CCNA GCP Security Operations Questions

34 of 109 questions · Page 2/2 · GCP Security Operations topic · Answers revealed

76
MCQ · hard

A company has a multi-project setup with a shared VPC. They want to centrally audit all firewall rule changes. What is the most efficient way?

A. Create a log sink in each project that routes firewall-related logs to a Cloud Storage bucket and then aggregate.
B. Enable VPC Flow Logs on all subnets.
C. Export Admin Activity audit logs to a centralized project's BigQuery dataset.
D. Use Cloud Asset Inventory with IAM policy change feed.
Answer: C

Admin Activity logs include firewall rule changes; BigQuery enables efficient querying.

Why this answer

Option C is correct. Exporting Admin Activity audit logs to a centralized BigQuery dataset allows querying all firewall rule changes across projects. Option B is incorrect because VPC Flow Logs capture network traffic, not rule changes.

Option D is incorrect because Cloud Asset Inventory can track assets but not real-time changes efficiently. Option A is less efficient than a single export to BigQuery.

77
MCQ · easy

An organization's security policy requires that all audit logs be stored in a separate project for centralized monitoring. Which Google Cloud service should be used to aggregate logs from multiple projects?

A. Cloud Monitoring
B. Cloud Audit Logs
C. Security Command Center
D. Cloud Logging with log sinks
Answer: D

Log sinks can aggregate logs from multiple projects to a centralized destination.

Why this answer

Option D is correct because Cloud Logging log sinks can be configured to route logs from multiple projects to a common destination, such as a Cloud Storage bucket or BigQuery dataset in a separate project. Option A (Cloud Monitoring) is for metrics and alerting, not log aggregation. Option B (Cloud Audit Logs) is a type of log, not a service.

Option C (Security Command Center) is for security findings and compliance, not log aggregation.

78
MCQ · easy

Your organization has a multi-project environment with centralized logging in a dedicated project (logging-project). All VPC Service Controls perimeters are configured correctly. The security team needs to ensure that all audit logs from all projects are retained for 5 years and cannot be deleted or modified by any project administrator. They also want to restrict access to the logs to only the security team members (who have the 'Security Reviewer' role at the organization level). Currently, each project has its own log sink that exports to a BigQuery dataset in logging-project. The security team notices that some project administrators have inadvertently deleted logs from their project's BigQuery dataset. You need to recommend a solution that prevents log deletion and enforces the retention policy. What should you do?

A. Configure the log sinks to export logs to a Cloud Storage bucket with a lifecycle rule that deletes objects after 5 years. Set the bucket's IAM policy to deny the storage.objects.delete permission to all users except the security team.
B. Create a new BigQuery dataset in logging-project with a table expiration of 5 years and configure the log sinks to export to this dataset. Grant the security team the BigQuery Data Viewer role and revoke all other users' access to the dataset.
C. Create a new organization-level log sink that exports logs to a BigQuery dataset in logging-project. Grant the security team the BigQuery Data Owner role on the dataset and remove all other project administrators from the dataset's permissions.
D. Configure the _Required and _Default log buckets in each project to route logs to a Cloud Storage bucket in logging-project using log sinks. Enable Object Hold and set a retention policy of 5 years on the bucket. Grant the security team the Storage Object Admin role on the bucket.
Answer: D

Correct: Cloud Storage retention policies and Object Hold prevent deletion or modification of objects during the retention period. This centralizes logs and enforces retention.

Why this answer

Option D is correct because it uses a Cloud Storage bucket with a retention policy and Object Hold to prevent deletion or modification of logs for 5 years. The retention policy enforces a minimum retention period, and Object Hold prevents object deletion even by project administrators. Log sinks from each project's _Required and _Default log buckets route logs to this bucket, ensuring centralized, immutable storage.

Granting the security team Storage Object Admin allows them to manage the bucket while restricting others.

Exam trap

Google Cloud often tests the misconception that BigQuery datasets can enforce immutability or that lifecycle rules alone prevent user deletion, when in fact Cloud Storage retention policies and Object Hold are required for true write-once-read-many (WORM) compliance.

How to eliminate wrong answers

Option A is wrong because a lifecycle rule that deletes objects after 5 years does not prevent deletion by users; it only automates deletion after the period, and denying storage.objects.delete to all except security team is not sufficient because project administrators could still delete objects if they have other permissions (e.g., Storage Admin) that override the deny. Option B is wrong because BigQuery datasets do not support immutable retention policies or object-level locks; table expiration only deletes data after 5 years but does not prevent deletion or modification by dataset owners or project administrators with BigQuery Data Editor or Owner roles. Option C is wrong because an organization-level log sink exports logs to BigQuery, which lacks immutability features; granting BigQuery Data Owner to security team still allows other users with inherited roles (e.g., project-level BigQuery Admin) to modify or delete data, and removing project administrators from dataset permissions does not prevent deletion by those with higher-level roles.

79
MCQ · hard

An organization uses Cloud VPN tunnels to connect multiple VPCs. They need to record all network metadata for compliance audits without affecting throughput. What is the most effective approach?

A. Enable VPC Flow Logs on all subnets and export logs to a centralized BigQuery dataset.
B. Install a third-party packet inspection appliance in each VPC.
C. Configure Packet Mirroring to mirror all VPN traffic to a collector.
D. Use Cloud Logging to capture VPN tunnel logs from Cloud Router.
Answer: A

VPC Flow Logs provide metadata with negligible performance overhead and are suitable for compliance auditing.

Why this answer

Option A is correct because VPC Flow Logs capture metadata of all network flows with minimal performance impact, and exporting to BigQuery enables analysis. Option B is resource-intensive and may impact throughput. Option D only captures VPN tunnel status, not traffic metadata.

Option C mirrors traffic, which can be costly and impact performance.

80
MCQ · easy

A company uses Cloud Storage buckets to store customer uploads. Recently, a customer reported that a file they uploaded yesterday is missing. The bucket has object versioning enabled. The security team wants to investigate how the file went missing and whether any other files have been affected. The company's compliance requirements mandate that all object deletions must be logged and reviewed. What should the admin do first to investigate the missing file?

A. Check the access logs in the Storage bucket's logs section.
B. Use gsutil ls -a to list all versions of objects in the bucket.
C. Enable Object Lifecycle Management to restore deleted objects.
D. Check Cloud Logging for storage.googleapis.com/object_delete events.
Answer: D

Cloud Logging logs object deletions by default; this provides the time, user, and method of deletion, which is essential for investigation.

Why this answer

Option D is correct: checking Cloud Logging for object delete events is the most direct way to determine whether the file was deleted and by whom. Option B is incorrect because listing versions would only show whether the object exists, not the cause of its disappearance. Option C is incorrect because enabling lifecycle management does not help with the investigation.

Option A is incorrect because access logs are not automatically enabled and would not specifically show delete events.

81
MCQ · medium

Refer to the exhibit. A Cloud Run service fails to start and shows the above error. What is the most likely cause?

A. The container requires more memory than allocated
B. The PORT environment variable is not defined in the container
C. The application is configured to listen on a different port than the one specified by PORT
D. The number of concurrent requests exceeds the container's limit
Answer: C

Cloud Run injects PORT; the container must bind to that port. If the app listens on another port, it fails to start.

Why this answer

Option C is correct because the error explicitly states the container is not listening on the port defined by PORT. Cloud Run expects the container to bind to the port specified in the PORT environment variable (default 8080). Option B is wrong; the error is about listening, not about the variable being missing.

Option A is wrong; insufficient memory causes different errors. Option D is wrong; concurrent requests are a runtime limit, not a startup issue.

82
MCQ · easy

A startup is deploying a containerized application on Google Kubernetes Engine (GKE). The application is stateless and experiences variable traffic patterns, with periodic spikes during promotional events. The startup wants to minimize costs while ensuring the application can handle the variable load without performance degradation. They also prefer to automate scaling as much as possible. Which GKE configuration should they choose?

A. Use a cluster with node auto-repair and a fixed node pool.
B. Use a cluster with node auto-provisioning and preemptible nodes.
C. Use a cluster with a single zone and regular nodes.
D. Use a cluster with regional persistent disks for pods.
Answer: B

Node auto-provisioning adds nodes as needed, and preemptible nodes cost less than regular instances, ideal for stateless, fault-tolerant workloads.

Why this answer

Option B is correct: node auto-provisioning automatically scales the node pool based on pod resource requests, and preemptible nodes significantly reduce cost. This combination handles variable load while being cost-effective. Option D is incorrect because regional persistent disks are for stateful applications and increase cost.

Option C is incorrect because a single zone with regular nodes may not handle spikes and can be more expensive. Option A is incorrect because a fixed node pool does not automatically scale to meet variable demand.

83
MCQ · hard

During a security incident, a security engineer needs to revoke a compromised service account's access across all resources immediately. However, the service account has many roles across different projects. What is the most effective immediate step?

A. Remove all IAM policies that include the service account.
B. Disable the service account.
C. Disable the service account key.
D. Delete the service account from the project.
Answer: B

Disabling the service account instantly revokes all access while preserving policies.

Why this answer

Option B is correct because disabling the service account immediately revokes all access without removing IAM policies, allowing quick recovery later. Option D is irreversible and may break dependencies. Option C only prevents key-based authentication; the account can still be used from VM instances.

Option A is time-consuming and error-prone.

84
MCQ · medium

A security analyst wants to detect when a user creates a Compute Engine instance with a public IP address in a sensitive project. What is the best method?

A. Create a Cloud Function that triggers on instance creation events.
B. Enable Data Access audit logs and filter for insert calls.
C. Use Cloud Logging with a log-based metric and alert.
D. Use Cloud Asset Inventory to create a feed for instance creation.
Answer: C

Log-based metrics on Admin Activity audit logs allow real-time alerting on specific conditions.

Why this answer

Option C is correct. Using Cloud Logging with a log-based metric and alert on the compute.instances.insert log entry, checking for the presence of an external IP, provides real-time detection. Option B is incorrect because Data Access logs do not capture admin operations.

Option D is incorrect because Cloud Asset Inventory is not real-time. Option A is possible but more complex to set up and maintain.
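The check this explanation describes (an instance insert that carries an external IP, as a log-based metric would test it), together with the object-delete search from question 80, as an added worked example. This is not code from the question bank or from any Google tooling. The log entries are constructed samples shaped like exported LogEntry JSON; the field names (protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, protoPayload.resourceName, protoPayload.request.networkInterfaces[].accessConfigs[].type) follow the Cloud Audit Logs schema, the filter string is an assumed example, and the helper names load_entries, find_public_instance_inserts and find_object_deletes are mine.

```python
"""Detection logic over Cloud Audit Log entries (added example, constructed data)."""
import json
from typing import Iterable, List, Optional

# Query a log-based metric could use for the instance check (assumed example filter).
PUBLIC_INSTANCE_FILTER = (
    'protoPayload.methodName="v1.compute.instances.insert" AND '
    'protoPayload.request.networkInterfaces.accessConfigs.type="ONE_TO_ONE_NAT"'
)

# Constructed sample entries: two Admin Activity inserts and two Data Access calls.
SAMPLE_ENTRIES = [
    {  # instance created WITH an external IP -> should be flagged
        "timestamp": "2024-05-01T10:00:00Z",
        "protoPayload": {
            "methodName": "v1.compute.instances.insert",
            "authenticationInfo": {"principalEmail": "dev@example.com"},
            "resourceName": "projects/sensitive-project/zones/us-central1-a/instances/web-1",
            "request": {"networkInterfaces": [{
                "network": "global/networks/default",
                "accessConfigs": [{"name": "External NAT", "type": "ONE_TO_ONE_NAT"}]}]},
        },
    },
    {  # instance created WITHOUT an external IP -> ignored
        "timestamp": "2024-05-01T10:05:00Z",
        "protoPayload": {
            "methodName": "v1.compute.instances.insert",
            "authenticationInfo": {"principalEmail": "dev@example.com"},
            "resourceName": "projects/sensitive-project/zones/us-central1-a/instances/db-1",
            "request": {"networkInterfaces": [{"network": "global/networks/default"}]},
        },
    },
    {  # object deleted from the customer-uploads bucket -> should be flagged
        "timestamp": "2024-05-02T09:15:00Z",
        "protoPayload": {
            "methodName": "storage.objects.delete",
            "authenticationInfo": {"principalEmail": "ops@example.com"},
            "resourceName": "projects/_/buckets/customer-uploads/objects/invoice-42.pdf",
        },
    },
    {  # a read, not a delete -> ignored
        "timestamp": "2024-05-02T09:16:00Z",
        "protoPayload": {
            "methodName": "storage.objects.get",
            "authenticationInfo": {"principalEmail": "app@example.com"},
            "resourceName": "projects/_/buckets/customer-uploads/objects/invoice-43.pdf",
        },
    },
]
# The same entries as newline-delimited JSON, the form a sink export produces.
SAMPLE_LOG_LINES = "\n".join(json.dumps(e) for e in SAMPLE_ENTRIES)


def load_entries(ndjson: str) -> List[dict]:
    """Parse a newline-delimited JSON export into entry dicts, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def has_external_ip(request: dict) -> bool:
    """True if any interface in an insert request carries a one-to-one NAT access config."""
    return any(cfg.get("type") == "ONE_TO_ONE_NAT"
               for nic in request.get("networkInterfaces", [])
               for cfg in nic.get("accessConfigs", []))


def find_public_instance_inserts(entries: Iterable[dict]) -> List[dict]:
    """Instance creations that requested an external IP (the question-84 condition)."""
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if not payload.get("methodName", "").endswith("compute.instances.insert"):
            continue
        if has_external_ip(payload.get("request", {})):
            hits.append({"time": entry.get("timestamp"),
                         "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
                         "instance": payload.get("resourceName")})
    return hits


def find_object_deletes(entries: Iterable[dict], bucket: Optional[str] = None) -> List[dict]:
    """Object deletions, optionally limited to one bucket (the question-80 investigation)."""
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        resource = payload.get("resourceName", "")
        if payload.get("methodName") != "storage.objects.delete" or "/objects/" not in resource:
            continue
        bucket_name, object_name = resource.split("/buckets/", 1)[1].split("/objects/", 1)
        if bucket is not None and bucket_name != bucket:
            continue
        hits.append({"time": entry.get("timestamp"),
                     "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
                     "bucket": bucket_name, "object": object_name})
    return hits


if __name__ == "__main__":
    entries = load_entries(SAMPLE_LOG_LINES)
    print("external IP on new instance:", find_public_instance_inserts(entries))
    print("object deleted:", find_object_deletes(entries, bucket="customer-uploads"))
```

The two detectors deliberately read only the fields the question bank names (who, when, which resource), so the same functions work on entries pulled from a BigQuery export or from a Pub/Sub subscriber; matching on the suffix compute.instances.insert also catches the beta.* variant of the method name.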

85
MCQ · easy

A DevOps team wants to automatically scale a managed instance group based on CPU utilization. Which metric should they use in the autoscaler?

A. 'compute.googleapis.com/instance/cpu/usage_time'
B. 'compute.googleapis.com/instance/cpu/utilization'
C. 'compute.googleapis.com/instance/cpu/reserved_cores'
D. 'agent.googleapis.com/cpu/utilization'
Answer: B

This is the built-in CPU utilization metric suitable for autoscaling.

Why this answer

The compute.googleapis.com/instance/cpu/utilization metric measures actual CPU usage, suitable for autoscaling.

86
MCQ · hard

Refer to the exhibit. A user jane@example.com receives a 403 Access Denied error when trying to list objects in a Cloud Storage bucket. What is the most likely cause?

A. The IAM condition restricts access to requests originating from the 10.0.0.0/24 IP range
B. Jane does not have the storage.objects.list permission
C. The bucket is in a different project
D. The IAM policy is too permissive and conflicts with other policies
Answer: A

The condition checks the 'x-forwarded-for' header starts with '10.0.0.', so requests from other IPs are denied.

Why this answer

Option A is correct because the IAM policy includes a condition that requires the request to come from an IP starting with '10.0.0.' (a private IP). If Jane is accessing from a different IP, the condition fails and access is denied. Option B is wrong; the role includes storage.objects.list.

Option C is wrong; there is no indication of a different project. Option D is wrong; the policy is restrictive, not permissive.

87
Multi-Select · easy

Which TWO Google Cloud services are serverless compute platforms that let you run code without managing servers?

Select 2 answers
A. Cloud Run
B. Compute Engine
C. Google Kubernetes Engine (GKE)
D. Cloud Functions
E. App Engine
Answers: A, D

Cloud Run is a serverless container platform.

Why this answer

Options A and D are correct. Cloud Functions and Cloud Run are serverless compute services that abstract server management. Option B (Compute Engine) is IaaS.

Option C (GKE) is container orchestration. Option E (App Engine) is also serverless, but the question asks for two, and Cloud Functions and Cloud Run are selected as the most commonly cited serverless compute options.

88
MCQ · medium

A multinational corporation operates multiple Google Cloud projects across several folders. They have a security requirement to enforce that all Cloud Storage buckets are created with uniform bucket-level access enabled and that no bucket has public access. They want to automatically remediate any non-compliant bucket that violates these policies. Currently, they use Organization Policies to enforce uniform bucket-level access, but they still find some buckets with public access due to exceptions. They have Cloud Security Command Center (Cloud SCC) enabled and receive findings about public buckets. The operations team wants to build a solution that automatically disables public access on non-compliant buckets. Which approach should they take?

A. Create a new Organization Policy that denies public access to all buckets.
B. Configure a Cloud Monitoring alert policy that triggers a webhook to a third-party automation tool.
C. Create a Cloud Security Command Center notification channel for public bucket findings, publish to a Pub/Sub topic, and trigger a Cloud Function that removes public IAM bindings from the bucket.
D. Write a script using gsutil and run it daily via Cloud Scheduler to check all buckets and remove public access.
Answer: C

Automates detection and response in near real-time.

Why this answer

Option C is correct because using Cloud Functions triggered by Cloud SCC notifications allows real-time remediation. Option A is incorrect because Organization Policies can't automatically fix individual buckets after creation. Option D is incorrect because the script runs on a schedule, not in real time.

Option B is incorrect because Cloud Monitoring alerts are not designed for this kind of automatic remediation.
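The remediation step at the end of the option C pipeline, as an added worked example; this is not code from the question bank or from Google. It shows the Cloud Function logic: a Security Command Center notification arrives as a Pub/Sub message, the bucket name is taken from the finding's resourceName, and every IAM binding that grants access to allUsers or allAuthenticatedUsers is dropped. The message and policy are constructed; the notification layout ({"finding": {...}} with a resourceName of //storage.googleapis.com/<bucket>) and the category name PUBLIC_BUCKET_ACL are assumed to match what Security Health Analytics emits. The Cloud Storage API calls are passed in as callbacks so the logic runs offline; in a deployed function they would wrap bucket.get_iam_policy() and bucket.set_iam_policy() from google-cloud-storage.

```python
"""Cloud Function logic that strips public IAM bindings from a flagged bucket (added example)."""
import base64
import json
from typing import Callable, Dict, List, Optional, Tuple

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
TARGET_CATEGORY = "PUBLIC_BUCKET_ACL"          # assumed Security Health Analytics category
BUCKET_PREFIX = "//storage.googleapis.com/"    # assumed SCC resourceName form for a bucket

# Constructed IAM policy for a bucket that was made public by mistake.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers", "user:alice@example.com"]},
        {"role": "roles/storage.objectCreator", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/storage.admin", "members": ["group:storage-admins@example.com"]},
    ],
    "etag": "CAE=",
}


def make_event(finding: dict) -> dict:
    """Wrap a finding the way a Pub/Sub-triggered function receives it (base64 JSON in 'data')."""
    message = {"notificationConfigName": "organizations/123/notificationConfigs/public-buckets",
               "finding": finding}
    return {"data": base64.b64encode(json.dumps(message).encode()).decode()}


# Constructed SCC notification for the sample bucket.
SAMPLE_EVENT = make_event({"category": TARGET_CATEGORY, "state": "ACTIVE",
                           "resourceName": BUCKET_PREFIX + "marketing-assets"})

# In-memory stand-in for the bucket IAM API so the example runs offline.
FAKE_POLICIES: Dict[str, dict] = {"marketing-assets": json.loads(json.dumps(SAMPLE_POLICY))}


def fake_get_policy(bucket: str) -> dict:
    return json.loads(json.dumps(FAKE_POLICIES[bucket]))  # deep copy, like a fresh API read


def fake_set_policy(bucket: str, policy: dict) -> None:
    FAKE_POLICIES[bucket] = policy


def decode_pubsub_event(event: dict) -> dict:
    return json.loads(base64.b64decode(event["data"]).decode())


def bucket_from_finding(finding: dict) -> Optional[str]:
    """Extract the bucket name; None if the finding is not about a Cloud Storage bucket."""
    name = finding.get("resourceName", "")
    if not name.startswith(BUCKET_PREFIX):
        return None
    return name[len(BUCKET_PREFIX):].split("/", 1)[0] or None


def strip_public_bindings(policy: dict) -> Tuple[dict, List[str]]:
    """Return (policy without public members, list of 'member -> role' removals)."""
    removed, kept = [], []
    for binding in policy.get("bindings", []):
        members = binding.get("members", [])
        removed += [f"{m} -> {binding['role']}" for m in members if m in PUBLIC_MEMBERS]
        private = [m for m in members if m not in PUBLIC_MEMBERS]
        if private:  # a binding whose only members were public disappears entirely
            kept.append({**binding, "members": private})
    return {**policy, "bindings": kept}, removed  # etag kept for the conditional write


def remediate(event: dict,
              get_policy: Callable[[str], dict],
              set_policy: Callable[[str, dict], None]) -> dict:
    """Function entry point: act only on active public-bucket findings."""
    finding = decode_pubsub_event(event).get("finding", {})
    if finding.get("category") != TARGET_CATEGORY or finding.get("state") != "ACTIVE":
        return {"bucket": None, "removed": [], "reason": "not an active public-bucket finding"}
    bucket = bucket_from_finding(finding)
    if bucket is None:
        return {"bucket": None, "removed": [], "reason": "resourceName is not a bucket"}
    policy, removed = strip_public_bindings(get_policy(bucket))
    if removed:  # write only when something changed, so repeated deliveries are harmless
        set_policy(bucket, policy)
    return {"bucket": bucket, "removed": removed}


if __name__ == "__main__":
    print(remediate(SAMPLE_EVENT, fake_get_policy, fake_set_policy))
```

Two details matter in production: the function is idempotent (a redelivered Pub/Sub message finds nothing left to remove), and the policy's etag is carried through so the write fails instead of silently overwriting a change made between the read and the write.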

89
Multi-Select · hard

A company is implementing a zero-trust network architecture on Google Cloud. They want to ensure that all traffic between their on-premises data center and Google Cloud is encrypted and authenticated. Additionally, they need to support high availability across multiple regions. Which two Google Cloud services should they use? (Choose two.)

Select 2 answers
A. Cloud NAT
B. VPC Network Peering
C. Cloud CDN
D. Cloud Interconnect (Dedicated)
E. Cloud VPN
Answers: D, E

Dedicated Interconnect provides high-bandwidth, low-latency connections and supports high availability via multiple VLAN attachments.

Why this answer

Cloud VPN provides encrypted tunnels for secure connectivity. Cloud Interconnect (Dedicated) offers dedicated, low-latency, high-availability connections. Combining both provides encryption (via VPN over Interconnect) and HA.

Option A is incorrect because Cloud NAT is for outbound traffic only. Option B is incorrect because VPC Network Peering is for connecting VPCs within Google Cloud. Option C is incorrect because Cloud CDN is for content delivery, not network connectivity.

90
Multi-Select · medium

An organization wants to enforce data loss prevention (DLP) for sensitive data stored in Cloud Storage. Which THREE of the following Google Cloud services can be used together to inspect, classify, and automatically redact sensitive data in Cloud Storage? (Choose three.)

Select 3 answers
A. BigQuery
B. Cloud Storage
C. Dialogflow CX
D. Cloud Data Loss Prevention (DLP) API
E. Cloud Functions
Answers: B, D, E

Cloud Storage stores the data and can store inspection results or redacted copies.

Why this answer

Cloud Storage is the target data repository where sensitive data resides, making it a necessary component of the DLP workflow. The Cloud Data Loss Prevention (DLP) API inspects and classifies the data, and Cloud Functions can be triggered by Cloud Storage events to automatically redact or transform the sensitive content before it is stored or accessed.

Exam trap

Google Cloud often tests the misconception that BigQuery is required for DLP on Cloud Storage, but BigQuery is only needed if you are analyzing structured tables; for object-level inspection and redaction in Cloud Storage, the combination of Cloud Storage, Cloud DLP API, and Cloud Functions is the correct serverless pipeline.

91
MCQ · easy

A security engineer wants to ensure that all API calls to Google Cloud services are logged for audit purposes. Which service should they enable?

A. VPC Flow Logs
B. Cloud Audit Logs
C. Cloud NAT Logs
D. Firewall Rules Logging
Answer: B

Cloud Audit Logs record all API calls and administrative actions.

Why this answer

Cloud Audit Logs record administrative and data access activities. Other logs serve different purposes.

92
MCQ · hard

A large enterprise has a security command center that uses SIEM to analyze logs. They are migrating to Google Cloud and want to export all Cloud Audit Logs (Admin Activity, Data Access, and System Events) from all projects into a centralized BigQuery dataset for analysis. They also need to ensure logs are available within 5 minutes of being generated. Which sink configuration should they use?

A. Create an aggregated sink at the organization level that includes all projects and uses a BigQuery dataset as destination, with inclusion filters for all audit log types.
B. Create a single aggregated sink at the organization level that uses a Pub/Sub topic as destination, and have a subscriber stream logs into BigQuery.
C. Create a sink in each project that exports Audit Logs to a shared BigQuery dataset.
D. Enable logging export using Cloud Logging's beta feature to stream logs to an external SIEM via syslog.
Answer: A

Aggregated sinks can export logs from all projects under the organization to a single BigQuery dataset.

Why this answer

Option A is correct because aggregating sinks across all projects into a single BigQuery dataset via inclusion filters is the standard method. Option C is incorrect because a sink at project level requires individual setup per project. Option D is incorrect because the Logs Router cannot route to a SIEM directly.

Option B is incorrect because inclusion filters without aggregation would not capture all projects efficiently.

93
MCQ · medium

A security engineer is reviewing the IAM policy of a Cloud Storage bucket that contains sensitive data. The exhibit shows the current policy. A developer reports that they can read objects in the bucket using service account sa-2, but they cannot delete objects. What is the most likely reason?

A. There is an explicit deny on the bucket for sa-2
B. The service account sa-2 has roles/storage.objectAdmin, which includes delete permissions, but there might be a condition or organization policy preventing deletion
C. The bucket has uniform bucket-level access disabled, so ACLs override IAM
D. The service account sa-2 actually has roles/storage.objectViewer, not objectAdmin
Answer: B

objectAdmin includes delete, so the issue is likely an additional constraint.

Why this answer

Option B is correct because the IAM policy shows that service account sa-2 has the roles/storage.objectAdmin role, which includes the storage.objects.delete permission. However, the presence of a condition or an organization policy (such as a VPC Service Controls perimeter or a boolean constraint) can override this permission, preventing deletion even though the role is assigned. The developer can read objects (permitted by the role) but cannot delete them, indicating that a higher-level policy is blocking the delete action.

Exam trap

Google Cloud often tests the misconception that a role with delete permissions always allows deletion, ignoring that IAM conditions or organization policies can override the permission, leading candidates to incorrectly choose a role mismatch or ACL override.

How to eliminate wrong answers

Option A is wrong because there is no explicit deny statement in the IAM policy for sa-2; explicit denies are rare and would appear as a separate 'Deny' rule, not as a missing permission. Option C is wrong because uniform bucket-level access being disabled would allow ACLs to coexist with IAM, but ACLs cannot override IAM permissions for the same principal; if sa-2 has the objectAdmin role via IAM, ACLs cannot restrict that permission unless they explicitly deny (which is not shown). Option D is wrong because the exhibit clearly shows the role is roles/storage.objectAdmin, not objectViewer; the developer can read objects, which is consistent with objectAdmin, but the inability to delete points to a condition or org policy, not a role mismatch.

94
MCQ · medium

A company uses Cloud Functions and wants to ensure that only authorized services can invoke them. The functions are triggered via HTTP. What is the best way to achieve this?

A. Set a VPC connector and allow only internal traffic.
B. Use Cloud Endpoints with API keys and IAM.
C. Rely on the Cloud Functions URL being unguessable.
D. Use Firebase Authentication.
Answer: B

Cloud Endpoints provides robust authentication and authorization for HTTP triggers.

Why this answer

Option B is correct because Cloud Endpoints can authenticate and authorize requests using API keys and IAM, providing fine-grained access control. Option A is not suitable for HTTP-triggered Cloud Functions, as VPC connectors are for internal network access. Option D is designed for Firebase mobile clients, not service-to-service calls.

Option C is insecure, as URLs can be guessed or leaked.

95
MCQ · medium

A security engineer notices that a service account has been granted the 'roles/editor' role on a project. According to least privilege, what is the best course of action?

A. Create a custom role with only the necessary permissions and reassign it to the service account.
B. Remove the service account and create a new one with a custom role containing only required permissions.
C. Change the role to 'roles/viewer' to be more restrictive.
D. Keep the role but add an access boundary using VPC Service Controls.
Answer: A

Custom roles allow precise permission assignment, adhering to least privilege.

Why this answer

Option A is correct because creating a custom role with only the necessary permissions and reassigning it minimizes privileges while maintaining functionality. Option B is too drastic and may break services. Option C may be too restrictive.

Option D doesn't change the permissions; VPC Service Controls restrict access at the network level, not permissions.

96
MCQ · medium

A security engineer needs to ensure that all compute instances are patched with the latest security updates. What is the recommended approach?

A. Use OS Config Management with patch compliance reporting.
B. Use a configuration management tool like Chef.
C. Use the VM Manager patch deployment feature.
D. Use Cloud Scheduler to run a script that patches instances.
Answer: C

VM Manager patch deployment automates patching across instances with compliance tracking.

Why this answer

Option C is correct. The VM Manager patch deployment feature within OS Config Management provides a managed, automated patching solution. Option B is not a built-in Google Cloud service.

Option A is partially correct, but VM Manager is the specific managed patching service. Option D is less reliable and manual. Option C is the most comprehensive and automated.

97
Multi-Select · medium

Which TWO are benefits of using Cloud Armor with a global external HTTPS Load Balancer?

Select 2 answers
A. Automatic content caching
B. Traffic management based on latency
C. Built-in load balancing
D. DDoS protection at the edge
E. Web Application Firewall (WAF) rules
Answers: D, E

Cloud Armor offers built-in DDoS protection using Google's global infrastructure.

Why this answer

Options D and E are correct. Cloud Armor provides DDoS protection and WAF capabilities. Option C (load balancing) is the load balancer's function, not Cloud Armor's.

Option A (content caching) is provided by Cloud CDN. Option B (traffic management) is not a primary Cloud Armor feature.

98
MCQ · easy

Your company runs a production application on Google Kubernetes Engine (GKE) with a Regional cluster. The application uses a custom domain with TLS certificates that are stored as Kubernetes secrets and mounted into the ingress. The certificates expire every 90 days and are currently renewed manually by a DevOps engineer. Last week, the certificate expired, causing an outage until it was renewed. Management requires an automated solution to renew certificates before expiration. The team wants to minimize changes to the existing architecture and avoid additional costs. What should you do?

A. Configure Cloud Load Balancing with a Google-managed SSL certificate and update the DNS to point to the load balancer IP.
B. Deploy cert-manager on the GKE cluster and configure it with an Issuer or ClusterIssuer to automatically obtain and renew certificates from Let's Encrypt.
C. Set up Cloud DNS to automatically respond to ACME HTTP-01 challenges and configure the ingress to use certificates from a public CA.
D. Store the certificate and private key in Cloud Secret Manager and configure the ingress to reference the secrets via the Secret Manager CSI driver.
Answer: B

cert-manager fully automates certificate lifecycle and stores certificates as Kubernetes secrets, matching the existing architecture.

Why this answer

Option B is correct because cert-manager is a native Kubernetes add-on that automates the lifecycle of TLS certificates from public CAs like Let's Encrypt. It integrates directly with GKE Ingress and can handle ACME HTTP-01 or DNS-01 challenges without altering the existing architecture or incurring additional cloud costs, as it runs within the cluster.

Exam trap

Google Cloud often tests the distinction between certificate storage solutions (like Secret Manager) and automated renewal mechanisms (like cert-manager), leading candidates to choose a storage-only option that does not solve the renewal problem.

How to eliminate wrong answers

Option A is wrong because switching to a Google-managed SSL certificate requires changing the load balancer configuration and DNS records, which modifies the existing architecture and may incur additional costs for the load balancer. Option C is wrong because Cloud DNS alone cannot automatically respond to ACME HTTP-01 challenges; the challenge response must be served by the ingress controller, and this option does not provide an automated renewal mechanism. Option D is wrong because storing certificates in Cloud Secret Manager and using the CSI driver only centralizes secret storage but does not automate the renewal process; certificates would still need to be manually updated before expiry.

99
MCQ · medium

A security engineer is reviewing an IAM policy for a Cloud Storage bucket. The engineer wants to ensure that the service account 'sa@project.iam.gserviceaccount.com' can only read objects. What is the current effective permission?

A. The service account has objectCreator access by default.
B. The service account has objectViewer access as assigned.
C. The service account has no access because the policy is incomplete.
D. The service account has objectAdmin access because it is not explicitly denied.
Answer: B

The policy explicitly grants objectViewer role to the service account.

Why this answer

Option B is correct because the service account is assigned the objectViewer role, which allows read-only access. Option D is incorrect because the service account does not have objectAdmin. Option C is incorrect because there is no explicit deny; the viewer role is assigned.

Option A is incorrect because objectCreator is not granted.

100
MCQ · medium

A security operations team is using Cloud Audit Logs to investigate a suspicious data export from a Cloud Storage bucket. They need to see which user accessed a specific object and when. Which log type should they examine?

A. Data Access logs
B. Policy Denied logs
C. System Event logs
D. Admin Activity logs
Answer: D

Admin Activity logs record configuration changes, not data access.

Why this answer

Data Access logs record object-level operations on Cloud Storage. Admin Activity logs only cover configuration changes.

101
Multi-Select · easy

A security engineer is configuring Cloud Armor to protect a global external HTTP(S) Load Balancer. Which TWO of the following are valid Cloud Armor security policies? (Choose two.)

Select 2 answers
A. Web Security Scanner scan rule
B. Signed URL policy
C. Preconfigured Identity-Aware Proxy (IAP) rule
D. Preconfigured OWASP Top 10 rules
E. Custom rule with rate limiting based on IP
Answers: D, E

Cloud Armor includes predefined WAF rules for OWASP vulnerabilities.

Why this answer

Option D is correct because Cloud Armor includes preconfigured rules that map directly to the OWASP Top 10 web application vulnerabilities, such as SQL injection and cross-site scripting (XSS). These rules are managed by Google and automatically updated to protect against the latest attack patterns, making them a valid security policy for a global external HTTP(S) Load Balancer.

Exam trap

Google Cloud often tests the distinction between Cloud Armor security policies and other Google Cloud security services (like IAP, Signed URLs, or Web Security Scanner), so the trap here is confusing access control or URL signing mechanisms with the WAF-like rule engine of Cloud Armor.

102
MCQ · medium

Refer to the exhibit. A developer working from a workstation with IP 203.0.113.5 cannot SSH to a VM in the my-vpc network. Which firewall rule is most likely blocking the connection?

A.allow-ssh-from-bastion
B.deny-ssh-all
C.default-allow-http
D.default-allow-ssh
AnswerB

This rule denies SSH from all sources at priority 200, which is evaluated before the allow rules at 500 and 1000, so no SSH reaches the VM.

Why this answer

Option B is correct because deny-ssh-all has priority 200, a lower number and therefore a higher precedence than allow-ssh-from-bastion (500) and default-allow-ssh (1000). Google Cloud evaluates firewall rules in priority order (0 is highest, 65535 lowest) and applies the first match; when two rules share a priority, the deny takes precedence. The developer's address 203.0.113.5 is not covered by allow-ssh-from-bastion, which only permits 10.0.1.2, but even the bastion is blocked while the deny sits at 200. default-allow-http only covers TCP port 80 and is irrelevant to SSH. To let the bastion through, its allow rule needs a priority number lower than 200.
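The evaluation order described above, as an added example that is not part of the question bank: a small Python model of VPC firewall rule matching (priority ascending, deny beats allow on a tie, implied deny-all ingress at 65535). The rule table is constructed from the explanation's description of the exhibit, so the names, priorities and source ranges are assumptions rather than a real project's rules.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FirewallRule:
    name: str
    priority: int      # 0-65535; lower number = evaluated first
    action: str        # "allow" or "deny"
    protocol: str      # "tcp", "udp", "icmp" or "all"
    ports: tuple       # empty tuple = every port
    sources: tuple     # source CIDR ranges

    def matches(self, src_ip: str, protocol: str, port: int) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if self.ports and port not in self.ports:
            return False
        addr = ipaddress.ip_address(src_ip)
        return any(addr in ipaddress.ip_network(cidr) for cidr in self.sources)


# Constructed ingress rule table for my-vpc, matching the exhibit as the
# explanation describes it (assumptions, not a real project's rules).
RULES = [
    FirewallRule("default-allow-ssh", 1000, "allow", "tcp", (22,), ("0.0.0.0/0",)),
    FirewallRule("default-allow-http", 1000, "allow", "tcp", (80,), ("0.0.0.0/0",)),
    FirewallRule("allow-ssh-from-bastion", 500, "allow", "tcp", (22,), ("10.0.1.2/32",)),
    FirewallRule("deny-ssh-all", 200, "deny", "tcp", (22,), ("0.0.0.0/0",)),
]

# Every VPC network carries an implied deny-all ingress rule at the lowest priority.
IMPLIED_DENY = FirewallRule("implied-deny-ingress", 65535, "deny", "all", (), ("0.0.0.0/0",))


def evaluate_ingress(rules, src_ip, protocol, port):
    """Return (action, rule_name) of the first rule that matches the packet.
    Evaluation order is priority ascending; on a tie, deny wins over allow,
    which is why deny rules sort first within a priority."""
    ordered = sorted(list(rules) + [IMPLIED_DENY],
                     key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in ordered:
        if rule.matches(src_ip, protocol, port):
            return rule.action, rule.name
    return "deny", IMPLIED_DENY.name   # not reached: the implied rule matches everything


if __name__ == "__main__":
    for src, proto, port in (("203.0.113.5", "tcp", 22),   # the developer: denied by deny-ssh-all
                             ("10.0.1.2", "tcp", 22),      # the bastion: also denied, 200 < 500
                             ("203.0.113.5", "tcp", 80)):  # HTTP: allowed by default-allow-http
        print(src, proto, port, "->", evaluate_ingress(RULES, src, proto, port))
```

Running it shows the point the question is making: the bastion's allow rule at 500 never gets a chance because the deny at 200 matches first, so the fix is to renumber the bastion rule below 200 (or narrow the deny), not to add yet another allow rule at the default priority of 1000.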

103
MCQhard

A large enterprise runs a streaming data pipeline using Dataflow to process events from Pub/Sub, apply aggregations with fixed windows, and write results to BigQuery. They are experiencing high costs and long processing times. The Dataflow job uses Streaming Engine, but the workers show high CPU utilization. The pipeline has autoscaling enabled, but the number of workers rarely increases. The team wants to reduce processing time and cost. What should they do?

A.Use a larger machine type for workers, such as n1-standard-8.
B.Increase the number of workers by setting maxNumWorkers higher.
C.Optimize the windowing interval to reduce data shuffling.
D.Switch from Streaming Engine to batch mode to reduce resource overhead.
AnswerC

Shorter windows or aligning windows with data patterns can reduce state size and shuffling, lowering CPU usage and improving throughput.

Why this answer

Optimizing the windowing interval reduces data shuffling and can improve performance without adding resources. Long windows cause more state to be kept, increasing CPU and memory demands. Option B is incorrect because raising maxNumWorkers may help, but the job is already CPU-bound and not scaling; more workers will not reduce CPU per worker if the root cause is data shuffling.

Option A is incorrect because larger machines increase cost and may not address the root cause. Option D is incorrect because switching to batch would not meet real-time requirements and may cause data loss.

104
MCQhard

During a security incident, the forensic team needs to capture the memory and disk state of a compromised Compute Engine VM without shutting it down. The VM is running a critical application and cannot be stopped. What is the best approach to gather forensic data?

A.Clone the VM and perform forensics on the clone while the original continues running.
B.Use gcloud compute ssh to connect and run a memory capture tool, then create a disk snapshot at the same time.
C.Take a snapshot of the disk while the VM is running, and use Cloud Memorystore to capture memory.
D.Stop the VM, take a snapshot of the disk, and then start the VM.
AnswerB

Memory must be acquired from the live system over SSH with a dedicated memory acquisition tool (for Linux, LiME or AVML); the persistent disk snapshot is taken concurrently so the two captures describe the same point in time as closely as possible.

Why this answer

Option B is correct. Volatile memory is lost the moment the VM stops, so the only way to capture it without downtime is to connect (gcloud compute ssh, ideally through OS Login so the access itself is audited) and run a memory acquisition tool, writing the image to an attached scratch disk or streaming it off the host rather than onto the compromised boot disk. A snapshot of the persistent disk taken at the same time (gcloud compute disks snapshot) preserves the disk state without stopping the VM; it is crash-consistent, which is acceptable for forensics. Hash both images immediately and record the hashes for chain of custody, and remember that a tool run on a compromised host can be subverted by a rootkit, so prefer statically linked binaries copied in for the purpose.

Option A is incorrect because cloning a running VM captures the disk, not the contents of memory, and the original keeps changing while you work. Option C is incorrect because Cloud Memorystore is a managed Redis/Memcached service and has nothing to do with VM memory. Option D is incorrect because stopping the VM destroys the memory state and violates the no-downtime requirement.

105
Multi-Selecthard

Which TWO techniques can be used to secure a Cloud Storage bucket containing sensitive data? (Choose 2.)

Select 2 answers
A.Enable uniform bucket-level access
B.Use a VPC Service Control perimeter
C.Set a retention policy
D.Use a Customer-managed encryption key (CMEK)
E.Enable object versioning
AnswersA, B

Uniform bucket-level access disables object ACLs so that IAM alone governs access, removing a common source of accidental public exposure; a VPC Service Controls perimeter stops the data from being read from outside the perimeter even by a principal that holds the IAM role.

Why this answer

Options A and B are the two access-control measures and are the answer the key expects. Uniform bucket-level access simplifies and centralizes permissions, and VPC Service Controls restrict which projects, networks and access levels may reach the bucket's API at all, which is the main defense against exfiltration by a compromised credential. The other options also harden a bucket but address different properties: a retention policy and object versioning protect integrity and recoverability, and CMEK gives the customer control over the key and the ability to revoke it. In practice a sensitive bucket would use all five.

106
MCQhard

A company requires a secure, dedicated connection between their on-premises data center and Google Cloud with bandwidth of 10 Gbps and a 99.99% SLA. Which connectivity option should they use?

A.Use Direct Peering
B.Use Partner Interconnect with a 10 Gbps connection
C.Use Cloud VPN with two tunnels for redundancy
D.Use Dedicated Interconnect with two VLAN attachments
AnswerD

Dedicated Interconnect provides 10 Gbps (or 100 Gbps) circuits and carries a 99.99% SLA when deployed redundantly.

Why this answer

Option D is correct because Dedicated Interconnect offers 10 Gbps or 100 Gbps physical connections to Google's network and is the option designed for a 99.99% availability SLA when the connections and VLAN attachments are redundant. Note the caveat on the wording: two VLAN attachments on two connections in one metro is Google's 99.9% topology; the 99.99% topology requires four connections across two metros (two edge availability domains in each) attached to Cloud Routers in two regions. Option C is wrong because Cloud VPN tunnels are limited to roughly 3 Gbps each; HA VPN does carry a 99.99% SLA, but it runs over the public internet and cannot satisfy the 10 Gbps dedicated-link requirement. Option A is wrong because Direct Peering only reaches Google's public services over public IP space and carries no SLA.

Option B is wrong because Partner Interconnect is provisioned through a service provider whose circuits and SLA sit outside Google's (attachment capacities run from 50 Mbps to 50 Gbps); it is the choice when you cannot reach a colocation facility, not when you need a dedicated 10 Gbps link with an end-to-end SLA.

107
MCQmedium

A security engineer needs to investigate a potential data exfiltration incident in a Google Cloud environment. The engineer has access to Cloud Logging and wants to identify any unusual outbound network traffic from Compute Engine instances. Which log sink filter should the engineer create to capture VPC flow logs for traffic destined to an external IP address not in the internal network ranges?

A.Create a sink with filter: 'resource.type="gce_subnetwork" AND jsonPayload.connection.dest_ip="0.0.0.0/0"'
B.Create a sink with filter: 'resource.type="gce_subnetwork" AND jsonPayload.reporter="src" AND jsonPayload.connection.dest_ip="0.0.0.0/0"'
C.Create a sink with filter: 'resource.type="gce_subnetwork" AND jsonPayload.connection.dest_ip!="10.0.0.0/8" AND jsonPayload.connection.dest_ip!="172.16.0.0/12" AND jsonPayload.connection.dest_ip!="192.168.0.0/16"'
D.Create a sink with filter: 'compute.googleapis.com/vpc_flows'
AnswerC

This filter expresses the intent: VPC flow log records whose destination is outside the private ranges, which is the traffic to inspect for exfiltration.

Why this answer

Option C is correct among the choices because it targets VPC flow logs (resource.type="gce_subnetwork") and states the right condition: exclude the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) so that only flows to non-internal destinations remain. A practitioner should still not paste it as written: the != operator compares strings, so dest_ip!="10.0.0.0/8" is true for every record (no address literal equals a CIDR string) and the filter would match all flows. The Logging query language has a dedicated function for range matching, ip_in_net(jsonPayload.connection.dest_ip, "10.0.0.0/8"), and the working form is NOT ip_in_net(...) for each range. Two more refinements matter for an exfiltration investigation: add jsonPayload.reporter="SRC" so each flow is counted once, from the sending VM's side, rather than twice, and consider excluding 100.64.0.0/10 and 169.254.0.0/16 as well, since they are not external either.

Exam trap

Google Cloud often tests the misconception that 0.0.0.0/0 works as a wildcard in log filters. It does not: the equality operators compare the field as a string, and a CIDR literal never equals an address. Range matching in Cloud Logging is done with ip_in_net(), not with = or !=.

How to eliminate wrong answers

Option A is wrong because jsonPayload.connection.dest_ip="0.0.0.0/0" is a string comparison that no real destination address satisfies, so the sink captures nothing; it also omits the reporter field, so even a working version would record each flow twice, once from each end. Option B is wrong for the same reason: it adds the reporter condition (the actual value is upper-case "SRC", not "src"), but the dest_ip condition still matches no records. Option D is wrong because a bare string is not a filter expression at all; the log is selected with log_id("compute.googleapis.com/vpc_flows") or the full logName, and even then the filter says nothing about direction or destination.
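The detection the question is driving at, as an added example that is not part of the question bank: Python that emits the working Cloud Logging query (with ip_in_net() instead of string comparison) and, for a batch of exported flow records, aggregates bytes sent to external destinations per VM so that a large outbound transfer stands out. The three flow records are constructed to resemble VPC Flow Log jsonPayload entries; the VM name, addresses and byte counts are made up, and the 100 MiB threshold is an arbitrary assumption.

```python
import ipaddress
from collections import defaultdict

# The RFC 1918 ranges from the question, plus two ranges that are likewise
# not "external" (shared address space and link-local) so they do not
# pollute an exfiltration hunt.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16",
)]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def logging_query() -> str:
    """Cloud Logging query that does what option C intends. String inequality
    against a CIDR literal matches every record; ip_in_net() matches the range."""
    return (
        'resource.type="gce_subnetwork" AND '
        'log_id("compute.googleapis.com/vpc_flows") AND '
        'jsonPayload.reporter="SRC" AND '
        'NOT ip_in_net(jsonPayload.connection.dest_ip, "10.0.0.0/8") AND '
        'NOT ip_in_net(jsonPayload.connection.dest_ip, "172.16.0.0/12") AND '
        'NOT ip_in_net(jsonPayload.connection.dest_ip, "192.168.0.0/16")'
    )


# Constructed flow records shaped like VPC Flow Log jsonPayloads (bytes_sent is
# a string in the real export). Not copied from any real project.
SAMPLE_FLOWS = [
    {"jsonPayload": {"reporter": "SRC",
                     "connection": {"src_ip": "10.0.1.7", "dest_ip": "203.0.113.50",
                                    "src_port": 51000, "dest_port": 443, "protocol": 6},
                     "bytes_sent": "734003200",
                     "src_instance": {"vm_name": "db-worker-1"}}},
    {"jsonPayload": {"reporter": "SRC",
                     "connection": {"src_ip": "10.0.1.7", "dest_ip": "10.0.2.9",
                                    "src_port": 51001, "dest_port": 5432, "protocol": 6},
                     "bytes_sent": "1200",
                     "src_instance": {"vm_name": "db-worker-1"}}},
    {"jsonPayload": {"reporter": "DEST",   # same flow seen from the receiving side
                     "connection": {"src_ip": "203.0.113.50", "dest_ip": "10.0.1.7",
                                    "src_port": 443, "dest_port": 51000, "protocol": 6},
                     "bytes_sent": "5000",
                     "dest_instance": {"vm_name": "db-worker-1"}}},
]


def external_egress(entries, threshold_bytes=100 * 1024 * 1024):
    """Per-VM bytes sent to external destinations, for VMs over the threshold.
    Only SRC-side reports are counted so a flow is not counted twice."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for entry in entries:
        p = entry["jsonPayload"]
        if p.get("reporter") != "SRC":
            continue
        conn = p["connection"]
        if not is_external(conn["dest_ip"]):
            continue
        vm = p.get("src_instance", {}).get("vm_name", conn["src_ip"])
        totals[vm] += int(p.get("bytes_sent", "0"))
        dests[vm].add(conn["dest_ip"])
    return {vm: (sent, sorted(dests[vm]))
            for vm, sent in totals.items() if sent >= threshold_bytes}


if __name__ == "__main__":
    print(logging_query())
    for vm, (sent, targets) in external_egress(SAMPLE_FLOWS).items():
        print(f"{vm}: {sent / 2**20:.0f} MiB to {targets}")
```

The same logic is what you would put behind a BigQuery query over an exported vpc_flows table; the sample keeps it in Python so the SRC/DEST de-duplication and the private-range test are explicit.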

108
MCQhard

A security engineer is configuring VPC Service Controls to protect a Google Cloud project containing sensitive data. The project uses Cloud Storage and BigQuery. The engineer wants to ensure that data cannot be exfiltrated to external IP addresses outside the perimeter, but internal users should still be able to access the data from on-premises via a VPN. Which configuration should be applied?

A.Do not use VPC Service Controls; instead, rely on IAM permissions and firewall rules to control access
B.Add the project to a VPC Service Controls perimeter and configure an ingress rule to allow traffic from the on-premises VPN CIDR ranges
C.Create a separate perimeter that denies all traffic and apply it to the project
D.Add the project to a VPC Service Controls perimeter with no additional ingress rules
AnswerB

Ingress rules allow specific external sources (like VPN CIDR) to access the perimeter.

Why this answer

VPC Service Controls (VPC-SC) put a perimeter around the Google Cloud service APIs in the project (here Cloud Storage and BigQuery), so that API requests from outside the perimeter are rejected even when the caller holds the IAM role; they are a control on API access and data movement, not a packet filter. Adding the project to a perimeter and writing an ingress rule whose source is the on-premises network (expressed as an Access Context Manager access level containing the VPN CIDR ranges, or as the VPC network the VPN terminates in) lets internal users reach the data while every other external source is blocked. Scope the ingress rule to the identities and the services (storage.googleapis.com, bigquery.googleapis.com) that on-premises users actually need rather than allowing any user and any service.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls are a simple on/off switch, but the trap here is that without explicit ingress rules, all external traffic (including from VPNs) is denied, so candidates must remember to configure ingress rules for authorized sources.

How to eliminate wrong answers

Option A is wrong because relying solely on IAM and firewall rules does not prevent data exfiltration via external IPs; VPC Service Controls provide a higher layer of security that blocks data movement outside the perimeter regardless of IAM permissions. Option C is wrong because creating a separate perimeter that denies all traffic would block all access, including legitimate on-premises VPN users, which violates the requirement to allow internal user access. Option D is wrong because adding the project to a perimeter with no ingress rules would block all traffic from outside the perimeter, including the on-premises VPN, preventing authorized access.

109
MCQeasy

An organization uses Cloud Audit Logs to monitor admin activity. The security team wants to be alerted when a user creates a new IAM role at the organization level. Which type of audit log should they analyze?

A.Policy Denied audit logs
B.System Event audit logs
C.Data Access audit logs
D.Admin Activity audit logs
AnswerD

Admin Activity logs record changes to metadata, configurations, and IAM policies.

Why this answer

Admin Activity audit logs (option D) are the correct choice because they record operations that modify the configuration or metadata of resources, including creating or modifying IAM roles and policies at the organization level. Admin Activity logs are always on, cannot be disabled and are retained at no charge, so the event will be present; creating a custom role appears with methodName google.iam.admin.v1.CreateRole in the organization's cloudaudit.googleapis.com/activity log. To be alerted rather than merely able to search, the team would attach a log-based alerting policy or a log-based metric to a filter on that method name. Creating a role alters the organization's security posture, which is why it is an administrative (admin write) event.

Exam trap

Google Cloud often tests the distinction between Admin Activity and Data Access logs, and the trap here is that candidates mistakenly choose Data Access logs because they think 'creating a role' involves accessing data, when in fact it is a pure configuration change that falls under Admin Activity logs.

How to eliminate wrong answers

Option A is wrong because Policy Denied audit logs record only when a user or service account is denied access due to a deny policy or an organization policy constraint, not when an IAM role is created. Option B is wrong because System Event audit logs capture non-human Google Cloud system actions, such as automatic scaling or maintenance events, not user-initiated IAM role creation. Option C is wrong because Data Access audit logs track API calls that read or modify user-provided data (e.g., reading a Cloud Storage object), not administrative configuration changes like creating an IAM role.
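An added example that is not part of the question bank, covering the two audit log families contrasted in questions 100 and 109: Python that triages constructed Cloud Audit Logs entries, answering who accessed a given Cloud Storage object (Data Access logs) and flagging custom-role creation at the organization level (Admin Activity logs), and carrying the Logging filter that a log-based alert for the latter would use. The project name, bucket, organization ID, principals, IPs and timestamps are all made up.

```python
import json

DATA_ACCESS = "cloudaudit.googleapis.com%2Fdata_access"
ACTIVITY = "cloudaudit.googleapis.com%2Factivity"

# Constructed entries shaped like exported Cloud Audit Logs records. A real
# export carries many more fields; these are the ones an investigator keys on.
SAMPLE_ENTRIES = [
    {"logName": "projects/acme-prod/logs/" + DATA_ACCESS,
     "timestamp": "2024-05-03T10:15:02.120Z",
     "protoPayload": {"serviceName": "storage.googleapis.com",
                      "methodName": "storage.objects.get",
                      "resourceName": "projects/_/buckets/acme-exports/objects/customers.csv",
                      "authenticationInfo": {"principalEmail": "jdoe@acme.example"},
                      "requestMetadata": {"callerIp": "198.51.100.23"}}},
    {"logName": "projects/acme-prod/logs/" + DATA_ACCESS,
     "timestamp": "2024-05-03T10:16:40.001Z",
     "protoPayload": {"serviceName": "storage.googleapis.com",
                      "methodName": "storage.objects.get",
                      "resourceName": "projects/_/buckets/acme-exports/objects/readme.txt",
                      "authenticationInfo": {"principalEmail": "svc-etl@acme-prod.iam.gserviceaccount.com"},
                      "requestMetadata": {"callerIp": "10.0.1.7"}}},
    {"logName": "organizations/123456789012/logs/" + ACTIVITY,
     "timestamp": "2024-05-03T11:02:11.500Z",
     "protoPayload": {"serviceName": "iam.googleapis.com",
                      "methodName": "google.iam.admin.v1.CreateRole",
                      "resourceName": "organizations/123456789012/roles/auditBypass",
                      "authenticationInfo": {"principalEmail": "admin@acme.example"},
                      "requestMetadata": {"callerIp": "203.0.113.9"}}},
    {"logName": "projects/acme-prod/logs/" + ACTIVITY,
     "timestamp": "2024-05-03T11:05:00.000Z",
     "protoPayload": {"serviceName": "iam.googleapis.com",
                      "methodName": "google.iam.admin.v1.CreateRole",
                      "resourceName": "projects/acme-prod/roles/ciDeployer",
                      "authenticationInfo": {"principalEmail": "admin@acme.example"},
                      "requestMetadata": {"callerIp": "203.0.113.9"}}},
]


def log_type(entry):
    """Classify an entry by its logName suffix: the audit log family is
    encoded in the log name, independent of the method being called."""
    name = entry["logName"]
    if name.endswith(DATA_ACCESS):
        return "data_access"
    if name.endswith(ACTIVITY):
        return "admin_activity"
    return "other"


def object_access_events(entries, bucket, obj):
    """Who read, wrote or deleted bucket/obj, when, and from which IP.
    Only Data Access entries can answer this; Admin Activity never will."""
    target = f"projects/_/buckets/{bucket}/objects/{obj}"
    hits = []
    for e in entries:
        if log_type(e) != "data_access":
            continue
        p = e["protoPayload"]
        if p["serviceName"] != "storage.googleapis.com" or p["resourceName"] != target:
            continue
        hits.append({"time": e["timestamp"],
                     "principal": p["authenticationInfo"]["principalEmail"],
                     "method": p["methodName"],
                     "caller_ip": p["requestMetadata"].get("callerIp")})
    return sorted(hits, key=lambda h: h["time"])


def org_role_creations(entries):
    """Admin Activity entries for CreateRole whose resource sits under an
    organization, as opposed to a project-level custom role."""
    out = []
    for e in entries:
        if log_type(e) != "admin_activity":
            continue
        p = e["protoPayload"]
        if p["methodName"] != "google.iam.admin.v1.CreateRole":
            continue
        if not p["resourceName"].startswith("organizations/"):
            continue
        out.append((e["timestamp"], p["authenticationInfo"]["principalEmail"], p["resourceName"]))
    return out


# Logging filter for a log-based alert on the same condition (the ":" operator
# is a substring match in the Logging query language).
ALERT_FILTER = (
    'log_id("cloudaudit.googleapis.com/activity") AND '
    'protoPayload.methodName="google.iam.admin.v1.CreateRole" AND '
    'protoPayload.resourceName:"organizations/"'
)

if __name__ == "__main__":
    print(json.dumps(object_access_events(SAMPLE_ENTRIES, "acme-exports", "customers.csv"), indent=2))
    print(org_role_creations(SAMPLE_ENTRIES))
    print(ALERT_FILTER)
```

Note that the first function returns nothing for a bucket whose Data Access logging was never switched on, however complete the Admin Activity log is; that asymmetry is the practical point behind both questions.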
