Google Professional Cloud Security Engineer (PCSE) — Questions 451-500

500 questions total · 7 pages · All types, answers revealed

Page 7 of 7

451
MCQ · medium

A security engineer is reviewing an IAM policy for a Cloud Storage bucket. The engineer wants to ensure that the service account 'sa@project.iam.gserviceaccount.com' can only read objects. What is the current effective permission?

A. The service account has objectCreator access by default.
B. The service account has objectViewer access as assigned.
C. The service account has no access because the policy is incomplete.
D. The service account has objectAdmin access because it is not explicitly denied.
Answer: B

The policy explicitly grants roles/storage.objectViewer to the service account, and that role carries only read permissions (storage.objects.get and storage.objects.list).

Why this answer

Option B is correct because the service account appears in an objectViewer binding, which allows read-only access to objects. Option A is incorrect because no role is granted "by default"; objectCreator would have to appear in a binding. Option C is incorrect because a binding that names the member and a role is complete; no explicit deny is needed for a grant to take effect. Option D is incorrect because IAM grants are additive: the absence of a deny never confers a role, so objectAdmin applies only if it is bound to the account.

Practitioner check: a bucket's effective access is the union of bindings at organization, folder, project and bucket level, plus legacy object ACLs unless uniform bucket-level access is enabled. Verify with `gcloud storage buckets get-iam-policy gs://BUCKET` and the IAM Policy Troubleshooter rather than reading a single policy document in isolation.

452
Multi-Select · easy

A company needs to grant a service account the ability to manage Compute Engine instances (start, stop, create) in a specific set of projects. The administrator wants to follow the principle of least privilege. Which TWO steps should the administrator take? (Choose TWO.)

Select 2 answers
A. Grant the predefined roles/compute.viewer role to the service account at the folder level.
B. Use Cloud IAP to tunnel into Compute Engine instances to perform management tasks.
C. Use IAM Conditions to restrict the service account's access to only the required projects or resources.
D. Grant the predefined roles/compute.admin role to the service account at the organization level.
E. Create a custom IAM role with compute.instances.start, compute.instances.stop, and compute.instances.create permissions and assign it to the service account at the project level.
Answers: C, E

Correct: a custom role carries only the permissions the task needs, and IAM Conditions limit where a binding applies when it has to be granted above the project level.

Why this answer

Option E is correct because a custom role built from compute.instances.start, compute.instances.stop and compute.instances.create, bound in each target project, grants exactly the management actions required and nothing else. Option C is correct because IAM Conditions (for example a condition on resource.name) let the administrator scope a binding made at the folder or organization level to the designated projects or instances, so the service account cannot act elsewhere in the hierarchy.

Practitioner check: creating an instance needs more than compute.instances.create in practice (at least compute.disks.create for the boot disk and compute.subnetworks.use on the chosen subnet), so test the custom role against a real create before rolling it out, and keep the binding at project level unless it genuinely has to be shared across projects.

Exam trap

Google Cloud often tests the distinction between IAM Conditions and folder/organization-level roles; candidates mistakenly choose broad roles like compute.admin at the organization level instead of using conditions or custom roles to scope permissions.

How to eliminate wrong answers

Option A is wrong because compute.viewer is read-only and cannot start, stop or create instances. Option B is wrong because IAP TCP forwarding is an access path to an instance's ports, not an IAM grant; it does not give the service account the Compute Engine API permissions it needs. Option D is wrong because compute.admin at the organization level grants full control of Compute Engine in every project, the opposite of least privilege.

453
MCQ · medium

A company runs a GKE cluster in a private cluster mode (no public endpoint) in a custom VPC. The cluster nodes are in a subnet that uses a secondary IP range for pods. The company needs the pods to access an on-premises service over a Cloud VPN connection that terminates in a different region. The on-premises service IP range is 10.100.0.0/16. The VPC has a route for 10.100.0.0/16 pointing to the VPN gateway. However, pods cannot reach the on-premises service. The GKE cluster is configured with a Cloud NAT for outbound internet access. The pod IP range is 10.200.0.0/16. Which step is required to allow pod traffic to reach the on-premises network?

A. Configure Cloud NAT to also translate pod IPs to the node IPs for on-premises traffic.
B. Add a static route in the VPC for the pod IP range (10.200.0.0/16) with next hop set to the VPN gateway.
C. Disable IP masquerade in the GKE cluster to use pod IPs directly.
D. Create a firewall rule allowing traffic from the pod IP range to the on-premises IP range.
Answer: B

Correct: this puts the pod range into the VPN routing configuration, so pod traffic is carried through the tunnel and the on-premises side has a path back.

Why this answer

The VPC already has a route for the on-premises range (10.100.0.0/16) pointing at the VPN gateway, so the outbound half of the path exists. The pods, however, use addresses from the subnet's secondary range (10.200.0.0/16), which is separate from the node range, and nothing in the exhibit carries that range across the VPN. Adding the route for 10.200.0.0/16 toward the VPN gateway (option B) makes the pod range part of the VPN routing configuration, so pod traffic is forwarded through the tunnel and the on-premises routers learn the pod subnet and can route return traffic back.

Practitioner check: when debugging this for real, confirm three things. First, the tunnel carries the pod range: policy-based Classic VPN tunnels need 10.200.0.0/16 in their local traffic selector, while HA VPN with Cloud Router advertises a subnet's secondary ranges by default. Second, the on-premises router has a return route for 10.200.0.0/16. Third, because the VPN terminates in a different region from the nodes, the VPC's dynamic routing mode must be global for routes learned by that Cloud Router to apply in the cluster's region. GKE's ip-masq-agent does not masquerade traffic to RFC 1918 destinations by default, so 10.100.0.0/16 sees the pod IPs, which is exactly why the return route matters.

Exam trap

Google Cloud often tests the misconception that firewall rules or NAT configuration are the primary solution for connectivity issues, when in fact the missing route for the pod IP range is the root cause.

How to eliminate wrong answers

Option A is wrong because Cloud NAT only translates traffic whose route leads to the default internet gateway; it does not apply to traffic leaving through a VPN tunnel, and NATing VPN traffic would only hide the pod addresses the on-premises side needs to see. Option C is wrong because pod traffic to RFC 1918 destinations is already sent with pod IPs; changing the masquerade setting does not create the missing route. Option D is wrong because firewall rules decide whether traffic is permitted once it is routed; they cannot fix traffic that never reaches the VPN gateway, and the implied allow-egress rule already permits the outbound packets.

454
MCQ · medium

A security operations team is using Cloud Audit Logs to investigate a suspicious data export from a Cloud Storage bucket. They need to see which user accessed a specific object and when. Which log type should they examine?

A. Data Access logs
B. Policy Denied logs
C. System Event logs
D. Admin Activity logs
Answer: A

Data Access audit logs record reads and writes of objects (for example storage.objects.get) together with the principal and timestamp; Admin Activity logs record configuration changes, not data access.

Why this answer

Data Access logs record object-level operations on Cloud Storage, such as storage.objects.get and storage.objects.list, with protoPayload.authenticationInfo.principalEmail and the resource name of the object. Admin Activity logs only cover configuration changes such as bucket creation or IAM policy updates, Policy Denied logs record requests blocked by a security policy such as VPC Service Controls, and System Event logs record actions Google systems take on your resources.

Practitioner check: Cloud Storage Data Access logs are not written by default. If they were not enabled on the project or bucket before the export happened, the read is not in Cloud Logging at all; in that case the only per-request evidence is Cloud Storage usage logs, if those were configured.

455
MCQ · medium

An administrator wants to enforce that a user can only create virtual machines in a specific subnet of a VPC network. What IAM condition should be added to the compute.instanceAdmin role binding?

A. resource.name == "projects/PROJECT_ID/regions/us-central1/subnetworks/SUBNET"
B. resource.name == "projects/PROJECT_ID/subnetworks/SUBNET"
C. api.getAttribute("compute.googleapis.com/zone", "") != "us-central1"
D. resource.subnetwork == "projects/PROJECT_ID/subnetworks/SUBNET"
Answer: A

This condition restricts the binding to the specific subnet by its full resource name, which for a subnetwork includes the region.

Why this answer

Option A is correct because `resource.name` is the condition attribute that identifies the resource a request acts on, and a subnetwork's full resource name has the form `projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET`. A binding with this condition applies only when the request's resource is that subnet, which is how the exam expects the subnet-level constraint to be expressed.

Practitioner check: creating an instance requires compute.subnetworks.use on the chosen subnet, and that check is made against the subnetwork resource. The dependable way to confine a user to one subnet is therefore to grant roles/compute.networkUser on that subnet only (subnet-level IAM is available with Shared VPC) while the instance-level role is granted without it; whatever you choose, confirm the result with the IAM Policy Troubleshooter before relying on it.

Exam trap

Google Cloud often tests the distinction between the correct condition attribute (`resource.name`) and incorrect ones like `resource.subnetwork` or zone-based attributes, exploiting the common misconception that subnet restrictions can be applied via zone or a short subnet name without the full hierarchical resource path.

How to eliminate wrong answers

Option B is wrong because the resource name of a subnet must include the region (`regions/us-central1/subnetworks/SUBNET`); `projects/PROJECT_ID/subnetworks/SUBNET` names nothing, so the condition never matches. Option C is wrong because `api.getAttribute("compute.googleapis.com/zone", "")` reads the zone, not the subnet, and `!= "us-central1"` would exclude a zone rather than restrict creation to a subnet (and "us-central1" is a region name, not a zone). Option D is wrong because `resource.subnetwork` is not a valid IAM condition attribute; the resource attributes available in conditions are `resource.name`, `resource.type` and `resource.service`.

456
Drag & Drop · medium

Drag and drop the steps to configure a Cloud NAT for private VM instances in the correct order.

Why this order

Cloud NAT is configured in this sequence: create a Cloud Router in the region of the subnet; create the NAT gateway on that router; select the subnets (and which of their IP ranges) the gateway serves; confirm the VMs have no external IP addresses, since instances with an external address bypass the gateway; then test outbound connectivity from a private VM. Enabling NAT logging on the gateway at creation time makes that final test observable in Cloud Logging.

457
MCQ · medium

A Dataflow job launched by service account 'my-sa@...' fails with permission denied. The audit log shows the above entry. What missing role is causing the failure?

A. roles/iam.workloadIdentityUser on the worker service account
B. roles/iam.serviceAccountUser on the worker service account
C. roles/iam.serviceAccountAdmin on the worker service account
D. roles/iam.serviceAccountTokenCreator on the worker service account
Answer: B

roles/iam.serviceAccountUser grants iam.serviceAccounts.actAs, the permission a principal needs to launch workloads that run as another service account.

Why this answer

Dataflow runs the pipeline's workers as the worker service account, so whoever launches the job (here the launching service account 'my-sa@...') must be allowed to act as that identity. That permission, iam.serviceAccounts.actAs, is carried by roles/iam.serviceAccountUser, granted on the worker service account itself. Without it the job-creation call is rejected with PERMISSION_DENIED before any worker starts.

Practitioner check: grant the role on the worker service account, not on the project, so the launcher can impersonate only that account: `gcloud iam service-accounts add-iam-policy-binding WORKER_SA --member=serviceAccount:my-sa@... --role=roles/iam.serviceAccountUser`. The audit log entry for the failure lists the missing permission under protoPayload.authorizationInfo with granted: false.

Exam trap

Google Cloud often tests the distinction between roles that grant administrative control (serviceAccountAdmin) and roles that grant impersonation (serviceAccountUser); candidates pick serviceAccountAdmin thinking it includes all permissions, but it does not include actAs.

How to eliminate wrong answers

Option A is wrong because roles/iam.workloadIdentityUser lets Kubernetes service accounts authenticate as a Google service account through Workload Identity; it is not involved in Dataflow worker impersonation. Option C is wrong because roles/iam.serviceAccountAdmin manages service accounts (create, delete, set their IAM policies) and is both excessive and insufficient: it does not carry iam.serviceAccounts.actAs. Option D is wrong because roles/iam.serviceAccountTokenCreator allows minting access tokens and signing as the service account for direct API impersonation, but launching Dataflow workers is authorized through actAs, not token creation.

458
MCQ · hard

Refer to the exhibit. You are analyzing the IAM policy for a project. You need to ensure that only authenticated users can access objects in bucket1 under the prefix "reports/". Which of the following statements is correct?

A. The condition on objectViewer also prevents alice from listing objects under reports/.
B. The service account sa-1 can view objects under reports/ in bucket1.
C. Bob can view, create, and delete any object in bucket1.
D. Alice can only view objects under reports/ in bucket1.
Answer: C

Bob holds roles/storage.objectAdmin without a condition, which grants full control over every object in bucket1.

Why this answer

Option C is correct because the exhibit grants Bob roles/storage.objectAdmin on bucket1 with no condition attached, and that role carries storage.objects.get, list, create, update and delete. The condition restricting access to the "reports/" prefix is attached to Alice's objectViewer binding; an IAM condition narrows only the binding it belongs to, so Bob's unconditioned binding is unaffected and he has full access to every object in the bucket.

Exam trap

Google Cloud often tests the misconception that a condition applied to one role binding restricts all other role bindings on the same resource, leading candidates to assume that Bob's objectAdmin role is limited by the condition on Alice's objectViewer binding.

How to eliminate wrong answers

Option A is wrong because the condition narrows which objects Alice's objectViewer binding covers; it is not a deny and it says nothing about anyone else. When you build such a binding yourself, remember that storage.objects.list is authorized against the bucket resource rather than an object name, so confirm with the Policy Troubleshooter whether a prefix-scoped binding lets the user list at all instead of assuming it. Option B is wrong because sa-1 does not appear in any binding in the exhibit; with no binding there is no access. Option D is wrong in this item's key because it is an incomplete description of Alice's access: the same condition also governs whether she can list, so "only view objects under reports/" does not fully state her effective permissions, whereas option C is a complete and accurate statement.
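As an added example (not part of the exam page and not Google code), the evaluator below models how IAM bindings and `resource.name` conditions combine for the policies in questions 451 and 458: each binding contributes its role's permissions only when its condition holds for the resource being accessed, and bindings never subtract from one another. The policy document, member names and the role-to-permission table are constructed for the illustration, and the `==` form it parses is the one used in question 455. It also makes the listing point concrete: storage.objects.list is evaluated against the bucket's resource name, which does not start with an object prefix.

```python
"""Evaluate who gets which Cloud Storage permissions from an IAM policy.

Added example: models role -> permission expansion for three predefined
roles and the two CEL condition forms on this page. Real IAM also merges
bindings inherited from project, folder and organization; this sees one
policy document only.
"""
import re
from typing import Callable, Dict, Optional, Set

# Subset of the real role definitions, enough for the scenarios on this page.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create",
        "storage.objects.update", "storage.objects.delete",
    },
}

_STARTS_WITH = re.compile(r'^resource\.name\.startsWith\("([^"]*)"\)$')
_EQUALS = re.compile(r'^resource\.name\s*==\s*"([^"]*)"$')


def compile_condition(expression: Optional[str]) -> Callable[[str], bool]:
    """Return a predicate over the accessed resource name for one binding."""
    if expression is None:
        return lambda _name: True  # unconditional binding applies everywhere
    expression = expression.strip()
    m = _STARTS_WITH.match(expression)
    if m:
        prefix = m.group(1)
        return lambda name: name.startswith(prefix)
    m = _EQUALS.match(expression)
    if m:
        wanted = m.group(1)
        return lambda name: name == wanted
    raise ValueError(f"unsupported condition expression: {expression!r}")


def effective_permissions(policy: dict, member: str, resource_name: str) -> Set[str]:
    """Union of permissions from every binding that names `member` and whose
    condition holds for `resource_name`. A condition on one binding never
    narrows a different binding for the same member."""
    granted: Set[str] = set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        condition = binding.get("condition")
        holds = compile_condition(condition["expression"] if condition else None)
        if holds(resource_name):
            granted |= ROLE_PERMISSIONS.get(binding["role"], set())
    return granted


def allowed(policy: dict, member: str, permission: str, resource_name: str) -> bool:
    return permission in effective_permissions(policy, member, resource_name)


def object_name(bucket: str, obj: str) -> str:
    """resource.name as Cloud Storage presents an object to IAM conditions."""
    return f"projects/_/buckets/{bucket}/objects/{obj}"


def bucket_name(bucket: str) -> str:
    """resource.name for bucket-level checks such as storage.objects.list."""
    return f"projects/_/buckets/{bucket}"


# Constructed policy mirroring the exhibits described in questions 451 and 458.
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {
            "role": "roles/storage.objectViewer",
            "members": ["user:alice@example.com"],
            "condition": {
                "title": "reports prefix only",
                "expression": 'resource.name.startsWith("projects/_/buckets/bucket1/objects/reports/")',
            },
        },
        {"role": "roles/storage.objectAdmin", "members": ["user:bob@example.com"]},
        {
            "role": "roles/storage.objectViewer",
            "members": ["serviceAccount:sa@project.iam.gserviceaccount.com"],
        },
    ],
}

if __name__ == "__main__":
    checks = [
        ("user:alice@example.com", "storage.objects.get", object_name("bucket1", "reports/q1.csv")),
        ("user:alice@example.com", "storage.objects.get", object_name("bucket1", "public/index.html")),
        ("user:alice@example.com", "storage.objects.list", bucket_name("bucket1")),
        ("user:bob@example.com", "storage.objects.delete", object_name("bucket1", "public/index.html")),
        ("serviceAccount:sa@project.iam.gserviceaccount.com", "storage.objects.delete",
         object_name("bucket1", "reports/q1.csv")),
    ]
    for member, perm, res in checks:
        print(f"{member:52} {perm:24} {res:60} -> {allowed(SAMPLE_POLICY, member, perm, res)}")
```

Running it shows Alice reading reports/q1.csv but not public/index.html, the list check on the bucket failing for her because the bucket's resource name has no object prefix, Bob deleting anything, and the service account limited to get and list.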

459
MCQ · easy

Your organization has a VPC with several subnets hosting Compute Engine instances. You need to allow SSH access (port 22) to instances in the 'management' subnet from the internet, but only from the office's static IP range (203.0.113.0/24). All other ingress traffic to that subnet should be blocked. Which firewall rule configuration should you create?

A. Create an ingress rule with target tag 'management', source IP range 0.0.0.0/0, protocol tcp:22, action allow
B. Create an ingress rule with target tag 'management', source IP range 203.0.113.0/24, protocol tcp:22, action deny
C. Create an ingress rule with target tag 'management', source IP range 203.0.113.0/24, protocol tcp:22, action allow
D. Create an ingress rule with target tag 'management', source IP range 203.0.113.0/24, protocol all, action allow
Answer: C

Correct: targets the subnet's instances via tag and allows SSH only from the office range; the implied deny-ingress rule drops everything else.

Why this answer

Option C is correct because it creates an ingress firewall rule that explicitly allows TCP port 22 from the office's static IP range (203.0.113.0/24) to instances tagged 'management'. Every VPC network has an implied deny-ingress rule at the lowest precedence (priority 65535) that blocks any ingress no allow rule matches, so this single allow rule satisfies the requirement: only SSH from the office range is permitted and all other ingress is implicitly dropped.

Practitioner check: the implied deny only holds if no other allow rule matches. The auto-created default network ships with default-allow-ssh (tcp:22 from 0.0.0.0/0 at priority 1000), which would reopen port 22 to the internet; list the rules with `gcloud compute firewall-rules list --sort-by=priority` and delete or outrank any such rule. The target tag is only a stand-in for "instances in the subnet": every instance in the management subnet must carry it, or the rule must target them another way.

Exam trap

Google Cloud often tests the misconception that you need both an allow rule and a separate deny rule to block other traffic, but the implied deny-ingress rule already blocks everything not explicitly allowed, so only the allow rule is required.

How to eliminate wrong answers

Option A is wrong because it allows SSH from any source IP (0.0.0.0/0), which violates the requirement to restrict access to the office's static IP range. Option B is wrong because it denies the very traffic that should be permitted; rules are evaluated in priority order (lower number first), and when an allow and a deny share a priority the deny wins, so this rule would never let the office in. Option D is wrong because it allows all protocols (not just tcp:22) from the office range, which permits unnecessary traffic (for example HTTP or RDP) and violates the requirement to block all other ingress to the management subnet.

460
MCQ · medium

A healthcare organization is migrating to Google Cloud and needs to ensure that all data stored in Cloud Storage is encrypted at rest with customer-managed encryption keys (CMEK) to meet HIPAA requirements. The security team wants to centrally manage key rotation and access. Which solution should they implement?

A. Use Cloud Data Loss Prevention (DLP) to de-identify data before storing.
B. Use Cloud Hardware Security Module (Cloud HSM) with CMEK.
C. Use Cloud Key Management Service (Cloud KMS) with CMEK and enable key rotation.
D. Use customer-supplied encryption keys (CSEK) stored in Cloud Storage.
Answer: C

Cloud KMS provides centralized key management with scheduled rotation and IAM-controlled access, and integrates with Cloud Storage for CMEK.

Why this answer

Option C is correct because Cloud KMS with CMEK allows the organization to centrally manage the encryption keys, including a rotation schedule on the key and IAM control over who can use it, while keeping the keys under customer control. Cloud Storage integrates directly with Cloud KMS: a bucket can be given a default CMEK so every new object is encrypted under it, and access to the data can be cut off by disabling the key.

Practitioner check: the Cloud Storage service agent for the project needs roles/cloudkms.cryptoKeyEncrypterDecrypter on the key, and rotation only changes the primary version for new writes; existing objects stay under the version that wrote them until rewritten.

Exam trap

Candidates may confuse Cloud HSM with Cloud KMS, thinking hardware-backed keys are required for HIPAA compliance, but Cloud KMS with CMEK alone satisfies the requirement for customer-managed keys and rotation without the added cost of HSM-backed keys.

How to eliminate wrong answers

Option A is wrong because Cloud DLP is for discovering and de-identifying sensitive data, not for managing encryption keys or providing encryption at rest with customer-managed keys. Option B is wrong because Cloud HSM is a protection level for Cloud KMS keys (FIPS 140-2 Level 3 hardware) used through the same KMS API; it is a valid choice when policy demands hardware-backed keys, but the question asks for central rotation and access management, which Cloud KMS provides at either protection level. Option D is wrong because with CSEK the customer supplies the raw key on every request and Google stores only a hash of it; Cloud Storage never stores the key, so there is no central place to rotate keys or manage access to them, and losing the key makes the data unrecoverable.

461
Multi-Select · medium

A company wants to audit all changes to IAM policies in their organization. They need to set up logging to capture these changes. Which TWO steps should they take? (Choose TWO.)

Select 2 answers
A. Enable Admin Activity audit logs for each individual project.
B. Enable System Event audit logs for the organization.
C. Enable Data Access audit logs for the organization.
D. Enable Admin Activity audit logs for the organization.
E. Configure a log sink to export these logs to BigQuery for analysis.
Answers: D, E

Admin Activity audit logs record IAM policy changes (SetIamPolicy and the per-service equivalents), are always on, and cannot be disabled; an organization-level aggregated sink exports them for long-term analysis.

Why this answer

Admin Activity audit logs record operations that modify the configuration or metadata of resources, and every IAM policy change (SetIamPolicy on an organization, folder or project, storage.setIamPermissions on a bucket, and so on) is written there. They are always enabled and cannot be turned off, so the practical step is not switching them on but collecting them at the organization level (D), which covers every folder and project below it. A log sink (E) created at the organization level with --include-children routes those entries to BigQuery (or to Cloud Storage when retention is the goal) so the team can query who changed which policy and when, beyond the 400-day retention of the _Required log bucket.

Practitioner check: an aggregated sink is created with `gcloud logging sinks create SINK_NAME bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET --organization=ORG_ID --include-children --log-filter='protoPayload.methodName=~"(?i)setiampolicy" OR protoPayload.methodName="storage.setIamPermissions"'`; the sink's writer identity then needs write access to the dataset.

Exam trap

Google Cloud often tests the distinction between audit log types; candidates confuse System Event logs (actions Google systems take on resources) with Admin Activity logs, or assume that handling logs project by project is equivalent to collecting them at the organization level.

How to eliminate wrong answers

Option A is wrong because per-project handling leaves gaps as projects are created and provides no single audit trail. Option B is wrong because System Event logs record Google-initiated changes such as live migration, not policy edits. Option C is wrong because Data Access logs record reads and writes of data, and reading a policy (GetIamPolicy) is logged there as an Admin Read event, but policy changes are Admin Activity.
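Added example, not from the exam page: a small triage script that answers the questions asked in 454 (who read an object and when), 457 (which permission was denied) and 461 (who changed an IAM policy) from audit log entries exported as JSON lines, as a log sink to Cloud Storage or a `gcloud logging read --format=json` dump would produce. The log lines are constructed to follow the Cloud Audit Logs schema (logName, protoPayload.methodName, resourceName, authenticationInfo, authorizationInfo, status); the project, bucket and principal names are made up, and the Logs Explorer queries at the end use PROJECT_ID as a placeholder.

```python
"""Triage Cloud Audit Logs entries exported as JSON, one LogEntry per line.

Added example with constructed sample data (not real log output).
"""
import json
from typing import Dict, Iterable, List, Tuple

DATA_ACCESS = "cloudaudit.googleapis.com%2Fdata_access"
ADMIN_ACTIVITY = "cloudaudit.googleapis.com%2Factivity"


def _entry(kind, ts, service, method, resource, principal, **extra) -> str:
    """Build one constructed LogEntry line in the Cloud Audit Logs shape."""
    payload = {"serviceName": service, "methodName": method, "resourceName": resource,
               "authenticationInfo": {"principalEmail": principal}, **extra}
    return json.dumps({"logName": f"projects/demo-project/logs/{kind}",
                       "timestamp": ts, "protoPayload": payload})


SAMPLE_LOG_LINES = [
    _entry(DATA_ACCESS, "2024-03-01T09:15:02Z", "storage.googleapis.com", "storage.objects.get",
           "projects/_/buckets/bucket1/objects/reports/q1.csv", "alice@example.com"),
    _entry(DATA_ACCESS, "2024-03-01T09:20:44Z", "storage.googleapis.com", "storage.objects.get",
           "projects/_/buckets/bucket1/objects/public/index.html", "bob@example.com"),
    _entry(ADMIN_ACTIVITY, "2024-03-01T10:02:10Z", "cloudresourcemanager.googleapis.com",
           "SetIamPolicy", "projects/demo-project", "admin@example.com"),
    _entry(ADMIN_ACTIVITY, "2024-03-01T10:05:31Z", "storage.googleapis.com",
           "storage.setIamPermissions", "projects/_/buckets/bucket1", "admin@example.com"),
    # The question-457 failure: the launcher lacks actAs on the worker service account.
    _entry(DATA_ACCESS, "2024-03-01T11:40:05Z", "dataflow.googleapis.com",
           "dataflow.projects.locations.jobs.create",
           "projects/demo-project/locations/us-central1/jobs",
           "launcher@demo-project.iam.gserviceaccount.com",
           status={"code": 7, "message": "PERMISSION_DENIED"},
           authorizationInfo=[{"permission": "iam.serviceAccounts.actAs", "granted": False,
                               "resource": "projects/-/serviceAccounts/worker@demo-project.iam.gserviceaccount.com"}]),
]


def parse_entries(lines: Iterable[str]) -> List[Dict]:
    return [json.loads(line) for line in lines if line.strip()]


def _payload(entry: Dict) -> Dict:
    return entry.get("protoPayload", {})


def _principal(entry: Dict) -> str:
    return _payload(entry).get("authenticationInfo", {}).get("principalEmail", "")


def object_access_events(entries, bucket: str, obj: str) -> List[Tuple[str, str, str]]:
    """Who touched one object and when. Only Data Access logs carry object reads."""
    target = f"projects/_/buckets/{bucket}/objects/{obj}"
    return [(e["timestamp"], _principal(e), _payload(e)["methodName"])
            for e in entries
            if e["logName"].endswith(DATA_ACCESS) and _payload(e).get("resourceName") == target]


def iam_policy_changes(entries) -> List[Tuple[str, str, str]]:
    """IAM policy edits land in Admin Activity logs; the method name varies per service."""
    return [(e["timestamp"], _principal(e), _payload(e).get("resourceName", ""))
            for e in entries
            if e["logName"].endswith(ADMIN_ACTIVITY)
            and "setiam" in _payload(e).get("methodName", "").lower()]


def denied_permissions(entries) -> List[Tuple[str, str, str]]:
    """PERMISSION_DENIED entries (status code 7) with the ungranted permission and resource."""
    found = []
    for e in entries:
        p = _payload(e)
        if p.get("status", {}).get("code") != 7:
            continue
        for auth in p.get("authorizationInfo", []):
            if not auth.get("granted", False):
                found.append((_principal(e), auth["permission"], auth.get("resource", "")))
    return found


# Equivalent Logs Explorer queries for a live project (PROJECT_ID is a placeholder).
QUERY_OBJECT_READS = (
    'logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access"\n'
    'protoPayload.methodName="storage.objects.get"\n'
    'protoPayload.resourceName="projects/_/buckets/bucket1/objects/reports/q1.csv"'
)
QUERY_IAM_CHANGES = (
    'logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"\n'
    'protoPayload.methodName=~"(?i)setiam"'
)

if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG_LINES)
    print("object reads:", object_access_events(entries, "bucket1", "reports/q1.csv"))
    print("IAM changes: ", iam_policy_changes(entries))
    print("denied:      ", denied_permissions(entries))
```

The object read shows up only because it is a Data Access entry; the two policy edits come from Admin Activity, and the denied entry points straight at the missing iam.serviceAccounts.actAs grant on the worker service account.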

462
Multi-Select · hard

Which THREE components are required to configure VPC Flow Logs for a Compute Engine instance?

Select 3 answers
A. Enable VPC Flow Logs on the subnet
B. The VM's service account must have the compute.instances.get permission
C. A log sink to export logs to BigQuery
D. A VM with a network interface in the subnet
E. A metadata server to store logs
Answers: A, B, D

Flow logs are enabled per subnet and written to Cloud Logging automatically.

Why this answer

VPC Flow Logs are enabled per subnet (A); turning them on samples the traffic of every VM network interface in that subnet and writes the records to Cloud Logging without any export configuration. A VM with a network interface in the subnet (D) is necessary because flow records are generated per interface; with no interface there is nothing to log. The key also lists the VM service account's compute.instances.get permission (B).

Practitioner caveat: VPC Flow Logs are sampled by the network virtualization layer, not by an agent inside the guest, so in production there is no VM-side software and no permission on the VM's service account involved in collection. What you need is the subnet setting, an interface producing traffic, and logging.logEntries.list (for example roles/logging.viewer) on the project to read the results. Treat option B as this item's key rather than as a real dependency.

Exam trap

Google Cloud often tests the misconception that a log sink or external export destination is a required component for VPC Flow Logs, when in fact the logs are stored natively in Cloud Logging and exporting is optional.

463
Drag & Drop · medium

Drag and drop the steps to rotate a customer-managed encryption key (CMEK) in Cloud KMS in the correct order.

Why this order

Rotation creates a new key version and makes it the primary version (manually, or on a rotation schedule set on the key); new encrypt operations then use that version. Resources that reference the key by its key resource name, such as a Cloud Storage bucket's default CMEK, pick up the new primary automatically, but data already written stays encrypted under the version that wrote it. Verify that new writes use the new version, re-encrypt or rewrite older data if policy requires it, and only then disable and eventually destroy the old versions; destroying a version that still protects data makes that data unreadable.

464
Multi-Select · easy

A security engineer is configuring Cloud Armor to protect a global external HTTP(S) Load Balancer. Which TWO of the following are valid Cloud Armor security policies? (Choose two.)

Select 2 answers
A. Web Security Scanner scan rule
B. Signed URL policy
C. Preconfigured Identity-Aware Proxy (IAP) rule
D. Preconfigured OWASP Top 10 rules
E. Custom rule with rate limiting based on IP
Answers: D, E

Cloud Armor security policies are built from preconfigured WAF rules and custom rules, including rate-limiting rules keyed on client IP.

Why this answer

Option D is correct because Cloud Armor ships preconfigured WAF rule sets derived from the OWASP ModSecurity Core Rule Set (SQL injection, cross-site scripting, local and remote file inclusion, remote code execution and others). They are versioned, for example sqli-v33-stable, and referenced from a policy rule with evaluatePreconfiguredWaf(), with a sensitivity level that trades coverage against false positives. Option E is correct because rate-based rules are a native policy rule type: a throttle or rate-based-ban action with a request threshold per interval, enforced on the client IP by default, is defined and attached like any other rule.

Practitioner check: deploy new rules in preview mode first and read the cloud-armor entries in the load balancer logs before enforcing, since preconfigured rules at high sensitivity commonly match legitimate traffic.

Exam trap

Google Cloud often tests the distinction between Cloud Armor security policies and other security services (IAP, signed URLs, Web Security Scanner); the trap is confusing access-control or URL-signing mechanisms with Cloud Armor's edge WAF and rate-limiting rule engine.

How to eliminate wrong answers

Option A is wrong because Web Security Scanner is an application vulnerability scanner, not a Cloud Armor rule type. Option B is wrong because signed URLs belong to Cloud CDN and Cloud Storage, not to Cloud Armor. Option C is wrong because IAP is an identity-based access layer configured on the backend service; there is no IAP rule in a Cloud Armor policy.

465
MCQ · medium

Refer to the exhibit. A developer working from a workstation with IP 203.0.113.5 cannot SSH to a VM in the my-vpc network. Which firewall rule is most likely blocking the connection?

A. allow-ssh-from-bastion
B. deny-ssh-all
C. default-allow-http
D. default-allow-ssh
Answer: B

This rule denies SSH from all sources at a higher precedence (lower priority number) than any allow rule, so it blocks all SSH traffic.

Why this answer

Option B is correct because deny-ssh-all has priority 200, which is evaluated before the allow rules at 500 and 1000 (in Google Cloud a lower number means higher precedence), and it matches tcp:22 from 0.0.0.0/0. Once it matches, evaluation stops and the later allow rules never apply. allow-ssh-from-bastion would only have permitted SSH from 10.0.1.2 in any case, not from the developer's address, and default-allow-ssh at 1000 is outranked; default-allow-http covers port 80 and is irrelevant to SSH.

Practitioner check: `gcloud compute firewall-rules list --sort-by=priority` shows the evaluation order at a glance, and enabling Firewall Rules Logging on the deny rule records each blocked connection with the rule that matched, which is faster than reasoning from the table when several rules overlap.
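Added example, not from the exam page: a firewall evaluator that applies Google Cloud's ingress precedence (lowest priority number first, deny before allow at equal priority, implied deny-ingress at 65535) to rule sets constructed from the descriptions in questions 459 and 465. The rule names and priorities for 465 are taken from that item's explanation; the rule name for 459, the http-server tag and the other addresses are assumptions.

```python
"""Evaluate VPC firewall rules the way Google Cloud does for ingress traffic.

Added example with constructed rule sets. Rules are evaluated from the
lowest priority number (highest precedence) upward; the first match
decides; when an allow and a deny share a priority, the deny wins; the
implied deny-ingress rule at 65535 catches everything else.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    priority: int                                 # 0 (highest precedence) .. 65535
    source_ranges: Tuple[str, ...]
    protocol: str                                 # "tcp", "udp", "icmp" or "all"
    ports: Optional[Tuple[int, ...]] = None       # None: every port of the protocol
    target_tags: Optional[Tuple[str, ...]] = None  # None: applies to all instances


IMPLIED_DENY = Rule("implied-deny-ingress", "deny", 65535, ("0.0.0.0/0",), "all")


def matches(rule: Rule, src_ip: str, protocol: str, port: int, instance_tags: Set[str]) -> bool:
    if rule.target_tags is not None and not instance_tags.intersection(rule.target_tags):
        return False
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if rule.ports is not None and port not in rule.ports:
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(r) for r in rule.source_ranges)


def evaluate_ingress(rules: List[Rule], src_ip: str, protocol: str, port: int,
                     instance_tags=frozenset()) -> Tuple[str, str]:
    """Return (action, rule name) for one inbound packet to a tagged instance.
    Sorting by (priority, deny-first) reproduces the precedence order."""
    ordered = sorted(rules, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in ordered + [IMPLIED_DENY]:
        if matches(rule, src_ip, protocol, port, set(instance_tags)):
            return rule.action, rule.name
    raise AssertionError("unreachable: the implied deny matches everything")


# Constructed from the exhibit described in question 465.
Q465_RULES = [
    Rule("deny-ssh-all", "deny", 200, ("0.0.0.0/0",), "tcp", (22,)),
    Rule("allow-ssh-from-bastion", "allow", 500, ("10.0.1.2/32",), "tcp", (22,)),
    Rule("default-allow-ssh", "allow", 1000, ("0.0.0.0/0",), "tcp", (22,)),
    Rule("default-allow-http", "allow", 1000, ("0.0.0.0/0",), "tcp", (80,), ("http-server",)),
]

# The single rule that answers question 459, with no other allow rule present.
Q459_RULES = [
    Rule("allow-office-ssh", "allow", 1000, ("203.0.113.0/24",), "tcp", (22,), ("management",)),
]

if __name__ == "__main__":
    print(evaluate_ingress(Q465_RULES, "203.0.113.5", "tcp", 22))                  # deny-ssh-all
    print(evaluate_ingress(Q465_RULES, "10.0.1.2", "tcp", 22))                     # even the bastion is denied
    print(evaluate_ingress(Q459_RULES, "203.0.113.5", "tcp", 22, {"management"}))  # allow-office-ssh
    print(evaluate_ingress(Q459_RULES, "198.51.100.7", "tcp", 22, {"management"})) # implied deny
    # The same rule inside the default network: default-allow-ssh reopens port 22 to everyone.
    print(evaluate_ingress(Q459_RULES + [Q465_RULES[2]], "198.51.100.7", "tcp", 22, {"management"}))
```

The last line is the check question 459 quietly depends on: the answer is a single allow rule only when no broader allow rule, such as default-allow-ssh, sits in the same network.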

466
MCQ · hard

A large enterprise runs a streaming data pipeline using Dataflow to process events from Pub/Sub, apply aggregations with fixed windows, and write results to BigQuery. They are experiencing high costs and long processing times. The Dataflow job uses Streaming Engine, but the workers show high CPU utilization. The pipeline has autoscaling enabled, but the number of workers rarely increases. The team wants to reduce processing time and cost. What should they do?

A. Use a larger machine type for workers, such as n1-standard-8.
B. Increase the number of workers by setting maxNumWorkers higher.
C. Optimize the windowing interval to reduce data shuffling.
D. Switch from Streaming Engine to batch mode to reduce resource overhead.
Answer: C

Shorter windows, or windows aligned with the data's arrival pattern, reduce the state held per key and the volume shuffled, lowering CPU usage and improving throughput.

Why this answer

Optimizing the windowing interval reduces data shuffling and can improve performance without adding resources. Long windows keep more state per key, which increases CPU and memory demand on every worker. Option B is incorrect because raising maxNumWorkers may help, but the job is CPU-bound and already not scaling; more workers do not reduce CPU per worker if the cost is in shuffling. Option A is incorrect because larger machines increase cost and do not address the root cause. Option D is incorrect because switching to batch would not meet real-time requirements and changes the pipeline's semantics.

467
MCQ · hard

A company has a VPC network with a default route to the internet gateway. They want all egress traffic to go through a firewall appliance instead. They create a new route with a next hop to the appliance and a priority of 500. However, traffic is still going through the internet gateway. What is the most likely reason?

A. The new route has a higher tag specification that overrides
B. The new route's destination range is not 0.0.0.0/0
C. The appliance does not have IP forwarding enabled
D. The firewall appliance is in a different network
Answer: B

The default route covers all destinations; the new route must also be 0.0.0.0/0, with a lower priority number than the default route's 1000, to take over all egress.

Why this answer

The default route to the internet gateway has a destination of 0.0.0.0/0 at priority 1000. Route selection is longest prefix match first and priority second, so a new route with a narrower destination only captures traffic inside that prefix; everything else, in particular internet-bound traffic, still matches only the default route regardless of the new route's priority of 500. For the appliance route to take over all egress it must also be 0.0.0.0/0; its priority of 500 then beats 1000 for every instance the route applies to.

Exam trap

Google Cloud often tests the misconception that a lower priority number always wins, but priority is only compared among routes with the same prefix length; a route with a different destination prefix does not compete with the default route for traffic outside its prefix.

How to eliminate wrong answers

Option A is wrong because network tags on a route restrict which instances use it (only instances carrying one of the tags); tags never override priority, and a tagged route applies to fewer instances, not more. Option C is wrong because IP forwarding (canIpForward) on the appliance is needed for it to forward packets, but the symptom here is that the route to the appliance is never chosen; a forwarding problem would show as traffic reaching the appliance and dying there. Option D is wrong because a next-hop instance must be in the same VPC network as the route; the API rejects a route whose next hop is in another network, so such a route could not have been created.
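Added example, not from the exam page: the route-selection logic behind questions 453 and 467, longest prefix first and priority second, run over a constructed routing table. Route and next-hop names are assumptions. It shows the narrower appliance route of question 467 leaving internet traffic on the default route, the corrected 0.0.0.0/0 route capturing it, and the on-premises route of question 453 continuing to win for 10.100.0.0/16 because a longer prefix beats any priority.

```python
"""Pick the VPC route Google Cloud would use for a destination.

Added example with a constructed routing table. Selection is longest
prefix match first; among routes with the same prefix length the lowest
priority number wins; routes carrying network tags apply only to instances
that have one of those tags.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    name: str
    dest_range: str
    next_hop: str
    priority: int = 1000
    tags: Optional[Tuple[str, ...]] = None   # None: applies to every instance


def select_route(routes: List[Route], dest_ip: str, instance_tags=frozenset()) -> Optional[Route]:
    ip = ipaddress.ip_address(dest_ip)
    candidates = [
        r for r in routes
        if ip in ipaddress.ip_network(r.dest_range)
        and (r.tags is None or set(instance_tags).intersection(r.tags))
    ]
    if not candidates:
        return None
    # Longer prefix wins; then lower priority number; name only to make ties deterministic.
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r.dest_range).prefixlen,
                                          r.priority, r.name))


# Constructed routing table for the scenarios in questions 453 and 467.
BASE_ROUTES = [
    Route("subnet-nodes", "10.0.0.0/24", "local-subnet", priority=0),
    Route("subnet-pods", "10.200.0.0/16", "local-subnet", priority=0),
    Route("to-onprem", "10.100.0.0/16", "vpn-tunnel-us-east1"),
    Route("default-route", "0.0.0.0/0", "default-internet-gateway"),
]

# Question 467 as described: priority 500 but a narrower destination, so
# internet-bound traffic still matches only the default route.
WRONG_APPLIANCE_ROUTE = Route("egress-via-fw-wrong", "10.0.0.0/8", "fw-appliance", priority=500)
# The fix: the same 0.0.0.0/0 destination with a better (lower) priority number.
RIGHT_APPLIANCE_ROUTE = Route("egress-via-fw", "0.0.0.0/0", "fw-appliance", priority=500)

if __name__ == "__main__":
    for label, table in (("wrong", BASE_ROUTES + [WRONG_APPLIANCE_ROUTE]),
                         ("fixed", BASE_ROUTES + [RIGHT_APPLIANCE_ROUTE])):
        for dest in ("8.8.8.8", "10.100.7.7", "10.200.3.3"):
            r = select_route(table, dest)
            print(f"{label}: {dest:12} -> {r.name:20} via {r.next_hop}")
```

Adding tags to the appliance route is the usual way to send only some instances through inspection; the tagged variant in the test below shows untagged instances staying on the default route.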

468
Multi-Select · medium

A company must enforce that no data can be accessed from outside a specific set of Google Cloud projects. They want to ensure that only authorized services can communicate between projects. Which TWO controls should they implement? (Choose TWO.)

Select 2 answers
A. Access Context Manager
B. VPC Service Controls
C. Cloud Armor
D. Identity-Aware Proxy (IAP)
E. Cloud NAT
Answers: A, B

VPC Service Controls draw a service perimeter around the projects' API resources, and Access Context Manager supplies the access levels and policies that decide which requests may cross it.

Why this answer

VPC Service Controls place the projects in a service perimeter so that API access to protected services such as Cloud Storage and BigQuery is denied from outside it, regardless of IAM grants; ingress and egress rules on the perimeter decide which identities and projects may exchange data across the boundary. Access Context Manager defines the access levels (source IP ranges, device policy, identity) referenced by those rules and by the perimeter, so legitimate access from approved contexts still works.

How to eliminate wrong answers

Option C is wrong because Cloud Armor filters HTTP(S) traffic at the load balancer edge and does nothing for API access to storage or data services. Option D is wrong because IAP authenticates users in front of applications, not service-to-service API calls between projects. Option E is wrong because Cloud NAT provides outbound internet access for private instances and is unrelated to data-exfiltration boundaries.

469
MCQ · hard

During a security incident, the forensic team needs to capture the memory and disk state of a compromised Compute Engine VM without shutting it down. The VM is running a critical application and cannot be stopped. What is the best approach to gather forensic data?

A. Clone the VM and perform forensics on the clone while the original continues running.
B. Use gcloud compute ssh to connect and run a memory capture tool, then create a disk snapshot at the same time.
C. Take a snapshot of the disk while the VM is running, and use Cloud Memorystore to capture memory.
D. Stop the VM, take a snapshot of the disk, and then start the VM.
Answer: B

Memory can be acquired from the running guest with a Linux memory acquisition tool (for example AVML or LiME) over SSH, while a disk snapshot is taken concurrently; neither step requires stopping the VM.

Why this answer

Option B is correct because volatile memory exists only while the VM runs, so it has to be captured from inside the guest (via OS Login or gcloud compute ssh) with a memory acquisition tool, and the disk state can be captured at the same time with a snapshot (gcloud compute disks snapshot) without interrupting the application. Option A is incorrect because cloning (an image- or snapshot-based copy) reproduces the disk, not the contents of RAM; the clone boots with fresh memory. Option C is incorrect because Cloud Memorystore is a managed Redis/Memcached service and has nothing to do with a VM's memory. Option D is incorrect because stopping the VM destroys the memory state and violates the requirement not to stop the workload.

Practitioner check: a snapshot of a running disk is crash-consistent only; use fsfreeze or an application flush if consistency matters. Hash the memory image and the snapshot, restrict who can read them with IAM, and record that the SSH login itself altered memory, so the acquisition order and times belong in the notes. Isolating the VM with a firewall tag (while keeping the forensic path open) is normally the first step, not the last.

470
MCQ · medium

A company wants to allow employees to access a web application running on Google Kubernetes Engine (GKE) using their corporate Active Directory credentials. The application is exposed via an HTTPS load balancer. The Security Engineer needs to integrate identity federation and ensure that only authenticated users can reach the application. Which combination of services should be used?

A. Use Cloud Armor to allow only traffic from specific IP ranges and require client certificates.
B. Set up federation between Active Directory and Google Cloud using OIDC, and enable IAP on the load balancer.
C. Enable IAP and configure it to use Active Directory as an identity provider.
D. Configure Cloud Identity as the identity provider and use IAP.
Answer: B

IAP enforces sign-in at the load balancer, and federation is what lets a corporate Active Directory credential produce an identity IAP accepts.

Why this answer

Option B is correct because it combines federation between Active Directory and Google Cloud with Identity-Aware Proxy (IAP) on the load balancer's backend service. The federation (Cloud Identity with single sign-on to the corporate IdP, or Identity Platform configured with an OIDC provider in front of AD) turns AD credentials into an identity Google can verify; IAP then blocks every request that lacks a verified session and passes the authenticated identity to the application in signed headers, so the application is never reachable anonymously.

Exam trap

Google Cloud often tests the misconception that IAP can directly use any identity provider (raw Active Directory included) without an OIDC or SAML federation bridge, leading candidates to pick option C.

How to eliminate wrong answers

Option A is wrong because Cloud Armor with IP allow-lists and client certificates enforces network-level and mTLS access, not identity federation; it cannot authenticate a user by corporate AD credentials. Option C is wrong because IAP does not talk to Active Directory; it authenticates Google identities, or external identities through Identity Platform, which expects an OIDC or SAML provider (such as AD FS or Microsoft Entra ID in front of AD). Option D is wrong because Cloud Identity is Google's own identity service, not Active Directory; it can front IAP, but it only carries corporate AD credentials once federation (SAML SSO and directory sync) is set up, which the option omits.

471
MCQ · medium

A financial services company is required to retain audit logs for at least 7 years to comply with PCI-DSS. They have enabled Data Access audit logs for Cloud Audit Logs. However, after 6 months they notice that older logs are being automatically deleted. What is the most likely cause?

A. The default retention period for Cloud Audit Logs is 30 days, and logs are automatically deleted after that.
B. The log sink exporting to Cloud Storage has been deleted.
C. The log sink filter is incorrectly excluding certain log entries.
D. An IAM policy has revoked the Logs Viewer role for the security team.
Answer: A

Data Access audit logs go to the _Default log bucket, whose retention is 30 days unless changed; only Admin Activity and System Event logs land in the _Required bucket, which keeps them for 400 days.

Why this answer

Data Access audit logs are routed to the project's _Default log bucket, which retains entries for 30 days by default. After that they are deleted unless the bucket's retention is raised or the entries are routed elsewhere. Since the company enabled Data Access audit logs but changed nothing else, entries older than 30 days are purged, which matches the 6-month observation.

Practitioner check: for a 7-year requirement either raise the retention of the bucket (`gcloud logging buckets update _Default --location=global --retention-days=2557`; the maximum is 3650 days, and locking the bucket makes the setting irreversible) or route the entries with a log sink to a Cloud Storage bucket with a retention policy. Note that the 30-day bucket also applies to Policy Denied logs; the 400-day _Required bucket covers Admin Activity and System Event logs only.

Exam trap

Google Cloud often tests the misconception that log deletion is caused by misconfigured exports or IAM permissions, when in fact the default retention of the _Default log bucket is the reason, and it is Data Access audit logs that are affected.

How to eliminate wrong answers

Option B is wrong because deleting a sink that exports to Cloud Storage stops new entries from being copied, but it has no effect on the entries already held in Cloud Logging, whose lifetime is set by bucket retention alone. Option C is wrong because a sink filter decides which entries are exported, not when entries stored in Cloud Logging are deleted. Option D is wrong because revoking the Logs Viewer role would stop the team from viewing logs; it cannot cause deletion, which is governed by retention settings rather than IAM.

472
MCQ · medium

A retail company processes customer payment data and must comply with PCI DSS. They use Cloud SQL for database storage. They need to ensure that all database backups are encrypted at rest. What should they do?

A.Use Cloud HSM to generate a key and store in Cloud Storage for backup encryption.
B.Enable Cloud DLP to inspect and encrypt backup data.
C.No additional action required; Cloud SQL automatically encrypts backups.
D.Use Cloud KMS to create a CMEK key and attach it to the Cloud SQL instance.
Answer: C

Cloud SQL encrypts all data at rest by default.

Why this answer

C is correct because Cloud SQL automatically encrypts all data at rest, including backups, using either Google-managed encryption keys or customer-managed encryption keys (CMEK) if configured. No additional action is required to enable backup encryption by default, as this is a built-in feature of the service to meet PCI DSS compliance requirements.

Exam trap

Google Cloud often tests the misconception that you must explicitly enable or configure encryption for Cloud SQL backups, when in fact Google Cloud automatically encrypts all data at rest by default, including backups, using server-side encryption.

How to eliminate wrong answers

Option A is wrong because Cloud HSM is a hardware security module for key generation and management, but it does not directly encrypt backups; keys must be used with Cloud KMS or Cloud External Key Manager, and storing keys in Cloud Storage is not the correct mechanism for backup encryption. Option B is wrong because Cloud DLP is a data loss prevention service for inspecting and de-identifying sensitive data, not for encrypting backups at rest. Option D is wrong because while Cloud KMS with CMEK can be attached to a Cloud SQL instance to encrypt data and backups, it is an optional configuration, not a required action; the question asks what they 'should do' to ensure encryption, and the default encryption already satisfies the requirement.

473
MCQ · easy

A startup company has a single Google Cloud project with multiple developers. To simplify identity management, they created a service account for each developer and granted them the roles/editor role on the project. However, the security team is concerned about the over-privileged access. They want to implement a more secure approach while maintaining operational efficiency. The developers need to: create Compute Engine instances, manage Cloud Storage buckets, and deploy App Engine apps. The company has a small team and does not require fine-grained access control per developer. What is the recommended approach to reduce privileges while meeting the developers' needs?

A.Remove the editor role and grant each developer the roles/owner role on the project.
B.Remove the editor role and create a custom role with the required permissions, then assign the custom role to each developer individually.
C.Remove the editor role and grant each developer the roles/iam.securityReviewer role.
D.Remove the editor role, create a custom role with the required permissions, and assign the custom role to a Google Group containing all developers.
Answer: D

Option D is correct; this follows least privilege and operational efficiency by using a group for assignment.

Why this answer

Option D is correct because it removes the overly permissive Editor role and replaces it with a custom role containing only the specific permissions needed for Compute Engine, Cloud Storage, and App Engine. Assigning this custom role to a Google Group that contains all developers simplifies identity management and ensures consistent, least-privilege access without per-user assignment overhead.

Exam trap

The trap here is that candidates may think creating a custom role is unnecessary and choose a predefined role like Editor or Owner, failing to recognize that custom roles are the correct way to implement least privilege when no predefined role matches the exact set of needed permissions.

How to eliminate wrong answers

Option A is wrong because granting the Owner role is even more permissive than Editor, including full administrative control over the project, which directly contradicts the security team's goal of reducing privileges. Option B is wrong because while creating a custom role is correct, assigning it to each developer individually creates administrative overhead and does not leverage group-based management for operational efficiency. Option C is wrong because the IAM Security Reviewer role only grants read-only access to IAM policies and does not include any permissions to create Compute Engine instances, manage Cloud Storage buckets, or deploy App Engine apps.

474
MCQ · hard

You are a security engineer for a financial services company that processes sensitive customer data. Your architecture includes two VPCs: 'data-vpc' (10.1.0.0/16) containing BigQuery datasets and Cloud Storage buckets, and 'app-vpc' (10.2.0.0/16) containing Compute Engine instances running a customer-facing application. The application needs to read from BigQuery and write to Cloud Storage. You have configured VPC Network Peering between the VPCs. Additionally, you have set up Private Google Access on all subnets in 'data-vpc' and 'app-vpc'. The application instances cannot connect to BigQuery or Cloud Storage. You have verified that firewall rules allow egress traffic to the Google APIs IP range (199.36.153.4/30) and that DNS resolution works correctly. What is the most likely cause of the connectivity failure?

A.VPC Network Peering does not support Private Google Access.
B.Cloud NAT is not configured for 'app-vpc'.
C.The 'app-vpc' subnets do not have a default route (0.0.0.0/0) to the internet gateway.
D.Firewall rules are blocking traffic to the Google APIs IP range.
Answer: C

Private Google Access requires a default route for traffic to be sent to the internet gateway.

Why this answer

Option C is correct because Private Google Access requires a default route (0.0.0.0/0) to the internet gateway in the VPC where the Compute Engine instances reside. Without this route, traffic destined for Google APIs (including BigQuery and Cloud Storage) cannot be forwarded to the internet gateway, even if Private Google Access is enabled on the subnet. The firewall rules and DNS are correctly configured, but the missing default route prevents the egress traffic from reaching the Google API IP range (199.36.153.4/30).

Exam trap

Google Cloud often tests the misconception that Private Google Access works independently of routing, but the trap here is that candidates overlook the requirement for a default route (0.0.0.0/0) to the internet gateway, even when Private Google Access is enabled on the subnet.

How to eliminate wrong answers

Option A is wrong because VPC Network Peering does support Private Google Access; the peering itself does not interfere with Private Google Access, which is a subnet-level feature that allows instances to reach Google APIs without external IP addresses. Option B is wrong because Cloud NAT is not required for Private Google Access; Private Google Access uses the internet gateway (default route) to reach Google APIs, not NAT. Option D is wrong because the question states that firewall rules allow egress traffic to the Google APIs IP range (199.36.153.4/30), so blocking is not the issue.

475
Multi-Select · hard

Which TWO techniques can be used to secure a Cloud Storage bucket containing sensitive data? (Choose 2.)

Select 2 answers
A.Enable uniform bucket-level access
B.Use a VPC Service Control perimeter
C.Set a retention policy
D.Use a Customer-managed encryption key (CMEK)
E.Enable object versioning
Answers: A, B

Uniform access disables ACLs and relies solely on IAM, reducing complexity and misconfiguration.

Why this answer

Uniform bucket-level access simplifies permissions, and VPC Service Controls restrict access to the bucket from specific networks.

476
MCQ · easy

A company needs to meet compliance requirements that mandate they be notified about all actions performed by Google personnel on their data. Which Google Cloud feature should they enable?

A.Cloud Asset Inventory
B.Access Approval
C.Cloud Audit Logs for Admin Activities
D.Access Transparency
Answer: D

Access Transparency provides near real-time logs of actions by Google staff, satisfying compliance notification requirements.

Why this answer

Access Transparency logs provide records of actions taken by Google staff on customer data, fulfilling compliance notification requirements. It must be enabled at the organization level.

477
Multi-Select · hard

A security engineer needs to restrict outbound traffic from a VPC to only allow specific external IP ranges. Which three components must be configured? (Choose three.)

Select 3 answers
A.Cloud NAT
B.Private Google Access
C.Routes with next hop to a firewall instance
D.Firewall rules on the instance OS
E.VPC firewall rules (egress)
Answers: A, C, E

Cloud NAT is required for private instances to reach the internet.

Why this answer

To restrict outbound traffic, you need egress VPC firewall rules (E). If instances have no public IP, they need Cloud NAT for internet access (A). To enforce granular filtering, traffic must be routed through a firewall appliance using routes with that instance as the next hop (C).

478
MCQ · easy

A company has a single Google Cloud project with multiple VPC networks. They need to comply with PCI DSS requirement 1.3.2, which restricts inbound and outbound traffic to only what is necessary. They have a web application running on Compute Engine instances in a VPC with a public subnet and a private subnet. The web servers in the public subnet need to communicate with database servers in the private subnet. Currently, the security engineer has configured firewall rules to allow HTTP/HTTPS traffic from the internet to the web servers, and allow all traffic from the public subnet to the private subnet. The auditor flags that the rule allowing all traffic from the public subnet to the private subnet is too permissive. What should the security engineer do to meet the requirement while maintaining functionality?

A.Use VPC Service Controls to restrict access to the database instances.
B.Remove the firewall rule allowing all traffic from the public subnet to the private subnet, and rely on the default allow internal rule.
C.Change the existing rule to allow traffic only on ports 3306 and 443 from the public subnet to the private subnet.
D.Create a new firewall rule that allows TCP traffic on port 3306 (MySQL) from the web servers' service accounts to the database servers' IP ranges.
Answer: D

This restricts traffic to only the necessary port and source, meeting the PCI DSS requirement.

Why this answer

Option D is correct because it implements a least-privilege firewall rule that restricts traffic to only the necessary MySQL port (3306) and uses service accounts as the source identity, which aligns with PCI DSS requirement 1.3.2. By specifying the web servers' service accounts as the source and the database servers' IP ranges as the destination, the rule ensures only authorized web server instances can initiate database connections, rather than allowing all traffic from the entire public subnet. This maintains the required functionality while eliminating the overly permissive 'allow all' rule.

Exam trap

The trap here is that candidates often assume VPC Service Controls (Option A) can restrict instance-to-instance traffic, or they mistakenly think the default allow internal rule (Option B) is subnet-specific, when in reality it applies to all instances in the VPC, and they may also overlook that allowing HTTPS (port 443) to database servers (Option C) is unnecessary and violates least privilege.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls is designed to prevent data exfiltration by controlling access to Google Cloud APIs and managed services, not to restrict network-layer traffic between Compute Engine instances within a VPC; it does not replace firewall rules for instance-to-instance communication. Option B is wrong because the default allow internal rule permits all traffic between any instances in the same VPC network, regardless of subnet, which would still allow overly broad access from the public subnet to the private subnet and fail to meet the least-privilege requirement. Option C is wrong because allowing traffic on port 443 (HTTPS) from the public subnet to the private subnet is unnecessary and introduces additional attack surface, as database servers typically do not serve HTTPS; only port 3306 (MySQL) is needed for the web-to-database communication.

479
MCQ · medium

A large enterprise has multiple Google Cloud organizations due to an acquisition. They want to allow a team in Org A to access a Cloud Spanner database in Org B. The team in Org A uses a service account for their application. They have set up Workload Identity Federation between the two organizations. The service account in Org B has the roles/spanner.databaseUser role on the database. The service account in Org A has been granted the roles/iam.workloadIdentityUser role on the service account in Org B. However, access attempts are failing with a permission denied error. What is the most likely missing configuration?

A.The project in Org B has not granted the roles/spanner.databaseUser role at the project level.
B.The Spanner database does not have the service account in Org A granted access directly.
C.The service account in Org B does not have the roles/iam.workloadIdentityUser role on itself.
D.The service account in Org A does not have the roles/iam.serviceAccountTokenCreator role on the service account in Org B.
Answer: D

To impersonate, the external identity needs the serviceAccountTokenCreator role.

Why this answer

Option D is correct because the external identity (the service account in Org A) must impersonate the service account in Org B, and impersonation requires the service account in Org A to hold the roles/iam.serviceAccountTokenCreator role on the service account in Org B. Option C is wrong because the roles are already correctly assigned. Option B is wrong because the Spanner database does not need the impersonation role granted directly. Option A is wrong because the project-level Spanner role would not be the issue.

480
Multi-Select · medium

Which TWO actions should be taken to ensure that a Google Cloud environment meets PCI-DSS requirements for protecting cardholder data? (Choose two.)

Select 2 answers
A.Use IAM roles to restrict access to cardholder data to the minimum necessary.
B.Encrypt all transmission of cardholder data using TLS 1.2 or higher.
C.Use Cloud Data Loss Prevention to tokenize all credit card numbers before storage.
D.Implement a Web Application Firewall (WAF) such as Cloud Armor to protect against web-based attacks.
E.Enable automatic DLP inspection triggers for all Cloud Storage buckets.
Answers: B, D

PCI-DSS requirement 4.1 mandates encryption of cardholder data over public networks.

Why this answer

Option B is correct because PCI-DSS Requirement 4 mandates that cardholder data must be encrypted during transmission over open, public networks. TLS 1.2 or higher is the specified protocol, and Google Cloud services such as HTTPS load balancers and Cloud VPN support this encryption natively, ensuring compliance with the transmission security requirement.

Exam trap

Google Cloud often tests the distinction between encryption in transit (TLS) and data protection at rest (tokenization, DLP scanning), leading candidates to pick storage-focused options like C or E instead of the transmission encryption requirement.

481
MCQ · medium

Refer to the exhibit. A security engineer needs to ensure that all objects uploaded to the bucket are automatically encrypted with the specified KMS key. They also need to preserve older versions of objects. Which statement accurately describes the bucket configuration?

A.The bucket has default KMS encryption and versioning is enabled.
B.The bucket has default KMS encryption but versioning is disabled.
C.The bucket uses CSEK and versioning is enabled.
D.The bucket uses Google-managed encryption and versioning is disabled.
Answer: A

Output shows default KMS key and versioning enabled.

Why this answer

Option A is correct because the question requires both automatic encryption of all uploaded objects using a specified KMS key and preservation of older object versions. Default KMS encryption ensures that any object uploaded without explicit encryption headers is automatically encrypted with the configured KMS key, while enabling versioning allows the bucket to retain noncurrent object versions. Together, these settings meet both requirements.

Exam trap

Google Cloud often tests the distinction between default encryption (which applies automatically to all new objects) and per-request encryption (like CSEK or customer-managed encryption keys), and the trap here is confusing CSEK with default KMS encryption or assuming that versioning is automatically enabled when encryption is configured.

How to eliminate wrong answers

Option B is wrong because while default KMS encryption is present, versioning is disabled, which means older versions of objects are not preserved — they are overwritten and lost. Option C is wrong because CSEK (Customer-Supplied Encryption Keys) is not a default encryption mechanism; it requires the client to supply the key with each upload, and the question specifies automatic encryption with a KMS key, not CSEK. Option D is wrong because Google-managed encryption does not allow specifying a particular KMS key, and versioning is disabled, failing both requirements.

482
MCQ · hard

A company requires a secure, dedicated connection between their on-premises data center and Google Cloud with bandwidth of 10 Gbps and a 99.99% SLA. Which connectivity option should they use?

A.Use Direct Peering
B.Use Partner Interconnect with a 10 Gbps connection
C.Use Cloud VPN with two tunnels for redundancy
D.Use Dedicated Interconnect with two VLAN attachments
Answer: D

Dedicated Interconnect provides 10 Gbps connections with a 99.99% SLA when using redundant links.

Why this answer

Option D is correct because Dedicated Interconnect offers 10 Gbps or 100 Gbps connections with a 99.99% SLA when configured with redundant connections. Option C is wrong because Cloud VPN supports lower bandwidth (up to 3 Gbps per tunnel) and does not offer a 99.99% SLA. Option A is wrong because Direct Peering uses public IPs and lacks SLA guarantees. Option B is wrong because Partner Interconnect typically offers lower bandwidth (up to 10 Gbps) and its SLA varies by partner.

483
MCQ · hard

A company is deploying a multi-tier application on Google Cloud. The web tier must be accessible from the internet, while the application and database tiers must only be accessible from the web tier. The security team wants to use VPC firewall rules and Cloud NAT for outbound internet access from private instances. Which architecture meets these requirements with the least operational overhead?

A.Use a single subnet for all tiers. Assign public IPs to all instances. Use firewall rules to restrict access between tiers. Use a proxy VM for outbound internet from app/db tiers.
B.Create separate VPCs for each tier. Use VPC peering to connect them. Use firewall rules to allow traffic. Use a bastion host for SSH access to app/db tiers.
C.Place all tiers in the same VPC. Use firewall rules to restrict access. Assign public IPs to web tier instances and private IPs to app/db tiers. Configure Cloud NAT for app/db tiers.
D.Place web tier in a public subnet with public IPs. Place app/db tiers in private subnets with no public IPs. Use firewall rules to allow traffic from web to app, and app to db. Configure Cloud NAT for private subnets.
Answer: D

This uses public subnets for web, private subnets for app/db, firewall rules for least privilege, and Cloud NAT for outbound access.

Why this answer

Option D is correct because it uses a single VPC with separate public and private subnets, which minimizes operational overhead while meeting the security requirements. The web tier in the public subnet gets public IPs for internet access, while the app and database tiers in private subnets have no public IPs and rely on Cloud NAT for outbound internet. Firewall rules restrict traffic to only the necessary flows (web→app, app→db), and Cloud NAT provides scalable outbound connectivity without managing a proxy VM.

Exam trap

Google Cloud often tests the misconception that separate VPCs or multiple subnets are required for security, when in fact a single VPC with proper subnetting and firewall rules is simpler and meets the same security goals with less operational overhead.

How to eliminate wrong answers

Option A is wrong because assigning public IPs to all instances exposes the app and database tiers directly to the internet, violating the requirement that they only be accessible from the web tier, and using a proxy VM adds unnecessary operational overhead compared to Cloud NAT. Option B is wrong because creating separate VPCs for each tier with VPC peering adds significant complexity and operational overhead (managing peering, route tables, and firewall rules across VPCs) without any security benefit over a single VPC with proper subnetting and firewall rules. Option C is wrong because placing all tiers in the same VPC with public IPs on the web tier and private IPs on app/db tiers is a valid approach, but it fails to isolate the web tier in a public subnet; the web tier instances would still be in the same subnet as private instances, which can complicate firewall rule management and does not follow the best practice of using separate subnets for public and private tiers.

484
MCQ · medium

A company uses a hub-and-spoke VPC topology with Network Connectivity Center. The spoke VPCs need to reach the internet. Cloud NAT is configured in the hub VPC. Spoke VPCs have routes to the hub via a VPN tunnel. However, instances in spoke VPCs cannot reach the internet. Which configuration is most likely missing?

A.The spoke VPCs are not receiving a default route (0.0.0.0/0) from the hub via Cloud Router.
B.A network virtual appliance (NVA) is required in the hub for spoke internet access.
C.Firewall rules for egress internet traffic are missing in spoke VPCs.
D.Cloud NAT is not configured in the spoke VPCs.
Answer: A

Correct: route advertisement is needed for the spokes to send internet traffic to the hub.

Why this answer

In a hub-and-spoke topology with Network Connectivity Center, spoke VPCs rely on the hub for internet access via Cloud NAT. For this to work, the spoke VPCs must have a default route (0.0.0.0/0) pointing to the hub, typically advertised by Cloud Router over the VPN tunnel. Without this route, traffic from spoke instances to the internet will not be forwarded to the hub, and thus will not reach Cloud NAT.

Exam trap

Google Cloud often tests the misconception that Cloud NAT must be deployed in each spoke VPC for internet access, but the trap here is that a centralized Cloud NAT in the hub can work for all spokes if the default route is properly advertised via BGP from the hub.

How to eliminate wrong answers

Option B is wrong because a network virtual appliance (NVA) is not required; Cloud NAT in the hub can provide internet access to spokes without an NVA, as long as routing is correctly configured. Option C is wrong because firewall rules for egress internet traffic are not the missing piece; by default, VPC firewall rules allow egress traffic, and the issue is routing, not firewall policy. Option D is wrong because Cloud NAT does not need to be configured in the spoke VPCs; the hub's Cloud NAT can serve spoke traffic if the default route points to the hub, making spoke-level NAT unnecessary.

485
Multi-Select · easy

A company wants to restrict access to a Cloud SQL instance so that only Compute Engine instances in a specific VPC subnet can connect. Which THREE methods can be used to achieve this? (Choose THREE.)

Select 3 answers
A.Configure authorized networks with the subnet's CIDR range (if using public IP).
B.Create a VPC firewall rule that blocks all traffic to the Cloud SQL instance's IP.
C.Enable private IP on the Cloud SQL instance and connect from instances in the same VPC.
D.Use VPC Service Controls to limit access to the Cloud SQL instance.
E.Use Cloud SQL Proxy with IAM permissions to connect from authorized clients.
Answers: A, C, E

Authorized networks allow ingress from specified public IP ranges.

Why this answer

Option A is correct because authorized networks allow you to restrict access to a Cloud SQL instance with a public IP by specifying the CIDR range of the subnet. Only traffic originating from IP addresses within that range can connect to the instance, effectively limiting access to Compute Engine instances in that subnet.

Exam trap

Google Cloud often tests the misconception that VPC firewall rules can control traffic to managed services like Cloud SQL, but in reality, Cloud SQL instances are not part of your VPC's network stack and are not subject to VPC firewall rules.

486
Multi-Select · easy

A company is deploying a new application that must comply with HIPAA. They are using Google Cloud services. Which TWO services are required to be enabled with appropriate configurations to support HIPAA compliance?

Select 2 answers
A.Cloud Key Management Service (KMS) with customer-managed keys (CMEK)
B.Cloud Armor
C.Cloud Audit Logs
D.Cloud Content Delivery Network (CDN)
E.Cloud Functions
Answers: A, C

CMEK is required by HIPAA for encryption key management documentation.

Why this answer

Cloud Key Management Service (KMS) with customer-managed encryption keys (CMEK) is required for HIPAA compliance because it allows the customer to control the encryption keys used to protect protected health information (PHI) at rest. HIPAA mandates that covered entities implement mechanisms to encrypt and decrypt PHI, and using CMEK ensures the customer retains sole control over key material, which is a key requirement for meeting the Security Rule's addressable implementation specification for encryption.

Exam trap

Google Cloud often tests the misconception that any security service (like Cloud Armor or Cloud CDN) is automatically required for HIPAA compliance, when in fact only services that directly enforce encryption key control and audit logging (Cloud Audit Logs) are mandatory under the HIPAA Security Rule's implementation specifications.

487
MCQ · medium

A security engineer needs to investigate a potential data exfiltration incident in a Google Cloud environment. The engineer has access to Cloud Logging and wants to identify any unusual outbound network traffic from Compute Engine instances. Which log sink filter should the engineer create to capture VPC flow logs for traffic destined to an external IP address not in the internal network ranges?

A.Create a sink with filter: 'resource.type="gce_subnetwork" AND jsonPayload.connection.dest_ip="0.0.0.0/0"'
B.Create a sink with filter: 'resource.type="gce_subnetwork" AND jsonPayload.reporter="src" AND jsonPayload.connection.dest_ip="0.0.0.0/0"'
C.Create a sink with filter: 'resource.type="gce_subnetwork" AND jsonPayload.connection.dest_ip!="10.0.0.0/8" AND jsonPayload.connection.dest_ip!="172.16.0.0/12" AND jsonPayload.connection.dest_ip!="192.168.0.0/16"'
D.Create a sink with filter: 'compute.googleapis.com/vpc_flows'
Answer: C

This filter captures VPC flow logs whose destination IP is not in the private ranges, i.e., external traffic.

Why this answer

Option C is correct because it uses a log sink filter that captures VPC flow logs for traffic destined to external IP addresses by explicitly excluding the private RFC 1918 address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). This filter ensures only outbound traffic to non-internal IPs is captured, which is essential for investigating potential data exfiltration. The filter correctly uses the `resource.type="gce_subnetwork"` to target VPC flow logs from Compute Engine instances.

Exam trap

Google Cloud often tests the misconception that you can use `0.0.0.0/0` as a wildcard in log filters to match any IP, but in Cloud Logging filters, CIDR notation is not supported for matching; you must explicitly exclude private ranges to capture external traffic.

How to eliminate wrong answers

Option A is wrong because it uses `jsonPayload.connection.dest_ip="0.0.0.0/0"` which is an invalid IP address for matching actual destination IPs (0.0.0.0/0 is a CIDR notation for 'all IPs', not a specific destination), and it omits the `jsonPayload.reporter="src"` field, which is necessary to capture only outbound traffic from the source. Option B is wrong because while it correctly includes `jsonPayload.reporter="src"`, it still uses the invalid `dest_ip="0.0.0.0/0"` filter, which will not match any real destination IP in VPC flow logs. Option D is wrong because `compute.googleapis.com/vpc_flows` is not a valid log filter syntax; VPC flow logs are identified by `resource.type="gce_subnetwork"` and the log name is `compute.googleapis.com/vpc_flows`, but the filter must use the resource type, not a log name string.
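An added example (not part of the question bank) that applies the selection logic of the option C filter to constructed VPC flow-log entries in Python, so the "outbound to non-RFC 1918 destination" behaviour described above can be checked offline; the entry layout and the bytes_by_source triage helper are assumptions for illustration.

```python
import ipaddress
import json

# RFC 1918 ranges that the option C filter excludes; anything else is treated as external.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_external(ip_str):
    """True when ip_str is a valid IPv4 address outside the RFC 1918 ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    if ip.version != 4:
        return False
    return not any(ip in net for net in PRIVATE_NETS)


def matches_exfil_filter(entry):
    """Apply the page's filter logic to one parsed Cloud Logging entry.

    resource.type must be gce_subnetwork (VPC flow logs), reporter must be
    "src" (the flow is reported by the sending VM, i.e. outbound) and the
    destination must not be an RFC 1918 address.
    """
    if entry.get("resource", {}).get("type") != "gce_subnetwork":
        return False
    payload = entry.get("jsonPayload", {})
    if payload.get("reporter") != "src":
        return False
    dest_ip = payload.get("connection", {}).get("dest_ip", "")
    return is_external(dest_ip)


def find_external_flows(log_lines):
    """Return (src_ip, dest_ip, bytes_sent) for each JSON log line that matches."""
    hits = []
    for line in log_lines:
        entry = json.loads(line)
        if matches_exfil_filter(entry):
            payload = entry["jsonPayload"]
            conn = payload["connection"]
            hits.append((conn["src_ip"], conn["dest_ip"], int(payload.get("bytes_sent", 0))))
    return hits


def bytes_by_source(hits):
    """Sum bytes sent to external destinations per source VM IP (assumed triage helper)."""
    totals = {}
    for src_ip, _dest_ip, sent in hits:
        totals[src_ip] = totals.get(src_ip, 0) + sent
    return totals


def _flow(reporter, src_ip, dest_ip, bytes_sent, resource_type="gce_subnetwork"):
    """Build one constructed flow-log entry in the shape the filter inspects (assumed layout)."""
    return json.dumps({
        "resource": {"type": resource_type},
        "jsonPayload": {
            "reporter": reporter,
            "connection": {"src_ip": src_ip, "dest_ip": dest_ip,
                           "dest_port": 443, "protocol": 6},
            "bytes_sent": bytes_sent,
        },
    })


# Constructed sample log lines (not real data); documentation ranges are used
# for the external addresses.
SAMPLE_LOG_LINES = [
    _flow("src", "10.128.0.5", "10.0.1.5", 1200),           # internal, ignored
    _flow("src", "10.128.0.5", "203.0.113.10", 5_000_000),  # external, flagged
    _flow("dest", "10.128.0.7", "198.51.100.7", 800),       # inbound report, ignored
    _flow("src", "10.128.0.9", "172.31.255.254", 3000),     # still inside 172.16/12, ignored
    _flow("src", "10.128.0.9", "172.32.0.1", 250_000),      # outside 172.16/12, flagged
    _flow("src", "10.128.0.11", "8.8.8.8", 90, resource_type="gce_instance"),  # wrong resource type, ignored
]

if __name__ == "__main__":
    hits = find_external_flows(SAMPLE_LOG_LINES)
    for src_ip, dest_ip, sent in hits:
        print(f"{src_ip} -> {dest_ip}: {sent} bytes")
    print(bytes_by_source(hits))
```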

488
MCQ · easy

A company uses Cloud Data Loss Prevention (DLP) to inspect sensitive data in Cloud Storage. They want to automatically redact credit card numbers found in text files before the files are accessed by downstream applications. Which DLP method should be used?

A.Use the DLP API's `content.deidentify` method with a `PrimitiveTransformation` of `replaceWithInfoType`.
B.Create a DLP job that uses the InspectJobConfig with a redact transformation.
C.Use Cloud DLP's inspect-only functionality and manually redact.
D.Set up a DLP inspection scan on the bucket with a `CryptoReplaceFfxFpe` transformation.
Answer: A

This method can redact sensitive data by replacing it with the info type name.

Why this answer

Option A is correct because the DLP API's `content.deidentify` method with a `PrimitiveTransformation` of `replaceWithInfoType` is designed to automatically replace sensitive data (like credit card numbers) with their corresponding info type labels (e.g., `[CREDIT_CARD_NUMBER]`) in text files. This method operates on content in memory or from Cloud Storage, enabling automated redaction before downstream access, without requiring a separate job or manual intervention.

Exam trap

Google Cloud often tests the distinction between inspection-only methods (which detect but do not modify) and deidentification methods (which transform data), and candidates may confuse DLP jobs (for scanning) with the `content.deidentify` API (for inline transformation), leading them to pick Option B or C.

How to eliminate wrong answers

Option B is wrong because DLP jobs (InspectJobConfig) are used for scanning and inspecting data at rest, but they do not support a direct 'redact transformation' in the job configuration; redaction is performed via the `deidentify` method, not through inspection jobs. Option C is wrong because inspect-only functionality only identifies sensitive data without modifying it, so manual redaction would be required, which contradicts the requirement for automatic redaction. Option D is wrong because `CryptoReplaceFfxFpe` is a format-preserving encryption (FPE) transformation that replaces data with encrypted values while preserving format, not a redaction method; it is used for tokenization, not for removing or replacing sensitive content with info types.

489
MCQ · hard

A multi-national company needs to ensure that customer data stored in BigQuery is encrypted with customer-managed encryption keys (CMEK) and that the keys are rotated every 90 days. Additionally, the company must be able to audit all key usage. Which steps are required to implement this compliance requirement?

A.Create a Cloud External Key Manager (EKM) key and configure BigQuery to use it. The EKM provider handles key rotation.
B.Create a Cloud KMS key ring with a key, disable automatic rotation, and use Cloud Functions to rotate the key manually every 90 days. Enable Admin Activity audit logs for Cloud KMS.
C.Create a Cloud KMS key ring with a key using a protection level of HSM and set a rotation period of 90 days. Then configure the BigQuery dataset to use this key.
D.Create a Cloud KMS key ring with a key using a protection level of software and set a rotation period of 90 days. Then configure BigQuery to use the key and enable Data Access audit logs for Cloud KMS.
AnswerD

Software keys are acceptable; a rotation period on the key makes Cloud KMS create a new primary version on schedule. Enabling Data Access audit logs for Cloud KMS records each cryptographic operation (encrypt, decrypt) performed with the key.

Why this answer

Option D is correct because it uses a Cloud KMS software-protection-level key with a 90-day rotation period and configures BigQuery to use it, which meets the CMEK requirement (the BigQuery service account must hold `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key). Enabling Data Access audit logs for Cloud KMS captures every encrypt and decrypt call against the key, satisfying the auditing requirement. Automatic rotation creates a new primary version every 90 days without manual intervention; it does not re-encrypt existing data, so BigQuery keeps decrypting older data with the version that encrypted it, and those older versions must stay enabled and must not be destroyed.

Exam trap

Google Cloud often tests the distinction between Admin Activity audit logs (which record configuration changes) and Data Access audit logs (which record data operations like key usage), leading candidates to choose options that omit the required Data Access logging.

How to eliminate wrong answers

Option A is wrong not because an EKM key is not CMEK (a Cloud EKM key is a Cloud KMS key with the EXTERNAL protection level and is a supported CMEK option for BigQuery) but because it leaves rotation to the external provider and says nothing about audit logging, so neither the 90-day schedule nor the usage trail is enforced and verifiable inside Google Cloud. Option B is wrong because it disables automatic rotation and rotates with Cloud Functions, which is unnecessary and error-prone when Cloud KMS can rotate on a schedule, and because Admin Activity audit logs record configuration changes (creating keys, changing IAM), not encrypt and decrypt calls; only Data Access audit logs capture key usage. Option C is wrong because the HSM protection level is not required here (software keys satisfy CMEK and cost less), and, more importantly, the option never enables Data Access audit logs, so the key-usage auditing requirement is unmet.

490
Multi-Selectmedium

A multinational company is migrating sensitive workloads to Google Cloud and must comply with GDPR data residency requirements. Which TWO actions ensure data remains stored only within the European Union? (Choose TWO.)

Select 2 answers
A.Enable Cloud Audit Logs with export to a BigQuery dataset in the EU region.
B.Use Cloud Data Loss Prevention (DLP) to scan for sensitive data and verify it remains in the EU.
C.Use Customer-Managed Encryption Keys (CMEK) stored in a Cloud KMS key ring located in the EU.
D.Define an Organization Policy with constraints/gcp.resourceLocations to allow resource creation only in EU regions.
E.Set up VPC Service Controls to create a service perimeter that includes only EU regions.
AnswersD, E

This directly enforces data location by restricting resource deployment to approved regions.

Why this answer

Option D is correct because the Organization Policy constraint `gcp.resourceLocations` restricts the locations in which resources can be created. Allowing only EU locations (individual regions such as `europe-west1` and `europe-west4`, or the `in:eu-locations` value group, which also covers the `EU` multi-region) enforces that new resources are provisioned inside the European Union. The constraint is evaluated at creation time: it does not relocate resources that already exist elsewhere, and it only governs services that support it, so a separate inventory of existing resources is still needed. Option E is paired with it because a service perimeter stops data in the protected projects from being copied to projects or identities outside the perimeter; note, though, that a perimeter is defined by projects and services, not by regions, so it complements the location constraint rather than enforcing location on its own.

Exam trap

Google Cloud often tests the distinction between controls that govern where data lives (the `gcp.resourceLocations` constraint) or where it may flow (a VPC Service Controls perimeter) and data protection mechanisms (encryption, logging, scanning), leading candidates to choose options that protect data but do not control where it is stored.

491
MCQhard

A security engineer is configuring VPC Service Controls to protect a Google Cloud project containing sensitive data. The project uses Cloud Storage and BigQuery. The engineer wants to ensure that data cannot be exfiltrated to external IP addresses outside the perimeter, but internal users should still be able to access the data from on-premises via a VPN. Which configuration should be applied?

A.Do not use VPC Service Controls; instead, rely on IAM permissions and firewall rules to control access
B.Add the project to a VPC Service Controls perimeter and configure an ingress rule to allow traffic from the on-premises VPN CIDR ranges
C.Create a separate perimeter that denies all traffic and apply it to the project
D.Add the project to a VPC Service Controls perimeter with no additional ingress rules
AnswerB

Ingress rules allow specific external sources (like VPN CIDR) to access the perimeter.

Why this answer

VPC Service Controls (VPC-SC) allow you to define a security perimeter around Google Cloud services like Cloud Storage and BigQuery, preventing data exfiltration to external IPs. By adding the project to a perimeter and configuring an ingress rule that permits traffic from the on-premises VPN CIDR ranges, internal users can access the data via VPN while all other external traffic is blocked. This meets the requirement of preventing exfiltration to external IPs while allowing authorized on-premises access.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls are a simple on/off switch. A source the perimeter does not recognise is denied, so an on-premises network reached over a VPN must be admitted explicitly, here with an ingress rule naming its CIDR ranges (on-premises hosts whose traffic already enters through a VPC network inside the perimeter and targets the restricted VIP are a separate case handled by that network's membership). An access level with `ipSubnetworks` is the older way to admit a CIDR, but it accepts only public IP ranges, which is why an ingress rule is the fit for RFC 1918 VPN ranges.

How to eliminate wrong answers

Option A is wrong because relying solely on IAM and firewall rules does not prevent data exfiltration via external IPs; VPC Service Controls provide a higher layer of security that blocks data movement outside the perimeter regardless of IAM permissions. Option C is wrong because creating a separate perimeter that denies all traffic would block all access, including legitimate on-premises VPN users, which violates the requirement to allow internal user access. Option D is wrong because adding the project to a perimeter with no ingress rules would block all traffic from outside the perimeter, including the on-premises VPN, preventing authorized access.

492
MCQeasy

An organization uses Cloud Audit Logs to monitor admin activity. The security team wants to be alerted when a user creates a new IAM role at the organization level. Which type of audit log should they analyze?

A.Policy Denied audit logs
B.System Event audit logs
C.Data Access audit logs
D.Admin Activity audit logs
AnswerD

Admin Activity logs record changes to metadata, configurations, and IAM policies.

Why this answer

Admin Activity audit logs (option D) are the correct choice because they record operations that modify the configuration or metadata of resources, such as creating or modifying IAM roles and policies at the organization level. In Google Cloud, Admin Activity audit logs are always enabled, cannot be disabled, and capture every admin write; creating a custom role appears in the organization's `cloudaudit.googleapis.com%2Factivity` log with method `google.iam.admin.v1.CreateRole`. The security team alerts on these entries to detect when a user creates a new IAM role, an administrative action that alters the organization's security posture.

Exam trap

Google Cloud often tests the distinction between Admin Activity and Data Access logs, and the trap here is that candidates mistakenly choose Data Access logs because they think 'creating a role' involves accessing data, when in fact it is a pure configuration change that falls under Admin Activity logs.

How to eliminate wrong answers

Option A is wrong because Policy Denied audit logs record only when a user or service account is denied access due to a deny policy or an organization policy constraint, not when an IAM role is created. Option B is wrong because System Event audit logs capture non-human Google Cloud system actions, such as automatic scaling or maintenance events, not user-initiated IAM role creation. Option C is wrong because Data Access audit logs track API calls that read or modify user-provided data (e.g., reading a Cloud Storage object), not administrative configuration changes like creating an IAM role.
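The alert condition above as detection logic, added here as an example rather than taken from the exam page or from Google's tooling. It carries the Logs Explorer filter for the condition and a local matcher run over a few constructed Admin Activity entries; the principals, organization ID and role names are made up, and the field layout follows the Cloud Audit Logs `protoPayload` format.

```python
"""Flag organization-level custom role creation in Cloud Audit Logs.

Added example (not from the exam page or Google). The entries in SAMPLE_ENTRIES
are constructed; principal, organization ID and role IDs are made up.
"""
from typing import Iterable, List, Tuple

# Logs Explorer / log-based alert filter expressing the same condition.
ORG_ROLE_CREATE_FILTER = (
    'logName:"cloudaudit.googleapis.com%2Factivity" AND '
    'protoPayload.serviceName="iam.googleapis.com" AND '
    'protoPayload.methodName="google.iam.admin.v1.CreateRole" AND '
    'protoPayload.resourceName:"organizations/"'
)


def is_org_role_creation(entry: dict) -> bool:
    """True for an Admin Activity entry recording CreateRole on an organization.

    Admin Activity entries live in the ...%2Factivity log; Data Access entries
    (e.g. GetRole) live in ...%2Fdata_access and are skipped. Project-level
    role creation has a resourceName under projects/ and is skipped too.
    """
    payload = entry.get("protoPayload", {})
    return (
        entry.get("logName", "").endswith("cloudaudit.googleapis.com%2Factivity")
        and payload.get("serviceName") == "iam.googleapis.com"
        and payload.get("methodName") == "google.iam.admin.v1.CreateRole"
        and payload.get("resourceName", "").startswith("organizations/")
    )


def alerts(entries: Iterable[dict]) -> List[Tuple[str, str]]:
    """(principal, resourceName) for each entry that should page the security team."""
    return [
        (e["protoPayload"]["authenticationInfo"]["principalEmail"],
         e["protoPayload"]["resourceName"])
        for e in entries
        if is_org_role_creation(e)
    ]


def _entry(log_parent: str, log_type: str, method: str, resource_name: str, principal: str) -> dict:
    """Build a constructed audit log entry in the Cloud Audit Logs shape."""
    return {
        "logName": f"{log_parent}/logs/cloudaudit.googleapis.com%2F{log_type}",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "iam.googleapis.com",
            "methodName": method,
            "resourceName": resource_name,
            "authenticationInfo": {"principalEmail": principal},
        },
    }


# Constructed sample: one hit (org-level CreateRole) and three non-hits.
SAMPLE_ENTRIES = [
    _entry("organizations/123456789012", "activity", "google.iam.admin.v1.CreateRole",
           "organizations/123456789012/roles/customAuditor", "alice@example.com"),
    _entry("projects/demo-prod", "activity", "google.iam.admin.v1.CreateRole",
           "projects/demo-prod/roles/deployer", "bob@example.com"),
    _entry("organizations/123456789012", "data_access", "google.iam.admin.v1.GetRole",
           "organizations/123456789012/roles/customAuditor", "carol@example.com"),
    _entry("organizations/123456789012", "activity", "SetIamPolicy",
           "organizations/123456789012", "dave@example.com"),
]

if __name__ == "__main__":
    for principal, resource in alerts(SAMPLE_ENTRIES):
        print(f"ALERT: {principal} created {resource}")
```

The second and third samples are the two near-misses worth testing for: a project-level role creation (same method, wrong parent) and a Data Access read of a role (same parent, wrong log and method). Both must stay silent or the alert will be noisy enough to be ignored.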

493
MCQeasy

An application needs to authenticate to Google Cloud APIs from an on-premises server. Which approach is recommended for long-lived access?

A.Use a user account with OAuth 2.0 tokens.
B.Use workload identity federation with an on-premises identity provider.
C.Use API keys.
D.Create a service account key and store it securely on the server.
AnswerD

This is a standard approach for on-premises applications.

Why this answer

Option D is correct in the exam's framing because a service account key is a long-lived static credential that an on-premises server can use without interactive login, token refresh by a person, or a federation setup. Treat it as the credential of last resort: a leaked key stays valid until it is deleted, so restrict who may create keys (the `iam.disableServiceAccountKeyCreation` organization policy constraint), rotate keys on a schedule, and grant the service account only the roles it needs. Where the on-premises environment has an identity provider that can issue OIDC or SAML tokens, Google's current guidance prefers workload identity federation (Option B), which removes the long-lived secret entirely.

Exam trap

Google Cloud often tests the misconception that API keys (Option C) are sufficient for service-to-service authentication, but API keys lack the ability to represent a service identity and are not supported by many Google Cloud APIs for authorization; candidates may also confuse workload identity federation (Option B) as a long-lived solution when it is designed for short-lived, federated access.

How to eliminate wrong answers

Option A is wrong because user accounts with OAuth 2.0 tokens are designed for interactive user sessions and require periodic re-authentication or refresh token management, which is not ideal for long-lived, unattended server access. Option B is wrong because workload identity federation is intended for short-lived, federated access using external identity providers, not for long-lived static credentials; it requires token exchange and has a default maximum token lifetime of 1 hour. Option C is wrong because API keys are primarily used for identifying projects and enabling simple access to public data or quota tracking, not for authenticating as a service identity to access private resources or perform authorized API calls.

494
Multi-Selectmedium

Which TWO practices help implement the principle of least privilege when configuring access to Google Cloud resources? (Choose two.)

Select 2 answers
A.Grant roles at the organization level to simplify administration.
B.Use a single service account for all Cloud Functions in a project to simplify key management.
C.Create custom roles that include only the specific permissions needed.
D.Use IAM Conditions to restrict access to specific resources or times.
E.Grant IAM roles directly to individual users for better traceability.
AnswersC, D

Custom roles allow precise permission assignment.

Why this answer

Option C is correct because creating custom roles allows you to define a precise set of permissions, ensuring that a principal has only the minimum permissions required to perform their job function. This directly implements the principle of least privilege by avoiding the broad permissions often included in predefined roles. Option D is correct because IAM Conditions attach a CEL expression to a binding, so a role applies only to matching resources (for example a resource name prefix) or during a time window, narrowing a grant that would otherwise cover every resource under the binding.

Exam trap

Google Cloud often tests the misconception that granting roles at a higher level (organization) or using a single service account simplifies management without considering the security implications of over-privileged access.

495
MCQhard

Alice tries to connect to Cloud SQL instance 'prod-instance' using the Cloud SQL Auth proxy. Will she succeed? Why?

A.Yes, because she has the client role with no condition.
B.Yes, because the admin role grants full access, and the condition only applies to the admin role, but the client role is unconditional.
C.No, because the admin role condition overrides the client role.
D.No, because the cloudsql.admin role condition restricts to dev instances only.
AnswerB

The unconditional client role provides the necessary permissions to connect.

Why this answer

Option B is correct because the Cloud SQL Auth proxy authenticates with the caller's IAM credentials and needs the `cloudsql.instances.connect` and `cloudsql.instances.get` permissions on the target instance. Alice's `roles/cloudsql.client` binding carries no condition, so it grants those permissions on every instance in the project, `prod-instance` included. The condition on her `roles/cloudsql.admin` binding limits that binding, and every permission in it, to the dev instances the condition names; a condition on one binding never subtracts from what another binding grants, so the unconditional client binding alone lets her connect.

Exam trap

Google Cloud often tests the misconception that a restrictive condition on a higher-privilege binding (admin) overrides a lower-privilege one (client). In an allow policy a principal holds a permission on a resource if any binding containing that permission applies, meaning it has no condition or its condition evaluates to true; a failing condition only removes that one binding from consideration. Only IAM deny policies can subtract access, and the question mentions none.

How to eliminate wrong answers

Option A reaches the right conclusion but is the weaker answer: the client role is indeed unconditional and is what lets Alice connect, but the option ignores the admin binding's condition, which is the point the question is testing; Option B states both halves. Option C is wrong because conditions are evaluated per binding, not across the whole policy; the admin binding's condition does not override the client binding's unconditional grant, since bindings combine and access is allowed if any applicable binding grants the permission. Option D is wrong because the admin binding's condition confines that binding to dev instances, but it cannot block the connect permission that the client binding grants separately, so Cloud SQL Auth proxy connections to `prod-instance` still succeed.
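To make the binding-by-binding evaluation concrete, here is an added example (not part of the exam page and not Google's IAM implementation) that applies the allow-policy rule to a constructed policy resembling Alice's: a hypothetical project `demo`, a `roles/cloudsql.client` binding with no condition, and a `roles/cloudsql.admin` binding conditioned on `resource.name.startsWith("projects/demo/instances/dev-")`. Role permission sets are trimmed to the ones the scenario needs, only the two CEL functions used in the policy are implemented, and deny policies are not modelled.

```python
"""Allow-policy evaluation with conditional bindings (added example).

Not Google's IAM engine: a minimal model of the allow-policy rule that a
principal holds a permission on a resource when at least one binding that
contains the permission applies, i.e. has no condition or a condition that
evaluates to true. Deny policies are not modelled. Project, instance names
and role contents are constructed for the scenario.
"""
import re
from typing import Dict, List, Optional, Set

# Trimmed role -> permission sets (the real roles carry many more permissions).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/cloudsql.client": {"cloudsql.instances.connect", "cloudsql.instances.get"},
    "roles/cloudsql.admin": {
        "cloudsql.instances.connect", "cloudsql.instances.get",
        "cloudsql.instances.update", "cloudsql.instances.delete",
    },
}

# Constructed policy in the shape of `gcloud projects get-iam-policy` output.
POLICY = {
    "bindings": [
        {"role": "roles/cloudsql.client", "members": ["user:alice@example.com"]},
        {
            "role": "roles/cloudsql.admin",
            "members": ["user:alice@example.com"],
            "condition": {
                "title": "dev-instances-only",
                "expression": 'resource.name.startsWith("projects/demo/instances/dev-")',
            },
        },
    ]
}

# Only the CEL shapes used above are supported; anything else is rejected loudly
# rather than silently treated as true or false.
_CEL_NAME_FN = re.compile(r'^resource\.name\.(startsWith|endsWith)\("([^"]*)"\)$')


def condition_holds(expression: Optional[str], resource_name: str) -> bool:
    """Evaluate a binding's condition for one resource (absent condition -> True)."""
    if expression is None:
        return True
    m = _CEL_NAME_FN.match(expression.strip())
    if not m:
        raise ValueError(f"unsupported condition in this model: {expression}")
    fn, arg = m.groups()
    return resource_name.startswith(arg) if fn == "startsWith" else resource_name.endswith(arg)


def granting_bindings(policy: dict, member: str, permission: str, resource_name: str) -> List[str]:
    """Roles of the bindings that grant `permission` to `member` on `resource_name`.

    Each binding is judged on its own: a false condition drops that binding
    only, it never cancels a grant made by a different binding.
    """
    roles = []
    for b in policy["bindings"]:
        if member not in b["members"] or permission not in ROLE_PERMISSIONS[b["role"]]:
            continue
        cond = b.get("condition")
        if condition_holds(cond["expression"] if cond else None, resource_name):
            roles.append(b["role"])
    return roles


def has_permission(policy: dict, member: str, permission: str, resource_name: str) -> bool:
    """Allow-policy decision: at least one applicable binding grants the permission."""
    return bool(granting_bindings(policy, member, permission, resource_name))


if __name__ == "__main__":
    alice = "user:alice@example.com"
    prod = "projects/demo/instances/prod-instance"
    dev = "projects/demo/instances/dev-analytics"
    for perm, res in [("cloudsql.instances.connect", prod),
                      ("cloudsql.instances.update", prod),
                      ("cloudsql.instances.update", dev)]:
        print(perm, res.split("/")[-1], granting_bindings(POLICY, alice, perm, res))
```

Run as a script it shows the three cases the question turns on: connect to `prod-instance` is granted by the client binding alone, update on `prod-instance` is refused because the only binding carrying that permission has a false condition, and update on a `dev-` instance is granted by the admin binding.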

496
MCQhard

A company has an on-premises data center connected to Google Cloud via a Dedicated Interconnect. They want to allow instances in a VPC (10.0.0.0/8) to access Google APIs (e.g., Cloud Storage) without traversing the public internet. They also want to ensure that traffic from on-premises to Google APIs uses the same private path. Which configuration is required?

A.Set up Cloud VPN and use Private Google Access on the VPC.
B.Apply VPC Service Controls and enable Private Google Access on the subnet.
C.Configure Cloud NAT on the VPC and on-premises route via the interconnect.
D.Enable Private Google Access on the VPC subnet and advertise the default route (0.0.0.0/0) from on-premises with a specific route for Google APIs (199.36.153.4/30) pointing to the interconnect.
AnswerD

Private Google Access allows VMs to reach Google APIs via private IPs; on-premises can use custom routes to reach Google APIs via the interconnect.

Why this answer

Option D is correct because Private Google Access, enabled on the subnet, lets VMs that have only internal IP addresses reach Google APIs without traversing the public internet. On-premises hosts get the same private path by resolving `*.googleapis.com` to the `restricted.googleapis.com` VIP, `199.36.153.4/30`, and routing that prefix across the Dedicated Interconnect instead of their internet default route; on the on-premises router the specific `/30` entry wins over `0.0.0.0/0` by longest-prefix match, so only Google API traffic is pulled onto the Interconnect. On the Google side the Cloud Router must advertise `199.36.153.4/30` to on-premises as a custom route, and the VPC needs a route for that prefix with the default internet gateway as next hop (the VPC default route covers it; a specific route is needed only if the default route was deleted). `199.36.153.8/30` (`private.googleapis.com`) is the equivalent VIP for networks that do not use VPC Service Controls.

Exam trap

The trap is confusing Private Google Access with Cloud NAT or VPC Service Controls, and forgetting that Private Google Access by itself is a subnet setting for VMs: extending it to on-premises hosts also needs DNS that resolves Google API names to the `199.36.153.4/30` VIP, a Cloud Router advertisement of that prefix, and an on-premises route sending it over the Interconnect.

How to eliminate wrong answers

Option A is wrong because Cloud VPN carries traffic over the public internet inside an IPsec tunnel; it is not the Dedicated Interconnect the company already has, and enabling Private Google Access does nothing for on-premises hosts unless the VIP route and DNS are also configured. Option B is wrong because VPC Service Controls provide security boundaries (for example data exfiltration prevention) but do not create a private routing path for on-premises traffic to Google APIs. Option C is wrong because Cloud NAT provides outbound internet access for instances without external IPs, not private access to Google APIs, and it does not address on-premises routing at all.

497
MCQhard

A company is using Cloud SQL for MySQL to store customer data subject to SOX compliance. They need to ensure that all database changes are audited and that logs are immutable. They have enabled audit logs and exported them to a Cloud Storage bucket. However, the auditor discovers that some logs were deleted from the bucket. What is the most likely cause?

A.The log sink filter is excluding certain events, causing incomplete export.
B.The bucket has retention policy enabled, which prevents deletion until the retention period expires.
C.The service account used for export does not have the storage.objects.delete permission.
D.The Cloud Storage bucket has a lifecycle rule that deletes objects after a set number of days.
AnswerD

If a lifecycle rule is set to delete objects, logs can be automatically removed, violating immutability requirements.

Why this answer

Option D is correct because Cloud Storage lifecycle rules can automatically delete objects after a specified number of days. If a lifecycle rule is configured on the bucket, it would delete audit logs regardless of the export process, making them unavailable to the auditor. This is the most likely cause of logs being deleted from the bucket, as the other options do not explain actual deletion of already-exported objects.

Exam trap

Google Cloud often tests the distinction between features that prevent deletion (a retention policy, made irreversible with Bucket Lock, and object holds) and features that cause deletion (lifecycle rules), and candidates assume that enabling audit logs and exporting them to a bucket guarantees immutability without checking the bucket's own configuration.

How to eliminate wrong answers

Option A is wrong because a log sink filter controls which log entries are exported to the bucket, not the deletion of objects already stored in the bucket; missing events would not cause existing logs to be deleted. Option B is wrong because a retention policy prevents object deletion or overwrite until the retention period expires, so it would protect logs from deletion, not cause it. Option C is wrong because the service account used for export needs storage.objects.create permission to write logs, not storage.objects.delete; lacking delete permission would not cause logs to be deleted.
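The bucket review an auditor would want before trusting the export, as an added example (not the page's or Google's code) over constructed bucket metadata in the shape the Cloud Storage JSON API returns from `buckets.get`. The required retention period is a parameter the caller supplies; the values used here are assumptions of the example, not a statement of what SOX requires.

```python
"""Review a Cloud Storage bucket used for exported audit logs (added example).

Not the page's or Google's code. `bucket` is the metadata dict the Cloud
Storage JSON API returns from buckets.get; the samples below are constructed.
`required_retention` is supplied by the caller and is an assumption of this
example, not a statement of what SOX requires.
"""
from datetime import timedelta
from typing import List


def review_log_bucket(bucket: dict, required_retention: timedelta) -> List[str]:
    """Return findings that would let logs be removed or shortened; empty means clean."""
    findings: List[str] = []

    # Lifecycle rules with a Delete action remove objects on their own schedule,
    # regardless of who wrote them. SetStorageClass rules are harmless here.
    for i, rule in enumerate(bucket.get("lifecycle", {}).get("rule", [])):
        if rule.get("action", {}).get("type") == "Delete":
            findings.append(f"lifecycle rule {i} deletes objects when {rule.get('condition')}")

    # A retention policy blocks deletion and overwrite until the period elapses;
    # only a locked policy (Bucket Lock) stops an admin from shortening or removing it.
    policy = bucket.get("retentionPolicy")
    if policy is None:
        findings.append("no retention policy: objects are deletable immediately")
    else:
        period = timedelta(seconds=int(policy["retentionPeriod"]))  # API gives seconds as a string
        if period < required_retention:
            findings.append(
                f"retention period {period.days}d is below the required {required_retention.days}d"
            )
        if not policy.get("isLocked", False):
            findings.append("retention policy is not locked: it can be reduced or removed")
    return findings


# Constructed: the bucket from the scenario, with a 30-day delete rule and no retention.
SCENARIO_BUCKET = {
    "name": "acme-cloudsql-audit-logs",
    "lifecycle": {"rule": [{"action": {"type": "Delete"}, "condition": {"age": 30}}]},
}

# Constructed: the same bucket after remediation (delete rule replaced by a
# storage-class transition, locked retention policy added).
HARDENED_BUCKET = {
    "name": "acme-cloudsql-audit-logs",
    "lifecycle": {"rule": [{"action": {"type": "SetStorageClass", "storageClass": "COLDLINE"},
                            "condition": {"age": 90}}]},
    "retentionPolicy": {"retentionPeriod": str(7 * 365 * 24 * 3600), "isLocked": True},
}

if __name__ == "__main__":
    for b in (SCENARIO_BUCKET, HARDENED_BUCKET):
        print(b["name"], review_log_bucket(b, timedelta(days=7 * 365)) or ["clean"])
```

Object versioning is deliberately not checked: Cloud Storage does not allow versioning and a retention policy on the same bucket, so the retention policy is the control to verify here.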

498
MCQhard

Refer to the exhibit. The security team created this key for encrypting database backups. After an audit, they found that data encrypted before May 1, 2023, cannot be decrypted. What is the most likely cause?

A.The rotation period is too short, causing old versions to be destroyed.
B.Key version 1 was deleted after the new primary was created.
C.The primary key version is disabled.
D.The algorithm GOOGLE_SYMMETRIC_ENCRYPTION is not supported by HSM.
AnswerB

If version 1 was destroyed, data encrypted with it can no longer be decrypted.

Why this answer

Option B is correct because creating a new primary key version in Cloud KMS does not remove the previous one; every version is kept, each ciphertext records the version that produced it, and decryption uses that version. If version 1 was destroyed after version 2 became primary (Cloud KMS first schedules the version for destruction, during which it can still be restored, then destroys it), data encrypted under version 1 is permanently undecryptable while data encrypted under version 2 still works. That pattern, old data failing and newer data fine, is exactly the finding that data encrypted before May 1, 2023 cannot be decrypted.

Exam trap

Google Cloud often tests the distinction between key rotation (which creates new versions) and key version deletion (which removes the ability to decrypt old data), leading candidates to incorrectly assume that rotation alone causes decryption failures.

How to eliminate wrong answers

Option A is wrong because a short rotation period only makes Cloud KMS create new versions more often; earlier versions stay enabled and continue to decrypt the data they encrypted. Option C is wrong because a disabled version fails every operation that targets it, so disabling the current primary would break new encryption rather than selectively break old data; a disabled version can also be re-enabled, which a destroyed version cannot once its destruction window has passed. Option D is wrong because GOOGLE_SYMMETRIC_ENCRYPTION is supported at both the software and HSM protection levels in Cloud KMS, and the issue is key version availability, not algorithm support.

499
MCQeasy

A healthcare organization is migrating applications to Google Cloud and must comply with HIPAA. They plan to store protected health information (PHI) in Cloud Storage and BigQuery. The security engineer needs to ensure that all access to PHI is logged and that the data is encrypted at rest with customer-managed keys. The organization also requires that any audit logs containing PHI are stored in a separate project with restricted access. Which course of action meets all requirements?

A.Enable Data Access audit logs for Cloud Storage and BigQuery, and store logs in the same project. Use CMEK for encryption.
B.Use VPC Service Controls to create a perimeter around the project, and enable CMEK for encryption.
C.Enable Admin Read audit logs for Cloud Storage and BigQuery, and store logs in a different project. Use CSEK for encryption.
D.Enable Data Access audit logs for Cloud Storage and BigQuery, create a sink to route logs to a BigQuery dataset in a separate project, and use CMEK in the data project.
AnswerD

All requirements are met: logging enabled, logs stored separately with restricted access, and CMEK used.

Why this answer

Option D is correct because it meets all requirements: Data Access audit logs capture every access to PHI, a sink routes those logs to a BigQuery dataset in a separate project (fulfilling the separate-project storage requirement), and CMEK (customer-managed encryption keys) ensures encryption at rest with keys controlled by the organization. This combination satisfies HIPAA logging, encryption, and restricted-access log storage mandates.

Exam trap

Google Cloud often tests the audit log types: Admin Read (ADMIN_READ) is one of the Data Access log types and records only metadata reads, such as listing buckets or fetching dataset metadata, while Data Read and Data Write record reads and writes of the data itself. Candidates confuse Admin Read with full Data Access logging and pick Option C, which would leave reads of PHI objects and query results unlogged.

How to eliminate wrong answers

Option A is wrong because storing audit logs in the same project as the PHI violates the requirement that logs containing PHI be stored in a separate project with restricted access. Option B is wrong because VPC Service Controls prevent data exfiltration but do not enable logging of access to PHI (no audit log configuration) and do not address the separate-project log storage requirement. Option C is wrong because Admin Read audit logs cover only metadata reads, not reads and writes of PHI, and because BigQuery does not support customer-supplied encryption keys (CSEK); CSEK also means supplying the raw key with each request rather than managing it in Cloud KMS, which is not what the customer-managed key requirement describes.

500
Multi-Selecthard

Your company has a VPC with multiple subnets. You have deployed a set of Compute Engine instances that must communicate with each other over TCP port 4444. The instances are tagged with 'app-tier'. You need to ensure that only these instances can communicate on this port. Which THREE of the following steps are necessary to achieve this?

Select 3 answers
A.Remove the default allow egress rule that allows all outbound traffic
B.Create an egress firewall rule that allows TCP 4444 from target tag 'app-tier' to source tag 'app-tier'
C.Create a VPC firewall rule to deny all egress traffic from the VPC
D.Create an ingress firewall rule that allows TCP 4444 from source tag 'app-tier' to target tag 'app-tier'
E.Apply the 'app-tier' tag to all instances that need to communicate
AnswersB, D, E

Option D's ingress rule admits TCP 4444 from 'app-tier' instances to 'app-tier' instances, Option E makes the tag-based rules apply to the right VMs, and Option B's egress rule allows the matching outbound traffic from the tagged instances.

Why this answer

Option D is correct because ingress rules are what the VPC evaluates at the receiving instance, and the implied ingress rule denies everything at the lowest priority (65535); an ingress rule allowing TCP 4444 from source tag 'app-tier' to target tag 'app-tier' therefore admits exactly that traffic and nothing else on that port. Option E is correct because tag-based rules match no instance until the instances carry the tag. Option B is the outbound half: an egress rule allowing TCP 4444 from the tagged instances. Two caveats a practitioner should know: the implied egress rule allows all outbound traffic, so an egress allow rule only changes the outcome when a higher-priority egress deny exists (Option C would create one, and then Option B becomes essential), and VPC firewall egress rules identify destinations by IP range, not by tag, so the rule in Option B would in practice name the 'app-tier' subnet ranges as its destination.

Exam trap

Google Cloud often tests the two implied firewall rules: ingress is denied by default and egress is allowed by default, both at priority 65535. Candidates who assume an implied egress deny expect Option B to be the restricting rule, when it is Option D's ingress rule that keeps every other source off port 4444; an egress deny (Option C) is needed only when outbound traffic to other destinations must be cut off as well.
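An added example, not from the exam page, that evaluates a constructed rule set the way a VPC does, implied rules included, so the effect of each option can be observed. Instance names, IP addresses and the `10.10.0.0/24` subnet are assumptions; the egress rule from Option B is expressed with a destination range, since VPC egress rules cannot name a destination tag; return traffic of established connections is not modelled.

```python
"""VPC firewall evaluation for one TCP flow, implied rules included (added example).

Not the exam page's or Google's code. Models the fields used here the way VPC
firewall rules behave: lowest priority number wins; ingress rules select the
receiving instance by target tag and the sender by source tag or source range;
egress rules select the sending instance by target tag and the receiver by
destination range only (VPC egress rules cannot name a destination tag).
Instances, addresses and the 10.10.0.0/24 subnet are constructed. Return
traffic of established connections is not modelled.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# The two implied rules every VPC network has, at the lowest priority.
IMPLIED_RULES = [
    {"name": "implied-allow-egress", "direction": "EGRESS", "priority": 65535,
     "action": "allow", "destination_ranges": ["0.0.0.0/0"], "protocols": {"all"}},
    {"name": "implied-deny-ingress", "direction": "INGRESS", "priority": 65535,
     "action": "deny", "source_ranges": ["0.0.0.0/0"], "protocols": {"all"}},
]

# Option D (ingress) and Option B (egress, with a destination range standing in
# for the app-tier subnet because egress rules cannot match a destination tag).
RULES = [
    {"name": "allow-app-tier-4444-in", "direction": "INGRESS", "priority": 1000,
     "action": "allow", "source_tags": ["app-tier"], "target_tags": ["app-tier"],
     "protocols": {"tcp/4444"}},
    {"name": "allow-app-tier-4444-out", "direction": "EGRESS", "priority": 1000,
     "action": "allow", "target_tags": ["app-tier"],
     "destination_ranges": ["10.10.0.0/24"], "protocols": {"tcp/4444"}},
]

# Constructed inventory: name -> (internal IP, network tags). Option E is the
# act of putting "app-tier" on app-1 and app-2.
INSTANCES: Dict[str, Tuple[str, Set[str]]] = {
    "app-1": ("10.10.0.11", {"app-tier"}),
    "app-2": ("10.10.0.12", {"app-tier"}),
    "web-1": ("10.20.0.5", {"web-tier"}),
}


def _in_ranges(ip: str, ranges: List[str]) -> bool:
    return any(ip_address(ip) in ip_network(r) for r in ranges)


def _matches(rule: dict, src: str, dst: str, proto: str, port: int) -> bool:
    src_ip, src_tags = INSTANCES[src]
    dst_ip, dst_tags = INSTANCES[dst]
    if "all" not in rule["protocols"] and f"{proto}/{port}" not in rule["protocols"]:
        return False
    if rule["direction"] == "INGRESS":
        # Rule applies to the receiving instance; the sender matches by tag or range.
        if rule.get("target_tags") and not set(rule["target_tags"]) & dst_tags:
            return False
        return bool(set(rule.get("source_tags", [])) & src_tags) or \
            _in_ranges(src_ip, rule.get("source_ranges", []))
    # EGRESS: rule applies to the sending instance; the receiver matches by range.
    if rule.get("target_tags") and not set(rule["target_tags"]) & src_tags:
        return False
    return _in_ranges(dst_ip, rule["destination_ranges"])


def _verdict(direction: str, rules: List[dict], src: str, dst: str,
             proto: str, port: int) -> Tuple[str, str]:
    """(action, rule name) of the highest-priority matching rule in one direction."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] == direction and _matches(rule, src, dst, proto, port):
            return rule["action"], rule["name"]
    raise RuntimeError("an implied rule always matches")  # unreachable


def flow_allowed(src: str, dst: str, proto: str, port: int,
                 rules: List[dict] = RULES) -> Tuple[bool, str, str]:
    """Whether src can open proto/port to dst, plus the deciding egress and ingress rules."""
    all_rules = list(rules) + IMPLIED_RULES
    egress = _verdict("EGRESS", all_rules, src, dst, proto, port)
    ingress = _verdict("INGRESS", all_rules, src, dst, proto, port)
    return egress[0] == "allow" and ingress[0] == "allow", egress[1], ingress[1]


if __name__ == "__main__":
    for s, d in [("app-1", "app-2"), ("web-1", "app-1"), ("app-1", "web-1")]:
        print(s, "->", d, "tcp/4444:", flow_allowed(s, d, "tcp", 4444))
    # Without Option B the implied allow-egress rule carries the outbound leg.
    print("app-1 -> app-2, no egress rule:", flow_allowed("app-1", "app-2", "tcp", 4444, RULES[:1]))
```

The last line of the script is the point of the exercise: with only the ingress rule and the tags in place, app-tier traffic on 4444 still passes (the implied egress allow carries the outbound leg) and traffic from `web-1` is still refused by the implied ingress deny, which is why the ingress rule is the one doing the restricting.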
