Practice Free Professional Cloud Security Engineer Exam Online Questions
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside
on “in-scope” Nodes only. These Nodes can only contain the “in-scope” Pods.
How should the organization achieve this objective?
- A . Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.
- B . Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.
- C . Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.
- D . Run all in-scope Pods in the namespace “in-scope-pci”.
A
Explanation:
nodeSelector is the simplest recommended form of node selection constraint. You can add the nodeSelector field to your Pod specification and specify the node labels you want the target node to have. Kubernetes only schedules the Pod onto nodes that have each of the labels you specify.
https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
Tolerations are applied to pods. Tolerations allow the scheduler to schedule pods with matching taints. Tolerations allow scheduling but don’t guarantee scheduling: the scheduler also evaluates other parameters as part of its function.
https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
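To make the two mechanisms in the explanation concrete, here is an added example (not from the original page) that models the Kubernetes matching rules for nodeSelector and NoSchedule taints/tolerations and runs them over constructed node and pod specs. It shows which placements each mechanism permits: the selector restricts where a labeled pod may go, while a taint keeps untolerating pods off the node. Node names, labels and pod specs are constructed for illustration.

```python
# Minimal model of two scheduling constraints (added example, not page code).
# Nodes and pods below are constructed; the matching rules follow the
# Kubernetes docs linked above.

IN_SCOPE_LABEL = {"inscope": "true"}
PCI_TAINT = {"key": "inscope", "value": "true", "effect": "NoSchedule"}


def selector_matches(pod, node):
    """nodeSelector: every requested label must be present on the node."""
    wanted = pod.get("nodeSelector", {})
    return all(node["labels"].get(k) == v for k, v in wanted.items())


def tolerates(pod, taint):
    """A toleration matches when key and effect agree and either the
    operator is Exists or the value is equal."""
    for tol in pod.get("tolerations", []):
        if tol.get("key") != taint["key"]:
            continue
        if tol.get("effect") not in (None, "", taint["effect"]):
            continue
        if tol.get("operator") == "Exists" or tol.get("value") == taint["value"]:
            return True
    return False


def schedulable(pod, node):
    """The pod may land on the node only if the selector matches and every
    NoSchedule taint on the node is tolerated."""
    if not selector_matches(pod, node):
        return False
    return all(tolerates(pod, t) for t in node["taints"]
               if t["effect"] == "NoSchedule")


def eligible_nodes(pod, nodes):
    return sorted(n["name"] for n in nodes if schedulable(pod, n))


# Constructed cluster: one labeled+tainted PCI node, one general node.
NODES = [
    {"name": "pci-1", "labels": IN_SCOPE_LABEL, "taints": [PCI_TAINT]},
    {"name": "general-1", "labels": {}, "taints": []},
]
PCI_TOLERATION = {"key": "inscope", "operator": "Equal",
                  "value": "true", "effect": "NoSchedule"}
PCI_POD = {"nodeSelector": IN_SCOPE_LABEL, "tolerations": [PCI_TOLERATION]}
SELECTOR_ONLY_POD = {"nodeSelector": IN_SCOPE_LABEL}
TOLERATION_ONLY_POD = {"tolerations": [PCI_TOLERATION]}
OTHER_POD = {}
```

Running eligible_nodes over these four pods shows that the toleration-only pod is still eligible for both nodes (a toleration allows but does not force placement), while the untolerating pod is kept off the tainted node.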
Your organization wants to protect all workloads that run on Compute Engine VMs to ensure that the instances weren’t compromised by boot-level or kernel-level malware. Also, you need to ensure that data in use on the VM cannot be read by the underlying host system, using a hardware-based solution.
What should you do?
- A . 1. Use Google Shielded VM including Secure Boot, Virtual Trusted Platform Module (vTPM) and integrity monitoring. 2. Create a Cloud Run function to check for the VM settings, generate metrics, and run the function regularly.
- B . 1. Activate Virtual Machine Threat Detection in Security Command Center (SCC) Premium. 2. Monitor the findings in SCC.
- C . 1. Use Google Shielded VM including Secure Boot, Virtual Trusted Platform Module (vTPM) and integrity monitoring. 2. Activate Confidential Computing. 3. Enforce these actions by using organization policies.
- D . 1. Use secure hardened images from the Google Cloud Marketplace. 2. When deploying the images, activate the Confidential Computing option. 3. Enforce the use of the correct images and Confidential Computing by using organization policies.
C
Explanation:
Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring: Shielded VMs provide verifiable integrity of the VM by ensuring that it was not tampered with or compromised at the boot level. They use features like Secure Boot, vTPM, and integrity monitoring to detect and prevent malicious changes to the VM’s operating system and firmware.
Activate Confidential Computing: Confidential Computing provides a secure environment for processing sensitive data. It uses hardware-based enclaves to protect data in use by ensuring it cannot be accessed by the underlying host or any other unauthorized entity. By leveraging Intel SGX or AMD SEV, it ensures that data remains encrypted even when it is being processed.
Enforce these actions by using organization policies: Organization policies can enforce the use of Shielded VMs and Confidential Computing across your organization. This ensures that all VMs comply with these security measures without requiring manual configuration for each VM.
Reference
Shielded VMs documentation
Confidential Computing documentation
Organization Policies documentation
You are setting up Cloud Identity for your company’s Google Cloud organization. User accounts will be provisioned from Microsoft Entra ID through Directory Sync and there will be a single sign-on through Entra ID. You need to secure the super administrator accounts for the organization. Your solution must follow the principle of least privilege and implement strong authentication.
What should you do?
- A . Create dedicated accounts for super administrators. Ensure that 2-step verification is enforced for the super administrator accounts in Entra ID.
- B . Create dedicated accounts for super administrators. Enforce Google 2-step verification for the super administrator accounts.
- C . Create accounts that combine the organization administrator and the super administrator privileges. Ensure that 2-step verification is enforced for the super administrator accounts in Entra ID.
- D . Create accounts that combine the organization administrators and the super administrator privileges. Enforce Google 2-step verification for the super administrator accounts.
B
Explanation:
Google’s Super Administrator security best practices emphasize that these accounts should be handled differently from standard user accounts, especially when using third-party SSO (like Entra ID).
According to Google Cloud Best Practices for Admin Accounts:
"You should maintain at least two super administrator accounts that are not part of your standard SSO (Single Sign-On) flow. These should be ‘Cloud-only’ accounts. This ensures that if your external IdP (Entra ID) is down or misconfigured, you can still sign in to Google Cloud. Furthermore, you must
enforce Google 2-step verification (2SV)―ideally using hardware security keys―directly on these accounts to provide the strongest level of protection independent of the IdP."
Key Best Practices:
Dedicated Accounts: Do not use the same account for daily work (Email/Docs) and Admin tasks.
Avoid SSO for Admins: If Entra ID has an issue, you could be locked out of your Google Org. Cloud-only accounts solve this.
Strong 2SV: Google’s native 2SV is required to protect these highly privileged identities from phishing and credential theft.
Reference: Google Cloud Documentation: "Super administrator account best practices" (https://cloud.google.com/resource-manager/docs/super-admin-best-practices).
Google Workspace Admin Help: "Security best practices for administrator accounts"
(https://support.google.com/a/answer/9011373).
Your company wants to determine what products they can build to help customers improve their credit scores depending on their age range. To achieve this, you need to join user information in the company’s banking app with customers’ credit score data received from a third party. While using this raw data will allow you to complete this task, it exposes sensitive data, which could be propagated into new systems.
This risk needs to be addressed using de-identification and tokenization with Cloud Data Loss Prevention while maintaining the referential integrity across the database.
Which cryptographic token format should you use to meet these requirements?
- A . Deterministic encryption
- B . Secure, key-based hashes
- C . Format-preserving encryption
- D . Cryptographic hashing
A
Explanation:
“This encryption method is reversible, which helps to maintain referential integrity across your database and has no character-set limitations.” https://cloud.google.com/blog/products/identity-security/take-charge-of-your-data-how-tokenization-makes-data-usable-without-sacrificing-privacy
https://cloud.google.com/dlp/docs/pseudonymization
FPE provides fewer security guarantees compared to other deterministic encryption methods such as AES-SIV. For these reasons, Google strongly recommends using deterministic encryption with AES-SIV instead of FPE for all security sensitive use cases. Other methods like deterministic encryption using AES-SIV provide these stronger security guarantees and are recommended for tokenization use cases unless length and character set preservation are strict requirements―for example, for backward compatibility with a legacy data system.
You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive data.
Your solution has the following requirements:
Schedule key rotation for sensitive data.
Control which region the encryption keys for sensitive data are stored in.
Minimize the latency to access encryption keys for both sensitive and non-sensitive data.
What should you do?
- A . Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
- B . Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.
- C . Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
- D . Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.
D
Explanation:
Encrypt non-sensitive data with Google default encryption:
- Google Cloud automatically encrypts data at rest using AES-256 by default. This minimizes key management complexity for non-sensitive data as it is handled entirely by Google.
- No additional setup is required for default encryption, ensuring low-latency access to the encrypted data.
Encrypt sensitive data with Cloud Key Management Service (Cloud KMS):
- Cloud KMS allows you to create and manage cryptographic keys in a centralized cloud service.
- To meet the requirement of scheduling key rotation, configure Cloud KMS to automatically rotate keys on a regular schedule (e.g., every 90 days).
- Control the region where the keys are stored by selecting the appropriate key ring location during key creation. This ensures compliance with data residency requirements.
- Cloud KMS provides low-latency access to keys, ensuring minimal impact on data access performance.
Reference: Cloud Key Management Service Documentation
Encryption at Rest in Google Cloud
You are exporting application logs to Cloud Storage. You encounter an error message that the log sinks don’t support uniform bucket-level access policies.
How should you resolve this error?
- A . Change the access control model for the bucket
- B . Update your sink with the correct bucket destination.
- C . Add the roles/logging.logWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.
- D . Add the roles/logging.bucketWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.
A
Explanation:
https://cloud.google.com/logging/docs/export/troubleshoot#errors_exporting_to_cloud_storage
https://cloud.google.com/logging/docs/export/troubleshoot
Unable to grant correct permissions to the destination: Even if the sink was successfully created with the correct service account permissions, this error message displays if the access control model for the Cloud Storage bucket was set to uniform access when the bucket was created. For existing Cloud Storage buckets, you can change the access control model for the first 90 days after bucket creation by using the Permissions tab. For new buckets, select the Fine-grained access control model during bucket creation. For details, see Creating Cloud Storage buckets.
