

How to eliminate wrong answers

Option A is wrong because a short rotation period does not cause old key versions to be destroyed; rotation creates new versions while retaining old ones for decryption of previously encrypted data. Option C is wrong because disabling the primary key version would prevent any new encryption or decryption operations, not selectively break decryption of old data while allowing newer data to be decrypted. Option D is wrong because GOOGLE_SYMMETRIC_ENCRYPTION is a valid algorithm supported by both software and HSM-backed keys in Google Cloud KMS, and the issue is about key version availability, not algorithm support.

981
MCQ · easy

A healthcare organization is migrating applications to Google Cloud and must comply with HIPAA. They plan to store protected health information (PHI) in Cloud Storage and BigQuery. The security engineer needs to ensure that all access to PHI is logged and that the data is encrypted at rest with customer-managed keys. The organization also requires that any audit logs containing PHI are stored in a separate project with restricted access. Which course of action meets all requirements?

A. Enable Data Access audit logs for Cloud Storage and BigQuery, and store logs in the same project. Use CMEK for encryption.
B. Use VPC Service Controls to create a perimeter around the project, and enable CMEK for encryption.
C. Enable Admin Read audit logs for Cloud Storage and BigQuery, and store logs in a different project. Use CSEK for encryption.
D. Enable Data Access audit logs for Cloud Storage and BigQuery, create a sink to route logs to a BigQuery dataset in a separate project, and use CMEK in the data project.

Answer: D

All requirements are met: logging enabled, logs stored separately with restricted access, and CMEK used.

Why this answer

Option D is correct because it meets all requirements: Data Access audit logs capture every access to PHI, a sink routes those logs to a BigQuery dataset in a separate project (fulfilling the separate-project storage requirement), and CMEK (customer-managed encryption keys) ensures encryption at rest with keys controlled by the organization. This combination satisfies HIPAA logging, encryption, and restricted-access log storage mandates.

Exam trap

Google Cloud often tests the distinction between Admin Read and Data Access audit logs, and the trap here is that candidates confuse Admin Read (which logs only admin actions) with Data Access (which logs all data access), leading them to choose Option C despite it failing the logging requirement.

How to eliminate wrong answers

Option A is wrong because storing audit logs in the same project as the PHI violates the requirement that logs containing PHI be stored in a separate project with restricted access. Option B is wrong because VPC Service Controls provide data exfiltration prevention but do not enable logging of access to PHI (no audit log configuration) and do not address the separate-project log storage requirement. Option C is wrong because Admin Read audit logs only record administrative actions, not data access (reads/writes), and CSEK (customer-supplied encryption keys) is deprecated in favor of CMEK and does not meet the customer-managed key requirement.

982
Multi-Select · hard

Your company has a VPC with multiple subnets. You have deployed a set of Compute Engine instances that must communicate with each other over TCP port 4444. The instances are tagged with 'app-tier'. You need to ensure that only these instances can communicate on this port. Which THREE of the following steps are necessary to achieve this?

Select 3 answers

A. Remove the default allow egress rule that allows all outbound traffic
B. Create an egress firewall rule that allows TCP 4444 from target tag 'app-tier' to source tag 'app-tier'
C. Create a VPC firewall rule to deny all egress traffic from the VPC
D. Create an ingress firewall rule that allows TCP 4444 from source tag 'app-tier' to target tag 'app-tier'
E. Apply the 'app-tier' tag to all instances that need to communicate

Answers: B, D, E

This rule allows outbound traffic on port 4444 from instances with the tag 'app-tier' to instances with the same tag.

Why this answer

Option B is correct because egress firewall rules control outbound traffic from instances. By creating an egress rule allowing TCP 4444 from source tag 'app-tier' to destination tag 'app-tier', you ensure that only instances with the 'app-tier' tag can send traffic on that port to other 'app-tier' instances, while all other outbound traffic is implicitly denied by the default deny egress rule (unless overridden by a higher-priority allow rule). This restricts communication to the intended group.

Exam trap

Google Cloud often tests the misconception that egress rules are unnecessary for restricting inter-instance communication, but in GCP, both ingress and egress rules are required to fully control traffic flow, as egress rules govern outbound packets from the source instance.

983
MCQ · hard

You need to configure automated remediation for high-severity SCC findings. When a finding of type 'VULNERABILITY' with severity 'HIGH' is created, a Cloud Function should execute a script to patch the vulnerable VM. Which architecture is correct?

A. Configure SCC to publish findings to a Pub/Sub topic, and set up a Cloud Function subscribed to that topic
B. Configure SCC to send findings to Cloud Storage, then use Cloud Functions on object change
C. Use Cloud Scheduler to poll the SCC API every minute and trigger a Cloud Function
D. Configure SCC to send notifications to Cloud Logging, then create a log-based metric and alert to trigger a Cloud Function

Answer: A

This is the direct and recommended integration for automated response.

Why this answer

SCC can publish findings to a Pub/Sub topic. A Cloud Function subscribed to that topic can then trigger remediation actions. The Cloud Function must filter findings by severity and type.

984
MCQ · medium

A company wants internal VMs to access Google APIs (e.g., Cloud Storage, BigQuery) without traversing the internet. What is the simplest configuration?

A. Assign external IPs to all VMs and use VPC firewall rules to restrict egress.
B. Use Cloud NAT to route traffic to Google APIs.
C. Enable Private Google Access on the subnet where the VMs reside.
D. Set up Private Service Connect to googleapis.com.

Answer: C

Private Google Access allows internal-only VMs to reach Google APIs privately.

Why this answer

Private Google Access enables VMs with only internal IPs to reach Google APIs via the Google Cloud private network, without needing external IPs or internet access.

985
MCQ · hard

A company enforces Binary Authorization on a GKE cluster. They want to require that all container images be signed by a specific attestor located in a different project. What must be configured?

A. A Binary Authorization policy that allows all images, and an attestor with the same name in both projects.
B. A Cloud KMS key for the attestor in the same project as the cluster, and a policy that requires attestation.
C. A policy that requires attestation, an attestor in the same or different project, and a service account on the GKE node with the appropriate IAM permissions to access the attestor.
D. A policy that denies all images, and a separate attestor for each project.

Answer: C

Binary Authorization supports cross-project attestors. The GKE nodes need IAM permissions (roles/binaryauthorization.attestorsVerifier) to verify the attestation.

Why this answer

Binary Authorization allows attestors in different projects. The key requirement is the proper IAM role (roles/binaryauthorization.attestorsVerifier) on the GKE service account.
