PCSE Configuring Access Questions


76. MCQ (easy)

An administrator needs to grant a network team the ability to create and manage firewall rules, but not delete VPC networks. Which IAM role should be assigned?

A. roles/compute.networkAdmin
B. roles/compute.securityAdmin
C. roles/compute.viewer
D. roles/compute.admin

Answer: B

Allows managing firewall rules without network deletion.

Why this answer

The roles/compute.securityAdmin role grants permissions to create, modify, and delete firewall rules and SSL certificates, but it does not include the permissions to create, modify, or delete VPC networks, subnets, or routes. That is exactly the split the requirement asks for: the team manages firewall rules without being able to delete VPC networks.

Exam trap

The exam often tests the distinction between networkAdmin and securityAdmin. Candidates pick networkAdmin because the name suggests it covers firewall rules, but the split is the other way round: networkAdmin manages networking resources (networks, subnets, routes and so on, including deleting them) and has only read access to firewall rules and SSL certificates.

How to eliminate wrong answers

Option A is wrong because roles/compute.networkAdmin gives full control over VPC networks, including deleting them, while granting only read access to firewall rules, so it both exceeds and misses the required scope. Option C is wrong because roles/compute.viewer is read-only for all Compute Engine resources and cannot create or change firewall rules. Option D is wrong because roles/compute.admin grants full administrative control over all Compute Engine resources, including deleting VPC networks, which violates the restriction.

77. MCQ (medium)

An organization uses Active Directory (AD) on-premises and wants to synchronize user accounts and groups to Google Cloud Identity for SSO with SAML 2.0. The AD contains 50,000 users and 10,000 groups. The solution must support automatic provisioning and deprovisioning of users. Which tool should they use?

A. Use SAML 2.0 federation with AD FS to synchronize users.
B. Use Workload Identity Federation to connect AD to Google Cloud.
C. Use the Cloud Identity API to manually create users and groups.
D. Use Google Cloud Directory Sync (GCDS) to synchronize users and groups from AD to Cloud Identity.

Answer: D

GCDS is built for exactly this: one-way synchronization from AD or LDAP into the Cloud Identity directory. Users and groups that appear in AD are created on the next run, and users that disappear from AD are suspended or deleted, which is what gives automatic provisioning and deprovisioning.

Why this answer

Google Cloud Directory Sync (GCDS) is Google's tool for synchronizing users and groups from Active Directory (or another LDAP directory) into Cloud Identity or Google Workspace. The sync is one-way (AD is the source of truth) and handles provisioning and deprovisioning automatically on each run. SAML SSO is configured separately against an IdP such as Active Directory Federation Services (AD FS) or a third-party provider: GCDS creates the accounts, the IdP authenticates them.

Workload Identity Federation is for external workloads (e.g., AWS, Azure) to access GCP resources, not for user identity synchronization. Cloud Identity API can be used programmatically but is not a ready-to-use sync tool. GCDS is the correct answer.

78. MCQ (hard)

A security engineer needs to prevent creation of long-lived service account keys across all projects in an organization. The solution should also block any existing keys older than 90 days. Which approach meets these requirements?

A. Use the built-in constraint constraints/iam.disableServiceAccountKeyCreation and write a custom organization policy to enforce key rotation (max age 90 days).
B. Use a deny policy to deny the permission iam.serviceAccountKeys.create and another deny policy to deny use of keys older than 90 days.
C. Use a custom organization policy constraint to disable key creation and another custom constraint to delete keys older than 90 days.
D. Use a VPC Service Controls perimeter to block access to the IAM API for creating keys.

Answer: A

The built-in constraint stops new user-managed keys from being created. No organization policy can act on keys that already exist, so the 90-day requirement still needs existing keys to be inventoried and disabled or deleted.

Why this answer

Option A is the answer this question wants: `constraints/iam.disableServiceAccountKeyCreation` stops anyone from creating new user-managed keys anywhere under the organization. Treat the second half of the option with care, though. Organization policy, whether a built-in or a custom constraint, is evaluated when a resource is created or updated; it never acts retroactively on keys that already exist, and a condition such as `resource.serviceAccountKey.expireTime < duration(90d)` is not a real constraint expression. What does exist: the built-in list constraint `constraints/iam.serviceAccountKeyExpiryHours` caps the lifetime of any key created wherever creation is still allowed (2160h is the 90-day value), and keys that already exist have to be found (`gcloud iam service-accounts keys list --iam-account=EMAIL --managed-by=user --format=json` per service account) and then disabled or deleted, for example from a scheduled job or in response to Security Health Analytics' `SERVICE_ACCOUNT_KEY_NOT_ROTATED` findings.

Exam trap

The exam often tests the misconception that organization policies can delete or disable existing resources. They cannot: both built-in and custom constraints only gate create and update operations, so non-compliant resources that predate the policy stay in place until something else removes them.

How to eliminate wrong answers

Option B is wrong because deny policies cannot enforce a time-based condition like 'older than 90 days' on existing keys; they only block permission-based actions, not key age. Option C is wrong because custom organization policy constraints cannot delete resources; they can only enforce conditions on creation or update, not retroactively remove existing keys. Option D is wrong because VPC Service Controls block network access to APIs but do not prevent key creation or enforce key age; they are designed for data exfiltration prevention, not IAM key lifecycle management.
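As an added example (not part of the exam page), here is the inventory step that organization policy cannot do for you: a Python script that reads the JSON produced by `gcloud iam service-accounts keys list --iam-account=EMAIL --format=json`, picks out still-enabled user-managed keys older than a threshold, and emits the `gcloud iam service-accounts keys disable` commands to run. The project, account, key IDs and dates below are constructed sample data; the field names follow the IAM ServiceAccountKey resource.

```python
import datetime as dt
import json

# Constructed sample of `gcloud iam service-accounts keys list --format=json`
# output. Project, account, key IDs and dates are made up; field names follow
# the IAM v1 ServiceAccountKey resource.
SA_EMAIL = "batch@demo-proj.iam.gserviceaccount.com"
KEY_PREFIX = f"projects/demo-proj/serviceAccounts/{SA_EMAIL}/keys/"
SAMPLE_KEYS_JSON = json.dumps([
    {   # user-managed, enabled, created in January: stale
        "name": KEY_PREFIX + "0123456789abcdef0123456789abcdef01234567",
        "keyType": "USER_MANAGED",
        "keyOrigin": "GOOGLE_PROVIDED",
        "keyAlgorithm": "KEY_ALG_RSA_2048",
        "validAfterTime": "2024-01-10T08:00:00Z",
        "validBeforeTime": "9999-12-31T23:59:59Z",
    },
    {   # user-managed but already disabled: nothing left to do
        "name": KEY_PREFIX + "89abcdef0123456789abcdef0123456789abcdef",
        "keyType": "USER_MANAGED",
        "validAfterTime": "2024-01-15T08:00:00Z",
        "validBeforeTime": "9999-12-31T23:59:59Z",
        "disabled": True,
    },
    {   # user-managed, enabled, recent: keep
        "name": KEY_PREFIX + "fedcba9876543210fedcba9876543210fedcba98",
        "keyType": "USER_MANAGED",
        "validAfterTime": "2024-03-01T08:00:00Z",
        "validBeforeTime": "9999-12-31T23:59:59Z",
    },
    {   # Google-managed key: rotated by Google, never touch it
        "name": KEY_PREFIX + "00112233445566778899aabbccddeeff00112233",
        "keyType": "SYSTEM_MANAGED",
        "validAfterTime": "2024-04-20T08:00:00Z",
        "validBeforeTime": "2024-05-05T08:00:00Z",
    },
])


def parse_rfc3339(ts: str) -> dt.datetime:
    """gcloud prints timestamps as RFC 3339 in UTC, e.g. 2024-01-10T08:00:00Z."""
    return dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def stale_user_keys(keys_json: str, now_rfc3339: str, max_age_days: int = 90):
    """Return [(key_name, age_days)] for enabled user-managed keys older than max_age_days.

    System-managed keys are rotated by Google and skipped; already-disabled keys
    are skipped because disabling is the action we are about to take anyway.
    """
    now = parse_rfc3339(now_rfc3339)
    stale = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        if key.get("disabled", False):
            continue
        age_days = (now - parse_rfc3339(key["validAfterTime"])).days
        if age_days > max_age_days:
            stale.append((key["name"], age_days))
    return stale


def disable_commands(stale):
    """Turn stale key names into gcloud commands. Disable first (reversible);
    delete only after confirming nothing depended on the key."""
    cmds = []
    for name, _age in stale:
        # name has the form projects/P/serviceAccounts/EMAIL/keys/KEY_ID
        parts = name.split("/")
        email, key_id = parts[3], parts[5]
        cmds.append(
            f"gcloud iam service-accounts keys disable {key_id} --iam-account={email}"
        )
    return cmds


if __name__ == "__main__":
    found = stale_user_keys(SAMPLE_KEYS_JSON, "2024-05-01T08:00:00Z")
    for name, age in found:
        print(f"{age:4d} days  {name}")
    print("\n".join(disable_commands(found)))
```

Run it over every service account in every project (`gcloud iam service-accounts list --format='value(email)'` per project) from a scheduled job. Disabling rather than deleting keeps the change reversible if a forgotten workload turns out to depend on a key; delete once nothing breaks.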

79. MCQ (medium)

A company has a security policy that service account keys should not be created. They want to prevent anyone from creating keys for any service account in the organization. Which organization policy constraint should they use?

A. Custom constraint with iam.serviceAccountKeys.create
B. constraints/iam.allowedPolicyMemberDomains
C. constraints/compute.requireShieldedVm
D. constraints/iam.disableServiceAccountKeyCreation

Answer: D

Prevents creation of service account keys.

Why this answer

Option D is correct because the `constraints/iam.disableServiceAccountKeyCreation` organization policy constraint explicitly prevents the creation of user-managed service account keys across the entire organization. This aligns with the security policy that service account keys should not be created, as it enforces the use of short-lived credentials or workload identity federation instead of long-lived keys.

Exam trap

The exam often tests the distinction between IAM permissions and organization policy constraints. The trap here is confusing the permission `iam.serviceAccountKeys.create` with a constraint name and choosing Option A; custom constraints restrict fields of a resource at create or update time, they are not a place to list permissions.

How to eliminate wrong answers

Option A is wrong because custom constraints are used for organization policies that are not covered by predefined constraints, but `iam.serviceAccountKeys.create` is a permission, not a constraint; the correct predefined constraint for this purpose is `constraints/iam.disableServiceAccountKeyCreation`. Option B is wrong because `constraints/iam.allowedPolicyMemberDomains` restricts which external domains can be added as members in IAM policies, not service account key creation. Option C is wrong because `constraints/compute.requireShieldedVm` enforces that Compute Engine VMs must use Shielded VM features, which is unrelated to IAM service account key management.

80. MCQ (easy)

Which of the following is a benefit of using organization policies over IAM policies for enforcing restrictions on resources?

A. Organization policies can grant permissions to users.
B. Organization policies can restrict resources even if the user has Owner role.
C. Organization policies are applied to identities.
D. Organization policies are easier to audit than IAM policies.

Answer: B

Organization policy is evaluated on the resource independently of the caller's IAM roles, so even a project Owner cannot perform an action a constraint forbids.

Why this answer

Organization policies restrict what can be done with resources regardless of the IAM roles bound to the caller. An IAM allow policy answers "who may call this"; an organization policy answers "is this configuration permitted here at all", and both checks must pass. Org policies are attached to resources (organization, folder, project), not to identities, and they never grant anything.

81. Multi-select (medium)

A company uses Google Cloud Directory Sync (GCDS) to synchronize users from an on-premises Active Directory to Cloud Identity. The security team wants to ensure that only synchronized users can access Google Cloud resources. Which TWO actions are part of a secure configuration? (Choose two.)

Select 2 answers
A. Enable automatic license assignment for all synchronized users.
B. Configure GCDS to sync user passwords.
C. Create a custom role that allows only synchronized users to access resources.
D. Disable manual user creation in the Cloud Identity admin console.
E. Use the Organization Policy constraint constraints/iam.allowedPolicyMemberDomains to restrict IAM members to the company's domain.

Answers: D, E

This ensures that only synchronized users exist, preventing rogue manual accounts.

Why this answer

Correct actions: 1) Disable manual user creation in the Cloud Identity Admin console so that every account originates in AD and flows through GCDS. 2) Restrict IAM members to the company's own Cloud Identity account with the organization policy constraint `constraints/iam.allowedPolicyMemberDomains` (the constraint value is the Google Workspace or Cloud Identity customer ID of the account that owns example.com, not the bare domain string) so that principals from other domains cannot be added to any allow policy. Enabling automatic license assignment is a licensing convenience, not a security control. A custom role cannot express "synchronized users only": membership is a directory question, not a permission one.

Syncing passwords is not part of a secure configuration. GCDS cannot read password hashes out of Active Directory, and with SAML SSO authentication stays at the IdP, so there is no reason to copy passwords to Google at all.

82. MCQ (hard)

A company has multiple projects under an organization node. A security engineer needs to deny all principals in the organization from creating service account keys, except for a specific project where it must be allowed. Which approach should be used?

A. Use a custom organization policy constraint to allow key creation only in the specific project, and deny in all others.
B. Create an IAM deny policy at the organization level denying iam.serviceAccountKeys.create, and then create an IAM allow policy at the project level granting the same permission.
C. Create an IAM deny policy at the organization level denying the permission, and create another IAM deny policy at the project level that allows the permission by omitting the deny rule for that project's service accounts.
D. Apply the constraint constraints/iam.disableServiceAccountKeyCreation at the organization level with value True, and then set it to False at the project level.

Answer: D

Boolean organization policy constraints are not merged down the hierarchy: the policy set closest to the resource wins, so enforcing the constraint at the organization and setting it to not enforced on one project creates exactly the required exception.

Why this answer

`constraints/iam.disableServiceAccountKeyCreation` is a boolean constraint. Enforce it at the organization level, then, on the one project that needs keys, set a project-level policy with the constraint not enforced (`enforce: false` in the policy file used by `gcloud org-policies set-policy`). Because boolean constraints take the nearest policy rather than merging with the parent, the project-level policy overrides the organization-level one for that project only; every other project keeps inheriting the organization setting. Setting the project-level policy requires the Organization Policy Administrator role (roles/orgpolicy.policyAdmin), so the exception is itself a privileged, auditable act.

How to eliminate wrong answers

Option A is wrong because a predefined constraint already exists, and a custom constraint cannot relax what a predefined boolean constraint at a higher level forbids; every applicable constraint must pass. Option B is wrong because IAM deny policies take precedence over allow policies: an allow binding at the project level cannot undo an organization-level deny. Option C is wrong for the same reason; a deny policy can only add denials, so a lower-level deny policy that omits a rule changes nothing. The only exceptions a deny policy supports are the `exceptionPrincipals` listed in the same deny rule (or a `denialCondition` on resource tags), not "allow by omission".

83. MCQ (easy)

A security engineer wants to ensure that no IAM keys are created for service accounts in a Google Cloud organization. Which organization policy constraint should be applied?

A. constraints/compute.restrictCloudArmorPolicies
B. constraints/compute.requireShieldedVm
C. constraints/iam.allowedPolicyMemberDomains
D. constraints/iam.disableServiceAccountKeyCreation

Answer: D

Correct: Prevents creation of service account keys.

Why this answer

The correct answer is D because the `constraints/iam.disableServiceAccountKeyCreation` organization policy constraint specifically prevents the creation of IAM keys for service accounts, which is exactly what the security engineer needs to enforce. This constraint, when applied at the organization level, blocks all users from creating or uploading service account keys, ensuring that no long-lived credentials are generated for service accounts.

Exam trap

The exam often tests the distinction between constraints that control who can be an IAM policy member (Option C) and those that control service account key creation (Option D); do not confuse domain restriction with key management.

How to eliminate wrong answers

Option A is wrong because `constraints/compute.restrictCloudArmorPolicies` is a Compute Engine policy that restricts the use of Cloud Armor security policies, not IAM key creation. Option B is wrong because `constraints/compute.requireShieldedVm` enforces that new VMs must use Shielded VM features (secure boot, vTPM, integrity monitoring), which is unrelated to IAM service account key management. Option C is wrong because `constraints/iam.allowedPolicyMemberDomains` restricts which external domains can be members of IAM policies (e.g., to prevent cross-org access), but does not control service account key creation.

84. MCQ (medium)

An organization wants to grant a DevOps team the ability to create and manage service accounts in a specific project, but prevent them from deleting existing service accounts or managing IAM policies. Which IAM role should be assigned to the team?

A. roles/iam.serviceAccountUser
B. roles/iam.serviceAccountAdmin
C. roles/iam.serviceAccountKeyAdmin
D. roles/editor

Answer: B

roles/iam.serviceAccountAdmin lets the holder create, update, disable, enable and delete service accounts without granting project-level IAM administration. Note that it does include iam.serviceAccounts.delete, so it does not strictly satisfy "cannot delete".

Why this answer

roles/iam.serviceAccountAdmin is the closest predefined role: it grants the service account lifecycle permissions (create, update, enable, disable, delete, undelete) and does not include resourcemanager.projects.setIamPolicy, so the team cannot change project IAM. Two caveats a practitioner should know: the role does include iam.serviceAccounts.delete, and it includes iam.serviceAccounts.setIamPolicy for the allow policy on individual service accounts. If deletion really must be impossible, build a custom role from serviceAccountAdmin without those permissions, or add an IAM deny policy for iam.serviceAccounts.delete. The other options are worse: roles/editor is far too broad, roles/iam.serviceAccountUser only lets a principal act as existing service accounts, and roles/iam.serviceAccountKeyAdmin manages keys, not the accounts themselves.

85. MCQ (medium)

A company wants to grant a group of external auditors read-only access to all resources in a GCP project. The auditors authenticate via a SAML 2.0 identity provider. What is the most secure way to grant access?

A. Create a Cloud Identity group, add the auditors, and assign the Viewer role to the group at the project level.
B. Create a service account for each auditor and assign the Viewer role.
C. Use IAP to restrict access to the GCP console.
D. Create a custom role with only list permissions and assign to each auditor individually.

Answer: A

Group-based access is secure and scalable.

Why this answer

Cloud Identity groups can be used to manage access. The auditors should be added to a Google Group, and that group is assigned the Viewer role at the project level. This avoids managing individual accounts.

IAP is for application access, not project-level. Service accounts are for workloads. Custom roles are not needed for read-only.

86. MCQ (medium)

An organization uses Cloud Identity to manage users and groups. They want to enforce that only users from their corporate domain (example.com) can be granted IAM roles on GCP resources. Which organization policy constraint should they use?

A. constraints/iam.disableServiceAccountKeyCreation
B. constraints/compute.restrictCloudArmorPolicies
C. constraints/iam.allowedPolicyMemberDomains
D. constraints/iam.workloadIdentityPoolProviders

Answer: C

This constraint restricts IAM policy members to the listed Cloud Identity or Google Workspace accounts.

Why this answer

`constraints/iam.allowedPolicyMemberDomains` is a list constraint that restricts which principals can appear in IAM allow policies. Its allowed values are Google Workspace or Cloud Identity customer IDs (of the form `C0xxxxxxx`; `gcloud organizations list` shows the `directoryCustomerId` of the account that owns example.com), not bare domain names. Once set to the company's customer ID, any attempt to bind a user or group from another domain, or to add allUsers or allAuthenticatedUsers, is rejected.

87. MCQ (easy)

A developer needs to deploy a web application on Compute Engine that must access Cloud Storage buckets. The best practice for providing credentials to the VM is to:

A. Generate a JSON key for a service account and store it on the instance.
B. Use the Compute Engine default service account and grant it the required roles.
C. Create a service account with the required roles and attach it to the Compute Engine instance.
D. Store the user's personal credentials in the instance metadata.

Answer: C

A dedicated service account attached to the instance gets short-lived access tokens from the metadata server; no key file is ever written to disk.

Why this answer

The best practice is to create a dedicated service account with only the roles the application needs (here a Cloud Storage role such as roles/storage.objectViewer on the relevant buckets) and attach it to the instance. Client libraries then obtain short-lived tokens from the metadata server automatically. Option B is weaker because the Compute Engine default service account is shared by every VM in the project and has historically been granted the basic Editor role. Option A leaves a long-lived key on the VM. Option D puts a human credential where any process on the instance can read it.

88. MCQ (easy)

A development team needs to grant a third-party auditor read-only access to a specific project's resources but must not allow the auditor to view any data stored in Cloud Storage buckets. Which IAM approach should be used?

A. Assign the predefined roles/viewer role and add a condition to deny access to Cloud Storage.
B. Use a deny policy to block access to storage.objects.get for the auditor.
C. Assign the basic roles/reader role to the auditor.
D. Create a custom role that includes only the required read permissions except those for Cloud Storage.

Answer: D

Custom roles allow exact permission selection, excluding storage read permissions.

Why this answer

Custom roles let you curate an exact permission set. Start from the predefined Viewer permissions (`gcloud iam roles describe roles/viewer`) and drop the ones that read object data (storage.objects.get, storage.objects.list), keeping metadata permissions such as storage.buckets.list. Predefined roles/viewer includes storage.objects.get, and the basic roles are too broad.

Option A is wrong because IAM conditions only narrow when an allow binding applies; they are not a deny mechanism, and getting an "everything except storage" condition right across every resource type is error-prone. Option B would block the single permission named but leaves the rest of the Viewer role's data-read permissions (storage.objects.list, and anything added later) in place, so a curated custom role is the cleaner answer. Option C names a role that does not exist: the basic roles are Owner, Editor and Viewer.
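As an added example (not from the exam page), the curation step in code: read the JSON that `gcloud iam roles describe roles/viewer --format=json` produces, drop the permissions that read object contents, and render the YAML that `gcloud iam roles create` accepts. The permission list below is a constructed excerpt (the real Viewer role has thousands of entries), but every permission name in it is real; the `DATA_READ_PREFIXES` table and the role title are this example's own choices.

```python
import json

# Constructed excerpt of `gcloud iam roles describe roles/viewer --format=json`.
# The real role lists thousands of permissions; this subset is made up for the
# example, but every permission name is a real one.
VIEWER_ROLE_JSON = json.dumps({
    "name": "roles/viewer",
    "title": "Viewer",
    "stage": "GA",
    "includedPermissions": [
        "bigquery.datasets.get",
        "bigquery.tables.get",
        "bigquery.tables.getData",
        "cloudsql.instances.get",
        "cloudsql.instances.list",
        "compute.instances.get",
        "compute.instances.list",
        "resourcemanager.projects.get",
        "storage.buckets.get",
        "storage.buckets.list",
        "storage.objects.get",
        "storage.objects.list",
    ],
})

# Permission prefixes that read *contents* rather than configuration. The
# question only rules out Cloud Storage data; the BigQuery entry shows how the
# same approach generalises to other data-bearing services.
DATA_READ_PREFIXES = {
    "storage": ("storage.objects.",),
    "bigquery": ("bigquery.tables.getData",),
}


def auditor_permissions(role_json: str, exclude_services=("storage",)):
    """Keep the role's permissions except the data-read ones for the listed services."""
    blocked = tuple(p for svc in exclude_services for p in DATA_READ_PREFIXES[svc])
    perms = json.loads(role_json)["includedPermissions"]
    # str.startswith with an empty tuple is always False, so no exclusions means keep all
    return sorted(p for p in perms if not p.startswith(blocked))


def role_definition_yaml(title: str, description: str, permissions) -> str:
    """Render the YAML accepted by `gcloud iam roles create ROLE_ID --project=P --file=FILE`."""
    lines = [f"title: {title}", f"description: {description}", "stage: GA",
             "includedPermissions:"]
    lines += [f"- {p}" for p in permissions]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    perms = auditor_permissions(VIEWER_ROLE_JSON)
    print(role_definition_yaml("Auditor (no object data)",
                               "Read-only, no Cloud Storage object access", perms))
```

Create the role with `gcloud iam roles create auditorNoObjectData --project=PROJECT_ID --file=role.yaml` and bind it to the auditor's group. Not every permission is allowed in custom roles (gcloud rejects unsupported ones), so in practice curate from the services the auditor actually needs rather than copying Viewer wholesale.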

89. MCQ (hard)

A company runs a batch job on Compute Engine that processes sensitive data. The job uses a service account with a JSON key file stored on the VM. A security audit recommends removing long-lived keys. The job must run unattended. What is the best alternative?

A. Store the service account key in Secret Manager and retrieve it at runtime.
B. Create a new service account and attach it to the VM instance; remove the old key.
C. Use the default compute engine service account instead.
D. Use Workload Identity Federation to authenticate the batch job.

Answer: B

Attached service accounts use short-lived tokens from the metadata server, no keys needed.

Why this answer

A service account attached to the VM is the right replacement: the metadata server issues short-lived access tokens to the instance on demand, so the job authenticates without any key material on disk. Remove the old key (`gcloud iam service-accounts keys delete`) once the job runs on the attached identity. Workload Identity Federation is for workloads running outside Google Cloud (AWS, Azure, on-premises) and is unnecessary on Compute Engine.

Option A merely relocates the long-lived key; the job would still need credentials to read Secret Manager, and those would come from the attached service account anyway, which makes the key redundant. Option C works mechanically, but the default Compute Engine service account is shared by every VM in the project and is typically over-privileged, so a dedicated account is preferable.
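What "short-lived tokens from the metadata server" looks like on the wire, as an added example for Questions 87 and 89 (this is illustrative code, not from the exam page or any Google library): the request the client libraries make on your behalf, the mandatory `Metadata-Flavor` header, and the JSON shape that comes back. The `opener` parameter and `make_fake_opener` helper are this example's own device so the parsing logic can be exercised on a machine that is not a Compute Engine instance; the token value in the fake response is constructed.

```python
import json
import urllib.request

# Metadata-server endpoint for the attached service account's access token.
# Only reachable from inside a Compute Engine (or GKE) instance.
TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
             "instance/service-accounts/default/token")


def build_token_request(scopes=None) -> urllib.request.Request:
    """Build the metadata-server request.

    The Metadata-Flavor header is mandatory: the server rejects requests
    without it, which blocks naive SSRF-style fetches that cannot set headers.
    Optional `scopes` narrows the token to a comma-separated subset of the
    instance's access scopes.
    """
    url = TOKEN_URL
    if scopes:
        url += "?scopes=" + ",".join(scopes)
    return urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})


def parse_token_response(body: bytes):
    """Validate the JSON the metadata server returns and extract the token."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer" or not data.get("access_token"):
        raise ValueError("unexpected token response from metadata server")
    return data["access_token"], int(data["expires_in"])


def fetch_access_token(opener=urllib.request.urlopen, scopes=None):
    """Fetch a short-lived token. `opener` is injectable so the logic can be
    exercised off-GCE with a constructed response; by default it is urlopen."""
    with opener(build_token_request(scopes), timeout=3) as resp:
        return parse_token_response(resp.read())


def make_fake_opener(body: bytes):
    """Constructed stand-in for urllib.request.urlopen, for use off-GCE."""
    class _Resp:
        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

        def read(self):
            return body

    return lambda req, timeout=None: _Resp()


if __name__ == "__main__":
    try:
        token, ttl = fetch_access_token()
        print(f"got token {token[:12]}..., expires in {ttl}s")
    except OSError:
        print("not running on Compute Engine; metadata server unreachable")
```

In a real job you would not call this yourself; `google-auth` and the Cloud client libraries do exactly this when no key file or `GOOGLE_APPLICATION_CREDENTIALS` is present, and they cache and refresh the token before `expires_in` runs out. The point of the example is that the credential lives only in memory and expires within the hour, which is the property the audit asked for.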

90. MCQ (hard)

A company uses SAML 2.0 federation with an external IdP. Users are synced from Active Directory to Cloud Identity using Google Cloud Directory Sync (GCDS). The security engineer needs to ensure that only users from a specific Active Directory group can access Google Cloud resources. What should be configured?

A. Configure the SAML IdP to include a custom attribute indicating group membership, and use attribute-based access control in Google Cloud.
B. Use IAP to restrict access based on user identity.
C. Configure an organization policy constraint (constraints/iam.allowedPolicyMemberDomains) to restrict IAM policies to the company's domain.
D. Create a Cloud Identity group that is synced with the AD group via GCDS, and assign IAM roles to that group.

Answer: D

This ensures only users in the AD group are members of the Cloud Identity group, and thus have access.

Why this answer

The mechanism that expresses "this AD group" in Google Cloud is group synchronization: GCDS syncs the AD group to a Cloud Identity group with the same membership, and IAM roles are bound to that group. Users outside the AD group are still valid Cloud Identity accounts and can still sign in through SAML, but they hold no IAM roles and therefore cannot reach Google Cloud resources.

Option A does not fit: with Cloud Identity SAML SSO, Google uses the assertion only to authenticate the user, and group claims in the assertion are not consumed by IAM. Option B (IAP) protects specific applications, not project- or organization-wide access. Option C restricts which accounts may appear in IAM bindings; everyone in the company's domain would still be eligible, which is not the same as "only this AD group".

91. Multi-select (medium)

A company wants to deploy a containerized application on GKE that needs to access Cloud SQL. They want to avoid storing database credentials in the application. Which THREE components should they use?

Select 3 answers
A. Cloud SQL Auth Proxy (sidecar container)
B. Cloud SQL private IP
C. Workload Identity
D. Service account key stored in a Kubernetes secret
E. IAM database authentication

Answers: A, C, E

Together these give IAM-based, passwordless database authentication over an encrypted connection.

Why this answer

Workload Identity binds the pod's Kubernetes service account to a Google Cloud service account, so the pod gets that identity from the GKE metadata server without a key. The Cloud SQL Auth Proxy, run as a sidecar, handles the TLS connection to the instance and, with automatic IAM authentication enabled, uses the pod's identity to log in. IAM database authentication must be turned on for the Cloud SQL instance and the service account added as a database user; the application then connects to the proxy on localhost with no password at all. Option D is exactly the stored credential the company wants to avoid, and Option B (private IP) is good network hygiene but does not remove any credential.

92. MCQ (medium)

A company wants to allow their employees to access an internal web application running on Compute Engine using Identity-Aware Proxy (IAP). They want to ensure that only users from their corporate domain (example.com) can access the app. What is the recommended approach?

A. Grant the IAP-secured Web App User role to each individual user from the corporate domain.
B. Create a Cloud Identity group containing all corporate users, and grant the IAP-secured Web App User role to that group.
C. Use a custom SAML attribute in the IdP to filter access.
D. Configure a firewall rule that allows traffic only from the corporate IP range.

Answer: B

Scalable and maintainable approach.

Why this answer

Option B is correct because IAP authorizes users through IAM: granting roles/iap.httpsResourceAccessor (IAP-secured Web App User) to a Cloud Identity group that contains all corporate users makes the decision a single, auditable binding instead of one per person. IAP authenticates each request with Google sign-in, then checks whether the signed-in identity holds the role on the backend, so only members of the group reach the application. Note that IAM also accepts a `domain:example.com` principal, which grants a role to every member of the Workspace or Cloud Identity domain directly; it is the most literal way to say "everyone in the corporate domain", while a group gives you a membership list you can prune.

Exam trap

The exam often tests the misconception that an IP-based firewall rule (Option D) is sufficient for access control. IAP exists precisely to replace network-location checks with per-request identity checks; an IP allowlist says nothing about who the user is.

How to eliminate wrong answers

Option A is wrong because per-user bindings do not scale and give no structural guarantee that only corporate users are added. Option C is wrong because IAP does not read custom SAML attributes; its authorization decision is the IAM check for roles/iap.httpsResourceAccessor on the resource. Option D is wrong because an IP range allowlist authenticates nobody: any device on the corporate network gets through, and it bypasses the identity-aware check IAP is meant to provide.

93. MCQ (hard)

An organization has a deny policy that denies the compute.instances.create permission for all principals on a folder. A user is granted the Compute Admin role (which includes compute.instances.create) at the project level within that folder. Can the user create Compute Engine instances in that project?

A. No, because deny policies take precedence over allow policies.
B. No, because the user is not an organization administrator.
C. Yes, if the user also has the Owner role at the project level.
D. Yes, because the project-level IAM grant overrides the folder-level deny.

Answer: A

IAM evaluates deny policies before allow policies; a matching deny rule short-circuits the check, so no allow binding at any level can restore the permission.

Why this answer

Deny policies override allow policies regardless of where in the hierarchy each sits. The folder-level deny rule applies to every project under the folder, so the project-level Compute Admin grant is never reached. The only way this user could create instances is if the deny rule itself excludes them (through its exception principals) or its condition does not match the resource; adding more allow roles, including Owner (Option C), changes nothing.

94. MCQ (medium)

An organization uses Google Workspace for email and collaboration. They want to allow employees to sign in to a custom web application using their Google Workspace credentials. The application runs on Compute Engine and uses a PostgreSQL database. Which identity solution should they implement?

A. Workload Identity Federation.
B. Cloud Identity-Aware Proxy (IAP) with OIDC.
C. SAML 2.0 federation with the web app.
D. Firebase Authentication with Google provider.

Answer: B

IAP authenticates users with their Google Workspace identity and hands the application a signed OIDC identity token it can verify.

Why this answer

IAP is the right fit. Put the Compute Engine backend behind an HTTPS load balancer with IAP enabled; IAP signs users in with their Google Workspace account (via the organization's SAML IdP if one is configured) and forwards each authorized request with a signed JWT in the `x-goog-iap-jwt-assertion` header. The application should validate that JWT (issuer `https://cloud.google.com/iap`, the backend's expected audience, signature and expiry) before trusting the user identity, so that a request that somehow reaches the VM without passing through IAP is rejected. The database choice is irrelevant to the identity decision.

Option A, Workload Identity Federation, is for workloads, not end users. Option C would mean building a SAML service provider into the app, duplicating what Cloud Identity and IAP already provide. Option D, Firebase Authentication, targets consumer sign-in rather than an employee-only internal application.

95. Multi-select (medium)

A company has multiple Google Cloud projects under an organization. They want to ensure that only service accounts from their own Cloud Identity domain (example.com) can be used in IAM policies. Which TWO steps should they take? (Choose 2)

Select 2 answers
A. Configure VPC Service Controls to restrict access.
B. Remove any IAM policies that include members from other domains.
C. Use Cloud Identity to block external users.
D. Create a deny policy that denies the resourcemanager.projects.setIamPolicy permission for non-example.com users.
E. Apply the organization policy constraint constraints/iam.allowedPolicyMemberDomains with value ['example.com'] at the organization level.

Answers: B, E

The constraint only blocks future bindings. Allow policies that already contain out-of-domain members keep working until they are cleaned up, and any later change to such a policy is rejected until the offending members are removed.

Why this answer

`constraints/iam.allowedPolicyMemberDomains` is a list constraint whose allowed values are Google Workspace or Cloud Identity customer IDs (`gcloud organizations list` shows the `directoryCustomerId` of the account that owns example.com), so the value in Option E should be read as "the customer ID for example.com" rather than the literal domain string. Setting it at the organization level ensures only principals from that account can be added to allow policies anywhere below. Because the constraint is enforced when a policy is set, not retroactively, the existing policies that contain other domains (or allUsers / allAuthenticatedUsers) should be cleaned up first; otherwise those grants stay live and later edits to those policies fail validation.
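The clean-up in Option B needs an inventory first. As an added example (not from the exam page), this Python script scans the JSON from `gcloud projects get-iam-policy PROJECT_ID --format=json` for members the constraint would reject (public principals, and user/group/domain principals outside the allowed domains) and emits the `gcloud projects remove-iam-policy-binding` commands to fix them. The bindings, principals and project ID below are constructed sample data; the script compares human-readable domains, which is the check a reviewer wants even though the constraint itself is configured with the customer ID.

```python
import json

# Constructed sample of `gcloud projects get-iam-policy PROJECT_ID --format=json`.
# Roles and principal names are made up for this example.
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com", "group:platform-admins@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:bob@gmail.com", "allAuthenticatedUsers"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:app@demo-proj.iam.gserviceaccount.com", "allUsers"]},
        {"role": "roles/editor",
         "members": ["user:carol@partner.example.net", "domain:example.com"]},
    ],
    "etag": "BwYconstructed=",
    "version": 1,
})

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def member_domain(member: str):
    """Domain of a user:/group:/domain: principal; None for other principal types.

    serviceAccount: members are deliberately skipped: whether the constraint
    accepts them depends on which organization owns the account's project, so
    audit those separately rather than guessing from the email suffix.
    """
    kind, _, ident = member.partition(":")
    if kind in ("user", "group"):
        return ident.rsplit("@", 1)[-1].lower()
    if kind == "domain":
        return ident.lower()
    return None


def out_of_domain_bindings(policy_json: str, allowed_domains):
    """Return (role, member, reason) for every member the constraint would reject."""
    allowed = {d.lower() for d in allowed_domains}
    findings = []
    for binding in json.loads(policy_json)["bindings"]:
        for member in binding["members"]:
            if member in PUBLIC_PRINCIPALS:
                findings.append((binding["role"], member, "public principal"))
                continue
            domain = member_domain(member)
            if domain is not None and domain not in allowed:
                findings.append((binding["role"], member, f"domain {domain} not allowed"))
    return findings


def remove_commands(project_id: str, findings):
    """gcloud commands that drop each offending member from its binding."""
    return [
        f"gcloud projects remove-iam-policy-binding {project_id} "
        f"--member='{member}' --role='{role}'"
        for role, member, _reason in findings
    ]


if __name__ == "__main__":
    hits = out_of_domain_bindings(SAMPLE_POLICY_JSON, {"example.com"})
    for role, member, reason in hits:
        print(f"{role:32s} {member:55s} {reason}")
    print("\n".join(remove_commands("demo-proj", hits)))
```

Run it across every project (and against folder- and organization-level policies via `gcloud resource-manager folders get-iam-policy` and `gcloud organizations get-iam-policy`) before turning the constraint on, so the policy change lands without leaving live out-of-domain grants behind.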

96. MCQ (medium)

A company has an organization policy that denies the use of certain GCP services unless the project is in a specific folder. The DevOps team wants to create a new project in that folder. However, the project creation fails. What is the most likely cause?

A. The folder has reached its maximum number of projects.
B. The project name is already taken.
C. The organization policy prevents any project creation in the organization.
D. The user does not have the resourcemanager.projects.create permission at the folder level.

Answer: D

Project creation requires the Project Creator role at the folder or organization level.

Why this answer

The most likely cause is that the user lacks the `resourcemanager.projects.create` permission at the folder level. Even if the project is being created in a folder that allows GCP services, the user must have the Project Creator role (or equivalent) granted on that specific folder. Without this permission, the creation request is denied by the Resource Manager, regardless of the folder's capacity or the project name's uniqueness.

Exam trap

The exam often tests the misconception that organization policies on service usage block project creation. Project creation is governed by IAM (resourcemanager.projects.create on the parent folder or organization); a service-restriction constraint only affects what can be enabled inside the project afterwards.

How to eliminate wrong answers

Option A is wrong because exhausting a project quota produces a quota error, not a permission-denied error, and quota is raised through a quota request rather than by reassigning permissions. Option B is wrong because project names do not have to be unique (only project IDs do), and a clashing project ID produces a distinct "already exists" error. Option C is wrong because the organization policy described restricts which services may be used, not whether projects can be created.

97. Multi-select (medium)

An organization uses Cloud Identity with SAML 2.0 federation. They want to enable single sign-on (SSO) for users accessing Google Cloud Console and also allow access to a custom application behind an HTTPS load balancer using IAP. Which TWO configurations are required? (Choose two.)

Select 2 answers
A. Deploy a VPN between the IdP and Google Cloud
B. Create a service account for each user to access the application
C. Create a Cloud Armor security policy to allow only SAML-authenticated requests
D. Enable IAP on the backend service of the HTTPS load balancer
E. Configure SAML 2.0 SSO in the Cloud Identity console for the organization

Answers: D, E

IAP integrates with Cloud Identity to authenticate users before granting access to the application.

Why this answer

Option D is correct because IAP must be enabled on the backend service of the HTTPS load balancer before it can authenticate and authorize requests to the application. Option E is correct because SAML SSO is configured in the Cloud Identity Admin console for the organization; after that, a user who signs in to Google is redirected to the IdP, and both the Cloud Console and IAP-protected applications rely on that same Google session. IAP does not receive the SAML assertion itself; it sees the authenticated Google identity and checks IAM, so no VPN and no per-user service accounts are involved.

Exam trap

The exam often tests the misconception that IAP needs a VPN to the IdP or that service accounts can stand in for user authentication. The correct pair is: enable IAP on the backend service and configure SAML SSO in Cloud Identity.

98. MCQ (medium)

An organization has multiple GCP projects managed through folders in the resource hierarchy. They want to enforce a policy that prohibits the creation of service account keys across all projects. Which approach should be used?

A. Use a deny policy at the project level to deny the 'iam.serviceAccountKeys.create' permission.
B. Configure a script that runs daily to delete any service account keys found in projects.
C. Create a custom IAM role that denies the permission to create keys and assign it to all users.
D. Apply an organization policy with the constraint 'constraints/iam.disableServiceAccountKeyCreation' at the folder level.

Answer: D

Organization policies enforce restrictions across the resource hierarchy. This constraint disables key creation for all service accounts in the folder's projects.

Why this answer

Organization policies can be applied at the folder or organization level and are inherited by every project beneath. `constraints/iam.disableServiceAccountKeyCreation` disables user-managed key creation for all service accounts in scope. Applying it at the folder level covers every project in that folder; if the goal is truly every project in the organization, set it at the organization node and add folder- or project-level policies only where an exception is needed. Option A would have to be repeated in every project and is easy to miss for new ones, Option B cleans up after the fact instead of preventing, and Option C is impossible: IAM roles only grant permissions, they cannot deny.

99. MCQ (medium)

An organization has a folder-level organization policy that enforces 'constraints/compute.requireShieldedVm'. A development team wants to create a test VM that does not use Shielded VM features. What is the correct approach?

A. Create the VM in a different folder that does not have the policy.
B. Use a custom role that bypasses the organization policy.
C. Override the organization policy at the project level to set the constraint to 'not enforce' for that project.
D. Create the VM with Shielded VM disabled; the policy will not apply to test projects.

Answer: C

Policy overrides at a lower level can change enforcement. The dev team should request an override.

Why this answer

Organization policies can be overridden at a lower level in the resource hierarchy using policy inheritance rules. The dev team should request an exemption for their project or folder by creating a policy override that sets the constraint to 'not enforce'. This must be done by a user with the appropriate organization policy administrator role.

100
MCQ · easy

You need to grant a security auditor read-only access to all resources in a project, but they must not be able to view data within resources (e.g., table contents). Which predefined IAM role should you grant?

A. roles/iam.securityReviewer
B. roles/owner
C. roles/viewer
D. roles/editor
Answer: C

Viewer role provides read-only access to resource configurations without data access.

Why this answer

The roles/viewer role provides read-only access to view resource configurations but not data. For example, it allows listing Compute Engine instances but not connecting to them or reading data from BigQuery tables. The Security Reviewer role (roles/iam.securityReviewer) is similar but includes additional permissions; however, the question asks for read-only access without data access, and roles/viewer is the standard read-only role.

101
MCQ · medium

A company has multiple GCP projects managed under a single organization node. They want to enforce that all Compute Engine VMs are created with Shielded VM features enabled. Which approach should they use?

A. Use the organization policy service with the constraint constraints/compute.requireShieldedVm at the organization level.
B. Run a gcloud command after each VM creation to enable Shielded VM.
C. Apply a deny policy that denies the compute.instances.create permission if Shielded VM is not enabled.
D. Create a custom IAM role that includes compute.instances.create permission and assign it to all users.
Answer: A

This constraint ensures all new VMs must have Shielded VM enabled.

Why this answer

Organization policies can enforce constraints across projects. The constraint constraints/compute.requireShieldedVm can be applied at the organization, folder, or project level to require Shielded VM on all new VMs. IAM roles don't enforce configuration, and gcloud commands are manual.

Deny policies are for permission denial, not resource configuration.

102
Multi-Select · medium

A company wants to enforce that all Compute Engine instances are created with a specific set of tags for compliance. They also want to audit any changes to firewall rules. Which two Google Cloud services or features should they use? (Choose TWO.)

Select 2 answers
A. Cloud Deployment Manager
B. Cloud IAM
C. Cloud Monitoring
D. Cloud Audit Logs
E. Organization Policy Service
Answers: D, E

Logs changes to firewall rules for auditing.

Why this answer

Organization policies can enforce VM creation with tags via a custom constraint. Cloud Audit Logs can log changes to firewall rules for auditing. IAM is for permissions, not enforcement.

Cloud Monitoring is for metrics. Cloud Deployment Manager is for infrastructure deployment but not continuous enforcement.

103
MCQ · medium

A developer needs to create a custom IAM role that allows only a specific set of permissions for managing Cloud SQL instances. The role should be available at the organization level. Which command should they use?

A. gcloud iam roles create ROLE_ID --organization=ORGANIZATION_ID --file=role.yaml
B. gcloud projects add-iam-policy-binding PROJECT_ID --member=... --role=...
C. gcloud iam service-accounts create SA_NAME --display-name=...
D. gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member=... --role=...
Answer: A

This command creates a custom role at the organization level using a YAML file with permissions defined.

Why this answer

Custom roles can be created at the organization level using the 'gcloud iam roles create' command with the '--organization' flag (or '--org' for short). The role is defined in a YAML file that specifies the permissions. The 'gcloud organizations add-iam-policy-binding' is used to assign roles, not create them.

The 'gcloud iam service-accounts create' is for service accounts. The 'gcloud projects add-iam-policy-binding' is for project-level IAM bindings.

104
MCQ · easy

Which of the following is a key advantage of using Workload Identity Federation over service account keys for authenticating workloads running on AWS?

A. It allows the use of short-lived tokens instead of long-lived keys.
B. It eliminates the need to create service accounts.
C. It supports MFA for workload authentication.
D. It reduces latency compared to using keys.
Answer: A

Short-lived tokens reduce risk of key exposure.

Why this answer

Workload Identity Federation allows workloads to use short-lived tokens from the external identity provider (e.g., AWS STS) to impersonate a Google service account, eliminating the need to manage and rotate long-lived keys. Service account keys are long-lived secrets that can be leaked.

105
MCQ · hard

An organization has a Google Cloud organization node with multiple folders for different departments. A deny policy is set at the organization level to block the use of shielded VM constraints. Later, an allow policy at the folder level grants the compute.instances.create permission. A user in that folder tries to create a new VM without shielded VM enabled. What will happen?

A. The user can create the VM because the folder allow policy grants compute.instances.create
B. The VM creation fails because the deny policy at the organization level overrides the folder allow policy
C. The VM is created but without shielded VM because the folder policy allows it
D. The VM creation succeeds because allow policies take precedence over deny policies
Answer: B

Deny policies are evaluated before allow policies and can deny specific permissions, overriding any allows.

Why this answer

Deny policies override allow policies. Since the deny policy at the organization level blocks shielded VM usage, the allow policy at the folder level cannot override it. The VM creation will fail because the deny policy explicitly denies permissions related to shielded VM constraints.

106
MCQ · medium

A DevOps engineer needs to create a custom IAM role that allows creating and deleting Compute Engine instances but not stopping or starting them. Which permissions should be included?

A. compute.instances.start and compute.instances.stop
B. compute.instances.create, compute.instances.delete, and compute.instances.update
C. compute.instances.create and compute.instances.delete
D. compute.instances.create
Answer: C

Correct: these allow create and delete only.

Why this answer

To create and delete instances, the permissions compute.instances.create and compute.instances.delete are required. compute.instances.stop and compute.instances.start are separate permissions for stopping/starting. compute.instances.update is for modifying existing instances.

107
Multi-Select · hard

An organization has a requirement that all service account keys must be rotated every 90 days. The security engineer wants to automate the detection of keys older than 90 days. Which TWO methods can achieve this? (Choose 2)

Select 2 answers
A. Configure an organization policy to deny key creation if keys are older than 90 days.
B. Use Cloud Logging to analyze logs for key creation and compute age.
C. Use the IAM API to list service account keys and check the validAfterTime field.
D. Create a custom IAM role that prevents using keys older than 90 days.
E. Use Cloud Asset Inventory to query service account keys and filter by creation time.
Answers: C, E

The API returns key creation time, allowing programmatic detection.

Why this answer

Option C is correct because the IAM API's `validAfterTime` field directly indicates when a service account key was created. By listing keys and comparing this timestamp to the current time, you can programmatically identify keys older than 90 days. This method is precise and does not rely on indirect log analysis or policy enforcement.

Exam trap

Cisco often tests the distinction between detection (audit) and enforcement (prevention); candidates mistakenly choose options that attempt to enforce a policy (like denying creation or preventing use) when the question explicitly asks for detection of keys older than 90 days.

108
MCQ · hard

A company has a GKE cluster with a Kubernetes Service Account (KSA) that needs to access Cloud Storage. They want to bind the KSA to a Google Cloud service account (GCP SA) so that pods running under the KSA inherit the GCP SA's permissions. They have enabled Workload Identity on the cluster. What is the correct step to bind the KSA to the GCP SA?

A. Annotate the KSA with iam.gke.io/gcp-service-account=GCP_SA_EMAIL. No further steps are needed.
B. Create a JSON key for the GCP SA and store it as a Kubernetes secret, then mount it into the pods.
C. Grant the GCP SA the role roles/iam.serviceAccountUser on the KSA.
D. Grant the KSA the role iam.workloadIdentityUser on the GCP SA by running: gcloud iam service-accounts add-iam-policy-binding GCP_SA_EMAIL --member=serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME] --role=roles/iam.workloadIdentityUser
Answer: D

This is the correct IAM binding to allow the KSA to impersonate the GCP SA.

Why this answer

The correct binding is to grant the 'iam.workloadIdentityUser' role on the GCP SA to the KSA's identity. The KSA identity is represented in IAM as the principal 'serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]'. This allows the KSA to impersonate the GCP SA.

Creating a service account key defeats the purpose of Workload Identity. Adding an annotation to the KSA is necessary but not sufficient; the IAM binding is also required.

109
Multi-Select · medium

A security engineer needs to allow a group of external auditors to view all resources in a project but not modify anything. They must also prevent the auditors from viewing sensitive data in BigQuery datasets. Which TWO IAM bindings should the engineer configure? (Choose two.)

Select 2 answers
A. Grant roles/viewer on the project to the auditors group
B. Grant roles/bigquery.dataViewer on the project to the auditors group
C. Create a deny policy at the project level that denies bigquery.tables.getData for the auditors group
D. Grant roles/iam.securityReviewer on the project to the auditors group
E. Remove the auditors group from all IAM bindings and grant them roles/browser only
Answers: A, C

This grants read access to all resource configurations, but includes BigQuery data access.

Why this answer

To grant read-only access to resources (configurations) without data access, you can grant roles/viewer on the project. However, roles/viewer includes bigquery.tables.getData, which allows reading table data. To prevent that, you must also add a deny policy to block bigquery.tables.getData.

Alternatively, you can use a custom role, but the question asks for IAM bindings.

110
Multi-Select · medium

A company uses Active Directory (AD) on-premises and wants to implement SSO for Google Cloud Console access. They want to maintain user lifecycle management (create/disable accounts) from AD. Which TWO components are required?

Select 2 answers
A. Cloud Directory Sync (CDS)
B. SAML 2.0 SSO with Cloud Identity
C. Workload Identity Federation
D. Identity-Aware Proxy (IAP)
E. Cloud VPN
Answers: A, B

CDS syncs users from AD to Google Cloud Directory.

Why this answer

Cloud Directory Sync synchronizes users from AD to Google Cloud Directory. SAML SSO with Cloud Identity allows users to sign in using their AD credentials. Both are needed: CDS for provisioning, SAML for authentication.

111
MCQ · hard

An organization has multiple GCP projects under a folder. They want to prevent all users from creating service account keys in any project under that folder. They also want to allow exceptions for a specific project where key creation is needed. Which approach should they take?

A. Create a custom role that excludes the permission to create keys and assign it to all users.
B. Remove the roles/iam.serviceAccountKeyAdmin role from all users.
C. Use an IAM deny policy on the folder to deny the permission to create service account keys.
D. Apply the organization policy constraint 'constraints/iam.disableServiceAccountKeyCreation' at the folder level and set an exception for the specific project.
Answer: D

This constraint disables key creation; exceptions can be made with conditional policies or separate project-level policies.

Why this answer

Organization policies can be set at the folder level with an enforce: true condition, and then an exception can be made for a specific project using a conditional policy or by setting a different policy on that project. IAM deny policies cannot disable the API for all users. Custom roles cannot disable key creation globally.

Removing roles is impractical.

112
Multi-Select · hard

A security engineer needs to ensure that all Compute Engine instances in an organization are created with specific CMEK (Customer-Managed Encryption Key) for disk encryption. The engineer wants to enforce this at the organization level. Which three actions are required? (Choose three.)

Select 3 answers
A. Create a Cloud KMS key ring and encryption key.
B. Enable Customer-Supplied Encryption Keys (CSEK) for all instances.
C. Apply the policy constraint at the organization level.
D. Ensure the Compute Engine API is disabled for all projects.
E. Create a custom organization policy constraint using the Organization Policy Service.
Answers: A, C, E

A CMEK key must exist to be referenced in the constraint.

Why this answer

To enforce CMEK use, you need to create a custom organization policy constraint that requires the CMEK key resource name. Enabling CMEK via CSEK is different. The constraint must be applied at the organization level.

The key must be created in Cloud KMS. The Compute Engine API must be enabled for policy enforcement.

113
MCQ · medium

A developer is troubleshooting a Cloud Run service that needs to read from a Cloud Storage bucket. The service runs as the Compute Engine default service account. The service account has been granted the Storage Object Viewer role at the project level, but the service still gets permission denied errors. What is the most likely cause?

A. The bucket uses uniform bucket-level access, which overrides IAM.
B. The service account was not granted access to the specific bucket.
C. The Cloud Run service is using a different service account than the one modified.
D. The Cloud Run service requires the Storage Admin role.
Answer: C

Cloud Run services must have a service account explicitly assigned; it does not use the Compute Engine default SA.

Why this answer

Cloud Run uses the runtime service account specified in the revision, not the Compute Engine default SA. The developer must explicitly set the service account when deploying, and grant it appropriate roles. The Compute Engine default SA is for Compute Engine VMs, not Cloud Run.

114
Multi-Select · medium

An organization wants to restrict the creation of service accounts to only certain projects. Which two approaches can achieve this? (Choose two.)

Select 2 answers
A. Use a deny policy to block service account creation in all projects except the allowed ones.
B. Create a custom role with iam.serviceAccounts.create permission and assign it to a group, then use IAM conditions to restrict the resource to specific projects.
C. Grant the roles/iam.serviceAccountAdmin role only to users in the allowed projects.
D. Use an organization policy with constraint constraints/iam.disableServiceAccountCreation set to True at the org level, and then create a folder policy to allow creation in specific folders.
E. Create a separate organization for the allowed projects.
Answers: B, D

IAM conditions can limit the scope of a role to specific projects.

Why this answer

Two valid approaches: use an organization policy with overrides (D) or use IAM conditions on a custom role (B).

115
MCQ · hard

A company uses Google Cloud Directory Sync to synchronize users from an on-premises Active Directory to Cloud Identity. They want to allow federated access from their external identity provider (IdP) that supports SAML 2.0. The IdP should be able to authenticate users from a specific AD domain. What configuration steps are required?

A. Use Workload Identity Federation to map the external IdP to Google Cloud service accounts.
B. Set up SAML SSO in Cloud Identity using Google as the IdP, and configure AD to trust Google's SAML response for the domain.
C. Configure the external IdP as a SAML identity provider in Cloud Identity, map the AD domain, and enable user provisioning via SCIM.
D. Create a custom OAuth 2.0 flow in Cloud Identity to integrate with the external IdP.
Answer: C

The external IdP acts as the SAML IdP, Cloud Identity as the SP. SCIM is optional but not required for authentication.

Why this answer

For federated access with an external SAML 2.0 IdP, configure the external IdP as a SAML identity provider in Cloud Identity, mapping the appropriate domain.

116
MCQ · hard

A security engineer wants to ensure that only users from a specific external identity provider (IdP) domain (example.com) can access Google Cloud resources. They have configured SAML SSO with the IdP. However, users from other domains are also able to access resources. What is the most effective way to restrict access to only users from example.com?

A. Set the Organization Policy constraint constraints/iam.allowedPolicyMemberDomains to only allow domain example.com.
B. Use Cloud Identity groups with membership restricted to example.com and grant access to the group only.
C. Configure the IdP to only assert users from example.com.
D. Use IAM Conditions to restrict access to users with a specific claim (e.g., assertion.primary_email ending with @example.com).
Answer: A

This constraint restricts which domains can be used as members in IAM policies, effectively preventing users from other domains from being granted access.

Why this answer

The best approach is to use the Organization Policy constraint 'constraints/iam.allowedPolicyMemberDomains' to restrict which external domains can be members of IAM policies. This prevents users from other domains from being granted roles. Simply blocking at the IdP is not effective because users from other domains could be added as members in IAM.

IAM Conditions can be used on role bindings to restrict access based on the user's domain, but this requires careful application to all policies. The organization policy provides a global enforcement.

117
MCQ · hard

An engineer needs to grant a group of external auditors read-only access to all resources in a specific project. The auditors authenticate via an external SAML 2.0 IdP. What is the most secure and efficient way to set this up?

A. Create individual Google accounts for each auditor and assign them the Viewer role.
B. Configure IAP with the external IdP and grant access to the project's resources through IAP.
C. Use Cloud Directory Sync to sync the auditors from the external IdP as Google Groups, then grant the group Viewer role.
D. Create a custom role with read-only permissions and assign it to each auditor individually.
Answer: C

Cloud Directory Sync can synchronize groups from the IdP. Granting the group the Viewer role is efficient and maintains group membership in the IdP.

Why this answer

The correct approach is to create a Google Group and configure SAML SSO for Cloud Identity. Then, grant the Google Group the 'Viewer' role at the project level. The auditors authenticate via SAML and become members of the group, inheriting the permissions.

118
MCQ · easy

A developer is running a batch job on Compute Engine that needs to read data from Cloud Storage. What is the recommended way to authenticate the VM to Cloud Storage without managing keys?

A. Use the Compute Engine default service account and grant it the roles/storage.objectViewer role.
B. Create a service account key, download it to the VM, and use it with gcloud auth.
C. Add the user's personal credentials to the VM and use them.
D. Use Application Default Credentials (ADC) from a service account key stored in Secret Manager.
Answer: A

The default service account is automatically attached to the VM. Granting it the Storage role allows the VM to read objects without key management.

Why this answer

The best practice is to use the Compute Engine default service account and grant it the appropriate Storage roles. This avoids managing keys and uses the VM's identity tied to the service account.

119
MCQ · easy

Which IAM role should be assigned to a user who needs to manage, but not create or delete, Cloud Storage buckets and objects in a specific project?

A. roles/storage.legacyBucketReader
B. roles/storage.admin
C. roles/storage.objectViewer
D. roles/storage.objectAdmin
Answer: C

Read-only access to objects.

Why this answer

The Storage Admin role (roles/storage.admin) provides full control over storage resources, including storage.buckets.create and storage.buckets.delete, so it exceeds the requirement. Storage Object Admin (roles/storage.objectAdmin) manages objects but not buckets; however, it also includes object creation and deletion.

There is no predefined role that allows managing buckets or objects without also allowing create or delete, so the word 'manage' in the stem is ambiguous and should be read as viewing objects without creating or deleting them. Under that reading, Storage Object Viewer (roles/storage.objectViewer) is the role that grants read-only access to objects, which is why C is the answer.

120
Multi-Select · hard

A financial services company is migrating to Google Cloud and needs to enforce strict security controls. They want to ensure that: 1) No service account keys are created. 2) All Compute Engine instances must be created with Shielded VM enabled. 3) Only users from the corporate domain (example.com) can be granted IAM roles. Which THREE Organization Policy constraints must be used? (Choose three.)

Select 3 answers
A. constraints/compute.requireOsLogin
B. constraints/iam.allowedPolicyMemberDomains
C. constraints/iam.disableServiceAccountKeyCreation
D. constraints/compute.requireShieldedVm
E. constraints/compute.restrictCloudArmorPolicies
Answers: B, C, D

This restricts which domains can be used in IAM policy members.

Why this answer

The three constraints are: constraints/iam.disableServiceAccountKeyCreation (prevents key creation), constraints/compute.requireShieldedVm (requires Shielded VM), and constraints/iam.allowedPolicyMemberDomains (restricts IAM members to specific domains). The other constraints are not relevant: constraints/compute.restrictCloudArmorPolicies is about Cloud Armor policies, and constraints/compute.requireOsLogin is about OS Login.

121
MCQ · medium

A DevOps team uses GitHub Actions to deploy infrastructure to Google Cloud. They want to avoid storing long-lived service account keys. Which approach should they use to authenticate from GitHub Actions to Google Cloud?

A. Grant the service account token creator role to the GitHub Actions runner.
B. Download a JSON service account key and store it as a GitHub secret.
C. Use Workload Identity Federation by configuring a workload identity pool and provider for GitHub.
D. Create a Compute Engine instance with a service account and run GitHub Actions from there.
Answer: C

Workload Identity Federation enables keyless authentication from GitHub Actions to GCP using OIDC tokens.

Why this answer

Workload Identity Federation allows GitHub Actions to exchange GitHub OIDC tokens for Google Cloud service account credentials. This eliminates the need for service account keys. The team must create a workload identity pool and provider in GCP, and configure GitHub Actions to use Google's action with 'workload_identity_provider'.

Granting the service account token creator role is not the correct method. Using a Compute Engine instance is not relevant for GitHub Actions.

122
MCQ · medium

An organization wants to allow users to access a web application running on Compute Engine via HTTPS. The application requires users to authenticate with their corporate credentials (SAML 2.0 IdP). Which Google Cloud service should be used?

A. Cloud NAT
B. Cloud Armor
C. Cloud Load Balancing with SSL certificates
D. Identity-Aware Proxy (IAP) with HTTPS
Answer: D

IAP provides authentication and access control for web apps.

Why this answer

Identity-Aware Proxy (IAP) with HTTPS provides authentication and authorization for web applications. It integrates with external SAML IdPs through Cloud Identity or G Suite. Cloud Load Balancing with SSL does not authenticate.

Cloud Armor is for security policies. Cloud NAT is for outbound traffic.

123
MCQ · medium

A company wants to enforce that all new projects have a specific set of tags to track cost centers. Which Google Cloud feature should they use?

A. Configure a Cloud Function to delete projects without tags
B. Use IAM roles to restrict project creation to users who promise to add tags
C. Create an organization policy with a custom constraint to require tags
D. Use Cloud Asset Inventory to monitor tags
Answer: C

Custom constraints allow you to enforce policies like requiring specific tags on resources.

Why this answer

Organization policies enforce constraints on resources, but there is no built-in constraint that enforces tags. Instead, a custom constraint can be used to require tags; the simplest approach is the `constraints/resourcemanager.tags` constraint or a custom constraint. Either way, the Organization Policy Service is the tool for setting constraints, which is why option C is correct.

124
Multi-Select · medium

An organization wants to use Identity-Aware Proxy (IAP) to secure access to a web application running on Compute Engine. They need to ensure that only users with specific email domains can access the application, and also verify that requests are coming from IAP. Which two configurations are required? (Choose two.)

Select 2 answers
A. Configure Cloud Armor to block non-IAP traffic.
B. Create a firewall rule that allows traffic only from IAP's IP ranges.
C. Configure the backend application to validate IAP-signed headers (X-Goog-Authenticated-User-Email).
D. Assign the IAP-secured Web App User role to the users.
E. Create an organization policy to enforce IAP usage.
Answers: B, C

IAP uses specific IP ranges that must be allowed in the firewall.

Why this answer

To secure access with IAP, you must allow IAP's IP ranges in the firewall (B) and configure the backend to validate IAP-signed headers (C). The IAP-secured Web App User role is also needed, but the question focuses on the two specific configurations for IP and header validation.

125
MCQ · hard

A company has a Kubernetes cluster on GKE that runs a microservice. The microservice needs to read from a Cloud Spanner database. The security team requires that the microservice uses the principle of least privilege and that credentials are never stored as Kubernetes secrets. What is the recommended configuration?

A. Use the Compute Engine default service account for the node pool.
B. Enable Workload Identity, create a Kubernetes service account, and annotate it to map to a Google Cloud service account with the necessary roles.
C. Create a Kubernetes secret containing a service account key and mount it into the pod.
D. Assign the required IAM roles to the GKE node's default service account and use it from the pod.
Answer: B

Follows best practices: keyless, least privilege.

Why this answer

Using Workload Identity, you bind a Kubernetes service account to a Google Cloud service account that has the necessary Spanner roles. The GKE node's metadata server provides the credentials, and the application uses the Kubernetes service account identity.

126
MCQ · easy

Which IAM role type is recommended for granting fine-grained permissions to Google Cloud services in production?

A. Basic roles (Owner, Editor, Viewer)
B. Custom roles
C. Primitive roles
D. Predefined roles
Answer: D

Predefined roles provide service-specific permissions and are the recommended default.

Why this answer

Predefined roles are curated by Google and provide granular permissions for specific services. They are designed for production use. Basic roles (Owner/Editor/Viewer) are broad and not recommended.

Custom roles can be used if predefined roles are insufficient, but predefined are preferred for simplicity and maintainability.

127
MCQ · medium

A company wants to allow users to access an internal web application running on Compute Engine behind a load balancer without requiring a VPN. The solution must authenticate users and enforce access based on user identity and context (e.g., device security). Which Google Cloud service should they use?

A. Cloud NAT
B. Identity-Aware Proxy (IAP)
C. Cloud Armor
D. VPC Service Controls
Answer: B

Correct for identity and context-aware access.

Why this answer

Identity-Aware Proxy (IAP) provides zero-trust access control for web applications, authenticating users and enforcing context-aware access policies without requiring VPN. IAP sits in front of the load balancer and verifies identity and context before allowing access.

128
MCQ · medium

An organization uses Cloud Identity with Google Workspace. They want to grant a group of external auditors read-only access to a specific folder in Google Cloud. The auditors have accounts in the organization's Cloud Identity domain. What is the most efficient way to grant this access?

A. Create a Google Group, add auditors to it, and grant the group the Viewer role at the folder level.
B. Create a custom role and assign it to each auditor.
C. Use Cloud Directory Sync to sync auditors from an external identity provider.
D. Grant each auditor the Viewer role individually at the folder level.
Answer: A

Efficient and scalable.

Why this answer

The best practice is to create a Google Group (which is a Cloud Identity group) containing the auditors, then grant the group the desired IAM role (e.g., Viewer) at the folder level. This simplifies management.

129
Multi-Select · hard

A company is using GKE with Workload Identity to allow pods to access Google Cloud services. A security engineer needs to restrict a specific pod to only read from a single Cloud Storage bucket. Which THREE steps should be taken? (Choose 3 correct answers)

Select 3 answers
A. Create a Kubernetes service account (KSA) in the pod's namespace.
B. Grant the GCP SA roles/storage.objectViewer at the project level.
C. Create a custom role with storage.objects.get and storage.objects.list, and assign to the GCP SA.
D. Create a Google service account (GCP SA) with roles/storage.objectViewer, and bind it to the bucket using resource-level IAM.
E. Annotate the KSA with the GCP SA email (iam.gke.io/gcp-service-account).
Answers: A, D, E

A KSA is needed so that it can be bound to the GCP SA.

Why this answer

Option A is correct because Workload Identity requires a Kubernetes Service Account (KSA) to be associated with a pod. The KSA is annotated with the email of a Google Cloud Service Account (GCP SA), and the pod uses the KSA to authenticate. This creates a direct identity binding between the pod and the GCP SA, enabling fine-grained access control.

Exam trap

Cisco often tests the distinction between project-level and resource-level IAM bindings; the trap here is that candidates may think granting a role at the project level is sufficient, but the requirement to restrict access to a single bucket demands a bucket-level binding.

130
MCQ · easy

A project manager needs to create custom IAM roles for a project. At which levels in the resource hierarchy can custom roles be defined?

A. All levels: organization, folder, project
B. Organization and folder levels only
C. Organization and project levels only
D. Project level only
Answer: C

Correct: custom roles can be created at organization or project level.

Why this answer

Custom roles can be defined at the organization level or the project level. They cannot be defined at the folder level. Organization-level roles can be used across all folders and projects under that organization.

131
Multi-Select · medium

A security engineer is designing access control for a multi-project environment. The engineer needs to ensure that a data science team can read data from a BigQuery dataset in Project A and write results to a Cloud Storage bucket in Project B. The team members are authenticated via an external SAML IdP. Which TWO steps should be taken? (Choose 2 correct answers)

Select 2 answers
A. Create a custom role with bigquery.tables.getData and storage.objects.create, and assign to the group at the organization level.
B. Create a service account for the team and set up workload identity federation with the SAML IdP.
C. Grant the group the BigQuery Data Viewer role at the project A level and Storage Object Admin at the project B level.
D. Grant the Cloud Identity group BigQuery Data Viewer on the specific dataset and Storage Object Creator on the specific bucket.
E. Create a Cloud Identity group and synchronize it with the SAML IdP using Google Cloud Directory Sync.
Answers: D, E

This grants exactly the needed permissions on the resources.

Why this answer

Option E: Create a Cloud Identity group for the data science team, sync it with the SAML IdP, and grant the group appropriate IAM roles. This ensures users from the IdP are mapped to a group that can be used in IAM. Option D: Grant the Cloud Identity group BigQuery Data Viewer on the dataset in Project A and Storage Object Creator on the bucket in Project B.

Together these provide the required read and write access, scoped to the specific dataset and bucket. Option C (granting at project level) is broader than needed. Option B (a separate service account with workload identity federation) is more complex and not necessary, since the group itself can be granted the roles.

132
MCQ · easy

Which of the following is the correct order of the Google Cloud resource hierarchy from highest to lowest?

A. Resources -> Projects -> Folders -> Organization
B. Folders -> Organization -> Projects -> Resources
C. Organization -> Projects -> Folders -> Resources
D. Organization -> Folders -> Projects -> Resources
Answer: D

This is the correct hierarchy.

Why this answer

The Google Cloud resource hierarchy is: Organization -> Folders -> Projects -> Resources. Resources are the lowest level (e.g., Compute Engine instances, Cloud Storage buckets).

133
Multi-Select · medium

A security engineer needs to ensure that no one in the organization can disable or delete Cloud Key Management Service (Cloud KMS) keys, except for a designated security team. Which TWO approaches should be combined? (Choose 2 correct answers)

Select 2 answers
A. Apply the organization policy constraint constraints/cloudkms.disableKeyDeletion with value True.
B. Grant the security team the Cloud KMS Admin role (roles/cloudkms.admin) at the organization level.
C. Create an IAM deny policy at the organization level that denies cloudkms.cryptoKeys.disable and cloudkms.cryptoKeys.destroy for all principals.
D. Store the key material in a separate project with a private key access control.
E. Create an IAM allow policy at the organization level that grants the same permissions only to the security team.
Answers: B, C

This role includes permissions to disable and destroy keys, and if the deny policy has an exception for the security team, they can perform these actions.

Why this answer

Option B is correct because the Cloud KMS Admin role (roles/cloudkms.admin) includes the permissions needed to manage key lifecycle, such as disabling and destroying keys. Granting this role at the organization level ensures the security team can control keys across all projects, while the IAM deny policy in option C blocks all other principals from performing those actions, creating a secure, layered access control approach.

Exam trap

Cisco often tests the distinction between organization policy constraints (which apply to all principals uniformly) and IAM deny policies (which can exclude specific principals), leading candidates to incorrectly choose option A as a blanket solution without considering the need for an exception for the security team.

134
MCQ · medium

A company wants to provide their employees access to a web application running on Compute Engine without exposing the VM to the public internet. The application uses a custom header to verify the user's identity. Which service should they use?

A. Cloud Identity-Aware Proxy (IAP)
B. Cloud Armor with OAuth
C. Cloud Load Balancing with SSL termination
D. VPC firewall rules with source IP restrictions
Answer: A

IAP provides identity verification and signed headers for backend verification.

Why this answer

Identity-Aware Proxy (IAP) provides zero-trust access to web applications. It can be configured to verify identity and pass signed headers (e.g., X-Goog-Authenticated-User-Email) to the backend, allowing the application to verify the user without public IP exposure.

135
MCQ · easy

A security engineer needs to enforce that all Compute Engine VMs in an organization use Shielded VM features. Which approach should they use?

A. Use IAP to enforce Shielded VM on all instances.
B. Enable Shielded VM in the project's Compute Engine settings.
C. Configure a firewall rule to block non-Shielded VMs.
D. Create an organization policy with the constraint constraints/compute.requireShieldedVm set to True.
Answer: D

The organization policy constraint enforces Shielded VM at the organization level.

Why this answer

The organization policy constraint constraints/compute.requireShieldedVm is the correct way to enforce Shielded VM across all VMs.
