CCNA Configuring access within a cloud solution environment Questions

30 of 105 questions · Page 2/2 · Configuring access within a cloud solution environment · Answers revealed

76
MCQ · easy

A DevOps team wants to grant a contractor temporary access to a specific Cloud Storage bucket for 30 days. The contractor has a Google account (example@gmail.com). The bucket contains sensitive data, and the access should be as restrictive as possible. What is the recommended way to grant this access?

A. Create a bucket ACL granting the contractor READ access.
B. Add the contractor's email to the project-level IAM policy with the 'Storage Object Viewer' role.
C. Add the contractor's email to the bucket-level IAM policy with the 'Storage Object Viewer' role.
D. Generate a signed URL for the contractor to access the bucket objects.
Answer: C

Bucket-level IAM is granular and can be removed after 30 days.

Why this answer

Option C is correct because bucket-level IAM policies allow you to grant granular, time-bound access to a specific bucket without affecting other resources in the project. By adding the contractor's email (example@gmail.com) to the bucket-level IAM policy with the 'Storage Object Viewer' role, you restrict access to only that bucket and only to read objects, which is the most restrictive approach for a 30-day temporary access requirement.

Exam trap

Google Cloud often tests the distinction between project-level and resource-level IAM policies, and the trap here is that candidates choose project-level IAM (Option B) thinking it's simpler, but they overlook that it grants access to all buckets in the project, violating the principle of least privilege.

How to eliminate wrong answers

Option A is wrong because bucket ACLs are legacy and do not support IAM conditions for time-bound access; they also lack the granularity of IAM roles and are not recommended for new configurations. Option B is wrong because adding the contractor to the project-level IAM policy grants read access to all storage buckets in the project, which violates the 'as restrictive as possible' requirement and exposes other sensitive data. Option D is wrong because signed URLs provide temporary access to specific objects, not the entire bucket, and managing them for all objects over 30 days is impractical and insecure for ongoing bucket-level access.

77
MCQ · medium

A company uses multiple Google Cloud projects. A service account in Project A needs to read data from a Cloud Storage bucket in Project B. What is the correct way to grant access?

A. Make the bucket publicly accessible and use signed URLs.
B. Grant the service account the Project Viewer role on Project B.
C. Add the service account as a member of Project B with the Storage Object Viewer role.
D. Add the service account as a member of the bucket's IAM policy with the Storage Object Viewer role.
Answer: D

This grants least-privilege access specifically to the bucket.

Why this answer

Option D is correct because Cloud Storage uses IAM policies at the resource (bucket) level to grant cross-project access. By adding the service account from Project A as a member of the bucket's IAM policy in Project B with the Storage Object Viewer role, you grant the service account read-only access to objects in that bucket without requiring membership in Project B itself. This follows the principle of least privilege and avoids unnecessary project-level permissions.

Exam trap

The trap here is that candidates often confuse project-level IAM roles with resource-level IAM roles, assuming that adding a service account as a member of the target project is necessary, when in fact Cloud Storage supports direct resource-level IAM binding for cross-project access.

How to eliminate wrong answers

Option A is wrong because making the bucket publicly accessible exposes data to the entire internet, which violates security best practices and is unnecessary for granting access to a specific service account. Option B is wrong because the Project Viewer role grants read-only access to all resources in Project B, which is overly permissive and does not specifically grant access to the bucket's objects. Option C is wrong because adding the service account as a member of Project B with the Storage Object Viewer role grants the role at the project level, which applies to all buckets in Project B, violating least privilege and potentially granting unintended access.

78
Multi-Select · easy

Which TWO of the following are valid ways to grant cross-project access to a Cloud Storage bucket in Project A from a Compute Engine VM in Project B?

Select 2 answers
A. Disable uniform bucket-level access on the bucket and add an ACL entry for the VM's service account.
B. Grant the VM's service account (from Project B) the roles/storage.objectViewer role on the bucket in Project A.
C. Grant the VM's user account the roles/storage.objectViewer role on the bucket, and have the VM use gcloud with the user's credentials.
D. Use an IAM condition on the bucket that allows access only when the requester is the service account from Project B.
E. Provide the bucket's service account key to the VM and have the VM use that key for authentication.
Answers: B, D

Direct role grant to the service account is valid.

Why this answer

Option B is correct because granting the VM's service account the roles/storage.objectViewer role on the bucket in Project A uses IAM-based cross-project access. IAM roles are the recommended method for granting access to resources across projects, as they allow a service account from one project to be granted permissions on resources in another project without needing to share keys or disable uniform bucket-level access.

Exam trap

Google Cloud often tests the misconception that ACLs or sharing service account keys are valid cross-project access methods, when in fact IAM roles and IAM conditions are the only supported mechanisms for granting cross-project access to Cloud Storage buckets.

79
MCQ · easy

A company wants to grant a user the ability to delete a Cloud SQL instance but not be able to modify any other settings. What is the least privileged role?

A. roles/cloudsql.viewer
B. roles/cloudsql.editor
C. roles/cloudsql.admin
D. Use a custom role with only the cloudsql.instances.delete permission.
Answer: D

A custom role with this single permission meets the requirement exactly.

Why this answer

Option D is correct because the least privileged role that allows deleting a Cloud SQL instance without granting any other permissions is a custom role containing only the `cloudsql.instances.delete` permission. Predefined roles like viewer, editor, or admin include broader permissions that would allow modifying other settings, violating the principle of least privilege.

Exam trap

The trap here is that candidates may assume a predefined role like `roles/cloudsql.editor` is the least privileged because it includes delete, but they overlook that it also grants modify permissions, which violates the 'least privileged' requirement.

How to eliminate wrong answers

Option A is wrong because `roles/cloudsql.viewer` only grants read-only permissions (e.g., `cloudsql.instances.get`) and does not include the `cloudsql.instances.delete` permission, so it cannot delete an instance. Option B is wrong because `roles/cloudsql.editor` includes permissions to modify instance settings (e.g., `cloudsql.instances.update`) in addition to delete, which exceeds the requirement. Option C is wrong because `roles/cloudsql.admin` grants full control over Cloud SQL instances, including all create, update, and delete permissions, far beyond the single delete action needed.

80
Multi-Select · medium

A company wants to implement least privilege access for a team that needs to monitor and manage Cloud Run services. Which two IAM roles should be considered? (Choose two.)

Select 2 answers
A. roles/iam.serviceAccountUser
B. roles/run.admin
C. roles/run.viewer
D. roles/run.developer
E. roles/run.invoker
Answers: C, D

Allows viewing services and configurations.

Why this answer

Option C (roles/run.viewer) is correct because it grants read-only permissions to view Cloud Run services, configurations, and revisions, which is sufficient for monitoring without allowing modifications. Option D (roles/run.developer) is correct because it allows both viewing and managing Cloud Run services (e.g., deploying new revisions, updating configurations) while still restricting access to other GCP resources, aligning with least privilege for a team that needs to both monitor and manage.

Exam trap

Google Cloud often tests the distinction between 'viewer' and 'developer' roles, where candidates mistakenly choose 'run.admin' thinking it is needed for management, or 'run.invoker' thinking it covers monitoring, but the exam expects precise matching of permissions to the tasks of monitoring (read-only) and managing (deploy/update) without full administrative control.

81
MCQ · medium

A security team wants to ensure that all service account key creation events in their organization are logged and alerted on. Which logging feature should they use?

A. Enable System Event audit logs for the IAM service.
B. Enable Data Access audit logs for the IAM service.
C. Enable Access Transparency logs for the IAM service.
D. Enable Admin Activity audit logs for the IAM service.
Answer: D

Admin Activity logs record all administrative actions, including creating keys.

Why this answer

Admin Activity audit logs capture operations that modify the configuration or metadata of resources, such as creating or deleting service account keys. Since the question asks about logging key creation events, Admin Activity logs are the correct choice because they record all administrative actions, including service account key creation, by default and cannot be disabled. Data Access audit logs, by contrast, track data-level operations like reading or writing data, not administrative changes.

Exam trap

Google Cloud often tests the distinction between Admin Activity and Data Access logs, where candidates mistakenly choose Data Access for any security-related logging, not realizing that key creation is an administrative action, not a data access operation.

How to eliminate wrong answers

Option A is wrong because System Event audit logs are not a valid log type in Google Cloud; the correct log categories are Admin Activity, Data Access, and Access Transparency. Option B is wrong because Data Access audit logs record operations that read or modify user-provided data, such as reading objects in Cloud Storage, not administrative actions like creating service account keys. Option C is wrong because Access Transparency logs capture actions taken by Google personnel when accessing your data, not actions performed by your own service accounts or administrators.

82
MCQ · hard

A security team needs to enforce that only requests originating from a corporate IP range (203.0.113.0/24) can access a Cloud Storage bucket containing sensitive data. They have created a custom IAM role with storage.objects.get permission and attached a condition that requires the request to have a specific IP address. However, some legitimate users outside the IP range are unable to access the data. What is the most likely cause?

A. Users must use a VPN to be assigned a corporate IP, but some are not connected.
B. The condition uses the attribute 'request.network' instead of 'source.ip'.
C. The bucket ACL is set to deny all access by default.
D. The IAM condition evaluates after authentication, and users are already authenticated; the condition is not restricting based on source IP correctly because the condition is on the user's identity, not the request's source IP.
Answer: D

IAM conditions can restrict by source IP, but if misconfigured (for example, using the wrong attribute or not applying the condition to the correct principal) they may not work; the most likely cause is that the condition is not written to check the request's source IP.

Why this answer

Option D is correct because IAM conditions on a custom role are evaluated after the user is authenticated and authorized by IAM. The condition attribute 'source.ip' is used to restrict access based on the request's originating IP address, but if the condition is incorrectly applied to the user's identity (e.g., using a condition that checks the user's IP at the time of policy evaluation rather than the request's source IP), it may not enforce the intended restriction. In this scenario, the condition is likely misconfigured to evaluate the user's identity attributes rather than the request's source IP, allowing authenticated users from any IP to access the bucket, while legitimate users outside the corporate IP range are blocked because the condition does not correctly filter based on the request's source IP.

Exam trap

Google Cloud often tests the distinction between IAM conditions that evaluate request attributes (like source IP) versus identity attributes, leading candidates to overlook that the condition is applied after authentication and may not restrict the request's source IP correctly if misconfigured.

How to eliminate wrong answers

Option A is wrong because the issue is not about VPN connectivity; the condition is supposed to restrict access based on source IP, but if the condition is misconfigured, even users with a corporate IP via VPN may be blocked or allowed incorrectly. Option B is wrong because 'request.network' is not a valid attribute for IAM conditions in Google Cloud; the correct attribute for source IP is 'source.ip', so using 'request.network' would cause a syntax error or be ignored, not partially block users. Option C is wrong because bucket ACLs are separate from IAM policies; if the ACL is set to deny all, no one would access the bucket, but the problem states that some legitimate users outside the IP range are unable to access, implying that the ACL is not the primary issue.

83
MCQ · medium

A security team wants to explicitly deny access to a Cloud Storage bucket for all users except the bucket owner. Currently, there are allow policies at the project level granting Storage Object Viewer to all users. What is the most efficient way to implement this?

A. Create an Organization Policy that denies access to the bucket for all users except the owner.
B. Modify the project-level role to include a condition that only allows the bucket owner.
C. Remove the project-level Storage Object Viewer role and grant it only to the bucket owner.
D. Create an IAM deny policy on the bucket with a deny rule for all principals (principalSet: allUsers) and an exception for the bucket owner.
Answer: D

IAM deny policies explicitly deny and can exclude principals.

Why this answer

Option D is correct because Google Cloud IAM deny policies explicitly deny access to resources, overriding any allow policies. By creating a deny rule on the bucket with `principalSet: allUsers` as the denied principal and an exception for the bucket owner, you effectively block all users except the owner, regardless of project-level allow roles. This is the most efficient approach as it does not require modifying existing project-level policies or removing roles.

Exam trap

Google Cloud often tests the misconception that removing an allow role is sufficient to deny access, but in cloud IAM, explicit deny policies are required to override inherited allow policies, especially when project-level roles grant broad access.

How to eliminate wrong answers

Option A is wrong because Organization Policies are used to enforce constraints on resource usage (e.g., location restrictions), not to manage IAM access control for specific resources like a bucket. Option B is wrong because modifying the project-level role with a condition would require complex condition logic and still apply to all resources in the project, not just the bucket; it also does not explicitly deny access. Option C is wrong because removing the project-level role and granting it only to the bucket owner would affect all buckets in the project and does not explicitly deny access to other users; it only removes the allow, which is less secure than an explicit deny.

84
MCQ · easy

An organization uses Cloud Identity to manage users and groups. They want to synchronize their existing on-premises Active Directory with Cloud Identity. Which tool should they use?

A. Third-party SAML identity provider
B. Google Cloud Directory Sync (GCDS)
C. Identity Platform
D. Cloud Workflows
Answer: B

GCDS syncs AD with Cloud Identity.

Why this answer

Google Cloud Directory Sync (GCDS) is the correct tool because it is specifically designed to synchronize users, groups, and aliases from an on-premises Active Directory (or LDAP server) into Cloud Identity without requiring federation. GCDS maps AD attributes to Cloud Identity fields and runs on a scheduled basis to keep the cloud directory in sync, making it the appropriate choice for this use case.

Exam trap

Google Cloud often tests the distinction between directory synchronization (GCDS) and federation (SAML IdP), so the trap here is that candidates may confuse synchronizing user objects with setting up single sign-on, leading them to choose a SAML identity provider instead of GCDS.

How to eliminate wrong answers

Option A is wrong because a third-party SAML identity provider is used for federated authentication (single sign-on), not for synchronizing directory data from Active Directory into Cloud Identity. Option C is wrong because Identity Platform is a customer identity and access management (CIAM) service for adding authentication to applications, not a tool for syncing on-premises directories with Cloud Identity. Option D is wrong because Cloud Workflows is an orchestration service for automating workflows and API calls, not a directory synchronization tool.

85
Multi-Select · easy

A security engineer needs to set up access for a new team that will manage Cloud Storage buckets and objects. Which three IAM roles might be appropriate based on least privilege? (Choose three.)

Select 3 answers
A. roles/storage.objectAdmin
B. roles/storage.objectViewer
C. roles/storage.legacyBucketOwner
D. roles/storage.objectCreator
E. roles/storage.admin
Answers: A, B, D

Allows full object management (create, read, update, delete).

Why this answer

Option A (roles/storage.objectAdmin) is correct because it grants full control over objects in Cloud Storage buckets, including listing, reading, creating, and deleting objects, but does not allow modifying bucket-level permissions or deleting buckets. This aligns with least privilege for a team that needs to manage objects without full bucket administration.

Exam trap

Google Cloud often tests the distinction between legacy roles (like storage.legacyBucketOwner) and modern predefined roles, expecting candidates to recognize that legacy roles grant overly broad permissions and should be avoided for least privilege.

86
MCQ · hard

A security team wants to audit all actions performed by users on a critical Cloud Storage bucket. They have enabled Data Access audit logs. However, they notice that read requests are not being logged. What should they do to ensure all read requests are logged?

A. Enable Access Transparency logs for the project.
B. Assign the Storage Legacy Bucket Reader role to the bucket.
C. Configure bucket-level logging to record all access requests.
D. Enable VPC Flow Logs for the network.
Answer: C

Bucket-level logging can log all requests, including reads, regardless of audit log configuration.

Why this answer

Option C is correct because bucket-level logging captures all access requests, including read operations, by recording detailed logs for each request made to the bucket. Data Access audit logs, while enabled, may not log all read requests due to exclusion filters or default configuration limitations, whereas bucket-level logging provides comprehensive access records directly from Cloud Storage.

Exam trap

Google Cloud often tests the distinction between Cloud Audit Logs (which can be filtered or excluded) and bucket-level logging (which records all requests), leading candidates to mistakenly think enabling Data Access audit logs alone is sufficient for all read logging.

How to eliminate wrong answers

Option A is wrong because Access Transparency logs are designed to log actions taken by Google Cloud support or engineering staff, not user read requests on a bucket. Option B is wrong because assigning the Storage Legacy Bucket Reader role controls permissions but does not enable logging; it only grants read access to the bucket. Option D is wrong because VPC Flow Logs capture network traffic metadata (e.g., IP flows) but do not log application-level read requests to Cloud Storage buckets.

87
Multi-Select · medium

Which THREE of the following are best practices for managing service accounts in Google Cloud?

Select 3 answers
A. Use the principle of least privilege when granting roles to service accounts.
B. Assign a single service account to all Compute Engine instances for simplicity.
C. Avoid creating and downloading service account keys if possible; use workload identity federation or other alternatives.
D. Add service accounts to a Google Group to manage permissions.
E. Enable automatic key rotation for service account keys.
Answers: A, C, E

Least privilege reduces risk.

Why this answer

Option A is correct because the principle of least privilege is a fundamental security best practice in Google Cloud IAM. Granting only the minimal roles necessary to a service account reduces the attack surface and limits potential damage from compromised credentials. This aligns with Google's recommended approach for managing identities in cloud environments.

Exam trap

Google Cloud often tests the misconception that adding service accounts to a Google Group is a best practice for managing service accounts, when in fact groups are primarily for managing user permissions and can lead to unintended privilege escalation if not carefully controlled.

88
Multi-Select · hard

A security team is designing access controls for a multi-tenant SaaS application on Google Kubernetes Engine (GKE). Each tenant has a separate namespace. They want to ensure that a DevOps team can manage deployments across all namespaces, but cannot modify secrets in the 'tenant-alpha' namespace. Which THREE Kubernetes RBAC resources should be created? (Choose THREE)

Select 3 answers
A. A RoleBinding in namespace 'tenant-alpha' that binds the ClusterRole to the DevOps team.
B. A ClusterRole that grants permissions to manage secrets across all namespaces.
C. A RoleBinding in namespace 'tenant-alpha' that binds a Role granting secret modification to the DevOps team.
D. A ClusterRole that grants permissions to manage deployments, services, and ingresses across all namespaces, but does not include secrets.
E. A Role in namespace 'tenant-alpha' that grants permissions to modify secrets, bound to a separate group of tenant administrators.
Answers: A, D, E

This binds the ClusterRole to the DevOps team in the specific namespace.

Why this answer

Option A is correct because a RoleBinding in the 'tenant-alpha' namespace can bind a ClusterRole (which is a cluster-scoped resource) to the DevOps team, granting them the permissions defined in that ClusterRole within that specific namespace. Since the ClusterRole in option D explicitly excludes secrets, this RoleBinding ensures the DevOps team can manage deployments across all namespaces (via a ClusterRoleBinding) but cannot modify secrets in 'tenant-alpha'.

Exam trap

Google Cloud often tests the distinction between RoleBindings and ClusterRoleBindings, and the trap here is that candidates may think a ClusterRole can only be bound via a ClusterRoleBinding, but a RoleBinding can bind a ClusterRole to grant its permissions within a single namespace.

89
MCQ · hard

A financial services company is migrating to Google Cloud and needs to enforce strict access controls. They want to ensure that all access to Cloud Storage buckets containing sensitive data is logged and that only authorized IP ranges can write to those buckets. They have set up IAM conditions to allow access only from the corporate IP range. However, they notice that some write operations are not being logged in the Cloud Audit Logs for the bucket. The write operations are coming from a service account that is part of a batch job running on Compute Engine instances within the corporate network. What is the most likely reason for the missing logs?

A. The IAM condition is preventing the audit logs from being generated.
B. Data Access audit logs for Cloud Storage are not enabled.
C. The batch job is using a different service account that does not have permission to write.
D. The write operations are not being captured because they are performed by a service account.
Answer: B

Admin Activity logs are enabled by default, but Data Access logs need to be explicitly configured.

Why this answer

Option B is correct because Cloud Audit Logs for Cloud Storage require explicit enabling of Data Access audit logs to capture read, write, and other data-level operations. By default, only Admin Activity audit logs are enabled, which log metadata changes but not data access like object writes. The IAM condition correctly restricts write access to the corporate IP range, but without enabling Data Access audit logs, the write operations from the service account are not recorded.

Exam trap

The trap here is that candidates assume all audit logs are enabled by default, but Cisco tests the distinction between Admin Activity logs (always on) and Data Access logs (must be explicitly enabled), especially for services like Cloud Storage where data operations are the primary concern.

How to eliminate wrong answers

Option A is wrong because IAM conditions control access permissions, not audit log generation; audit logs are governed by the Audit Logs configuration in the project, not by IAM conditions. Option C is wrong because the question states the write operations are coming from a service account that is part of a batch job, and the issue is missing logs, not missing permissions; if the service account lacked write permission, the operations would fail, not go unlogged. Option D is wrong because service accounts can generate audit logs just like user accounts; the missing logs are due to the Data Access audit log type not being enabled, not because the principal is a service account.

90
Multi-Select · hard

A company wants to use service account keys for an on-premises application that needs to authenticate to Google Cloud APIs. Which two practices should they follow to minimize security risks? (Choose TWO.)

Select 2 answers
A. Allow end users to download and use service account keys directly.
B. Enable automatic key generation and disable any unused keys.
C. Store the service account key in the application's source code for easy access.
D. Rotate service account keys regularly and store them in a secure secret management system.
E. Use a single service account key for all environments to simplify management.
Answers: B, D

Automating key generation ensures uniqueness, and disabling unused keys reduces attack surface.

Why this answer

Option B is correct because enabling automatic key generation ensures that keys are created with strong cryptographic standards and that unused keys are promptly disabled, reducing the attack surface. This practice aligns with Google Cloud's recommendation to minimize the number of active keys and to avoid manual key management errors.

Exam trap

Google Cloud often tests the misconception that storing keys in source code is acceptable for convenience, or that a single key across environments simplifies management, when in fact both practices drastically increase security risk.

91
MCQ · medium

Refer to the exhibit. A Security Engineer is reviewing the IAM policy for a project. An administrator reports that a user named admin@example.com cannot create firewall rules, even though the command should allow it. According to the policy, what is the most likely reason?

A. The security-team group has the 'compute.securityAdmin' role, but the user is not in that group.
B. The user has the 'compute.instanceAdmin.v1' role, which conflicts with network admin permissions.
C. The user has the 'compute.networkAdmin' role, which does not include permission to create firewall rules.
D. The IAM policy has an invalid etag, causing the policy to be rejected.
Answer: C

NetworkAdmin can modify networks but not firewall rules; securityAdmin is needed.

Why this answer

Option C is correct because the 'compute.networkAdmin' role in Google Cloud IAM does not include the 'compute.firewalls.create' permission required to create firewall rules. The user has this role, which grants permissions to manage network resources like subnets and routes, but firewall rule creation is a security function that requires the 'compute.securityAdmin' role.

Exam trap

Google Cloud often tests the misconception that 'networkAdmin' implies full control over all network-related resources, including firewalls, when in fact firewall rule management requires a distinct security-focused role.

How to eliminate wrong answers

Option A is wrong because the user is not in the security-team group, but the policy does not indicate that the user's permissions depend on group membership; the issue is the specific role assigned. Option B is wrong because the 'compute.instanceAdmin.v1' role does not conflict with network admin permissions; it is a separate role for managing compute instances, and conflicts are not a factor in IAM—permissions are additive. Option D is wrong because an invalid etag would cause the policy to be rejected during an update, not prevent an existing user from performing an action; the user already has the policy applied.

92
MCQ · medium

A company uses Organization Policies to restrict resource locations. They want to allow resources only in 'us-central1' and 'europe-west1'. They also need to allow a specific project to use 'us-east1' for a temporary workload. What is the correct organization policy configuration?

A. Set an organization policy with constraint 'gcp.resourceLocations' and allowed values 'us-central1' and 'europe-west1'. On the specific project, set a policy with allowed values 'us-central1', 'europe-west1', and 'us-east1'.
B. Set an organization policy with constraint 'gcp.resourceLocations' and denied values 'asia-*', 'australia-*', etc. On the specific project, set a policy with allowed values 'us-east1'.
C. Set an organization policy with constraint 'gcp.resourceLocations' and allowed values 'us-central1', 'europe-west1'. Use tags to mark the project and create a conditional policy that adds 'us-east1' when the tag is present.
D. Set an organization policy with constraint 'gcp.resourceLocations' and allowed values 'us-central1', 'europe-west1'. On the specific project, set a policy with denied values 'us-east1'.
Answer: A

Correct hierarchy: org policy restricts, project policy allows additional location.

Why this answer

Option A is correct because Organization Policies with the 'gcp.resourceLocations' constraint enforce location restrictions hierarchically. By setting allowed values at the organization level to 'us-central1' and 'europe-west1', all projects inherit these restrictions. Overriding the policy on the specific project by adding 'us-east1' to the allowed list creates a more permissive policy that still respects the organization-level constraints, allowing the temporary workload in 'us-east1'.

Exam trap

Google Cloud often tests the misconception that project-level policies merge with organization-level policies, when in reality they override the parent policy entirely, requiring the allowed list to include all permitted locations.

How to eliminate wrong answers

Option B is wrong because using denied values with wildcards like 'asia-*' is overly broad and does not explicitly allow the required locations; it also fails to guarantee that only 'us-central1' and 'europe-west1' are allowed, and adding 'us-east1' as an allowed value on the project would conflict with the deny-all approach. Option C is wrong because tags and conditional policies are not supported with the 'gcp.resourceLocations' constraint; this constraint only supports hierarchical override via allowed/denied lists, not tag-based conditions. Option D is wrong because setting denied values 'us-east1' on the specific project would explicitly block 'us-east1', which contradicts the requirement to allow it for the temporary workload.

93
Multi-Select · easy

A security engineer is configuring service account impersonation for cross-project access. Which two statements about service account impersonation are true? (Choose two.)

Select 2 answers
A. A user must have the roles/iam.serviceAccountUser role on the service account to impersonate it.
B. The Security Token Service (sts.googleapis.com) must be enabled for impersonation.
C. Impersonation requires the iam.serviceAccounts.getAccessToken permission.
D. Service accounts cannot impersonate other service accounts.
E. Impersonation can be used to delegate access across projects.
Answers: C, E

Option C is correct because the getAccessToken permission is needed to obtain an access token for the target service account.

Why this answer

Option C is correct because the iam.serviceAccounts.getAccessToken permission is required to generate an access token for a service account, which is the core mechanism of impersonation. Without this permission, the Security Token Service cannot issue a token on behalf of the service account, making impersonation impossible.

Exam trap

Google Cloud often tests the distinction between the roles/iam.serviceAccountUser and roles/iam.serviceAccountTokenCreator roles, leading candidates to mistakenly choose Option A when impersonation actually requires the token creator role or the specific getAccessToken permission.

94
MCQ · medium

A DevOps team wants to allow a CI/CD pipeline to deploy to Compute Engine using a service account. What is the best practice for managing service account keys?

A. Use a service account key distributed to each developer.
B. Generate a key and store it in Cloud Secret Manager.
C. Use workload identity federation.
D. Use a service account key stored in the source code repository.
Answer: C

Federation avoids long-lived keys and is the recommended approach.

Why this answer

Workload identity federation is the best practice because it allows the CI/CD pipeline to impersonate a service account without managing or storing any long-lived service account keys. This eliminates the risk of key leakage and rotation overhead, as authentication is done via an external identity provider (e.g., GitHub Actions, GitLab CI) using OIDC tokens. Google Cloud's workload identity federation supports OIDC (OpenID Connect) and SAML 2.0, enabling secure, keyless access from external workloads.

Exam trap

Google Cloud often tests the misconception that storing a key in a secure vault like Cloud Secret Manager is the best practice, but the trap here is that any long-lived key (even if encrypted at rest) introduces management overhead and potential for exposure, whereas workload identity federation eliminates the key entirely.

How to eliminate wrong answers

Option A is wrong because distributing a service account key to each developer violates the principle of least privilege and creates a massive security risk: any compromised developer workstation could expose the key, leading to unauthorized access to Compute Engine. Option B is wrong because, while Cloud Secret Manager securely stores secrets, using a service account key at all (even one stored in Secret Manager) still means managing a long-lived credential that must be rotated and can be leaked; workload identity federation avoids keys entirely. Option D is wrong because storing a service account key in the source code repository is a critical security anti-pattern: it exposes the key to anyone with repository access, including through CI/CD logs, and violates Google Cloud's security best practices.

95
MCQ · hard

An organization wants to enforce that all Compute Engine instances are created with a specific service account that has only the permissions defined by a custom role. Additionally, users must not be able to override this service account. Which two mechanisms should be combined?

A. Use Cloud Audit Logs to monitor and alert on non-compliant instances.
B. VPC Service Controls to restrict the service account usage.
C. An Organization Policy with constraint constraints/compute.setServiceAccount and an IAM deny policy to deny the iam.serviceAccounts.actAs permission on other service accounts.
D. Grant users only the Compute Instance Admin v1 role and remove the actAs permission.
Answer: C

This combination enforces the service account and prevents override.

Why this answer

Option C is correct because it combines an Organization Policy constraint (`constraints/compute.setServiceAccount`) that prevents users from specifying a different service account when creating Compute Engine instances, with an IAM deny policy that blocks the `iam.serviceAccounts.actAs` permission on all other service accounts. Together, these enforce that only the designated service account can be used, and users cannot override it.

Exam trap

Google Cloud often tests the misconception that a single mechanism (like an organization policy or IAM role restriction) is sufficient, when in reality two complementary controls are needed to both restrict the service account selection and block the actAs permission on unauthorized accounts.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs only provide monitoring and alerting after a non-compliant instance is created; they do not prevent the creation of instances with unauthorized service accounts. Option B is wrong because VPC Service Controls are designed to restrict data exfiltration and control access to Google Cloud APIs based on context (e.g., identity, network), not to enforce which service account is attached to Compute Engine instances. Option D is wrong because granting only the Compute Instance Admin v1 role and removing the `actAs` permission does not prevent users from specifying a different service account during instance creation; it only removes the ability to use service accounts that require `actAs`, but the user could still specify a service account they do not have `actAs` on, leading to a permission error rather than enforcement of a specific service account.

96
Multi-Select · hard

A company wants to enforce that all access to Cloud Storage buckets in a project is encrypted with Customer-Managed Encryption Keys (CMEK). The Security Engineer needs to configure the organization policy to meet this requirement. Which THREE steps should be taken? (Choose THREE.)

Select 3 answers
A. Create an organization policy with the constraint 'constraints/storage.requireCustomerManagedEncryption'.
B. Grant the 'cloudkms.cryptoKeyEncrypterDecrypter' role to the Cloud Storage service account.
C. Apply the organization policy at the folder level to cover all projects within that folder.
D. Disable the 'storage.objects.setIamPolicy' permission for all users except the key administrators.
E. Define a list of allowed Cloud KMS keys using the 'constraints/storage.allowedEncryptionKeys' list constraint.
Answers: A, C, E

This constraint enforces CMEK on Cloud Storage.

Why this answer

Option A is correct because the `constraints/storage.requireCustomerManagedEncryption` organization policy constraint enforces that all Cloud Storage buckets in the project must use CMEK. When this constraint is applied, any attempt to create a bucket without specifying a CMEK key is denied, ensuring compliance with the encryption requirement.

Exam trap

Google Cloud often tests the distinction between organization policy constraints and IAM roles or permissions, so candidates may mistakenly select steps that involve granting roles or modifying IAM permissions instead of focusing solely on the policy constraint configuration.

97
Multi-Select · easy

A company needs to grant a service account the ability to manage Compute Engine instances (start, stop, create) in a specific set of projects. The administrator wants to follow the principle of least privilege. Which TWO steps should the administrator take? (Choose TWO.)

Select 2 answers
A. Grant the predefined roles/compute.viewer role to the service account at the folder level.
B. Use Cloud IAP to tunnel into Compute Engine instances to perform management tasks.
C. Use IAM Conditions to restrict the service account's access to only the required projects or resources.
D. Grant the predefined roles/compute.admin role to the service account at the organization level.
E. Create a custom IAM role with compute.instances.start, compute.instances.stop, and compute.instances.create permissions and assign it to the service account at the project level.
Answers: C, E

Correct: IAM Conditions can limit access to specific projects when granting roles at a higher level.

Why this answer

Option C is correct because IAM Conditions allow the administrator to restrict the service account's permissions to a specific set of projects or resources, enforcing least privilege by limiting the scope of the granted role. This ensures the service account can only manage Compute Engine instances in the designated projects, not all projects in the folder or organization.

Exam trap

Google Cloud often tests the distinction between IAM Conditions and folder/organization-level roles, where candidates mistakenly choose broad roles like compute.admin at the organization level instead of using conditions or custom roles to scope permissions.

98
MCQ · medium

An administrator wants to enforce that a user can only create virtual machines in a specific subnet of a VPC network. What IAM condition should be added to the compute.instanceAdmin role binding?

A. `resource.name == "projects/PROJECT_ID/regions/us-central1/subnetworks/SUBNET"`
B. `resource.name == "projects/PROJECT_ID/subnetworks/SUBNET"`
C. `api.getAttribute("compute.googleapis.com/zone", "") != "us-central1"`
D. `resource.subnetwork == "projects/PROJECT_ID/subnetworks/SUBNET"`
Answer: A

This condition correctly restricts to the specific subnet by its full resource name.

Why this answer

Option A is correct because the IAM condition `resource.name` with the full resource name of the subnet (including the region) is the proper way to restrict virtual machine creation to a specific subnet. The `compute.instanceAdmin` role binding with this condition ensures that the user can only create instances whose subnet matches the specified resource name, enforcing the subnet-level constraint.

Exam trap

Google Cloud often tests the distinction between the correct IAM condition attribute (`resource.name`) and incorrect ones like `resource.subnetwork` or zone-based attributes, exploiting the common misconception that subnet restrictions can be applied via zone or subnet name alone without the full hierarchical resource path.

How to eliminate wrong answers

Option B is wrong because the resource name format for a subnet must include the region (e.g., `regions/us-central1/subnetworks/SUBNET`), not just `subnetworks/SUBNET`; omitting the region makes the condition invalid or too broad. Option C is wrong because `api.getAttribute("compute.googleapis.com/zone", "")` checks the zone, not the subnet, and the condition `!= "us-central1"` would incorrectly block instances in that zone rather than restrict to a specific subnet. Option D is wrong because `resource.subnetwork` is not a valid IAM condition attribute for Compute Engine resources; the correct attribute is `resource.name` to match the full resource name of the subnet.

99
MCQ · medium

A Dataflow job launched by service account 'my-sa@...' fails with permission denied. The audit log shows the above entry. What missing role is causing the failure?

A. roles/iam.workloadIdentityUser on the worker service account
B. roles/iam.serviceAccountUser on the worker service account
C. roles/iam.serviceAccountAdmin on the worker service account
D. roles/iam.serviceAccountTokenCreator on the worker service account
Answer: B

This role grants the actAs permission.

Why this answer

When a Dataflow job fails with permission denied and the audit log shows the entry, the missing role is typically roles/iam.serviceAccountUser on the worker service account. This role is required because the Dataflow service (or the service account launching the job) must be able to impersonate the worker service account to execute the pipeline's tasks. Without this role, the job cannot assume the identity of the worker service account, leading to the permission denied error.

Exam trap

Google Cloud often tests the distinction between roles that grant administrative control (serviceAccountAdmin) versus roles that grant impersonation (serviceAccountUser), and candidates mistakenly choose serviceAccountAdmin thinking it includes all permissions, but impersonation requires the specific actAs permission.

How to eliminate wrong answers

Option A is wrong because roles/iam.workloadIdentityUser is used for Kubernetes workloads to authenticate as a service account, not for Dataflow worker impersonation. Option C is wrong because roles/iam.serviceAccountAdmin grants administrative permissions to manage service accounts (e.g., create, delete, set policies), which is excessive and not required for impersonation. Option D is wrong because roles/iam.serviceAccountTokenCreator allows generating OAuth2 tokens for a service account, but Dataflow's impersonation mechanism uses the IAM serviceAccountUser role to delegate access, not token creation.

100
MCQ · medium

A company wants to allow employees to access a web application running on Google Kubernetes Engine (GKE) using their corporate Active Directory credentials. The application is exposed via an HTTPS load balancer. The Security Engineer needs to integrate identity federation and ensure that only authenticated users can reach the application. Which combination of services should be used?

A. Use Cloud Armor to allow only traffic from specific IP ranges and require client certificates.
B. Set up federation between Active Directory and Google Cloud using OIDC, and enable IAP on the load balancer.
C. Enable IAP and configure it to use Active Directory as an identity provider.
D. Configure Cloud Identity as the identity provider and use IAP.
Answer: B

IAP can authenticate users from an external OIDC provider.

Why this answer

Option B is correct because it combines OIDC federation between Active Directory and Google Cloud with Identity-Aware Proxy (IAP) on the load balancer. IAP verifies user identity via OIDC tokens issued by the federated identity provider, ensuring only authenticated users can reach the application without exposing it to the public internet.

Exam trap

Google Cloud often tests the misconception that IAP can directly use any identity provider (like raw Active Directory) without an OIDC/SAML federation bridge, leading candidates to pick option C.

How to eliminate wrong answers

Option A is wrong because Cloud Armor with IP ranges and client certificates enforces network-level and mTLS access, not identity federation with Active Directory credentials; it cannot authenticate users based on corporate AD identities. Option C is wrong because IAP does not support Active Directory directly as an identity provider; it requires an OIDC-compatible identity provider, such as Azure AD or a custom OIDC provider, not raw AD. Option D is wrong because Cloud Identity is Google's own identity service, not Active Directory; while it can be used with IAP, it does not integrate with corporate AD credentials unless federation is set up, which is not mentioned in the option.

101
MCQ · easy

A startup company has a single Google Cloud project with multiple developers. To simplify identity management, they created a service account for each developer and granted them the roles/editor role on the project. However, the security team is concerned about the over-privileged access. They want to implement a more secure approach while maintaining operational efficiency. The developers need to: create Compute Engine instances, manage Cloud Storage buckets, and deploy App Engine apps. The company has a small team and does not require fine-grained access control per developer. What is the recommended approach to reduce privileges while meeting the developers' needs?

A. Remove the editor role and grant each developer the roles/owner role on the project.
B. Remove the editor role and create a custom role with the required permissions, then assign the custom role to each developer individually.
C. Remove the editor role and grant each developer the roles/iam.securityReviewer role.
D. Remove the editor role, create a custom role with the required permissions, and assign the custom role to a Google Group containing all developers.
Answer: D

Option D is correct; this follows least privilege and operational efficiency by using a group for assignment.

Why this answer

Option D is correct because it removes the overly permissive Editor role and replaces it with a custom role containing only the specific permissions needed for Compute Engine, Cloud Storage, and App Engine. Assigning this custom role to a Google Group that contains all developers simplifies identity management and ensures consistent, least-privilege access without per-user assignment overhead.

Exam trap

The trap here is that candidates may think creating a custom role is unnecessary and choose a predefined role like Editor or Owner, failing to recognize that custom roles are the correct way to implement least privilege when no predefined role matches the exact set of needed permissions.

How to eliminate wrong answers

Option A is wrong because granting the Owner role is even more permissive than Editor, including full administrative control over the project, which directly contradicts the security team's goal of reducing privileges. Option B is wrong because while creating a custom role is correct, assigning it to each developer individually creates administrative overhead and does not leverage group-based management for operational efficiency. Option C is wrong because the IAM Security Reviewer role only grants read-only access to IAM policies and does not include any permissions to create Compute Engine instances, manage Cloud Storage buckets, or deploy App Engine apps.

102
MCQ · medium

A large enterprise has multiple Google Cloud organizations due to an acquisition. They want to allow a team in Org A to access a Cloud Spanner database in Org B. The team in Org A uses a service account for their application. They have set up Workload Identity Federation between the two organizations. The service account in Org B has the roles/spanner.databaseUser role on the database. The service account in Org A has been granted the roles/iam.workloadIdentityUser role on the service account in Org B. However, access attempts are failing with a permission denied error. What is the most likely missing configuration?

A. The project in Org B has not granted the roles/spanner.databaseUser role at the project level.
B. The Spanner database does not have the service account in Org A granted access directly.
C. The service account in Org B does not have the roles/iam.workloadIdentityUser role on itself.
D. The service account in Org A does not have the roles/iam.serviceAccountTokenCreator role on the service account in Org B.
Answer: D

To impersonate, the external identity needs the serviceAccountTokenCreator role.

Why this answer

Option D is correct because the external identity (the service account in Org A) must impersonate the service account in Org B, and that impersonation requires the Org A service account to hold the roles/iam.serviceAccountTokenCreator role on the Org B service account.

How to eliminate wrong answers

Option A is wrong because the project-level Spanner role would not be the issue. Option B is wrong because the Spanner database does not need the impersonation role. Option C is wrong because the roles are correctly assigned.

103
MCQ · easy

An application needs to authenticate to Google Cloud APIs from an on-premises server. Which approach is recommended for long-lived access?

A. Use a user account with OAuth 2.0 tokens.
B. Use workload identity federation with an on-premises identity provider.
C. Use API keys.
D. Create a service account key and store it securely on the server.
Answer: D

This is a standard approach for on-premises applications.

Why this answer

Option D is correct because service account keys provide a long-lived, static credential that can be securely stored on an on-premises server for authenticating to Google Cloud APIs. Unlike user accounts or OAuth flows, service account keys do not require interactive login or token refresh, making them suitable for automated, long-running workloads.

Exam trap

Google Cloud often tests the misconception that API keys (Option C) are sufficient for service-to-service authentication, but API keys lack the ability to represent a service identity and are not supported by many Google Cloud APIs for authorization; candidates may also confuse workload identity federation (Option B) as a long-lived solution when it is designed for short-lived, federated access.

How to eliminate wrong answers

Option A is wrong because user accounts with OAuth 2.0 tokens are designed for interactive user sessions and require periodic re-authentication or refresh token management, which is not ideal for long-lived, unattended server access. Option B is wrong because workload identity federation is intended for short-lived, federated access using external identity providers, not for long-lived static credentials; it requires token exchange and has a default maximum token lifetime of 1 hour. Option C is wrong because API keys are primarily used for identifying projects and enabling simple access to public data or quota tracking, not for authenticating as a service identity to access private resources or perform authorized API calls.

104
Multi-Select · medium

Which TWO practices help implement the principle of least privilege when configuring access to Google Cloud resources? (Choose two.)

Select 2 answers
A. Grant roles at the organization level to simplify administration.
B. Use a single service account for all Cloud Functions in a project to simplify key management.
C. Create custom roles that include only the specific permissions needed.
D. Use IAM Conditions to restrict access to specific resources or times.
E. Grant IAM roles directly to individual users for better traceability.
Answers: C, D

Custom roles allow precise permission assignment.

Why this answer

Option C is correct because creating custom roles allows you to define a precise set of permissions, ensuring that a principal has only the minimum permissions required to perform their job function. This directly implements the principle of least privilege by avoiding the broad permissions often included in predefined roles.

Exam trap

Google Cloud often tests the misconception that granting roles at a higher level (organization) or using a single service account simplifies management without considering the security implications of over-privileged access.

105
MCQ · hard

Alice tries to connect to Cloud SQL instance 'prod-instance' using the Cloud SQL Auth proxy. Will she succeed? Why?

A. Yes, because she has the client role with no condition.
B. Yes, because the admin role grants full access, and the condition only applies to the admin role, but the client role is unconditional.
C. No, because the admin role condition overrides the client role.
D. No, because the cloudsql.admin role condition restricts to dev instances only.
Answer: B

The unconditional client role provides the necessary permissions to connect.

Why this answer

Option B is correct because the Cloud SQL Auth proxy uses IAM permissions for authentication and authorization. The `cloudsql.client` role grants the `cloudsql.instances.connect` permission unconditionally, allowing Alice to connect to any instance. The `cloudsql.admin` role's condition restricting access to 'dev' instances only applies to the `cloudsql.instances.update` permission, not to the connect permission, so the client role's unconditional access prevails.

Exam trap

Google Cloud often tests the misconception that a restrictive condition on a higher-privilege role (like admin) overrides a lower-privilege role (like client), when in reality IAM evaluates each permission independently and the most permissive effective permission wins.

How to eliminate wrong answers

Option A is wrong because, although the client role is indeed unconditional, its reasoning is incomplete: it never addresses why the admin role's condition is irrelevant to the connect permission, which is the core of the question. Option C is wrong because IAM conditions are evaluated per permission, not globally; the admin role condition does not override the client role's unconditional connect permission, since IAM combines multiple roles and the most permissive effective permission applies. Option D is wrong because the admin role condition restricts only admin-level actions (like modifying instances), not the connect permission granted by the client role; the condition does not block Cloud SQL Auth proxy connections.
