Google Professional Cloud Security Engineer (PCSE) — Questions 151225

500 questions total · 7pages · All types, answers revealed

Page 2

Page 3 of 7

Page 4
151
MCQeasy

A company wants to grant a support team member the ability to view the IAM policy of a project (who has which roles) without being able to modify it. What is the least privileged predefined role that provides this access?

A.roles/viewer
B.roles/iam.securityAdmin
C.roles/iam.roleViewer
D.roles/iam.securityReviewer
AnswerD

Includes resourcemanager.projects.getIamPolicy and other read permissions for IAM.

Why this answer

The roles/iam.securityReviewer role grants read-only access to IAM policies and permissions across the project, including the ability to view who has which roles, without allowing modifications. This is the least privileged predefined role that provides exactly this access, as it is scoped to security-related read operations only.

Exam trap

Google Cloud often tests the distinction between viewing role definitions (roles/iam.roleViewer) and viewing actual IAM policy bindings (roles/iam.securityReviewer), causing candidates to confuse the two.

How to eliminate wrong answers

Option A is wrong because roles/viewer provides broad read access to all resources in the project, which is more permissive than necessary and includes many permissions beyond IAM policy viewing. Option B is wrong because roles/iam.securityAdmin grants full administrative control over IAM policies, including the ability to modify roles and permissions, which exceeds the requirement of read-only access. Option C is wrong because roles/iam.roleViewer only allows viewing predefined and custom role definitions, not the actual IAM policy bindings (who has which roles) on a project.

152
Multi-Selectmedium

You are a security engineer for a company that runs a critical application on Google Cloud. You need to implement defense in depth for network security. Which TWO of the following are effective network security controls that you should implement?

Select 2 answers
A.OS-level host-based firewalls on each VM
B.VPC firewall rules to restrict traffic between subnets
C.IAM roles to control who can create Compute Engine instances
D.Workload Identity Federation to allow workloads to authenticate to Google APIs
E.Cloud Armor to protect against DDoS and web application attacks
AnswersB, E

VPC firewall rules are a fundamental network security control to filter traffic.

Why this answer

VPC firewall rules (B) are a fundamental network security control that allow you to restrict traffic between subnets based on source/destination IP ranges, protocols, and ports. This implements network segmentation and micro-segmentation, which is a core principle of defense in depth. Cloud Armor (E) provides Web Application Firewall (WAF) capabilities and DDoS protection at the edge of Google's network, filtering malicious traffic before it reaches your VMs or load balancers.

Exam trap

Google Cloud often tests the distinction between network security controls (which filter traffic at the network layer) and host/identity/authentication controls, so candidates mistakenly select IAM or Workload Identity Federation because they think 'access control' equals network security.

153
MCQmedium

A financial institution is required to use customer-managed encryption keys (CMEK) for all data at rest in Google Cloud. They need to prevent key deletion by anyone except a specific IAM role. What should they do?

A.Enable destroy protection on the key ring
B.Use Organization Policies with a constraint to restrict key destruction
C.Assign the cloudkms.admin role only to a security team
D.Enable key rotation on the Cloud KMS key
AnswerA

Destroy protection prevents deletion of a key ring and its keys until the protection is disabled by an authorized user.

Why this answer

Option A is correct because enabling destroy protection on the key ring prevents any Cloud KMS key within that key ring from being destroyed, regardless of IAM permissions. This is a key ring-level setting that overrides IAM roles, ensuring that only a specific IAM role (e.g., cloudkms.admin) can disable destroy protection and then delete keys, meeting the requirement to restrict key deletion to a specific role.

Exam trap

Google Cloud often tests the misconception that IAM roles alone can prevent key deletion, but the trap here is that destroy protection is a separate, overriding mechanism that must be explicitly enabled at the key ring level to block destruction regardless of IAM permissions.

How to eliminate wrong answers

Option B is wrong because Organization Policies with constraints (e.g., constraints/cloudkms.disableDestroyProtection) can restrict the ability to disable destroy protection, but they do not directly prevent key destruction; they only control the destroy protection setting itself, not the actual deletion of keys. Option C is wrong because assigning the cloudkms.admin role to a security team does not inherently prevent key deletion by others; any user with the cloudkms.admin role can destroy keys unless destroy protection is enabled, and this option does not address the requirement to prevent deletion by anyone except a specific role. Option D is wrong because key rotation on a Cloud KMS key does not prevent deletion; it only automates the creation of new key versions and does not affect the ability to destroy the key or its versions.

154
MCQhard

An organization uses Cloud Run to deploy microservices. Each microservice needs to authenticate to Cloud Pub/Sub topics. The Security Engineer wants to enforce that each service only uses its own service account and cannot impersonate others. The team also wants to rotate credentials automatically. What is the best practice to achieve this?

A.Assign a dedicated service account to each Cloud Run service with the necessary Pub/Sub publisher role.
B.Configure each Cloud Run service to use the Compute Engine default service account and rely on the metadata server.
C.Use Workload Identity Federation to map each service to a Google service account.
D.Create a service account key for each service and store it in Cloud Secret Manager.
AnswerA

Cloud Run uses the attached service account to obtain short-lived tokens automatically.

Why this answer

Option A is correct because Cloud Run allows you to assign a dedicated, per-service service account at deployment time. By granting each service account only the Pub/Sub publisher role on its specific topic, you enforce least-privilege access and prevent impersonation. Cloud Run automatically rotates the short-lived tokens associated with these service accounts via the metadata server, eliminating the need for manual key management.

Exam trap

The trap here is that candidates often confuse the Compute Engine default service account (which is shared and not recommended for production) with the ability to assign dedicated service accounts per Cloud Run service, or they mistakenly think Workload Identity Federation is the correct approach for internal Google Cloud services.

How to eliminate wrong answers

Option B is wrong because using the Compute Engine default service account would give all Cloud Run services the same identity, violating the requirement that each service uses its own service account and cannot impersonate others. Option C is wrong because Workload Identity Federation is designed for external workloads (e.g., on-premises or other clouds) to impersonate Google service accounts, not for internal Cloud Run services that already have native identity support. Option D is wrong because creating and storing service account keys in Cloud Secret Manager introduces long-lived credentials that require manual rotation, contradicting the requirement for automatic credential rotation and increasing the risk of key leakage.

155
Matchingmedium

Match each compliance framework to its focus area.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Payment card data security

Protected health information privacy and security

Service organization controls for security, availability, etc.

Cloud security for U.S. federal agencies

Information security management system standard

Why these pairings

These are major compliance frameworks relevant to Google Cloud.

156
MCQmedium

A company notices that some Compute Engine instances are making unexpected outbound connections to suspicious IP addresses. They want to investigate the traffic patterns and identify the source of these connections. Which tool should they use?

A.Cloud Armor
B.Cloud IAM
C.VPC Flow Logs
D.Firewall Rules Insights
AnswerC

VPC Flow Logs record metadata about IP traffic to and from VMs.

Why this answer

VPC Flow Logs capture metadata about network traffic to and from Compute Engine instances, including source/destination IPs, ports, and protocols. By analyzing these logs, the company can identify the specific instances making unexpected outbound connections to suspicious IP addresses, enabling investigation of traffic patterns.

Exam trap

Google Cloud often tests the distinction between tools that log actual traffic (VPC Flow Logs) versus tools that enforce security policies (Cloud Armor) or manage rules (Firewall Rules Insights), leading candidates to confuse 'investigating traffic patterns' with 'blocking traffic' or 'optimizing rules'.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall (WAF) that protects against layer 7 attacks like SQL injection and XSS, not a tool for capturing or analyzing outbound traffic logs. Option B is wrong because Cloud IAM manages access control and permissions for Google Cloud resources, not network traffic monitoring or logging. Option D is wrong because Firewall Rules Insights provides recommendations for optimizing firewall rules (e.g., identifying unused or overly permissive rules), but does not log or report actual traffic flows or connections to specific IP addresses.

157
MCQeasy

For HIPAA compliance, which Google Cloud product provides a business associate agreement (BAA) and a dedicated environment for protected health information?

A.Confidential VMs
B.GKE Security Posture
C.Assured Workloads
D.Cloud Healthcare API
AnswerC

Assured Workloads provides a BAA, location controls, and access transparency for HIPAA compliance.

Why this answer

Assured Workloads is the correct answer because it enables customers to deploy workloads that must comply with HIPAA by providing a BAA-ready environment with enforced controls, including data residency, encryption, and access restrictions. It creates a dedicated folder with pre-configured security and compliance policies, ensuring that protected health information (PHI) is handled in a Google Cloud environment that meets HIPAA requirements.

Exam trap

Google Cloud often tests the misconception that a service-specific API or feature (like Cloud Healthcare API or Confidential VMs) inherently provides HIPAA compliance, when in fact the BAA and dedicated environment are delivered through the overarching compliance framework of Assured Workloads.

How to eliminate wrong answers

Option A is wrong because Confidential VMs provide memory encryption using AMD SEV-ES but do not offer a BAA or a dedicated compliance environment for PHI; they are a hardware-level security feature, not a compliance framework. Option B is wrong because GKE Security Posture is a dashboard for monitoring security configurations in Google Kubernetes Engine clusters, not a service that provides a BAA or enforces HIPAA-specific controls. Option D is wrong because Cloud Healthcare API is a service for ingesting and managing healthcare data, and while it can be used in a HIPAA-compliant manner, it does not itself provide a BAA or a dedicated environment; the BAA is obtained through Assured Workloads or a separate agreement.

158
MCQhard

A large enterprise is migrating its on-premises Active Directory to Google Cloud using Managed Microsoft AD (Microsoft AD). They have established a VPN connection between their on-premises network and VPC. The domain controllers are fully synced, and users can authenticate from on-premises. However, applications running on Compute Engine VMs in the same VPC as Managed Microsoft AD are failing to authenticate using LDAP. The VMs are Linux-based and configured to use the Managed Microsoft AD domain for authentication via SSSD. The security team has verified that the firewall rules allow TCP/UDP 389 and 636 from the VMs to the Managed Microsoft AD IP addresses. The VMs can resolve the domain name (corp.example.com) to the correct IP of the Managed Microsoft AD domain controllers. What is the most likely cause of the authentication failure?

A.The VMs do not have the required network tag to allow inbound traffic from Managed Microsoft AD.
B.The VPN tunnel does not support LDAP traffic.
C.The DNS resolution returns the on-premises domain controller IP instead of the Managed Microsoft AD IP.
D.The Managed Microsoft AD service account does not have the 'domain controller' IAM role.
AnswerA

Managed Microsoft AD uses firewall rules with target tags. Without the tag, traffic is blocked.

Why this answer

Managed Microsoft AD in Google Cloud uses internal VPC IP addresses for its domain controllers. For Linux VMs using SSSD to authenticate via LDAP, the VMs must be able to initiate outbound LDAP traffic to the Managed Microsoft AD IPs, and the Managed Microsoft AD service must be able to respond. However, Managed Microsoft AD enforces network security by requiring that only VMs with a specific network tag (by default 'allow-ad') can receive inbound traffic from the Managed Microsoft AD service.

Without this tag on the VMs, the Managed Microsoft AD service will drop its response packets, causing authentication failures even though outbound firewall rules are open. The security team verified firewall rules for outbound traffic but missed this inbound tag requirement.

Exam trap

Google Cloud often tests the nuance that Managed Microsoft AD requires a specific network tag on client VMs for inbound LDAP responses, which candidates overlook because they focus only on outbound firewall rules or DNS resolution.

How to eliminate wrong answers

Option B is wrong because VPN tunnels operate at Layer 3 and do not inspect or block specific protocols like LDAP; they simply encapsulate IP packets. Option C is wrong because the question explicitly states that DNS resolution returns the correct IP of the Managed Microsoft AD domain controllers, not the on-premises IP. Option D is wrong because Managed Microsoft AD does not use IAM roles for domain controller permissions; it uses a service account for provisioning, but authentication within the domain is handled by Active Directory itself, not IAM.

159
Multi-Selecthard

An organization is designing a secure multi-tenant SaaS environment on GKE. They want to isolate tenant workloads using GKE namespaces and IAM. Which two steps should they take? (Choose two.)

Select 2 answers
A.Enable GKE Dataplane V2 for network isolation.
B.Grant cluster-level IAM roles to tenant users.
C.Use Kubernetes RBAC to restrict access within namespaces.
D.Create a separate GKE cluster per tenant.
E.Use Workload Identity to map tenant IAM roles to Kubernetes service accounts.
AnswersC, E

RBAC provides granular namespace-level access control.

Why this answer

Option C is correct because Kubernetes RBAC is the native mechanism for controlling access to resources within a namespace. By defining Role and RoleBinding objects, you can precisely restrict which tenant users can perform actions (e.g., get, list, create pods) inside their assigned namespace, ensuring logical isolation without requiring separate clusters.

Exam trap

Google Cloud often tests the distinction between network isolation (Dataplane V2) and access control (RBAC/IAM), leading candidates to confuse traffic filtering with permission boundaries.

160
MCQeasy

Refer to the exhibit. A security engineer sees this configuration for a Cloud Storage bucket. What does this indicate about the encryption of objects in this bucket?

A.Objects are encrypted with Google-managed keys, and the key name is the default.
B.Objects are encrypted with a customer-supplied key (CSEK).
C.Objects are encrypted with an external key from an on-premises HSM.
D.Objects are encrypted with a customer-managed key (CMEK) from Cloud KMS.
AnswerD

The `defaultKmsKeyName` field indicates CMEK.

Why this answer

Option D is correct because the exhibit shows `kmsKeyName` set to a Cloud KMS key resource name (e.g., `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME`). This indicates the bucket is configured with a customer-managed encryption key (CMEK) from Cloud Key Management Service (Cloud KMS), meaning Google uses the specified key to encrypt/decrypt objects, and the customer controls key rotation and access via IAM.

Exam trap

Google Cloud often tests the distinction between CMEK (persistent key reference in bucket config) and CSEK (per-request key, no stored reference), so candidates mistakenly pick CSEK when they see any mention of a custom key, ignoring that the `kmsKeyName` field is a persistent Cloud KMS resource identifier.

How to eliminate wrong answers

Option A is wrong because Google-managed keys are the default encryption (no `kmsKeyName` field is set), but the exhibit explicitly shows a `kmsKeyName` value, so it is not the default. Option B is wrong because customer-supplied encryption keys (CSEK) are provided per API call and are never stored or referenced by a persistent `kmsKeyName` in the bucket configuration; CSEK uses a different header (`x-goog-encryption-key`). Option C is wrong because external keys from an on-premises HSM are not directly supported by Cloud Storage; Cloud Storage only supports CMEK via Cloud KMS (which can use Cloud HSM as a key source, but the key is still managed in Cloud KMS, not an external on-premises HSM).

161
MCQhard

An organization is configuring a Cloud Storage bucket for a regulated workload. The bucket configuration shown in the exhibit was applied. Which compliance requirement is this configuration primarily designed to address?

A.Data retention and immutability.
B.Encryption at rest using customer-managed encryption keys (CMEK).
C.Access transparency for data access.
D.Data residency within a specific geographic region.
AnswerA

The retentionPolicy with isLocked=true enforces a mandatory retention period, making objects immutable until the retention period expires.

Why this answer

The bucket configuration includes object versioning enabled and a retention policy with a retention period. This combination ensures that objects cannot be deleted or overwritten before the retention period expires, addressing data retention and immutability requirements. This is a common compliance need for regulated workloads where data must be preserved in its original state for a defined duration.

Exam trap

Google Cloud often tests the distinction between bucket-level retention policies (which enforce immutability) and encryption or access control settings, leading candidates to confuse data retention with encryption at rest or data residency.

How to eliminate wrong answers

Option B is wrong because the configuration does not specify any encryption key type (e.g., CMEK, CSEK, or Google-managed keys); encryption at rest is enabled by default but not the primary focus. Option C is wrong because Access Transparency logs are not configured or referenced in the bucket settings; Access Transparency is an organization-level policy, not a bucket-level configuration. Option D is wrong because the bucket does not have a location constraint or a specific region set; the configuration shown does not enforce data residency.

162
Multi-Selecthard

A security engineer is responding to a data breach where an attacker exfiltrated data from a Cloud Storage bucket. Which TWO steps should the engineer take to contain the breach and preserve evidence? (Choose TWO.)

Select 2 answers
A.Disable the bucket's public access.
B.Remove the bucket's IAM policies.
C.Delete the bucket to prevent further exfiltration.
D.Enable Cloud Audit Logs for data access.
E.Create a copy of the bucket's data to a new bucket.
AnswersA, E

Prevents further unauthorized data access.

Why this answer

Options A and C are correct. Disabling public access stops further exfiltration, and creating a copy preserves the bucket's data for forensics. Removing IAM policies (B) may disrupt analysis.

Enabling logs (D) after the breach won't capture past events. Deleting the bucket (E) destroys evidence.

163
MCQeasy

Refer to the exhibit. A compliance officer sees this Organization Policy applied at the organization level. Which compliance requirement does this policy primarily address?

A.Encryption key management
B.Data residency
C.Audit logging
D.Access control
AnswerB

The policy limits where resources can be created, ensuring data remains in specified regions to meet residency requirements.

Why this answer

The Organization Policy shown restricts the allowed locations for Compute Engine resources to a specific region (e.g., us-central1). This directly enforces data residency requirements by preventing resources from being created or moved outside of approved geographic boundaries, ensuring that data remains within a particular jurisdiction to comply with regulations like GDPR or HIPAA.

Exam trap

Google Cloud often tests the distinction between organization policies that enforce location restrictions versus other compliance controls like IAM or encryption, leading candidates to confuse data residency with access control or key management.

How to eliminate wrong answers

Option A is wrong because encryption key management is handled by Cloud KMS and key rotation policies, not by location-based organization policies. Option C is wrong because audit logging is governed by Audit Logs configuration and log sinks, not by resource location constraints. Option D is wrong because access control is enforced through IAM roles and policies, not by restricting where resources can be deployed.

164
MCQeasy

A security administrator needs to ensure that all service account keys older than 90 days are automatically disabled to reduce the risk of key compromise. Which Google Cloud service should be used to implement this policy?

A.Cloud Secret Manager
B.Organization Policy Service
C.Cloud IAM
D.Cloud Key Management Service
AnswerB

Organization policies can set constraints like 'Disable automatic key creation' and 'Key expiry duration'.

Why this answer

Option D is correct because Organization Policies can enforce constraints like disabling automatic key creation or setting key expiration. Option A is incorrect because IAM itself does not have lifecycle policies. Option B is incorrect because Secret Manager does not manage service account keys.

Option C is incorrect because Cloud Key Management Service does not manage service account keys.

165
MCQmedium

A financial services company uses Cloud Storage to store sensitive customer data. They want to encrypt this data at rest using customer-managed encryption keys (CMEK) and automate key rotation every 90 days. Which approach should they take?

A.Rely on Google-managed encryption keys (default Cloud Storage encryption) and enable key rotation logs for auditing.
B.Create a Cloud KMS key ring and a key with rotation period 90 days. Use the key as CMEK for the Cloud Storage bucket.
C.Configure Cloud External Key Manager (EKM) to manage the encryption key externally and have Cloud Storage use it via CMEK integration.
D.Use customer-supplied encryption keys (CSEK) and implement a custom Cloud Function to rotate keys every 90 days.
AnswerB

This uses Cloud KMS with automatic rotation, meeting the customer-managed and rotation requirements.

Why this answer

Option B is correct because Cloud KMS allows you to create a key ring and a key with a defined rotation period of 90 days, which can then be used as a customer-managed encryption key (CMEK) for a Cloud Storage bucket. This satisfies the requirement for customer-controlled key management and automated rotation without custom code.

Exam trap

Google Cloud often tests the distinction between CMEK (customer-managed keys in Cloud KMS with automated rotation) and CSEK (customer-supplied keys per request, no rotation support), leading candidates to mistakenly choose D for its perceived control without recognizing the operational overhead and lack of native rotation.

How to eliminate wrong answers

Option A is wrong because Google-managed encryption keys do not provide customer control over key rotation or auditing of key usage; they are fully managed by Google and cannot be rotated on a custom schedule. Option C is wrong because Cloud External Key Manager (EKM) is designed for keys managed outside Google Cloud, but the question specifies customer-managed keys within Google Cloud, and EKM does not support automated rotation via Cloud KMS policies. Option D is wrong because customer-supplied encryption keys (CSEK) require the customer to provide the key on every API call and do not support automated rotation; implementing a custom Cloud Function for rotation would be complex and error-prone, and CSEK is not integrated with Cloud KMS rotation schedules.

166
MCQmedium

A multi-national corporation must prevent data exfiltration from a project containing PII for GDPR compliance. They want to restrict access to only allow data transfer within the organization. Which Google Cloud service meets this requirement?

A.Use firewall rules to block all egress traffic except to approved IP ranges.
B.Create a VPC Service Control perimeter that includes the project and restricts access to other perimeters.
C.Set IAM policies to deny the storage.objectViewer role to non-compliant users.
D.Configure Cloud NAT for the VPC to route traffic through a single IP.
AnswerB

VPC Service Controls prevent data exfiltration by blocking access from outside the service perimeter.

Why this answer

VPC Service Controls allow you to define perimeters that protect the resources and data of Google Cloud services. By creating a perimeter that includes the project containing PII, you can restrict data transfer to only within the organization, preventing exfiltration to external networks or unauthorized identities, which directly meets GDPR compliance requirements.

Exam trap

Google Cloud often tests the misconception that network-level controls (firewalls, NAT) are sufficient to prevent data exfiltration from managed services, when in fact API-level controls like VPC Service Controls are required to block data movement through Google Cloud APIs.

How to eliminate wrong answers

Option A is wrong because firewall rules control network traffic at the IP/port level but cannot restrict data exfiltration via Google Cloud APIs or services that bypass the network stack, such as Cloud Storage or BigQuery. Option C is wrong because IAM policies control who can perform actions on resources but do not restrict data movement; a user with valid IAM roles could still exfiltrate data to an external location. Option D is wrong because Cloud NAT provides outbound connectivity with a single IP for VMs but does not restrict data egress to approved destinations or prevent exfiltration via API calls.

167
MCQeasy

A company is using Cloud SQL for MySQL to store financial data. They need to ensure that all data is encrypted at rest and in transit. What should they do?

A.Use client-side encryption before storing data in Cloud SQL.
B.Enable encryption at rest by checking a box in the Cloud Console.
C.Enable CMEK on the Cloud SQL instance and configure SSL/TLS.
D.Use the default encryption provided by Cloud SQL and enforce SSL/TLS connections.
AnswerD

Cloud SQL encrypts data at rest by default and supports SSL/TLS for in-transit encryption.

Why this answer

Option D is correct because Cloud SQL for MySQL automatically encrypts data at rest using AES-256, with no additional configuration required. To protect data in transit, you must enforce SSL/TLS connections by configuring the instance to require SSL and downloading the server certificate for client connections. This combination satisfies both encryption requirements without unnecessary complexity.

Exam trap

Google Cloud often tests the misconception that encryption at rest requires manual enablement or CMEK, when in fact Cloud SQL encrypts all data at rest by default, and the key decision is whether to enforce SSL/TLS for data in transit.

How to eliminate wrong answers

Option A is wrong because client-side encryption is not necessary; Cloud SQL already provides encryption at rest, and client-side encryption would add unnecessary overhead and complexity without improving security. Option B is wrong because encryption at rest is enabled by default in Cloud SQL; there is no checkbox to enable it, and this option ignores the requirement for encryption in transit. Option C is wrong because CMEK (Customer-Managed Encryption Keys) is an optional feature for encryption at rest, not a requirement; the default encryption already meets the need, and while configuring SSL/TLS is correct, CMEK is not needed and adds key management overhead.

168
MCQeasy

A company stores sensitive customer data in Cloud Storage. They want to ensure that only users with explicit IAM permissions can decrypt the data, and that Google does not have access to the encryption keys. Which encryption option should they use?

A.Customer-managed encryption keys (CMEK)
B.Google-managed encryption keys (GMEK)
C.Default encryption
D.Customer-supplied encryption keys (CSEK)
AnswerD

CSEK keys are not stored by Google; the customer supplies their own keys, and Google does not have access to them.

Why this answer

Customer-supplied encryption keys (CSEK) allow you to provide your own encryption keys, which are used to protect data at rest in Cloud Storage. Google does not store these keys on its servers; they are used only transiently during encryption/decryption operations and then discarded, ensuring that Google cannot access the keys or the decrypted data. This meets the requirement that only users with explicit IAM permissions can decrypt the data, as access to the CSEK must be granted through IAM roles like Storage Object Viewer with the CSEK key.

Exam trap

Google Cloud often tests the distinction between CMEK and CSEK, where candidates confuse 'customer-managed' (CMEK, stored in KMS) with 'customer-supplied' (CSEK, not stored by Google), leading them to incorrectly choose CMEK when the requirement is that Google has no access to the keys.

How to eliminate wrong answers

Option A is wrong because Customer-managed encryption keys (CMEK) are stored and managed in Cloud Key Management Service (KMS), and while you control the key, Google still has access to the key material in KMS, so Google could theoretically decrypt the data. Option B is wrong because Google-managed encryption keys (GMEK) are fully managed by Google, meaning Google has access to the keys and can decrypt the data at any time. Option C is wrong because Default encryption uses Google-managed keys (GMEK) by default, so Google has access to the encryption keys and can decrypt the data.

169
MCQeasy

A security engineer needs to provide secure SSH access to a Compute Engine instance that has no external IP address. What is the recommended method?

A.Set up VPC peering with the instance's VPC.
B.Create a Cloud NAT to allow inbound SSH.
C.Add a firewall rule allowing SSH from any IP.
D.Use Identity-Aware Proxy (IAP) TCP forwarding.
AnswerD

IAP TCP forwarding establishes an encrypted tunnel to the instance via the IAP service.

Why this answer

Option B is correct because IAP TCP forwarding allows SSH without external IP. Option A is wrong because Cloud NAT is for outbound internet, not inbound SSH. Option C is wrong because VPC peering is for VPC-to-VPC, not for a single instance.

Option D is wrong because firewall rules alone cannot provide access if there is no external IP.

170
MCQeasy

A small startup recently moved their infrastructure to Google Cloud. They have a single project with a few Compute Engine instances running a web application. The security team wants to ensure that all SSH access to the instances is audited and that any failed SSH attempts are alerted in real time. They have enabled OS Login and are using Cloud Identity-Aware Proxy (IAP) for SSH access. However, they are not sure how to capture the audit logs for SSH sessions. What should they do?

A.Enable Data Access audit logs for the IAP service and filter the logs for SSH connection attempts.
B.Enable Serial Port access logs on the instances to capture SSH sessions.
C.Configure Cloud Monitoring to watch for SSH connections via agent metrics.
D.Enable guest attributes on the instances to log SSH attempts.
AnswerA

IAP TCP forwarding generates audit logs that capture connection details.

Why this answer

Option C is correct because IAP TCP forwarding logs are available as Admin Activity audit logs when IAP is used for SSH. Option A is incorrect because guest attributes are not for audit logs. Option B is incorrect because Cloud Monitoring does not directly log SSH attempts.

Option D is incorrect because Serial port access logs are separate and not for IAP.

171
MCQhard

An organization uses Cloud NAT to allow private instances to access the internet. They notice that some connections are failing intermittently. What is a common cause?

A.The NAT IP address is exhausted because too many concurrent connections.
B.The NAT gateway does not support UDP traffic.
C.The VPC firewall rules block outbound traffic.
D.The instances are in a different region than the NAT gateway.
AnswerA

Port exhaustion from many concurrent connections can cause intermittent failures.

Why this answer

Option D is correct. Cloud NAT has a limit on the number of concurrent connections per NAT IP due to port exhaustion. When many connections are made, ports can be exhausted, causing intermittent failures.

Option A is incorrect because Cloud NAT supports UDP. Option B is a potential cause but the specific failure mode is port exhaustion. Option C is unlikely because outbound traffic is typically allowed by default.

172
Multi-Selectmedium

Which TWO options are required to use Cloud DLP to successfully inspect data in a Cloud Storage bucket?

Select 2 answers
A.A service account with roles/storage.objectViewer to read the bucket.
B.A Cloud Function to send each file to the DLP API.
C.The bucket must be in the same project as the DLP job.
D.A Pub/Sub topic to receive inspection results.
E.The bucket must contain only text-based files (e.g., CSV, JSON).
AnswersA, E

DLP needs permission to access the objects.

Why this answer

Option A is correct because Cloud DLP requires read access to the Cloud Storage bucket to inspect objects. The service account used by the DLP job must have the roles/storage.objectViewer IAM role, which grants permission to list and read objects without needing to download them. This ensures the DLP API can access the data for content inspection.

Exam trap

Google Cloud often tests the misconception that Cloud DLP requires additional infrastructure like Cloud Functions or Pub/Sub to inspect Cloud Storage, when in fact DLP can directly access buckets with the correct IAM permissions.

173
MCQeasy

A developer accidentally committed a file containing a service account key to a public GitHub repository. Which action should be taken immediately to invalidate the compromised key?

A.Disable the service account key using IAM.
B.Delete the service account and create a new one.
C.Use Cloud DLP to find and redact the key.
D.Rotate the key using Cloud KMS.
AnswerA

Disabling the key immediately renders it unusable.

Why this answer

Option A is correct because immediately disabling the service account key using IAM (Identity and Access Management) is the fastest way to revoke the compromised credential's access to Google Cloud resources. Disabling the key prevents any further use of that key for authentication, even if it is still present in the public repository. This action does not affect other keys or the service account itself, allowing the developer to later rotate or delete the key without disrupting existing workloads.

Exam trap

Google Cloud often tests the distinction between 'disabling' a key (immediate revocation without side effects) and 'deleting' the service account (overly destructive), and candidates may confuse Cloud KMS (for encryption keys) with IAM (for service account keys).

How to eliminate wrong answers

Option B is wrong because deleting the entire service account would disrupt all workloads and resources that depend on that service account, including other valid keys and IAM bindings, which is an unnecessarily destructive action. Option C is wrong because Cloud DLP is a data loss prevention service used for inspecting and redacting sensitive data in content, but it cannot invalidate or revoke a key that has already been exposed; it only helps find and mask the key in the repository, not stop its use. Option D is wrong because Cloud KMS (Key Management Service) is used for managing encryption keys, not service account keys; rotating a key in Cloud KMS has no effect on a service account's JSON key file, which is a different type of credential.

174
MCQhard

A security team has a Cloud KMS key used for encrypting Cloud Storage objects. They need to ensure that when the key is rotated, old data remains decryptable without manual re-encryption. They also want to minimize the number of key versions. Which approach should they take?

A.Use automatic rotation and disable previous key versions after 30 days.
B.Use automatic rotation and keep one previous key version indefinitely.
C.Use manual rotation and delete old key versions after confirmation that all data has been re-encrypted.
D.Use symmetric key with purpose SYMMETRIC_ENCRYPT_DECRYPT and set rotation period to 0 (never).
AnswerB

This ensures old data remains decryptable and minimizes versions.

Why this answer

Option B is correct because Cloud KMS supports automatic key rotation while retaining previous key versions indefinitely. When a key is rotated, new data is encrypted with the latest version, but old data remains decryptable using the previous key version that is kept. This satisfies the requirement of minimizing manual intervention and key version count, as only one previous version is retained.

Exam trap

Google Cloud often tests the misconception that disabling or deleting old key versions is necessary for security, but the correct approach is to retain previous versions to ensure old data remains decryptable without manual re-encryption.

How to eliminate wrong answers

Option A is wrong because disabling previous key versions after 30 days would render old data undecryptable unless it has been re-encrypted, which contradicts the requirement to avoid manual re-encryption. Option C is wrong because manual rotation and deleting old key versions after re-encryption requires manual effort and does not minimize key versions; it also risks data loss if re-encryption is incomplete. Option D is wrong because setting a rotation period to 0 (never) means the key is never rotated, which fails the requirement to rotate keys and does not provide a mechanism to keep old data decryptable after rotation.

175
MCQmedium

A company wants to allow its on-premises applications to access Google Cloud resources using short-lived credentials without storing a service account key file. Which solution should they use?

A.Configure Workload Identity Federation between the on-premises identity provider and Google Cloud.
B.Set up a Cloud VPN connection and use private IPs to access resources.
C.Create a service account and download a JSON key file to the on-premises server.
D.Use signed URLs to grant access for each request.
AnswerA

This provides short-lived credentials without keys.

Why this answer

Workload Identity Federation allows on-premises applications to exchange tokens from an external identity provider (IdP) for short-lived Google Cloud access tokens, eliminating the need to store a service account key file. This solution meets the requirement for short-lived credentials and avoids the security risk of long-lived static keys.

Exam trap

Google Cloud often tests the distinction between network-level solutions (VPN) and identity-level solutions (federation), so candidates may incorrectly choose a VPN because it seems like a secure connection, but it does not solve the credential management requirement.

How to eliminate wrong answers

Option B is wrong because a Cloud VPN provides network-level connectivity but does not address authentication or the need for short-lived credentials; it still requires a service account or other identity to authorize access. Option C is wrong because downloading a JSON key file creates a long-lived static credential, which violates the requirement to avoid storing a service account key file and introduces security risks. Option D is wrong because signed URLs are used to grant time-limited access to specific objects in Cloud Storage, not for general access to Google Cloud resources by on-premises applications.

176
Drag & Dropmedium

Drag and drop the steps to set up Cloud Armor with a WAF rule in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Cloud Armor configuration involves creating the policy, defining rules, attaching to a backend, enabling logging, and testing.

177
MCQhard

A security engineer needs to configure Cloud KMS key rotation so that existing ciphertext can still be decrypted with old key versions, but new encryption uses the latest version. Which key management practice meets this requirement?

A.Set a rotation period on the key; Cloud KMS automatically creates new versions while old versions remain available for decryption.
B.Use a single key and manually update its material every 90 days.
C.Create a new key version manually and disable the previous version after a grace period.
D.Create a new key every rotation and delete the old key after confirming re-encryption.
AnswerA

Cloud KMS key rotation creates new versions; old versions stay enabled for decryption.

Why this answer

Option A is correct because Cloud KMS supports key rotation by creating new key versions while retaining all previous versions. When you set a rotation period, Cloud KMS automatically generates a new version at the specified interval, and the key's primary version (used for new encryption) is updated. Old key versions remain enabled and available for decryption of existing ciphertext, ensuring that data encrypted with older versions can still be decrypted without manual intervention.

Exam trap

Google Cloud often tests the misconception that key rotation requires manual management or that old key versions must be disabled or deleted to enforce security, but the correct practice is to retain old versions for decryption while using the latest version for new encryption.

How to eliminate wrong answers

Option B is wrong because manually updating the key material every 90 days does not create separate key versions; it replaces the existing key material, which would break the ability to decrypt ciphertext encrypted with the previous material. Option C is wrong because disabling the previous key version after a grace period would prevent decryption of any ciphertext encrypted with that version, violating the requirement that old ciphertext remains decryptable. Option D is wrong because deleting the old key after re-encryption is not a rotation practice; it requires manual re-encryption of all data and introduces risk of data loss if re-encryption is incomplete, and it does not leverage Cloud KMS's built-in versioning for seamless decryption of old ciphertext.

178
MCQeasy

A company must ensure that only authorized users can access sensitive data in Cloud Storage for PCI DSS compliance. They have configured a bucket with uniform bucket-level access. Which IAM policy should they use to grant access to a security team?

A.Bind the security team to roles/storage.objectViewer at the bucket level.
B.Bind the security team to roles/storage.legacyBucketReader at the bucket level.
C.Use ACLs to give the security team READ access to the bucket.
D.Bind the security team to roles/storage.admin at the project level.
AnswerA

Provides read-only access to objects, following least privilege.

Why this answer

Option A is correct because the 'Storage Object Viewer' role grants read-only access to objects, which is sufficient for security monitoring. Option B is wrong because the admin role grants full access, violating least privilege. Option C is wrong because bucket-level access is already uniform, so ACLs are not needed.

Option D is wrong because the bucket admin role gives full control, which is excessive.

179
MCQeasy

A junior developer created a service account with the roles/storage.admin role and downloaded a JSON key. What is the best practice to improve security?

A.Delete the key and use workload identity federation.
B.Rotate the key every 30 days.
C.Use a user-managed service account instead.
D.Restrict the key's usage with IP allowlists.
AnswerA

Workload identity federation allows authentication without keys, improving security.

Why this answer

Option D is correct. The best practice is to delete the key and use workload identity federation, which eliminates the need for long-lived keys. Option A is not directly relevant.

Option B is partially true, but rotation alone is not as secure as eliminating the key. Option C is not a standard best practice.

180
MCQmedium

A company has multiple VPC networks that need to communicate privately. They are evaluating VPC peering and Shared VPC. Which statement correctly describes a limitation of VPC peering compared to Shared VPC?

A.VPC peering cannot route traffic to an on-premises network via VPN
B.VPC peering does not support firewall rules
C.VPC peering does not support transitive peering
D.VPC peering requires all networks to be in the same project
AnswerC

This is a key limitation. Shared VPC allows all projects in the same host project to communicate directly.

Why this answer

VPC peering does not support transitive peering, meaning if networks A and B are peered, and A and C are peered, B cannot communicate with C through A. Shared VPC does not have this limitation.

181
MCQmedium

Refer to the exhibit. A security engineer runs this command to check bucket permissions. What is the most significant security issue?

A.The domain example.com has viewer access, which may be too broad.
B.The legacy role 'roles/storage.legacyBucketReader' is used.
C.The bucket allows public read access via 'allUsers' in both ACL and legacy role.
D.Uniform bucket-level access is disabled, allowing ACLs.
AnswerC

AllUsers gives access to anyone on the internet.

Why this answer

Option C is correct because the command output shows that the bucket has both an ACL granting 'allUsers' READER access and a legacy bucket role 'roles/storage.legacyBucketReader' assigned to 'allUsers'. This means the bucket is publicly readable via two independent mechanisms, which is the most significant security issue as it exposes all objects to the internet without authentication.

Exam trap

Google Cloud often tests the distinction between a legacy role being used (which is not inherently insecure) versus that role being granted to 'allUsers' (which creates public access), causing candidates to incorrectly select Option B because they focus on the role name rather than the principal it is assigned to.

How to eliminate wrong answers

Option A is wrong because the domain example.com having viewer access is not inherently a security issue; it is a specific domain restriction that limits access to authenticated users from that domain, which is more restrictive than public access. Option B is wrong because the legacy role 'roles/storage.legacyBucketReader' is not a security issue by itself; it is a valid role that provides read access to bucket metadata, and the problem is that it is granted to 'allUsers', not the role's existence. Option D is wrong because uniform bucket-level access being disabled is a configuration choice that allows ACLs, but it is not the most significant security issue; the actual exposure comes from the combination of public ACL and public legacy role assignment.

182
Multi-Selecteasy

Which two authentication methods are available for applications to authenticate to Google Cloud APIs without using a service account key? (Choose TWO.)

Select 2 answers
A.API key
B.Compute Engine metadata server default service account token
C.OAuth 2.0 client ID
D.Workload Identity Federation
E.Service account key
AnswersB, D

Instances can use the default service account to get tokens without keys.

Why this answer

Option B is correct because the Compute Engine metadata server provides a default service account token that applications running on Compute Engine can use to authenticate to Google Cloud APIs without needing to manage a service account key file. This token is automatically obtained from the metadata server at http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token, and it is rotated automatically by Google, eliminating the need for key storage and rotation.

Exam trap

Google Cloud often tests the distinction between methods that require a key (service account key, OAuth 2.0 client secret) and those that do not (metadata server, Workload Identity Federation), and the trap here is that candidates may incorrectly select API key or OAuth 2.0 client ID because they are familiar with them for user authentication, but they do not satisfy the 'without using a service account key' condition for application-to-API authentication.

183
MCQhard

A financial services company runs a PCI DSS-compliant workload on Google Cloud. They use a service account with roles/container.clusterAdmin to manage a GKE cluster. The security team has enabled Binary Authorization with a policy that requires all container images to be signed by a trusted authority. Recently, a developer reported that a new deployment failed with the error: 'Image verification failed: no signature found for digest sha256:abc...'. The image is stored in Artifact Registry and the developer built it using Cloud Build with a trigger that automatically signs images using Cloud KMS. The Cloud Build service account has roles/cloudkms.signerVerifier and roles/binaryauthorization.attestorsViewer. The Binary Authorization policy is configured to require at least one attestation from the trusted attestor. What is the most likely reason for the failure?

A.The Cloud Build service account lacks the roles/binaryauthorization.attestorsEditor role.
B.The container image is stored in a different registry that is not supported by Binary Authorization.
C.The GKE cluster's node service account does not have permission to verify attestations.
D.The Binary Authorization policy requires an attestation from a different attestor that is not configured.
AnswerA

This role is required to create attestations. Without it, the image is never signed, so verification fails.

Why this answer

The Cloud Build service account has roles/cloudkms.signerVerifier and roles/binaryauthorization.attestorsViewer, which allow it to sign images and view attestors, but it lacks the roles/binaryauthorization.attestorsEditor role. Without this role, the service account cannot create or manage attestations in Binary Authorization, so even though the image is signed, no attestation is recorded, causing the policy to fail with 'no signature found'.

Exam trap

Google Cloud often tests the distinction between signing an image (which requires Cloud KMS permissions) and creating an attestation (which requires Binary Authorization attestor editor permissions), leading candidates to overlook the missing attestorsEditor role.

How to eliminate wrong answers

Option B is wrong because Artifact Registry is fully supported by Binary Authorization, and the error indicates the image is stored there. Option C is wrong because the node service account does not need to verify attestations; Binary Authorization enforcement happens at the admission controller level, not via node permissions. Option D is wrong because the policy is configured to require at least one attestation from the trusted attestor, and the issue is that no attestation was created, not that a different attestor is required.

184
MCQhard

A company uses multiple GCP projects and wants to allow a service account from Project A to initiate Dataflow jobs in Project B. The service account in Project A has the Dataflow Developer role at the organization level. However, it fails with permission denied when trying to submit a job to Project B. What is the most likely issue?

A.The organization policy restricts cross-project access.
B.The service account does not have permission to create Dataflow jobs in Project B because it is not a member of Project B.
C.The Dataflow API is not enabled in Project B.
D.The service account needs the Service Account User role on the Dataflow service account in Project B.
AnswerD

To act as the project's compute service account, the launching service account needs roles/iam.serviceAccountUser.

Why this answer

The service account from Project A has the Dataflow Developer role at the organization level, which grants permissions to create Dataflow jobs, but it still needs the Service Account User role (roles/iam.serviceAccountUser) on the Dataflow service account in Project B. When a Dataflow job is submitted, the job runs as a service account in the target project (Project B), and the caller must have the iam.serviceAccounts.actAs permission on that service account. Without this role, the API call fails with a permission denied error even though the Dataflow Developer role is present.

Exam trap

Google Cloud often tests the distinction between having a role that grants the ability to create a resource (like Dataflow Developer) versus the need for the Service Account User role to act as the service account that runs the resource, which is a subtle but critical IAM permission requirement.

How to eliminate wrong answers

Option A is wrong because organization policies can restrict cross-project access, but the question states the failure is a permission denied error when submitting a job, not a policy violation, and there is no indication that an organization policy is blocking the action. Option B is wrong because the service account does not need to be a member of Project B; it can be granted roles at the organization level or via IAM cross-project permissions, and the Dataflow Developer role at the org level already grants the necessary Dataflow permissions across projects. Option C is wrong because if the Dataflow API were not enabled in Project B, the error would typically be an API not enabled error (e.g., 403 with 'API has not been used'), not a permission denied error; the question explicitly states 'permission denied'.

185
MCQhard

A Cloud Function that processes financial data is timing out after 60 seconds. The function performs complex calculations and cannot be decomposed further. What is the best solution?

A.Migrate the function to Cloud Run with a longer timeout
B.Change the Cloud Functions runtime from Node.js to Python
C.Increase the allocated memory for the function
D.Increase the Cloud Functions timeout to 120 seconds and optimize the code
AnswerD

Cloud Functions allows timeout up to 60 minutes for HTTP triggers; increasing it and optimizing code addresses the timeout directly.

Why this answer

Option D is correct because Cloud Functions has a maximum timeout of 60 minutes (540 seconds) for HTTP functions; increasing the timeout to 120 seconds and optimizing code can resolve the timeout. Option A is wrong because changing the runtime won't inherently reduce execution time. Option B is wrong because Cloud Run has a similar timeout but also requires code changes; it's more complex than adjusting the function.

Option C is wrong because increasing memory alone may improve performance but does not extend timeout beyond 60 seconds.

186
Multi-Selecthard

Which THREE are best practices for managing encryption keys in Google Cloud?

Select 3 answers
A.Enable automatic rotation for keys that are used for encryption.
B.Use key versions and disable old versions instead of deleting them.
C.Use IAM conditions to restrict key usage based on caller IP or time.
D.Import key material from on-premises HSMs to avoid vendor lock-in.
E.Automatically delete old key versions once they expire.
AnswersA, B, C

Rotation limits the amount of data encrypted with a single key.

Why this answer

Option A is correct because Cloud KMS supports automatic key rotation, which reduces the risk of key compromise by ensuring that encryption keys are periodically replaced without manual intervention. Automatic rotation creates new key versions at a specified interval (e.g., every 90 days) and automatically uses the latest version for encryption, while decryption can still use older versions. This aligns with the security best practice of limiting the amount of data encrypted under a single key version.

Exam trap

Google Cloud often tests the misconception that deleting old key versions is a security best practice, when in fact it destroys the ability to decrypt legacy data, and they also test the false assumption that importing keys from on-premises HSMs reduces vendor lock-in, when it actually ties you more tightly to the cloud provider's key management APIs.

187
Multi-Selectmedium

Which THREE of the following are best practices for using Cloud DLP to protect sensitive data in BigQuery?

Select 3 answers
A.Use inspection jobs to scan tables and identify sensitive data.
B.Store transformed data in a separate dataset with stricter access controls.
C.Use DLP to classify data and then apply access controls based on data classification.
D.Automatically apply deidentification transformations to sensitive columns.
E.Encrypt the entire BigQuery table using CMEK.
AnswersA, C, D

Inspecting data is a foundational step for data protection.

Why this answer

Option A is correct because Cloud DLP inspection jobs can scan BigQuery tables to identify sensitive data types (e.g., PII, credit card numbers) using built-in infoTypes. This is a foundational step before applying any deidentification or access control measures, as it allows you to discover where sensitive data resides.

Exam trap

Google Cloud often tests the distinction between data discovery/inspection (DLP) and data protection mechanisms like encryption (CMEK) or access control (IAM), leading candidates to confuse complementary security controls with DLP-specific best practices.

188
MCQeasy

A company has a compliance policy requiring that all data at rest in Cloud Storage be encrypted with a Cloud KMS key that is rotated every 90 days. The company uses CMEK with automatic key rotation enabled. An auditor discovers that some older objects in a bucket were created with a previous key version that has since been disabled. The compliance team requires that all objects be re-encrypted with the current key version. The bucket does not have object versioning enabled. What should the security engineer do to remediate this issue?

A.Re-enable the disabled key version in Cloud KMS so that objects can be read with the old key.
B.Use the 'gsutil rewrite -k' command to re-encrypt the objects with the current key version.
C.Enable object versioning on the bucket and delete the non-compliant object versions.
D.Create a new bucket with default encryption set to the current key and copy objects to it.
AnswerB

This command rewrites the object using the bucket's current KMS key, effectively re-encrypting it without changing other properties.

Why this answer

Option B is correct because the 'gsutil rewrite -k' command re-encrypts existing objects in Cloud Storage with the current Cloud KMS key version, without requiring object versioning or re-uploading. This directly addresses the compliance requirement to re-encrypt all objects with the current key version, even though the old key version is disabled.

Exam trap

Google Cloud often tests the misconception that re-enabling a disabled key version or copying objects to a new bucket is sufficient for compliance, when in fact only a direct re-encryption operation like 'gsutil rewrite -k' ensures the objects are encrypted with the current key version.

How to eliminate wrong answers

Option A is wrong because re-enabling the disabled key version does not re-encrypt the objects; it only allows decryption with the old key, leaving the objects non-compliant. Option C is wrong because enabling object versioning and deleting non-compliant versions does not re-encrypt the existing objects; it only removes old versions, but the current live objects remain encrypted with the old key. Option D is wrong because creating a new bucket and copying objects does not re-encrypt them with the current key; the copy operation preserves the original encryption unless explicitly re-encrypted, and it is an inefficient workaround compared to the direct rewrite command.

189
MCQhard

A company has a VPC with a subnet (10.1.0.0/24) in us-central1. They have a Cloud NAT configured for outbound traffic to the internet. They want instances in this subnet to access a third-party API that is only accessible over the internet and requires a specific static source IP for whitelisting. What is the recommended approach?

A.Assign external IPs to the instances and use network-level access controls.
B.Use Private Google Access to route traffic through Google's network.
C.Reserve a static NAT IP in Cloud NAT and whitelist that IP with the third party.
D.Configure a VPC Service Controls perimeter to restrict egress.
AnswerC

Cloud NAT can use a static external IP that is consistent and can be whitelisted.

Why this answer

Cloud NAT allows instances without external IPs to initiate outbound connections to the internet. By reserving a static NAT IP address in Cloud NAT, you ensure all outbound traffic from the subnet uses a consistent source IP, which can be whitelisted by the third-party API. This meets the requirement for a static source IP without assigning external IPs to individual instances.

Exam trap

The trap here is that candidates may confuse Private Google Access (which only works for Google APIs) with general internet egress, or assume that assigning ephemeral external IPs is sufficient for static whitelisting, ignoring that ephemeral IPs can change on instance restart or stop/start.

How to eliminate wrong answers

Option A is wrong because assigning external IPs to instances would expose them directly to the internet, increasing the attack surface, and does not guarantee a static source IP unless static external IPs are used and managed per instance, which is less scalable and secure than Cloud NAT. Option B is wrong because Private Google Access is designed for accessing Google APIs and services through Google's internal network, not for routing traffic to third-party internet APIs; it does not provide a static source IP for external destinations. Option D is wrong because VPC Service Controls perimeters are used to restrict data exfiltration from Google Cloud services (e.g., Cloud Storage, BigQuery) and do not control outbound internet traffic from compute instances to third-party APIs.

190
MCQmedium

A security engineer notices that some developers are still uploading their own public SSH keys to Compute Engine instances despite the organization policy above being applied to the folder. What is the most likely reason?

A.The policy only applies to projects, not folders.
B.The policy takes 24 hours to propagate to all projects.
C.The policy disables uploading service account keys, not user SSH keys.
D.The policy was applied at the organization level, not the folder level.
AnswerC

The policy name indicates it's for service account keys, not SSH keys.

Why this answer

Option C is correct because the organization policy described likely restricts the uploading of service account keys, not user SSH keys. The policy in question is typically the 'Disable service account key upload' constraint (iam.disableServiceAccountKeyUpload), which prevents users from creating or uploading external service account keys. It does not affect the ability to add public SSH keys to Compute Engine instances, which is governed by separate metadata-based mechanisms (e.g., oslogin or instance metadata).

Therefore, developers can still upload their own SSH keys despite the policy being applied.

Exam trap

The trap here is that candidates confuse 'keys' in general (SSH keys vs. service account keys) and assume a policy restricting key uploads applies to all key types, when in fact it only targets service account key operations.

How to eliminate wrong answers

Option A is wrong because organization policies can be applied at the folder level and will propagate to all projects within that folder; the policy does apply to folders, not just projects. Option B is wrong because organization policy propagation is near-instantaneous (typically within minutes), not 24 hours; there is no standard 24-hour delay for such policies. Option D is wrong because the scenario states the policy was applied to the folder, and applying it at the organization level would be even broader, not a reason for it to fail; the issue is the policy's scope (service account keys vs.

SSH keys), not the hierarchical level.

191
MCQhard

Refer to the exhibit. A developer created the firewall rule to allow HTTPS traffic from the API service account to instances tagged 'api-instances'. However, HTTPS requests from the API server (which runs on an instance with tag 'api-instances' and uses the default compute engine service account) are failing. What is the most likely cause?

A.The rule should have a higher priority to override the default implicit deny.
B.The source instance is using the default compute engine service account, not the specified api-sa.
C.The direction should be EGRESS because the traffic originates from the API server.
D.The rule should use sourceTags instead of sourceServiceAccounts to match the source instance.
AnswerB

This service account mismatch means the source does not match the rule's sourceServiceAccounts, so the traffic is not allowed.

Why this answer

Option B is correct because the firewall rule explicitly specifies the source as the API service account (api-sa), but the API server is using the default compute engine service account. In Google Cloud, firewall rules that use sourceServiceAccounts match traffic based on the service account attached to the source instance, not the instance's tags or the service account used by the application. Since the source instance's service account does not match the rule's specified service account, the HTTPS traffic is implicitly denied.

Exam trap

Google Cloud often tests the distinction between service account identity and instance tags, tricking candidates into thinking that tagging the source instance or using the default service account will satisfy a rule that explicitly specifies a different service account.

How to eliminate wrong answers

Option A is wrong because the default implicit deny rule has the lowest priority (65535) and any explicit rule with a higher priority (lower number) will override it; the issue is not about priority but about a mismatch in the source service account. Option C is wrong because the direction should be INGRESS, not EGRESS, as the traffic originates from the API server (source) and is destined for instances tagged 'api-instances' (destination); EGRESS rules control traffic leaving the destination, not incoming requests. Option D is wrong because the rule already uses sourceTags to match the destination instances (via targetTags), but the source is specified via sourceServiceAccounts; using sourceTags instead would not solve the service account mismatch and would not match the source instance's identity.

192
MCQmedium

A healthcare organization must ensure that only authorized personnel can access Protected Health Information (PHI) stored in Cloud Storage. They need to enforce encryption at rest and control access based on data classification. Which combination of Google Cloud services should they use?

A.Use customer-supplied encryption keys (CSEK) and Cloud Audit Logs.
B.Use Cloud HSM for key management and Cloud DLP to inspect data.
C.Enable Access Transparency and use Organization Policies to restrict resource locations.
D.Use customer-managed encryption keys (CMEK) with Cloud KMS and VPC Service Controls.
AnswerD

CMEK provides key control; VPC Service Controls prevent data exfiltration beyond the perimeter.

Why this answer

Option D is correct because it combines customer-managed encryption keys (CMEK) with Cloud KMS to enforce encryption at rest using keys controlled by the organization, and VPC Service Controls to restrict data access based on data classification by creating a security perimeter around Cloud Storage. This ensures that only authorized personnel within the defined perimeter can access PHI, meeting both encryption and access control requirements.

Exam trap

Google Cloud often tests the distinction between encryption key management (CMEK vs. CSEK) and access control mechanisms (VPC Service Controls vs. IAM), where candidates mistakenly choose options that address only one requirement or confuse data inspection (DLP) with access enforcement.

How to eliminate wrong answers

Option A is wrong because customer-supplied encryption keys (CSEK) require the customer to provide and manage the keys themselves, which does not leverage Google Cloud's key management for fine-grained access control, and Cloud Audit Logs only provide logging, not encryption or access enforcement. Option B is wrong because Cloud HSM is a hardware security module for key management, but Cloud DLP is used for inspecting and classifying data, not for controlling access to PHI based on classification. Option C is wrong because Access Transparency provides logs of Google administrator access, and Organization Policies restrict resource locations, but neither enforces encryption at rest nor controls access based on data classification.

193
MCQmedium

A financial services company must ensure that all data stored in Cloud Storage is encrypted with customer-managed encryption keys (CMEK) that are rotated every 90 days. They have enabled Organization Policy constraints to enforce CMEK. However, some new buckets are still being created without CMEK. What is the most likely cause?

A.VPC Service Controls are blocking the use of CMEK.
B.The buckets are created using a service account that has the CMEK permission but the key ring is not in the same region.
C.The Organization Policy constraint is not applied to the folder that contains the project.
D.The buckets are using the Archive storage class, which does not support CMEK.
AnswerC

If the constraint is not applied to the folder, projects may not inherit it.

Why this answer

Organization Policy constraints are hierarchical and must be applied at the project, folder, or organization level to take effect. If the constraint is applied only at the organization level but the project resides in a folder that does not inherit the policy (or the constraint is not applied to that folder), the policy will not enforce CMEK on buckets created in that project. This explains why new buckets can still be created without CMEK despite the policy being enabled elsewhere.

Exam trap

The trap here is that candidates assume Organization Policy constraints automatically apply to all projects in the organization, but they forget that policies must be inherited through the resource hierarchy and can be overridden or missing at the folder level.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls control data exfiltration and access boundaries, not encryption key enforcement; they do not block the use of CMEK. Option B is wrong because CMEK key rings can be in any region as long as the key is accessible; the key ring region does not prevent CMEK from being applied. Option D is wrong because the Archive storage class fully supports CMEK; all Cloud Storage classes support customer-managed encryption keys.

194
MCQmedium

A company has deployed a multi-region Kubernetes cluster using GKE. The security team wants to ensure that only pods with a specific service account can access a Cloud Storage bucket containing sensitive data. What is the best practice to achieve this?

A.Store a service account key as a Kubernetes secret and mount it into the pod.
B.Use Workload Identity to bind the Kubernetes service account to a Google service account with appropriate roles on the bucket.
C.Create a bucket ACL that grants read access to the GKE node service account.
D.Create a PersistentVolume with a GCSFuse bucket and use a pod security policy to restrict access.
AnswerB

Workload Identity provides a secure and manageable way to grant access to specific pods.

Why this answer

Workload Identity is the best practice because it allows you to bind a Kubernetes service account (KSA) to a Google service account (GSA) that has been granted specific IAM roles on the Cloud Storage bucket. This eliminates the need to manage and distribute static service account keys, as the pod authenticates directly to Google Cloud APIs using the GSA's identity via a secure token exchange. The GKE node's metadata server is configured to vend tokens for the bound GSA only to pods running with the designated KSA, ensuring that only those pods can access the bucket.

Exam trap

Google Cloud often tests the misconception that static keys (Option A) or node-level permissions (Option C) are acceptable for pod-level access control, when in fact Workload Identity is the recommended and more secure approach for binding pod identities to cloud IAM roles.

How to eliminate wrong answers

Option A is wrong because storing a service account key as a Kubernetes secret and mounting it into the pod introduces a static credential that must be rotated, can be exfiltrated, and violates the principle of least privilege; it is not a best practice for secure access to Cloud Storage. Option C is wrong because granting read access to the GKE node service account would allow all pods running on that node, regardless of their own service account, to access the bucket, which does not restrict access to only pods with a specific service account. Option D is wrong because creating a PersistentVolume with a GCSFuse bucket and using a pod security policy does not provide fine-grained identity-based access control; GCSFuse mounts the bucket using the node's service account by default, and pod security policies control runtime security constraints, not IAM-level access to the bucket.

195
MCQmedium

Refer to the exhibit. A compliance officer is reviewing an Access Transparency log entry. Which compliance benefit does this log provide?

A.It shows a user accessing a storage object
B.It provides evidence of data access by Google engineers
C.It tracks encryption key usage
D.It is a Cloud Audit Log for admin activity
AnswerB

Access Transparency logs show when Google employees access your data, which is required for certain compliance certifications.

Why this answer

Access Transparency logs are specifically designed to provide visibility into actions performed by Google personnel (e.g., engineers) on customer data. This log entry shows an operation by a Google support engineer, which directly supports compliance requirements by providing evidence of data access by Google engineers, as required for regulatory audits like SOC 2 or FedRAMP.

Exam trap

Google Cloud often tests the distinction between Access Transparency logs (Google personnel actions) and Cloud Audit Logs (customer actions), so candidates mistakenly choose an option about user access or admin activity instead of recognizing that Access Transparency is unique to Google engineer access.

How to eliminate wrong answers

Option A is wrong because Access Transparency logs do not show user access to storage objects; that is the function of Cloud Audit Logs (e.g., Data Access audit logs). Option C is wrong because encryption key usage is tracked by Cloud Key Management Service (KMS) audit logs, not Access Transparency logs. Option D is wrong because Cloud Audit Logs for admin activity are separate (Admin Activity audit logs), while Access Transparency logs specifically cover actions by Google personnel, not customer admin actions.

196
MCQhard

A company is undergoing a SOC 2 audit and needs to demonstrate that access to production data is monitored and that any changes to IAM policies are reviewed. They have enabled Cloud Audit Logs. The auditor asks for a report showing all IAM policy changes in the last 6 months. The security team notices that some older changes are missing. What is the most likely reason?

A.The log sink filter is excluding IAM policy changes.
B.Admin Activity audit logs are only retained for 30 days by default unless exported to a destination like Cloud Storage or BigQuery.
C.IAM policy changes are logged in Data Access audit logs, which are not enabled by default.
D.The logs were never exported to a long-term storage destination.
AnswerD

Without export, Admin Activity logs are retained for 400 days, but if the request is for 6 months (180 days), it should be within retention. However, if logs are not exported and the retention is 400 days, they should be there. But if the auditor wants more than 400 days, it would be missing. The question says 'older changes' implying >400 days, so missing due to retention expiration. But export would preserve them. So B is correct because without export they are lost after 400 days.

Why this answer

Option D is correct because Cloud Audit Logs are retained for a limited default period (30 days for Admin Activity logs), and the question states that the company enabled Cloud Audit Logs but does not mention exporting them to a long-term destination like Cloud Storage or BigQuery. Without such an export, logs older than 30 days are automatically deleted, which explains why some IAM policy changes from the last 6 months are missing. The auditor's requirement for a 6-month report necessitates a configured log sink to a durable storage destination.

Exam trap

The trap here is that candidates often confuse the default retention of Admin Activity logs (400 days in the log viewer) with the retention in the default Logging bucket (30 days), leading them to incorrectly assume logs are automatically available for 6 months without an export sink.

How to eliminate wrong answers

Option A is wrong because a log sink filter that excludes IAM policy changes would cause a consistent absence of those logs, not just older ones; the question indicates that some older changes are missing, not all. Option B is wrong because Admin Activity audit logs are retained for 400 days by default, not 30 days; the 30-day retention applies to Data Access audit logs, not Admin Activity logs. Option C is wrong because IAM policy changes are logged in Admin Activity audit logs, not Data Access audit logs; Data Access logs track resource access events (e.g., reading data) and are indeed disabled by default, but they are irrelevant to IAM policy changes.

197
MCQmedium

A company has deployed an internal HTTP Load Balancer (ILB) in us-west1 within a Shared VPC. The host project contains the ILB's forwarding rule and the backend service. The backend instances are Compute Engine VMs running in a service project in us-east1. The health checks for the ILB are consistently failing with 'unhealthy' status. The firewall rules in the host project allow ingress from the Google Cloud health checker ranges (130.211.0.0/22 and 35.191.0.0/16) on TCP port 80 to all VMs in the VPC. The backend VMs are running a web server listening on port 80. What is the most likely cause of the health check failures?

A.The ILB's forwarding rule and backends are in different regions.
B.The health checker firewall rule is not applied to the service project.
C.The backend VMs are not in the same project as the ILB.
D.The backend VMs do not have the correct IAM permissions for the ILB.
AnswerA

ILB requires backends to be in the same region as the forwarding rule; otherwise health checks fail.

Why this answer

The internal HTTP Load Balancer (ILB) in Google Cloud requires that the forwarding rule, backend service, and backend instances all reside in the same region. In this scenario, the ILB is deployed in us-west1, but the backend VMs are in us-east1. Cross-region backends are not supported for ILBs, causing health checks to fail because the load balancer cannot route traffic or verify health across regions.

Exam trap

Google Cloud often tests the misconception that health check failures are always due to firewall rules or IAM, when the real issue is the regional constraint of internal load balancers.

How to eliminate wrong answers

Option B is wrong because firewall rules in a Shared VPC are applied at the VPC level (host project) and propagate to all service projects; the health checker ranges are already allowed, so the service project does not need separate rules. Option C is wrong because ILBs in a Shared VPC can have backends in a service project; the backend VMs being in a different project is not inherently a problem. Option D is wrong because IAM permissions are not required for backend VMs to respond to health checks; health checks are network-layer probes that only require the VM to be reachable and listening on the specified port.

198
MCQhard

Your organization has a security requirement that all traffic to and from Compute Engine instances must be logged and analyzed. You have enabled VPC Flow Logs for all subnets. However, you notice that flow logs are not capturing all traffic between instances in the same subnet. What is the most likely reason?

A.VPC Flow Logs must be enabled on each individual instance, not on subnets.
B.VPC Flow Logs only capture traffic that crosses subnet boundaries.
C.Traffic to the metadata server (169.254.169.254) is not captured by VPC Flow Logs.
D.VPC Flow Logs sample only 1 out of 10 packets by default.
AnswerC

Metadata server traffic is not captured to reduce noise.

Why this answer

VPC Flow Logs do not capture traffic to the metadata server (169.254.169.254) because that traffic is considered internal infrastructure communication and is excluded from flow log collection by design. This is a documented limitation in Google Cloud, and it explains why some traffic between instances in the same subnet—such as metadata queries—is missing from the logs.

Exam trap

Google Cloud often tests the misconception that VPC Flow Logs capture all traffic, including metadata server communication, when in fact metadata traffic is explicitly excluded from flow log collection.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs are enabled at the subnet level, not per instance; once enabled on a subnet, all VM instances in that subnet are automatically covered. Option B is wrong because VPC Flow Logs capture traffic within a subnet (east-west) as well as traffic crossing subnet boundaries; they are not limited to cross-subnet traffic. Option D is wrong because VPC Flow Logs sample 1 out of 10 packets only for the 'sampled' metadata field, but all connections are still logged; the sampling does not cause entire flows to be missing.

199
MCQmedium

A security engineer needs to encrypt data at rest in Cloud Storage using a key that is not managed by Google Cloud. The key must be stored on-premises and provided with each API call for data access. Which encryption approach should be used?

A.Use customer-managed encryption keys (CMEK) with key material imported from an on-premises HSM.
B.Use Cloud KMS with a key stored in an on-premises HSM via Cloud External Key Manager.
C.Use Google-managed encryption keys with an organizational policy to disable automatic encryption.
D.Use customer-supplied encryption keys (CSEK) by providing the key in the request headers.
AnswerD

CSEK allows you to provide your own key with each API call, keeping the key on-premises.

Why this answer

Customer-supplied encryption keys (CSEK) allow you to provide your own AES-256 key with each API call to Cloud Storage. The key is not stored by Google Cloud; it is used only in memory to encrypt/decrypt data and then discarded, meeting the requirement of on-premises key storage and per-API-call key provision.

Exam trap

Google Cloud often tests the distinction between CMEK (key material managed in Cloud KMS) and CSEK (key provided per request), and the trap here is that candidates confuse 'customer-managed' with 'customer-supplied,' assuming CMEK satisfies the 'provided with each API call' requirement when it does not.

How to eliminate wrong answers

Option A is wrong because CMEK with imported key material still stores the key metadata and encrypts the key within Google Cloud KMS, meaning Google manages the key lifecycle and the key is not provided with each API call. Option B is wrong because Cloud External Key Manager (Cloud EKM) uses an external key management service accessible via a network endpoint, but the key is not provided with each API call; instead, Cloud KMS interacts with the external service on your behalf, and the key is not stored solely on-premises. Option C is wrong because Google-managed encryption keys are fully managed by Google Cloud and cannot be disabled via organizational policy; automatic encryption is always enabled, and you cannot supply your own key per API call.

200
MCQeasy

A company must ensure that all Compute Engine instances use only approved images from a specific project. They want to enforce this using Organization Policy. Which constraint should they use?

A.constraints/compute.restrictImageUsage
B.constraints/compute.restrictAuthorizedDomains
C.constraints/compute.trustedImageProjects
D.constraints/compute.restrictFirewallRules
AnswerA

This constraint restricts which images can be used to create instances.

Why this answer

The correct constraint is `constraints/compute.restrictImageUsage` because it directly controls which images can be used to create Compute Engine instances by specifying a list of allowed projects. This enforces the requirement that only approved images from a specific project are used, blocking instances launched with images from other projects.

Exam trap

Google Cloud often tests the distinction between valid and invalid constraint names, and the trap here is that candidates confuse the non-existent `constraints/compute.trustedImageProjects` with the real `constraints/compute.restrictImageUsage` because the word 'trusted' appears in the documentation for the feature but not in the constraint name.

How to eliminate wrong answers

Option B is wrong because `constraints/compute.restrictAuthorizedDomains` restricts the email domains that can be used for Cloud Identity or G Suite accounts, not image usage. Option C is wrong because `constraints/compute.trustedImageProjects` does not exist as a valid Organization Policy constraint; the correct constraint for trusted images is `constraints/compute.restrictImageUsage`. Option D is wrong because `constraints/compute.restrictFirewallRules` controls the creation of firewall rules, not the images used to launch instances.

201
MCQhard

A company has deployed a Cloud Run service that needs to access a Cloud SQL database. They have configured a service account for the Cloud Run service and granted it the Cloud SQL Client role. However, the application is receiving 'Permission denied' errors when trying to connect to the database. The database has a private IP and is in a VPC. What is the most likely cause?

A.The service account lacks the cloudsql.instances.connect permission.
B.Cloud Run cannot reach the private IP because it is not connected to the VPC via Serverless VPC Access.
C.The service account is not authorized in the Cloud SQL instance's IAM policy.
D.The Cloud SQL instance requires a public IP for Cloud Run to connect.
AnswerB

Serverless VPC Access is required to allow Cloud Run to reach resources on a VPC network.

Why this answer

Cloud Run services run in a Google-managed environment that is not automatically connected to a VPC. To reach a Cloud SQL instance with a private IP, the Cloud Run service must use Serverless VPC Access to establish a VPC connector, which enables direct traffic to the private IP. Without this connector, the service cannot route to the private IP, resulting in 'Permission denied' errors even though the IAM permissions are correct.

Exam trap

Google Cloud often tests the misconception that IAM permissions alone are sufficient for private IP access, when in fact network connectivity via Serverless VPC Access is required for Cloud Run to reach resources inside a VPC.

How to eliminate wrong answers

Option A is wrong because the Cloud SQL Client role includes the cloudsql.instances.connect permission, so the service account does have it. Option C is wrong because the Cloud SQL Client role already authorizes the service account in the Cloud SQL instance's IAM policy; no additional authorization is needed. Option D is wrong because Cloud Run can connect to a private IP via Serverless VPC Access, and a public IP is not required.

202
MCQmedium

A company runs a batch processing workload on Compute Engine VMs for 6 months. They want to reduce costs without sacrificing performance. Which option should they implement?

A.Switch to preemptible VMs
B.Use sole-tenant nodes to share resources across projects
C.Migrate to custom machine types to eliminate wasted resources
D.Purchase committed use discounts for the relevant machine types and regions
AnswerD

CUDs offer up to 57% discount for stable workloads with a commitment, directly reducing costs.

Why this answer

Option A is correct because committed use discounts (CUDs) provide significant discounts in exchange for a 1- or 3-year commitment, ideal for steady-state workloads. Option B is wrong because preemptible VMs are not suitable for long-running batch jobs due to termination risk. Option C is wrong because custom machine types may optimize resource use but do not offer discounts like CUDs.

Option D is wrong because sole-tenant nodes isolate VMs but do not reduce costs.

203
MCQhard

A company needs to meet a regulatory requirement that cryptographic keys for data at rest in Google Cloud must be managed in an on-premises HSM and never leave the HSM. Google Cloud services should be able to use those keys for encryption/decryption. Which solution should they implement?

A.Use Cloud HSM to protect keys imported from on-premises HSM.
B.Use Cloud External Key Manager (EKM) to connect to the on-premises HSM.
C.Use Cloud KMS with automatic key rotation and store key versions on-premises.
D.Use customer-supplied encryption keys (CSEK) for each service.
AnswerB

Cloud EKM enables Google Cloud services to use keys from an external HSM without the key leaving the HSM.

Why this answer

Cloud External Key Manager (EKM) allows you to use keys managed in a supported external key management system, such as an on-premises HSM, for Google Cloud services. The keys are used by Google Cloud for encryption and decryption but never leave the external HSM, satisfying the regulatory requirement that keys must remain on-premises.

Exam trap

Google Cloud often tests the distinction between key location (where the key material resides) and key usage (which service performs the crypto operation), leading candidates to choose Cloud HSM (Option A) because it sounds like a managed HSM, but it fails the 'keys never leave the HSM' requirement since the HSM is in Google Cloud, not on-premises.

How to eliminate wrong answers

Option A is wrong because Cloud HSM is a Google-managed HSM service; keys imported into Cloud HSM would be stored and managed within Google Cloud, not kept exclusively on-premises. Option C is wrong because Cloud KMS with automatic key rotation stores key versions within Google Cloud, not on-premises, and does not provide a mechanism to keep keys exclusively in an on-premises HSM. Option D is wrong because customer-supplied encryption keys (CSEK) are provided per service and are stored in Google Cloud for the duration of the operation, violating the requirement that keys never leave the on-premises HSM.

204
MCQeasy

A security engineer is reviewing a log entry in Cloud Logging with the above filter. The engineer wants to understand why this specific log entry was generated. Which action most likely caused this log entry?

A.An SSH login attempt failed due to incorrect credentials
B.A firewall rule blocked incoming traffic to the instance
C.An IAM policy change granted a user compute.instances.start access
D.A user stopped the Compute Engine instance
AnswerD

Stopping an instance generates an activity log entry.

Why this answer

The log entry was generated because a user stopped the Compute Engine instance. In Cloud Logging, instance lifecycle events such as STOP, START, or RESET are recorded with the method `compute.instances.stop`. This specific log entry matches the filter criteria (e.g., `protoPayload.methodName="v1.compute.instances.stop"`), indicating that the action was a stop operation, not a failure or policy change.

Exam trap

The trap here is that candidates may confuse the log entry's method name with a security-related event (like failed SSH or firewall block) because they overlook that the filter explicitly targets Compute Engine instance operations, not network or IAM events.

How to eliminate wrong answers

Option A is wrong because an SSH login failure would generate a log entry related to `ssh` or `oslogin` authentication, not a Compute Engine instance stop event. Option B is wrong because a firewall rule blocking traffic would produce a log entry under VPC firewall rules or packet rejection, not an instance lifecycle method. Option C is wrong because an IAM policy change granting `compute.instances.start` access would be logged under `google.iam.admin.v1.SetIamPolicy` or similar IAM methods, not `compute.instances.stop`.

205
Matchingmedium

Match each IAM role to its typical use case.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Full management of Compute Engine resources

Read-only access to Cloud Storage objects

Manage service accounts and keys

Manage Cloud KMS keys and key rings

Manage organization policies

Why these pairings

These are common IAM roles and their scopes.

206
MCQmedium

A company is using Cloud Composer (Airflow) to orchestrate data pipelines. A DAG is failing with a 'Task received SIGTERM' error. What is the most likely cause?

A.The worker node was preempted
B.The task exceeded its execution timeout
C.The task ran out of memory
D.The Airflow scheduler crashed
AnswerB

Airflow sends SIGTERM to tasks that exceed their execution timeout.

Why this answer

SIGTERM is sent when a task exceeds its execution timeout. Other causes produce different signals.

207
MCQmedium

A security engineer is using Cloud Asset Inventory to find all Compute Engine instances that are not labeled with a 'compliance' label. Based on the exhibit, which instance(s) are missing the compliance label?

A.Both instances
B.instance-2 only
C.Neither instance
D.instance-1 only
AnswerB

instance-2 lacks compliance label.

Why this answer

Option B is correct because the exhibit shows that instance-1 has a 'compliance' label with a value of 'true', while instance-2 has no 'compliance' label at all. Cloud Asset Inventory can query assets using label filters; the absence of the 'compliance' label on instance-2 means it fails the compliance labeling requirement. Therefore, only instance-2 is missing the compliance label.

Exam trap

Google Cloud often tests the distinction between a label that exists (even with an empty value) and a label that is completely absent, leading candidates to incorrectly assume that a missing label is the same as a label with a false or empty value.

How to eliminate wrong answers

Option A is wrong because both instances are not missing the compliance label; instance-1 has the label, so only one instance is missing it. Option C is wrong because instance-2 clearly lacks the 'compliance' label, so it is not true that neither instance is missing it. Option D is wrong because instance-1 does have the 'compliance' label, so it is not missing the label; the missing instance is instance-2 only.

208
MCQhard

A company has a VPC with two subnets: subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). They have a firewall appliance (internal IP 10.0.1.100) that inspects all traffic between subnets. They configure a policy-based route to redirect traffic from subnet-a to subnet-b to the appliance. However, traffic from subnet-a to subnet-b still goes directly. What is missing?

A.Compute Engine instances must have a custom route table to use policy-based routes.
B.A VPC route with priority 1000 (direct routing between subnets) is overriding the policy-based route with a lower priority.
C.A firewall rule is required to allow traffic to be redirected to the appliance.
D.The policy-based route must have the next hop IP set to the appliance's external IP.
AnswerB

The default VPC routes have priority 1000; if the policy-based route has a higher priority number, it is overridden.

Why this answer

B is correct because VPCs have an implicit default route for subnet-to-subnet traffic with a priority of 1000, which is higher than the priority of a policy-based route (typically 2000). Since the policy-based route has a lower priority (higher numerical value), the default route takes precedence, causing traffic to bypass the firewall appliance. To override this, the policy-based route must have a priority lower than 1000 (e.g., 500) to be preferred.

Exam trap

Google Cloud often tests the misconception that policy-based routes automatically override default VPC routes, but the trap is that the default subnet-to-subnet route has a higher priority (1000) than the policy-based route (2000), so candidates must remember to set a lower priority on the policy-based route to make it effective.

How to eliminate wrong answers

Option A is wrong because Compute Engine instances do not require custom route tables; policy-based routes are applied at the VPC level and affect all instances in the source subnet without needing per-instance configuration. Option C is wrong because firewall rules control whether traffic is allowed or denied, not the routing path; the issue is about route selection, not firewall permissions. Option D is wrong because the next hop for a policy-based route redirecting traffic to an internal appliance must be the appliance's internal IP (10.0.1.100), not its external IP, as traffic between subnets stays within the VPC and does not traverse the internet.

209
Multi-Selecteasy

Which TWO of the following are benefits of using Cloud NAT? (Choose TWO.)

Select 2 answers
A.Cloud NAT provides inbound port forwarding to instances.
B.Cloud NAT can be used to enable connectivity between VPC networks via VPN.
C.Instances without external IP addresses can connect to the internet.
D.Inbound connections from the internet are blocked unless explicitly allowed.
E.Cloud NAT automatically provides high availability across zones.
AnswersC, D

Cloud NAT enables outbound-only internet access for private instances.

Why this answer

Cloud NAT allows instances without external IP addresses to initiate outbound connections to the internet, translating their private IPs to a single public IP or a range. This is a core benefit because it enables secure outbound internet access without exposing instances to inbound traffic.

Exam trap

Google Cloud often tests the misconception that Cloud NAT provides inbound port forwarding or automatic high availability, but in reality it is strictly an outbound SNAT service that requires manual configuration for redundancy.

210
MCQhard

A security auditor needs to review all IAM policy changes made in the last 30 days across multiple projects. The auditor has the Organization Viewer role at the organization level. What is the most efficient way to provide access without giving unnecessary permissions?

A.Grant the auditor the Logs Viewer role at the organization level to view audit logs of IAM changes.
B.The existing Organization Viewer role already provides access to IAM policies across all projects.
C.Grant the auditor the Project Viewer role on each project.
D.Grant the auditor the roles/iam.securityReviewer role at the organization level.
AnswerD

This role provides read access to IAM policies across all projects within the organization.

Why this answer

Option D is correct because the roles/iam.securityReviewer role at the organization level grants read-only access to all IAM policies and audit logs across all projects in the organization, without granting any write or management permissions. This allows the auditor to review IAM policy changes efficiently without needing per-project assignments.

Exam trap

Google Cloud often tests the misconception that the Organization Viewer role provides broad read access to all resources, when in fact it only grants visibility into organization-level metadata, not IAM policies or audit logs.

How to eliminate wrong answers

Option A is wrong because the Logs Viewer role only provides access to log entries, not to IAM policies themselves; the auditor needs to review IAM policy changes, which requires reading the policies, not just logs. Option B is wrong because the Organization Viewer role only allows viewing organization-level resources and metadata, but does not grant access to IAM policies or audit logs across projects. Option C is wrong because granting the Project Viewer role on each project is inefficient and unnecessary; it would require manual assignment to every project, and it does not provide access to IAM policy history or audit logs.

211
Multi-Selectmedium

You are designing VPC firewall rules for a multi-tier application. Which TWO considerations are important when creating firewall rules in terms of security and manageability? (Choose TWO.)

Select 2 answers
A.Network tags are not recommended for large deployments because they require managing many tags.
B.Use hierarchical firewall policies to enforce baseline rules across all VPCs in the organization.
C.Use service accounts or network tags to target rules, rather than source CIDR, where possible for dynamic environments.
D.Enable firewall rules logging for all rules to ensure full auditability.
E.Always specify the target region for firewall rules to limit the scope.
AnswersB, C

Hierarchical policies provide centralized management and consistent enforcement.

Why this answer

Options A and C are correct. Using service accounts and tags allows dynamic rule targeting, and hierarchical rules centralize management. Option B is wrong because network tags are effective for large deployments.

Option D is wrong because global rules apply across regions, which is often desired. Option E is wrong because logging all rules may create excessive logs; only log important rules.

212
MCQeasy

A healthcare organization is deploying a new application on Google Cloud that will process protected health information (PHI) subject to HIPAA. The security team has enabled encryption at rest using Google-managed keys and configured Cloud Audit Logs. During a compliance review, the auditor notes that the organization has not yet signed a Business Associate Agreement (BAA) with Google Cloud. What should the organization do to remediate this issue?

A.Enable VPC Service Controls to satisfy HIPAA requirements without a BAA.
B.Use Customer-Managed Encryption Keys (CMEK) to meet the requirement for a signed BAA.
C.Sign a BAA with Google Cloud through the Google Cloud Console or by contacting Google Cloud Support.
D.Configure Access Transparency logs as a substitute for a BAA.
AnswerC

A BAA is required under HIPAA.

Why this answer

Under HIPAA, a covered entity or business associate must have a signed Business Associate Agreement (BAA) with any service provider that creates, receives, maintains, or transmits protected health information (PHI) on its behalf. Google Cloud offers a standard BAA that customers must accept through the Google Cloud Console or by contacting support; encryption at rest and audit logs are separate technical controls that do not satisfy this contractual requirement. Option C is correct because signing a BAA is the only direct way to establish the legally required business associate relationship with Google Cloud for PHI processing.

Exam trap

The trap here is that candidates confuse technical security controls (encryption, network isolation, logging) with the contractual requirement for a BAA, assuming that strong encryption or access controls can substitute for the legal agreement mandated by HIPAA.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls provide network-based data exfiltration prevention but do not create a contractual business associate relationship; HIPAA requires a signed BAA regardless of network controls. Option B is wrong because Customer-Managed Encryption Keys (CMEK) give the customer control over encryption keys but do not replace the legal obligation to sign a BAA; encryption is a technical safeguard, not a contractual one. Option D is wrong because Access Transparency logs provide visibility into Google administrative access but are not a substitute for a BAA; HIPAA mandates a signed agreement, not just logging features.

213
MCQeasy

Which service provides a centralized view of all resource configurations and IAM policies across projects?

A.Cloud Security Command Center
B.Cloud Asset Inventory
C.Cloud Audit Logs
D.Access Transparency
AnswerB

Cloud Asset Inventory captures snapshots of all resources and their IAM policies.

Why this answer

Option B is correct. Cloud Asset Inventory provides a centralized view of all resources and their IAM policies across projects. Option A, Cloud Security Command Center, provides security findings and vulnerabilities, not a full inventory.

Option C, Access Transparency, logs Google support access. Option D, Cloud Audit Logs, records API calls but not a static inventory.

214
MCQeasy

A security engineer wants to block all SSH access from the internet to a VPC network, except for a specific bastion host. What is the most efficient way to configure this?

A.Create a firewall rule allowing SSH only from the bastion host's IP and rely on the implicit deny
B.Create a firewall rule with deny SSH from 0.0.0.0/0 and a higher priority rule allowing SSH from the bastion host's IP
C.Use a service perimeter
D.Create a firewall rule denying SSH from all IPs except the bastion host using the 'except' sources
AnswerA

Since the implicit deny blocks all other traffic, this single rule is sufficient.

Why this answer

Option A is correct because VPC firewall rules are implicitly deny-all at the end of the evaluation order. By creating a single allow rule for SSH from the bastion host's IP, all other SSH traffic is implicitly denied by the default deny rule, without needing an explicit deny rule. This is the most efficient approach as it minimizes rule count and avoids potential priority conflicts.

Exam trap

Google Cloud often tests the misconception that you need an explicit deny rule to block traffic, when in fact the implicit deny at the end of the firewall rule evaluation order already blocks all traffic not explicitly allowed.

How to eliminate wrong answers

Option B is wrong because it introduces an unnecessary explicit deny rule for SSH from 0.0.0.0/0; the implicit deny already blocks all traffic not explicitly allowed, so the explicit deny adds no value and increases rule complexity. Option C is wrong because a service perimeter (VPC Service Controls) is designed to restrict data exfiltration from Google Cloud services, not to control network-level access like SSH to compute instances. Option D is wrong because VPC firewall rules do not support an 'except' syntax for sources; you cannot specify a deny rule with an exclusion list—you must use allow rules with specific source IPs.

215
MCQmedium

A company is using Cloud Monitoring to track latency of a microservice. They notice a sudden spike in the 99th percentile latency but no change in request count. What is the most likely cause?

A.A single slow query to a backend database
B.A pod restart in GKE
C.A misconfigured health check causing 503s
D.A DDoS attack
AnswerA

A slow query can increase tail latency, affecting p99 while average may remain low.

Why this answer

A single slow query to a backend database can increase p99 latency without affecting request count. Other options would affect availability or count.

216
Drag & Dropmedium

Drag and drop the steps to set up IAM conditions for a service account in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

IAM conditions involve identifying the scope, writing the condition, binding it, attaching the policy, and testing.

217
Multi-Selecthard

Which THREE steps are required to implement field-level encryption for sensitive columns in a Cloud SQL for PostgreSQL database using Cloud KMS? (Choose three.)

Select 3 answers
A.Create a symmetric encryption key in Cloud KMS.
B.Install the pgcrypto extension in the PostgreSQL database.
C.Configure a Cloud HSM key to generate the data encryption key.
D.Enable CMEK on the Cloud SQL instance.
E.Grant the Cloud SQL service account the 'Cloud KMS CryptoKey Encrypter/Decrypter' role.
AnswersA, B, E

The key is needed to encrypt/decrypt data at the field level.

Why this answer

Option A is correct because Cloud KMS symmetric encryption keys are used to encrypt data encryption keys (DEKs) that protect the column data. In field-level encryption, the application or database encrypts each column value using a DEK, which is then wrapped (encrypted) by a Cloud KMS key. This ensures the sensitive data is encrypted at the application layer, independent of the underlying storage encryption.

Exam trap

Google Cloud often tests the distinction between instance-level encryption (CMEK) and field-level encryption; the trap here is that candidates confuse CMEK (which encrypts the entire database at rest) with the need for a per-column encryption mechanism using pgcrypto and Cloud KMS.

218
MCQmedium

Refer to the exhibit. A security engineer reviews the IAM policy for a service account. What is the effect of the condition?

A.The user can only use the service account when the request originates from a specific IP range.
B.The condition has no effect because request.time is not a supported variable in IAM conditions.
C.The user can only use the service account when the resource is in a specific region.
D.The user can only use the service account before December 31, 2025.
AnswerD

Correct: The condition requires request.time < 2025-12-31T23:59:59Z, so access is only granted before that moment.

Why this answer

Option D is correct because the condition in the IAM policy uses the `request.time` attribute with a date/time comparison operator, which is a supported variable in IAM conditions. The condition `StringEquals` with `request.time` and a specific date (e.g., `2025-12-31T23:59:59Z`) restricts access to only before that timestamp, effectively granting access only until December 31, 2025. This is a common pattern for time-based access control in cloud IAM policies.

Exam trap

Google Cloud often tests the misconception that `request.time` is not a valid IAM condition variable, leading candidates to incorrectly choose Option B, but in reality, it is fully supported and commonly used for time-based access control.

How to eliminate wrong answers

Option A is wrong because the condition does not reference an IP address range (e.g., `request.ip` or `sourceIp`); it uses `request.time`, which is a time-based variable, not a network-based one. Option B is wrong because `request.time` is indeed a supported variable in IAM conditions (e.g., in AWS IAM or Google Cloud IAM), and the condition will have an effect by restricting access based on the current timestamp. Option C is wrong because the condition does not involve a resource region (e.g., `resource.location`); it only checks the request time, not the geographic location of the resource.

219
MCQeasy

A company runs a Cloud SQL for PostgreSQL instance that stores customer data. They must encrypt the database at rest using customer-managed encryption keys (CMEK) to meet regulatory requirements. The instance is currently using Google-managed encryption. What must they do to implement CMEK? The company wants to minimize downtime and avoid data loss.

A.Use the gcloud command to update the existing instance to use CMEK by specifying the key.
B.Create a new Cloud SQL instance with CMEK enabled, then export data from the old instance and import into the new one.
C.Configure Cloud External Key Manager (EKM) and attach it to the existing instance via a patch operation.
D.Implement client-side encryption in the application using a library like Tink and store the encrypted data in the existing database.
AnswerB

This meets the CMEK requirement by creating a new instance, and data migration via export/import ensures minimal data loss and manageable downtime.

Why this answer

Option B is correct because Cloud SQL does not support enabling CMEK on an existing instance; you must create a new instance with CMEK enabled at provisioning time. Exporting data from the old instance and importing it into the new one ensures the database is re-encrypted under the customer-managed key with minimal downtime and no data loss, as the export/import process preserves the data.

Exam trap

Google Cloud often tests the misconception that you can update an existing Cloud SQL instance to use CMEK via a gcloud command or API patch, when in reality CMEK must be configured at instance creation time.

How to eliminate wrong answers

Option A is wrong because the gcloud command cannot update an existing Cloud SQL instance to use CMEK; CMEK must be specified at instance creation time and cannot be added later via an update or patch operation. Option C is wrong because Cloud External Key Manager (EKM) is used for managing keys externally but does not enable CMEK on an existing instance; attaching EKM via a patch operation is not supported for changing encryption keys on a running Cloud SQL instance. Option D is wrong because client-side encryption with Tink would encrypt data before it reaches the database, which does not satisfy the requirement for database-at-rest encryption using CMEK; it also adds application complexity and does not leverage Cloud SQL's native encryption capabilities.

220
MCQmedium

A healthcare company must export Cloud Audit Logs to an external SIEM for HIPAA compliance. The logs must be retained for 7 years and be immutable. Which solution meets these requirements with minimal operational overhead?

A.Configure a log sink to send logs to an on-premises syslog server via VPN.
B.Create a Pub/Sub sink with a retention policy that delivers logs to a custom application.
C.Stream audit logs to BigQuery using a log sink, and set table expiration to 7 years.
D.Use a log sink to export logs to a Cloud Storage bucket with a retention policy of 7 years and Object holds enabled.
AnswerD

Retention policy prevents deletion until retention expires; Object holds prevent premature deletion.

Why this answer

Option D is correct because Cloud Storage buckets support Object holds, which prevent object deletion or modification, ensuring immutability. A retention policy set to 7 years enforces the minimum retention period required by HIPAA. This combination meets compliance needs with minimal operational overhead, as it leverages native GCP features without requiring custom infrastructure or manual management.

Exam trap

Google Cloud often tests the misconception that BigQuery or Pub/Sub can provide long-term immutable storage, but candidates must recognize that Cloud Storage with Object holds is the only native GCP service that offers both enforced retention and immutability without custom development.

How to eliminate wrong answers

Option A is wrong because sending logs to an on-premises syslog server via VPN introduces significant operational overhead for VPN maintenance, syslog server management, and does not inherently provide immutability or guaranteed 7-year retention. Option B is wrong because Pub/Sub retention policies are limited to a maximum of 7 days, not 7 years, and delivering logs to a custom application adds unnecessary complexity and does not ensure immutability. Option C is wrong because BigQuery table expiration only controls table deletion, not individual row immutability; data in BigQuery can be updated or deleted unless additional controls like time-travel or table-level access controls are implemented, which are not specified and add overhead.

221
MCQeasy

You are a security engineer for a startup that uses Google Workspace and Google Cloud. You have been asked to allow a contractor, who has a Google account (contractor@example.com), to manage Cloud Storage buckets in a specific project. The contractor should not have access to any other resources. You create a custom role with the necessary permissions and grant it to the user at the project level. However, the contractor reports that they cannot see the project in the Cloud Console. What is the most likely reason?

A.The contractor's Google account is not in the same domain as the Google Cloud organization.
B.The custom role does not include the 'resourcemanager.projects.get' permission, which is required to view the project in the console.
C.The contractor needs to sign in using a different authentication method, such as SAML.
D.An organization policy denies access to the project for external users.
AnswerB

This permission is needed to list and view projects in the console.

Why this answer

The Cloud Console requires the 'resourcemanager.projects.get' permission to list and display projects. Even though the custom role grants permissions to manage Cloud Storage buckets, without this specific permission, the contractor cannot see the project in the console. Granting the permission at the project level allows the user to view the project in the console while still restricting access to other resources.

Exam trap

Google Cloud often tests the distinction between permissions needed to perform actions via the API versus permissions needed to view resources in the console, leading candidates to assume that granting resource-specific permissions (like storage.buckets.*) is sufficient for console visibility.

How to eliminate wrong answers

Option A is wrong because the contractor's Google account does not need to be in the same domain as the Google Cloud organization; external Google accounts can be granted IAM roles at the project level. Option C is wrong because the contractor already has a Google account and can sign in directly; SAML is not required for console access. Option D is wrong because organization policies that deny access to external users would block all access, not just the ability to see the project, and there is no indication such a policy is in place.

222
Multi-Selecteasy

Which TWO actions should you take to reduce the attack surface of a Compute Engine VM? (Choose 2.)

Select 2 answers
A.Remove public IP addresses
B.Enable Secure Boot
C.Enable Instance Termination Action
D.Use preemptible VMs
E.Enable Virtual Trusted Platform Module (vTPM)
AnswersA, B

Removing public IP eliminates a direct attack vector from the internet.

Why this answer

Removing public IP and enabling Secure Boot reduce exposure. vTPM and other options do not directly reduce attack surface.

223
MCQmedium

A healthcare company's data science team needs to query BigQuery tables containing sensitive patient data. The company policy requires that all queries be logged and audited. The team has been granted the bigquery.user role on the project. However, when attempting to query a specific table in a dataset, they receive the error: "Access Denied: Table X: User does not have permission to query table X." The dataset has a custom IAM role assigned to the team's Google Group. The custom role includes the permissions: bigquery.datasets.get, bigquery.tables.get, bigquery.tables.list, and bigquery.jobs.create. The engineer verifies that the bigquery.user role does include bigquery.jobs.create. The engineer also confirms that the table exists and the dataset is in the same region as the project. What is the most likely cause of the access denied error?

A.The team is not granted the bigquery.jobUser role on the project.
B.The team is not granted the bigquery.metadataViewer role on the dataset.
C.The dataset is in a different region than the project's default location, causing cross-region access restrictions.
D.The custom role does not include the bigquery.tables.getData permission.
AnswerD

Option C is correct; the custom role lacks the bigquery.tables.getData permission, which is necessary to read table data during queries.

Why this answer

The error 'Access Denied: Table X: User does not have permission to query table X' indicates that the user lacks the permission to read the actual table data. The custom role assigned to the team's Google Group includes bigquery.tables.get (metadata) and bigquery.tables.list, but not bigquery.tables.getData, which is required to read table rows. Without bigquery.tables.getData, even with bigquery.jobs.create and dataset-level metadata permissions, query execution fails because BigQuery enforces data access separately from metadata and job creation.

Exam trap

Google Cloud often tests the distinction between metadata permissions (bigquery.tables.get) and data permissions (bigquery.tables.getData), tricking candidates into thinking that table-level metadata access is sufficient to query the table.

How to eliminate wrong answers

Option A is wrong because the bigquery.user role already includes bigquery.jobs.create, which is the core permission of bigquery.jobUser; adding bigquery.jobUser would not grant the missing data read permission. Option B is wrong because bigquery.metadataViewer provides only metadata access (e.g., listing tables, getting table definitions) and does not include bigquery.tables.getData, so it would not resolve the data access issue. Option C is wrong because the engineer confirmed the dataset is in the same region as the project, and cross-region access restrictions would cause a different error (e.g., 'Cannot query across regions') rather than an access denied error.

224
Multi-Selectmedium

Which TWO of the following are valid reasons to enable VPC Flow Logs? (Choose two.)

Select 2 answers
A.To log Cloud NAT translations for audit purposes
B.To detect and block DDoS attacks at the network layer
C.To enforce firewall rules automatically based on traffic patterns
D.To perform network forensics after a security incident
E.To troubleshoot connectivity issues between VMs
AnswersD, E

Correct: logs provide source/dest information.

Why this answer

Option D is correct because VPC Flow Logs capture metadata about IP traffic going to and from network interfaces in a VPC, including source/destination IPs, ports, protocols, and packet/byte counts. This historical data is essential for post-incident network forensics, allowing you to trace the path of malicious traffic, identify compromised hosts, and reconstruct the timeline of an attack. Without flow logs, you would lack the granular traffic records needed for such analysis.

Exam trap

Google Cloud often tests the distinction between passive logging (VPC Flow Logs) and active security controls (e.g., Cloud Armor, firewall rules), leading candidates to mistakenly think flow logs can block traffic or enforce policies.

225
MCQmedium

A healthcare startup is building a data pipeline on Google Cloud. They receive patient data via a REST API running on Cloud Run. The data includes sensitive health information that must be de-identified before being stored in BigQuery. They plan to use Cloud DLP to inspect and transform the data. However, due to latency requirements, they need to de-identify the data within 5 seconds of receiving the request. They have set up a Cloud DLP job to inspect the data synchronously using the DLP API. During testing, they notice that the de-identification sometimes takes over 10 seconds, causing API timeouts. They want to reduce the latency without compromising security. What should they do?

A.Use a Cloud Function to process the data and call the DLP API.
B.Use Cloud DLP with a content item size limit and stored infoTypes to reduce inspection time.
C.Instead of using Cloud DLP, use BigQuery column-level security with data masking.
D.Configure a Cloud DLP job to run asynchronously and store results in BigQuery, then modified the pipeline to read the de-identified data later.
AnswerB

Limiting content size and using pre-defined infoTypes speeds up synchronous inspection.

Why this answer

Option B is correct because Cloud DLP synchronous inspection latency is directly proportional to the content size and the number of infoTypes scanned. By limiting the content item size (e.g., to 1 MB) and using stored infoTypes (which are pre-compiled for faster matching), you reduce the inspection time significantly, enabling de-identification within the 5-second window without compromising security.

Exam trap

Google Cloud often tests the misconception that adding more compute resources (like Cloud Functions) or switching to asynchronous processing will solve latency issues, when the real bottleneck is the DLP inspection configuration itself.

How to eliminate wrong answers

Option A is wrong because introducing a Cloud Function adds an extra hop and cold-start latency, which does not address the root cause of DLP API slowness and may even increase overall latency. Option C is wrong because BigQuery column-level security with data masking only controls access at query time; it does not de-identify data before storage, leaving sensitive data exposed in the pipeline and violating the requirement to de-identify before storing. Option D is wrong because asynchronous DLP jobs are designed for batch processing and cannot meet the 5-second synchronous latency requirement; they introduce a delay that breaks the real-time pipeline.

Page 2

Page 3 of 7

Page 4

All pages