Google Professional Cloud Security Engineer (PCSE) — Questions 226–300

500 questions total · 7 pages · All types, answers revealed

Page 4 of 7
226
MCQ · medium

Refer to the exhibit. A security engineer runs the commands shown. The command 'gcloud compute instances list' fails with a permission denied error. The service account key belongs to a service account with the role 'roles/compute.viewer' on the project. What is the most likely cause?

A. The role 'roles/compute.viewer' does not include the permission to list instances.
B. The service account key file is invalid or the service account has been deleted.
C. The command 'gcloud auth activate-service-account' should be 'gcloud auth login' instead.
D. The project 'my-project' does not exist or the service account is not in that project.
Answer: B

Most likely cause: the key is invalid, causing authentication failure.

Why this answer

The command 'gcloud auth activate-service-account' uses a service account key file to authenticate as that service account. If the key file is invalid (e.g., corrupted, expired, or malformed) or the service account itself has been deleted, authentication will fail, causing subsequent commands like 'gcloud compute instances list' to return a permission denied error even if the service account has the correct role. The error is not about missing permissions on the role, but about the inability to prove identity.

Exam trap

Google Cloud often tests the distinction between authentication failure (invalid key/deleted account) and authorization failure (insufficient permissions), tricking candidates into assuming the role itself is missing a permission when the real issue is that the identity cannot be verified.

How to eliminate wrong answers

Option A is wrong because the role 'roles/compute.viewer' does include the 'compute.instances.list' permission, so it is sufficient to list instances. Option C is wrong because 'gcloud auth activate-service-account' is the correct command to authenticate using a service account key file; 'gcloud auth login' is for user accounts, not service accounts. Option D is wrong because if the project did not exist or the service account was not in it, the error would typically be 'project not found' or 'permission denied' after successful authentication, not a permission denied error caused by failed authentication; the scenario explicitly states the key belongs to a service account with the viewer role on the project, implying the project exists.

227
Multi-Select · medium

A security engineer is investigating a potential data breach in a Google Cloud environment. The engineer suspects that a compromised service account key was used to access Cloud Storage buckets. Which TWO actions should the engineer take immediately to mitigate the risk?

Select 2 answers
A. Disable the service account
B. Revoke all IAM roles granted to the service account
C. Rotate the service account key
D. Delete the compromised service account key
E. Enable Cloud Audit Logs for the service account
Answers: A, D

Disabling the service account immediately revokes all access for that account.

Why this answer

Disabling the service account immediately stops all access using any of its keys, including the compromised one, without deleting the account or its configuration. This is the fastest way to block the attacker while preserving the ability to investigate and re-enable the account later if needed. In Google Cloud, disabling a service account is a reversible action that revokes all authentication and authorization for that identity.

Exam trap

Google Cloud often tests the distinction between disabling a service account (which stops all access immediately) versus deleting or rotating a key (which may leave other keys or a window of exposure), and candidates mistakenly choose 'rotate the key' thinking it invalidates the old key, but rotation alone does not delete the old key.

228
Matching · medium

Match each encryption scope to its description.


Concepts
Matches

Data protected while traveling over networks

Data protected when stored on disk

Customer-supplied encryption keys for Google Cloud resources

Customer-managed encryption keys via Cloud KMS

Google-managed encryption keys for all data at rest

Why these pairings

These are encryption scopes and key management options.

229
Multi-Select · medium

A multinational corporation must comply with GDPR requirements for storing and processing personal data of EU citizens. The company is using Google Cloud and wants to ensure that data remains within the European Union. Which TWO actions should the organization take? (Select TWO.)

Select 2 answers
A. Set up VPC Service Controls to block access from outside the EU.
B. Enable Access Transparency logs to monitor access by Google support personnel.
C. Use Cloud Data Loss Prevention (DLP) to automatically redact personal data before storage.
D. Configure Organization Policies to restrict resource creation to EU regions only.
E. Use CMEK with a key stored in Cloud HSM located in a US region to encrypt data.
Answers: A, D

VPC Service Controls can prevent data access from outside the EU, further ensuring compliance.

Why this answer

Option A is correct because VPC Service Controls create a security perimeter around Google Cloud resources, allowing you to restrict data access based on attributes like IP address or geographic location. By configuring VPC Service Controls to block access from outside the EU, the organization can enforce that data stored and processed in Google Cloud remains within the European Union, directly supporting GDPR compliance for data residency.

Exam trap

Google Cloud often tests the distinction between data protection controls (like DLP or encryption) and data residency controls (like VPC Service Controls or Organization Policies), leading candidates to mistakenly select options that protect data but do not enforce geographic boundaries.

230
MCQ · easy

A company has configured a VPC firewall rule to allow HTTP traffic from a specific source IP range 203.0.113.0/24. However, HTTP requests from that range are being denied. Which initial verification should the security engineer perform?

A. Check if the source range overlaps with a deny rule
B. Check if the target instances have the correct network tag
C. Check the rule priority
D. Check the rule direction (ingress vs egress)
Answer: D

A firewall rule must be ingress to allow incoming traffic. If it is egress, it won't allow inbound connections.

Why this answer

Option D is correct because the rule is configured to allow HTTP traffic, but if the rule direction is set to egress instead of ingress, it will not apply to incoming HTTP requests from the source IP range. In Google Cloud VPC firewall rules, direction determines whether the rule applies to inbound (ingress) or outbound (egress) traffic; an egress rule only controls traffic leaving the VPC network, so HTTP requests arriving from the internet would be denied by the implied deny ingress rule.

Exam trap

Google Cloud often tests the misconception that firewall rules are automatically bidirectional or that source IP range alone guarantees traffic flow, when in fact the direction attribute must match the traffic path (ingress for incoming requests).

How to eliminate wrong answers

Option A is wrong because overlapping deny rules would cause denial, but the question asks for the initial verification; checking for overlaps is secondary to confirming the rule is actually applied to the correct traffic direction. Option B is wrong because target tags are used to apply rules to specific VM instances, but the rule already specifies a source IP range; if the rule direction is wrong, even correctly tagged instances will not receive the traffic. Option C is wrong because rule priority determines which rule applies when multiple rules match, but if the rule is egress, it will never match ingress traffic regardless of priority.

231
MCQ · easy

A startup is using Cloud Functions to process files uploaded to a Cloud Storage bucket. The Cloud Function is triggered by finalize events on the bucket. The developers created a service account for the Cloud Function and granted it the roles/storage.objectViewer role on the bucket. However, the function fails with a permission denied when trying to read the file. The function has the following XML in the event context: 'event_id'. What is the most likely issue?

A. The Cloud Function is using the default App Engine service account instead of the custom service account.
B. The service account does not exist.
C. The bucket is in a different project, and cross-project access is not configured.
D. The Cloud Function is not configured to be triggered by the correct event type.
Answer: A

The default service account may not have the required permissions, leading to the error.

Why this answer

The most likely issue is that the Cloud Function is using the default App Engine service account instead of the custom service account that was granted the roles/storage.objectViewer role. When a Cloud Function is deployed without explicitly specifying a service account, it defaults to the App Engine default service account (project-id@appspot.gserviceaccount.com), which does not have the necessary permissions to read the file. The custom service account with the objectViewer role exists but is not assigned to the function, causing the permission denied error.

Exam trap

Google Cloud often tests the default service account behavior in serverless services, where candidates assume that granting permissions to a custom service account automatically applies to the function, but the function must be explicitly configured to use that account.

How to eliminate wrong answers

Option B is wrong because the service account was explicitly created and granted the roles/storage.objectViewer role, so it does exist; the issue is that the function is not using it. Option C is wrong because there is no indication in the question that the bucket is in a different project; the error is a permission denied on the same project, and cross-project access would require additional IAM bindings but is not the described scenario. Option D is wrong because the function is correctly triggered by finalize events on the bucket, as indicated by the event context 'event_id', and the error occurs when trying to read the file, not during triggering.

232
MCQ · hard

Refer to the exhibit. This IAM policy is applied to a Google Cloud Storage bucket. Alice reports she cannot delete objects in the bucket. Bob can delete objects. What is the most likely reason?

A. The service account has objectAdmin role, but Bob is not a member.
B. The etag mismatch causes a conflict.
C. Bob has a higher role inherited from the project level.
D. Alice has only objectViewer role, which does not allow deletion.
Answer: D

The objectViewer role only allows read access to objects, not deletion.

Why this answer

Option D is correct. The policy shows Alice has only the roles/storage.objectViewer role, which does not include delete permissions. Bob, although listed in the same binding, must have additional permissions from another policy (e.g., at the project level) that allow him to delete objects.

Option C is incorrect because, although Bob's ability is likely due to inherited permissions, the exhibit only shows this policy. Option A is irrelevant because the service account does not affect Bob's permissions. Option B is incorrect; the etag is used to prevent concurrent modification of the policy, not to control access.

233
MCQ · easy

A user is getting a permission denied error when trying to access a Cloud SQL instance from a Compute Engine VM. The VM's service account has the Cloud SQL Client role. What is the most likely cause?

A. The Cloud SQL API is not enabled for the project.
B. The service account is not attached to the VM.
C. The user is not using a Cloud SQL proxy.
D. The Cloud SQL instance does not have a private IP.
Answer: A

The API must be enabled to allow access to Cloud SQL.

Why this answer

Even with correct IAM roles, the Cloud SQL API must be enabled for the project. The service account being attached is confirmed by the role assignment, private IP is not required for Client role, and using a proxy is optional but not the cause of permission denied.

234
Multi-Select · medium

Which TWO actions are required to meet FedRAMP Moderate baseline for Google Cloud?

Select 2 answers
A. Enable Multi-Factor Authentication (MFA) for all Google Cloud users with access to the project.
B. Use Customer-Supplied Encryption Keys (CSEK) for all Cloud Storage buckets.
C. Enable encryption at rest for all data using CMEK or Google-managed keys.
D. Enable Data Access audit logs for all Google Cloud services in the project.
E. Create VPC Service Controls perimeters to restrict data exfiltration.
Answers: A, C

FedRAMP Moderate requires strong authentication, including MFA.

Why this answer

Option A is correct because FedRAMP Moderate requires multi-factor authentication (MFA) for all users accessing the system, including Google Cloud users. Enabling MFA for all users with access to the project satisfies this control by adding an additional authentication factor beyond a password, as mandated by NIST SP 800-53 IA-2. Option C is correct because FedRAMP Moderate requires encryption at rest for all data, and using Customer-Managed Encryption Keys (CMEK) or Google-managed keys meets this requirement under NIST SP 800-53 SC-28.

Exam trap

Google Cloud often tests the misconception that all audit log types (including Data Access) are required for FedRAMP Moderate, when in fact only Admin Read, Admin Write, and Data Write logs are mandatory, and Data Read logs are optional.

235
MCQ · easy

A company wants to use Cloud CDN to cache content from an HTTP Load Balancer. They have a custom domain and want to serve traffic over HTTPS. What must they configure on the load balancer?

A. Create an SSL certificate resource and attach it to the HTTPS target proxy.
B. Set up a backend bucket with a public certificate.
C. Upload a custom SSL certificate directly to the Cloud CDN configuration.
D. Enable HTTP to HTTPS redirect on the load balancer.
Answer: A

Correct: HTTPS load balancer requires SSL certificate on target proxy.

Why this answer

To serve HTTPS traffic with Cloud CDN and a custom domain, the load balancer must have an SSL certificate attached to its HTTPS target proxy. This is because Cloud CDN relies on the load balancer's target proxy to terminate TLS and present the certificate to clients. Creating an SSL certificate resource (either Google-managed or self-managed) and attaching it to the HTTPS target proxy is the required step.

Exam trap

Google Cloud often tests the misconception that Cloud CDN handles SSL certificates independently, when in fact the certificate must be attached to the load balancer's HTTPS target proxy, not configured within the CDN itself.

How to eliminate wrong answers

Option B is wrong because a backend bucket stores content but does not handle SSL termination; certificates must be attached to the HTTPS target proxy, not to the bucket. Option C is wrong because Cloud CDN does not accept SSL certificates directly; certificates are managed at the load balancer level via the target proxy. Option D is wrong because HTTP-to-HTTPS redirect is a separate feature that does not provide the SSL certificate needed for HTTPS termination; it only redirects HTTP traffic to HTTPS.

236
MCQ · hard

A healthcare organization uses BigQuery to store patient data with column-level encryption using CMEK. They need to ensure that data is encrypted at rest and in transit, and that only authorized users can query specific columns. Which combination of controls should they use?

A. Use VPC Service Controls to restrict access to BigQuery datasets, and use IAM conditions to limit column access.
B. Use Cloud HSM to create encryption keys and apply them to BigQuery tables using Cloud Key Management Service.
C. Use Cloud Data Loss Prevention to de-identify sensitive columns, and then use IAM to control access.
D. Use BigQuery column-level encryption with CMEK keys, and grant access via Authorized Views.
Answer: D

This combination ensures encryption and fine-grained access control.

Why this answer

Option D is correct because BigQuery column-level encryption with CMEK ensures data is encrypted at rest using customer-managed keys, while Authorized Views provide row- and column-level access control without exposing the underlying encrypted columns to unauthorized users. This combination satisfies both encryption requirements (at rest and in transit, as BigQuery enforces TLS in transit) and fine-grained access control for specific columns.

Exam trap

The trap here is that candidates confuse column-level encryption with table-level encryption or de-identification, and fail to recognize that Authorized Views are the only mechanism in BigQuery that can enforce column-level access control on encrypted columns without exposing the underlying data.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls restrict data exfiltration and access at the dataset or project level, not at the column level, and IAM conditions cannot enforce column-level encryption or granular column access. Option B is wrong because Cloud HSM and Cloud KMS can create and manage CMEK keys, but applying them to tables only encrypts the table at rest, not at the column level, and does not control which users can query specific columns. Option C is wrong because Cloud DLP de-identifies data (e.g., masking or tokenization) but does not provide encryption at rest with CMEK, and IAM alone cannot enforce column-level access on the de-identified data without additional mechanisms like Authorized Views.

237
Multi-Select · medium

A security engineer is configuring VPC Service Controls to protect a Google Cloud project containing sensitive data. The project contains Compute Engine instances, Cloud Storage buckets, and BigQuery datasets. The perimeter is defined with the project as a protected project. Which TWO actions are valid to restrict data exfiltration while maintaining necessary access?

Select 2 answers
A. Use VPC Service Controls to block access to the Compute Engine metadata server to prevent credential extraction.
B. Configure the service perimeter to allow access from the VPC network where the Compute Engine instances reside using private Google access.
C. Create an access level that restricts access to only the IP ranges of the corporate network. Apply the access level to the service perimeter.
D. Create a service perimeter that includes all Google Cloud projects in the organization to simplify management.
E. Use VPC Service Controls to restrict access based on network tags on Compute Engine instances.
Answers: B, C

Private Google access allows on-premises or VM instances to access Google APIs within the perimeter.

Why this answer

Option B is correct because VPC Service Controls can allow traffic from a specific VPC network via private Google access, which uses RFC 1918 addresses and does not traverse the public internet. This restricts data exfiltration by ensuring that only resources within the defined VPC can access the protected services, while still allowing legitimate Compute Engine instances to reach Cloud Storage and BigQuery within the perimeter.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls can block the metadata server or use instance-level tags, when in reality they operate at the project and VPC network level and do not interact with instance metadata or tags.

238
MCQ · medium

A company is migrating its on-premises Microsoft Active Directory to Google Cloud using Managed Microsoft AD (Microsoft AD). They need to ensure that users can authenticate to Compute Engine Windows instances using their on-premises credentials without additional user setup. What is the most secure and scalable approach?

A. Configure the Windows instances to join the on-premises AD domain directly via VPN.
B. Create a two-way trust between the Managed Microsoft AD domain and the on-premises AD domain.
C. Synchronize on-premises users to Managed Microsoft AD using Google Cloud Directory Sync (GCDS).
D. Store on-premises user credentials in Cloud KMS and use a custom authentication script.
Answer: B

A trust enables on-premises users to authenticate to resources in the cloud domain without duplicating identities.

Why this answer

Option B is correct because establishing a two-way trust between Managed Microsoft AD and the on-premises AD domain allows users to authenticate to Compute Engine Windows instances using their existing on-premises credentials without any additional user setup. This trust enables Kerberos authentication to flow seamlessly across the two domains, ensuring that on-premises users can access cloud resources securely and scalably without duplicating identities or credentials.

Exam trap

Google Cloud often tests the misconception that directory synchronization (like GCDS) is sufficient for authentication, but candidates must understand that synchronization alone does not enable single sign-on or credential validation—only a trust or federation (e.g., via Active Directory Federation Services) allows users to authenticate with their existing on-premises passwords.

How to eliminate wrong answers

Option A is wrong because joining Windows instances directly to the on-premises AD domain via VPN creates a single point of failure and introduces latency; it also requires persistent VPN connectivity and does not leverage the managed AD service, making it less scalable and less secure due to direct exposure of domain controllers over the VPN. Option C is wrong because Google Cloud Directory Sync (GCDS) only synchronizes user and group objects from on-premises AD to Managed Microsoft AD, but it does not establish a trust relationship; users would still need to be re-authenticated against the Managed Microsoft AD domain, and their passwords are not synced, so they cannot use their on-premises credentials without additional setup (e.g., password hash sync). Option D is wrong because storing on-premises user credentials in Cloud KMS and using a custom authentication script is insecure (credentials in plaintext or encrypted at rest but still exposed during runtime), unscalable (requires custom code and maintenance), and violates the principle of using managed services; it also does not integrate with Windows authentication protocols like Kerberos or NTLM.

239
MCQ · medium

Refer to the exhibit. A security engineer runs the following IAM policy command for a Cloud Storage bucket. What access does the bindings grant?

A. alice can view objects; example.com users can view objects; service account can admin objects.
B. alice and example.com domain can view; service account can admin; and the public can view because of domain.
C. alice and all users from example.com can view objects; the service account can admin all objects.
D. alice can view; example.com can view; service account can admin; but only if the bucket is public.
Answer: C

This correctly describes the bindings.

Why this answer

Option C is correct because the IAM policy bindings grant `roles/storage.objectViewer` to user `alice@example.com` and to all authenticated users from the `example.com` domain (via `domain:example.com`), and `roles/storage.objectAdmin` to a service account. The viewer role allows listing and reading objects, while the admin role allows full control over objects, including creation, deletion, and modification. There is no public access granted because the bindings do not include `allUsers` or `allAuthenticatedUsers`.

Exam trap

Google Cloud often tests the distinction between `domain:` and `allUsers` — candidates mistakenly think a domain grant makes the bucket public, but it only grants access to authenticated users from that specific domain.

How to eliminate wrong answers

Option A is wrong because it omits that `example.com` users are granted viewer access, not just `alice` and the service account; it also incorrectly implies the service account can only admin objects, which is correct but incomplete. Option B is wrong because it claims 'the public can view because of domain' — a domain grant (`domain:example.com`) only applies to authenticated users from that domain, not the general public. Option D is wrong because it adds a condition 'only if the bucket is public' — IAM policies on Cloud Storage buckets are independent of bucket-level public access settings; the bindings grant access regardless of whether the bucket is public.

240
Matching · medium

Match each access control mechanism to its description.


Concepts
Matches

Identity and Access Management for resource-level permissions

Constraints applied at the organization node

Service perimeters to prevent data exfiltration

Network-level allow/deny rules for VMs

Identity-Aware Proxy for application-level access

Why these pairings

These are different access control mechanisms in Google Cloud.

241
MCQ · medium

A financial institution uses Cloud KMS to manage encryption keys. They want to ensure that key material is never exported from the KMS service. Which key protection method should they use?

A. Cloud HSM
B. External key manager
C. HSM keys in Cloud KMS
D. Software keys in Cloud KMS
Answer: C

HSM keys are generated inside FIPS 140-2 Level 3 HSMs and key material never leaves the HSM.

Why this answer

Option C is correct because HSM keys in Cloud KMS are generated and stored within a FIPS 140-2 Level 3 certified hardware security module (HSM) that is physically and logically controlled by Google. The key material never leaves the HSM boundary; all cryptographic operations are performed inside the HSM, and export of the key material is prevented by design. This satisfies the requirement that key material is never exported from the KMS service.

Exam trap

Google Cloud often tests the misconception that Cloud HSM (the dedicated service) is the same as HSM keys in Cloud KMS, but Cloud HSM allows key export while HSM keys in Cloud KMS do not, making the distinction critical for this question.

How to eliminate wrong answers

Option A is wrong because Cloud HSM is a separate service that provides dedicated HSM appliances, but it does not inherently prevent key export; customers can generate and export keys from Cloud HSM if they choose. Option B is wrong because an external key manager (EKM) allows customers to bring their own key material from an external key management system, which necessarily involves exporting key material from the KMS service to the external system. Option D is wrong because software keys in Cloud KMS are stored as encrypted blobs in Google's key storage infrastructure, and while they are protected, the key material can be exported via the API (e.g., using the `cryptoKeyVersions.export` method) if the key is created with exportable material, which contradicts the requirement.

242
MCQ · hard

A compliance officer reviews the Cloud Audit Log entry above and wants to know if any sensitive data was exposed during the instance creation. What is the best course of action?

A. Enable data access audit logs for Compute Engine to capture request payloads.
B. Check the status field to see if the operation failed, which might indicate a misconfiguration.
C. Analyze the log entry to see the image used; the image metadata is included.
D. Use Cloud DLP to scan the log entry for sensitive data.
Answer: A

Data access logs include full request and response data.

Why this answer

Option A is correct because enabling data access audit logs for Compute Engine captures the request payloads of API calls, including the instance creation request. This allows the compliance officer to inspect the exact parameters sent, such as any sensitive data that might have been passed as metadata or startup scripts, which are not included in the default admin activity audit logs. Data access audit logs provide the granularity needed to determine if sensitive data was exposed during the operation.

Exam trap

The trap here is that candidates assume the default audit logs already contain enough detail to inspect payloads, but they do not — only enabling data access audit logs provides the request payload data needed to check for sensitive data exposure.

How to eliminate wrong answers

Option B is wrong because the status field only indicates whether the operation succeeded or failed; it does not reveal the content of the request payload, so it cannot determine if sensitive data was exposed. Option C is wrong because the log entry includes only the image name or URI, not the full image metadata or any user-provided data that might contain sensitive information; image metadata is not automatically included in audit logs. Option D is wrong because Cloud DLP is designed to scan stored data for sensitive information, not to analyze audit log entries; audit logs are not a data source for DLP scanning, and the log entry itself does not contain the payload needed for such analysis.

243
MCQ · easy

You want to encrypt data in Google Cloud Storage using a key that is managed and stored in a third-party key management system outside of Google Cloud. Which feature should you use?

A. Cloud External Key Manager (Cloud EKM)
B. Cloud HSM
C. Default encryption at rest
D. Customer-Supplied Encryption Keys (CSEK)
Answer: A

Cloud EKM integrates with external key management partners; the keys are never stored in Google Cloud.

Why this answer

Option A is correct: Cloud EKM allows you to use keys from an external key manager, keeping the keys outside Google. Option D (CSEK) also uses external keys but is deprecated and less integrated. Option B (Cloud HSM) stores keys in Google. Option C (default encryption at rest) uses Google-managed keys.

244
MCQ · hard

A company uses Shared VPC in a host project with multiple service projects. The security team wants to ensure that all traffic between service projects is inspected by a third-party firewall appliance deployed in the host project. Which configuration should be implemented?

A. Enable Cloud NAT on each service project and configure a default route to the firewall appliance.
B. Set up VPC network peering between service projects and route traffic through the host project via a VPN tunnel.
C. Create a policy-based route in the host project that matches traffic between service project subnets and has a next hop to the firewall appliance's internal IP.
D. Create a firewall rule in the host project that allows traffic between service projects only if the source is the firewall appliance.
Answer: C

Policy-based routes can direct specific inter-subnet traffic to a next-hop instance for inspection.

Why this answer

Option C is correct because a policy-based route in the host project can match traffic based on source and destination subnets from different service projects and force that traffic to be forwarded to the next-hop IP of the third-party firewall appliance. This ensures all inter-service-project traffic is inspected by the firewall, as the route overrides the default VPC routing behavior within the Shared VPC environment.

Exam trap

Google Cloud often tests the distinction between firewall rules (which filter traffic) and routes (which direct traffic); the trap here is that candidates mistakenly think a firewall rule can force traffic through an appliance, when in fact only a route can change the path traffic takes.

How to eliminate wrong answers

Option A is wrong because Cloud NAT is used for outbound internet access from private instances, not for directing inter-service-project traffic through a firewall; it does not provide a mechanism to route traffic between service projects via a third-party appliance. Option B is wrong because VPC network peering does not support transitive routing; traffic between peered VPCs cannot be routed through a third VPC (the host project) without additional complex configurations like VPN tunnels, and even then, it would not inherently force inspection by a firewall in the host project. Option D is wrong because a firewall rule only controls which traffic is allowed or denied based on source/destination/port, but it does not route traffic; it cannot force traffic to go through the firewall appliance—it only permits or blocks traffic that is already routed.

245
MCQeasy

A company uses Cloud Monitoring to track latency on their Compute Engine instances. They notice a spike in latency every day at 2:00 PM. The operations team wants to automate the creation of a support ticket when this spike occurs. What should they do?

A.Create a Cloud Monitoring alert that sends a notification to a Pub/Sub topic, which triggers a Cloud Function that creates a ticket.
B.Create a Cloud Function that runs every minute to check latency and create a ticket.
C.Configure Cloud Tasks to periodically query the latency metric and create a ticket.
D.Use Cloud Scheduler to run a job that checks latency every hour and creates a ticket if spike is detected.
AnswerA

This is the standard pattern: alert -> Pub/Sub -> Cloud Function -> ticket creation.

Why this answer

Option A is correct because Cloud Monitoring alerts can trigger a webhook or a Pub/Sub notification to integrate with ticketing systems in real time. Option B is incorrect because a Cloud Function that polls every minute requires its own scheduling and does not react to the alert as it happens. Option D is incorrect because Cloud Scheduler runs on a fixed schedule, not on metric thresholds.

Option C is incorrect because Cloud Tasks is for asynchronous task execution, not for alerting on metrics.

246
MCQeasy

A company needs to isolate development and production workloads within the same Google Cloud organization. Each environment must have its own VPC network, but they must share a common set of network security policies. Which design meets these requirements?

A.Create separate projects and use VPC Network Peering between them
B.Use Shared VPC with separate service projects for dev and prod
C.Create separate VPCs in the same project and use VPC peering
D.Use a single VPC with multiple subnets and strict firewall rules
AnswerB

Shared VPC centralizes network administration and security policies while allowing environment isolation via separate projects.

Why this answer

Option B is correct because Shared VPC allows separate service projects (dev and prod) to use a common host project's network with consistent, centrally managed security policies. Option A is wrong because separate projects joined by VPC peering do not enforce shared security policies centrally. Option D is wrong because a single VPC with subnets and firewall rules does not give each environment its own network.

Option C is wrong because separate VPCs joined by peering do not provide centralized policy management.

247
MCQhard

A healthcare organization is designing a data pipeline that ingests patient health records into Cloud Storage, then processes them with Dataflow for analytics. They must ensure that data is encrypted at rest and in transit, and that only authorized users can access the raw data. They also need to guarantee that the encryption keys are stored outside of Google Cloud. Which solution meets all requirements?

A.Use default encryption and rely on Google's data residency commitments.
B.Use Cloud External Key Manager (Cloud EKM) with a partner key manager.
C.Use Customer-Supplied Encryption Keys (CSEK) for Cloud Storage and Dataflow.
D.Use Cloud HSM to generate and store keys.
AnswerB

Cloud EKM supports external keys and is integrated with Cloud Storage and Dataflow.

Why this answer

Cloud EKM allows you to manage encryption keys using a supported external key management partner, ensuring keys are stored outside Google Cloud. This meets the requirement for encryption at rest and in transit (Dataflow and Cloud Storage use these keys transparently) while keeping key material external to Google's infrastructure. Only authorized users can access raw data via IAM and the external key manager's access controls.

Exam trap

Google Cloud often tests the distinction between where keys are stored versus where they are managed: candidates confuse CSEK (keys stored in Google Cloud) with external key storage, or assume Cloud HSM keeps keys outside Google Cloud when it actually runs on Google's infrastructure.

How to eliminate wrong answers

Option A is wrong because default encryption uses Google-managed keys stored within Google Cloud, not outside it, and data residency commitments do not address key storage location. Option C is wrong because Customer-Supplied Encryption Keys (CSEK) are stored in Cloud Storage and managed by the customer but the key material is still stored within Google Cloud (the customer provides the key, but Google stores it in its own infrastructure). Option D is wrong because Cloud HSM generates and stores keys within Google Cloud's hardware security modules, not outside Google Cloud.

248
Multi-Selecteasy

A company is migrating workloads to Google Cloud and wants to ensure that their VPC network is secure by default. Which two best practices should they follow? (Choose two.)

Select 2 answers
A.Remove the default firewall rules that allow all egress
B.Use Shared VPC for all projects
C.Create a firewall rule to deny all ingress except specific ports
D.Enable VPC Flow Logs
E.Use private IP addresses for instances
AnswersA, E

Default egress allow can be risky; removing it enforces least privilege.

Why this answer

Option A is correct because the default VPC firewall rules include an egress rule that allows all outbound traffic (target: all instances, action: allow, protocol: all, destination: 0.0.0.0/0). Removing this default egress rule and replacing it with more restrictive outbound rules is a security best practice to prevent unauthorized data exfiltration and limit outbound connections to only necessary destinations. This aligns with the principle of least privilege for network traffic.

Exam trap

Google Cloud often tests the misconception that the default VPC firewall rules are secure by default, but the trap here is that the default egress rule is permissive (allow all), not restrictive, so candidates may overlook the need to remove or override it.

249
Matchingmedium

Match each VPC firewall rule component to its definition.


Ingress or egress traffic direction

CIDR blocks for incoming traffic

VM instance tags that rule applies to

Rule evaluation order (lower number = higher priority)

Allow or deny traffic

Why these pairings

These are key components of VPC firewall rules.

250
MCQhard

A security engineer created the following IAM policy for a service account. The service account reports that it cannot access objects in bucket 'my-bucket'. What is the most likely cause?

A.The condition is too restrictive and blocks all objects.
B.The service account lacks the storage.buckets.get permission.
C.The role is missing storage.objects.list permission.
D.The condition uses 'projects/my-project' but resource.name uses the numeric project ID.
AnswerD

This is the common mistake; resource.name contains project number, not project ID.

Why this answer

The condition in the policy uses `resource.name.startsWith('projects/my-project')`, but the `resource.name` attribute for Cloud Storage objects uses the numeric project number (e.g., `projects/123456789`), not the human-readable project ID. As a result the condition never evaluates to true, effectively denying all access to the bucket's objects. Option D correctly identifies this mismatch as the root cause.

Exam trap

Google Cloud often tests the subtle difference between the human-readable project ID and the numeric project number in IAM conditions, tricking candidates who assume the human-readable name works everywhere in GCP resource identifiers.

How to eliminate wrong answers

Option A is wrong because the condition is not inherently too restrictive; it is syntactically valid but uses the wrong identifier (project ID vs. project number), which prevents any object from matching the condition. Option B is wrong because `storage.buckets.get` is a bucket-level permission (for retrieving bucket metadata) and is not required for accessing objects within the bucket; the error is about object access, not bucket retrieval. Option C is wrong because `storage.objects.list` is needed to list objects, but the service account reports it cannot access objects at all, implying a broader denial; the condition mismatch blocks both list and get operations, making any role/permission issue secondary.

251
MCQmedium

A government agency requires that all compute resources for a project are physically located in the United States (US) to comply with FedRAMP. The project contains Compute Engine instances, Cloud Storage buckets, and BigQuery datasets. Which configuration ensures that all future resources are created in the US?

A.Configure VPC Service Controls with a perimeter that only allows access from US-based IP addresses.
B.Assign the Compute Admin role to a security admin and restrict them to only create resources in US regions.
C.Set an Organization Policy on the folder containing the project with constraint constraints/gcp.resourceLocations set to allowedLocations list of US regions.
D.Use Cloud KMS with a key from a US-based location and require that all resources use that key.
AnswerC

This policy restricts resource creation to specified locations, applicable to all resources in that folder.

Why this answer

Option C is correct because the Organization Policy constraint `constraints/gcp.resourceLocations` enforces that all future resources in the project (Compute Engine instances, Cloud Storage buckets, BigQuery datasets) are created only in the allowed US regions. This policy is evaluated at resource creation time and prevents any resource from being provisioned outside the specified locations, directly meeting the FedRAMP requirement for physical location in the US.

Exam trap

Google Cloud often tests the misconception that IAM roles or VPC controls can enforce resource location, when in reality only Organization Policy constraints provide that enforcement at creation time.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls restrict data exfiltration and access based on IP addresses, but they do not enforce the physical location where resources are created; resources could still be provisioned outside the US. Option B is wrong because assigning the Compute Admin role with a restriction to only create resources in US regions is not a supported IAM feature; IAM roles do not have built-in region-scoping capabilities, and such a restriction would require custom logic or Organization Policies. Option D is wrong because Cloud KMS key location does not enforce the physical location of the resources using the key; a resource could be created in a non-US region and still use a US-based KMS key for encryption.

252
MCQhard

A government contractor uses Google Cloud with Assured Workloads. They need to ensure that data stored in BigQuery is encrypted with keys generated and stored in a Cloud HSM key ring located in a specific region. The keys must be rotated every 90 days. Which approach meets these requirements?

A.Create a Cloud HSM key ring in the desired region, create a key with a rotation period of 90 days, and use that key to protect the BigQuery dataset via CMEK.
B.Use Cloud KMS with a software key and enable automatic rotation of 90 days.
C.Create a Cloud HSM key ring and manually rotate keys every 90 days.
D.Use Cloud External Key Manager (EKM) with an external key management partner.
AnswerA

Cloud HSM keys can be used for CMEK, and rotation is automated.

Why this answer

Option A is correct because it uses a Cloud HSM key ring in the desired region, which meets the requirement for hardware-backed key generation and storage. Setting a rotation period of 90 days on the key satisfies the rotation requirement, and using that key as a customer-managed encryption key (CMEK) for BigQuery ensures data is encrypted with the specified key.

Exam trap

Google Cloud often tests the distinction between Cloud HSM and Cloud KMS software keys, where candidates may overlook that only Cloud HSM provides hardware-backed key storage, or confuse automatic rotation with manual rotation, leading them to choose a less secure or non-compliant option.

How to eliminate wrong answers

Option B is wrong because it uses a software key, not a Cloud HSM key, so the keys are not generated and stored in hardware, failing the requirement for Cloud HSM. Option C is wrong because it suggests manual rotation every 90 days, but the requirement can be met with automatic rotation, and manual rotation is error-prone and not the recommended approach for compliance. Option D is wrong because Cloud External Key Manager (EKM) uses an external key management partner, not Cloud HSM, so the keys are not generated and stored in a Cloud HSM key ring.

253
MCQeasy

A company wants to provide secure access to an internal web application hosted on Compute Engine without exposing it to the public internet. Which Google Cloud service should they use?

A.Cloud NAT
B.Cloud Storage signed URLs
C.Identity-Aware Proxy (IAP)
D.Cloud Load Balancing
AnswerC

IAP authenticates users and authorizes access to applications through a secure tunnel.

Why this answer

Identity-Aware Proxy (IAP) is the correct choice because it provides a centralized authentication and authorization layer for applications accessed via HTTPS, allowing you to enforce access control policies based on user identity and context without requiring a VPN or public IP exposure. IAP works with Cloud Load Balancing to verify user credentials before allowing traffic to reach the Compute Engine instance, effectively securing the internal web application from the public internet.

Exam trap

The trap here is that candidates often confuse Cloud NAT or Cloud Load Balancing as security controls, mistakenly thinking NAT hides the instance or that load balancing alone provides access control, when in fact neither authenticates users or prevents public exposure without IAP.

How to eliminate wrong answers

Option A is wrong because Cloud NAT provides outbound internet connectivity for private instances (source network address translation) but does not control inbound access or authenticate users, so it cannot secure an internal web application from public exposure. Option B is wrong because Cloud Storage signed URLs grant time-limited access to specific objects in Cloud Storage buckets, not to a Compute Engine-hosted web application, and they are designed for object-level access, not application-level authentication. Option D is wrong because Cloud Load Balancing distributes traffic across instances but does not inherently authenticate users or restrict access; without IAP, it would still expose the application to the public internet if configured with external IPs.

254
MCQeasy

A developer needs to deploy a Cloud Run service that will read from a Cloud Pub/Sub topic. What is the least privileged IAM role to grant to the Cloud Run service's service account?

A.roles/pubsub.subscriber on the topic resource
B.roles/pubsub.viewer
C.roles/pubsub.subscriber
D.roles/pubsub.publisher
AnswerC

Subscriber allows pulling messages from a subscription.

Why this answer

Option C is correct because the Cloud Run service needs only the ability to pull (subscribe to) messages delivered from the Pub/Sub topic. The `roles/pubsub.subscriber` role grants the `pubsub.subscriptions.consume` permission required to read messages, and it is bound on the subscription that the service consumes. This is the least privileged role that enables the read operation without granting unnecessary permissions such as publishing or viewing all topics.

Exam trap

Google Cloud often tests the distinction between granting roles on a topic versus a subscription, and candidates mistakenly choose 'roles/pubsub.subscriber on the topic resource' (Option A) because they think the subscriber role applies to the topic, when in fact it must be bound to a subscription to allow message consumption.

How to eliminate wrong answers

Option A is wrong because `roles/pubsub.subscriber` on the topic resource is not a valid IAM role binding; the subscriber role must be granted on a subscription, not a topic, to allow message consumption. Option B is wrong because `roles/pubsub.viewer` only provides read-only access to metadata (e.g., list topics, get IAM policies) and does not include the `pubsub.subscriptions.consume` permission needed to actually read messages. Option D is wrong because `roles/pubsub.publisher` grants the `pubsub.topics.publish` permission, which is for writing messages to the topic, not reading them, and would be overprivileged for a service that only reads.

255
MCQhard

An organization uses Cloud Identity-Aware Proxy (IAP) to secure access to an internal web application running on Compute Engine. Users are authenticated with Google accounts. Recently, some users report being denied access even though they are in the correct IAP-secured Web App User group. What is the most likely cause?

A.The users are trying to use IAP TCP forwarding instead of HTTPS.
B.The users are not members of the IAP-secured Web App User group.
C.The OAuth consent screen requires approval from an admin.
D.An Access Context Manager access level is configured that the users do not satisfy, such as requiring a corporate device.
AnswerD

Access levels can block access even if the user has the IAP role.

Why this answer

Option D is correct because Cloud IAP can be combined with Access Context Manager (ACM) access levels to enforce contextual requirements beyond group membership, such as device policy, IP range, or user identity attributes. If an access level is configured to require a corporate device and the user's device does not meet that policy, IAP will deny access even if the user is in the correct IAP-secured Web App User group. This explains why users who are correctly placed in the group still receive access denials.

Exam trap

The trap here is that candidates assume IAP only checks group membership and overlook the fact that IAP can enforce additional access levels via Access Context Manager, causing them to incorrectly select Option B (group membership) when the users are already in the correct group.

How to eliminate wrong answers

Option A is wrong because IAP TCP forwarding is used for SSH/RDP access to instances, not for web applications; the question specifies an internal web application accessed via HTTPS, so TCP forwarding is irrelevant. Option B is wrong because the question explicitly states that users are in the correct IAP-secured Web App User group, so group membership is not the issue. Option C is wrong because the OAuth consent screen approval is required for the application's OAuth client ID, not for individual user access; once the app is configured and consent is given by an admin, users do not need separate admin approval to authenticate.

256
MCQmedium

Refer to the exhibit. A security engineer is reviewing a Cloud KMS key. What can be concluded about this key?

A.This key is a customer-managed encryption key (CMEK) but is stored in software.
B.This key is stored in a Hardware Security Module (HSM) and cannot be exported.
C.This key is an external key managed via Cloud EKM.
D.This is a software key managed by Cloud KMS.
AnswerB

The HSM protection level means the key material resides in Cloud HSM and is non-exportable.

Why this answer

The exhibit shows a Cloud KMS key with the purpose 'symmetric encryption' and the protection level 'HSM'. Keys with HSM protection level are stored in a Hardware Security Module, which provides tamper-resistant hardware-based key storage. Additionally, the key is marked as 'Cannot be exported', meaning the key material never leaves the HSM boundary, ensuring it cannot be extracted or copied.

This matches the description of a key stored in an HSM that cannot be exported.

Exam trap

Google Cloud often tests the distinction between protection levels (software vs. HSM) and the concept of exportability, where candidates mistakenly assume that any key in Cloud KMS can be exported or that CMEK always implies software storage.

How to eliminate wrong answers

Option A is wrong because a customer-managed encryption key (CMEK) is a concept in Google Cloud that refers to keys created and managed by the customer within Cloud KMS, but the protection level can be either software or HSM; the exhibit shows 'HSM' protection level, not software. Option C is wrong because Cloud External Key Manager (EKM) is used for keys managed outside Google Cloud, and the exhibit shows a key managed within Cloud KMS, not an external key. Option D is wrong because the protection level is explicitly 'HSM', not 'software', so this is not a software key managed by Cloud KMS.

257
MCQeasy

A company has a policy that only specific service accounts can be used on Compute Engine instances. How can this be enforced?

A.Use IAM conditions on the compute.instanceAdmin role to restrict the service account.
B.Use Identity-Aware Proxy (IAP).
C.Use a VPC Service Controls perimeter.
D.Use an organization policy with constraint compute.restrictServiceAccountUsage.
AnswerD

This constraint restricts which service accounts can be attached to Compute Engine instances.

Why this answer

Option D is correct because the organization policy constraint `compute.restrictServiceAccountUsage` is specifically designed to enforce which service accounts can be used when creating Compute Engine instances. When applied at the project, folder, or organization level, this constraint allows you to define a list of allowed service accounts (by email or ID), and any attempt to launch an instance with a service account not on that list will be denied by the Resource Manager. This directly enforces the company policy that only specific service accounts are permitted on Compute Engine instances.

Exam trap

Google Cloud often tests the distinction between IAM roles (who can perform actions) and organization policy constraints (what configurations are allowed), so candidates mistakenly choose IAM conditions (Option A) thinking they can filter service accounts, when in reality only the organization policy constraint can enforce a whitelist of permitted service accounts on Compute Engine instances.

How to eliminate wrong answers

Option A is wrong because IAM conditions on the `compute.instanceAdmin` role control who can perform actions on instances (e.g., who can create or modify them), but they do not restrict which service account can be attached to an instance; the service account selection is a property of the instance, not an IAM permission on the user. Option B is wrong because Identity-Aware Proxy (IAP) controls access to SSH, RDP, or web-based applications running on instances, not the service account used by the instance itself; it is a network-level access control, not a service account usage policy. Option C is wrong because VPC Service Controls perimeters protect data exfiltration from Google Cloud services like BigQuery or Cloud Storage by controlling egress, but they do not restrict which service account can be attached to a Compute Engine instance; they operate at the service perimeter level, not the instance configuration level.

258
MCQhard

A company uses Cloud SQL for MySQL with automated backups. They want to ensure that backup data is encrypted with a key that they manage and rotate on a schedule, separate from the primary database encryption. What should they do?

A.Use Cloud SQL's backup encryption with customer-managed key by specifying a CMEK for backups.
B.Enable CMEK on the Cloud SQL instance, which automatically encrypts backups with the same key.
C.Use CSEK for the Cloud SQL instance and then re-encrypt backups.
D.Export backups to Cloud Storage and apply CMEK on the export bucket.
AnswerA

Cloud SQL allows setting a separate CMEK for backups during instance creation or update.

Why this answer

Cloud SQL allows enabling CMEK for backups separately by specifying a different CMEK key for backup encryption. Enabling CMEK on the instance encrypts both data and backups with the same key. Exporting to Cloud Storage is not automated.

259
MCQhard

Refer to the exhibit. An operations engineer configured this alert policy to notify when any VM instance in project my-project has high CPU utilization. However, no notifications are received even when CPU is consistently above 90% on multiple instances in us-central1-a. What is the most likely cause?

A.The 'duration' of 0s in the MQL condition prevents the alert from firing because it needs a minimum duration.
B.The alert policy is configured in a different project than the VM instances.
C.The MQL query uses 'group_by' which causes the condition to be evaluated on the aggregate, but the threshold should be applied before grouping.
D.The notification channel is not configured or is invalid.
AnswerB

If the alert policy is in project A but VM instances are in project B, the policy won't see those metrics unless cross-project access is set up.

Why this answer

Option B is correct because alert policies are project-scoped resources. If the VM instances reside in a different project than the one where the alert policy is defined, the policy cannot monitor those instances. The MQL query references the metric `compute.googleapis.com/instance/cpu/utilization` which is only visible within the same project as the monitored resources.

Cross-project monitoring requires additional configuration such as a metrics scope or a separate alert policy in the target project.

Exam trap

Google Cloud often tests the subtle distinction between an alert that fails to fire (scope/resource mismatch) versus an alert that fires but fails to notify (channel issue), leading candidates to incorrectly blame the notification channel when the real problem is that the alert condition is never evaluated against the target resources.

How to eliminate wrong answers

Option A is wrong because a `duration` of 0s is valid and means the condition fires immediately when the threshold is crossed; it does not prevent the alert from firing. Option C is wrong because `group_by` aggregates metrics before evaluation, and applying the threshold after grouping is the correct behavior for aggregate conditions; the threshold does not need to be applied before grouping. Option D is wrong because if the notification channel were invalid or missing, the alert would still fire (its state would change to `firing`), but no notification would be sent; the question states no notifications are received, implying the alert itself is not firing, which points to a monitoring scope issue rather than a channel problem.

260
MCQhard

A company is deploying a firewall appliance in a VPC to inspect traffic. They create custom routes to direct traffic to the appliance. Which step is necessary to ensure the appliance can forward traffic back?

A.Enable IP forwarding on the appliance instance
B.Use a load balancer
C.Configure the appliance as a next hop in a route
D.Assign a public IP to the appliance
AnswerA

This allows the instance to forward packets it receives.

Why this answer

Option A is correct because the firewall appliance instance must have IP forwarding enabled at the OS level (e.g., net.ipv4.ip_forward=1 on Linux) to forward packets between its network interfaces. Without this, the instance will drop any traffic not destined for its own IP address, even if VPC routes direct packets to it. This is a prerequisite for the appliance to act as a transparent or routed next-hop in the VPC routing table.

Exam trap

Google Cloud often tests the distinction between routing configuration (next-hop routes) and the OS-level requirement to actually forward packets, trapping candidates who assume that adding a route alone is sufficient for the appliance to process traffic.

How to eliminate wrong answers

Option B is wrong because a load balancer distributes traffic across multiple targets but does not enable an individual instance to forward packets; it is not a substitute for IP forwarding on the appliance. Option C is wrong because configuring the appliance as a next hop in a route is the step that directs traffic to the appliance, but it does not enable the appliance to forward that traffic back out; IP forwarding must be enabled separately. Option D is wrong because assigning a public IP allows internet-bound traffic to reach the instance but does not affect the kernel’s ability to forward packets between interfaces; IP forwarding is a distinct OS-level setting.

261
MCQhard

A security team wants to mirror all traffic from a critical VM to a network intrusion detection system (NIDS) appliance running in the same VPC. They need to ensure that the NIDS receives both ingress and egress traffic, and that the original traffic is not impacted. Which solution should they implement?

A.Apply a network tag to the VM and create a firewall rule to copy traffic to the NIDS.
B.Configure the VM to use the NIDS as a proxy for all traffic.
C.Enable VPC Flow Logs on the VM's subnet and forward logs to the NIDS.
D.Create a packet mirroring policy that mirrors traffic from the VM to the NIDS instance.
AnswerD

Correct: Packet Mirroring copies packets for inspection without affecting live traffic.

Why this answer

Packet Mirroring is the correct solution because it copies all ingress and egress traffic from the VM's network interface to the NIDS instance without affecting the original traffic flow. This is achieved by creating a packet mirroring policy, optionally with a filter, that forwards a copy of the packets to the NIDS, so the VM's performance and connectivity remain unchanged.

Exam trap

Google Cloud often tests the distinction between traffic mirroring (which copies packets) and flow logs (which only log metadata), leading candidates to mistakenly choose VPC Flow Logs because they assume 'logs' provide full traffic visibility.

How to eliminate wrong answers

Option A is wrong because network tags and firewall rules in a VPC can only filter or forward traffic based on IP addresses and ports, but they cannot copy or mirror traffic; they either allow or deny traffic, not duplicate it. Option B is wrong because configuring the VM to use the NIDS as a proxy would require all traffic to be routed through the NIDS, which introduces a single point of failure, adds latency, and alters the original traffic path, violating the requirement to not impact the original traffic. Option C is wrong because VPC Flow Logs capture metadata (e.g., source/destination IP, ports, protocol) but not the actual packet payloads, so the NIDS cannot inspect the full traffic content for intrusion detection.

262
MCQhard

An organization wants to enforce that all Cloud Storage buckets are created with uniform bucket-level access enabled. Which policy can be used to achieve this?

A.Audit logs to detect non-compliance
B.VPC Service Controls perimeter
C.IAM custom role with permission to enforce uniform access
D.Organization policy with constraint `constraints/storage.uniformBucketLevelAccess`
AnswerD

This constraint enforces uniform bucket-level access at the organization level.

Why this answer

Option D is correct because the Organization Policy with the constraint `constraints/storage.uniformBucketLevelAccess` is a native Google Cloud policy that can be applied at the organization, folder, or project level to enforce that all new Cloud Storage buckets are created with uniform bucket-level access enabled. This policy prevents the creation of buckets with fine-grained ACLs, ensuring consistent access control across the organization.

Exam trap

The trap here is that candidates often confuse IAM roles or VPC Service Controls with organization policy constraints, not realizing that only a hierarchical policy constraint can enforce a specific configuration setting at resource creation time, while IAM and VPC controls address different aspects of access and security.

How to eliminate wrong answers

Option A is wrong because audit logs only detect non-compliance after the fact; they do not prevent the creation of buckets without uniform access, so they cannot enforce the policy proactively. Option B is wrong because VPC Service Controls perimeters are designed to restrict data exfiltration and control access to Google Cloud services based on network context, not to enforce bucket-level access control settings like uniform bucket-level access. Option C is wrong because IAM custom roles define permissions for actions (e.g., storage.buckets.create) but cannot enforce a specific configuration setting on bucket creation; enforcement of uniform access requires an organization policy constraint, not an IAM role.

263
MCQmedium

A company is migrating on-premises data to Cloud Storage. They have regulatory requirements to encrypt data using keys managed by their on-premises hardware security module (HSM). Which solution should they use?

A.Use Cloud HSM to create and manage keys.
B.Use Cloud External Key Manager (Cloud EKM) to reference keys in their on-premises HSM.
C.Use customer-supplied encryption keys (CSEK) for each object.
D.Use Cloud Key Management Service (Cloud KMS) with a key generated in the cloud.
AnswerB

Cloud EKM allows using externally managed keys for Cloud Storage.

Why this answer

Cloud External Key Manager (Cloud EKM) allows you to use encryption keys stored in a supported on-premises HSM via a partner integration, meeting the regulatory requirement for key management outside of Google Cloud. This solution keeps the key material under your control while enabling Cloud Storage to encrypt data using those keys.

Exam trap

Google Cloud often tests the distinction between where the key is created versus where it is stored and managed; the trap here is assuming Cloud HSM (which is hardware-backed) meets the 'on-premises HSM' requirement, when in fact it is a Google-managed service in Google's infrastructure.

How to eliminate wrong answers

Option A is wrong because Cloud HSM creates and manages keys within Google Cloud, not on your on-premises HSM, so it does not satisfy the requirement for keys managed by your own hardware. Option C is wrong because customer-supplied encryption keys (CSEK) are provided by you but stored and managed by Google Cloud, not in your on-premises HSM; they also require you to supply the key with each API call, which is impractical for ongoing encryption. Option D is wrong because Cloud KMS with a cloud-generated key keeps the key material entirely within Google Cloud, failing the requirement for on-premises HSM management.

264
MCQmedium

A financial services company must retain audit logs for seven years to meet regulatory requirements. They are using Cloud Audit Logs. Which strategy should they implement to ensure logs are not deleted or modified during the retention period?

A.Export logs to BigQuery and set table expiration to 7 years.
B.Export logs to a Pub/Sub topic, then subscribe and store in a custom database.
C.Export logs to Cloud Storage and apply a retention policy that is locked to prevent deletion.
D.Store logs in the default Cloud Logging bucket and set a retention period of 7 years.
AnswerC

Cloud Storage retention policies with a retention policy lock ensure objects cannot be deleted or overwritten until the retention period expires.

Why this answer

Option C is correct because Cloud Storage buckets with a locked retention policy provide immutable storage, preventing any deletion or modification of objects during the retention period. This meets the regulatory requirement for audit logs to be retained for seven years without alteration. Exporting logs to Cloud Storage and locking the retention policy ensures compliance with data retention regulations.

Exam trap

Google Cloud often tests the misconception that the default Cloud Logging bucket can be configured with long retention periods, but in reality, it only supports up to 30 days, and candidates must recognize that exporting to Cloud Storage with a locked retention policy is the only immutable option for multi-year retention.

How to eliminate wrong answers

Option A is wrong because BigQuery table expiration deletes the table after the set time, but it does not prevent modification or deletion of data within the table before expiration; also, BigQuery is not designed for immutable log storage. Option B is wrong because storing logs in a custom database via Pub/Sub does not inherently enforce immutability; the custom database could allow modifications or deletions unless specifically designed with retention locks, which is not guaranteed. Option D is wrong because the default Cloud Logging bucket has a maximum retention period of 30 days for logs, not 7 years, and logs in the default bucket can be deleted or modified by users with appropriate permissions.

265
MCQeasy

A small business stores backup archives in Cloud Storage and wants to encrypt them at rest using a key that is automatically rotated annually. They do not want to manage key material themselves. Which encryption option should they use?

A.Use Google-managed encryption keys (GMEK).
B.Use Cloud KMS customer-managed keys (CMEK) with rotation period.
C.Use Customer-Supplied Encryption Keys (CSEK).
D.Use client-side encryption with a third-party key management service.
AnswerA

GMEK is automatically rotated by Google.

Why this answer

Option A is correct because Google-managed encryption keys (GMEK) are automatically rotated and require no customer management. Option B is wrong because CMEK requires customer management. Option C is wrong because CSEK requires the customer to supply and manage keys. Option D is wrong because client-side encryption is not handled by Google.

266
MCQmedium

A security engineer is troubleshooting connectivity issues between two Compute Engine instances in the same VPC but in different subnets. Both instances have internal IPs and are in the same region. The firewall rules allow ingress from 10.0.0.0/8. However, traffic is failing. What is the most likely cause?

A.The instances are using external IPs and the source IP is being NATed.
B.The VPC has dynamic routing mode set to global, causing routing conflicts.
C.The ingress firewall rule is applied to a network tag that is not assigned to the destination instances.
D.There is a firewall rule with a lower priority that denies egress traffic between subnets.
AnswerC

Firewall rules are applied to instances via network tags or service accounts; if the target tag is missing from the destination instance, the allow rule does not apply and traffic is blocked.

Why this answer

Option C is correct because firewall rules in Google Cloud VPC are applied to the destination instance based on network tags, not just the subnet or IP range. If the ingress rule allowing traffic from 10.0.0.0/8 is configured with a target tag that is not assigned to the destination Compute Engine instances, the rule will not apply, and traffic will be dropped. This is a common misconfiguration when using tags to selectively apply firewall rules.

Exam trap

Google Cloud often tests the misconception that firewall rules applied to a subnet or IP range automatically apply to all instances in that subnet, when in reality, network tags are required to target specific instances unless the rule is applied to all instances (target = 'all instances').

How to eliminate wrong answers

Option A is wrong because the question states both instances have internal IPs, and traffic between internal IPs in the same VPC does not go through NAT; NAT only applies when using external IPs or Cloud NAT. Option B is wrong because dynamic routing mode (regional vs. global) affects route advertisement for hybrid connectivity, not internal VPC routing between subnets in the same region; VPC internal routing is always automatic and does not cause conflicts. Option D is wrong because egress traffic between subnets in the same VPC is implicitly allowed by default; a deny egress rule would need to be explicitly configured, and the question does not mention any such rule, making this unlikely.

267
MCQmedium

A global company must store customer data in a specific geographic region to comply with data residency regulations. The database needs strong transactional consistency and low-latency reads worldwide. Which database solution should they choose?

A.Use Cloud Spanner with a multi-region configuration that includes the required region
B.Use BigQuery with a multi-region dataset
C.Use Cloud SQL with cross-region replication
D.Use Firestore in multi-region mode
AnswerA

Cloud Spanner provides strong consistency, horizontal scaling, and multi-region support to meet residency and performance requirements.

Why this answer

Option A is correct because Cloud Spanner offers global transactional consistency, horizontal scaling, and multi-region configurations for data residency. Option B is wrong because BigQuery is for analytics, not operational transactions. Option C is wrong because Cloud SQL in a single region cannot serve global reads with low latency. Option D is wrong because Firestore in multi-region mode does not guarantee strong consistency for all operations.

268
MCQmedium

A company needs to securely connect two VPC networks from different projects in the same organization. Each VPC has overlapping IP ranges (10.0.0.0/16). They require high throughput and low latency. What is the recommended approach?

A.Re-IP one of the VPC networks to a non-conflicting range and then use VPC Network Peering.
B.Use Dedicated Interconnect to directly connect the two VPCs.
C.Use VPC Network Peering.
D.Use HA VPN with dynamic routing.
AnswerA

Re-IPing resolves the overlap and allows peering, which provides high throughput and low latency.

Why this answer

Option A is correct because VPC Network Peering requires non-overlapping IP ranges to establish direct connectivity. By re-IPing one VPC to a non-conflicting range (e.g., 10.1.0.0/16), you eliminate the routing conflict, allowing peering to provide high throughput and low latency via Google's internal backbone, with no bandwidth limits or single points of failure.

Exam trap

Google Cloud often tests the misconception that VPC Network Peering can handle overlapping IP ranges if you use custom route tables or subnets, but in reality, peering requires non-overlapping CIDRs at the VPC level, and no workaround exists within the peering construct itself.

How to eliminate wrong answers

Option B is wrong because Dedicated Interconnect is a hybrid connectivity solution for on-premises to VPC, not for VPC-to-VPC connections within the same organization; it also does not resolve overlapping IP ranges. Option C is wrong because VPC Network Peering directly fails when VPCs have overlapping IP ranges, as routes conflict and traffic cannot be properly forwarded. Option D is wrong because HA VPN with dynamic routing can technically route between overlapping subnets using BGP and prefix-based filtering, but it introduces encryption overhead, higher latency, and throughput limitations compared to peering, making it suboptimal for high-throughput, low-latency requirements.

269
MCQeasy

A company uses Cloud Armor to protect their HTTP Load Balancer from DDoS attacks. They want to block requests from a specific malicious IP address range, 203.0.113.0/24. Which Cloud Armor policy configuration should they use?

A.Create an allow rule with source IP condition for their own IP ranges and rely on default deny.
B.Create a rule with a 'source-ip' tag set to 'malicious' and assign to the load balancer.
C.Create a deny rule with priority 1000000 for the IP range.
D.Create a deny rule with a source IP condition for 203.0.113.0/24 and set priority to 1000.
AnswerD

Correct: deny rule blocks; priority 1000 is higher than default rules.

Why this answer

Option D is correct because Cloud Armor security policies use priority-based rules, where lower numbers indicate higher priority. A deny rule with priority 1000 for the specific IP range 203.0.113.0/24 ensures that traffic from that range is blocked before any lower-priority allow rules are evaluated. This is the standard method to block specific IP ranges while allowing other traffic.

Exam trap

Google Cloud often tests the misconception that higher priority numbers mean higher precedence, or that a default deny rule is automatically in place, leading candidates to choose a low-priority deny rule that would be ineffective.

How to eliminate wrong answers

Option A is wrong because relying on a default deny with only allow rules for your own IP ranges would block all traffic not explicitly allowed, which is overly restrictive and not the intended approach for blocking a specific malicious range. Option B is wrong because Cloud Armor does not support a 'source-ip' tag; tags are used for labeling resources, not for IP-based filtering rules. Option C is wrong because priority 1000000 is the lowest possible priority, meaning the rule would be evaluated last and could be overridden by any higher-priority allow rule, making it ineffective for blocking traffic.

270
MCQhard

Refer to the exhibit. A company configured this VPC Service Controls perimeter for a PCI DSS project. The compliance auditor notes that BigQuery data can be accessed from outside the perimeter. Which change must be made to restrict access to BigQuery?

A.Set the perimeter enforcement mode to enforced instead of dry run
B.Add storage.googleapis.com to restrictedServices
C.Move BigQuery to a separate perimeter
D.Add allUsers to the perimeter's access levels
AnswerA

A perimeter in dry run mode logs violations but does not block access; it must be set to enforced to restrict BigQuery.

Why this answer

The dry run mode logs violations but does not enforce restrictions, allowing BigQuery data to be accessed from outside the perimeter. Changing the enforcement mode to 'enforced' activates the VPC Service Controls policies, blocking all out-of-perimeter access to the configured services. This directly addresses the auditor's finding by ensuring that only requests from within the perimeter are allowed.

Exam trap

Google Cloud often tests the distinction between 'dry run' and 'enforced' modes, where candidates mistakenly assume that simply adding a service to the perimeter or configuring access levels is sufficient without enabling enforcement.

How to eliminate wrong answers

Option B is wrong because adding storage.googleapis.com to restrictedServices would restrict Cloud Storage, not BigQuery; BigQuery uses bigquery.googleapis.com as its service name. Option C is wrong because moving BigQuery to a separate perimeter does not by itself restrict access from outside the original perimeter — the new perimeter would also need enforcement enabled and proper configuration. Option D is wrong because adding allUsers to the perimeter's access levels would explicitly allow all users, including those outside the perimeter, which is the opposite of what is needed to restrict access.

271
Multi-Selectmedium

Which TWO are correct statements about IAM deny policies? (Choose two.)

Select 2 answers
A.Deny policies are prioritized based on the resource hierarchy (organization highest).
B.Deny policies support conditions to restrict when the deny applies.
C.Deny policies can be used to block access for all users except a specific set.
D.Deny policies cannot override an allow policy if the member is explicitly granted.
E.Deny policies can be applied at any resource level including individual resources.
AnswersB, C

Conditions can be added to deny rules.

Why this answer

Option B is correct because IAM deny policies support conditions that allow you to specify when the deny should apply, such as based on IP address, date/time, or resource tags. This enables fine-grained control over access restrictions, ensuring that the deny only takes effect under defined circumstances.

Exam trap

Google Cloud often tests the misconception that deny policies can be applied at any resource level, but in Google Cloud, deny policies are only supported at the organization, folder, and project levels, not on individual resources.

272
MCQhard

An organization has three projects: dev, staging, prod. They use Cloud Build to deploy code. The Cloud Build service account in the dev project needs to deploy to GKE in the prod project. To allow cross-project deployment, what should the Cloud Build service account be granted in the prod project?

A.roles/container.clusterViewer on the prod cluster.
B.roles/container.developer on the prod project.
C.roles/storage.objectViewer on the prod bucket.
D.roles/iam.serviceAccountUser on the GKE node service account in prod.
AnswerB

Grants permissions to deploy to GKE clusters in the prod project.

Why this answer

The Cloud Build service account in the dev project needs to deploy workloads to a GKE cluster in the prod project. The role `roles/container.developer` on the prod project grants the necessary permissions to create, update, and delete pods, deployments, and services within the cluster, which is required for deployment. This role also includes `container.clusters.get` and `container.clusters.update` to interact with the cluster, making it the correct choice for cross-project GKE deployment.

Exam trap

Google Cloud often tests the distinction between read-only, developer, and admin roles in GKE, and the trap here is that candidates confuse `container.clusterViewer` (read-only) with the ability to deploy, or think that granting access to a storage bucket or node service account is sufficient for cross-project GKE deployment.

How to eliminate wrong answers

Option A is wrong because `roles/container.clusterViewer` only allows read-only access to cluster resources (e.g., listing pods, viewing cluster metadata) and does not permit creating or modifying deployments, which is required for deploying code. Option C is wrong because `roles/storage.objectViewer` grants read-only access to objects in a Cloud Storage bucket, which is irrelevant to deploying to GKE; it might be needed for pulling build artifacts but not for cluster operations. Option D is wrong because `roles/iam.serviceAccountUser` on the GKE node service account allows impersonation of that service account (e.g., to run pods as that identity), but it does not grant any permissions to deploy or manage resources on the cluster itself; the Cloud Build service account needs direct cluster permissions, not the ability to impersonate node accounts.

273
MCQmedium

Refer to the exhibit. A security engineer configured Data Access audit logs for all services. During a compliance audit, the auditor flags this configuration as deficient. What is the most likely reason?

A.The audit config does not include DATA_WRITE logging
B.ALL_SERVICES includes unsupported services for data access logs
C.The service account is exempted from DATA_READ logs, which may allow unlogged data access
D.The audit config should be applied at the project level, not organization level
AnswerC

Exempting any principal from audit logging reduces visibility and can violate compliance policies that require logging of all data access.

Why this answer

Exempting a service account from DATA_READ logging means data access by that service account is not logged, creating a gap in audit coverage that many compliance frameworks (e.g., PCI DSS) require to be comprehensive.

274
MCQeasy

A security engineer is tasked with automating the remediation of non-compliant resources in a Google Cloud organization. The organization uses Organization Policy Service to enforce constraints. The engineer needs to automatically disable a specific service (e.g., Compute Engine API) for a project that violates a policy. Which Google Cloud service should be used to trigger this remediation?

A.Cloud Build
B.Cloud Run
C.Cloud Scheduler
D.Cloud Functions
AnswerD

Cloud Functions can be triggered by logs or Pub/Sub messages to perform automated remediation actions.

Why this answer

Cloud Functions is correct because it can be triggered by real-time event notifications (e.g., from Cloud Asset Inventory or Pub/Sub) when a policy violation is detected, and then execute custom code to disable the Compute Engine API via the Service Usage API. This serverless, event-driven model is ideal for automated remediation workflows without managing infrastructure.

Exam trap

Google Cloud often tests the distinction between event-driven (Cloud Functions) and scheduled (Cloud Scheduler) or compute (Cloud Run) services, trapping candidates who confuse scheduled tasks with real-time remediation triggers.

How to eliminate wrong answers

Option A is wrong because Cloud Build is a CI/CD service for building, testing, and deploying artifacts; it is not designed to react to policy violation events or directly disable APIs. Option B is wrong because Cloud Run is a managed compute platform for running containerized applications, not an event-triggered function service; it lacks native integration with Organization Policy violation events. Option C is wrong because Cloud Scheduler is a cron job service for scheduled, not event-driven, execution; it cannot react in real time to policy violations.

275
MCQhard

An organization wants to allow a group of external auditors read-only access to specific BigQuery datasets in a project, but only during working hours (9 AM to 5 PM). The auditors belong to an external Google Workspace domain. Which IAM configuration should be used?

A.Create a custom role with required permissions on the datasets, grant it to the auditors' group with an IAM condition using request.time between 9 AM and 5 PM.
B.Configure a Cloud Scheduler job to add and remove the auditors' group membership at the required times.
C.Create an Organization Policy with a time constraint on the datasets.
D.Use VPC Service Controls with an access level that allows during working hours.
AnswerA

IAM Conditions support time-based restrictions.

Why this answer

Option A is correct because IAM conditions allow you to enforce time-based access using the `request.time` attribute, which can restrict access to specific hours. By granting a custom role with read-only permissions on the BigQuery datasets and attaching a condition that `request.time` falls between 9 AM and 5 PM, the auditors from the external Google Workspace domain will only have access during working hours. This approach is native to IAM and does not require external automation or network-level controls.

Exam trap

The trap here is that candidates often confuse IAM conditions with Organization Policies or VPC Service Controls, thinking time-based access requires a separate service, when in fact IAM conditions with `request.time` provide a native, granular solution.

How to eliminate wrong answers

Option B is wrong because Cloud Scheduler can add/remove group memberships, but it introduces a delay (up to 2 minutes for propagation) and is a workaround rather than a native IAM condition; it also risks leaving access open if the job fails. Option C is wrong because Organization Policies apply to the entire project or organization, not to specific datasets, and they do not support time-based constraints on BigQuery datasets. Option D is wrong because VPC Service Controls restrict access based on network context (e.g., IP ranges, client identity) and do not natively support time-of-day conditions; they are designed for perimeter security, not granular time-based access.

276
Multi-Selectmedium

A security engineer is investigating an incident where an attacker gained access to a Compute Engine instance's serial console logs, which contained sensitive data. Which TWO actions should the engineer take to prevent this type of exposure in the future? (Choose TWO.)

Select 2 answers
A.Use Cloud NAT for outbound traffic to anonymize instance IP addresses in serial console logs.
B.Enable Private Google Access on the VPC subnet to restrict serial console log access to internal IPs only.
C.Remove the roles/iam.serviceAccountUser role from all users to prevent them from accessing serial console.
D.Disable interactive serial console access for all instances that do not require it.
E.Enable OS Login for the project to enforce SSH key management and prevent serial console access.
AnswersB, D

Correct: Private Google Access ensures that serial console logs are not sent over the public internet, reducing exposure.

Why this answer

Option B is correct because enabling Private Google Access on the VPC subnet ensures that serial console logs are accessed only via internal IP addresses, preventing exposure over the public internet. This restricts access to the serial console logs to resources within the VPC or connected networks, reducing the attack surface for data exfiltration.

Exam trap

Google Cloud often tests the distinction between IAM roles that control access to serial console logs (e.g., roles/compute.instanceAdmin) versus roles that control instance operations (e.g., roles/iam.serviceAccountUser), leading candidates to mistakenly select Option C.

277
MCQhard

A company uses VPC Service Controls to protect sensitive data. They notice that audit logs from a service perimeter are not being exported to a logging bucket inside the same perimeter. What is the likely cause?

A.The logging bucket is not within the service perimeter
B.The logging bucket is within a different VPC
C.The logging bucket is in a different project
D.The logging bucket has a retention policy
AnswerA

Exporting to a bucket outside the perimeter is blocked by the service perimeter.

Why this answer

The logging bucket must be inside the service perimeter for logs to be accessible from within the perimeter. If the bucket is outside, the logs cannot be exported due to the perimeter's data exfiltration protections.

278
Multi-Selecteasy

Which THREE Google Cloud services can encrypt data at rest?

Select 3 answers
A.Cloud CDN
B.Cloud Storage
C.Cloud SQL
D.Cloud Functions
E.Cloud KMS
AnswersB, C, E

Cloud Storage encrypts objects at rest by default.

Why this answer

Cloud Storage encrypts data at rest by default using server-side encryption (SSE) with either Google-managed keys or customer-managed keys via Cloud KMS. This ensures that all objects stored in buckets are encrypted before being written to disk, protecting data from unauthorized access at the storage layer.

Exam trap

Google Cloud often tests the misconception that all Google Cloud services automatically encrypt data at rest, but services like Cloud CDN and Cloud Functions do not provide native at-rest encryption themselves; they rely on underlying storage services for that capability.

279
MCQeasy

A company must implement data residency requirements that prohibit storing data outside the European Union. They are using Cloud Bigtable and need to ensure that backups are also stored within the EU. Which configuration should they choose?

A.Create the Bigtable instance with multi-region placement in europe-west1 and europe-west4.
B.Create an instance in a dual-region configuration (e.g., europe-west1 and europe-west4) and use backup policies.
C.Use a single-region instance in europe-west1 with customer-managed encryption keys (CMEK) for backups.
D.Create the Bigtable instance in a single EU region (e.g., europe-west1) and enable automatic backups.
AnswerD

Backups are stored in the same region as the instance, ensuring data stays in the EU.

Why this answer

Option D is correct because a single-region Bigtable instance in an EU region (e.g., europe-west1) ensures that all data, including backups, remains within the EU. Enabling automatic backups stores backup data in the same region, satisfying data residency requirements that prohibit storing data outside the EU.

Exam trap

Google Cloud often tests the misconception that multi-region or dual-region configurations are acceptable for data residency, but the trap here is that any replication across regions (even within the EU) can violate strict data residency if the requirement prohibits storing data outside a specific geographic boundary, and backups must be explicitly confined to the same region.

How to eliminate wrong answers

Option A is wrong because multi-region placement replicates data across multiple geographic regions, which could include non-EU locations, violating data residency requirements. Option B is wrong because a dual-region configuration replicates data across two EU regions, but backups may be stored in a separate location not guaranteed to be within the EU, and backup policies do not enforce regional residency. Option C is wrong because customer-managed encryption keys (CMEK) control encryption but do not affect data storage location; backups could still be stored outside the EU if not explicitly configured to stay within the region.

280
MCQeasy

A user is unable to create a Compute Engine instance using a custom image from a family. What is the missing permission?

A.compute.disks.create on the project
B.compute.instances.create on the project
C.compute.images.get on the image family
D.compute.images.use on the image family
AnswerD

This permission is required to use the image to create an instance.

Why this answer

To create a Compute Engine instance using a custom image from a family, the user needs the `compute.images.use` permission on the image family (or the specific image). This permission allows the user to use the image as a boot disk for new instances. Without it, the instance creation fails even if the user has `compute.instances.create` on the project.

Exam trap

Google Cloud often tests the distinction between project-level permissions (like `compute.instances.create`) and resource-level permissions (like `compute.images.use`), trapping candidates who assume instance creation automatically includes the right to use any image.

How to eliminate wrong answers

Option A is wrong because `compute.disks.create` on the project allows creating persistent disks but does not grant the right to use a specific image family as the source for the boot disk. Option B is wrong because `compute.instances.create` on the project allows creating instances but does not include the permission to use a custom image from a family; that requires an additional resource-level permission. Option C is wrong because `compute.images.get` on the image family only allows viewing image metadata, not using the image to create an instance.

281
Multi-Selecteasy

A security engineer is configuring VPC Service Controls to protect a service perimeter. Which TWO conditions must be met for a request to be allowed across the perimeter? (Choose TWO.)

Select 2 answers
A.The request is made by an identity that belongs to an allowed domain.
B.The request comes from an allowed IP range.
C.The request is made by a service account that has been granted access.
D.The request includes a valid access context manager access level.
E.The request originates from a project within the perimeter.
AnswersD, E

Access levels are required for both inside and outside requests.

Why this answer

Options D and E are correct. A request is allowed if it originates from a project within the perimeter and meets the required access levels. Option B is not a direct condition; IP ranges are part of access levels. Option C is not a standalone condition; service accounts are allowed based on identity and access levels. Option A is also part of access levels.

282
Drag & Dropmedium

Drag and drop the steps to set up a Private Google Access for on-premises hosts using Private Service Connect in the correct order.


Why this order

Private Service Connect requires VPC, endpoint creation, DNS configuration, hybrid connectivity, and testing.

283
MCQeasy

An engineer has enabled Private Google Access on the subnet. However, instances in the subnet cannot access Google APIs (e.g., storage.googleapis.com) using their internal IPs. What is the most likely issue?

A.The instances need a public IP
B.The domain needs to be added to a DNS zone
C.Private Google Access requires a VPC connector
D.The instances have no route to the default internet gateway
Answer: B

If using custom DNS, you must create a private zone for googleapis.com to resolve to the private IPs.

Why this answer

Private Google Access allows instances without public IPs to reach Google APIs and services using their internal IPs, but it requires that the DNS resolution for the API domain (e.g., storage.googleapis.com) resolves to the private IP range used by Google's Private Access (199.36.153.8/30). If the domain is not added to a private DNS zone (e.g., googleapis.com) in the VPC, DNS will resolve to public IPs, causing connectivity failure. Option B correctly identifies this missing DNS configuration as the most likely issue.

Exam trap

Google Cloud often tests the misconception that Private Google Access requires a public IP or a VPC connector, when in fact the critical missing piece is the DNS configuration to resolve Google API domains to private IPs.

How to eliminate wrong answers

Option A is wrong because Private Google Access is specifically designed to allow instances without public IPs to access Google APIs; requiring a public IP would defeat its purpose. Option C is wrong because Private Google Access does not require a VPC connector; it uses a special route and DNS configuration within the VPC, not a connector. Option D is wrong because Private Google Access does not rely on a route to the default internet gateway; it uses a default route (0.0.0.0/0) with a next hop of 'default internet gateway' only for public IP access, but for Private Google Access, the route must point to the 'default internet gateway' with the destination being the private IP range 199.36.153.8/30, not the entire internet.

284
Multi-Select · medium

A Security Engineer is designing access controls for a multi-cloud environment where workloads on Google Cloud need to access on-premises databases. The company wants to use long-lived credentials. Which TWO options are valid approaches? (Choose TWO.)

Select 2 answers
A.Create an OAuth 2.0 client ID for an installed application and use offline access to obtain refresh tokens.
B.Set up a Cloud VPN tunnel and use private IP addresses to access Google Cloud services.
C.Create a service account and use its key to generate short-lived tokens.
D.Create a service account and download its private key for the on-premises application to use.
E.Use Workload Identity Federation to exchange on-premises credentials for Google Cloud tokens.
Answers: A, D

OAuth 2.0 client IDs for installed applications can use refresh tokens that are long-lived.

Why this answer

Option A is correct because OAuth 2.0 client IDs for installed applications can be configured for offline access, which returns refresh tokens. These refresh tokens are long-lived (typically do not expire unless revoked) and can be used by on-premises applications to obtain new access tokens for accessing Google Cloud APIs without user interaction. This meets the requirement for long-lived credentials in a multi-cloud environment.

Exam trap

Google Cloud often tests the distinction between long-lived and short-lived credentials, and the trap here is that candidates may confuse Workload Identity Federation (which produces short-lived tokens) with a method for obtaining long-lived credentials, or assume that VPN tunnels solve authentication requirements.

285
MCQ · easy

A Cloud Function is timing out. What is the maximum timeout for a Cloud Function (1st gen)?

A.60 seconds
B.900 seconds
C.3600 seconds
D.540 seconds
Answer: D

Cloud Functions (1st gen) support up to 540 seconds timeout.

Why this answer

Cloud Functions (1st gen) have a maximum timeout of 540 seconds.

286
MCQ · easy

A company needs to retain audit logs for 7 years to meet regulatory compliance. They are using Cloud Logging. Which log storage strategy should they use to minimize costs while meeting the requirement?

A.Store logs in the _Required log bucket with a custom retention of 7 years.
B.Disable logging for non-critical resources to reduce log volume and retain only essential logs.
C.Use a log sink to export logs to Cloud Storage with a retention policy of 7 years and nearline storage class.
D.Use a log sink to export logs to BigQuery and set the table expiration to 7 years.
Answer: C

Log sinks can export to Cloud Storage, and a retention policy ensures logs are kept for 7 years. Nearline storage class reduces cost.

Why this answer

Option C is correct because exporting logs to Cloud Storage via a log sink allows you to set a bucket retention policy of 7 years, meeting compliance requirements. Using the nearline storage class minimizes costs for logs that are accessed infrequently, as it offers lower storage costs than standard storage while still providing the necessary durability and retention capabilities.

Exam trap

Google Cloud often tests the misconception that the _Required log bucket can be customized for long-term retention, when in fact it is a fixed, system-managed bucket with a default retention period that cannot be extended.

How to eliminate wrong answers

Option A is wrong because the _Required log bucket is a system-managed bucket that cannot have a custom retention period; it retains logs for the default retention (typically 30 days) and is not designed for long-term archival. Option B is wrong because disabling logging for non-critical resources violates the principle of comprehensive audit logging required by many regulations; you must retain logs for all resources that generate audit-relevant data, not just 'essential' ones. Option D is wrong because BigQuery is optimized for analytics and querying, not for long-term, low-cost archival storage; table expiration at 7 years would still incur ongoing storage costs that are higher than Cloud Storage nearline, and BigQuery is not the most cost-effective choice for infrequently accessed audit logs.

287
Multi-Select · medium

A user should be able to download and delete objects in a specific Cloud Storage bucket. Which two permissions are required in a custom role? (Choose two.)

Select 2 answers
A.storage.buckets.list
B.storage.objects.delete
C.storage.buckets.get
D.storage.objects.list
E.storage.objects.get
Answers: B, E

Required to delete objects.

Why this answer

To download an object, the user needs `storage.objects.get` permission, which allows reading the object's data and metadata from the bucket. To delete an object, the user needs `storage.objects.delete` permission, which authorizes the removal of the object from the bucket. These two permissions are the minimum required for download and delete operations on objects within a specific Cloud Storage bucket.

Exam trap

Google Cloud often tests the distinction between object-level permissions (like `storage.objects.get` and `storage.objects.delete`) and bucket-level permissions (like `storage.buckets.list` or `storage.buckets.get`), trapping candidates who assume listing or getting bucket metadata is necessary for object operations.

288
Multi-Select · easy

Which TWO actions help ensure compliance with data residency requirements in Google Cloud? (Choose two.)

Select 2 answers
A.Configure Organization policy `gcp.resourceLocations` to restrict allowed locations
B.Use Cloud CDN to cache content globally
C.Use VPC Service Controls to create perimeters that restrict data movement
D.Enable Cloud Interconnect for dedicated connectivity
E.Use Cloud VPN for site-to-site encryption
Answers: A, C

Organization policy can enforce that resources are created only in approved regions.

Why this answer

Option A is correct because the `gcp.resourceLocations` Organization policy constraint explicitly defines the set of Google Cloud regions where resources can be created. By configuring this policy, an organization can enforce that all resources are provisioned only in approved geographic locations, directly meeting data residency requirements that mandate data remain within specific jurisdictions.

Exam trap

Google Cloud often tests the distinction between data residency controls (which restrict where data is stored) and network connectivity or encryption services (which do not enforce geographic restrictions), leading candidates to mistakenly select Cloud Interconnect or Cloud VPN as solutions for residency compliance.

289
MCQ · medium

A company is using Cloud Armor to protect their HTTP(S) load balancer. They have configured a security policy with a rule to block traffic from a specific IP address (10.0.0.1/32). During testing, they observe that requests from that IP are still reaching the backend. What is the most likely reason?

A.The backend service is configured to bypass Cloud Armor.
B.Cloud Armor does not support blocking specific IP addresses.
C.The security policy is not attached to the backend service.
D.The rule has a lower priority than a default allow rule.
Answer: C

A security policy must be attached to a backend service for its rules to be enforced.

Why this answer

Cloud Armor security policies must be explicitly attached to a backend service to take effect. If the policy is not attached, the rules within it—including the block rule for 10.0.0.1/32—are not evaluated, and traffic flows to the backend as if no policy exists. This is the most common cause when a configured rule appears to be ignored.

Exam trap

Google Cloud often tests the concept that a security policy must be attached to a backend service (or target proxy) to be active; candidates mistakenly assume that creating the policy alone is sufficient to enforce its rules.

How to eliminate wrong answers

Option A is wrong because Cloud Armor does not have a 'bypass' setting on the backend service; the backend service either has a security policy attached or it does not, and there is no mechanism to selectively bypass Cloud Armor for certain traffic. Option B is wrong because Cloud Armor explicitly supports blocking specific IP addresses using CIDR-based rules in security policies, including /32 prefixes. Option D is wrong because the default rule in Cloud Armor is to allow traffic, but if a block rule has a higher priority number (lower priority) than the default allow, the default allow would take precedence; however, the question states the rule is configured, and the most likely reason for the block not working is that the policy is not attached at all, not a priority issue.

290
MCQ · hard

A user with this role tries to create a VM instance with a specific machine type and boot disk image. The creation fails due to missing permissions. Which permission is most likely missing?

A.compute.networks.use
B.compute.images.get
C.compute.machineTypes.get
D.compute.instances.list
Answer: C

Required to read machine type details for instance creation.

Why this answer

When creating a VM instance, the user must have permission to view the machine type definition to verify it exists and is available in the specified zone. The `compute.machineTypes.get` permission is required for this check, and without it, the creation fails even if other permissions are present. This is a prerequisite permission that the Compute Engine API checks before proceeding with instance provisioning.

Exam trap

Google Cloud often tests the misconception that creating a VM only requires broad permissions like `compute.instances.create`, but the trap here is that Google Cloud performs granular, sequential permission checks for each resource referenced in the creation request, and the machine type check is the first one to fail.

How to eliminate wrong answers

Option A is wrong because `compute.networks.use` is needed to attach the VM to a specific VPC network, but the failure occurs before that stage, at the machine type validation step. Option B is wrong because `compute.images.get` is required to read the boot disk image metadata, but the error here is specifically about the machine type, not the image. Option D is wrong because `compute.instances.list` is a read-only permission for listing existing instances and has no role in creating a new VM or validating machine types.

291
MCQ · easy

A company uses Cloud KMS to protect encryption keys for their Cloud SQL databases. They want to rotate keys every 30 days and ensure that old keys are retained for at least 90 days. What is the recommended approach?

A.Use a Cloud KMS key with manual rotation every 30 days and keep all key versions indefinitely.
B.Use Cloud HSM to generate a key and set key version lifecycle to disable after 90 days.
C.Use a Cloud KMS key with automatic rotation period of 30 days and disable old key versions after 90 days.
D.Use customer-supplied encryption keys (CSEK) and rotate them manually.
Answer: C

Automatic rotation and disabling old versions satisfies both requirements.

Why this answer

Option C is correct because Cloud KMS supports automatic key rotation with a configurable period (e.g., 30 days), which creates new key versions automatically. To meet the 90-day retention requirement, you can disable old key versions after 90 days using the key version lifecycle policy, ensuring they are not used for encryption but remain available for decryption of older data.

Exam trap

Google Cloud often tests the distinction between automatic rotation (which creates new versions) and key version lifecycle (which manages old versions), and the trap here is assuming that automatic rotation alone handles retention, when in fact you must explicitly configure lifecycle policies to disable or destroy old versions after a specified period.

How to eliminate wrong answers

Option A is wrong because manual rotation every 30 days is operationally burdensome and error-prone, and keeping all key versions indefinitely does not satisfy the requirement to retain old keys for at least 90 days (it retains them forever, which is not the recommended approach). Option B is wrong because Cloud HSM is a hardware security module that can generate keys, but it does not provide a built-in mechanism to set key version lifecycle to disable after 90 days; that lifecycle management is a Cloud KMS feature, not Cloud HSM. Option D is wrong because customer-supplied encryption keys (CSEK) require you to manage and rotate keys manually, which does not leverage Cloud KMS's automatic rotation or lifecycle policies, and CSEK is typically used for Compute Engine, not Cloud SQL.

292
MCQ · hard

Which method ensures that Cloud Storage logs are encrypted with a key that is managed on-premises?

A.CMEK
B.Cloud External Key Manager
C.CSEK
D.Default encryption
Answer: B

Cloud External Key Manager uses an external key management partner, keeping keys on-premises.

Why this answer

Cloud External Key Manager (Cloud EKM) allows you to use an external key management system, such as one running on-premises, to manage encryption keys for Cloud Storage. This ensures that the keys used to encrypt your data are never stored in Google Cloud, meeting the requirement of on-premises key management.

Exam trap

Google Cloud often tests the distinction between where the key material is stored (Google Cloud vs. on-premises) rather than who manages the key lifecycle, causing candidates to confuse CMEK (customer-managed but cloud-hosted) with Cloud EKM (customer-managed and on-premises-hosted).

How to eliminate wrong answers

Option A (CMEK) is wrong because Cloud Key Management Service (Cloud KMS) with customer-managed encryption keys (CMEK) still stores the key material within Google Cloud, not on-premises. Option C (CSEK) is wrong because customer-supplied encryption keys (CSEK) are provided by the customer for each API call but are not managed on-premises; they are ephemeral and not stored or managed by a persistent on-premises system. Option D (Default encryption) is wrong because default encryption uses Google-managed keys, which are entirely controlled and stored by Google, not on-premises.

293
MCQ · hard

A company uses Cloud SQL for MySQL and needs to automate the rotation of database user passwords every 30 days. They want to store the passwords in Secret Manager and have the application retrieve them at runtime. The application runs on Compute Engine. What is the most secure way to allow the Compute Engine instances to access the secrets?

A.Attach a service account to the Compute Engine instances with the role roles/secretmanager.secretAccessor, and grant that service account access to the specific secret versions.
B.Grant the roles/secretmanager.secretAccessor role to all service accounts in the project.
C.Create a service account key for a dedicated service account, download it to the instance, and use it to access the secret.
D.Store the password in instance metadata and have the application read it from the metadata server.
Answer: A

This follows least privilege and uses short-lived credentials from the metadata server.

Why this answer

Option A is correct because it follows the principle of least privilege by attaching a service account with the roles/secretmanager.secretAccessor role directly to the Compute Engine instances and granting that service account access only to the specific secret versions needed. This ensures that the instances can authenticate via the default service account metadata server (using OAuth 2.0 tokens) without exposing any long-lived credentials, and the access is scoped to exactly the secrets required for password rotation.

Exam trap

Google Cloud often tests the misconception that storing secrets in instance metadata is acceptable for security, but the trap here is that metadata is not designed for secrets management and lacks encryption, access control, and audit capabilities that Secret Manager provides.

How to eliminate wrong answers

Option B is wrong because granting roles/secretmanager.secretAccessor to all service accounts in the project violates least privilege and could allow unintended service accounts to access secrets, increasing the attack surface. Option C is wrong because downloading a service account key file to the instance creates a long-lived credential that must be securely stored and rotated, which is less secure than using the instance's attached service account and metadata server for automatic token-based authentication. Option D is wrong because storing passwords in instance metadata is not encrypted at rest by default, is visible to anyone with metadata server access (including other processes on the instance), and does not provide the audit logging and versioning capabilities of Secret Manager.

294
MCQ · easy

An organization wants to enforce that all new Cloud Storage buckets are created with uniform bucket-level access enabled to simplify access control and meet compliance requirements. What Google Cloud service should they use to enforce this?

A.VPC Service Controls
B.Organization Policies
C.Cloud IAM
D.Cloud Armor
Answer: B

Organization Policies include pre-defined constraints to enforce uniform bucket-level access.

Why this answer

Organization Policies allow administrators to set constraints on Google Cloud resources at the organization, folder, or project level. The `constraints/storage.uniformBucketLevelAccess` constraint can be applied to enforce that all new Cloud Storage buckets are created with uniform bucket-level access enabled, simplifying access control and meeting compliance requirements.

Exam trap

The trap here is that candidates confuse Organization Policies (which enforce configuration rules) with Cloud IAM (which grants permissions), leading them to select Cloud IAM even though it cannot enforce a bucket creation constraint.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls are used to define security perimeters around Google Cloud services to mitigate data exfiltration risks, not to enforce bucket-level access settings. Option C is wrong because Cloud IAM manages who has access to resources (permissions) but cannot enforce configuration constraints like uniform bucket-level access on new buckets. Option D is wrong because Cloud Armor is a web application firewall (WAF) and DDoS protection service for HTTP(S) load balancing, unrelated to Cloud Storage bucket access control.

295
MCQ · medium

A healthcare organization ingests patient data into Cloud Storage and then processes it with Dataflow. They need to de-identify sensitive fields like Social Security numbers before storing in BigQuery. Which approach should they use?

A.Use BigQuery column-level security with data masking.
B.Write custom Dataflow transformations using a Java SDK to redact SSNs.
C.Use Cloud DLP to inspect and transform the data, then store the de-identified results in BigQuery.
D.Use Cloud Data Catalog to tag sensitive columns and rely on access control.
Answer: C

Cloud DLP can automatically identify and de-identify sensitive data.

Why this answer

Option C is correct because Cloud DLP inspection and de-identification jobs integrate with both Dataflow and BigQuery, so sensitive fields can be transformed in the pipeline before the results are stored. Option A is wrong because BigQuery data masking only masks at query time, not at rest. Option B is wrong because custom Dataflow redaction code is more error-prone and harder to maintain than a managed de-identification service. Option D is wrong because Cloud Data Catalog only catalogs data; it does not transform it.

296
MCQ · hard

A company is using Forseti for compliance automation. They need to ensure that all Cloud Storage buckets are encrypted with CMEK and that buckets without CMEK are flagged. Which Forseti scanner should they use?

A.IAM scanner
B.Resource scanner
C.Bucket ACL scanner
D.Location scanner
Answer: D

Location scanner can enforce policies like 'require CMEK' on buckets.

Why this answer

The Location scanner in Forseti is designed to audit resources based on their location or configuration settings, including encryption status. For Cloud Storage buckets, it can check whether CMEK is enabled by evaluating the bucket's encryption configuration against a policy, flagging any that lack CMEK. This makes it the correct scanner for ensuring CMEK compliance.

Exam trap

The trap here is that candidates confuse the Location scanner's name with geographic location auditing, when in fact it audits any resource property defined in the policy library, including encryption settings.

How to eliminate wrong answers

Option A is wrong because the IAM scanner audits Identity and Access Management policies and permissions, not encryption settings on Cloud Storage buckets. Option B is wrong because the Resource scanner inventories and tracks resource metadata and lifecycle, but does not evaluate encryption compliance. Option C is wrong because the Bucket ACL scanner checks Access Control Lists for bucket permissions, not encryption configurations like CMEK.

297
MCQ · medium

A company uses Cloud SQL for PostgreSQL and needs to ensure that database backups are retained for 30 days for compliance. They also want to be able to perform point-in-time recovery for the last 24 hours. What configuration should they use?

A.Enable automated backups with a retention of 30 days and enable binary logging (write-ahead logs) for point-in-time recovery.
B.Manually take a full backup every day and store it in Cloud Storage with object lifecycle management set to 30 days.
C.Take daily snapshots of the Compute Engine instance running Cloud SQL.
D.Use Cloud Scheduler to run a script that exports the database to Cloud Storage every hour, and keep the exports for 30 days.
Answer: A

Automated backups provide daily backups; binary logs allow recovery to any point within the retention period.

Why this answer

Option A is correct because Cloud SQL automated backups and binary log (WAL) archiving enable point-in-time recovery. Option B is incorrect because export to Cloud Storage is a manual process. Option C is incorrect because snapshots are not supported for Cloud SQL.

Option D is incorrect because manual backups do not provide point-in-time recovery.

298
MCQ · hard

A security engineer is troubleshooting a connectivity issue between two VPCs connected via VPC Network Peering. VPC-A (project A) has a Compute Engine instance with internal IP 10.1.0.2. VPC-B (project B) has an instance with internal IP 10.2.0.2. The engineer has verified that the peering connection is active and the firewall rules allow ingress from 10.1.0.0/16. However, the instance in VPC-B cannot ping the instance in VPC-A. What is the most likely cause?

A.The VPC-A has a firewall rule that denies ICMP traffic from VPC-B.
B.The VPC-B does not have a route to VPC-A's subnet ranges. Custom route exchange is not enabled on the peering connection.
C.The MTU configuration on the peering connection is set too low.
D.The instance in VPC-B does not have a public IP address.
Answer: B

By default, only subnet routes are exchanged. Custom routes require explicit export/import settings.

Why this answer

The most likely cause is that custom route exchange is not enabled on the VPC Network Peering connection. By default, VPC peering does not exchange custom routes (including subnet routes) unless explicitly enabled. Without this, VPC-B has no route to the 10.1.0.0/16 subnet of VPC-A, so the instance in VPC-B cannot send traffic to 10.1.0.2, even though firewall rules allow ingress.

The peering connection being active only means the link is established, not that routes are automatically propagated.

Exam trap

Google Cloud often tests the misconception that an active peering connection and permissive firewall rules are sufficient for connectivity, when in fact route exchange (especially for custom routes) must be explicitly enabled for traffic to flow between VPCs.

How to eliminate wrong answers

Option A is wrong because the question states that firewall rules allow ingress from 10.1.0.0/16, and a deny rule on VPC-A would be a firewall issue, but the core problem is routing, not firewall. Option C is wrong because MTU configuration on a VPC peering connection is not a configurable parameter; Google Cloud uses a fixed MTU of 1460 bytes for VPC peering, and an MTU mismatch would cause fragmentation issues, not a complete lack of connectivity. Option D is wrong because a public IP address is not required for communication over VPC Network Peering; the instances communicate using internal IPs, and the lack of a public IP is irrelevant for peered VPC connectivity.

299
MCQ · easy

A user receives a "403 Forbidden" error when trying to access a Compute Engine instance via SSH from the Cloud Console. The user has the Compute Admin role on the project. What is the most likely cause?

A.The user does not have the compute.instances.setMetadata permission.
B.The firewall rules do not allow SSH from the user's IP.
C.OS Login is enabled on the instance and the user lacks the osLogin role.
D.The user does not have the roles/iap.tunnelResourceAccessor role.
Answer: D

Cloud Console SSH uses IAP TCP forwarding, which requires this role.

Why this answer

The 403 Forbidden error when using Cloud Console SSH indicates that Identity-Aware Proxy (IAP) TCP forwarding is being used, which requires the roles/iap.tunnelResourceAccessor role. Even with Compute Admin, the user lacks this IAP-specific role, so the request is denied at the IAP layer before reaching the instance.

Exam trap

Google Cloud often tests the misconception that Compute Admin or firewall rules are sufficient for Cloud Console SSH, when in reality IAP requires a distinct role (roles/iap.tunnelResourceAccessor) that is not included in Compute Admin.

How to eliminate wrong answers

Option A is wrong because the compute.instances.setMetadata permission is not required for SSH access via Cloud Console; it is used for modifying instance metadata, not for establishing an SSH connection. Option B is wrong because firewall rules are bypassed when using IAP TCP forwarding, as the connection goes through Google's infrastructure, not directly from the user's IP. Option C is wrong because OS Login controls authentication via SSH keys or IAM roles, but a 403 error from Cloud Console SSH indicates an IAP authorization failure, not an OS Login issue.

300
MCQ · easy

Your organization wants to ensure that no Compute Engine instance can have a public IP address. What is the best way to enforce this policy?

A.Use Cloud Audit Logs to monitor and alert on instances with public IPs
B.Use an Organization Policy with the constraint `compute.vmExternalIpAccess`
C.Use a firewall rule that blocks traffic from 0.0.0.0/0
D.Use a Service Perimeter from VPC Service Controls
Answer: B

Prevents creation of VMs with external IPs.

Why this answer

Option B is correct because the Organization Policy constraint `compute.vmExternalIpAccess` is a native Google Cloud policy that can be applied at the project, folder, or organization level to explicitly deny the assignment of external IP addresses to Compute Engine instances. This policy is enforced at the resource creation time, preventing any instance from being launched with a public IP, and it cannot be overridden by project-level IAM permissions, making it the most direct and effective enforcement mechanism.

Exam trap

The trap here is that candidates often confuse reactive monitoring (Cloud Audit Logs) or network-layer controls (firewall rules) with proactive policy enforcement, or they misapply VPC Service Controls, which are for data exfiltration prevention, not for controlling instance-level network interface configurations.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs only provide monitoring and alerting after the fact; they do not prevent instances from being created with public IPs, so they cannot enforce a policy proactively. Option C is wrong because a firewall rule blocking traffic from 0.0.0.0/0 would prevent all inbound traffic from the internet, but it does not prevent the instance from having a public IP address assigned, and it would also block legitimate traffic that might be needed for other purposes; the instance would still have a public IP, violating the policy. Option D is wrong because a Service Perimeter from VPC Service Controls is designed to restrict data exfiltration from Google Cloud services like Cloud Storage or BigQuery, not to control whether Compute Engine instances have public IP addresses; it operates at the service perimeter level, not at the instance network interface level.
