CCNA GCP Compliance Questions

75 of 108 questions · Page 1/2 · GCP Compliance topic · Answers revealed

1 · MCQ · easy

A company wants to use Cloud Armor to block traffic from specific countries to comply with data sovereignty requirements. They have a global HTTP Load Balancer configured. Where should they configure the Cloud Armor policy?

A. Attach to the VPC network that hosts the load balancer.
B. Attach to the backend service of the load balancer.
C. Configure as an Organization Policy constraint.
D. Configure as a firewall rule in the VPC network.

Answer: B

Cloud Armor policies are applied to backend services.

Why this answer

Cloud Armor policies must be attached to a backend service (or backend bucket) of a global HTTP(S) Load Balancer to filter traffic at the edge. This allows the policy to evaluate incoming requests based on geographic location before they reach the backend, enforcing data sovereignty rules without modifying VPC networking or firewall rules.

Exam trap

Google Cloud often tests the misconception that Cloud Armor is a VPC-level firewall feature, leading candidates to choose VPC firewall rules or network-level attachments, when in fact it is a load balancer backend service security policy that operates at the application layer on Google's global edge.

How to eliminate wrong answers

Option A is wrong because Cloud Armor policies are not attached to VPC networks; they are applied to load balancer backend services or backend buckets, not to the underlying network infrastructure. Option C is wrong because Organization Policy constraints are used for governance controls (e.g., restricting resource locations) and cannot filter traffic by country at the application layer. Option D is wrong because firewall rules operate at the network layer (IP/port) within a VPC and cannot inspect HTTP request attributes like geographic origin; Cloud Armor uses Google's global edge infrastructure for geolocation-based filtering.

2 · Multi-Select · hard

A healthcare organization is migrating to Google Cloud and needs to achieve HIPAA compliance. Which THREE actions are required to meet HIPAA requirements on GCP? (Choose THREE.)

Select 3 answers
A. Enable Cloud Audit Logs for all services handling ePHI
B. Enable VPC Flow Logs for all subnets
C. Sign a Business Associate Agreement (BAA) with Google Cloud
D. Use Customer-Managed Encryption Keys (CMEK) for Cloud Storage, BigQuery, and other services
E. Use Cloud NAT for outbound internet access

Answers: A, C, D

HIPAA requires audit controls to record access to ePHI; Cloud Audit Logs meet this requirement.

Why this answer

Option A is correct because enabling Cloud Audit Logs for all services handling ePHI is a direct requirement under HIPAA's Security Rule (45 CFR § 164.312(b)), which mandates audit controls to record and examine activity in systems that contain or use electronic protected health information. Cloud Audit Logs provide immutable, tamper-evident logs of admin activities, data access, and system events, which are essential for demonstrating compliance during audits or breach investigations. Without these logs, the organization cannot meet the audit control standard for ePHI environments on GCP.

Exam trap

Google Cloud often tests the distinction between mandatory HIPAA requirements (audit logs, BAA, encryption) and optional or unrelated networking features (VPC Flow Logs, Cloud NAT), leading candidates to mistakenly select VPC Flow Logs as an audit control when it only provides network telemetry, not access logging for ePHI.

3 · MCQ · hard

A company is migrating a legacy on-premises application to Google Compute Engine. The application requires a static IP address for compliance with a regulatory requirement that outbound connections to a partner's IP whitelist must originate from a known, fixed IP. The application will run in a managed instance group (MIG) for high availability. Which of the following solutions meets the compliance requirement?

A. Configure VPC Service Controls to allow egress only from a specific IP range.
B. Use a regional external HTTPS load balancer with a static IP address and configure the MIG to route outbound traffic through the load balancer.
C. Assign static external IP addresses to each instance in the MIG and configure the partner firewall accordingly.
D. Use Cloud NAT with a static NAT IP address for all egress traffic from the instances.

Answer: B

The load balancer's static IP is used for outbound traffic, providing a fixed source IP.

Why this answer

Option B is correct because a regional external HTTPS load balancer with a static IP address can be used as a forward proxy for outbound traffic. By configuring the managed instance group (MIG) to route all egress traffic through the load balancer, all outbound connections will originate from the load balancer's static IP, meeting the compliance requirement for a known, fixed source IP. This approach ensures high availability through the MIG while maintaining a single static IP for partner whitelisting.

Exam trap

Google Cloud often tests the misconception that Cloud NAT alone is sufficient for static egress IPs, but the question's requirement for high availability via a MIG and the specific mention of a load balancer in the correct answer highlight that Cloud NAT does not route traffic through a load balancer, making it incompatible with the described architecture.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls are designed to restrict data exfiltration from Google Cloud services (e.g., BigQuery, Cloud Storage) by defining perimeters, not to control egress IP addresses for general compute instances; they do not provide a static IP for outbound connections. Option C is wrong because assigning static external IPs to each instance in a MIG would require the partner to whitelist multiple IPs, which violates the requirement for a single known, fixed IP and adds management complexity; also, MIG autoscaling could change the number of instances, making IP whitelisting impractical. Option D is wrong because Cloud NAT with a static NAT IP provides a fixed source IP for outbound traffic, but it is designed for instances without external IPs and does not inherently integrate with a load balancer for outbound routing; the question specifies using a load balancer for high availability, and Cloud NAT alone does not satisfy the requirement to route traffic through a load balancer.

4 · Multi-Select · hard

A company is implementing a data retention policy for Cloud Storage buckets. They need to ensure that objects cannot be deleted before a specified retention period. Which THREE features can they use? (Choose THREE.)

Select 3 answers
A. Retention Policy on the bucket.
B. Lifecycle rules with a Delete action.
C. Bucket Lock feature.
D. Object holds (event-based or temporary).
E. Object versioning.

Answers: A, C, D

Retention policies prevent deletion before the retention period ends.

Why this answer

A is correct because a Retention Policy on a Cloud Storage bucket enforces a minimum retention period for all objects in the bucket. Once set, objects cannot be deleted or overwritten until the retention period expires, directly meeting the requirement to prevent deletion before a specified time.

Exam trap

Google Cloud often tests the distinction between features that prevent deletion (Retention Policy, Bucket Lock, Object holds) versus features that manage deletion (Lifecycle rules) or provide recovery after deletion (Object versioning), leading candidates to confuse lifecycle rules with retention controls.

5 · MCQ · medium

Your company, a global e-commerce platform, must comply with the PCI DSS requirement to secure cardholder data. You have a multi-cloud environment with workloads on Google Cloud and AWS. The Google Cloud environment consists of Compute Engine instances that process credit card transactions, and a Cloud SQL for MySQL database that stores encrypted cardholder data. The security team requires that only specific service accounts can connect to the database, and all connections must be encrypted. Additionally, you need to ensure that the database is not publicly accessible and that all access is logged. You have configured the Cloud SQL instance with a private IP and enabled SSL/TLS. However, a recent audit revealed that a Compute Engine instance with a public IP and no service account was able to connect to the database and execute queries. The instance was not authorized in the Cloud SQL authorized networks. What is the most likely cause of this security gap, and what should you do to prevent it?

A. The instance bypassed SSL enforcement because the database was configured to accept non-encrypted connections. You should enable the 'require SSL' flag.
B. The instance used the Cloud SQL Proxy, which bypasses network controls. You should remove the proxy and require direct connections over private IP.
C. VPC Service Controls were not configured to block the connection. You should create a service perimeter to prevent data exfiltration.
D. The instance was in the same VPC and used the default Compute Engine service account with cloudsql.client role. You should disable the default service account and use a custom service account with the least privilege.

Answer: D

Private IP connections are allowed from any resource in the same VPC; the default service account had permission. Restricting the service account prevents unauthorized access.

Why this answer

Option D is correct because the Compute Engine instance was in the same VPC as the Cloud SQL instance (private IP), and it used the default Compute Engine service account, which had the cloudsql.client role. This allowed the instance to connect via the Cloud SQL Proxy or directly using the private IP without being listed in authorized networks, as VPC internal connectivity bypasses authorized networks. The fix is to disable the default service account and assign a custom service account with only the necessary permissions, ensuring least privilege and preventing unauthorized access.

Exam trap

Google Cloud often tests the misconception that authorized networks or SSL/TLS are the primary controls for Cloud SQL access, when in fact IAM roles on service accounts within the same VPC can override those controls.

How to eliminate wrong answers

Option A is wrong because the database already had SSL/TLS enabled, and the instance connected successfully; the issue is not about SSL enforcement but about authentication and authorization. Option B is wrong because the Cloud SQL Proxy does not bypass network controls; it actually enforces IAM-based authentication and encryption, and removing it would weaken security. Option C is wrong because VPC Service Controls are designed to prevent data exfiltration across perimeters, not to block internal VPC connections from instances with the correct IAM roles; the connection was within the same VPC, so a service perimeter would not have prevented it.

6 · MCQ · easy

A company needs to meet SOC 2 requirements for change management. They want to log all changes to IAM policies in their Google Cloud organization. What should they do?

A. Use Cloud Asset Inventory to scan for changes daily.
B. Configure a Cloud Monitoring alert for IAM policy changes.
C. Enable Data Access audit logs for all services.
D. Use Admin Activity audit logs, which are enabled by default.

Answer: D

Admin Activity logs record all changes to IAM policies and other configuration changes.

Why this answer

Option C is correct because Admin Activity audit logs capture all IAM policy changes by default. Option A is wrong because Data Access logs are for data access, not admin changes. Option B is wrong because Cloud Monitoring does not log changes; it monitors metrics.

Option D is wrong because Cloud Asset Inventory provides a view but does not log changes in real-time.

7 · MCQ · easy

Which Google Cloud audit log captures administrator activity and is enabled by default?

A. Policy Denied audit logs
B. System Event audit logs
C. Data Access audit logs
D. Admin Activity audit logs

Answer: D

Admin Activity audit logs are enabled by default and track API calls that modify resources.

Why this answer

Admin Activity audit logs (option D) are enabled by default in Google Cloud and capture all administrator actions that modify the configuration or metadata of resources, such as creating a VM or changing IAM policies. These logs are essential for compliance and security auditing because they record 'who did what, where, and when' for management activities, and they cannot be disabled.

Exam trap

Google Cloud often tests the misconception that all audit logs are enabled by default, but only Admin Activity and System Event logs are default-enabled, while Data Access logs are not, leading candidates to incorrectly choose Data Access audit logs.

How to eliminate wrong answers

Option A is wrong because Policy Denied audit logs are only generated when a Google Cloud service denies access due to a security policy (e.g., VPC firewall rules or IAP), and they are not enabled by default—they must be explicitly configured. Option B is wrong because System Event audit logs capture non-human actions, such as Google Cloud's own automated operations (e.g., automatic maintenance events), and they are enabled by default but do not cover administrator activity. Option C is wrong because Data Access audit logs track API calls that read or modify user-provided data (e.g., reading a Cloud Storage object), and they are disabled by default to avoid high volume and cost; they must be explicitly enabled per service.

8 · MCQ · medium

A financial services company must store customer transaction records for 7 years to comply with SEC regulations. They currently use Cloud Storage with a lifecycle rule that deletes objects after 365 days. The compliance team needs to ensure that records are immutable and cannot be deleted or modified before the retention period expires. What should the security engineer do?

A. Apply a retention policy to each object individually using object holds.
B. Use VPC Service Controls to restrict access to the bucket to only authorized compliance personnel.
C. Modify the lifecycle rule to delete objects after 2555 days instead of 365 days.
D. Enable Bucket Lock on the bucket and configure a retention policy of 7 years.

Answer: D

Bucket Lock enforces a retention policy that prevents object deletion or modification until the retention period expires, overriding lifecycle rules.

Why this answer

Option D is correct because Bucket Lock is the only Google Cloud Storage feature that enforces immutability by preventing object deletion or modification for a specified retention period. By enabling Bucket Lock and configuring a 7-year retention policy, the company ensures compliance with SEC regulations, as objects cannot be deleted or overwritten even by the bucket owner or lifecycle rules. This overrides the existing 365-day lifecycle rule because retention policies take precedence over lifecycle deletion actions.

Exam trap

Google Cloud often tests the distinction between access controls (like VPC Service Controls or IAM) and data immutability features, leading candidates to confuse restricting access with enforcing retention.

How to eliminate wrong answers

Option A is wrong because object holds (e.g., retention holds) are temporary and can be removed by users with appropriate permissions, so they do not guarantee immutable compliance for the full 7-year period. Option B is wrong because VPC Service Controls control network access but do not prevent deletion or modification of objects by authorized users or lifecycle rules, so they do not enforce immutability. Option C is wrong because modifying the lifecycle rule to 2555 days only delays deletion; it does not prevent manual deletion or overwriting of objects, and lifecycle rules can be changed or removed at any time, failing to meet the immutability requirement.

9 · MCQ · hard

A gaming company must comply with the Children's Online Privacy Protection Act (COPPA). They use BigQuery to store user data, including age. They want to automatically classify and restrict access to data of users under 13. Which approach should they take?

A. Create a Cloud Data Catalog tag template for age and assign tags to columns, then use IAM to restrict access based on tags.
B. Store user data in Cloud Storage with uniform bucket-level access and use IAM to restrict access based on age.
C. Use DLP API to inspect BigQuery tables and apply de-identification or restriction policies.
D. Use VPC Service Controls to limit access to the BigQuery dataset from only approved IP ranges.

Answer: C

DLP can classify and automatically transform or restrict access to sensitive data.

Why this answer

Option A is correct because DLP API can classify sensitive data and set access controls accordingly. Option B is wrong because bucket-level policies apply to Cloud Storage, not BigQuery. Option C is wrong because VPC Service Controls do not inspect data content.

Option D is wrong because Data Catalog does not enforce access; it only tags metadata.

10 · MCQ · easy

A company is moving sensitive data to Google Cloud and must comply with GDPR data minimization principles. They want to ensure that only the minimum necessary data is collected and processed. Which Google Cloud service should they use to automatically identify and redact sensitive data before storage?

A. Cloud Composer
B. Cloud Data Fusion
C. Cloud Dataprep
D. Cloud Data Loss Prevention (DLP)

Answer: D

DLP inspects and de-identifies sensitive data to minimize data collection.

Why this answer

Cloud Data Loss Prevention (DLP) is the correct service because it provides native capabilities to inspect, classify, and automatically redact sensitive data (e.g., PII, credit card numbers) before storage, directly supporting GDPR data minimization. It uses built-in infoType detectors and can be integrated with Cloud Storage, BigQuery, and other services to apply de-identification transformations such as masking, tokenization, or deletion at ingestion time.

Exam trap

Google Cloud often tests the distinction between data transformation/ETL tools (Cloud Data Fusion, Cloud Dataprep) and a dedicated data loss prevention service (Cloud DLP), expecting candidates to recognize that only DLP provides automated sensitive data identification and redaction out of the box without requiring custom coding or external integrations.

How to eliminate wrong answers

Option A is wrong because Cloud Composer is a managed workflow orchestration service based on Apache Airflow, not a data inspection or redaction tool; it cannot automatically identify or redact sensitive data. Option B is wrong because Cloud Data Fusion is a fully managed data integration and ETL service that can transform data but lacks built-in sensitive data detection and automated redaction capabilities; it would require custom plugins or external calls to DLP for such functionality. Option C is wrong because Cloud Dataprep is a data preparation and cleaning service (based on Trifacta) that focuses on structuring and transforming data visually, but it does not natively include automated sensitive data identification or redaction; it would need to integrate with DLP for that purpose.

11 · MCQ · easy

A financial services company is deploying a new payment processing system on Google Cloud that must comply with PCI DSS. The system processes credit card data. The security team has implemented encryption at rest and in transit, and uses Private Google Access for VPC communication. During a PCI assessment, the assessor points out that the company is missing a critical control: the need to regularly scan the external IP addresses of the VMs for vulnerabilities. What should the company do to address this requirement?

A. Use Security Command Center Premium to perform vulnerability scanning.
B. Deploy Cloud IDS to perform active vulnerability scanning on external IPs.
C. Enable Cloud Armor to block all traffic and thus eliminate the need for scanning.
D. Set up a third-party vulnerability scanner (e.g., Nessus) from the Cloud Marketplace and run scans against external IPs.

Answer: D

A third-party ASV scanner is standard for PCI DSS.

Why this answer

Option D is correct because PCI DSS Requirement 11.2 mandates that external-facing IP addresses be scanned for vulnerabilities at least quarterly and after any significant change. Deploying a third-party scanner like Nessus from the Cloud Marketplace allows the company to run authenticated or unauthenticated scans against the external IPs of their VMs, meeting the specific requirement. Google Cloud does not provide a native active vulnerability scanning service for external IPs; Security Command Center Premium and Cloud IDS focus on asset discovery and threat detection, not active scanning of external endpoints.

Exam trap

Google Cloud often tests the misconception that Google Cloud's native security tools (like Security Command Center or Cloud IDS) can replace the need for a dedicated external vulnerability scanner, but PCI DSS explicitly requires active scanning of external IPs, which only a third-party or ASV scanner can perform.

How to eliminate wrong answers

Option A is wrong because Security Command Center Premium provides continuous monitoring, asset inventory, and findings from built-in scanners like Web Security Scanner, but it does not perform active vulnerability scanning of arbitrary external IP addresses; it relies on agent-based or API-based assessments for internal VMs. Option B is wrong because Cloud IDS is a network threat detection service that inspects traffic for malicious activity using packet mirroring, not an active vulnerability scanner that probes external IPs for CVEs. Option C is wrong because Cloud Armor is a web application firewall that blocks traffic based on rules, but it does not eliminate the need for vulnerability scanning; PCI DSS requires active scanning regardless of traffic filtering, and blocking all traffic would break the payment processing system.

12 · MCQ · medium

A government agency requires FedRAMP High compliance for their Google Cloud deployment. Which service should they use to create a compliant environment with pre-configured controls?

A. Cloud HSM
B. VPC Service Controls
C. Security Command Center
D. Assured Workloads

Answer: D

Assured Workloads automates the creation of a compliant environment for FedRAMP, HIPAA, etc., with pre-built controls and continuous monitoring.

Why this answer

Assured Workloads is the correct service because it enables customers to create a Google Cloud environment that is pre-configured to meet specific compliance requirements, including FedRAMP High. It automatically applies a set of controls (e.g., data residency, encryption key management, and access restrictions) based on the chosen compliance regime, reducing the manual effort needed to achieve and maintain certification.

Exam trap

Google Cloud often tests the misconception that a single security tool (like Cloud HSM or VPC Service Controls) is sufficient for full compliance, when in reality Assured Workloads is the only option that provides a holistic, pre-configured compliance environment.

How to eliminate wrong answers

Option A is wrong because Cloud HSM is a hardware security module service that provides FIPS 140-2 Level 3 validated key management, but it does not create a pre-configured compliant environment or enforce broader FedRAMP controls like data residency or access boundaries. Option B is wrong because VPC Service Controls provides a security perimeter to prevent data exfiltration from VPC services, but it is a single control mechanism, not a comprehensive environment that pre-configures all FedRAMP High requirements. Option C is wrong because Security Command Center is a security and risk management platform that provides visibility, threat detection, and compliance reporting, but it does not automatically deploy a pre-configured compliant environment; it monitors and assesses existing configurations.

13 · Multi-Select · easy

Which TWO organization policies can help enforce compliance with data residency requirements?

Select 2 answers
A. constraints/storage.uniformBucketLevelAccess
B. constraints/iam.disableServiceAccountCreation
C. constraints/gcp.resourceLocations
D. constraints/gcp.restrictTrustedDomains
E. constraints/compute.requireShieldedVm

Answers: C, D

This policy restricts where resources can be created, ensuring data stays in allowed regions.

Why this answer

Option C is correct because the `constraints/gcp.resourceLocations` organization policy restricts the physical location where Google Cloud resources (like Compute Engine instances, Cloud Storage buckets, and BigQuery datasets) can be created. By defining allowed locations (e.g., `in:us-central1` or `in:europe-west1`), you enforce data residency requirements, ensuring data remains within specific geographic boundaries to comply with regulations like GDPR or HIPAA.

Exam trap

Google Cloud often tests the distinction between security controls (like Shielded VM or uniform bucket access) and compliance controls (like resource location restrictions), so candidates mistakenly pick options that sound security-related but do not enforce data residency.

14 · Multi-Select · hard

A company needs to comply with GDPR and must implement data subject access request (DSAR) capabilities. Which TWO Google Cloud services should they use to locate and export personal data across various data stores?

Select 2 answers
A. Cloud Key Management Service (KMS)
B. Cloud Storage
C. BigQuery
D. Cloud Data Loss Prevention (DLP)
E. VPC Service Controls

Answers: C, D

BigQuery can store and query personal data for DSAR responses.

Why this answer

BigQuery is correct because it can be used to query and export personal data stored in BigQuery tables via SQL, enabling DSAR compliance by locating and extracting data subject information. Cloud Data Loss Prevention (DLP) is correct because it can inspect and classify personal data across various Google Cloud data stores (including Cloud Storage, BigQuery, and Datastore) and de-identify or export findings, directly supporting DSAR workflows.

Exam trap

Google Cloud often tests the misconception that Cloud Storage or VPC Service Controls can handle DSARs, but they are storage and security boundary services respectively, not data discovery or export tools; candidates confuse data storage with data subject access request capabilities.

15 · MCQ · hard

A large healthcare organization is migrating its on-premises data center to Google Cloud. The organization must comply with HIPAA and has signed a BAA with Google Cloud. They plan to use BigQuery for analytics on PHI data. The security team has enabled encryption at rest with CMEK and has configured VPC Service Controls to prevent data exfiltration. During a penetration test, the testers discovered that they could query the BigQuery dataset using a service account that has BigQuery Data Viewer role from a non-VPC-SC-compliant network. This could allow unauthorized access to PHI data. The team needs to restrict all access to the BigQuery dataset to only originate from within the VPC perimeter defined by VPC Service Controls. What should the team do to enforce this requirement?

A. Set up Private Google Access for the on-premises network and route all traffic through a VPN tunnel.
B. Configure an Organization Policy that restricts BigQuery access to only service accounts with a specific prefix.
C. Enable VPC Service Controls perimeters for the BigQuery API and ensure that the project containing the dataset is in the perimeter, and configure ingress/egress rules to allow only requests from within the perimeter.
D. Use Cloud IAP to require users to authenticate before accessing BigQuery.

Answer: C

VPC Service Controls can enforce network-based access restrictions.

Why this answer

Option C is correct because VPC Service Controls are specifically designed to create a security perimeter around Google Cloud services like BigQuery, preventing data exfiltration and restricting access to only requests originating from within the defined perimeter. By placing the project containing the BigQuery dataset inside the VPC Service Controls perimeter and configuring ingress/egress rules, the team ensures that even a service account with BigQuery Data Viewer role cannot query the dataset from a non-VPC-SC-compliant network, as the API call is blocked at the Google Cloud edge before it reaches BigQuery.

Exam trap

Google Cloud often tests the distinction between IAM-based access control (who can access) and network-based perimeter control (from where they can access), and the trap here is that candidates confuse VPC Service Controls with Private Google Access or IAP, thinking that private connectivity or identity verification alone can enforce network origin restrictions.

How to eliminate wrong answers

Option A is wrong because Private Google Access and VPN tunnels enable on-premises access to Google Cloud APIs via private IP addresses, but they do not enforce that all access must originate from within the VPC Service Controls perimeter; they merely provide a private connectivity path, not a restriction on the source network. Option B is wrong because an Organization Policy restricting BigQuery access to service accounts with a specific prefix does not enforce network-level origin restrictions; it only controls which identities can access BigQuery, not from where they can access it, leaving the data vulnerable to queries from non-VPC-SC-compliant networks. Option D is wrong because Cloud IAP provides identity-aware access control for applications and SSH/RDP, but it does not integrate with BigQuery's API or enforce network perimeter restrictions; it cannot block API calls from a service account outside the VPC Service Controls perimeter.

16 · MCQ · medium

A multinational corporation must store all data subject to GDPR in the European Union. They have multiple projects and want to enforce this at the organization level. Which approach should they use to prevent resource creation outside allowed locations?

A. Configure VPC Service Controls to limit network traffic to EU regions
B. Use Cloud Deployment Manager to deploy resources only in EU regions
C. Apply Organization Policy constraints (constraints/gcp.resourceLocations) with allowed regions in EU
D. Enable Cloud Audit Logs to monitor resource locations and alert on violations

Answer: C

The Organization Policy resourceLocations constraint prevents resource creation outside specified regions, enforcing compliance across all projects.

Why this answer

Organization policies provide centralized control to constrain resource locations, ensuring all projects under the organization adhere to the data residency requirement.

17 · MCQ · easy

A healthcare company subject to HIPAA must prevent data exfiltration from Google Cloud storage buckets. They already use VPC Service Controls. Which additional control should they configure to directly block unauthorized copying of data to external projects?

A. Enable Cloud Data Loss Prevention (DLP) scanning
B. Use Cloud Audit Logs to review access
C. Apply Cloud Identity-Aware Proxy (IAP) to buckets
D. Configure egress rules in the VPC Service Controls perimeter

Answer: D

Egress rules define allowed destinations for data leaving the perimeter, directly preventing exfiltration to external projects.

Why this answer

VPC Service Controls allow you to define perimeters that restrict data movement between authorized and unauthorized projects. By configuring egress rules within the perimeter, you can explicitly block copying data to external projects, directly preventing data exfiltration. This is the correct additional control because it enforces policy at the network boundary, not just at the application or storage layer.

Exam trap

Google Cloud often tests the distinction between detective controls (like audit logs) and preventive controls (like VPC Service Controls egress rules), leading candidates to choose Cloud Audit Logs because they think logging alone can stop exfiltration.

How to eliminate wrong answers

Option A is wrong because Cloud DLP is a content inspection and classification tool, not a network-level enforcement mechanism; it can detect sensitive data but cannot block data transfer to external projects. Option B is wrong because Cloud Audit Logs provide visibility into who accessed what and when, but they do not actively block or prevent data exfiltration. Option C is wrong because Cloud Identity-Aware Proxy (IAP) controls access to applications and VMs via identity and context, not to Cloud Storage buckets; IAP does not apply to GCS buckets and cannot restrict data copying between projects.

18
MCQhard

A company uses Forseti Security to monitor their GCP environment for compliance violations. They want to automatically enforce policies that prevent the deployment of resources without required labels. What should they do?

A.Use Forseti Config Validator with a deny policy that blocks creation of resources without required labels
B.Configure Forseti Inventory to scan and report resources missing labels, then manually delete them
C.Enable VPC Service Controls to restrict projects without labels from accessing resources
D.Use Cloud Asset Inventory to trigger Cloud Functions that delete resources missing labels
AnswerA

Config Validator can enforce policies using constraints that deny resource creation if labels are missing, using Organization Policy constraints or Forseti's own enforcement.

Why this answer

Forseti Config Validator can enforce policies at deployment time by using a deny policy that blocks resource creation if required labels are missing. This is the correct approach because it prevents non-compliant resources from being created in the first place, rather than detecting and remediating them after the fact.

Exam trap

The trap here is confusing reactive detection and remediation (Inventory, Cloud Asset Inventory, Cloud Functions) with proactive enforcement (Config Validator), leading candidates to choose options that only report or clean up violations instead of preventing them.

How to eliminate wrong answers

Option B is wrong because Forseti Inventory only scans and reports resources missing labels; it does not automatically enforce policies or block deployments, and manual deletion is not automated enforcement. Option C is wrong because VPC Service Controls are designed to control data exfiltration and access between projects, not to enforce labeling requirements on resource creation. Option D is wrong because Cloud Asset Inventory is a discovery and monitoring service, not a policy enforcement engine; triggering Cloud Functions to delete resources is a reactive, not preventive, approach and does not block deployment.

19
MCQeasy

A financial services company must comply with PCI DSS requirements for encryption key management. They want to use Google-managed keys with automatic rotation. Which key management solution should they choose?

A.Customer-supplied encryption keys (CSEK)
B.Cloud KMS with CMEK (Customer-Managed Encryption Keys)
C.Google-managed encryption keys (default)
D.Cloud HSM
AnswerB

CMEK lets customers create, manage, and rotate keys in Cloud KMS, meeting PCI DSS requirements for key management and rotation.

Why this answer

Option B (Cloud KMS with CMEK) is correct because it allows the company to use Google-managed keys with automatic rotation while retaining control over the key material. CMEK keys are created and managed in Cloud KMS, but the actual cryptographic operations are performed by Google's key management infrastructure, and automatic rotation can be configured (e.g., every 90 days) to meet PCI DSS rotation requirements. This provides a balance between compliance control and operational simplicity.

Exam trap

Google Cloud often tests the distinction between key management (Cloud KMS with CMEK) and key hosting (Cloud HSM), tricking candidates into selecting Cloud HSM because it sounds more secure, even though the question explicitly asks for a solution with automatic rotation and managed keys.

How to eliminate wrong answers

Option A (CSEK) is wrong because CSEK requires the customer to supply their own key material and manage rotation manually, which does not satisfy the requirement for automatic rotation. Option C (Google-managed encryption keys, default) is wrong because these keys are fully managed by Google with no customer control over rotation schedule or key material, failing PCI DSS requirements for documented key management responsibilities. Option D (Cloud HSM) is wrong because while it provides FIPS 140-2 Level 3 validated hardware security modules, it is a key hosting option, not a key management solution with automatic rotation; CMEK can use Cloud HSM as a backing key store, but Cloud HSM alone does not provide the automatic rotation feature.

20
MCQeasy

A company needs to ensure that all data stored in Cloud Storage is encrypted using a key that is rotated every 30 days. Which encryption option should they choose to meet this requirement with automated rotation?

A.Cloud External Key Manager (EKM)
B.Customer-Managed Encryption Key (CMEK) using Cloud KMS
C.Google-managed encryption keys
D.Customer-Supplied Encryption Key (CSEK)
AnswerB

CMEK allows customers to set a rotation period (e.g., 30 days) and KMS handles automatic rotation.

Why this answer

Option B is correct because Customer-Managed Encryption Keys (CMEK) with Cloud KMS allow you to control and rotate encryption keys on a schedule. Cloud KMS supports automatic key rotation with a configurable rotation period (e.g., every 30 days), meeting the requirement without manual intervention.

Exam trap

The trap here is that candidates confuse CMEK (which supports automated rotation) with CSEK (which requires manual key management and does not support rotation), leading them to choose D because it seems to offer more control; CSEK, however, lacks the automated rotation feature this requirement needs.

How to eliminate wrong answers

Option A is wrong because Cloud External Key Manager (EKM) lets you manage keys outside Google Cloud, but it does not provide automated rotation within Cloud KMS; rotation must be handled externally. Option C is wrong because Google-managed encryption keys are rotated automatically by Google, but you cannot control the rotation schedule or set it to exactly 30 days. Option D is wrong because Customer-Supplied Encryption Keys (CSEK) require you to supply the key with each API call and do not support automated rotation; you must manually rotate and re-encrypt data.

21
MCQeasy

A healthcare organization must store protected health information (PHI) in Google Cloud and ensure compliance with HIPAA. They need to prevent data from being stored outside the United States. Which Google Cloud product should they use to enforce this requirement?

A.Cloud Healthcare API
B.Organization Policy
C.VPC Service Controls
D.Cloud Data Loss Prevention (DLP) API
AnswerB

Organization Policies with constraints like constraints/gcp.resourceLocations can restrict resources to specific regions.

Why this answer

Organization Policy allows you to define and enforce constraints on Google Cloud resources at the organization, folder, or project level. The `constraints/gcp.resourceLocations` constraint can be used to restrict the locations where resources (and therefore data) can be created, ensuring PHI remains within the United States to meet HIPAA requirements.

Exam trap

Google Cloud often tests the distinction between data residency enforcement (Organization Policy) and data exfiltration prevention (VPC Service Controls), leading candidates to confuse the two when the question focuses on storage location restrictions.

How to eliminate wrong answers

Option A is wrong because Cloud Healthcare API is a managed service for ingesting and managing healthcare data, but it does not enforce geographic restrictions on data storage. Option C is wrong because VPC Service Controls create a security perimeter around Google Cloud services to prevent data exfiltration, but they do not restrict the geographic location where data is stored. Option D is wrong because Cloud Data Loss Prevention (DLP) API is used to inspect, classify, and de-identify sensitive data, not to enforce data residency policies.

22
MCQmedium

A company wants to demonstrate to an auditor that all data access requests to a Cloud Storage bucket are logged, but they must exclude a specific service account from logging to reduce noise. What should they do to remain compliant with their audit policy?

A.Enable Data Access audit logs with exempted members set to that service account
B.Enable Data Access audit logs without exempting any service accounts
C.Configure VPC Service Controls to block the service account from accessing the bucket
D.Use Cloud Logging exclusion filters to filter out the service account logs after ingestion
AnswerB

Not exempting any service account ensures all data access is logged, satisfying audit requirements for comprehensive logging.

Why this answer

Option B is correct because enabling Data Access audit logs without exempting any service accounts ensures that all data access requests to the Cloud Storage bucket are logged, meeting the auditor's requirement. Exempting a service account (as in Option A) would violate the policy by excluding its requests from the logs entirely. Cloud Logging exclusion filters (Option D) operate after ingestion and cannot guarantee compliance, as the auditor may require logs to be captured in the first place.

Exam trap

Google Cloud often tests the distinction between a logging configuration that prevents log generation (exempted members) and post-ingestion filtering (exclusion filters). Candidates mistakenly assume exclusion filters can satisfy audit requirements because they reduce noise, but exclusion filters do not ensure that logs are captured for compliance.

How to eliminate wrong answers

Option A is wrong because setting exempted members on the Data Access audit log configuration would exclude the specified service account from logging entirely, which directly contradicts the requirement to log all data access requests. Option C is wrong because VPC Service Controls block access at the network perimeter, but they do not log requests; they prevent the service account from accessing the bucket, which is not the goal and would break functionality. Option D is wrong because Cloud Logging exclusion filters are applied after logs are ingested, meaning the logs are still generated and stored temporarily; this does not satisfy an audit policy that requires logs to be captured for all requests, and the auditor may consider this non-compliant if logs are discarded.
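The distinction this question turns on is visible in the project's IAM policy: `exemptedMembers` on an audit log config stops those requests from ever being generated, whereas an exclusion filter acts later in Cloud Logging and leaves no trace in the IAM policy at all. The following is an added example, not code from the quiz page or from Google; it checks a policy dump for Cloud Storage Data Access logging gaps. The two policy documents are constructed samples in the shape returned by `gcloud projects get-iam-policy PROJECT --format=json`; the project and service-account names are placeholders.

```python
"""Check a project IAM policy's auditConfigs for Cloud Storage Data Access gaps.

Added example (not from the original quiz page). The policy documents below
are constructed samples in the shape of `gcloud projects get-iam-policy
PROJECT --format=json`; project and service-account names are placeholders.
"""
import json

# Data Access log types that must both be enabled for every-request logging.
REQUIRED_LOG_TYPES = {"DATA_READ", "DATA_WRITE"}


def audit_findings(policy: dict, service: str = "storage.googleapis.com") -> list:
    """Return human-readable findings; an empty list means the config is compliant.

    An auditConfig for "allServices" counts for every service. Findings are
    raised for a missing DATA_READ or DATA_WRITE entry and for any
    exemptedMembers, because an exemption means those members' requests are
    never logged (unlike an exclusion filter, which drops logs after ingestion).
    """
    findings = []
    enabled = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in (service, "allServices"):
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            log_type = log_cfg.get("logType")
            enabled.add(log_type)
            for member in log_cfg.get("exemptedMembers", []):
                findings.append(
                    f"{cfg['service']}: {member} is exempt from {log_type} logs"
                )
    for missing in sorted(REQUIRED_LOG_TYPES - enabled):
        findings.append(f"{service}: {missing} Data Access logs are not enabled")
    return findings


# Constructed sample: the Option A configuration, one service account exempted.
POLICY_WITH_EXEMPTION = json.loads("""{
  "auditConfigs": [
    {
      "service": "storage.googleapis.com",
      "auditLogConfigs": [
        {"logType": "DATA_READ",
         "exemptedMembers": ["serviceAccount:batch-loader@example-project.iam.gserviceaccount.com"]},
        {"logType": "DATA_WRITE"}
      ]
    }
  ]
}""")

# Constructed sample: the Option B configuration, no exemptions at all.
POLICY_COMPLIANT = json.loads("""{
  "auditConfigs": [
    {
      "service": "storage.googleapis.com",
      "auditLogConfigs": [
        {"logType": "DATA_READ"},
        {"logType": "DATA_WRITE"}
      ]
    }
  ]
}""")


if __name__ == "__main__":
    for label, policy in (("exempted", POLICY_WITH_EXEMPTION), ("compliant", POLICY_COMPLIANT)):
        print(label, "->", audit_findings(policy) or "no findings")
```

Because the check only reads the IAM policy, a clean result says nothing about Cloud Logging exclusion filters or sink filters; those have to be reviewed separately, which is exactly why an auditor treats them as a different (and weaker) control than logging configuration.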

23
MCQeasy

A company is deploying a new application that will process credit card data and must comply with PCI DSS. They plan to use Google Cloud services. Which service should they use to detect and redact sensitive data stored in Cloud Storage buckets?

A.Cloud Key Management Service (KMS)
B.VPC Service Controls
C.Cloud Audit Logs
D.Cloud Data Loss Prevention (DLP)
AnswerD

DLP can scan and redact sensitive data.

Why this answer

Cloud Data Loss Prevention (DLP) is the correct service because it is specifically designed to inspect, classify, and redact sensitive data such as credit card numbers (PANs) in Cloud Storage buckets. It uses built-in infoType detectors (e.g., `CREDIT_CARD_NUMBER`) to identify PCI DSS-protected data and can automatically apply de-identification transformations like redaction or masking to comply with PCI DSS requirements.

Exam trap

Google Cloud often tests the distinction between data protection services that handle encryption (KMS) versus those that handle content inspection and redaction (DLP), leading candidates to mistakenly choose KMS when the question explicitly asks about detecting and redacting sensitive data.

How to eliminate wrong answers

Option A is wrong because Cloud Key Management Service (KMS) manages encryption keys for data at rest, but it does not inspect, detect, or redact sensitive data content; it only handles cryptographic operations. Option B is wrong because VPC Service Controls provide a security perimeter to prevent data exfiltration via network boundaries, but they cannot scan or redact sensitive data within storage objects. Option C is wrong because Cloud Audit Logs record administrative and access activities for compliance auditing, but they have no capability to detect or redact sensitive data fields in stored files.

24
MCQhard

A financial services company is deploying a multi-region application on Google Kubernetes Engine (GKE) and needs to comply with PCI DSS. They must ensure that cardholder data is encrypted in transit between pods in different clusters. What is the MOST secure way to achieve this?

A.Configure TLS for each service using a Cloud Load Balancing with SSL policies.
B.Enable Anthos Service Mesh with mutual TLS (mTLS) across clusters.
C.Use HTTPS between services by configuring ingress with a Google-managed SSL certificate.
D.Use VPC Network Peering to connect the clusters and rely on the internal network encryption.
AnswerB

mTLS in a service mesh provides encryption and authentication for inter-pod traffic.

Why this answer

Option B is correct because Anthos Service Mesh with mutual TLS (mTLS) provides authenticated and encrypted communication between pods across different GKE clusters, meeting PCI DSS encryption-in-transit requirements. mTLS ensures that each side of the connection presents a certificate, verifying identity and encrypting traffic at the application layer, which is more secure than relying solely on network-level encryption. This approach also integrates with GKE's multi-cluster service mesh capabilities, allowing fine-grained policy enforcement across clusters.

Exam trap

Google Cloud often tests the misconception that network-level encryption (e.g., VPC peering or internal Google Cloud encryption) is sufficient for compliance, but PCI DSS requires application-layer encryption (e.g., TLS/mTLS) for cardholder data in transit between pods.

How to eliminate wrong answers

Option A is wrong because configuring TLS for each service using Cloud Load Balancing with SSL policies only encrypts traffic at the load balancer edge, not between pods in different clusters; internal pod-to-pod traffic would remain unencrypted unless additional measures are taken. Option C is wrong because using HTTPS between services by configuring ingress with a Google-managed SSL certificate only secures external ingress traffic, not east-west traffic between pods across clusters. Option D is wrong because VPC Network Peering provides network connectivity but does not inherently encrypt traffic between pods; it relies on Google's internal network encryption, which may not satisfy PCI DSS's explicit requirement for application-layer encryption of cardholder data in transit.

25
MCQmedium

A global e-commerce company is using Google Cloud to store customer data subject to GDPR. They have implemented data residency controls to keep data within the EU. However, during a routine audit, the compliance team discovers that some backups of customer data are being replicated to a US region due to a misconfigured backup policy. The data includes personal information. The company must ensure that all data remains within the EU. What should the team do to prevent this from recurring and remediate the current situation?

A.Delete the backups in the US region immediately and reconfigure the backup policy to only use EU regions.
B.Enable Access Transparency for the US backups to monitor access.
C.Use Organization Policies to enforce a constraint that disables the creation of resources outside the EU, and then delete the US backups.
D.Encrypt the US backups with CMEK and leave them in place, as encryption satisfies GDPR.
AnswerC

Enforces data residency and remediates current non-compliance.

Why this answer

Option C is correct because Organization Policies allow the company to enforce a resource location constraint (e.g., `constraints/gcp.resourceLocations`), which prevents the creation of any Google Cloud resources outside the EU. This proactively stops misconfigured backups from being replicated to non-EU regions. Deleting the US backups after applying the policy remediates the current GDPR violation by removing the non-compliant data.

Exam trap

Google Cloud often tests the distinction between reactive fixes (deleting data) and proactive controls (Organization Policies), leading candidates to choose Option A because it seems immediate, while overlooking the need for a preventive guardrail.

How to eliminate wrong answers

Option A is wrong because simply deleting the US backups and reconfiguring the policy does not prevent future misconfigurations; it lacks a preventive control like an Organization Policy constraint. Option B is wrong because Access Transparency only logs access to data, it does not prevent data from being stored outside the EU or remediate the existing non-compliance. Option D is wrong because encryption with CMEK does not satisfy GDPR's data residency requirements; GDPR mandates that personal data must remain within the EU, and encryption alone does not change the physical location of the data.

26
MCQhard

For PCI DSS compliance, which of the following is required for Cloud KMS keys?

A.Enable automatic rotation with a rotation period set to 90 days
B.Use a separate key per service account
C.Disable key rotation after initial use
D.Key rotation every 30 days
AnswerA

Automatic rotation with a defined period satisfies PCI DSS key rotation requirements.

Why this answer

PCI DSS requirement 3.5.1 mandates that cryptographic keys must be rotated at least every 90 days to limit the impact of a potential key compromise. For Cloud KMS, enabling automatic rotation with a rotation period of 90 days ensures compliance by automating the key rotation process without manual intervention, reducing the risk of human error.

Exam trap

Google Cloud often tests the exact PCI DSS requirement of 90-day rotation, and candidates may mistakenly choose 30 days (option D) thinking more frequent rotation is better, but the question asks for what is 'required', not what is 'allowed'.

How to eliminate wrong answers

Option B is wrong because PCI DSS does not require a separate key per service account; it requires that keys be unique per environment or per function, but a single key can be shared among multiple service accounts if access controls are properly enforced. Option C is wrong because disabling key rotation after initial use violates PCI DSS requirement 3.5.1, which mandates periodic rotation at least every 90 days. Option D is wrong because, while 30-day rotation would also meet the PCI DSS requirement, the question specifically asks for the required rotation period, and 90 days is the maximum allowed interval; 30 days is more frequent than required and not incorrect in practice, but the correct answer must match the exact requirement stated in the standard.

27
MCQeasy

A company uses Cloud Audit Logs for compliance and needs to ensure that logs are not tampered with. Which feature should they enable?

A.Store logs in Cloud Logging with default retention.
B.Enable Access Transparency logs for the project.
C.Use Cloud Key Management Service to sign audit logs.
D.Set up multiple log sinks to different destinations.
AnswerB

Access Transparency logs are immutable and provide a tamper-evident log of Google actions.

Why this answer

Option B is correct because Access Transparency logs are tamper-proof and logged at Google's infrastructure.

How to eliminate wrong answers

Option A is wrong because Cloud Logging does not provide inherent immutability. Option C is wrong because Cloud Key Management Service is for encryption, not log integrity. Option D is wrong because log sinks do not prevent tampering.

28
Multi-Selectmedium

Which THREE are requirements for HIPAA compliance when using Google Cloud? (Choose three.)

Select 3 answers
A.Use Dedicated Interconnect for network connectivity
B.Enable Data Loss Prevention (DLP) for all data
C.Enable audit logging for all PHI-related activities
D.Sign a Business Associate Agreement (BAA) with Google
E.Encrypt data at rest and in transit using appropriate algorithms
AnswersC, D, E

Audit logs are necessary to track access and changes to PHI.

Why this answer

Option C is correct because HIPAA requires covered entities to implement audit controls that record and examine access and other activity in information systems that contain or use electronic protected health information (ePHI). In Google Cloud, enabling audit logging for all PHI-related activities, such as via Cloud Audit Logs (Admin Activity, Data Access, and System Event logs), satisfies this requirement by providing an immutable, tamper-evident record of who accessed what data and when.

Exam trap

Google Cloud often tests the misconception that HIPAA mandates specific technologies (like Dedicated Interconnect or DLP for all data), when in reality HIPAA is technology-neutral and focuses on implementing reasonable and appropriate safeguards, such as encryption and audit logging.

29
MCQhard

A Cloud Run service is failing to access a secret from Secret Manager. The service account used by Cloud Run has the roles/secretmanager.secretAccessor role. What is the most likely cause of the error?

A.VPC Service Controls are blocking access to Secret Manager.
B.The service account does not have the iam.serviceAccounts.actAs permission on the Cloud Run service.
C.The secret does not exist in the specified project.
D.The service account does not have access to the 'latest' version of the secret; it needs explicit version access.
AnswerD

The secretmanager.secretAccessor role grants access to specific versions, but 'latest' may require additional permissions if not enabled.

Why this answer

D is correct because Secret Manager requires explicit access to a specific secret version. The `roles/secretmanager.secretAccessor` role grants access to all versions of a secret, but the Cloud Run service must reference a specific version (e.g., 'latest' or a version number) in its configuration. If the service is configured to access the 'latest' version without the `secretmanager.versions.access` permission on that version, access will fail.

The error occurs because the service account lacks the necessary permission to access the 'latest' version, even though it has the role.

Exam trap

Google Cloud often tests the misconception that the `roles/secretmanager.secretAccessor` role grants blanket access to all versions, but in reality, access must be explicitly granted to each version, including 'latest', via the IAM policy on the secret or version.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls block access based on perimeter boundaries, not IAM permissions; if VPC SC were blocking, the error would be a network/perimeter violation, not an IAM permission error. Option B is wrong because the `iam.serviceAccounts.actAs` permission is required for deploying Cloud Run services, not for accessing secrets at runtime; the runtime access to Secret Manager is governed by the service account's IAM roles on the secret. Option C is wrong because if the secret did not exist, the error would be a 'not found' or '404' error, not an access permission error; the question states the service is failing to access the secret, implying the secret exists.

30
MCQmedium

A government agency is migrating to Google Cloud and must comply with FedRAMP requirements. They need to ensure that only FedRAMP authorized Google Cloud services are used in their project. The security team has enabled Organization Policies and created a custom policy to restrict allowed services to a specific list. However, when a developer tries to create a Cloud SQL instance, the operation is denied. The developer receives an error: 'The organization policy constraint compute.restrictNonPdServices is not allowing this resource.' The developer is trying to create a Cloud SQL instance, which is a FedRAMP authorized service. What is the most likely cause of the denial?

A.Cloud SQL instances require a specific region that is not permitted by the policy.
B.The developer does not have the necessary IAM permissions to create Cloud SQL instances.
C.The organization policy is misconfigured and does not include Cloud SQL in the allowed list.
D.The organization policy is blocking all services not in a specific list, and Cloud SQL is not included because it is a data service rather than a compute service.
AnswerC

The error indicates the policy constraint is blocking the resource; Cloud SQL is likely not in the allowed list.

Why this answer

The error message explicitly references the `compute.restrictNonPdServices` organization policy constraint, which is used to restrict the creation of non-Persistent Disk (PD) services. The developer's attempt to create a Cloud SQL instance is denied because the custom policy's allowed list does not include Cloud SQL, even though it is a FedRAMP authorized service. The policy must be updated to include Cloud SQL in the allowed services list for the operation to succeed.

Exam trap

Google Cloud often tests the distinction between organization policy constraints and IAM permissions, and the trap here is that candidates may confuse a policy constraint error with a permissions error, or incorrectly assume that FedRAMP authorization automatically overrides organization policies.

How to eliminate wrong answers

Option A is wrong because the error message does not mention region restrictions; the `compute.restrictNonPdServices` constraint controls service types, not geographic regions. Option B is wrong because the error message explicitly cites an organization policy constraint violation, not an IAM permission issue; IAM errors would produce a different message (e.g., 'Permission denied'). Option D is wrong because Cloud SQL is a managed database service that falls under the scope of the `compute.restrictNonPdServices` constraint, and the error indicates it is being blocked due to the allowed list, not because it is a 'data service'—the constraint applies to all non-PD services, not just compute services.

31
MCQhard

A company handling credit card information must comply with PCI DSS. They use Cloud KMS with CMEK keys stored in a key ring. During a compliance audit, the auditor asks how keys are protected against unauthorized use by Google. What should the company explain?

A.They store keys in Cloud HSM, which ensures keys never leave the HSM and are bound to a specific project
B.They use customer-supplied encryption keys (CSEK), so Google never has access to keys
C.They use Cloud KMS with CMEK, and the keys are encrypted using Google-managed key encryption keys (KEKs)
D.They enabled Access Approval, so Google must obtain approval before accessing keys
AnswerA

Cloud HSM provides hardware-level protection; keys cannot be exported and are protected against unauthorized access by Google personnel.

Why this answer

Option A is correct because Cloud HSM provides a FIPS 140-2 Level 3 validated hardware security module (HSM) where customer-managed encryption keys (CMEK) are generated and used exclusively within the HSM boundary. The keys never leave the HSM in plaintext, and access is bound to the specific Google Cloud project, ensuring that even Google administrators cannot extract or use the keys outside the authorized project context.

Exam trap

Google Cloud often tests the distinction between key storage (Cloud HSM) and key management (Cloud KMS with CMEK), where candidates mistakenly believe that CMEK alone prevents Google access, when in fact only Cloud HSM provides hardware-level isolation that prevents Google from using the keys.

How to eliminate wrong answers

Option B is wrong because customer-supplied encryption keys (CSEK) are used for encrypting data at rest in Google Cloud Storage, not for Cloud KMS key protection; CSEK are provided by the customer and Google does not store them, but the question specifically asks about CMEK keys stored in a key ring, not CSEK. Option C is wrong because Cloud KMS with CMEK does use Google-managed key encryption keys (KEKs) to encrypt the CMEK keys at rest, but this does not prevent Google from having access to the keys; the KEKs are managed by Google, so Google could theoretically decrypt the CMEK keys. Option D is wrong because Access Approval is a feature that allows customers to approve or deny access requests from Google support or engineering personnel, but it does not prevent unauthorized use by Google itself; it only provides a notification and approval workflow for specific access requests, not a technical barrier against Google's underlying access to the keys.

32
MCQmedium

A financial institution is required to use customer-managed encryption keys (CMEK) for all data at rest in Google Cloud. They need to prevent key deletion by anyone except a specific IAM role. What should they do?

A.Enable destroy protection on the key ring
B.Use Organization Policies with a constraint to restrict key destruction
C.Assign the cloudkms.admin role only to a security team
D.Enable key rotation on the Cloud KMS key
AnswerA

Destroy protection prevents deletion of a key ring and its keys until the protection is disabled by an authorized user.

Why this answer

Option A is correct because enabling destroy protection on the key ring prevents any Cloud KMS key within that key ring from being destroyed, regardless of IAM permissions. This is a key ring-level setting that overrides IAM roles, ensuring that only a specific IAM role (e.g., cloudkms.admin) can disable destroy protection and then delete keys, meeting the requirement to restrict key deletion to a specific role.

Exam trap

Google Cloud often tests the misconception that IAM roles alone can prevent key deletion, but the trap here is that destroy protection is a separate, overriding mechanism that must be explicitly enabled at the key ring level to block destruction regardless of IAM permissions.

How to eliminate wrong answers

Option B is wrong because Organization Policies with constraints (e.g., constraints/cloudkms.disableDestroyProtection) can restrict the ability to disable destroy protection, but they do not directly prevent key destruction; they only control the destroy protection setting itself, not the actual deletion of keys. Option C is wrong because assigning the cloudkms.admin role to a security team does not inherently prevent key deletion by others; any user with the cloudkms.admin role can destroy keys unless destroy protection is enabled, and this option does not address the requirement to prevent deletion by anyone except a specific role. Option D is wrong because key rotation on a Cloud KMS key does not prevent deletion; it only automates the creation of new key versions and does not affect the ability to destroy the key or its versions.

33
Matchingmedium

Match each compliance framework to its focus area.


Concepts
Matches

Payment card data security

Protected health information privacy and security

Service organization controls for security, availability, etc.

Cloud security for U.S. federal agencies

Information security management system standard

Why these pairings

These are major compliance frameworks relevant to Google Cloud.

34
MCQeasy

For HIPAA compliance, which Google Cloud product provides a business associate agreement (BAA) and a dedicated environment for protected health information?

A.Confidential VMs
B.GKE Security Posture
C.Assured Workloads
D.Cloud Healthcare API
AnswerC

Assured Workloads provides a BAA, location controls, and access transparency for HIPAA compliance.

Why this answer

Assured Workloads is the correct answer because it enables customers to deploy workloads that must comply with HIPAA by providing a BAA-ready environment with enforced controls, including data residency, encryption, and access restrictions. It creates a dedicated folder with pre-configured security and compliance policies, ensuring that protected health information (PHI) is handled in a Google Cloud environment that meets HIPAA requirements.

Exam trap

Google Cloud often tests the misconception that a service-specific API or feature (like Cloud Healthcare API or Confidential VMs) inherently provides HIPAA compliance, when in fact the BAA and dedicated environment are delivered through the overarching compliance framework of Assured Workloads.

How to eliminate wrong answers

Option A is wrong because Confidential VMs encrypt guest memory in hardware (AMD SEV and its successors) but offer neither a BAA nor a dedicated compliance environment; they are a workload isolation feature, not a compliance framework. Option B is wrong because GKE Security Posture is a dashboard for Kubernetes configuration and vulnerability findings, not a service that provides a BAA or enforces HIPAA-specific controls. Option D is wrong because Cloud Healthcare API is a data service for FHIR, HL7v2 and DICOM; it is covered by Google's BAA and can hold PHI, but it does not itself create the contractual relationship or a dedicated environment. The BAA is a separate agreement the customer accepts with Google Cloud (see question 47 on this page).

35
MCQhard

An organization is configuring a Cloud Storage bucket for a regulated workload. The bucket configuration shown in the exhibit was applied. Which compliance requirement is this configuration primarily designed to address?

A.Data retention and immutability.
B.Encryption at rest using customer-managed encryption keys (CMEK).
C.Access transparency for data access.
D.Data residency within a specific geographic region.
AnswerA

The retentionPolicy with isLocked=true enforces a mandatory retention period, making objects immutable until the retention period expires.

Why this answer

The configuration includes a retentionPolicy with a retentionPeriod and isLocked set to true. A retention policy stops every object in the bucket from being deleted or overwritten until its retention period, counted from the object's creation time, has elapsed; locking the policy makes that permanent, so the policy can no longer be removed and the period can only be lengthened. That is a retention-and-immutability (WORM) control, the usual need when regulated records must be preserved unchanged for a defined time. Note that a retention policy and Object Versioning are mutually exclusive on a bucket, so versioning is not part of this control.

Exam trap

Google Cloud often tests the distinction between bucket-level retention policies (which enforce immutability) and encryption or access control settings, leading candidates to confuse data retention with encryption at rest or data residency.

How to eliminate wrong answers

Option B is wrong because the configuration names no key (no encryption.defaultKmsKeyName for CMEK, no CSEK); encryption at rest with Google-managed keys is on by default but is not what this setting controls. Option C is wrong because Access Transparency is enabled at the organization level and produces logs; nothing in bucket metadata configures it. Option D is wrong because, although every bucket has a location, a bucket's location does not stop data being created elsewhere; residency is enforced with `constraints/gcp.resourceLocations`, and nothing in the exhibit does that.

36
MCQeasy

Refer to the exhibit. A compliance officer sees this Organization Policy applied at the organization level. Which compliance requirement does this policy primarily address?

A.Encryption key management
B.Data residency
C.Audit logging
D.Access control
AnswerB

The policy limits where resources can be created, ensuring data remains in specified regions to meet residency requirements.

Why this answer

The Organization Policy shown is `constraints/gcp.resourceLocations` with an allowed list that pins resource creation to specific regions (for example us-central1, or a value group such as in:eu-locations). Applied at the organization level it rejects creation of location-bound resources outside the approved set, which is how data residency obligations (GDPR-driven EU residency is the usual example) are enforced technically rather than by convention. Note that it constrains where new resources are created; it does not move resources that already exist elsewhere.

Exam trap

Google Cloud often tests the distinction between organization policies that enforce location restrictions versus other compliance controls like IAM or encryption, leading candidates to confuse data residency with access control or key management.

How to eliminate wrong answers

Option A is wrong because encryption key management is handled by Cloud KMS and key rotation policies, not by location-based organization policies. Option C is wrong because audit logging is governed by Audit Logs configuration and log sinks, not by resource location constraints. Option D is wrong because access control is enforced through IAM roles and policies, not by restricting where resources can be deployed.

37
MCQmedium

A multi-national corporation must prevent data exfiltration from a project containing PII for GDPR compliance. They want to restrict access to only allow data transfer within the organization. Which Google Cloud service meets this requirement?

A.Use firewall rules to block all egress traffic except to approved IP ranges.
B.Create a VPC Service Controls perimeter that includes the project and restricts access to other perimeters.
C.Set IAM policies to deny the storage.objectViewer role to non-compliant users.
D.Configure Cloud NAT for the VPC to route traffic through a single IP.
AnswerB

VPC Service Controls prevent data exfiltration by blocking access from outside the service perimeter.

Why this answer

VPC Service Controls allow you to define perimeters that protect the resources and data of Google Cloud services. By creating a perimeter that includes the project containing PII, you can restrict data transfer to only within the organization, preventing exfiltration to external networks or unauthorized identities, which directly meets GDPR compliance requirements.

Exam trap

Google Cloud often tests the misconception that network-level controls (firewalls, NAT) are sufficient to prevent data exfiltration from managed services, when in fact API-level controls like VPC Service Controls are required to block data movement through Google Cloud APIs.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules govern traffic to and from VM interfaces; Cloud Storage and BigQuery are reached through Google API endpoints, so a caller with valid credentials can copy data out from any network the firewall never sees. Option C is wrong because IAM controls who may act on a resource but not where the data goes next; a user with a legitimate role can still copy data to an external bucket or project. Option D is wrong because Cloud NAT only gives VMs outbound connectivity through a fixed IP; it neither restricts destinations nor sees API calls made from outside the VPC.

38
MCQeasy

A company must ensure that only authorized users can access sensitive data in Cloud Storage for PCI DSS compliance. They have configured a bucket with uniform bucket-level access. Which IAM policy should they use to grant access to a security team?

A.Bind the security team to roles/storage.objectViewer at the bucket level.
B.Bind the security team to roles/storage.legacyBucketReader at the bucket level.
C.Use ACLs to give the security team READ access to the bucket.
D.Bind the security team to roles/storage.admin at the project level.
AnswerA

Provides read-only access to objects, following least privilege.

Why this answer

Option A is correct because roles/storage.objectViewer grants read-only access to object data and metadata, which is enough for a security team's review, and binding it on the bucket rather than the project keeps the grant scoped to this one bucket. Option B is wrong because roles/storage.legacyBucketReader is a legacy role that only allows listing objects and reading bucket metadata, not reading object contents; the legacy roles exist for ACL-era compatibility. Option C is wrong because uniform bucket-level access disables ACLs on the bucket, so an ACL grant cannot be applied. Option D is wrong because roles/storage.admin at the project level gives full control over every bucket and object in the project, far beyond least privilege.

39
MCQeasy

A company has a compliance policy requiring that all data at rest in Cloud Storage be encrypted with a Cloud KMS key that is rotated every 90 days. The company uses CMEK with automatic key rotation enabled. An auditor discovers that some older objects in a bucket were created with a previous key version that has since been disabled. The compliance team requires that all objects be re-encrypted with the current key version. The bucket does not have object versioning enabled. What should the security engineer do to remediate this issue?

A.Re-enable the disabled key version in Cloud KMS so that objects can be read with the old key.
B.Use the 'gsutil rewrite -k' command to re-encrypt the objects with the current key version.
C.Enable object versioning on the bucket and delete the non-compliant object versions.
D.Create a new bucket with default encryption set to the current key and copy objects to it.
AnswerB

This command rewrites the object using the bucket's current KMS key, effectively re-encrypting it without changing other properties.

Why this answer

Option B is correct because `gsutil rewrite -k` rewrites each object in place; with no encryption_key in the boto config it uses the bucket's default KMS key, which means the key's current primary version. No versioning and no re-upload are needed, and other metadata is preserved (`gcloud storage objects update --encryption-key=KEY` does the same in the newer CLI). One operational caveat the question glosses over: a rewrite has to decrypt the object first, and Cloud KMS will not decrypt with a disabled version, so the old version must be temporarily re-enabled for those objects, the objects rewritten, and the version disabled again.

Exam trap

Google Cloud often tests the misconception that re-enabling a disabled key version or copying objects to a new bucket is sufficient for compliance, when in fact only a direct re-encryption operation like 'gsutil rewrite -k' ensures the objects are encrypted with the current key version.

How to eliminate wrong answers

Option A is wrong because re-enabling the disabled key version on its own does not re-encrypt anything; it is at most a temporary prerequisite for the rewrite, after which the version should be disabled again. Option C is wrong because object versioning only keeps superseded generations; turning it on and deleting generations does not change the key the live objects were written with. Option D would in fact produce copies under the destination bucket's default key (a copy is a new write), but it duplicates the data, changes every object path, still needs the old version enabled to read the source, and is an unnecessarily heavy substitute for an in-place rewrite.
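The remediation above in working form, as an added example that is not the page's own code: given the per-object kmsKeyName that Cloud Storage reports and the state of each key version, it sorts objects into compliant, rewritable and blocked (on a disabled version), and emits the enable/rewrite/disable sequence. The key name, the version states, the bucket name and the objects.list excerpt are all constructed; in practice they come from the JSON API and from `gcloud kms keys versions list`.

```python
"""Plan CMEK re-encryption of Cloud Storage objects after key rotation.
Constructed inputs stand in for objects.list output and key-version
state; the logic is the part worth reusing."""
import re
from typing import Dict, List, Optional, Tuple

# Object metadata carries the full version that encrypted the object.
KEY_RE = re.compile(
    r"^(?P<key>projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+)"
    r"/cryptoKeyVersions/(?P<version>\d+)$"
)

KEY = "projects/fin-sec/locations/us/keyRings/storage-kr/cryptoKeys/bucket-cmek"  # constructed
PRIMARY_VERSION = 4  # current primary after several 90-day rotations (constructed)
VERSION_STATES: Dict[int, str] = {1: "DISABLED", 2: "DISABLED", 3: "ENABLED", 4: "ENABLED"}
OBJECTS: List[Dict[str, str]] = [  # constructed objects.list excerpt for gs://pci-archive
    {"name": "2023/q1/ledger.csv", "kmsKeyName": f"{KEY}/cryptoKeyVersions/1"},
    {"name": "2023/q3/ledger.csv", "kmsKeyName": f"{KEY}/cryptoKeyVersions/3"},
    {"name": "2024/q1/ledger.csv", "kmsKeyName": f"{KEY}/cryptoKeyVersions/4"},
    {"name": "2024/q1/README", "kmsKeyName": ""},  # no CMEK: Google-managed key
]


def parse_key_version(kms_key_name: str) -> Tuple[Optional[str], Optional[int]]:
    """Split '.../cryptoKeys/K/cryptoKeyVersions/N' into (key, N);
    (None, None) for objects under Google-managed encryption."""
    m = KEY_RE.match(kms_key_name or "")
    return (m["key"], int(m["version"])) if m else (None, None)


def plan_rewrites(objects, key, primary, version_states) -> Dict[str, list]:
    """compliant: already on the primary version.
    rewrite: readable now (old version still enabled, or no CMEK at all).
    blocked: written under a DISABLED version; Cloud KMS will not decrypt
    it, so `gsutil rewrite -k` fails until that version is re-enabled."""
    plan = {"compliant": [], "rewrite": [], "blocked": []}
    for obj in objects:
        k, v = parse_key_version(obj["kmsKeyName"])
        if k == key and v == primary:
            plan["compliant"].append(obj["name"])
        elif k is None or version_states.get(v) == "ENABLED":
            plan["rewrite"].append(obj["name"])
        else:
            plan["blocked"].append((obj["name"], v))
    return plan


def remediation_commands(plan, bucket, key) -> List[str]:
    """Enable only the versions that block reads, rewrite every object not
    on the primary (with no encryption_key in the boto config, -k uses the
    bucket's default KMS key, i.e. the primary version), then disable the
    old versions again. gcloud accepts full resource names for versions."""
    blocked_versions = sorted({v for _, v in plan["blocked"]})
    cmds = [f"gcloud kms keys versions enable {key}/cryptoKeyVersions/{v}" for v in blocked_versions]
    cmds += [f"gsutil rewrite -k gs://{bucket}/{name}"
             for name in plan["rewrite"] + [n for n, _ in plan["blocked"]]]
    cmds += [f"gcloud kms keys versions disable {key}/cryptoKeyVersions/{v}" for v in blocked_versions]
    return cmds


if __name__ == "__main__":
    plan = plan_rewrites(OBJECTS, KEY, PRIMARY_VERSION, VERSION_STATES)
    print(plan)
    print("\n".join(remediation_commands(plan, "pci-archive", KEY)))
```

After the rewrite, re-run the listing: every object's kmsKeyName should end in the primary version before the old versions are disabled again (or scheduled for destruction).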

40
MCQmedium

A security engineer notices that some developers are still uploading their own public SSH keys to Compute Engine instances despite the organization policy above being applied to the folder. What is the most likely reason?

A.The policy only applies to projects, not folders.
B.The policy takes 24 hours to propagate to all projects.
C.The policy disables uploading service account keys, not user SSH keys.
D.The policy was applied at the organization level, not the folder level.
AnswerC

The policy name indicates it's for service account keys, not SSH keys.

Why this answer

Option C is correct because the constraint in the exhibit is the service-account-key one: `constraints/iam.disableServiceAccountKeyUpload` blocks uploading externally generated public keys for service accounts (its sibling `constraints/iam.disableServiceAccountKeyCreation` blocks creating new keys). Neither touches the SSH public keys developers add to instance or project metadata, which is a Compute Engine metadata mechanism. To stop that, enforce OS Login with `constraints/compute.requireOsLogin`, which makes instances ignore metadata SSH keys and ties SSH access to IAM roles (roles/compute.osLogin, roles/compute.osAdminLogin). Therefore developers can still upload their own SSH keys despite the policy being applied.

Exam trap

The trap here is that candidates confuse 'keys' in general (SSH keys vs. service account keys) and assume a policy restricting key uploads applies to all key types, when in fact it only targets service account key operations.

How to eliminate wrong answers

Option A is wrong because organization policies can be applied at the folder level and will propagate to all projects within that folder; the policy does apply to folders, not just projects. Option B is wrong because organization policy propagation is near-instantaneous (typically within minutes), not 24 hours; there is no standard 24-hour delay for such policies. Option D is wrong because the scenario states the policy was applied to the folder, and applying it at the organization level would be even broader, not a reason for it to fail; the issue is the policy's scope (service account keys vs. SSH keys), not the hierarchical level.

41
MCQmedium

A healthcare organization must ensure that only authorized personnel can access Protected Health Information (PHI) stored in Cloud Storage. They need to enforce encryption at rest and control access based on data classification. Which combination of Google Cloud services should they use?

A.Use customer-supplied encryption keys (CSEK) and Cloud Audit Logs.
B.Use Cloud HSM for key management and Cloud DLP to inspect data.
C.Enable Access Transparency and use Organization Policies to restrict resource locations.
D.Use customer-managed encryption keys (CMEK) with Cloud KMS and VPC Service Controls.
AnswerD

CMEK provides key control; VPC Service Controls prevent data exfiltration beyond the perimeter.

Why this answer

Option D is correct because CMEK with Cloud KMS gives the organization control of the keys that encrypt PHI at rest (it can disable or destroy them and audit every use), and a VPC Service Controls perimeter around the project's Cloud Storage keeps that data from being reached from outside the perimeter. VPC Service Controls do not understand data classification themselves; the practical pattern is to keep PHI in buckets inside the perimeter and grant IAM only to the personnel who need it, so the combination covers both the encryption and the access-control requirement.

Exam trap

Google Cloud often tests the distinction between encryption key management (CMEK vs. CSEK) and access control mechanisms (VPC Service Controls vs. IAM), where candidates mistakenly choose options that address only one requirement or confuse data inspection (DLP) with access enforcement.

How to eliminate wrong answers

Option A is wrong because customer-supplied encryption keys (CSEK) require the customer to provide and manage the keys themselves, which does not leverage Google Cloud's key management for fine-grained access control, and Cloud Audit Logs only provide logging, not encryption or access enforcement. Option B is wrong because Cloud HSM is a hardware security module for key management, but Cloud DLP is used for inspecting and classifying data, not for controlling access to PHI based on classification. Option C is wrong because Access Transparency provides logs of Google administrator access, and Organization Policies restrict resource locations, but neither enforces encryption at rest nor controls access based on data classification.

42
MCQmedium

A financial services company must ensure that all data stored in Cloud Storage is encrypted with customer-managed encryption keys (CMEK) that are rotated every 90 days. They have enabled Organization Policy constraints to enforce CMEK. However, some new buckets are still being created without CMEK. What is the most likely cause?

A.VPC Service Controls are blocking the use of CMEK.
B.The buckets are created using a service account that has the CMEK permission but the key ring is not in the same region.
C.The Organization Policy constraint is not applied to the folder that contains the project.
D.The buckets are using the Archive storage class, which does not support CMEK.
AnswerC

If the constraint is not applied to the folder, projects may not inherit it.

Why this answer

Organization Policy constraints (here `constraints/gcp.restrictNonCmekServices` with `storage.googleapis.com` in its denied list) are evaluated through the resource hierarchy: a project receives the policy of its nearest ancestor that sets one for that constraint. A folder policy that does not set inheritFromParent replaces the organization's policy rather than adding to it, and a reset returns the constraint to its default, so projects under such a folder can create buckets without CMEK even though the organization-level policy forbids it. The fix is to set the folder policy with inheritFromParent (or remove the folder override) and to confirm the effective policy on the project. The constraint is also enforced only at creation time; buckets that already exist are not re-evaluated.

Exam trap

The trap here is that candidates assume Organization Policy constraints automatically apply to all projects in the organization, but they forget that policies must be inherited through the resource hierarchy and can be overridden or missing at the folder level.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls define access perimeters around services; they do not evaluate or block encryption settings. Option B is wrong because a CMEK key's location must match the bucket's location (a `us` multi-region key for a US multi-region bucket, a europe-west3 key for a europe-west3 bucket); a mismatch makes the bucket creation call fail with an error, it does not quietly produce a bucket without CMEK. Option D is wrong because every storage class, Archive included, supports CMEK.

43
MCQmedium

Refer to the exhibit. A compliance officer is reviewing an Access Transparency log entry. Which compliance benefit does this log provide?

A.It shows a user accessing a storage object
B.It provides evidence of data access by Google engineers
C.It tracks encryption key usage
D.It is a Cloud Audit Log for admin activity
AnswerB

Access Transparency logs show when Google employees access your data, which is required for certain compliance certifications.

Why this answer

Access Transparency logs are specifically designed to provide visibility into actions performed by Google personnel (e.g., engineers) on customer data. This log entry shows an operation by a Google support engineer, which directly supports compliance requirements by providing evidence of data access by Google engineers, as required for regulatory audits like SOC 2 or FedRAMP.

Exam trap

Google Cloud often tests the distinction between Access Transparency logs (Google personnel actions) and Cloud Audit Logs (customer actions), so candidates mistakenly choose an option about user access or admin activity instead of recognizing that Access Transparency is unique to Google engineer access.

How to eliminate wrong answers

Option A is wrong because Access Transparency logs do not show user access to storage objects; that is the function of Cloud Audit Logs (e.g., Data Access audit logs). Option C is wrong because encryption key usage is tracked by Cloud Key Management Service (KMS) audit logs, not Access Transparency logs. Option D is wrong because Cloud Audit Logs for admin activity are separate (Admin Activity audit logs), while Access Transparency logs specifically cover actions by Google personnel, not customer admin actions.

44
MCQhard

A company is undergoing a SOC 2 audit and needs to demonstrate that access to production data is monitored and that any changes to IAM policies are reviewed. They have enabled Cloud Audit Logs. The auditor asks for a report showing all IAM policy changes in the last 6 months. The security team notices that some older changes are missing. What is the most likely reason?

A.The log sink filter is excluding IAM policy changes.
B.Admin Activity audit logs are only retained for 30 days by default unless exported to a destination like Cloud Storage or BigQuery.
C.IAM policy changes are logged in Data Access audit logs, which are not enabled by default.
D.The logs were never exported to a long-term storage destination.
AnswerD

Without an export sink, audit logs exist only for their Logging bucket's retention period (400 days for Admin Activity logs in _Required, 30 days by default for Data Access logs in _Default) and are gone afterwards. Option B pairs the right idea with the wrong retention figure for Admin Activity logs, which is why D, not B, is the answer.

Why this answer

Option D is correct because Cloud Logging keeps audit entries only for the retention period of the Logging bucket they land in, and the scenario says the company enabled Cloud Audit Logs but never mentions a sink to Cloud Storage or BigQuery. Entries that age out of that retention are deleted and cannot be recovered afterwards, so a report that must cover an arbitrary past period needs a log sink that was exporting before that period began. Practitioner caveat: IAM policy changes are Admin Activity entries, which the _Required bucket holds for 400 days, so a gap inside the last 180 days in a real audit more often means the wrong scope (the change was made at folder or organization level, or in another project) than expired retention; check that before concluding the logs are gone.

Exam trap

The trap here is mixing up the two retention figures: Admin Activity logs are retained for 400 days in the _Required bucket (fixed, not configurable), while the _Default bucket that holds Data Access and other logs keeps them for 30 days unless its retention is raised. Neither figure replaces an export sink when a report has to cover a longer period than the bucket retains.

How to eliminate wrong answers

Option A is wrong because a log sink filter that excludes IAM policy changes would cause a consistent absence of those logs, not just older ones; the question indicates that some older changes are missing, not all. Option B is wrong because Admin Activity audit logs are retained for 400 days by default, not 30 days; the 30-day retention applies to Data Access audit logs, not Admin Activity logs. Option C is wrong because IAM policy changes are logged in Admin Activity audit logs, not Data Access audit logs; Data Access logs track resource access events (e.g., reading data) and are indeed disabled by default, but they are irrelevant to IAM policy changes.
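As an added example (not the page's code), the Logging filter behind an "all IAM policy changes" report, applied offline to a few constructed Admin Activity entries, together with the retention arithmetic discussed above. Project ids, principals, resource names and timestamps are constructed.

```python
"""Find IAM policy changes in Cloud Audit Logs and check how far back a
report can reach without an export sink. Entries below are constructed
LogEntry excerpts in the shape the Logging API returns."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Logs Explorer / sink filter. Admin Activity entries are in the 'activity'
# audit log; IAM changes are SetIamPolicy-style methods (Cloud Storage
# spells its own variant 'storage.setIamPermissions').
IAM_CHANGE_FILTER = (
    'logName:"cloudaudit.googleapis.com%2Factivity" AND '
    '(protoPayload.methodName:"SetIamPolicy" OR '
    'protoPayload.methodName="storage.setIamPermissions")'
)
# Sink creation, for reference (not run here):
#   gcloud logging sinks create iam-changes-to-bq \
#     bigquery.googleapis.com/projects/p1/datasets/audit --log-filter="$IAM_CHANGE_FILTER"

REQUIRED_BUCKET_RETENTION = timedelta(days=400)  # _Required bucket, not configurable

ENTRIES: List[Dict] = [  # constructed
    {"logName": "projects/p1/logs/cloudaudit.googleapis.com%2Factivity",
     "timestamp": "2024-11-02T10:00:00Z",
     "protoPayload": {"methodName": "SetIamPolicy", "serviceName": "cloudresourcemanager.googleapis.com",
                      "resourceName": "projects/p1",
                      "authenticationInfo": {"principalEmail": "alice@example.com"}}},
    {"logName": "projects/p1/logs/cloudaudit.googleapis.com%2Factivity",
     "timestamp": "2024-09-15T08:30:00Z",
     "protoPayload": {"methodName": "storage.setIamPermissions", "serviceName": "storage.googleapis.com",
                      "resourceName": "projects/_/buckets/prod-data",
                      "authenticationInfo": {"principalEmail": "bob@example.com"}}},
    {"logName": "projects/p1/logs/cloudaudit.googleapis.com%2Fdata_access",
     "timestamp": "2024-11-02T10:05:00Z",
     "protoPayload": {"methodName": "storage.objects.get", "serviceName": "storage.googleapis.com",
                      "resourceName": "projects/_/buckets/prod-data/objects/x",
                      "authenticationInfo": {"principalEmail": "alice@example.com"}}},
    {"logName": "projects/p1/logs/cloudaudit.googleapis.com%2Factivity",
     "timestamp": "2024-10-01T12:00:00Z",
     "protoPayload": {"methodName": "v1.compute.instances.insert", "serviceName": "compute.googleapis.com",
                      "resourceName": "projects/p1/zones/us-central1-a/instances/vm1",
                      "authenticationInfo": {"principalEmail": "ci@p1.iam.gserviceaccount.com"}}},
]


def _ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def is_iam_policy_change(entry: Dict) -> bool:
    """Offline equivalent of IAM_CHANGE_FILTER."""
    if not entry["logName"].endswith("cloudaudit.googleapis.com%2Factivity"):
        return False
    method = entry["protoPayload"].get("methodName", "").lower()
    return "setiampolicy" in method or method == "storage.setiampermissions"


def iam_changes(entries: List[Dict], start: datetime, end: datetime) -> List[Dict]:
    """Rows for the auditor: who changed which resource's policy, and when."""
    rows = []
    for e in entries:
        ts = _ts(e["timestamp"])
        if is_iam_policy_change(e) and start <= ts <= end:
            p = e["protoPayload"]
            rows.append({"time": ts, "actor": p["authenticationInfo"]["principalEmail"],
                         "resource": p["resourceName"], "method": p["methodName"]})
    return sorted(rows, key=lambda r: r["time"])


def unserved_before(report_start: datetime, now: datetime) -> Optional[datetime]:
    """Oldest instant a non-exported Admin Activity entry can still be read.
    Returns that cutoff when the report starts earlier (anything before it
    must come from a sink destination), else None."""
    cutoff = now - REQUIRED_BUCKET_RETENTION
    return cutoff if report_start < cutoff else None


def report(entries: List[Dict], now_iso: str, days: int) -> Dict:
    """Rows for the last `days` days plus the retention cutoff, if any."""
    now = _ts(now_iso)
    start = now - timedelta(days=days)
    gap = unserved_before(start, now)
    return {"rows": iam_changes(entries, start, now), "gap_before": gap.isoformat() if gap else None}


if __name__ == "__main__":
    for window in (180, 730):
        r = report(ENTRIES, "2024-12-01T00:00:00Z", window)
        print(window, "days:", [(x["actor"], x["method"]) for x in r["rows"]], "gap before:", r["gap_before"])
```

The 180-day window is served entirely by the _Required bucket; the 730-day window shows a cutoff, and everything before it has to come from the sink destination.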

45
MCQeasy

A company must ensure that all Compute Engine instances use only approved images from a specific project. They want to enforce this using Organization Policy. Which constraint should they use?

A.constraints/compute.restrictImageUsage
B.constraints/compute.restrictAuthorizedDomains
C.constraints/compute.trustedImageProjects
D.constraints/compute.restrictFirewallRules
AnswerC

The trusted image projects constraint restricts which projects' images can be used to create instances.

Why this answer

The correct constraint is `constraints/compute.trustedImageProjects`. Its allowed list names the projects whose images may be used for boot and data disks; an instance launched from an image in any other project is rejected. Setting it at the organization looks like `gcloud resource-manager org-policies allow compute.trustedImageProjects projects/APPROVED_IMAGES_PROJECT --organization=ORG_ID`. One practical caveat: once the list is set it is exhaustive, so any Google public image project still in use (for example projects/debian-cloud) must be listed too, or those builds stop working.

Exam trap

Google Cloud often tests whether candidates know real constraint names. The trap here is the plausible-sounding `constraints/compute.restrictImageUsage`, which is not an Organization Policy constraint; the real one carries the word 'trusted' from the feature's name (trusted image projects). When in doubt, check the published list of Organization Policy constraints rather than guessing from the feature description.

How to eliminate wrong answers

Option A is wrong because `constraints/compute.restrictImageUsage` does not exist as an Organization Policy constraint. Option B is wrong because `constraints/compute.restrictAuthorizedDomains` is not a constraint either; limiting identities by domain is done with `constraints/iam.allowedPolicyMemberDomains`, which has nothing to do with images. Option D is wrong because a firewall-rule constraint, whatever its exact name, governs firewall rules, not the images an instance boots from.
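An added example (not the page's or Google's code) that models how a list-type Organization Policy constraint is evaluated down the resource hierarchy, using the three constraints from questions 36, 42 and 45: `constraints/gcp.resourceLocations`, `constraints/gcp.restrictNonCmekServices` and `constraints/compute.trustedImageProjects`. The merge rules (inheritFromParent merges, otherwise the child replaces, reset returns to the default, denied values win) follow the documented list-constraint behaviour; the VALUE_GROUPS table, project ids, hierarchies and policies are constructed for the example.

```python
"""Offline evaluator for Organization Policy list constraints across
org -> folder -> project. Constructed data throughout."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Stand-in for Google's location value groups (the real groups are larger
# and maintained by Google); an assumption for the demo.
VALUE_GROUPS: Dict[str, List[str]] = {
    "in:eu-locations": ["eu", "europe-west1", "europe-west3", "europe-west4"],
    "in:us-locations": ["us", "us-central1", "us-east1", "us-west1"],
}


@dataclass
class ListPolicy:
    """One node's policy: allowedValues, deniedValues, inheritFromParent,
    and reset (return to the constraint's default)."""
    allowed: List[str] = field(default_factory=list)
    denied: List[str] = field(default_factory=list)
    inherit_from_parent: bool = False
    reset: bool = False


def value_matches(rule: str, value: str) -> bool:
    """'in:' expands a value group, 'is:' is an explicit literal prefix,
    anything else is compared literally."""
    if rule.startswith("in:"):
        return value in VALUE_GROUPS.get(rule, [])
    if rule.startswith("is:"):
        rule = rule[3:]
    return rule == value


def effective_policy(chain: List[Optional[ListPolicy]]) -> ListPolicy:
    """Fold org -> folder -> project. None means no policy at that node
    (inherit). inheritFromParent merges the node's lists into the parent's
    effective policy; without it the node's policy replaces the parent's;
    reset drops back to the default (nothing allowed or denied)."""
    eff = ListPolicy()
    for node in chain:
        if node is None:
            continue
        if node.reset:
            eff = ListPolicy()
        elif node.inherit_from_parent:
            eff = ListPolicy(eff.allowed + node.allowed, eff.denied + node.denied)
        else:
            eff = ListPolicy(list(node.allowed), list(node.denied))
    return eff


def is_allowed(eff: ListPolicy, value: str) -> bool:
    """Denied entries win; an allow list, once present, is exhaustive;
    with neither, these three constraints default to allow-all."""
    if any(value_matches(d, value) for d in eff.denied):
        return False
    if eff.allowed:
        return any(value_matches(a, value) for a in eff.allowed)
    return True


def image_project(image_uri: str) -> str:
    """'projects/debian-cloud/global/images/family/debian-12' -> 'projects/debian-cloud'."""
    parts = image_uri.split("/")
    if len(parts) < 2 or parts[0] != "projects":
        raise ValueError(f"not an image resource path: {image_uri}")
    return "/".join(parts[:2])


def scenarios() -> Dict[str, bool]:
    """Constructed org/folder/project chains for the three questions."""
    # Q36: gcp.resourceLocations pinned to the EU value group at the org.
    residency = effective_policy([ListPolicy(allowed=["in:eu-locations"]), None, None])
    # Q42: gcp.restrictNonCmekServices denies CMEK-less Cloud Storage at the
    # org; one folder resets the constraint, another merges via inherit.
    cmek_org = ListPolicy(denied=["storage.googleapis.com"])
    cmek_reset = effective_policy([cmek_org, ListPolicy(reset=True), None])
    cmek_merge = effective_policy(
        [cmek_org, ListPolicy(denied=["bigquery.googleapis.com"], inherit_from_parent=True), None])
    # Q45: compute.trustedImageProjects allows only the golden-image project.
    images = effective_policy([ListPolicy(allowed=["projects/golden-images"]), None, None])
    return {
        "q36_us_central1_allowed": is_allowed(residency, "us-central1"),
        "q36_europe_west1_allowed": is_allowed(residency, "europe-west1"),
        "q42_noncmek_storage_under_reset_folder": is_allowed(cmek_reset, "storage.googleapis.com"),
        "q42_noncmek_storage_under_merging_folder": is_allowed(cmek_merge, "storage.googleapis.com"),
        "q45_debian_cloud_image_allowed": is_allowed(
            images, image_project("projects/debian-cloud/global/images/family/debian-12")),
        "q45_golden_image_allowed": is_allowed(
            images, image_project("projects/golden-images/global/images/hardened-v3")),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'}")
```

The Q42 pair is the one to study: the same organization-level deny yields opposite results depending on whether the folder resets the constraint or inherits and extends it, which is exactly the gap the question describes.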

46
MCQmedium

A security engineer is using Cloud Asset Inventory to find all Compute Engine instances that are not labeled with a 'compliance' label. Based on the exhibit, which instance(s) are missing the compliance label?

A.Both instances
B.instance-2 only
C.Neither instance
D.instance-1 only
AnswerB

instance-2 lacks compliance label.

Why this answer

Option B is correct because the exhibit shows that instance-1 has a 'compliance' label with a value of 'true', while instance-2 has no 'compliance' label at all. Cloud Asset Inventory can query assets using label filters; the absence of the 'compliance' label on instance-2 means it fails the compliance labeling requirement. Therefore, only instance-2 is missing the compliance label.

Exam trap

Google Cloud often tests the distinction between a label that exists (even with an empty value) and a label that is completely absent, leading candidates to incorrectly assume that a missing label is the same as a label with a false or empty value.

How to eliminate wrong answers

Option A is wrong because both instances are not missing the compliance label; instance-1 has the label, so only one instance is missing it. Option C is wrong because instance-2 clearly lacks the 'compliance' label, so it is not true that neither instance is missing it. Option D is wrong because instance-1 does have the 'compliance' label, so it is not missing the label; the missing instance is instance-2 only.

47
MCQeasy

A healthcare organization is deploying a new application on Google Cloud that will process protected health information (PHI) subject to HIPAA. The security team has enabled encryption at rest using Google-managed keys and configured Cloud Audit Logs. During a compliance review, the auditor notes that the organization has not yet signed a Business Associate Agreement (BAA) with Google Cloud. What should the organization do to remediate this issue?

A.Enable VPC Service Controls to satisfy HIPAA requirements without a BAA.
B.Use Customer-Managed Encryption Keys (CMEK) to meet the requirement for a signed BAA.
C.Sign a BAA with Google Cloud through the Google Cloud Console or by contacting Google Cloud Support.
D.Configure Access Transparency logs as a substitute for a BAA.
AnswerC

A BAA is required under HIPAA.

Why this answer

Under HIPAA, a covered entity or business associate must have a signed Business Associate Agreement (BAA) with any service provider that creates, receives, maintains, or transmits protected health information (PHI) on its behalf. Google Cloud offers a standard BAA that customers must accept through the Google Cloud Console or by contacting support; encryption at rest and audit logs are separate technical controls that do not satisfy this contractual requirement. Option C is correct because signing a BAA is the only direct way to establish the legally required business associate relationship with Google Cloud for PHI processing.

Exam trap

The trap here is that candidates confuse technical security controls (encryption, network isolation, logging) with the contractual requirement for a BAA, assuming that strong encryption or access controls can substitute for the legal agreement mandated by HIPAA.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls provide network-based data exfiltration prevention but do not create a contractual business associate relationship; HIPAA requires a signed BAA regardless of network controls. Option B is wrong because Customer-Managed Encryption Keys (CMEK) give the customer control over encryption keys but do not replace the legal obligation to sign a BAA; encryption is a technical safeguard, not a contractual one. Option D is wrong because Access Transparency logs provide visibility into Google administrative access but are not a substitute for a BAA; HIPAA mandates a signed agreement, not just logging features.

48
Drag & Dropmedium

Drag and drop the steps to set up IAM conditions for a service account in the correct order.

Steps in order

1. Identify the resource and the service account the binding is for (the scope).
2. Write the condition expression (CEL) with a title and description.
3. Add the role binding with the condition attached.
4. Set the updated IAM policy on the resource.
5. Test that access is granted only when the condition holds.

Why this order

IAM conditions involve identifying the scope, writing the condition, binding it, attaching the policy, and testing.

49
MCQmedium

A healthcare company must export Cloud Audit Logs to an external SIEM for HIPAA compliance. The logs must be retained for 7 years and be immutable. Which solution meets these requirements with minimal operational overhead?

A.Configure a log sink to send logs to an on-premises syslog server via VPN.
B.Create a Pub/Sub sink with a retention policy that delivers logs to a custom application.
C.Stream audit logs to BigQuery using a log sink, and set table expiration to 7 years.
D.Use a log sink to export logs to a Cloud Storage bucket with a retention policy of 7 years and Object holds enabled.
AnswerD

A locked retention policy blocks deletion or overwrite of every object until its retention period expires; object holds keep an object from deletion for as long as the hold is set, even after the period ends.

Why this answer

Option D is correct because a Cloud Storage retention policy prevents any object from being deleted or overwritten before its retention period (counted from each object's creation) has elapsed, and locking the policy makes that period permanent; temporary or event-based holds add a per-object freeze on top. A log sink writing to such a bucket needs no custom infrastructure, so the 7-year, immutable requirement is met with the least operational overhead.

Exam trap

Google Cloud often tests the misconception that BigQuery or Pub/Sub can provide long-term immutable storage; among native services, Cloud Storage with a locked retention policy (plus holds where needed) is the one that enforces both retention and immutability without custom development.

How to eliminate wrong answers

Option A is wrong because an on-premises syslog server over VPN adds VPN and server maintenance and gives neither immutability nor a guaranteed 7-year retention. Option B is wrong because Pub/Sub message retention is measured in days, not years, and delivering to a custom application adds code to build and operate without providing immutability. Option C is wrong because BigQuery table expiration only schedules deletion of the table; rows can still be updated or deleted by anyone with write access, so it enforces neither retention nor immutability.
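An added example (not from the page) that checks a bucket's metadata against the "7 years, immutable" requirement of this question and names the control each field actually provides, which is also the reading exercise of question 35. The two bucket documents are constructed in the shape of a JSON API buckets.get response; the year length is gsutil's "1y" convention of 31,557,600 seconds.

```python
"""WORM checks for a Cloud Storage log-archive bucket. Bucket JSON is
constructed; the checks mirror how Cloud Storage enforces retention."""
from datetime import datetime, timedelta
from typing import Dict, List

SECONDS_PER_YEAR = 31_557_600  # gsutil / gcloud storage '1y'

GOOD_BUCKET: Dict = {  # constructed
    "name": "hipaa-audit-archive",
    "location": "EUROPE-WEST3",
    "retentionPolicy": {"retentionPeriod": str(7 * SECONDS_PER_YEAR), "isLocked": True},
    "encryption": {"defaultKmsKeyName": "projects/h/locations/europe-west3/keyRings/logs/cryptoKeys/archive"},
}
BAD_BUCKET: Dict = {  # constructed: looks protected, is not
    "name": "audit-logs-tmp",
    "location": "US",
    "retentionPolicy": {"retentionPeriod": "7776000", "isLocked": False},  # 90 days, unlocked
    "versioning": {"enabled": True},
    "lifecycle": {"rule": [{"action": {"type": "Delete"}, "condition": {"age": 30}}]},
}


def controls_addressed(bucket: Dict) -> Dict[str, bool]:
    """Map bucket fields to the compliance control they provide. 'location'
    is deliberately absent: every bucket has one, and residency is enforced
    by constraints/gcp.resourceLocations, not by bucket metadata."""
    rp = bucket.get("retentionPolicy") or {}
    return {
        "retention_immutability": bool(rp.get("retentionPeriod")),
        "retention_locked": bool(rp.get("isLocked")),
        "cmek": bool((bucket.get("encryption") or {}).get("defaultKmsKeyName")),
    }


def worm_findings(bucket: Dict, min_years: int = 7) -> List[str]:
    """Everything that would fail a 'retain N years, immutable' requirement."""
    findings = []
    rp = bucket.get("retentionPolicy") or {}
    period = int(rp.get("retentionPeriod", 0))
    if period < min_years * SECONDS_PER_YEAR:
        findings.append(f"retentionPeriod {period}s is shorter than {min_years}y")
    if not rp.get("isLocked"):
        findings.append("retention policy not locked: it can still be shortened or removed")
    if (bucket.get("versioning") or {}).get("enabled"):
        findings.append("Object Versioning is on: it cannot coexist with a retention policy "
                        "on a real bucket and is not a WORM control; turn it off")
    for rule in (bucket.get("lifecycle") or {}).get("rule", []):
        age = rule.get("condition", {}).get("age")
        if rule.get("action", {}).get("type") == "Delete" and age is not None and age * 86400 < period:
            findings.append(f"lifecycle Delete at {age}d sits inside the retention period; "
                            "it cannot fire until retention expires")
    return findings


def retention_expiry(time_created_iso: str, bucket: Dict) -> str:
    """Cloud Storage's retentionExpirationTime for an object: creation time
    plus the bucket's retention period."""
    period = int((bucket.get("retentionPolicy") or {}).get("retentionPeriod", 0))
    created = datetime.fromisoformat(time_created_iso.replace("Z", "+00:00"))
    return (created + timedelta(seconds=period)).isoformat()


if __name__ == "__main__":
    for b in (GOOD_BUCKET, BAD_BUCKET):
        print(b["name"], controls_addressed(b), worm_findings(b))
    print(retention_expiry("2024-01-01T00:00:00Z", GOOD_BUCKET))
```

Lock the policy only after confirming the period: once `isLocked` is true it cannot be unlocked, and the only way out of a too-long period is to delete the bucket after every object has aged out.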

50
Multi-Selectmedium

A multinational corporation must comply with GDPR requirements for storing and processing personal data of EU citizens. The company is using Google Cloud and wants to ensure that data remains within the European Union. Which TWO actions should the organization take? (Select TWO.)

Select 2 answers
A.Set up VPC Service Controls to block access from outside the EU.
B.Enable Access Transparency logs to monitor access by Google support personnel.
C.Use Cloud Data Loss Prevention (DLP) to automatically redact personal data before storage.
D.Configure Organization Policies to restrict resource creation to EU regions only.
E.Use CMEK with a key stored in Cloud HSM located in a US region to encrypt data.
AnswersA, D

VPC Service Controls can prevent data access from outside the EU, further ensuring compliance.

Why this answer

Option D is the residency control: `constraints/gcp.resourceLocations` with an allowed value such as `in:eu-locations` rejects the creation of any location-bound resource outside EU regions, so data cannot be stored outside the EU in the first place. Option A complements it: a VPC Service Controls perimeter around the projects, with an Access Context Manager access level that restricts source IP ranges or request regions, keeps the data from being read out of the perimeter by callers outside the EU. VPC Service Controls by themselves do not control where data is stored, which is why both actions are needed. Options B and C protect data without constraining its location, and option E places key material in a US region (Cloud Storage would in any case refuse a key whose location does not match an EU bucket's).

Exam trap

Google Cloud often tests the distinction between data protection controls (like DLP or encryption) and data residency controls (like VPC Service Controls or Organization Policies), leading candidates to mistakenly select options that protect data but do not enforce geographic boundaries.

51
Multi-Selectmedium

Which TWO actions are required to meet FedRAMP Moderate baseline for Google Cloud?

Select 2 answers
A.Enable Multi-Factor Authentication (MFA) for all Google Cloud users with access to the project.
B.Use Customer-Supplied Encryption Keys (CSEK) for all Cloud Storage buckets.
C.Enable encryption at rest for all data using CMEK or Google-managed keys.
D.Enable Data Access audit logs for all Google Cloud services in the project.
E.Create VPC Service Controls perimeters to restrict data exfiltration.
AnswersA, C

FedRAMP Moderate requires strong authentication, including MFA.

Why this answer

Option A is correct because FedRAMP Moderate requires multi-factor authentication (MFA) for all users accessing the system, including Google Cloud users. Enabling MFA for all users with access to the project satisfies this control by adding an additional authentication factor beyond a password, as mandated by NIST SP 800-53 IA-2. Option C is correct because FedRAMP Moderate requires encryption at rest for all data, and using Customer-Managed Encryption Keys (CMEK) or Google-managed keys meets this requirement under NIST SP 800-53 SC-28.

Exam trap

Google Cloud often tests the misconception that all audit log types (including Data Access) are required for FedRAMP Moderate, when in fact only Admin Read, Admin Write, and Data Write logs are mandatory, and Data Read logs are optional.

52
MCQhard

A healthcare organization uses BigQuery to store patient data with column-level encryption using CMEK. They need to ensure that data is encrypted at rest and in transit, and that only authorized users can query specific columns. Which combination of controls should they use?

A.Use VPC Service Controls to restrict access to BigQuery datasets, and use IAM conditions to limit column access.
B.Use Cloud HSM to create encryption keys and apply them to BigQuery tables using Cloud Key Management Service.
C.Use Cloud Data Loss Prevention to de-identify sensitive columns, and then use IAM to control access.
D.Use BigQuery column-level encryption with CMEK keys, and grant access via Authorized Views.
AnswerD

This combination ensures encryption and fine-grained access control.

Why this answer

Option D is correct because BigQuery column-level encryption with CMEK ensures data is encrypted at rest using customer-managed keys, while Authorized Views provide row- and column-level access control without exposing the underlying encrypted columns to unauthorized users. This combination satisfies both encryption requirements (at rest and in transit, as BigQuery enforces TLS in transit) and fine-grained access control for specific columns.

Exam trap

The trap here is that candidates confuse column-level encryption with table-level encryption or de-identification, and fail to recognize that Authorized Views are the only mechanism in BigQuery that can enforce column-level access control on encrypted columns without exposing the underlying data.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls restrict data exfiltration and access at the dataset or project level, not at the column level, and IAM conditions cannot enforce column-level encryption or granular column access. Option B is wrong because Cloud HSM and Cloud KMS can create and manage CMEK keys, but applying them to tables only encrypts the table at rest, not at the column level, and does not control which users can query specific columns. Option C is wrong because Cloud DLP de-identifies data (e.g., masking or tokenization) but does not provide encryption at rest with CMEK, and IAM alone cannot enforce column-level access on the de-identified data without additional mechanisms like Authorized Views.

53
MCQhard

A compliance officer reviews the Cloud Audit Log entry above and wants to know if any sensitive data was exposed during the instance creation. What is the best course of action?

A.Enable data access audit logs for Compute Engine to capture request payloads.
B.Check the status field to see if the operation failed, which might indicate a misconfiguration.
C.Analyze the log entry to see the image used; the image metadata is included.
D.Use Cloud DLP to scan the log entry for sensitive data.
AnswerA

Data access logs include full request and response data.

Why this answer

Option A is correct because enabling data access audit logs for Compute Engine captures the request payloads of API calls, including the instance creation request. This allows the compliance officer to inspect the exact parameters sent, such as any sensitive data that might have been passed as metadata or startup scripts, which are not included in the default admin activity audit logs. Data access audit logs provide the granularity needed to determine if sensitive data was exposed during the operation.

Exam trap

The trap here is that candidates assume the default audit logs already contain enough detail to inspect payloads, but they do not — only enabling data access audit logs provides the request payload data needed to check for sensitive data exposure.

How to eliminate wrong answers

Option B is wrong because the status field only indicates whether the operation succeeded or failed; it does not reveal the content of the request payload, so it cannot determine if sensitive data was exposed. Option C is wrong because the log entry includes only the image name or URI, not the full image metadata or any user-provided data that might contain sensitive information; image metadata is not automatically included in audit logs. Option D is wrong because Cloud DLP is designed to scan stored data for sensitive information, not to analyze audit log entries; audit logs are not a data source for DLP scanning, and the log entry itself does not contain the payload needed for such analysis.

54
MCQmedium

A government agency requires that all compute resources for a project are physically located in the United States (US) to comply with FedRAMP. The project contains Compute Engine instances, Cloud Storage buckets, and BigQuery datasets. Which configuration ensures that all future resources are created in the US?

A.Configure VPC Service Controls with a perimeter that only allows access from US-based IP addresses.
B.Assign the Compute Admin role to a security admin and restrict them to only create resources in US regions.
C.Set an Organization Policy on the folder containing the project with constraint constraints/gcp.resourceLocations set to allowedLocations list of US regions.
D.Use Cloud KMS with a key from a US-based location and require that all resources use that key.
AnswerC

This policy restricts resource creation to specified locations, applicable to all resources in that folder.

Why this answer

Option C is correct because the Organization Policy constraint `constraints/gcp.resourceLocations` enforces that all future resources in the project (Compute Engine instances, Cloud Storage buckets, BigQuery datasets) are created only in the allowed US regions. This policy is evaluated at resource creation time and prevents any resource from being provisioned outside the specified locations, directly meeting the FedRAMP requirement for physical location in the US.

Exam trap

Google Cloud often tests the misconception that IAM roles or VPC controls can enforce resource location, when in reality only Organization Policy constraints provide that enforcement at creation time.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls restrict data exfiltration and access based on IP addresses, but they do not enforce the physical location where resources are created; resources could still be provisioned outside the US. Option B is wrong because assigning the Compute Admin role with a restriction to only create resources in US regions is not a supported IAM feature; IAM roles do not have built-in region-scoping capabilities, and such a restriction would require custom logic or Organization Policies. Option D is wrong because Cloud KMS key location does not enforce the physical location of the resources using the key; a resource could be created in a non-US region and still use a US-based KMS key for encryption.

55
MCQhard

A government contractor uses Google Cloud with Assured Workloads. They need to ensure that data stored in BigQuery is encrypted with keys generated and stored in a Cloud HSM key ring located in a specific region. The keys must be rotated every 90 days. Which approach meets these requirements?

A.Create a Cloud HSM key ring in the desired region, create a key with a rotation period of 90 days, and use that key to protect the BigQuery dataset via CMEK.
B.Use Cloud KMS with a software key and enable automatic rotation of 90 days.
C.Create a Cloud HSM key ring and manually rotate keys every 90 days.
D.Use Cloud External Key Manager (EKM) with an external key management partner.
AnswerA

Cloud HSM keys can be used for CMEK, and rotation is automated.

Why this answer

Option A is correct because it uses a Cloud HSM key ring in the desired region, which meets the requirement for hardware-backed key generation and storage. Setting a rotation period of 90 days on the key satisfies the rotation requirement, and using that key as a customer-managed encryption key (CMEK) for BigQuery ensures data is encrypted with the specified key.

Exam trap

Google Cloud often tests the distinction between Cloud HSM and Cloud KMS software keys, where candidates may overlook that only Cloud HSM provides hardware-backed key storage, or confuse automatic rotation with manual rotation, leading them to choose a less secure or non-compliant option.

How to eliminate wrong answers

Option B is wrong because it uses a software key, not a Cloud HSM key, so the keys are not generated and stored in hardware, failing the requirement for Cloud HSM. Option C is wrong because it suggests manual rotation every 90 days, but the requirement can be met with automatic rotation, and manual rotation is error-prone and not the recommended approach for compliance. Option D is wrong because Cloud External Key Manager (EKM) uses an external key management partner, not Cloud HSM, so the keys are not generated and stored in a Cloud HSM key ring.

56
MCQmedium

A financial services company must retain audit logs for seven years to meet regulatory requirements. They are using Cloud Audit Logs. Which strategy should they implement to ensure logs are not deleted or modified during the retention period?

A.Export logs to BigQuery and set table expiration to 7 years.
B.Export logs to a Pub/Sub topic, then subscribe and store in a custom database.
C.Export logs to Cloud Storage and apply a retention policy that is locked to prevent deletion.
D.Store logs in the default Cloud Logging bucket and set a retention period of 7 years.
AnswerC

Cloud Storage retention policies with a lock ensure objects cannot be deleted or overwritten until the retention period expires.

Why this answer

Option C is correct because Cloud Storage buckets with a locked retention policy provide immutable storage, preventing any deletion or modification of objects during the retention period. This meets the regulatory requirement for audit logs to be retained for seven years without alteration. Exporting logs to Cloud Storage and locking the retention policy ensures compliance with data retention regulations.

Exam trap

Google Cloud often tests the misconception that the default Cloud Logging bucket can be configured with long retention periods, but in reality, it only supports up to 30 days, and candidates must recognize that exporting to Cloud Storage with a locked retention policy is the only immutable option for multi-year retention.

How to eliminate wrong answers

Option A is wrong because BigQuery table expiration deletes the table after the set time, but it does not prevent modification or deletion of data within the table before expiration; also, BigQuery is not designed for immutable log storage. Option B is wrong because storing logs in a custom database via Pub/Sub does not inherently enforce immutability; the custom database could allow modifications or deletions unless specifically designed with retention locks, which is not guaranteed. Option D is wrong because the default Cloud Logging bucket has a maximum retention period of 30 days for logs, not 7 years, and logs in the default bucket can be deleted or modified by users with appropriate permissions.

57
MCQhard

Refer to the exhibit. A company configured this VPC Service Controls perimeter for a PCI DSS project. The compliance auditor notes that BigQuery data can be accessed from outside the perimeter. Which change must be made to restrict access to BigQuery?

A.Set the perimeter enforcement mode to enforced instead of dry run
B.Add storage.googleapis.com to restrictedServices
C.Move BigQuery to a separate perimeter
D.Add allUsers to the perimeter's access levels
AnswerA

A perimeter in dry run mode logs violations but does not block access; it must be set to enforced to restrict BigQuery.

Why this answer

The dry run mode logs violations but does not enforce restrictions, allowing BigQuery data to be accessed from outside the perimeter. Changing the enforcement mode to 'enforced' activates the VPC Service Controls policies, blocking all out-of-perimeter access to the configured services. This directly addresses the auditor's finding by ensuring that only requests from within the perimeter are allowed.

Exam trap

Google Cloud often tests the distinction between 'dry run' and 'enforced' modes, where candidates mistakenly assume that simply adding a service to the perimeter or configuring access levels is sufficient without enabling enforcement.

How to eliminate wrong answers

Option B is wrong because adding storage.googleapis.com to restrictedServices would restrict Cloud Storage, not BigQuery; BigQuery uses bigquery.googleapis.com as its service name. Option C is wrong because moving BigQuery to a separate perimeter does not by itself restrict access from outside the original perimeter — the new perimeter would also need enforcement enabled and proper configuration. Option D is wrong because adding allUsers to the perimeter's access levels would explicitly allow all users, including those outside the perimeter, which is the opposite of what is needed to restrict access.

58
MCQmedium

Refer to the exhibit. A security engineer configured Data Access audit logs for all services. During a compliance audit, the auditor flags this configuration as deficient. What is the most likely reason?

A.The audit config does not include DATA_WRITE logging
B.ALL_SERVICES includes unsupported services for data access logs
C.The service account is exempted from DATA_READ logs, which may allow unlogged data access
D.The audit config should be applied at the project level, not organization level
AnswerC

Exempting any principal from audit logging reduces visibility and can violate compliance policies that require logging of all data access.

Why this answer

Exempting a service account from DATA_READ logging means data access by that service account is not logged, creating a gap in audit coverage that many compliance frameworks (e.g., PCI DSS) require to be comprehensive.
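The gap described above is easy to miss when reading a policy by hand. The following is an added example, not part of the original question set: a defender-side check that parses the `auditConfigs` section of an IAM policy (the JSON structure returned when you describe a project's IAM policy, where the catch-all service is spelled `allServices`) and reports, per service, any Data Access log type that is not enabled and any principal listed under `exemptedMembers`. The policy document and the service account name in it are constructed for this example.

```python
"""Flag Data Access audit-log gaps in a Google Cloud IAM policy's auditConfigs.

Added example, not from the original page. Input is the JSON IAM policy shape
(auditConfigs -> service -> auditLogConfigs -> logType/exemptedMembers).
"""
import json

# Data Access log types a comprehensive audit configuration should enable.
REQUIRED_LOG_TYPES = ("DATA_READ", "DATA_WRITE")

# Constructed sample policy mirroring the question: Data Access logs are on for
# all services, but one service account is exempted from DATA_READ.
SAMPLE_POLICY_JSON = """
{
  "auditConfigs": [
    {
      "service": "allServices",
      "auditLogConfigs": [
        {"logType": "DATA_READ",
         "exemptedMembers": ["serviceAccount:etl-job@example-project.iam.gserviceaccount.com"]},
        {"logType": "DATA_WRITE"}
      ]
    }
  ],
  "bindings": [],
  "etag": "BwXconstructed="
}
"""


def audit_config_findings(policy):
    """Return a list of (service, finding) tuples describing audit-log gaps.

    A finding is raised when a service lacks DATA_READ or DATA_WRITE logging,
    or when any principal is exempted from one of those log types. Admin
    Activity logs are always on and are not part of auditConfigs, so they are
    not checked here.
    """
    findings = []
    configs = policy.get("auditConfigs", [])
    if not configs:
        # No auditConfigs at all means Data Access logging is disabled.
        return [("allServices", "no auditConfigs: Data Access logs are disabled")]
    for cfg in configs:
        service = cfg.get("service", "<unknown>")
        # Map each enabled log type to the principals exempted from it.
        enabled = {}
        for log_cfg in cfg.get("auditLogConfigs", []):
            enabled[log_cfg.get("logType")] = log_cfg.get("exemptedMembers", [])
        for log_type in REQUIRED_LOG_TYPES:
            if log_type not in enabled:
                findings.append((service, f"{log_type} logging not enabled"))
                continue
            for member in enabled[log_type]:
                findings.append((service, f"{member} exempted from {log_type}"))
    return findings


def check_policy_json(policy_json):
    """Parse a JSON IAM policy document and return its audit-log findings."""
    return audit_config_findings(json.loads(policy_json))


if __name__ == "__main__":
    for service, finding in check_policy_json(SAMPLE_POLICY_JSON):
        print(f"[{service}] {finding}")
```

Run against a real policy by feeding the exported JSON to `check_policy_json`; an empty result means every service has both Data Access log types enabled with no exemptions, which is the state a PCI DSS style auditor expects.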

59
MCQhard

A company uses VPC Service Controls to protect sensitive data. They notice that audit logs from a service perimeter are not being exported to a logging bucket inside the same perimeter. What is the likely cause?

A.The logging bucket is not within the service perimeter
B.The logging bucket is within a different VPC
C.The logging bucket is in a different project
D.The logging bucket has a retention policy
AnswerA

Exporting to a bucket outside the perimeter is blocked by the service perimeter.

Why this answer

The logging bucket must be inside the service perimeter for logs to be accessible from within the perimeter. If the bucket is outside, the logs cannot be exported due to the perimeter's data exfiltration protections.

60
MCQeasy

A company must implement data residency requirements that prohibit storing data outside the European Union. They are using Cloud Bigtable and need to ensure that backups are also stored within the EU. Which configuration should they choose?

A.Create the Bigtable instance with multi-region placement in europe-west1 and europe-west4.
B.Create an instance in a dual-region configuration (e.g., europe-west1 and europe-west4) and use backup policies.
C.Use a single-region instance in europe-west1 with customer-managed encryption keys (CMEK) for backups.
D.Create the Bigtable instance in a single EU region (e.g., europe-west1) and enable automatic backups.
AnswerD

Backups are stored in the same region as the instance, ensuring data stays in the EU.

Why this answer

Option D is correct because a single-region Bigtable instance in an EU region (e.g., europe-west1) ensures that all data, including backups, remains within the EU. Enabling automatic backups stores backup data in the same region, satisfying data residency requirements that prohibit storing data outside the EU.

Exam trap

Google Cloud often tests the misconception that multi-region or dual-region configurations are acceptable for data residency. The trap here is that any replication across regions, even within the EU, can violate a strict residency requirement that confines data to a specific geographic boundary, and backups must be explicitly confined to the same region.

How to eliminate wrong answers

Option A is wrong because multi-region placement replicates data across multiple geographic regions, which could include non-EU locations, violating data residency requirements. Option B is wrong because a dual-region configuration replicates data across two EU regions, but backups may be stored in a separate location not guaranteed to be within the EU, and backup policies do not enforce regional residency. Option C is wrong because customer-managed encryption keys (CMEK) control encryption but do not affect data storage location; backups could still be stored outside the EU if not explicitly configured to stay within the region.

61
MCQeasy

A company needs to retain audit logs for 7 years to meet regulatory compliance. They are using Cloud Logging. Which log storage strategy should they use to minimize costs while meeting the requirement?

A.Store logs in the _Required log bucket with a custom retention of 7 years.
B.Disable logging for non-critical resources to reduce log volume and retain only essential logs.
C.Use a log sink to export logs to Cloud Storage with a retention policy of 7 years and nearline storage class.
D.Use a log sink to export logs to BigQuery and set the table expiration to 7 years.
AnswerC

Log sinks can export to Cloud Storage, and a retention policy ensures logs are kept for 7 years. Nearline storage class reduces cost.

Why this answer

Option C is correct because exporting logs to Cloud Storage via a log sink allows you to set a bucket retention policy of 7 years, meeting compliance requirements. Using the nearline storage class minimizes costs for logs that are accessed infrequently, as it offers lower storage costs than standard storage while still providing the necessary durability and retention capabilities.

Exam trap

Google Cloud often tests the misconception that the _Required log bucket can be customized for long-term retention, when in fact it is a fixed, system-managed bucket with a default retention period that cannot be extended.

How to eliminate wrong answers

Option A is wrong because the _Required log bucket is a system-managed bucket that cannot have a custom retention period; it retains logs for the default retention (typically 30 days) and is not designed for long-term archival. Option B is wrong because disabling logging for non-critical resources violates the principle of comprehensive audit logging required by many regulations; you must retain logs for all resources that generate audit-relevant data, not just 'essential' ones. Option D is wrong because BigQuery is optimized for analytics and querying, not for long-term, low-cost archival storage; table expiration at 7 years would still incur ongoing storage costs that are higher than Cloud Storage nearline, and BigQuery is not the most cost-effective choice for infrequently accessed audit logs.

62
Multi-Selecteasy

Which TWO actions help ensure compliance with data residency requirements in Google Cloud? (Choose two.)

Select 2 answers
A.Configure Organization policy `gcp.resourceLocations` to restrict allowed locations
B.Use Cloud CDN to cache content globally
C.Use VPC Service Controls to create perimeters that restrict data movement
D.Enable Cloud Interconnect for dedicated connectivity
E.Use Cloud VPN for site-to-site encryption
AnswersA, C

Organization policy can enforce that resources are created only in approved regions.

Why this answer

Option A is correct because the `gcp.resourceLocations` Organization policy constraint explicitly defines the set of Google Cloud regions where resources can be created. By configuring this policy, an organization can enforce that all resources are provisioned only in approved geographic locations, directly meeting data residency requirements that mandate data remain within specific jurisdictions.

Exam trap

Google Cloud often tests the distinction between data residency controls (which restrict where data is stored) and network connectivity or encryption services (which do not enforce geographic restrictions), leading candidates to mistakenly select Cloud Interconnect or Cloud VPN as solutions for residency compliance.

63
MCQhard

Which method ensures that Cloud Storage logs are encrypted with a key that is managed on-premises?

A.CMEK
B.Cloud External Key Manager
C.CSEK
D.Default encryption
AnswerB

Cloud External Key Manager uses an external key management partner, keeping keys on-premises.

Why this answer

Cloud External Key Manager (Cloud EKM) allows you to use an external key management system, such as one running on-premises, to manage encryption keys for Cloud Storage. This ensures that the keys used to encrypt your data are never stored in Google Cloud, meeting the requirement of on-premises key management.

Exam trap

Google Cloud often tests the distinction between where the key material is stored (Google Cloud vs. on-premises) rather than who manages the key lifecycle, causing candidates to confuse CMEK (customer-managed but cloud-hosted) with Cloud EKM (customer-managed and on-premises-hosted).

How to eliminate wrong answers

Option A (CMEK) is wrong because Cloud Key Management Service (Cloud KMS) with customer-managed encryption keys (CMEK) still stores the key material within Google Cloud, not on-premises. Option C (CSEK) is wrong because customer-supplied encryption keys (CSEK) are provided by the customer for each API call but are not managed on-premises; they are ephemeral and not stored or managed by a persistent on-premises system. Option D (Default encryption) is wrong because default encryption uses Google-managed keys, which are entirely controlled and stored by Google, not on-premises.

64
MCQhard

A company uses Cloud SQL for MySQL and needs to automate the rotation of database user passwords every 30 days. They want to store the passwords in Secret Manager and have the application retrieve them at runtime. The application runs on Compute Engine. What is the most secure way to allow the Compute Engine instances to access the secrets?

A.Attach a service account to the Compute Engine instances with the role roles/secretmanager.secretAccessor, and grant that service account access to the specific secret versions.
B.Grant the roles/secretmanager.secretAccessor role to all service accounts in the project.
C.Create a service account key for a dedicated service account, download it to the instance, and use it to access the secret.
D.Store the password in instance metadata and have the application read it from the metadata server.
AnswerA

This follows least privilege and uses short-lived credentials from the metadata server.

Why this answer

Option A is correct because it follows the principle of least privilege by attaching a service account with the roles/secretmanager.secretAccessor role directly to the Compute Engine instances and granting that service account access only to the specific secret versions needed. This ensures that the instances can authenticate via the default service account metadata server (using OAuth 2.0 tokens) without exposing any long-lived credentials, and the access is scoped to exactly the secrets required for password rotation.

Exam trap

Google Cloud often tests the misconception that storing secrets in instance metadata is acceptable for security, but the trap here is that metadata is not designed for secrets management and lacks encryption, access control, and audit capabilities that Secret Manager provides.

How to eliminate wrong answers

Option B is wrong because granting roles/secretmanager.secretAccessor to all service accounts in the project violates least privilege and could allow unintended service accounts to access secrets, increasing the attack surface. Option C is wrong because downloading a service account key file to the instance creates a long-lived credential that must be securely stored and rotated, which is less secure than using the instance's attached service account and metadata server for automatic token-based authentication. Option D is wrong because storing passwords in instance metadata is not encrypted at rest by default, is visible to anyone with metadata server access (including other processes on the instance), and does not provide the audit logging and versioning capabilities of Secret Manager.

65
MCQeasy

An organization wants to enforce that all new Cloud Storage buckets are created with uniform bucket-level access enabled to simplify access control and meet compliance requirements. What Google Cloud service should they use to enforce this?

A.VPC Service Controls
B.Organization Policies
C.Cloud IAM
D.Cloud Armor
AnswerB

Organization Policies include pre-defined constraints to enforce uniform bucket-level access.

Why this answer

Organization Policies allow administrators to set constraints on Google Cloud resources at the organization, folder, or project level. The `constraints/storage.uniformBucketLevelAccess` constraint can be applied to enforce that all new Cloud Storage buckets are created with uniform bucket-level access enabled, simplifying access control and meeting compliance requirements.

Exam trap

The trap here is that candidates confuse Organization Policies (which enforce configuration rules) with Cloud IAM (which grants permissions), leading them to select Cloud IAM even though it cannot enforce a bucket creation constraint.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls are used to define security perimeters around Google Cloud services to mitigate data exfiltration risks, not to enforce bucket-level access settings. Option C is wrong because Cloud IAM manages who has access to resources (permissions) but cannot enforce configuration constraints like uniform bucket-level access on new buckets. Option D is wrong because Cloud Armor is a web application firewall (WAF) and DDoS protection service for HTTP(S) load balancing, unrelated to Cloud Storage bucket access control.

66
MCQhard

A company is using Forseti for compliance automation. They need to ensure that all Cloud Storage buckets are encrypted with CMEK and that buckets without CMEK are flagged. Which Forseti scanner should they use?

A.IAM scanner
B.Resource scanner
C.Bucket ACL scanner
D.Location scanner
AnswerD

Location scanner can enforce policies like 'require CMEK' on buckets.

Why this answer

The Location scanner in Forseti is designed to audit resources based on their location or configuration settings, including encryption status. For Cloud Storage buckets, it can check whether CMEK is enabled by evaluating the bucket's encryption configuration against a policy, flagging any that lack CMEK. This makes it the correct scanner for ensuring CMEK compliance.

Exam trap

The trap here is that candidates confuse the Location scanner's name with geographic location auditing, when in fact it audits any resource property defined in the policy library, including encryption settings.

How to eliminate wrong answers

Option A is wrong because the IAM scanner audits Identity and Access Management policies and permissions, not encryption settings on Cloud Storage buckets. Option B is wrong because the Resource scanner inventories and tracks resource metadata and lifecycle, but does not evaluate encryption compliance. Option C is wrong because the Bucket ACL scanner checks Access Control Lists for bucket permissions, not encryption configurations like CMEK.

67
MCQhard

A multinational corporation must comply with GDPR and requires that data stored in BigQuery is physically located in the European Union. They have set up BigQuery datasets in the EU region. However, a compliance audit reveals that some queries may process data in the US region due to BigQuery's multi-region behavior. What should the organization do to ensure data remains in the EU?

A.Create BigQuery datasets in a specific European region (e.g., europe-west1) instead of the EU multi-region.
B.Use the EU multi-region dataset and configure VPC Service Controls to restrict access.
C.Enable BigQuery CMEK with keys stored in a European Cloud KMS key ring.
D.Use BigQuery reservations to guarantee that data processing happens in the EU.
AnswerA

Single-region datasets keep data and processing within that region.

Why this answer

Option A is correct because creating a BigQuery dataset in a specific European region (e.g., europe-west1) ensures that all data storage and query processing are physically confined to that single region. In contrast, the EU multi-region (EU) is a geographic entity that includes multiple Google Cloud regions within the European Union, and BigQuery may process data in any of those regions, including potentially outside the EU if the multi-region expands. By using a specific regional dataset, the organization guarantees that data never leaves the designated European location, meeting GDPR's data residency requirements.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls or encryption keys can enforce data residency, but the trap here is that only choosing a specific regional dataset (not a multi-region) physically restricts data processing to a single location.

How to eliminate wrong answers

Option B is wrong because VPC Service Controls restrict network access to resources but do not control the physical location where data is processed; they cannot prevent BigQuery from processing data in a different region within a multi-region. Option C is wrong because Customer-Managed Encryption Keys (CMEK) control encryption at rest but have no impact on where data is processed or stored; the key location does not enforce data residency. Option D is wrong because BigQuery reservations manage slot capacity and query priority, not the geographic location of data processing; they cannot force processing to occur in a specific region.

68
Multi-Selecthard

Which THREE steps are necessary to meet SOC 2 Type II requirements using Google Cloud?

Select 3 answers
A.Enable Cloud Audit Logs and retain them for at least one year.
B.Ensure all data in transit is encrypted using TLS.
C.Use a single Google Cloud project for all data to simplify auditing.
D.Use Customer-Managed Encryption Keys (CMEK) for all storage services.
E.Set up Cloud Monitoring alerts to continuously monitor security configurations.
AnswersA, B, E

Audit logs provide evidence of controls and are required for SOC 2.

Why this answer

Option A is correct because SOC 2 Type II requires evidence of continuous monitoring and retention of audit logs for at least one year to demonstrate effective controls. Enabling Cloud Audit Logs in Google Cloud captures admin activity, data access, and system events, which are essential for audit evidence. Retaining these logs for a minimum of one year aligns with the SOC 2 common criteria for monitoring and response.

Exam trap

Google Cloud often tests the misconception that using a single project simplifies compliance, when in reality SOC 2 requires logical separation and least privilege, which is better achieved with multiple projects or folders; also, candidates may assume CMEK is mandatory for encryption, but Google-managed keys are acceptable for SOC 2.

69
MCQeasy

A company in the EU is moving to Google Cloud and must comply with GDPR data residency requirements. They have users across multiple EU countries and want to ensure that personal data remains within the European Economic Area (EEA). They plan to use Cloud Storage, BigQuery, and Compute Engine. The security administrator sets organization policies to restrict resource locations to europe-west1, europe-west3, and europe-west4. After deploying applications, the compliance team finds that some data is stored in a Cloud Storage bucket in us-central1. Investigation shows that the bucket was created by a developer who manually chose the region. The organization policy seems to have been bypassed. The administrator confirms the policy is active and applied to the project. What is the most likely cause?

A.The policy only applies to Compute Engine resources, not Cloud Storage.
B.The organization policy was set at the folder level, and the project where the bucket was created is not a child of that folder.
C.The developer has the orgpolicy.policyCreator role, which allows them to bypass the policy.
D.The policy was set to allowlist mode, and us-central1 is in the allowlist.
AnswerB

Organization policies are hierarchical; if the project is not under the folder where the policy is set, it is not enforced.

Why this answer

Organization policies in Google Cloud are hierarchical and apply only to resources within the scope of the node (organization, folder, or project) where they are set. If the policy is set at a folder level, it does not affect projects that are not children of that folder. In this scenario, the bucket was created in a project outside the folder hierarchy where the policy was applied, so the policy was not enforced on that project, allowing the developer to choose us-central1.

Exam trap

Google Cloud often tests the hierarchical nature of organization policies, and the trap here is that candidates assume a policy set at any level applies to all projects in the organization, ignoring that it only applies to projects within the specific folder or node where the policy is attached.

How to eliminate wrong answers

Option A is wrong because organization policies for resource location (constraints/gcp.resourceLocations) apply to Compute Engine, Cloud Storage, BigQuery, and many other services, not just Compute Engine. Option C is wrong because the orgpolicy.policyCreator role allows a user to create and manage organization policies, but it does not grant the ability to bypass an active policy; policies are enforced regardless of the creator's role. Option D is wrong because the policy was set to restrict locations to europe-west1, europe-west3, and europe-west4, which is a deny-list (restrict) mode, not an allowlist mode; if it were an allowlist, us-central1 would not be in the allowed set.

70
Multi-Selectmedium

A company is migrating to Google Cloud and needs to comply with the Health Insurance Portability and Accountability Act (HIPAA). They plan to use Cloud SQL for MySQL and Cloud Storage. Which TWO actions must they take to ensure HIPAA compliance?

Select 2 answers
A.Sign a Business Associate Agreement (BAA) with Google Cloud.
B.Disable automatic backups to prevent exposure of protected health information (PHI).
C.Enable encryption at rest for Cloud SQL and Cloud Storage.
D.Implement VPC Service Controls to create a perimeter around the projects.
E.Use customer-managed encryption keys (CMEK) for all services.
AnswersA, C

A BAA is required for any HIPAA-covered entity using Google Cloud services.

Why this answer

Options B and D are correct. HIPAA requires a Business Associate Agreement (BAA) with Google, and encryption at rest must be enabled. Cloud SQL and Cloud Storage both support encryption at rest.

Option A is wrong because disabling automatic backups is not a HIPAA requirement. Option C is wrong because VPC Service Controls are for data exfiltration prevention, not specifically required by HIPAA. Option E is wrong because HIPAA does not mandate a specific key management service; CMEK is optional.

71
MCQmedium

Refer to the exhibit. A security engineer runs the gcloud command to analyze IAM policy for a user in an organization. The output shows that the user has the 'compute.instances.create' permission via a role at the organization level. However, the user is unable to create Compute Engine instances in a specific project. What is the most likely cause?

A.The user does not have the 'compute.instances.create' permission at the project level.
B.The user has the permission but through a different role than expected.
C.An organization policy constraint is denying the creation of Compute Engine instances.
D.The user's role is not granted at the project level.
AnswerC

Organization policies can deny actions even if IAM allows them.

Why this answer

Option C is correct because organization policy constraints in Google Cloud can override IAM permissions at any level. Even if the user has the 'compute.instances.create' permission via an organization-level role, an organization policy constraint (e.g., constraints/compute.vmExternalIpAccess or constraints/compute.restrictCreateVM) can explicitly deny the creation of Compute Engine instances in a specific project. This is a common scenario where IAM allows the action, but organization policy blocks it.

Exam trap

Google Cloud often tests the distinction between IAM permissions and organization policy constraints, trapping candidates who assume that having the correct IAM permission at any level is sufficient to perform an action, without considering that organization policies can override IAM.

How to eliminate wrong answers

Option A is wrong because the user has the permission at the organization level, which is inherited by all projects in the organization, so the permission is effectively present at the project level. Option B is wrong because the role through which the permission is granted is irrelevant; IAM evaluates permissions based on the permission itself, not the role name. Option D is wrong because the role is granted at the organization level, and organization-level roles are inherited by all projects, so the role is effectively granted at the project level.

72
MCQhard

Refer to the exhibit. A security engineer reviews this IAM policy. Which compliance requirement does this policy help satisfy?

A.Key rotation schedule for encryption keys
B.Data residency by limiting access to European regions
C.Audit logging of data access
D.Encryption of data at rest
AnswerB

By restricting access to resources in europe-west, the policy supports data residency compliance.

Why this answer

The IAM policy includes a `Condition` block using `aws:RequestedRegion` to explicitly deny access to any AWS region outside of the specified European regions (eu-west-1, eu-central-1, etc.). This enforces data residency by ensuring that API calls that would create or modify resources are restricted to approved geographic boundaries, helping satisfy compliance requirements such as GDPR or local data sovereignty laws.

Exam trap

Google Cloud often tests the distinction between IAM policies that control access (like region restriction) versus resource-level configurations (like encryption or logging), leading candidates to confuse a condition-based access control policy with a data protection mechanism.

How to eliminate wrong answers

Option A is wrong because key rotation schedules are managed through AWS KMS key policies or automated rotation settings, not through IAM policies that control API access based on region. Option C is wrong because audit logging of data access is enabled by services like AWS CloudTrail or Amazon S3 server access logs, not by an IAM policy that restricts regional access. Option D is wrong because encryption of data at rest is enforced through encryption settings on the resource itself (e.g., S3 SSE, EBS encryption) or via KMS key policies, not by an IAM policy that limits the regions where API calls can be made.

73
Multi-Selecthard

Which THREE steps are necessary to ensure that a Google Cloud project complies with FedRAMP Moderate baseline requirements for access control? (Choose three.)

Select 3 answers
A.Set up session expiration policies that automatically log out inactive users after 15 minutes.
B.Configure Cloud NAT to allow instances to access the internet without public IPs.
C.Enforce multi-factor authentication (MFA) for all users accessing the Google Cloud Console.
D.Create custom IAM roles that grant only the minimum permissions required for each job function.
E.Implement VPC Service Controls to prevent data exfiltration.
AnswersA, C, D

Session timeouts are required for access control.

Why this answer

Option A is correct because FedRAMP Moderate requires session timeout policies to mitigate the risk of unauthorized access from unattended sessions. Google Cloud IAM session settings allow you to enforce a maximum session duration, and setting it to 15 minutes aligns with the FedRAMP requirement for automatic logout of inactive users. This directly addresses the access control family (AC-12) in the FedRAMP baseline.

Exam trap

Google Cloud often tests the distinction between access control (user authentication, session management, least privilege) and network security controls (NAT, VPC perimeters), leading candidates to incorrectly select options that address data exfiltration or internet access rather than direct access control requirements.

74
Multi-Selectmedium

Which TWO configurations are required to use Customer-Managed Encryption Keys (CMEK) with Cloud Storage to meet a compliance requirement that keys must be rotated every 30 days? (Choose two.)

Select 2 answers
A.Set a key destruction policy to prevent accidental deletion of the key.
B.Use Cloud External Key Manager (EKM) to manage the key externally.
C.Create a Cloud KMS key ring and key with a rotation period of 30 days.
D.Use a Cloud HSM key with protection level HSM to meet key storage requirements.
E.Grant the Cloud Storage service account the Cloud KMS CryptoKey Encrypter/Decrypter role on the key.
AnswersC, E

The key must have a rotation schedule to meet the requirement.

Why this answer

Option C is correct because Cloud KMS allows you to set a rotation period on a key, and when you use a CMEK with Cloud Storage, the key is used to encrypt the data encryption keys (DEKs). Setting a rotation period of 30 days ensures that the key material is automatically rotated every 30 days, meeting the compliance requirement. Option E is correct because the Cloud Storage service account must be granted the Cloud KMS CryptoKey Encrypter/Decrypter role to be authorized to use the CMEK for encrypting and decrypting objects.

Exam trap

Google Cloud often tests the distinction between key rotation (a lifecycle policy) and key protection (HSM or destruction policies), so candidates mistakenly select options that address security or deletion prevention instead of the rotation requirement.

75
MCQmedium

An organization uses Assured Workloads for Google Cloud to meet FedRAMP compliance. They have enabled Access Transparency logs. During an audit, they need to provide evidence that Google personnel access was logged and reviewed. What is the primary benefit of using Access Transparency?

A.It provides logs detailing the actions of Google personnel when accessing customer data.
B.It blocks all Google personnel access to customer data.
C.It encrypts data with customer-managed keys.
D.It prevents data from being moved outside the organization's VPC.
AnswerA

Access Transparency logs record Google staff access events.

Why this answer

Option D is correct because Access Transparency logs provide near-real-time logs of Google administrators' access to customer data. Option A is wrong because Access Transparency does not block access; it logs it. Option B is wrong because encryption is separate.

Option C is wrong because VPC Service Controls, not Access Transparency, restrict data movement.
