Practice Free Professional Cloud Security Engineer Exam Online Questions
Your organization enforces a custom organization policy that disables the use of Compute Engine VM instances with external IP addresses. However, a regulated business unit requires an exception to temporarily use external IPs for a third-party audit process. The regulated business workload must comply with least privilege principles and minimize policy drift. You need to ensure secure policy management and proper handling.
What should you do?
- A . Apply the restrictive organization policy at the organization level. Create an IAM custom role with permissions to bypass organization policies. Assign the custom role to the regulated business team for the specific project.
- B . Modify the custom organization policy at the organization level to allow external IPs for all projects. Configure VPC firewall rules to restrict egress traffic except for the regulated business workload.
- C . Apply the custom organization policy at the organization level to restrict external IPs. Move the regulated business workload to a separate folder. Override the policy at that folder level.
- D . Create a folder. Apply the restrictive organization policy for non-regulated business workloads in the folder. Place the regulated business workload in that folder.
C
Explanation:
The Google Cloud Resource Hierarchy is designed to allow inheritance with the ability to override policies at lower levels (Folders or Projects). This is the standard way to handle exceptions for specific business units without weakening the security posture of the entire organization.
According to Google Cloud Documentation (Understanding Hierarchy Evaluation):
"By default, organization policies are inherited by the descendants of the resource on which the policy is enforced. However, you can explicitly override a policy on a child resource (Folder or Project) by setting a new policy that either adds to or replaces the inherited values. This allows for granular control and exception handling."
Why this is the correct approach:
Isolation: By moving the workload to a specific folder, you isolate the exception.
Least Privilege: Only the resources within that folder gain the exception; the rest of the organization remains protected by the constraints/compute.vmExternalIpAccess constraint.
No "Bypass" Role: There is no IAM role that lets a user bypass an organization policy (Option A). Constraints are evaluated by Resource Manager and the individual services at request time regardless of the caller's roles; IAM only controls who may view or edit the policy itself (for example, roles/orgpolicy.policyAdmin). Option A would therefore either do nothing or require handing the team orgpolicy.policy.set, which is far more than the business unit needs.
Auditability: Having a specific folder with an override makes it easy for auditors to see exactly where and why an exception exists.
Reference: Google Cloud Documentation: "Creating and managing organization policies" (https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-policies).
Google Cloud Security Engineer Study Guide: Chapter 2 – Resource Management.
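The folder-level override described above, written as an added Terraform example (this is not code from the original page or from Google's documentation). It assumes a hypothetical organization ID 123456789012, a project audit-prj-01 and an instance audit-vm in us-central1-a, and a Terraform google provider that is already configured with organization-policy admin rights:

```hcl
# Organization-wide default: no VM may have an external IP.
resource "google_org_policy_policy" "org_no_external_ip" {
  name   = "organizations/123456789012/policies/compute.vmExternalIpAccess"
  parent = "organizations/123456789012"

  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}

# Dedicated folder that scopes the exception to the regulated workload.
resource "google_folder" "regulated_audit" {
  display_name = "regulated-audit"
  parent       = "organizations/123456789012"
}

# Folder-level override. inherit_from_parent = false replaces (rather than
# merges with) the inherited deny-all; the allow list names only the audit
# instance, so even projects inside this folder cannot add external IPs
# to arbitrary VMs.
resource "google_org_policy_policy" "folder_audit_exception" {
  name   = "${google_folder.regulated_audit.name}/policies/compute.vmExternalIpAccess"
  parent = google_folder.regulated_audit.name

  spec {
    inherit_from_parent = false
    rules {
      values {
        allowed_values = [
          # hypothetical instance path; the constraint takes
          # projects/PROJECT/zones/ZONE/instances/NAME entries
          "projects/audit-prj-01/zones/us-central1-a/instances/audit-vm",
        ]
      }
    }
  }
}
```

Check the result with `gcloud org-policies describe compute.vmExternalIpAccess --effective --project=audit-prj-01` (the allow list should appear) and with the same command against a project outside the folder (denyAll should still be in force). When the audit ends, delete the folder-level policy resource so the folder falls back to the inherited deny-all; do not use `reset`, because that restores the constraint's default, which for this constraint is to allow external IPs.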
You have been tasked with inspecting IP packet data for invalid or malicious content.
What should you do?
- A . Use Packet Mirroring to mirror traffic to and from particular VM instances. Perform inspection using security software that analyzes the mirrored traffic.
- B . Enable VPC Flow Logs for all subnets in the VPC. Perform inspection on the Flow Logs data using Cloud Logging.
- C . Configure the Fluentd agent on each VM Instance within the VPC. Perform inspection on the log data using Cloud Logging.
- D . Configure Google Cloud Armor access logs to perform inspection on the log data.
A
Explanation:
Packet Mirroring Setup: Configure Packet Mirroring in your Google Cloud VPC to capture traffic to and from specific VM instances. Unlike VPC Flow Logs (option B), which record sampled flow metadata such as addresses, ports and byte counts and never the payload, Packet Mirroring copies the full packets, which is what inspecting their content requires. Cloud Armor logs (option D) only cover requests arriving at load balancers, and an agent such as Fluentd (option C) ships application logs, not packets.
Security Software: Send the mirrored traffic to collector VMs behind an internal passthrough load balancer that run an IDS or other inspection software. This software can detect invalid or malicious content in the IP packets.
Mirroring Configuration: Specify the mirrored sources (instances, subnets or network tags), the traffic direction (ingress, egress, or both) and optional protocol and CIDR filters. Mirrored traffic must still pass the collector VMs' ingress firewall rules, and the policy, the mirrored sources and the collector must all be in the same region.
Traffic Analysis: Continuously monitor and analyze the mirrored traffic for any signs of malicious activity or anomalies. Use the findings to enhance your security posture and respond to potential threats.
Reference: Google Cloud – Packet Mirroring
Google Cloud – Packet Mirroring Best Practices
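The collector and mirroring configuration from the steps above, as an added Terraform example (not code from the original page or from Google). It assumes an existing network prod-vpc with subnet prod-us-central1, and an existing unmanaged instance group collector-ig of VMs running the inspection software in project sec-prj; all of these names are hypothetical:

```hcl
data "google_compute_network" "prod" {
  name = "prod-vpc"
}

data "google_compute_subnetwork" "prod_a" {
  name   = "prod-us-central1"
  region = "us-central1"
}

resource "google_compute_health_check" "collector" {
  name = "collector-hc"
  tcp_health_check {
    port = 22
  }
}

# Internal passthrough load balancer fronting the collector VMs.
resource "google_compute_region_backend_service" "collector" {
  name                  = "collector-backend"
  region                = "us-central1"
  load_balancing_scheme = "INTERNAL"
  health_checks         = [google_compute_health_check.collector.id]
  backend {
    group = "projects/sec-prj/zones/us-central1-a/instanceGroups/collector-ig"
  }
}

# The forwarding rule must be flagged as a mirroring collector and accept
# all ports: collectors receive copies of the mirrored packets, not client
# connections addressed to the rule's IP.
resource "google_compute_forwarding_rule" "collector" {
  name                   = "collector-fr"
  region                 = "us-central1"
  load_balancing_scheme  = "INTERNAL"
  backend_service        = google_compute_region_backend_service.collector.id
  network                = data.google_compute_network.prod.id
  subnetwork             = data.google_compute_subnetwork.prod_a.id
  ip_protocol            = "TCP"
  all_ports              = true
  is_mirroring_collector = true
}

# Mirror both directions for every VM carrying the "inspect" network tag,
# limited to TCP and UDP so the collector is not flooded with ICMP noise.
resource "google_compute_packet_mirroring" "inspect" {
  name = "inspect-workloads"
  network {
    url = data.google_compute_network.prod.id
  }
  collector_ilb {
    url = google_compute_forwarding_rule.collector.id
  }
  mirrored_resources {
    tags = ["inspect"]
  }
  filter {
    direction    = "BOTH"
    ip_protocols = ["tcp", "udp"]
    cidr_ranges  = ["0.0.0.0/0"]
  }
}
```

Two things are easy to forget: the collector VMs need an ingress firewall rule that allows the mirrored traffic from the mirrored sources (mirrored packets are still subject to the collector's firewall rules), and mirroring doubles the egress bandwidth of the mirrored VMs, so size the filter to what the inspection tooling actually needs.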
Process Cloud Storage objects in SIEM.
Explanation:
"Your team needs to obtain a unified log view of all development cloud projects in your SIEM": this means we are only interested in development projects. "The development projects are under the NONPROD organization folder with the test and pre-production projects": we will need to filter development out from the others, i.e. test and pre-prod. "The development projects share the ABC-BILLING billing account with the rest of the organization": this is unnecessary information.
Your company recently published a security policy to minimize the usage of service account keys. On-premises Windows-based applications are interacting with Google Cloud APIs. You need to implement Workload Identity Federation (WIF) with your identity provider on-premises.
What should you do?
- A . Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS). Configure a rule to let principals in the pool impersonate the Google Cloud service account.
- B . Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS). Let all principals in the pool impersonate the Google Cloud service account.
- C . Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine. Configure a rule to let principals in the pool impersonate the Google Cloud service account.
- D . Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine. Let all principals in the pool impersonate the Google Cloud service account.
A
Explanation:
To minimize the usage of service account keys and implement Workload Identity Federation (WIF) with your on-premises identity provider, you can use a workload identity pool integrated with your corporate Active Directory Federation Service (ADFS). This setup allows your on-premises Windows-based applications to authenticate to Google Cloud APIs without using long-lived service account keys.
Set Up a Workload Identity Pool:
In the Google Cloud Console, go to IAM & Admin > Workload Identity Federation.
Create a new workload identity pool.
Configure the pool to trust your corporate ADFS by specifying the federation provider details.
Create a Workload Identity Provider:
Within the created pool, set up a new provider for ADFS.
Configure the provider with the issuer URI of your ADFS OIDC endpoint, the allowed audiences your applications will request tokens for, and an attribute mapping (at minimum google.subject) plus an optional attribute condition that limits which ADFS-issued tokens are accepted. No credentials are stored on the Google side; trust is established through the issuer's published signing keys.
Configure Impersonation Rules:
Grant roles/iam.workloadIdentityUser on each target service account to a `principal://` (single subject) or `principalSet://` (attribute-matched set) member from the pool, so that only the intended identities can impersonate it.
Granting the role to the entire pool (Option B) lets every identity ADFS can issue a token for impersonate the service account, which defeats the least-privilege intent of the policy.
Update Applications:
Modify your on-premises applications to use the configured ADFS authentication to obtain tokens.
These tokens can then be exchanged for Google Cloud access tokens to interact with Google Cloud APIs securely.
By setting up the workload identity pool and configuring impersonation rules, you achieve secure authentication without needing to distribute and manage service account keys.
Workload Identity Federation Documentation
Federating On-Premises Identities to Workload Identity Federation
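The pool, ADFS provider and rule-based impersonation grant from the steps above, as an added Terraform example (not code from the original page or from Google). The ADFS issuer URI, the audience api://gcp-wif, the groups claim and the subject billing-exporter-svc are hypothetical; adjust them to the claims your ADFS actually issues:

```hcl
resource "google_iam_workload_identity_pool" "onprem" {
  workload_identity_pool_id = "onprem-windows"
  display_name              = "On-prem Windows apps"
}

# ADFS as an OIDC identity provider. Only tokens issued by this ADFS for
# the expected audience are accepted, and the attribute condition rejects
# tokens from identities outside the expected AD group, so membership in
# the pool is already narrower than "anything ADFS will sign".
resource "google_iam_workload_identity_pool_provider" "adfs" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.onprem.workload_identity_pool_id
  workload_identity_pool_provider_id = "adfs"
  display_name                       = "Corporate ADFS"

  oidc {
    issuer_uri        = "https://adfs.example.com/adfs"   # hypothetical
    allowed_audiences = ["api://gcp-wif"]                  # hypothetical
  }

  attribute_mapping = {
    "google.subject" = "assertion.sub"
  }

  # assumes ADFS emits a "groups" claim (hypothetical)
  attribute_condition = "'GCP-Billing-Exporter' in assertion.groups"
}

resource "google_service_account" "billing_exporter" {
  account_id   = "billing-exporter"
  display_name = "Billing exporter (on-prem)"
}

# Rule-based impersonation (option A): a single federated subject may mint
# tokens for this service account. Binding principalSet://.../* for the
# whole pool would be option B and is deliberately avoided.
resource "google_service_account_iam_member" "wif_impersonate" {
  service_account_id = google_service_account.billing_exporter.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principal://iam.googleapis.com/${google_iam_workload_identity_pool.onprem.name}/subject/billing-exporter-svc"
}
```

On the Windows side the application never sees a Google key: generate a credential configuration with `gcloud iam workload-identity-pools create-cred-config` pointing `--credential-source-file` at the file where the app writes its ADFS token, and the Google client libraries exchange that token for a short-lived access token via the Security Token Service.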
You work for a healthcare provider that is expanding into the cloud to store and process sensitive patient data.
You must ensure the chosen Google Cloud configuration meets these strict regulatory requirements:
Data must reside within specific geographic regions.
Certain administrative actions on patient data require explicit approval from designated compliance officers.
Access to patient data must be auditable.
What should you do?
- A . Select multiple standard Google Cloud regions for high availability. Implement Access Control Lists (ACLs) on individual storage objects containing patient data. Enable Cloud Audit Logs.
- B . Deploy an Assured Workloads environment in multiple regions for redundancy. Utilize custom IAM roles with granular permissions. Isolate network-level data by using VPC Service Controls.
- C . Deploy an Assured Workloads environment in an approved region. Configure Access Approval for sensitive operations on patient data. Enable both Cloud Audit Logs and Access Transparency.
- D . Select a standard Google Cloud region. Restrict access to patient data based on user location and job function by using Access Context Manager. Enable both Cloud Audit Logging and Access Transparency.
C
Explanation:
To ensure compliance with strict regulatory requirements for storing and processing sensitive patient data in the cloud, the following measures should be implemented:
Assured Workloads: Deploying an Assured Workloads environment in an approved region ensures that data residency requirements are met by restricting data storage and processing to specific geographic locations. Assured Workloads provide predefined controls and configurations tailored to meet regulatory compliance needs.
Access Approval: Configuring Access Approval ensures that certain administrative actions on patient data require explicit approval from designated compliance officers. This adds a layer of control over sensitive operations, aligning with the need for explicit approvals.
Cloud Audit Logs and Access Transparency: Enabling Cloud Audit Logs provides a detailed record of actions taken on your data, supporting the requirement for auditability. Access Transparency logs offer visibility into Google’s administrative access to your content, enhancing transparency and compliance.
Therefore, Option C is the most appropriate choice, as it comprehensively addresses data residency, administrative control, and auditability requirements.
Reference: Assured Workloads Overview
Access Approval Documentation
Cloud Audit Logs Overview
Access Transparency Overview
You are a member of your company’s security team. You have been asked to reduce your Linux bastion host external attack surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can access the internal VPC while off-site.
How should you enable this access?
- A . Implement Cloud VPN for the region where the bastion host lives.
- B . Implement OS Login with 2-step verification for the bastion host.
- C . Implement Identity-Aware Proxy TCP forwarding for the bastion host.
- D . Implement Google Cloud Armor in front of the bastion host.
C
Explanation:
Identity-Aware Proxy TCP forwarding lets the SREs open an SSH tunnel to an instance that has no external IP: the connection terminates at IAP, which verifies the user's identity and IAM role (roles/iap.tunnelResourceAccessor) before forwarding to port 22 over Google's network from the 35.235.240.0/20 range. Cloud VPN (A) needs a site-to-site or client gateway and does not fit ad hoc access from arbitrary public locations; OS Login with 2-step verification (B) hardens who can log in but still requires a network path to the host; Cloud Armor (D) filters traffic to load-balanced services and neither provides a path to a host without a public IP nor authenticates the user.
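How Identity-Aware Proxy TCP forwarding (option C) is wired up, as an added Terraform example that is not part of the original page: a bastion with no external IP, a firewall rule that admits only IAP's forwarding range on port 22, and the IAM binding that decides which SREs may open the tunnel. The network prod-vpc, subnet bastion-subnet and group sre@example.com are hypothetical:

```hcl
# Bastion without an external IP: no access_config block on the NIC.
resource "google_compute_instance" "bastion" {
  name         = "bastion"
  zone         = "us-central1-a"
  machine_type = "e2-small"
  tags         = ["bastion"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    subnetwork = "bastion-subnet"   # hypothetical
  }

  metadata = {
    enable-oslogin = "TRUE"   # SSH identity comes from IAM, not managed keys
  }
}

# Only IAP's TCP-forwarding source range may reach port 22, and only on
# instances carrying the "bastion" tag.
resource "google_compute_firewall" "allow_iap_ssh" {
  name          = "allow-iap-ssh-to-bastion"
  network       = "prod-vpc"   # hypothetical
  direction     = "INGRESS"
  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["bastion"]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# Who may open a tunnel to this specific instance.
resource "google_iap_tunnel_instance_iam_member" "sre" {
  zone     = google_compute_instance.bastion.zone
  instance = google_compute_instance.bastion.name
  role     = "roles/iap.tunnelResourceAccessor"
  member   = "group:sre@example.com"   # hypothetical
}
```

An SRE then connects with `gcloud compute ssh bastion --zone us-central1-a --tunnel-through-iap`; with OS Login enabled they also need roles/compute.osLogin (or osAdminLogin) on the project, so both the tunnel and the login are governed by IAM and show up in Cloud Audit Logs.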
Your organization's record data exists in Cloud Storage. You must retain all record data for at least seven years. This policy must be permanent.
What should you do?
- A . 1. Identify buckets with record data. 2. Apply a retention policy and set it to retain for seven years. 3. Monitor the bucket by using log-based alerts to ensure that no modifications to the retention policy occur.
- B . 1. Identify buckets with record data. 2. Apply a retention policy and set it to retain for seven years. 3. Remove any Identity and Access Management (IAM) roles that contain the storage.buckets.update permission.
- C . 1. Identify buckets with record data. 2. Enable bucket policy only to ensure that data is retained. 3. Enable bucket lock.
- D . 1. Identify buckets with record data. 2. Apply a retention policy and set it to retain for seven years. 3. Enable bucket lock.
D
Explanation:
To ensure that your organization's record data is retained for at least seven years in Cloud Storage, apply a retention policy and then lock it. A locked retention policy can never be removed or shortened (it can only be lengthened), and the bucket cannot be deleted until every object has outlived the retention period; that is what makes the policy permanent. Options A and B rely on detective controls or IAM hygiene that a sufficiently privileged administrator can still undo, and "bucket policy only" in option C is the former name of uniform bucket-level access, which governs access control rather than retention.
Identify Buckets: Determine which Cloud Storage buckets contain the record data that needs to be retained.
Apply Retention Policy:
Go to the Google Cloud Console and navigate to "Cloud Storage".
Select the bucket you identified.
Go to the "Retention" tab and set a retention policy to retain objects for seven years.
Enable Bucket Lock:
Once the retention policy is set, lock the bucket to make the retention policy permanent. Go to the "Retention" tab and click "Lock". Because locking is irreversible, verify the retention period first.
Confirm and Monitor:
Confirm that the bucket lock is applied.
Monitor the bucket using log-based alerts to ensure compliance.
Reference: Cloud Storage Retention Policy
Cloud Storage Bucket Lock
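Option D as an added Terraform example (not code from the original page or from Google), for a hypothetical bucket example-records-archive. The seven-year period is expressed in seconds, and the lifecycle block stops Terraform from destroying the bucket as a side effect of a refactor:

```hcl
resource "google_storage_bucket" "records" {
  name                        = "example-records-archive"   # hypothetical
  location                    = "US"
  uniform_bucket_level_access = true

  retention_policy {
    # 7 years = 7 * 365.25 days * 86400 s (same year length the console uses)
    retention_period = 220903200
    # Locking is irreversible: the period can later be raised but never
    # lowered or removed, and the bucket cannot be deleted while any object
    # is still inside its retention window.
    is_locked = true
  }

  lifecycle {
    prevent_destroy = true
  }
}
```

After `terraform apply`, `gsutil retention get gs://example-records-archive` reports the period and whether the policy is locked; a subsequent plan that tries to lower `retention_period` is rejected by the API, which is exactly the property the policy requires.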
You need to set up a Cloud Interconnect connection between your company's on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs.
How should you configure the network?
- A . Enable Private Google Access on the regional subnets and global dynamic routing mode.
- B . Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud interconnect connection.
- C . Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.
- D . Use restricted.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.
D
Explanation:
Both private.googleapis.com and restricted.googleapis.com are virtual IP ranges that are not reachable from the public internet; they are reachable from a VPC network and, once Cloud Router advertises them over the Interconnect, from on-premises. The difference is which APIs sit behind them. Private Service Connect exposes the same two choices as API bundles:
All APIs (all-apis): most Google APIs, same as private.googleapis.com (199.36.153.8/30).
VPC-SC (vpc-sc): only the APIs that VPC Service Controls supports, same as restricted.googleapis.com (199.36.153.4/30).
Both are accessible from VMs in the same VPC network as the endpoint (all regions) and from on-premises systems connected to that VPC network.
Because the requirement is to expose only VPC Service Controls-supported APIs, the restricted range is the right one; the all-apis bundle in Option B would also carry unsupported APIs and reopen the exfiltration path. On-premises DNS must resolve *.googleapis.com to the restricted range, and Cloud Router must advertise 199.36.153.4/30 toward the data center, so that API traffic follows the Interconnect rather than the public internet. Private Google Access (Option A) only affects VMs inside the VPC that lack external IPs and does not by itself give on-premises clients a private path.
Reference: https://cloud.google.com/vpc/docs/private-service-connect
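The VPC-side half of option D, as an added Terraform example (not code from the original page or from Google): a private Cloud DNS zone that steers every *.googleapis.com name to the restricted VIP, a route for the VIP inside the VPC, and a Cloud Router that advertises the range over the Interconnect. The network prod-vpc, project net-prj and ASN 64514 are hypothetical; on-premises DNS must be configured to return the same answers (for example by forwarding googleapis.com to a Cloud DNS inbound forwarder):

```hcl
# Private zone: any googleapis.com name resolves to the restricted VIP, so
# only VPC Service Controls-supported APIs are reachable by name.
resource "google_dns_managed_zone" "googleapis" {
  name       = "restricted-googleapis"
  dns_name   = "googleapis.com."
  visibility = "private"
  private_visibility_config {
    networks {
      network_url = "projects/net-prj/global/networks/prod-vpc"   # hypothetical
    }
  }
}

resource "google_dns_record_set" "restricted_a" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "restricted.googleapis.com."
  type         = "A"
  ttl          = 300
  rrdatas      = ["199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"]
}

resource "google_dns_record_set" "wildcard_cname" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "*.googleapis.com."
  type         = "CNAME"
  ttl          = 300
  rrdatas      = ["restricted.googleapis.com."]
}

# Inside the VPC the VIP is reached via the default internet gateway next
# hop; the range itself is never routed on the public internet.
resource "google_compute_route" "restricted_vip" {
  name             = "restricted-googleapis-vip"
  network          = "prod-vpc"   # hypothetical
  dest_range       = "199.36.153.4/30"
  next_hop_gateway = "default-internet-gateway"
  priority         = 100
}

# Cloud Router for the Interconnect VLAN attachment: besides the subnets,
# advertise the restricted range so on-prem routes API traffic over the
# Interconnect instead of its own internet breakout.
resource "google_compute_router" "interconnect" {
  name    = "ic-router"
  region  = "us-central1"
  network = "prod-vpc"   # hypothetical
  bgp {
    asn               = 64514   # hypothetical
    advertise_mode    = "CUSTOM"
    advertised_groups = ["ALL_SUBNETS"]
    advertised_ip_ranges {
      range       = "199.36.153.4/30"
      description = "restricted.googleapis.com"
    }
  }
}
```

To confirm the path from an on-premises host, check that `nslookup storage.googleapis.com` returns an address in 199.36.153.4/30 and that a traceroute to it leaves through the Interconnect edge rather than the internet gateway; an API that VPC Service Controls does not support should fail to connect, which is the intended behaviour.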
