Google Professional Cloud Security Engineer (PCSE) — Questions 76-150

500 questions total · 7 pages · All types, answers revealed

Page 2 of 7
76
MCQ · medium

A government agency requires FedRAMP High compliance for their Google Cloud deployment. Which service should they use to create a compliant environment with pre-configured controls?

A. Cloud HSM
B. VPC Service Controls
C. Security Command Center
D. Assured Workloads
Answer: D

Assured Workloads automates the creation of a compliant environment for FedRAMP, HIPAA, etc., with pre-built controls and continuous monitoring.

Why this answer

Assured Workloads is the correct service because it enables customers to create a Google Cloud environment that is pre-configured to meet specific compliance requirements, including FedRAMP High. It automatically applies a set of controls (e.g., data residency, encryption key management, and access restrictions) based on the chosen compliance regime, reducing the manual effort needed to achieve and maintain certification.

Exam trap

Google Cloud often tests the misconception that a single security tool (like Cloud HSM or VPC Service Controls) is sufficient for full compliance, when in reality Assured Workloads is the only option that provides a holistic, pre-configured compliance environment.

How to eliminate wrong answers

Option A is wrong because Cloud HSM is a hardware security module service that provides FIPS 140-2 Level 3 validated key management, but it does not create a pre-configured compliant environment or enforce broader FedRAMP controls like data residency or access boundaries. Option B is wrong because VPC Service Controls provides a security perimeter to prevent data exfiltration from VPC services, but it is a single control mechanism, not a comprehensive environment that pre-configures all FedRAMP High requirements. Option C is wrong because Security Command Center is a security and risk management platform that provides visibility, threat detection, and compliance reporting, but it does not automatically deploy a pre-configured compliant environment; it monitors and assesses existing configurations.

77
MCQ · medium

A company uses Cloud Functions to process employee data and wants to ensure that personally identifiable information (PII) is redacted from log output. Which approach should they take?

A. Use Cloud Audit Logs to capture all access and redact at analysis.
B. Use Cloud DLP API to inspect and redact the log message before writing to Cloud Logging.
C. Create a Logging sink with an exclusion filter to drop logs containing PII.
D. Enable VPC Service Controls to prevent PII from leaving the VPC.
Answer: B

DLP can de-identify text in application logic.

Why this answer

Option B is correct because the Cloud DLP API can be integrated directly into a Cloud Function to inspect and redact PII from log messages before they are written to Cloud Logging. This ensures that sensitive data never appears in the logs, which is the most secure approach. Using Cloud DLP at the point of log generation prevents any exposure, rather than relying on post-hoc analysis or filtering.

Exam trap

Google Cloud often tests the distinction between reactive filtering (exclusion sinks) and proactive redaction (DLP API), and the trap here is that candidates mistakenly believe a Logging sink can redact data when it can only drop entire log entries, not modify their content.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs record who accessed which resource; they are not the application log stream in question and offer no redaction, so the PII the function writes would still be stored. Option C is wrong because an exclusion filter can only discard whole entries that match a pattern you anticipated: the operational content of those entries is lost, unmatched variants of the PII still land in the log bucket, and the raw entry is still sent to the Logging API and can be routed by any other sink whose filter matches it. Option D is wrong because VPC Service Controls restrict which networks and identities can reach a service API; they do not inspect or rewrite log content and cannot stop PII from being written by a function inside the perimeter.
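The redact-at-the-source pattern from option B, as an added example that is not code from the original page: a `logging.Filter` runs every record through a redaction callable before any handler (the Cloud Logging handler in production) sees it. `make_dlp_redactor` builds that callable on the Cloud DLP `deidentify_content` API; `regex_redactor` is a constructed offline stand-in with the same contract, and the logged employee record is constructed sample input.

```python
"""Redact PII before a log record reaches any handler.

Added example, not code from the original page. A logging.Filter rewrites each
record's message through a redaction callable, so Cloud Logging (or any other
handler) never receives the raw text. make_dlp_redactor builds the production
callable on top of the Cloud DLP deidentify_content API; regex_redactor is a
constructed offline stand-in with the same contract, used here so the module
runs without credentials.
"""
import logging
import re
from typing import Callable, List, Sequence

Redactor = Callable[[str], str]


class PiiRedactingFilter(logging.Filter):
    """Replaces record.msg with its redacted rendering before handlers run."""

    def __init__(self, redact: Redactor) -> None:
        super().__init__()
        self._redact = redact

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-style arguments first so PII passed as args is covered too,
        # then clear args so no handler re-formats with the raw values.
        record.msg = self._redact(record.getMessage())
        record.args = ()
        return True


def make_dlp_redactor(
    project_id: str,
    info_types: Sequence[str] = ("EMAIL_ADDRESS", "PHONE_NUMBER", "US_SOCIAL_SECURITY_NUMBER"),
) -> Redactor:
    """Production redactor: Cloud DLP replaces each finding with its infoType name."""
    from google.cloud import dlp_v2  # lazy import: needs google-cloud-dlp and credentials

    client = dlp_v2.DlpServiceClient()
    parent = f"projects/{project_id}"
    inspect_config = {"info_types": [{"name": name} for name in info_types]}
    deidentify_config = {
        "info_type_transformations": {
            "transformations": [
                {"primitive_transformation": {"replace_with_info_type_config": {}}}
            ]
        }
    }

    def redact(text: str) -> str:
        response = client.deidentify_content(
            request={
                "parent": parent,
                "inspect_config": inspect_config,
                "deidentify_config": deidentify_config,
                "item": {"value": text},
            }
        )
        return response.item.value

    return redact


# Constructed stand-in: two patterns, same "[INFO_TYPE]" output shape as DLP.
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def regex_redactor(text: str) -> str:
    text = _EMAIL.sub("[EMAIL_ADDRESS]", text)
    return _SSN.sub("[US_SOCIAL_SECURITY_NUMBER]", text)


class ListHandler(logging.Handler):
    """Stands in for the Cloud Logging handler; collects the lines it would ship."""

    def __init__(self, sink: List[str]) -> None:
        super().__init__()
        self.sink = sink

    def emit(self, record: logging.LogRecord) -> None:
        self.sink.append(record.getMessage())


def build_logger(name: str, redact: Redactor, sink: List[str]) -> logging.Logger:
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(ListHandler(sink))
    logger.addFilter(PiiRedactingFilter(redact))  # runs before every handler
    return logger


def demo(redact: Redactor = regex_redactor) -> List[str]:
    """Logs one constructed employee-processing event; returns what the sink received."""
    sink: List[str] = []
    log = build_logger("employee-fn", redact, sink)
    log.info("processing record for %s (ssn %s)", "jane.doe@example.com", "123-45-6789")
    return sink
```

In the function, swap `regex_redactor` for `make_dlp_redactor(PROJECT_ID)` and attach the filter to the logger the Cloud Logging client installs; the filter sits on the logger, so it applies regardless of how many handlers are configured later.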

78
Multi-Select · easy

Which TWO organization policies can help enforce compliance with data residency requirements?

Select 2 answers
A. constraints/storage.uniformBucketLevelAccess
B. constraints/iam.disableServiceAccountCreation
C. constraints/gcp.resourceLocations
D. constraints/gcp.restrictTrustedDomains
E. constraints/compute.requireShieldedVm
Answers: C, D

This policy restricts where resources can be created, ensuring data stays in allowed regions.

Why this answer

Option C is correct because `constraints/gcp.resourceLocations` is the organization policy that restricts where location-bound resources (Compute Engine instances and disks, Cloud Storage buckets, BigQuery datasets, Cloud SQL instances and others) may be created. Its allowed values are regions, multi-regions or value groups such as `in:eu-locations` or `in:us-central1-locations`; set on a folder, it applies to every project beneath it and rejects creation requests outside the allowed set, which is how residency obligations from regulations such as GDPR are enforced technically rather than by procedure. On option D: `constraints/gcp.restrictTrustedDomains` is not a documented constraint name; the domain-restriction constraint is `constraints/iam.allowedPolicyMemberDomains`, and it limits which identities can be granted access, a data-sharing control rather than a residency control. Of the options listed, only C directly enforces where data is stored.

Exam trap

Google Cloud often tests the distinction between security controls (like Shielded VM or uniform bucket access) and compliance controls (like resource location restrictions), so candidates mistakenly pick options that sound security-related but do not enforce data residency.

79
Multi-Select · hard

Which TWO of the following are true regarding Cloud Identity and Access Management (IAM) conditions?

Select 2 answers
A. IAM conditions can restrict access based on the current date and time.
B. IAM conditions are supported for all Google Cloud resources.
C. IAM conditions can be applied to a role binding that supports all resources.
D. IAM conditions can restrict access based on resource tags.
E. IAM conditions can restrict access based on the user's email domain.
Answers: A, D

DateTime conditions are supported.

Why this answer

Option A is correct because IAM conditions support temporal attributes, including date/time restrictions, using the `request.time` attribute. This allows policies to grant access only during specific hours or days, such as allowing access only during business hours. The condition is expressed using the Common Expression Language (CEL) syntax, e.g., `request.time.getHours("America/New_York") >= 9 && request.time.getHours("America/New_York") <= 17`.

Exam trap

Google Cloud often tests the misconception that IAM conditions can restrict access based on user attributes like email domain or group membership, but in reality, conditions only support resource and request attributes, not principal attributes.

80
MCQ · hard

A company is implementing VPC Service Controls to protect sensitive data in Google Cloud Storage. They want to allow a private on-premises subnet (10.1.0.0/16) to access the storage buckets via a Cloud VPN tunnel, but deny all other on-premises traffic. Which configuration approach meets this requirement with least privilege?

A. Create a service perimeter that allows all traffic from on-premises, then an explicit deny rule for other IP ranges.
B. Create a bridged access level that includes the private IP range 10.1.0.0/16 and a VPC network condition.
C. Configure Cloud NAT in the on-premises network and allow the NAT IP in an access level.
D. Create an access level with the IP range 10.1.0.0/16 and apply it to a service perimeter.
Answer: B

Correct: bridged access level ensures traffic goes through VPN and originates from correct subnet.

Why this answer

Option B is correct because Access Context Manager access levels, and the VPC Service Controls ingress sources built on them, can identify a request by the VPC network it arrived through, not only by public IP. Traffic from the on-premises subnet enters Google through the VPC that terminates the Cloud VPN tunnel, so an access level whose VPC-network condition names that network and lists `10.1.0.0/16` as the permitted source subnet admits exactly those clients; everything else on-premises falls through to the perimeter's default deny. This is least privilege in both dimensions: the narrowest source range, bound to the one network path it must use.

Exam trap

Google Cloud often tests the misconception that an IP-based access level alone is sufficient for VPN-connected traffic. Without the VPC network condition, a bare IP access level would admit any request presenting that range regardless of path (another site or VPC reusing 10.1.0.0/16, for example), and a private range in a plain IP access level does not identify the VPN-attached subnet at all; the VPC-network condition is what ties the range to the network it must arrive through.

How to eliminate wrong answers

Option A is wrong because creating a service perimeter that allows all on-premises traffic and then adding an explicit deny for other IP ranges violates least privilege by initially granting overly broad access, and VPC Service Controls have no explicit deny rules within a perimeter; anything not matched by an access level or ingress rule is denied by default. Option C is wrong because Cloud NAT provides outbound internet access for Google Cloud VMs without external addresses; it is not something you configure in an on-premises network, and translating the subnet to a public address would discard the very source identity the requirement wants to preserve. Option D is wrong because an access level with only the IP range 10.1.0.0/16 carries no VPC network condition, so it does not distinguish traffic that arrived through the Cloud VPN tunnel from traffic from any other site reusing that range, and thus fails the requirement to admit only the VPN-connected subnet.

81
MCQ · hard

A security engineer is designing a VPC Service Controls perimeter to protect a project containing sensitive data stored in Cloud Storage and BigQuery. The perimeter currently allows access from an on-premises data center via private connectivity (Cloud Interconnect). The business requires that a third-party SaaS application (outside the perimeter) be able to write data into a specific Cloud Storage bucket. Which action should the engineer take?

A. Create a service account for the SaaS application and grant it the Storage Object Creator role; then add the service account to the perimeter's allowed identities.
B. Create a service account for the SaaS application, grant it the Storage Object Creator role, and configure an access level that includes the service account. Then, add that access level to the perimeter's ingress policy.
C. Create an access level that includes the SaaS application's IP addresses and use that in the perimeter's ingress policy.
D. Add the SaaS application's external IP addresses to the perimeter's allowed IP ranges.
Answer: B

VPC Service Controls ingress policies can use access levels based on service accounts. This allows the specific service account to write to the bucket while maintaining the perimeter.

Why this answer

Option B is correct because VPC Service Controls perimeters use ingress rules to explicitly allow requests that originate outside the perimeter. By creating a service account for the SaaS application, granting it the Storage Object Creator role on the bucket, and building an access level whose `members` condition names that service account, the engineer can reference the access level as the source of an ingress rule scoped to the Cloud Storage API. The SaaS application can then write into the bucket while every other external request is still blocked. (An ingress rule can also name the service account directly under `ingressFrom.identities`; the access-level route in B is the one the options offer, and it keeps the identity reusable across rules.)

Exam trap

Google Cloud often tests the distinction between VPC Service Controls and IAM permissions, where candidates mistakenly think that granting IAM roles and adding identities to the perimeter is sufficient, ignoring the requirement for explicit ingress policies to allow external access.

How to eliminate wrong answers

Option A is wrong because simply adding the service account to the perimeter's allowed identities does not create an ingress rule; VPC Service Controls require an explicit ingress policy to allow traffic from outside the perimeter, and allowed identities alone cannot bypass the perimeter for external entities. Option C is wrong because using the SaaS application's IP addresses in an access level and ingress policy would allow access based on source IP, but the SaaS application likely uses dynamic IPs or operates from multiple IP ranges, making IP-based access control unreliable and less secure than identity-based access. Option D is wrong because VPC Service Controls do not support adding external IP addresses to 'allowed IP ranges' within the perimeter; the perimeter blocks all traffic from outside by default, and IP-based exceptions are not a feature of VPC Service Controls—this misconception confuses VPC firewall rules with VPC Service Controls.

82
MCQ · medium

An organization has hundreds of Google Cloud projects and wants to enforce a uniform firewall rule that blocks outbound traffic to known malicious IP addresses. They want to centrally manage this rule without manually applying it to each VPC. What should they do?

A. Create a hierarchical firewall rule at the organization or folder level.
B. Use Organization Policies to block the IP addresses.
C. Create a global VPC firewall rule in each project using Deployment Manager.
D. Use Shared VPC and configure firewall rules in the host project.
Answer: A

Hierarchical firewall rules are inherited by all VPCs under that node.

Why this answer

Option A is correct because hierarchical firewall policies are attached at the organization or folder level and are inherited by every VPC network in the projects beneath that node, so one egress deny rule for the malicious ranges is enforced everywhere and maintained in one place; project owners cannot override it with their own VPC rules. Option B is incorrect because Organization Policy constraints govern resource configuration, not packet filtering; there is no constraint that blocks traffic to an IP address. Option C is incorrect because VPC firewall rules are per-network: generating them with Deployment Manager still leaves hundreds of copies to keep in sync, and any project owner can delete theirs. Option D is incorrect because rules in a Shared VPC host project apply only to that shared network, not to every VPC in the organization.

83
Multi-Select · easy

Which TWO of the following are valid methods to automate responses to Cloud Security Command Center findings?

Select 2 answers
A. Create a Cloud Function that is triggered by a Pub/Sub topic receiving SCC notifications.
B. Set up Cloud Tasks to process SCC findings and send alerts.
C. Configure Cloud Run to directly receive webhooks from SCC.
D. Use Eventarc to trigger a Cloud Run job based on SCC findings.
E. Use Cloud Scheduler to periodically query SCC and trigger a Cloud Run service.
Answers: A, D

Standard pattern for automated response.

Why this answer

Options A and D are correct. An SCC notification config (continuous export) publishes each new or updated finding to a Pub/Sub topic; a Cloud Function subscribed to that topic (A) or an Eventarc trigger on the topic that runs a Cloud Run job (D) reacts to the finding in near real time. Option B is incorrect because Cloud Tasks is a queue for work you enqueue yourself; SCC does not push findings into it. Option C is incorrect because SCC has no webhook integration; its push mechanism is Pub/Sub. Option E is incorrect because polling SCC on a schedule is a batch approach, not the event-driven response pattern the question asks for.
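The option A pattern end to end, as an added example that is not code from the original page: the Pub/Sub-triggered handler decodes the base64 notification body, extracts the finding and decides what to do with it. The finding fields used (`category`, `severity`, `state`, `resourceName`) are standard SCC finding fields; the remediation map, the resource names and `SAMPLE_EVENT` are constructed.

```python
"""Automated response to an SCC finding delivered over Pub/Sub.

Added example, not code from the original page. Mirrors a Pub/Sub-triggered
Cloud Function: decode the base64 notification payload, pull out the finding,
decide on an action. The finding fields are standard SCC fields; the
AUTO_REMEDIATE map, resource names and SAMPLE_EVENT are constructed.
"""
import base64
import json
from typing import Any, Dict

# Categories we act on automatically; everything else is ticketed for a human.
AUTO_REMEDIATE = {
    "PUBLIC_BUCKET_ACL": "remove_allUsers_binding",
    "OPEN_FIREWALL": "disable_firewall_rule",
}


def decode_notification(event: Dict[str, Any]) -> Dict[str, Any]:
    """Pub/Sub background functions get the message body base64-encoded in event['data'].

    The decoded body is the SCC NotificationMessage JSON:
    {"notificationConfigName": ..., "finding": {...}}.
    """
    raw = base64.b64decode(event["data"]).decode("utf-8")
    return json.loads(raw)["finding"]


def plan_response(finding: Dict[str, Any]) -> Dict[str, str]:
    """Decide an action from the finding; returns a dict the caller executes or logs."""
    if finding.get("state") != "ACTIVE":
        # Notifications also fire when a finding is resolved; never remediate those.
        return {"action": "ignore", "reason": "finding not active"}
    category = finding.get("category", "")
    severity = finding.get("severity", "LOW")
    if category in AUTO_REMEDIATE and severity in ("HIGH", "CRITICAL"):
        return {"action": AUTO_REMEDIATE[category], "resource": finding["resourceName"]}
    return {"action": "open_ticket", "resource": finding.get("resourceName", ""), "severity": severity}


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, str]:
    """Cloud Functions (Pub/Sub trigger) entry point."""
    plan = plan_response(decode_notification(event))
    # A real function would execute the plan here (Storage/Compute API calls)
    # and then set the finding's state or mute it through the SCC API.
    return plan


# Constructed notification, shaped like what SCC publishes to the topic.
SAMPLE_FINDING = {
    "name": "organizations/123/sources/456/findings/abc",
    "category": "PUBLIC_BUCKET_ACL",
    "severity": "HIGH",
    "state": "ACTIVE",
    "resourceName": "//storage.googleapis.com/projects/_/buckets/example-bucket",
}
SAMPLE_EVENT = {
    "data": base64.b64encode(
        json.dumps(
            {"notificationConfigName": "organizations/123/notificationConfigs/cfg",
             "finding": SAMPLE_FINDING}
        ).encode()
    ).decode()
}
```

The state check is the part people forget: a notification config fires on updates as well as creation, so an auto-remediation that ignores `state` will re-run when the finding is closed.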

84
MCQ · medium

A DevOps engineer accidentally assigned the role roles/editor to a service account used by a backend service. This gives the service account excessive permissions. The engineer wants to remove the role from the service account. What is the correct command?

A. gcloud projects remove-iam-policy-binding PROJECT_ID --member serviceAccount:SA_EMAIL --role roles/editor
B. gcloud iam policy-bindings remove --member serviceAccount:SA_EMAIL --role roles/editor
C. gcloud iam service-accounts remove-role SA_EMAIL --role roles/editor
D. gcloud projects set-iam-policy PROJECT_ID policy.yaml
Answer: A

This command correctly removes the specified role binding.

Why this answer

Option A is correct because `gcloud projects remove-iam-policy-binding` is the specific command to remove an IAM role binding from a project-level policy for a given member (service account). The syntax correctly includes the `--member` flag with the `serviceAccount:` prefix and the `--role` flag specifying `roles/editor`, which removes the excessive Editor role from the service account.

Exam trap

Google Cloud often tests the distinction between project-level IAM commands (`gcloud projects`) and service account-specific commands, leading candidates to incorrectly choose non-existent or misnamed subcommands like `gcloud iam service-accounts remove-role`.

How to eliminate wrong answers

Option B is wrong because `gcloud iam policy-bindings remove` is not a valid gcloud command; the correct command uses `gcloud projects remove-iam-policy-binding` for project-level policies. Option C is wrong because `gcloud iam service-accounts remove-role` does not exist; service account roles are managed via IAM policy bindings, not a direct service account subcommand. Option D is wrong because `gcloud projects set-iam-policy` replaces the entire IAM policy with a YAML file, which is an overly complex and error-prone approach for a single role removal, and it does not directly remove a specific role binding.

85
MCQ · hard

A company uses Cloud SQL for PostgreSQL with IAM database authentication. A security engineer needs to grant a user named 'analyst@example.com' the ability to run SELECT queries on the 'orders' table. The user is a member of the group 'analysts@example.com'. What is the correct combination of IAM and database permissions?

A. Grant the user 'roles/cloudsql.viewer' on the project. In the database, grant SELECT on orders to 'analyst@example.com'.
B. Grant the user 'cloudsql.instances.connect' on the instance. In the database, create a user 'analyst@example.com' with 'cloudsqllogin' role and grant SELECT on orders to that user.
C. Grant the group 'roles/cloudsql.instanceUser' on the instance. In the database, create a user 'analysts@example.com' (the group) and grant SELECT on orders to that group.
D. Grant the group 'analysts@example.com' the role 'roles/cloudsql.instanceUser' on the instance. In the database, create a user 'analyst@example.com' with 'cloudsqllogin' role and grant SELECT on orders to that user.
Answer: D

Correct approach: IAM group gets instanceUser, then database user created with cloudsqllogin and table-level grant.

Why this answer

Option D is correct because IAM database authentication has two halves. On the IAM side, `roles/cloudsql.instanceUser` (which carries the `cloudsql.instances.login` permission) is what lets a principal log in to the instance; granting it to the group `analysts@example.com` on the instance covers every analyst without per-user bindings. On the database side the principal is the individual IAM user, not the group: a Cloud SQL user of type IAM is created for `analyst@example.com` (the options call the role `cloudsqllogin`; the role Cloud SQL for PostgreSQL actually assigns to IAM users is `cloudsqliamuser`), and `GRANT SELECT ON orders TO "analyst@example.com"` supplies the table privilege. No database password is involved; the user authenticates with an IAM access token.

Exam trap

Google Cloud often tests the misconception that the database user should be created with the group email address instead of the individual user's email, leading candidates to pick Option C, which incorrectly assumes the group name is used in the database.

How to eliminate wrong answers

Option A is wrong because `roles/cloudsql.viewer` grants read-only access to Cloud SQL metadata (e.g., instance configurations) but does not allow connecting to the database or running SQL queries; it also incorrectly grants permissions at the project level instead of the instance level. Option B is wrong because granting `cloudsql.instances.connect` directly to the user is not a valid IAM role (the correct role is `roles/cloudsql.instanceUser`), and creating a database user with `cloudsqllogin` role for the individual user works but misses the group-based IAM binding, which is less scalable and not the best practice described in the scenario. Option C is wrong because while it correctly grants the group the IAM role, it incorrectly creates a database user named after the group (`analysts@example.com`) instead of the individual IAM user (`analyst@example.com`); IAM database authentication requires the database user to match the IAM user's email, not the group's email.

86
MCQ · hard

Your company has a hybrid cloud environment with on-premises servers and Google Cloud. You are using Cloud VPN to connect the on-premises network to a VPC in us-central1. The on-premises network uses RFC 1918 addresses (10.0.0.0/8). The VPC has subnets in 10.0.0.0/8 as well, causing IP overlap. To resolve this, you have configured the VPC with a custom IP range of 172.16.0.0/12 and migrated some workloads. However, some legacy on-premises servers still need to access a specific set of Compute Engine VMs in the VPC. The security team requires that only authenticated service accounts from the VPC can access on-premises resources, and that traffic from on-premises to Google Cloud must be limited to specific ports (e.g., 443, 8443). You have set up a Cloud VPN tunnel with route-based VPN. What should you do to enforce these access controls?

A. Use Cloud Armor to create a security policy that filters traffic from on-premises IP ranges on ports 443 and 8443, and attach it to the VPN gateway.
B. Assign network tags to the Compute Engine VMs and create a firewall rule that allows traffic from the on-premises IP ranges on ports 443 and 8443 only to VMs with that tag.
C. Use Cloud NAT to provide outbound-only access from the VPC, and create firewall rules to block inbound traffic from on-premises.
D. Create VPC firewall rules that allow ingress from the on-premises IP ranges on ports 443 and 8443 to the target VMs. On the on-premises side, configure firewall rules to allow only traffic from the VPC IP ranges and require that the source VMs present a valid service account token, which can be verified using a proxy or by using Google Cloud's Identity-Aware Proxy (IAP) for TCP forwarding.
Answer: D

Correct approach: Firewall rules restrict ports, and IAP TCP forwarding or service account tokens provide authentication.

Why this answer

Option D is correct because it covers both requirements with the right mechanism for each. Port restriction is a VPC firewall job: an ingress rule scoped to the target VMs that allows only TCP 443 and 8443 from the on-premises ranges. Authentication of the VPC side cannot come from IP filtering; it comes from the VM's service account, which can obtain a Google-signed identity token from the metadata server (`.../computeMetadata/v1/instance/service-accounts/default/identity?audience=...&format=full`, with the `Metadata-Flavor: Google` header) and present it to an on-premises proxy that verifies the signature, audience and the `google.compute_engine` claims naming the project and instance. The option's mention of IAP TCP forwarding applies to brokering authenticated inbound connections to the VMs; for the VPC-to-on-premises direction the verifiable credential is that service account identity token. Together these avoid trusting overlapping IP ranges as identity.

Exam trap

Google Cloud often tests the misconception that firewall rules alone (like tags or Cloud Armor) can enforce authentication, when in reality they only filter by IP/port and cannot verify the identity of the source VM, which requires a solution like IAP or mutual TLS.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall (WAF) for HTTP(S) load balancers, not for VPN gateways; it cannot filter traffic at the VPN tunnel level or enforce service account authentication. Option B is wrong because network tags and firewall rules can restrict ports but cannot authenticate the source; they rely solely on source IP ranges, which are overlapping and do not verify the identity of the requesting VM. Option C is wrong because Cloud NAT provides outbound-only internet access for VMs without public IPs, but it does not restrict inbound traffic from on-premises or enforce authentication; it also does not solve the IP overlap issue or control specific ports.

87
Multi-Select · medium

A company uses Cloud Armor to protect their HTTP(S) load balancer. They want to block requests from a specific geographic region. Which TWO actions should they take? (Choose 2)

Select 2 answers
A. Create a security policy with a geo-match condition for the region.
B. Enable Cloud CDN and set geo-restrictions.
C. Attach the security policy to the backend service.
D. Configure the load balancer to use a custom header for geo-blocking.
E. Add a rule in the security policy with deny action and priority lower than the default.
Answers: A, C

The geo-match condition specifies the geographic region to block or allow.

Why this answer

Options A and C are correct. Geo-blocking in Cloud Armor is a rule in a security policy whose match expression uses the `origin.region_code` attribute (for example `origin.region_code == 'CN'`) with a deny action (A); the policy has no effect until it is attached to the backend service behind the load balancer (C). Option E is not one of the two required actions: the deny rule is part of building the policy in A, and its priority must be a lower number than the default rule's 2147483647 so it is evaluated first, which is the opposite of lower precedence. Option B is incorrect because Cloud CDN has no geo-restriction setting; it caches responses, it does not block requests. Option D is incorrect because the load balancer does not geo-block on a custom header; Cloud Armor derives the region from the client's source address.

88
MCQ · easy

A company has a Google Group called team-a@example.com that contains all developers. The developers need to deploy Cloud Functions. What is the best practice to grant the necessary permissions?

A. Add each developer's email to the IAM policy with roles/cloudfunctions.developer.
B. Grant the group roles/cloudfunctions.developer at the organization level.
C. Grant the group roles/cloudfunctions.developer on the project.
D. Grant the group roles/cloudfunctions.admin on the project.
Answer: C

This role allows deploying functions without full admin.

Why this answer

Option C is correct because granting the IAM role `roles/cloudfunctions.developer` to the Google Group at the project level follows the principle of least privilege and allows all members of the group to deploy Cloud Functions without granting excessive permissions. This approach centralizes permission management via the group, avoiding the need to manage individual user IAM bindings.

Exam trap

Google Cloud often tests the distinction between project-level and organization-level IAM roles, where candidates mistakenly choose the organization level thinking it covers all projects, but the correct answer is project-level to avoid over-permissioning.

How to eliminate wrong answers

Option A is wrong because adding each developer's email individually to the IAM policy is not a best practice; it creates administrative overhead and violates the principle of using groups for scalable access management. Option B is wrong because granting the role at the organization level would apply the permission to all projects in the organization, which is overly broad and violates least privilege. Option D is wrong because `roles/cloudfunctions.admin` grants full administrative control (including deleting functions and modifying IAM policies), which is more permissive than what developers need for deploying functions.

89
Matching · medium

Match each Google Cloud logging/monitoring term to its definition.


Concepts
Matches

Routes logs to a destination (e.g., BigQuery, Pub/Sub)

Storage location for log entries

Counts log entries matching a filter

Records of admin and data access activities

Copies logs to Cloud Storage or BigQuery

Why these pairings

These are key concepts in Cloud Logging.

90
Multi-Select · hard

A company needs to comply with GDPR and must implement data subject access request (DSAR) capabilities. Which TWO Google Cloud services should they use to locate and export personal data across various data stores?

Select 2 answers
A. Cloud Key Management Service (KMS)
B. Cloud Storage
C. BigQuery
D. Cloud Data Loss Prevention (DLP)
E. VPC Service Controls
Answers: C, D

BigQuery can store and query personal data for DSAR responses.

Why this answer

BigQuery is correct because it can be used to query and export personal data stored in BigQuery tables via SQL, enabling DSAR compliance by locating and extracting data subject information. Cloud Data Loss Prevention (DLP) is correct because it can inspect and classify personal data across various Google Cloud data stores (including Cloud Storage, BigQuery, and Datastore) and de-identify or export findings, directly supporting DSAR workflows.

Exam trap

Google Cloud often tests the misconception that Cloud Storage or VPC Service Controls can handle DSARs, but they are storage and security boundary services respectively, not data discovery or export tools; candidates confuse data storage with data subject access request capabilities.

91
MCQ · medium

A company is migrating to Google Cloud and wants to ensure that all service account keys are rotated automatically every 90 days. The security engineer needs to implement a solution that detects keys older than 90 days and notifies the security team. What is the most efficient way to achieve this?

A. Use Cloud Monitoring to query the IAM API for key creation timestamps and trigger an alert
B. Use Cloud Asset Inventory to list service account keys, then run a Cloud Scheduler job that invokes a Cloud Function to check key ages and send notifications
C. Create a log-based metric for service account key creation and set up an alert in Cloud Monitoring
D. Configure a custom role in Cloud IAM that denies access to keys older than 90 days
Answer: B

This combination efficiently checks key ages periodically and alerts.

Why this answer

Option B is correct because Cloud Asset Inventory exposes every key as an `iam.googleapis.com/ServiceAccountKey` asset with its `validAfterTime` (creation time) and `keyType`, across all projects in one query, so a Cloud Scheduler job can trigger a Cloud Function that compares each user-managed key's age against the 90-day threshold and notifies the team by email or chat. Only user-managed keys matter; Google-managed keys are rotated by Google. This is efficient because it is serverless, runs once a day rather than continuously, and avoids paging through every project's service accounts with the IAM API.

Exam trap

Google Cloud often tests the distinction between detecting key creation events (Option C) and detecting key age, leading candidates to mistakenly choose a log-based metric that only triggers on creation, not on the passage of time.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring cannot directly query the IAM API for key creation timestamps; it relies on metrics and logs, not API queries, and would require custom metric ingestion, making it inefficient. Option C is wrong because a log-based metric for key creation only detects when keys are created, not their age, so it cannot identify keys older than 90 days. Option D is wrong because IAM custom roles cannot deny access based on key age; they define permissions, not conditional access based on time, and this approach would not detect or notify about old keys.
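The age check the Cloud Function in option B would run, as an added example that is not code from the original page. The input mirrors the shape Cloud Asset Inventory returns for asset type `iam.googleapis.com/ServiceAccountKey` (the key's `name`, `keyType` and `validAfterTime` under `resource.data`); `SAMPLE_ASSETS`, the fixed clock `NOW` and the alert text format are constructed, and fetching the assets from the Asset API is left to the wrapping function.

```python
"""Flag user-managed service account keys older than a rotation threshold.

Added example, not code from the original page. The input mirrors what Cloud
Asset Inventory returns for asset type iam.googleapis.com/ServiceAccountKey
(resource.data carries the key's name, keyType and validAfterTime). The
SAMPLE_ASSETS, the fixed clock NOW and the alert format are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)  # fixed clock so results are deterministic


def parse_rfc3339(ts: str) -> datetime:
    """validAfterTime is RFC 3339 UTC, e.g. 2025-02-15T00:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_keys(assets: Iterable[Dict], now: datetime = NOW, max_age_days: int = 90) -> List[Dict]:
    """Return user-managed keys created more than max_age_days before now, oldest first."""
    cutoff = now - timedelta(days=max_age_days)
    found = []
    for asset in assets:
        data = asset["resource"]["data"]
        # Google rotates SYSTEM_MANAGED keys itself; only USER_MANAGED keys need follow-up.
        if data.get("keyType") != "USER_MANAGED":
            continue
        created = parse_rfc3339(data["validAfterTime"])
        if created < cutoff:
            found.append({"key": data["name"], "age_days": (now - created).days})
    return sorted(found, key=lambda k: k["age_days"], reverse=True)


def format_alert(stale: List[Dict], max_age_days: int = 90) -> str:
    """Text for the notification; an empty string means there is nothing to send."""
    if not stale:
        return ""
    lines = [f"{len(stale)} service account key(s) older than {max_age_days} days:"]
    lines += [f"- {k['key']} ({k['age_days']} days)" for k in stale]
    return "\n".join(lines)


# Constructed assets in Cloud Asset Inventory's export shape.
_SA = "projects/demo-proj/serviceAccounts/app@demo-proj.iam.gserviceaccount.com"
SAMPLE_ASSETS = [
    {
        "name": f"//iam.googleapis.com/{_SA}/keys/aaa111",
        "assetType": "iam.googleapis.com/ServiceAccountKey",
        "resource": {"data": {"name": f"{_SA}/keys/aaa111",
                              "keyType": "USER_MANAGED",
                              "validAfterTime": "2025-02-15T00:00:00Z"}},
    },
    {
        "name": f"//iam.googleapis.com/{_SA}/keys/bbb222",
        "assetType": "iam.googleapis.com/ServiceAccountKey",
        "resource": {"data": {"name": f"{_SA}/keys/bbb222",
                              "keyType": "USER_MANAGED",
                              "validAfterTime": "2025-06-01T00:00:00Z"}},
    },
    {
        "name": f"//iam.googleapis.com/{_SA}/keys/ccc333",
        "assetType": "iam.googleapis.com/ServiceAccountKey",
        "resource": {"data": {"name": f"{_SA}/keys/ccc333",
                              "keyType": "SYSTEM_MANAGED",
                              "validAfterTime": "2025-01-01T00:00:00Z"}},
    },
]
```

The `keyType` filter is the check worth keeping: without it every service account reports a stale Google-managed key and the alert becomes noise.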

92
MCQ · hard

A large healthcare organization is migrating its on-premises data center to Google Cloud. The organization must comply with HIPAA and has signed a BAA with Google Cloud. They plan to use BigQuery for analytics on PHI data. The security team has enabled encryption at rest with CMEK and has configured VPC Service Controls to prevent data exfiltration. During a penetration test, the testers discovered that they could query the BigQuery dataset using a service account that has BigQuery Data Viewer role from a non-VPC-SC-compliant network. This could allow unauthorized access to PHI data. The team needs to restrict all access to the BigQuery dataset to only originate from within the VPC perimeter defined by VPC Service Controls. What should the team do to enforce this requirement?

A. Set up Private Google Access for the on-premises network and route all traffic through a VPN tunnel.
B. Configure an Organization Policy that restricts BigQuery access to only service accounts with a specific prefix.
C. Enable VPC Service Controls perimeters for the BigQuery API and ensure that the project containing the dataset is in the perimeter, and configure ingress/egress rules to allow only requests from within the perimeter.
D. Use Cloud IAP to require users to authenticate before accessing BigQuery.
Answer: C

VPC Service Controls can enforce network-based access restrictions.

Why this answer

Option C is correct because VPC Service Controls are specifically designed to create a security perimeter around Google Cloud services like BigQuery, preventing data exfiltration and restricting access to only requests originating from within the defined perimeter. By placing the project containing the BigQuery dataset inside the VPC Service Controls perimeter and configuring ingress/egress rules, the team ensures that even a service account with BigQuery Data Viewer role cannot query the dataset from a non-VPC-SC-compliant network, as the API call is blocked at the Google Cloud edge before it reaches BigQuery.

Exam trap

Google Cloud often tests the distinction between IAM-based access control (who can access) and network-based perimeter control (from where they can access), and the trap here is that candidates confuse VPC Service Controls with Private Google Access or IAP, thinking that private connectivity or identity verification alone can enforce network origin restrictions.

How to eliminate wrong answers

Option A is wrong because Private Google Access and VPN tunnels enable on-premises access to Google Cloud APIs via private IP addresses, but they do not enforce that all access must originate from within the VPC Service Controls perimeter; they merely provide a private connectivity path, not a restriction on the source network. Option B is wrong because an Organization Policy restricting BigQuery access to service accounts with a specific prefix does not enforce network-level origin restrictions; it only controls which identities can access BigQuery, not from where they can access it, leaving the data vulnerable to queries from non-VPC-SC-compliant networks. Option D is wrong because Cloud IAP provides identity-aware access control for applications and SSH/RDP, but it does not integrate with BigQuery's API or enforce network perimeter restrictions; it cannot block API calls from a service account outside the VPC Service Controls perimeter.

93
MCQ · medium

Refer to the exhibit. A Terraform configuration applies an IAM binding with a condition. After applying this configuration, a member of the group data-scientists@example.com tries to query a BigQuery dataset on July 1, 2025. What will be the result?

A. Access is denied because the condition is no longer satisfied.
B. Access is denied because the condition is invalid after the date.
C. Access is granted because the IAM binding exists.
D. Access is granted and the condition is ignored after the date.
Answer: A

request.time is after the condition's timestamp, so the condition is false and the role is not granted.

Why this answer

The correct answer is A because the IAM binding includes a condition that restricts access based on a date/time attribute. On July 1, 2025, the condition is no longer satisfied (e.g., the condition might require the request to occur before a specific date, such as before June 30, 2025). When the condition evaluates to false, the IAM binding does not grant access, even though the binding itself exists and the user is a member of the group.

Exam trap

Google Cloud often tests the misconception that an IAM binding always grants access regardless of its condition, or that a condition becomes invalid after its date, rather than simply evaluating to false.

How to eliminate wrong answers

Option B is wrong because the condition is not 'invalid after the date'; it is a valid condition that simply evaluates to false after the specified date, which is a normal behavior for date-based conditions. Option C is wrong because the IAM binding exists but the condition attached to it must also be satisfied for access to be granted; the condition is not optional. Option D is wrong because the condition is never ignored; it is always evaluated, and if it evaluates to false, access is denied regardless of the binding's existence.

94
MCQ · hard

A large financial institution runs a critical application on Google Kubernetes Engine (GKE) clusters. Their security policy requires that all container images must be scanned for vulnerabilities and must come from a trusted artifact registry. They use Cloud Build to automatically build images from a CI/CD pipeline and push them to Artifact Registry. They want to enforce that only images that have passed vulnerability scanning and are signed can be deployed to the GKE cluster. Currently, they have set up Cloud Build to automatically tag images with a 'latest' tag on successful build, but they need a mechanism to prevent deployment of unsigned or vulnerable images. They also want to audit any attempts to deploy non-compliant images. What should they do?

A. Use Cloud NAT to control which images can be pulled by GKE nodes.
B. Configure GKE policy to only allow images from a specific Artifact Registry repository and enable vulnerability scanning.
C. Use Cloud IAP to block nodes from pulling non-compliant images.
D. Enable Binary Authorization on the GKE cluster, create Attestations for images that pass vulnerability scanning and signing in Cloud Build, and configure admission control to require attestations.
Answer: D

Binary Authorization enforces that only attested images can be deployed.

Why this answer

Option D is correct because combining Binary Authorization with attestations produced after vulnerability scanning and signing enables enforcement at admission time. Option A is incorrect because Cloud NAT is for outbound traffic, not image enforcement. Option B is incorrect because GKE policy does not natively enforce image signing or attestation requirements. Option C is incorrect because IAP is for access, not for image verification.

95
Multi-Select · medium

A company is using Cloud Run for a containerized application. They notice increased latency during peak hours. The operations team wants to identify the root cause. Which two steps should they take?

Select 2 answers
A. Enable Cloud Logging and use Logs Explorer to query request latency for each endpoint.
B. Use Cloud Profiler to continuously profile the application code and identify performance bottlenecks.
C. Implement Cloud Armor security policies to protect against DDoS attacks.
D. Set up a Cloud Monitoring dashboard to visualize CPU utilization for the Cloud Run service.
E. Enable VPC Flow Logs to analyze network traffic to and from the Cloud Run service.
Answers: A, B

Logs can show request latency, helping identify slow endpoints.

Why this answer

Option A is correct because Cloud Logging with Logs Explorer allows the operations team to query and analyze request latency per endpoint, which is essential for identifying which specific endpoints contribute to increased latency during peak hours. This granular visibility into request-level performance helps pinpoint the root cause of latency issues in a Cloud Run service.

Exam trap

Google Cloud often tests the distinction between monitoring (e.g., CPU utilization) and diagnostic tools (e.g., logging and profiling), leading candidates to choose a monitoring dashboard (Option D) when they need granular request-level analysis.

96
MCQ · easy

A company has a VPC with several subnets. They want to allow HTTP traffic from the internet to a web server in subnet-a, but block all other inbound traffic. What is the simplest firewall rule configuration?

A. Create an ingress rule allowing all tcp and udp traffic from 0.0.0.0/0.
B. Create an egress rule allowing tcp:80 from the internet to the web server.
C. Create an ingress rule allowing tcp:80 from 0.0.0.0/0 to instances with the 'web-server' tag. The implied deny all ingress rule blocks other traffic.
D. Create an ingress rule allowing tcp:80 from the web server's internal IP range. The implied deny all ingress rule blocks other traffic.
Answer: C

Correct: single rule with tag and source range, plus implied deny.

Why this answer

Option C is correct because it creates an ingress rule that explicitly allows TCP port 80 traffic from any source (0.0.0.0/0) to instances tagged 'web-server'. Every Google Cloud VPC network has an implied deny-all ingress rule, so only explicitly allowed inbound traffic is permitted. This configuration satisfies the requirement to allow HTTP from the internet while blocking all other inbound traffic without needing additional rules.

Exam trap

Google Cloud often tests the distinction between ingress and egress rules, and the trap here is that candidates mistakenly think an egress rule (Option B) can control inbound traffic, or that restricting to internal IPs (Option D) is sufficient for internet access.

How to eliminate wrong answers

Option A is wrong because allowing all TCP and UDP traffic from 0.0.0.0/0 would permit all inbound traffic, not just HTTP, violating the requirement to block other traffic. Option B is wrong because an egress rule controls outbound traffic from the web server, not inbound traffic from the internet; the requirement is to allow inbound HTTP, which requires an ingress rule. Option D is wrong because it restricts HTTP traffic to the web server's internal IP range, which would block legitimate internet traffic (since internet clients do not originate from that internal range), failing to allow HTTP from the internet.
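To see why only option C satisfies the requirement, the following added example (not part of the original question bank) simulates how VPC firewall ingress rules are matched by priority, with the implied deny-all ingress rule as the fallback, and runs the rule sets from options A, C and D over constructed sample traffic. The subnet range 10.0.1.0/24, the client address and the instance tags are assumptions.

```python
"""Simulate Google Cloud VPC firewall ingress evaluation for the rule sets in
options A, C and D above. Constructed example for illustration: it models
first-match-by-priority plus the implied deny-all-ingress rule, not Google's
actual implementation."""
import ipaddress
from dataclasses import dataclass, field

IMPLIED_DENY_INGRESS = "implied-deny-all-ingress"  # priority 65535 in GCP, always last


@dataclass
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    source_ranges: list           # CIDR strings, e.g. "0.0.0.0/0"
    protocols: dict               # {"tcp": {80}}; an empty port set means all ports
    target_tags: set = field(default_factory=set)  # empty set = applies to all instances
    priority: int = 1000          # lower number = evaluated first


@dataclass
class Packet:
    src_ip: str
    protocol: str
    dst_port: int
    instance_tags: set            # network tags on the receiving instance


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    src = ipaddress.ip_address(pkt.src_ip)
    if not any(src in ipaddress.ip_network(cidr) for cidr in rule.source_ranges):
        return False
    if rule.target_tags and not (rule.target_tags & pkt.instance_tags):
        return False
    if pkt.protocol not in rule.protocols:
        return False
    ports = rule.protocols[pkt.protocol]
    return not ports or pkt.dst_port in ports


def evaluate_ingress(rules: list, pkt: Packet) -> tuple:
    """Return (action, matching rule name); unmatched traffic hits the implied deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "deny", IMPLIED_DENY_INGRESS


# The three candidate rule sets from the question (constructed from the option text).
OPTION_A = [Rule("allow-all-tcp-udp", "allow", ["0.0.0.0/0"], {"tcp": set(), "udp": set()})]
OPTION_C = [Rule("allow-http-web", "allow", ["0.0.0.0/0"], {"tcp": {80}}, {"web-server"})]
OPTION_D = [Rule("allow-http-internal", "allow", ["10.0.1.0/24"], {"tcp": {80}}, {"web-server"})]

# Constructed traffic: an internet client (TEST-NET address) and a peer in subnet-a.
PACKETS = {
    "internet-http-to-web": Packet("203.0.113.7", "tcp", 80, {"web-server"}),
    "internet-ssh-to-web": Packet("203.0.113.7", "tcp", 22, {"web-server"}),
    "internet-http-to-db": Packet("203.0.113.7", "tcp", 80, {"db"}),
    "internal-http-to-web": Packet("10.0.1.25", "tcp", 80, {"web-server"}),
}


def verdicts(rules: list) -> dict:
    """Map each sample packet name to the allow/deny outcome under the given rules."""
    return {name: evaluate_ingress(rules, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("A", OPTION_A), ("C", OPTION_C), ("D", OPTION_D)):
        print(f"Option {label}: {verdicts(rules)}")
```

Option A lets the SSH probe through, option D blocks the internet HTTP client, and only option C allows exactly the internet HTTP traffic while the implied deny catches everything else.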

97
MCQ · hard

A large enterprise runs analytics workloads on BigQuery containing sensitive financial data. They have implemented VPC Service Controls (VPC SC) to create a perimeter around the BigQuery dataset, allowing access only from a specific VPC network. Despite this, security auditors discovered that data was accessed from an IP address outside the perimeter. After investigation, they found the access originated from a user's personal laptop using the Google Cloud Console. The company's security policy requires that sensitive data can only be accessed from corporate-managed devices. What should they do to prevent this type of access?

A. Enable Cloud Data Loss Prevention (DLP) to automatically redact sensitive data before it is displayed in the console.
B. Reconfigure the VPC Service perimeter to use a more restrictive set of allowed IP ranges.
C. Activate Access Transparency logs and create a log-based alert to notify security of anomalous access.
D. Add a context-aware access level to the VPC Service perimeter that requires a corporate device policy (e.g., OS version, disk encryption).
Answer: D

This enforces device trust, blocking access from non-corporate devices while still respecting the VPC SC perimeter.

Why this answer

Option D is correct because VPC Service Controls can integrate with Access Context Manager to enforce context-aware access levels. By adding a level that requires a corporate device policy (e.g., verified OS version, disk encryption status), access from unmanaged personal laptops is blocked at the perimeter boundary, even if the user is authenticated. This directly addresses the security policy requirement that sensitive data must only be accessible from corporate-managed devices.

Exam trap

The trap here is that candidates confuse logging/monitoring (Option C) or data masking (Option A) with preventive access control, or they assume IP-based restrictions (Option B) are sufficient when the real requirement is device identity enforcement.

How to eliminate wrong answers

Option A is wrong because Cloud DLP redacts or masks sensitive data in the dataset itself, but it does not prevent access from unauthorized devices or IPs; the data is still accessible from the personal laptop, just with redacted content, which violates the security policy. Option B is wrong because reconfiguring the VPC Service perimeter to use a more restrictive set of allowed IP ranges would not block access from a personal laptop if the laptop is using a corporate VPN or if the user is accessing via the Google Cloud Console from an IP that falls within the allowed range; the issue is device identity, not IP address. Option C is wrong because Access Transparency logs and log-based alerts only provide visibility into access events after they occur; they do not prevent the access from happening in the first place, which is the requirement.

98
MCQ · easy

You are configuring a new VPC network with a private subnet for Compute Engine instances that need to access the internet for updates. Which configuration is the simplest and most secure?

A. Create a default VPC firewall rule that allows all egress traffic and assign only internal IPs to instances.
B. Configure Cloud NAT to provide outbound internet access for the instances and create a firewall rule that blocks inbound traffic from the internet.
C. Use a managed instance group with a proxy instance that has an external IP, and route traffic through the proxy.
D. Assign static external IP addresses to each instance and configure firewall rules to allow egress.
Answer: B

Cloud NAT provides secure outbound-only internet access without exposing instance IPs.

Why this answer

Option B is correct because Cloud NAT allows instances without external IPs to access the internet for outbound connections, while the firewall rule prevents inbound traffic. Option A is incorrect because firewall rules allowing all egress are less secure than NAT. Option C is incorrect because routing through a proxy instance adds complexity and a single point of failure. Option D is incorrect because assigning external IPs to each instance increases the attack surface and is less secure.

99
MCQ · easy

A security engineer needs to grant a data analyst read-only access to a BigQuery dataset containing customer data, but must prevent the analyst from viewing or querying a specific column that contains personally identifiable information (PII). Which approach should the engineer use?

A. Use BigQuery column-level security with a policy tag on the PII column, and assign the analyst a role that denies access to that tag.
B. Grant the analyst the roles/bigquery.user role, and use IAM conditions to deny access to the PII column.
C. Create a row-level access policy on the table that denies access to rows containing PII.
D. Grant the analyst the BigQuery Data Viewer role on the dataset, and create an authorized view that excludes the PII column.
Answer: A

Policy tags can restrict access to specific columns based on IAM conditions.

Why this answer

Option A is correct because BigQuery column-level security uses policy tags to control access at the column level. By assigning a policy tag to the PII column and then granting the analyst a role that explicitly denies access to that tag (e.g., using a deny role or IAM deny policies), the analyst can query the dataset but will be blocked from viewing or querying the tagged column. This approach directly meets the requirement of read-only access while preventing access to the specific PII column.

Exam trap

Google Cloud often tests the distinction between column-level security (policy tags) and row-level security (row-level access policies), and the trap here is that candidates may confuse row-level filtering with column-level restriction, or assume that an authorized view is sufficient without considering that the underlying table remains accessible via the dataset-level role.

How to eliminate wrong answers

Option B is wrong because the roles/bigquery.user role does not provide fine-grained column-level control; IAM conditions can restrict access based on resource properties but cannot deny access to a specific column within a table. Option C is wrong because row-level access policies filter rows based on conditions, not columns; they cannot prevent access to a specific column across all rows. Option D is wrong because creating an authorized view that excludes the PII column would require granting the analyst the BigQuery Data Viewer role on the dataset, which would give them access to all tables in the dataset, including the original table with the PII column; the authorized view only controls access to the view itself, not the underlying table.

100
MCQ · easy

A company is experiencing high latency on their HTTPS Load Balancer. Which action is most likely to resolve the issue?

A. Increase the machine type of the backend instances
B. Verify that the backend instances pass health checks
C. Modify the SSL policy for the load balancer
D. Add more backend instances in additional zones
Answer: B

Unhealthy backends cause the load balancer to retry or route to other instances, increasing latency. Fixing health checks is a primary step.

Why this answer

Option B is correct because health check failures can cause traffic to be routed to unhealthy backends, leading to latency. Option A is wrong because increasing instance size may help but is not the first step. Option D is wrong because adding more zones distributes load but doesn't address underlying health. Option C is wrong because changing the SSL policy affects encryption, not latency.

101
MCQ · medium

A multinational corporation must store all data subject to GDPR in the European Union. They have multiple projects and want to enforce this at the organization level. Which approach should they use to prevent resource creation outside allowed locations?

A. Configure VPC Service Controls to limit network traffic to EU regions
B. Use Cloud Deployment Manager to deploy resources only in EU regions
C. Apply Organization Policy constraints (constraints/gcp.resourceLocations) with allowed regions in EU
D. Enable Cloud Audit Logs to monitor resource locations and alert on violations
Answer: C

The Organization Policy resourceLocations constraint prevents resource creation outside specified regions, enforcing compliance across all projects.

Why this answer

Organization policies provide centralized control to constrain resource locations, ensuring all projects under the organization adhere to the data residency requirement.

102
MCQ · hard

A security administrator needs to audit all changes to IAM policies across the organization. They want to detect when a policy binding is added that grants a sensitive role to a user outside the organization. What is the most efficient method?

A. Use Cloud Asset Inventory to monitor IAM policy changes and trigger Cloud Functions.
B. Create a log sink to export Admin Activity audit logs to BigQuery and run queries for setIamPolicy events.
C. Enable Data Access audit logs for all services and filter for policy changes.
D. Set up VPC Service Controls to prevent external access.
Answer: B

Admin Activity logs include all IAM policy changes; BigQuery enables efficient querying to find specific bindings.

Why this answer

Option B is correct because Admin Activity audit logs capture all setIamPolicy calls, and exporting them to BigQuery allows for powerful querying to detect specific changes. Option A is incorrect because Cloud Asset Inventory can monitor policy changes, but setting up feeds and triggers is more complex. Option C is incorrect because Data Access audit logs are for data access, not admin changes. Option D is incorrect because VPC Service Controls are for perimeter security, not auditing.
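The detection the question describes, as an added example that is not part of the original question bank: it walks constructed Admin Activity entries for setIamPolicy calls and flags any added binding that grants a watch-listed role to a principal outside the organization's domain. The entries use the `protoPayload.serviceData.policyDelta.bindingDeltas` layout that Resource Manager IAM changes carry (assumed here); the domain `example.com`, the role list and all sample values are constructed.

```python
"""Flag SetIamPolicy audit-log entries that grant a sensitive role to a principal
outside the organization. Constructed example: the same logic applies whether the
entries come from Logs Explorer or from rows a log sink exported to BigQuery."""
import json

ORG_DOMAINS = {"example.com"}          # constructed: the organization's identity domains
SENSITIVE_ROLES = {                    # constructed watch-list of high-privilege roles
    "roles/owner",
    "roles/editor",
    "roles/iam.securityAdmin",
    "roles/resourcemanager.organizationAdmin",
}


def member_is_external(member: str) -> bool:
    """True if an IAM member string is a public principal or one outside ORG_DOMAINS."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    kind, _, principal = member.partition(":")
    if kind == "domain":
        return principal.lower() not in ORG_DOMAINS
    if kind in ("user", "group"):
        return principal.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS
    # Service accounts belong to a project rather than a domain; they are outside the
    # "user outside the organization" check this example implements and are not flagged.
    return False


def find_external_sensitive_grants(entries: list) -> list:
    """Return one finding per ADD binding delta that grants a sensitive role externally."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        # Resource Manager logs the method as "SetIamPolicy"; match case-insensitively.
        if not payload.get("methodName", "").lower().endswith("setiampolicy"):
            continue
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            if delta.get("action") != "ADD":
                continue  # removals never widen access
            if delta.get("role") in SENSITIVE_ROLES and member_is_external(delta.get("member", "")):
                findings.append({
                    "timestamp": entry.get("timestamp"),
                    "resource": payload.get("resourceName"),
                    "role": delta["role"],
                    "member": delta["member"],
                    "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                })
    return findings


# Constructed sample log entries, trimmed to the fields the detection reads.
SAMPLE_LOG = json.loads("""[
  {"timestamp": "2025-07-01T09:12:03Z",
   "protoPayload": {"methodName": "SetIamPolicy",
     "resourceName": "projects/analytics-prod",
     "authenticationInfo": {"principalEmail": "admin@example.com"},
     "serviceData": {"policyDelta": {"bindingDeltas": [
       {"action": "ADD", "role": "roles/owner", "member": "user:contractor@gmail.com"},
       {"action": "ADD", "role": "roles/viewer", "member": "user:partner@partner.example"},
       {"action": "REMOVE", "role": "roles/editor", "member": "user:former@gmail.com"}]}}}},
  {"timestamp": "2025-07-01T10:30:41Z",
   "protoPayload": {"methodName": "SetIamPolicy",
     "resourceName": "projects/analytics-prod",
     "authenticationInfo": {"principalEmail": "admin@example.com"},
     "serviceData": {"policyDelta": {"bindingDeltas": [
       {"action": "ADD", "role": "roles/editor", "member": "group:data-eng@example.com"}]}}}},
  {"timestamp": "2025-07-01T11:02:17Z",
   "protoPayload": {"methodName": "storage.objects.get",
     "resourceName": "projects/_/buckets/phi-exports/objects/claims.csv"}}
]""")

if __name__ == "__main__":
    for finding in find_external_sensitive_grants(SAMPLE_LOG):
        print(finding)
```

Only the roles/owner grant to the gmail.com user is reported: the viewer grant is not on the watch-list, the editor grant goes to an in-domain group, and the removal and the storage read are ignored.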

103
MCQ · hard

Your Cloud SQL PostgreSQL instance is experiencing high replication lag between primary and read replica. You have verified the network and instance metrics. What is a likely cause?

A. The replica is using a different machine type
B. Long-running queries on the replica
C. The replica has point-in-time recovery enabled
D. The primary has automated backups enabled
Answer: B

Long-running queries on the replica can hold locks and prevent replay of WAL from the primary.

Why this answer

Long-running queries on the replica can block the apply process, increasing lag. Other options do not directly affect replication lag.

104
MCQ · medium

A company runs a critical application on Compute Engine instances in a managed instance group (MIG) behind an external TCP/UDP Network Load Balancer. The security team requires that all traffic to the instances be inspected by a third-party next-generation firewall (NGFW) that is not yet deployed. Which architecture should the security engineer implement to meet the requirement with minimal disruption to traffic?

A. Deploy the NGFW as a Compute Engine instance in a separate instance group, and configure the load balancer to forward traffic to that instance group, which then forwards to the MIG.
B. Change the load balancer type to Internal TCP/UDP Load Balancer and route traffic through the NGFW.
C. Replace the Network Load Balancer with a proxy-based load balancer that can integrate with the NGFW via Traffic Director.
D. Use Cloud NAT and route all egress traffic through the NGFW.
Answer: A

This allows traffic inspection while preserving the load balancer frontend.

Why this answer

Option A is correct because it inserts the NGFW as a middlebox in the traffic path without changing the existing load balancer or instance group configuration. The external TCP/UDP Network Load Balancer forwards traffic to the NGFW instance group, which then inspects and forwards packets to the backend MIG. This preserves the original client IP via proxy protocol or encapsulation, meets the security requirement, and minimizes disruption by avoiding reconfiguration of the existing MIG or load balancer type.

Exam trap

Google Cloud often tests the misconception that you can simply change the load balancer type or use Cloud NAT to inspect ingress traffic, when in fact those solutions address different traffic directions or protocol requirements, and the correct approach is to insert the NGFW as a middlebox in the forwarding path without altering the existing load balancer or MIG configuration.

How to eliminate wrong answers

Option B is wrong because changing to an Internal TCP/UDP Load Balancer would make the application inaccessible from the internet, as internal load balancers only handle traffic within a VPC. Option C is wrong because replacing the Network Load Balancer with a proxy-based load balancer (e.g., HTTPS Load Balancer) would change the traffic type from TCP/UDP to HTTP/HTTPS, breaking the application if it uses non-HTTP protocols, and Traffic Director integrates with service mesh, not NGFW middlebox inspection. Option D is wrong because Cloud NAT handles only egress traffic from instances to the internet, not ingress traffic from clients to the application, so it cannot inspect incoming traffic from the load balancer.

105
MCQ · easy

A healthcare company subject to HIPAA must prevent data exfiltration from Google Cloud storage buckets. They already use VPC Service Controls. Which additional control should they configure to directly block unauthorized copying of data to external projects?

A. Enable Cloud Data Loss Prevention (DLP) scanning
B. Use Cloud Audit Logs to review access
C. Apply Cloud Identity-Aware Proxy (IAP) to buckets
D. Configure egress rules in the VPC Service Controls perimeter
Answer: D

Egress rules define allowed destinations for data leaving the perimeter, directly preventing exfiltration to external projects.

Why this answer

VPC Service Controls allow you to define perimeters that restrict data movement between authorized and unauthorized projects. By configuring egress rules within the perimeter, you can explicitly block copying data to external projects, directly preventing data exfiltration. This is the correct additional control because it enforces policy at the network boundary, not just at the application or storage layer.

Exam trap

Google Cloud often tests the distinction between detective controls (like audit logs) and preventive controls (like VPC Service Controls egress rules), leading candidates to choose Cloud Audit Logs because they think logging alone can stop exfiltration.

How to eliminate wrong answers

Option A is wrong because Cloud DLP is a content inspection and classification tool, not a network-level enforcement mechanism; it can detect sensitive data but cannot block data transfer to external projects. Option B is wrong because Cloud Audit Logs provide visibility into who accessed what and when, but they do not actively block or prevent data exfiltration. Option C is wrong because Cloud Identity-Aware Proxy (IAP) controls access to applications and VMs via identity and context, not to Cloud Storage buckets; IAP does not apply to GCS buckets and cannot restrict data copying between projects.

106
MCQ · medium

A company uses BigQuery to store analytics data. They need to restrict access to specific rows based on the user's department. What should they implement?

A. Column-level security
B. Row-level security using authorized views
C. Data Catalog tags
D. IAM conditions on BigQuery datasets
Answer: B

Authorized views can include row-level filters, such as filtering by the user's department.

Why this answer

Authorized views in BigQuery can filter rows based on the user's identity or other context. Column-level security is for columns, not rows. IAM conditions cannot restrict rows. Data Catalog is for metadata.

107
MCQ · medium

A company uses Binary Authorization for their GKE clusters. They want to ensure that only images signed by their internal CI/CD system can be deployed. Which IAM role is required for the CI/CD service account to attach attestations?

A. roles/binaryauthorization.attestorsViewer
B. roles/container.developer
C. roles/cloudkms.signerVerifier
D. roles/binaryauthorization.attestorsEditor
Answer: D

Grants the binaryauthorization.attestations.create permission needed to attach attestations.

Why this answer

The correct answer is D because the `roles/binaryauthorization.attestorsEditor` IAM role grants the necessary permissions to create and manage attestations, including the `binaryauthorization.attestors.attest` permission required for a CI/CD service account to attach an attestation to a container image. Without this role, the service account cannot create a signed attestation that Binary Authorization will accept during admission control.

Exam trap

Google Cloud often tests the distinction between roles that grant read access to attestors (like `attestorsViewer`) versus roles that grant the ability to create attestations (like `attestorsEditor`), and candidates may confuse the `container.developer` role as sufficient because it allows deploying containers, but it lacks the specific Binary Authorization attestation permission.

How to eliminate wrong answers

Option A is wrong because `roles/binaryauthorization.attestorsViewer` only provides read-only access to attestors and their public keys, not the ability to create or attach attestations. Option B is wrong because `roles/container.developer` grants permissions to deploy and manage GKE clusters and workloads, but does not include the `binaryauthorization.attestors.attest` permission needed to attach attestations. Option C is wrong because `roles/cloudkms.signerVerifier` is used for signing and verifying operations with Cloud Key Management Service (KMS) keys, but it does not grant the specific Binary Authorization attestation permissions required to attach an attestation to an image.

108
MCQ · hard

A company has a Cloud Storage bucket containing sensitive data. They want to ensure that only users with specific IAM roles can access the bucket, and that access is logged for audit purposes. They also want to prevent public access. Which configuration steps should they take?

A. Use IAM roles only and enable Cloud Audit Logs, but keep ACLs enabled.
B. Use VPC Service Controls and enable Cloud Audit Logs.
C. Enable uniform bucket-level access, set IAM policies, and enable Cloud Audit Logs.
D. Enable fine-grained access using ACLs and enable Cloud Audit Logs.
Answer: C

Uniform bucket-level access disables ACLs and relies solely on IAM, and audit logs track access.

Why this answer

Option C is correct because enabling uniform bucket-level access disables ACLs, forcing all access decisions to be made by IAM policies alone, which simplifies permission management and prevents public access. Setting IAM policies ensures only users with specific roles can access the bucket, and enabling Cloud Audit Logs captures all access requests for audit purposes. This combination meets all requirements: no public access, role-based access control, and logging.

Exam trap

Google Cloud often tests the misconception that ACLs are still needed for granular control, but uniform bucket-level access combined with IAM is the modern, secure approach that prevents public access and simplifies auditing.

How to eliminate wrong answers

Option A is wrong because keeping ACLs enabled alongside IAM roles can allow public access if ACLs grant allUsers or allAuthenticatedUsers permissions, and ACLs can override IAM policies, creating a security gap. Option B is wrong because VPC Service Controls restrict data exfiltration and access based on VPC context but do not directly control bucket-level IAM permissions or prevent public access via ACLs; they are a perimeter security control, not a substitute for IAM and uniform access. Option D is wrong because fine-grained ACLs can inadvertently allow public access (e.g., via allUsers) and are harder to audit consistently; uniform bucket-level access is the recommended approach for sensitive data.

109
MCQ · medium

An organization has multiple Google Cloud projects and wants to enforce a policy that all new projects automatically have a specific set of IAM roles bound to an internal audit group at the project level. Which approach should be taken?

A. Define a custom role with the necessary permissions and assign it to the audit group at the organization level.
B. Configure Audit Logs to alert when new projects are created without the audit group.
C. Create an Organization Policy with a custom constraint that requires specific IAM bindings on all projects.
D. Add the audit group to the organization node with the desired roles, and rely on inheritance for all new projects.
Answer: C

Organization policies with custom constraints can enforce IAM bindings on new projects using the constraints/iam.allowedPolicyMemberDomains or custom constraints via the Cloud Asset API.

Why this answer

Option C is correct because Organization Policies with custom constraints allow you to enforce that specific IAM bindings must exist on all projects within the organization. This ensures that every new project automatically includes the audit group with the required roles, as the policy is evaluated at project creation time and enforced by the Resource Manager service.

Exam trap

The trap here is that candidates often confuse IAM inheritance with policy enforcement, assuming that adding the audit group at the organization level (Option D) automatically binds the roles to all projects, when in fact inheritance only applies to roles granted at the organization node, not to project-level bindings, and can be overridden by project-level IAM changes.

How to eliminate wrong answers

Option A is wrong because assigning a custom role at the organization level does not enforce that the role is bound to the audit group on every new project; it only makes the role available, not mandatory. Option B is wrong because Audit Logs only provide notification after a project is created without the audit group, they do not prevent the violation or enforce the policy proactively. Option D is wrong because IAM roles assigned at the organization node are inherited by all projects, but this inheritance applies only to roles granted directly to the audit group at the organization level, not to specific project-level bindings; moreover, inheritance does not guarantee that the audit group is bound at the project level for all resources, and it can be overridden by project-level policies.

110
MCQ · hard

A company uses Forseti Security to monitor their GCP environment for compliance violations. They want to automatically enforce policies that prevent the deployment of resources without required labels. What should they do?

A. Use Forseti Config Validator with a deny policy that blocks creation of resources without required labels
B. Configure Forseti Inventory to scan and report resources missing labels, then manually delete them
C. Enable VPC Service Controls to restrict projects without labels from accessing resources
D. Use Cloud Asset Inventory to trigger Cloud Functions that delete resources missing labels
Answer: A

Config Validator can enforce policies using constraints that deny resource creation if labels are missing, using Organization Policy constraints or Forseti's own enforcement.

Why this answer

Forseti Config Validator can enforce policies at deployment time by using a deny policy that blocks resource creation if required labels are missing. This is the correct approach because it prevents non-compliant resources from being created in the first place, rather than detecting and remediating them after the fact.

Exam trap

The trap here is confusing reactive detection and remediation (Inventory, Cloud Asset Inventory, Cloud Functions) with proactive enforcement (Config Validator), leading candidates to choose options that only report or clean up violations instead of preventing them.

How to eliminate wrong answers

Option B is wrong because Forseti Inventory only scans and reports resources missing labels; it does not automatically enforce policies or block deployments, and manual deletion is not automated enforcement. Option C is wrong because VPC Service Controls are designed to control data exfiltration and access between projects, not to enforce labeling requirements on resource creation. Option D is wrong because Cloud Asset Inventory is a discovery and monitoring service, not a policy enforcement engine; triggering Cloud Functions to delete resources is a reactive, not preventive, approach and does not block deployment.

111
MCQeasy

Refer to the exhibit. A security engineer runs the following command to check encryption settings on a Cloud Storage bucket. What does the output indicate about encryption?

A.The bucket uses customer-supplied encryption keys (CSEK).
B.The bucket has no default encryption.
C.The bucket uses Google-managed encryption keys.
D.The bucket uses a customer-managed encryption key (CMEK).
AnswerD

The key path shows a CMEK key.

Why this answer

The output shows `default_kms_key_name` is set to a Cloud KMS key resource name (e.g., `projects/<project>/locations/<location>/keyRings/<keyring>/cryptoKeys/<key>`), which indicates the bucket uses a customer-managed encryption key (CMEK). CMEK allows you to control and manage the key via Cloud KMS, while Google manages the underlying encryption operations.

Exam trap

Google Cloud often tests the distinction between default encryption (CMEK or GMEK) and per-object encryption (CSEK), trapping candidates who confuse a configured default KMS key with the absence of encryption or with customer-supplied keys.

How to eliminate wrong answers

Option A is wrong because customer-supplied encryption keys (CSEK) are provided per-object in the request header, not configured as a default on the bucket; the output shows a default KMS key, not per-object key supply. Option B is wrong because the presence of `default_kms_key_name` explicitly indicates a default encryption configuration is set, not absent. Option C is wrong because Google-managed encryption keys (GMEK) are the default when no `default_kms_key_name` is specified; the output shows a KMS key name, meaning the bucket is not using GMEK.

112
MCQhard

A company uses a multi-region Cloud Storage bucket for disaster recovery of critical data. They want to prevent accidental deletion of objects by requiring that objects be retained for at least 7 days after creation, and any attempt to delete or overwrite an object during that period must fail. Which configuration meets these requirements?

A.Enable object versioning and set a lifecycle rule to delete old versions after 7 days.
B.Set a bucket lock with a retention policy of 7 days and lock the bucket.
C.Set a retention policy for 7 days and apply object holds to all objects at upload time.
D.Use a lifecycle rule to delete objects that are less than 7 days old as a way to block deletion.
AnswerC

Object holds prevent deletion until released; combined with retention policy ensures minimum duration.

Why this answer

Option C is correct because a retention policy combined with object holds ensures the minimum retention period. Option B is incorrect because bucket lock is for permanent immutability, not flexible retention. Option A is incorrect because versioning alone does not prevent deletion; it allows recovery but does not block deletion.

Option D is incorrect because lifecycle management only transitions or deletes objects based on age; it does not prevent deletion.

113
MCQhard

A company is using a Shared VPC in Google Cloud with multiple service projects. The security team wants to restrict egress traffic from a specific service project to only allowed external IP addresses. The network project hosts the VPC. What is the best approach?

A.Use Private Google Access to restrict egress.
B.Use VPC Service Controls to restrict egress.
C.Create a firewall rule in the service project's VPC that denies egress.
D.Create a firewall rule in the host project that denies egress to all destinations except the allowed IPs, and apply it to the service project's VMs via service accounts.
AnswerD

Firewall rules in the host project can target service project VMs by service account.

Why this answer

In a Shared VPC, firewall rules are defined in the host project and apply to VM instances in service projects. Option D correctly creates a deny-all egress rule in the host project, then uses a higher-priority allow rule for specific external IPs, scoped to service accounts of the target VMs. This ensures egress traffic from the specific service project is restricted at the VPC firewall level, which is the only effective way to control outbound traffic in a Shared VPC architecture.

Exam trap

Google Cloud often tests the misconception that firewall rules can be created in service projects within a Shared VPC, but the correct understanding is that all firewall rules must be managed in the host project, and service accounts are the mechanism to scope rules to specific VMs.

How to eliminate wrong answers

Option A is wrong because Private Google Access only allows on-premises or VM instances to reach Google APIs and services using internal IPs, not restrict egress to external IPs. Option B is wrong because VPC Service Controls protect Google-managed services (like Cloud Storage) by creating perimeters, not by controlling egress traffic from VMs to arbitrary external IP addresses. Option C is wrong because in a Shared VPC, firewall rules cannot be created in the service project's VPC; the service project does not own the VPC, and all firewall rules must be defined in the host project.

114
Multi-Selecthard

An organization wants to ensure that all service accounts used by Compute Engine instances have the minimal permissions required. Which TWO practices should be implemented? (Choose 2)

Select 2 answers
A.Attach service accounts to instances using the gcloud compute instances set-service-account command after creation.
B.Use the default compute service account and restrict its scopes.
C.Use Access Transparency to audit service account usage.
D.Create custom service accounts with only the needed roles.
E.Disable service account key creation for service accounts.
AnswersD, E

Custom service accounts allow fine-grained permissions.

Why this answer

Options D and E are correct. Creating custom service accounts with only the needed roles (D) ensures minimal permissions. Disabling service account key creation (E) reduces the risk of key exposure.

Option B is incorrect because the default compute service account often has excessive permissions. Option C is incorrect because Access Transparency is for auditing Google support access. Option A is incorrect because attaching a service account after instance creation is possible but not a best practice for minimal permissions; it should be assigned at creation.

115
MCQeasy

A financial services company must comply with PCI DSS requirements for encryption key management. They want to use Google-managed keys with automatic rotation. Which key management solution should they choose?

A.Customer-supplied encryption keys (CSEK)
B.Cloud KMS with CMEK (Customer-Managed Encryption Keys)
C.Google-managed encryption keys (default)
D.Cloud HSM
AnswerB

CMEK lets customers create, manage, and rotate keys in Cloud KMS, meeting PCI DSS requirements for key management and rotation.

Why this answer

Option B (Cloud KMS with CMEK) is correct because it allows the company to use Google-managed keys with automatic rotation while retaining control over the key material. CMEK keys are created and managed in Cloud KMS, but the actual cryptographic operations are performed by Google's key management infrastructure, and automatic rotation can be configured (e.g., every 90 days) to meet PCI DSS rotation requirements. This provides a balance between compliance control and operational simplicity.

Exam trap

Google Cloud often tests the distinction between key management (Cloud KMS with CMEK) and key hosting (Cloud HSM), tricking candidates into selecting Cloud HSM because it sounds more secure, even though the question explicitly asks for a solution with automatic rotation and managed keys.

How to eliminate wrong answers

Option A (CSEK) is wrong because CSEK requires the customer to supply their own key material and manage rotation manually, which does not satisfy the requirement for automatic rotation. Option C (Google-managed encryption keys, default) is wrong because these keys are fully managed by Google with no customer control over rotation schedule or key material, failing PCI DSS requirements for documented key management responsibilities. Option D (Cloud HSM) is wrong because while it provides FIPS 140-2 Level 3 validated hardware security modules, it is a key hosting option, not a key management solution with automatic rotation; CMEK can use Cloud HSM as a backing key store, but Cloud HSM alone does not provide the automatic rotation feature.

116
MCQeasy

A company has a VPC with several subnets. They want to restrict traffic between instances in the same subnet using firewall rules while allowing traffic from a specific load balancer health check range. What is the best approach?

A.Create an ingress firewall rule denying all traffic from the subnet CIDR, then create a higher priority rule allowing traffic from the health check range.
B.Use hierarchical firewall policies to enforce the rule at the organization level.
C.Use VPC firewall rules with target tags to apply rules only to instances that need health checks.
D.Create a firewall rule that allows only health check traffic and deny all other ingress by default using implied deny.
AnswerD

This leverages the implied deny rule at the end of the firewall evaluation, ensuring that only allowed health check traffic is permitted, and all other traffic is denied by default.

Why this answer

Option D is correct because GCP VPC firewall rules have an implied deny at the end; therefore, allowing only the health check traffic and relying on the implied deny for other traffic is the simplest and most secure approach. Option A is incorrect because a deny rule with higher priority than an allow rule would block the allowed traffic. Option C is incorrect because target tags are useful but do not directly address restricting internal subnet traffic.

Option B is incorrect because hierarchical policies are for organization-level rules, not for this specific subnet restriction.

117
MCQeasy

A company needs to ensure that all data stored in Cloud Storage is encrypted using a key that is rotated every 30 days. Which encryption option should they choose to meet this requirement with automated rotation?

A.Cloud External Key Manager (EKM)
B.Customer-Managed Encryption Key (CMEK) using Cloud KMS
C.Google-managed encryption keys
D.Customer-Supplied Encryption Key (CSEK)
AnswerB

CMEK allows customers to set a rotation period (e.g., 30 days) and KMS handles automatic rotation.

Why this answer

Option B is correct because Customer-Managed Encryption Keys (CMEK) with Cloud KMS allow you to control and rotate encryption keys on a schedule. Cloud KMS supports automatic key rotation with a configurable rotation period (e.g., every 30 days), meeting the requirement without manual intervention.

Exam trap

The trap here is that candidates confuse CMEK (which supports automated rotation) with CSEK (which requires manual key management and does not support rotation), leading them to choose D thinking they have more control, but CSEK lacks the automated rotation feature needed for this requirement.

How to eliminate wrong answers

Option A is wrong because Cloud External Key Manager (EKM) lets you manage keys outside Google Cloud, but it does not provide automated rotation within Cloud KMS; rotation must be handled externally. Option C is wrong because Google-managed encryption keys are rotated automatically by Google, but you cannot control the rotation schedule or set it to exactly 30 days. Option D is wrong because Customer-Supplied Encryption Keys (CSEK) require you to supply the key with each API call and do not support automated rotation; you must manually rotate and re-encrypt data.

118
MCQeasy

A healthcare organization must store protected health information (PHI) in Google Cloud and ensure compliance with HIPAA. They need to prevent data from being stored outside the United States. Which Google Cloud product should they use to enforce this requirement?

A.Cloud Healthcare API
B.Organization Policy
C.VPC Service Controls
D.Cloud Data Loss Prevention (DLP) API
AnswerB

Organization Policies with constraints like constraints/gcp.resourceLocations can restrict resources to specific regions.

Why this answer

Organization Policy allows you to define and enforce constraints on Google Cloud resources at the organization, folder, or project level. The `constraints/gcp.resourceLocations` constraint can be used to restrict the locations where resources (and therefore data) can be created, ensuring PHI remains within the United States to meet HIPAA requirements.

Exam trap

Google Cloud often tests the distinction between data residency enforcement (Organization Policy) and data exfiltration prevention (VPC Service Controls), leading candidates to confuse the two when the question focuses on storage location restrictions.

How to eliminate wrong answers

Option A is wrong because Cloud Healthcare API is a managed service for ingesting and managing healthcare data, but it does not enforce geographic restrictions on data storage. Option C is wrong because VPC Service Controls create a security perimeter around Google Cloud services to prevent data exfiltration, but they do not restrict the geographic location where data is stored. Option D is wrong because Cloud Data Loss Prevention (DLP) API is used to inspect, classify, and de-identify sensitive data, not to enforce data residency policies.

119
MCQhard

A company uses Cloud Identity-Aware Proxy (IAP) to secure access to their web applications. They notice that some users are able to access the application even though they are not in the IAP access policy. What could be the cause?

A.The users have been granted the 'roles/iap.httpsResourceAccessor' role at the folder level.
B.The load balancer is not using HTTPS.
C.The users are using a service account that has the 'roles/iap.httpsResourceAccessor' role.
D.The backend service has an external IP address and firewall rule allowing public access.
AnswerD

Direct access to the backend bypasses IAP, allowing unauthorized users.

Why this answer

Option D is correct because if the backend service has an external IP address and a firewall rule allowing public access, users can bypass IAP entirely. Option A would actually grant legitimate access. Option B would cause IAP to fail for all users.

Option C is a legitimate way to grant access.

120
MCQmedium

A company uses Shared VPC with host project and service projects. They want to ensure that only specific service projects can create firewall rules in the host project's network. What is the correct IAM configuration?

A.Grant the Compute Security Admin role to the service project's compute service account in the service project.
B.Grant the Compute Network Admin role to the service project's service accounts in the host project.
C.Grant the Compute Security Admin role to the service project's service accounts in the host project.
D.Create a custom role with compute.firewalls.create and grant it to the host project's compute service account.
AnswerC

Correct: allows managing firewall rules in the shared VPC.

Why this answer

In a Shared VPC setup, the host project owns the network, and service projects connect to it. To allow a service project to create firewall rules in the host project's network, you must grant the Compute Security Admin role (which includes compute.firewalls.create) to the service project's service accounts at the host project level. This grants the necessary permissions on the host project's resources without giving broader network administration rights.

Exam trap

Google Cloud often tests the distinction between granting roles in the host project versus the service project, and the trap here is that candidates mistakenly think the Compute Network Admin role is required for firewall rule creation, when in fact Compute Security Admin is the correct, more restrictive role.

How to eliminate wrong answers

Option A is wrong because granting the Compute Security Admin role to the service project's compute service account in the service project only affects resources within that service project, not the host project's network. Option B is wrong because the Compute Network Admin role includes permissions to modify network configurations (e.g., create/modify VPCs, subnets) beyond just firewall rules, which violates the principle of least privilege and is not the specific role for firewall rule creation. Option D is wrong because creating a custom role with compute.firewalls.create and granting it to the host project's compute service account would allow the host project's own service account to create firewall rules, not the service project's service accounts; the requirement is to enable specific service projects, not the host project itself.

121
MCQmedium

A company wants to demonstrate to an auditor that all data access requests to a Cloud Storage bucket are logged, but they must exclude a specific service account from logging to reduce noise. What should they do to remain compliant with their audit policy?

A.Enable Data Access audit logs with exempted members set to that service account
B.Enable Data Access audit logs without exempting any service accounts
C.Configure VPC Service Controls to block the service account from accessing the bucket
D.Use Cloud Logging exclusion filters to filter out the service account logs after ingestion
AnswerB

Not exempting any service account ensures all data access is logged, satisfying audit requirements for comprehensive logging.

Why this answer

Option B is correct because enabling Data Access audit logs without exempting any service accounts ensures that all data access requests to the Cloud Storage bucket are logged, meeting the auditor's requirement. Exempting a service account (as in Option A) would violate the policy by excluding its requests from the logs entirely. Cloud Logging exclusion filters (Option D) operate after ingestion and cannot guarantee compliance, as the auditor may require logs to be captured in the first place.

Exam trap

Google Cloud often tests the distinction between logging configuration that prevents log generation (exempted members) versus post-ingestion filtering (exclusion filters), and candidates mistakenly think exclusion filters can satisfy audit requirements because they reduce noise, but they do not ensure logs are captured for compliance.

How to eliminate wrong answers

Option A is wrong because setting exempted members on the Data Access audit log configuration would exclude the specified service account from logging entirely, which directly contradicts the requirement to log all data access requests. Option C is wrong because VPC Service Controls block access at the network perimeter, but they do not log requests; they prevent the service account from accessing the bucket, which is not the goal and would break functionality. Option D is wrong because Cloud Logging exclusion filters are applied after logs are ingested, meaning the logs are still generated and stored temporarily; this does not satisfy an audit policy that requires logs to be captured for all requests, and the auditor may consider this non-compliant if logs are discarded.

122
MCQeasy

A small business runs a single Google Cloud project with a few Compute Engine instances. The administrator created a custom IAM role with the permission compute.instances.stop to allow a junior admin to stop instances. However, the junior admin reports that when they try to stop an instance, they get a 403 error. The junior admin has the custom role bound at the project level. What is the most likely cause?

A.The instance is already stopped and they need the compute.instances.start permission.
B.The custom role includes compute.instances.stop, which is not a valid permission.
C.The junior admin must use the gcloud command with the --account flag to specify a different service account.
D.The custom role is missing additional permissions required to stop an instance, such as compute.instances.list and compute.zones.get.
AnswerD

Stopping an instance may require additional permissions to identify the instance.

Why this answer

D is correct because stopping a Compute Engine instance requires more than just compute.instances.stop; the IAM system also needs permissions to read the instance metadata and zone information. Specifically, the junior admin lacks compute.instances.list and compute.zones.get, which are necessary for the API to resolve the instance resource and validate the request, leading to a 403 error despite having the stop permission.

Exam trap

The trap here is that candidates assume the single permission named in the action (e.g., compute.instances.stop) is sufficient, but Google Cloud tests the nuance that many gcloud commands require additional read permissions to locate and validate the target resource before the action can be performed.

How to eliminate wrong answers

Option A is wrong because a 403 error indicates insufficient permissions, not that the instance is already stopped; stopping an already-stopped instance would succeed silently or return a different error. Option B is wrong because compute.instances.stop is a valid IAM permission that exists and can be included in a custom role. Option C is wrong because the --account flag is used to specify a different user or service account for authentication, but the issue is a missing permission, not an authentication problem; the junior admin is already using the correct account with the custom role bound at the project level.

123
MCQeasy

A user has been granted the role roles/editor on a folder. What is the effective access in the projects within that folder? (Assume no deny policies)

A.Full editor access on all resources in the folder, including projects.
B.Editor access on the projects but not on resources within the projects.
C.The user must also be granted editor on each project separately.
D.Editor access on the folder resource only, not on projects.
AnswerA

Folder-level roles are inherited by projects and their resources.

Why this answer

In Google Cloud, IAM roles are inherited from parent resources to child resources. Granting the roles/editor role on a folder automatically applies that role to all projects and resources within the folder, provided there are no deny policies to override it. This means the user has full editor access on all resources in the folder, including the projects themselves and all resources within those projects.

Exam trap

Google Cloud often tests the misconception that IAM roles are not inherited across resource hierarchies, leading candidates to incorrectly believe that separate grants are needed for each project or that the role only applies to the folder itself.

How to eliminate wrong answers

Option B is wrong because editor access on a folder grants editor access not only on the projects but also on all resources within those projects, such as Compute Engine instances, Cloud Storage buckets, and BigQuery datasets. Option C is wrong because IAM roles are inherited from the folder to its child projects; the user does not need to be granted editor on each project separately. Option D is wrong because the roles/editor role on a folder is inherited by all projects and resources within the folder, not just the folder resource itself.

124
Multi-Selecthard

Which three actions help protect Cloud KMS key material? (Choose three.)

Select 3 answers
A.Store the key in an HSM cluster.
B.Use VPC Service Controls to restrict access to the key.
C.Assign the Cloud KMS Admin role to all developers.
D.Enable automatic key rotation.
E.Enable Cloud Audit Logs for key operations.
AnswersB, D, E

VPC SC prevents data exfiltration and restricts access to the key.

Why this answer

B is correct because VPC Service Controls create a security perimeter around Cloud KMS resources, preventing data exfiltration by restricting access to the key material from unauthorized networks or projects. This helps protect the key material even if an attacker gains credentials to the key, as the request must originate from within the allowed VPC scope.

Exam trap

Google Cloud often tests the misconception that hardware security modules (HSMs) alone provide complete protection for key material, but the trap here is that HSMs secure key storage, not access control or perimeter security, which are addressed by VPC Service Controls and audit logging.

125
MCQeasy

A company is deploying a new application that will process credit card data and must comply with PCI DSS. They plan to use Google Cloud services. Which service should they use to detect and redact sensitive data stored in Cloud Storage buckets?

A.Cloud Key Management Service (KMS)
B.VPC Service Controls
C.Cloud Audit Logs
D.Cloud Data Loss Prevention (DLP)
AnswerD

DLP can scan and redact sensitive data.

Why this answer

Cloud Data Loss Prevention (DLP) is the correct service because it is specifically designed to inspect, classify, and redact sensitive data such as credit card numbers (PANs) in Cloud Storage buckets. It uses built-in infoType detectors (e.g., `CREDIT_CARD_NUMBER`) to identify PCI DSS-protected data and can automatically apply de-identification transformations like redaction or masking to comply with PCI DSS requirements.

Exam trap

Google Cloud often tests the distinction between data protection services that handle encryption (KMS) versus those that handle content inspection and redaction (DLP), leading candidates to mistakenly choose KMS when the question explicitly asks about detecting and redacting sensitive data.

How to eliminate wrong answers

Option A is wrong because Cloud Key Management Service (KMS) manages encryption keys for data at rest, but it does not inspect, detect, or redact sensitive data content; it only handles cryptographic operations. Option B is wrong because VPC Service Controls provide a security perimeter to prevent data exfiltration via network boundaries, but they cannot scan or redact sensitive data within storage objects. Option C is wrong because Cloud Audit Logs record administrative and access activities for compliance auditing, but they have no capability to detect or redact sensitive data fields in stored files.

126
MCQmedium

A company runs a containerized application on Google Kubernetes Engine (GKE) that reads from a Cloud Storage bucket encrypted with a customer-managed key (CMEK) in Cloud KMS. The application uses a dedicated Google service account with the roles/storage.objectViewer role and a Cloud KMS CryptoKey Decrypter binding on the key. After a scheduled key rotation, the application started receiving '403 Access Denied' errors when accessing objects. The Cloud KMS key has multiple versions. The service account's IAM permissions have not changed. What is the most likely cause and the appropriate fix?

A.In Cloud KMS, enable the new key version and ensure it is set as primary.
B.Create a new key ring and migrate the service account to use a new key.
C.Disable the old key version and re-encrypt all objects with the new key version.
D.Ensure the service account has the 'Cloud KMS CryptoKey Decrypter' role on the key, which applies to all key versions, including the old version used for encryption.
AnswerD

The role on the key grants access to all versions; if it was previously granted only on a specific version, the old version may have lost access during rotation.

Why this answer

The correct answer is D. In Cloud KMS, IAM permissions are evaluated at the key level, not per key version. When a key is rotated, the new primary version is automatically enabled, but the old version remains active for decrypting data encrypted with it.

The service account already has the 'Cloud KMS CryptoKey Decrypter' role on the key, which grants permission to decrypt with any version of that key. The 403 error likely occurred because the application's client library or configuration was explicitly referencing the old key version ID, which may have been disabled or is no longer primary, but the IAM binding on the key itself is sufficient. The fix is to ensure the service account has the role on the key (which it does) and that the application uses the key resource name (not a specific version) to allow automatic use of the correct version.

Exam trap

Google Cloud often tests the misconception that key rotation requires updating IAM permissions or that old key versions become unusable, when in fact IAM bindings on the key cover all versions and old versions remain active for decryption unless explicitly disabled.

How to eliminate wrong answers

Option A is wrong because enabling a new key version and setting it as primary does not fix a permission issue; the new version is already enabled by default upon rotation, and the problem is not about version availability but about how the application references the key. Option B is wrong because creating a new key ring and migrating the service account is unnecessary and disruptive; the existing key ring and key are still valid, and the service account's permissions on the key are unchanged. Option C is wrong because disabling the old key version would break decryption of objects still encrypted with that version, and re-encrypting all objects is an extreme, unnecessary step that does not address the root cause of the 403 error, which is a permission or configuration issue, not a key version mismatch.

127
MCQmedium

A company uses Cloud Functions with a service account that has the role 'roles/cloudfunctions.invoker' to allow unauthenticated invocation. They want to change this so that only authenticated requests from a specific Cloud Scheduler job can invoke the function. The Cloud Scheduler job runs in the same project and uses a service account with the role 'roles/cloudscheduler.serviceAgent'. The security engineer updates the Cloud Function's ingress settings to 'Allow internal traffic only' and removes the 'allUsers' invoker binding. However, the Cloud Scheduler job now fails with a 403 error. What should the engineer do to fix this?

A.Grant the Cloud Scheduler's service account the role 'roles/cloudfunctions.invoker' on the Cloud Function.
B.Add 'allAuthenticatedUsers' as an invoker to the Cloud Function.
C.Change the ingress setting to 'Allow all traffic'.
D.Set the Cloud Function's ingress setting to 'Allow internal traffic only' and ensure the Cloud Scheduler job's region is the same as the function's region.
AnswerA

This grants the specific service account permission to invoke the function.

Why this answer

A is correct because the Cloud Scheduler job uses a service account to authenticate its requests. By default, Cloud Scheduler does not automatically have permission to invoke a Cloud Function. Granting the Cloud Scheduler's service account the 'roles/cloudfunctions.invoker' role on the Cloud Function explicitly authorizes that identity to invoke the function, even when the function's ingress is set to 'Allow internal traffic only' and the 'allUsers' binding is removed.

Exam trap

Google Cloud often tests the misconception that internal traffic settings alone control access, when in fact IAM permissions are always required for authenticated invocation, and 'Allow internal traffic only' only restricts network-level access, not IAM authorization.

How to eliminate wrong answers

Option B is wrong because adding 'allAuthenticatedUsers' would allow any authenticated Google Cloud identity (including users outside the project) to invoke the function, which does not restrict invocation to only the specific Cloud Scheduler job. Option C is wrong because changing the ingress setting to 'Allow all traffic' would allow requests from the internet, defeating the purpose of restricting to internal traffic and the specific scheduler job. Option D is wrong because ensuring the same region does not resolve the 403 error; the error is due to missing IAM permissions on the Cloud Function, not a regional mismatch.

128
MCQ · hard

A financial services company is deploying a multi-region application on Google Kubernetes Engine (GKE) and needs to comply with PCI DSS. They must ensure that cardholder data is encrypted in transit between pods in different clusters. What is the MOST secure way to achieve this?

A. Configure TLS for each service using a Cloud Load Balancing with SSL policies.
B. Enable Anthos Service Mesh with mutual TLS (mTLS) across clusters.
C. Use HTTPS between services by configuring ingress with a Google-managed SSL certificate.
D. Use VPC Network Peering to connect the clusters and rely on the internal network encryption.
Answer: B

mTLS in a service mesh provides encryption and authentication for inter-pod traffic.

Why this answer

Option B is correct because Anthos Service Mesh with mutual TLS (mTLS) provides authenticated and encrypted communication between pods across different GKE clusters, meeting PCI DSS encryption-in-transit requirements. mTLS ensures that each side of the connection presents a certificate, verifying identity and encrypting traffic at the application layer, which is more secure than relying solely on network-level encryption. This approach also integrates with GKE's multi-cluster service mesh capabilities, allowing fine-grained policy enforcement across clusters.

Exam trap

Google Cloud often tests the misconception that network-level encryption (e.g., VPC peering or internal Google Cloud encryption) is sufficient for compliance, but PCI DSS requires application-layer encryption (e.g., TLS/mTLS) for cardholder data in transit between pods.

How to eliminate wrong answers

Option A is wrong because configuring TLS for each service using Cloud Load Balancing with SSL policies only encrypts traffic at the load balancer edge, not between pods in different clusters; internal pod-to-pod traffic would remain unencrypted unless additional measures are taken. Option C is wrong because using HTTPS between services by configuring ingress with a Google-managed SSL certificate only secures external ingress traffic, not east-west traffic between pods across clusters. Option D is wrong because VPC Network Peering provides network connectivity but does not inherently encrypt traffic between pods; it relies on Google's internal network encryption, which may not satisfy PCI DSS's explicit requirement for application-layer encryption of cardholder data in transit.

129
Multi-Select · medium

Which TWO of the following are valid methods for sending traffic between VPC networks in Google Cloud? (Choose two.)

Select 2 answers
A. Firewall rules in each VPC
B. Subnet routes
C. Cloud VPN (HA VPN gateway)
D. Cloud NAT
E. VPC Network Peering
Answers: C, E

Correct: creates encrypted tunnels between VPCs.

Why this answer

Cloud VPN (HA VPN gateway) is a valid method for sending traffic between VPC networks because it creates an encrypted tunnel over the public internet using IPsec (IKEv2) to connect two VPCs or an on-premises network to a VPC. It supports dynamic routing via BGP, allowing traffic to flow between VPCs when each VPC has a VPN gateway and the appropriate tunnel configurations.

Exam trap

The trap here is that candidates confuse Cloud NAT or firewall rules as a method for inter-VPC connectivity, when in fact they serve entirely different purposes (outbound NAT and access control, respectively) and cannot route traffic between separate VPC networks.

130
MCQ · hard

You have a Compute Engine VM that hosts a custom application. The VM has a tag 'app-server' and is in a VPC network with the following firewall rules (priority order from lowest to highest):

Rule 1: Priority 1000, direction INGRESS, source 0.0.0.0/0, target tag 'app-server', protocol tcp:80, action allow
Rule 2: Priority 500, direction INGRESS, source 10.0.0.0/8, target tag 'app-server', protocol tcp:80, action deny
Rule 3: Priority 2000, direction INGRESS, source 192.168.0.0/16, target tag 'app-server', protocol tcp:80, action allow

A user from IP 10.0.0.5 tries to access the application on port 80. Will the request be allowed or denied?

A. Denied, because Rule 2 has a lower priority number and explicitly denies traffic from 10.0.0.0/8
B. Denied, because Rule 3 has a higher priority number and denies traffic from 192.168.0.0/16
C. Allowed, because Rule 1 has a lower priority number and allows all traffic
D. Allowed, because Rule 3 has a higher priority number and allows traffic from 192.168.0.0/16
Answer: A

Correct: Rule 2 has priority 500, which is evaluated before Rule 1 (1000) and Rule 3 (2000). Since it matches, the deny action is applied.

Why this answer

Rule 2 has a priority of 500, which is lower (higher priority) than Rule 1 (priority 1000) and Rule 3 (priority 2000). Since the source IP 10.0.0.5 falls within the 10.0.0.0/8 range, Rule 2 matches first and explicitly denies the traffic. In Google Cloud VPC firewall rules, lower priority numbers are evaluated first, and the first matching rule determines the action.

Exam trap

Google Cloud often tests the misconception that higher priority numbers mean higher precedence, but in Google Cloud VPC firewall rules, lower numeric priority values are evaluated first, so candidates must remember that priority 500 is evaluated before priority 1000.

How to eliminate wrong answers

Option B is wrong because Rule 3 has a higher priority number (2000) and allows traffic from 192.168.0.0/16, but the source IP is 10.0.0.5, which does not match that range; also, Rule 2 with lower priority already denies the traffic. Option C is wrong because Rule 1 has a higher priority number (1000) than Rule 2 (500), so Rule 2 is evaluated first and denies the traffic before Rule 1 is considered. Option D is wrong because Rule 3 has the highest priority number (2000) and applies to a different source range (192.168.0.0/16), so it does not affect traffic from 10.0.0.5.

131
MCQ · medium

A global e-commerce company is using Google Cloud to store customer data subject to GDPR. They have implemented data residency controls to keep data within the EU. However, during a routine audit, the compliance team discovers that some backups of customer data are being replicated to a US region due to a misconfigured backup policy. The data includes personal information. The company must ensure that all data remains within the EU. What should the team do to prevent this from recurring and remediate the current situation?

A. Delete the backups in the US region immediately and reconfigure the backup policy to only use EU regions.
B. Enable Access Transparency for the US backups to monitor access.
C. Use Organization Policies to enforce a constraint that disables the creation of resources outside the EU, and then delete the US backups.
D. Encrypt the US backups with CMEK and leave them in place, as encryption satisfies GDPR.
Answer: C

Enforces data residency and remediates current non-compliance.

Why this answer

Option C is correct because Organization Policies allow the company to enforce a resource location constraint (e.g., `constraints/gcp.resourceLocations`), which prevents the creation of any Google Cloud resources outside the EU. This proactively stops misconfigured backups from being replicated to non-EU regions. Deleting the US backups after applying the policy remediates the current GDPR violation by removing the non-compliant data.

Exam trap

Google Cloud often tests the distinction between reactive fixes (deleting data) and proactive controls (Organization Policies), leading candidates to choose Option A because it seems immediate, while overlooking the need for a preventive guardrail.

How to eliminate wrong answers

Option A is wrong because simply deleting the US backups and reconfiguring the policy does not prevent future misconfigurations; it lacks a preventive control like an Organization Policy constraint. Option B is wrong because Access Transparency only logs access to data, it does not prevent data from being stored outside the EU or remediate the existing non-compliance. Option D is wrong because encryption with CMEK does not satisfy GDPR's data residency requirements; GDPR mandates that personal data must remain within the EU, and encryption alone does not change the physical location of the data.

132
MCQ · hard

For PCI DSS compliance, which of the following is required for Cloud KMS keys?

A. Enable automatic rotation with a rotation period set to 90 days
B. Use a separate key per service account
C. Disable key rotation after initial use
D. Key rotation every 30 days
Answer: A

Automatic rotation with a defined period satisfies PCI DSS key rotation requirements.

Why this answer

PCI DSS requirement 3.5.1 mandates that cryptographic keys must be rotated at least every 90 days to limit the impact of a potential key compromise. For Cloud KMS, enabling automatic rotation with a rotation period of 90 days ensures compliance by automating the key rotation process without manual intervention, reducing the risk of human error.

Exam trap

Google Cloud often tests the exact PCI DSS requirement of 90-day rotation, and candidates may mistakenly choose 30 days (option D) thinking more frequent rotation is better, but the question asks for what is 'required', not what is 'allowed'.

How to eliminate wrong answers

Option B is wrong because PCI DSS does not require a separate key per service account; it requires that keys be unique per environment or per function, but a single key can be shared among multiple service accounts if access controls are properly enforced. Option C is wrong because disabling key rotation after initial use violates PCI DSS requirement 3.5.1, which mandates periodic rotation at least every 90 days. Option D is wrong because, while 30-day rotation would also meet the PCI DSS requirement, the question specifically asks for the required rotation period, and 90 days is the maximum allowed interval; 30 days is more frequent than required and not incorrect in itself, but the correct answer must match the exact requirement stated in the standard.

133
MCQ · hard

User user1@domain.com tries to SSH into a Compute Engine instance that has the service account sa1@project.iam.gserviceaccount.com attached. Will the SSH connection succeed? (Assume no other policies)

A. No, because user1 lacks compute.instances.osLogin permission.
B. No, because user1 needs a role such as compute.osLogin to SSH into the instance.
C. Yes, because user1 has iam.serviceAccountUser role on the service account, which is required to use it.
D. Yes, because user1 has compute.viewer role.
Answer: B

The compute.osLogin role (or compute.osAdminLogin) is required for SSH access via OS Login.

Why this answer

Option B is correct because SSH access to a Compute Engine instance requires the user to have the compute.osLogin role (or a role that includes compute.instances.osLogin permission) when OS Login is enabled. Without OS Login, the user needs the compute.instances.setMetadata permission to add SSH keys. The service account attached to the instance does not grant SSH access; it only allows the instance to authenticate to Google Cloud APIs.

User1 has no relevant IAM roles for SSH, so the connection will fail.

Exam trap

Google Cloud often tests the misconception that having the iam.serviceAccountUser role on a service account attached to an instance grants SSH access, when in reality it only allows impersonation of the service account for API calls, not interactive login.

How to eliminate wrong answers

Option A is wrong because the permission compute.instances.osLogin is part of the compute.osLogin role, but the question states no other policies, and the user lacks any role that includes this permission; the issue is the missing role, not just the permission name. Option C is wrong because the iam.serviceAccountUser role only allows the user to impersonate the service account (e.g., use it for API calls), not to SSH into the instance; SSH access requires separate compute instance permissions. Option D is wrong because the compute.viewer role provides read-only access to instance metadata and does not grant any SSH-related permissions such as osLogin or setMetadata.

134
Multi-Select · hard

An organization wants to ensure that only compute instances in a specific VPC can access a Cloud Storage bucket. They also want to prevent the bucket data from being downloaded to an external IP. Which TWO services should they combine? (Choose TWO.)

Select 2 answers
A. IAM conditions restricting access by VPC network
B. Cloud NAT
C. Cloud VPN
D. Private Google Access
E. VPC Service Controls
Answers: A, E

IAM conditions can use the `request.network` attribute to allow access only from a specific VPC network.

Why this answer

IAM conditions allow you to restrict access to a Cloud Storage bucket based on the requester's VPC network, ensuring only compute instances in that specific VPC can access the bucket. VPC Service Controls create a security perimeter around the bucket, preventing data exfiltration to external IPs by blocking unauthorized network paths. Together, they enforce both network-level access restriction and data download prevention.

Exam trap

Google Cloud often tests the misconception that Private Google Access alone can restrict access to a specific VPC, but it only enables connectivity without any access control or exfiltration prevention.

135
MCQ · easy

A company uses Cloud Audit Logs for compliance and needs to ensure that logs are not tampered with. Which feature should they enable?

A. Store logs in Cloud Logging with default retention.
B. Enable Access Transparency logs for the project.
C. Use Cloud Key Management Service to sign audit logs.
D. Set up multiple log sinks to different destinations.
Answer: B

Access Transparency logs are immutable and provide a tamper-evident log of Google actions.

Why this answer

Option B is correct because Access Transparency logs are tamper-proof and logged at Google's infrastructure. Option D is wrong because log sinks do not prevent tampering. Option A is wrong because Cloud Logging does not provide inherent immutability.

Option C is wrong because Cloud Key Management Service is for encryption, not log integrity.

136
MCQ · hard

A company has a Google Cloud organization with several hundred projects. They are using VPC Service Controls to protect sensitive data in BigQuery. They have a service perimeter that includes the projects containing the sensitive datasets. Users in a separate perimeter (perimeter B) need to query a BigQuery dataset in the sensitive perimeter using federated queries from Cloud SQL. The users are authenticated via Cloud Identity and have appropriate IAM roles, but queries are failing. The Cloud SQL instance is in perimeter B. What is the most likely cause?

A. The sensitive perimeter does not have an ingress rule to allow requests from the Cloud SQL service in perimeter B.
B. The Cloud SQL instance must be moved into the sensitive perimeter to access BigQuery.
C. The users do not have the appropriate IAM role on the BigQuery dataset.
D. The BigQuery dataset does not have a corresponding table for export to Cloud SQL.
Answer: A

An ingress rule is required to allow traffic from outside the perimeter.

Why this answer

VPC Service Controls enforce perimeters that block all data access across perimeter boundaries by default. For a Cloud SQL instance in perimeter B to query BigQuery in the sensitive perimeter via federated queries, the sensitive perimeter must have an ingress rule explicitly allowing requests from the Cloud SQL service (or the VPC network) in perimeter B. Without this ingress rule, the request is denied at the perimeter boundary, regardless of IAM permissions.

Exam trap

Google Cloud often tests the distinction between IAM permissions and VPC Service Controls perimeter rules, leading candidates to incorrectly attribute the failure to missing IAM roles when the real issue is the absence of an ingress rule in the perimeter.

How to eliminate wrong answers

Option B is wrong because moving the Cloud SQL instance into the sensitive perimeter would violate the requirement that users in perimeter B need to query the dataset; it also unnecessarily exposes the Cloud SQL instance to the sensitive perimeter's restrictions. Option C is wrong because the question states users have appropriate IAM roles, and the failure is due to perimeter enforcement, not IAM. Option D is wrong because BigQuery federated queries from Cloud SQL do not require a corresponding table for export; the query is executed directly against BigQuery datasets via the BigQuery federated query feature.

137
MCQ · easy

A company has an on-premises Active Directory and wants to allow on-premises users to access Google Cloud resources using their existing credentials without synchronizing passwords to Google Cloud. Which identity federation solution should they use?

A. Service Account Key Exchange
B. Workload Identity Federation
C. Cloud Identity
D. Identity Platform
Answer: B

It enables on-premises or multi-cloud workloads to impersonate a service account without a key.

Why this answer

Workload Identity Federation allows on-premises users to authenticate to Google Cloud using their existing Active Directory credentials without synchronizing passwords. It uses a federated identity model where the on-premises identity provider (IdP) issues tokens that are exchanged for Google Cloud short-lived credentials via the Security Token Service (STS), enabling access to Google Cloud resources while keeping passwords on-premises.

Exam trap

Google Cloud often tests the distinction between Cloud Identity (which requires user directory management in Google) and Workload Identity Federation (which allows external IdP federation without password sync), leading candidates to mistakenly choose Cloud Identity because they associate it with identity management for enterprise users.

How to eliminate wrong answers

Option A is wrong because Service Account Key Exchange is not an identity federation solution; it is a mechanism for exchanging a service account key for an OAuth 2.0 access token, and it does not support federating external identity providers like Active Directory. Option C is wrong because Cloud Identity is Google's identity-as-a-service (IDaaS) solution that requires users to be managed within Google's directory, which would necessitate synchronizing or creating user accounts, not using existing on-premises credentials without password sync. Option D is wrong because Identity Platform is a customer identity and access management (CIAM) service primarily for customer-facing applications, not for federating on-premises enterprise Active Directory users to access Google Cloud resources without password synchronization.

138
MCQ · medium

A company has configured an HA VPN between Google Cloud and an on-premises data center using two tunnels with separate Cloud Routers and BGP sessions in active/active mode. Each Cloud Router is configured to learn routes from the on-premises side and advertise VPC subnets. Recently, one of the tunnels experienced a physical link failure and went down. The security team notices that the remaining tunnel is still up and passing traffic, but some routes that were learned via the failed tunnel are no longer present in the routing table of that Cloud Router. The on-premises administrator confirms that the routes are still being advertised from the local router. What is the impact on traffic to the on-premises network?

A. The failed tunnel will automatically be restored by BGP when the link comes back.
B. The Cloud Router will initiate a failover to a secondary BGP session.
C. Traffic destined to subnets only reachable via the failed tunnel will be dropped.
D. All traffic will continue to flow through the remaining tunnel without any disruption.
Answer: C

The missing routes mean those destinations are unreachable until the tunnel recovers or routes are learned via the other tunnel.

Why this answer

In an active/active HA VPN with separate Cloud Routers and BGP sessions, each Cloud Router maintains its own independent routing table. When a tunnel fails, the BGP session associated with that Cloud Router goes down, causing all routes learned via that session to be withdrawn. Even though the on-premises router continues to advertise the routes, the Cloud Router that lost its BGP session will no longer have those routes in its routing table.

Traffic destined to subnets that were only reachable through the failed tunnel will be dropped because the remaining Cloud Router does not have a route for those subnets.

Exam trap

Google Cloud often tests the misconception that active/active HA VPN provides full redundancy for all routes, but in reality, each Cloud Router independently learns routes, and a tunnel failure only drops traffic to subnets unique to that tunnel's BGP session.

How to eliminate wrong answers

Option A is wrong because BGP does not automatically restore a failed tunnel; the tunnel is a separate VPN construct that must be re-established by the underlying IPsec/IKE mechanisms, and BGP only re-establishes the session after the tunnel is up. Option B is wrong because there is no secondary BGP session to failover to; each Cloud Router runs its own independent BGP session, and the failure of one tunnel does not trigger a failover to another session on the same router. Option D is wrong because not all traffic will continue to flow; only traffic to subnets that are reachable via both tunnels will continue, while traffic to subnets unique to the failed tunnel will be dropped.

139
MCQ · medium

A company uses VPC Service Controls to protect data in BigQuery and Cloud Storage. They need to allow a third-party application running outside the service perimeter to query BigQuery datasets within the perimeter. What should they configure?

A. Use Private Google Access with a VPC network to allow the third-party.
B. Grant the third-party project access to the perimeter via an access level.
C. Create a service perimeter bridge between the third-party project and the protected project.
D. Set up a VPC peering connection between the third-party VPC and the VPC hosting the resources.
Answer: B

Access levels can be used to allow ingress from external identities or IPs.

Why this answer

Option B is correct because VPC Service Controls use access levels to define which client identities, IP addresses, or device characteristics are allowed to access protected resources from outside the service perimeter. By configuring an access level that includes the third-party application's project or IP range, the company can grant explicit, policy-based access to BigQuery datasets without removing the perimeter's data exfiltration protections.

Exam trap

The trap here is that candidates confuse VPC peering or Private Google Access with VPC Service Controls, assuming network-level connectivity is sufficient to bypass API-level perimeter enforcement, when in fact only access levels or perimeter membership can grant external access.

How to eliminate wrong answers

Option A is wrong because Private Google Access enables on-premises or VM instances to reach Google APIs via internal IPs, but it does not bypass VPC Service Controls; the third-party application still needs an access level to be allowed through the perimeter. Option C is wrong because a service perimeter bridge connects two perimeters to allow controlled resource sharing between them, but the third-party application is outside any perimeter, so a bridge does not apply. Option D is wrong because VPC peering connects two VPC networks for private IP communication, but it does not grant access to BigQuery datasets protected by VPC Service Controls, which operate at the API layer and require access levels or perimeter membership.

140
MCQ · easy

A security engineer needs to audit all attempts to access a Cloud Storage bucket, including successful and failed attempts. Which logging option should they enable?

A. Cloud Audit Logs with Data Access
B. Cloud Audit Logs with Admin Read
C. Cloud Monitoring with uptime checks
D. VPC Flow Logs
Answer: A

Data Access logs record all read and write operations on objects, including successful and failed attempts.

Why this answer

Cloud Audit Logs with Data Access logs capture read/write operations on data. Admin Read logs only record configuration changes, not data access. Cloud Monitoring is for metrics, not logs.

VPC Flow Logs are for network traffic, not object-level access.

141
MCQ · hard

A company connects their on-premises data center to Google Cloud via Dedicated Interconnect. They have two VLAN attachments (VLAN-A and VLAN-B) to a single VPC. They use BGP over the VLAN attachments with Cloud Router. Both VLAN attachments are in the same region. They want to use both links for active-active traffic and have redundancy. Which BGP configuration is correct?

A. Use a different BGP ASN for each VLAN attachment.
B. Use a single VLAN attachment and rely on link redundancy.
C. Set different MED values for each BGP session to load-balance.
D. Use the same BGP ASN and same MED for both VLAN attachments, and enable ECMP on Cloud Router.
Answer: D

Correct: this allows equal-cost multipath, active-active.

Why this answer

For active-active traffic with two VLAN attachments to the same VPC in the same region, you must use the same BGP ASN on both sessions and enable ECMP (Equal Cost Multi-Path) on Cloud Router. This allows Cloud Router to install multiple equal-cost routes from both BGP sessions, enabling load balancing across both links. Using the same MED value ensures the routes are considered equal, which is required for ECMP to function correctly.

Exam trap

Google Cloud often tests the misconception that different BGP ASNs or MED values are needed for load balancing, but in Google Cloud's Dedicated Interconnect with Cloud Router, active-active requires identical ASN and MED plus explicit ECMP enablement.

How to eliminate wrong answers

Option A is wrong because using a different BGP ASN for each VLAN attachment would cause Cloud Router to treat the routes as coming from different autonomous systems, preventing ECMP from load-balancing across them; Cloud Router requires the same ASN to consider routes as equal-cost candidates. Option B is wrong because a single VLAN attachment does not provide link-level redundancy; you need two separate attachments to protect against failure of one attachment or its underlying circuit. Option C is wrong because setting different MED values would make one route preferred over the other, breaking active-active load balancing; ECMP requires equal MED values to treat routes as equal-cost.

142
Multi-Select · medium

Which THREE are requirements for HIPAA compliance when using Google Cloud? (Choose three.)

Select 3 answers
A. Use Dedicated Interconnect for network connectivity
B. Enable Data Loss Prevention (DLP) for all data
C. Enable audit logging for all PHI-related activities
D. Sign a Business Associate Agreement (BAA) with Google
E. Encrypt data at rest and in transit using appropriate algorithms
Answers: C, D, E

Audit logs are necessary to track access and changes to PHI.

Why this answer

Option C is correct because HIPAA requires covered entities to implement audit controls that record and examine access and other activity in information systems that contain or use electronic protected health information (ePHI). In Google Cloud, enabling audit logging for all PHI-related activities, such as via Cloud Audit Logs (Admin Activity, Data Access, and System Event logs), satisfies this requirement by providing an immutable, tamper-evident record of who accessed what data and when.

Exam trap

Google Cloud often tests the misconception that HIPAA mandates specific technologies (like Dedicated Interconnect or DLP for all data), when in reality HIPAA is technology-neutral and focuses on implementing reasonable and appropriate safeguards, such as encryption and audit logging.

143
MCQ · hard

A company uses a shared VPC with multiple service projects. A security administrator created an organization policy with the constraint 'gcp.resourceLocations' to restrict Cloud SQL instance creation to only the 'us-central1' region. The policy is applied at the organization level. A Cloud SQL administrator is using a service account with the predefined role 'roles/cloudsql.admin' (also granted at the organization level) to create instances. Despite the organization policy, the service account successfully creates a Cloud SQL instance in the 'europe-west1' region. The administrator verifies that the organization policy is active and the constraint is enforced. What is the most likely reason the policy is not preventing the creation?

A. The organization policy is set to 'dry-run' mode, so it logs violations but does not deny the operation.
B. The organization policy is applied at the organization level, but the service account's permissions are also at the organization level, causing an override.
C. The service account has the 'Organization Policy Administrator' role, which allows it to bypass constraints.
D. The gcp.resourceLocations constraint does not apply to Cloud SQL instances.
Answer: A

Correct: In dry-run mode, the policy is not enforced, only audited.

Why this answer

Option A is correct because the organization policy constraint 'gcp.resourceLocations' can be set to 'dry-run' mode, which logs violations but does not deny the operation. In this scenario, the policy is active and enforced, but if it is in dry-run mode, it will not block the creation of Cloud SQL instances in non-compliant regions. The service account's successful creation in 'europe-west1' indicates that the policy is not actively denying the request, which aligns with dry-run behavior.

Exam trap

Google Cloud often tests the distinction between policy enforcement modes (dry-run vs. live) and the misconception that IAM roles can override organization policy constraints, leading candidates to incorrectly attribute the bypass to permission levels rather than policy configuration.

How to eliminate wrong answers

Option B is wrong because organization policies and IAM permissions are independent; granting a role at the organization level does not override or bypass an organization policy constraint. Option C is wrong because the 'Organization Policy Administrator' role allows managing policies but does not automatically bypass constraints; bypassing requires a specific 'set' or 'unset' of the constraint, not just the role. Option D is wrong because the 'gcp.resourceLocations' constraint explicitly applies to Cloud SQL instances, as documented in Google Cloud's list of supported services.

144
MCQ · easy

A developer accidentally deleted a Cloud SQL instance. The organization has automated backups enabled. How can the DBA restore the instance?

A. The instance cannot be restored because deletion is permanent.
B. Use the gcloud sql backups restore command with the backup ID.
C. Use the Cloud Console to restore from backup of the deleted instance.
D. Create a new instance and then import the backup from Cloud Storage.
Answer: B

This command restores a backup to a new instance, effectively recovering the deleted instance.

Why this answer

Option B is correct because the gcloud sql backups restore command can restore a backup to a new instance, even if the original instance was deleted. Option D is incorrect because importing a backup is a manual process that requires creating an instance first, which is less direct. Option A is incorrect because restoration is possible.

Option C is incorrect because the Cloud Console does not support restoring a deleted instance directly.

145
MCQ · hard

A Cloud Run service is failing to access a secret from Secret Manager. The service account used by Cloud Run has the roles/secretmanager.secretAccessor role. What is the most likely cause of the error?

A. VPC Service Controls are blocking access to Secret Manager.
B. The service account does not have the iam.serviceAccounts.actAs permission on the Cloud Run service.
C. The secret does not exist in the specified project.
D. The service account does not have access to the 'latest' version of the secret; it needs explicit version access.
Answer: D

The secretmanager.secretAccessor role grants access to specific versions, but 'latest' may require additional permissions if not enabled.

Why this answer

D is correct because Secret Manager requires explicit access to a specific secret version. The `roles/secretmanager.secretAccessor` role grants access to all versions of a secret, but the Cloud Run service must reference a specific version (e.g., 'latest' or a version number) in its configuration. If the service is configured to access the 'latest' version without the `secretmanager.versions.access` permission on that version, access will fail.

The error occurs because the service account lacks the necessary permission to access the 'latest' version, even though it has the role.

Exam trap

Google Cloud often tests the misconception that the `roles/secretmanager.secretAccessor` role grants blanket access to all versions, but in reality, access must be explicitly granted to each version, including 'latest', via the IAM policy on the secret or version.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls block access based on perimeter boundaries, not IAM permissions; if VPC SC were blocking, the error would be a network/perimeter violation, not an IAM permission error. Option B is wrong because the `iam.serviceAccounts.actAs` permission is required for deploying Cloud Run services, not for accessing secrets at runtime; the runtime access to Secret Manager is governed by the service account's IAM roles on the secret. Option C is wrong because if the secret did not exist, the error would be a 'not found' or '404' error, not an access permission error; the question states the service is failing to access the secret, implying the secret exists.

146
MCQ (hard)

A company uses Cloud Storage with CMEK. The Cloud KMS key is disabled accidentally by an administrator. What will happen to existing objects encrypted with that key?

A.Objects are automatically re-encrypted with Google-managed keys.
B.Objects become inaccessible immediately.
C.Objects remain accessible until the key is destroyed.
D.Objects become inaccessible after a 24-hour grace period.
Answer: B

Disabling the key immediately prevents decryption of any object encrypted with that key.

Why this answer

When a Cloud KMS key used for CMEK is disabled, Cloud Storage immediately loses the ability to decrypt the encrypted object data and its associated metadata. Without the key, the service cannot serve the object, making it inaccessible for read, write, or delete operations until the key is re-enabled. This is because CMEK objects are encrypted at rest using the customer-managed key, and Cloud Storage does not maintain a cached copy of the key material.

Exam trap

Google Cloud often tests the misconception that disabling a CMEK key has a grace period or that Google will automatically fall back to Google-managed keys, but the correct behavior is immediate inaccessibility with no automatic recovery or re-encryption.

How to eliminate wrong answers

Option A is wrong because Cloud Storage does not automatically re-encrypt CMEK objects with Google-managed keys when the CMEK key is disabled; re-encryption would require explicit action and a new key version. Option C is wrong because objects remain accessible only as long as the key is enabled; disabling the key immediately blocks access, not just when the key is destroyed. Option D is wrong because there is no 24-hour grace period; access is revoked immediately upon key disablement, as the key is required for decryption on every request.

147
Multi-Select (easy)

Which two Cloud Storage encryption options allow the customer to supply or manage the encryption keys? (Choose two.)

Select 2 answers
A.Default encryption at rest
B.Google-managed encryption keys
C.Cloud HSM keys
D.Customer-Supplied Encryption Keys (CSEK)
E.Customer-Managed Encryption Keys (CMEK)
Answers: D, E

With CSEK the customer supplies the key material directly; with CMEK the customer creates and controls the key in Cloud KMS.

Why this answer

Customer-Supplied Encryption Keys (CSEK) allow you to supply your own encryption keys for protecting data at rest in Cloud Storage. With CSEK, you provide the key material on each API call, and Google does not store the key on its servers. This option is correct because the customer directly supplies the encryption key. Customer-Managed Encryption Keys (CMEK) are keys you create and control in Cloud KMS; Cloud Storage uses that key to protect object data, so the customer manages the key's lifecycle (rotation, disabling, destruction) even though Google generates and stores it.

Exam trap

Google Cloud often tests the distinction between 'supplying' the key (CSEK) versus 'managing' a key that Google generates (CMEK), causing candidates to mistakenly think Cloud HSM keys (which are a CMEK implementation) count as customer-supplied.

148
MCQ (medium)

A government agency is migrating to Google Cloud and must comply with FedRAMP requirements. They need to ensure that only FedRAMP authorized Google Cloud services are used in their project. The security team has enabled Organization Policies and created a custom policy to restrict allowed services to a specific list. However, when a developer tries to create a Cloud SQL instance, the operation is denied. The developer receives an error: 'The organization policy constraint compute.restrictNonPdServices is not allowing this resource.' The developer is trying to create a Cloud SQL instance, which is a FedRAMP authorized service. What is the most likely cause of the denial?

A.Cloud SQL instances require a specific region that is not permitted by the policy.
B.The developer does not have the necessary IAM permissions to create Cloud SQL instances.
C.The organization policy is misconfigured and does not include Cloud SQL in the allowed list.
D.The organization policy is blocking all services not in a specific list, and Cloud SQL is not included because it is a data service rather than a compute service.
Answer: C

The error indicates the policy constraint is blocking the resource; Cloud SQL is likely not in the allowed list.

Why this answer

The error message explicitly references the `compute.restrictNonPdServices` organization policy constraint, which is used to restrict the creation of non-Persistent Disk (PD) services. The developer's attempt to create a Cloud SQL instance is denied because the custom policy's allowed list does not include Cloud SQL, even though it is a FedRAMP authorized service. The policy must be updated to include Cloud SQL in the allowed services list for the operation to succeed.

Exam trap

Google Cloud often tests the distinction between organization policy constraints and IAM permissions, and the trap here is that candidates may confuse a policy constraint error with a permissions error, or incorrectly assume that FedRAMP authorization automatically overrides organization policies.

How to eliminate wrong answers

Option A is wrong because the error message does not mention region restrictions; the `compute.restrictNonPdServices` constraint controls service types, not geographic regions. Option B is wrong because the error message explicitly cites an organization policy constraint violation, not an IAM permission issue; IAM errors would produce a different message (e.g., 'Permission denied'). Option D is wrong because Cloud SQL is a managed database service that falls under the scope of the `compute.restrictNonPdServices` constraint, and the error indicates it is being blocked due to the allowed list, not because it is a 'data service'—the constraint applies to all non-PD services, not just compute services.

149
MCQ (hard)

A company handling credit card information must comply with PCI DSS. They use Cloud KMS with CMEK keys stored in a key ring. During a compliance audit, the auditor asks how keys are protected against unauthorized use by Google. What should the company explain?

A.They store keys in Cloud HSM, which ensures keys never leave the HSM and are bound to a specific project
B.They use customer-supplied encryption keys (CSEK), so Google never has access to keys
C.They use Cloud KMS with CMEK, and the keys are encrypted using Google-managed key encryption keys (KEKs)
D.They enabled Access Approval, so Google must obtain approval before accessing keys
Answer: A

Cloud HSM provides hardware-level protection; keys cannot be exported and are protected against unauthorized access by Google personnel.

Why this answer

Option A is correct because Cloud HSM provides a FIPS 140-2 Level 3 validated hardware security module (HSM) where customer-managed encryption keys (CMEK) are generated and used exclusively within the HSM boundary. The keys never leave the HSM in plaintext, and access is bound to the specific Google Cloud project, ensuring that even Google administrators cannot extract or use the keys outside the authorized project context.

Exam trap

Google Cloud often tests the distinction between key storage (Cloud HSM) and key management (Cloud KMS with CMEK), where candidates mistakenly believe that CMEK alone prevents Google access, when in fact only Cloud HSM provides hardware-level isolation that prevents Google from using the keys.

How to eliminate wrong answers

Option B is wrong because customer-supplied encryption keys (CSEK) are used for encrypting data at rest in Google Cloud Storage, not for Cloud KMS key protection; CSEK are provided by the customer and Google does not store them, but the question specifically asks about CMEK keys stored in a key ring, not CSEK. Option C is wrong because Cloud KMS with CMEK does use Google-managed key encryption keys (KEKs) to encrypt the CMEK keys at rest, but this does not prevent Google from having access to the keys; the KEKs are managed by Google, so Google could theoretically decrypt the CMEK keys. Option D is wrong because Access Approval is a feature that allows customers to approve or deny access requests from Google support or engineering personnel, but it does not prevent unauthorized use by Google itself; it only provides a notification and approval workflow for specific access requests, not a technical barrier against Google's underlying access to the keys.

150
MCQ (easy)

A company has two VPC networks in the same project: VPC-A (10.0.0.0/16) and VPC-B (172.16.0.0/16). They have established VPC peering between them. An instance in VPC-A needs to communicate with an instance in VPC-B on TCP port 443. What is the minimal firewall configuration needed?

A.Add an ingress firewall rule in VPC-B allowing traffic from 10.0.0.0/16 on port 443.
B.Add an ingress firewall rule in VPC-A allowing traffic from 172.16.0.0/16 on port 443.
C.Add a single firewall rule in the project with source 10.0.0.0/16 and destination 172.16.0.0/16 on port 443.
D.Add an egress firewall rule in VPC-A allowing traffic to 172.16.0.0/16 on port 443.
Answer: A

Ingress rule on the target network is required; default egress allows outbound from source.

Why this answer

Option A is correct because VPC peering does not automatically allow traffic; firewall rules must explicitly permit the desired communication. Since the instance in VPC-A initiates the connection to VPC-B, VPC-B's firewall must have an ingress rule allowing traffic from VPC-A's CIDR (10.0.0.0/16) on TCP port 443. This is the minimal configuration because egress rules in VPC-A are implicitly permissive by default in Google Cloud, and only the destination VPC's ingress needs to be opened.

Exam trap

Google Cloud often tests the misconception that VPC peering automatically opens all traffic between the peered networks, leading candidates to think no firewall rules are needed, or that egress rules must be added on the source side.

How to eliminate wrong answers

Option B is wrong because it adds an ingress rule in VPC-A for traffic from VPC-B, but the traffic flows from VPC-A to VPC-B, so VPC-A does not need to allow incoming traffic from VPC-B for this communication. Option C is wrong because Google Cloud firewall rules are applied per VPC network, not as a single project-level rule with both source and destination; they operate on ingress or egress direction, not as a bidirectional filter. Option D is wrong because egress rules in VPC-A are not needed; Google Cloud's default egress allow rule permits all outbound traffic unless explicitly overridden, and the minimal configuration only requires the ingress rule in VPC-B.
