Google Cloud Platform Security Certification Practice Exam, Exams of Technology

A set of practice questions and answers designed to help individuals prepare for the Google Cloud Platform (GCP) security certification exam. It covers key areas such as identity and access management, network security, data protection, and security monitoring. Each question is accompanied by a detailed explanation to enhance understanding and retention. The practice exam focuses on mitigating security vulnerabilities and implementing best practices within the GCP environment, making it a valuable resource for those seeking to validate their expertise in cloud security.

Typology: Exams

2025/2026

Available from 12/20/2025

shilpi-jain-1

Mitigating Security Vulnerabilities on Google Cloud Platform Certificate Practice Exam
**Question 1.** Which component of the Google Cloud shared responsibility model is the
customer's primary responsibility?
A) Physical security of data centers
B) Hypervisor patching
C) Identity and access management for resources
D) Network backbone maintenance
Answer: C
Explanation: Customers must manage IAM policies, roles, and permissions for their resources,
while Google secures the underlying infrastructure.
**Question 2.** In a defense-in-depth strategy on GCP, which layer should enforce
least-privilege network access?
A) Application code
B) VPC firewall rules
C) Cloud IAM policies
D) Data encryption keys
Answer: B
Explanation: VPC firewall rules provide network-level segmentation, limiting traffic before it
reaches services.
**Question 3.** Which Google architecture principle aligns with a Zero Trust model?
A) Perimeter-based security
B) Implicit trust for internal traffic
C) Verify every request, regardless of origin
D) Rely on static IP allowlists
Answer: C

Explanation: Zero Trust requires continuous verification of identity, device, and context for every request.
**Question 4.** To enforce that all new projects must reside in the “us-central1” region, which tool should you use?
A) VPC Service Controls
B) Organization Policy constraint constraints/compute.requireOsLogin
C) Organization Policy constraint constraints/gcp.resourceLocations
D) Cloud Scheduler
Answer: C
Explanation: The constraints/gcp.resourceLocations policy limits resource locations across the organization.
**Question 5.** Which feature helps you troubleshoot why a specific IAM permission was denied?
A) Policy Analyzer
B) Policy Troubleshooter
C) Cloud Asset Inventory
D) Cloud DNS
Answer: B
Explanation: Policy Troubleshooter evaluates the effective permissions for a principal on a resource and explains denials.
**Question 6.** When creating a hierarchical firewall policy, where should it be attached to affect all projects in a folder?
A) At each individual VM network tag
B) On the organization node

C) HTTP GET flood (Layer 7)
D) ICMP ping flood (Layer 3)
Answer: C
Explanation: Layer 7 attacks overwhelm web servers with legitimate-looking HTTP requests.
**Question 10.** In Cloud Armor, which expression blocks requests from a specific country?
A) origin.ip == "203.0.113.0"
B) request.path.matches("/admin")
C) request.headers["User-Agent"].contains("bot")
D) origin.region_code == "CN"
Answer: D
Explanation: The origin.region_code field identifies the requester's country code.
**Question 11.** Which GCP product creates a security perimeter around Cloud Storage buckets containing sensitive data?
A) VPC Service Controls
B) Cloud Armor
C) Cloud DNS
D) Cloud Interconnect
Answer: A
Explanation: VPC Service Controls protect against data exfiltration by defining service perimeters.
**Question 12.** What is the primary benefit of using Cloud NAT for egress traffic?
A) Encrypts outbound traffic with TLS
B) Provides static public IPs for all VMs

C) Allows VMs without external IPs to reach the internet securely
D) Blocks inbound traffic to VMs
Answer: C
Explanation: Cloud NAT translates internal IPs to external ones, enabling outbound internet access while keeping VMs private.
**Question 13.** Which encryption method is applied by default to data stored in Cloud BigQuery?
A) Customer-Managed Encryption Keys (CMEK) only
B) Customer-Supplied Encryption Keys (CSEK) only
C) Google-managed default encryption
D) No encryption unless configured
Answer: C
Explanation: All GCP storage services, including BigQuery, are encrypted at rest with Google-managed keys by default.
**Question 14.** To use a customer-managed key for a Cloud Storage bucket, which API must you enable?
A) Cloud KMS API
B) Cloud IAM API
C) Cloud DNS API
D) Cloud Scheduler API
Answer: A
Explanation: Cloud KMS provides the CMEK that can be attached to a bucket for encryption.
**Question 15.** Which key rotation strategy minimizes service disruption?

**Question 18.** When configuring a DLP inspection template, which InfoType would you select to detect U.S. Social Security Numbers?
A) US_TAX_ID
B) US_SSN
C) PERSON_NAME
D) FINANCIAL_ACCOUNT_NUMBER
Answer: B
Explanation: The US_SSN InfoType is designed to locate Social Security Numbers.
**Question 19.** Which feature of Secret Manager ensures that a secret version cannot be accessed after a certain date?
A) Automatic rotation
B) IAM deny policy
C) Expiration time on secret version
D) Replication to multiple regions
Answer: C
Explanation: Secret versions can be set with an expiration timestamp, after which they become inaccessible.
**Question 20.** Which Cloud Audit Log type records changes made via the Cloud Console, CLI, or API?
A) Data Access logs
B) System Event logs
C) Admin Activity logs
D) Access Transparency logs
Answer: C

Explanation: Admin Activity logs capture all administrative actions across GCP services.
**Question 21.** To retain Cloud Audit logs for 365 days, which resource must you configure?
A) Log bucket with a retention policy
B) IAM policy on the project
C) Cloud Scheduler job
D) Cloud Armor security policy
Answer: A
Explanation: Log buckets can be set with a custom retention period for stored logs.
**Question 22.** Which destination is NOT supported for a Cloud Logging sink?
A) BigQuery dataset
B) Cloud Pub/Sub topic
C) Cloud Storage bucket
D) Cloud Functions runtime
Answer: D
Explanation: Sinks can export to BigQuery, Pub/Sub, or Cloud Storage, but not directly to Cloud Functions.
**Question 23.** In Security Command Center Standard tier, which finding type is automatically generated?
A) Vulnerability findings from Container Analysis
B) Misconfiguration findings from Security Health Analytics
C) Threat intelligence from Mandiant
D) Penetration test results
Answer: B

D) Cloud Build webhook
Answer: B
Explanation: SCC can publish findings to Pub/Sub; a function subscribed to that topic can act on them.
**Question 27.** Which Shielded VM feature verifies the integrity of the bootloader at startup?
A) vTPM
B) Secure Boot
C) Integrity Monitoring
D) Confidential VM
Answer: B
Explanation: Secure Boot checks the bootloader and firmware signatures before allowing boot.
**Question 28.** How does OS Patch Management in GCP apply updates to Compute Engine instances?
A) By reinstalling the OS image
B) Using OS Config agent to apply patches on schedule
C) Through manual SSH commands only
D) By migrating workloads to a patched instance group
Answer: B
Explanation: OS Config's patching service installs updates automatically based on defined policies.
**Question 29.** Which method provides secure remote access to a VM without exposing SSH ports to the internet?
A) Cloud VPN

B) Identity-Aware Proxy (IAP) TCP forwarding
C) VPC firewall rule allowing 0.0.0.0/0 on port 22
D) Cloud NAT
Answer: B
Explanation: IAP TCP forwarding tunnels SSH over HTTPS, eliminating the need for public SSH ports.
**Question 30.** Which Artifact Registry feature scans container images for known CVEs?
A) Binary Authorization
B) Artifact Analysis (Vulnerability Scanning)
C) Cloud Build
D) Cloud Run
Answer: B
Explanation: Artifact Analysis automatically scans images stored in Artifact Registry for vulnerabilities.
**Question 31.** What does Binary Authorization enforce before a container image runs on GKE?
A) Image size limit
B) Signature verification against an attestation authority
C) Automatic vulnerability patching
D) Runtime resource quotas
Answer: B
Explanation: Binary Authorization requires images to have valid attestations (signatures) before deployment.

Explanation: Confidential GKE Nodes use AMD SEV to encrypt VM memory, protecting data in use.
**Question 35.** Which Cloud Armor rule helps mitigate credential stuffing attacks?
A) Rate limiting based on client IP
B) Blocking all traffic from a specific ASN
C) Allowing only GET requests
D) Enabling HTTP/2 only
Answer: A
Explanation: Rate limiting caps the number of login attempts per IP, reducing automated credential stuffing.
**Question 36.** reCAPTCHA Enterprise primarily protects against which threat?
A) Data exfiltration
B) DDoS volumetric attacks
C) Automated bot traffic and fraud
D) Insider threats
Answer: C
Explanation: reCAPTCHA Enterprise distinguishes human users from bots, preventing automated abuse.
**Question 37.** Which organization policy constraint can prevent the creation of external IP addresses on VM instances?
A) constraints/compute.requireOsLogin
B) constraints/compute.vmExternalIpAccess
C) constraints/compute.disableSerialPortAccess

D) constraints/compute.restrictVpcPeering
Answer: B
Explanation: The compute.vmExternalIpAccess constraint disables allocation of external IPs for VMs.
**Question 38.** What does the Policy Analyzer tool help you determine?
A) Real-time network latency
B) Overlap and conflicts between multiple organization policies
C) Cost estimation for new projects
D) Encryption key usage statistics
Answer: B
Explanation: Policy Analyzer evaluates effective policies across the hierarchy and highlights conflicts.
**Question 39.** Which VPC feature allows you to create a peered connection between two VPC networks without using the public internet?
A) Cloud Router
B) VPC Peering
C) Cloud Interconnect
D) Cloud NAT
Answer: B
Explanation: VPC Peering establishes a private, direct link between two VPCs.
**Question 40.** Which Cloud Armor security policy action blocks traffic and returns a custom response code?
A) allow

**Question 43.** Which IAM role grants read-only access to view all Security Command Center findings?
A) roles/securitycenter.admin
B) roles/securitycenter.viewer
C) roles/owner
D) roles/logging.viewer
Answer: B
Explanation: The securitycenter.viewer role provides read-only access to SCC resources.
**Question 44.** Which log type would you enable to capture read operations on Cloud Storage objects?
A) Admin Activity logs
B) System Event logs
C) Data Access logs
D) Audit Logging for IAM
Answer: C
Explanation: Data Access logs record read/write operations on data resources like Cloud Storage objects.
**Question 45.** Which of the following is a best practice for managing service-account keys?
A) Store keys in plain text on developer laptops
B) Rotate keys every 90 days and use IAM to limit usage
C) Share a single key across all services
D) Disable IAM policies for service accounts
Answer: B

Explanation: Regular rotation and the principle of least privilege limit exposure if a key is compromised.
**Question 46.** What does the gcloud compute firewall-rules create command with --direction=INGRESS do?
A) Blocks outbound traffic from a VPC
B) Allows inbound traffic to matching instances
C) Creates a VPN tunnel
D) Enables Cloud NAT
Answer: B
Explanation: An ingress firewall rule controls traffic entering instances in the VPC.
**Question 47.** Which Cloud Armor feature provides automatic protection against known bad IPs?
A) Rate limiting
B) Preconfigured WAF rules
C) Bot management
D) IP allowlist only
Answer: B
Explanation: Preconfigured WAF rules include IP reputation lists that block known malicious sources.
**Question 48.** Which resource type is NOT directly protected by VPC Service Controls?
A) BigQuery datasets
B) Cloud Storage buckets
C) Compute Engine VM instances

B) Cloud Storage (nearline)
C) BigQuery dataset
D) Cloud Functions
Answer: C
Explanation: Exporting logs to BigQuery enables powerful SQL-based analysis over large datasets.
**Question 52.** Which Cloud Armor policy action can be used to throttle abusive clients without completely blocking them?
A) deny(403)
B) allow
C) rate_based_ban
D) redirect
Answer: C
Explanation: rate_based_ban temporarily bans clients that exceed a request threshold.
**Question 53.** Which Cloud KMS feature lets you delegate decryption rights to a service account without exposing the key material?
A) Key version export
B) IAM policy binding on the key
C) Key rotation schedule
D) External key manager integration
Answer: B
Explanation: Assigning IAM roles (e.g., cloudkms.cryptoKeyDecrypter) to a service account permits decryption without revealing the key.

**Question 54.** Which GCP service provides a managed, serverless environment for running container images without managing nodes?
A) Cloud Run
B) App Engine Standard
C) Compute Engine
D) Kubernetes Engine (Autopilot)
Answer: A
Explanation: Cloud Run runs stateless containers on a fully managed platform.
**Question 55.** Which IAM condition can you use to restrict a service account to act only within a specific project?
A) resource.name.startsWith('projects/PROJECT_ID')
B) request.time < timestamp('2025-01-01')
C) principal.type == 'user'
D) resource.type == 'compute.googleapis.com/Instance'
Answer: A
Explanation: The condition checks the resource's project prefix, limiting actions to that project.
**Question 56.** Which Cloud Armor configuration is best suited to block HTTP requests with the header User-Agent: BadBot?
A) Rate limiting rule on IP address
B) Preconfigured WAF rule for SQL injection
C) Custom rule with expression request.headers['User-Agent'].contains('BadBot') set to deny(403)
D) Network firewall rule blocking port 80
Answer: C