Google Professional Cloud Security Engineer (PCSE) — Questions 601675

985 questions total · 14 pages · All types, answers revealed

Page 9 of 14
601
Multi-Select · medium

A company wants to use Cloud IDS to detect threats in their VPC. They have created a Cloud IDS endpoint and need to configure packet mirroring. Which TWO resources must be in place for packet mirroring to work? (Choose TWO.)

Select 2 answers
A. A Collector VPC network with the IDS endpoint
B. Public IP addresses on the source VMs
C. A mirrored VPC network with the VMs to be monitored
D. Cloud NAT on the mirrored VPC
E. A VPN tunnel between the collector and mirrored VPCs
Answers: A, C

The IDS endpoint is in the collector network.

Why this answer

Packet mirroring requires a Collector VPC (where the IDS endpoint resides) and a mirrored VPC (where source VMs are). The source VMs must be tagged.

602
Multi-Select · medium

Which two are best practices for managing secrets in Secret Manager? (Choose two.)

Select 2 answers
A. Enable automatic replication to multiple regions for high availability.
B. Use the Secret Manager API to list all secrets for any user.
C. Set a short TTL for secret versions and delete them immediately.
D. Store secrets in multiple ConfigMaps for redundancy.
E. Use IAM conditions to restrict access based on resource tags.
Answers: A, E

Replication ensures availability if a region fails.

Why this answer

Option A is correct because Secret Manager supports automatic replication across regions, ensuring that secret data remains available even during a regional outage. This is a key best practice for high availability and disaster recovery, as it allows applications to read secrets from the nearest or alternate region without manual intervention.

Exam trap

Google Cloud often tests the misconception that ConfigMaps are suitable for secrets or that short TTLs and immediate deletion are safe practices, when in fact they violate operational stability and security best practices.

603
MCQ · medium

A healthcare organization stores Protected Health Information (PHI) in Cloud Storage. They need to de-identify data before sharing it with researchers. Which service should they use?

A. Cloud Key Management Service (KMS)
B. VPC Service Controls
C. Cloud IAM
D. Cloud Data Loss Prevention (DLP)
Answer: D

DLP can de-identify structured and unstructured data, including PHI.

Why this answer

Cloud Data Loss Prevention (DLP) is the correct service because it is specifically designed to inspect, classify, and de-identify sensitive data such as Protected Health Information (PHI). It uses built-in infoTypes (e.g., US_INDIVIDUAL_HEALTHCARE_NPI) and de-identification techniques like masking, tokenization, and redaction to transform PHI into a de-identified dataset before sharing with researchers, ensuring compliance with HIPAA.

Exam trap

Google Cloud often tests the distinction between data protection services (encryption, access control, perimeter security) and data de-identification, so the trap here is that candidates confuse Cloud KMS or IAM with DLP because they all relate to 'protecting' data, but only DLP actively transforms sensitive content to remove identifiers.

How to eliminate wrong answers

Option A is wrong because Cloud Key Management Service (KMS) is used for managing encryption keys, not for de-identifying data; it protects data at rest but does not remove or transform PHI. Option B is wrong because VPC Service Controls provide a security perimeter to prevent data exfiltration from VPC services, but they do not inspect or de-identify the content of data. Option C is wrong because Cloud IAM manages access control policies (who can access resources), but it does not perform data de-identification or content inspection.

604
MCQ · medium

A company needs to archive their VPC Flow Logs for 10 years for compliance. They also need to run occasional queries on the logs. What is the most cost-effective approach?

A. Export VPC Flow Logs to both Cloud Storage and BigQuery simultaneously.
B. Create a log sink to export VPC Flow Logs to Cloud Storage with a retention policy of 10 years and use BigQuery external tables for occasional queries.
C. Create a log sink to export VPC Flow Logs to BigQuery and set a table partition expiration to 10 years.
D. Enable VPC Flow Logs and set the log bucket retention to 10 years.
Answer: B

Cloud Storage provides low-cost archival, and BigQuery external tables allow querying without loading.

Why this answer

Exporting logs to Cloud Storage with a retention policy is the most cost-effective option for long-term archival. BigQuery storage is more expensive but supports queries. A log sink that uses the _Default log view includes VPC Flow Logs (if they are enabled).

605
MCQ · medium

A company wants to restrict access to Cloud Storage buckets so that only resources in a specific VPC network can reach them, and data cannot be exfiltrated to other networks. Which Google Cloud service should they use?

A. Identity-Aware Proxy (IAP)
B. Cloud Armor
C. VPC Firewall Rules
D. VPC Service Controls
Answer: D

Correct: VPC Service Controls create a service perimeter that isolates Google Cloud services and prevents data exfiltration.

Why this answer

VPC Service Controls lets you create service perimeters that protect Google Cloud services (including Cloud Storage) by restricting access from outside the perimeter. Resources inside the perimeter can access the protected services, but data cannot be exfiltrated to external networks.

606
MCQ · medium

A security engineer needs to audit changes to IAM policies across their Google Cloud organization. Which audit log type should they enable to capture IAM policy changes?

A. Admin Activity audit logs
B. System Event audit logs
C. Data Access audit logs
D. Access Transparency logs
Answer: A

Admin Activity logs record configuration changes, including IAM policy modifications.

Why this answer

Admin Activity audit logs capture all API calls that modify configuration, including IAM policy changes.

607
MCQ · hard

A company uses Cloud SQL for PostgreSQL with CMEK. They need to ensure that the Cloud SQL instance can only be accessed by authorized compute resources that have the correct IAM permissions to decrypt the data. What additional configuration is required to enforce access control?

A. Enable mutual TLS for all connections to the Cloud SQL instance.
B. Set up a service account with Cloud KMS CryptoKey Encrypter/Decrypter and attach it to authorized VMs.
C. Use VPC Service Controls to restrict access to the Cloud SQL instance and the key.
D. Configure Cloud SQL to use Cloud Armor to whitelist IP addresses.
Answer: B

This ensures only specific VMs can decrypt, coupling compute access with key access.

Why this answer

Option B is correct because Cloud SQL with CMEK requires that any compute resource accessing the instance must have the Cloud KMS CryptoKey Encrypter/Decrypter IAM role on the key. By attaching a service account with this role to authorized VMs, you ensure that only those VMs can decrypt the data at rest, enforcing access control at the IAM level. This directly ties the decryption permission to the compute resource's identity, not just network-level access.

Exam trap

Google Cloud often tests the distinction between network-level access controls (like VPC Service Controls or Cloud Armor) and IAM-based key authorization, leading candidates to choose perimeter security options instead of the correct identity-based decryption permission.

How to eliminate wrong answers

Option A is wrong because mutual TLS (mTLS) authenticates the client and server at the transport layer but does not control decryption permissions for CMEK; it addresses connection security, not key access. Option C is wrong because VPC Service Controls restrict data exfiltration and network access to Google Cloud services, but they do not grant or enforce IAM permissions to decrypt the CMEK key; they are a perimeter security control, not a key authorization mechanism. Option D is wrong because Cloud Armor is a web application firewall that filters traffic based on IP addresses or HTTP headers, but it cannot enforce IAM-based decryption permissions; it operates at the network edge, not at the key management layer.

608
MCQ · medium

A company stores sensitive customer data in Cloud Storage. They want to ensure that data is encrypted at rest using customer-managed encryption keys (CMEK) and that access to the key is audited. Which approach should they use?

A. Use Google-managed encryption keys and enable Cloud Audit Logs for the bucket.
B. Use CMEK with key material stored in a Cloud Storage bucket.
C. Use customer-supplied encryption keys (CSEK) and store the keys in Secret Manager.
D. Use CMEK with a Cloud KMS key and enable Cloud Audit Logs for the key.
Answer: D

CMEK uses Cloud KMS, and audit logs track access to the key.

Why this answer

Option D is correct because it combines customer-managed encryption keys (CMEK) via Cloud KMS with Cloud Audit Logs enabled on the key itself. This ensures the data is encrypted at rest using a key that the customer controls and rotates, and all operations against that key (e.g., encrypt, decrypt, enable, disable) are logged for auditing. Cloud Audit Logs on the bucket alone would not capture key access events, which is required for full auditability.

Exam trap

Google Cloud often tests the distinction between CMEK and CSEK, and the trap here is that candidates confuse 'customer-managed' with 'customer-supplied' and overlook that CMEK requires Cloud KMS for key management and auditing, not just storing key material in Cloud Storage or Secret Manager.

How to eliminate wrong answers

Option A is wrong because Google-managed encryption keys do not allow customer control or rotation of the key material, and enabling Cloud Audit Logs only on the bucket does not audit access to the encryption key itself. Option B is wrong because storing CMEK key material in a Cloud Storage bucket violates the principle of keeping keys separate from the data they protect, and Cloud Storage does not provide the key management lifecycle or audit logging that Cloud KMS offers. Option C is wrong because customer-supplied encryption keys (CSEK) require the customer to supply the key on every API call, and storing the keys in Secret Manager does not provide the same level of key rotation, versioning, or centralized audit logging as Cloud KMS with CMEK.

609
MCQ · easy

Your organization has a VPC with several subnets and wants to enable Private Google Access for Compute Engine instances in a specific subnet to access Google APIs and services without external IP addresses. What must be configured?

A. Assign external IPs to the instances and create a firewall rule allowing egress to Google APIs.
B. Create a Cloud NAT gateway and enable Private Google Access on the subnet.
C. Enable Private Google Access on the subnet and ensure that instances have a default route (0.0.0.0/0) with next hop to the default internet gateway.
D. Enable Private Google Access on the subnet only.
Answer: C

Private Google Access works with the default route to the internet gateway; no NAT needed.

Why this answer

Option C is correct because Private Google Access requires two components: enabling it on the subnet and having a default route (0.0.0.0/0) pointing to the internet gateway. This route allows instances without external IPs to use the VPC's default internet gateway to reach Google APIs via the 199.36.153.4/30 address range, which is advertised by Google's private IP space. Without the default route, traffic from the subnet cannot reach the internet gateway, even with Private Google Access enabled.

Exam trap

Google Cloud often tests the misconception that Cloud NAT is required for Private Google Access, but the correct configuration relies solely on the default internet gateway and a default route, not NAT.

How to eliminate wrong answers

Option A is wrong because assigning external IPs defeats the purpose of Private Google Access, which is designed for instances without public IPs, and a firewall rule alone does not enable the necessary routing. Option B is wrong because Cloud NAT is used for outbound internet access to non-Google services, not for Private Google Access, which uses the default internet gateway and Google's private IP range. Option D is wrong because enabling Private Google Access on the subnet alone is insufficient; a default route (0.0.0.0/0) with next hop to the default internet gateway is required to direct traffic to Google APIs.

610
MCQ · easy

What is the purpose of the Cloud DLP InfoType detector CREDIT_CARD_NUMBER?

A. It encrypts credit card numbers automatically.
B. It detects credit card numbers in data during inspection.
C. It redacts credit card numbers from images.
D. It de-identifies credit card numbers using masking.
Answer: B

InfoType detectors are used to find sensitive data.

Why this answer

Cloud DLP InfoType detectors are used to identify specific types of sensitive data. CREDIT_CARD_NUMBER is a built-in detector that finds credit card numbers in text or files.

611
MCQ · easy

A development team needs to grant a third-party auditor read-only access to a specific project's resources but must not allow the auditor to view any data stored in Cloud Storage buckets. Which IAM approach should be used?

A. Assign the predefined roles/viewer role and add a condition to deny access to Cloud Storage.
B. Use a deny policy to block access to storage.objects.get for the auditor.
C. Assign the basic roles/reader role to the auditor.
D. Create a custom role that includes only the required read permissions except those for Cloud Storage.
Answer: D

Custom roles allow exact permission selection, excluding storage read permissions.

Why this answer

Custom roles allow you to curate a specific set of permissions. You can create a role that includes read permissions for Compute Engine and Cloud SQL but excludes storage.objects.get on Cloud Storage. Predefined roles like Viewer include storage.objects.get, and basic roles are too broad.

Condition-based access can be complex and error-prone.

612
MCQ · medium

A security team needs to apply a set of firewall rules that enforce baseline security for all VPC networks across multiple projects in an organization. These rules must be inherited and cannot be overridden by project-level rules. What should they use?

A. VPC firewall rules
B. Network firewall policies
C. Cloud Armor security policies
D. Hierarchical firewall policies
Answer: D

Hierarchical firewall policies are applied at the organization or folder level, inherited, and cannot be overridden.

Why this answer

Hierarchical firewall policies can be applied at the organization or folder level and are inherited by all VPC networks in the hierarchy. They cannot be overridden by lower-level firewall rules, making them ideal for baseline security policies. Network firewall policies are applied to a specific VPC network.

VPC firewall rules are per project and can be overridden.

613
MCQ · medium

Refer to the exhibit. A security engineer runs the gcloud command to analyze IAM policy for a user in an organization. The output shows that the user has the 'compute.instances.create' permission via a role at the organization level. However, the user is unable to create Compute Engine instances in a specific project. What is the most likely cause?

A. The user does not have the 'compute.instances.create' permission at the project level.
B. The user has the permission but through a different role than expected.
C. An organization policy constraint is denying the creation of Compute Engine instances.
D. The user's role is not granted at the project level.
Answer: C

Organization policies can deny actions even if IAM allows them.

Why this answer

Option C is correct because organization policy constraints in Google Cloud can override IAM permissions at any level. Even if the user has the 'compute.instances.create' permission via an organization-level role, an organization policy constraint (e.g., constraints/compute.vmExternalIpAccess or constraints/compute.restrictCreateVM) can explicitly deny the creation of Compute Engine instances in a specific project. This is a common scenario where IAM allows the action, but organization policy blocks it.

Exam trap

Google Cloud often tests the distinction between IAM permissions and organization policy constraints, trapping candidates who assume that having the correct IAM permission at any level is sufficient to perform an action, without considering that organization policies can override IAM.

How to eliminate wrong answers

Option A is wrong because the user has the permission at the organization level, which is inherited by all projects in the organization, so the permission is effectively present at the project level. Option B is wrong because the role through which the permission is granted is irrelevant; IAM evaluates permissions based on the permission itself, not the role name. Option D is wrong because the role is granted at the organization level, and organization-level roles are inherited by all projects, so the role is effectively granted at the project level.

614
Multi-Select · medium

Your organization uses Cloud Key Management Service (KMS) to encrypt data at rest. You need to rotate keys automatically every 90 days. Which THREE steps are required? (Choose 3)

Select 3 answers
A. Re-encrypt any data encrypted with older versions using the new key version.
B. Enable automatic rotation on the key.
C. Create a new key version every 90 days manually.
D. Ensure the key is destroyed after rotation.
E. Use a Cloud Function to trigger rotation.
F. Set a rotation period on the Cloud KMS key.
Answers: A, B

Re-encryption ensures data is protected by the latest key version.

Why this answer

Options B, C, and E are correct. You need to set a rotation period on the Cloud KMS key (B), enable automatic rotation (C), and re-encrypt any data encrypted with older versions using the new key version (E) to ensure data is protected by the new key. Option A is incorrect because rotation should be automatic.

Option D is incorrect because old key versions should not be destroyed immediately; they are needed to decrypt existing data. Option F is unnecessary because automatic rotation is a built-in feature.

615
MCQ · medium

A healthcare organization is migrating to Google Cloud and needs to store Protected Health Information (PHI) in Cloud Storage. They have signed a Business Associate Agreement (BAA) with Google. Which additional step is REQUIRED to ensure HIPAA compliance for the data stored?

A. Use Customer-Managed Encryption Keys (CMEK) for the bucket.
B. Configure the bucket to be in a VPC with no public access.
C. Enable Object Versioning on the bucket.
D. No additional action is required; Cloud Storage is HIPAA-eligible and encrypts data at rest by default.
Answer: D

Cloud Storage is a HIPAA-eligible service. With a BAA in place and default encryption at rest, no further steps are strictly required for storage.

Why this answer

HIPAA requires encryption of PHI at rest. Cloud Storage automatically encrypts data at rest using Google-managed keys. Customers can optionally use CMEK, but CMEK is not required.

Enabling Object Versioning is not a HIPAA requirement. Configuring a VPC is a network control, not a specific HIPAA requirement for storage.

616
MCQ · medium

A company uses Cloud Armor Managed Protection Plus to protect their applications. They want to automatically block IP addresses that are identified as malicious by adaptive protection. How should they configure this?

A. Manually review adaptive protection alerts and create deny rules.
B. Use the 'rate limiting' rule to block high-traffic IPs.
C. Set up a Cloud Function to parse logs and create rules via API.
D. Enable 'auto-deploy' in the adaptive protection configuration.
Answer: D

Correct: Adaptive protection has an auto-deploy option that automatically creates deny rules for identified malicious IPs.

Why this answer

Cloud Armor adaptive protection uses machine learning to detect DDoS attacks. It can automatically create deny rules for malicious IPs if configured to do so. The setting is in the security policy's adaptive protection configuration.

617
MCQ · hard

An organization uses VPC Service Controls with a service perimeter that includes Cloud Storage and BigQuery. They need to allow a specific on-premises service account to write data to a Cloud Storage bucket inside the perimeter. The on-premises network connects via Cloud VPN. What must be configured in the perimeter?

A. An ingress rule that specifies the on-premises service account and the Cloud VPN network as sources
B. A VPC firewall rule allowing traffic from the VPN to the Cloud Storage bucket
C. An egress rule that allows the service account to exit the perimeter
D. An access level that includes the on-premises IP range
Answer: A

Ingress rules allow external identities and networks to access resources inside the perimeter.

Why this answer

To allow an on-premises service account to access resources inside a service perimeter, you need an ingress rule that specifies the source (the on-premises identities and network) and the target resources (the Cloud Storage bucket). The source must include both the identity (service account) and the network (VPC or IP range).

618
MCQ · hard

During an incident response, a security engineer needs to analyze a Pub/Sub message that was produced by a Cloud Function triggered by a SCC finding. The message has been acknowledged and deleted from the subscription. How can the engineer retrieve the message again?

A. Submit a support ticket to Google to recover the message from internal storage.
B. Check the Cloud Function logs to view the message payload.
C. Create a new subscription to the same topic and enable 'retain_acked_messages' before the message was published.
D. Use the 'gcloud pubsub subscriptions seek' command with a snapshot or timestamp to replay the message.
Answer: D

Seek allows replaying messages from a specific point, including acked messages if a snapshot was taken or retention is enabled.

Why this answer

Pub/Sub supports message replay by seeking a snapshot or a timestamp. This allows reprocessing messages that have been acknowledged. There is no 'dead-letter queue' for this scenario.

Cloud Logging logs the message payload if configured, but not by default.

619
MCQ · hard

An organization uses VPC Service Controls in dry-run mode for a project containing Google Cloud Storage. They notice that BigQuery jobs are being logged as violations. How should they interpret this?

A. The perimeters are logging potential violations; no action has been taken yet.
B. The dry-run mode is not supported for Cloud Storage projects.
C. The perimeters are not configured correctly because BigQuery should not be affected.
D. The perimeters are working correctly and BigQuery access is blocked.
Answer: A

Dry-run logs violations without enforcement.

Why this answer

In dry-run mode, VPC Service Controls logs violations without enforcement, allowing administrators to review and adjust perimeters before enabling enforcement.

620
MCQ · medium

A financial institution must store audit logs for 7 years to comply with PCI DSS requirements. By default, Cloud Audit Logs are retained for 30 days. What is the most cost-effective way to retain audit logs for 7 years?

A. Use Assured Workloads to automatically extend audit log retention to 7 years.
B. Create a log bucket with a retention period of 7 years using Log Analytics.
C. Configure a log sink to export logs to Cloud Storage with a retention policy set to 7 years using Object Lifecycle Management.
D. Increase the retention period for Cloud Audit Logs in the Logs Router to 7 years.
Answer: C

Exporting logs to Cloud Storage and setting a retention policy via lifecycle management is cost-effective and meets retention requirements.

Why this answer

To retain audit logs beyond Cloud Logging's 365-day max, export to Cloud Storage using a log sink and use Object Lifecycle Management to set a retention policy.

621
MCQ · hard

A company runs a batch job on Compute Engine that processes sensitive data. The job uses a service account with a JSON key file stored on the VM. A security audit recommends removing long-lived keys. The job must run unattended. What is the best alternative?

A. Store the service account key in Secret Manager and retrieve it at runtime.
B. Create a new service account and attach it to the VM instance; remove the old key.
C. Use the default compute engine service account instead.
D. Use Workload Identity Federation to authenticate the batch job.
Answer: B

Attached service accounts use short-lived tokens from the metadata server, no keys needed.

Why this answer

Using a service account attached to the VM instance is the best practice. Compute Engine automatically obtains short-lived tokens from the metadata server, eliminating the need for keys. Workload Identity Federation is for external workloads.

Secret Manager still requires a key to access. Default compute service account is less secure than a custom one.

622
MCQ · easy

Users are reporting 502 Bad Gateway errors when accessing an application behind an external HTTPS Load Balancer. What is the most likely cause?

A. The backend instances are unhealthy or the SSL certificate is invalid
B. Cloud CDN is not enabled for the load balancer
C. The backend instances have reached maximum concurrent connections
D. The load balancer is configured as an internal load balancer
Answer: A

A 502 error indicates a communication failure between the load balancer and backend, often due to health check failures or SSL misconfiguration.

Why this answer

Option B is correct because 502 errors typically indicate that the load balancer cannot communicate with the backend, often due to unhealthy instances or SSL certificate issues. Option A is wrong because connection limits cause 503 or 429 errors, not 502. Option C is wrong because the load balancer type is correct for HTTPS.

Option D is wrong because CDN affects content delivery, not backend connectivity.

623
MCQ · easy

A security team wants to detect and block network-based threats such as malware and command-and-control traffic within their VPC. They need a managed service that provides deep packet inspection. Which Google Cloud service should they use?

A. Cloud IDS
B. Security Command Center
C. VPC Flow Logs
D. Cloud Armor
Answer: A

Correct: Cloud IDS provides managed network threat detection and can block threats.

Why this answer

Cloud IDS (Intrusion Detection System) is a managed service that uses Palo Alto Networks threat detection to inspect network traffic for threats. It integrates with packet mirroring to analyze traffic.

624
MCQ · easy

A developer needs to create and manage Compute Engine instances in a project. They require the ability to start, stop, and view instances, but should not be able to delete or modify network configurations. Which predefined role should be assigned?

A. roles/compute.viewer
B. roles/iam.serviceAccountUser
C. roles/compute.admin
D. roles/compute.instanceAdmin.v1
Answer: D

Provides the required permissions: compute.instances.* except delete, and compute.instances.start/stop.

Why this answer

Option D is correct because the `roles/compute.instanceAdmin.v1` role grants permissions to start, stop, and view Compute Engine instances, but explicitly excludes permissions to delete instances or modify network configurations. This predefined role is designed for users who need operational control over instances without full administrative access.

Exam trap

Google Cloud often tests the distinction between `roles/compute.instanceAdmin.v1` and `roles/compute.admin`, where candidates mistakenly choose the admin role for operational tasks, overlooking the fact that admin includes destructive permissions like deletion and network modification.

How to eliminate wrong answers

Option A is wrong because `roles/compute.viewer` only provides read-only access to view Compute Engine resources, not the ability to start or stop instances. Option B is wrong because `roles/iam.serviceAccountUser` allows a user to impersonate a service account, but does not grant any permissions to manage Compute Engine instances. Option C is wrong because `roles/compute.admin` grants full administrative access to all Compute Engine resources, including the ability to delete instances and modify network configurations, which exceeds the required permissions.

625
MCQ · medium

A company uses Cloud KMS with automatic rotation enabled for a symmetric key. The rotation period is set to 90 days. After 90 days, a new key version is created. The compliance team asks: what happens to data encrypted with the old key version?

A. The old key version remains available for decryption of existing data.
B. The old key version is immediately disabled, and all data must be re-encrypted.
C. Data encrypted with the old key is automatically re-encrypted with the new key.
D. The old key version is deleted after the rotation period.
Answer: A

Old key versions are retained and can decrypt data encrypted with them.

Why this answer

When a key is rotated, a new version is created. Data encrypted with the old version can still be decrypted because the old version remains available for decryption. The key material is not destroyed unless manually deleted.

Automatic rotation does not re-encrypt existing data.

626
MCQ · medium

A security engineer receives an alert from Cloud Security Command Center (Cloud SCC) about a resource that is publicly accessible. The engineer identifies that the resource is a Cloud Storage bucket containing sensitive data. After making the bucket private, what is the next best step to prevent recurrence?

A. Add a note in the operations runbook to check bucket permissions weekly.
B. Delete the bucket and all its contents to avoid future exposure.
C. Set an organization policy to disable public access to all Cloud Storage buckets.
D. Create a Cloud Security Command Center notification for public bucket findings and use a Cloud Function to automatically disable public access.
Answer: D

Automated response reduces recurrence risk.

Why this answer

Option B is correct because creating a security health analytics sink to Pub/Sub enables automated remediation. Option A is incorrect because deleting the bucket may lose data. Option C is incorrect because disabling public access at the organization level might be too broad and impact legitimate needs.

Option D is incorrect because relying on documentation is not preventive.

627
MCQ · easy

Which Google Cloud service provides the ability to enforce data retention policies on Cloud Storage objects to prevent deletion or modification for a specified duration?

A. Cloud Storage Bucket Lock
B. VPC Service Controls
C. Cloud Storage Object Retention Lock
D. Cloud Storage Object Lifecycle Management
Answer: C

Object Retention Lock enforces a WORM (Write Once Read Many) policy, preventing deletion or modification.

Why this answer

Object Retention Lock uses retention policies and legal holds to comply with WORM requirements.

628
MCQ · hard

Refer to the exhibit. A security engineer reviews this IAM policy. Which compliance requirement does this policy help satisfy?

A. Key rotation schedule for encryption keys
B. Data residency by limiting access to European regions
C. Audit logging of data access
D. Encryption of data at rest
Answer: B

By restricting access to resources in europe-west, the policy supports data residency compliance.

Why this answer

The IAM policy includes a `Condition` block using `aws:RequestedRegion` to explicitly deny access to any AWS region outside of the specified European regions (eu-west-1, eu-central-1, etc.). This enforces data residency by ensuring that API calls that would create or modify resources are restricted to approved geographic boundaries, helping satisfy compliance requirements such as GDPR or local data sovereignty laws.

Exam trap

Google Cloud often tests the distinction between IAM policies that control access (like region restriction) versus resource-level configurations (like encryption or logging), leading candidates to confuse a condition-based access control policy with a data protection mechanism.

How to eliminate wrong answers

Option A is wrong because key rotation schedules are managed through AWS KMS key policies or automated rotation settings, not through IAM policies that control API access based on region. Option C is wrong because audit logging of data access is enabled by services like AWS CloudTrail or Amazon S3 server access logs, not by an IAM policy that restricts regional access. Option D is wrong because encryption of data at rest is enforced through encryption settings on the resource itself (e.g., S3 SSE, EBS encryption) or via KMS key policies, not by an IAM policy that limits the regions where API calls can be made.

629
MCQ · hard

A company uses SAML 2.0 federation with an external IdP. Users are synced from Active Directory to Cloud Identity using Google Cloud Directory Sync (GCDS). The security engineer needs to ensure that only users from a specific Active Directory group can access Google Cloud resources. What should be configured?

A. Configure the SAML IdP to include a custom attribute indicating group membership, and use attribute-based access control in Google Cloud.
B. Use IAP to restrict access based on user identity.
C. Configure an organization policy constraint (constraints/iam.allowedPolicyMemberDomains) to restrict IAM policies to the company's domain.
D. Create a Cloud Identity group that is synced with the AD group via GCDS, and assign IAM roles to that group.
Answer: D

This ensures only users in the AD group are members of the Cloud Identity group, and thus have access.

Why this answer

The correct approach is to configure the IdP to only send SAML assertions for users in that specific AD group, and then in Cloud Identity, map that group to a Cloud Identity group or use attribute-based access. Alternatively, use organization policies with constraints/iam.allowedPolicyMemberDomains to restrict members to specific domains. But the question is about user access, not policy binding.

The best answer is to create a Cloud Identity group that syncs with the AD group, and grant IAM roles to that group. This ensures only members of the AD group get access.

630
MCQ · medium

A security team wants to scan a web application hosted on Compute Engine for vulnerabilities like XSS and outdated libraries. They want the scan to be authenticated to cover areas behind login. Which Google Cloud service and configuration should they use?

A. VM Manager patch management to check for outdated libraries.
B. Cloud Security Scanner with a custom scan configuration including authentication headers.
C. Container Analysis with a custom scanning schedule.
D. Web Security Scanner with a managed scan and custom login credentials.
Answer: D

Web Security Scanner supports authenticated scanning.

Why this answer

Web Security Scanner can perform authenticated scans by providing login credentials. It can scan applications on Compute Engine and App Engine. It identifies vulnerabilities like XSS, mixed content, and outdated libraries.

631
Multi-Select · hard

Which THREE steps are necessary to ensure that a Google Cloud project complies with FedRAMP Moderate baseline requirements for access control? (Choose three.)

Select 3 answers
A. Set up session expiration policies that automatically log out inactive users after 15 minutes.
B. Configure Cloud NAT to allow instances to access the internet without public IPs.
C. Enforce multi-factor authentication (MFA) for all users accessing the Google Cloud Console.
D. Create custom IAM roles that grant only the minimum permissions required for each job function.
E. Implement VPC Service Controls to prevent data exfiltration.
Answers: A, C, D

Session timeouts are required for access control.

Why this answer

Option A is correct because FedRAMP Moderate requires session timeout policies to mitigate the risk of unauthorized access from unattended sessions. Google Cloud IAM session settings allow you to enforce a maximum session duration, and setting it to 15 minutes aligns with the FedRAMP requirement for automatic logout of inactive users. This directly addresses the access control family (AC-12) in the FedRAMP baseline.

Exam trap

Google Cloud often tests the distinction between access control (user authentication, session management, least privilege) and network security controls (NAT, VPC perimeters), leading candidates to incorrectly select options that address data exfiltration or internet access rather than direct access control requirements.

632
Multi-Select · medium

A company is deploying a multi-region application that must store data only within the European Union to comply with GDPR data residency requirements. They also need to ensure that Google Cloud administrators cannot access customer content. Which two controls should they implement? (Choose TWO.)

Select 2 answers
A. Use VPC Service Controls.
B. Apply the organization policy constraint gcp.resourceLocations with the allowed regions set to europe-west1, europe-west2, etc.
C. Enable Access Transparency.
D. Configure Cloud DLP inspection jobs to scan for GDPR-sensitive data.
E. Enable Assured Workloads with EU regions boundary.
Answers: B, C

This policy ensures resources are only created in specified EU regions.

Why this answer

To enforce data residency, the organization policy constraint gcp.resourceLocations restricts resource creation to specific regions. For EU data residency, they would list EU regions. Access Transparency provides logs of Google admin access to customer content, allowing the customer to monitor and audit such access.

Assured Workloads is for compliance frameworks like FedRAMP, not specifically for data residency. Cloud DLP is for data loss prevention, not residency. VPC Service Controls is for data exfiltration prevention, not residency.

633
MCQ · hard

A security engineer reviews the IAM policy for a Cloud Storage bucket as shown in the exhibit. Alice reports that she cannot upload objects to the bucket, while Bob can view objects. What is the most likely issue?

A. The bucket has ACLs that deny Alice upload access.
B. Alice has the objectViewer role but not the objectAdmin role.
C. Alice does not have the storage.buckets.getIamPolicy permission.
D. The objectAdmin role does not include the storage.objects.create permission.
Answer: A

If uniform bucket-level access is not enabled, ACLs can override IAM.

Why this answer

Option A is correct because Cloud Storage buckets can have both IAM policies and Access Control Lists (ACLs) applied. If the bucket's ACL explicitly denies Alice the `WRITER` or `OWNER` permission, she will be unable to upload objects even if her IAM policy grants broader roles. Bob can view objects because his IAM role (e.g., `roles/storage.objectViewer`) is not overridden by a conflicting ACL, or his ACL entry grants `READER` access.

Exam trap

Google Cloud often tests the misconception that IAM policies alone control all access to Cloud Storage, ignoring that ACLs can override or deny permissions, leading candidates to incorrectly blame missing roles or permissions rather than a conflicting ACL.

How to eliminate wrong answers

Option B is wrong because the `objectViewer` role only allows reading objects, not uploading; however, the question states Alice cannot upload, so the issue is not about missing `objectAdmin` but a specific denial. Option C is wrong because `storage.buckets.getIamPolicy` is used to view the bucket's IAM policy, not to upload objects; lacking this permission would not prevent uploading. Option D is wrong because the `objectAdmin` role (`roles/storage.objectAdmin`) does include `storage.objects.create`, which is required for uploading; this option misrepresents the role's permissions.

634
Multi-Select · hard

A gaming company deploys a multiplayer game backend on Google Kubernetes Engine (GKE) with multiple microservices. The operations team needs to collect structured logs from containers, analyze them in real-time for anomalies, and store them for 30 days for compliance. They also need to monitor custom application metrics (e.g., player count per game server). Which three Google Cloud services should they use? (Choose three.)

Select 3 answers
A. Cloud Logging to collect container logs and store them for 30 days using a log bucket retention policy
B. Chronicle to ingest logs from Cloud Logging and apply anomaly detection rules
C. BigQuery to store logs for 30 days and run real-time queries
D. Cloud SQL to store application metrics
E. Cloud Monitoring to collect custom metrics via the Monitoring API and set up dashboards
Answers: A, B, E

Cloud Logging is the native log management service for GCP, supporting custom retention.

Why this answer

Cloud Logging collects and stores logs, Cloud Monitoring collects metrics and supports custom metrics, and Chronicle can analyze logs for anomalies in real-time. BigQuery is for long-term analysis but not real-time anomaly detection.

635
MCQ · easy

Which Cloud KMS key purpose should be used to encrypt and decrypt data directly?

A. ASYMMETRIC_DECRYPT
B. ASYMMETRIC_SIGN
C. ENCRYPT_DECRYPT
D. MAC
Answer: C

This purpose enables symmetric encryption and decryption operations.

Why this answer

The ENCRYPT_DECRYPT purpose is for symmetric encryption/decryption. ASYMMETRIC_SIGN is for digital signing, ASYMMETRIC_DECRYPT is for asymmetric decryption (e.g., using RSA), and MAC is for message authentication codes.

636
Multi-Select · medium

Which TWO configurations are required to use Customer-Managed Encryption Keys (CMEK) with Cloud Storage to meet a compliance requirement that keys must be rotated every 30 days? (Choose two.)

Select 2 answers
A. Set a key destruction policy to prevent accidental deletion of the key.
B. Use Cloud External Key Manager (EKM) to manage the key externally.
C. Create a Cloud KMS key ring and key with a rotation period of 30 days.
D. Use a Cloud HSM key with protection level HSM to meet key storage requirements.
E. Grant the Cloud Storage service account the Cloud KMS CryptoKey Encrypter/Decrypter role on the key.
Answers: C, E

The key must have a rotation schedule to meet the requirement.

Why this answer

Option C is correct because Cloud KMS allows you to set a rotation period on a key, and when you use a CMEK with Cloud Storage, the key is used to encrypt the data encryption keys (DEKs). Setting a rotation period of 30 days ensures that the key material is automatically rotated every 30 days, meeting the compliance requirement. Option E is correct because the Cloud Storage service account must be granted the Cloud KMS CryptoKey Encrypter/Decrypter role to be authorized to use the CMEK for encrypting and decrypting objects.

Exam trap

Google Cloud often tests the distinction between key rotation (a lifecycle policy) and key protection (HSM or destruction policies), so candidates mistakenly select options that address security or deletion prevention instead of the rotation requirement.

637
MCQ · medium

A company uses hierarchical firewall policies at the organization level to enforce a baseline deny-all rule. A project administrator wants to create a firewall rule that allows HTTP traffic to a specific VM. Which statement is correct?

A. The project administrator can modify the hierarchical policy to allow HTTP.
B. The project administrator can create a VPC firewall rule to allow HTTP, and it will work if the policy is not enforced.
C. The project administrator cannot allow HTTP because the hierarchical policy denies all traffic.
D. The project administrator can create a VPC firewall rule with higher priority to override the policy.
Answer: C

Hierarchical policies are mandatory and override lower-level rules.

Why this answer

Hierarchical firewall policies are inherited and cannot be overridden by lower-level rules. The deny-all rule from the policy takes precedence over any VPC firewall rule that would allow traffic.

638
MCQ · hard

A multinational corporation is implementing a least-privilege access model for their CI/CD pipeline using Cloud Build, Artifact Registry, and GKE. The pipeline builds container images, pushes them to Artifact Registry, and deploys them to GKE clusters. The security team wants to ensure that the Cloud Build service account used by the pipeline has only the minimum necessary permissions. The service account currently has: roles/cloudbuild.builds.editor, roles/artifactregistry.writer, and roles/container.developer. After a successful build and push, the deployment step completes without errors, but the newly deployed pods on GKE immediately fail with ImagePullBackOff errors. The error message indicates: "Failed to pull image 'us-central1-docker.pkg.dev/my-project/my-repo/my-image:latest': rpc error: code = PermissionDenied desc = unauthenticated: Request had insufficient authentication scopes." The GKE cluster is a private cluster with Workload Identity enabled. The node pool uses a default Compute Engine service account with only the storage scope. What is the most likely missing permission or configuration that prevents the pods from pulling images?

A. The service account needs roles/artifactregistry.reader on the repository.
B. The service account needs roles/storage.objectViewer on the bucket where images are cached.
C. The service account needs roles/container.clusterAdmin on the cluster.
D. The service account needs roles/iam.serviceAccountUser on the GKE node service account.
Answer: D

Option D is correct: with Workload Identity, the pod's Kubernetes service account (typically the default) maps to the node service account. Granting the Cloud Build service account the serviceAccountUser role on the node service account allows impersonation for pulling images.

Why this answer

Option D is correct because the Cloud Build service account needs the `roles/iam.serviceAccountUser` permission on the GKE node's Compute Engine service account to impersonate it. With Workload Identity enabled, the GKE node's service account (not the Cloud Build service account) is what authenticates to Artifact Registry when pods pull images. Without this delegation, the Cloud Build service account cannot act on behalf of the node's service account, leading to the `PermissionDenied` error.

Exam trap

Google Cloud often tests the misconception that the Cloud Build service account itself needs Artifact Registry read permissions, when in reality the node's service account must have those permissions and the Cloud Build service account needs the `iam.serviceAccountUser` role to impersonate it.

How to eliminate wrong answers

Option A is wrong because the Cloud Build service account already has `roles/artifactregistry.writer`, which includes read permissions; the issue is not about the Cloud Build service account's permissions but about the node's service account lacking Artifact Registry read access. Option B is wrong because Artifact Registry does not use Cloud Storage buckets for image caching; images are stored directly in the registry, and the error is about authentication scopes, not storage permissions. Option C is wrong because `roles/container.clusterAdmin` grants cluster management permissions, not the ability to pull images from Artifact Registry; the error occurs at the pod level, not during deployment.

639
MCQ · easy

Which Cloud Armor feature uses machine learning to detect and mitigate DDoS attacks?

A. Preconfigured WAF rules
B. Rate limiting
C. Adaptive Protection
D. Custom rules
Answer: C

Adaptive Protection uses ML to detect anomalies.

Why this answer

Cloud Armor Adaptive Protection uses ML-based DDoS detection to automatically learn normal traffic patterns and alert or mitigate attacks.

640
Multi-Select · medium

A company wants to deploy a containerized application on GKE that needs to access Cloud SQL. They want to avoid storing database credentials in the application. Which THREE components should they use?

Select 3 answers
A. Cloud SQL Auth Proxy (sidecar container)
B. Cloud SQL private IP
C. Workload Identity
D. Service account key stored in a Kubernetes secret
E. IAM database authentication
Answers: A, C, E

The Cloud SQL Auth Proxy handles TLS and IAM authentication to Cloud SQL.

Why this answer

Workload Identity binds a Kubernetes service account to a GCP service account. The Cloud SQL Auth Proxy provides secure access to Cloud SQL using IAM database authentication. IAM database authentication allows the service account to authenticate to Cloud SQL without passwords.

641
MCQ · medium

A company wants to allow their employees to access an internal web application running on Compute Engine using Identity-Aware Proxy (IAP). They want to ensure that only users from their corporate domain (example.com) can access the app. What is the recommended approach?

A. Grant the IAP-secured Web App User role to each individual user from the corporate domain.
B. Create a Cloud Identity group containing all corporate users, and grant the IAP-secured Web App User role to that group.
C. Use a custom SAML attribute in the IdP to filter access.
D. Configure a firewall rule that allows traffic only from the corporate IP range.
Answer: B

Granting the role to a group is a scalable and maintainable approach.

Why this answer

Option B is correct because Identity-Aware Proxy (IAP) uses Cloud Identity groups to manage access at scale. By creating a group containing all corporate users (e.g., from example.com) and granting the IAP-secured Web App User role to that group, you enforce domain-level access without managing individual users. This approach leverages IAP's integration with Cloud Identity to verify the user's email domain against the group membership, ensuring only example.com users can reach the application.

Exam trap

Google Cloud often tests the misconception that IP-based firewall rules (Option D) are sufficient for access control, but the trap here is that IAP is specifically designed to replace network-level controls with identity-based access, making IP filtering an outdated and insecure approach in this context.

How to eliminate wrong answers

Option A is wrong because granting the IAP-secured Web App User role to each individual user is not scalable and violates the principle of least privilege management; it also does not inherently restrict to the corporate domain unless each user is manually verified. Option C is wrong because custom SAML attributes in the IdP are used for attribute-based access control (ABAC) but are not the recommended approach for domain-level filtering with IAP; IAP relies on Cloud Identity groups or OAuth scopes, not SAML attributes, to enforce domain restrictions. Option D is wrong because configuring a firewall rule based on corporate IP ranges bypasses IAP's identity-aware access control, exposing the application to network-level risks and failing to authenticate individual users; IAP is designed to replace IP-based restrictions with user identity verification.

642
MCQ · hard

An organization has a deny policy that denies the compute.instances.create permission for all principals on a folder. A user is granted the Compute Admin role (which includes compute.instances.create) at the project level within that folder. Can the user create Compute Engine instances in that project?

A. No, because deny policies take precedence over allow policies.
B. No, because the user is not an organization administrator.
C. Yes, if the user also has the Owner role at the project level.
D. Yes, because the project-level IAM grant overrides the folder-level deny.
Answer: A

Deny policies are evaluated after allow policies and take precedence.

Why this answer

Deny policies override allow policies regardless of hierarchy. If a deny policy denies the permission, it cannot be granted by any allow policy. The user will be denied even though they have the role.

643
MCQ · easy

A small company has a single VPC with subnets in us-central1 (10.0.1.0/24) and us-west1 (10.0.2.0/24). They have a Compute Engine VM (web-server) in us-central1 that needs to connect to a Cloud SQL MySQL instance also in us-central1 using its private IP address 10.0.1.3. The Cloud SQL instance is configured with private IP only and is deployed in the same VPC. The web-server can successfully ping the Cloud SQL private IP (10.0.1.3). However, the application on the web-server fails to connect to the MySQL database with an authentication error. There are no custom firewall rules; only the default VPC firewall rules are in place. What is the most likely cause of the connection failure?

A. The default-allow-internal firewall rule does not allow TCP port 3306.
B. The web-server's service account lacks the Cloud SQL Client IAM role.
C. The Cloud SQL instance does not have the public IP address enabled.
D. The Cloud SQL instance is in a different region than the web-server.
Answer: B

This role is necessary to authenticate to Cloud SQL; without it, the application fails with a permission error.

Why this answer

The web-server can ping the Cloud SQL private IP (10.0.1.3), confirming network connectivity at Layer 3. The authentication error indicates the application is reaching the database but being denied access. Cloud SQL uses IAM for authentication when connecting via private IP; the web-server's service account must have the Cloud SQL Client IAM role to authenticate successfully.

Without this role, the connection is rejected even though the network path is open.

Exam trap

Google Cloud often tests the distinction between network connectivity (Layer 3 reachability) and application-layer authentication, leading candidates to incorrectly blame firewall rules or IP configuration when the real issue is missing IAM permissions for Cloud SQL private IP access.

How to eliminate wrong answers

Option A is wrong because the default-allow-internal firewall rule in GCP allows all TCP traffic (including port 3306) between instances in the same VPC, so it does not block MySQL connections. Option C is wrong because the Cloud SQL instance is configured with private IP only, which is sufficient for connectivity; enabling a public IP is not required for private access and would not cause an authentication error. Option D is wrong because both the web-server and the Cloud SQL instance are in us-central1, as stated in the scenario, so region mismatch is not the issue.

644
MCQ · medium

An organization uses Google Workspace for email and collaboration. They want to allow employees to sign in to a custom web application using their Google Workspace credentials. The application runs on Compute Engine and uses a PostgreSQL database. Which identity solution should they implement?

A. Workload Identity Federation.
B. Cloud Identity-Aware Proxy (IAP) with OIDC.
C. SAML 2.0 federation with the web app.
D. Firebase Authentication with Google provider.
Answer: B

IAP provides authentication using Google identity and works with OIDC for web apps.

Why this answer

IAP with OIDC is the correct approach. IAP integrates with Google identity (including Google Workspace) and provides authentication and authorization for web applications. OIDC is the protocol used to verify identity.

SAML is for SSO but IAP uses OIDC. Firebase Auth is for consumer apps. Cloud Identity-Aware Proxy (IAP) is specifically designed for this use case.

645
MCQ · medium

A company runs a multi-tier application on Compute Engine behind an external HTTP(S) Load Balancer. The backend consists of a managed instance group for the application tier and a Cloud Storage bucket for static assets. During peak traffic, some users receive HTTP 503 errors. The backend instances are healthy and the load balancer shows no connection errors. The company has already enabled Cloud CDN for the backend bucket. What should they do to resolve the 503 errors?

A. Increase the size of the instance group to handle more requests.
B. Enable Cloud CDN on the backend bucket to cache static content.
C. Increase the backend bucket's cache mode to force caching of dynamic content.
D. Adjust the load balancer's connection draining timeout.
Answer: A

Scaling up the instance group adds capacity to serve more requests, reducing 503 errors from resource exhaustion.

Why this answer

The 503 errors likely indicate that the instance group cannot handle the request volume. Increasing the size of the instance group provides more capacity. Option B is incorrect because CDN is already enabled for static content, and the 503 is likely for dynamic content.

Option C is incorrect because forcing caching of dynamic content may serve stale data or not be allowed. Option D is incorrect because connection draining affects instance removal, not capacity.

646
MCQ · medium

A company is subject to PCI DSS and needs to protect a web application that processes credit card data. They want to block common web attacks such as SQL injection and cross-site scripting (XSS). Which Google Cloud service should they use?

A. Cloud Armor
B. Cloud NAT
C. Cloud CDN
D. Identity-Aware Proxy (IAP)
Answer: A

Cloud Armor provides WAF capabilities including preconfigured rules for SQLi and XSS, meeting the requirement.

Why this answer

Cloud Armor is a Web Application Firewall (WAF) that provides protections against OWASP Top 10 threats like SQL injection and XSS. It integrates with Cloud Load Balancing to filter traffic.

647
MCQ · easy

A new employee needs to be able to create and manage Compute Engine instances. Which role should be granted at the project level?

A. roles/compute.instanceAdmin
B. roles/compute.admin
C. roles/compute.networkAdmin
D. roles/compute.viewer
Answer: A

This role includes the necessary permissions to create and manage instances.

Why this answer

The roles/compute.instanceAdmin role grants permissions to create, modify, and delete Compute Engine instances, including starting, stopping, and managing disks and snapshots, but does not allow changing project-wide network configurations or granting IAM policies. This is the least-privilege role that meets the requirement to 'create and manage Compute Engine instances' at the project level.

Exam trap

The trap here is that candidates often confuse 'admin' with 'instanceAdmin', assuming the broader role is required, but the PCSE exam emphasizes granting the minimal set of permissions needed to perform a specific job function.

How to eliminate wrong answers

Option B (roles/compute.admin) is wrong because it grants full administrative access to all Compute Engine resources, including network and security settings, which exceeds the stated need and violates the principle of least privilege. Option C (roles/compute.networkAdmin) is wrong because it only allows management of networking resources (firewalls, routes, VPNs) and does not grant permissions to create or manage instances. Option D (roles/compute.viewer) is wrong because it provides read-only access to Compute Engine resources, with no ability to create, modify, or delete instances.

648
Multi-Select · medium

A company has multiple Google Cloud projects under an organization. They want to ensure that only service accounts from their own Cloud Identity domain (example.com) can be used in IAM policies. Which TWO steps should they take? (Choose TWO.)

Select 2 answers
A. Configure VPC Service Controls to restrict access.
B. Remove any IAM policies that include members from other domains.
C. Use Cloud Identity to block external users.
D. Create a deny policy that denies the resourcemanager.projects.setIamPolicy permission for non-example.com users.
E. Apply the organization policy constraint constraints/iam.allowedPolicyMemberDomains with value ['example.com'] at the organization level.
Answers: B, E

Existing policies with other domains would violate the constraint and cause errors.

Why this answer

The organization policy constraint constraints/iam.allowedPolicyMemberDomains restricts member domains in IAM policies. Setting it to ['example.com'] ensures only principals from that domain can be added. Additionally, removing other domains from existing policies is necessary to enforce the constraint.

649
MCQ · easy

A DevOps team wants to grant a contractor temporary access to a specific Cloud Storage bucket for 30 days. The contractor has a Google account (example@gmail.com). The bucket contains sensitive data, and the access should be as restrictive as possible. What is the recommended way to grant this access?

A. Create a bucket ACL granting the contractor READ access.
B. Add the contractor's email to the project-level IAM policy with the 'Storage Object Viewer' role.
C. Add the contractor's email to the bucket-level IAM policy with the 'Storage Object Viewer' role.
D. Generate a signed URL for the contractor to access the bucket objects.
Answer: C

Bucket-level IAM is granular and can be removed after 30 days.

Why this answer

Option C is correct because bucket-level IAM policies allow you to grant granular, time-bound access to a specific bucket without affecting other resources in the project. By adding the contractor's email (example@gmail.com) to the bucket-level IAM policy with the 'Storage Object Viewer' role, you restrict access to only that bucket and only to read objects, which is the most restrictive approach for a 30-day temporary access requirement.

Exam trap

Google Cloud often tests the distinction between project-level and resource-level IAM policies, and the trap here is that candidates choose project-level IAM (Option B) thinking it's simpler, but they overlook that it grants access to all buckets in the project, violating the principle of least privilege.

How to eliminate wrong answers

Option A is wrong because bucket ACLs are legacy and do not support IAM conditions for time-bound access; they also lack the granularity of IAM roles and are not recommended for new configurations. Option B is wrong because adding the contractor to the project-level IAM policy grants read access to all storage buckets in the project, which violates the 'as restrictive as possible' requirement and exposes other sensitive data. Option D is wrong because signed URLs provide temporary access to specific objects, not the entire bucket, and managing them for all objects over 30 days is impractical and insecure for ongoing bucket-level access.

650
Multi-Select · medium

A company is implementing VPC Service Controls to protect a project that contains Cloud Storage and BigQuery. They want to allow a specific on-premises service account to read data from Cloud Storage and write to BigQuery. The on-premises network connects via Cloud VPN. Which TWO components must be configured in the service perimeter? (Choose two.)

Select 2 answers
A. Add Cloud Storage and BigQuery to the list of restricted services in the perimeter (they already are)
B. An ingress rule that allows the on-premises service account to access Cloud Storage and BigQuery
C. An access level based on the on-premises IP range (10.0.0.0/8)
D. A VPC firewall rule allowing traffic from the VPN to the Cloud Storage and BigQuery APIs
E. An egress rule that allows the on-premises service account to leave the perimeter
Answers: B, C

Ingress rules allow external identities to access resources inside the perimeter.

Why this answer

To allow external access, you need an ingress rule that specifies the source (on-premises service account and the Cloud VPN network) and the allowed services (Cloud Storage and BigQuery). An access level can be used to define the IP range, but the ingress rule is the primary mechanism. Adding the service to the perimeter is already done; you don't need to add it again.

An egress rule is not needed for inbound access.

651
Multi-Select · medium

Which TWO of the following are valid Google Cloud firewall rule components? (Choose TWO.)

Select 2 answers
A. Priority
B. Protocol signature
C. Target service accounts
D. Next hop
E. Network tier
Answers: A, C

Priority determines the order in which rules are evaluated.

Why this answer

A is correct because firewall rules in Google Cloud require a priority value (0–65535) to determine evaluation order. Lower numbers are evaluated first, and the first matching rule is applied. This is a mandatory component of every firewall rule.

Exam trap

Google Cloud often tests the distinction between firewall rule components and routing/network tier components, so candidates mistakenly select 'Next hop' or 'Network tier' because they are familiar networking terms, but they are not part of a firewall rule definition.

652
MCQmedium

An organization needs to comply with ITAR regulations. They want to ensure that all data processed by their GCP resources remains within the United States. Which service should they use?

A.VPC Service Controls
B.Assured Workloads
C.Cloud DLP
D.Organization policy constraint gcp.resourceLocations
AnswerB

Assured Workloads provides compliance controls for ITAR, FedRAMP High, etc., including data residency and access restrictions.

Why this answer

Assured Workloads provides regulatory compliance controls, including support for ITAR. It helps enforce data residency and access controls required for ITAR workloads.

653
MCQmedium

A company has an organization policy that denies the use of certain GCP services unless the project is in a specific folder. The DevOps team wants to create a new project in that folder. However, the project creation fails. What is the most likely cause?

A.The folder has reached its maximum number of projects.
B.The project name is already taken.
C.The organization policy prevents any project creation in the organization.
D.The user does not have the resourcemanager.projects.create permission at the folder level.
AnswerD

Project creation requires the Project Creator role at the folder or organization level.

Why this answer

The most likely cause is that the user lacks the `resourcemanager.projects.create` permission at the folder level. Even if the project is being created in a folder that allows GCP services, the user must have the Project Creator role (or equivalent) granted on that specific folder. Without this permission, the creation request is denied by the Resource Manager, regardless of the folder's capacity or the project name's uniqueness.

Exam trap

Google Cloud often tests the misconception that organization policies (like service usage constraints) block project creation, when in fact project creation is governed by IAM permissions at the folder or organization level, not by the organization policy constraints.

How to eliminate wrong answers

Option A is wrong because the folder-level project quota is a soft limit that can be increased, and the error message for hitting the quota is distinct from a permission-denied error. Option B is wrong because a duplicate project name would cause a different error (e.g., 'Project name already exists') and is not related to the folder's policy or permissions. Option C is wrong because the organization policy only denies certain GCP services, not project creation itself; project creation is controlled by IAM permissions, not by the organization policy constraints on service usage.

654
MCQmedium

A financial institution uses Cloud HSM to protect cryptographic keys used for signing sensitive transactions. They want to ensure that keys are never exportable and that key usage is logged. Which key type should they create in Cloud HSM?

A.Purpose: ASYMMETRIC_SIGN with algorithm: RSA_SIGN_PKCS1_2048_SHA256
B.Purpose: SYMMETRIC_ENCRYPT_DECRYPT with algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
C.Purpose: ASYMMETRIC_DECRYPT with algorithm: RSA_DECRYPT_OAEP_2048_SHA256
D.Purpose: MAC with algorithm: HMAC_SHA256
AnswerA

This key type is designed for signing and uses Cloud HSM which provides non-exportable keys.

Why this answer

Option A is correct because Cloud HSM supports ASYMMETRIC_SIGN key purpose with RSA_SIGN_PKCS1_2048_SHA256, which creates a non-exportable key pair used for signing. Cloud HSM ensures the private key never leaves the HSM boundary, and all key usage is automatically logged via Cloud Audit Logs, meeting the requirements for non-exportability and logging.

Exam trap

Google Cloud often tests the distinction between key purposes: candidates confuse ASYMMETRIC_DECRYPT (used for decrypting ciphertext) with signing, but signing requires the private key to produce a signature, not to decrypt data.

How to eliminate wrong answers

Option B is wrong because SYMMETRIC_ENCRYPT_DECRYPT keys are used for encryption/decryption, not signing, and symmetric keys do not provide the non-repudiation needed for signing sensitive transactions. Option C is wrong because ASYMMETRIC_DECRYPT keys are designed for decryption operations (e.g., RSA-OAEP), not for creating digital signatures; signing requires the private key to generate a signature, not to decrypt. Option D is wrong because MAC (Message Authentication Code) keys, such as HMAC_SHA256, are symmetric and used for integrity and authentication, not for asymmetric signing; they do not provide non-repudiation and are exportable by design in Cloud HSM.

655
Multi-Selectmedium

An organization uses Cloud Identity with SAML 2.0 federation. They want to enable single sign-on (SSO) for users accessing Google Cloud Console and also allow access to a custom application behind an HTTPS load balancer using IAP. Which TWO configurations are required? (Choose two.)

Select 2 answers
A.Deploy a VPN between the IdP and Google Cloud
B.Create a service account for each user to access the application
C.Create a Cloud Armor security policy to allow only SAML-authenticated requests
D.Enable IAP on the backend service of the HTTPS load balancer
E.Configure SAML 2.0 SSO in the Cloud Identity console for the organization
AnswersD, E

IAP integrates with Cloud Identity to authenticate users before granting access to the application.

Why this answer

Option D is correct because Identity-Aware Proxy (IAP) must be enabled on the backend service of the HTTPS load balancer to enforce access control based on the user's identity. IAP uses the SAML assertion from Cloud Identity to verify the user's identity and grant access to the custom application, enabling SSO without requiring a VPN or per-user service accounts.

Exam trap

Google Cloud often tests the misconception that IAP requires a VPN or that service accounts can be used for user authentication, but the correct approach is to enable IAP on the backend service and configure SAML SSO in Cloud Identity.

656
Multi-Selectmedium

A company wants to prevent data exfiltration by restricting access to Google APIs from only authorized VPC networks. They also need to allow a specific on-premises IP range to access BigQuery. Which TWO services should be used together? (Choose 2)

Select 2 answers
A.Cloud Armor
B.Access levels (IP-based)
C.Hierarchical firewall policy
D.Private Service Connect
E.VPC Service Controls
AnswersB, E

Access levels define conditions (like IP ranges) to allow access into the perimeter.

Why this answer

VPC Service Controls create a service perimeter around Google APIs, and an access level (IP-based) can be used to allow the on-premises IP range into the perimeter.

657
MCQmedium

A company is deploying a microservices architecture on Google Kubernetes Engine (GKE). They need to securely store and access database credentials, API keys, and other secrets. They want to avoid storing secrets in plaintext in the container image or Kubernetes manifests. Which solution should they use?

A.Encrypt secrets with Cloud KMS and store them in a ConfigMap.
B.Store secrets in a ConfigMap and mount as environment variables.
C.Use Secret Manager and mount secrets as volumes using the Secret Manager CSI driver.
D.Use Kubernetes native Secrets, committing them to a private repository.
AnswerC

This provides secure, audited access without storing secrets in the cluster.

Why this answer

Option C is correct because Secret Manager provides a centralized, secure, and auditable way to store secrets, and the Secret Manager CSI driver allows pods to mount these secrets as volumes without exposing them in the container image or Kubernetes manifests. This approach ensures secrets are never stored in plaintext on disk or in etcd, and it integrates with GKE's workload identity for fine-grained access control.

Exam trap

The trap here is that candidates often confuse Kubernetes native Secrets (which are only base64-encoded, not encrypted) with a secure solution, or they assume ConfigMaps can be used for secrets if encrypted, missing the fact that ConfigMaps are not designed for sensitive data and are stored in plaintext in etcd.

How to eliminate wrong answers

Option A is wrong because Cloud KMS is a key management service for encryption keys, not a secret store; storing encrypted secrets in a ConfigMap still leaves the secrets in etcd and Kubernetes API, and ConfigMaps are not designed for sensitive data. Option B is wrong because ConfigMaps store data in plaintext in etcd and can be easily read by anyone with access to the Kubernetes API, violating the requirement to avoid plaintext storage. Option D is wrong because committing Kubernetes native Secrets to a private repository still stores them in plaintext in the repository and in etcd, and native Secrets are only base64-encoded, not encrypted by default, which is not a secure practice.

658
MCQmedium

A security engineer runs the command in the exhibit. The command fails with an error: 'Permission denied: cryptoKeyVersions.encrypt'. What is the most likely cause?

A.The key ring 'my-keyring' does not exist.
B.The user does not have the cloudkms.cryptoKeyVersions.encrypt permission on the key.
C.The key ring location is incorrect.
D.The user does not have the cloudkms.cryptoKeyVersions.decrypt permission.
AnswerB

The error indicates missing encrypt permission.

Why this answer

The error message 'Permission denied: cryptoKeyVersions.encrypt' explicitly indicates that the user lacks the cloudkms.cryptoKeyVersions.encrypt permission on the specific key version. In Google Cloud KMS, encrypt operations require the cloudkms.cryptoKeyVersions.encrypt permission (or a broader role like roles/cloudkms.cryptoKeyEncrypter) on the key resource. The command itself is syntactically correct, so the failure is due to insufficient IAM permissions, not resource existence or location.

Exam trap

Google Cloud often tests the distinction between resource existence errors (e.g., 'Not found') and permission errors (e.g., 'Permission denied'), so candidates must read the exact error message to avoid confusing missing resources with insufficient IAM permissions.

How to eliminate wrong answers

Option A is wrong because if the key ring 'my-keyring' did not exist, the error would be 'Not found' or 'Key ring not found', not a permission denied error. Option C is wrong because an incorrect location would produce a 'Not found' or 'Invalid location' error, not a permission denied error. Option D is wrong because the error specifically mentions 'encrypt', not 'decrypt'; lacking the decrypt permission would not cause an encrypt operation to fail with this error message.

659
MCQeasy

A company wants to scan all container images stored in Artifact Registry for vulnerabilities before deployment. Which Google Cloud service should they use?

A.Binary Authorization
B.Cloud Build
C.Container Analysis
D.Security Command Center
AnswerC

Container Analysis scans images for vulnerabilities and provides findings.

Why this answer

Container Analysis (now part of Artifact Registry) provides vulnerability scanning for images. Binary Authorization enforces policies. Security Command Center aggregates findings.

Cloud Build is for building images.

660
MCQmedium

A company is deploying an internal service on GKE that needs to be accessible privately from on-premises data centers over a VPN connection. The service should not be exposed to the internet. Which connectivity solution is MOST appropriate?

A.Expose the service via an external load balancer with Cloud Armor IP allowlisting
B.Cloud NAT with firewall rules to allow on-premises IPs
C.VPC peering between the GKE VPC and on-premises
D.Private Service Connect with an internal load balancer
AnswerD

PSC enables private connectivity; internal load balancer keeps traffic within the VPC and on-premises via VPN.

Why this answer

Private Service Connect (PSC) allows publishing services using internal IP addresses that are accessible via VPC peering or VPN. The service can be exposed as an internal load balancer and attached to a PSC service attachment. On-premises can reach it via the VPN tunnel to the VPC.

661
MCQmedium

An organization uses Assured Workloads for Google Cloud to meet FedRAMP compliance. They have enabled Access Transparency logs. During an audit, they need to provide evidence that Google personnel access was logged and reviewed. What is the primary benefit of using Access Transparency?

A.It provides logs detailing the actions of Google personnel when accessing customer data.
B.It blocks all Google personnel access to customer data.
C.It encrypts data with customer-managed keys.
D.It prevents data from being moved outside the organization's VPC.
AnswerA

Access Transparency logs record Google staff access events.

Why this answer

Option A is correct because Access Transparency logs provide near-real-time logs of Google administrators' access to customer data. Option B is wrong because Access Transparency does not block access; it logs it. Option C is wrong because encryption is separate.

Option D is wrong because VPC Service Controls, not Access Transparency, restrict data movement.

662
MCQmedium

An organization wants to use Cloud IDS to detect network threats within their VPC. They have enabled the Cloud IDS endpoint and configured packet mirroring. Which of the following is required for the packet mirroring policy to work?

A.The IDS endpoint must be in the same zone as the VMs.
B.VPC firewall rules must allow traffic to the IDS endpoint.
C.VMs must be tagged with 'cloud-ids-packet-mirroring'.
D.All VMs must have an external IP address.
AnswerC

This tag is used to select which VMs have their traffic mirrored.

Why this answer

Packet mirroring requires that the source VMs have the cloud-ids-packet-mirroring tag. The mirrored traffic is sent to the IDS endpoint via an internal load balancer.

663
MCQmedium

Your organization uses VPC Flow Logs for network forensics. During an incident, you need to analyze traffic to a compromised instance for the last 72 hours. The Flow Logs are stored in Cloud Logging. Which approach allows you to query the logs most efficiently?

A.Export logs to BigQuery and run SQL queries
B.Use the gcloud logging read command with appropriate filters
C.Use Logs Explorer in Cloud Logging to filter by instance and time range
D.Download logs as CSV from Cloud Storage
AnswerC

Logs Explorer allows real-time querying of log entries.

Why this answer

Cloud Logging's Logs Explorer provides a query interface to filter and analyze logs. BigQuery is better for large-scale analysis, but for ad-hoc querying of recent logs, Logs Explorer is efficient. Note: Logs can be exported to BigQuery for complex analysis, but the question asks for efficient querying now.

664
MCQeasy

A developer wants to be notified when a new vulnerability is found in a container image stored in Artifact Registry. Which service should they configure?

A.Container Analysis
B.Cloud Security Scanner
C.Binary Authorization
D.VM Manager
AnswerA

Container Analysis scans images in Artifact Registry and publishes findings to Pub/Sub.

Why this answer

Artifact Registry integrates with Container Analysis to scan images for vulnerabilities. Notifications can be sent via Pub/Sub when new vulnerabilities are discovered.

665
MCQhard

An organization uses Cloud DLP to scan a Cloud SQL database for PII. They want to automatically pseudonymize email addresses found in a specific column using a deterministic encryption that can be reversed for authorized users. The key must be stored in Cloud KMS. Which DLP transformation should they configure?

A.CryptoHashConfig with a cryptographic key from Cloud KMS.
B.CryptoDeterministicConfig with a key from Cloud KMS.
C.CryptoReplaceFfxFpeConfig using a key from Cloud KMS.
D.ReplaceWithInfoTypeConfig with a cryptographic key.
AnswerB

This provides deterministic, reversible encryption suitable for pseudonymization.

Why this answer

Option B is correct because CryptoDeterministicConfig performs deterministic encryption (same plaintext always produces the same ciphertext) using a key from Cloud KMS, which allows pseudonymization that can be reversed by authorized users. This matches the requirement for a reversible, deterministic transformation on email addresses in a Cloud SQL column.

Exam trap

Google Cloud often tests the distinction between deterministic encryption (reversible, same output for same input) and hashing (one-way), leading candidates to mistakenly choose CryptoHashConfig when they need reversibility.

How to eliminate wrong answers

Option A is wrong because CryptoHashConfig uses a cryptographic hash function (e.g., SHA-256) which is one-way and cannot be reversed, so it does not meet the requirement for reversible pseudonymization. Option C is wrong because CryptoReplaceFfxFpeConfig uses Format-Preserving Encryption (FFX) which preserves the format of the data (e.g., email structure) but is not specifically designed for deterministic encryption with Cloud KMS key management in this context; it is more suited for preserving format while encrypting, not for simple deterministic reversal. Option D is wrong because ReplaceWithInfoTypeConfig replaces the entire value with the info type name (e.g., 'EMAIL_ADDRESS') and does not use a cryptographic key or provide any encryption or reversibility.

666
MCQmedium

Refer to the exhibit. A compliance auditor reviews the key configuration and finds a potential issue. What is the most likely compliance impact?

A.The key is disabled and cannot encrypt data
B.The key was created too recently
C.The key lacks automatic rotation, which may violate compliance requirements
D.The key is not used for the correct purpose
AnswerC

Many compliance standards (e.g., PCI DSS) require periodic key rotation; a null rotation period means no rotation is scheduled.

Why this answer

Option C is correct because many compliance frameworks (e.g., PCI DSS, SOC 2, NIST SP 800-57) require cryptographic keys to be rotated periodically to limit the amount of data encrypted under a single key and reduce the impact of key compromise. In the exhibited key configuration, if automatic rotation is not enabled or configured, the key remains static, which can violate these compliance mandates. The auditor identifies the lack of automatic rotation as a potential non-compliance issue, even if the key is otherwise valid and functional.

Exam trap

Google Cloud often tests the distinction between a key being 'functional' versus 'compliant' — candidates may assume that because a key works and is not expired, it is compliant, but the trap is that compliance frameworks require proactive rotation policies, not just key validity.

How to eliminate wrong answers

Option A is wrong because a key being disabled would be a separate administrative action or state; the exhibit does not show the key as disabled, and a disabled key would not be available for encryption at all, which is not the issue flagged by the auditor. Option B is wrong because the age of the key alone does not create a compliance impact unless a specific maximum key lifetime is defined by policy; the auditor's concern is about rotation, not recency. Option D is wrong because the key purpose (e.g., encryption, signing) is typically defined in the key's attributes or usage policy, and the exhibit does not indicate that the key is being used for an incorrect purpose; the issue is the lack of rotation, not misuse.

667
MCQmedium

A company uses Cloud Armor to protect a web application. They want to block requests that contain SQL injection patterns based on the OWASP ModSecurity Core Rule Set. Which preconfigured rule set should they enable?

A.Custom rules using CEL expression
B.OWASP ModSecurity CRS
C.Google Cloud Armor Managed Rules (SQL Injection)
D.Rate limiting rules
AnswerB

Correct: The OWASP CRS includes rules for SQL injection, XSS, etc.

Why this answer

Cloud Armor provides preconfigured WAF rules based on the OWASP ModSecurity CRS. To block SQL injection, the rule set 'owasp-crs' with the specific paranoia level can be used, or the 'sqli' rule set if available. The correct answer is the OWASP ModSecurity CRS rule set that includes SQL injection detection.

668
Multi-Selecteasy

Which TWO of the following are valid methods to protect data in transit between on-premises and Google Cloud using Cloud VPN?

Select 2 answers
A.Use Cloud VPN with SSL VPN.
B.Use Cloud VPN with IPsec IKEv2.
C.Use Cloud NAT for outbound traffic.
D.Use Cloud VPN with IPsec IKEv1.
E.Use Cloud Interconnect with MACsec.
AnswersB, D

Cloud VPN supports IPsec with IKEv2.

Why this answer

Cloud VPN supports both IPsec IKEv1 and IKEv2 as valid protocols for establishing secure tunnels between on-premises networks and Google Cloud. IKEv2 offers improved stability and mobility support, but both are explicitly supported by Google Cloud VPN for protecting data in transit.

Exam trap

Google Cloud often tests the distinction between Cloud VPN (which uses IPsec with IKEv1 or IKEv2) and other connectivity options like Cloud Interconnect or SSL VPN, leading candidates to mistakenly select SSL VPN or MACsec as valid Cloud VPN methods.

669
Multi-Selecthard

A financial services company must ensure that its Google Cloud environment complies with PCI DSS. The security team needs to implement controls to protect cardholder data. Which TWO measures should they implement? (Choose TWO.)

Select 2 answers
A.Enable Data Access audit logs for all Cloud Storage buckets.
B.Use Security Command Center to detect misconfigurations.
C.Configure VPC Service Controls to restrict data movement from managed services.
D.Enable Shielded VMs on all Compute Engine instances.
E.Use Customer-Managed Encryption Keys (CMEK) to encrypt data at rest.
AnswersC, E

VPC Service Controls help prevent unauthorized data exfiltration, a PCI DSS requirement.

Why this answer

C is correct because VPC Service Controls create a security perimeter around Google Cloud managed services, preventing data exfiltration by restricting data movement from within the perimeter to unauthorized external networks. This is critical for PCI DSS compliance as it helps protect cardholder data from unauthorized access or transfer. E is correct because Customer-Managed Encryption Keys (CMEK) allow the organization to control and manage the encryption keys used to protect data at rest, meeting PCI DSS requirement 3.4 for rendering cardholder data unreadable.

Exam trap

Google Cloud often tests the distinction between detective controls (like audit logs and Security Command Center) and preventive controls (like VPC Service Controls and CMEK), leading candidates to mistakenly select logging or detection options as direct compliance measures.

670
MCQhard

A multinational corporation uses Google Cloud and must comply with GDPR. They want to process personal data for a new purpose that was not originally disclosed to data subjects. What is the correct course of action under GDPR?

A.Anonymize the data before processing, as anonymized data is not subject to GDPR.
B.Rely on the existing DPA with Google, as it covers all processing activities.
C.Obtain explicit consent from the data subjects for the new processing purpose.
D.Proceed with the new processing as long as the data is pseudonymized.
AnswerC

Under GDPR, processing for a new purpose generally requires a new legal basis, such as explicit consent.

Why this answer

GDPR requires a valid legal basis for each processing purpose. For a new purpose, explicit consent is often required unless another basis applies.

671
MCQmedium

An organization has multiple GCP projects managed through folders in the resource hierarchy. They want to enforce a policy that prohibits the creation of service account keys across all projects. Which approach should be used?

A.Use a deny policy at the project level to deny the 'iam.serviceAccountKeys.create' permission.
B.Configure a script that runs daily to delete any service account keys found in projects.
C.Create a custom IAM role that denies the permission to create keys and assign it to all users.
D.Apply an organization policy with the constraint 'constraints/iam.disableServiceAccountKeyCreation' at the folder level.
AnswerD

Organization policies enforce restrictions across the resource hierarchy. This constraint disables key creation for all service accounts in the folder's projects.

Why this answer

Organization policies can be applied at the folder or organization level to enforce constraints across all projects. The constraint 'constraints/iam.disableServiceAccountKeyCreation' specifically disables service account key creation. Applying it at a folder level is the most efficient way to enforce the policy across all projects in that folder.

672
MCQeasy

A security engineer needs to ensure that all data stored in Cloud Storage buckets and BigQuery tables is encrypted at rest using keys that the organization generates and manages on-premises. The keys must not be stored by Google. Which key management approach should they use?

A.Cloud HSM with Customer-Managed Keys
B.Customer-Managed Encryption Keys (CMEK) via Cloud KMS
C.Google default encryption (GMEK)
D.Customer-Supplied Encryption Keys (CSEK)
AnswerD

CSEK allows customers to supply their own keys per API call; Google does not store them.

Why this answer

Customer-Supplied Encryption Keys (CSEK) allow customers to provide their own encryption keys with each API call. Google never stores these keys, ensuring the customer retains full control. GMEK and CMEK involve Google storing the keys, and Cloud HSM is a managed service that stores keys, so none meet the 'not stored by Google' requirement.

673
MCQmedium

To comply with regulatory requirements, a company needs to prevent service account keys from being created for all projects. What should they use?

A.VPC Service Controls
B.Organization policy with a constraint
C.Security Command Center
D.IAM conditions
AnswerB

The Organization policy `iam.disableServiceAccountKeyCreation` can be applied at the organization level to prevent key creation.

Why this answer

Organization policies with constraints allow you to enforce restrictions across all projects in an organization. The `constraints/iam.disableServiceAccountKeyCreation` constraint specifically prevents the creation of service account keys, ensuring compliance with regulatory requirements that prohibit long-lived keys. This is a native Google Cloud IAM feature that applies at the organization, folder, or project level.

Exam trap

Google Cloud often tests the distinction between preventive controls (organization policy constraints) and detective/monitoring tools (Security Command Center), leading candidates to mistakenly choose Security Command Center because they think it can block actions, when in fact it only detects and alerts.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls are used to define security perimeters around Google Cloud resources to mitigate data exfiltration risks, not to manage IAM policies or service account key creation. Option C is wrong because Security Command Center is a security and risk management platform that provides threat detection and vulnerability findings, but it does not enforce preventive policies like disabling key creation. Option D is wrong because IAM conditions allow you to define conditional, attribute-based access to resources (e.g., based on time, IP address, or resource tags), but they cannot prevent the creation of service account keys themselves.

674
Multi-Selecteasy

Your organization uses VM Manager for patch management. You need to configure patch deployments to run weekly on all Windows VMs. Which two resources must be configured? (Choose two.)

Select 2 answers
A.Enable VPC Flow Logs on the VMs
B.Create a patch job manually each week
C.Create a patch deployment with a weekly schedule
D.Specify the target VMs using instance filters (e.g., OS = Windows)
E.Install the OS Config agent on all VMs
AnswersC, D

Patch deployment defines the schedule and target.

Why this answer

VM Manager uses patch deployments and patch jobs. You create a patch deployment with a schedule (weekly) and target VMs (e.g., by OS type). You also need to configure a maintenance window or use a rolling update.

675
MCQmedium

A company is using Cloud SQL for MySQL in production. They notice that during peak hours, query latency increases significantly. The database is running on a db-n1-standard-2 instance with 100GB SSD. The CPU utilization spikes to 95% during peaks. The application uses connection pooling. Which action should the company take to improve performance while minimizing cost?

A.Increase the storage to 200GB to improve IOPS.
B.Add a read replica and redirect read queries to it.
C.Enable Cloud SQL Proxy to cache connections.
D.Increase the number of CPUs by switching to a db-n1-highcpu-2 instance.
AnswerB

Read replicas handle SELECT queries, reducing the primary instance's load and lowering latency for read-heavy workloads.

Why this answer

Adding a read replica offloads read queries from the primary instance, reducing CPU load and latency. Option D is incorrect because switching to a highcpu type does not increase CPU count; it rebalances memory. Option C is incorrect because Cloud SQL Proxy provides secure connections, not performance improvement.

Option A is incorrect because increasing storage primarily increases IOPS and disk throughput, but CPU is the bottleneck.

Google Professional Cloud Security Engineer PCSE Questions 601–675 | Page 9/14 | Courseiva