Google Cloud professional cloud security engineer practice test

This practice test provides targeted preparation for aspiring Cloud Security Engineers on the Google Cloud platform. It covers essential skills such as identity management, data protection, network security, threat monitoring, security automation, AI security, and regulatory compliance. This resource aids individuals in assessing their readiness and refining their expertise in cloud security practices.

Welcome to your GCP Professional cloud security engineer practice test

Q1. Which type of IAM member belongs to an application or virtual machine instead of an individual end user?

A. Service Account

B. Google Account

C. Google group

D. Cloud identity Domain

Q2. Which IAM role contains permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates?

A. Network Admin

B. Security Admin

C. Network viewer

Q3. You want two VM instances in different VPC networks to communicate over internal IP addresses. Which feature lets you configure this capability?

A. Bring your own IP address to each VM.

B. Cloud DNS to direct traffic between the VMs.

C. Set up two network interfaces on each VM.

D. Configure a custom static route between the VMs.

Q4.You have been asked by your supervisor to compare resource utilization for VMs used for production, development, and testing. What should you do?

A. Export all machine logs to Cloud Storage and use Cloud Functions to build reports based on the VM tags.

B. Name the VMs with a prefix like “dev-”, “test-”, and “prod-” and filter on the name property when reporting.

C. Add a label called “state” to your VMs with the values “dev”, “test”, and “prod” and group by that label in your monitoring chart.

D. Put those resources in different projects and use dataflow to create an aggregation of log values for each.

Q5. A financial institution lending department stores sensitive information, such as your customers’ credit history, address and phone number, in parquet files. You need to upload this personally identifiable information (PII) to Cloud Storage so that it’s secure and compliant with ISO 27018. How should you protect this sensitive information using the financial institution encryption keys and using the least amount of computational resources.

A. Generate an RSA key as a 32-byte bytestring. Decode it as a base-64 string. Upload the blob to the bucket using this key.

B. Generate a customer-managed encryption key (CMEK) using RSA or AES256 encryption. Decode it as a base-64 string. Upload the blob to the bucket using this key.

C. Generate a customer-managed encryption key (CMEK) using Cloud KMS. Decode it as a base-64 string. Upload the blob to the bucket using this key.

D. Generate an AES-256 key as a 32-byte bytestring. Decode it as a base-64 string. Upload the blob to the bucket using this key.

Q6. You are a cloud security engineer at your organization. You need to share the auditing and compliance standards with your CTO that cover controls over financial reporting and both public and private controls over security, availability, and confidentiality. Which compliance standard covers this?

A. FIPs 140-2

B. PCI-DSS

C. SOX

D. GDPR

Q7. Which feature of Google Cloud will your organization use to prevent unauthorized container images from being deployed into production environments?

A. Cloud Monitoring

B. Audit logs

C. Binary Authorization

D. Cloud Build

Q8. A Retail company runs a Node.js application on a Compute Engine instance. Your organization needs to share this base image with a ‘development’ Google Group. This base image should support secure boot for the Compute Engine instances deployed from this image. How would you automate the image creation?

A- Stop the Compute Engine instance. Set up Measured Boot for secure boot. Prepare a cloudbuild.yaml configuration file. Specify the persistent disk location of the Compute Engine instance and the ‘development’ group. Use the command gcloud builds submit --tag, and specify the configuration file path

B- Prepare a shell script. Add the command gcloud compute instances start to the script to start the Node.js Compute Engine instance. Set up Measured Boot for secure boot. Add gcloud compute images create, and specify the persistent disk and zone of the Compute Engine instance.

C- Prepare a shell script. Add the command gcloud compute instances stop with the Node.js instance name. Set up certificates for secure boot. Add gcloud compute images create, and specify the Compute Engine instance’s persistent disk and zone and the certificate files. Add gcloud compute images add-iam-policy-binding and specify the ‘development’ group.

D- Start the Compute Engine instance. Set up certificates for secure boot. Prepare a cloudbuild.yaml configuration file. Specify the persistent disk location of the Compute Engine and the ‘development’ group. Use the command gcloud builds submit --tag, and specify the configuration file path and the certificates.

Q9. ENZ Solar company uses Docker containers to interact with APIs for its personal banking application. These APIs are under PCI-DSS compliance. The Kubernetes environment running the containers will not have internet access to download required packages. How would you automate the pipeline that is building these containers?

A- Create a Dockerfile with container definition and cloudbuild.yaml file. Use Cloud Build to build the image from Dockerfile. Upload the built image to a Google Container registry and Dockerfile to a Git repository. In the cloudbuild.yaml template, include attributes to tag the Git repository path with a Google Kubernetes Engine cluster. Create a trigger in Cloud Build to automate the deployment using the Git repository.

B- Create a Dockerfile with a container definition and a Cloud Build configuration file. Use the Cloud Build configuration file to build and deploy the image from Dockerfile to a Google Container registry. In the configuration file, include the Google Container Registry path and the Google Kubernetes Engine cluster. Upload the configuration file to a Git repository. Create a trigger in Cloud Build to automate the deployment using the Git repository.

C- Build an immutable image. Store all artifacts and a Packer definition template in a Git repository. Use Container Registry to build the artifacts and Packer definition. Use Cloud Build to extract the built container and deploy it to a Google Kubernetes Engine Cluster (GKE). Add the required users and groups to the GKE project.

D- Build a foundation image. Store all artifacts and a Packer definition template in a Git repository. Use Container Registry to build the artifacts and Packer definition. Use Cloud Build to extract the built container and deploy it to a Google Kubernetes Engine (GKE) cluster. Add the required users and groups to the GKE project.

10.

Q10. Your organization has suffered a remote botnet attack on Compute Engine instances in an isolated project. The affected project now requires investigation by an external agency. An external agency requests that you provide all admin and system events to analyze in their local forensics tool. You want to use the most cost-effective solution to enable the external analysis. What should you do?

A- Use Event Threat Detection. Trigger the IAM Anomalous Grant detector to detect all admins and users with admin or system permissions. Export these logs to the Security Command Center. Give the external agency access to the Security Command Center.

B- Use Cloud Monitoring and Cloud Logging. Filter Cloud Monitoring to view only system and admin logs. Expand the system and admin logs in Cloud Logging. Use Pub/Sub to export the findings from Cloud Logging to the external agency’s forensics tool or storage

C- Use Cloud Audit Logs. Filter Admin Activity audit logs for only the affected project. Use a Pub/Sub topic to stream the logs from Cloud Audit Logs to the external agency’s forensics tool.

D- Use the Security Command Center. Select Cloud Logging as the source, and filter by category: Admin Activity and category: System Activity. View the Source property of the Finding Details section. Use Pub/Sub topics to export the findings to the external agency’s forensics tool.

11.

Q11. ABC Limited experienced a recent security issue. A rogue employee with admin permissions for Compute Engine assigned existing Compute Engine users some arbitrary permissions. You are tasked with finding all these arbitrary permissions. What should you do to find these permissions most efficiently?

A- Use Event Threat Detection and trigger the IAM Anomalous grants detector. Publish results to the Security Command Center. In the Security Command Center, select Event Threat Detection as the source, filter by category: iam, and sort to find the attack time window. Click on Persistence: IAM Anomalous Grant to display Finding Details. View the Source property of the Finding Details section

B- Use Event Threat Detection and configure Continuous Exports to filter and write only Firewall logs to the Security Command Center. In the Security Command Center, select Event Threat Detection as the source, filter by evasion: Iam, and sort to find the attack time window. Click on Persistence: IAM Anomalous Grant to display Finding Details. View the Source property of the Finding Details section.

C- Use Event Threat Detection and configure Continuous Exports to filter and write only Firewall logs to the Security Command Center. In the Security Command Center, select Event Threat Detection as the source, filter by category: anomalies, and sort to find the attack time window. Click on Evasion: IAM Anomalous Grant to display Finding Details. View the Source property of the Finding Details section.

D- Use Event Threat Detection and trigger the IAM Anomalous Grant detector. Publish results to Cloud Logging. In the Security Command Center, select Cloud Logging as the source, filter by category: anomalies, and sort to find the attack time window. Click on Persistence: IAM Anomalous Grant to display Finding Details. View the Source property of the Finding Details section.

12.

Q12. LLM Cooperation wants to use Cloud Storage and BigQuery to store safe deposit usage data. LLM cooperation needs a cost-effective approach to auditing only Cloud Storage and BigQuery data access activities. How would you use Cloud Audit Logs to enable this analysis?

A.Enable Data Access Logs for ADMIN_READ, DATA_READ, and DATA_WRITE for Cloud Storage. All Data Access Logs are enabled for BigQuery by default.

B. Enable Data Access Logs for ADMIN_READ, DATA_READ, and DATA_WRITE for BigQuery. All Data Access Logs are enabled for Cloud Storage by default.

C. Enable Data Access Logs for ADMIN_READ, DATA_READ, and DATA_WRITE at the service level for BigQuery and Cloud Storage.

D. Enable Data Access Logs for ADMIN_READ, DATA_READ, and DATA_WRITE at the organization level.

13.

Q13. Which tool can a company use to synchronize their identities from their on-premise identity management system to Google Cloud?

A. Google Cloud Directory Sync(GCDS)

B.SSO

C. Active Directory

D. Cloud Identity

14.

Q14. Which feature of Google Cloud will an organization use to control the source locations and times that authorized identities will be able to access resources?

A. Identity-aware Proxy

B. IAM Roles

C. Service Accounts

D. IAM Conditions

15.

Q15. How can you enable resources with only internal IP addresses to make requests to the Internet?

A.Shared VPC

B. Cloud NAT

C. Google private access

D. Dedicated Interconnect

16.

Q16. Which tool will you use to enforce authentication and authorization for services deployed to Google Cloud?

A. HTTP(S) load balancer

B. Google Cloud Armor

C. Identity-Aware proxy

D. Firewall rules

17.

Q17. Which Google cloud tool can an organization use to determine who performed a particular administrative action and when?

A. Cloud Monitoring

B. VPC flow logs

C. VPC service controls

D. Audit logs

18.

Q18. You have recently joined your company as a cloud security engineer. You want to encrypt a connection from a user on the internet to a VM in your development project. This is at the layer 3/4 (network/transport) level and you want to set up user configurable encryption for the in transit network traffic. What architecture choice best suits this use case?

A. Set up a managed SSL certificate by configuring a load balancer. By default, this will encrypt at the L3/L4 layer.

B. Set up app layer transport security (ALTS). This is a mutual authentication and transport encryption system developed by Google. This is configured for L3/L4 network connections.

C.Set up transport layer security (TLS). This will encrypt data sent to the Google Front End, and in turn, your VM. This is not setup by default.

D. Set up an IPsec tunnel. This will allow you to create L3/L4 encryption between a user and a VM instance in her project.

19.

Q19. A company wants to deploy an n-tier web application. The frontend must be supported by an App Engine deployment, an API with a Compute Engine instance, and Cloud SQL for a MySQL database. This application is only supported during working hours, App Engine is disabled, and Compute Engine is stopped. How would you enable the infrastructure to access the database?

A. Use Project metadata to read the current machine’s IP address and use a gcloud command to add access to Cloud SQL. Store Cloud SQL’s connection string and username in Cloud Key Management Service, and store the password in Secret Manager.

B. Use VM metadata to read the current machine’s IP address and use a startup script to add access to Cloud SQL. Store Cloud SQL’s connection string, username, and password in Secret Manager.

C. Use Project metadata to read the current machine’s IP address, and use a startup script to add access to Cloud SQL. Store Cloud SQL’s connection string in Cloud Key Management Service, and store the password in Secret Manager. Store the Username in Project metadata.

D. Use VM metadata to read the current machine’s IP address, and use a gcloud command to add access to Cloud SQL. Store Cloud SQL’s connection string and password in Cloud Key Management Service. Store the Username in Project metadata

20.

Q20. Your organization has a Cloud SQL instance that must be shared with an external agency. The agency’s developers will be assigned roles and permissions through a Google Group in Identity and Access Management (IAM). The external agency is on an annual contract and will require a connection string, username, and password to connect to the database. How would you configure the group’s access?

A. Use Secret Manager. Use the resource attribute to set a key-value pair with key as duration and values as expiry period one year from now. Add secretmanager.viewer role for the group that contains external developers.

B. Use Secret Manager. Use the duration attribute to set the expiry period to one year. Add the secretmanager.secretAccessor role for the group that contains external developers.

C. Use Secret Manager for the connection string and username, and use Cloud Key Management Service for the password. Use tags to set the expiry period to the timestamp one year from now. Add secretmanager.secretVersionManager and secretmanager.secretAccessor roles for the group that contains external developers.

D. Use Cloud Key Management Service. Use the destination IP address and Port attributes to provide access for developers at the external agency. Remove the IAM access after one year and rotate the shared keys. Add cloudkms.cryptoKeyEncryptorDecryptor role for the group that contains the external developers.

21.

Q21. Your organization is divided into separate departments. Each department is divided into teams. Each team works on a distinct product that requires Google Cloud resources for development. How would you design a Google Cloud organization hierarchy to best match your organization structure and needs?

A. Create an Organization node. Under the Organization node, create Department folders. Under each Department, create Teams folders. Add Projects to the Teams folders.

B. Create an Organization node. Under the Organization node, create Department folders. Under each Department, create Product folders. Under each Product, create Teams folders. In the Teams folder, add Projects.

C. Create an Organization node. Under the Organization node, create Department folders. Under each Department, create a Teams folder. Under each Team, create Product folders. Add Projects to the Product folders.

D. Create an Organization node. Under the Organization node, create Department folders. Under each Department, create Product folders. Add Projects to the Product folders.

22.

Q22. You recently discovered service account key misuse in one of the teams during a security audit. As a precaution, going forward you do not want any team in your organization to generate new external service account keys. You also want to restrict every new service account’s usage to its associated Project. What should you do?

A. Navigate to Organizational policies in the Google Cloud Console. Select your organization. Select iam.disableServiceAccountKeyCreation. Under Policy Enforcement, select Merge with parent. Click Save. Repeat the process for iam.disableCrossProjectServiceAccountLienRemoval.

B.Run the gcloud resource-manager org-policies allow command with the boolean constraints iam.disableServiceAccountKeyCreation and iam.disableCrossProjectServiceAccountUsage with Organization ID.

C. Navigate to Organizational policies in the Google Cloud Console. Select your organization. Select iam.disableServiceAccountKeyCreation. Customize the applied to property, and set Enforcement to ‘On’. Click Save. Repeat the process for iam.disableCrossProjectServiceAccountUsage.

D. Run the gcloud resource-manager org-policies enable-enforce command with the constraints iam.disableServiceAccountKeyCreation, and iam.disableCrossProjectServiceAccountUsage and the Project IDs you want the constraints to apply to.

23.

Q23. QWERTY Bank has certain default permissions and access for their analyst, finance, and teller teams. These teams are organized into groups that have a set of role-based IAM permissions assigned to them. After a recent acquisition of a small bank, you find that the small bank directly assigns permissions to their employees in IAM. You have been tasked with applying QWERTY Bank’s organizational structure to the small bank. Employees will need access to Google Cloud services. What should you do?

A. Reset all user permissions in the small bank’s IAM. Use Cloud Identity to create the required Google Groups. Upgrade the Google Groups to Security Groups. Use a Python script to allocate users to the groups.

B. Leave all user permissions as-is in the small bank’s IAM. Use the Directory API in the Google Workspace Admin SDK to create Google Groups. Use a Python script to allocate users to the Google Groups.

C. Reset all user permissions in the small bank’s IAM. Use Cloud Identity to create dynamic groups for each of the bank’s teams. Use the dynamic groups’ metadata field for team type to allocate users to their appropriate group with a Python script.

D. Reset all user permissions in the small bank’s IAM. Use the Directory API in the Google Workspace Admin SDK to create Google Groups. Use a Python script to allocate users to the groups.

24.

Q24. You want a simple way to see the latency of requests for a web application you deployed to Cloud Run. What Google Cloud tool should you use?

A.logs Explorer

B. Profiler

C. Metrics Explorer

D. Trace

25.

Q25. You want to calculate the uptime of a service and receive alerts if the uptime value falls below a certain threshold. Which tool will help you with this requirement?

A. Error Reporting

B. Profiler

C. Logs Explorer

D. Cloud Monitoring