Preguntas de práctica

Pregunta 1

Your marketing analytics unit (120 users) plans to adopt Google Cloud for BigQuery and Vertex AI within 30 days, and company policy requires that all identities remain company-owned and all sign-ins use the corporate SAML 2.0 IdP; while attempting to create a new Cloud Identity tenant for example.com, the Platform Engineer discovers that example.com is already verified and actively used by an internal Google Workspace deployment with 850 active accounts and existing SAML SSO, and needs guidance on how to proceed with the least disruption and without violating the policy. What should you advise?

Pregunta 2

(Selecciona 2)

Your company operates eight autonomous product studios, each with approximately 3,000 users and contractors, and about 1,200 Google Cloud projects distributed across those studios. You must delegate access control administration with the following requirements: ✑ Each studio must administer access only for its own projects and not see or change other studios' projects. ✑ Access must be manageable at scale across hundreds of projects per studio. ✑ When a user transfers to a different studio or leaves the company, their access must be removed within 1 hour. ✑ The authoritative source for users and groups is the on-premises Active Directory, and Google accounts are in Cloud Identity. What should you do? (Choose two.)

Pregunta 3

A team operates 60 Compute Engine VMs in a managed instance group that must securely read database passwords and third‑party API tokens both at boot and on demand; security policy requires centrally stored secrets with per‑secret IAM controls, access over TLS, versioning and rotation every 90 days, audit logs for every read, optional CMEK support, and a prohibition on storing secrets in instance metadata or guest attributes—what should you recommend?

Análisis de la pregunta

Core Concept: This question tests choosing the correct managed secret storage service for applications running on Compute Engine, emphasizing centralized secret management, fine-grained IAM, auditability, rotation/versioning, and secure retrieval. In Google Cloud, Secret Manager is the purpose-built service for application secrets, while Cloud KMS is primarily for key management and cryptographic operations. Why the Answer is Correct: Secret Manager directly meets every stated requirement: secrets are centrally stored; access is controlled with per-secret IAM (Secret Manager Secret/Secret Version permissions); retrieval uses Google APIs over TLS; secrets are versioned (each update creates a new version); rotation can be implemented with built-in rotation schedules and Pub/Sub notifications (commonly paired with Cloud Functions/Cloud Run jobs) on a 90-day cadence; and Cloud Audit Logs record Admin Activity and Data Access logs for secret reads (when Data Access logging is enabled for the project). It also supports optional CMEK via Cloud KMS to encrypt secrets at rest with customer-managed keys. Finally, it avoids prohibited patterns like instance metadata or guest attributes. Key Features / Best Practices: Use Workload Identity (service accounts attached to the MIG) and grant least privilege at the secret level (e.g., roles/secretmanager.secretAccessor on only required secrets). Prefer accessing secrets at runtime via the Secret Manager API rather than baking them into images. Use version aliases like "latest" carefully; pin versions for controlled rollouts. Implement rotation with Secret Manager rotation + an automated rotator that updates the upstream system (DB password/API token) and then adds a new secret version. Ensure Data Access audit logs are enabled and routed to a central logging sink for compliance. Common Misconceptions: Cloud KMS is often chosen because it is “security” and supports CMEK, but KMS manages encryption keys, not application secrets lifecycle (no native per-secret secret retrieval semantics, rotation workflows for passwords/tokens, or secret version access patterns). Metadata and guest attributes are convenient for bootstrapping but violate the explicit policy prohibition and are not designed for strong secret governance. Exam Tips: On the Security Engineer exam, map requirements to the managed service designed for that artifact: keys/cert crypto operations -> Cloud KMS/Certificate Authority Service; application secrets (passwords, tokens) -> Secret Manager. Look for keywords like versioning, rotation, per-secret IAM, and audit logs for reads—these strongly indicate Secret Manager. Also note policy constraints (no metadata/guest attributes) that eliminate common bootstrapping shortcuts.

Pregunta 4

(Selecciona 2)

Your security team just created a custom-mode VPC named seg-west (10.30.0.0/16) with one subnet us-west1-prim (10.30.10.0/24) and intentionally no user-defined firewall rules; a VM named gw-01 in that subnet has an ephemeral external IP, and the team tests: (1) from gw-01, curl https://8.8.8.8:443, (2) from the public internet, attempt SSH (TCP/22) and HTTP (TCP/80) to gw-01, and (3) attempt SMTP egress on TCP/25 from gw-01; which two behaviors are guaranteed solely by Google Cloud's implied VPC firewall rules before any custom rules are added? (Choose two.)

Pregunta 5

Your video analytics platform operates 400 Compute Engine VMs across 12 projects in us-central1, europe-west1, and asia-southeast1. Rapid hiring has caused base image drift, inconsistent CIS-level hardening, and missed critical OS patches. Security requires that: (1) all new instances launch only from organization-approved hardened images; (2) critical OS patches are applied within 48 hours across all projects; and (3) baseline controls remain enforced throughout each VM's lifecycle. You need a centrally managed approach to standardize images and automate enforcement from provisioning through ongoing operations. What should you do?

Análisis de la pregunta

Core Concept: This question tests centralized VM security operations: standardized golden images plus continuous configuration/patch enforcement at scale across projects and regions. The key Google Cloud services are Compute Engine image management (image projects, image families, IAM/Org Policy) and VM Manager (OS Config) for patching and OS policy compliance. Why the Answer is Correct: Option A combines the two required control planes: (1) a controlled image supply chain by maintaining hardened, organization-approved images in a dedicated image project and exposing them via image families for consistent provisioning; and (2) ongoing enforcement using OS Config to apply critical patches within a defined window (48 hours) and to continuously evaluate/enforce baseline configuration through OS policies. This meets all three requirements: approved images for new instances, rapid patch rollout across 12 projects, and lifecycle enforcement (not just point-in-time checks). Key Features / How to Implement: - Golden images: Create a central “image factory” project that publishes hardened images (CIS-aligned) as Compute Engine images and uses image families to ensure instance templates always pick the latest approved version. Control access with IAM and optionally Organization Policy constraints (e.g., restrict image projects). - Patching: Use OS Config patch jobs and patch deployments (with schedules and disruption controls) to target fleets by labels, zones/regions, or projects, and to enforce patch SLAs. - Baseline controls: Use OS Config OS policies (OS policy assignments) to enforce packages, files, services, and configuration state continuously, with compliance reporting. - Operations alignment: This supports Google Cloud Architecture Framework operational excellence and security principles by standardizing builds, automating remediation, and providing auditable compliance signals. Common Misconceptions: - Monitoring-only tools (like Security Command Center) don’t enforce patches/config by themselves. - CI/CD image baking alone doesn’t ensure existing VMs stay patched within 48 hours. - Sole-tenant nodes are about isolation/compliance placement, not image governance and patch automation. Exam Tips: When requirements include both “only approved images at provisioning” and “continuous enforcement + patch SLAs,” look for a pairing of image governance (central image project + families + IAM/Org Policy) with OS Config for patching and policy-based configuration management. Distinguish detection (SCC) from enforcement (OS Config/Org Policy).

¿Quieres practicar todas las preguntas en cualquier lugar?

Descarga Cloud Pass gratis — incluye exámenes de práctica, seguimiento de progreso y más.

Pregunta 6

In a fintech company's Google Cloud environment, the SOC needs the on-premises SIEM to ingest only Compute Engine Admin Activity audit logs and VPC Flow Logs from two projects (proj-sec-01 and proj-sec-02). Access must be read-only, limited to the most recent 30 days, and must not require creating or distributing any long-lived service account keys. Your enterprise IdP is SAML 2.0 and supports OIDC via workforce identity federation; the SIEM can call Google Cloud APIs using short-lived OIDC tokens. You want to minimize data exposure in Google Cloud and avoid copying all logs to external systems. What should you do?

Pregunta 7

(Selecciona 2)

Your team is rolling out a global event-ticketing web front end that peaks at 10,000 requests per second across us-central1, europe-west1, and asia-southeast1; to block XSS/SQLi and abusive IP ranges before traffic hits your services, you plan to enforce Google Cloud Armor WAF and rate limiting at the edge—what two infrastructure prerequisites must be in place for the Cloud Armor security policy to actually evaluate and filter requests? (Choose two.)

Análisis de la pregunta

Core concept: Google Cloud Armor security policies are enforced only on supported external load-balancing paths, primarily external HTTP(S) load balancers for WAF features such as XSS/SQLi protection and HTTP rate limiting. For the policy to actually inspect and filter requests, traffic must traverse the external HTTP(S) proxy layer and the policy must be attached to an eligible external backend service. Why the answer is correct: E is correct because Cloud Armor WAF and HTTP rate limiting are evaluated on requests handled by an external HTTP(S) load balancer, such as the external Application Load Balancer or classic external HTTP(S) load balancer. This is the Layer 7 entry point where Google can inspect HTTP attributes, apply preconfigured WAF signatures, and enforce rate-based rules before forwarding traffic to backends. If traffic does not enter through this supported HTTP(S) load-balancing stack, the Cloud Armor policy will not evaluate the web requests in the intended way. D is correct because the Cloud Armor security policy is associated with a backend service used by the external load balancer, and that backend service must be an external backend service. In practice, this means the backend service is configured for external load balancing (loadBalancingScheme=EXTERNAL), which is the supported attachment point for the policy in this scenario. Without an eligible external backend service behind the external HTTP(S) load balancer, there is no valid enforcement point for the Cloud Armor policy. Key features: - Cloud Armor WAF and HTTP rate limiting are Layer 7 protections evaluated on supported external HTTP(S) load balancers. - Security policies are attached to backend services, not directly to instances or unmanaged public endpoints. - External Application Load Balancer and classic external HTTP(S) load balancer are the common exam-relevant entry points for Cloud Armor web protection. Common misconceptions: - Premium Tier is often associated with global load balancing, but it is not the core prerequisite being tested here for Cloud Armor policy evaluation. - External SSL Proxy load balancers are not the standard answer when the question explicitly asks about WAF protections like XSS and SQLi, which are HTTP-specific. - A statement about what fields rules can match is not the same as an infrastructure prerequisite. Exam tips: When a question mentions Cloud Armor WAF, XSS/SQLi, or HTTP rate limiting, first identify the supported Layer 7 entry point: an external HTTP(S) load balancer. Then look for the valid policy attachment target: the external backend service behind that load balancer. Distinguish true deployment prerequisites from descriptive statements about rule behavior or unrelated load balancer types.

Pregunta 8

You manage security for a media analytics firm hosting 3 internal web dashboards (2 on Cloud Run and 1 on a managed instance group behind a global external HTTP(S) Load Balancer) that must be reachable over the public internet but only by 500 employees in your Google Workspace domain; you need to enforce per-user and group-based access with OAuth 2.0 sign-in, optionally apply device-based restrictions via Access Context Manager, avoid using client VPNs or custom reverse proxies, and capture detailed access audit logs in Cloud Logging. Which Google Cloud service should you use to centrally enforce authentication and fine-grained access control for these applications?

Análisis de la pregunta

Core Concept: This question tests centralized, identity-based access control for web applications exposed to the public internet without using VPNs or custom proxies. In Google Cloud, the primary service for per-user OAuth 2.0 authentication and authorization in front of HTTP(S) apps is Identity-Aware Proxy (IAP), often paired with Google Workspace identities and optionally Access Context Manager (BeyondCorp). Why the Answer is Correct: Identity-Aware Proxy sits in front of supported Google Cloud backends (including Cloud Run and external HTTP(S) Load Balancers) and enforces Google identity sign-in (OAuth 2.0) before any request reaches the application. It supports fine-grained access via IAM (users, groups, and service accounts), which directly matches the requirement to allow only 500 employees in a Google Workspace domain and to apply group-based access. Because IAP is identity-aware, it avoids network-based controls like VPNs and does not require building a custom reverse proxy. Key Features / Configurations / Best Practices: 1) IAM-based authorization: grant the IAP-secured Web App User role to Workspace groups for each app. 2) OAuth consent and brand: configure an OAuth brand and client for IAP. 3) Device/context restrictions: integrate with Access Context Manager to require access levels (e.g., managed devices, compliant OS, trusted IP ranges) for IAP-protected resources. 4) Centralized logging: IAP generates detailed audit logs (Admin Activity / Data Access depending on configuration) and request logs that can be exported via Log Router to SIEM or storage, satisfying the Cloud Logging audit requirement. 5) Architecture Framework alignment: implements “Identity and access management” and “Network security” principles by shifting trust from network location to verified identity and context (BeyondCorp). Common Misconceptions: Cloud Armor can restrict traffic by IP/geo and mitigate L7 attacks, but it does not provide per-user OAuth sign-in or group-based authorization. Cloud NAT is egress-only and unrelated to inbound user authentication. Shielded VMs harden VM boot integrity but do not control who can access web dashboards. Exam Tips: When you see “public internet but only specific employees,” “OAuth 2.0 sign-in,” “group-based access,” “no VPN,” and “Cloud Logging auditability,” think IAP + IAM + (optional) Access Context Manager. Also remember IAP works naturally with HTTP(S) Load Balancing and Cloud Run, making it a common exam pattern for BeyondCorp-style access.

Pregunta 9

Your security team plans to roll out VPC Service Controls across 12 production projects organized into 4 service perimeters and wants a 14-day evaluation period to test perimeter rule changes and observe potential violations in logs without interrupting any existing access paths (including BigQuery and Cloud Storage requests from on-prem via Private Service Connect). Which VPC Service Controls mode should you use to validate the impact safely while ensuring no requests are blocked during the evaluation window?

Análisis de la pregunta

Core Concept: VPC Service Controls (VPC SC) provides a service perimeter around Google-managed services (for example, BigQuery and Cloud Storage) to reduce data exfiltration risk. Perimeters can be applied across multiple projects and can restrict access based on identity, network, and access level conditions. VPC SC supports an evaluation approach using “dry-run” to observe what would be denied without enforcing blocks. Why the Answer is Correct: “Dry run” mode is designed specifically to validate perimeter configuration changes safely. In dry-run, VPC SC evaluates requests against the dry-run perimeter configuration and records violations in logs, but it does not block the requests. This matches the requirement for a 14-day evaluation window where the team wants to test rule changes and observe potential violations without interrupting any existing access paths, including on-premises access patterns such as BigQuery/Cloud Storage requests coming through Private Service Connect. Key Features / Best Practices: 1) Dry-run perimeters: You can keep the enforced perimeter stable while iterating on a dry-run configuration to see the impact before turning on enforcement. 2) Logging and monitoring: Dry-run generates VPC SC violation logs (and related audit logs) that can be routed to SIEM/SOAR for analysis. This supports the Google Cloud Architecture Framework principle of “operational excellence” and “security by design” through measurable controls. 3) Gradual rollout: With 12 projects and 4 perimeters, dry-run enables staged validation per perimeter and reduces blast radius. After the evaluation, you can promote the tested rules to enforced mode. Common Misconceptions: Many confuse “native” or “enforced” as required for “real” testing. However, enforced mode will actively deny non-compliant requests, which contradicts the requirement to avoid interruption. Another misconception is that you must enforce to see violations; dry-run is explicitly built to surface violations without blocking. Exam Tips: When a question emphasizes “observe violations,” “test changes,” “no disruption,” or “evaluate impact,” the correct VPC SC choice is almost always “dry run.” If the question instead requires actively preventing data exfiltration immediately, then “enforced” is appropriate. Also remember that complex access paths (hybrid/on-prem, PSC, VPN/Interconnect) are exactly where dry-run helps uncover unexpected dependencies before enforcement.

Pregunta 10

You are launching a payment reconciliation service on Cloud Run in asia-southeast1. A regulatory requirement mandates that application logs be retained for 10 years and that all log data remain within Singapore (asia-southeast1) at all times. The service emits approximately 40 GB of logs per day, and your team wants a low-overhead, cost-effective, Google-managed approach. What should you do?

Análisis de la pregunta

Core concept: This question tests Cloud Logging data residency and retention controls using Log Router and regional log buckets. For Cloud Run, application logs are automatically ingested into Cloud Logging; the compliant, low-overhead approach is to control where logs are stored and how long they are retained using Cloud Logging’s managed storage. Why the answer is correct: A regulatory requirement mandates (1) 10-year retention and (2) all log data must remain in Singapore (asia-southeast1) at all times. Creating a regional Cloud Logging log bucket in asia-southeast1 and routing the Cloud Run service logs to that bucket satisfies both: the bucket’s location enforces regional storage, and the bucket’s retention setting enforces long-term retention without building custom pipelines. Updating the Log Router ensures only the relevant logs are stored in that bucket, and you can optionally exclude them from the default bucket to avoid noncompliant storage locations. Key features and best practices: - Regional log buckets: Cloud Logging supports log buckets with a specified location (regional). Storing logs in a regional bucket is the primary mechanism for log data residency. - Custom retention: Configure the bucket retention to 3650 days (10 years). This is enforced by Cloud Logging and reduces operational burden. - Log Router sinks: Create an inclusion filter targeting the Cloud Run service (resource.type="cloud_run_revision" and service name/region labels) and route to the regional bucket. Use exclusions on the default bucket if needed to prevent duplicate storage. - Compliance alignment: This maps to the Google Cloud Architecture Framework’s compliance and data governance principles—use managed controls, least operational overhead, and explicit data location constraints. Common misconceptions: It’s tempting to export logs to Cloud Storage for “cheap long-term storage,” but that adds pipeline complexity and can violate “remain within Singapore at all times” if logs land in the default global logging bucket first or if routing is misconfigured. Similarly, adding agents/sidecars is not aligned with Cloud Run’s fully managed model and increases maintenance. Exam tips: For residency + retention requirements, prefer Cloud Logging regional buckets + Log Router over DIY exports. Remember: Cloud Run already integrates with Cloud Logging—focus on configuring sinks/buckets rather than modifying the app. Also consider volume (40 GB/day): managed logging buckets scale without you managing ingestion infrastructure, and you can apply filters to control cost.

Practice Test #3

Respuestas y explicaciones verificadas por triple IA

Preguntas de práctica

Historias de éxito(6)

Otros exámenes de práctica

Practice Test #1

Practice Test #2

Comienza a practicar ahora