This exam evaluates competency in implementing secure cloud architectures, managing identity and access, securing data, compliance, threat detection, encryption, and incident response. Candidates must demonstrate ability to design and manage secure cloud environments, enforce policies, and mitigate risks in cloud infrastructure.
Typology: Exams

Question 1. Which Google Cloud service provides a centralized view of security findings across projects?
A) Cloud Logging
B) Security Command Center
C) Cloud Asset Inventory
D) Cloud Scheduler
Answer: B
Explanation: Security Command Center aggregates and visualizes security findings, vulnerabilities, and misconfigurations across all resources.

Question 2. In IAM, which role type gives the most granular permissions?
A) Primitive role
B) Predefined role
C) Custom role
D) Owner role
Answer: C
Explanation: Custom roles let you define an exact set of permissions, enabling fine-grained least-privilege access.

Question 3. Which feature allows a service account to obtain short-lived tokens without storing a long-lived key?
A) Service Account Key
B) Workload Identity Federation
C) Impersonation
D) Service Account User role
Answer: B
Explanation: Workload Identity Federation exchanges external identities for short-lived Google Cloud tokens, avoiding static keys.

Question 4. What does the “Private Google Access” setting enable for a VPC subnet?
A) Access to Google APIs via public IPs
B) Direct peering with on-prem networks
C) Private connectivity to Google services without external IPs
D) Automatic VPN creation
Answer: C
Explanation: Private Google Access lets resources without external IPs reach Google APIs over Google's internal network.

Question 5. Which IAM condition attribute can be used to restrict access based on the requestor’s IP address?
A) resource.name
B) request.time
C) request.ip
D) request.auth.principal
Answer: C
Explanation: The request.ip attribute allows policies that limit access to specific source IP ranges.

Question 6. Which Cloud Armor feature protects web applications from SQL injection and XSS attacks?
A) Rate limiting
B) Preconfigured WAF rules
C) IP allowlist
D) Geo-blocking
Answer: B
Explanation: Preconfigured Web Application Firewall (WAF) rules in Cloud Armor detect and block common web exploits.

Question 7. When using Cloud KMS with a hardware security module (HSM), what is the primary benefit?
A) Lower cost

C) Organization, Folder, or Project
D) Only at the resource level
Answer: C
Explanation: Organization policies can be set at Organization, Folder, or Project levels, cascading down to resources.

Question 11. When configuring a Shared VPC, which entity owns the network resources?
A) The host project
B) The service project
C) The organization node
D) The billing account
Answer: A
Explanation: In a Shared VPC, the host project contains the VPC network, while service projects consume it.

Question 12. Which Google Cloud service allows you to perform automated scanning of container images for known vulnerabilities?
A) Cloud Build
B) Artifact Registry
C) Container Analysis
D) Cloud Run
Answer: C
Explanation: Container Analysis integrates with Container Registry/Artifact Registry to scan images for CVEs.

Question 13. What does the “Data Access” audit log capture?
A) Changes to IAM policies
B) System events like VM start/stop
C) Read/write operations on user data
D) Billing changes
Answer: C
Explanation: Data Access logs record API calls that read or modify user-owned data, such as Cloud Storage object reads.

Question 14. Which DLP transformation replaces detected credit-card numbers with a fixed token?
A) Redaction
B) Masking
C) Tokenization
D) Encryption
Answer: C
Explanation: Tokenization substitutes sensitive data with a non-sensitive placeholder while preserving format.

Question 15. Which feature of Secret Manager enables automatic rotation of secrets?
A) Versioning
B) Replication
C) Rotation schedule (via Cloud Scheduler)
D) Access control lists
Answer: C
Explanation: You can configure a rotation schedule that triggers a Cloud Function or Cloud Scheduler to generate new secret versions.

Question 16. What is the primary security benefit of enabling VPC Flow Logs?
A) Encrypts traffic between VMs
B) Provides visibility into network traffic for analysis and alerts
C) Blocks all inbound traffic automatically
D) Increases VM performance
Answer: B

Explanation: Federation lets external identities (e.g., on-prem or other clouds) obtain Google Cloud tokens without static keys.

Question 20. What does the “Access Transparency” log provide?
A) Detailed logs of all user-initiated actions
B) Logs of Google personnel actions on customer data
C) Encryption key usage statistics
D) Network packet captures
Answer: B
Explanation: Access Transparency records when Google staff access customer content, enhancing visibility and trust.

Question 21. Which method can you use to restrict a service account from being used outside a specific VPC?
A) Assigning the Service Account User role
B) Using VPC Service Controls with an egress restriction
C) Enabling MFA on the service account
D) Deleting the service account key
Answer: B
Explanation: VPC Service Controls create perimeters that prevent service-account-derived credentials from leaving the defined VPC.

Question 22. Which Cloud Logging sink type forwards logs to an external SIEM via Pub/Sub?
A) Cloud Storage sink
B) BigQuery sink
C) Pub/Sub sink
D) Logging API sink
Answer: C
Explanation: A Pub/Sub sink publishes logs to a topic that external SIEMs can subscribe to for real-time ingestion.

Question 23. What is the effect of disabling the default Compute Engine service account in a project?
A) All VMs lose network connectivity
B) No VM can obtain default credentials unless another service account is attached
C) Billing stops for the project
D) IAM policies are deleted
Answer: B
Explanation: Disabling the default service account prevents VMs from using its credentials; you must attach a custom service account.

Question 24. Which Cloud Armor feature helps mitigate UDP-based reflection attacks?
A) Geo-blocking
B) Preconfigured WAF rule set
C) Adaptive protection (DDoS protection)
D) IP allowlist
Answer: C
Explanation: Adaptive protection detects and mitigates large-scale UDP/ICMP reflection attacks automatically.

Question 25. When configuring a Cloud Storage bucket with CMEK, which key must be accessible to the bucket’s service account?
A) A key in the same project’s KMS key ring
B) Any key in any project
C) A key that is public
D) No key is needed; CMEK is optional
Answer: A
Explanation: The bucket’s service account needs cloudkms.cryptoKeyEncrypterDecrypter permission on the specific CMEK key, typically in the same project.

Question 29. Which of the following best describes “Assured Workloads” in Google Cloud?
A) A tool for automating CI/CD pipelines
B) A service that enforces regulatory controls and data residency requirements
C) A managed database service
D) A network load balancing solution
Answer: B
Explanation: Assured Workloads help customers meet compliance (e.g., FedRAMP, GDPR) by applying restrictions on data location and service usage.

Question 30. What does the “Policy Analyzer” in IAM help you identify?
A) Network latency issues
B) Over-privileged permissions and unused roles
C) Billing anomalies
D) Data encryption status
Answer: B
Explanation: Policy Analyzer evaluates IAM policies to find excessive permissions, role misconfigurations, and unused bindings.

Question 31. Which firewall rule type can be applied to all resources in a VPC regardless of tag or service account?
A) Tag-based rule
B) Service-account-based rule
C) Hierarchical firewall policy default rule
D) Network-level rule with “allow all”
Answer: C
Explanation: Hierarchical firewall policies have a default rule that applies globally unless overridden.

Question 32. In Cloud IDS, which mode provides deep packet inspection for encrypted traffic?
A) Passive mode
B) Inline mode with TLS termination
C) Mirror mode with SSL decryption via a proxy
D) No mode supports encrypted traffic inspection
Answer: C
Explanation: Mirror mode can send traffic to a decryption proxy, allowing IDS to inspect TLS-encrypted payloads.

Question 33. Which of the following is a recommended practice for managing service-account keys?
A) Store keys in plaintext on developer laptops
B) Rotate keys every 90 days and audit usage
C) Share a single key across all services
D) Disable key rotation to avoid downtime
Answer: B
Explanation: Regular rotation and auditing reduce the risk of key compromise and provide visibility.

Question 34. What does “VPC Service Controls” primarily protect?
A) Compute Engine instance firewalls
B) Data exfiltration from Google Cloud services
C) DNS resolution latency
D) Billing information
Answer: B
Explanation: VPC Service Controls create perimeters that limit data movement from Google-managed services, mitigating exfiltration.

Question 35. Which of the following is a valid way to enforce separation of duties for admin roles?
A) Granting a single user both Owner and Security Admin roles
B) Using IAM Conditions to require MFA for privileged actions
C. Cloud Monitoring dashboards D. Cloud Asset Inventory UI Answer: B Explanation: Filtering by logName:"activity" and the IAM service name isolates IAM audit events. Question 39. Which of the following best describes “Private Service Connect” (PSC)? A. Public IP address allocation for services B. Direct, private connectivity to Google-managed services without using public IPs C. Automatic DNS resolution for internal services D. A VPN tunneling protocol Answer: B Explanation: PSC enables private, internal endpoints to access Google services (e.g., Cloud SQL, Cloud Run) without traversing the internet. Question 40. When using Cloud DLP to de-identify data, which transformation masks all but the last four digits of a credit-card number? A. Redact B. Cryptographic hashing C. Tokenization with format-preserving token D. Masking with a custom character pattern Answer: D Explanation: Masking can be configured to replace characters except the last four, preserving readability while protecting data. Question 41. Which IAM role is required to create a new KMS key ring? A. roles/cloudkms.admin B. roles/editor C. roles/owner D. roles/resourcemanager.projectCreator
Answer: A Explanation: roles/cloudkms.admin grants permission to manage key rings and keys within Cloud KMS. Question 42. What does the “Security Health Analytics” module in SCC provide? A. Real-time network packet capture B. Automated scanning for known misconfigurations and vulnerabilities C. Billing anomaly detection D. Automated backup verification Answer: B Explanation: Security Health Analytics continuously scans resources for common security weaknesses. Question 43. Which of the following is a recommended practice for enabling MFA for privileged users? A. Enforce MFA only for console login, not for API access B. Use 2SV for all users and require hardware security keys for admins C. Disable MFA to avoid user friction D. Allow users to skip MFA on trusted networks Answer: B Explanation: Enforcing MFA for console and requiring stronger factors (e.g., hardware keys) for admins reduces credential-based attacks. Question 44. Which Cloud service can be used to mirror traffic from a VPC subnet to an inspection appliance? A. Cloud NAT B. Packet Mirroring C. Cloud Interconnect D. Cloud CDN Answer: B

Explanation: A scheduled Cloud Function can programmatically delete or disable keys after a defined period.

Question 48. In the Shared Responsibility Model, which responsibility lies with the customer?
A) Physical security of data centers
B) Patching the underlying hypervisor
C) Configuration of IAM policies and encryption keys
D) Network backbone maintenance
Answer: C
Explanation: Customers are responsible for securing their workloads, including IAM, keys, and application configuration.

Question 49. Which tool helps you test IAM policy simulations for a specific principal and resource?
A) Policy Troubleshooter
B) Cloud Shell
C) Cloud Build
D) Cloud DNS
Answer: A
Explanation: Policy Troubleshooter evaluates whether a given principal has the required permissions on a resource.

Question 50. Which Cloud service provides a managed, scalable DLP inspection job that can run on a schedule?
A) Cloud Scheduler
B) Cloud DLP “Inspect” jobs with Cloud Scheduler trigger
C) Cloud Functions
D) Cloud Logging
Answer: B
Explanation: Cloud DLP can create recurring inspection jobs, often triggered by Cloud Scheduler.

Question 51. What does enabling “Uniform bucket-level access” on a Cloud Storage bucket do?
A) Allows object-level ACLs alongside IAM
B) Disables object ACLs, enforcing IAM only
C) Enables public read access by default
D) Forces all objects to be encrypted with CMEK
Answer: B
Explanation: Uniform bucket-level access removes fine-grained ACLs, making IAM the sole access control mechanism.

Question 52. Which Cloud service can automatically generate alerts when a new public IP address is assigned to a VM?
A) Cloud Monitoring alerting on Compute Engine “instance.networkInterfaces.accessConfigs” metric
B) Cloud Logging sink
C) Cloud Armor
D) Cloud Scheduler
Answer: A
Explanation: Monitoring can watch the instance.networkInterfaces.accessConfigs metric and trigger alerts on changes.

Question 53. Which of the following best describes “Google-managed service accounts”?
A) Accounts created by users for custom applications
B) Default service accounts automatically generated for services like Compute Engine
C) Accounts that require manual key management
D) Accounts that cannot be disabled
Answer: B
Explanation: Google-managed service accounts are automatically provisioned for platform services (e.g., Compute Engine default SA).

Question 57. Which Cloud service can be used to enforce “just-in-time” privileged access for a Cloud SQL instance?
A) Cloud IAM
B) Privileged Access Manager (PAM)
C) Cloud Scheduler
D) Cloud DNS
Answer: B
Explanation: PAM provides JIT access for privileged resources, including Cloud SQL, granting temporary elevated rights.

Question 58. Which of the following statements about “Cloud KMS key versions” is true?
A) A key can have only one active version at a time
B) Older versions can be disabled but still used for decryption
C) Versions are immutable once created
D) Versions automatically rotate every 30 days
Answer: C
Explanation: Key versions are immutable; you can create new versions but cannot modify an existing one.

Question 59. Which feature allows you to restrict which Google Cloud services can be used in a specific region?
A) VPC Service Controls
B) Organization Policy constraint “constraints/compute.allowedRegions”
C) Firewall rule with region tag
D) Cloud Scheduler
Answer: B
Explanation: The constraints/compute.allowedRegions policy limits the regions where resources can be provisioned.

Question 60. Which of the following is a best practice for protecting API keys stored in Secret Manager?
A) Share the secret with all service accounts
B) Grant the secretmanager.secretAccessor role at the organization level
C) Use short-lived secret versions and rotate regularly
D) Store the secret in plain text in Cloud Storage as backup
Answer: C
Explanation: Rotating short-lived secret versions reduces exposure risk; access should be limited, not organization-wide.

Question 61. In Cloud Armor, what does a “pre-configured WAF rule” named “xss-strobe” protect against?
A) Cross-site scripting attacks
B) SQL injection
C) DDoS amplification
D) Unauthorized data exfiltration
Answer: A
Explanation: The xss-strobe rule detects and blocks typical XSS payload patterns.

Question 62. Which GCP feature helps you enforce that all Compute Engine disks are encrypted with a CMEK?
A) Organization Policy constraint “constraints/compute.requireCmek”
B) Firewall rule blocking unencrypted disks
C) Cloud Logging filter
D) Cloud Scheduler job that checks disk encryption
Answer: A
Explanation: The constraints/compute.requireCmek policy forces CMEK usage for new disks.

Question 63. What is the primary function of “Cloud Asset Inventory”?
A) To store encrypted data at rest