Visit here for our full Google Professional Cloud Security Engineer exam dumps and practice test questions.
Question 81
Which solution ensures that Cloud Functions can access secrets securely without exposing them in environment variables?
A) Store secrets in plaintext files
B) Use Secret Manager with runtime access
C) Hard-code secrets into function code
D) Use Cloud Storage public objects
Answer: B
Explanation:
Storing secrets in plaintext files is one of the most insecure methods for managing sensitive information. When secrets such as API keys, database passwords, or access tokens are placed directly in local configuration files, they become vulnerable to accidental exposure. These files may be copied, backed up, logged, or checked into version control systems where they can be accessed by unauthorized individuals. Even within a controlled environment, plaintext files provide no encryption, no access auditing, and no ability to enforce fine-grained permissions. Any compromise of the file system or host machine exposes the stored secrets immediately. This approach also complicates rotation because updates require manually editing files and redeploying workloads, which increases operational risk.
Using Secret Manager with runtime access provides a secure, scalable, and cloud-native method for handling sensitive datA) Secret Manager encrypts secrets at rest and in transit and allows access only to identities that have been granted appropriate IAM permissions. By retrieving secrets at runtime instead of embedding them in code, applications avoid storing long-lived credentials in vulnerable places. Secret Manager supports secret versioning, which makes rotation safe and easy, enabling organizations to regularly refresh credentials without downtime. Audit logs track every access request, helping meet compliance and monitoring requirements. Because Secret Manager integrates seamlessly with Google Cloud services, workloads can retrieve secrets using short-lived tokens rather than relying on static files. This significantly reduces the attack surface and supports modern security practices based on least privilege, centralized governance, and automated credential lifecycle management. It ensures secrets remain protected, traceable, and easy to manage across distributed architectures.
Hard-coding secrets into function code is another risky practice because the secrets become visible to anyone who can view the source code, deployment artifacts, or runtime logs. This also makes rotation difficult, requiring code changes and redeployment. If the code is stored in shared repositories, the secrets may inadvertently leak.
Using Cloud Storage public objects for secret storage is extremely unsafe because public buckets allow any user on the internet to access the stored datA) Even private buckets are not designed for secret management and lack fine-grained secret-specific features.
Given these considerations, using Secret Manager with runtime access is the correct answer because it provides secure storage, controlled access, encrypted handling, and reliable secret lifecycle management.
Question 82
Which Google Cloud feature helps detect when IAM permissions expand unexpectedly or when privileged roles are assigned improperly?
A) Cloud Monitoring
B) IAM Recommender
C) Cloud NAT logs
D) OS Login
Answer: B
Explanation:
Cloud Monitoring provides visibility into the performance and health of applications and infrastructure by collecting metrics, uptime data, and alerts. It is an essential tool for operational oversight, helping teams diagnose latency issues, resource bottlenecks, and service disruptions. While Cloud Monitoring delivers important insights into system behavior, it does not evaluate IAM permissions or identify excessive access privileges. Its role is centered around observability, not security optimization or governance of identity and access policies. Therefore, it cannot help organizations reduce privilege sprawl or determine whether users are over-permissioneD)
IAM Recommender, however, focuses directly on improving access security by analyzing how identities interact with cloud resources over time. It reviews permissions actually used by users and service accounts and compares them to the roles granteD) If a user has been given broad roles that include permissions they never use, IAM Recommender identifies these excessive privileges and suggests more restrictive, least-privilege alternatives. This helps organizations avoid risks associated with overly permissive access, such as unintended data exposure or unauthorized resource modification. The tool evaluates real usage patterns, meaning its suggestions are grounded in observable behavior rather than static policy assumptions. This makes it especially valuable in complex environments where roles accumulate over months or years and manual audits are impractical. IAM Recommender also helps streamline governance by automating repetitive security reviews and providing actionable guidance for administrators. With its ability to reduce unnecessary permissions and strengthen compliance posture, it is a critical tool for improving overall IAM hygiene.
Cloud NAT logs provide insights into outbound network traffic for private instances but have no relationship to permission governance. They cannot determine whether an identity has excessive access rights or whether an IAM role is appropriate.
OS Login centralizes SSH access by tying virtual machine logins to IAM identities. While it improves SSH security and auditability, it does not analyze role usage or suggest permission adjustments.
Given these considerations, IAM Recommender is the correct answer because it directly enhances security by identifying excessive permissions and offering data-driven least-privilege recommendations.
Question 83
Which service helps ensure that API calls from a Cloud Run service to Google Cloud services are authenticated using identity tokens instead of API keys?
A) Service account identity tokens
B) Firewall rules
C) API Gateway keys
D) Cloud NAT identity mapping
Answer: A
Explanation:
Service account identity tokens provide a secure and modern method for authenticating workloads and services in Google ClouD) These tokens are generated dynamically and represent the identity of a service account without requiring the use of long-lived private keys. Because they are short-lived and issued on demand through the metadata server, they reduce the risk associated with credential exposure, accidental leakage, or theft of static keys. Identity tokens are especially important for service-to-service authentication, where workloads must securely prove their identity before interacting with APIs or protected services. By relying on built-in token generation rather than manual key handling, organizations benefit from better security hygiene, easier key rotation, and compatibility with zero trust architectures. Identity tokens integrate seamlessly with IAM, allowing fine-grained authorization decisions based on the service account’s assigned roles. This minimizes operational overhead and ensures that workloads authenticate using standardized, auditable, and centrally managed cloud identity mechanisms instead of custom or insecure methods.
Firewall rules operate at the network layer and help control traffic flow by allowing or denying connections based on IP ranges, ports, and protocols. While they are a critical part of network security, firewall rules do not provide identity-based authentication. They cannot confirm which service or workload is making a request; they only examine network characteristics. Therefore, they cannot serve as a method of secure identity validation or enforce workload-level authorization for cloud services.
API Gateway keys allow access control for public or client-facing APIs, but they offer limited security for internal workloads. API keys do not represent identities, cannot integrate with IAM permissions, and can easily be leaked or reuseD) They are not suitable for secure service-to-service authentication because they lack strong identity guarantees.
Cloud NAT identity mapping does not exist as a mechanism for authentication. NAT is used for routing outbound traffic from private instances, and it does not attach or enforce identity information. It cannot authenticate workloads or secure access to Google Cloud services.
Given these considerations, service account identity tokens are the correct answer because they offer the strongest, identity-centric, short-lived, and secure method for workload authentication in Google ClouD)
Question 84
Which solution ensures that BigQuery data cannot be accessed through direct API calls originating from unmanaged personal devices?
A) IAM deny policies
B) VPC Service Controls
C) Cloud Build triggers
D) Memorystore firewall rules
Answer: B
Explanation:
IAM deny policies are powerful tools that explicitly block certain identities from performing specific actions, regardless of other IAM role bindings that might otherwise grant access. They are useful for enforcing high-confidence restrictions, preventing privilege escalation, and ensuring certain sensitive operations cannot be executed by specific users or service accounts. Despite their importance in access governance, IAM deny policies do not create a network perimeter nor do they restrict where requests originate from. If a user with valid credentials attempts to access a protected service from an untrusted environment, an IAM deny policy will not stop them unless the policy is explicitly configured for that identity and action. Therefore, while useful for targeted control, IAM deny policies do not provide full data perimeter protection.
VPC Service Controls introduce a stronger and more comprehensive layer of security by creating service perimeters around sensitive Google Cloud services such as BigQuery, Cloud Storage, Pub/Sub, and Secret Manager. These perimeters restrict data access so that only requests originating from approved VPC networks, service accounts, or trusted access levels are alloweD) This greatly reduces the risk of data exfiltration, even in situations where an attacker has obtained valid credentials. Without being inside the allowed boundary, the attacker cannot interact with resources protected by the service perimeter. VPC Service Controls also help enforce data residency, prevent unapproved cross-project or cross-environment access, and integrate with other security tools such as Access Context Manager to enforce device or location based policies. Organizations that handle regulated data rely on VPC Service Controls because they offer a robust, context-aware protection model that IAM alone cannot provide. The added network-centric and identity-centric restrictions create a multi-layer boundary, strengthening security from both internal risks and external threats.
Cloud Build triggers automate continuous integration and deployment workflows, allowing builds to start based on events such as commits or tag updates. Although essential for DevOps automation, they offer no protections related to data exfiltration or service boundary enforcement.
Memorystore firewall rules restrict network access to Redis or Memcached instances. While helpful at the network level, they are limited to a single service and cannot control access to APIs or broader cloud resources.
Given these considerations, VPC Service Controls is the correct answer because it provides a comprehensive, service-level perimeter that significantly reduces data exfiltration risks.
Question 85
Which method allows organizations to enforce the use of compliant OS images on all new VMs?
A) VM tagging
B) Organization Policy: allowedComputeEngineImages
C) Firewall policies
D) IAM roles
Answer: B
Explanation:
VM tagging allows administrators to attach metadata labels or tags to virtual machines, making it easier to organize resources, apply network rules, or automate workflows. While tags can help structure environments and simplify management tasks, they do not enforce security restrictions on what machine images users are allowed to deploy. Tags provide classification and grouping, but they offer no mechanism to block unauthorized images or ensure that only approved, secure, and compliant operating system images are used within an organization. Their purpose is organizational and operational rather than regulatory or security-focuseD)
The organization policy allowedComputeEngineImages provides a direct and effective mechanism for enforcing which VM images can be used across the entire organization. This policy allows administrators to restrict the creation of Compute Engine instances to a curated set of trusted images, such as those maintained by the security team, official Google-provided images, or images vetted for compliance with industry or internal standards. By enforcing image restrictions at the organization level, this policy prevents users from deploying outdated, vulnerable, or unauthorized images that could introduce security risks or violate compliance requirements. It ensures uniformity in system configurations, enforces patching baselines, and reduces the attack surface created by inconsistent operating system versions. Organizations that prioritize security and compliance rely on this policy to maintain strong governance over infrastructure deployments. This centralized enforcement also prevents accidental use of personal or unverified images, protecting sensitive workloads from misconfigurations, embedded malware, or unpatched vulnerabilities.
Firewall policies provide network-level control by restricting traffic based on IP, protocols, or ports. While essential for protecting workloads, they cannot restrict which images users deploy. Firewalls focus on traffic flow, not the provenance or validity of VM operating system images.
IAM roles define what actions users and service accounts can take, such as creating or deleting VMs, but they cannot specify which images must be useD) IAM can limit who can create instances but not enforce image selection criteriA)
Given these considerations, the organization policy allowedComputeEngineImages is the correct answer because it provides enforceable, centralized control over which VM images can be deployed, ensuring security, consistency, and compliance across the environment.
Question 86
Which service provides continuous runtime protection for container workloads by identifying suspicious system calls or abnormal behavior?
A) Cloud Armor
B) GKE Sandbox + Runtime Security
C) Cloud DNS
D) VPC Firewall
Answer: B
Explanation:
Cloud Armor is an effective service for protecting applications from external threats such as distributed denial-of-service attacks and malicious traffic reaching internet-facing endpoints. It provides IP-based filtering, geo-restrictions, and managed protection against web-based vulnerabilities. While Cloud Armor is essential for perimeter security at the network and application edge, it does not offer protection for workloads running inside containers, nor does it provide runtime enforcement or isolation for containerized applications within Kubernetes clusters. Because it operates at the load balancer level, its protection does not extend into the internal execution environment of container workloads.
GKE Sandbox combined with runtime security introduces stronger and more granular protection for containerized workloads running in Google Kubernetes Engine. GKE Sandbox uses gVisor, a secure container runtime that provides an additional isolation boundary between containers and the host kernel. This ensures that even if an attacker compromises a container, the ability to escape into the underlying node or interact with other workloads is greatly reduceD) This is particularly important for multi-tenant clusters, environments running untrusted code, or workloads that process sensitive datA) Runtime security tools further enhance protection by monitoring container behavior, detecting anomalies, and preventing unauthorized actions during execution. Together, these capabilities address threats that occur after deployment, such as privilege escalation attempts, malware injection, lateral movement, and exploitation of kernel vulnerabilities. GKE Sandbox and runtime security, therefore, provide defense-in-depth by combining isolation with real-time threat detection.
Cloud DNS is a managed DNS service that helps route traffic reliably and efficiently, but it does not provide workload-level security or runtime isolation. It is purely a networking and name resolution service.
VPC Firewall rules control traffic between network endpoints by filtering packets based on IP addresses, ports, and protocols. Although critical for network segmentation, firewalls cannot protect containers from vulnerabilities inside the runtime environment. They do not prevent kernel exploits or detect malicious behavior occurring within a container.
Given these considerations, GKE Sandbox combined with runtime security is the correct answer because it directly addresses workload isolation, container runtime protection, and in-cluster threat defense, offering a level of security that network-based tools cannot provide.
Question 87
Which mechanism ensures that SQL export operations from BigQuery cannot be performed from outside a protected network boundary?
A) IAM restrictions only
B) VPC Service Controls
C) Firewall rules
D) Cloud Logging
Answer: B
Explanation:
IAM restrictions only help control who can access specific Google Cloud resources and what actions they are allowed to perform. While IAM is fundamental for identity and access management, it does not prevent data from being accessed from untrusted networks, unmanaged devices, or external environments. Even if IAM roles are configured correctly, a compromised identity or a misconfigured service account could still access sensitive data from outside the organization’s trusted boundary. IAM alone cannot enforce data locality, restrict network-level access patterns, or prevent legitimate credentials from being used in malicious ways. Therefore, IAM is necessary but insufficient when the goal is to protect against data exfiltration or unauthorized cross-boundary access.
VPC Service Controls provide an additional, more robust layer of security by creating service perimeters around sensitive Google Cloud services such as BigQuery, Cloud Storage, Secret Manager, and Pub/SuB) These perimeters restrict access to resources based not only on identity but also on context, such as which network the request originates from and whether the environment is trusteD) By ensuring that only requests coming from approved networks or access levels can interact with protected services, VPC Service Controls prevent data from being accessed from outside authorized boundaries, even if the requester possesses valid credentials. This dramatically reduces the attack surface for data exfiltration and mitigates risks associated with phishing, credential leakage, or compromised automation systems. VPC Service Controls can also enforce restrictions across projects and folders, promoting consistent governance and helping organizations comply with regulatory requirements regarding data residency and movement. With integrations such as Access Context Manager, organizations can impose device-based, location-based, or user-based conditions to strengthen perimeter security even further.
Firewall rules operate at the network layer and restrict traffic flow between IP addresses and ports but cannot enforce policies at the service API level. They also cannot prevent data from being copied out of managed cloud services like BigQuery or Cloud Storage using authorized credentials.
Cloud Logging provides visibility into system and audit logs, helping detect anomalous activity, but it is reactive rather than preventive. It cannot stop unauthorized data movement in real time.
Given these considerations, VPC Service Controls is the correct answer because it establishes a powerful service-driven perimeter that significantly enhances data security beyond what identity or network controls alone can provide.
Question 88
Which feature ensures that Cloud SQL backups remain encrypted and inaccessible even if exported outside the Cloud SQL environment?
A) Automated backups only
B) CMEK for Cloud SQL
C) Cloud Monitoring
D) NAT routing
Answer: B
Explanation:
Automated backups only protect a Cloud SQL instance by allowing recovery from accidental deletions, corruption, or operational errors, but they do not provide any form of cryptographic control over how the underlying data is encrypteD) Backups help with point-in-time restoration and business continuity, yet they do not address compliance requirements or organizational mandates that demand customer-managed control over encryption keys. Automated backups rely entirely on Google-managed encryption mechanisms and therefore cannot satisfy environments where customers need explicit ownership or lifecycle control of encryption keys. Although useful and necessary, backups alone do not strengthen the cryptographic security posture of Cloud SQL beyond default protections.
CMEK for Cloud SQL serves a much more advanced role by giving organizations full control over the encryption keys protecting their database storage, transaction logs, and backups. With CMEK, encryption keys are stored and managed in Cloud KMS or, when required, integrated with external key management systems, allowing customers to enforce their own rotation policies, disable keys when needed, and meet strict regulatory or compliance standards. This level of control ensures that even though Google manages the storage infrastructure, the customer controls the cryptographic boundary. If a key is disabled or revoked, Cloud SQL cannot decrypt or access the data, giving customers the final authority over availability and access. CMEK is crucial for industries with stringent data protection rules, such as finance, healthcare, and government, where organizations must demonstrate not only that data is encrypted but also that they govern the lifecycle of the encryption keys. CMEK adds a strong layer of defense by ensuring that unauthorized data access is prevented even in unlikely scenarios involving misconfigurations or compromised credentials.
Cloud Monitoring provides performance metrics, alerting, and observability but does not influence encryption controls or data protection at the storage layer. It enhances operational reliability rather than cryptographic compliance.
NAT routing focuses on outbound connectivity for private resources and has no involvement with encryption or data security inside Cloud SQL.
Given these considerations, CMEK for Cloud SQL is the correct answer because it provides customer-controlled encryption, stronger compliance alignment, and enhanced data governance that cannot be achieved with the other options.
Question 89
Which solution provides identity-based access control to internal web applications hosted on Compute Engine or GKE?
A) Cloud Armor alone
B) Identity-Aware Proxy (IAP)
C) VPC firewall rules
D) Cloud DNS records
Answer: B
Explanation:
Cloud Armor alone provides protection at the network edge by filtering traffic based on IP reputation, geo-blocking, rate limiting, and defense against common web attacks. While it is an important tool for safeguarding public-facing applications, it operates at the network and application layer, not at the identity layer. This means Cloud Armor cannot determine whether a user is authorized to access an application; it only evaluates characteristics of incoming traffiC) Even if Cloud Armor blocks malicious IPs, it cannot enforce authentication, verify user identities, or provide fine-grained access control based on user attributes, group membership, or organizational policies. Because of this, Cloud Armor is not sufficient when the requirement is to ensure that only authenticated and authorized users can access protected applications.
Identity-Aware Proxy provides a much stronger and more identity-centric approach by enforcing user authentication and authorization before any request ever reaches an application or backend service. IAP integrates directly with Google Cloud IAM and Google identity providers to require users to authenticate using secure login methods, including multi-factor authentication if enforceD) Once authenticated, IAP checks IAM permissions to determine whether the user or service account is allowed to access the protected resource. This creates a zero trust security posture where identity verification happens at the perimeter and every request is inspected based on identity rather than network location alone. IAP also ensures that applications do not need to implement their own authentication logic, reducing complexity and preventing common security misconfigurations. It provides audit logging, session controls, and token-based authorization, ensuring that only legitimate, authenticated users can access internal web applications, Cloud Run services, or Compute Engine backends. This level of identity enforcement is essential for internal applications, administrative dashboards, and sensitive workloads that must not be exposed publicly.
VPC firewall rules filter traffic based on IP addresses, ports, and protocols. While effective for segmenting networks, they cannot authenticate users or enforce identity-based access decisions. They only determine whether traffic should pass, not whether the user behind the traffic is authorizeD)
Cloud DNS records manage domain names and routing but offer no security mechanisms related to authentication or authorization.
Given these considerations, Identity-Aware Proxy is the correct answer because it uniquely enforces authentication, IAM-based authorization, and identity-driven access control, providing far stronger application security than network-based tools alone.
Question 90
Which tool can verify whether a user or service account has permissions to access a specific Cloud Storage bucket and explain the reason?
A) Cloud NAT logs
B) IAM Policy Troubleshooter
C) Cloud Build
D) Artifact Registry
Answer: B
Explanation:
Cloud NAT logs provide information about outbound traffic flowing through the Network Address Translation gateway and can be useful for analyzing egress patterns, debugging connectivity issues, and monitoring which internal resources are accessing external IP addresses. Although these logs are important for understanding network behavior, they do not provide any insight into why an identity is unable to perform an operation, nor do they help troubleshoot IAM permission problems. Cloud NAT logs cannot evaluate IAM role bindings, inherited permissions, or organization policies, and they cannot identify whether a user’s denied action is due to a missing role, a conflicting condition, or a higher-level restriction.
IAM Policy Troubleshooter, however, is specifically designed to identify and diagnose permission-related issues in Google Cloud environments. When a user or service account attempts an action and receives a permission denied error, administrators often face the challenge of determining whether the denial originated from insufficient IAM roles, an overridden binding at a higher level, an IAM condition expression failing to match, or an organization policy restricting access. IAM Policy Troubleshooter analyzes all relevant IAM bindings across the resource hierarchy including project, folder, and organization levels. It also evaluates role definitions, access scopes, conditional role bindings, and any restrictions imposed by policies such as domain constraints. By simulating the access request, it clearly explains whether the action is allowed or denied and identifies the exact reason for the decision, greatly reducing the time spent diagnosing permission misconfigurations. This tool is essential for organizations with complex IAM structures, as it helps ensure correct permissions, reduces operational friction, and assists in enforcing least privilege without accidental disruptions.
Cloud Build is a CI/CD service used for automating builds and deployments. Although valuable for DevOps workflows, it has no role in diagnosing IAM permission issues for users or workloads.
Artifact Registry stores container images, language packages, and related artifacts. While it supports IAM-based access control for storage and retrieval, it does not help troubleshoot permission denials across the broader cloud environment.
Given these considerations, IAM Policy Troubleshooter is the correct answer because it directly addresses the need to diagnose and understand why access is denied, offering detailed, identity-specific, and resource-specific analysis that no other option provides.
Question 91
Which mechanism prevents VMs from interacting with unwanted Google APIs, even when they hold valid credentials?
A) VPC routes
B) VPC Service Controls
C) OS Login
D) Cloud Deploy
Answer: B
Explanation:
VPC routes are an essential part of network configuration because they determine how traffic travels between subnets, instances, and external destinations. While routes ensure packets reach the correct endpoints, they do not provide any security controls related to data protection or access governance. VPC routing cannot prevent sensitive data in managed services from being accessed from unauthorized networks, nor can it enforce restrictions on API-level interactions. It simply dictates network paths, and therefore cannot act as a security boundary for protecting data stored in higher-level services such as BigQuery, Cloud Storage, or Secret Manager.
VPC Service Controls provide a far more comprehensive security capability by building a service-level perimeter around sensitive Google Cloud resources. This perimeter helps prevent data exfiltration, even in cases where an attacker acquires valid credentials. VPC Service Controls restrict access so that only requests originating from approved networks, devices, or access levels are permitted to interact with protected services. This protects against unauthorized API calls made from external environments, unmanaged networks, or compromised locations. The advantage of VPC Service Controls is the additional layer of context-aware protection that operates beyond IAM. While IAM ensures identities have the right permissions, VPC Service Controls verify that the environment from which the request is made is trusteD) This ensures that even if a service account key is leaked or a user’s identity is compromised, an attacker outside the trusted perimeter cannot access sensitive datA) Industries that must comply with regulatory requirements rely on VPC Service Controls to ensure that data remains within defined trust boundaries, enforce data residency, and apply device and network-level restrictions through Access Context Manager. This combination of identity-based and perimeter-based enforcement makes VPC Service Controls one of the strongest defenses against data leakage in Google ClouD)
OS Login improves SSH security by binding Linux user accounts to IAM identities. Although it enhances VM access management, it does not protect data in managed services or provide a service boundary for preventing exfiltration.
Cloud Deploy automates application delivery in Kubernetes and related environments but has no relevance to data perimeter enforcement.
Given these considerations, VPC Service Controls is the correct answer because it creates a powerful, context-aware, service-level perimeter that prevents data exfiltration and strengthens security beyond what network routing, VM access controls, or deployment tools can achieve.
Question 92
Which feature ensures that attacker-controlled code cannot tamper with system boot components inside Compute Engine VMs?
A) Custom metadata
B) Shielded VM Integrity Monitoring
C) Cloud Functions
D) IAM roles
Answer: B
Explanation:
Custom metadata allows administrators to attach user-defined key–value pairs to virtual machine instances. This metadata can be used for automation tasks, configuration scripts, boot processes, or labeling resources. While useful for operational workflows, it does not provide any security guarantees regarding the underlying integrity of a virtual machine. Because metadata is simply informational and easily editable, it cannot detect unauthorized modifications to the VM, such as tampering with the bootloader, altering kernel components, or injecting malicious code into the operating system. Therefore, custom metadata is not a security control for validating VM integrity or protecting workloads from sophisticated threats targeting the virtualization layer.
Shielded VM Integrity Monitoring, however, provides a strong and essential layer of protection by verifying that a VM’s boot environment is secure and unaltereD) Using features such as secure boot, virtual trusted platform modules, and boot measurement, Shielded VMs ensure that the kernel, bootloader, and firmware have not been tampered with by unauthorized actors. Integrity Monitoring continuously checks these measurements against expected values, generating alerts whenever discrepancies occur. This helps detect rootkits, bootkits, and other persistent threats that attempt to compromise a machine before the operating system is fully loadeD) Organizations handling sensitive workloads rely on this capability because it protects against advanced attacks that might bypass traditional security controls. Shielded VM Integrity Monitoring also integrates with logs and security tools, allowing administrators to audit VM state, enforce compliance requirements, and ensure that workload environments remain trustworthy across their lifecycle. This protection is particularly important for multi-tenant environments or scenarios where VM images may be inherited, cloned, or modified without oversight.
Cloud Functions is a serverless compute platform for event-driven tasks, providing flexibility for applications but offering no ability to monitor VM boot integrity since it does not operate at the VM or kernel level. Similarly, IAM roles manage permissions for identities but cannot verify the integrity of a machine’s boot process or detect malicious modifications.
Given these considerations, Shielded VM Integrity Monitoring is the correct answer because it uniquely provides tamper detection, secure boot validation, and continuous integrity assurance that cannot be achieved through metadata, serverless functions, or IAM permissions.
Question 93
Which approach enforces encryption for inter-service traffic in a GKE cluster automatically?
A) SSL-enabled load balancer
B) Anthos Service Mesh mTLS
C) Cloud NAT
D) VPC firewall rules
Answer: B
Explanation:
An SSL-enabled load balancer provides encryption for traffic flowing between clients and the load balancer, ensuring that data is protected while in transit over the public internet. Although this is essential for securing external client-facing communications, it does not provide encryption within the internal service-to-service communication paths inside a microservices environment. Once traffic passes through the load balancer and enters the internal network, SSL termination typically occurs, meaning the communication between backend services is no longer encrypted unless additional mechanisms are implementeD) An SSL-enabled load balancer therefore addresses only the perimeter but does not guarantee end-to-end secure communication within the service mesh or microservices architecture.
Anthos Service Mesh mTLS provides far stronger and more comprehensive protection by enabling mutual TLS authentication between all services communicating inside the mesh. This ensures that every service not only encrypts traffic in transit but also authenticates itself to the other service before communication begins. With mTLS, both parties verify each other’s identity through certificates, preventing impersonation, man-in-the-middle attacks, and unauthorized service interactions. Anthos Service Mesh automatically manages certificate issuance, rotation, and revocation, removing the operational burden of managing encryption manually. It also enforces consistent security policies across all microservices, ensuring that communication cannot occur unless mTLS and identity verification succeeD) This creates a zero trust communication model where no internal traffic is implicitly trusted simply because it originates inside the network. Anthos Service Mesh mTLS also provides observability, fine-grained security controls, and policy enforcement, which are critical for modern distributed architectures where internal traffic may traverse shared or multi-tenant environments.
Cloud NAT provides outbound internet access for private compute resources but does not encrypt internal traffic or authenticate services. It is unrelated to workload identity or microservice-to-microservice communication security.
VPC firewall rules control which IP addresses and ports are allowed to communicate but cannot authenticate workloads or encrypt traffiC) Firewalls operate at the network layer, not the service identity layer, and therefore cannot prevent compromised workloads from communicating internally.
Given these considerations, Anthos Service Mesh mTLS is the correct answer because it delivers strong, automatic, identity-based encryption and authentication for all internal service communications, providing far deeper security than perimeter SSL, NAT, or firewalls.
Question 94
Which feature helps organizations detect when sensitive data is stored accidentally in Cloud Storage?
A) Cloud Trace
B) Cloud DLP Inspection Jobs
C) Memorystore
D) Cloud Router
Answer: B
Explanation:
Cloud Trace is designed to analyze latency and performance characteristics of applications by tracing requests as they move through distributed systems. It helps developers identify slow endpoints, bottlenecks, and inefficiencies in application code or microservices. While Cloud Trace is valuable for performance tuning and operational troubleshooting, it provides no capability for discovering sensitive data, assessing data exposure risks, or performing data classification. It focuses entirely on observability and performance metrics rather than data protection or privacy compliance.
Cloud DLP Inspection Jobs address a completely different set of requirements by providing automated, scalable inspection of structured and unstructured data to identify sensitive information such as personally identifiable data, financial records, medical information, credentials, and other regulated content. These jobs allow organizations to routinely scan Cloud Storage, BigQuery, and other data repositories for sensitive data that may have been stored inadvertently or without proper protections. By detecting patterns like names, addresses, credit card numbers, national identifiers, and custom-defined sensitive formats, Cloud DLP helps organizations understand where sensitive data resides and ensures compliance with regulatory frameworks such as GDPR, HIPAA, and PCI-DSS. Inspection jobs can be scheduled to run regularly, enabling continuous monitoring and reducing the risk of unnoticed data accumulation. They also support customizable masking, tokenization, and de-identification workflows, helping organizations remediate findings and implement safe data-handling practices. This capability is particularly important for large environments where manual data review is impractical and where visibility into data exposure risks must be automated, consistent, and enforceable.
Memorystore provides managed Redis and Memcached services for caching and in-memory data handling. While useful for application performance, it is not designed for detecting sensitive data or identifying privacy risks.
Cloud Router facilitates dynamic routing for hybrid connectivity, enabling exchange of routes between on-premises networks and Google ClouD) It does not perform any data scanning or classification and offers no functionality related to information protection.
Given these considerations, Cloud DLP Inspection Jobs is the correct answer because it provides automated, scalable detection of sensitive data, enabling organizations to manage data privacy risks, meet compliance obligations, and maintain visibility into where critical information is storeD)
Question 95
Which strategy prevents service accounts from being created freely in lower-level projects?
A) IAM denies
B) Organization Policy: restrictServiceAccountCreation
C) Firewall logging
D) Pub/Sub permissions
Answer: B
Explanation:
IAM denies provide a powerful mechanism to explicitly block certain identities from performing specific operations, even if those identities have roles that would normally permit the action. They are useful for preventing high-risk operations, enforcing strong restrictions, and overriding overly broad inherited permissions. However, IAM deny policies do not stop the creation of new service accounts across a project, folder, or organization unless the deny rule is written very specifically. They also require careful maintenance and can become complex in large environments. Most importantly, IAM denies do not offer a simple, centralized enforcement mechanism designed explicitly to prevent the proliferation of service accounts across cloud environments. Because of this, they are not ideal for governing the structural policy of whether service accounts may be created in the first place.
The organization policy restrictServiceAccountCreation is specifically designed to block or control the creation of new service accounts at scale. This policy ensures that only authorized automation or trusted administrators can create service accounts, preventing widespread sprawl of identities. Service account sprawl is a major security risk because each unnecessary service account represents a potential attack surface, especially if keys are generated, shared, or accidentally leakeD) By enforcing this policy at the organization or folder level, companies can maintain strict governance over identity creation, reduce human errors, and ensure all identities follow the organization’s identity lifecycle processes. This is particularly important for regulated industries or security-sensitive workloads where identity management must remain tightly controlleD) Restricting service account creation ensures that all new service accounts go through approval workflows, automated deployment systems, or centralized provisioning pipelines, maintaining consistency and reducing the likelihood of shadow identities appearing in the environment. The policy also supports least-privileged identity hygiene by ensuring that only vetted, intentional service accounts exist, each with a clear operational purpose.
Firewall logging offers insights into network traffic flows for debugging and monitoring but has no impact on identity creation or IAM governance. Pub/Sub permissions control access to messaging resources but do not govern whether service accounts can be createD)
Given these considerations, the organization policy restrictServiceAccountCreation is the correct answer because it directly enforces governance over identity proliferation and ensures that service account creation remains strictly controlled and compliant across the environment.
Question 96
Which control helps detect misconfigured Open Firewall rules that unintentionally expose internal systems?
A) Cloud DNS logging
B) Security Health Analytics
C) Cloud Build validation
D) NAT logs
Answer: B
Explanation:
Cloud DNS logging provides visibility into DNS queries and responses within a cloud environment, helping administrators understand which domains workloads are resolving and how DNS is being useD) While DNS logs are valuable for detecting suspicious lookup patterns or diagnosing name resolution issues, they do not assess the security posture of resources, nor do they identify misconfigurations or vulnerabilities across an environment. DNS logging is strictly an observability feature and does not perform automated analysis, risk scoring, or compliance checks. Therefore, it cannot give organizations a holistic view of security risks present in their cloud infrastructure.
Security Health Analytics, on the other hand, plays a critical role in proactively identifying misconfigurations, vulnerabilities, and high-risk conditions across Google Cloud environments. As part of Security Command Center, it continuously scans resources such as Compute Engine, Cloud Storage, BigQuery, IAM policies, and networking components to detect weaknesses that could lead to security breaches. These findings include publicly exposed storage buckets, overly permissive firewall rules, VMs using unapproved images, service accounts with excessive privileges, API keys without restrictions, and many other issues. Security Health Analytics provides detailed reports and categorizes findings based on severity, helping security teams prioritize remediation efforts. It acts as an automated security auditor, enforcing best practices and ensuring compliance with organizational and regulatory requirements. Unlike logging tools, it actively analyzes configurations instead of simply recording events. This allows organizations to detect potential problems before they are exploited and maintain a strong security posture across large and complex cloud deployments. Security Health Analytics is especially valuable for enterprises aiming to adopt zero trust principles and minimize misconfiguration risk, which remains one of the leading causes of cloud breaches.
Cloud Build validation focuses on securing build pipelines and verifying artifact integrity, but it does not provide broad infrastructure scanning or misconfiguration detection. Similarly, NAT logs provide insights into outbound traffic through Cloud NAT but do not perform any type of security assessment or posture management.
Given these considerations, Security Health Analytics is the correct answer because it automatically identifies misconfigurations and vulnerabilities across cloud resources, providing comprehensive security posture analysis that logging tools and build systems cannot deliver.
Question 97
Which method provides automated renewal and provisioning of HTTPS certificates for load balancers?
A) Self-managed certificates
B) Google-managed certificates
C) JSON key rotation
D) Secrets Manager
Answer: B
Explanation:
Self-managed certificates require administrators to manually generate, upload, renew, and rotate TLS certificates for their applications and load balancers. While this approach provides full control over the certificate lifecycle, it also introduces operational overhead and increases the risk of outages if certificates expire unexpectedly. Managing certificates manually can be error-prone, especially in environments with many domains or frequent updates. It requires dedicated processes and monitoring to ensure timely renewal, and any misconfiguration can lead to service interruptions or security weaknesses. Although some organizations choose self-managed certificates for specific compliance needs, the burden of maintaining them often outweighs their benefits in typical cloud workloads.
Google-managed certificates provide a far more efficient and reliable solution by automating the entire certificate lifecycle, including provisioning, validation, renewal, and rotation. When used with supported Google Cloud load balancers, these certificates are issued and maintained automatically without requiring administrators to handle private keys or certificate signing requests. This reduces operational complexity and eliminates the risk of accidental expiration. Google-managed certificates scale easily, integrate seamlessly with domain verification processes, and ensure that TLS connections remain secure with up-to-date cryptographic standards. They are ideal for production environments where reliability, automation, and reduced overhead are priorities. Because Google handles renewal in the background, organizations benefit from improved security posture and operational continuity without needing to manually track certificate lifecycles.
JSON key rotation relates to service account key management and has no direct connection to TLS certificates or HTTPS configuration. Similarly, Secrets Manager is designed for securely storing API keys, tokens, and confidential configuration data, not for managing public TLS certificates used on load balancers.
Given these considerations, Google-managed certificates are the correct answer because they provide seamless, automated TLS protection with minimal administrative effort and strong reliability for secure application delivery.
Question 98
Which tool helps identify vulnerabilities in Compute Engine VMs at scale?
A) VM Manager + OS Patch
B) Cloud SQL Insights
C) Cloud Tasks
D) Data Catalog
Answer: A
Explanation:
VM Manager with OS patching provides a centralized and automated solution for maintaining operating system security and compliance across Compute Engine instances. By regularly applying patches, updates, and security fixes, organizations can significantly reduce the risk of vulnerabilities being exploited by attackers. VM Manager helps administrators keep systems up to date without relying on manual processes, which are often inconsistent and prone to oversight. Automated patching ensures that critical security fixes are deployed quickly, minimizing the window of exposure. It also allows teams to schedule maintenance windows, track patch compliance, and generate reports to support auditing and governance requirements. This capability is especially important in environments with many VMs, where manual patching becomes impractical and risky. VM Manager further integrates with inventory management, providing visibility into the software packages installed on each VM and identifying outdated components that may require remediation. This strengthens overall security posture and aligns with best practices for system hardening and lifecycle management.
Cloud SQL Insights focuses on performance monitoring for Cloud SQL instances, helping diagnose slow queries or inefficient database workloads. While valuable for database tuning, it does not address VM-level operating system patching or infrastructure security.
Cloud Tasks manages asynchronous workloads and task scheduling for application architectures, enabling reliable processing of background jobs but offering no capabilities related to patch management or system security.
Data Catalog provides metadata management for datasets, enabling better organization and discovery of data assets. Although essential for data governance, it does not relate to VM security or patching.
Given these considerations, VM Manager combined with OS patching is the correct answer because it directly addresses the need for automated, scalable, and consistent operating system maintenance, which is fundamental to securing and managing Compute Engine environments.
Question 99
Which approach ensures that only specific service accounts can invoke a Cloud Run service?
A) VPC firewall
B) Assigning IAM roles with run.invoker
C) Public access toggle ON
D) NAT restrictions
Answer: B
Explanation:
A VPC firewall provides network-level filtering based on IP addresses, ports, and protocols, helping control which sources and destinations can communicate with a given service. While this is crucial for limiting unwanted network access, it does not provide identity-based access control for serverless applications such as Cloud Run. A firewall can restrict where traffic originates from, but it cannot determine who the caller is, whether the caller has the appropriate permissions, or whether the request should be allowed based on IAM policies. Network filtering alone is not sufficient for controlling access to Cloud Run services that rely on authenticated and authorized invocation patterns tied to Google identities.
Assigning IAM roles with the run.invoker permission directly addresses this need by enabling identity-based access control to Cloud Run services. When Cloud Run is configured to require authentication, only identities that have been granted the run.invoker role can invoke the service. This includes users, service accounts, groups, and even external identities depending on configuration. The run.invoker permission ensures that every request is evaluated through Google Cloud IAM, allowing administrators to tightly control who can access the service. This approach aligns with zero trust principles because access is determined by authenticated identities rather than IP ranges or network location. It also supports secure service-to-service communication, where a calling service account must be explicitly granted invoker permissions. IAM-based access enforcement is essential for internal APIs, backend workloads, and sensitive applications that must not be exposed to the publiC) Additionally, IAM provides full audit logging for invocations, allowing organizations to trace which identity accessed the service and when. This level of visibility and control cannot be achieved through firewall rules or network restrictions alone.
Public access toggle ON makes the Cloud Run service fully anonymous and accessible to anyone on the internet. While useful for public APIs, this option removes all identity-based protections and is unsuitable for securing private or sensitive workloads.
NAT restrictions relate to outbound routing and do not govern who can invoke Cloud Run. NAT affects how traffic leaves a VPC, not how a Cloud Run service is securely accesseD)
Given these considerations, assigning IAM roles with run.invoker is the correct answer because it provides strong, identity-driven, auditable, and least-privilege access control that properly secures Cloud Run services.
Question 100
Which mechanism restricts Cloud SQL to be accessed only through private networking, eliminating public exposure risk?
A) Public IP + firewall rules
B) Private IP configuration
C) Cloud NAT routing
D) External load balancer
Answer: B
Explanation:
Using a public IP combined with firewall rules allows a resource such as a database or virtual machine to be accessible from the internet while restricting inbound connections to approved sources. Although this method can be functional, it still exposes the resource to the public network, increasing the risk of scanning, probing, and attempted exploitation from external attackers. Even with strict firewall filtering, the presence of a public IP represents an attack surface that organizations may prefer to avoid, especially when handling sensitive workloads or operating in regulated environments. Publicly reachable endpoints also depend heavily on precise firewall configurations, and any misconfiguration can inadvertently allow unauthorized access. Because of these risks and the operational overhead of maintaining safe firewall rules, relying on a public IP is often discouraged for internal or security-critical systems.
Private IP configuration eliminates these risks by ensuring that resources such as Cloud SQL, internal APIs, or private services are accessible only within a private VPC network or via secure connections such as VPN or interconnect. This greatly reduces exposure by removing any public entry point and restricting connectivity to trusted internal networks. When a resource uses a private IP, communication happens through the internal Google Cloud network rather than the public internet, resulting in lower latency, improved security, and less reliance on firewall complexity. Private IPs also integrate seamlessly with VPC peering, shared VPC architectures, and hybrid network designs, enabling secure access from on-premises environments. This approach aligns with zero trust principles because access is controlled through identity, networking boundaries, and private routing rather than open internet exposure. Furthermore, private IP usage simplifies compliance for organizations that must guarantee that sensitive data does not transit the public internet.
Cloud NAT routing addresses outbound connectivity for resources without public IPs but does not enable secure inbound access to privately hosted services. Similarly, an external load balancer exposes applications publicly and is inappropriate for securing internal-only systems or databases.
Given these considerations, private IP configuration is the correct answer because it ensures that resources remain isolated within trusted networks, minimizes exposure to external threats, and provides a secure and compliant approach to internal connectivity.
