Sample Questions and Answers
What is a key benefit of using Google Cloud’s VPC Service Controls?
Improved network performance
B. Prevents data exfiltration by creating security perimeters around resources
C. Enables automatic key rotation
D. Provides firewall management
Answer: B. Prevents data exfiltration by creating security perimeters around resources
Explanation: Service perimeters restrict unauthorized access and data movement.
What is the main purpose of the Cloud Key Management Service (KMS)?
To create firewall rules
B. To create, manage, and use cryptographic keys for data encryption
C. To audit IAM roles
D. To monitor network traffic
Answer: B. To create, manage, and use cryptographic keys for data encryption
Explanation: Cloud KMS provides secure key lifecycle management.
Which of the following practices improves security for API access tokens?
Using short-lived tokens with automatic renewal
B. Embedding tokens in client-side code
C. Sharing tokens among applications
D. Avoiding token expiration
Answer: A. Using short-lived tokens with automatic renewal
Explanation: Short-lived tokens reduce the risk of misuse if compromised.
What is the role of Cloud Armor in Google Cloud security?
Encrypt data at rest
B. Protect applications from Distributed Denial of Service (DDoS) attacks and web application attacks
C. Manage IAM policies
D. Provide identity management
Answer: B. Protect applications from Distributed Denial of Service (DDoS) attacks and web application attacks
Explanation: Cloud Armor uses policies and rules to block malicious traffic.
How can you audit and monitor access to Cloud Storage buckets?
Use Cloud Audit Logs and configure bucket-level logging and IAM policies
B. Use firewall rules only
C. Use VPC Service Controls only
D. Disable public access
Answer: A. Use Cloud Audit Logs and configure bucket-level logging and IAM policies
Explanation: Audit logs and IAM provide visibility and control over access.
Which service allows automatic rotation of encryption keys in Google Cloud?
Cloud Armor
B. Cloud KMS
C. Cloud Audit Logging
D. Security Command Center
Answer: B. Cloud KMS
Explanation: Cloud KMS supports automated key rotation policies.
What security principle does “defense in depth” refer to?
Using a single security control for protection
B. Applying multiple layers of security controls to protect resources
C. Disabling all network traffic
D. Sharing credentials securely
Answer: B. Applying multiple layers of security controls to protect resources
Explanation: Defense in depth ensures if one layer fails, others remain to protect.
Which Google Cloud service enables automated security posture management by providing actionable recommendations?
Cloud Armor
B. Security Health Analytics
C. Cloud CDN
D. Cloud Functions
Answer: B. Security Health Analytics
Explanation: Security Health Analytics continuously scans your resources for misconfigurations and vulnerabilities and provides recommendations.
How can you ensure compliance with data residency requirements in Google Cloud?
Use region-specific resource deployment and enforce Organization Policies restricting locations
B. Encrypt all data in Cloud Storage
C. Disable public access to all resources
D. Use a single global region for all resources
Answer: A. Use region-specific resource deployment and enforce Organization Policies restricting locations
Explanation: Organization Policies can restrict resource creation to approved locations ensuring compliance.
What is the best way to securely manage multiple service accounts for your applications?
Share one service account across all applications
B. Create separate service accounts with least privilege and use Workload Identity Federation where applicable
C. Store service account keys in public repositories
D. Avoid using service accounts
Answer: B. Create separate service accounts with least privilege and use Workload Identity Federation where applicable
Explanation: Separation of service accounts limits blast radius and improves security.
What is the purpose of Google Cloud’s Access Transparency logs?
To provide visibility into Google personnel’s access to customer data
B. To encrypt data at rest
C. To manage firewall rules
D. To monitor network traffic
Answer: A. To provide visibility into Google personnel’s access to customer data
Explanation: Access Transparency gives audit logs when Google employees access your content for support or maintenance.
How does Google Cloud help mitigate the risk of insider threats?
By restricting network access only
B. Through IAM policies, audit logging, and Access Transparency
C. By disabling all external access
D. By sharing credentials securely
Answer: B. Through IAM policies, audit logging, and Access Transparency
Explanation: These tools help control and monitor internal access effectively.
Which of the following describes a best practice for managing API access scopes for service accounts?
Grant the broadest possible API scopes
B. Grant only the necessary scopes required for the application’s function
C. Avoid setting API scopes
D. Use default scopes for all applications
Answer: B. Grant only the necessary scopes required for the application’s function
Explanation: Limiting API scopes reduces potential abuse and limits exposure.
What does the principle of “defense in depth” encourage in cloud security design?
Relying solely on perimeter security
B. Multiple layers of security controls including identity, network, data, and application protections
C. Disabling all user access
D. Encrypting only data in transit
Answer: B. Multiple layers of security controls including identity, network, data, and application protections
Explanation: Layered defenses improve resilience against attacks.
How can you enforce MFA for Google Cloud Console access?
Use password-only authentication
B. Enable Google Workspace or Cloud Identity MFA for user accounts accessing the console
C. Share MFA codes among users
D. Use only IP-based restrictions
Answer: B. Enable Google Workspace or Cloud Identity MFA for user accounts accessing the console
Explanation: MFA adds a strong second factor to reduce account compromise risk.
What Google Cloud feature provides automatic encryption of data at rest without requiring user intervention?
Customer-Supplied Encryption Keys
B. Default encryption with Google-managed keys
C. Cloud KMS manual encryption
D. Customer-Managed Encryption Keys
Answer: B. Default encryption with Google-managed keys
Explanation: Google Cloud automatically encrypts data at rest using Google-managed keys by default.
How does Google Cloud’s VPC Service Controls help prevent data exfiltration?
By blocking all external internet traffic
B. By defining security perimeters that restrict resource access and communication across projects
C. By encrypting data in transit
D. By disabling firewall rules
Answer: B. By defining security perimeters that restrict resource access and communication across projects
Explanation: VPC Service Controls create boundaries to limit data movement.
What is the benefit of enabling Audit Configs on Google Cloud Storage buckets?
To encrypt data in the bucket
B. To track and log accesses and changes to the bucket for compliance and security investigations
C. To restrict bucket access to the public
D. To enable faster data retrieval
Answer: B. To track and log accesses and changes to the bucket for compliance and security investigations
Explanation: Audit configs ensure detailed logs are maintained.
Which of the following is true about Cloud Security Scanner?
It scans for network anomalies only
B. It identifies vulnerabilities in App Engine, Compute Engine, and Google Kubernetes Engine apps
C. It manages IAM roles
D. It controls firewall rules
Answer: B. It identifies vulnerabilities in App Engine, Compute Engine, and Google Kubernetes Engine apps
Explanation: Cloud Security Scanner detects web app vulnerabilities such as cross-site scripting and outdated libraries.
What is a recommended approach to secure Google Cloud SQL instances?
Use public IP addresses without restrictions
B. Use private IP, enable SSL connections, and restrict access with authorized networks
C. Share the root user password with all developers
D. Disable backups
Answer: B. Use private IP, enable SSL connections, and restrict access with authorized networks
Explanation: These practices reduce exposure and protect data in transit.
How does Google Cloud’s Organization Policy Service help security teams?
By automatically encrypting data at rest
B. By centrally managing and enforcing constraints such as allowed regions, allowed APIs, and resource types
C. By scanning VMs for vulnerabilities
D. By managing firewall rules
Answer: B. By centrally managing and enforcing constraints such as allowed regions, allowed APIs, and resource types
Explanation: Organization policies enforce guardrails at scale.
Which service allows you to encrypt data before sending it to Google Cloud?
Cloud KMS
B. Client-Side Encryption
C. VPC Service Controls
D. Security Command Center
Answer: B. Client-Side Encryption
Explanation: Client-Side Encryption encrypts data locally before upload.
What does enabling “Context-Aware Access” in Google Cloud IAM enable?
Access control based on user identity and device context (location, security status)
B. Automatic encryption of data
C. Removal of MFA requirements
D. Open access to all users
Answer: A. Access control based on user identity and device context (location, security status)
Explanation: It enforces access policies dynamically based on conditions.
What is the primary function of the Cloud Security Command Center’s “Threat Detection” feature?
To block network traffic
B. To provide continuous monitoring and alert on security threats and vulnerabilities
C. To manage encryption keys
D. To create firewall rules
Answer: B. To provide continuous monitoring and alert on security threats and vulnerabilities
Explanation: It aggregates findings from multiple sources for proactive security.
Which of the following is a recommended best practice for service account key management?
Store keys in source code repositories
B. Use short-lived keys and rotate keys regularly
C. Share keys among multiple projects
D. Avoid using service accounts
Answer: B. Use short-lived keys and rotate keys regularly
Explanation: Key rotation reduces the risk of key compromise.
How can you prevent accidental public exposure of Cloud Storage buckets?
Disable all bucket-level IAM policies
B. Use Organization Policy to restrict public access and enable Access Transparency
C. Grant all users the Storage Object Viewer role
D. Use default permissions without review
Answer: B. Use Organization Policy to restrict public access and enable Access Transparency
Explanation: Restricting public access and auditing helps prevent leaks.
What is a key advantage of using Workload Identity Federation in Google Cloud?
It allows workloads outside Google Cloud to access Google Cloud resources without managing service account keys
B. It disables IAM roles
C. It manages firewall rules
D. It encrypts data at rest
Answer: A. It allows workloads outside Google Cloud to access Google Cloud resources without managing service account keys
Explanation: This reduces operational complexity and improves security.
What is the recommended way to handle secrets in Google Kubernetes Engine?
Store secrets in plaintext in pod specs
B. Use Kubernetes Secrets integrated with Secret Manager for secure storage and access
C. Embed secrets in container images
D. Share secrets among all pods
Answer: B. Use Kubernetes Secrets integrated with Secret Manager for secure storage and access
Explanation: Secure secret management prevents leakage and unauthorized access.
How does Binary Authorization contribute to supply chain security?
By encrypting container images
B. By enforcing signature-based policies to ensure only trusted images are deployed
C. By managing firewall rules
D. By scanning network traffic
Answer: B. By enforcing signature-based policies to ensure only trusted images are deployed
Explanation: It prevents unauthorized or vulnerable images from running.
Which logging tool provides insights into firewall rule effectiveness in Google Cloud?
Cloud Armor logs
B. VPC Flow Logs
C. Security Health Analytics
D. Cloud Audit Logs
Answer: B. VPC Flow Logs
Explanation: VPC Flow Logs capture detailed info about network traffic and firewall rule matches.
What is the benefit of enabling Google Cloud’s Data Loss Prevention (DLP) API?
To create firewall rules
B. To detect and redact sensitive data in storage or data streams
C. To encrypt data at rest
D. To monitor audit logs
Answer: B. To detect and redact sensitive data in storage or data streams
Explanation: DLP helps protect sensitive info from exposure.
Which practice improves security posture when granting IAM roles?
Grant roles at the organization level by default
B. Apply roles at the lowest scope possible, e.g., project or resource level
C. Grant broad roles to all users
D. Avoid using custom roles
Answer: B. Apply roles at the lowest scope possible, e.g., project or resource level
Explanation: Limiting scope follows least privilege and minimizes risk.
Reviews
There are no reviews yet.