CCNA Pcse Managing Operations Questions

75 of 80 questions · Page 1/2 · Pcse Managing Operations topic

1
MCQ · medium

A company wants to automate patching of operating system vulnerabilities on their Compute Engine instances. They need a solution that supports both Windows and Linux and can schedule patch deployments with rolling updates. Which service should they use?

A. OS Config Management
B. Cloud Scheduler
C. VM Manager
D. Deployment Manager
Answer: C

VM Manager provides patch management with scheduling and rolling updates.

Why this answer

VM Manager is the OS management service that includes patch management. It supports both Windows and Linux, allows scheduling, and can perform rolling updates. OS Config Management and Cloud Scheduler are not patch management solutions.

2
Multi-Select · hard

A security team needs to detect anomalous outbound traffic from Compute Engine instances. They want to enable logging and analyze the data. Which three steps should they take? (Choose three.)

Select 3 answers
A. Enable Cloud NAT logging to capture outbound traffic.
B. Enable Packet Mirroring to duplicate all outbound packets.
C. Enable VPC Flow Logs on the subnets where the instances are located.
D. Create a log sink to export VPC Flow Logs to BigQuery.
E. Use BigQuery to query the exported flow logs for anomalous patterns.
Answers: C, D, E

VPC Flow Logs capture IP traffic, including outbound flows.

Why this answer

To detect anomalous outbound traffic, you need to enable VPC Flow Logs (which log outbound traffic), export them to BigQuery for analysis (using a log sink), and query the data. Cloud NAT is for outbound connectivity with NAT, but not logging. Packet Mirroring copies traffic but is not necessary for flow logs.

Firewall Rules logging logs firewall hits, not all outbound traffic.

3
MCQ · medium

A security team needs to detect and respond to a potential data exfiltration via VPC Flow Logs. They want to identify traffic to known malicious IP addresses in real-time. Which architecture should they use?

A. Create a log sink to send VPC Flow Logs to Pub/Sub, trigger a Cloud Function that checks IP addresses against a threat list and sends alerts.
B. Enable VPC Flow Logs and use Dataflow to stream logs to a third-party SIEM.
C. Use Cloud NAT to block traffic to malicious IPs based on a predefined list.
D. Export VPC Flow Logs to BigQuery and schedule a query every minute to check for matches.
Answer: A

This architecture provides near real-time detection via streaming Pub/Sub and serverless processing.

Why this answer

VPC Flow Logs can be streamed via a log sink to Pub/Sub, then processed by Cloud Functions to compare against a threat feed. BigQuery is for analysis, not real-time. Dataflow could be used but is more complex.

Cloud NAT is unrelated.

4
MCQ · easy

Your organization wants to monitor and audit IAM permission changes in real time. Which type of Cloud Audit Log is enabled by default and cannot be disabled?

A. Admin Activity audit logs
B. Data Access audit logs
C. System Event audit logs
D. Policy Denied audit logs
Answer: A

Admin Activity logs are enabled by default and cannot be disabled. They log API calls and administrative actions that modify the configuration or metadata of resources.

Why this answer

Admin Activity audit logs record API calls and administrative actions that modify the configuration or metadata of resources. They are enabled by default and cannot be disabled, making them ideal for monitoring IAM permission changes.

5
MCQ · medium

Your company uses Security Command Center (SCC) Standard tier and wants to detect threats like cryptocurrency mining or anomalous network behavior in real-time. You need to recommend an upgrade to SCC Premium tier and configure the appropriate module. Which SCC Premium module should be enabled?

A. Container Threat Detection
B. Event Threat Detection
C. Web Security Scanner
D. Security Health Analytics
Answer: B

ETD detects threats from logs, including cryptomining, which is exactly the requirement.

Why this answer

Event Threat Detection (ETD) monitors logs (e.g., Cloud Audit Logs, DNS, network) and uses machine learning to detect threats like cryptomining, C2 communication, and data exfiltration. It provides real-time detection and is a Premium tier feature.

6
MCQ · medium

A security engineer needs to automatically remediate a high-severity finding in Security Command Center. The remediation involves restarting a Compute Engine instance. What is the recommended approach?

A. Configure a log sink to Cloud Functions and parse logs for the finding.
B. Use a Compute Engine startup script to check SCC and restart.
C. Create a Cloud Function triggered by a Pub/Sub notification from SCC, and use the Compute Engine API to restart the instance.
D. Use Cloud Scheduler to periodically check SCC and restart instances.
Answer: C

SCC can send notifications to Pub/Sub, which triggers a Cloud Function that performs the remediation action.

Why this answer

Sending SCC notifications to Pub/Sub and triggering Cloud Functions from that topic is the standard pattern for automated remediation.

7
MCQ · medium

A security engineer needs to archive Cloud Audit Logs for regulatory compliance for 7 years. The logs should be immutable and cost-effective. Which solution should they choose?

A. Export logs to Pub/Sub and store them in a Cloud Spanner table with 7-year TTL.
B. Export logs to Cloud Storage using a sink, and enable Bucket Lock with retention policy.
C. Export logs to BigQuery and set a 7-year table expiration.
D. Use the default log retention of 400 days and copy logs to a persistent disk snapshot.
Answer: B

This provides immutable, durable, and low-cost archival storage for the required duration.

Why this answer

Cloud Storage with the Archive storage class and retention policy using Bucket Lock provides immutable, low-cost storage for long-term archival. Logging exports can be configured via a sink to write logs to a bucket with these settings. BigQuery is not suitable for long-term archival due to cost; Pub/Sub is for streaming; Cloud Spanner is transactional and expensive.

8
Multi-Select · hard

A security team is designing an incident response workflow for container threats detected by Security Command Center Premium. They want to automatically capture forensic evidence from compromised GKE nodes. Which THREE steps should they include? (Choose THREE.)

Select 3 answers
A. Export the container image from Artifact Registry for analysis.
B. Collect pod logs and container logs from the node using kubectl logs.
C. Immediately drain and delete all pods on the node.
D. Delete the compromised node pool to prevent further damage.
E. Take a snapshot of the node's boot disk.
Answers: A, B, E

The image may contain vulnerabilities or malware.

Why this answer

When a container threat is detected, the team should capture evidence by taking snapshots of persistent disks, collecting pod logs from the node, and exporting container logs. Deleting the cluster or creating a new node pool would destroy evidence.

9
Multi-Select · medium

A security team is setting up Binary Authorization for their GKE clusters. They want to enforce that only images signed by an approved attestor can be deployed. Which TWO of the following are required for this setup?

Select 2 answers
A. Create an attestor in Binary Authorization.
B. Enable Vulnerability Scanning on Artifact Registry.
C. Disable the default 'Allow All' policy.
D. Create a Container Analysis note for each image.
E. Create a Cloud KMS key pair and associate it with the attestor.
Answers: A, E

Required to define who can attest to an image.

Why this answer

Binary Authorization requires creating an attestor and associating it with a Cloud KMS key pair for signing verification. The attestor's public key must be added to the Binary Authorization policy. A Container Analysis note is used to store attestations, but it is not a separate requirement for the policy itself; it is used when creating attestations.

Disabling vulnerability scanning is not required.

10
MCQ · easy

Which Security Command Center tier provides Event Threat Detection and Container Threat Detection?

A. Both tiers
B. Standard tier
C. Premium tier
D. Neither tier, they are separate services
Answer: C

Premium tier adds these threat detection capabilities.

Why this answer

These threat detection services are available only in the Premium tier of Security Command Center. The Standard tier includes Security Health Analytics, Web Security Scanner, and Anomaly Detection. Compliance monitoring is also Premium-only.

11
MCQ · easy

A security engineer wants to export all Cloud Audit Logs from a Google Cloud project to a BigQuery dataset for long-term analysis. Which type of log sink should be configured?

A. Create a folder-level sink and assign it to the project
B. Create an organization-level sink with includeChildren set to true
C. Create a project-level aggregated sink with destination set to BigQuery dataset
D. Create a sink for each log type individually
Answer: C

A project-level aggregated sink exports all logs from the project to the specified destination, such as BigQuery.

Why this answer

A project-level aggregated sink collects logs from all resources within the project. BigQuery is the appropriate destination for analysis. The sink must include all log types, but Admin Activity logs are enabled by default and cannot be disabled.

12
MCQ · hard

A DevOps team is implementing Binary Authorization for a GKE cluster. They want to ensure that only container images signed by a specific attestor can be deployed. They have created the attestor and configured Cloud KMS for signing. Which additional step is required to enforce the policy?

A. Enable the 'gke-binary-authorization' feature flag on the cluster and update the kubeconfig.
B. Create a Binary Authorization policy that requires at least one attestation and attach it to the GKE cluster.
C. Create a policy that allows all images and then override it with an admission webhook.
D. Configure the container registry to block unsigned images by setting a repository-level policy.
Answer: B

The policy must require attestation and be applied to the cluster for enforcement.

Why this answer

Binary Authorization requires a policy to enforce attestation. The policy must be set to 'Require Attestations' and attached to the GKE cluster (via a policy binding). Creating the attestor alone is insufficient.

The policy can be set at project level.

13
MCQ · medium

An organization wants to use Chronicle for SIEM. They need to ingest logs from an on-premises firewall. Which method should they use?

A. Configure a log sink from Cloud Logging to Chronicle
B. Export logs to Cloud Storage and have Chronicle import them
C. Use a forwarder (e.g., Syslog to UDM) to send logs to Chronicle
D. Directly send logs to a Pub/Sub topic that is ingested by Chronicle
Answer: C

Chronicle supports third-party log ingestion via forwarders that convert logs to UDM format.

Why this answer

Chronicle provides forwarders (e.g., Syslog, Winlogbeat) that parse and send logs to the Chronicle backend.

14
MCQ · medium

A security engineer needs to ensure that all Google Cloud API calls in the organization are logged and retained for 7 years for compliance. Admin Activity logs are enabled by default but retention is limited. Which combination of actions should the engineer take?

A. Create a log sink with _Required log view filter to export Admin Activity logs to Cloud Storage with a retention policy of 7 years.
B. Create a log sink to export Admin Activity logs to BigQuery and set the table expiration to 7 years.
C. Enable Data Access logs for all services and set a custom retention period of 7 years on the log bucket.
D. Enable the 'Admin Activity logs' retention to 7 years in the Logging settings.
Answer: A

The _Required log view includes Admin Activity logs. Exporting to Cloud Storage allows archiving with retention policies.

Why this answer

Admin Activity logs are enabled by default but cannot be retained beyond the default period (400 days for audit logs). To retain for 7 years, you must use a log sink to export them to Cloud Storage (which can be configured with retention policies). BigQuery is for analysis, not archival.

The default retention cannot be changed.

15
MCQ · medium

An organization uses Security Command Center Premium tier. They want to receive notifications when a finding of type 'Cryptomining' is detected in their Compute Engine instances. What should they configure?

A. Container Threat Detection and an email alert
B. Security Health Analytics and a Cloud Storage bucket
C. Web Security Scanner and a Cloud Function
D. Event Threat Detection and a Pub/Sub notification config
Answer: D

Event Threat Detection (Premium) identifies cryptomining activity, and a notification config sends findings to Pub/Sub.

Why this answer

Event Threat Detection (Premium) detects cryptomining. You set up a notification config in SCC to send findings of that type to Pub/Sub.

16
MCQ · medium

Your organization wants to use Chronicle SIEM to analyze security events from both Google Cloud and on-premises firewalls. They want to normalize firewall logs into a common schema. Which Chronicle feature should they use?

A. Log forwarder
B. Investigation timeline
C. YARA-L rules
D. Unified Data Model (UDM)
Answer: D

UDM normalizes logs into a standard schema regardless of source.

Why this answer

Chronicle's Unified Data Model (UDM) normalizes logs from different sources into a common schema, making it easier to search and analyze. Forwarders can send logs, but normalization is done via UDM parsing.

17
MCQ · easy

A security engineer wants to review all IAM permission changes made in the last 30 days. Which type of Cloud Audit Log should they query?

A. Admin Activity logs
B. Data Access logs
C. System Event logs
D. Policy Denied logs
Answer: A

Correct. Admin Activity logs record configuration changes including IAM policy modifications.

Why this answer

Admin Activity logs contain all API calls that modify configurations or metadata, such as IAM policy changes. They are enabled by default and retained for 400 days. Data Access logs would capture read events but not permission changes, System Event logs are for GCP infrastructure actions, and Policy Denied logs record denied requests.

18
MCQ · medium

Which Google Cloud service should be used for long-term archival of Audit Logs that must be immutable and stored for 10 years for compliance?

A. Cloud SQL with backups
B. Cloud Storage with Archive storage class and retention policy
C. BigQuery with time-based partitioning
D. Pub/Sub with message retention
Answer: B

Archive storage class is low-cost for long-term storage, and retention policies prevent deletion.

Why this answer

Cloud Storage with Archive storage class offers the lowest cost for long-term storage, and retention policies enforce immutability.

19
MCQ · medium

A company wants to receive real-time notifications when Security Command Center (SCC) detects a high-severity vulnerability in their Google Cloud projects. They need to integrate with their existing SIEM. Which approach should they use?

A. Create a Pub/Sub notification config in SCC for the desired finding types and have the SIEM subscribe to the Pub/Sub topic.
B. Use the SCC API to poll for new findings every minute and push them to the SIEM via a custom script.
C. Enable Event Threat Detection in SCC Premium tier and configure it to stream findings to Cloud Logging via a log sink.
D. Configure SCC to send findings to Cloud Logging and set up a log-based metric that triggers a Cloud Function to send to the SIEM.
Answer: A

SCC supports Pub/Sub notifications for findings, enabling real-time SIEM integration.

Why this answer

SCC findings can be exported to Pub/Sub for real-time integration. The SIEM can subscribe to the Pub/Sub topic. Cloud Logging can also be used but SCC does not directly write findings to Logging.

Cloud Functions alone would still require Pub/Sub as a trigger.

20
Multi-Select · medium

A financial services company uses Security Command Center (SCC) Premium tier to monitor its GCP environment. The security team wants to automatically respond to high-severity threat findings, such as 'Cryptomining' from Event Threat Detection. The response should include isolating the affected VM by removing its external IP and applying a firewall rule to block egress traffic. Which two steps should the team implement? (Choose two.)

Select 2 answers
A. Deploy a Cloud Function that listens on the Pub/Sub topic and uses Compute Engine API to modify the VM's network tags and update firewall rules
B. Create a Security Health Analytics scan to detect similar threats
C. Set up a log sink to export Admin Activity logs to BigQuery
D. Enable VPC Flow Logs for the affected VM's subnet
E. Create a Pub/Sub topic and subscribe SCC findings to it using a notification config
Answers: A, E

Cloud Functions can automate remediation based on SCC findings.

Why this answer

SCC can be integrated with Pub/Sub to send real-time notifications for findings, and Cloud Functions can execute automated remediation actions like modifying VM network tags or applying firewall rules.

21
MCQ · medium

A security team wants to analyze VPC Flow Logs for potential data exfiltration. They need a solution that allows querying with SQL and requires minimal setup. Which approach should they take?

A. Ingest VPC Flow Logs into Chronicle and use YARA-L rules.
B. Stream VPC Flow Logs to Cloud SQL using a custom pipeline.
C. Export VPC Flow Logs to BigQuery via a log sink, then run SQL queries.
D. Export VPC Flow Logs to Cloud Logging and use Log Analytics with SQL.
Answer: C

This is the simplest way to enable SQL analysis on VPC Flow Logs with minimal setup.

Why this answer

VPC Flow Logs can be exported to BigQuery via a log sink, which enables SQL analysis. BigQuery is the best option because it supports standard SQL and requires no management. Chronicle is a SIEM with its own query language (YARA-L) and requires ingestion configuration; Cloud Logging has limited query power compared to BigQuery; Cloud SQL would require additional ingestion logic.

22
MCQ · hard

During a security incident, a forensic investigator needs to analyze a compromised Compute Engine instance without affecting the live environment. The instance has persistent disks with critical data. What is the best first step to preserve evidence?

A. Clone the instance to a new VM.
B. Export the disk image to Cloud Storage.
C. Enable VPC Flow Logs for the instance's network.
D. Create a snapshot of the persistent disks.
Answer: D

A snapshot preserves the data without downtime.

Why this answer

Creating a snapshot of the persistent disks preserves a point-in-time copy without affecting the running instance. The snapshot can then be used to create a new disk attached to a forensic VM for analysis. Disk cloning requires stopping the instance.

23
MCQ · medium

An organization wants to enforce that all container images deployed to a GKE cluster must be signed by an approved authority. They have set up Binary Authorization with a policy that requires attestation. Where should the signing key be stored to meet security best practices?

A. Store the private key in a GCS bucket with uniform bucket-level access.
B. Store the private key in Secret Manager.
C. Store the private key in Cloud Key Management Service (Cloud KMS).
D. Store the private key on the developer's workstation.
Answer: C

Cloud KMS is the secure and managed way to store keys for Binary Authorization.

Why this answer

Binary Authorization integrates with Cloud Key Management Service (KMS) to store attestor keys. Cloud KMS provides centralized key management, access control via IAM, and audit logging. Using a key stored in Cloud KMS is the recommended approach.

24
Multi-Select · medium

A company wants to ensure compliance with PCI DSS by monitoring access to BigQuery datasets containing sensitive data. They need to log all read operations and enable real-time alerting for anomalous access. Which TWO actions should they take? (Choose TWO.)

Select 2 answers
A. Create a log sink to export BigQuery Data Access logs to Pub/Sub.
B. Enable Admin Activity logs for BigQuery.
C. Enable Data Access logs for BigQuery.
D. Use Security Command Center to detect sensitive data access.
E. Create a BigQuery view to restrict access to sensitive columns.
Answers: A, C

Pub/Sub enables real-time streaming for alerting.

Why this answer

BigQuery Data Access logs record read operations but are not enabled by default. To enable them, you must explicitly enable Data Access logs for BigQuery. For real-time alerting, you can export logs to Pub/Sub and process them with a Cloud Function.

25
MCQ · medium

A company uses Security Command Center (SCC) Premium tier and wants to automatically trigger a Cloud Function to remediate a threat finding. Which approach should they use?

A. Configure SCC to send findings to a Pub/Sub topic, and subscribe a Cloud Function to that topic.
B. Use Cloud Tasks to periodically invoke Cloud Functions after reading findings from Security Command Center API.
C. Create a Cloud Scheduler job that polls SCC findings periodically and invokes Cloud Functions.
D. Export SCC findings to Cloud Storage, and set up a Cloud Function on object finalize.
Answer: A

This is the correct pattern: SCC notifications via Pub/Sub trigger a Cloud Function for automated response.

Why this answer

SCC can send real-time notifications via Pub/Sub when findings of certain types or severities are created. A Cloud Function can subscribe to that topic to perform automated remediation. Cloud Scheduler cannot be triggered by events; Cloud Tasks is for asynchronous task execution but not designed for event-driven triggers from SCC; Logs Router exports logs but does not directly trigger Cloud Functions based on findings.

26
MCQ · hard

A security engineer is investigating a compromised Compute Engine VM. They need to take a forensic snapshot of the disk without losing any data, including deleted files, and ensure the snapshot is not tampered with. Which steps should they take?

A. Use dd to copy the disk over SSH to a forensic workstation.
B. Stop the instance, create a snapshot of the disk, then detach the disk.
C. Detach the disk first, then create a snapshot of the detached disk.
D. Create a snapshot of the disk while the instance is running, then detach the disk.
Answer: D

This captures the current state including deleted files, and detaching prevents further modifications. Snapshotting the disk of a running instance is possible.

Why this answer

The correct approach is to first create a snapshot of the disk for forensic analysis, which captures the disk state including deleted files (unless overwritten). Then detach the disk from the instance to prevent further changes. Creating a snapshot after detaching would lose the current state.

Powering off the instance may alter data. Using dd over SSH may change file access times.

27
MCQ · medium

A company wants to use Chronicle to ingest logs from their on-premises firewalls into Google Cloud. They need to normalize logs into a common schema for analysis. Which Chronicle capability should they use?

A. Log forwarders
B. YARA-L rules
C. Chronicle dashboards
D. Unified Data Model (UDM)
Answer: D

UDM normalizes logs into a common schema for analysis.

Why this answer

Chronicle uses the Unified Data Model (UDM) to normalize logs from various sources into a common schema. Log forwarders can collect and send logs to Chronicle, but UDM is the normalization engine. YARA-L rules are for detection, not normalization.

The dashboard is for visualization.

28
Multi-Select · hard

A multinational organization uses Chronicle SIEM to aggregate and analyze security logs from multiple GCP projects and on-premises systems. The security team wants to detect a known threat pattern: a user authenticating from an anomalous geographic location followed by a large data egress from a Compute Engine instance within 10 minutes. Which three steps are necessary to create this detection? (Choose three.)

Select 3 answers
A. Ingest Cloud Audit Logs and VPC Flow Logs into Chronicle via forwarders or native integration
B. Deploy a forwarder to send on-premises authentication logs to Chronicle
C. Configure a BigQuery export of VPC Flow Logs for long-term analysis
D. Enable the Standard tier of Security Command Center to generate finding notifications
E. Create a YARA-L rule that matches on a UDM 'authentication' event with unusual geo-location followed by a 'network' event with large bytes out
Answers: A, B, E

These log sources provide authentication events and network traffic data.

Why this answer

Chronicle uses YARA-L rules to detect patterns across different log sources. UDM normalizes logs into a common schema. The rule can reference events from multiple log types (e.g., authentication logs and network logs) and define temporal relationships.

29
MCQ · easy

A company needs to archive Cloud Audit Logs for compliance purposes for 7 years. The logs are rarely accessed after the first year. Which storage option is the most cost-effective?

A. Export logs to Cloud Storage with Standard storage class
B. Export logs to BigQuery dataset
C. Export logs to Pub/Sub topic
D. Export logs to Cloud Storage with Archive storage class
Answer: D

Archive class is the cheapest for long-term, rarely accessed data.

Why this answer

Cloud Storage offers Archive class for long-term, low-cost storage. BigQuery is for analysis, not archival. Pub/Sub is for streaming.

Cloud Storage is the right choice; Archive class is cheaper than Nearline or Coldline.

30
MCQ · easy

A security engineer wants to monitor all actions that create or modify resources in a Google Cloud project. Which type of audit log is enabled by default and cannot be disabled?

A. Policy Denied logs
B. Data Access logs
C. Admin Activity logs
D. System Event logs
Answer: C

Admin Activity logs are enabled by default and cannot be disabled.

Why this answer

Admin Activity logs record all API calls that modify configuration or metadata. They are enabled by default and cannot be disabled. Data Access logs are opt-in; System Event logs are also enabled by default and cannot be disabled; and Policy Denied logs are generated when access is denied by IAM policies.

31
MCQ · medium

An organization uses Binary Authorization to enforce that only images signed by an approved attestor are deployed in GKE. They want to allow a specific set of images from a trusted registry to bypass the policy. Which Binary Authorization policy type should they use?

A. Deny All
B. Allow All
C. Require Attestation
D. Allow by Registry
Answer: C

This policy requires attestation for all images except those explicitly exempted via a breakglass or exception rule.

Why this answer

Binary Authorization supports policy types like 'Require Attestation', 'Allow All', and 'Deny All'. To allow specific images while requiring attestation for others, they would use 'Require Attestation' with an exception list. There is no 'Allow by Registry' built-in type.

32
MCQ · easy

A security analyst wants to search for a specific IAM role change across all projects in the organization. Which tool can query Cloud Audit Logs across projects?

A. Cloud Shell with gcloud logging read
B. Activity page in the Cloud Console (Home > Activity)
C. Cloud Monitoring dashboard
D. Cloud Logging Logs Explorer with a query that includes all projects in the organization
Answer: D

Logs Explorer can query logs across projects if the analyst has the necessary permissions at the organization level.

Why this answer

Logs Explorer allows querying logs across projects via resource scope, provided the user has the appropriate permissions.

33
Multi-Select · easy

A startup uses Cloud SQL for MySQL and wants to implement automated daily backups with a 7-day retention period. The database is 50 GB and experiences moderate write traffic. The team wants to minimize cost and operational overhead. Which two actions should they take? (Choose two.)

Select 2 answers
A. Use gcloud sql backups create to take on-demand backups daily
B. Configure point-in-time recovery (PITR) with a 7-day log retention
C. Set up a cron job on a Compute Engine instance to run pg_dump
D. Enable automated backups in Cloud SQL with a 7-day retention period
E. Create a Cloud Function to export the database to Cloud Storage daily using mysqldump
Answers: B, D

PITR enables recovery to any point in time within the retention window and is built into Cloud SQL.

Why this answer

Cloud SQL provides built-in automated backups. Configuring them through the UI or CLI is straightforward and cost-effective. The default backup window can be customized, and retention is set per backup configuration.

34
Multi-Select · medium

A company wants to implement a vulnerability management program for their Google Cloud environment. They need to scan Compute Engine instances for OS vulnerabilities and container images for known vulnerabilities. Which two services should they use? (Choose two.)

Select 2 answers
A. VM Manager (OS patch assessment)
B. Cloud Security Scanner
C. Container Analysis (Artifact Registry vulnerability scanning)
D. Binary Authorization
E. Web Security Scanner
Answers: A, C

VM Manager provides vulnerability assessment for OS packages.

Why this answer

VM Manager patch management can assess and patch OS vulnerabilities on Compute Engine instances. Container Analysis (Artifact Registry) scans container images for vulnerabilities. Web Security Scanner is for web apps.

Binary Authorization is for attestation. Cloud Security Scanner does not exist.

35
MCQ · hard

An organization uses Chronicle SIEM to ingest logs from multiple GCP projects and on-premises firewalls. They need to write a detection rule that triggers when an IP address makes more than 100 failed login attempts across different GCP projects within 10 minutes. Which Chronicle feature should they use?

A. Dashboard and alerting
B. Reference list
C. Unified Data Model (UDM)
D. YARA-L detection rule
Answer: D

YARA-L rules can correlate events across multiple data sources and time windows.

Why this answer

YARA-L is the detection language for Chronicle. It allows multi-event correlation across data sources, including timestamps and grouping by source IP. UDM is the data model.

Dashboards are visual. Reference lists are for static data.

36
MCQ · hard

During a forensic investigation, you need to analyze a Compute Engine instance that has been compromised. You want to preserve the disk state for analysis without affecting the running instance. Which action should you take?

A. Delete the instance but keep the disk, then attach the disk to a new instance.
B. Create a snapshot of the persistent disk and attach the snapshot to a new instance for analysis.
C. Stop the instance and create a custom image from the boot disk.
D. Use gcloud compute disks export to export the disk to Cloud Storage.
Answer: B

Snapshots capture the disk state at a point in time and can be used to create new disks attached to a forensic VM.

Why this answer

Creating a snapshot is the non-disruptive, best practice for forensic preservation.

37
MCQ · easy

Which type of Cloud Audit Logs must be explicitly enabled and incur additional cost?

A. Admin Activity logs
B. System Event logs
C. Policy Denied logs
D. Data Access logs
Answer: D

Must be explicitly enabled and incur costs for storage and processing.

Why this answer

Data Access logs track read and write operations on resources. They are opt-in, cost extra, and have additional retention costs. Admin Activity logs are free and enabled by default.

System Event logs are also free. Policy Denied logs are generated automatically when access is denied.

38
MCQ · medium

An organization needs to scan container images stored in Artifact Registry for vulnerabilities before deployment. They want to use a managed service that integrates with their CI/CD pipeline. Which Google Cloud service should they use?

A. Container Analysis
B. Web Security Scanner
C. Cloud Security Scanner
D. VM Manager patch management
Answer: A

Artifact Analysis (the current name of Container Analysis) scans images pushed to Artifact Registry for known CVEs and keeps the results current as new vulnerability data arrives.

Why this answer

Artifact Registry integrates with Container Analysis, now called Artifact Analysis, which scans images on push and records vulnerability occurrences that CI/CD steps can read (the gcloud artifacts docker images describe command with its --show-package-vulnerability flag) and gate on, and that Binary Authorization can consume through attestations. Web Security Scanner targets running web applications, VM Manager patch management targets guest operating systems on VMs, and Cloud Security Scanner is the former name of Web Security Scanner, so none of the other options scans container images.

39
MCQmedium

A DevOps team wants to enforce that only container images signed by a specific authority can be deployed in a GKE cluster. They plan to use Binary Authorization. Which configuration is required?

A.Create an attestor and set the policy to 'Deny all' and then add exceptions for signed images
B.Create an attestor and set the policy to 'Allow all' so that signed images are allowed
C.Create an attestor, generate a key pair with Cloud KMS, and configure the policy to require at least one attestation from that attestor
D.Create a vulnerability scan policy in Artifact Registry to block unsigned images
AnswerC

The attestor holds the public half of a signing key (typically a Cloud KMS asymmetric key) and the policy's default rule is set to require an attestation from it.

Why this answer

Binary Authorization evaluates a project-level policy at deploy time. To admit only signed images you create a Container Analysis note, an attestor that references the note and the public key of the signing key pair (for example a Cloud KMS key version), and set the policy's default admission rule to REQUIRE_ATTESTATION with that attestor listed under requireAttestationsBy. The evaluation mode must be "Require attestations": "Allow all" admits everything, "Deny all" blocks everything, and neither has an exception list keyed on signatures. Vulnerability scanning in Artifact Registry reports findings but does not block deployments by itself.

40
MCQhard

An organization uses Binary Authorization with multiple attestors. They want to allow a deployment only if at least two attestors have signed the image. Which policy type should be used?

A.Allow all images
B.Require attestation with a single attestor
C.Require attestation with a list of attestors and a minimum number of 2
D.Deny all images
AnswerC

A Binary Authorization rule lists the attestors that must have attested the image; listing both attestors means both signatures are required.

Why this answer

The rule's requireAttestationsBy field takes a list of attestors, and an image is admitted only when a valid attestation exists from every attestor in the list (the condition is a logical AND). There is no separate "minimum count" parameter in the policy; the way to demand two signatures is to list the two attestors, which is what option C amounts to. A rule with a single attestor needs one signature, and the Allow-all and Deny-all modes ignore attestations entirely.

41
MCQeasy

Which of the following is a feature available only in Security Command Center Premium tier, not in Standard tier?

A.Security Health Analytics
B.Event Threat Detection
C.Anomaly Detection
D.Web Security Scanner
AnswerB

Event Threat Detection is Premium-only.

Why this answer

Event Threat Detection, which analyses Cloud Logging and Google Workspace logs for threats, is available only in the Premium tier. Security Health Analytics, Web Security Scanner and Anomaly Detection appear in both tiers, but the Standard versions are reduced: Standard ships a limited set of Security Health Analytics detectors and custom (not managed) Web Security Scanner scans.

42
MCQmedium

A company needs to archive their VPC Flow Logs for 10 years for compliance. They also need to run occasional queries on the logs. What is the most cost-effective approach?

A.Export VPC Flow Logs to both Cloud Storage and BigQuery simultaneously.
B.Create a log sink to export VPC Flow Logs to Cloud Storage with a retention policy of 10 years and use BigQuery external tables for occasional queries.
C.Create a log sink to export VPC Flow Logs to BigQuery and set a table partition expiration to 10 years.
D.Enable VPC Flow Logs and set the log bucket retention to 10 years.
AnswerB

Cloud Storage provides low-cost archival, and BigQuery external tables allow querying the exported files without loading them.

Why this answer

A log sink that routes the vpc_flows log entries to a Cloud Storage bucket, combined with the Archive storage class and a 10-year bucket retention policy (which can be locked for immutability), is the cheapest way to hold a decade of flow logs. Occasional queries run through a BigQuery external table over the exported JSON files; each query scans the files, so it is slower and costlier per query than a native table, which is acceptable for occasional use. Keeping the data in BigQuery (options A and C) pays warehouse storage rates for 10 years, and Cloud Logging buckets, although they accept retention up to 3650 days, are priced for active log storage rather than archival. A sink only receives VPC Flow Logs that are actually being generated, so flow logging must be enabled on the subnets first.

43
MCQhard

During an incident response, a security engineer needs to analyze a Pub/Sub message that was produced by a Cloud Function triggered by a SCC finding. The message has been acknowledged and deleted from the subscription. How can the engineer retrieve the message again?

A.Submit a support ticket to Google to recover the message from internal storage.
B.Check the Cloud Function logs to view the message payload.
C.Create a new subscription to the same topic and enable 'retain_acked_messages' before the message was published.
D.Use the 'gcloud pubsub subscriptions seek' command with a snapshot or timestamp to replay the message.
AnswerD

Seek replays messages from a snapshot or a timestamp, including acknowledged messages, provided the subscription retained them.

Why this answer

Pub/Sub can rewind a subscription with gcloud pubsub subscriptions seek, either to a snapshot taken earlier or to a point in time. Seeking to a timestamp restores acknowledged messages only if the subscription had retain_acked_messages enabled and the message is still within its message retention duration; seeking to a snapshot works if the snapshot was created before the message was acknowledged. Dead-letter topics exist in Pub/Sub, but they hold messages that failed delivery, not messages that were delivered and acknowledged. Option C cannot work because retention has to be in place before the message is published, and Google Support does not recover individual messages.

The Cloud Function's logs contain the payload only if the function code logged it; nothing logs Pub/Sub message bodies by default.

44
MCQmedium

A security team wants to scan a web application hosted on Compute Engine for vulnerabilities like XSS and outdated libraries. They want the scan to be authenticated to cover areas behind login. Which Google Cloud service and configuration should they use?

A.VM Manager patch management to check for outdated libraries.
B.Cloud Security Scanner with a custom scan configuration including authentication headers.
C.Container Analysis with a custom scanning schedule.
D.Web Security Scanner with a managed scan and custom login credentials.
AnswerD

Web Security Scanner supports authenticated scanning.

Why this answer

Web Security Scanner can crawl pages behind a login by authenticating with a Google account, a non-Google account (username and password for the application's own login form) or through Identity-Aware Proxy, and it scans applications served from App Engine, Compute Engine or GKE in your project. It reports findings such as XSS, mixed content, clear-text password fields and outdated libraries. Option B names Cloud Security Scanner, the product's former name, which is why the item keys on D; in the product itself the authentication settings live on a scan configuration (a custom scan). VM Manager patches operating systems and Container Analysis scans container images, so neither tests a running web application.

45
Multi-Selecthard

A gaming company deploys a multiplayer game backend on Google Kubernetes Engine (GKE) with multiple microservices. The operations team needs to collect structured logs from containers, analyze them in real-time for anomalies, and store them for 30 days for compliance. They also need to monitor custom application metrics (e.g., player count per game server). Which three Google Cloud services should they use? (Choose three.)

Select 3 answers
A.Cloud Logging to collect container logs and store them for 30 days using a log bucket retention policy
B.Chronicle to ingest logs from Cloud Logging and apply anomaly detection rules
C.BigQuery to store logs for 30 days and run real-time queries
D.Cloud SQL to store application metrics
E.Cloud Monitoring to collect custom metrics via the Monitoring API and set up dashboards
AnswersA, B, E

Cloud Logging is the native log management service for GCP, supporting custom retention.

Why this answer

Cloud Logging collects and stores logs, Cloud Monitoring collects metrics and supports custom metrics, and Chronicle can analyze logs for anomalies in real-time. BigQuery is for long-term analysis but not real-time anomaly detection.

46
MCQeasy

A company wants to scan all container images stored in Artifact Registry for vulnerabilities before deployment. Which Google Cloud service should they use?

A.Binary Authorization
B.Cloud Build
C.Container Analysis
D.Security Command Center
AnswerC

Container Analysis scans images for vulnerabilities and provides findings.

Why this answer

Container Analysis (now called Artifact Analysis) provides vulnerability scanning for images pushed to Artifact Registry and records the results as occurrences that other tools can query. Binary Authorization enforces deployment policy and can consume attestations derived from those results, but it does not scan. Security Command Center aggregates the findings.

Cloud Build builds images; it can trigger a scan as a pipeline step but is not the scanner.

47
MCQmedium

Your organization uses VPC Flow Logs for network forensics. During an incident, you need to analyze traffic to a compromised instance for the last 72 hours. The Flow Logs are stored in Cloud Logging. Which approach allows you to query the logs most efficiently?

A.Export logs to BigQuery and run SQL queries
B.Use the gcloud logging read command with appropriate filters
C.Use Logs Explorer in Cloud Logging to filter by instance and time range
D.Download logs as CSV from Cloud Storage
AnswerC

Logs Explorer queries log entries that are still in Cloud Logging directly, without a pipeline.

Why this answer

For a 72-hour window that is already in a Cloud Logging bucket, Logs Explorer is the fastest route: filter on the vpc_flows log name, the instance's IP or name and the time range, and the entries are available immediately. gcloud logging read runs the same filter but suits scripting better than interactive analysis. A BigQuery sink only receives entries routed after the sink is created, so it does not help with logs that have already been written, although it is the right tool for large-scale or recurring analysis. Downloading CSVs from Cloud Storage presumes an export that may not exist and gives up the query engine.

48
MCQeasy

A developer wants to be notified when a new vulnerability is found in a container image stored in Artifact Registry. Which service should they configure?

A.Container Analysis
B.Cloud Security Scanner
C.Binary Authorization
D.VM Manager
AnswerA

Container Analysis scans images in Artifact Registry and publishes scan results to Pub/Sub.

Why this answer

Artifact Registry integrates with Container Analysis (Artifact Analysis), which scans images on push and keeps updating results as new vulnerability data is published. It emits a message to the Pub/Sub topics container-analysis-notes-v1 and container-analysis-occurrences-v1 whenever a note or occurrence is created or changed; a subscription on the occurrences topic, filtered to vulnerability occurrences for the repository of interest, is how a developer gets told about a newly discovered CVE.

49
Multi-Selecteasy

Your organization uses VM Manager for patch management. You need to configure patch deployments to run weekly on all Windows VMs. Which two resources must be configured? (Choose two.)

Select 2 answers
A.Enable VPC Flow Logs on the VMs
B.Create a patch job manually each week
C.Create a patch deployment with a weekly schedule
D.Specify the target VMs using instance filters (e.g., OS = Windows)
E.Install the OS Config agent on all VMs
AnswersC, D

A patch deployment defines the schedule and the target VMs.

Why this answer

VM Manager patch management has two objects: one-off patch jobs and patch deployments, which are patch jobs on a schedule. A weekly deployment with an instance filter (by OS short name, label or zone) covers the requirement; you can also set a duration window and a rollout mode (zone by zone, with a disruption budget) so that not every VM reboots at once. The OS Config agent must be present and the OS Config API enabled for any of this to work, but the agent ships preinstalled on most Google-provided images, which is why the item treats option E as a prerequisite rather than a patch-deployment resource. VPC Flow Logs are unrelated.

50
MCQhard

An organization uses Binary Authorization with a GKE cluster that enforces attestation. A developer builds a container and pushes it to Artifact Registry. The image must be signed before it can be deployed. Which steps are required to allow this image to run on the cluster?

A.Push the image to Artifact Registry and allow the Binary Authorization policy to automatically sign it.
B.Configure the cluster to allow all images by setting the policy to 'Allow All' for the developer's namespace.
C.Sign the image using Cloud KMS and an attestor, then create a signed attestation in Container Analysis, and deploy the image.
D.Use the Binary Authorization API to create an attestation by specifying the image URL and the attestor, then deploy.
AnswerC

This is the correct workflow: sign the image digest with the attestor's private key and store the signature as an attestation (an occurrence of the attestor's Container Analysis note); the policy verifies it at deploy time.

Why this answer

Binary Authorization admits an image only when an attestation from each required attestor exists for the image digest. The attestation is a signature over a payload that names the image and its manifest digest, made with the private key whose public half is registered on the attestor (usually a Cloud KMS asymmetric key version). The signed attestation is stored in Container Analysis as an occurrence attached to the attestor's note; Cloud KMS holds the key, not the attestation. Pushing the image, allowing the whole namespace or creating an "attestation" without a signature (options A, B and D) does not satisfy a REQUIRE_ATTESTATION rule, and a vulnerability scan result is not an attestation either. Deploy the image by digest, not by tag, because attestations bind to the digest.

51
Multi-Selectmedium

Your company needs to implement real-time monitoring of security events from Google Cloud resources. They want to ingest logs into a third-party SIEM system. Which two services should they use together? (Choose two.)

Select 2 answers
A.Cloud Storage export
B.Cloud Logging log sink with Pub/Sub destination
C.Chronicle SIEM
D.BigQuery export
E.Pub/Sub subscription with a subscriber pulling logs
AnswersB, E

This enables streaming logs to Pub/Sub for real-time consumption.

Why this answer

Cloud Logging can export logs to Pub/Sub, and a subscriber (SIEM connector) can ingest them. Chronicle is a Google SIEM, but the question asks for third-party SIEM integration.

52
MCQhard

A security team uses Security Command Center Premium to detect threats. They want to receive real-time notifications when a finding of type 'Threat' with severity 'CRITICAL' or 'HIGH' is created. Which approach should they use?

A.Use BigQuery to query SCC findings and schedule a query that pushes results to Pub/Sub.
B.Create a log sink to export SCC findings to Pub/Sub and then filter using Cloud Functions.
C.Create a SCC notification config with a filter for threat type and severity levels, sending to a Pub/Sub topic.
D.Enable Event Threat Detection and configure it to send alerts via email.
AnswerC

SCC notification configs are the built-in, real-time channel for findings.

Why this answer

A notification config attaches a filter (on fields such as severity, state and category) to a Pub/Sub topic; every finding that matches is published as it is created or updated, so the team sees CRITICAL and HIGH threat findings within seconds. Routing through Cloud Logging or BigQuery adds a hop and, in BigQuery's case, a polling schedule, and Event Threat Detection has no email channel of its own; its findings are delivered through SCC.

53
MCQmedium

A security engineer wants to export Cloud Audit Logs to a third-party SIEM in real time. Which log sink destination should they configure?

A.Pub/Sub
B.BigQuery
C.Cloud Storage
D.Logging bucket
AnswerA

Pub/Sub streams log entries to a SIEM as they are written; the SIEM consumes them through a pull or push subscription.

Why this answer

A log sink with a Pub/Sub topic as its destination forwards matching entries within seconds of ingestion, and the SIEM (or its connector) subscribes to the topic. BigQuery and Cloud Storage destinations are stores the SIEM would have to poll, and a Logging bucket keeps the data inside Cloud Logging.

54
MCQeasy

Which Security Command Center tier includes Event Threat Detection and Container Threat Detection?

A.Premium tier
B.Standard tier
C.Basic tier
D.Enterprise tier
AnswerA

Premium tier includes Event Threat Detection, Container Threat Detection, VM Threat Detection, Rapid Vulnerability Detection and compliance monitoring.

Why this answer

Premium adds the threat detection services on top of the Standard tier's Security Health Analytics and Web Security Scanner custom scans. A separate Enterprise tier was introduced later and also carries these detectors, but the tier this item keys on is Premium; there is no Basic tier.

55
Multi-Selecthard

A company runs containerized applications on GKE and uses Binary Authorization. They want to enforce that only images from a specific Artifact Registry repository can be deployed, and those images must be signed by a trusted attestor. Which THREE configurations are required?

Select 3 answers
A.Set up a Binary Authorization policy that requires attestation.
B.Create an attestation note and attestor in Binary Authorization.
C.Configure an Artifact Registry repository with a vulnerability scanning policy.
D.Add a constraint to the GKE cluster's Binary Authorization policy that restricts the allowed registry to the specific Artifact Registry repository.
E.Create a Cloud KMS key and an attestor in the same project as the repository.
AnswersA, B, D

This is the core policy to require signed images.

Why this answer

The three pieces are a Binary Authorization policy whose default rule requires attestation, an attestor backed by a Container Analysis note and a public key, and a policy setting that constrains which registry paths are treated specially (the image-name patterns in the policy). Patterns in the policy are an allowlist, so matching images bypass the rule rather than being forced to carry a signature; the "only from repository X" requirement is therefore met by keeping the default rule at REQUIRE_ATTESTATION and having the trusted attestor sign only digests built into that repository, since attestations bind to the exact digest. Vulnerability scanning settings on the repository (option C) do not influence admission, and the Cloud KMS key and attestor can live in any project the policy can reference, so option E states a non-requirement.
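The policy mechanics behind questions 39, 40, 50 and 55 are easy to get wrong under exam pressure, so here is an added worked example (not code from this page or from Google) that models how a Binary Authorization policy decides admission: allowlist patterns, the digest requirement, and the rule that every listed attestor must have signed. The policy dict uses the field names of the real policy YAML; the project, attestor and image names, the digest and the attestation set are assumptions, and verification of each signature against the attestor's public key is taken as already done.

```python
"""Added example: how a Binary Authorization policy admits or rejects an image.

The policy dict uses the real field names of the policy YAML
(defaultAdmissionRule, evaluationMode, requireAttestationsBy,
admissionWhitelistPatterns). Project, attestor and image names and the digest
are made up. Verifying each signature against the attestor's public key is
assumed to have happened already and is represented by the `attested` mapping.
"""
import json


def signature_payload(image_ref: str, digest: str) -> str:
    """The payload an attestor signs: same structure as the output of
    `gcloud container binauthz create-signature-payload`. Binding the digest
    (not a tag) is what makes the attestation tamper-evident."""
    return json.dumps({
        "critical": {
            "identity": {"docker-reference": image_ref},
            "image": {"docker-manifest-digest": digest},
            "type": "Google cloud binauthz container signature",
        }
    }, indent=2) + "\n"


def split_ref(image: str):
    """Split 'repo/img@sha256:...' -> (name, digest); a tag reference yields digest None."""
    if "@" in image:
        name, digest = image.split("@", 1)
        return name, digest
    last_slash = image.rfind("/")
    tail = image[last_slash + 1:]          # only a ':' after the last '/' is a tag
    if ":" in tail:
        return image[: last_slash + 1 + tail.index(":")], None
    return image, None


def matches_pattern(image: str, pattern: str) -> bool:
    """Allowlist pattern semantics: a trailing '**' matches any suffix including '/',
    a trailing '*' matches the rest of one path segment, anything else is exact."""
    if pattern.endswith("**"):
        return image.startswith(pattern[:-2])
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        return image.startswith(prefix) and "/" not in image[len(prefix):]
    return image == pattern


def evaluate(policy: dict, image: str, attested: dict):
    """Return (admit, reason) for one image under the policy's default rule.

    attested maps attestor resource name -> set of digests for which a valid
    attestation (signature verified with the attestor's public key) exists.
    """
    name, digest = split_ref(image)
    for entry in policy.get("admissionWhitelistPatterns", []):
        if matches_pattern(image, entry["namePattern"]):
            return True, f"allowlisted by {entry['namePattern']}"
    rule = policy["defaultAdmissionRule"]
    mode = rule["evaluationMode"]
    if mode == "ALWAYS_ALLOW":
        return True, "default rule ALWAYS_ALLOW"
    if mode == "ALWAYS_DENY":
        return False, "default rule ALWAYS_DENY"
    # REQUIRE_ATTESTATION: attestations bind to a digest, so a tag cannot be checked.
    if digest is None:
        return False, f"{name} must be referenced by digest, not tag"
    # Every attestor in the list must have attested (logical AND, no threshold field).
    missing = [a for a in rule["requireAttestationsBy"] if digest not in attested.get(a, set())]
    if not missing:
        return True, "attested by all required attestors"
    reason = "missing attestation from " + ", ".join(missing)
    if rule.get("enforcementMode") == "DRYRUN_AUDIT_LOG_ONLY":
        return True, "dry run, would deny: " + reason
    return False, reason


# Constructed policy and attestations.
BUILD = "projects/example-project/attestors/build-attestor"
QA = "projects/example-project/attestors/qa-attestor"
POLICY = {
    "globalPolicyEvaluationMode": "ENABLE",  # exempts Google-maintained system images (not modelled)
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/google_containers/*"}],
    "defaultAdmissionRule": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBy": [BUILD, QA],  # two attestors listed: both signatures required
    },
}
DIGEST = "sha256:" + "ab" * 32
IMAGE = "us-docker.pkg.dev/example-project/app-repo/api@" + DIGEST
ATTESTED = {BUILD: {DIGEST}, QA: {DIGEST}}

if __name__ == "__main__":
    print(signature_payload("us-docker.pkg.dev/example-project/app-repo/api", DIGEST))
    print(evaluate(POLICY, IMAGE, ATTESTED))
    print(evaluate(POLICY, IMAGE, {BUILD: {DIGEST}}))
```

The second evaluate call is the question 40 case: only the build attestor has signed, so the image is rejected even though a valid attestation exists. Switching enforcementMode to DRYRUN_AUDIT_LOG_ONLY is the way to roll a new rule out without breaking deployments while you watch the audit log.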

56
MCQeasy

Which Google Cloud SIEM solution ingests logs from various sources, normalizes them into the Unified Data Model (UDM), and allows detection using YARA-L rules?

A.Chronicle
B.Cloud Logging
C.BigQuery
D.Security Command Center
AnswerA

Chronicle (now Google Security Operations) is the SIEM that uses UDM and YARA-L.

Why this answer

Chronicle, now branded Google Security Operations, is Google Cloud's SIEM: it ingests logs from cloud and on-premises sources, normalizes them into UDM and runs YARA-L detection rules over the result. Security Command Center is a cloud security posture and threat management tool whose findings are typically forwarded to a SIEM; it is not one itself. Cloud Logging stores and queries logs but has neither a normalization layer nor a detection engine.

BigQuery is a data warehouse.

57
MCQmedium

A security analyst needs to mute a recurring false positive finding in Security Command Center so that it no longer appears in the active findings list. The analyst wants to keep the finding for historical reference. What should they do?

A.Set the finding's state to 'INACTIVE'
B.Create a filter to exclude the finding from view
C.Mute the finding using the SCC console or API
D.Delete the finding from SCC
AnswerC

Muting hides the finding from the default views but keeps it.

Why this answer

Muting sets the finding's mute attribute: it disappears from the default findings query, which filters out muted findings, but stays available for audit, export and later review. Mute rules apply the same treatment automatically to future findings that match a filter, which is what a recurring false positive calls for. Changing the state to INACTIVE misrepresents a finding that is still being detected, a view filter is per user, and findings cannot be deleted.

58
Multi-Selectmedium

A company wants to use Cloud Audit Logs to monitor for security incidents. They need to retain logs for 6 months for analysis and then archive them for 5 years. Which TWO steps should they take?

Select 2 answers
A.Create a log sink to Cloud Storage with the Archive storage class and Bucket Lock retention of 5 years.
B.Rely on the default 400-day retention in Cloud Logging.
C.Enable Data Access logs for all services.
D.Create a log sink to Pub/Sub and store in Cloud SQL.
E.Create a log sink to BigQuery with a table expiration of 6 months.
AnswersA, E

A Cloud Storage sink with the Archive class and a locked retention policy provides immutable, cost-effective archival.

Why this answer

Two sinks with different destinations serve the two requirements: one to a BigQuery dataset with a 6-month table expiration for analysis, and one to a Cloud Storage bucket in the Archive storage class with a 5-year retention policy, locked with Bucket Lock so that nobody, including an attacker with project access, can shorten it. A single sink has one destination, so both are needed.

Pub/Sub and Cloud SQL are not archival stores. The 400-day default retention applies only to the _Required bucket (Admin Activity, System Event and Access Transparency logs); the _Default bucket keeps logs for 30 days, and neither gives you 5 years without a custom retention setting. Enabling Data Access logs adds detail but does not address retention.

59
MCQmedium

A company is using Security Command Center (SCC) Standard tier and wants to detect threats like crypto mining attacks and anomalous IAM activity in their GCP environment. Which built-in service should they enable?

A.Event Threat Detection
B.Security Health Analytics
C.Web Security Scanner
D.VM Threat Detection
AnswerA

Event Threat Detection is a Premium SCC service that monitors Cloud Logging for malicious activity, including cryptomining.

Why this answer

Event Threat Detection detects threats such as cryptomining, malware, brute-force SSH and anomalous IAM grants from audit, VPC Flow and DNS logs. It is a Premium-tier service, so an organization on Standard has to upgrade to use it. Security Health Analytics finds misconfigurations, not active threats, and Web Security Scanner tests web applications.

VM Threat Detection is also Premium, but it looks for cryptomining inside VM memory rather than in IAM activity, so it covers only half the requirement.

60
Multi-Selectmedium

A security team wants to automatically detect anomalies in user behavior across Google Workspace and Google Cloud. Which TWO Security Command Center features can help?

Select 2 answers
A.Event Threat Detection
B.VM Threat Detection
C.Compliance monitoring (Premium tier)
D.Anomaly Detection (Standard tier)
E.Security Health Analytics
AnswersC, D

Compliance monitoring reports deviations from benchmark controls, which this item treats as a signal of anomalous behaviour.

Why this answer

The item keys on Anomaly Detection (Standard), which surfaces behaviour such as leaked service account credentials and cryptomining, and on compliance monitoring (Premium), which flags resources drifting out of CIS, PCI DSS and similar benchmarks. In practice, the SCC service built to analyse user activity across Google Workspace and Google Cloud audit logs is Event Threat Detection; the item counts it as a distractor, so keep the distinction between how the question is graded and what you would deploy.

61
MCQhard

Your company has hundreds of GKE clusters across multiple projects. You need to ensure that all clusters have Container Threat Detection enabled. Which approach is most scalable?

A.Create a new organization policy that enforces Container Threat Detection on all clusters
B.Deploy a DaemonSet that enables Container Threat Detection
C.Write a script using gcloud container clusters update with --enable-threat-detection flag
D.Manually enable Container Threat Detection in each cluster via the Cloud Console
AnswerC

Any workable approach has to be scripted or declared as code; clicking through hundreds of clusters does not scale.

Why this answer

Container Threat Detection is a Security Command Center Premium service. It is switched on at organization, folder or project level in SCC Settings (Console or the gcloud scc settings services commands), not by a per-cluster GKE flag, and once enabled SCC deploys its watcher DaemonSet to every eligible cluster automatically; you do not deploy that DaemonSet yourself. The item keys on option C because a scripted gcloud loop is the only listed approach that automates enablement across projects; in a real estate, enable the service once at the organization level and manage cluster settings with Terraform or Config Controller.

62
Multi-Selectmedium

An organization wants to detect and respond to potential data exfiltration attempts via VPC Flow Logs. They plan to export VPC Flow Logs to BigQuery for analysis. Which TWO actions should they take to enable this? (Choose TWO.)

Select 2 answers
A.Create a log sink with a filter for compute.googleapis.com/vpc_flows and destination BigQuery.
B.Set up a Cloud Function to copy logs from Cloud Logging to BigQuery.
C.Create a BigQuery view to filter VPC Flow Logs.
D.Enable Data Access logs for Compute Engine.
E.Enable VPC Flow Logs on the subnet.
AnswersA, E

A sink filtered to the vpc_flows log routes flow logs to BigQuery.

Why this answer

Two things are needed: flow logging must be turned on for each subnet whose traffic you care about (it is off by default, with sampling rate and aggregation interval you can tune), and a log sink whose filter selects the compute.googleapis.com/vpc_flows log name must route those entries to a BigQuery dataset. Sinks only forward entries written after they are created. A Cloud Function copying entries is unnecessary, a view only reshapes data already in BigQuery, and Data Access audit logs record API calls, not network traffic.
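What the analysis looks like once the flow logs are in a queryable store, as an added example rather than anything from this page: the Python below runs the two usual exfiltration checks (traffic to known-bad destinations, and unusually large outbound volume per VM and destination) over a handful of constructed VPC Flow Log entries in the shape Cloud Logging emits. The field names are the documented ones; the addresses, VM names, threat list and byte threshold are made up. In BigQuery the same logic is a GROUP BY over the exported table.

```python
"""Added example: hunt for exfiltration candidates in exported VPC Flow Logs.

Runs offline over constructed entries shaped like the jsonPayload Cloud Logging
writes for compute.googleapis.com/vpc_flows (connection.src_ip/dest_ip/dest_port,
bytes_sent, reporter and src_instance.vm_name are the documented field names).
IP addresses, VM names, the threat list and the byte threshold are made up.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges stand for "inside the VPC". ipaddress.is_global is avoided on
# purpose: it classes documentation ranges such as 203.0.113.0/24 as non-global,
# which would hide the sample's external hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

KNOWN_BAD_IPS = {"203.0.113.77"}   # constructed stand-in for a threat-intel feed
BYTES_THRESHOLD = 50_000_000       # constructed: bytes per VM/destination pair that is "too much"


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_egress(entries):
    """Sum bytes each VM sent to each external destination.

    Only records reported by the sending VM (reporter == "SRC") are counted, so a
    flow logged by both endpoints is not double counted. Returns {(vm, dest_ip): bytes}.
    """
    totals = defaultdict(int)
    for entry in entries:
        p = entry["jsonPayload"]
        if p.get("reporter") != "SRC":
            continue
        dest_ip = p["connection"]["dest_ip"]
        if not is_external(dest_ip):
            continue
        vm = p["src_instance"]["vm_name"]
        totals[(vm, dest_ip)] += int(p.get("bytes_sent", 0))  # bytes_sent is a string in the log
    return dict(totals)


def exfiltration_candidates(entries, bad_ips=KNOWN_BAD_IPS, threshold=BYTES_THRESHOLD):
    """Return sorted (vm, dest_ip, bytes, reason) tuples worth an analyst's attention."""
    findings = []
    for (vm, dest_ip), total in outbound_egress(entries).items():
        reasons = []
        if dest_ip in bad_ips:
            reasons.append("known-bad destination")
        if total > threshold:
            reasons.append(f"volume {total} B exceeds {threshold} B")
        if reasons:
            findings.append((vm, dest_ip, total, "; ".join(reasons)))
    return sorted(findings)


def flow(vm, src_ip, dest_ip, dest_port, bytes_sent, reporter="SRC"):
    """One constructed log entry in VPC Flow Log shape."""
    return {
        "logName": "projects/example-project/logs/compute.googleapis.com%2Fvpc_flows",
        "resource": {"type": "gce_subnetwork"},
        "jsonPayload": {
            "connection": {"src_ip": src_ip, "src_port": 51000, "dest_ip": dest_ip,
                           "dest_port": dest_port, "protocol": 6},
            "bytes_sent": str(bytes_sent),
            "packets_sent": "100",
            "reporter": reporter,
            "src_instance": {"project_id": "example-project", "vm_name": vm,
                             "zone": "us-central1-a", "region": "us-central1"},
        },
    }


# Constructed sample: a web server beaconing to a bad IP, a database host pushing 70 MB out.
SAMPLE_ENTRIES = [
    flow("web-1", "10.0.0.2", "10.0.0.5", 5432, 80_000_000),          # internal, ignored
    flow("web-1", "10.0.0.2", "203.0.113.77", 443, 1_200),            # known-bad destination
    flow("web-1", "10.0.0.2", "203.0.113.77", 443, 1_200, "DEST"),    # same flow seen by the other side
    flow("db-1", "10.0.0.5", "198.51.100.10", 443, 30_000_000),
    flow("db-1", "10.0.0.5", "198.51.100.10", 443, 40_000_000),       # 70 MB to one host in total
    flow("db-1", "10.0.0.5", "198.51.100.20", 443, 1_000),            # small, benign
]

if __name__ == "__main__":
    for finding in exfiltration_candidates(SAMPLE_ENTRIES):
        print(finding)
```

Volume thresholds should be set per workload class (a backup host legitimately moves more than a web tier), and the known-bad list is where a Chronicle reference list or a threat-intel feed would plug in.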

63
MCQmedium

An organization wants to use Security Command Center to detect misconfigurations in their Google Cloud resources. They need a service that can automatically check for common security issues like open firewall ports and IAM policy violations. Which SCC feature should they enable?

A.Anomaly Detection
B.Event Threat Detection
C.Security Health Analytics
D.Web Security Scanner
AnswerC

SHA automatically scans resources for misconfigurations.

Why this answer

Security Health Analytics (SHA) is the SCC built-in scanner that checks for misconfigurations such as open firewall ports, overly permissive IAM roles, and other security best practices. Web Security Scanner targets web app vulnerabilities. Event Threat Detection is for threat detection.

Anomaly Detection identifies unusual behavior.

64
MCQeasy

A security analyst needs to investigate a potential breach in a Compute Engine instance. They want to create an offline forensic copy of the disk without affecting the running instance. Which action should they take?

A.Create an image from the disk while the instance is running.
B.Use the gcloud compute disks copy command to replicate the disk.
C.Attach a new blank disk to the instance and use dd to clone the data.
D.Stop the instance and create a snapshot of the boot disk.
AnswerD

A snapshot is the point-in-time copy that forensics needs; among the options only D produces one.

Why this answer

A persistent-disk snapshot is taken by the infrastructure, not by code on the compromised guest, and a disk created from it can be attached read-only to a clean analysis VM. Stopping the instance first yields a fully consistent filesystem but discards memory and is a visible change; if the instance must stay up, the snapshot can also be taken while it runs, at the cost of being crash-consistent. Option B names a command that does not exist (cloning is done by creating a disk from a snapshot, an image or another disk). Option C runs dd inside the compromised operating system and writes to the instance, which both trusts the attacker's environment and alters the evidence. Option A is possible (an image can be forced from a disk on a running instance), but images are deployment artifacts, not evidence containers, and the forced image is no more consistent than a snapshot.

65
MCQeasy

Which Security Command Center (SCC) tier provides built-in compliance monitoring for standards like CIS and PCI DSS?

A.Neither; compliance monitoring is part of Cloud Audit Logs
B.Both Standard and Premium
C.Premium tier
D.Standard tier
AnswerC

Premium tier includes compliance monitoring for standards like CIS, PCI DSS, and others.

Why this answer

Compliance monitoring is a feature of SCC Premium tier. Standard tier includes Security Health Analytics but not compliance monitoring. Event Threat Detection is also Premium.

66
MCQmedium

A security team wants to analyze VPC Flow Logs to investigate a potential data exfiltration incident. The logs are currently stored in Cloud Logging. What is the MOST efficient method to query and visualize the network traffic patterns?

A.Use Log Analytics in Cloud Logging with SQL queries
B.Enable VPC Flow Logs on a new VM and capture traffic
C.Export logs to Cloud Storage and analyze with a local tool
D.Create a log sink to BigQuery and use BigQuery for analysis
AnswerA

Log Analytics allows SQL queries on logs stored in Logging buckets, enabling analysis without export.

Why this answer

Log Analytics in Cloud Logging runs BigQuery SQL directly over an upgraded log bucket, so the flow records can be aggregated by source, destination and bytes, charted and pivoted without building a sink first. The bucket must be upgraded to use Log Analytics. A BigQuery sink (option D) is the right design for large or recurring analysis and for joining with other datasets, but it receives only entries written after the sink exists, which does not help an investigation of logs already in Logging. Exporting to Cloud Storage for a local tool is slow, and option B captures new traffic rather than the incident's traffic.

67
Multi-Selectmedium

An organization wants to use Web Security Scanner to find vulnerabilities in their web application. Which TWO finding types can Web Security Scanner detect?

Select 2 answers
A.Cross-site scripting (XSS)
B.Insecure deserialization
C.Server-side request forgery (SSRF)
D.Outdated libraries
E.SQL injection
AnswersA, D

Web Security Scanner detects XSS vulnerabilities.

Why this answer

The classic Web Security Scanner detector set covers cross-site scripting, Flash injection, mixed content, clear-text password fields, insecure or outdated JavaScript libraries and security-header problems, which is the basis for this item's A and D. The finding-type reference for Web Security Scanner has since added SQL_INJECTION, SERVER_SIDE_REQUEST_FORGERY and STRUTS_INSECURE_DESERIALIZATION, so treat "not SQL injection or SSRF" as describing the original detectors and check the current finding-type list in the Security Command Center documentation for what your tier and scan type report today.

68
MCQhard

A company uses Chronicle as their SIEM. They need to ingest logs from an on-premises firewall that does not support direct integration with Chronicle. What is the recommended approach to ingest these logs?

A.Use the firewall's syslog capabilities to send logs directly to a Chronicle endpoint.
B.Export firewall logs to Cloud Storage and then create a BigQuery external table for Chronicle.
C.Use a Cloud Function to pull logs from the firewall and push them to Chronicle via API.
D.Install a Chronicle forwarder on a local server to collect and forward logs to Chronicle.
AnswerD

The forwarder is the standard way to ingest third-party logs.

Why this answer

Chronicle provides a forwarder, distributed as a Docker image for Linux and Windows hosts, that you run on-premises or in a VM to collect logs over syslog, from files or through other collectors and ship them to your Chronicle tenant. The forwarder transports raw logs tagged with a log type; parsing and normalization into UDM happen in Chronicle, not on the forwarder. A BigQuery external table is not an ingestion path, and a Cloud Function pulling from an on-premises firewall adds network exposure and a custom component where a supported agent already exists.

69
MCQmedium

A security team wants to use Web Security Scanner to find vulnerabilities in their web application hosted on Compute Engine. They need to scan the public-facing URL weekly and receive a report of findings. Which configuration is required?

A.Install the Web Security Scanner agent on the VM
B.Create a managed scan in Security Command Center with the target URL and schedule
C.Use gcloud compute instances scan command
D.Deploy the application to App Engine, then enable Web Security Scanner
AnswerB

Managed scans in SCC let you set a target URL and a schedule.

Why this answer

Web Security Scanner needs a scan configuration in Security Command Center with the starting URL; scans can run on a recurring schedule and findings are written to SCC. There is no agent to install and no gcloud compute scan command. The application does not have to run on App Engine, but the URL must point at a resource in your own project (App Engine, Compute Engine or GKE with a public IP); Web Security Scanner does not scan arbitrary third-party URLs.

The scan is run by Google Cloud and reports findings to SCC. Because it submits real input to the application, run it against a test deployment or expect side effects such as test records and triggered emails.

70
Multi-Selecthard

An incident responder needs to collect forensic evidence from a compromised Compute Engine instance for later analysis. They want to preserve disk state and network logs. Which THREE actions should they take?

Select 3 answers
A.Export and analyze VPC Flow Logs for the instance's network traffic.
B.Delete the instance to stop billing.
C.Create a snapshot of the boot disk.
D.Power off the instance to prevent further compromise.
E.Isolate the instance by applying a firewall rule that blocks all traffic except from a forensic workstation.
AnswersA, C, E

Flow logs provide the network evidence, the snapshot preserves the disk, and isolation stops the attacker without destroying state.

Why this answer

A disk snapshot captures the full block device, including unallocated blocks where deleted files may still be recoverable. VPC Flow Logs (if enabled on the subnet) show which hosts the instance talked to and how much data moved; export them before retention expires. Isolating the instance with a firewall rule, or a dedicated network tag that denies everything except the forensic workstation, contains the incident while keeping the machine and its memory available for live acquisition.

Powering off discards memory and running processes and may trigger attacker cleanup logic; deleting the instance destroys evidence (and, if auto-delete is set, the boot disk with it).

71
MCQhard

During a security incident, a forensics team needs to capture a disk snapshot of a compromised Compute Engine instance for analysis. They want to ensure the snapshot is consistent and includes data in memory. Which step should be taken before taking the snapshot?

A.Take a snapshot while the instance is running; consistency is automatic
B.Enable VPC Flow Logs on the network
C.Stop the instance before taking the snapshot
D.Create an image from the disk first
AnswerC

Stopping the instance gives a consistent disk image; a snapshot of a running disk is only crash-consistent. Neither captures memory.

Why this answer

Stopping the instance flushes and unmounts the filesystems, so the snapshot taken afterwards is fully consistent; a snapshot taken while the instance runs is crash-consistent, which is usually fine for forensics but can leave journals and databases mid-write. A disk snapshot never includes RAM: if memory is needed, acquire it first while the instance is still running (for example with LiME on Linux or a Windows memory-acquisition tool) and only then stop the instance and snapshot the disk. Enabling flow logs and creating an image do not address consistency.

72
Multi-Selectmedium

A company is using Security Command Center (SCC) Premium tier and wants to automatically remediate certain high-severity findings. Which two services can be used together to achieve this? (Choose two.)

Select 2 answers
A.Pub/Sub
B.Dataflow
C.Cloud Scheduler
D.Cloud IAM
E.Cloud Functions
AnswersA, E

SCC publishes findings to Pub/Sub, which triggers Cloud Functions.

Why this answer

An SCC notification config publishes matching findings to a Pub/Sub topic, and a Cloud Function (or Cloud Run service) subscribed to that topic performs the remediation, such as tagging a VM or tightening a firewall rule. Pub/Sub delivery is at-least-once, so the function must be idempotent, and its service account should hold only the permissions the remediation needs. Cloud Scheduler drives cron-style polling, not event-driven response.

Dataflow is for data processing. IAM is for access control.

73
MCQhard

A security engineer needs to implement a logging pipeline that sends real-time Cloud Audit Logs to a third-party SIEM. They must ensure that if the SIEM is unavailable, logs are not lost. Which approach should they use?

A.Create a log sink that writes to a Pub/Sub topic, and use a subscription with a dead letter topic.
B.Configure a Cloud Run service to pull logs from Cloud Logging API and forward to SIEM.
C.Export logs to Cloud Storage via a sink, and have the SIEM ingest from there.
D.Use a log sink to BigQuery and have the SIEM query BigQuery periodically.
AnswerA

Pub/Sub buffers undelivered messages and retries them; the dead-letter topic catches the ones that keep failing, so nothing is silently dropped.

Why this answer

With a log sink into a Pub/Sub topic, messages the SIEM does not acknowledge stay in the subscription and are redelivered until the message retention period (7 days by default, up to 31) expires, so an outage of hours loses nothing. A dead-letter topic with a maximum delivery attempts setting moves persistently failing messages aside for inspection and replay instead of blocking the backlog. A Cloud Storage sink also never loses data but delivers in hourly batches, so it is not real time; BigQuery is a warehouse, not a streaming feed; and a custom Cloud Run poller against the Logging API has to manage its own cursors and retry state.

74
MCQmedium

A security team needs to automatically respond to high-severity vulnerability findings in Security Command Center. They want to trigger a Cloud Function that quarantines the affected VM. What is the recommended way to connect SCC findings to Cloud Functions?

A.Use Cloud Scheduler to poll SCC API every minute and invoke Cloud Function.
B.Configure Cloud Logging to capture SCC findings and create a log-based metric with an alert that triggers Cloud Function.
C.Create a SCC notification config that sends findings to a Pub/Sub topic, and set up a Cloud Function to subscribe to that topic.
D.Export SCC findings to BigQuery and set up a BigQuery scheduled query to trigger Cloud Function.
AnswerC

This is the real-time, event-driven approach.

Why this answer

An SCC notification config filters findings (for example on severity and state) and publishes matches to a Pub/Sub topic; a Cloud Function subscribed to that topic runs the quarantine logic, such as adding a network tag that a deny-all firewall rule targets. Polling the API, log-based metrics with alerting and scheduled BigQuery queries all add latency and moving parts. Keep the function idempotent, since Pub/Sub may deliver a finding more than once, and scope its service account to the instance-tagging permissions it actually needs.
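The finding-to-remediation path of questions 52, 72 and 74, as an added example that is not code from this page or from Google: a Pub/Sub-triggered Cloud Function that decodes an SCC notification, decides whether the finding warrants quarantine and computes the idempotent tag change. The SCC field names (finding.severity, finding.state, finding.resourceName, finding.findingClass) are real; the organization, source, project and instance names and the "quarantine" tag are assumptions, and the Compute Engine call is injected as a callable so the decision logic runs offline.

```python
"""Added example: a Pub/Sub-triggered Cloud Function that turns an SCC finding
into a quarantine action.

Decodes the Pub/Sub message, parses the Security Command Center
NotificationMessage and decides whether to tag the affected VM. The Compute
Engine call is injected as `set_tags`; organization, source, project and
instance names and the quarantine tag are made up.
"""
import base64
import json
import re

ACTIONABLE_SEVERITIES = {"CRITICAL", "HIGH"}
ACTIONABLE_CLASSES = {"THREAT", "VULNERABILITY"}
QUARANTINE_TAG = "quarantine"   # assumption: a deny-all firewall rule targets this tag

# Resource name format SCC uses for Compute Engine instances.
INSTANCE_RE = re.compile(
    r"^//compute\.googleapis\.com/projects/([^/]+)/zones/([^/]+)/instances/([^/]+)$")


def decode_notification(pubsub_message: dict) -> dict:
    """Pub/Sub delivers the payload base64-encoded in 'data'; it holds SCC's JSON."""
    return json.loads(base64.b64decode(pubsub_message["data"]).decode("utf-8"))


def parse_instance(resource_name):
    """Return (project, zone, instance) for a Compute Engine resource name, else None."""
    m = INSTANCE_RE.match(resource_name or "")
    return m.groups() if m else None


def plan_remediation(notification: dict):
    """Decide what to do with one finding; returns an action dict or None."""
    finding = notification.get("finding", {})
    if finding.get("state") != "ACTIVE":
        return None                       # resolved findings need no action
    if finding.get("severity") not in ACTIONABLE_SEVERITIES:
        return None
    if finding.get("findingClass", "THREAT") not in ACTIONABLE_CLASSES:
        return None                       # e.g. OBSERVATION or MISCONFIGURATION
    target = parse_instance(finding.get("resourceName"))
    if target is None:
        return {"action": "escalate", "finding": finding.get("name"),
                "reason": "resource is not a Compute Engine instance"}
    project, zone, instance = target
    return {"action": "quarantine", "finding": finding.get("name"),
            "project": project, "zone": zone, "instance": instance, "tag": QUARANTINE_TAG}


def merged_tags(existing_tags, tag):
    """instances.setTags replaces the whole tag list, so build it as a set union:
    applying it twice (Pub/Sub is at-least-once) gives the same result."""
    return sorted(set(existing_tags) | {tag})


def handle(event: dict, context=None, set_tags=None):
    """Cloud Functions entry point for a Pub/Sub trigger.

    set_tags(project, zone, instance, tag) performs the real change; in production it
    would read the instance, call merged_tags() and submit compute.instances.setTags
    together with the instance's current tags fingerprint.
    """
    plan = plan_remediation(decode_notification(event))
    if plan and plan["action"] == "quarantine" and set_tags is not None:
        set_tags(plan["project"], plan["zone"], plan["instance"], plan["tag"])
    return plan


def encode(notification: dict) -> dict:
    """Wrap an SCC notification the way Pub/Sub hands it to the function (constructed)."""
    return {"data": base64.b64encode(json.dumps(notification).encode()).decode(), "attributes": {}}


# Constructed Event Threat Detection finding against a VM.
SAMPLE_NOTIFICATION = {
    "notificationConfigName": "organizations/123456789012/notificationConfigs/high-threats",
    "finding": {
        "name": "organizations/123456789012/sources/5678/findings/abc123",
        "resourceName": "//compute.googleapis.com/projects/example-project/zones/us-central1-a/instances/web-1",
        "state": "ACTIVE",
        "category": "Malware: Bad IP",
        "severity": "HIGH",
        "findingClass": "THREAT",
    },
}

if __name__ == "__main__":
    print(handle(encode(SAMPLE_NOTIFICATION), set_tags=lambda *args: print("setTags", args)))
```

The function's service account needs compute.instances.setTags (plus get) on the target projects and nothing else; grant it through a custom role rather than compute.instanceAdmin, so a bug or a poisoned finding cannot do more than tag an instance.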

75
MCQmedium

A company wants to enforce that all GKE clusters in their organization use Binary Authorization with a specific attestor. They have multiple projects and want to set this policy centrally. Which approach should they use?

A.Use the organization policy service to set a constraint that requires Binary Authorization enforcement across all projects.
B.Create a Binary Authorization policy in each project and use a script to apply it.
C.Create a shared VPC and enable Binary Authorization on the host project.
D.Use Deployment Manager to deploy Binary Authorization configuration to all projects.
AnswerA

Organization policy constraints can make Binary Authorization enforcement mandatory across an organization.

Why this answer

Organization policies are evaluated at organization, folder and project level, which is why a constraint is the central lever here; the alternatives script per-project changes (B, D) or misapply Shared VPC, which has nothing to do with admission control (C). A constraint can require that Binary Authorization is enforced, but the attestors and rules themselves remain in each project's Binary Authorization policy, set through the Binary Authorization API or Terraform. The item names the constraint 'constraints/gcp.restrictBinaryAuthorizationPolicy'; check that name against the current Organization Policy constraints reference before relying on it, since for Cloud Run the documented control is constraints/run.allowedBinaryAuthorizationPolicies.
