Practice Free Professional Cloud Security Engineer Exam Online Questions
You work for a large organization that runs many custom training jobs on Vertex AI. A recent compliance audit identified a security concern. All jobs currently use the Vertex AI service agent. The audit mandates that each training job must be isolated, with access only to the required Cloud Storage buckets, following the principle of least privilege. You need to design a secure, scalable solution to enforce this requirement.
What should you do?
- A . Create a custom service account. Assign it the storage object user role at the project level. Configure all Vertex AI custom training jobs to run as this service account.
- B . Continue to use the default Vertex AI service agent. Implement VPC Service Controls around the Vertex AI and Cloud Storage services.
- C . Modify the IAM policy of each Cloud Storage bucket to grant the default Vertex AI service agent the storage Legacy Object Reader role.
- D . Use a dedicated service account for each custom training job. Grant each account the storage Legacy Object Reader role for the necessary Cloud Storage buckets.
D
Explanation:
By default, Vertex AI uses a "Service Agent" (a Google-managed service account) which often has broad permissions across the project. To achieve isolation and least privilege, you must use Custom Service Accounts for each training job.
According to Google Cloud Documentation (Use a custom service account for Vertex AI):
"When you perform custom training, you can configure Vertex AI to use a custom service account. This allows you to grant the job only the specific permissions it needs (e.g., access to a specific Cloud Storage bucket) rather than using the default service agent which may have broader access. This is the recommended practice for multi-tenant or highly regulated environments."
Implementation Strategy:
Identity: Create a unique User-Managed Service Account (UMSA) for each specific training workload or team.
Permissions: Grant that UMSA roles/storage.objectViewer (or roles/storage.legacyObjectReader) only on the specific bucket containing the training data, not at the project level.
Job Config: When submitting the Vertex AI custom job, set the serviceAccount field of the job spec to that UMSA so the job runs as it instead of the default service agent.
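As an added example (not code from the exam page or from Google's documentation), the following Python script audits a set of custom training jobs against the three properties the answer relies on: no job runs as the shared Vertex AI service agent, no two jobs share an identity, and each identity holds a storage read role only on the buckets its job needs, never at project level. The IAM policy data is a constructed stand-in for what `gcloud projects get-iam-policy` and `gcloud storage buckets get-iam-policy` return; the project, bucket and service-account names are placeholders. It contrasts an option-A layout (one shared custom account with a project-level grant) with an option-D layout (one account per job, bound per bucket).

```python
from dataclasses import dataclass

# Roles that grant object read access; a job should hold one of these only on
# the specific buckets it needs (bucket-level binding), never at project level.
STORAGE_READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.objectUser",
    "roles/storage.legacyObjectReader",
}


@dataclass
class Job:
    name: str
    service_account: str   # IAM member string, e.g. "serviceAccount:name@project.iam.gserviceaccount.com"
    required_buckets: set  # buckets this job legitimately reads, e.g. {"gs://fraud-data"}


def is_vertex_service_agent(member):
    """The Google-managed Vertex AI service agent is one identity shared by every job in the project."""
    return member.endswith("@gcp-sa-aiplatform.iam.gserviceaccount.com")


def storage_members(bindings):
    """Map member -> set of storage read roles found in a list of IAM bindings."""
    members = {}
    for binding in bindings:
        if binding["role"] in STORAGE_READ_ROLES:
            for member in binding["members"]:
                members.setdefault(member, set()).add(binding["role"])
    return members


def audit(jobs, project_bindings, bucket_bindings):
    """Return a list of (job name, finding) tuples; an empty list means least privilege holds."""
    findings = []
    project_level = storage_members(project_bindings)
    per_bucket = {bucket: storage_members(b) for bucket, b in bucket_bindings.items()}
    first_user_of = {}
    for job in jobs:
        sa = job.service_account
        if is_vertex_service_agent(sa):
            findings.append((job.name, "runs as the shared Vertex AI service agent"))
        if sa in first_user_of:
            findings.append((job.name, f"shares its identity with job {first_user_of[sa]}"))
        first_user_of.setdefault(sa, job.name)
        if sa in project_level:
            findings.append((job.name, "holds a storage read role at project level"))
        granted = {bucket for bucket, members in per_bucket.items() if sa in members}
        for extra in sorted(granted - job.required_buckets):
            findings.append((job.name, f"can read bucket {extra} it does not need"))
        if sa not in project_level:
            for missing in sorted(job.required_buckets - granted):
                findings.append((job.name, f"has no read access to required bucket {missing}"))
    return findings


# --- Constructed sample data (placeholder project and names) ---
PROJECT_ID = "example-project"

# Option A: one custom service account for every job, granted at project level.
SHARED_SA = f"serviceAccount:trainer@{PROJECT_ID}.iam.gserviceaccount.com"
OPTION_A_JOBS = [
    Job("fraud-model", SHARED_SA, {"gs://fraud-data"}),
    Job("churn-model", SHARED_SA, {"gs://churn-data"}),
]
OPTION_A_PROJECT_BINDINGS = [{"role": "roles/storage.objectUser", "members": [SHARED_SA]}]
OPTION_A_BUCKET_BINDINGS = {"gs://fraud-data": [], "gs://churn-data": []}

# Option D: a dedicated service account per job, bound only on that job's bucket.
FRAUD_SA = f"serviceAccount:fraud-train@{PROJECT_ID}.iam.gserviceaccount.com"
CHURN_SA = f"serviceAccount:churn-train@{PROJECT_ID}.iam.gserviceaccount.com"
OPTION_D_JOBS = [
    Job("fraud-model", FRAUD_SA, {"gs://fraud-data"}),
    Job("churn-model", CHURN_SA, {"gs://churn-data"}),
]
OPTION_D_PROJECT_BINDINGS = [{"role": "roles/aiplatform.user", "members": ["user:alice@example.com"]}]
OPTION_D_BUCKET_BINDINGS = {
    "gs://fraud-data": [{"role": "roles/storage.objectViewer", "members": [FRAUD_SA]}],
    "gs://churn-data": [{"role": "roles/storage.objectViewer", "members": [CHURN_SA]}],
}

if __name__ == "__main__":
    for label, args in (
        ("Option A", (OPTION_A_JOBS, OPTION_A_PROJECT_BINDINGS, OPTION_A_BUCKET_BINDINGS)),
        ("Option D", (OPTION_D_JOBS, OPTION_D_PROJECT_BINDINGS, OPTION_D_BUCKET_BINDINGS)),
    ):
        print(label, audit(*args) or "no findings")
```

Run against the option-A data the audit reports a project-level grant for both jobs and a shared identity for the second; the option-D data produces no findings, which is the state the compliance requirement asks for.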
Why other options are incorrect:
A is incorrect: Using one custom service account for all jobs still doesn’t provide isolation between the jobs themselves.
B and C are incorrect: These use the default service agent, which is shared across the project. If one job is compromised or misconfigured, it could potentially access data intended for other jobs because they share the same identity.
Reference: Google Cloud Documentation: "Use a custom service account" (https://cloud.google.com/vertex-ai/docs/general/custom-service-account).
Google Cloud Security Engineer Study Guide: Section on "Vertex AI Security Best Practices."
Your financial services company needs to process customer personally identifiable information (PII) for analytics while adhering to strict privacy regulations. You must transform this data to protect individual privacy to ensure that the data retains its original format and consistency for analytical integrity. Your solution must avoid full irreversible deletion.
What should you do?
- A . Configure Sensitive Data Protection (SDP) to de-identify PII using format-preserving encryption (FPE).
- B . Use Cloud Key Management Service (Cloud KMS) to encrypt the entire dataset with a customer-managed encryption key (CMEK).
- C . Implement a custom BigQuery user-defined function (UDF) by using JavaScript to hash all sensitive fields before they are loaded into the analytical tables.
- D . Set up VPC Service Controls around the BigQuery project. Implement row-level encryption.
A
Explanation:
The critical requirements are:
De-identify PII (protect individual privacy).
Retain original format and consistency (analytical integrity).
Avoid full irreversible deletion (the process must be reversible/re-identifiable).
Sensitive Data Protection (SDP), also known as Cloud DLP, is Google Cloud’s specialized service for discovering, classifying, and de-identifying sensitive data. The specific de-identification technique that meets the need to retain the original format and consistency is Format-Preserving Encryption (FPE).
Extracts:
"Sensitive Data Protection supports several types of tokenization, including transformations that can be reversed, or ‘re-identified.’" (Source 5.3)
"Pseudonymization by replacing with cryptographic format preserving token (CryptoReplaceFfxFpeConfig)… Preserves format… Reversible transformations can be reversed to re-identify the sensitive data using the content.reidentify method." (Source 5.3)
"Format Preserving Encryption (FPE) is an encryption algorithm that preserves the format of the original data set, but it replaces it with tokens that have no inherent meaning or value… FPE ensures the ciphertext maintains the same format (length, number of hyphens, etc.) as the original plaintext." (Source 5.1)
FPE is necessary for analytical integrity when the structure/format (e.g., 9-digit SSN, 16-digit credit card number) is required for processing in downstream systems.
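To make the reversible, format-preserving transformation concrete, here is an added Python example (not code from the exam page or from Google) that builds the request bodies for the Sensitive Data Protection `content.deidentify` and `content.reidentify` methods using `CryptoReplaceFfxFpeConfig`, and a small check that a returned token keeps the original digit layout. The KMS key name and wrapped key are placeholders, the token used in the check is constructed in the `LABEL(n):value` shape the API uses for surrogate tokens, and the request bodies are not sent anywhere here.

```python
import re

# Placeholders: the Cloud KMS key that wraps the FPE key, and the wrapped key itself.
KMS_KEY_NAME = "projects/example-project/locations/global/keyRings/dlp-ring/cryptoKeys/fpe-key"
WRAPPED_KEY_B64 = "<base64 AES-256 key wrapped by KMS_KEY_NAME>"
SURROGATE_INFO_TYPE = "SSN_TOKEN"   # label prefixed to each token so it can be found again on re-identification


def fpe_primitive_transformation():
    """The reversible, format-preserving transformation: FFX-mode FPE over the numeric alphabet."""
    return {
        "cryptoReplaceFfxFpeConfig": {
            "cryptoKey": {"kmsWrapped": {"wrappedKey": WRAPPED_KEY_B64, "cryptoKeyName": KMS_KEY_NAME}},
            "commonAlphabet": "NUMERIC",
            "surrogateInfoType": {"name": SURROGATE_INFO_TYPE},
        }
    }


def deidentify_request(text):
    """Body for projects.content.deidentify: find SSNs and replace each with an FPE token."""
    return {
        "item": {"value": text},
        "inspectConfig": {"infoTypes": [{"name": "US_SOCIAL_SECURITY_NUMBER"}]},
        "deidentifyConfig": {
            "infoTypeTransformations": {
                "transformations": [
                    {
                        "infoTypes": [{"name": "US_SOCIAL_SECURITY_NUMBER"}],
                        "primitiveTransformation": fpe_primitive_transformation(),
                    }
                ]
            }
        },
    }


def reidentify_request(tokenized_text):
    """Body for projects.content.reidentify: locate tokens by their surrogate label, then reverse
    the same transformation with the same wrapped key."""
    return {
        "item": {"value": tokenized_text},
        "inspectConfig": {
            "customInfoTypes": [{"infoType": {"name": SURROGATE_INFO_TYPE}, "surrogateType": {}}]
        },
        "reidentifyConfig": {
            "infoTypeTransformations": {
                "transformations": [{"primitiveTransformation": fpe_primitive_transformation()}]
            }
        },
    }


SURROGATE_PREFIX = re.compile(r"^[A-Z0-9_]+\(\d+\):")


def strip_surrogate(token):
    """Remove the "LABEL(n):" prefix that precedes a surrogate token."""
    return SURROGATE_PREFIX.sub("", token)


def format_signature(value):
    """Shape of a value with every digit replaced by N, e.g. 123-45-6789 -> NNN-NN-NNNN."""
    return re.sub(r"\d", "N", value)


def preserves_format(original, token):
    """True when the token has the same shape as the original and is not simply the original."""
    body = strip_surrogate(token)
    return body != original and format_signature(body) == format_signature(original)


if __name__ == "__main__":
    print(deidentify_request("Customer SSN 123-45-6789"))
    print(preserves_format("123-45-6789", "SSN_TOKEN(11):507-92-3615"))  # constructed token
```

The same `fpe_primitive_transformation()` is used in both directions: re-identification only works when the key, alphabet and surrogate name match what de-identification used, which is why the wrapped key belongs under Cloud KMS access control rather than in the analytics pipeline's own configuration.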
You need to centralize your team’s logs for production projects. You want your team to be able to search and analyze the logs using Logs Explorer.
What should you do?
- A . Enable Cloud Monitoring workspace, and add the production projects to be monitored.
- B . Use Logs Explorer at the organization level and filter for production project logs.
- C . Create an aggregate org sink at the parent folder of the production projects, and set the destination to a Cloud Storage bucket.
- D . Create an aggregate org sink at the parent folder of the production projects, and set the destination to a logs bucket.
D
Explanation:
Reference: https://cloud.google.com/logging/docs/export/aggregated_sinks#supported-destinations
"You can use aggregated sinks to route logs within or between the same organizations and folders to the following destinations: Another Cloud Logging bucket: Log entries held in Cloud Logging log buckets."
Your organization deploys a large number of containerized applications on Google Kubernetes Engine (GKE). Node updates are currently applied manually. Audit findings show that a critical patch has not been installed due to a missed notification. You need to design a more reliable, cloud-first, and scalable process for node updates.
What should you do?
- A . Migrate the cluster infrastructure to a self-managed Kubernetes environment for greater control over the patching process.
- B . Develop a custom script to continuously check for patch availability, download patches, and apply the patches across all components of the cluster.
- C . Schedule a daily reboot for all nodes to automatically upgrade.
- D . Configure node auto-upgrades for node pools in the maintenance windows.
D
Explanation:
To establish a reliable, cloud-native, and scalable process for updating nodes in your GKE clusters, configuring node auto-upgrades within designated maintenance windows is the most effective approach.
Option A: Migrating to a self-managed Kubernetes environment would increase operational overhead and complexity, as your team would be responsible for managing the entire infrastructure, including patching and updates. This contradicts the goal of adopting a cloud-first strategy and does not inherently provide a more reliable update process.
Option B: Developing custom scripts for patch management introduces potential risks and maintenance burdens. Ensuring the reliability, security, and scalability of such scripts can be challenging, and this approach may not align with best practices for managing GKE environments.
Option C: Scheduling daily reboots does not guarantee that nodes will apply the latest patches or updates. Without a mechanism to manage and apply updates, reboots alone are insufficient to maintain node security and compliance.
Option D: Configuring node auto-upgrades ensures that GKE automatically keeps your nodes up-to-date with the latest stable versions, reducing the risk of missed critical patches. By setting maintenance windows, you can control when these upgrades occur, minimizing disruptions to your workloads. This approach leverages GKE’s managed services to maintain security and compliance efficiently.
Therefore, Option D is the optimal solution, as it aligns with a cloud-first strategy and leverages GKE’s native capabilities to automate and schedule node updates effectively.
Reference: Auto-upgrading nodes | Google Kubernetes Engine (GKE)
Maintenance windows and exclusions | Google Kubernetes Engine
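As an added example (not code from the exam page or from Google), the Python below checks a GKE cluster description for the controls option D relies on: auto-upgrade enabled on every node pool, enrollment in a release channel, and a maintenance window so upgrades land at a predictable time. The input is a constructed, trimmed stand-in for the JSON that `gcloud container clusters describe CLUSTER --format=json` returns; the cluster, pool and location names are placeholders, and the remediation strings use the `gcloud` flags that enable those settings.

```python
import json

# Constructed, trimmed stand-in for `gcloud container clusters describe CLUSTER --format=json`.
CLUSTER_JSON = json.dumps({
    "name": "prod-east",
    "releaseChannel": {"channel": "REGULAR"},
    "maintenancePolicy": {
        "window": {
            "recurringWindow": {
                "window": {"startTime": "2024-01-06T03:00:00Z", "endTime": "2024-01-06T07:00:00Z"},
                "recurrence": "FREQ=WEEKLY;BYDAY=SA,SU",
            }
        }
    },
    "nodePools": [
        {"name": "default-pool", "management": {"autoUpgrade": True, "autoRepair": True}},
        {"name": "gpu-pool", "management": {"autoUpgrade": False, "autoRepair": True}},
        {"name": "legacy-pool", "management": {}},
    ],
})


def parse_cluster(text):
    """Parse the describe output into a dict."""
    return json.loads(text)


def has_maintenance_window(cluster):
    window = cluster.get("maintenancePolicy", {}).get("window", {})
    return "recurringWindow" in window or "dailyMaintenanceWindow" in window


def pools_without_auto_upgrade(cluster):
    return [p["name"] for p in cluster.get("nodePools", [])
            if not p.get("management", {}).get("autoUpgrade", False)]


def check_cluster(cluster):
    """Return a list of findings; empty means every pool auto-upgrades inside a maintenance window."""
    findings = []
    if cluster.get("releaseChannel", {}).get("channel", "UNSPECIFIED") == "UNSPECIFIED":
        findings.append("cluster is not enrolled in a release channel")
    if not has_maintenance_window(cluster):
        findings.append("no maintenance window: automatic upgrades may start at any time")
    for pool in pools_without_auto_upgrade(cluster):
        findings.append(f"node pool {pool}: auto-upgrade disabled")
    return findings


def remediation(cluster, location):
    """gcloud commands that turn on the missing controls for this cluster (location is a placeholder)."""
    name = cluster["name"]
    cmds = [
        f"gcloud container node-pools update {pool} --cluster={name} "
        f"--location={location} --enable-autoupgrade"
        for pool in pools_without_auto_upgrade(cluster)
    ]
    if not has_maintenance_window(cluster):
        cmds.append(
            f"gcloud container clusters update {name} --location={location} "
            "--maintenance-window-start=2024-01-06T03:00:00Z "
            "--maintenance-window-end=2024-01-06T07:00:00Z "
            "--maintenance-window-recurrence='FREQ=WEEKLY;BYDAY=SA,SU'"
        )
    return cmds


if __name__ == "__main__":
    cluster = parse_cluster(CLUSTER_JSON)
    for finding in check_cluster(cluster):
        print("FINDING:", finding)
    for cmd in remediation(cluster, "us-east1"):
        print("FIX:", cmd)
```

A node pool whose `management` block is empty is reported the same way as one with `autoUpgrade: false`, since in both cases nothing will apply the patch for you, which is exactly the failure mode the audit finding describes.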
A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in BigQuery.
What technique should the institution use?
- A . Use Cloud Storage as a federated Data Source.
- B . Use a Cloud Hardware Security Module (Cloud HSM).
- C . Customer-managed encryption keys (CMEK).
- D . Customer-supplied encryption keys (CSEK).
C
Explanation:
If you want to manage the key encryption keys used for your data at rest, instead of having Google manage the keys, use Cloud Key Management Service to manage your keys. This scenario is known as customer-managed encryption keys (CMEK).
Reference: https://cloud.google.com/bigquery/docs/encryption-at-rest
Your organization is worried about recent news headlines regarding application vulnerabilities in production applications that have led to security breaches. You want to automatically scan your deployment pipeline for vulnerabilities and ensure only scanned and verified containers can run in the environment.
What should you do?
- A . Enable Binary Authorization and create attestations of scans.
- B . Use gcloud artifacts docker images describe LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE_ID@sha256:HASH --show-package-vulnerability in your CI/CD pipeline, and trigger a pipeline failure for critical vulnerabilities.
- C . Use Kubernetes role-based access control (RBAC) as the source of truth for cluster access by granting "container.clusters.get" to limited users. Restrict deployment access by allowing these users to generate a kubeconfig file containing the configuration access to the GKE cluster.
- D . Enforce the use of Cloud Code for development so users receive real-time security feedback on vulnerable libraries and dependencies before they check in their code.
A
Explanation:
The core requirement is to ensure only scanned and verified containers can run in the environment, which is a deployment-time enforcement action.
Binary Authorization is the service designed for this purpose. It is a deployment-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or other supported container platforms. The core mechanism it uses to verify that an image has completed required steps (like a vulnerability scan) is an attestation.
Extracts:
"GCP Binary Authorization is a security feature designed to prevent the deployment of unverified, unauthorized, or potentially malicious container images to Kubernetes clusters." (Source 1.1)
"Binary Authorization ensures that only images that are signed by trusted entities (such as a trusted attestation authority) are allowed to be deployed." (Source 1.1)
"Binary Authorization aims to reduce the risk of deploying defective, vulnerable, or unauthorized software in this type of environment. Using this service, you can prevent images from being deployed unless it satisfies a policy you define." (Source 1.2)
"The most common Binary Authorization use cases involve attestations. An attestation certifies that a specific image has completed a previous stage… Attestations signify that the associated image was built by successfully executing a specific, required process. For example, the attestation might indicate that the image has passed all required end-to-end functional testing in a staging environment." (Source 1.2, 1.4)
"After a container image is built, an attestation can be created to affirm that a required activity was performed on the image such as a regression test, vulnerability scan, or other test." (Source 1.5)
Option A correctly identifies the two necessary components for this deployment-time enforcement: Binary Authorization for policy enforcement and attestations to certify that the vulnerability scan (or other required check) has been completed and verified.
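The following added Python example (not Binary Authorization's code, nor anything from the exam page) models the two components the answer names: a CI step that creates an attestation only when the scan found no critical vulnerability, and the admission decision that admits an image only when it is referenced by digest and every attestor the policy requires has signed that exact digest. Attestation signatures are stand-ins built with HMAC-SHA256 so the example runs offline; the real service verifies PGP or PKIX signatures with the attestor's public key. The project, attestor, repository, digests and scan results are constructed placeholders.

```python
import hashlib
import hmac
import re

# Only a digest reference identifies an immutable image; a tag can be repointed after the scan.
DIGEST_REF = re.compile(r"^[^@]+@(?P<digest>sha256:[0-9a-f]{64})$")


def attestation_signature(attestor_key, digest):
    """Stand-in for the attestor's signature over the digest (HMAC-SHA256; real attestations use PGP/PKIX)."""
    return hmac.new(attestor_key, digest.encode(), hashlib.sha256).hexdigest()


def attest_after_scan(attestor, attestor_key, digest, vulnerabilities):
    """CI step: return an attestation only if the scan found no CRITICAL vulnerability, else None."""
    if any(v["severity"] == "CRITICAL" for v in vulnerabilities):
        return None
    return {"attestor": attestor, "digest": digest, "signature": attestation_signature(attestor_key, digest)}


def evaluate(image_ref, policy, attestations, attestor_keys):
    """Admission decision as (allowed, reason): every required attestor must have signed this digest."""
    match = DIGEST_REF.match(image_ref)
    if not match:
        return False, "image must be referenced by sha256 digest, not by tag"
    digest = match.group("digest")
    for attestor in policy["required_attestors"]:
        key = attestor_keys[attestor]
        valid = any(
            a["attestor"] == attestor
            and a["digest"] == digest
            and hmac.compare_digest(a["signature"], attestation_signature(key, digest))
            for a in attestations
        )
        if not valid:
            return False, f"missing or invalid attestation from {attestor} for {digest}"
    return True, "all required attestations verified"


# --- Constructed sample (placeholder project, attestor, repository and digests) ---
ATTESTOR = "projects/example-project/attestors/vuln-scan-passed"
ATTESTOR_KEY = b"constructed-attestor-signing-key"
POLICY = {"required_attestors": [ATTESTOR]}
REPO = "us-central1-docker.pkg.dev/example-project/apps/web"
CLEAN_DIGEST = "sha256:" + "0123456789abcdef" * 4
VULNERABLE_DIGEST = "sha256:" + "fedcba9876543210" * 4

# Scanner output per build (constructed; severities only, no real vulnerability identifiers).
SCAN_RESULTS = {
    CLEAN_DIGEST: [{"id": "placeholder-1", "severity": "MEDIUM"}],
    VULNERABLE_DIGEST: [{"id": "placeholder-2", "severity": "CRITICAL"}],
}

# The pipeline attests each build after its scan; the vulnerable build gets no attestation.
ATTESTATIONS = []
for _digest, _vulns in SCAN_RESULTS.items():
    _att = attest_after_scan(ATTESTOR, ATTESTOR_KEY, _digest, _vulns)
    if _att is not None:
        ATTESTATIONS.append(_att)

if __name__ == "__main__":
    keys = {ATTESTOR: ATTESTOR_KEY}
    for ref in (f"{REPO}@{CLEAN_DIGEST}", f"{REPO}@{VULNERABLE_DIGEST}", f"{REPO}:latest"):
        print(ref, "->", evaluate(ref, POLICY, ATTESTATIONS, keys))
```

The decision is bound to the digest, not the image name: an attestation for the clean build says nothing about a later build pushed under the same tag, which is why the scan gate in option B on its own cannot stop an unscanned image from running, while the attestation plus policy in option A can.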
Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?
- A . ISO 27001
- B . ISO 27002
- C . ISO 27017
- D . ISO 27018
C
Explanation:
ISO/IEC 27017 is the code of practice for information security controls for cloud services; it builds on ISO/IEC 27002 with cloud-specific guidance for both cloud service providers and cloud service customers. ISO/IEC 27001 specifies the requirements for an information security management system, ISO/IEC 27002 is the general code of practice for controls, and ISO/IEC 27018 covers the protection of PII in public clouds acting as PII processors.
Reference: https://cloud.google.com/security/compliance/iso-27017
An organization’s security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google’s responsibility lies. They are mostly running workloads using Google Cloud’s Platform-as-a-Service (PaaS) offerings, including App Engine primarily.
Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?
- A . Configuring and monitoring VPC Flow Logs
- B . Defending against XSS and SQLi attacks
- C . Manage the latest updates and security patches for the Guest OS
- D . Encrypting all stored data
B
Explanation:
When using Google Cloud’s Platform-as-a-Service (PaaS) offerings like App Engine, Google manages the infrastructure, including the underlying OS, runtime, and scaling. However, securing the application code itself, such as defending against cross-site scripting (XSS) and SQL injection (SQLi) attacks, remains the responsibility of the user. This involves implementing secure coding practices, validating inputs, and employing appropriate security measures within the application.
Reference: Google Cloud: Shared responsibility model
App Engine security
You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine.
Which option should you recommend?
- A . Cloud Key Management Service
- B . Compute Engine guest attributes
- C . Compute Engine custom metadata
- D . Secret Manager
D
Explanation:
Objective: Store and retrieve sensitive configuration data for an application running on Compute Engine.
Solution: Use Secret Manager to securely store and manage access to sensitive configuration data.
Steps:
Step 1: Open the Google Cloud Console.
Step 2: Navigate to the Secret Manager section.
Step 3: Create a new secret and add the sensitive configuration data.
Step 4: Set appropriate IAM policies to control access to the secret.
Step 5: Update the application to retrieve the secret from Secret Manager using the appropriate client libraries or APIs.
Secret Manager provides a secure and centralized way to manage sensitive information, with fine-grained access control and audit logging capabilities.
Reference: Secret Manager Documentation
Storing and Accessing Secrets
