CCNA GCP Security Operations Questions

75 of 109 questions · Page 1/2 · GCP Security Operations topic · Answers revealed

1
MCQ · easy

Refer to the exhibit. A user tries to create a Compute Engine instance using a custom image from another project. What is the most likely cause of the error?

A. The user does not have permission to use images from the other project.
B. The image family does not exist in the specified project.
C. The user specified the wrong project ID.
D. The image family name is misspelled.
Answer: B

The error message directly indicates that the image family does not exist in the project.

Why this answer

Option B is correct. The error message explicitly states that the image family does not exist in the specified project. Option D is possible, but the error specifically says the image family does not exist.

Option A would result in a permission denied error, not this error. Option C is incorrect because the project ID is specified in the image path; if it were wrong, the error would indicate an invalid project.

2
MCQ · hard

During an incident, a security engineer finds this audit log entry. What action was taken and by whom?

A. A user modified instance 'instance-1'.
B. A user created an instance named 'instance-1'.
C. A user stopped instance 'instance-1'.
D. A user deleted an instance named 'instance-1'.
Answer: D

methodName is delete and principal is admin@example.com.

Why this answer

Option D is correct because methodName is 'v1.compute.instances.delete', indicating a delete operation, and the principal is admin@example.com. Option B is incorrect because the method is delete, not create. Option A is incorrect because the method is delete, not modify.

Option C is incorrect because the method is delete, not stop.

3
Multi-Select · medium

Which THREE of the following are recommended practices for managing secrets in Google Cloud?

Select 3 answers
A. Enable automatic secret rotation and use short-lived secrets.
B. Use Cloud Secret Manager to store and access secrets programmatically.
C. Store encrypted secrets in Cloud Storage buckets with uniform bucket-level access.
D. Embed secrets as environment variables in source code during deployment.
E. Grant access to secrets using IAM roles (e.g., Secret Manager Secret Accessor).
Answers: A, B, E

Reduces risk if a secret is compromised.

Why this answer

Options A, B, and E are correct: Secret Manager for storing and accessing secrets programmatically, IAM role bindings for access control, and short-lived secrets with automatic rotation. Option C is incorrect because storing secrets in Cloud Storage, even encrypted, is less secure than Secret Manager.

Option D is incorrect because hardcoding secrets in source code is dangerous.

4
Drag & Drop · medium

Drag and drop the steps to set up a Cloud VPN with a static route in the correct order.

Why this order

Cloud VPN setup requires gateway creation, Cloud Router, tunnel configuration, route addition, and connectivity testing.

5
MCQ · hard

Your organization uses Cloud CDN to distribute static content. Recently, users in a specific geographic region are experiencing high latency. What is the most likely cause?

A. The CDN cache has been purged for that region
B. The origin server is unhealthy
C. There is no CDN edge node in that region
D. The DNS resolution is failing for that region
Answer: C

Without a local edge, requests are routed to the nearest available edge or origin, increasing latency.

Why this answer

If there is no CDN edge node in that region, traffic must travel directly to the origin, increasing latency.

6
Multi-Select · hard

A security engineer is designing a solution to monitor and detect anomalous IAM role usage across multiple Google Cloud projects. The engineer wants to create a centralized logging solution that captures all IAM policy changes and access attempts. Which THREE services should the engineer use together to achieve this?

Select 3 answers
A. BigQuery
B. Cloud Logging
C. Cloud Audit Logs
D. Cloud Monitoring
E. Cloud Functions
Answers: A, B, C

Used to store and analyze logs forwarded from Cloud Logging via log sinks.

Why this answer

BigQuery is correct because it serves as the centralized analytics destination for Cloud Audit Logs, enabling the security engineer to run SQL queries across IAM policy changes and access attempts from multiple Google Cloud projects. By exporting audit logs to BigQuery, you can perform complex aggregations and anomaly detection at scale, which is essential for monitoring IAM role usage across a fleet of projects.

Exam trap

Google Cloud often tests the distinction between logging/audit services (Cloud Logging, Cloud Audit Logs, BigQuery) and monitoring/alerting services (Cloud Monitoring), so candidates mistakenly choose Cloud Monitoring for log analysis when it is only for metrics and dashboards.

7
MCQ · hard

A DevOps team wants to centralize logging and monitoring for a GKE cluster that runs hundreds of microservices. They need to view logs, metrics, and traces in a single dashboard. Which approach should they use?

A. Use Stackdriver Logging and Stackdriver Monitoring
B. Use a third-party SIEM tool like Splunk or Elastic
C. Deploy Prometheus and Grafana on the cluster
D. Enable Cloud Logging and Cloud Monitoring for the GKE cluster
Answer: D

Cloud Logging and Cloud Monitoring provide native integration, automatic metrics, log collection, and trace capabilities for GKE.

Why this answer

Option D is correct because Cloud Logging and Cloud Monitoring natively integrate with GKE and provide logs, metrics, and traces in a unified dashboard. Option A is wrong because Stackdriver Logging and Monitoring are the former names of Cloud Logging and Monitoring; they are the same service but the answer refers to outdated names. Option C is wrong because Prometheus requires manual setup and does not provide native GKE integration for all signals.

Option B is wrong because third-party tools add complexity and may not integrate as seamlessly.

8
Drag & Drop · medium

Drag and drop the steps to set up a binary authorization policy for a GKE cluster in the correct order.

Why this order

Binary Authorization requires authority creation, attestor setup, policy creation, cluster enablement, and testing.

9
MCQ · easy

A security engineer is troubleshooting an issue where a Compute Engine VM cannot connect to a Cloud SQL instance that has a private IP address. Both resources are in the same VPC network. The VM's firewall rules allow egress to any destination, and the Cloud SQL instance's authorized networks include the VPC network. What is the most likely cause of the connection failure?

A. Private Google Access is not enabled on the subnet.
B. The VM's firewall rules block traffic to the Cloud SQL IP range.
C. The VPC network does not have a private services access connection (VPC peering) to the Service Networking API.
D. The Cloud SQL instance requires the Cloud SQL Auth proxy to be installed on the VM.
Answer: C

Private services access requires a VPC peering connection to route traffic to Google-managed services like Cloud SQL.

Why this answer

Cloud SQL instances with private IP addresses require a private services access connection (VPC peering) between the VPC network and the Service Networking API's managed tenant project. Without this VPC peering, the VM cannot route traffic to the Cloud SQL instance's private IP, even if both are in the same VPC network. Option C directly identifies this missing prerequisite.

Exam trap

Google Cloud often tests the misconception that being in the same VPC network guarantees Layer 3 connectivity, but private Cloud SQL instances require an explicit VPC peering to the Service Networking API, which is a separate configuration step.

How to eliminate wrong answers

Option A is wrong because Private Google Access enables VMs without external IPs to reach Google APIs and services (like Cloud Storage) via the default internet gateway, but it is not required for VPC-internal traffic to a Cloud SQL private IP. Option B is wrong because the VM's firewall rules allow egress to any destination, so they do not block traffic to the Cloud SQL IP range; the issue is at the routing/peering layer, not firewall. Option D is wrong because the Cloud SQL Auth proxy is an optional tool for encrypting connections and managing IAM-based authentication, but it is not required for connectivity when using a private IP within the same VPC; the proxy is typically used for public IP connections or to avoid managing SSL certificates.

10
MCQ · hard

Your organization uses Cloud Armor to protect against web attacks. After a change to the security policy, legitimate traffic from certain IPs is being blocked. You need to quickly allow that traffic while preserving the security policy. What should you do?

A. Remove the offending rule from the security policy
B. Enable logging on the security policy
C. Set the security policy to preview mode
D. Add a higher priority allow rule for those IPs
Answer: D

A higher priority rule explicitly allows the traffic before the blocking rule is evaluated.

Why this answer

Adding a higher priority allow rule for the affected IPs allows the traffic without removing the security policy. Other options either remove protection or are ineffective.

11
MCQ · medium

Refer to the exhibit. A VM in the default network with internal IP 10.128.0.5 is unable to reach a VM at 10.0.0.4 over TCP port 22. What is the most likely cause?

A. The deny-all rule blocks traffic from 10.0.0.4 to the VM.
B. The deny-all rule has higher priority than default-allow-internal.
C. The default-allow-internal rule does not cover port 22.
D. There is no rule allowing SSH traffic from 10.0.0.4.
Answer: B

Deny-all (priority 2000) has higher priority (numerically lower) than default-allow-internal (priority 65534), so it overrides the allow rule.

Why this answer

Option B is correct. The deny-all rule (priority 2000) has a higher priority (lower number) than the default-allow-internal rule (priority 65534). Since the deny-all rule blocks all TCP traffic from the 10.0.0.0/8 range, it overrides the default-allow-internal rule, blocking SSH traffic from 10.0.0.4 to 10.128.0.5.

Option A is incorrect because the deny rule denies traffic from 10.0.0.0/8, not to it. Option C is incorrect because default-allow-internal allows all TCP traffic, including port 22. Option D is incorrect because default-allow-internal covers SSH; the issue is priority.

12
MCQ · easy

A security engineer is troubleshooting a VPC firewall rule that is not allowing traffic from a specific subnet to a Compute Engine instance. The target tag is set correctly. What is the most likely cause?

A. A deny rule with a higher priority (lower number) exists and blocks the traffic.
B. The firewall rule is in the wrong network.
C. The instance has an internal IP address that is not within the source range of the rule.
D. The firewall rule's target tag is misspelled.
Answer: A

A deny rule with lower priority number overrides allow rules of higher priority number.

Why this answer

Option A is correct because if a deny rule with a lower priority number (higher priority) exists, it will take precedence and block traffic despite an allow rule. Option C is incorrect because the instance's internal IP address does not affect the source range check. Option D is incorrect because the problem states the target tag is set correctly.

Option B is incorrect because the rule is in the correct network.

13
Multi-Select · hard

Which TWO of the following are true regarding Cloud Audit Logs?

Select 2 answers
A. Data Access audit logs are enabled by default for all services.
B. Admin Activity audit logs are enabled by default and cannot be disabled.
C. Cloud Audit Logs are retained indefinitely unless a retention policy is set.
D. Cloud Audit Logs include monitoring metrics for log volume.
E. System Event audit logs record non-human administrative actions and are enabled by default.
Answers: B, E

Default on for all projects.

Why this answer

Options B and E are correct. Admin Activity audit logs are always enabled by default and cannot be disabled. System Event audit logs are also enabled by default but capture actions taken by Google Cloud itself.

Option A is incorrect because Data Access logs are disabled by default and need to be enabled. Option D is incorrect because Cloud Audit Logs do NOT include metrics, only logs. Option C is incorrect because all audit logs are retained for 400 days by default.

14
MCQ · easy

A security team needs to centrally manage secrets for multiple Google Cloud projects. Which solution should they use?

A. Hardcode secrets in application code and use IAM with access scopes
B. Use Cloud Key Management Service (Cloud KMS) to store and manage secrets
C. Use Secret Manager
D. Store secrets in encrypted Cloud Storage buckets
Answer: C

Secret Manager is purpose-built for storing, rotating, and managing secrets with fine-grained access control.

Why this answer

Option C is correct because Secret Manager provides a centralized, durable, and scalable solution for storing and managing secrets across projects. Option D is wrong because storing secrets in Cloud Storage with encryption still requires managing access and does not offer built-in versioning or rotation. Option A is wrong because hardcoding secrets in code is insecure.

Option B is wrong because Cloud KMS is for managing encryption keys, not secrets.

15
MCQ · easy

An engineer notices that traffic on port 80 is not reaching instances with the tag 'http-server'. The instances have external IPs and are in the default VPC. What could be the reason?

A. The sourceRanges does not include the instance's public IP.
B. The targetTags are not applied to the instances.
C. A deny rule with a lower priority number (higher priority) exists and blocks the traffic.
D. The direction should be EGRESS.
Answer: C

A deny rule with higher priority can override this allow rule.

Why this answer

Option C is correct because if a deny rule with a lower priority number (higher priority) exists, it will block traffic despite the allow rule. Option A is incorrect because sourceRanges includes all IPs. Option B is incorrect because the rule targets the correct tags.

Option D is incorrect because direction is correctly INGRESS for incoming traffic.
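Questions 11, 12 and 15 all turn on the same evaluation order: among the rules that apply to a VM, the one with the lowest priority number wins, and a deny beats an allow at equal priority. The following added example (not code from this page or from Google) models that order over constructed rules that resemble the default network's rules plus the deny rules the questions describe; the `Rule` class, rule names and address ranges are assumptions for illustration.

```python
"""Constructed model of VPC firewall ingress evaluation (illustration, not Google's code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple

# (protocol, inclusive port range); None as the range means all ports or a portless protocol
ProtoPort = Tuple[str, Optional[Tuple[int, int]]]


@dataclass
class Rule:
    name: str
    priority: int                 # 0-65535; a LOWER number is evaluated first
    action: str                   # "allow" or "deny"
    source_ranges: List[str]      # CIDR blocks the packet's source must fall in
    matches: List[ProtoPort]      # protocols/ports the rule applies to
    target_tags: List[str] = field(default_factory=list)  # empty = every VM in the network

    def applies_to(self, src_ip: str, proto: str, port: int, vm_tags: Sequence[str]) -> bool:
        if self.target_tags and not set(self.target_tags) & set(vm_tags):
            return False
        if not any(ip_address(src_ip) in ip_network(r) for r in self.source_ranges):
            return False
        for rule_proto, ports in self.matches:
            if rule_proto == "all":
                return True
            if rule_proto == proto and (ports is None or ports[0] <= port <= ports[1]):
                return True
        return False


# Every VPC network carries an implied ingress deny at the lowest possible priority.
IMPLIED_DENY_INGRESS = Rule("implied-deny-ingress", 65535, "deny", ["0.0.0.0/0"], [("all", None)])


def ordered_matches(rules, src_ip, proto, port, vm_tags=()):
    """Applicable rules in evaluation order: priority ascending, deny before allow on ties."""
    hits = [r for r in list(rules) + [IMPLIED_DENY_INGRESS] if r.applies_to(src_ip, proto, port, vm_tags)]
    return sorted(hits, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))


def evaluate_ingress(rules, src_ip, proto, port, vm_tags=()):
    """Return (action, rule name) of the rule that decides the packet."""
    winner = ordered_matches(rules, src_ip, proto, port, vm_tags)[0]
    return winner.action, winner.name


# Constructed rule set in the spirit of question 11: the default network's
# default-allow-internal (65534) plus a custom deny-all for TCP from 10.0.0.0/8 at 2000.
DEFAULT_NETWORK = [
    Rule("default-allow-internal", 65534, "allow", ["10.128.0.0/9"],
         [("tcp", (0, 65535)), ("udp", (0, 65535)), ("icmp", None)]),
    Rule("deny-all", 2000, "deny", ["10.0.0.0/8"], [("tcp", (0, 65535))]),
]

# Constructed rule set in the spirit of question 15: an allow for tcp:80 targeting the
# 'http-server' tag, shadowed by a deny that carries a lower priority number.
WEB_RULES = [
    Rule("allow-http", 1000, "allow", ["0.0.0.0/0"], [("tcp", (80, 80))], ["http-server"]),
    Rule("deny-http-from-blocklist", 500, "deny", ["198.51.100.0/24"], [("tcp", (80, 80))]),
]


if __name__ == "__main__":
    # SSH sourced inside the default network is denied because 2000 < 65534.
    print(evaluate_ingress(DEFAULT_NETWORK, "10.128.0.5", "tcp", 22))
    # The same packet once the deny rule is gone: the allow rule decides.
    print(evaluate_ingress(DEFAULT_NETWORK[:1], "10.128.0.5", "tcp", 22))
    # Port 80 from the blocklisted range is denied despite allow-http.
    print(evaluate_ingress(WEB_RULES, "198.51.100.7", "tcp", 80, ["http-server"]))
    # A VM without the target tag falls through to the implied deny.
    print(evaluate_ingress(WEB_RULES, "203.0.113.9", "tcp", 80, []))
```

`ordered_matches` is the troubleshooting view: when an allow rule is not taking effect, the rules listed before it are the ones shadowing it.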

16
Multi-Select · easy

Which THREE components are customer responsibilities under the Google Cloud Shared Responsibility Model for IaaS? (Choose 3.)

Select 3 answers
A. Security of virtual network controls
B. Security of application code
C. Physical security of data centers
D. Security of the hypervisor
E. Security of guest operating system
Answers: A, B, E

Customers configure firewall rules, VPCs, etc.

Why this answer

Option A is correct because under the IaaS shared responsibility model, the customer is responsible for configuring and managing virtual network controls such as firewalls, route tables, and network ACLs. Google Cloud provides the underlying network infrastructure, but the customer must secure traffic flows and access policies within their VPC.

Exam trap

Google Cloud often tests the misconception that physical security or hypervisor security is a shared responsibility, when in fact these are exclusively the provider's domain under IaaS.

17
Matching · medium

Match each security command center tier to its capabilities.

Free, includes basic vulnerability scanning and findings

Paid, includes threat detection, event threat detection, and container threat detection

Paid, includes all Premium features plus security posture, asset inventory, and compliance

Built-in vulnerability scanning and misconfiguration detection

Detects threats from Cloud Logging and DNS logs

Why these pairings

These are Security Command Center tiers and their features.

18
MCQ · medium

A financial firm uses Cloud Deployment Manager to manage their Google Cloud infrastructure. They have a strict change management policy requiring that all infrastructure changes in the production environment must be reviewed and approved by a senior engineer before being applied. Currently, developers can modify the Deployment Manager configurations directly, leading to unapproved changes. The company wants to enforce this policy without impacting development agility. What should they implement?

A. Use Deployment Manager snapshots to roll back changes if needed.
B. Set up Cloud Audit Logs to monitor changes and alert on unauthorized modifications.
C. Use organization policies to restrict access to the Deployment Manager service.
D. Use a CI/CD pipeline with Cloud Build and require approval gates.
Answer: D

A CI/CD pipeline enforces a workflow where changes go through review and approval before deployment, satisfying the policy.

Why this answer

A CI/CD pipeline with Cloud Build can include manual approval gates that block deployments until approved. This enforces change review while allowing development to proceed. Option C is incorrect because organization policies would block all Deployment Manager usage, including in development.

Option B is incorrect because auditing only monitors changes but does not prevent them. Option A is incorrect because snapshots allow rollback but do not prevent unapproved changes.

19
MCQ · hard

A security engineer is designing a VPC Service Controls perimeter to protect a project containing sensitive data stored in Cloud Storage and BigQuery. The perimeter currently allows access from an on-premises data center via private connectivity (Cloud Interconnect). The business requires that a third-party SaaS application (outside the perimeter) be able to write data into a specific Cloud Storage bucket. Which action should the engineer take?

A. Create a service account for the SaaS application and grant it the Storage Object Creator role; then add the service account to the perimeter's allowed identities.
B. Create a service account for the SaaS application, grant it the Storage Object Creator role, and configure an access level that includes the service account. Then, add that access level to the perimeter's ingress policy.
C. Create an access level that includes the SaaS application's IP addresses and use that in the perimeter's ingress policy.
D. Add the SaaS application's external IP addresses to the perimeter's allowed IP ranges.
Answer: B

VPC Service Controls ingress policies can use access levels based on service accounts. This allows the specific service account to write to the bucket while maintaining the perimeter.

Why this answer

Option B is correct because VPC Service Controls perimeters use ingress policies to explicitly allow access from outside the perimeter. By creating a service account for the SaaS application, granting it the Storage Object Creator role, and configuring an access level that includes that service account, the engineer can add the access level to the perimeter's ingress policy. This allows the external SaaS application to write data into the specific Cloud Storage bucket while still blocking all other external access, maintaining the security of the sensitive data.

Exam trap

Google Cloud often tests the distinction between VPC Service Controls and IAM permissions, where candidates mistakenly think that granting IAM roles and adding identities to the perimeter is sufficient, ignoring the requirement for explicit ingress policies to allow external access.

How to eliminate wrong answers

Option A is wrong because simply adding the service account to the perimeter's allowed identities does not create an ingress rule; VPC Service Controls require an explicit ingress policy to allow traffic from outside the perimeter, and allowed identities alone cannot bypass the perimeter for external entities. Option C is wrong because using the SaaS application's IP addresses in an access level and ingress policy would allow access based on source IP, but the SaaS application likely uses dynamic IPs or operates from multiple IP ranges, making IP-based access control unreliable and less secure than identity-based access. Option D is wrong because VPC Service Controls do not support adding external IP addresses to 'allowed IP ranges' within the perimeter; the perimeter blocks all traffic from outside by default, and IP-based exceptions are not a feature of VPC Service Controls—this misconception confuses VPC firewall rules with VPC Service Controls.

20
MCQ · medium

An organization has hundreds of Google Cloud projects and wants to enforce a uniform firewall rule that blocks outbound traffic to known malicious IP addresses. They want to centrally manage this rule without manually applying it to each VPC. What should they do?

A. Create a hierarchical firewall rule at the organization or folder level.
B. Use Organization Policies to block the IP addresses.
C. Create a global VPC firewall rule in each project using Deployment Manager.
D. Use Shared VPC and configure firewall rules in the host project.
Answer: A

Hierarchical firewall rules are inherited by all VPCs under that node.

Why this answer

Option A is correct because hierarchical firewall rules can be applied at the folder or organization level, allowing central management. Option C is incorrect because global VPC firewall rules still need to be applied per network or per project. Option B is incorrect because Organization Policies do not manage firewall rules.

Option D is incorrect because Shared VPC does not enforce rules on all projects.

21
Multi-Select · easy

Which TWO of the following are valid methods to automate responses to Cloud Security Command Center findings?

Select 2 answers
A. Create a Cloud Function that is triggered by a Pub/Sub topic receiving SCC notifications.
B. Set up Cloud Tasks to process SCC findings and send alerts.
C. Configure Cloud Run to directly receive webhooks from SCC.
D. Use Eventarc to trigger a Cloud Run job based on SCC findings.
E. Use Cloud Scheduler to periodically query SCC and trigger a Cloud Run service.
Answers: A, D

Standard pattern for automated response.

Why this answer

Options A and D are correct. Cloud Functions can subscribe to SCC notifications via Pub/Sub, and Eventarc triggers can react to findings. Option E is incorrect because Cloud Scheduler is for scheduled jobs.

Option C is incorrect because Cloud Run does not directly integrate with SCC. Option B is incorrect because Cloud Tasks is for task distribution, not direct response.

22
Multi-Select · medium

A company uses Cloud Armor to protect their HTTP(S) load balancer. They want to block requests from a specific geographic region. Which TWO actions should they take? (Choose 2)

Select 2 answers
A. Create a security policy with a geo-match condition for the region.
B. Enable Cloud CDN and set geo-restrictions.
C. Attach the security policy to the backend service.
D. Configure the load balancer to use a custom header for geo-blocking.
E. Add a rule in the security policy with deny action and priority lower than the default.
Answers: A, C

The geo-match condition specifies the geographic region to block or allow.

Why this answer

Options A and C are correct. To block requests by geography in Cloud Armor, you create a security policy with a geo-match condition (A) and then attach that policy to the backend service (C). Option E is incorrect because the deny rule should have a higher priority (lower number) than the default rule, not lower.

Option D is unnecessary. Option B is incorrect because Cloud CDN geo-restrictions affect caching, not request blocking.

23
MCQ · medium

A company is migrating to Google Cloud and wants to ensure that all service account keys are rotated automatically every 90 days. The security engineer needs to implement a solution that detects keys older than 90 days and notifies the security team. What is the most efficient way to achieve this?

A. Use Cloud Monitoring to query the IAM API for key creation timestamps and trigger an alert
B. Use Cloud Asset Inventory to list service account keys, then run a Cloud Scheduler job that invokes a Cloud Function to check key ages and send notifications
C. Create a log-based metric for service account key creation and set up an alert in Cloud Monitoring
D. Configure a custom role in Cloud IAM that denies access to keys older than 90 days
Answer: B

This combination efficiently checks key ages periodically and alerts.

Why this answer

Option B is correct because Cloud Asset Inventory can list all service account keys and their creation timestamps, and a Cloud Scheduler job can trigger a Cloud Function to check key ages against the 90-day threshold and send notifications via email or Slack. This approach is efficient as it uses serverless components and avoids polling the IAM API repeatedly, which would be less scalable and more complex.

Exam trap

Google Cloud often tests the distinction between detecting key creation events (Option C) and detecting key age, leading candidates to mistakenly choose a log-based metric that only triggers on creation, not on the passage of time.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring cannot directly query the IAM API for key creation timestamps; it relies on metrics and logs, not API queries, and would require custom metric ingestion, making it inefficient. Option C is wrong because a log-based metric for key creation only detects when keys are created, not their age, so it cannot identify keys older than 90 days. Option D is wrong because IAM custom roles cannot deny access based on key age; they define permissions, not conditional access based on time, and this approach would not detect or notify about old keys.

24
MCQ · hard

A large financial institution runs a critical application on Google Kubernetes Engine (GKE) clusters. Their security policy requires that all container images must be scanned for vulnerabilities and must come from a trusted artifact registry. They use Cloud Build to automatically build images from a CI/CD pipeline and push them to Artifact Registry. They want to enforce that only images that have passed vulnerability scanning and are signed can be deployed to the GKE cluster. Currently, they have set up Cloud Build to automatically tag images with a 'latest' tag on successful build, but they need a mechanism to prevent deployment of unsigned or vulnerable images. They also want to audit any attempts to deploy non-compliant images. What should they do?

A. Use Cloud NAT to control which images can be pulled by GKE nodes.
B. Configure GKE policy to only allow images from a specific Artifact Registry repository and enable vulnerability scanning.
C. Use Cloud IAP to block nodes from pulling non-compliant images.
D. Enable Binary Authorization on the GKE cluster, create Attestations for images that pass vulnerability scanning and signing in Cloud Build, and configure admission control to require attestations.
Answer: D

Binary Authorization enforces that only attested images can be deployed.

Why this answer

Option D is correct because combining Binary Authorization with attestations produced after vulnerability scanning and signing enables enforcement at admission time. Option A is incorrect because Cloud NAT is for outbound traffic, not image enforcement. Option B is incorrect because GKE policy does not natively enforce image contracts.

Option C is incorrect because IAP is for access, not for image verification.

25
Multi-Select · medium

A company is using Cloud Run for a containerized application. They notice increased latency during peak hours. The operations team wants to identify the root cause. Which two steps should they take?

Select 2 answers
A. Enable Cloud Logging and use Logs Explorer to query request latency for each endpoint.
B. Use Cloud Profiler to continuously profile the application code and identify performance bottlenecks.
C. Implement Cloud Armor security policies to protect against DDoS attacks.
D. Set up a Cloud Monitoring dashboard to visualize CPU utilization for the Cloud Run service.
E. Enable VPC Flow Logs to analyze network traffic to and from the Cloud Run service.
Answers: A, B

Logs can show request latency, helping identify slow endpoints.

Why this answer

Option A is correct because Cloud Logging with Logs Explorer allows the operations team to query and analyze request latency per endpoint, which is essential for identifying which specific endpoints contribute to increased latency during peak hours. This granular visibility into request-level performance helps pinpoint the root cause of latency issues in a Cloud Run service.

Exam trap

Google Cloud often tests the distinction between monitoring (e.g., CPU utilization) and diagnostic tools (e.g., logging and profiling), leading candidates to choose a monitoring dashboard (Option D) when they need granular request-level analysis.

26
MCQ · easy

A company is experiencing high latency on their HTTPS Load Balancer. Which action is most likely to resolve the issue?

A. Increase the machine type of the backend instances
B. Verify that the backend instances pass health checks
C. Modify the SSL policy for the load balancer
D. Add more backend instances in additional zones
Answer: B

Unhealthy backends cause the load balancer to retry or route to other instances, increasing latency. Fixing health checks is a primary step.

Why this answer

Option B is correct because health check failures can cause traffic to be routed to unhealthy backends, leading to latency. Option A is wrong because increasing instance size may help but is not the first step. Option D is wrong because adding more zones distributes load but doesn't address underlying health.

Option C is wrong because changing the SSL policy affects encryption, not latency.

27
MCQ · hard

A security administrator needs to audit all changes to IAM policies across the organization. They want to detect when a policy binding is added that grants a sensitive role to a user outside the organization. What is the most efficient method?

A. Use Cloud Asset Inventory to monitor IAM policy changes and trigger Cloud Functions.
B. Create a log sink to export Admin Activity audit logs to BigQuery and run queries for setIamPolicy events.
C. Enable Data Access audit logs for all services and filter for policy changes.
D. Set up VPC Service Controls to prevent external access.
Answer: B

Admin Activity logs include all IAM policy changes; BigQuery enables efficient querying to find specific bindings.

Why this answer

Option B is correct because Admin Activity audit logs capture all setIamPolicy calls, and exporting them to BigQuery allows for powerful querying to detect specific changes. Option A is incorrect because Cloud Asset Inventory can monitor policy changes, but setting up feeds and triggers is more complex. Option C is incorrect because Data Access audit logs are for data access, not admin changes.

Option D is incorrect because VPC Service Controls are for perimeter security, not auditing.
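Questions 2 and 27 both come down to reading the same fields of an Admin Activity audit log entry: `protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, and, for setIamPolicy calls, the binding deltas that record which role was added for which member. The following added example (not code from this page or from Google, and not the BigQuery query the answer refers to) parses constructed entries in that shape and flags bindings that grant a sensitive role to an identity outside the organization; the sample entries, the domain `example.com`, the project list and the sensitive-role set are assumptions for illustration.

```python
"""Constructed Admin Activity audit log triage (illustration, not Google's code)."""
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample entries modeled on the protoPayload shape of Cloud Audit Logs.
SAMPLE_ENTRIES = [json.loads(s) for s in (
    '''{"protoPayload": {"methodName": "v1.compute.instances.delete",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "resourceName": "projects/example-project/zones/us-central1-a/instances/instance-1"}}''',
    '''{"protoPayload": {"methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "resourceName": "projects/example-project",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/owner", "member": "user:contractor@partner.example.net"},
            {"action": "ADD", "role": "roles/viewer", "member": "user:bob@example.com"}]}}}}''',
    '''{"protoPayload": {"methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "deploy@example-project.iam.gserviceaccount.com"},
        "resourceName": "projects/example-project",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "REMOVE", "role": "roles/editor", "member": "user:old@partner.example.net"},
            {"action": "ADD", "role": "roles/editor", "member": "allUsers"},
            {"action": "ADD", "role": "roles/editor",
             "member": "serviceAccount:ci@example-project.iam.gserviceaccount.com"}]}}}}''',
)]

SENSITIVE_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}  # assumed watch list
OWN_PROJECTS = {"example-project"}  # assumed: service accounts in these projects are ours


def summarize(entry: Dict) -> Tuple[str, str, str]:
    """Question 2's reading of an entry: (what method, which principal, on which resource)."""
    p = entry["protoPayload"]
    return p["methodName"], p["authenticationInfo"]["principalEmail"], p["resourceName"]


def is_external(member: str, org_domain: str, own_projects=OWN_PROJECTS) -> bool:
    """True for IAM members that do not belong to the organization."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True                      # public grants are always external
    kind, _, identity = member.partition(":")
    if kind == "domain":
        return identity != org_domain
    if kind == "serviceAccount":
        # name@<project>.iam.gserviceaccount.com: judge by the owning project
        project = identity.split("@", 1)[-1].split(".", 1)[0]
        return project not in own_projects
    # user: and group: members are judged by their e-mail domain
    return not identity.endswith("@" + org_domain)


def external_sensitive_grants(entries: Iterable[Dict], org_domain: str,
                              sensitive_roles=SENSITIVE_ROLES) -> List[Tuple[str, str, str, str]]:
    """Question 27's detection: ADD deltas of a sensitive role to an external member.

    Returns (principal who changed the policy, member granted, role, resource).
    """
    findings = []
    for entry in entries:
        p = entry["protoPayload"]
        if not p["methodName"].lower().endswith("setiampolicy"):
            continue
        deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            if d["action"] != "ADD" or d["role"] not in sensitive_roles:
                continue
            if is_external(d["member"], org_domain):
                findings.append((p["authenticationInfo"]["principalEmail"],
                                 d["member"], d["role"], p["resourceName"]))
    return findings


if __name__ == "__main__":
    print(summarize(SAMPLE_ENTRIES[0]))
    for finding in external_sensitive_grants(SAMPLE_ENTRIES, "example.com"):
        print("sensitive role granted outside the org:", finding)
```

Google-managed service agents live in Google-owned projects, so with this simple project check they would be reported as external; a production version would carry an allow list for them.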

28
MCQ · hard

Your Cloud SQL PostgreSQL instance is experiencing high replication lag between primary and read replica. You have verified the network and instance metrics. What is a likely cause?

A. The replica is using a different machine type
B. Long-running queries on the replica
C. The replica has point-in-time recovery enabled
D. The primary has automated backups enabled
Answer: B

Long-running queries can hold locks and prevent replay of WAL from primary.

Why this answer

Long-running queries on the replica can block the apply process, increasing lag. Other options do not directly affect replication lag.

29
MCQ · medium

A company runs a critical application on Compute Engine instances in a managed instance group (MIG) behind an external TCP/UDP Network Load Balancer. The security team requires that all traffic to the instances be inspected by a third-party next-generation firewall (NGFW) that is not yet deployed. Which architecture should the security engineer implement to meet the requirement with minimal disruption to traffic?

A.Deploy the NGFW as a Compute Engine instance in a separate instance group, and configure the load balancer to forward traffic to that instance group, which then forwards to the MIG.
B.Change the load balancer type to Internal TCP/UDP Load Balancer and route traffic through the NGFW.
C.Replace the Network Load Balancer with a proxy-based load balancer that can integrate with the NGFW via Traffic Director.
D.Use Cloud NAT and route all egress traffic through the NGFW.
AnswerA

This allows traffic inspection while preserving the load balancer frontend.

Why this answer

Option A is correct because it inserts the NGFW as a middlebox in the traffic path without changing the existing load balancer or instance group configuration. The external TCP/UDP Network Load Balancer forwards traffic to the NGFW instance group, which then inspects and forwards packets to the backend MIG. This preserves the original client IP via proxy protocol or encapsulation, meets the security requirement, and minimizes disruption by avoiding reconfiguration of the existing MIG or load balancer type.

Exam trap

Google Cloud often tests the misconception that you can simply change the load balancer type or use Cloud NAT to inspect ingress traffic, when in fact those solutions address different traffic directions or protocol requirements, and the correct approach is to insert the NGFW as a middlebox in the forwarding path without altering the existing load balancer or MIG configuration.

How to eliminate wrong answers

Option B is wrong because changing to an Internal TCP/UDP Load Balancer would make the application inaccessible from the internet, as internal load balancers only handle traffic within a VPC. Option C is wrong because replacing the Network Load Balancer with a proxy-based load balancer (e.g., HTTPS Load Balancer) would change the traffic type from TCP/UDP to HTTP/HTTPS, breaking the application if it uses non-HTTP protocols, and Traffic Director integrates with service mesh, not NGFW middlebox inspection. Option D is wrong because Cloud NAT handles only egress traffic from instances to the internet, not ingress traffic from clients to the application, so it cannot inspect incoming traffic from the load balancer.

30
MCQhard

A company uses a multi-region Cloud Storage bucket for disaster recovery of critical data. They want to prevent accidental deletion of objects by requiring that objects be retained for at least 7 days after creation, and any attempt to delete or overwrite an object during that period must fail. Which configuration meets these requirements?

A.Enable object versioning and set a lifecycle rule to delete old versions after 7 days.
B.Set a bucket lock with a retention policy of 7 days and lock the bucket.
C.Set a retention policy for 7 days and apply object holds to all objects at upload time.
D.Use a lifecycle rule to delete objects that are less than 7 days old as a way to block deletion.
AnswerC

Object holds prevent deletion until released; combined with retention policy ensures minimum duration.

Why this answer

Option C is correct because a 7-day retention policy rejects any delete or overwrite of an object until it is 7 days old, and adding an object hold at upload time keeps the object protected until the hold is explicitly released. Option B is incorrect because locking the retention policy makes it permanent and irreversible, which is stricter than the flexible retention the question asks for. Option A is incorrect because versioning alone does not prevent deletion; it keeps noncurrent versions for recovery but does not make the delete fail.

Option D is incorrect because lifecycle rules only delete objects or change their storage class when a condition is met; they cannot block a delete request.

31
Multi-Selecthard

An organization wants to ensure that all service accounts used by Compute Engine instances have the minimal permissions required. Which TWO practices should be implemented? (Choose 2)

Select 2 answers
A.Attach service accounts to instances using the gcloud compute instances set-service-account command after creation.
B.Use the default compute service account and restrict its scopes.
C.Use Access Transparency to audit service account usage.
D.Create custom service accounts with only the needed roles.
E.Disable service account key creation for service accounts.
AnswersD, E

Custom service accounts allow fine-grained permissions; disabling key creation removes the long-lived credential.

Why this answer

Options D and E are correct. Creating custom service accounts with only the needed roles (D) ensures minimal permissions. Disabling service account key creation (E) reduces the risk of key exposure.

Option B is incorrect because the default Compute Engine service account is granted the broad Editor role by default, and access scopes are a legacy mechanism that cannot properly narrow IAM permissions. Option C is incorrect because Access Transparency logs access by Google personnel, not your service accounts' usage. Option A is incorrect because attaching a service account after creation is possible but does not by itself reduce permissions; the purpose-built account should be assigned when the instance is created.

32
MCQeasy

A company has a VPC with several subnets. They want to restrict traffic between instances in the same subnet using firewall rules while allowing traffic from a specific load balancer health check range. What is the best approach?

A.Create an ingress firewall rule denying all traffic from the subnet CIDR, then create a higher priority rule allowing traffic from the health check range.
B.Use hierarchical firewall policies to enforce the rule at the organization level.
C.Use VPC firewall rules with target tags to apply rules only to instances that need health checks.
D.Create a firewall rule that allows only health check traffic and deny all other ingress by default using implied deny.
AnswerD

This leverages the implied ingress deny rule at the end of firewall evaluation: only the explicitly allowed health check traffic is permitted, and all other ingress is denied by default.

Why this answer

Option D is correct because every VPC network has an implied deny-all ingress rule at the lowest priority (65535); allowing only the health check ranges and relying on the implied deny for everything else is the simplest and most secure approach. Note that the default network ships with a default-allow-internal rule that would permit same-subnet traffic; it must be removed for the implied deny to take effect. Option A is unnecessarily complex: the explicit subnet-wide deny duplicates what the implied deny already does, and if the deny ends up with the lower priority number it blocks the health checks as well. Option C is incorrect because target tags only scope which instances a rule applies to; they do not by themselves restrict traffic inside the subnet.

Option B is incorrect because hierarchical firewall policies are for organization- and folder-level rules, not for this subnet-specific restriction.

33
MCQhard

A company uses Cloud Identity-Aware Proxy (IAP) to secure access to their web applications. They notice that some users are able to access the application even though they are not in the IAP access policy. What could be the cause?

A.The users have been granted the 'roles/iap.httpsResourceAccessor' role at the folder level.
B.The load balancer is not using HTTPS.
C.The users are using a service account that has the 'roles/iap.httpsResourceAccessor' role.
D.The backend service has an external IP address and firewall rule allowing public access.
AnswerD

Direct access to the backend bypasses IAP, allowing unauthorized users.

Why this answer

Option D is correct because a backend with an external IP address and a firewall rule that allows public traffic can be reached directly, bypassing the load balancer and therefore IAP entirely; the backend should accept traffic only from the load balancer's proxy ranges. Option A is not a bypass: a role granted at the folder level is inherited, so those users are legitimately in the effective IAP policy. Option B would cause IAP to fail for all users rather than admit extra ones.

Option C is likewise a legitimate grant, not a bypass.

34
MCQeasy

A developer accidentally deleted a Cloud SQL instance. The organization has automated backups enabled. How can the DBA restore the instance?

A.The instance cannot be restored because deletion is permanent.
B.Use the gcloud sql backups restore command with the backup ID.
C.Use the Cloud Console to restore from backup of the deleted instance.
D.Create a new instance and then import the backup from Cloud Storage.
AnswerB

This command restores a backup to a new instance, effectively recovering the deleted instance.

Why this answer

Option B is correct because backups of a deleted Cloud SQL instance are retained for a limited period and gcloud sql backups restore can restore one of them to a new instance by backup ID. Option A is incorrect because restoration is possible. Option D is incorrect because import is a manual process that requires an existing instance and an export file in Cloud Storage, which is less direct.

Option C is incorrect because the Cloud Console lists backups only for existing instances and does not support restoring a deleted instance directly.

35
MCQhard

A large enterprise is migrating its on-premises Active Directory to Google Cloud using Managed Microsoft AD (Microsoft AD). They have established a VPN connection between their on-premises network and VPC. The domain controllers are fully synced, and users can authenticate from on-premises. However, applications running on Compute Engine VMs in the same VPC as Managed Microsoft AD are failing to authenticate using LDAP. The VMs are Linux-based and configured to use the Managed Microsoft AD domain for authentication via SSSD. The security team has verified that the firewall rules allow TCP/UDP 389 and 636 from the VMs to the Managed Microsoft AD IP addresses. The VMs can resolve the domain name (corp.example.com) to the correct IP of the Managed Microsoft AD domain controllers. What is the most likely cause of the authentication failure?

A.The VMs do not have the required network tag to allow inbound traffic from Managed Microsoft AD.
B.The VPN tunnel does not support LDAP traffic.
C.The DNS resolution returns the on-premises domain controller IP instead of the Managed Microsoft AD IP.
D.The Managed Microsoft AD service account does not have the 'domain controller' IAM role.
AnswerA

Managed Microsoft AD uses firewall rules with target tags. Without the tag, traffic is blocked.

Why this answer

Managed Microsoft AD in Google Cloud uses internal VPC IP addresses for its domain controllers. For Linux VMs using SSSD to authenticate via LDAP, the VMs must be able to initiate outbound LDAP traffic to the Managed Microsoft AD IPs, and the Managed Microsoft AD service must be able to respond. However, Managed Microsoft AD enforces network security by requiring that only VMs with a specific network tag (by default 'allow-ad') can receive inbound traffic from the Managed Microsoft AD service.

Without this tag on the VMs, the Managed Microsoft AD service will drop its response packets, causing authentication failures even though outbound firewall rules are open. The security team verified firewall rules for outbound traffic but missed this inbound tag requirement.

Exam trap

Google Cloud often tests the nuance that Managed Microsoft AD requires a specific network tag on client VMs for inbound LDAP responses, which candidates overlook because they focus only on outbound firewall rules or DNS resolution.

How to eliminate wrong answers

Option B is wrong because VPN tunnels operate at Layer 3 and do not inspect or block specific protocols like LDAP; they simply encapsulate IP packets. Option C is wrong because the question explicitly states that DNS resolution returns the correct IP of the Managed Microsoft AD domain controllers, not the on-premises IP. Option D is wrong because Managed Microsoft AD does not use IAM roles for domain controller permissions; it uses a service account for provisioning, but authentication within the domain is handled by Active Directory itself, not IAM.

36
Multi-Selecthard

A security engineer is responding to a data breach where an attacker exfiltrated data from a Cloud Storage bucket. Which TWO steps should the engineer take to contain the breach and preserve evidence? (Choose TWO.)

Select 2 answers
A.Disable the bucket's public access.
B.Remove the bucket's IAM policies.
C.Delete the bucket to prevent further exfiltration.
D.Enable Cloud Audit Logs for data access.
E.Create a copy of the bucket's data to a new bucket.
AnswersA, E

Disabling public access prevents further unauthorized reads; the copy preserves evidence.

Why this answer

Options A and E are correct. Disabling public access stops further exfiltration, and copying the bucket's data to a new bucket preserves it for forensics. Removing IAM policies (B) may disrupt analysis.

Enabling logs (D) after the breach won't capture past events. Deleting the bucket (C) destroys evidence.

37
MCQeasy

A security administrator needs to ensure that all service account keys older than 90 days are automatically disabled to reduce the risk of key compromise. Which Google Cloud service should be used to implement this policy?

A.Cloud Secret Manager
B.Organization Policy Service
C.Cloud IAM
D.Cloud Key Management Service
AnswerB

Organization Policy constraints can disable service account key creation and set a maximum expiry duration for newly created keys.

Why this answer

Option B is correct because Organization Policy constraints can enforce key hygiene at the organization, folder or project level: one constraint disables service account key creation, another sets an expiry duration after which new keys stop working. Option C is incorrect because IAM itself has no key lifecycle policy; keys must be found and disabled one by one. Option A is incorrect because Secret Manager stores application secrets and does not manage service account keys.

Option D is incorrect because Cloud Key Management Service manages cryptographic keys for encryption and signing, not service account keys.

38
MCQeasy

A small startup recently moved their infrastructure to Google Cloud. They have a single project with a few Compute Engine instances running a web application. The security team wants to ensure that all SSH access to the instances is audited and that any failed SSH attempts are alerted in real time. They have enabled OS Login and are using Cloud Identity-Aware Proxy (IAP) for SSH access. However, they are not sure how to capture the audit logs for SSH sessions. What should they do?

A.Enable Data Access audit logs for the IAP service and filter the logs for SSH connection attempts.
B.Enable Serial Port access logs on the instances to capture SSH sessions.
C.Configure Cloud Monitoring to watch for SSH connections via agent metrics.
D.Enable guest attributes on the instances to log SSH attempts.
AnswerA

IAP TCP forwarding records each tunnel authorization in Data Access audit logs, which capture who connected to which instance and whether the request was allowed.

Why this answer

Option A is correct because IAP TCP forwarding writes its connection records as Data Access audit logs for the IAP service; these are off by default and must be enabled, after which a log-based alert on denied authorizations gives the real-time notification. Option D is incorrect because guest attributes carry instance metadata, not audit logs. Option C is incorrect because Cloud Monitoring agent metrics do not record individual SSH attempts.

Option B is incorrect because serial port output is a separate console stream and does not record IAP connections.

39
MCQhard

An organization uses Cloud NAT to allow private instances to access the internet. They notice that some connections are failing intermittently. What is a common cause?

A.The NAT IP address is exhausted because too many concurrent connections.
B.The NAT gateway does not support UDP traffic.
C.The VPC firewall rules block outbound traffic.
D.The instances are in a different region than the NAT gateway.
AnswerA

Port exhaustion from many concurrent connections can cause intermittent failures.

Why this answer

Option A is correct. Each Cloud NAT IP address provides a fixed pool of source ports, and each VM is assigned a minimum number of them (64 by default with static port allocation). When a VM's ports are all in use, new outbound connections are dropped, which appears as intermittent failures; adding NAT IP addresses, raising the per-VM port allocation, or enabling dynamic port allocation resolves it.

Option B is incorrect because Cloud NAT supports TCP, UDP and ICMP. Option D would produce consistent rather than intermittent failures: Cloud NAT is regional, so instances in another region would not use the gateway at all. Option C is unlikely because egress is permitted by the implied allow-egress rule unless a deny rule was added, and a firewall block would not be intermittent.

40
MCQeasy

A junior developer created a service account with the roles/storage.admin role and downloaded a JSON key. What is the best practice to improve security?

A.Delete the key and use workload identity federation.
B.Rotate the key every 30 days.
C.Use a user-managed service account instead.
D.Restrict the key's usage with IP allowlists.
AnswerA

Workload identity federation allows authentication without keys, improving security.

Why this answer

Option A is correct. The best practice is to delete the downloaded key and use Workload Identity Federation (or an attached service account for workloads that run on Google Cloud), which issues short-lived credentials and eliminates the long-lived key; the over-broad roles/storage.admin grant should be narrowed at the same time. Option D is not applicable: a JSON key cannot be restricted by IP allowlist.

Option B is partially true, but rotation only shortens the exposure window without removing the key. Option C does not help; the key already belongs to a user-managed service account, and the issue is the exported key, not the account type.

41
MCQhard

A financial services company runs a PCI DSS-compliant workload on Google Cloud. They use a service account with roles/container.clusterAdmin to manage a GKE cluster. The security team has enabled Binary Authorization with a policy that requires all container images to be signed by a trusted authority. Recently, a developer reported that a new deployment failed with the error: 'Image verification failed: no signature found for digest sha256:abc...'. The image is stored in Artifact Registry and the developer built it using Cloud Build with a trigger that automatically signs images using Cloud KMS. The Cloud Build service account has roles/cloudkms.signerVerifier and roles/binaryauthorization.attestorsViewer. The Binary Authorization policy is configured to require at least one attestation from the trusted attestor. What is the most likely reason for the failure?

A.The Cloud Build service account lacks the roles/binaryauthorization.attestorsEditor role.
B.The container image is stored in a different registry that is not supported by Binary Authorization.
C.The GKE cluster's node service account does not have permission to verify attestations.
D.The Binary Authorization policy requires an attestation from a different attestor that is not configured.
AnswerA

This role is required to create attestations. Without it, the image is never signed, so verification fails.

Why this answer

The Cloud Build service account has roles/cloudkms.signerVerifier and roles/binaryauthorization.attestorsViewer, which allow it to sign images and view attestors, but it lacks the roles/binaryauthorization.attestorsEditor role. Without this role, the service account cannot create or manage attestations in Binary Authorization, so even though the image is signed, no attestation is recorded, causing the policy to fail with 'no signature found'.

Exam trap

Google Cloud often tests the distinction between signing an image (which requires Cloud KMS permissions) and creating an attestation (which requires Binary Authorization attestor editor permissions), leading candidates to overlook the missing attestorsEditor role.

How to eliminate wrong answers

Option B is wrong because Artifact Registry is fully supported by Binary Authorization, and the error indicates the image is stored there. Option C is wrong because the node service account does not need to verify attestations; Binary Authorization enforcement happens at the admission controller level, not via node permissions. Option D is wrong because the policy is configured to require at least one attestation from the trusted attestor, and the issue is that no attestation was created, not that a different attestor is required.

42
MCQhard

A Cloud Function that processes financial data is timing out after 60 seconds. The function performs complex calculations and cannot be decomposed further. What is the best solution?

A.Migrate the function to Cloud Run with a longer timeout
B.Change the Cloud Functions runtime from Node.js to Python
C.Increase the allocated memory for the function
D.Increase the Cloud Functions timeout to 120 seconds and optimize the code
AnswerD

Cloud Functions timeouts are configurable (up to 540 seconds in 1st gen, up to 60 minutes for 2nd gen HTTP functions); raising the timeout and optimizing the code addresses the problem directly.

Why this answer

Option D is correct because the 60-second limit is the function's configured timeout, not a hard ceiling: 1st gen functions allow up to 540 seconds and 2nd gen HTTP functions up to 60 minutes, so raising it to 120 seconds and optimizing the code resolves the timeout with the least change. Option B is wrong because changing the runtime language does not inherently reduce execution time. Option A is wrong because Cloud Run also supports long request timeouts, but migrating means containerizing and redeploying the workload, which is more disruptive than adjusting the function.

Option C is wrong because more memory (and the CPU allocated with it) may speed the function up but does not change the 60-second timeout that is causing the failure.

43
MCQmedium

A company runs a batch processing workload on Compute Engine VMs for 6 months. They want to reduce costs without sacrificing performance. Which option should they implement?

A.Switch to preemptible VMs
B.Use sole-tenant nodes to share resources across projects
C.Migrate to custom machine types to eliminate wasted resources
D.Purchase committed use discounts for the relevant machine types and regions
AnswerD

CUDs offer up to 57% discount for stable workloads with a commitment, directly reducing costs.

Why this answer

Option D is correct because committed use discounts (CUDs) provide significant discounts in exchange for a 1- or 3-year commitment, ideal for steady-state workloads. Option A is wrong because preemptible VMs are not suitable for long-running batch jobs due to termination risk. Option C is wrong because custom machine types may optimize resource use but do not offer discounts like CUDs.

Option B is wrong because sole-tenant nodes isolate VMs on dedicated hardware and cost more, not less.

44
MCQeasy

A security engineer is reviewing a log entry in Cloud Logging with the above filter. The engineer wants to understand why this specific log entry was generated. Which action most likely caused this log entry?

A.An SSH login attempt failed due to incorrect credentials
B.A firewall rule blocked incoming traffic to the instance
C.An IAM policy change granted a user compute.instances.start access
D.A user stopped the Compute Engine instance
AnswerD

Stopping an instance generates an activity log entry.

Why this answer

The log entry was generated because a user stopped the Compute Engine instance. In Cloud Logging, instance lifecycle events such as STOP, START, or RESET are recorded with the method `compute.instances.stop`. This specific log entry matches the filter criteria (e.g., `protoPayload.methodName="v1.compute.instances.stop"`), indicating that the action was a stop operation, not a failure or policy change.

Exam trap

The trap here is that candidates may confuse the log entry's method name with a security-related event (like failed SSH or firewall block) because they overlook that the filter explicitly targets Compute Engine instance operations, not network or IAM events.

How to eliminate wrong answers

Option A is wrong because an SSH login failure would generate a log entry related to `ssh` or `oslogin` authentication, not a Compute Engine instance stop event. Option B is wrong because a firewall rule blocking traffic would produce a log entry under VPC firewall rules or packet rejection, not an instance lifecycle method. Option C is wrong because an IAM policy change granting `compute.instances.start` access would be logged under `google.iam.admin.v1.SetIamPolicy` or similar IAM methods, not `compute.instances.stop`.

45
MCQmedium

A company is using Cloud Composer (Airflow) to orchestrate data pipelines. A DAG is failing with a 'Task received SIGTERM' error. What is the most likely cause?

A.The worker node was preempted
B.The task exceeded its execution timeout
C.The task ran out of memory
D.The Airflow scheduler crashed
AnswerB

Airflow sends SIGTERM to tasks that exceed their execution timeout.

Why this answer

SIGTERM is sent when a task exceeds its execution timeout. Other causes produce different signals.

46
MCQeasy

Which service provides a centralized view of all resource configurations and IAM policies across projects?

A.Cloud Security Command Center
B.Cloud Asset Inventory
C.Cloud Audit Logs
D.Access Transparency
AnswerB

Cloud Asset Inventory captures snapshots of all resources and their IAM policies.

Why this answer

Option B is correct. Cloud Asset Inventory provides a centralized view of all resources and their IAM policies across projects, including point-in-time snapshots and change history. Option A, Security Command Center, surfaces security findings and vulnerabilities, not a full inventory.

Option D, Access Transparency, logs access by Google personnel. Option C, Cloud Audit Logs, records API calls but is not a point-in-time inventory.

47
MCQmedium

A company is using Cloud Monitoring to track latency of a microservice. They notice a sudden spike in the 99th percentile latency but no change in request count. What is the most likely cause?

A.A single slow query to a backend database
B.A pod restart in GKE
C.A misconfigured health check causing 503s
D.A DDoS attack
AnswerA

A slow query can increase tail latency, affecting p99 while average may remain low.

Why this answer

A single slow query to a backend database can increase p99 latency without affecting request count. Other options would affect availability or count.

48
Multi-Selecteasy

Which TWO actions should you take to reduce the attack surface of a Compute Engine VM? (Choose 2.)

Select 2 answers
A.Remove public IP addresses
B.Enable Secure Boot
C.Enable Instance Termination Action
D.Use preemptible VMs
E.Enable Virtual Trusted Platform Module (vTPM)
AnswersA, B

Removing public IP eliminates a direct attack vector from the internet.

Why this answer

Removing public IP and enabling Secure Boot reduce exposure. vTPM and other options do not directly reduce attack surface.

49
Multi-Selectmedium

A security engineer is investigating a potential data breach in a Google Cloud environment. The engineer suspects that a compromised service account key was used to access Cloud Storage buckets. Which TWO actions should the engineer take immediately to mitigate the risk?

Select 2 answers
A.Disable the service account
B.Revoke all IAM roles granted to the service account
C.Rotate the service account key
D.Delete the compromised service account key
E.Enable Cloud Audit Logs for the service account
AnswersA, D

Disabling the service account immediately revokes all access for that account.

Why this answer

Disabling the service account (A) immediately stops all access using any of its keys, including the compromised one, without deleting the account or its configuration. This is the fastest way to block the attacker while preserving the ability to investigate and re-enable the account later if needed. In Google Cloud, disabling a service account is a reversible action that revokes all authentication and authorization for that identity. Deleting the compromised key (D) invalidates that specific credential immediately and irreversibly, so the attacker cannot use it even after the account is re-enabled. Rotating the key (C) creates a new key but does not by itself invalidate the old one, revoking all roles (B) is broader than needed and disrupts legitimate workloads, and enabling audit logs (E) does not stop ongoing access.

Exam trap

Google Cloud often tests the distinction between disabling a service account (which stops all access immediately) versus deleting or rotating a key (which may leave other keys or a window of exposure), and candidates mistakenly choose 'rotate the key' thinking it invalidates the old key, but rotation alone does not delete the old key.

50
MCQhard

Refer to the exhibit. This IAM policy is applied to a Google Cloud Storage bucket. Alice reports she cannot delete objects in the bucket. Bob can delete objects. What is the most likely reason?

A.The service account has objectAdmin role, but Bob is not a member.
B.The etag mismatch causes a conflict.
C.Bob has a higher role inherited from the project level.
D.Alice has only objectViewer role, which does not allow deletion.
AnswerD

The objectViewer role only allows read access to objects, not deletion.

Why this answer

Option D is correct. The policy shows Alice only in the roles/storage.objectViewer binding, which grants read permissions but not storage.objects.delete. Bob, although listed in the same binding, must have an additional grant elsewhere (for example at the project level) that includes delete.

Option C may explain why Bob can delete, but the question asks why Alice cannot, and the exhibit shows only this bucket policy. Option A is irrelevant because the service account's binding does not affect Alice's or Bob's permissions. Option B is incorrect; the etag only guards against concurrent policy modification and has no effect on object access.

51
MCQmedium

A company is migrating its on-premises Microsoft Active Directory to Google Cloud using Managed Microsoft AD (Microsoft AD). They need to ensure that users can authenticate to Compute Engine Windows instances using their on-premises credentials without additional user setup. What is the most secure and scalable approach?

A.Configure the Windows instances to join the on-premises AD domain directly via VPN.
B.Create a two-way trust between the Managed Microsoft AD domain and the on-premises AD domain.
C.Synchronize on-premises users to Managed Microsoft AD using Google Cloud Directory Sync (GCDS).
D.Store on-premises user credentials in Cloud KMS and use a custom authentication script.
AnswerB

A trust enables on-premises users to authenticate to resources in the cloud domain without duplicating identities.

Why this answer

Option B is correct because establishing a two-way trust between Managed Microsoft AD and the on-premises AD domain allows users to authenticate to Compute Engine Windows instances using their existing on-premises credentials without any additional user setup. This trust enables Kerberos authentication to flow seamlessly across the two domains, ensuring that on-premises users can access cloud resources securely and scalably without duplicating identities or credentials.

Exam trap

Google Cloud often tests the misconception that directory synchronization (like GCDS) is sufficient for authentication, but candidates must understand that synchronization alone does not enable single sign-on or credential validation—only a trust or federation (e.g., via Active Directory Federation Services) allows users to authenticate with their existing on-premises passwords.

How to eliminate wrong answers

Option A is wrong because joining Windows instances directly to the on-premises AD domain via VPN creates a single point of failure and introduces latency; it also requires persistent VPN connectivity and does not leverage the managed AD service, making it less scalable and less secure due to direct exposure of domain controllers over the VPN. Option C is wrong because Google Cloud Directory Sync (GCDS) only synchronizes user and group objects from on-premises AD to Managed Microsoft AD, but it does not establish a trust relationship; users would still need to be re-authenticated against the Managed Microsoft AD domain, and their passwords are not synced, so they cannot use their on-premises credentials without additional setup (e.g., password hash sync). Option D is wrong because storing on-premises user credentials in Cloud KMS and using a custom authentication script is insecure (credentials in plaintext or encrypted at rest but still exposed during runtime), unscalable (requires custom code and maintenance), and violates the principle of using managed services; it also does not integrate with Windows authentication protocols like Kerberos or NTLM.

52
MCQeasy

A company uses Cloud Monitoring to track latency on their Compute Engine instances. They notice a spike in latency every day at 2:00 PM. The operations team wants to automate the creation of a support ticket when this spike occurs. What should they do?

A.Create a Cloud Monitoring alert that sends a notification to a Pub/Sub topic, which triggers a Cloud Function that creates a ticket.
B.Create a Cloud Function that runs every minute to check latency and create a ticket.
C.Configure Cloud Tasks to periodically query the latency metric and create a ticket.
D.Use Cloud Scheduler to run a job that checks latency every hour and creates a ticket if spike is detected.
AnswerA

This is the standard pattern: alert -> Pub/Sub -> Cloud Function -> ticket creation.

Why this answer

Option A is correct because a Cloud Monitoring alerting policy fires when the metric crosses its threshold and can publish to a Pub/Sub notification channel, which triggers a Cloud Function that opens the ticket. Option B is incorrect because a function polling every minute is not driven by the alert and duplicates what Monitoring already does. Option D is incorrect because an hourly Cloud Scheduler job can miss a short spike and is not threshold-driven.

Option C is incorrect because Cloud Tasks is for asynchronous task execution, not for evaluating metrics.

53
MCQeasy

A company needs to isolate development and production workloads within the same Google Cloud organization. Each environment must have its own VPC network, but they must share a common set of network security policies. Which design meets these requirements?

A.Create separate projects and use VPC Network Peering between them
B.Use Shared VPC with separate service projects for dev and prod
C.Create separate VPCs in the same project and use VPC peering
D.Use a single VPC with multiple subnets and strict firewall rules
AnswerB

Shared VPC centralizes network administration and security policies while allowing environment isolation via separate projects.

Why this answer

Option B is correct because in a Shared VPC the host project owns the networks and their firewall rules, so a central network team administers one set of security policies, while the dev and prod service projects stay separate for IAM, billing and quota. The host project can hold one VPC per environment, each shared only with its own service project, so the environments keep distinct networks. Option A is wrong because separate projects joined by VPC Network Peering keep separate, independently administered firewall rule sets; nothing enforces a common policy. Option C is wrong for the same reason and additionally puts both environments in one project, weakening the isolation. Option D is wrong because a single VPC with multiple subnets does not give each environment its own VPC network as the requirement states.

54
Matchingmedium

Match each VPC firewall rule component to its definition.

Direction: ingress or egress traffic direction

Source ranges: CIDR blocks for incoming traffic

Target tags: VM instance tags that the rule applies to

Priority: rule evaluation order (lower number = higher priority)

Action: allow or deny traffic

Why these pairings

These are the key components of a VPC firewall rule: direction (INGRESS or EGRESS), source ranges (the CIDR blocks an ingress rule matches; egress rules use destination ranges instead), target tags (the instances the rule is enforced on; a rule with no target tags or target service accounts applies to every instance in the network), priority (0 to 65535, lower numbers are evaluated first, and at equal priority a deny rule wins over an allow rule), and action (ALLOW or DENY). Every VPC network also carries an implied deny-ingress and an implied allow-egress rule at the lowest priority; that is what traffic falls through to when a rule's tags or source ranges do not match.

55
MCQhard

Refer to the exhibit. An operations engineer configured this alert policy to notify when any VM instance in project my-project has high CPU utilization. However, no notifications are received even when CPU is consistently above 90% on multiple instances in us-central1-a. What is the most likely cause?

A.The 'duration' of 0s in the MQL condition prevents the alert from firing because it needs a minimum duration.
B.The alert policy is configured in a different project than the VM instances.
C.The MQL query uses 'group_by' which causes the condition to be evaluated on the aggregate, but the threshold should be applied before grouping.
D.The notification channel is not configured or is invalid.
AnswerB

If the alert policy is in project A but VM instances are in project B, the policy won't see those metrics unless cross-project access is set up.

Why this answer

Option B is correct because alerting policies are project-scoped: a policy evaluates only the time series visible in its project's metrics scope, which by default contains just that project. If the VM instances live in another project, the `compute.googleapis.com/instance/cpu/utilization` series for them never reach the condition, so the policy stays inactive and no notification is ever generated.

Cross-project monitoring requires adding the VM project to the metrics scope of the project that holds the policy, or creating the alert policy in the VM project itself.

Exam trap

Google Cloud often tests the subtle distinction between an alert that fails to fire (scope/resource mismatch) versus an alert that fires but fails to notify (channel issue), leading candidates to incorrectly blame the notification channel when the real problem is that the alert condition is never evaluated against the target resources.

How to eliminate wrong answers

Option A is wrong because a `duration` of 0s is valid and means the condition fires immediately when the threshold is crossed; it does not prevent the alert from firing. Option C is wrong because `group_by` aggregates metrics before evaluation, and applying the threshold after grouping is the correct behavior for aggregate conditions; the threshold does not need to be applied before grouping. Option D is wrong because if the notification channel were invalid or missing, the alert would still fire (its state would change to `firing`), but no notification would be sent; the question states no notifications are received, implying the alert itself is not firing, which points to a monitoring scope issue rather than a channel problem.

56
MCQmedium

A global company must store customer data in a specific geographic region to comply with data residency regulations. The database needs strong transactional consistency and low-latency reads worldwide. Which database solution should they choose?

A.Use Cloud Spanner with a multi-region configuration that includes the required region
B.Use BigQuery with a multi-region dataset
C.Use Cloud SQL with cross-region replication
D.Use Firestore in multi-region mode
AnswerA

Cloud Spanner provides strong consistency, horizontal scaling, and multi-region support to meet residency and performance requirements.

Why this answer

Option A is correct because Cloud Spanner offers strongly consistent, globally distributed transactions with horizontal scaling, and a multi-region configuration places read-write and read-only replicas in named regions, so the required region can be one of them while replicas elsewhere serve low-latency reads. Check the chosen configuration against the residency rule: every region in a multi-region configuration holds a copy of the data, so a regulation that forbids storing the data outside one region rules out multi-region entirely and calls for a regional instance with caching closer to users. Option B is wrong because BigQuery is an analytical warehouse, not a transactional database. Option C is wrong because Cloud SQL cross-region replicas are asynchronous read replicas; writes go to one region and replicas can lag, so there is no strong consistency across regions.

Option D is wrong because Firestore's multi-region locations are fixed pairings chosen by Google that cannot be composed to include an arbitrary required region, and it is a document store rather than a relational, SQL-queryable transactional database.

57
MCQeasy

A security engineer is tasked with automating the remediation of non-compliant resources in a Google Cloud organization. The organization uses Organization Policy Service to enforce constraints. The engineer needs to automatically disable a specific service (e.g., Compute Engine API) for a project that violates a policy. Which Google Cloud service should be used to trigger this remediation?

A.Cloud Build
B.Cloud Run
C.Cloud Scheduler
D.Cloud Functions
AnswerD

Cloud Functions can be triggered by logs or Pub/Sub messages to perform automated remediation actions.

Why this answer

Cloud Functions is correct because it can be triggered by real-time event notifications (e.g., from Cloud Asset Inventory or Pub/Sub) when a policy violation is detected, and then execute custom code to disable the Compute Engine API via the Service Usage API. This serverless, event-driven model is ideal for automated remediation workflows without managing infrastructure.

Exam trap

Google Cloud often tests the distinction between event-driven (Cloud Functions) and scheduled (Cloud Scheduler) or compute (Cloud Run) services, trapping candidates who confuse scheduled tasks with real-time remediation triggers.

How to eliminate wrong answers

Option A is wrong because Cloud Build is a CI/CD service for building, testing and deploying artifacts; it is not designed to react to policy violation events. Option B is wrong in the question's framing: a Cloud Run service can receive events through Eventarc or a Pub/Sub push subscription, but it means packaging a container and running a service for what is a short, event-triggered action, which is exactly what Cloud Functions provides directly. Option C is wrong because Cloud Scheduler is a cron service for scheduled execution; it cannot react in real time to a violation. In practice the trigger is a Cloud Asset Inventory feed or a Security Command Center notification publishing to Pub/Sub, and the function calls the Service Usage API (`services.disable`) for the offending project.

58
Multi-Selectmedium

A security engineer is investigating an incident where an attacker gained access to a Compute Engine instance's serial console logs, which contained sensitive data. Which TWO actions should the engineer take to prevent this type of exposure in the future? (Choose TWO.)

Select 2 answers
A.Use Cloud NAT for outbound traffic to anonymize instance IP addresses in serial console logs.
B.Enable Private Google Access on the VPC subnet to restrict serial console log access to internal IPs only.
C.Remove the roles/iam.serviceAccountUser role from all users to prevent them from accessing serial console.
D.Disable interactive serial console access for all instances that do not require it.
E.Enable OS Login for the project to enforce SSH key management and prevent serial console access.
AnswersB, D

Disabling interactive serial console access removes the attack path; Private Google Access, despite the answer key, does not govern who can read serial console output.

Why this answer

Option D is correct: if interactive access to the serial console is disabled (per instance or project through the `serial-port-enable` metadata key, or organization-wide with the `constraints/compute.disableSerialPortAccess` organization policy), an attacker holding instance permissions can no longer attach to the console. The related exposure of serial port output is governed by the `compute.instances.getSerialPortOutput` permission and by whether serial port logging to Cloud Logging is enabled (`constraints/compute.disableSerialPortLogging` turns it off organization-wide); the lasting fix is to stop applications from writing secrets to the console at all.

Option B is the second selected answer, but be aware of what Private Google Access actually does: it lets instances without external IP addresses reach Google APIs over internal routing. It does not change who can read serial console output, which is retrieved through the Compute Engine API and Cloud Logging, not through the VPC.

Options A and E are wrong because Cloud NAT and OS Login govern outbound connectivity and SSH access respectively; neither affects the serial console. Option C is wrong because roles/iam.serviceAccountUser controls impersonation of service accounts, not serial console permissions.

Exam trap

Google Cloud often tests the distinction between IAM roles that control access to serial console logs (e.g., roles/compute.instanceAdmin, which includes compute.instances.getSerialPortOutput) and roles that control other operations (e.g., roles/iam.serviceAccountUser), leading candidates to mistakenly select Option C.

59
Multi-Selecteasy

A security engineer is configuring VPC Service Controls to protect a service perimeter. Which TWO conditions must be met for a request to be allowed across the perimeter? (Choose TWO.)

Select 2 answers
A.The request is made by an identity that belongs to an allowed domain.
B.The request comes from an allowed IP range.
C.The request is made by a service account that has been granted access.
D.The request includes a valid access context manager access level.
E.The request originates from a project within the perimeter.
AnswersD, E

A request from a resource inside the perimeter is allowed; a request from outside is allowed only when an ingress rule or access level admits it.

Why this answer

Options D and E are correct. VPC Service Controls evaluates where a request originates: traffic between projects inside the same perimeter is allowed, and traffic from outside the perimeter is denied unless an ingress rule or the perimeter's access levels admit it; an Access Context Manager access level is how that exception is expressed, in terms of source IP ranges, device attributes and identities. The two conditions are alternatives, not both required at once: an in-perimeter request needs no access level.

Options A, B and C are not standalone perimeter conditions: an allowed domain or identity and an allowed IP range are attributes that an access level or ingress rule checks, and a service account is admitted the same way, by identity inside an ingress rule or access level, not merely because it holds an IAM role on the resource.

60
MCQeasy

A Cloud Function is timing out. What is the maximum timeout for a Cloud Function (1st gen)?

A.60 seconds
B.900 seconds
C.3600 seconds
D.540 seconds
AnswerD

Cloud Functions (1st gen) support up to 540 seconds timeout.

Why this answer

Cloud Functions (1st gen) have a maximum timeout of 540 seconds (9 minutes). Cloud Functions (2nd gen) raise the limit for HTTP-triggered functions to 60 minutes while event-triggered functions stay at 9 minutes, so a 1st gen function that keeps timing out is usually fixed by moving the long-running work to a 2nd gen HTTP function or Cloud Run rather than by tuning the limit.

61
MCQmedium

A company is using Cloud Armor to protect their HTTP(S) load balancer. They have configured a security policy with a rule to block traffic from a specific IP address (10.0.0.1/32). During testing, they observe that requests from that IP are still reaching the backend. What is the most likely reason?

A.The backend service is configured to bypass Cloud Armor.
B.Cloud Armor does not support blocking specific IP addresses.
C.The security policy is not attached to the backend service.
D.The rule has a lower priority than a default allow rule.
AnswerC

A security policy must be attached to a backend service for its rules to be enforced.

Why this answer

Cloud Armor security policies must be explicitly attached to a backend service to take effect. If the policy is not attached, the rules within it—including the block rule for 10.0.0.1/32—are not evaluated, and traffic flows to the backend as if no policy exists. This is the most common cause when a configured rule appears to be ignored.

Exam trap

Google Cloud often tests the concept that a security policy must be attached to a backend service (or target proxy) to be active; candidates mistakenly assume that creating the policy alone is sufficient to enforce its rules.

How to eliminate wrong answers

Option A is wrong because there is no bypass switch on a backend service; either a security policy is attached and evaluated for every request, or none is. Option B is wrong because Cloud Armor rules match on source IP ranges in CIDR form, /32 prefixes included. Option D is wrong because the default rule always carries the lowest possible priority (2147483647), so any explicit deny rule is evaluated before it; a priority problem could only arise if another explicit allow rule covering the same source had a lower priority number than the deny, which the question does not describe. A caveat for real deployments: 10.0.0.1 is a private address that would not appear as a client IP at an external load balancer; match the address the load balancer actually sees, shown as the remote IP in its request logs.

62
MCQmedium

A company uses Cloud SQL for PostgreSQL and needs to ensure that database backups are retained for 30 days for compliance. They also want to be able to perform point-in-time recovery for the last 24 hours. What configuration should they use?

A.Enable automated backups with a retention of 30 days and enable binary logging (write-ahead logs) for point-in-time recovery.
B.Manually take a full backup every day and store it in Cloud Storage with object lifecycle management set to 30 days.
C.Take daily snapshots of the Compute Engine instance running Cloud SQL.
D.Use Cloud Scheduler to run a script that exports the database to Cloud Storage every hour, and keep the exports for 30 days.
AnswerA

Automated backups provide a daily base backup; archived transaction logs (binary logs for MySQL, write-ahead logs for PostgreSQL) allow recovery to any point within the log retention window.

Why this answer

Option A is correct because Cloud SQL point-in-time recovery replays archived write-ahead logs on top of the most recent automated backup, so enabling automated backups with a 30-day retention and turning on point-in-time recovery (the PostgreSQL equivalent of MySQL binary logging) satisfies both requirements; confirm the instance's transaction log retention setting covers at least the 24-hour window. Option B is wrong because daily manual backups give no point-in-time recovery and depend on an operational process that can silently stop. Option C is wrong because a Cloud SQL instance is not a Compute Engine VM you can snapshot.

Option D is wrong because hourly logical exports give at best hourly granularity, not point-in-time recovery, and a full export every hour is a heavy load on the primary.

63
MCQhard

A security engineer is troubleshooting a connectivity issue between two VPCs connected via VPC Network Peering. VPC-A (project A) has a Compute Engine instance with internal IP 10.1.0.2. VPC-B (project B) has an instance with internal IP 10.2.0.2. The engineer has verified that the peering connection is active and the firewall rules allow ingress from 10.1.0.0/16. However, the instance in VPC-B cannot ping the instance in VPC-A. What is the most likely cause?

A.The VPC-A has a firewall rule that denies ICMP traffic from VPC-B.
B.The VPC-B does not have a route to VPC-A's subnet ranges. Custom route exchange is not enabled on the peering connection.
C.The MTU configuration on the peering connection is set too low.
D.The instance in VPC-B does not have a public IP address.
AnswerB

Subnet routes are exchanged automatically between peered networks; custom (static and dynamic) routes are exchanged only when export and import are enabled on both sides of the peering.

Why this answer

Option B is the keyed answer: if the 10.1.0.0/16 destination in VPC-A is reachable only through a custom route (a static route, or a dynamic route learned by Cloud Router), VPC-B receives that route only when VPC-A's side of the peering has `--export-custom-routes` and VPC-B's side has `--import-custom-routes` enabled; without it VPC-B has nowhere to send traffic for 10.1.0.2 regardless of firewall rules. Be precise about the default, though: subnet routes (the ranges of each VPC's subnets) are always exchanged as soon as the peering is ACTIVE, so if 10.1.0.0/16 is a plain subnet range in VPC-A the route is already present and the next thing to check is the firewall. An ingress rule that allows traffic from 10.1.0.0/16 is allowing VPC-A's own range; an echo request from 10.2.0.2 arrives with a source in 10.2.0.0/16 and is dropped by the implied deny-ingress rule unless that range is also allowed. `gcloud compute routes list` in VPC-B's project and a Network Intelligence Center connectivity test show which of the two it is.

The peering connection being active only means the link is established; it says nothing about which custom routes are propagated.

Exam trap

Google Cloud often tests the misconception that an active peering connection and permissive firewall rules are sufficient for connectivity, when in fact custom route exchange must be explicitly enabled (exported by one side and imported by the other) for traffic that depends on those routes to flow between VPCs.

How to eliminate wrong answers

Option A is wrong in the scenario as stated because the question says the firewall allows the traffic, so the keyed cause is routing; in a real investigation, check that the allowed source range actually matches the source VPC's CIDR before blaming routes. Option C is wrong because MTU is a property of each VPC network (1460 bytes by default, configurable), not of the peering connection; a mismatch between peered networks can cause large packets to be fragmented or dropped, but a default-size ICMP echo would still get through. Option D is wrong because peered networks communicate over internal IP addresses; an external IP is irrelevant to peered connectivity.

64
MCQmedium

During an incident, a security engineer needs to isolate a compromised Compute Engine instance for forensic analysis without losing evidence. What should they do first?

A.Disconnect the instance from the VPC network.
B.Shut down the instance immediately.
C.Delete the instance to prevent further damage.
D.Create a snapshot of the instance's persistent disks.
AnswerD

Snapshots capture disk data for later analysis without altering the instance.

Why this answer

Option D is correct because a persistent disk snapshot preserves the disk contents for later analysis without changing the running instance, and it can be taken while the instance keeps running; attach a disk created from the snapshot to a separate, isolated forensics VM rather than examining the compromised one in place. Option A (isolating the instance from the network, for example with a deny-all firewall rule targeted by a quarantine tag) is the right containment step, but it comes after evidence capture so the attacker cannot respond to the isolation by wiping traces first. Option B is wrong as a first step because shutting down destroys volatile evidence (memory contents, open connections, running processes).

Option C destroys all evidence.

65
MCQeasy

A company wants to monitor for suspicious login attempts across all their Google Cloud projects. They want to send a real-time Slack notification when a login fails from an IP address outside their corporate CIDR range. What is the most efficient way to achieve this?

A.Create a Cloud Monitoring alert policy that checks for failed logins in logs and sends a notification to Slack via webhook.
B.Use Cloud Scheduler to run a batch job every hour that queries logs and sends a summary to Slack.
C.Export Admin Activity audit logs to a Pub/Sub topic via a sink, and use a Cloud Function that subscribes to the topic to filter and post to Slack.
D.Enable Cloud Audit Logs and configure a log router to forward logs directly to Slack.
AnswerC

This provides real-time, scalable, and customizable notification.

Why this answer

Option C is correct because a log sink to Pub/Sub streams each matching entry as it is written, and the subscribing Cloud Function can apply arbitrary logic (the CIDR test, enrichment, deduplication) before posting to Slack. Note where login events live: failed and successful logins are recorded in the Google Workspace or Cloud Identity Login audit log, which appears in Cloud Logging at the organization level once audit log sharing with Google Cloud is enabled; project-level Admin Activity logs do not contain them, so the sink must be created at the organization level. Option A relies on Cloud Monitoring: a log-based alerting policy with a Slack notification channel can notify on matching entries, but it offers only a fixed notification format and no custom logic, so it is less suited to the CIDR filtering and message shaping required here. Option B is wrong because an hourly batch is not real time.

Option D is wrong because the Log Router has no Slack destination; sinks deliver to Cloud Logging buckets, BigQuery, Cloud Storage and Pub/Sub.
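
The filtering step of that pipeline, as an added example that is not code from the original page: given one Login audit log entry (the Cloud Function would decode it from the Pub/Sub message data), decide whether it is a failed login from outside the corporate ranges and build the Slack payload. The corporate CIDRs are assumed (RFC 5737 documentation prefixes), the sample entries are constructed, and the field paths (protoPayload.serviceName login.googleapis.com, protoPayload.metadata.event[].eventName login_failure, protoPayload.requestMetadata.callerIp, protoPayload.authenticationInfo.principalEmail) follow the Login audit log format; verify them against entries from your own organization before deploying.

```python
"""Added example (not from the original page): filter failed logins by
source IP before posting to Slack."""
import ipaddress
from typing import Optional

# Assumed corporate egress ranges; RFC 5737 documentation prefixes, not real ones.
CORPORATE_CIDRS = ("203.0.113.0/24", "198.51.100.0/24")


def _get(entry: dict, path: str, default=None):
    """Walk a dotted path such as 'protoPayload.requestMetadata.callerIp'."""
    node = entry
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def is_failed_login(entry: dict) -> bool:
    """True for a Login audit log entry that records a failed login attempt."""
    if _get(entry, "protoPayload.serviceName") != "login.googleapis.com":
        return False
    events = _get(entry, "protoPayload.metadata.event", []) or []
    return any(event.get("eventName") == "login_failure" for event in events)


def is_outside_corporate(ip: str, cidrs=CORPORATE_CIDRS) -> bool:
    """True when the address is not inside any corporate range.

    A missing or unparsable caller IP is treated as suspicious rather than
    skipped, so an odd entry cannot slip past the check.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


def slack_message(entry: dict) -> Optional[dict]:
    """Return the Slack webhook payload for a suspicious failed login, else None."""
    if not is_failed_login(entry):
        return None
    caller_ip = _get(entry, "protoPayload.requestMetadata.callerIp", "")
    if not is_outside_corporate(caller_ip):
        return None
    user = _get(entry, "protoPayload.authenticationInfo.principalEmail", "unknown")
    return {
        "text": (f":rotating_light: Failed login for {user} from {caller_ip} "
                 f"(outside corporate ranges) at {entry.get('timestamp')}")
    }


def make_entry(event_name: str, caller_ip: str, user: str = "alice@example.com") -> dict:
    """Build a constructed Login audit log entry; not captured from a real tenant."""
    return {
        "timestamp": "2024-05-01T14:02:11Z",
        "logName": "organizations/123456789/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "serviceName": "login.googleapis.com",
            "authenticationInfo": {"principalEmail": user},
            "requestMetadata": {"callerIp": caller_ip},
            "metadata": {"event": [{"eventName": event_name}]},
        },
    }


SAMPLE_FAILURE_EXTERNAL = make_entry("login_failure", "192.0.2.44")
SAMPLE_FAILURE_INTERNAL = make_entry("login_failure", "203.0.113.10")
SAMPLE_SUCCESS_EXTERNAL = make_entry("login_success", "192.0.2.44")

if __name__ == "__main__":
    for sample in (SAMPLE_FAILURE_EXTERNAL, SAMPLE_FAILURE_INTERNAL, SAMPLE_SUCCESS_EXTERNAL):
        print(slack_message(sample))
```

Keep the sink filter narrow (serviceName and the login-failure method) so the function only pays for entries it might act on, and treat the Slack webhook URL as a secret held in Secret Manager.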

66
MCQhard

Refer to the exhibit. A security engineer runs the command to view recent decrypt operations on a Cloud KMS key. The output shows a successful decryption. However, the engineer is concerned about the exposure of the plaintext. Based on the log entry, what is the most accurate statement regarding the visibility of the decrypted plaintext?

A.The plaintext field is not present in the log because the service does not log it.
B.The plaintext field contains the base64-encoded ciphertext, and the engineer needs to decode it.
C.The plaintext field is redacted by Cloud KMS, and the actual plaintext is not visible in the log entry.
D.The plaintext field contains the actual decrypted data in plaintext, and the engineer should restrict access to the logs.
AnswerC

Cloud Audit Logs automatically redact sensitive data like decrypted plaintext.

Why this answer

Option C is correct because Cloud KMS automatically redacts the plaintext field in Cloud Audit Logs for decrypt operations. The log entry shows a successful decryption, but the actual decrypted data is never written to the logs; instead, the plaintext field is replaced with a redacted marker (e.g., `[REDACTED]`). This is a security feature to prevent sensitive data from being exposed in audit logs, even to users with access to view them.

Exam trap

Google Cloud often tests the misconception that the plaintext field in Cloud KMS logs contains the actual decrypted data or that it is simply absent, when in fact it is explicitly redacted to protect sensitive information.

How to eliminate wrong answers

Option A is wrong because the plaintext field is present in the log entry (as shown in the exhibit), but it is redacted, not absent; the service does log the field but explicitly omits the actual plaintext. Option B is wrong because the plaintext field does not contain base64-encoded ciphertext; it contains a redacted value, and the engineer does not need to decode anything—the ciphertext is a separate field in the log. Option D is wrong because the plaintext field does not contain the actual decrypted data; Cloud KMS ensures the plaintext is never exposed in logs, so restricting access to logs would not address the concern about plaintext visibility.

67
Multi-Selectmedium

A security engineer is designing a logging and monitoring strategy to meet compliance requirements. Which THREE services should be integrated to ensure log data is tamper-proof and available for analysis? (Choose THREE.)

Select 3 answers
A.Cloud Logging
B.BigQuery
C.Cloud Audit Logs
D.Security Command Center
E.Cloud Storage with Object Lock
AnswersA, B, E

Centralized log ingestion and management.

Why this answer

Options A, B and E are correct. Cloud Logging ingests and routes the logs; a sink to a Cloud Storage bucket with a locked retention policy (Bucket Lock, or per-object retention configuration) makes the exported log objects immutable for the retention period, which is the tamper-evidence requirement; a sink to BigQuery makes the same logs queryable for analysis. Option C is wrong because Cloud Audit Logs are a category of log written into Cloud Logging, not a separate storage or analysis service.

Option D is wrong because Security Command Center aggregates security findings; it is not a log store.

68
MCQhard

A financial services company runs a sensitive application on Google Kubernetes Engine (GKE) with Workload Identity enabled. Security policy requires that only pods with a specific service account can access a Cloud Storage bucket containing customer data. The bucket has uniform bucket-level access enabled. What is the correct combination of IAM bindings to achieve this?

A.Add the Google service account as a member of the bucket with roles/storage.objectViewer
B.Bind the Google service account (linked to the Kubernetes service account via Workload Identity) to the bucket IAM policy with roles/storage.objectViewer
C.Grant the Google service account roles/storage.objectViewer at the project level
D.Bind the Kubernetes service account to the bucket IAM policy with roles/storage.objectViewer
AnswerB

This is the correct approach: the GSA is granted the role, and pods using the mapped KSA inherit that access.

Why this answer

Workload Identity links a Kubernetes service account (KSA) to a Google service account (GSA): the KSA is annotated with the GSA's email, and the GSA grants `roles/iam.workloadIdentityUser` to the member `serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]`. A pod running as that KSA then obtains tokens for the GSA. Uniform bucket-level access disables object ACLs, so IAM is the only access control on the bucket; granting the role on the bucket itself, rather than inheriting it from the project, keeps the permission scoped to this one bucket.

Binding the GSA to the bucket with roles/storage.objectViewer therefore means only pods running as the mapped KSA (plus anyone allowed to impersonate the GSA, which its own IAM policy should restrict) can read the bucket.

Exam trap

Google Cloud often tests the distinction between Kubernetes service accounts and Google service accounts, trapping candidates who try to bind a KSA directly to a Google Cloud resource instead of using the linked GSA via Workload Identity.

How to eliminate wrong answers

Option A is wrong because it says 'Add the Google service account as a member of the bucket' but does not specify the correct IAM role binding on the bucket resource; it is vague and incomplete. Option C is wrong because granting roles/storage.objectViewer at the project level would allow any workload or user with that role to access the bucket, violating the security policy that restricts access to only pods with a specific service account. Option D is wrong because Kubernetes service accounts are not recognized by Cloud Storage IAM; only Google service accounts can be bound to bucket IAM policies, and Workload Identity provides the mapping.

69
Multi-Selecthard

Which THREE steps are most effective for troubleshooting a VPC firewall rule issue where desired traffic is being blocked?

Select 3 answers
A.Check IAM permissions for the VM's service account
B.Check firewall rule logs in Cloud Logging
C.Verify that the network tags on instances match the target tags in the firewall rule
D.Review VPC flow logs to see if traffic is reaching the VM
E.Inspect the route tables for the subnet
AnswersB, C, D

Firewall logs show allowed and denied connections, directly indicating blocking.

Why this answer

Options B, C and D are correct. Firewall Rules Logging (enabled per rule) records each allowed or denied connection together with the rule that matched, so a DENIED entry names the rule and confirms the traffic is at least reaching the VPC. Verifying that the instance's network tags match the rule's target tags catches the most common misconfiguration, a rule that exists but applies to nothing; the same check applies to target service accounts and to source ranges (the rule must allow the client's actual source CIDR).

VPC Flow Logs show whether the flow reached the VM at all; because flow logs record only packets the firewall allowed, a flow the client is sending that never appears in the VM's flow logs points at a deny. Option A is wrong because IAM permissions on the VM's service account govern API calls, not packet filtering. Option E is wrong because a missing route produces an unreachable destination, not a firewall deny; look at routes only after the firewall logs show no entry at all.
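
Tying together the components matched in question 54 and the tag and source-range checks of question 69, here is an added example, not code from the original page, that models how VPC firewall rules are evaluated: rules are sorted by priority (lower number first, deny before allow at equal priority), a rule matches only if direction, target tags, source ranges and protocol/port all match, and anything that matches nothing falls through to the implied deny-ingress or allow-egress rule. The rule set and packets are constructed; the behaviour it reproduces is the documented evaluation order.

```python
"""Added example (not from the original page): a minimal model of VPC
firewall rule evaluation, to show why a tag or source-range mismatch
silently ends in the implied deny."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str            # "INGRESS" or "EGRESS"
    action: str               # "ALLOW" or "DENY"
    priority: int             # 0..65535, lower number evaluated first
    protocols: tuple          # ("tcp:22", "icmp", "all", ...)
    source_ranges: tuple = () # CIDRs matched against the source; ingress only
    target_tags: tuple = ()   # empty means every instance in the network


@dataclass(frozen=True)
class Packet:
    direction: str
    src_ip: str
    protocol: str             # "tcp", "udp", "icmp"
    dst_port: Optional[int]
    instance_tags: tuple      # network tags of the instance being evaluated


# Every VPC network carries these two at the lowest priority; they cannot be removed.
IMPLIED_RULES = (
    Rule("implied-deny-ingress", "INGRESS", "DENY", 65535, ("all",), ("0.0.0.0/0",)),
    Rule("implied-allow-egress", "EGRESS", "ALLOW", 65535, ("all",)),
)


def _protocol_matches(spec: str, packet: Packet) -> bool:
    """Match "tcp:22", "tcp:8000-8080", "icmp" or "all" against the packet."""
    if spec == "all":
        return True
    proto, _, ports = spec.partition(":")
    if proto != packet.protocol:
        return False
    if not ports:                         # bare protocol such as "icmp"
        return True
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        if packet.dst_port is not None and int(lo) <= packet.dst_port <= int(hi or lo):
            return True
    return False


def _rule_matches(rule: Rule, packet: Packet) -> bool:
    if rule.direction != packet.direction:
        return False
    # Target tags narrow the rule to tagged instances; no tags means the whole network.
    if rule.target_tags and not set(rule.target_tags) & set(packet.instance_tags):
        return False
    if rule.direction == "INGRESS":
        src = ipaddress.ip_address(packet.src_ip)
        if not any(src in ipaddress.ip_network(r) for r in rule.source_ranges):
            return False
    return any(_protocol_matches(p, packet) for p in rule.protocols)


def evaluate(rules, packet: Packet) -> tuple:
    """Return (action, rule name) of the first matching rule in priority order.

    Lower priority number wins; at equal priority deny takes precedence over allow.
    """
    ordered = sorted(list(rules) + list(IMPLIED_RULES),
                     key=lambda r: (r.priority, 0 if r.action == "DENY" else 1))
    for rule in ordered:
        if _rule_matches(rule, packet):
            return rule.action, rule.name
    raise AssertionError("the implied rules always match")  # unreachable


# Constructed rule set (not from any real project).
RULES = (
    Rule("allow-ssh-from-bastion", "INGRESS", "ALLOW", 1000, ("tcp:22",),
         ("10.0.1.0/24",), ("ssh-target",)),
    Rule("allow-icmp-from-peer", "INGRESS", "ALLOW", 1000, ("icmp",), ("10.1.0.0/16",)),
    Rule("deny-all-from-quarantine", "INGRESS", "DENY", 100, ("all",), ("10.0.1.0/28",)),
)


def decide(src_ip: str, protocol: str, dst_port: Optional[int], tags, direction: str = "INGRESS") -> tuple:
    return evaluate(RULES, Packet(direction, src_ip, protocol, dst_port, tuple(tags)))


if __name__ == "__main__":
    print(decide("10.0.1.100", "tcp", 22, ["ssh-target"]))  # ('ALLOW', 'allow-ssh-from-bastion')
    print(decide("10.0.1.100", "tcp", 22, ["web"]))         # ('DENY', 'implied-deny-ingress'): tag mismatch
    print(decide("10.2.0.2", "icmp", None, []))             # ('DENY', 'implied-deny-ingress'): source not in 10.1.0.0/16
    print(decide("10.0.1.5", "tcp", 22, ["ssh-target"]))    # ('DENY', 'deny-all-from-quarantine'): priority 100 beats 1000
```

The second and third cases are the ones question 69 is about: the allow rule exists, yet the packet never matches it, and the firewall log entry (if logging is enabled on the implied deny is not possible, so on the allow rule you expect to hit) shows nothing at all.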

70
MCQeasy

A company uses Cloud Armor to protect their HTTP Load Balancer. They want to block requests from a specific IP range during a DDoS attack. What is the most efficient way to implement this?

A.Create a new Cloud Armor security policy and attach it to the backend service.
B.Modify the load balancer's firewall rule to deny traffic from that IP range.
C.Use Cloud CDN to cache responses and block the IP at the edge.
D.Update the existing security policy by adding a deny rule for the IP range with priority 1000.
AnswerD

Adding a deny rule to the existing policy is immediate and efficient.

Why this answer

Option D is correct because a backend service can have only one backend security policy attached, and adding a deny rule for the offending range to the policy already attached takes effect on the next rule evaluation without touching the load balancer configuration. Give the rule a priority number lower than any allow rule that would otherwise match the same traffic, because the lowest number wins. Option A is wrong because a second policy means detaching the existing one, losing its rules, and attaching the new one; it is slower and riskier under attack. Option B is wrong because VPC firewall rules never see the client addresses of traffic arriving at a global external HTTP(S) load balancer; the proxies terminate the connection and backends see Google front-end ranges.

Option C is wrong because Cloud CDN caches responses; it has no IP blocking feature.

71
Multi-Selectmedium

Your organization uses Cloud Key Management Service (KMS) to encrypt data at rest. You need to rotate keys automatically every 90 days. Which THREE steps are required? (Choose 3)

Select 3 answers
A.Re-encrypt any data encrypted with older versions using the new key version.
B.Enable automatic rotation on the key.
C.Create a new key version every 90 days manually.
D.Ensure the key is destroyed after rotation.
E.Use a Cloud Function to trigger rotation.
F.Set a rotation period on the Cloud KMS key.
AnswersA, B, F

Re-encryption ensures data is protected by the latest key version.

Why this answer

Options A, B and F are correct. Setting a 90-day rotation period together with a next rotation time (F) is what enables automatic rotation (B): Cloud KMS then creates a new primary key version on schedule, and new encrypt calls use it. Rotation does not touch existing ciphertext; decryption automatically selects the version that produced the ciphertext, and older versions stay enabled. Re-encrypting data protected by older versions (A) is what actually moves that data under the new version and lets you disable and eventually destroy old versions on a fixed schedule, so it is part of a complete rotation process. Option C is wrong because creating versions by hand is exactly what automatic rotation replaces.

Option D is wrong because destroying a version immediately makes every ciphertext produced with it unrecoverable; old versions are disabled first and destroyed only after re-encryption. Option E is wrong because rotation is a built-in key setting; no function is needed to trigger it.

72
MCQeasy

Users are reporting 502 Bad Gateway errors when accessing an application behind an external HTTPS Load Balancer. What is the most likely cause?

A.The backend instances are unhealthy or the SSL certificate is invalid
B.Cloud CDN is not enabled for the load balancer
C.The backend instances have reached maximum concurrent connections
D.The load balancer is configured as an internal load balancer
AnswerA

A 502 error indicates a communication failure between the load balancer and backend, often due to health check failures or SSL misconfiguration.

Why this answer

Option A is correct: an external HTTPS load balancer returns 502 when it cannot obtain a valid response from a backend, typically because every backend in the group is failing its health check or a backend closed the connection or returned a malformed response. Check the load balancer request logs: the `jsonPayload.statusDetails` field (for example `failed_to_pick_backend` when no backend is healthy) names the cause. A bad frontend certificate shows up as a TLS handshake failure in the client, not as a 502, so the certificate part of Option A applies to the backend side (for example an HTTPS backend protocol mismatch). Option C is wrong because exceeding backend capacity returns 503, not 502. Option D is wrong because an internal load balancer would not be reachable from the internet at all; users would time out rather than receive a 502.

Option B is wrong because Cloud CDN affects caching, not backend reachability.

73
MCQmedium

A security engineer receives an alert from Cloud Security Command Center (Cloud SCC) about a resource that is publicly accessible. The engineer identifies that the resource is a Cloud Storage bucket containing sensitive data. After making the bucket private, what is the next best step to prevent recurrence?

A.Add a note in the operations runbook to check bucket permissions weekly.
B.Delete the bucket and all its contents to avoid future exposure.
C.Set an organization policy to disable public access to all Cloud Storage buckets.
D.Create a Cloud Security Command Center notification for public bucket findings and use a Cloud Function to automatically disable public access.
AnswerD

Automated response reduces recurrence risk.

Why this answer

Option D is correct because a Security Command Center notification config publishes matching findings (here the PUBLIC_BUCKET_ACL category from Security Health Analytics) to a Pub/Sub topic as they are created, and a Cloud Function subscribed to that topic can remove allUsers and allAuthenticatedUsers from the bucket's IAM policy and enforce public access prevention within seconds, which prevents recurrence without a person in the loop. Option C is also a real preventive control: the `constraints/storage.publicAccessPrevention` organization policy blocks public buckets across the organization; it is passed over here only because it would also break any buckets that legitimately serve public content, whereas automated remediation can be scoped. Option B is wrong because deleting the bucket loses the data.

Option A is wrong because a weekly manual check is neither preventive nor timely.
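
The remediation half of that design, as an added example that is not code from the original page (the same trigger-then-act shape applies to question 57, with a Service Usage API `services.disable` call in place of the IAM edit): the function reads the bucket name from an SCC notification, acts only on ACTIVE findings of the public-bucket category, strips allUsers and allAuthenticatedUsers from the bucket IAM policy while preserving the etag so a concurrent change is not clobbered, and then enforces public access prevention. The finding and policy are constructed, and FakeBucketStore is an in-memory stand-in for the google-cloud-storage calls named in its docstring so the example runs offline.

```python
"""Added example (not from the original page): auto-remediate a public
Cloud Storage bucket from a Security Command Center finding."""
import copy
from typing import Optional

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
PUBLIC_BUCKET_CATEGORY = "PUBLIC_BUCKET_ACL"      # Security Health Analytics category
STORAGE_RESOURCE_PREFIX = "//storage.googleapis.com/"


def bucket_from_finding(notification: dict) -> Optional[str]:
    """Return the bucket name from an SCC NotificationMessage, or None if not actionable.

    Assumed shape: {"finding": {"category": ..., "state": "ACTIVE",
    "resourceName": "//storage.googleapis.com/BUCKET"}}. The INACTIVE message SCC
    sends once the finding is resolved is ignored, which also stops loops.
    """
    finding = notification.get("finding", {})
    if finding.get("state") != "ACTIVE" or finding.get("category") != PUBLIC_BUCKET_CATEGORY:
        return None
    resource = finding.get("resourceName", "")
    if not resource.startswith(STORAGE_RESOURCE_PREFIX):
        return None
    return resource[len(STORAGE_RESOURCE_PREFIX):]


def strip_public_bindings(policy: dict) -> tuple:
    """Return (policy without public members, list of removed (role, member) pairs).

    Bindings left empty are dropped; the etag is kept so the write is rejected
    instead of overwriting a policy someone changed in the meantime.
    """
    cleaned = copy.deepcopy(policy)
    removed, bindings = [], []
    for binding in cleaned.get("bindings", []):
        members = binding.get("members", [])
        removed.extend((binding["role"], m) for m in members if m in PUBLIC_MEMBERS)
        kept = [m for m in members if m not in PUBLIC_MEMBERS]
        if kept:
            bindings.append({**binding, "members": kept})
    cleaned["bindings"] = bindings
    return cleaned, removed


class FakeBucketStore:
    """In-memory stand-in for the Cloud Storage calls, so the example runs offline.

    In production: bucket.get_iam_policy(requested_policy_version=3),
    bucket.set_iam_policy(policy), and setting
    bucket.iam_configuration.public_access_prevention = "enforced" then bucket.patch().
    """
    def __init__(self, policies: dict):
        self.policies = policies
        self.public_access_prevention = {}

    def get_iam_policy(self, bucket: str) -> dict:
        return copy.deepcopy(self.policies[bucket])

    def set_iam_policy(self, bucket: str, policy: dict) -> None:
        if policy.get("etag") != self.policies[bucket].get("etag"):
            raise RuntimeError("etag mismatch: policy changed concurrently, re-read and retry")
        self.policies[bucket] = copy.deepcopy(policy)

    def enforce_public_access_prevention(self, bucket: str) -> None:
        self.public_access_prevention[bucket] = "enforced"


def remediate(notification: dict, store: FakeBucketStore) -> dict:
    """Handle one notification: remove public grants, then block future ones."""
    bucket = bucket_from_finding(notification)
    if bucket is None:
        return {"action": "ignored"}
    cleaned, removed = strip_public_bindings(store.get_iam_policy(bucket))
    if removed:
        store.set_iam_policy(bucket, cleaned)
    store.enforce_public_access_prevention(bucket)   # even if nothing was removed
    return {"action": "remediated", "bucket": bucket, "removed": removed}


# Constructed inputs (not from a real project).
SAMPLE_FINDING = {"finding": {
    "category": PUBLIC_BUCKET_CATEGORY, "state": "ACTIVE",
    "resourceName": STORAGE_RESOURCE_PREFIX + "customer-data",
}}
SAMPLE_POLICY = {"version": 1, "etag": "BwXabc123=", "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers", "user:alice@example.com"]},
    {"role": "roles/storage.admin", "members": ["group:security@example.com"]},
]}


def sample_store() -> FakeBucketStore:
    return FakeBucketStore({"customer-data": copy.deepcopy(SAMPLE_POLICY)})


if __name__ == "__main__":
    store = sample_store()
    print(remediate(SAMPLE_FINDING, store))
    print(store.policies["customer-data"]["bindings"])
```

The function's service account needs only `storage.buckets.getIamPolicy`, `storage.buckets.setIamPolicy` and `storage.buckets.update` on the buckets it may touch; write the removed bindings to a log entry so the owner can re-grant a legitimate public read through a reviewed change.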

74
MCQmedium

A company runs a multi-tier application on Compute Engine behind an external HTTP(S) Load Balancer. The backend consists of a managed instance group for the application tier and a Cloud Storage bucket for static assets. During peak traffic, some users receive HTTP 503 errors. The backend instances are healthy and the load balancer shows no connection errors. The company has already enabled Cloud CDN for the backend bucket. What should they do to resolve the 503 errors?

A.Increase the size of the instance group to handle more requests.
B.Enable Cloud CDN on the backend bucket to cache static content.
C.Increase the backend bucket's cache mode to force caching of dynamic content.
D.Adjust the load balancer's connection draining timeout.
AnswerA

Scaling up the instance group adds capacity to serve more requests, reducing 503 errors from resource exhaustion.

Why this answer

The 503 errors indicate that the application tier cannot keep up with the request volume at peak; the backends are healthy but saturated. Increasing the size of the managed instance group adds capacity, ideally by enabling autoscaling on CPU or load balancer serving capacity so the group grows ahead of the peak and shrinks afterwards. Option B is wrong because Cloud CDN is already enabled for the static bucket, and the failing requests are the dynamic ones the instance group serves.

Option C is wrong because forcing caching of dynamic content can serve stale or user-specific data to the wrong user, and the backend bucket serves only static objects anyway. Option D is wrong because connection draining governs how long an instance keeps serving in-flight requests when it is removed from the group; it has no effect on capacity.

75
MCQmedium

A company is using Cloud SQL for MySQL in production. They notice that during peak hours, query latency increases significantly. The database is running on a db-n1-standard-2 instance with 100GB SSD. The CPU utilization spikes to 95% during peaks. The application uses connection pooling. Which action should the company take to improve performance while minimizing cost?

A.Increase the storage to 200GB to improve IOPS.
B.Add a read replica and redirect read queries to it.
C.Enable Cloud SQL Proxy to cache connections.
D.Increase the number of CPUs by switching to a db-n1-highcpu-2 instance.
AnswerB

Read replicas handle SELECT queries, reducing the primary instance's load and lowering latency for read-heavy workloads.

Why this answer

Adding a read replica offloads SELECT traffic from the primary, whose two vCPUs are saturated, without resizing the primary; it helps in proportion to how read-heavy the workload is, since writes still go to the primary, and it requires the application to route reads to the replica's address. Option A is wrong because storage size affects IOPS and throughput, and CPU is the bottleneck. Option C is wrong because the Cloud SQL Auth Proxy provides authenticated, encrypted connectivity; it does not cache connections or reduce query load.

Option D is wrong because the `-2` in the tier name means the same two vCPUs, so the change adds no CPU (Cloud SQL's predefined tiers are shared-core, standard and highmem; there is no highcpu tier). If the workload turns out to be write-heavy, a larger primary with more vCPUs is the correct scaling path instead.
