Practice Questions

Question 1

Your healthcare analytics startup is building a multi-region telemetry pipeline on Google Cloud that spans Compute Engine VMs, a GKE Autopilot cluster, Cloud Storage buckets, BigQuery datasets (~50 TB), and Pub/Sub topics processing ~80,000 messages per second. Under your GDPR data protection by design program, the security review mandates that: (1) you—not Google—must control key creation, 90-day rotation, and IAM-scoped usage of encryption keys; (2) keys must reside in Google Cloud KMS/HSM with no dependency on external key stores; and (3) a single key management approach must be supported uniformly across all listed services. Which option should you choose to meet these requirements?

Question Analysis

Core Concept: This question tests encryption key management choices on Google Cloud—specifically the difference between Google-managed encryption, customer-managed encryption keys (CMEK) in Cloud KMS/Cloud HSM, customer-supplied encryption keys (CSEK), and External Key Manager (EKM). It also tests uniform applicability across multiple services (Compute Engine, GKE, Cloud Storage, BigQuery, Pub/Sub) and compliance-driven controls (GDPR “data protection by design”). Why the Answer is Correct: Customer-managed encryption keys (CMEK) is the only option that satisfies all three requirements simultaneously: (1) you control key creation, rotation (including 90-day rotation), and IAM-scoped usage via Cloud KMS permissions; (2) keys reside in Google Cloud KMS and can be backed by Cloud HSM (still Google Cloud–native, no external keystore dependency); and (3) CMEK is broadly supported across the listed services, enabling a single consistent approach. Key Features / How to Implement: - Use Cloud KMS key rings/keys (regional) aligned to your multi-region architecture; for higher assurance, use Cloud HSM-backed keys. - Enforce IAM least privilege: grant services access to the CryptoKey via roles/cloudkms.cryptoKeyEncrypterDecrypter (or narrower where possible) and use separation of duties for key admins. - Configure rotation: set rotation period to 90 days and ensure new key versions are used automatically where supported. - Service integrations: Cloud Storage bucket default KMS key, BigQuery dataset/table CMEK, Pub/Sub topic CMEK, Compute Engine disk/image/snapshot CMEK, and GKE (Autopilot) integrates with CMEK for supported encryption use cases (e.g., node boot disks and certain control-plane related encryption features depending on configuration). Common Misconceptions: - “External Key Manager” sounds like stronger control, but it explicitly depends on external key stores—disallowed here. - “Customer-supplied encryption keys” can look like maximum control, but it is operationally brittle, not uniformly supported across all services, and does not meet the requirement to keep keys in Cloud KMS/HSM. - Google default encryption is always on, but you do not control key lifecycle or IAM-scoped key usage. Exam Tips: When requirements say: control key creation/rotation + IAM-scoped key usage + keys in Cloud KMS/HSM + broad service support, the exam almost always points to CMEK (Cloud KMS/Cloud HSM). If external key custody is required, then EKM/Cloud HSM with external systems may appear—but here external dependency is explicitly prohibited.

Question 2

Your logistics company runs a route-optimization model as a managed Vertex AI Batch Predictions job on Google Cloud. Twenty external carriers upload up to 1,000 CSV files per day (each <= 100 MB) to a dedicated Cloud Storage bucket via 15-minute signed URLs; a Cloud Function triggers the batch predictions and writes results to partner-specific buckets. You are conducting a configuration review with stakeholders and must clearly describe your security responsibilities for this managed AI workflow. What should you do?

Question 3

Your fintech organization operates 12 Google Cloud projects under 2 folders and uses 25 service accounts; an internal review found some accounts assigned roles/editor and external contractors from two partner domains with excessive access, and you must gain within 5 minutes detailed visibility into IAM policy changes, user activity, service account key usage, and access to three restricted projects, retain these records for at least 400 days, and correlate them centrally with AWS and on-prem security events without deploying any agents on VMs—what should you do?

Question Analysis

Core Concept: This question tests centralized security visibility and auditability using Cloud Logging/Cloud Audit Logs, plus near-real-time export to an external SIEM without installing VM agents. It aligns with the Google Cloud Architecture Framework (Operational Excellence and Security) by emphasizing centralized logging, least privilege verification, and continuous monitoring. Why the Answer is Correct: Option C directly satisfies every requirement: visibility within ~5 minutes into IAM policy changes (Admin Activity logs), user activity and API calls (Admin Activity and Data Access logs), service account key usage (Audit logs for IAM/Service Account Key operations and relevant Data Access where applicable), and access to restricted projects (Data Access logs for sensitive services). It also enables central correlation with AWS and on-prem events by exporting logs in near real time via aggregated sinks to Pub/Sub (or other supported destinations) feeding an external SIEM—no agents required. Key Features / Configurations: 1) Enable Cloud Audit Logs at the organization level: Admin Activity and System Event are on by default and should be retained; explicitly enable Data Access logs for the three restricted projects (and any critical services) because Data Access is not enabled by default and can be high volume/cost. 2) Use aggregated log sinks at the organization or folder level to capture logs from all 12 projects and both folders, simplifying management and ensuring coverage even as projects change. 3) Route to Pub/Sub for streaming to a SIEM (common pattern), or to BigQuery/Cloud Storage for analytics/archival; then set retention to >= 400 days using Logging buckets with custom retention or by exporting to Cloud Storage with lifecycle policies / BigQuery retention controls. 4) Use log views and exclusions carefully to control cost while preserving compliance-relevant events. Common Misconceptions: It’s tempting to use Monitoring metrics (option B) or custom automation (option A), but those do not provide authoritative, comprehensive audit trails across IAM, data access, and key usage, nor do they meet long retention and cross-environment correlation requirements as cleanly as Audit Logs + sinks. Exam Tips: When you see “IAM policy changes,” “who did what,” “service account key usage,” “central correlation,” “no agents,” and “long retention,” think: Cloud Audit Logs + aggregated sinks + SIEM integration. Remember Data Access logs must be explicitly enabled and can be scoped to sensitive projects/services to balance cost and compliance.

Question 4

A regional engineering group at a healthcare company registered a separate Google Workspace with Cloud Identity and created a new Organization resource. Within 90 days, they launched 180 projects across 8 folders to host regulated analytics workloads and connected them to a shared VPC. Your centralized platform security team must assume control of who can grant permissions across this Organization and ensure the ability to audit access and configuration activity across all projects and folders. Which type of access should be granted to your team at the Organization level to meet this requirement?

Question 5

Your biomedical analytics team is migrating a bursty batch-processing render farm to a Compute Engine cluster that uses autoscaling Managed Instance Groups (MIGs) across 3 zones and can scale from 8 to 200 VMs in under 5 minutes, and security requires that you retain full control of the boot disk encryption key lifecycle (including quarterly rotation, immediate disablement during incidents, and audit visibility); which boot disk encryption solution should you configure to meet these requirements without slowing rapid instance creation?

Question Analysis

Core Concept: This question tests Google Cloud disk encryption choices for Compute Engine at scale, specifically the difference between CSEK (customer-supplied keys) and CMEK (customer-managed keys in Cloud KMS) and how they affect operational control, auditability, and autoscaled Managed Instance Group (MIG) performance. Why the Answer is Correct: Customer-managed encryption keys (CMEK) with Cloud KMS best matches the stated requirements: full control of the key lifecycle (quarterly rotation), immediate disablement during incidents, and audit visibility, while still supporting rapid VM creation in autoscaling MIGs. With CMEK, the boot disk is encrypted with a key you control in Cloud KMS. You can rotate keys on a schedule, disable or destroy a key version to prevent future disk attach/VM boot operations that require decrypt, and rely on Cloud Audit Logs for key usage visibility. This aligns with the Google Cloud Architecture Framework’s security and compliance principles: centralized key management, auditable controls, and operational resilience. Key Features / Configurations / Best Practices: - Use Cloud KMS key rings/keys in the same region as the disks; grant the Compute Engine service agent the required KMS permissions (e.g., cloudkms.cryptoKeyEncrypterDecrypter) on the key. - Enable rotation policy (e.g., 90 days) and manage key versions; understand that rotation affects new encrypt operations and re-encryption workflows, not magically re-encrypting existing disks unless you perform re-encryption. - Incident response: disabling a key version can immediately block new decrypt operations (impacting new instance boots/attaches that need decrypt), providing a strong “kill switch.” - Audit: Cloud KMS generates detailed audit logs for encrypt/decrypt and key access, supporting compliance evidence. - Performance: CMEK is designed for cloud-scale automation; MIG instance creation remains fast because key operations are handled by Google infrastructure with KMS integration, avoiding per-instance key material injection. Common Misconceptions: CSEK can look like “more control” because you supply the key, but it shifts heavy operational burden to you (secure distribution to every create/attach call) and is poorly suited to bursty autoscaling. Google-managed keys are simplest but fail the “full control” and “immediate disablement” requirements. Pre-encrypting files doesn’t address boot disk encryption or VM lifecycle controls. Exam Tips: For Compute Engine disks: choose CMEK (Cloud KMS) when you need centralized lifecycle management, audit logs, and the ability to disable access quickly at scale. Choose CSEK only when you must provide raw key material per request and can tolerate significant automation complexity—rare for autoscaling MIG scenarios.

Want to practice all questions on the go?

Download Cloud Pass for free — includes practice tests, progress tracking & more.

Question 6

You are designing the key management strategy for a U.S.-based fintech launching a payment tokenization API on Google Cloud. Requirements:

Rotate the root (key-encryption) key at least every 45 days via a managed schedule.
The system that stores the root key must be FIPS 140-2 Level 3 validated.
Keep the root key within multiple regions in the United States for redundancy (US-only residency). Which option best satisfies these requirements?

Question 7

You are the security lead for a fintech company with PCI DSS scope operating across 3 Google Cloud projects under a single organization. An external assessor requests downloadable evidence (CSV or JSON) listing who currently has which permissions to all 58 Cloud Storage buckets and 12 BigQuery datasets in the prod folder, including access granted via groups and inherited roles, as of today; you must produce this access review without changing any policies and be able to filter by principals and permissions for the audit. Which Google Cloud tool should you use?

Question Analysis

Core Concept: This question tests IAM visibility for compliance evidence: producing an access review that enumerates effective access (including group membership and inheritance) across many resources, exportable for auditors, without modifying policies. In Google Cloud, this is addressed by IAM Policy Analyzer (part of Policy Intelligence), which can analyze who has access to what across a scope (project/folder/org) and supports filtering and exporting results. Why the Answer is Correct: Policy Analyzer is designed for access reviews and compliance reporting. It can answer “who has what access” to resources such as Cloud Storage buckets and BigQuery datasets by evaluating IAM policies, including access granted through Google Groups and inherited roles from higher in the resource hierarchy (organization/folder/project). It supports querying by principal, role/permission, and resource, and it can produce downloadable outputs (CSV/JSON) suitable as point-in-time evidence for PCI DSS audits. Importantly, it is read-only analysis: it does not require changing IAM policies. Key Features: - Organization/folder/project scoping: ideal for a fintech with multiple projects under one org and a “prod” folder. - Effective access analysis: includes direct bindings, group-derived access, and inherited bindings. - Filtering: auditors often ask to filter by principal (user/service account/group) and by permission/role; Policy Analyzer supports these dimensions. - Exportable evidence: results can be exported/downloaded (CSV/JSON) for audit artifacts. - Aligns with Google Cloud Architecture Framework (Security, Governance, Risk & Compliance): continuous visibility, least privilege validation, and auditability without operational disruption. Common Misconceptions: Policy Troubleshooter is often confused with Policy Analyzer because both are in Policy Intelligence. Troubleshooter is optimized for answering a single “can principal X access resource Y” question and explaining why, not for generating a comprehensive inventory across dozens of buckets/datasets. IAM Recommender suggests least-privilege changes (and would imply policy changes), and Policy Simulator is for testing hypothetical policy changes—both are not appropriate for producing current-state evidence. Exam Tips: When the prompt emphasizes “downloadable evidence,” “access review,” “who currently has which permissions,” “including groups and inherited roles,” and “no policy changes,” think Policy Analyzer. Use Troubleshooter for one-off access debugging, Simulator for what-if testing, and Recommender for rightsizing permissions. Also note the compliance framing (PCI DSS) and the need to operate at folder/org scope—strong signals for Policy Analyzer.

Question 8

Your company is onboarding a construction subcontractor for a 4-month engagement; the subcontractor uses an external SAML 2.0/OIDC IdP (e.g., Okta) for its 180 users, and you must provide them least-privilege access to two Google Cloud projects via both the Google Cloud Console and gcloud while strictly avoiding creation or synchronization of any subcontractor identities in Cloud Identity/Google Workspace, preventing any password storage/replication in your environment, and allowing the subcontractor to retain full user lifecycle control; what is the most secure way to enable SSO under these constraints?

Question Analysis

Core concept: This question tests identity federation for external users without creating local identities, specifically Google Cloud Workforce Identity Federation (WIF) for console and gcloud access. It aligns with the Google Cloud Architecture Framework security principles of centralized identity, least privilege, and reducing credential risk. Why the answer is correct: Workforce Identity Federation lets you trust an external SAML 2.0 or OIDC IdP (such as Okta) and allow users to obtain short-lived Google credentials to access Google Cloud resources. Crucially, you do not create or sync subcontractor users into Cloud Identity/Google Workspace, and you do not store or replicate passwords in your environment. The subcontractor retains full lifecycle control (joiner/mover/leaver) in their IdP; when a user is disabled there, federation immediately prevents new token issuance. You then grant IAM roles directly to federated principals (workforce pool subjects/groups/attributes) at the project level for least privilege across the two projects. Key features / configuration notes: 1) Create a workforce identity pool and provider that trusts the subcontractor IdP (SAML or OIDC) and configure attribute mapping (for example, map IdP groups to google.subject or custom attributes). 2) Use IAM principal identifiers like principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/… or attribute-based access to bind roles to only the needed users/groups. 3) Users access the Cloud Console via workforce federation sign-in and use gcloud via workforce identity federation login flows, receiving short-lived tokens rather than long-lived passwords/keys. 4) Apply least privilege with predefined roles, conditions (IAM Conditions) if needed, and separate bindings per project. Common misconceptions: Many assume SSO requires Cloud Identity/Workspace accounts. That’s true for some legacy patterns, but WIF is designed specifically to avoid local account provisioning and password handling. Another misconception is that service accounts are needed for human access; for external workforce users, workforce federation is the correct pattern. Exam tips: If requirements include: no user provisioning/sync, no password replication, external IdP remains source of truth, and access via console + gcloud, think “Workforce Identity Federation.” If the users are from another Google Cloud organization (partners) you might consider cross-org IAM, but for non-Google identities with SAML/OIDC, WIF is the secure, modern approach.

Question 9

You are investigating 403 access denied errors when Compute Engine instances in a service project (svc-proj-200) attached to a Shared VPC in a host project (host-proj-100) attempt to read objects from a Cloud Storage bucket (gs://org-logs-bucket) located in a data project (data-proj-300). The data project is protected by a VPC Service Controls service perimeter named perimeter-data that currently includes only data-proj-300 and restricts Cloud Storage and BigQuery. The instances have roles/storage.objectViewer, the subnet has Private Google Access enabled, and egress firewall rules allow Google APIs. You must resolve the errors without weakening the perimeter's protections. What should you do?

Question Analysis

Core Concept: This question tests VPC Service Controls (VPC-SC) service perimeters and how they enforce data exfiltration boundaries for Google-managed services like Cloud Storage. VPC-SC evaluates the “project of the caller” (the project associated with the credentials/access token) and whether that project is inside the same perimeter as the protected resource. Why the Answer is Correct: The Cloud Storage bucket is in data-proj-300, which is inside perimeter-data. The Compute Engine VMs run in svc-proj-200 and access the bucket using identities (VM service account or attached service account) that belong to the service project context. Even though networking uses a Shared VPC from host-proj-100 and Private Google Access is enabled, VPC-SC is not a network firewall; it is an API-level boundary. If svc-proj-200 is outside the perimeter, requests to Cloud Storage in the perimeter are treated as coming from outside and are denied (403) unless an explicit perimeter exception applies. To fix access without weakening protections, you should add svc-proj-200 to the existing perimeter so the caller project and the protected bucket project are within the same perimeter. Key Features / Best Practices: - Service perimeters protect supported services (here: Cloud Storage and BigQuery) by restricting access based on perimeter membership and Access Context Manager policies. - Shared VPC host project membership does not automatically make service projects “inside” the perimeter for API access decisions. - Private Google Access and egress firewall rules only ensure connectivity to Google APIs; they do not satisfy VPC-SC perimeter checks. - Adding the service project to the same perimeter preserves the boundary while enabling legitimate intra-perimeter access. Common Misconceptions: A common trap is assuming the Shared VPC host project controls the security boundary for API access (option A). Another is thinking a perimeter bridge is needed for any cross-project access (option D); bridges are for connecting two separate perimeters, not for allowing access from outside into a perimeter. Exam Tips: When you see 403s with VPC-SC and a protected resource, identify (1) which project holds the resource, (2) which project the caller identity is associated with, and (3) whether both are in the same perimeter. If not, the typical fix is to add the caller project to the perimeter (or redesign perimeters), rather than changing IAM, routes, or firewall rules.

Question 10

You administer 8 production projects under a parent folder named prod-services in organization org-123. Compliance requires centralizing all audit and application logs from those projects with a 400-day retention period. Analysts must query these logs using Logs Explorer from a dedicated project named sec-logging without being granted direct access to the production projects. What should you do?

Question Analysis

Core Concept: This question tests centralized logging architecture using Cloud Logging: aggregated sinks (folder/org scope), centralized Log Analytics via log buckets, retention configuration, and IAM that enables analysts to query logs without granting access to source projects. Why the Answer is Correct: An aggregated sink at the prod-services folder captures logs from all descendant projects (the 8 production projects) without needing per-project sinks. Routing to a centralized log bucket in the sec-logging project enables a single place to store and analyze logs. Setting the log bucket retention to 400 days satisfies compliance. Analysts can be granted permissions (for example, roles/logging.viewer or roles/logging.viewAccessor scoped to the destination bucket/project, and optionally Log Analytics roles depending on configuration) to use Logs Explorer against the centralized bucket, without any IAM bindings on the production projects. This meets the requirement: centralized audit + application logs, long retention, and query access isolated from production. Key Features / Configurations: - Aggregated sink at folder scope (prod-services) to collect from all child projects. - Destination: Cloud Logging log bucket in sec-logging (not just a storage export). - Configure bucket retention to 400 days (bucket-level retention is the correct control for log retention in Cloud Logging). - Grant analysts least-privilege access on the destination (sec-logging project and/or specific log bucket) so they can query via Logs Explorer. - Ensure inclusion of Admin Activity, Data Access (if required), and application logs as needed; note that some audit log types may have special considerations, but routing to a central bucket is the standard approach. Common Misconceptions: - Confusing Monitoring workspaces with Logging centralization: Monitoring workspaces don’t centralize log storage/retention. - Assuming org-level Logs Explorer access is sufficient: it typically requires broad permissions across production projects, violating the isolation requirement. - Exporting to Cloud Storage for retention: Cloud Storage exports are not queryable in Logs Explorer and shift analysis to other tools. Exam Tips: When you see “centralize logs,” “long retention,” and “query in Logs Explorer without access to source projects,” think: aggregated sink (folder/org) -> centralized log bucket with configured retention -> IAM on destination only. This aligns with Google Cloud Architecture Framework principles of centralized governance, least privilege, and auditability for compliance.

Practice Test #1

Triple AI-Verified Answers & Explanations

Practice Questions

Success Stories(6)

Other Practice Tests

Practice Test #2

Practice Test #3

Start Practicing Now