Google Professional Cloud Security Engineer (PCSE) — Questions 376-450

500 questions total · 7 pages · All types, answers revealed


Page 6 of 7

376
MCQ · hard

You are designing a multi-tier application with a frontend and backend. The frontend instances are in subnet A (10.0.1.0/24), and the backend instances are in subnet B (10.0.2.0/24). Both subnets are in the same VPC. You want to allow the frontend to communicate with the backend on TCP port 8080, but the backend must not be able to initiate connections to the frontend. Additionally, the backend must be able to send patches to the internet. Which set of firewall rules should you implement?

A.Ingress rule on frontend: allow tcp:8080 from backend's service account; Egress rule on backend: allow all to internet
B.Ingress rule on backend: allow tcp:8080 from subnet A; Egress rule on backend: allow all to internet
C.Ingress rule on frontend: allow tcp:8080 from subnet B; Egress rule on backend: allow all to internet
D.Ingress rule on backend: allow tcp:8080 from subnet A; Egress rule on frontend: deny all to internet
Answer: B

Correct: Ingress on backend allows frontend-initiated traffic only. Egress on backend allows backend to reach internet for patches. No rule allows backend to initiate to frontend.

Why this answer

Option B is correct because the frontend in subnet A initiates the connections, so the rule that admits them is an ingress rule on the backend allowing tcp:8080 from 10.0.1.0/24. VPC firewall rules are stateful, so the backend's replies flow back without an extra rule. An egress rule on the backend allowing traffic to 0.0.0.0/0 covers patch downloads (the implied allow-egress rule would permit this too, but stating it explicitly keeps the intent visible if a deny-egress rule is added later). Nothing in this set lets the backend open connections to the frontend: the frontend has no ingress rule admitting traffic from subnet B, so the implied deny-ingress rule drops those connection attempts.

Exam trap

Google Cloud often tests the distinction between ingress and egress rules and the direction of traffic flow; the trap here is that candidates mistakenly place the ingress rule on the frontend (thinking it needs to 'receive' the connection) instead of on the backend, which actually receives the connection from the frontend.

How to eliminate wrong answers

Option A is wrong because the ingress rule is on the frontend rather than the backend: it admits backend-initiated connections to the frontend, the exact direction that must be blocked, and leaves the backend with no rule admitting the frontend's traffic on 8080. (Service accounts are a legitimate source and target for VPC firewall rules; the flaw is the direction, not the use of a service account.) Option C is wrong for the same reason, with subnet B as the source instead of a service account. Option D is wrong because denying all egress from the frontend blocks the frontend's own connections to the backend, and it gives the backend no explicit egress rule for patches.
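The following is an added example, not part of the original question bank: a small model of how Google Cloud evaluates VPC firewall rules (priority, tie-breaking, the implied rules, and stateful handling of the first packet), used to check each of the four rule sets against the three requirements. The tiers, host addresses and rule names are assumed; option A's "backend's service account" is approximated by subnet B's range, and only TCP is modelled.

```python
"""Model of Google Cloud VPC firewall evaluation for the frontend/backend question.

Illustrative code for this page, not Google's implementation. Assumptions:
each rule applies to every instance of one tier ("frontend", "backend") or to
"all"; option A's service-account source is approximated by subnet B's range;
only TCP is modelled; the internet is represented by a documentation address."""
import ipaddress
from dataclasses import dataclass

FRONTEND = "10.0.1.0/24"   # subnet A
BACKEND = "10.0.2.0/24"    # subnet B
FE_HOST, BE_HOST, INTERNET_HOST = "10.0.1.10", "10.0.2.10", "198.51.100.7"


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str     # "INGRESS" or "EGRESS"
    action: str        # "allow" or "deny"
    priority: int      # 0..65535; the lowest number wins
    target: str        # tier the rule is applied to, or "all"
    ranges: tuple      # source ranges for ingress, destination ranges for egress
    ports: tuple = ()  # empty tuple = every TCP port


def _matches(rule, tier, remote_ip, port):
    in_target = rule.target in ("all", tier)
    in_range = any(ipaddress.ip_address(remote_ip) in ipaddress.ip_network(r) for r in rule.ranges)
    return in_target and in_range and (not rule.ports or port in rule.ports)


def decide(rules, direction, tier, remote_ip, port):
    """True if the first packet is allowed in `direction` for an instance of `tier`.

    Lowest priority number wins; on a tie, deny beats allow. With no matching
    rule the implied rules apply: deny all ingress, allow all egress."""
    hits = [r for r in rules if r.direction == direction and _matches(r, tier, remote_ip, port)]
    if not hits:
        return direction == "EGRESS"
    best = min(hits, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return best.action == "allow"


def can_initiate(rules, src_tier, src_ip, dst_tier, dst_ip, port):
    """Rules are stateful, so only the connection's first packet is evaluated:
    egress at the source, then ingress at the destination. A destination
    outside the VPC (dst_tier None) has no ingress rules to check."""
    if not decide(rules, "EGRESS", src_tier, dst_ip, port):
        return False
    return dst_tier is None or decide(rules, "INGRESS", dst_tier, src_ip, port)


def egress_all(tier):
    return Rule(f"{tier}-egress-internet", "EGRESS", "allow", 1000, tier, ("0.0.0.0/0",))


OPTIONS = {
    "A": [Rule("fe-ingress-8080", "INGRESS", "allow", 1000, "frontend", (BACKEND,), (8080,)), egress_all("backend")],
    "B": [Rule("be-ingress-8080", "INGRESS", "allow", 1000, "backend", (FRONTEND,), (8080,)), egress_all("backend")],
    "C": [Rule("fe-ingress-8080", "INGRESS", "allow", 1000, "frontend", (BACKEND,), (8080,)), egress_all("backend")],
    "D": [Rule("be-ingress-8080", "INGRESS", "allow", 1000, "backend", (FRONTEND,), (8080,)),
          Rule("fe-egress-deny", "EGRESS", "deny", 1000, "frontend", ("0.0.0.0/0",))],
}

# Defence in depth on top of B (my addition, not one of the exam options): an
# explicit, higher-priority egress deny from the backend toward subnet A, so the
# design no longer relies only on the implied deny-ingress rule at the frontend.
HARDENED_B = OPTIONS["B"] + [Rule("be-egress-deny-frontend", "EGRESS", "deny", 900, "backend", (FRONTEND,))]


def meets_requirements(rules):
    fe_to_be = can_initiate(rules, "frontend", FE_HOST, "backend", BE_HOST, 8080)
    be_to_fe = any(can_initiate(rules, "backend", BE_HOST, "frontend", FE_HOST, p) for p in (22, 443, 8080))
    be_to_internet = can_initiate(rules, "backend", BE_HOST, None, INTERNET_HOST, 443)
    return fe_to_be and not be_to_fe and be_to_internet


def passing_options():
    return sorted(letter for letter, rules in OPTIONS.items() if meets_requirements(rules))


if __name__ == "__main__":
    print("options meeting all three requirements:", passing_options())
    print("hardened B still passes:", meets_requirements(HARDENED_B))
```

Running it shows only B satisfies all three requirements. Under B the backend's egress toward the frontend is actually allowed (by the explicit allow-all egress, and by the implied rule without it); what blocks the backend from initiating is the frontend's missing ingress allow, which is why the hardened variant adds an explicit egress deny as a second control.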

377
MCQ · hard

An organization uses Cloud VPN tunnels to connect multiple VPCs. They need to record all network metadata for compliance audits without affecting throughput. What is the most effective approach?

A.Enable VPC Flow Logs on all subnets and export logs to a centralized BigQuery dataset.
B.Install a third-party packet inspection appliance in each VPC.
C.Configure Packet Mirroring to mirror all VPN traffic to a collector.
D.Use Cloud Logging to capture VPN tunnel logs from Cloud Router.
Answer: A

VPC Flow Logs provide metadata with negligible performance overhead and are suitable for compliance auditing.

Why this answer

Option A is correct because VPC Flow Logs record connection metadata (5-tuple, bytes, packets, timing, plus VM and VPC annotations) from the network fabric with negligible effect on throughput, and exporting them to BigQuery gives a central, queryable store for audits. Sampling is configurable per subnet; for compliance set the sampling rate and aggregation interval deliberately rather than accepting the defaults. Option B is wrong because a packet inspection appliance sits in the data path, adds cost and can reduce throughput. Option C is wrong because Packet Mirroring copies full packets to collectors, which is costly and captures far more than metadata. Option D is wrong because Cloud Router and VPN tunnel logs record tunnel and BGP session state, not per-flow metadata.

378
Matching · medium

Match each Cloud KMS key purpose to its description.

Pairings (key purposes and features as Cloud KMS names them):

ENCRYPT_DECRYPT (symmetric encryption): Same key for encrypt and decrypt

ASYMMETRIC_DECRYPT (asymmetric encryption): Public key encrypt, private key decrypt

ASYMMETRIC_SIGN (asymmetric signing): Private key signs, public key verifies

Key rotation: Periodically generate new key material

Key import: Bring your own key (BYOK) into Cloud KMS

Why these pairings

The first three are key purposes: the purpose is fixed when a key is created and determines which operations its versions support. Rotation and import are key-management features rather than purposes. Rotation creates a new primary key version (automatic rotation schedules exist only for symmetric keys; asymmetric keys are rotated by creating versions manually), and import lets you bring key material generated in your own HSM or KMS into a Cloud KMS key version.

379
MCQ · hard

A security team needs to enforce that only requests originating from a corporate IP range (203.0.113.0/24) can access a Cloud Storage bucket containing sensitive data. They have created a custom IAM role with storage.objects.get permission and attached a condition that requires the request to have a specific IP address. However, some legitimate users outside the IP range are unable to access the data. What is the most likely cause?

A.Users must use a VPN to be assigned a corporate IP, but some are not connected.
B.The condition uses the attribute 'request.network' instead of 'source.ip'.
C.The bucket ACL is set to deny all access by default.
D.The IAM condition evaluates after authentication, and users are already authenticated; the condition is not restricting based on source IP correctly because the condition is on the user's identity, not the request's source IP.
Answer: D

The lesson intended here is that the failure lies in the condition itself rather than in the users' network path: the condition is not actually keyed on the caller's source address. In practice, IAM Conditions on Cloud Storage grants do not expose a request source-IP attribute at all (supported attributes are resource attributes such as resource.name and resource.type and request attributes such as request.time); restricting a bucket to a corporate range is done with an Access Context Manager access level (origin.ip) enforced through a VPC Service Controls perimeter.

Why this answer

Option D is the best of the offered choices because it locates the fault in the condition rather than in authentication or in the users' network. IAM evaluates a condition only after the principal is authenticated, and it evaluates only the attributes the expression references. For a Cloud Storage grant those are resource and request-time attributes, not the caller's source IP, so a condition written as if it checked "the user's IP" neither admits corporate users reliably nor excludes others by address; depending on how it was written it can simply fail for a subset of principals, which matches the symptom. The fix is to put the IP restriction where Google Cloud does evaluate caller address: an access level on 203.0.113.0/24 applied through a VPC Service Controls perimeter around the project.

Exam trap

Google Cloud often tests what IAM Conditions can and cannot evaluate: they act after authentication on resource and request attributes (resource.name, resource.type, request.time), and candidates assume they can also inspect the caller's network address. Source-IP restriction belongs to access levels and VPC Service Controls, not to IAM grants.

How to eliminate wrong answers

Option A is wrong because the symptom is a misbehaving condition, not VPN coverage; the question describes these users as legitimate, and the design would only exclude them by address if the condition actually evaluated source IP, which it does not. Option B is wrong because neither 'request.network' nor 'source.ip' is an IAM Conditions attribute; a policy whose expression references an unknown attribute is rejected when it is set, rather than silently blocking some users. Option C is wrong because bucket ACLs are separate from IAM and can only grant, never deny; an ACL problem would not single out users by network location either.

380
MCQ · hard

A financial institution is subject to GDPR and requires encryption at rest for all data in Cloud Storage. They want to use CMEK but also need to log all key access events. Which combination of services meets both requirements with least effort?

A.Use Cloud HSM to protect keys, and enable Cloud Audit Logs for Cloud HSM.
B.Use CMEK with Cloud KMS and set key rotation every 30 days.
C.Use CSEK (customer-supplied encryption keys) and enable Cloud Audit Logs for all services.
D.Use CMEK with Cloud KMS and enable Cloud Audit Logs with Data Access audit logs for Cloud KMS.
Answer: D

CMEK uses Cloud KMS keys; Data Access audit logs for Cloud KMS, once enabled, record every key operation for compliance.

Why this answer

Option D is correct because CMEK on the bucket points Cloud Storage at a Cloud KMS key, and every encrypt and decrypt call Cloud Storage makes with that key is recorded once Data Access audit logs (DATA_READ and DATA_WRITE) are enabled for Cloud KMS. Admin Activity logs are always on but capture only key administration, not key use, so the Data Access configuration is the step that satisfies the logging requirement. Option A is wrong because Cloud HSM is a protection level for Cloud KMS keys, not a separate service with its own audit stream; HSM-backed key use is logged through the same Cloud KMS Data Access logs, and the HSM tier adds cost without meeting a stated requirement. Option B is wrong because rotation is good hygiene but logs nothing. Option C is wrong because with CSEK the key never resides in Google Cloud (it is supplied with each request), so there is no Cloud KMS access event to log, and managing keys client-side is the highest-effort option.

381
Matching · medium

Match each CVE or security concept to its description.


Log4j remote code execution vulnerability

Heartbleed OpenSSL vulnerability

Apache Struts2 remote code execution

Windows CryptoAPI spoofing vulnerability

BlueKeep RDP remote code execution

Why these pairings

These are well-known vulnerabilities matched to their one-line descriptions. The Log4j remote code execution flaw (Log4Shell) is CVE-2021-44228, Heartbleed is CVE-2014-0160, the Windows CryptoAPI certificate spoofing flaw (CurveBall) is CVE-2020-0601, and BlueKeep is CVE-2019-0708; several Apache Struts2 remote code execution CVEs exist, the best known being CVE-2017-5638 in the Jakarta Multipart parser.

382
MCQ · medium

A multinational organization must ensure that data for European users is stored only within the European Union to comply with GDPR. They use Cloud Storage and BigQuery. Which design should they implement?

A.Use Cloud DLP to inspect and tag data for European origin.
B.Use VPC Service Controls to create a perimeter around European resources.
C.Set an organization policy with constraints/gcp.resourceLocations to restrict resource creation to EU regions.
D.Use Cloud Armor with geo-based access control to restrict access from non-EU locations.
Answer: C

Organization policies can enforce that resources like buckets and datasets are created only in allowed locations.

Why this answer

Option C is correct because the organization policy constraint `constraints/gcp.resourceLocations` is the only option that proactively prevents data from being stored outside the EU. Set it at the organization or folder level with an allowed value such as `in:eu-locations` (the predefined EU value group, which tracks new EU regions as Google adds them) or explicit groups such as `in:europe-west1-locations`, and any attempt to create a Cloud Storage bucket, BigQuery dataset or other location-bearing resource in a non-EU location is rejected at the API. The constraint governs where new resources are created; existing resources in other locations must still be found (for example with Cloud Asset Inventory) and migrated.

Exam trap

Google Cloud often tests the distinction between data access control and data residency enforcement; the trap here is confusing geo-based access controls (Cloud Armor) or data exfiltration prevention (VPC Service Controls) with the ability to restrict where data is physically stored, which requires a resource location policy.

How to eliminate wrong answers

Option A is wrong because Cloud DLP inspects and classifies data but does not enforce storage location; it only tags data for discovery, not for residency control. Option B is wrong because VPC Service Controls create a security perimeter around resources to prevent data exfiltration, but they do not restrict where resources can be created or stored; a bucket could still be created in a non-EU region within the perimeter. Option D is wrong because Cloud Armor with geo-based access control restricts user access based on geographic location, but it does not control where data is physically stored; data could still reside outside the EU.

383
MCQ · easy

A company uses Cloud Storage buckets to store customer uploads. Recently, a customer reported that a file they uploaded yesterday is missing. The bucket has object versioning enabled. The security team wants to investigate how the file went missing and whether any other files have been affected. The company's compliance requirements mandate that all object deletions must be logged and reviewed. What should the admin do first to investigate the missing file?

A.Check the access logs in the Storage bucket's logs section.
B.Use gsutil ls -a to list all versions of objects in the bucket.
C.Enable Object Lifecycle Management to restore deleted objects.
D.Check Cloud Logging for storage.googleapis.com/object_delete events.
Answer: D

Cloud Audit Logs record object deletions as Data Access events (method storage.objects.delete, log type DATA_WRITE), which the compliance requirement implies are enabled for this bucket; each entry gives the time, the principal, the caller IP and the object affected, which is exactly what the investigation needs.

Why this answer

Checking Cloud Logging for object delete events is the most direct way to determine whether the file was deleted, when, and by whom, and the same filter widened to the whole bucket (resource.type="gcs_bucket" with protoPayload.methodName="storage.objects.delete") shows whether other objects were affected. Option B is incorrect as a first step because listing all versions with gsutil ls -a shows that a noncurrent version still exists (useful afterwards for recovery, since versioning is on) but not how or by whom the live version was removed. Option C is incorrect because lifecycle management schedules deletions and storage-class transitions; it does not restore anything. Option A is incorrect because Cloud Storage usage logs are not enabled by default, are delivered as hourly CSV files, and do not carry the principal's identity; the audit logs are the authoritative record.
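An added example, not from the original page: triage of deletion events over Cloud Audit Logs entries, the step the answer describes. The log entries below are constructed to mirror the shape of storage.objects.delete Data Access entries; the bucket name, principals and addresses are assumed, and the field paths (protoPayload.methodName, resourceName, authenticationInfo.principalEmail, requestMetadata.callerIp) are those Cloud Audit Logs use.

```python
"""Triage Cloud Storage deletions from exported Cloud Audit Logs entries.

Added example for this page. SAMPLE_ENTRIES is constructed test data shaped like
storage.objects.delete Data Access (DATA_WRITE) audit log entries; the bucket
'customer-uploads' and all principals and IPs are assumed."""
from collections import defaultdict

BUCKET = "customer-uploads"  # assumed bucket name


def _entry(ts, bucket, method, obj, principal, ip):
    """Build one constructed audit log entry in Cloud Audit Logs shape."""
    return {
        "timestamp": ts,
        "resource": {"type": "gcs_bucket", "labels": {"bucket_name": bucket}},
        "protoPayload": {
            "methodName": method,
            "resourceName": f"projects/_/buckets/{bucket}/objects/{obj}",
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
        },
    }


CLEANUP_SA = "cleanup-sa@example-project.iam.gserviceaccount.com"
SAMPLE_ENTRIES = [  # constructed sample data
    _entry("2024-05-06T09:12:31Z", BUCKET, "storage.objects.delete", "cust-42/invoice.pdf", CLEANUP_SA, "203.0.113.9"),
    _entry("2024-05-06T09:12:32Z", BUCKET, "storage.objects.delete", "cust-17/photo.jpg", CLEANUP_SA, "203.0.113.9"),
    _entry("2024-05-06T10:01:05Z", BUCKET, "storage.objects.get", "cust-42/invoice.pdf", "jane@example.com", "198.51.100.4"),
    _entry("2024-05-06T10:30:00Z", "build-artifacts", "storage.objects.delete", "ci/old.tar", "ci@example.com", "203.0.113.77"),
    _entry("2024-05-06T11:45:10Z", BUCKET, "storage.objects.delete", "cust-42/contract.pdf", "alice@example.com", "198.51.100.23"),
]


def deletion_filter(bucket):
    """Cloud Logging filter for deletions in one bucket. It returns nothing unless
    Data Access (DATA_WRITE) audit logging is enabled for Cloud Storage."""
    return "\n".join([
        'resource.type="gcs_bucket"',
        f'resource.labels.bucket_name="{bucket}"',
        'protoPayload.methodName="storage.objects.delete"',
    ])


def _object_from_resource_name(resource_name):
    # projects/_/buckets/BUCKET/objects/OBJECT; object names may themselves contain '/'
    return resource_name.split("/objects/", 1)[1]


def find_deletions(entries, bucket):
    """Return every delete in `bucket` as (time, principal, caller IP, object), oldest first."""
    out = []
    for e in entries:
        p = e.get("protoPayload", {})
        if p.get("methodName") != "storage.objects.delete":
            continue
        if e.get("resource", {}).get("labels", {}).get("bucket_name") != bucket:
            continue
        out.append({
            "time": e["timestamp"],
            "principal": p.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
            "caller_ip": p.get("requestMetadata", {}).get("callerIp", "<unknown>"),
            "object": _object_from_resource_name(p["resourceName"]),
        })
    return sorted(out, key=lambda d: d["time"])


def summarize_by_principal(deletions):
    """Who deleted what: answers 'were other files affected?' in one view."""
    by_principal = defaultdict(list)
    for d in deletions:
        by_principal[d["principal"]].append(d["object"])
    return {k: sorted(v) for k, v in by_principal.items()}


def find_object(deletions, object_name):
    return [d for d in deletions if d["object"] == object_name]


if __name__ == "__main__":
    print(deletion_filter(BUCKET))
    deletions = find_deletions(SAMPLE_ENTRIES, BUCKET)
    for d in find_object(deletions, "cust-42/invoice.pdf"):
        print("missing file deleted:", d)
    print("all deletions by principal:", summarize_by_principal(deletions))
```

In the constructed data the missing invoice was removed by a cleanup service account that also deleted a second customer's object in the same second, which is the "other files affected" answer the compliance review needs. Because versioning is enabled, the noncurrent generations can then be listed (gsutil ls -a, or gcloud storage ls --all-versions) and copied back once the cause is understood.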

384
MCQ · medium

Refer to the exhibit. A Cloud Run service fails to start and shows the above error. What is the most likely cause?

A.The container requires more memory than allocated
B.The PORT environment variable is not defined in the container
C.The application is configured to listen on a different port than the one specified by PORT
D.The number of concurrent requests exceeds the container's limit
Answer: C

Cloud Run injects PORT; the container must bind to that port. If the app listens on another port, it fails to start.

Why this answer

Option C is correct because the error states that the container is not listening on the port defined by PORT. Cloud Run sets PORT (8080 unless another container port is configured) and routes requests to it; a process that hard-codes a different port never answers the startup probe, so the revision fails to become ready. Option B is wrong because Cloud Run always injects PORT, so it cannot be undefined; the error concerns listening, not a missing variable. Option A is wrong because memory exhaustion produces an out-of-memory termination, a different error. Option D is wrong because concurrency limits apply to request handling at runtime, not to startup.

385
MCQ · medium

A security team wants to explicitly deny access to a Cloud Storage bucket for all users except the bucket owner. Currently, there are allow policies at the project level granting Storage Object Viewer to all users. What is the most efficient way to implement this?

A.Create an Organization Policy that denies access to the bucket for all users except the owner.
B.Modify the project-level role to include a condition that only allows the bucket owner.
C.Remove the project-level Storage Object Viewer role and grant it only to the bucket owner.
D.Create an IAM deny policy on the bucket with a deny rule for all principals (principalSet: allUsers) and an exception for the bucket owner.
Answer: D

IAM deny policies explicitly deny and can exclude principals.

Why this answer

Option D is correct because an IAM deny policy is evaluated before allow policies and blocks the listed permissions for the denied principals regardless of any role they hold, while exceptionPrincipals carves out the bucket owner. Two details matter in practice: deny policies are attached to a project, folder or organization rather than to the bucket itself, so scoping the rule to one bucket is done with a tag-based denialCondition (resource.matchTag, the only attribute deny conditions support); and "everyone" is written as `principalSet://goog/public:all`, with the owner listed under exceptionPrincipals as `principal://goog/subject/EMAIL`. Permissions use the deny-policy spelling, for example `storage.googleapis.com/objects.get`. This leaves the project-level allow grants, which other buckets may rely on, untouched.

Exam trap

Google Cloud tests whether candidates know that deny policies exist and take precedence: an allow binding inherited from the project cannot be undone at the bucket by a narrower allow, only by removing the allow or by adding a deny. Removing the allow is also valid, but the question asks for the most efficient change when the project-level grant is to stay in place.

How to eliminate wrong answers

Option A is wrong because Organization Policy constraints govern resource configuration (allowed locations, external IPs, public access prevention), not which principals may exercise which permissions. Option B is wrong because an IAM condition narrows an allow grant; it cannot express "everyone except the owner" as a denial, and it would be evaluated against every bucket in the project rather than just this one. Option C works but is not the most efficient: it changes access for every bucket in the project and relies on the absence of an allow rather than an explicit deny, so any future re-grant silently reopens the bucket.
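An added example (not from the original page) of how allow bindings and a deny policy combine: a model of the evaluation order, with a deny policy written in the real deny-policy format (principalSet://goog/public:all, principal://goog/subject/EMAIL, storage.googleapis.com/objects.get, a resource.matchTag denial condition). The users, project, organization ID, tag key and buckets are assumed; the IAM service itself is not called.

```python
"""Allow bindings versus a deny policy for a Cloud Storage bucket.

Added example for this page: a model of IAM evaluation order, not the IAM
service. Assumed identifiers: example.com users, organization 123456789012,
tag key 'env', buckets 'sensitive-data' and 'public-assets'."""

ROLE_PERMISSIONS = {  # subset of predefined-role permissions, in deny-policy spelling
    "roles/storage.objectViewer": {"storage.googleapis.com/objects.get",
                                   "storage.googleapis.com/objects.list"},
    "roles/storage.objectAdmin": {"storage.googleapis.com/objects.get",
                                  "storage.googleapis.com/objects.list",
                                  "storage.googleapis.com/objects.create",
                                  "storage.googleapis.com/objects.delete"},
}

# Project-level allow policy: Storage Object Viewer for everyone, inherited by every bucket.
PROJECT_ALLOW_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.objectAdmin", "members": ["user:owner@example.com"]},
]}

ORG_ID = "123456789012"  # assumed
# Deny policy attached at the project; the tag condition limits it to the sensitive bucket.
DENY_POLICY = {"displayName": "deny-everyone-but-owner-sensitive-bucket", "rules": [{"denyRule": {
    "deniedPrincipals": ["principalSet://goog/public:all"],
    "exceptionPrincipals": ["principal://goog/subject/owner@example.com"],
    "deniedPermissions": ["storage.googleapis.com/objects.get", "storage.googleapis.com/objects.list"],
    "denialCondition": {"expression": f"resource.matchTag('{ORG_ID}/env', 'sensitive')"},
}}]}

BUCKETS = {  # assumed buckets and their effective tag values
    "sensitive-data": {"env": "sensitive"},
    "public-assets": {"env": "public"},
}


def _allow_member_matches(member, user):
    return member in ("allUsers", "allAuthenticatedUsers") or member == f"user:{user}"


def _deny_principal_matches(principals, user):
    return any(p == "principalSet://goog/public:all" or p == f"principal://goog/subject/{user}"
               for p in principals)


def _condition_holds(condition, tags):
    """Model resource.matchTag('ORG_ID/key', 'value') against a resource's effective tags."""
    if not condition:
        return True  # unconditional rule applies to every resource under the attachment point
    inner = condition["expression"][len("resource.matchTag("):-1]
    key_part, value = [s.strip().strip("'") for s in inner.split(",")]
    return tags.get(key_part.split("/", 1)[1]) == value


def denied(user, permission, bucket, deny_policy=DENY_POLICY):
    for rule in deny_policy["rules"]:
        r = rule["denyRule"]
        if permission not in r["deniedPermissions"]:
            continue
        if not _deny_principal_matches(r["deniedPrincipals"], user):
            continue
        if _deny_principal_matches(r.get("exceptionPrincipals", []), user):
            continue  # exception principals are carved out of the denial
        if _condition_holds(r.get("denialCondition"), BUCKETS[bucket]):
            return True
    return False


def allowed_by_bindings(user, permission, allow_policy=PROJECT_ALLOW_POLICY):
    return any(permission in ROLE_PERMISSIONS[b["role"]]
               and any(_allow_member_matches(m, user) for m in b["members"])
               for b in allow_policy["bindings"])


def has_access(user, permission, bucket, deny_policy=DENY_POLICY):
    """Deny policies are evaluated first; an allow grant counts only if no deny applies."""
    return not denied(user, permission, bucket, deny_policy) and allowed_by_bindings(user, permission)


if __name__ == "__main__":
    get = "storage.googleapis.com/objects.get"
    for user in ("owner@example.com", "mallory@example.com"):
        print(user, "sensitive-data:", has_access(user, get, "sensitive-data"),
              "public-assets:", has_access(user, get, "public-assets"))
```

With the deny policy in place the owner keeps access through the project-level allow, every other principal is refused on the tagged bucket despite the inherited Storage Object Viewer grant, and untagged buckets are unaffected; with an empty deny policy the inherited allow wins for everyone, which is the exam trap above in code. The real policy is attached with `gcloud iam policies create POLICY_ID --kind=denypolicies --attachment-point=cloudresourcemanager.googleapis.com/projects/PROJECT_ID --policy-file=policy.json`.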

386
MCQ · easy

A startup is deploying a containerized application on Google Kubernetes Engine (GKE). The application is stateless and experiences variable traffic patterns, with periodic spikes during promotional events. The startup wants to minimize costs while ensuring the application can handle the variable load without performance degradation. They also prefer to automate scaling as much as possible. Which GKE configuration should they choose?

A.Use a cluster with node auto-repair and a fixed node pool.
B.Use a cluster with node auto-provisioning and preemptible nodes.
C.Use a cluster with a single zone and regular nodes.
D.Use a cluster with regional persistent disks for pods.
Answer: B

Node auto-provisioning adds nodes as needed, and preemptible nodes cost less than regular instances, ideal for stateless, fault-tolerant workloads.

Why this answer

Node auto-provisioning creates and removes node pools based on the resource requests of pending pods, and preemptible VMs (now Spot VMs) cost far less than standard VMs; because the application is stateless, losing a node to preemption is tolerable. This combination absorbs variable load at low cost. Option D is incorrect because regional persistent disks serve stateful workloads and add cost. Option C is incorrect because a single zone with regular nodes offers neither automatic scaling for spikes nor a discount. Option A is incorrect because node auto-repair replaces unhealthy nodes, but a fixed node pool does not grow to meet variable demand.

387
MCQ · hard

During a security incident, a security engineer needs to revoke a compromised service account's access across all resources immediately. However, the service account has many roles across different projects. What is the most effective immediate step?

A.Remove all IAM policies that include the service account.
B.Disable the service account.
C.Disable the service account key.
D.Delete the service account from the project.
Answer: B

Disabling the service account instantly revokes all access while preserving policies.

Why this answer

Option B is correct because disabling the service account stops it from authenticating everywhere it is used, across every project, in one action, while leaving its IAM bindings intact; once the incident is understood it can be re-enabled or cleaned up deliberately. Option D is effectively irreversible: bindings that reference a deleted account become dangling, and recreating an account with the same name yields a different unique ID, so dependencies break. Option C is wrong because a key is only one credential; the account can still obtain tokens through an attached VM identity, impersonation or Workload Identity, and an attacker may hold more than one key. Option A is time-consuming and error-prone across many projects and is the wrong order of operations in an incident: contain first, then unpick bindings.

388
MCQ · easy

An organization uses Cloud Identity to manage users and groups. They want to synchronize their existing on-premises Active Directory with Cloud Identity. Which tool should they use?

A.Third-party SAML identity provider
B.Google Cloud Directory Sync (GCDS)
C.Identity Platform
D.Cloud Workflows
Answer: B

GCDS syncs AD with Cloud Identity.

Why this answer

Google Cloud Directory Sync (GCDS) is the correct tool because it is specifically designed to synchronize users, groups, and aliases from an on-premises Active Directory (or LDAP server) into Cloud Identity without requiring federation. GCDS maps AD attributes to Cloud Identity fields and runs on a scheduled basis to keep the cloud directory in sync, making it the appropriate choice for this use case.

Exam trap

Google Cloud often tests the distinction between directory synchronization (GCDS) and federation (SAML IdP), so the trap here is that candidates may confuse synchronizing user objects with setting up single sign-on, leading them to choose a SAML identity provider instead of GCDS.

How to eliminate wrong answers

Option A is wrong because a third-party SAML identity provider is used for federated authentication (single sign-on), not for synchronizing directory data from Active Directory into Cloud Identity. Option C is wrong because Identity Platform is a customer identity and access management (CIAM) service for adding authentication to applications, not a tool for syncing on-premises directories with Cloud Identity. Option D is wrong because Cloud Workflows is an orchestration service for automating workflows and API calls, not a directory synchronization tool.

389
MCQ · hard

A company has a hybrid cloud setup with a Cloud VPN tunnel to an on-premises network. They want to ensure that traffic from on-premises to a specific VPC subnet is routed through a specific next hop appliance for inspection. How can they achieve this?

A.Use Policy-based routing
B.Create a route with a next hop to the appliance's internal IP and a high priority
C.Create a route with a next hop of the internal load balancer
D.Create a static route with a next hop of the VPN gateway
Answer: B

This directs traffic to the appliance for inspection before it reaches the destination subnet.

Why this answer

Option B is the intended answer: a custom static route for the destination subnet whose next hop is the appliance's internal IP address, given a priority that wins against competing routes, sends matching traffic to the appliance before it reaches the subnet. Google Cloud route priorities run from 0 to 65535 and the lower number wins, so a value such as 100 beats the default of 1000. The appliance must have IP forwarding enabled (canIpForward) and firewall rules that admit the forwarded traffic. The VPC route table, not the VPN tunnel, decides the next hop, so the tunnel configuration itself is left unchanged.

Exam trap

Google Cloud often tests that routing decisions happen in the VPC route table, by destination and priority, separately from the tunnel that delivers the traffic. Two caveats a practitioner should carry beyond the exam: static routes steer traffic that is subject to VPC route selection, and Google Cloud does support policy-based routes (matching on source and destination, applicable to traffic arriving over Cloud VPN and Cloud Interconnect), which in a current design are the dedicated tool for steering on-premises traffic through a network virtual appliance.

How to eliminate wrong answers

Option A is marked wrong by this question on the grounds that policy-based routing is a router-side concept rather than a VPC route; be aware that Google Cloud does offer policy-based routes that apply to traffic from Cloud VPN and Cloud Interconnect, so this elimination reflects the exam's framing rather than current product capability. Option C is marked wrong because the question specifies a single appliance; a next hop of an internal passthrough Network Load Balancer is the supported, highly available way to front several identical appliances and does forward traffic transparently, so it is the pattern to use once the appliance needs redundancy. Option D is wrong because a route whose next hop is the VPN gateway sends traffic back toward on-premises rather than through the appliance.

390
MCQ · hard

Your organization has a hybrid network with an on-premises data center connected to Google Cloud via a Dedicated Interconnect. The on-premises network uses RFC 1918 addresses (10.0.0.0/8) and Google Cloud VPC has a subnet in 10.1.0.0/16. You've configured a Cloud Router with BGP to exchange routes. Recently, you set up a new VPC with a subnet in 10.2.0.0/16 and peered it with the first VPC using VPC Network Peering. You notice that on-premises traffic destined to 10.2.0.0/16 is being dropped. You verify that the firewall rules allow the traffic and that BGP routes for 10.2.0.0/16 are not advertised on-premises. What should you do to enable connectivity from on-premises to the new VPC?

A.Set up a Cloud VPN tunnel between the new VPC and on-premises.
B.Configure the Cloud Router to advertise the 10.2.0.0/16 range via custom route advertisement.
C.Add a firewall rule in the new VPC allowing all traffic from 10.0.0.0/8.
D.Create a Shared VPC and attach the new VPC as a service project.
Answer: B

Custom route advertisements on Cloud Router propagate the peering range to on-premises.

Why this answer

Option B is correct because Cloud Router advertises routes to on-premises over BGP, and by default it advertises only the subnet ranges of its own VPC; subnets learned through VPC Network Peering are not included. Adding 10.2.0.0/16 as a custom advertised range (on the Cloud Router or on the BGP session) lets the on-premises routers learn a path to the new VPC. Check the reverse path as well: for replies to reach 10.0.0.0/8, the first VPC must export custom routes and the new VPC import them in the peering configuration, so that the dynamic routes learned from on-premises become visible in the peered VPC.

Exam trap

The trap here is that candidates assume VPC Network Peering automatically shares routes with on-premises networks via Interconnect, but in reality, peered VPC routes are not propagated to on-premises unless explicitly advertised through Cloud Router custom route advertisements.

How to eliminate wrong answers

Option A is wrong because a Cloud VPN tunnel is unnecessary when a Dedicated Interconnect already exists; the issue is route advertisement, not connectivity method. Option C is wrong because firewall rules are not the problem (they already allow traffic); the root cause is missing route propagation, not a missing allow rule. Option D is wrong because Shared VPC is used for centralized administration of multiple projects, not for enabling route exchange between a peered VPC and an on-premises network via Interconnect.

391
MCQ · medium

A security analyst wants to detect when a user creates a Compute Engine instance with a public IP address in a sensitive project. What is the best method?

A.Create a Cloud Function that triggers on instance creation events.
B.Enable Data Access audit logs and filter for insert calls.
C.Use Cloud Logging with a log-based metric and alert.
D.Use Cloud Asset Inventory to create a feed for instance creation.
Answer: C

Log-based metrics on Admin Activity audit logs allow real-time alerting on specific conditions.

Why this answer

Option C is correct. An Admin Activity audit log entry for compute.instances.insert is written automatically (these logs cannot be disabled) and carries the request body, so a log-based metric on entries whose networkInterfaces.accessConfigs include a ONE_TO_ONE_NAT entry, scoped to the sensitive project, feeds an alerting policy that fires within minutes. Option B is incorrect because instance creation is an administrative operation recorded in Admin Activity logs, not Data Access logs. Option D is incorrect as the best method: a Cloud Asset Inventory feed does deliver changes in near real time over Pub/Sub, but you would still have to write a subscriber that inspects the instance's access configs. Option A is possible but is more to build and maintain than a metric and alert, and a function triggered on the creation event is itself driven by the same audit log entry.
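An added example, not from the original page: the detection logic behind such a metric, run over constructed Admin Activity entries, together with the Cloud Logging filter one would save as the log-based metric. The project ID, principals and instance names are assumed, and the entry shape (protoPayload.methodName, protoPayload.request.networkInterfaces[].accessConfigs[], and an accessConfig body for addAccessConfig) is assumed to mirror the real audit log format. The check also covers compute.instances.addAccessConfig, the case an insert-only filter misses when an external IP is attached to an existing instance.

```python
"""Detect Compute Engine instances created with (or given) an external IP in a
sensitive project, from Admin Activity audit log entries.

Added example for this page. SAMPLE_ENTRIES is constructed; the project id,
principals and instance names are assumed, as is the request body shape."""

SENSITIVE_PROJECT = "sensitive-project"  # assumed
WATCHED_METHODS = ("compute.instances.insert", "compute.instances.addAccessConfig")


def logging_filter(project_id):
    """Filter to save as a log-based metric: insert calls requesting a NAT (external) IP."""
    return "\n".join([
        'resource.type="gce_instance"',
        f'resource.labels.project_id="{project_id}"',
        'logName:"cloudaudit.googleapis.com%2Factivity"',
        'protoPayload.methodName=~"compute\\.instances\\.insert$"',
        'protoPayload.request.networkInterfaces.accessConfigs.type="ONE_TO_ONE_NAT"',
    ])


def _entry(ts, project, method, instance, principal, request):
    """Build one constructed audit log entry in Cloud Audit Logs shape."""
    return {
        "timestamp": ts,
        "resource": {"type": "gce_instance", "labels": {"project_id": project}},
        "protoPayload": {
            "methodName": method,
            "resourceName": f"projects/{project}/zones/us-central1-a/instances/{instance}",
            "authenticationInfo": {"principalEmail": principal},
            "request": request,
        },
    }


EXTERNAL_NIC = {"network": "global/networks/default",
                "accessConfigs": [{"name": "External NAT", "type": "ONE_TO_ONE_NAT"}]}
INTERNAL_NIC = {"network": "global/networks/default"}

SAMPLE_ENTRIES = [  # constructed sample data
    _entry("2024-05-06T09:00:01Z", SENSITIVE_PROJECT, "v1.compute.instances.insert", "web-1",
           "dev@example.com", {"name": "web-1", "networkInterfaces": [EXTERNAL_NIC]}),
    _entry("2024-05-06T09:05:00Z", SENSITIVE_PROJECT, "v1.compute.instances.insert", "batch-1",
           "pipeline@example-project.iam.gserviceaccount.com", {"name": "batch-1", "networkInterfaces": [INTERNAL_NIC]}),
    _entry("2024-05-06T09:07:30Z", "sandbox-project", "v1.compute.instances.insert", "play-1",
           "dev@example.com", {"name": "play-1", "networkInterfaces": [EXTERNAL_NIC]}),
    _entry("2024-05-06T09:20:12Z", SENSITIVE_PROJECT, "v1.compute.instances.addAccessConfig", "db-2",
           "ops@example.com", {"accessConfig": {"name": "External NAT", "type": "ONE_TO_ONE_NAT"}}),
]


def _external_access_configs(cfgs):
    return [c for c in cfgs or [] if c.get("type") == "ONE_TO_ONE_NAT" or c.get("natIP")]


def external_ip_requested(entry):
    """True when the entry creates an instance with, or attaches, an external IP."""
    p = entry.get("protoPayload", {})
    method = p.get("methodName", "")
    if not method.endswith(WATCHED_METHODS):
        return False
    req = p.get("request", {})
    if method.endswith("compute.instances.insert"):
        return any(_external_access_configs(ni.get("accessConfigs")) for ni in req.get("networkInterfaces", []))
    # addAccessConfig: the request body is the access config itself (assumed shape)
    return bool(_external_access_configs([req.get("accessConfig", req)]))


def findings(entries, project_id):
    """Alert-worthy events in `project_id`, oldest first."""
    out = []
    for e in sorted(entries, key=lambda x: x["timestamp"]):
        if e.get("resource", {}).get("labels", {}).get("project_id") != project_id:
            continue
        if not external_ip_requested(e):
            continue
        p = e["protoPayload"]
        out.append({"time": e["timestamp"],
                    "principal": p["authenticationInfo"]["principalEmail"],
                    "instance": p["resourceName"].rsplit("/", 1)[-1],
                    "method": p["methodName"]})
    return out


if __name__ == "__main__":
    print(logging_filter(SENSITIVE_PROJECT))
    for f in findings(SAMPLE_ENTRIES, SENSITIVE_PROJECT):
        print("ALERT external IP:", f)
```

The saved filter catches the creation case the question asks about; the Python predicate shows why a second filter (or an extra OR clause) for addAccessConfig is worth adding, since attaching an external IP after creation leaves no compute.instances.insert entry at all. Both could be replaced over time by the organization policy constraint compute.vmExternalIpAccess, which prevents the condition rather than detecting it.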

392
MCQ · medium

A multinational corporation is required to protect sensitive data in BigQuery using column-level encryption. They want to use a customer-managed key stored in Cloud KMS. What is the correct approach?

A.Use Cloud DLP to de-identify columns in transit.
B.Use Cloud HSM to store the key and apply bucket-level encryption.
C.Use Cloud KMS to create an AEAD key and use BigQuery SQL functions to encrypt/decrypt.
D.Use Customer-Supplied Encryption Keys (CSEK) with BigQuery.
Answer: C

BigQuery's AEAD.ENCRYPT and AEAD.DECRYPT_* functions, together with KEYS.KEYSET_CHAIN, operate on keysets wrapped by a Cloud KMS key.

Why this answer

Option C is correct because BigQuery supports column-level encryption in SQL with AEAD (Authenticated Encryption with Associated Data) functions. A Tink keyset is wrapped with a Cloud KMS key (`KEYS.NEW_WRAPPED_KEYSET`), the KMS key resource name and wrapped keyset are passed through `KEYS.KEYSET_CHAIN`, and `AEAD.ENCRYPT` / `AEAD.DECRYPT_STRING` encrypt and decrypt individual column values. Only principals who hold `cloudkms.cryptoKeyVersions.useToDecrypt` on the KMS key (in addition to BigQuery access) can unwrap the keyset and read plaintext, so control of the column rests with the customer-managed key.

Exam trap

Google Cloud often tests the scope of each encryption mechanism: CMEK at the dataset or table level, CSEK for Compute Engine disks and Cloud Storage objects, and SQL AEAD functions with Cloud KMS-wrapped keysets for the values in individual columns. The trap is assuming that any key service can simply be pointed at a BigQuery column.

How to eliminate wrong answers

Option A is wrong because Cloud DLP de-identifies data (masking, tokenization, format-preserving encryption) in an inspection pipeline outside the query engine; it does not give you BigQuery columns that a query decrypts with a Cloud KMS-controlled key. Option B is wrong because Cloud HSM is a protection level for Cloud KMS keys, and bucket-level encryption is a Cloud Storage concept; neither encrypts individual BigQuery columns. Option D is wrong because Customer-Supplied Encryption Keys apply to Compute Engine disks and Cloud Storage objects; BigQuery does not support CSEK at all, let alone per column.

393
MCQ · easy

A DevOps team wants to automatically scale a managed instance group based on CPU utilization. Which metric should they use in the autoscaler?

A.'compute.googleapis.com/instance/cpu/usage_time'
B.'compute.googleapis.com/instance/cpu/utilization'
C.'compute.googleapis.com/instance/cpu/reserved_cores'
D.'agent.googleapis.com/cpu/utilization'
Answer: B

This is the built-in CPU utilization metric suitable for autoscaling.

Why this answer

The compute.googleapis.com/instance/cpu/utilization metric measures actual CPU usage, suitable for autoscaling.

394
MCQ · medium

A company uses Cloud Audit Logs for compliance. They want to capture all data access events to a Cloud Storage bucket containing sensitive data. What must they enable?

A.System Event audit logs
B.Admin Activity audit logs
C.Access Transparency logs
D.Data Access audit logs with a configuration to log all methods
Answer: D

Data Access audit logs must be enabled for Cloud Storage to record both read and write operations.

Why this answer

Data Access audit logs record API calls that read or modify customer data, such as reading objects from a Cloud Storage bucket. Unlike Admin Activity logs they are off by default (BigQuery is the notable exception) and must be enabled in the project's IAM policy auditConfigs for storage.googleapis.com; selecting the DATA_READ and DATA_WRITE log types (the console's "all methods" choice) records reads, writes and deletes of the sensitive data. Expect log volume and cost to rise accordingly; exempted members can exclude noisy, trusted service accounts from logging.

Exam trap

Google Cloud often tests the distinction between Admin Activity logs (which log configuration changes) and Data Access logs (which log data reads/writes), and candidates mistakenly assume Admin Activity logs cover data access.

How to eliminate wrong answers

Option A is wrong because System Event audit logs capture non-data-access events like GCP system actions (e.g., automatic resource scaling), not user or service access to data. Option B is wrong because Admin Activity audit logs only record configuration changes (e.g., creating or deleting a bucket), not data reads or writes. Option C is wrong because Access Transparency logs provide visibility into Google personnel access to your data, not customer or application data access events.
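The following added example (not from the original page) shows the auditConfigs edit that questions 380 and 394 both turn on: enabling Data Access logging for a service in a project IAM policy, in the structure that `gcloud projects get-iam-policy` prints and `set-iam-policy` accepts. The starting policy is constructed; the project name and the exempted scanner service account are assumed. The function preserves bindings, the etag and other services' audit configs, and is idempotent, so it can be applied to every project in a loop.

```python
"""Enable Data Access audit logs for a service in a project IAM policy.

Added example for this page. EXAMPLE_POLICY is a constructed stand-in for the
output of `gcloud projects get-iam-policy PROJECT --format=json`; the project
'example-project' and the exempted scanner service account are assumed."""
import copy

DATA_ACCESS_TYPES = ("DATA_READ", "DATA_WRITE")

EXAMPLE_POLICY = {  # constructed: a policy as it might look today
    "version": 1,
    "etag": "BwX1abc2def=",
    "bindings": [{"role": "roles/storage.admin", "members": ["group:storage-admins@example.com"]}],
    "auditConfigs": [
        {"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
        {"service": "storage.googleapis.com", "auditLogConfigs": [
            {"logType": "DATA_READ",
             "exemptedMembers": ["serviceAccount:scanner@example-project.iam.gserviceaccount.com"]},
        ]},
    ],
}


def enable_data_access_logs(policy, service, log_types=DATA_ACCESS_TYPES, exempt=()):
    """Return a copy of `policy` with the given Data Access log types enabled for
    `service`. Existing configs (other services, existing exemptions), bindings
    and the etag are kept, so the result can be submitted with set-iam-policy."""
    new = copy.deepcopy(policy)
    configs = new.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c["service"] == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        configs.append(entry)
    for log_type in log_types:
        cfg = next((c for c in entry["auditLogConfigs"] if c["logType"] == log_type), None)
        if cfg is None:
            cfg = {"logType": log_type}
            entry["auditLogConfigs"].append(cfg)
        for member in exempt:
            members = cfg.setdefault("exemptedMembers", [])
            if member not in members:
                members.append(member)
    return new


def data_access_coverage(policy):
    """Map each configured service to the set of Data Access log types enabled for it."""
    coverage = {}
    for c in policy.get("auditConfigs", []):
        coverage[c["service"]] = {a["logType"] for a in c["auditLogConfigs"]} & set(DATA_ACCESS_TYPES)
    return coverage


def fully_logged(policy, service):
    """True when both DATA_READ and DATA_WRITE are on for `service`, directly or via allServices."""
    cov = data_access_coverage(policy)
    return (cov.get(service, set()) | cov.get("allServices", set())) >= set(DATA_ACCESS_TYPES)


if __name__ == "__main__":
    policy = enable_data_access_logs(EXAMPLE_POLICY, "cloudkms.googleapis.com")   # question 380
    policy = enable_data_access_logs(policy, "storage.googleapis.com")           # question 394
    for svc in ("cloudkms.googleapis.com", "storage.googleapis.com"):
        print(svc, "fully logged:", fully_logged(policy, svc))
```

The round trip in practice is get-iam-policy, run the function on the JSON, then `gcloud projects set-iam-policy PROJECT policy.json`; keeping the etag from the read makes the write fail safely if someone else changed the policy in between, which is why the function preserves it rather than dropping it.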

395
Multi-Select · easy

A security engineer needs to set up access for a new team that will manage Cloud Storage buckets and objects. Which three IAM roles might be appropriate based on least privilege? (Choose three.)

Select 3 answers
A.roles/storage.objectAdmin
B.roles/storage.objectViewer
C.roles/storage.legacyBucketOwner
D.roles/storage.objectCreator
E.roles/storage.admin
Answers: A, B, D

objectAdmin allows full object management (create, read, update, delete); objectViewer is read-only; objectCreator is write-only.

Why this answer

Option A (roles/storage.objectAdmin) is correct because it grants full control over objects in a bucket, including listing, reading, creating, overwriting and deleting, without permission to change bucket IAM or delete buckets. Option B (roles/storage.objectViewer) is correct for members who only need to read and list objects. Option D (roles/storage.objectCreator) is correct for members or pipelines that only add objects; it cannot read, overwrite or delete them, which suits ingestion and write-once evidence paths. Option C is wrong because legacy roles mirror the old ACL model and storage.legacyBucketOwner grants bucket-level ownership, including ACL changes. Option E is wrong because roles/storage.admin grants full control of buckets and objects, including bucket IAM, which exceeds what object management requires.

Exam trap

Google Cloud often tests the distinction between legacy roles (like storage.legacyBucketOwner) and modern predefined roles, expecting candidates to recognize that legacy roles grant overly broad permissions and should be avoided for least privilege.

396
MCQ · hard

Refer to the exhibit. A user jane@example.com receives a 403 Access Denied error when trying to list objects in a Cloud Storage bucket. What is the most likely cause?

A.The IAM condition restricts access to requests originating from the 10.0.0.0/24 IP range
B.Jane does not have the storage.objects.list permission
C.The bucket is in a different project
D.The IAM policy is too permissive and conflicts with other policies
Answer: A

The condition checks the 'x-forwarded-for' header starts with '10.0.0.', so requests from other IPs are denied.

Why this answer

Option A is correct because the IAM binding in the exhibit carries a condition that only accepts requests whose address begins with '10.0.0.' (the 10.0.0.0/24 range). Jane's request arrives from a different address, so the condition evaluates to false, the binding does not apply, and Cloud Storage returns 403. Option B is wrong because the role in the binding does include storage.objects.list; the permission is present but conditional. Option C is wrong because nothing in the exhibit indicates a different project, and a cross-project request would still succeed with a binding that applies. Option D is wrong because the policy is restrictive rather than permissive, and allow policies do not conflict with one another; they are additive.

397
MCQ · easy

An organization wants to prevent data exfiltration from a Google Cloud project by restricting the copying of data from Cloud Storage to external IPs. Which Google Cloud service should they use?

A. Cloud Armor
B. IAM
C. VPC Service Controls
D. Cloud Data Loss Prevention (DLP)
Answer: C

VPC Service Controls create a security perimeter that prevents data from being copied to external IPs.

Why this answer

VPC Service Controls (C) is correct because it allows you to define security perimeters around Google Cloud services like Cloud Storage, preventing data exfiltration by blocking access from external IPs. By creating a service perimeter, you can enforce that data can only be accessed from within a specified VPC network or on-premises network via Private Google Access, effectively restricting copying to external IP addresses.

Exam trap

Google Cloud often tests the distinction between IAM (identity-based access) and VPC Service Controls (network-based perimeter security); candidates mistakenly choose IAM thinking it can block external IPs, but IAM lacks the network context to enforce such restrictions.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall (WAF) that protects against DDoS and application-layer attacks, not a tool for restricting data exfiltration based on IP origin. Option B is wrong because IAM controls who (identities) can access resources but does not control how data is transferred or restrict access based on network context (e.g., external IPs). Option D is wrong because Cloud Data Loss Prevention (DLP) is used for inspecting, classifying, and redacting sensitive data, not for enforcing network-level access controls to prevent exfiltration.

398
MCQ (medium)

A healthcare startup is using Google Cloud to process Protected Health Information (PHI) for a clinical study. They are HIPAA-compliant and use Cloud Storage with CMEK. They also use BigQuery to run analytics on de-identified data. The security team notices that some PHI data appears in BigQuery query results. Upon investigation, they find that a data engineer created a BigQuery table that directly references the Cloud Storage bucket containing PHI without using the de-identification pipeline. The startup needs to prevent any direct access to Cloud Storage from BigQuery unless it goes through the pipeline. They also need to ensure that any new datasets are automatically subject to the same restrictions. What should they do?

A. Enable Access Transparency logs and set up alerts for any direct access to Cloud Storage.
B. Use DLP API to automatically de-identify data in Cloud Storage before BigQuery reads it.
C. Use IAM conditions to restrict access to the Cloud Storage bucket only from the service account used by the pipeline.
D. Create a VPC Service Control perimeter around the pipeline project, and use an organization policy to require that Cloud Storage buckets be in a perimeter.
Answer: D

VPC Service Controls block direct access from BigQuery to Cloud Storage unless both are in the same perimeter.

Why this answer

Option D is correct because VPC Service Controls create a security perimeter around the pipeline project, preventing data exfiltration and unauthorized access to Cloud Storage from BigQuery unless the request originates from within the perimeter. The organization policy requiring Cloud Storage buckets to be in a perimeter ensures that any new datasets are automatically subject to the same restrictions, enforcing the de-identification pipeline as the only allowed path.

Exam trap

Google Cloud often tests the distinction between detective controls (logging) and preventive controls (perimeters), leading candidates to choose logging or IAM-based solutions that cannot enforce the 'no direct access' requirement across all new datasets.

How to eliminate wrong answers

Option A is wrong because Access Transparency logs only provide audit logs of access, not preventive controls; they cannot block direct access from BigQuery to Cloud Storage. Option B is wrong because the DLP API de-identifies data but does not enforce access control policies; it would require manual integration and does not automatically restrict new datasets. Option C is wrong because IAM conditions can restrict access to a specific service account, but they do not prevent BigQuery from directly referencing the Cloud Storage bucket if the service account used by BigQuery has permissions; they also do not automatically apply to new datasets.

399
MCQ (hard)

A global e-commerce company uses Google Cloud to host its platform. They store customer payment data in Cloud SQL and use Cloud Storage for backups. Currently, they rely on Google-managed encryption keys. A new compliance requirement mandates that all encryption keys must be stored in a hardware security module (HSM) and rotated every 30 days. Additionally, they need to retain backup data for 7 years, during which the keys used to encrypt the backups must be available for decryption. They have created a Cloud HSM key ring and a key with a rotation period of 2592000 seconds (30 days). After configuring Cloud SQL and Cloud Storage to use the Cloud HSM key, they notice that backups older than 30 days cannot be decrypted. The company's security engineer verified that the key versions are still present. What is the most likely cause and how should it be resolved?

A. The key material was imported incorrectly. Delete the key ring and recreate it using an external HSM.
B. The automatic backups in Cloud SQL are encrypted with the primary key version at backup time, but the backup restore functionality does not automatically use the latest key version. Update the backup configuration to use the current primary key version for decryption.
C. The rotation period of 30 days is too short for key retention. Disable automatic rotation and use manual key rotation every 30 days while retaining all versions.
D. Cloud Storage does not support Cloud HSM keys for object encryption. Switch to customer-supplied encryption keys (CSEK).
Answer: B

Cloud SQL restore requires referencing the correct key version; re-associating the backup with the latest key version allows decryption.

Why this answer

Option B is correct because Cloud SQL backups are encrypted with the primary key version at the time of backup creation. When restoring a backup, Cloud SQL does not automatically use the latest key version; it attempts to decrypt using the key version that was primary at backup time. Since the key is rotated every 30 days, backups older than 30 days were encrypted with a previous primary key version.

Even though the key versions are still present in Cloud HSM, the backup restore operation fails because it does not automatically reference the correct historical key version. The fix is to explicitly update the backup configuration to point to the current primary key version, which allows Cloud SQL to locate and use the appropriate key version for decryption.

Exam trap

Google Cloud often tests the misconception that key rotation automatically updates all existing encrypted data, when in reality each encryption operation uses the key version that was primary at that time, and decryption requires explicit reference to the correct historical version.

How to eliminate wrong answers

Option A is wrong because the key material was not imported incorrectly; the security engineer verified that key versions are present, and Cloud HSM supports both imported and generated keys. The issue is not about import method but about key version referencing during restore. Option C is wrong because the rotation period of 30 days (2592000 seconds) is exactly what the compliance requires; disabling automatic rotation would violate the 30-day rotation mandate, and manual rotation does not solve the decryption problem since the root cause is that Cloud SQL does not automatically use the correct key version for older backups.

Option D is wrong because Cloud Storage does support Cloud HSM keys for object encryption via CMEK; switching to CSEK would not address the backup decryption issue and would introduce additional key management complexity.

400
MCQ (hard)

A security team wants to audit all actions performed by users on a critical Cloud Storage bucket. They have enabled Data Access audit logs. However, they notice that read requests are not being logged. What should they do to ensure all read requests are logged?

A. Enable Access Transparency logs for the project.
B. Assign the Storage Legacy Bucket Reader role to the bucket.
C. Configure bucket-level logging to record all access requests.
D. Enable VPC Flow Logs for the network.
Answer: C

Bucket-level logging can log all requests, including reads, regardless of audit log configuration.

Why this answer

Option C is correct because bucket-level logging captures all access requests, including read operations, by recording detailed logs for each request made to the bucket. Data Access audit logs, while enabled, may not log all read requests due to exclusion filters or default configuration limitations, whereas bucket-level logging provides comprehensive access records directly from Cloud Storage.

Exam trap

Google Cloud often tests the distinction between Cloud Audit Logs (which can be filtered or excluded) and bucket-level logging (which records all requests), leading candidates to mistakenly think enabling Data Access audit logs alone is sufficient for all read logging.

How to eliminate wrong answers

Option A is wrong because Access Transparency logs are designed to log actions taken by Google Cloud support or engineering staff, not user read requests on a bucket. Option B is wrong because assigning the Storage Legacy Bucket Reader role controls permissions but does not enable logging; it only grants read access to the bucket. Option D is wrong because VPC Flow Logs capture network traffic metadata (e.g., IP flows) but do not log application-level read requests to Cloud Storage buckets.

401
Multi-Select (hard)

Which THREE are capabilities of Assured Workloads? (Choose three.)

Select 3 answers
A. Location-based access controls through VPC Service Controls
B. Cloud Shell for browser-based terminal access
C. Cloud Interconnect for dedicated connectivity
D. Access Transparency logs for Google personnel actions
E. Customer-managed encryption keys (CMEK) support
Answers: A, D, E

Assured Workloads can enforce perimeters using VPC Service Controls.

Why this answer

Assured Workloads is a Google Cloud service that helps customers meet compliance requirements (e.g., FedRAMP, PCI DSS) by enforcing a set of security and data residency controls. Option A is correct because VPC Service Controls can be used to create a perimeter around the workload, restricting data access based on location (e.g., only allowing access from within a specific VPC or IP range), which is a key capability for compliance. Option D is correct because Access Transparency logs provide detailed logs of actions taken by Google personnel on customer data, which is critical for audit and compliance.

Option E is correct because Customer-Managed Encryption Keys (CMEK) allow customers to control the encryption keys used to protect their data, a fundamental requirement for many compliance frameworks.

Exam trap

Google Cloud often tests the distinction between general Google Cloud services (like Cloud Shell or Cloud Interconnect) and the specific compliance-enforcing capabilities of Assured Workloads, leading candidates to select broadly useful features that are not part of the Assured Workloads service itself.

402
Multi-Select (easy)

Which TWO Google Cloud services are serverless compute platforms that let you run code without managing servers?

Select 2 answers
A. Cloud Run
B. Compute Engine
C. Google Kubernetes Engine (GKE)
D. Cloud Functions
E. App Engine
Answers: A, D

Cloud Run is a serverless container platform.

Why this answer

Options A and C are correct. Cloud Functions and Cloud Run are serverless compute services that abstract server management. Option B (Compute Engine) is IaaS.

Option D (GKE) is container orchestration. Option E (App Engine) is also serverless but the correct two are Cloud Functions and Cloud Run. Note: App Engine is also serverless but the question asks for TWO; we selected Cloud Functions and Cloud Run as they are the most commonly cited serverless compute options.

403
MCQ (medium)

A company runs a GKE cluster with multiple node pools, including one pool of confidential VMs. The security team wants to ensure that only traffic from the internal VPC (10.0.0.0/8) can reach the nodes' metadata server. Which configuration should be applied?

A. Configure Private Google Access on the subnets.
B. Create a firewall rule that allows outbound traffic from nodes to 169.254.169.254 only from the internal VPC range, and deny all other outbound to that IP.
C. Enable IAP TCP forwarding on the cluster.
D. Apply a VPC Service Controls perimeter to the GKE cluster.
Answer: B

The metadata server IP is 169.254.169.254; firewall rules can restrict outbound access to this IP.

Why this answer

The metadata server for GKE nodes is accessible at the link-local IP 169.254.169.254. To restrict access to this server to traffic originating only from the internal VPC range (10.0.0.0/8), you must create a firewall rule that allows outbound traffic from the nodes to 169.254.169.254 only from that range, and then deny all other outbound traffic to that IP. This ensures that only workloads within the internal VPC can query instance metadata, preventing external or unauthorized pods from accessing sensitive metadata.

Exam trap

Google Cloud often tests the misconception that Private Google Access or VPC Service Controls can restrict metadata server access, but the metadata server is a link-local service that must be controlled via egress firewall rules targeting the specific IP 169.254.169.254.

How to eliminate wrong answers

Option A is wrong because Private Google Access enables on-premises or VM instances without external IPs to reach Google APIs and services, but it does not restrict access to the metadata server (169.254.169.254), which is a link-local address and not subject to Private Google Access. Option C is wrong because IAP TCP forwarding allows authorized users to establish TCP connections to VM instances without public IPs, but it does not control traffic to the metadata server from within the VPC. Option D is wrong because VPC Service Controls perimeters restrict data exfiltration from Google Cloud services like BigQuery or Cloud Storage, but they do not apply to the instance metadata server, which is a link-local service outside the VPC perimeter.

404
Multi-Select (medium)

Which THREE of the following are best practices for managing service accounts in Google Cloud?

Select 3 answers
A. Use the principle of least privilege when granting roles to service accounts.
B. Assign a single service account to all Compute Engine instances for simplicity.
C. Avoid creating and downloading service account keys if possible; use workload identity federation or other alternatives.
D. Add service accounts to a Google Group to manage permissions.
E. Enable automatic key rotation for service account keys.
Answers: A, C, E

Least privilege reduces risk.

Why this answer

Option A is correct because the principle of least privilege is a fundamental security best practice in Google Cloud IAM. Granting only the minimal roles necessary to a service account reduces the attack surface and limits potential damage from compromised credentials. This aligns with Google's recommended approach for managing identities in cloud environments.

Exam trap

Google Cloud often tests the misconception that adding service accounts to a Google Group is a best practice for managing service accounts, when in fact groups are primarily for managing user permissions and can lead to unintended privilege escalation if not carefully controlled.

405
MCQ (hard)

You are designing network security for a multi-region GKE cluster with Pods that need to communicate across regions over a private network. The cluster uses VPC-native mode. Which Google Cloud networking feature should you use to ensure low-latency and secure inter-region Pod-to-Pod communication without traversing the public internet?

A. Cloud VPN with dynamic routing
B. Private Service Connect
C. VPC Flow Logs
D. Cloud Interconnect
Answer: D

Provides dedicated, low-latency, private connectivity between VPC networks across regions.

Why this answer

Cloud Interconnect provides a dedicated, high-bandwidth, low-latency connection between your on-premises network and Google Cloud, or between Google Cloud regions, bypassing the public internet. For multi-region GKE clusters using VPC-native mode, Cloud Interconnect enables secure, private inter-region Pod-to-Pod communication by routing traffic through Google's internal backbone, ensuring minimal latency and no exposure to the public internet.

Exam trap

Google Cloud often tests the misconception that Cloud VPN is sufficient for inter-region communication, but the key differentiator here is the requirement for 'low-latency' and 'private network' without traversing the public internet, which only Cloud Interconnect (or Direct Peering) can guarantee.

How to eliminate wrong answers

Option A is wrong because Cloud VPN with dynamic routing encrypts traffic over the public internet, which introduces latency and is not designed for low-latency inter-region Pod-to-Pod communication within the same Google Cloud environment. Option B is wrong because Private Service Connect is used to privately access managed services (e.g., Google APIs or third-party services) from a VPC, not for inter-region Pod-to-Pod communication within GKE clusters. Option C is wrong because VPC Flow Logs is a logging feature that captures network flow metadata for monitoring and troubleshooting, not a connectivity solution for routing traffic between regions.

406
Multi-Select (hard)

A company uses BigQuery to store sensitive data and wants to implement data masking using policy tags. They have three user groups: data_engineers (full access), data_analysts (masked PII), and data_scientists (masked financial data). Which THREE steps should they take?

Select 3 answers
A. Publish the taxonomy to make the policy tags available for use.
B. Create a taxonomy in Cloud Data Catalog with policy tags for PII and financial data.
C. Apply only one policy tag per column.
D. Enable Cloud Audit Logs to track policy tag usage.
E. Define data masking rules using BigQuery's conditional access on the policy tags.
Answers: A, B, E

Taxonomy must be published before policy tags can be used.

Why this answer

Option A is correct because after creating a taxonomy with policy tags in Cloud Data Catalog, you must publish the taxonomy to make those policy tags available for use in BigQuery. Publishing associates the taxonomy with the project and allows BigQuery to enforce data masking rules based on the policy tags applied to columns.

Exam trap

Google Cloud often tests the misconception that only one policy tag can be applied per column, but BigQuery supports multiple tags per column, and the most restrictive masking rule is enforced.

407
Multi-Select (hard)

A security team is designing access controls for a multi-tenant SaaS application on Google Kubernetes Engine (GKE). Each tenant has a separate namespace. They want to ensure that a DevOps team can manage deployments across all namespaces, but cannot modify secrets in the 'tenant-alpha' namespace. Which THREE Kubernetes RBAC resources should be created? (Choose THREE)

Select 3 answers
A. A RoleBinding in namespace 'tenant-alpha' that binds the ClusterRole to the DevOps team.
B. A ClusterRole that grants permissions to manage secrets across all namespaces.
C. A RoleBinding in namespace 'tenant-alpha' that binds a Role granting secret modification to the DevOps team.
D. A ClusterRole that grants permissions to manage deployments, services, and ingresses across all namespaces, but does not include secrets.
E. A Role in namespace 'tenant-alpha' that grants permissions to modify secrets, bound to a separate group of tenant administrators.
Answers: A, D, E

This binds the ClusterRole to the DevOps team in the specific namespace.

Why this answer

Option A is correct because a RoleBinding in the 'tenant-alpha' namespace can bind a ClusterRole (which is a cluster-scoped resource) to the DevOps team, granting them the permissions defined in that ClusterRole within that specific namespace. Since the ClusterRole in option D explicitly excludes secrets, this RoleBinding ensures the DevOps team can manage deployments across all namespaces (via a ClusterRoleBinding) but cannot modify secrets in 'tenant-alpha'.

Exam trap

Google Cloud often tests the distinction between RoleBindings and ClusterRoleBindings, and the trap here is that candidates may think a ClusterRole can only be bound via a ClusterRoleBinding, but a RoleBinding can bind a ClusterRole to grant its permissions within a single namespace.

408
MCQ (medium)

A development team uses Cloud Secret Manager to store database credentials for an application running on Compute Engine. The application reads the secret using the Secret Manager API. After the team rotates the secret by adding a new version and setting it as the latest, the application continues to use the old secret version and fails to authenticate. The application is configured to fetch the secret with version 'latest' at startup. The team checks that the Compute Engine service account has the roles/secretmanager.secretAccessor role on the secret. What is the most likely cause of the issue?

A. Enable the new secret version by setting its state to 'enabled' via the Cloud Console, gcloud, or API.
B. Grant the service account the roles/secretmanager.secretAccessor at the project level instead of on the secret resource.
C. Update the application to use the specific version ID of the new secret instead of the 'latest' label.
D. Add an IAM condition on the secret that restricts access to only the latest version.
Answer: A

New versions are created disabled; they must be enabled to be accessible.

Why this answer

When a new secret version is added via Cloud Secret Manager, it is created in the 'disabled' state by default. Even if it is set as the 'latest' version, the application cannot access it until the version is explicitly enabled. The application fetches the secret using the 'latest' label, which points to the disabled version, causing authentication failure.

Enabling the new version resolves the issue.

Exam trap

Google Cloud often tests the misconception that setting a new version as 'latest' automatically makes it accessible, ignoring the default disabled state of newly added secret versions.

How to eliminate wrong answers

Option B is wrong because granting the role at the project level would not fix the issue; the service account already has the required role on the secret, but the secret version itself is disabled. Option C is wrong because using a specific version ID would still fail if that version is disabled; the core problem is the version state, not the label. Option D is wrong because adding an IAM condition does not affect the enabled/disabled state of a secret version; it only controls access based on attributes like resource tags or time, not version state.

409
MCQ (medium)

Refer to the exhibit. A security engineer has created this IAM policy for a Cloud KMS key. The service account my-sa is used by a Compute Engine VM to encrypt data before storing it in Cloud Storage. User alice needs to decrypt the data for analysis. Which statement is true?

A. User alice can both encrypt and decrypt.
B. User alice needs the Cloud KMS CryptoKeyEncrypter role to encrypt.
C. The service account can encrypt but cannot decrypt.
D. The service account can both encrypt and decrypt.
Answer: C

It has only the CryptoKeyEncrypter role.

Why this answer

The IAM policy grants the service account my-sa the Cloud KMS CryptoKey Encrypter role, which allows it to encrypt but not decrypt. User alice is granted the Cloud KMS CryptoKey Decrypter role, which allows her to decrypt but not encrypt. Therefore, the service account can only encrypt, and user alice can only decrypt, making option C correct.

Exam trap

Google Cloud often tests the misconception that a service account used for encryption must also be able to decrypt, or that a user with decrypt permissions can also encrypt, when in fact Cloud KMS enforces strict role separation between encrypt and decrypt operations.

How to eliminate wrong answers

Option A is wrong because user alice is only granted the Cloud KMS CryptoKey Decrypter role, which does not include encrypt permissions; she cannot encrypt. Option B is wrong because user alice already has the Cloud KMS CryptoKey Decrypter role, which is sufficient for decryption, but she does not need the Cloud KMS CryptoKeyEncrypter role to encrypt because she is not performing encryption; the service account handles encryption. Option D is wrong because the service account is only granted the Cloud KMS CryptoKey Encrypter role, which explicitly excludes decrypt permissions; it cannot decrypt.

410
MCQ (hard)

Refer to the exhibit. A security administrator is troubleshooting why a user cannot access a BigQuery dataset. The user analyst@example.com is not a member of data-team@example.com. The user is trying to query a table in the dataset. What is the most likely reason for the denial?

A. The user needs to be added as a dataOwner to query tables.
B. The user has the role roles/bigquery.dataViewer, which does not allow querying tables; it only allows viewing dataset metadata.
C. The dataset policy includes a condition that the user does not satisfy.
D. The table itself might have additional restrictions such as row-level security.
Answer: B

dataViewer is insufficient for querying.

Why this answer

Option B is correct because the role roles/bigquery.dataViewer only grants permission to view dataset metadata (e.g., table names, schema) but does not include the bigquery.tables.getData permission required to actually query table rows. Since the user is not a member of data-team@example.com and has only this role, any query attempt will be denied with an access denied error.

Exam trap

Google Cloud often tests the misconception that a role named 'dataViewer' implies the ability to view actual data, when in fact it only grants metadata visibility, not the ability to query table rows.

How to eliminate wrong answers

Option A is wrong because 'dataOwner' is not a standard BigQuery role; the correct role for querying tables is roles/bigquery.dataEditor or roles/bigquery.dataViewer with the bigquery.tables.getData permission, and adding a user as a dataOwner would not grant query access. Option C is wrong because the question states the user is trying to query a table in the dataset, and there is no mention of a condition in the dataset policy; the most likely reason is the insufficient role, not a condition failure. Option D is wrong because row-level security is an additional restriction that applies after the user already has table-level query access; the primary denial here is due to lack of the bigquery.tables.getData permission, not row-level security.

411
MCQ (hard)

A financial services company is migrating to Google Cloud and needs to enforce strict access controls. They want to ensure that all access to Cloud Storage buckets containing sensitive data is logged and that only authorized IP ranges can write to those buckets. They have set up IAM conditions to allow access only from the corporate IP range. However, they notice that some write operations are not being logged in the Cloud Audit Logs for the bucket. The write operations are coming from a service account that is part of a batch job running on Compute Engine instances within the corporate network. What is the most likely reason for the missing logs?

A. The IAM condition is preventing the audit logs from being generated.
B. Data Access audit logs for Cloud Storage are not enabled.
C. The batch job is using a different service account that does not have permission to write.
D. The write operations are not being captured because they are performed by a service account.
Answer: B

Admin Activity logs are enabled by default, but Data Access logs need to be explicitly configured.

Why this answer

Option B is correct because Cloud Audit Logs for Cloud Storage require explicit enabling of Data Access audit logs to capture read, write, and other data-level operations. By default, only Admin Activity audit logs are enabled, which log metadata changes but not data access like object writes. The IAM condition correctly restricts write access to the corporate IP range, but without enabling Data Access audit logs, the write operations from the service account are not recorded.

Exam trap

The trap here is that candidates assume all audit logs are enabled by default, but Google Cloud tests the distinction between Admin Activity logs (always on) and Data Access logs (must be explicitly enabled), especially for services like Cloud Storage where data operations are the primary concern.

How to eliminate wrong answers

Option A is wrong because IAM conditions control access permissions, not audit log generation; audit logs are governed by the Audit Logs configuration in the project, not by IAM conditions. Option C is wrong because the question states the write operations are coming from a service account that is part of a batch job, and the issue is missing logs, not missing permissions; if the service account lacked write permission, the operations would fail, not go unlogged. Option D is wrong because service accounts can generate audit logs just like user accounts; the missing logs are due to the Data Access audit log type not being enabled, not because the principal is a service account.

412
Multi-Select (hard)

A company wants to use service account keys for an on-premises application that needs to authenticate to Google Cloud APIs. Which two practices should they follow to minimize security risks? (Choose TWO.)

Select 2 answers
A. Allow end users to download and use service account keys directly.
B. Enable automatic key generation and disable any unused keys.
C. Store the service account key in the application's source code for easy access.
D. Rotate service account keys regularly and store them in a secure secret management system.
E. Use a single service account key for all environments to simplify management.
Answers: B, D

Automating key generation ensures uniqueness, and disabling unused keys reduces attack surface.

Why this answer

Option B is correct because enabling automatic key generation ensures that keys are created with strong cryptographic standards and that unused keys are promptly disabled, reducing the attack surface. This practice aligns with Google Cloud's recommendation to minimize the number of active keys and to avoid manual key management errors.

Exam trap

Google Cloud often tests the misconception that storing keys in source code is acceptable for convenience, or that a single key across environments simplifies management, when in fact both practices drastically increase security risk.

413
Multi-Select (medium)

A financial institution must meet SOX compliance requirements for audit trail integrity. Which THREE measures should they implement to ensure Cloud Audit Logs are immutable and securely stored?

Select 3 answers
A. Use VPC Service Controls to prevent exfiltration of logs.
B. Use customer-managed encryption keys (CMEK) with Cloud KMS for audit logs.
C. Export logs to Cloud Storage and apply a retention policy with a lock.
D. Set up Cloud IAM roles to restrict who can read audit logs.
E. Store logs in a Cloud Logging bucket with a retention policy locked via the Logs Retention API.
Answers: B, C, E

CMEK ensures only authorized keys can decrypt logs.

Why this answer

Option B is correct because using customer-managed encryption keys (CMEK) with Cloud KMS ensures that audit logs are encrypted with keys under the customer's control, preventing unauthorized decryption even by Google. This satisfies SOX requirements for data integrity and confidentiality, as the logs cannot be tampered with or accessed without the key.

Exam trap

Google Cloud often tests the distinction between access control (IAM, VPC Service Controls) and immutability (retention locks, CMEK), leading candidates to confuse preventing unauthorized access with preventing tampering or deletion.

414
MCQ · hard

A company has a Shared VPC environment with multiple service projects. The security team wants to ensure that all Compute Engine VMs in service projects are only accessible via IAP TCP forwarding for SSH management, and direct external access is completely blocked. They have already applied an organization policy constraint that denies the attachment of external IP addresses to new VMs. However, there are several existing VMs that still have public IP addresses assigned. The team wants to remove the public IPs from these existing VMs without causing downtime for any ongoing SSH sessions or disrupting the applications running on them, but they must ensure the VMs can still reach the internet if needed (for example, to download updates). What should the team do?

A. Delete each VM and recreate it without a public IP address.
B. First, deploy a Cloud NAT gateway for the VPC and subnet, then remove the public IP from each VM; the VMs will use Cloud NAT for outbound internet access.
C. Detach the public IP from each VM in the console, and then create a new private IP for the VM.
D. For each VM, use the gcloud command to delete the public IP and assign a new private IP from the same subnet.
Answer: B

Cloud NAT provides outbound internet without public IPs and can be set up without VM downtime. Then public IPs can be safely removed.

Why this answer

Option B is correct because Cloud NAT provides outbound internet access for private VMs without requiring public IPs, and removing the public IP from an existing VM does not interrupt running SSH sessions or applications—the VM continues running with its internal IP. After deploying Cloud NAT for the VPC and subnet, you can safely remove the public IP from each VM, and the VM will use Cloud NAT for outbound connections (e.g., downloading updates). This approach satisfies the security requirement of blocking direct external access while maintaining outbound connectivity and avoiding downtime.

Exam trap

Google Cloud often tests the misconception that simply removing a public IP and assigning a new private IP (options C and D) will somehow preserve internet access, but without Cloud NAT or a similar outbound gateway, private VMs cannot reach the internet.

How to eliminate wrong answers

Option A is wrong because deleting and recreating VMs would cause downtime for applications and terminate any ongoing SSH sessions, which violates the no-downtime requirement. Option C is wrong because simply detaching the public IP in the console without first setting up Cloud NAT would leave the VM without any outbound internet access, breaking the requirement that VMs can still reach the internet for updates. Option D is wrong because using gcloud to delete the public IP and assign a new private IP does not provide outbound internet access; the VM would lose connectivity to the internet unless Cloud NAT or another outbound mechanism is configured first.

415
MCQ · medium

A pharmaceutical company uses Google Cloud to process clinical trial data subject to HIPAA. They must ensure that only authorized applications can access the data, even if credentials are compromised. Which security control should they implement?

A. Use Workload Identity Federation to allow workloads to access data without service account keys.
B. Use service account impersonation with IAM conditions to restrict access to specific trusted applications.
C. Create a VPC Service Control perimeter that allows only specific service accounts to access the data.
D. Require users to MFA and use IAM roles to grant access.
Answer: B

Impersonation with conditions limits the use of service accounts to specific callers, reducing blast radius.

Why this answer

Option B is correct because service account impersonation with IAM conditions allows the company to bind access to specific trusted applications by requiring that the caller present a specific service account identity. Even if credentials are compromised, the attacker cannot impersonate that service account unless they also satisfy the IAM conditions (e.g., resource tags, IP ranges, or application identity). This directly addresses the requirement to restrict access to authorized applications only, as per HIPAA's minimum necessary standard.

Exam trap

The trap here is that candidates confuse authentication (who you are) with authorization (what you can do) and pick MFA or VPC perimeters, missing that the question explicitly requires application-level restriction even after credential compromise, which only impersonation with conditions provides.

How to eliminate wrong answers

Option A is wrong because Workload Identity Federation eliminates the need for service account keys but does not restrict access to specific applications; it only authenticates external workloads without keys, so a compromised credential could still be used from any federated identity. Option C is wrong because VPC Service Controls create a security perimeter around resources but do not enforce application-level authorization; they block data exfiltration based on network context, not application identity. Option D is wrong because MFA and IAM roles authenticate users, not applications; if a user's credentials are compromised, the attacker can still access data from any application the user has permission to use, failing the 'only authorized applications' requirement.

416
MCQ · medium

Refer to the exhibit. A Security Engineer is reviewing the IAM policy for a project. An administrator reports that a user named admin@example.com cannot create firewall rules, even though the command should allow it. According to the policy, what is the most likely reason?

A. The security-team group has the 'compute.securityAdmin' role, but the user is not in that group.
B. The user has the 'compute.instanceAdmin.v1' role, which conflicts with network admin permissions.
C. The user has the 'compute.networkAdmin' role, which does not include permission to create firewall rules.
D. The IAM policy has an invalid etag, causing the policy to be rejected.
Answer: C

NetworkAdmin can modify networks but not firewall rules; securityAdmin is needed.

Why this answer

Option C is correct because the 'compute.networkAdmin' role in Google Cloud IAM does not include the 'compute.firewalls.create' permission required to create firewall rules. The user has this role, which grants permissions to manage network resources like subnets and routes, but firewall rule creation is a security function that requires the 'compute.securityAdmin' role.

Exam trap

Google Cloud often tests the misconception that 'networkAdmin' implies full control over all network-related resources, including firewalls, when in fact firewall rule management requires a distinct security-focused role.

How to eliminate wrong answers

Option A is wrong because, although the user is not in the security-team group, the policy does not indicate that the user's permissions depend on group membership; the issue is the specific role assigned to the user. Option B is wrong because the 'compute.instanceAdmin.v1' role does not conflict with network admin permissions; it is a separate role for managing compute instances, and conflicts are not a factor in IAM, where permissions are additive. Option D is wrong because an invalid etag would cause the policy to be rejected during an update, not prevent an existing user from performing an action; the user already has the policy applied.

417
MCQ · medium

A multinational corporation operates multiple Google Cloud projects across several folders. They have a security requirement to enforce that all Cloud Storage buckets are created with uniform bucket-level access enabled and that no bucket has public access. They want to automatically remediate any non-compliant bucket that violates these policies. Currently, they use Organization Policies to enforce uniform bucket-level access, but they still find some buckets with public access due to exceptions. They have Cloud Security Command Center (Cloud SCC) enabled and receive findings about public buckets. The operations team wants to build a solution that automatically disables public access on non-compliant buckets. Which approach should they take?

A. Create a new Organization Policy that denies public access to all buckets.
B. Configure a Cloud Monitoring alert policy that triggers a webhook to a third-party automation tool.
C. Create a Cloud Security Command Center notification channel for public bucket findings, publish to a Pub/Sub topic, and trigger a Cloud Function that removes public IAM bindings from the bucket.
D. Write a script using gsutil and run it daily via Cloud Scheduler to check all buckets and remove public access.
Answer: C

Automates detection and response in near real-time.

Why this answer

Option C is correct because using Cloud Functions triggered by Cloud SCC notifications allows real-time remediation. Option A is incorrect because Organization Policies can't automatically fix individual buckets after creation. Option D is incorrect because the script runs on a schedule, not in real time. Option B is incorrect because Cloud Monitoring alerts are not designed for this automatic remediation.

418
Multi-Select · hard

A company is implementing a zero-trust network architecture on Google Cloud. They want to ensure that all traffic between their on-premises data center and Google Cloud is encrypted and authenticated. Additionally, they need to support high availability across multiple regions. Which two Google Cloud services should they use? (Choose two.)

Select 2 answers
A. Cloud NAT
B. VPC Network Peering
C. Cloud CDN
D. Cloud Interconnect (Dedicated)
E. Cloud VPN
Answers: D, E

Dedicated Interconnect provides high-bandwidth, low-latency connections and supports high availability via multiple VLAN attachments.

Why this answer

Cloud VPN provides encrypted tunnels for secure connectivity. Cloud Interconnect (Dedicated) offers dedicated, low-latency, high-availability connections. Combining both provides encryption (via VPN over Interconnect) and HA.

Option A is incorrect because Cloud NAT is for outbound traffic only. Option B is incorrect because VPC Network Peering is for connecting VPCs within Google Cloud. Option C is incorrect because Cloud CDN is for content delivery, not network connectivity.

419
Multi-Select · hard

A company needs to comply with the General Data Protection Regulation (GDPR). They are using BigQuery to store personal data. Which THREE measures should they implement to meet GDPR requirements?

Select 3 answers
A. Enable audit logs via Cloud Audit Logs to track access to personal data.
B. Use Cloud KMS to encrypt individual columns containing personal data.
C. Store data in a multi-region location like 'EU' to ensure availability across regions.
D. Use Cloud DLP to classify and de-identify sensitive columns before loading into BigQuery.
E. Enable data deletion by using DML statements to remove personal data when requested.
Answers: A, D, E

Audit logs are necessary for demonstrating compliance.

Why this answer

Option A is correct because Cloud Audit Logs provide a comprehensive, immutable record of all administrative and data access activities in BigQuery, which is essential for demonstrating GDPR compliance through accountability and traceability. By enabling audit logs, the company can track who accessed personal data, when, and from where, fulfilling the GDPR requirement to maintain records of processing activities.

Exam trap

Google Cloud often tests the misconception that encryption (like Cloud KMS) is a primary GDPR measure for BigQuery, when in reality BigQuery's default encryption already meets encryption requirements, and the focus should be on access control, auditability, and data lifecycle management.

420
Multi-Select · medium

An organization wants to enforce data loss prevention (DLP) for sensitive data stored in Cloud Storage. Which THREE of the following Google Cloud services can be used together to inspect, classify, and automatically redact sensitive data in Cloud Storage? (Choose three.)

Select 3 answers
A. BigQuery
B. Cloud Storage
C. Dialogflow CX
D. Cloud Data Loss Prevention (DLP) API
E. Cloud Functions
Answers: B, D, E

Cloud Storage stores the data and can store inspection results or redacted copies.

Why this answer

Cloud Storage is the target data repository where sensitive data resides, making it a necessary component of the DLP workflow. The Cloud Data Loss Prevention (DLP) API inspects and classifies the data, and Cloud Functions can be triggered by Cloud Storage events to automatically redact or transform the sensitive content before it is stored or accessed.

Exam trap

Google Cloud often tests the misconception that BigQuery is required for DLP on Cloud Storage, but BigQuery is only needed if you are analyzing structured tables; for object-level inspection and redaction in Cloud Storage, the combination of Cloud Storage, Cloud DLP API, and Cloud Functions is the correct serverless pipeline.

421
MCQ · easy

A company needs to store PII in Google Cloud and comply with GDPR data residency requirements. What is the primary Google Cloud feature to enforce data residency?

A. Organization policies
B. Cloud Data Loss Prevention
C. Cloud KMS
D. VPC Service Controls
Answer: D

VPC Service Controls allow you to create perimeters that restrict data movement and access based on location, supporting data residency compliance.

Why this answer

VPC Service Controls (option D) is the primary Google Cloud feature to enforce data residency because it allows you to define perimeters that restrict data movement and access to specific Google Cloud services within a chosen region. By creating a VPC Service Controls perimeter, you can prevent data from being copied or accessed outside of the allowed geographic boundaries, directly addressing GDPR data residency requirements. This is achieved through context-aware access policies that block egress of data to unauthorized regions, even if an attacker gains access to a project.

Exam trap

Google Cloud often tests the misconception that Organization policies (option A) are sufficient for data residency, but in reality, they only restrict resource creation locations, not data movement or access, which is why VPC Service Controls is the correct answer for enforcing residency at the data plane level.

How to eliminate wrong answers

Option A is wrong because Organization policies are used to set constraints on resource usage (e.g., restricting resource locations or disabling service creation), but they do not enforce data residency by controlling data movement or access at the network level; they are a higher-level governance tool, not a data residency enforcement mechanism. Option B is wrong because Cloud Data Loss Prevention (DLP) is designed to inspect, classify, and de-identify sensitive data (like PII) but does not enforce geographic restrictions on where data can be stored or processed; it focuses on data protection, not residency. Option C is wrong because Cloud KMS manages encryption keys for data at rest and in transit but has no capability to restrict data to a specific region or prevent data from leaving a geographic boundary; it is a key management service, not a data residency control.

422
MCQ · medium

A company uses Organization Policies to restrict resource locations. They want to allow resources only in 'us-central1' and 'europe-west1'. They also need to allow a specific project to use 'us-east1' for a temporary workload. What is the correct organization policy configuration?

A. Set an organization policy with constraint 'gcp.resourceLocations' and allowed values 'us-central1' and 'europe-west1'. On the specific project, set a policy with allowed values 'us-central1', 'europe-west1', and 'us-east1'.
B. Set an organization policy with constraint 'gcp.resourceLocations' and denied values 'asia-*', 'australia-*', etc. On the specific project, set a policy with allowed values 'us-east1'.
C. Set an organization policy with constraint 'gcp.resourceLocations' and allowed values 'us-central1', 'europe-west1'. Use tags to mark the project and create a conditional policy that adds 'us-east1' when the tag is present.
D. Set an organization policy with constraint 'gcp.resourceLocations' and allowed values 'us-central1', 'europe-west1'. On the specific project, set a policy with denied values 'us-east1'.
Answer: A

Correct hierarchy: org policy restricts, project policy allows additional location.

Why this answer

Option A is correct because Organization Policies with the 'gcp.resourceLocations' constraint enforce location restrictions hierarchically. By setting allowed values at the organization level to 'us-central1' and 'europe-west1', all projects inherit these restrictions. Overriding the policy on the specific project by adding 'us-east1' to the allowed list creates a more permissive policy that still respects the organization-level constraints, allowing the temporary workload in 'us-east1'.

Exam trap

Google Cloud often tests the misconception that project-level policies merge with organization-level policies, when in reality they override the parent policy entirely, requiring the allowed list to include all permitted locations.

How to eliminate wrong answers

Option B is wrong because using denied values with wildcards like 'asia-*' is overly broad and does not explicitly allow the required locations; it also fails to guarantee that only 'us-central1' and 'europe-west1' are allowed, and adding 'us-east1' as an allowed value on the project would conflict with the deny-all approach. Option C is wrong because tags and conditional policies are not supported with the 'gcp.resourceLocations' constraint; this constraint only supports hierarchical override via allowed/denied lists, not tag-based conditions. Option D is wrong because setting denied values 'us-east1' on the specific project would explicitly block 'us-east1', which contradicts the requirement to allow it for the temporary workload.

423
Multi-Select · easy

A healthcare organization needs to redact Social Security Numbers (SSNs) from patient records stored in Cloud Storage before sharing them with a research partner. They plan to use Cloud DLP. Which TWO actions should they take to configure the DLP job correctly? (Choose two.)

Select 2 answers
A. Apply a de-identification template that uses the 'redact' transformation on the identified SSNs.
B. Use the built-in infoType detector US_SOCIAL_SECURITY_NUMBER to identify SSNs.
C. Configure Access Transparency logs to track who accesses the objects.
D. Encrypt the objects with a CMEK key before running the DLP inspection.
E. Enable VPC Service Controls to prevent unauthorized access to the bucket.
Answers: A, B

Redact removes the detected sensitive data from the output.

Why this answer

Option A is correct because Cloud DLP de-identification templates allow you to specify a 'redact' transformation that completely removes or replaces the matched sensitive data, such as SSNs, from the content. This ensures that the output files shared with the research partner contain no trace of the original SSNs, meeting the redaction requirement.

Exam trap

Google Cloud often tests the distinction between data-level de-identification (DLP transformations) and infrastructure-level security controls (encryption, VPC Service Controls, logging), leading candidates to select options that protect the data at rest or in transit but do not actually redact the sensitive content.

424
Multi-Select · easy

A security engineer is configuring service account impersonation for cross-project access. Which two statements about service account impersonation are true? (Choose two.)

Select 2 answers
A. A user must have the roles/iam.serviceAccountUser role on the service account to impersonate it.
B. The Security Token Service (sts.googleapis.com) must be enabled for impersonation.
C. Impersonation requires the iam.serviceAccounts.getAccessToken permission.
D. Service accounts cannot impersonate other service accounts.
E. Impersonation can be used to delegate access across projects.
Answers: C, E

Option C is correct because the getAccessToken permission is needed to obtain an access token for the target service account.

Why this answer

Option C is correct because the iam.serviceAccounts.getAccessToken permission is required to generate an access token for a service account, which is the core mechanism of impersonation. Without this permission, the Security Token Service cannot issue a token on behalf of the service account, making impersonation impossible.

Exam trap

Google Cloud often tests the distinction between the roles/iam.serviceAccountUser and roles/iam.serviceAccountTokenCreator roles, leading candidates to mistakenly choose Option A when impersonation actually requires the token creator role or the specific getAccessToken permission.

425
MCQ · easy

A multinational organization must store customer data only in specific geographic regions to comply with data residency regulations. They use Cloud Spanner for their primary database. What should they do to enforce that data is stored only in approved regions?

A. Apply an organization policy with a constraint that restricts the location of Cloud Spanner resources to approved regions.
B. Create a Cloud Spanner instance in the desired region and configure a backup in a different region for disaster recovery.
C. Configure a VPC Service Controls perimeter to restrict access to Cloud Spanner.
D. Use Cloud Spanner with data residency constraints by selecting a multi-region configuration that includes only approved regions.
Answer: A

Organization policies can enforce location restrictions on resources.

Why this answer

Organization policies with resource location constraints allow you to enforce that Cloud Spanner instances are created only in approved geographic regions. This policy is evaluated at resource creation time and prevents the deployment of Spanner instances outside the specified regions, directly addressing data residency compliance requirements.

Exam trap

Google Cloud often tests the distinction between data residency enforcement (location constraints) and access control (VPC Service Controls) or data protection (backups), leading candidates to confuse network perimeters with geographic storage restrictions.

How to eliminate wrong answers

Option B is wrong because creating an instance in one region and a backup in another does not enforce data residency; the primary data could still be stored in a non-approved region. Option C is wrong because VPC Service Controls restrict network access to Cloud Spanner, not the geographic location where the data is stored. Option D is wrong because selecting a multi-region configuration that includes only approved regions does not prevent the instance from being placed in a non-approved region if the configuration is not restricted; the organization policy is needed to enforce the constraint.

426
MCQ · easy

A company wants to ensure that all data stored in Cloud Storage buckets is encrypted with a customer-managed key (CMEK) that is managed in Cloud KMS. The security team requires that only authorized applications can access the key. Which configuration step should be taken to achieve this?

A. Use a customer-supplied encryption key (CSEK) instead of CMEK.
B. Grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the Cloud Storage service account at the Cloud KMS key resource.
C. Create a bucket with default encryption set to use a CMEK, and grant the service account the Cloud KMS Admin role.
D. Grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the Cloud Storage service account at the project level.
Answer: B

This grants the minimum required permission at the specific key.

Why this answer

Option B is correct because Cloud Storage uses its own Google-managed service account to interact with Cloud KMS when encrypting or decrypting data with a CMEK. By granting the Cloud KMS CryptoKey Encrypter/Decrypter role to the Cloud Storage service account at the specific key resource, you authorize only that service account to use the key, ensuring that only authorized applications (via Cloud Storage) can access the key. This follows the principle of least privilege and meets the security team's requirement.

Exam trap

Google Cloud often tests the distinction between granting roles at the project level versus the resource level, and the trap here is that candidates mistakenly think granting the role at the project level is sufficient, but that would allow any bucket in the project to use the key, violating the 'only authorized applications' requirement.

How to eliminate wrong answers

Option A is wrong because CSEK (customer-supplied encryption key) is not managed in Cloud KMS; instead, the customer provides the key directly in each request, and Google does not store the key, which contradicts the requirement for a customer-managed key in Cloud KMS. Option C is wrong because granting the Cloud KMS Admin role to the Cloud Storage service account provides full administrative control over the key (including deletion and rotation), which is excessive and violates the principle of least privilege; the service account only needs the Encrypter/Decrypter role. Option D is wrong because granting the role at the project level would allow any Cloud Storage bucket in the project to use the key, potentially enabling unauthorized applications or buckets to access the key, which does not satisfy the requirement that only authorized applications can access the key.

427
MCQ · medium

A user is unable to SSH into an instance that has the tag 'ssh-access' and an internal IP 10.0.0.2. The user's IP is 198.51.100.1. What is the most likely reason?

A. The instance is not using the correct service account
B. The instance does not have an external IP
C. The user's IP is not in the allowed source range
D. The firewall rule is disabled
Answer: C

The rule's sourceRanges only includes 203.0.113.0/24, not the user's IP.

Why this answer

The firewall rule only allows SSH from the source range 203.0.113.0/24. The user's IP (198.51.100.1) is not in that range, so the connection is denied.

428
MCQ · medium

You are designing a network for a multi-tier application. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier. The database tier should only be accessible from the application tier. All tiers are in the same VPC. Which combination of firewall rules meets these requirements?

A. Create an ingress rule allowing traffic from the web tier subnet to the application tier subnet, and an ingress rule allowing traffic from the application tier subnet to the database tier subnet.
B. Assign each tier a unique service account and create ingress rules allowing traffic from the appropriate service accounts.
C. Create an ingress rule allowing traffic from 0.0.0.0/0 to instances with tag 'web', an ingress rule allowing traffic from instances with tag 'web' to instances with tag 'app', and an ingress rule allowing traffic from instances with tag 'app' to instances with tag 'db'.
D. Create a single ingress rule that allows all traffic within the VPC network and a separate rule to allow internet traffic to the web tier.
Answer: C

Tags provide simple group-based access control.

Why this answer

Option C is correct because it uses VPC firewall tags to enforce least-privilege network segmentation: the web tier is exposed to the internet (0.0.0.0/0), the app tier only accepts traffic from web-tagged instances, and the database tier only accepts traffic from app-tagged instances. This matches the multi-tier access requirements without exposing internal tiers to the internet or to each other unnecessarily.

Exam trap

Google Cloud often tests the distinction between network-layer controls (firewall rules with tags/IPs) and identity-layer controls (IAM/service accounts), leading candidates to incorrectly choose service accounts for network segmentation.

How to eliminate wrong answers

Option A is wrong because it specifies subnet-to-subnet ingress rules, which would allow any instance in the web subnet to reach any instance in the app subnet, and any instance in the app subnet to reach any instance in the db subnet, but it does not include a rule to allow internet traffic (0.0.0.0/0) to the web tier, leaving the web tier inaccessible from the internet. Option B is wrong because service accounts control identity and permissions for API calls, not network traffic; firewall rules in a VPC operate on IP addresses, tags, or CIDR ranges, not on service accounts, so this approach cannot restrict network-layer access between tiers. Option D is wrong because a single ingress rule allowing all traffic within the VPC would permit the database tier to be reachable from the web tier and from any other instance in the VPC, violating the requirement that the database tier only be accessible from the application tier.

429
MCQ · easy

A security engineer wants to ensure that all API calls to Google Cloud services are logged for audit purposes. Which service should they enable?

A. VPC Flow Logs
B. Cloud Audit Logs
C. Cloud NAT Logs
D. Firewall Rules Logging
Answer: B

Cloud Audit Logs record all API calls and administrative actions.

Why this answer

Cloud Audit Logs record administrative and data access activities. Other logs serve different purposes.

430
MCQ · hard

A large enterprise has a security command center that uses SIEM to analyze logs. They are migrating to Google Cloud and want to export all Cloud Audit Logs (Admin Activity, Data Access, and System Events) from all projects into a centralized BigQuery dataset for analysis. They also need to ensure logs are available within 5 minutes of being generated. Which sink configuration should they use?

A. Create an aggregated sink at the organization level that includes all projects and uses a BigQuery dataset as destination, with inclusion filters for all audit log types.
B. Create a single aggregated sink at the organization level that uses a Pub/Sub topic as destination, and have a subscriber stream logs into BigQuery.
C. Create a sink in each project that exports Audit Logs to a shared BigQuery dataset.
D. Enable logging export using Cloud Logging's beta feature to stream logs to an external SIEM via syslog.
Answer: A

Aggregated sinks can export logs from all projects under the organization to a single BigQuery dataset.

Why this answer

Option A is correct because aggregating sinks across all projects into a single BigQuery dataset via inclusion filters is the standard method. Option C is incorrect because a sink at the project level requires individual setup per project. Option D is incorrect because Logs Router cannot route to a SIEM directly. Option B is incorrect because inclusion filters without aggregation would not capture all projects efficiently.

431
MCQ · medium

A security engineer is reviewing the IAM policy of a Cloud Storage bucket that contains sensitive data. The exhibit shows the current policy. A developer reports that they can read objects in the bucket using service account sa-2, but they cannot delete objects. What is the most likely reason?

A. There is an explicit deny on the bucket for sa-2
B. The service account sa-2 has roles/storage.objectAdmin, which includes delete permissions, but there might be a condition or organization policy preventing deletion
C. The bucket has uniform bucket-level access disabled, so ACLs override IAM
D. The service account sa-2 actually has roles/storage.objectViewer, not objectAdmin
Answer: B

objectAdmin includes delete, so the issue is likely an additional constraint.

Why this answer

Option B is correct because the IAM policy shows that service account sa-2 has the roles/storage.objectAdmin role, which includes the storage.objects.delete permission. However, the presence of a condition or an organization policy (such as a VPC Service Controls perimeter or a boolean constraint) can override this permission, preventing deletion even though the role is assigned. The developer can read objects (permitted by the role) but cannot delete them, indicating that a higher-level policy is blocking the delete action.

Exam trap

Google Cloud often tests the misconception that a role with delete permissions always allows deletion, ignoring that IAM conditions or organization policies can override the permission, leading candidates to incorrectly choose a role mismatch or ACL override.

How to eliminate wrong answers

Option A is wrong because there is no explicit deny statement in the IAM policy for sa-2; explicit denies are rare and would appear as a separate 'Deny' rule, not as a missing permission. Option C is wrong because uniform bucket-level access being disabled would allow ACLs to coexist with IAM, but ACLs cannot override IAM permissions for the same principal; if sa-2 has the objectAdmin role via IAM, ACLs cannot restrict that permission unless they explicitly deny (which is not shown). Option D is wrong because the exhibit clearly shows the role is roles/storage.objectAdmin, not objectViewer; the developer can read objects, which is consistent with objectAdmin, but the inability to delete points to a condition or org policy, not a role mismatch.

432
MCQmedium

A company uses Cloud Functions and wants to ensure that only authorized services can invoke them. The functions are triggered via HTTP. What is the best way to achieve this?

A.Set a VPC connector and allow only internal traffic.
B.Use Cloud Endpoints with API keys and IAM.
C.Rely on the Cloud Functions URL being unguessable.
D.Use Firebase Authentication.
AnswerB

Cloud Endpoints provides robust authentication and authorization for HTTP triggers.

Why this answer

Option B is correct because Cloud Endpoints can authenticate and authorize requests using API keys and IAM, providing fine-grained access control. Option A is not suitable for HTTP-triggered Cloud Functions, as VPC connectors are for internal network access. Option D is designed for Firebase mobile clients, not service-to-service calls.

Option C is insecure, as URLs can be guessed or leaked.

433
MCQmedium

A security engineer notices that a service account has been granted the 'roles/editor' role on a project. According to least privilege, what is the best course of action?

A.Create a custom role with only the necessary permissions and reassign it to the service account.
B.Remove the service account and create a new one with a custom role containing only required permissions.
C.Change the role to 'roles/viewer' to be more restrictive.
D.Keep the role but add an access boundary using VPC Service Controls.
AnswerA

Custom roles allow precise permission assignment, adhering to least privilege.

Why this answer

Option A is correct because creating a custom role with only the necessary permissions and reassigning it minimizes privileges while maintaining functionality. Option B is too drastic and may break services. Option C may be too restrictive.

Option D doesn't change the permissions; VPC Service Controls restrict access at the network level, not permissions.

434
Multi-Selecthard

A company uses Shared VPC with a host project and multiple service projects. The security team wants to enforce that only specific VMs in service project A (using IP range 10.0.1.0/24) can communicate with specific VMs in service project B (tagged as 'app-b') on TCP port 443, and all other inter-service-project traffic should be blocked. Additionally, VMs should still be accessible via IAP TCP forwarding (SSH) on TCP port 22. Which three firewall rules should be created in the host project? (Choose three.)

Select 3 answers
A.Priority 1000: Allow ingress from 10.0.1.0/24 to VMs with tag 'app-b' on TCP 443.
B.Priority 2000: Deny ingress from 0.0.0.0/0 to all VMs on all protocols.
C.Priority 1000: Allow ingress from IAP forwarding ranges to all VMs on all protocols.
D.Priority 1000: Allow egress from VMs in service project A to service project B's VMs on TCP 443.
E.Priority 900: Allow ingress from IAP forwarding ranges (35.235.240.0/20) to all VMs on TCP 22.
AnswersA, B, E

This allows the desired inter-service-project traffic on TCP 443.

Why this answer

Option A is correct because it creates an ingress firewall rule in the host project that allows traffic from the specific IP range 10.0.1.0/24 (VMs in service project A) to VMs tagged 'app-b' in service project B on TCP port 443. In Shared VPC, all firewall rules are defined in the host project and apply to all service projects, so this rule enforces the required communication while the deny rule (Option B) blocks all other inter-service-project traffic. The IAP rule (Option E) is needed to allow SSH access via IAP TCP forwarding, which uses the source range 35.235.240.0/20 on TCP port 22.

Exam trap

Google Cloud often tests the misconception that egress rules are needed for inter-service-project communication, when in fact ingress rules on the destination VMs are sufficient, and that IAP rules must be scoped to only TCP 22, not all protocols.

435
MCQmedium

A DevOps team wants to allow a CI/CD pipeline to deploy to Compute Engine using a service account. What is the best practice for managing service account keys?

A.Use a service account key distributed to each developer.
B.Generate a key and store it in Cloud Secret Manager.
C.Use workload identity federation.
D.Use a service account key stored in the source code repository.
AnswerC

Federation avoids long-lived keys and is the recommended approach.

Why this answer

Workload identity federation is the best practice because it allows the CI/CD pipeline to impersonate a service account without managing or storing any long-lived service account keys. This eliminates the risk of key leakage and rotation overhead, as authentication is done via an external identity provider (e.g., GitHub Actions, GitLab CI) using OIDC tokens. Google Cloud's workload identity federation supports OIDC (OpenID Connect) and SAML 2.0, enabling secure, keyless access from external workloads.

Exam trap

Google Cloud often tests the misconception that storing a key in a secure vault like Cloud Secret Manager is the best practice, but the trap here is that any long-lived key (even if encrypted at rest) introduces management overhead and potential for exposure, whereas workload identity federation eliminates the key entirely.

How to eliminate wrong answers

Option A is wrong because distributing a service account key to each developer violates the principle of least privilege and creates a massive security risk — any compromised developer workstation could expose the key, leading to unauthorized access to Compute Engine. Option B is wrong because while Cloud Secret Manager securely stores secrets, using a service account key at all (even stored in Secret Manager) still requires managing a long-lived credential that must be rotated and can be leaked; workload identity federation avoids keys entirely. Option D is wrong because storing a service account key in the source code repository is a critical security anti-pattern — it exposes the key to anyone with repository access, including in CI/CD logs, and violates Google Cloud's security best practices.

436
Multi-Selecteasy

A company wants to encrypt data at rest in Cloud SQL. Which TWO methods are supported? (Choose TWO.)

Select 2 answers
A.Default encryption at rest with Google-managed keys
B.Cloud HSM hardware security module for encryption
C.Cloud Key Management Service (Cloud KMS) as a standalone encryption method
D.Client-side encryption before storing data in Cloud SQL
E.Customer-managed encryption keys (CMEK) using Cloud KMS
AnswersA, E

By default, Cloud SQL encrypts data at rest using Google-managed encryption keys.

Why this answer

Option A is correct because Cloud SQL provides default encryption at rest using AES-256 with Google-managed keys, which are automatically generated and rotated by Google. This encryption is transparent to the user and requires no additional configuration, ensuring data is encrypted before being written to disk.

Exam trap

Google Cloud often tests the distinction between default encryption (Google-managed keys) and customer-managed encryption keys (CMEK) as the two supported methods, trapping candidates who think Cloud HSM or client-side encryption are built-in Cloud SQL features.

437
Drag & Dropmedium

Drag and drop the steps to respond to a data breach involving a Cloud Storage bucket in the correct order.


Why this order

Incident response steps are: contain, investigate, notify, remediate, and review.

438
MCQhard

A financial services company is migrating to Google Cloud and needs to meet SOX compliance. They have a production project containing a Cloud SQL instance with financial transactions. They must ensure that all database changes are logged, and logs are immutable for 7 years. They enabled Cloud Audit Logs for Cloud SQL and created a log sink to export Admin Activity logs to Cloud Storage. However, during a quarterly audit, the auditor cannot find logs for some SELECT queries that accessed sensitive columns. The company expected these SELECT queries to appear in audit logs because they enabled Data Access audit logs for Cloud SQL. You discover that the Data Access audit logs were enabled at the project level, but the log sink only exports Admin Activity logs. Additionally, auditors require that logs cannot be deleted before the retention period. What should you do?

A.Enable VPC Flow Logs and export them to Cloud Storage with a 7-year retention policy.
B.Export logs to BigQuery with table expiration of 7 years and use IAM to restrict deletion.
C.Enable Data Access audit logs at the Cloud SQL instance level and export them to a separate Cloud Storage bucket with a 7-year retention policy.
D.Modify the log sink to include Data Access audit logs and update the Cloud Storage bucket to have a 7-year retention policy and object holds.
AnswerD

This ensures all audit logs are exported and immutable for the required period.

Why this answer

Option D is correct because the root cause is that the log sink is configured to export only Admin Activity logs, while the missing SELECT queries are Data Access audit logs. By modifying the log sink to include Data Access audit logs, those queries will be exported. Additionally, setting a 7-year retention policy and object holds on the Cloud Storage bucket ensures logs are immutable and cannot be deleted before the retention period ends, meeting SOX compliance requirements.

Exam trap

Google Cloud often tests the misconception that enabling audit logs at the resource level (e.g., Cloud SQL instance) is sufficient, when in fact the log sink export filter must be explicitly configured to include the desired log types, and immutability requires both retention policy and object holds on the storage destination.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture network traffic metadata, not database query logs, and they do not address the missing SELECT queries or the log sink configuration. Option B is wrong because exporting to BigQuery with table expiration does not provide immutable storage; BigQuery tables can be deleted or modified by authorized users, and the requirement is for immutable logs in Cloud Storage. Option C is wrong because enabling Data Access audit logs at the instance level is unnecessary (they are already enabled at the project level), and exporting to a separate bucket does not fix the core issue that the log sink is not exporting Data Access logs; also, object holds are not mentioned, which are needed for immutability.

439
MCQmedium

A security engineer needs to ensure that all compute instances are patched with the latest security updates. What is the recommended approach?

A.Use OS Config Management with patch compliance reporting.
B.Use a configuration management tool like Chef.
C.Use the VM Manager patch deployment feature.
D.Use Cloud Scheduler to run a script that patches instances.
AnswerC

VM Manager patch deployment automates patching across instances with compliance tracking.

Why this answer

Option C is correct. The VM Manager patch deployment feature within OS Config Management provides a managed, automated patching solution. Option B is not a built-in Google Cloud service.

Option A is partially correct, but VM Manager is the specific managed patching service. Option D is less reliable and manual. Option C is the most comprehensive and automated.

440
MCQeasy

A company wants to ensure that all data stored in Cloud Storage buckets is encrypted at rest using a customer-managed key that is automatically rotated every 90 days. What should they do?

A.Create a Cloud KMS key ring and a key with rotation period set to 7776000s (90 days).
B.Use customer-supplied encryption keys (CSEK) and update them manually every 90 days.
C.Use default Google-managed encryption keys.
D.Use Cloud HSM to generate a key and implement a custom rotation script.
AnswerA

Cloud KMS supports automatic rotation of customer-managed keys.

Why this answer

Option A is correct because Cloud KMS allows you to create a customer-managed encryption key (CMEK) with an automatic rotation period of 7776000 seconds (90 days). When you set the rotation period on a key, Cloud KMS automatically rotates the key material at the specified interval, ensuring that all data encrypted with that key is protected by a new key version without manual intervention. This satisfies the requirement for customer-managed keys with automatic rotation.

Exam trap

Google Cloud often tests the distinction between automatic rotation (Cloud KMS CMEK with rotation period) and manual rotation (CSEK or custom scripts), leading candidates to choose manual or HSM-based options that lack built-in automatic rotation.

How to eliminate wrong answers

Option B is wrong because customer-supplied encryption keys (CSEK) require you to provide the key with each API call and you must manage rotation manually; there is no automatic rotation mechanism in Cloud Storage for CSEK. Option C is wrong because default Google-managed encryption keys are not customer-managed and cannot be rotated on a custom schedule; they are managed entirely by Google. Option D is wrong because Cloud HSM generates keys but does not provide built-in automatic rotation; implementing a custom rotation script introduces operational complexity and risk, and is not the recommended or simplest approach for automatic key rotation.

441
Multi-Selectmedium

You are a security engineer for a healthcare organization. You need to protect sensitive patient data stored in Cloud Storage. You want to ensure that data is encrypted at rest using a customer-managed key (CMEK) and that access to the key is logged. You also need to prevent data exfiltration by limiting which service accounts can decrypt data. Which TWO steps should you take? (Choose two.)

Select 2 answers
A.Configure a VPC Service Controls perimeter that includes the Cloud Storage bucket and the KMS key.
B.Use Cloud HSM to create and manage the encryption key, and disable Cloud Audit Logs for the HSM key.
C.Enable default encryption (Google-managed key) on the bucket and use Cloud Audit Logs to monitor access.
D.Use customer-supplied encryption keys (CSEK) and store the key in Cloud Key Management Service (KMS).
E.Create a Cloud KMS key ring and key, and configure the bucket to use CMEK with that key. Enable Cloud Audit Logs for the KMS key.
AnswersA, E

VPC Service Controls restrict data exfiltration by preventing access from outside the perimeter.

Why this answer

Option A is correct because VPC Service Controls creates a security perimeter around the Cloud Storage bucket and the KMS key, preventing data exfiltration by blocking unauthorized service accounts from decrypting data outside the perimeter. Option E is correct because creating a Cloud KMS key ring and key, configuring the bucket to use CMEK, and enabling Cloud Audit Logs for the KMS key ensures encryption at rest with a customer-managed key and logs all access to the key, meeting both requirements.

Exam trap

Google Cloud often tests the distinction between CMEK and CSEK, where candidates mistakenly think CSEK can be stored in Cloud KMS for management, but CSEK is provided per request and not stored, while CMEK is fully managed in Cloud KMS with audit logging capabilities.

442
MCQmedium

An organization uses Shared VPC with a host project and several service projects. A network administrator in a service project wants to create a firewall rule that allows traffic from a specific source CIDR to a Compute Engine instance in the service project. What is the correct way to achieve this?

A.Create the firewall rule in the service project targeting the instance's tags.
B.Create a firewall rule in the service project using the instance's service account.
C.Use VPC Flow Logs to generate a recommendation and apply it in the service project.
D.Request the host project administrator to create the firewall rule in the host project.
AnswerD

In Shared VPC, the host project owns the firewall rules for the shared VPC network.

Why this answer

In a Shared VPC architecture, firewall rules are a host-project-level resource. Service project administrators cannot create or manage firewall rules that apply to resources in the shared VPC network; only the host project administrator has the necessary permissions. Therefore, to allow traffic from a specific source CIDR to a Compute Engine instance in a service project, the host project administrator must create the firewall rule in the host project, targeting the instance's tags or service account.

Exam trap

Google Cloud often tests the misconception that service project administrators have full control over networking resources in a Shared VPC, when in fact firewall rules and other network-level configurations are exclusively managed in the host project.

How to eliminate wrong answers

Option A is wrong because firewall rules in a Shared VPC must be created in the host project, not the service project; the service project lacks the authority to create rules that apply to the shared VPC network. Option B is wrong because, while service accounts can be used in firewall rules, the rule itself must still be created in the host project, not the service project. Option C is wrong because VPC Flow Logs are used for monitoring and troubleshooting network traffic, not for generating or applying firewall rules; they cannot create or recommend firewall rules automatically.

443
MCQhard

An organization wants to enforce that all Compute Engine instances are created with a specific service account that has only the permissions defined by a custom role. Additionally, users must not be able to override this service account. Which two mechanisms should be combined?

A.Use Cloud Audit Logs to monitor and alert on non-compliant instances.
B.VPC Service Controls to restrict the service account usage.
C.An Organization Policy with constraint constraints/compute.setServiceAccount and an IAM deny policy to deny the iam.serviceAccounts.actAs permission on other service accounts.
D.Grant users only the Compute Instance Admin v1 role and remove the actAs permission.
AnswerC

This combination enforces the service account and prevents override.

Why this answer

Option C is correct because it combines an Organization Policy constraint (`constraints/compute.setServiceAccount`) that prevents users from specifying a different service account when creating Compute Engine instances, with an IAM deny policy that blocks the `iam.serviceAccounts.actAs` permission on all other service accounts. Together, these enforce that only the designated service account can be used, and users cannot override it.

Exam trap

Google Cloud often tests the misconception that a single mechanism (like an organization policy or IAM role restriction) is sufficient, when in reality two complementary controls are needed to both restrict the service account selection and block the actAs permission on unauthorized accounts.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs only provide monitoring and alerting after a non-compliant instance is created; they do not prevent the creation of instances with unauthorized service accounts. Option B is wrong because VPC Service Controls are designed to restrict data exfiltration and control access to Google Cloud APIs based on context (e.g., identity, network), not to enforce which service account is attached to Compute Engine instances. Option D is wrong because granting only the Compute Instance Admin v1 role and removing the `actAs` permission does not prevent users from specifying a different service account during instance creation; it only removes the ability to use service accounts that require `actAs`, but the user could still specify a service account they do not have `actAs` on, leading to a permission error rather than enforcement of a specific service account.

444
Drag & Dropmedium

Drag and drop the steps to configure a VPC Service Controls perimeter in the correct order.


Why this order

VPC Service Controls perimeters are configured by first setting up an access policy, defining access levels, creating the perimeter, adding ingress/egress rules, and finally enforcing and testing.

445
MCQmedium

A company operates a hybrid cloud environment with on-premises data centers and Google Cloud Platform. They store sensitive customer data in Cloud Storage buckets and use Data Loss Prevention (DLP) to scan for and inspect sensitive content. They have automated DLP inspection jobs that run periodically, but they want to automatically redact sensitive data (e.g., Social Security numbers) in any new object as soon as it is written to a specific bucket. The redacted version should replace the original object in the same bucket. Which of the following is the most effective and recommended approach?

A.Set up a Cloud Function triggered by Cloud Storage 'finalize' events. The function calls the DLP API to inspect the object, creates a redacted version, and deletes the original object, replacing it with the redacted data.
B.Enable a bucket retention policy and use DLP to scan objects and quarantine those with sensitive data by moving them to a different bucket.
C.Use Cloud Storage Object Change Notifications to alert a Compute Engine instance that runs a DLP job to modify the object in place.
D.Use VPC Service Controls to create a secure perimeter around the bucket and then run DLP scans on a schedule.
AnswerA

This is the standard serverless pattern for automatic redaction. Cloud Functions respond to new objects, DLP inspects and redacts, and the function rewrites the object with the redacted content.

Why this answer

Option A is correct: triggering a Cloud Function on object finalize events, running DLP inspection, and rewriting the object with redacted data is the recommended pattern. Option C is incorrect because DLP cannot modify objects in place; it produces a new artifact. Option B is about retention, not redaction.

Option D is about perimeter security and does not address redaction.

446
Multi-Selecthard

A global e-commerce company must comply with GDPR and CCPA. They use BigQuery to store customer data and need to ensure that when a user requests data deletion, all copies are deleted within 30 days. Additionally, they want to minimize storage costs. Which TWO actions should they take?

Select 2 answers
A.Use the DDL statement to drop the table after 30 days using a scheduled query.
B.Create a Cloud Function to export the data before deletion.
C.Set a table retention policy of 30 days using ALTER TABLE SET OPTIONS.
D.Set the Time Travel window to 7 days and the Fail-safe storage window to 23 days.
E.Use BigQuery continuous backups with a 30-day retention.
AnswersA, D

Scheduled query to drop table after 30 days ensures data deletion while minimizing costs.

Why this answer

Option A is correct because using a DDL statement (e.g., DROP TABLE) in a scheduled query allows you to delete the entire table after exactly 30 days, ensuring all data copies (including storage and any snapshots) are removed. This directly meets the GDPR/CCPA deletion requirement while minimizing storage costs by not retaining data beyond the mandated period.

Exam trap

Google Cloud often tests the misconception that BigQuery has a direct table retention policy (like ALTER TABLE SET OPTIONS) when in reality, retention is managed through time travel and fail-safe storage windows, not a table-level option.

447
Multi-Selecthard

A company wants to enforce that all access to Cloud Storage buckets in a project is encrypted with Customer-Managed Encryption Keys (CMEK). The Security Engineer needs to configure the organization policy to meet this requirement. Which THREE steps should be taken? (Choose THREE.)

Select 3 answers
A.Create an organization policy with the constraint 'constraints/storage.requireCustomerManagedEncryption'.
B.Grant the 'cloudkms.cryptoKeyEncrypterDecrypter' role to the Cloud Storage service account.
C.Apply the organization policy at the folder level to cover all projects within that folder.
D.Disable the 'storage.objects.setIamPolicy' permission for all users except the key administrators.
E.Define a list of allowed Cloud KMS keys using the 'constraints/storage.allowedEncryptionKeys' list constraint.
AnswersA, C, E

This constraint enforces CMEK on Cloud Storage.

Why this answer

Option A is correct because the `constraints/storage.requireCustomerManagedEncryption` organization policy constraint enforces that all Cloud Storage buckets in the project must use CMEK. When this constraint is applied, any attempt to create a bucket without specifying a CMEK key is denied, ensuring compliance with the encryption requirement.

Exam trap

Google Cloud often tests the distinction between organization policy constraints and IAM roles or permissions, so candidates may mistakenly select steps that involve granting roles or modifying IAM permissions instead of focusing solely on the policy constraint configuration.

448
Multi-Selectmedium

Which TWO are benefits of using Cloud Armor with a global external HTTPS Load Balancer?

Select 2 answers
A.Automatic content caching
B.Traffic management based on latency
C.Built-in load balancing
D.DDoS protection at the edge
E.Web Application Firewall (WAF) rules
AnswersD, E

Cloud Armor offers built-in DDoS protection using Google's global infrastructure.

Why this answer

Options D and E are correct. Cloud Armor provides DDoS protection and WAF capabilities. Option C (load balancing) is the load balancer's function, not Cloud Armor's.

Option A (content caching) is provided by Cloud CDN. Option B (traffic management) is not a primary Cloud Armor feature.

449
MCQhard

An organization uses BigQuery with column-level security. They have a column containing social security numbers (SSNs) that should only be visible to users with the 'PII_Viewer' role. How should they configure this?

A.Encrypt the column with CMEK and give decrypt permission only to PII_Viewer.
B.Use authorized views to filter the column.
C.Use BigQuery row-level access policies.
D.Create a policy tag on the column and bind it to the role.
AnswerD

Policy tags implement column-level security in BigQuery.

Why this answer

Option D is correct because BigQuery column-level security uses policy tags to restrict access to sensitive columns. By creating a policy tag on the SSN column and binding it to the 'PII_Viewer' role, only users with that role can see the data; others see NULL or are denied access. This is the native, recommended approach for column-level access control in BigQuery.

Exam trap

Google Cloud often tests the distinction between encryption (which protects data at rest but does not control access by role) and policy-based access controls (which enforce visibility at query time), leading candidates to mistakenly choose encryption options for column-level restrictions.

How to eliminate wrong answers

Option A is wrong because CMEK (Customer-Managed Encryption Keys) encrypts data at rest but does not provide column-level access control; decrypt permission applies to the entire table or dataset, not to specific columns or roles. Option B is wrong because authorized views can filter rows or columns, but they require creating a separate view and granting access to it, which is more complex and less granular than native column-level security; also, authorized views do not enforce role-based access on the base table. Option C is wrong because row-level access policies control which rows a user can see, not which columns; they cannot hide a specific column like SSN from unauthorized users.

450
MCQeasy

Your company runs a production application on Google Kubernetes Engine (GKE) with a Regional cluster. The application uses a custom domain with TLS certificates that are stored as Kubernetes secrets and mounted into the ingress. The certificates expire every 90 days and are currently renewed manually by a DevOps engineer. Last week, the certificate expired, causing an outage until it was renewed. Management requires an automated solution to renew certificates before expiration. The team wants to minimize changes to the existing architecture and avoid additional costs. What should you do?

A.Configure Cloud Load Balancing with a Google-managed SSL certificate and update the DNS to point to the load balancer IP.
B.Deploy cert-manager on the GKE cluster and configure it with an Issuer or ClusterIssuer to automatically obtain and renew certificates from Let's Encrypt.
C.Set up Cloud DNS to automatically respond to ACME HTTP-01 challenges and configure the ingress to use certificates from a public CA.
D.Store the certificate and private key in Cloud Secret Manager and configure the ingress to reference the secrets via the Secret Manager CSI driver.
AnswerB

cert-manager fully automates certificate lifecycle and stores certificates as Kubernetes secrets, matching the existing architecture.

Why this answer

Option B is correct because cert-manager is a native Kubernetes add-on that automates the lifecycle of TLS certificates from public CAs like Let's Encrypt. It integrates directly with GKE Ingress and can handle ACME HTTP-01 or DNS-01 challenges without altering the existing architecture or incurring additional cloud costs, as it runs within the cluster.

Exam trap

Google Cloud often tests the distinction between certificate storage solutions (like Secret Manager) and automated renewal mechanisms (like cert-manager), leading candidates to choose a storage-only option that does not solve the renewal problem.

How to eliminate wrong answers

Option A is wrong because switching to a Google-managed SSL certificate requires changing the load balancer configuration and DNS records, which modifies the existing architecture and may incur additional costs for the load balancer. Option C is wrong because Cloud DNS alone cannot automatically respond to ACME HTTP-01 challenges; the challenge response must be served by the ingress controller, and this option does not provide an automated renewal mechanism. Option D is wrong because storing certificates in Cloud Secret Manager and using the CSI driver only centralizes secret storage but does not automate the renewal process; certificates would still need to be manually updated before expiry.
