Practice Free Professional Cloud Security Engineer Exam Online Questions
Your company has deployed an application on Compute Engine. The application is accessible by clients on port 587. You need to balance the load between the different instances running the application. The connection should be secured using TLS, and terminated by the Load Balancer.
What type of Load Balancing should you use?
- A . Network Load Balancing
- B . HTTP(S) Load Balancing
- C . TCP Proxy Load Balancing
- D . SSL Proxy Load Balancing
D
Explanation:
https://cloud.google.com/load-balancing/docs/ssl – SSL Proxy Load Balancing is a reverse proxy load balancer that distributes SSL traffic coming from the internet to virtual machine (VM) instances in your Google Cloud VPC network.
Reference: https://cloud.google.com/load-balancing/docs/ssl/
Your organization is developing a sophisticated machine learning (ML) model to predict customer behavior for targeted marketing campaigns. The BigQuery dataset used for training includes sensitive personal information. You must design the security controls around the AI/ML pipeline. Data privacy must be maintained throughout the model’s lifecycle, and you must ensure that personal data is not used in the training process. Additionally, you must restrict access to the dataset to an authorized subset of people only.
What should you do?
- A . Implement at-rest encryption by using customer-managed encryption keys (CMEK) for the pipeline. Implement strict Identity and Access Management (IAM) policies to control access to BigQuery.
- B . De-identify sensitive data before model training by using Cloud Data Loss Prevention (DLP) APIs, and implement strict Identity and Access Management (IAM) policies to control access to BigQuery.
- C . Implement Identity-Aware Proxy to enforce context-aware access to BigQuery and models based on user identity and device.
- D . Deploy the model on Confidential VMs for enhanced protection of data and code while in use. Implement strict Identity and Access Management (IAM) policies to control access to BigQuery.
B
Explanation:
The core security and privacy requirement is to prevent personal data from being used in the training process, which necessitates de-identification. Cloud Data Loss Prevention (DLP), also referred to as Sensitive Data Protection (SDP), is the specific Google Cloud tool for this purpose. The secondary requirement, restricting access, is handled by IAM.
Extracts:
"Sensitive Data Protection (SDP)… De-identification enables you to transform your data to reduce data risk while retaining data utility." (Source 1.4)
"De-identification techniques like encryption, obfuscate raw sensitive identifiers in your data. These techniques let you preserve the utility of your data for joining or analytics, while reducing the risk of handling the data." (Source 1.1)
"DLP provides tools to classify and de-identify sensitive elements or unwanted content within your data… Find and remove sensitive elements from your data before model training." (Source 1.4)
IAM policies are the standard mechanism to satisfy the requirement to "restrict access to the dataset to an authorized subset of people only." Option B combines the precise technical solution for privacy (DLP De-identification) with the necessary access control (IAM).
You are responsible for the operation of your company’s application that runs on Google Cloud. The database for the application will be maintained by an external partner. You need to give the partner team access to the database. This access must be restricted solely to the database and cannot extend to any other resources within your company’s network. Your solution should follow Google-recommended practices.
What should you do?
- A . Add a public IP address to the application’s database. Create database users for each of the partner’s employees. Securely distribute the credentials for these users to the partner team.
- B . Ask the partner team to set up Cloud Identity accounts within their own corporate environment and identity provider. Grant the partner’s Cloud Identity accounts access to the database.
- C . Create accounts for the partner team in your corporate identity provider. Synchronize these accounts with Google Cloud Identity. Grant the accounts access to the database.
- D . Configure Workforce Identity Federation for the partner. Connect the identity pool provider to the partner’s identity provider. Grant the workforce pool resources access to the database.
D
Explanation:
Workforce Identity Federation is the modern, Google-recommended way to grant external partners access to Google Cloud resources using their own identity provider (IdP). This avoids the "Identity Lifecycle Management" burden of creating guest accounts in your own directory.
According to Google Cloud Documentation (Workforce Identity Federation Overview):
"Workforce Identity Federation lets you use an external identity provider (IdP) to authenticate and authorize a workforce―a group of users, such as employees, partners, and contractors―so that the users can access Google Cloud services. With Workforce Identity Federation, you don’t need to synchronize user identities from your existing IdP to Google Cloud identities."
Advantages of this approach:
Syncless: You don’t create or manage partner accounts in your Cloud Identity/Workspace (eliminating Option C).
Security: If a partner employee leaves their company, their access to your Google Cloud database is automatically revoked when their home IdP account is disabled.
Scoped Access: You grant IAM roles (like roles/cloudsql.client) specifically to the Workforce Pool or specific groups within that pool, ensuring they can’t touch other resources.
Why other options are incorrect:
A is incorrect: Public IPs are a major security risk and don’t provide centralized identity governance.
B is incorrect: You cannot "grant access" to accounts in another organization’s Cloud Identity directly in a secure, manageable way for production databases without federation.
Reference: Google Cloud Documentation: "Workforce Identity Federation" (https://cloud.google.com/iam/docs/workforce-identity-federation).
Google Cloud Security Engineer Study Guide: Section on "Advanced Identity Management – Federation."
You are managing a set of Google Cloud projects that are contained in a folder named Data Warehouse. A new data analysis team has been approved to perform data analysis for all BigQuery data in the projects within the Data Warehouse folder. They should only be able to read the data and not have permissions to modify or delete the data. You want to reduce the operational overhead of provisioning access while adhering to the principle of least privilege.
What should you do?
- A . Grant the BigQuery Data Viewer role at the dataset level for each BigQuery dataset within each project in the Data Warehouse folder.
- B . Grant the BigQuery Data Viewer role at the Data Warehouse folder.
- C . Grant the BigQuery Data Viewer role at the project level for each project within the Data Warehouse folder.
- D . Grant the BigQuery Metadata Viewer role at the Data Warehouse folder.
B
Explanation:
The requirements are met by granting access at the highest point in the resource hierarchy that encompasses all the necessary resources, using the least privileged role required.
Least Privilege Role: The team needs to read data and not modify or delete it. The roles/bigquery.dataViewer role is the correct least privileged role for read-only access to data.
Minimize Operational Overhead: Granting the role at the Folder level ensures that the access is automatically inherited by all current and future projects within that folder, drastically reducing the operational overhead compared to granting the role per project (C) or per dataset (A).
Scope: The Folder scope (Data Warehouse folder) is the container for all BigQuery data in the projects within the folder, making it the ideal single point of granting access.
Extracts:
"IAM roles are inherited down the resource hierarchy… Granting a role at the folder level will grant the principal that role across all projects within that folder, including any projects created in the future." (Source 10.1)
"The BigQuery Data Viewer (roles/bigquery.dataViewer) role grants permission to read data in BigQuery tables and views… It does not grant permissions to modify or delete the data, adhering to the principle of least privilege for read-only tasks." (Source 10.2)
An organization’s typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review.
How should you advise this organization?
- A . Use Forseti with Firewall filters to catch any unwanted configurations in production.
- B . Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.
- C . Route all VPC traffic through customer-managed routers to detect malicious patterns in production.
- D . All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.
B
Explanation:
To enable developer teams to deploy new applications without the extensive overhead of network and security reviews, it’s recommended to mandate the use of infrastructure as code (IaC) and enforce policies through static analysis in CI/CD pipelines. This approach ensures that security and compliance policies are checked automatically during the development process.
Step-by-Step:
Adopt IaC: Use tools like Terraform or Google Cloud Deployment Manager to manage infrastructure as code.
CI/CD Pipeline Integration: Integrate static analysis tools such as TFLint or Checkov in the CI/CD pipeline to enforce security policies.
Policy Definition: Define security policies and best practices that need to be adhered to in the code.
Automated Checks: Configure automated checks in the CI/CD pipeline to review code against these policies before deployment.
Monitor and Audit: Continuously monitor and audit deployed applications to ensure ongoing compliance.
Reference: Infrastructure as Code on Google Cloud
Static Analysis for Terraform
Checkov for IaC
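As an added illustration of the "Automated Checks" step above (example code, not from the original page, Checkov or TFLint): a small policy-as-code gate that reads Terraform plan JSON (the `terraform show -json` format) and fails the pipeline on exactly the two things the question's manual review looks at, firewall rules that expose admin ports to public source ranges, and VMs that would receive an external IP. The plan document is constructed; the port set and the checks themselves are assumptions for the example.

```python
import ipaddress
import json

# Constructed sample of `terraform show -json` output, trimmed to the fields read below.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "google_compute_firewall.ssh_open", "type": "google_compute_firewall", "change": {
        "actions": ["create"], "after": {"direction": "INGRESS", "source_ranges": ["0.0.0.0/0"],
        "allow": [{"protocol": "tcp", "ports": ["22"]}]}}},
    {"address": "google_compute_firewall.web", "type": "google_compute_firewall", "change": {
        "actions": ["create"], "after": {"direction": "INGRESS", "source_ranges": ["10.0.0.0/8"],
        "allow": [{"protocol": "tcp", "ports": ["8080-8090"]}]}}},
    {"address": "google_compute_instance.app", "type": "google_compute_instance", "change": {
        "actions": ["create"], "after": {"network_interface": [{"access_config": [{}]}]}}},
    {"address": "google_compute_instance.legacy", "type": "google_compute_instance", "change": {
        "actions": ["delete"], "after": None}},
]})
ADMIN_PORTS = {22, 3389}  # assumption: the ports the review treats as administrative

def _ports(spec):
    """Expand Terraform port strings ("22", "8080-8090"); no ports listed means all ports."""
    if not spec:
        return set(range(65536))
    ports = set()
    for item in spec:
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def _is_public(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0 or not net.is_private

def check_firewall(after):
    """Rule reachable from a public source range that opens an admin port (or all ports)."""
    public = [r for r in after.get("source_ranges") or [] if _is_public(r)]
    exposed = set()
    for rule in after.get("allow") or []:
        if rule.get("protocol") in ("tcp", "all"):
            exposed |= _ports(rule.get("ports")) & ADMIN_PORTS
    if public and exposed:
        return f"admin port(s) {sorted(exposed)} open to {public}"
    return None

def check_instance(after):
    """Instance that would get an external IP (same intent as constraints/compute.vmExternalIpAccess)."""
    for nic in after.get("network_interface") or []:
        if nic.get("access_config"):
            return "external IP assigned via access_config"
    return None

CHECKS = {"google_compute_firewall": check_firewall, "google_compute_instance": check_instance}

def evaluate(plan_json):
    """Return 'address: reason' findings for resources the plan would create or update."""
    findings = []
    for rc in json.loads(plan_json)["resource_changes"]:
        after, check = rc["change"].get("after"), CHECKS.get(rc["type"])
        if after is not None and check and (reason := check(after)):
            findings.append(f"{rc['address']}: {reason}")
    return findings
```

In a pipeline the gate would run after `terraform plan -out=tfplan && terraform show -json tfplan` and exit non-zero when `evaluate` returns any findings; deleted resources have no `after` state and are skipped.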
Your company has recently enabled Security Command Center at the organization level. You need to implement runtime threat detection for applications running in containers within projects residing in the production folder. Specifically, you need to be notified if additional libraries are loaded or malicious scripts are executed within these running containers. You need to configure Security Command Center to meet this requirement while ensuring findings are visible within Security Command Center.
What should you do?
- A . Ensure that the containers in the production folder are running on hosts that are using Container-Optimized OS.
- B . Enable Container Threat Detection in Security Command Center Premium tier for the projects within the production folder.
- C . Configure Security Health Analytics within Security Command Center to monitor container runtime vulnerabilities in the production folder.
- D . Create log-based metrics and alerts in Cloud Logging and Cloud Monitoring for suspicious container activity within the production folder.
B
Explanation:
The requirements are runtime threat detection for containers that specifically detects activities like loading additional libraries or executing malicious scripts, with findings visible in Security Command Center (SCC).
Container Threat Detection (CTD) is the specific SCC service component designed to monitor container runtimes for suspicious events like reverse shells, suspicious library loading, and execution of malicious scripts. It is available only with the Security Command Center Premium tier.
Extracts:
"Container Threat Detection (CTD) is a Security Command Center Premium service that provides runtime threat detection for Google Kubernetes Engine (GKE) and Kubernetes clusters." (Source 4.1)
"CTD detects specific runtime events, such as: Execution of malicious scripts… Loading of suspicious libraries… CTD creates high-fidelity Security Command Center findings for these threats." (Source 4.2)
"Security Health Analytics (Option C) identifies misconfigurations and compliance violations, such as overly permissive IAM roles or open firewall ports, but it does not perform runtime threat detection." (Source 4.3)
While using log-based metrics (Option D) is possible, enabling CTD (Option B) is the specific, managed, and authoritative way to generate verified runtime threat findings directly within Security Command Center as required by the prompt.
You define central security controls in your Google Cloud environment. For one of the folders in your organization, you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later you receive an alert about a new VM with an external IP address under that folder.
What could have caused this alert?
- A . The VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.
- B . The organizational policy constraint wasn’t properly enforced and is running in "dry run mode."
- C . At project level, the organizational policy control has been overwritten with an ‘allow’ value.
- D . The policy constraint on the folder level does not have any effect because of an "allow" value for that constraint on the organizational level.
C
Explanation:
Understand Organization Policies:
Organization policies allow you to enforce restrictions on Google Cloud resources to adhere to your organization’s security and compliance requirements.
Policies can be set at the organization, folder, or project level, with project-level policies able to override higher-level policies unless explicitly prevented.
Identify the Policy Constraint:
The specific constraint in question is likely constraints/compute.vmExternalIpAccess, which controls whether VMs can have external IP addresses.
Check Policy Overwrites:
Navigate to the Organization Policies page in the Google Cloud Console.
Check the policy settings at the project level under the affected folder to see if there is an override in place with an ‘allow’ value.
This override would permit the creation of VMs with external IP addresses despite the higher-level restriction.
Resolve the Policy Conflict:
If an override is found, remove or modify the project-level policy to align with the organizational policy denying external IP addresses.
Communicate with project administrators to ensure they understand and comply with the overarching security policies.
Reference: Organization Policy Best Practices
Managing Policy Constraints
What are the steps to encrypt data using envelope encryption?
- A . Generate a data encryption key (DEK) locally. Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK. Store the encrypted data and the wrapped KEK.
- B . Generate a key encryption key (KEK) locally. Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK. Store the encrypted data and the wrapped DEK.
- C . Generate a data encryption key (DEK) locally. Encrypt data with the DEK. Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.
- D . Generate a key encryption key (KEK) locally. Generate a data encryption key (DEK) locally. Encrypt data with the KEK. Store the encrypted data and the wrapped DEK.
C
Explanation:
Objective: Encrypt data using envelope encryption.
Solution: Follow the envelope encryption process.
Steps:
Step 1: Generate a Data Encryption Key (DEK) locally. The DEK is used to encrypt the actual data.
Step 2: Encrypt the data using the DEK.
Step 3: Use a Key Encryption Key (KEK) to wrap the DEK. The KEK is used to encrypt the DEK.
Step 4: Store the encrypted data and the wrapped DEK. This ensures that the data can be securely decrypted in the future using the KEK to unwrap the DEK.
Envelope encryption enhances security by adding an additional layer of encryption to the data encryption key, which is particularly useful for managing large volumes of encrypted data.
Reference: Envelope Encryption Overview
Google Cloud Key Management Service Documentation
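The four steps above in code, as an added example that is not part of the original page or of any Google Cloud library, plus a KEK rotation routine that shows why the pattern suits large volumes of data: only the small wrapped DEK is re-encrypted, the bulk ciphertext never is. Assumptions: a stand-in AEAD built from HMAC-SHA256 in counter mode with encrypt-then-MAC replaces AES-GCM so the block runs on the standard library alone, and the KEK is a local byte string rather than a Cloud KMS key.

```python
import hashlib
import hmac
import os
import struct

# Stand-in AEAD (assumption for this example): HMAC-SHA256 in counter mode as the stream
# cipher, encrypt-then-MAC under a separately derived key. Production code would use
# AES-GCM and keep the KEK in Cloud KMS; the envelope logic below does not change.
def _subkeys(key: bytes) -> tuple:
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag under `key`."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on wrong key or tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def envelope_encrypt(kek: bytes, plaintext: bytes) -> dict:
    dek = os.urandom(32)                          # Step 1: generate the DEK locally
    ciphertext = seal(dek, plaintext)             # Step 2: encrypt the data with the DEK
    wrapped_dek = seal(kek, dek)                  # Step 3: wrap the DEK with the KEK
    return {"ciphertext": ciphertext, "wrapped_dek": wrapped_dek}  # Step 4: store both

def envelope_decrypt(kek: bytes, envelope: dict) -> bytes:
    dek = unseal(kek, envelope["wrapped_dek"])    # unwrap the DEK with the KEK ...
    return unseal(dek, envelope["ciphertext"])    # ... then decrypt the data with the DEK

def rotate_kek(old_kek: bytes, new_kek: bytes, envelope: dict) -> dict:
    """KEK rotation only re-wraps the 32-byte DEK; the bulk ciphertext is untouched."""
    dek = unseal(old_kek, envelope["wrapped_dek"])
    return {"ciphertext": envelope["ciphertext"], "wrapped_dek": seal(new_kek, dek)}

def decrypt_fails(kek: bytes, envelope: dict) -> bool:
    """True if the envelope cannot be opened with `kek` (wrong key or tampered blob)."""
    try:
        envelope_decrypt(kek, envelope)
        return False
    except ValueError:
        return True
```

Note that the DEK is never stored in the clear: it exists only in memory between generation and wrapping, and again transiently after unwrapping.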
You have just created a new log bucket to replace the _Default log bucket. You want to route all log entries that are currently routed to the _Default log bucket to this new log bucket in the most efficient manner.
What should you do?
- A . Create a user-defined sink with inclusion filters copied from the _Default sink. Select the new log bucket as the sink destination.
- B . Create exclusion filters for the _Default sink to prevent it from receiving new logs. Create a user-defined sink, and select the new log bucket as the sink destination.
- C . Disable the _Default sink. Create a user-defined sink and select the new log bucket as the sink destination.
- D . Edit the _Default sink, and select the new log bucket as the sink destination.
D
Explanation:
In Google Cloud’s Logging service, log entries are automatically routed to the _Default log bucket unless configured otherwise. When you create a new log bucket and intend to redirect all log entries from the _Default bucket to this new bucket, the most efficient approach is to modify the existing _Default sink to point to the new log bucket.
Option A: Creating a new user-defined sink with filters replicated from the _Default sink is redundant and may lead to configuration complexities.
Option B: Implementing exclusion filters on the _Default sink and then creating a new sink introduces unnecessary steps and potential for misconfiguration.
Option C: Disabling the _Default sink would stop all log routing to it, but creating a new sink to replicate its functionality is inefficient.
Option D: Editing the _Default sink to change its destination to the new log bucket ensures a seamless transition of log routing without additional configurations.
Therefore, Option D is the most efficient and straightforward method to achieve the desired log routing.
Reference: Routing and Storage Overview
Configure Default Log Router Settings
Your company’s Chief Information Security Officer (CISO) creates a requirement that business data must be stored in specific locations due to regulatory requirements that affect the company’s global expansion plans. After working on the details to implement this requirement, you determine the following:
The services in scope are included in the Google Cloud Data Residency Terms.
The business data remains within specific locations under the same organization.
The folder structure can contain multiple data residency locations.
You plan to use the Resource Location Restriction organization policy constraint.
At which level in the resource hierarchy should you set the constraint?
- A . Folder
- B . Resource
- C . Project
- D . Organization
D
Explanation:
The Resource Location Restriction organization policy constraint ensures that business data is stored in specific geographic locations, which is critical for compliance with regulatory requirements.
Organization Level: Setting the constraint at the organization level ensures that all resources within the organization, including those in different folders or projects, adhere to the location restrictions. This provides a unified policy application across the entire organization, ensuring compliance with regulatory requirements.
Policy Application: The policy will propagate down the resource hierarchy, ensuring that all relevant services within the organization comply with the specified data residency requirements.
This approach provides centralized control and simplifies the management of data residency constraints.
Reference:
Organization Policy Service Documentation
