A set of practice questions and answers designed to help individuals prepare for the Google Cloud Platform (GCP) security certification exam. It covers key areas such as identity and access management, network security, data protection, and security monitoring. Each question is accompanied by a short explanation to aid understanding and retention. The practice exam focuses on mitigating security vulnerabilities and implementing best practices within the GCP environment, making it a useful resource for those seeking to validate their expertise in cloud security.
Typology: Exams
Question 1. Which component of the Google Cloud shared responsibility model is the customer's primary responsibility?
A) Physical security of data centers
B) Hypervisor patching
C) Identity and access management for resources
D) Network backbone maintenance
Answer: C
Explanation: Customers must manage IAM policies, roles, and permissions for their resources, while Google secures the underlying infrastructure.

Question 2. In a defense-in-depth strategy on GCP, which layer should enforce least-privilege network access?
A) Application code
B) VPC firewall rules
C) Cloud IAM policies
D) Data encryption keys
Answer: B
Explanation: VPC firewall rules provide network-level segmentation, limiting traffic before it reaches services.

Question 3. Which Google architecture principle aligns with a Zero Trust model?
A) Perimeter-based security
B) Implicit trust for internal traffic
C) Verify every request, regardless of origin
D) Rely on static IP allowlists
Answer: C
Explanation: Zero Trust requires continuous verification of identity, device, and context for every request.

Question 4. To enforce that all new projects must reside in the "us-central1" region, which tool should you use?
A) VPC Service Controls
B) Organization Policy constraint constraints/compute.requireOsLogin
C) Organization Policy constraint constraints/gcp.resourceLocations
D) Cloud Scheduler
Answer: C
Explanation: The constraints/gcp.resourceLocations policy limits resource locations across the organization.

Question 5. Which feature helps you troubleshoot why a specific IAM permission was denied?
A) Policy Analyzer
B) Policy Troubleshooter
C) Cloud Asset Inventory
D) Cloud DNS
Answer: B
Explanation: Policy Troubleshooter evaluates the effective permissions for a principal on a resource and explains denials.

Question 6. When creating a hierarchical firewall policy, where should it be attached to affect all projects in a folder?
A) At each individual VM network tag
B) On the organization node

C) HTTP GET flood (Layer 7)
D) ICMP ping flood (Layer 3)
Answer: C
Explanation: Layer 7 attacks overwhelm web servers with legitimate-looking HTTP requests.

Question 10. In Cloud Armor, which expression blocks requests from a specific country?
A) origin.ip == "203.0.113.0"
B) request.path.matches("/admin")
C) request.headers["User-Agent"].contains("bot")
D) origin.region_code == "CN"
Answer: D
Explanation: The origin.region_code field identifies the requester's country code.

Question 11. Which GCP product creates a security perimeter around Cloud Storage buckets containing sensitive data?
A) VPC Service Controls
B) Cloud Armor
C) Cloud DNS
D) Cloud Interconnect
Answer: A
Explanation: VPC Service Controls protect against data exfiltration by defining service perimeters.

Question 12. What is the primary benefit of using Cloud NAT for egress traffic?
A) Encrypts outbound traffic with TLS
B) Provides static public IPs for all VMs
C) Allows VMs without external IPs to reach the internet securely
D) Blocks inbound traffic to VMs
Answer: C
Explanation: Cloud NAT translates internal IPs to external ones, enabling outbound internet access while keeping VMs private.

Question 13. Which encryption method is applied by default to data stored in Cloud BigQuery?
A) Customer-Managed Encryption Keys (CMEK) only
B) Customer-Supplied Encryption Keys (CSEK) only
C) Google-managed default encryption
D) No encryption unless configured
Answer: C
Explanation: All GCP storage services, including BigQuery, are encrypted at rest with Google-managed keys by default.

Question 14. To use a customer-managed key for a Cloud Storage bucket, which API must you enable?
A) Cloud KMS API
B) Cloud IAM API
C) Cloud DNS API
D) Cloud Scheduler API
Answer: A
Explanation: Cloud KMS provides the CMEK that can be attached to a bucket for encryption.

Question 15. Which key rotation strategy minimizes service disruption?

Question 18. When configuring a DLP inspection template, which InfoType would you select to detect U.S. Social Security Numbers?
A) US_TAX_ID
B) US_SSN
C) PERSON_NAME
D) FINANCIAL_ACCOUNT_NUMBER
Answer: B
Explanation: The US_SSN InfoType is designed to locate Social Security Numbers.

Question 19. Which feature of Secret Manager ensures that a secret version cannot be accessed after a certain date?
A) Automatic rotation
B) IAM deny policy
C) Expiration time on secret version
D) Replication to multiple regions
Answer: C
Explanation: Secret versions can be set with an expiration timestamp, after which they become inaccessible.

Question 20. Which Cloud Audit Log type records changes made via the Cloud Console, CLI, or API?
A) Data Access logs
B) System Event logs
C) Admin Activity logs
D) Access Transparency logs
Answer: C
Explanation: Admin Activity logs capture all administrative actions across GCP services.

Question 21. To retain Cloud Audit logs for 365 days, which resource must you configure?
A) Log bucket with a retention policy
B) IAM policy on the project
C) Cloud Scheduler job
D) Cloud Armor security policy
Answer: A
Explanation: Log buckets can be set with a custom retention period for stored logs.

Question 22. Which destination is NOT supported for a Cloud Logging sink?
A) BigQuery dataset
B) Cloud Pub/Sub topic
C) Cloud Storage bucket
D) Cloud Functions runtime
Answer: D
Explanation: Sinks can export to BigQuery, Pub/Sub, or Cloud Storage, but not directly to Cloud Functions.

Question 23. In Security Command Center Standard tier, which finding type is automatically generated?
A) Vulnerability findings from Container Analysis
B) Misconfiguration findings from Security Health Analytics
C) Threat intelligence from Mandiant
D) Penetration test results
Answer: B

D) Cloud Build webhook
Answer: B
Explanation: SCC can publish findings to Pub/Sub; a function subscribed to that topic can act on them.

Question 27. Which Shielded VM feature verifies the integrity of the bootloader at startup?
A) vTPM
B) Secure Boot
C) Integrity Monitoring
D) Confidential VM
Answer: B
Explanation: Secure Boot checks the bootloader and firmware signatures before allowing boot.

Question 28. How does OS Patch Management in GCP apply updates to Compute Engine instances?
A) By reinstalling the OS image
B) Using OS Config agent to apply patches on schedule
C) Through manual SSH commands only
D) By migrating workloads to a patched instance group
Answer: B
Explanation: OS Config's patching service installs updates automatically based on defined policies.

Question 29. Which method provides secure remote access to a VM without exposing SSH ports to the internet?
A) Cloud VPN
B) Identity-Aware Proxy (IAP) TCP forwarding
C) VPC firewall rule allowing 0.0.0.0/0 on port 22
D) Cloud NAT
Answer: B
Explanation: IAP TCP forwarding tunnels SSH over HTTPS, eliminating the need for public SSH ports.

Question 30. Which Artifact Registry feature scans container images for known CVEs?
A) Binary Authorization
B) Artifact Analysis (Vulnerability Scanning)
C) Cloud Build
D) Cloud Run
Answer: B
Explanation: Artifact Analysis automatically scans images stored in Artifact Registry for vulnerabilities.

Question 31. What does Binary Authorization enforce before a container image runs on GKE?
A) Image size limit
B) Signature verification against an attestation authority
C) Automatic vulnerability patching
D) Runtime resource quotas
Answer: B
Explanation: Binary Authorization requires images to have valid attestations (signatures) before deployment.

Explanation: Confidential GKE Nodes use AMD SEV to encrypt VM memory, protecting data in use.

Question 35. Which Cloud Armor rule helps mitigate credential stuffing attacks?
A) Rate limiting based on client IP
B) Blocking all traffic from a specific ASN
C) Allowing only GET requests
D) Enabling HTTP/2 only
Answer: A
Explanation: Rate limiting caps the number of login attempts per IP, reducing automated credential stuffing.

Question 36. reCAPTCHA Enterprise primarily protects against which threat?
A) Data exfiltration
B) DDoS volumetric attacks
C) Automated bot traffic and fraud
D) Insider threats
Answer: C
Explanation: reCAPTCHA Enterprise distinguishes human users from bots, preventing automated abuse.

Question 37. Which organization policy constraint can prevent the creation of external IP addresses on VM instances?
A) constraints/compute.requireOsLogin
B) constraints/compute.vmExternalIpAccess
C) constraints/compute.disableSerialPortAccess
D) constraints/compute.restrictVpcPeering
Answer: B
Explanation: The compute.vmExternalIpAccess constraint disables allocation of external IPs for VMs.

Question 38. What does the Policy Analyzer tool help you determine?
A) Real-time network latency
B) Overlap and conflicts between multiple organization policies
C) Cost estimation for new projects
D) Encryption key usage statistics
Answer: B
Explanation: Policy Analyzer evaluates effective policies across the hierarchy and highlights conflicts.

Question 39. Which VPC feature allows you to create a peered connection between two VPC networks without using the public internet?
A) Cloud Router
B) VPC Peering
C) Cloud Interconnect
D) Cloud NAT
Answer: B
Explanation: VPC Peering establishes a private, direct link between two VPCs.

Question 40. Which Cloud Armor security policy action blocks traffic and returns a custom response code?
A) allow

Question 43. Which IAM role grants read-only access to view all Security Command Center findings?
A) roles/securitycenter.admin
B) roles/securitycenter.viewer
C) roles/owner
D) roles/logging.viewer
Answer: B
Explanation: The securitycenter.viewer role provides read-only access to SCC resources.

Question 44. Which log type would you enable to capture read operations on Cloud Storage objects?
A) Admin Activity logs
B) System Event logs
C) Data Access logs
D) Audit Logging for IAM
Answer: C
Explanation: Data Access logs record read/write operations on data resources like Cloud Storage objects.

Question 45. Which of the following is a best practice for managing service-account keys?
A) Store keys in plain text on developer laptops
B) Rotate keys every 90 days and use IAM to limit usage
C) Share a single key across all services
D) Disable IAM policies for service accounts
Answer: B
Explanation: Regular rotation and the principle of least privilege limit exposure if a key is compromised.

Question 46. What does the gcloud compute firewall-rules create command with --direction=INGRESS do?
A) Blocks outbound traffic from a VPC
B) Allows inbound traffic to matching instances
C) Creates a VPN tunnel
D) Enables Cloud NAT
Answer: B
Explanation: An ingress firewall rule controls traffic entering instances in the VPC.

Question 47. Which Cloud Armor feature provides automatic protection against known bad IPs?
A) Rate limiting
B) Preconfigured WAF rules
C) Bot management
D) IP allowlist only
Answer: B
Explanation: Preconfigured WAF rules include IP reputation lists that block known malicious sources.

Question 48. Which resource type is NOT directly protected by VPC Service Controls?
A) BigQuery datasets
B) Cloud Storage buckets
C) Compute Engine VM instances

B) Cloud Storage (nearline)
C) BigQuery dataset
D) Cloud Functions
Answer: C
Explanation: Exporting logs to BigQuery enables powerful SQL-based analysis over large datasets.

Question 52. Which Cloud Armor policy action can be used to throttle abusive clients without completely blocking them?
A) deny(403)
B) allow
C) rate_based_ban
D) redirect
Answer: C
Explanation: rate_based_ban temporarily bans clients that exceed a request threshold.

Question 53. Which Cloud KMS feature lets you delegate decryption rights to a service account without exposing the key material?
A) Key version export
B) IAM policy binding on the key
C) Key rotation schedule
D) External key manager integration
Answer: B
Explanation: Assigning IAM roles (e.g., cloudkms.cryptoKeyDecrypter) to a service account permits decryption without revealing the key.

Question 54. Which GCP service provides a managed, serverless environment for running container images without managing nodes?
A) Cloud Run
B) App Engine Standard
C) Compute Engine
D) Kubernetes Engine (Autopilot)
Answer: A
Explanation: Cloud Run runs stateless containers on a fully managed platform.

Question 55. Which IAM condition can you use to restrict a service account to act only within a specific project?
A) resource.name.startsWith('projects/PROJECT_ID')
B) request.time < timestamp('2025-01-01')
C) principal.type == 'user'
D) resource.type == 'compute.googleapis.com/Instance'
Answer: A
Explanation: The condition checks the resource's project prefix, limiting actions to that project.

Question 56. Which Cloud Armor configuration is best suited to block HTTP requests with the header User-Agent: BadBot?
A) Rate limiting rule on IP address
B) Preconfigured WAF rule for SQL injection
C) Custom rule with expression request.headers['User-Agent'].contains('BadBot') set to deny(403)
D) Network firewall rule blocking port 80
Answer: C