This exam evaluates secure coding knowledge, application threat modeling, vulnerability remediation, DevSecOps practices, and secure software-development lifecycle (SDLC) principles. Candidates analyze code snippets, identify vulnerabilities (XSS, SQLi, CSRF, IDOR), implement remediation techniques, and apply secure design principles.
Typology: Exams
Question 1. Which of the following best describes the purpose of an organization node in Google Cloud's resource hierarchy?
A) It stores VM images for reuse across projects.
B) It defines a boundary for billing and policy inheritance.
C) It provides a DNS zone for all resources.
D) It hosts a shared VPC for all folders.
Answer: B
Explanation: The organization node is the root of the resource hierarchy. IAM policies and organization policies set on it are inherited by every folder and project beneath it, and billing accounts are administered at the organization level.

Question 2. In IAM, which role type grants the most granular set of permissions?
A) Primitive role
B) Predefined role
C) Custom role
D) Owner role
Answer: C
Explanation: Custom roles are defined by the customer and can contain exactly the permissions a task needs, which is how the principle of least privilege is applied in practice. Basic (primitive) roles such as Owner are the opposite extreme: broad bundles of permissions across every service.

Question 3. A developer needs read-only access to Cloud Storage buckets in a single project but no access to other services. Which IAM role should be assigned?
A) roles/editor
B) roles/storage.objectViewer
C) roles/viewer
D) roles/browser
Answer: B
Explanation: roles/storage.objectViewer grants read-only access to objects in Cloud Storage and carries no permissions on other services. roles/viewer would grant read access to every service in the project, which is more than the developer needs.

Question 4. Which IAM condition would you use to restrict access to a resource only during business hours (9 AM–5 PM UTC)?
A) request.time < timestamp("2025-01-01T17:00:00Z")
B) resource.name.startsWith("projects/")
C) request.time >= timestamp("2025-01-01T09:00:00Z") && request.time <= timestamp("2025-01-01T17:00:00Z")
D) request.ip in ["10.0.0.0/8"]
Answer: C
Explanation: IAM Conditions are CEL expressions that can evaluate request.time, so access can be limited to a time window. Note that option C pins the window to a single calendar day (1 January 2025). A recurring business-hours window is written with the time accessor functions, for example request.time.getHours("UTC") >= 9 && request.time.getHours("UTC") < 17, optionally combined with request.time.getDayOfWeek("UTC") to exclude weekends.

Question 5. What is the primary benefit of enabling Multi-Factor Authentication (MFA) for privileged accounts?
A) Reduces cost of compute resources.
B) Guarantees password complexity.
C) Adds a second verification factor, reducing risk of credential theft.
D) Allows single sign-on across all Google services.
Answer: C
Explanation: MFA combines something the user knows (a password) with something the user has (a security key, phone or authenticator code), so a stolen or phished password alone is not enough to sign in. For privileged accounts, phishing-resistant factors such as FIDO security keys are preferable to SMS or push prompts.

Question 6. Which protocol is typically used by Google Cloud to implement SAML-based Single Sign-On?
A) OAuth 2.
B) OpenID Connect
C) SAML 2.
A) Use long-lived JSON keys.
B) Enable Workload Identity Federation with token exchange.
C) Assign the Compute Engine default service account.
D) Disable all IAM policies.
Answer: B
Explanation: Workload Identity Federation lets a workload exchange a token from its own identity provider for a short-lived Google Cloud access token, so no long-lived service-account key has to be created, distributed or stored.

Question 10. Workload Identity Federation primarily helps to:
A) Increase storage capacity.
B) Allow external identities (e.g., from Azure AD) to access Google Cloud resources without static keys.
C) Duplicate VPC networks across regions.
D) Encrypt data at rest using customer-managed keys.
Answer: B
Explanation: Federation lets identities from external providers (AWS, Azure AD, or any OIDC or SAML 2.0 provider) obtain short-lived Google Cloud credentials, eliminating static service-account keys.

Question 11. Which tool synchronizes on-premises Active Directory groups to Google Cloud Identity?
A) Cloud IAM
B) Cloud DNS
C) Google Cloud Directory Sync (GCDS)
D) Cloud Armor
Answer: C
Explanation: GCDS imports users and groups from on-premises LDAP directories such as Active Directory into Cloud Identity or Google Workspace.

Question 12. Access Context Manager can enforce access based on which of the following attributes?
A) User's favorite color.
B) Device security posture and IP address.
C) Number of VMs in a project.
D) Size of Cloud Storage bucket.
Answer: B
Explanation: Access Context Manager defines access levels that evaluate attributes of the request such as source IP address, geographic region, device posture (reported by Endpoint Verification) and user identity.

Question 13. Identity-Aware Proxy (IAP) protects which type of resources?
A) Only Cloud SQL instances.
B) Web-based applications and TCP-based services behind a load balancer.
C) Private VPC subnets.
D) Cloud DNS zones.
Answer: B
Explanation: IAP authenticates and authorizes users in front of HTTP(S) applications served through a load balancer, and its TCP forwarding mode gives SSH and RDP access to VMs without exposing them on public IP addresses.

Question 14. In VPC design, what is the purpose of using separate subnets for production and non-production workloads?
A) To increase the number of IP addresses available.
B) To enforce network isolation and limit blast radius.
C) To reduce the cost of traffic egress.
D) To enable automatic data replication.
Answer: B
Explanation: Segregating subnets provides logical isolation that firewall rules can enforce, reducing the impact of a compromise in one environment on the other.
Explanation: VPC Service Controls create a service perimeter around Google-managed services such as Cloud Storage and BigQuery. API requests that cross the perimeter boundary are denied unless an ingress or egress rule allows them, which limits data exfiltration even when IAM would otherwise permit the call.

Question 18. Which Google Cloud service provides DDoS protection at the edge of Google's network?
A) Cloud DNS
B) Cloud Armor
C) Cloud IDS
D) Cloud Storage
Answer: B
Explanation: Cloud Armor offers DDoS mitigation and WAF capabilities at Google's edge locations, in front of the external HTTP(S) load balancer.

Question 19. To protect a web application from SQL injection, you would configure which Cloud Armor feature?
A) Rate-limiting policy
B) Pre-configured WAF rule set for OWASP Top 10
C) VPC peering
D) Private Google Access
Answer: B
Explanation: Cloud Armor's pre-configured WAF rules, derived from the OWASP ModSecurity Core Rule Set, include signatures for SQL injection and other OWASP Top 10 attack classes.

Question 20. Which service can be used to mirror traffic for deep packet inspection without impacting production flow?
A) Cloud DNS
B) Packet Mirroring
C) Cloud Run
D) Cloud Scheduler
Answer: B
Explanation: Packet Mirroring copies the traffic of selected instances to a collector (Cloud IDS or a third-party sensor) for out-of-band analysis, so the production path is not altered.

Question 21. Enabling DNSSEC for Cloud DNS primarily protects against:
A) Unauthorized VM start-up.
B) Man-in-the-middle attacks on DNS responses.
C) Data loss in Cloud Storage.
D) Insider threats to IAM policies.
Answer: B
Explanation: DNSSEC adds cryptographic signatures to DNS records so that a validating resolver can detect forged or tampered responses (cache poisoning, on-path manipulation). It provides integrity and origin authentication only; it does not encrypt DNS traffic.

Question 22. Which connectivity option provides a dedicated, private link between on-premises data centers and Google Cloud?
A) Cloud VPN (IPsec)
B) Cloud Interconnect (Dedicated)
C) VPC Peering
D) Cloud NAT
Answer: B
Explanation: Dedicated Interconnect offers a private, high-throughput physical connection between the customer's network and Google's backbone, whereas Cloud VPN tunnels over the public internet.

Question 23. When would you choose VPC Peering over Shared VPC?
A) When you need centralized IAM across multiple projects.
B) When you want to connect VPCs in different organizations without transitive routing.
B) An individual cryptographic material instance within a key.
C) The same as a key policy.
D) The IAM role attached to the key.
Answer: B
Explanation: A Cloud KMS key can have multiple versions; each version holds a distinct piece of cryptographic material, which is what allows rotation (a new primary version) and later disabling or destruction of old versions without changing the key's name.

Question 27. Which command creates a new symmetric key in Cloud KMS using the gcloud CLI?
A) gcloud kms keys create my-key --location=global --keyring=my-ring --purpose=encryption
B) gcloud kms keyrings create my-key --location=global
C) gcloud compute disks create my-key
D) gcloud iam service-accounts create my-key
Answer: A
Explanation: The gcloud kms keys create command with --purpose=encryption creates a symmetric encryption key inside an existing key ring; gcloud kms keyrings create only creates the ring that holds keys.

Question 28. Secret Manager is best used for storing:
A) Large video files.
B) API keys, passwords, and TLS certificates.
C) VM instance images.
D) Cloud Logging logs.
Answer: B
Explanation: Secret Manager is designed for small, sensitive payloads such as credentials, private keys and certificates, with versioning, IAM-controlled access and audit logging of every access.

Question 29. Which DLP feature can automatically replace a credit-card number with a token in a Cloud Storage object?
A) Data loss prevention (DLP) job with de-identify transformation using tokenization.
B) Cloud Armor rule set.
C) IAM deny policy.
D) VPC Service Controls.
Answer: A
Explanation: DLP (now Sensitive Data Protection) can run a de-identification job that inspects storage objects and replaces detected sensitive values with tokens or redacts them.

Question 30. Tokenization differs from encryption primarily because:
A) Tokenization changes data format to a non-reversible placeholder.
B) Tokenization uses asymmetric keys.
C) Tokenization is faster than hashing.
D) Tokenization can be performed only on databases.
Answer: A
Explanation: Tokenization replaces a sensitive value with a surrogate token that has no mathematical relationship to the original; recovering the value requires the token-mapping system (vault). Encryption transforms the value under a key and is reversible by anyone who holds that key.

Question 31. Which Cloud SQL setting enforces encryption at rest using a customer-managed key?
A) --enable-automatic-backups
B) --database-version=POSTGRES_14
C) --kms-key-name=projects/.../locations/.../keyRings/.../cryptoKeys/...
D) --activation-policy=ALWAYS
Answer: C
D) VPC Service Controls perimeter.
Answer: A
Explanation: An aggregated log sink created at the organization or folder level with includeChildren set to true routes logs from every project beneath that node into the chosen destination (a Cloud Storage bucket, BigQuery dataset, Pub/Sub topic or Logging bucket).

Question 35. Which monitoring metric would you alert on to detect a sudden increase in unauthorized login attempts?
A) compute.googleapis.com/instance/cpu/utilization
B) iam.googleapis.com/login_failure_count
C) cloudsql.googleapis.com/database/disk/bytes_used
D) bigquery.googleapis.com/query/count
Answer: B
Explanation: A count of failed logins is the signal for brute-force and credential-stuffing activity, so that is the series to alert on; the other options measure resource consumption. In practice, failed sign-ins for Google identities appear in the Cloud Identity / Google Workspace login audit logs; once those are shared with Cloud Logging, a log-based metric counting the failure events gives you a metric to attach an alerting policy to.

Question 36. Security Command Center (SCC) – Security Health Analytics primarily finds:
A) Real-time network traffic anomalies.
B) Misconfigurations and compliance violations.
C) Malware in container images.
D) Data exfiltration events.
Answer: B
Explanation: Security Health Analytics scans resource configurations for insecure settings (public buckets, open firewall rules, missing logging) and maps them to compliance benchmarks such as the CIS Google Cloud benchmark.

Question 37. Which SCC finding type indicates a container image contains a known vulnerability?
A) Vulnerability
B) Misconfiguration
C) SensitiveData
D) AnomalousNetworkTraffic
Answer: A
Explanation: Image vulnerability findings originate from container image scanning (Artifact Analysis, formerly Container Analysis) and surface in SCC as Vulnerability findings carrying the CVE. Container Threat Detection is a different source: it watches running containers for runtime behaviour such as added binaries, reverse shells or malicious scripts.

Question 38. In an incident response plan, the "containment" phase aims to:
A) Perform root-cause analysis.
B) Eradicate the attacker's foothold and limit further damage.
C) Notify stakeholders after full remediation.
D) Archive logs for compliance.
Answer: B
Explanation: Containment stops the attacker from moving laterally and prevents additional impact (isolating hosts, revoking credentials, blocking traffic) while the incident is investigated. Note that NIST SP 800-61 treats eradication of the foothold as the phase that follows containment; option B bundles the two, but limiting further damage is the defining goal of containment.

Question 39. Which Cloud Automation tool can automatically remediate a public firewall rule that allows 0.0.0.0/0 to SSH?
A) Cloud Scheduler
B) Cloud Functions triggered by SCC findings
C) Cloud DNS
D) Cloud Build
Answer: B
Explanation: SCC can publish findings to a Pub/Sub topic; a Cloud Function subscribed to that topic can re-check the flagged firewall rule and modify or delete it.

Question 40. To ensure that all VM images in a project have the latest OS patches before deployment, you would use:
Question 43. Under the shared responsibility model, which of the following is the cloud provider's responsibility?
A) Patch management of the guest OS in Compute Engine VMs.
B) Physical security of the data centers.
C) Configuration of IAM roles for application users.
D) Encryption of customer-managed keys.
Answer: B
Explanation: The provider secures the underlying infrastructure, including physical data-center security and the hypervisor; the customer remains responsible for guest OS patching, IAM configuration and the lifecycle of customer-managed keys.

Question 44. To satisfy GDPR's data-subject-access-request (DSAR) requirement, an organization should:
A) Store all logs indefinitely.
B) Provide a mechanism to retrieve personal data in a portable format within 30 days.
C) Encrypt all data with a single global key.
D) Disable all data export features.
Answer: B
Explanation: GDPR requires that data subjects can obtain a copy of their personal data in a commonly used, machine-readable format without undue delay and at the latest within one month of the request.

Question 45. Which Cloud service can be used to enforce data residency by restricting storage of objects to a specific region?
A) Cloud Armor
B) Cloud Storage with location-constraint set to a single region.
C) Cloud DNS
D) Cloud Interconnect
Answer: B
Explanation: A bucket's location is fixed at creation; choosing a single region keeps object data in that region. The organization policy constraint gcp.resourceLocations can additionally prevent anyone from creating buckets elsewhere.

Question 46. Which IAM role grants the ability to view but not modify organization-level policies?
A) roles/resourcemanager.organizationViewer
B) roles/editor
C) roles/owner
D) roles/iam.securityAdmin
Answer: A
Explanation: roles/resourcemanager.organizationViewer provides read-only access to the organization resource and its policies; roles/iam.securityAdmin can set IAM policies, and Editor and Owner are broad write roles.

Question 47. When configuring a firewall rule to allow SSH only from corporate IP ranges, which field must you set?
A) destinationRanges
B) sourceRanges
C) targetTags
D) priority
Answer: B
Explanation: sourceRanges lists the CIDR blocks from which ingress traffic is accepted. Pair it with targetTags or target service accounts so the rule applies only to the instances that should accept SSH, rather than to the whole network.

Question 48. The principle of "defense in depth" is best illustrated by which combination?
A) Only using IAM deny policies.
B) Applying network firewalls, VPC Service Controls, and runtime application security together.
A) They allow traffic to bypass the perimeter for all services.
B) They enable selective access to services outside the perimeter while maintaining protection for protected services.
C) They replace firewall rules entirely.
D) They are only available for Cloud DNS.
Answer: B
Explanation: A perimeter bridge links two or more service perimeters so that projects in one can reach protected services in the other; each project stays inside its own perimeter and the perimeters' protection against the outside world remains in force.

Question 52. Which Cloud service can be used to enforce that all new Compute Engine instances have OS Config patch management enabled?
A) Cloud Asset Inventory
B) Organization Policy compute.requireOsLogin
C) Organization Policy compute.requireShieldedVm
D) Organization Policy compute.requireOsConfig (custom constraint)
Answer: D
Explanation: An organization policy constraint requiring OS Config makes the agent configuration mandatory on new instances, so patch compliance can be enforced rather than merely reported; Cloud Asset Inventory only observes the state.

Question 53. In Cloud Armor, a "rate-limiting" rule is most appropriate to mitigate:
A) SQL injection attacks.
B) Credential stuffing attempts from a single IP.
C) Data exfiltration via Cloud Storage.
D) Misconfigured IAM policies.
Answer: B
Explanation: A rate-based rule throttles or temporarily bans a client that exceeds a request threshold, which blunts credential-stuffing and brute-force attempts; SQL injection is a payload problem handled by WAF signatures, not by request volume.

Question 54. Which attribute can be used in an IAM condition to restrict access based on the request's originating VPC network?
A) resource.name
B) request.time
C) request.network
D) request.ip
Answer: C
Explanation: The request.network attribute references the VPC network ID that originated the request, enabling network-based conditions.

Question 55. A Cloud Storage bucket is set to Uniform bucket-level access. What is the effect?
A) ACLs are ignored; only IAM policies control access.
B) Objects can be accessed anonymously.
C) Versioning is automatically enabled.
D) Multi-regional storage is forced.
Answer: A
Explanation: Uniform bucket-level access disables object-level ACLs, so every object in the bucket is governed by the bucket's IAM policy alone and there is a single place to audit who can read what.

Question 56. Which of the following is NOT a valid way to grant a principal temporary access to a resource?
A) IAM Conditions with time window.
B) Short-lived OAuth token via IAP.
C) Long-lived service-account JSON key.
D) Signed URL with expiration.
Answer: C
Explanation: A service-account JSON key is a standing credential that never expires on its own; the other three options all carry an expiry, which is what makes the access temporary.