Google Professional Cloud Security Engineer Exam Dumps and Practice Test Questions Set 5 Q101-120


Question 101

Which mechanism ensures that Cloud Run services can only make outbound calls to approved Google APIs and not the public Internet?

A) Assign public IPs
B) Use Serverless VPC Connector + Private Google Access
C) Use NAT Gateway with open egress
D) Use firewall deny rules

Answer: B

Explanation: 

Assigning public IPs to serverless resources such as Cloud Run, Cloud Functions, or App Engine can allow them to access Google APIs and services over the public internet, but doing so increases exposure and weakens the overall security posture. Public IPs make it possible for outbound traffic to be intercepted or misrouted and require additional firewall or routing controls to reduce risks. Even if these services only initiate outbound requests, relying on public internet paths is unnecessary when more secure private alternatives exist. Public IPs also complicate compliance requirements for organizations that must ensure sensitive workloads do not communicate over the public internet.

Using Serverless VPC Connector combined with Private Google Access provides a much more secure and controlled way for serverless workloads to communicate with Google Cloud services privately. The Serverless VPC Connector allows Cloud Run, Cloud Functions, and App Engine to connect into a VPC network, enabling them to reach internal-only resources such as private IP Cloud SQL instances, internal load balancers, or on-premises networks. When Private Google Access is enabled on the subnet used by the connector, these serverless workloads can also reach Google APIs privately without traversing the public internet. This setup ensures traffic remains within Google’s internal backbone network, improving both security and reliability. It also aligns with best practices for enterprises adopting zero trust principles, because access is based on identity and private routing rather than public access paths. This combination is essential for workloads that handle sensitive data or must meet regulatory and compliance requirements where public network exposure must be minimized.

Using a NAT Gateway with open egress still allows traffic to exit through a public IP, which does not meet strict privacy or compliance needs. Firewall deny rules can block unwanted access but cannot provide private connectivity to Google APIs.

Given these considerations, using Serverless VPC Connector with Private Google Access is the correct answer because it provides secure, private, controlled, and compliant communication between serverless workloads and Google Cloud services without involving the public internet.

Question 102

Which Google Cloud feature helps detect anomalous IAM role assignments that could indicate privilege escalation?

A) BigQuery BI Engine
B) Event Threat Detection
C) Scheduler
D) Cloud NAT logs

Answer: B

Explanation: 

BigQuery BI Engine is designed to accelerate analytics workloads by providing fast, in-memory analysis for dashboards and business intelligence tools. While it significantly improves query performance and user experience, it does not offer any threat detection, security monitoring, or analysis of potentially malicious activities. Its focus is entirely on speed and efficiency, not on identifying security risks or detecting anomalies within cloud environments. Because of this, BI Engine is not suitable for organizations that need monitoring tools to detect suspicious behavior or security-related events.

Event Threat Detection, on the other hand, is built specifically to analyze security logs and identify threats in real time. It monitors Cloud Audit Logs, VPC Flow Logs, Admin Activity Logs, and other critical logging sources to detect common attack patterns such as brute force attempts, cryptocurrency mining behavior, anomalous IAM activity, suspicious network traffic, and possible data exfiltration events. Event Threat Detection uses rule-based and signature-based analysis to quickly alert security teams when unusual or dangerous behavior occurs. This allows organizations to respond faster, investigate incidents more thoroughly, and reduce the risk of unnoticed breaches. It functions as a foundational security monitoring system by automatically scanning logs that would otherwise require manual review, making it essential for large-scale environments where threats can develop quickly. Event Threat Detection integrates with Security Command Center, enabling centralized visibility and correlation of findings across cloud resources.

Scheduler is an automation service that triggers jobs and workflows on a defined schedule, but it does not analyze logs or detect threats. Cloud NAT logs capture outbound traffic for resources without public IPs but cannot independently detect malicious behavior, as they only record network events rather than interpret them.

Given these considerations, Event Threat Detection is the correct answer because it provides dedicated, automated security monitoring that identifies real threats across the environment, offering capabilities that the other options cannot provide.

Question 103

Which feature ensures encryption of Cloud Storage objects using keys that the customer controls?

A) GMEK
B) CMEK
C) Public Access Prevention
D) VPC Peering

Answer: B

Explanation: 

GMEK provides default encryption for data at rest using keys that are fully managed by Google. This option requires no setup and ensures that all stored data is encrypted automatically, but it does not provide customers with any control over the lifecycle, rotation schedule, or revocation mechanisms of those encryption keys. While sufficient for many general workloads, GMEK does not satisfy organizations that require direct oversight of key management processes for regulatory or internal governance reasons. Industries such as finance, government, healthcare, and other highly regulated sectors often need more granular control to meet compliance standards or security audits.

CMEK offers a significantly stronger and more customizable level of security because it allows customers to manage the keys that protect their data. With CMEK, organizations can use Cloud KMS to create, rotate, disable, or revoke keys according to their own policies. This provides a higher degree of assurance that access to encrypted data is fully governed by internal controls rather than solely by the cloud provider. CMEK also supports detailed audit logging, enabling teams to verify exactly when and how keys are used. If a key is disabled or revoked, any resource protected by that key becomes inaccessible until the key is restored, giving organizations direct control over data access at a cryptographic level. This is crucial for sensitive workloads where strict compliance, auditability, and data sovereignty are required. CMEK works across various Google Cloud services such as BigQuery, Cloud Storage, Pub/Sub, Compute Engine, and others, creating consistent encryption governance across the environment.

Public Access Prevention protects storage buckets from being shared publicly but does not relate to encryption control. VPC Peering enables private connectivity between networks but has no influence over key management or data encryption.

Given these considerations, CMEK is the correct answer because it empowers organizations with explicit control over their encryption keys, ensuring stronger compliance, governance, and data protection than what default encryption or networking features can provide.

Question 104

Which solution allows you to prevent Cloud Deploy from executing pipelines in unapproved regions?

A) Cloud Armor
B) Organization Policy: resourceLocationRestriction
C) VPC Route controls
D) DNS filtering

Answer: B

Explanation: 

Cloud Armor provides protection for applications exposed to the internet by filtering traffic, blocking malicious IPs, and mitigating denial-of-service attacks. While this is valuable for securing external endpoints, Cloud Armor offers no ability to govern where resources may physically reside or ensure that deployments stay within approved geographic regions. Its functionality focuses on traffic security, not compliance or data residency requirements. Because of this, Cloud Armor cannot enforce regional restrictions for cloud resource creation.

The organization policy resourceLocationRestriction is specifically designed to control the geographic regions where Google Cloud resources may be created or run. This policy helps organizations ensure compliance with regulatory standards, data residency laws, and internal governance requirements by restricting deployments to allowed regions only. For industries that handle sensitive data or operate under strict legal frameworks, preventing resources from being created in unauthorized regions is essential. This policy also prevents accidental creation of services in unintended regions, which could introduce latency issues, increase costs, or violate jurisdictional rules. Applying the resourceLocationRestriction policy at the organization or folder level ensures consistent enforcement across all projects, reducing the risk of misconfigurations and unauthorized deployments. It provides centralized governance and helps maintain a predictable and compliant cloud footprint by ensuring that workloads remain within approved locations, whether for privacy, performance, or regulatory reasons.

VPC Route controls determine how network traffic flows within a virtual private cloud environment, but they do not influence where resources can be created. DNS filtering affects domain resolution and can support threat prevention, but it has no relevance to enforcing regional constraints on resource deployment.

Given these considerations, the organization policy resourceLocationRestriction is the correct answer because it directly governs where resources may be deployed, ensuring compliance, governance, and proper regional control that other network or security tools cannot provide.

Question 105

Which technology enforces encryption for communication between microservices running inside a GKE cluster?

A) HTTP load balancer
B) Anthos Service Mesh with mTLS
C) Cloud Router
D) Cloud DNS

Answer: B

Explanation: 

An HTTP load balancer provides secure, scalable access for client traffic coming into applications, and it can terminate TLS at the edge to ensure encrypted communication between external users and the entry point of a system. While this is important for protecting traffic from the public internet, it does not secure the internal communication that happens between microservices within a distributed environment. Once traffic passes through the load balancer and enters the backend network, it is typically no longer encrypted unless additional measures are in place. This leaves inter-service traffic vulnerable to interception, tampering, or unauthorized access if a compromised workload or attacker gains access to the internal network. Therefore, relying solely on an HTTP load balancer does not provide end-to-end encryption or identity verification for internal service-to-service communication.

Anthos Service Mesh with mTLS addresses exactly this challenge by enforcing mutual authentication and encryption for every communication occurring between services inside a cluster or across multiple clusters. Mutual TLS not only encrypts traffic but also ensures that both the client and server can verify each other’s identities using certificates automatically issued and rotated by the mesh. This prevents unauthorized workloads, compromised instances, or malicious internal traffic from impersonating services or injecting harmful requests. Anthos Service Mesh also centralizes policy enforcement, allowing administrators to define which services are permitted to communicate and under what conditions. It provides deep observability, traffic control, and security controls that are critical in modern, containerized, microservice architectures. With mTLS enabled, the mesh provides a zero trust communication layer where trust is never assumed based on network placement alone. Instead, every service interaction is authenticated, authorized, and logged.

Cloud Router manages routing for hybrid connectivity and dynamic exchange of routes but does not offer application-level security. Cloud DNS provides domain name resolution but cannot secure service-to-service traffic or enforce encryption.

Given these factors, Anthos Service Mesh with mTLS is the correct answer because it delivers strong, identity-based, encrypted communication between microservices, offering far deeper internal protection than load balancers, routers, or DNS tools.

Question 106

Which method ensures that VM service accounts cannot be used from unmanaged networks, even if keys are leaked?

A) VM tags
B) IAM Conditions
C) NAT restrictions
D) Instance groups

Answer: B

Explanation: 

VM tags are simple identifiers applied to virtual machines to help categorize resources and apply firewall rules, but they do not provide any meaningful control over permissions or conditional access. IAM Conditions, on the other hand, offer context-aware access management by enabling administrators to define rules that limit when and how permissions are used based on attributes such as time, IP range, resource name, or request context, making them suitable for enforcing precise and secure access policies. NAT restrictions focus on controlling outbound traffic from private instances by routing it through a NAT gateway, which enhances network security but does not allow for identity-based or context-based permission control. Instance groups allow multiple virtual machines to be managed collectively for purposes like autoscaling and load balancing, yet they do not provide any mechanism for defining conditional or attribute-based authorization. Considering these differences, IAM Conditions are the correct choice because they allow fine-grained, conditional access policies that the other options cannot achieve.

Question 107

Which Google Cloud feature identifies containers with known vulnerabilities before deployment?

A) Cloud DNS
B) Container Analysis
C) VPC Firewall rules
D) Cloud Functions triggers

Answer: B

Explanation: 

Cloud DNS is a scalable and reliable domain name system service that allows organizations to manage domain names and map them to various resources, providing fast and consistent name resolution. While Cloud DNS is essential for routing users to the correct endpoints, it does not provide vulnerability scanning, metadata analysis, or security insights into container images. Container Analysis, however, is specifically designed to offer detailed information about container images by scanning them for known vulnerabilities, tracking metadata, and ensuring that images used across deployments meet security and compliance standards. This makes Container Analysis an important service for maintaining strong supply chain security, identifying potential risks early, and ensuring that workloads deployed in containerized environments are safe and trustworthy. VPC firewall rules operate at the network layer and control how traffic enters or leaves a virtual private cloud; although crucial for securing networks, they do not provide image-level inspection or vulnerability detection. Cloud Functions triggers initiate serverless functions in response to events such as storage changes, HTTP requests, or messaging activity, but they also do not analyze container images or provide security assessments. Given these distinctions, Container Analysis is the appropriate answer because it directly focuses on evaluating container images for vulnerabilities and maintaining a secure container environment, which the other services are not designed to handle.

Question 108

Which technology prevents Cloud SQL from being accessible via public Internet endpoints?

A) Public IP + Firewall blocks
B) Private IP
C) Public IP + IAM controls
D) Cloud NAT

Answer: B

Explanation: 

Public IP combined with firewall blocks can restrict outside access, but it still exposes the resource to the public internet by assigning a publicly reachable IP address. Even if firewall rules are in place, having a public IP inherently increases the risk of unwanted traffic, probing, or accidental exposure, and relies heavily on the proper configuration of rules to prevent unauthorized access. Using IAM controls with a public IP does not solve this underlying exposure either, because IAM governs permission to interact with resources rather than determining who can reach the resource at the network level. IAM cannot prevent general internet traffic from hitting an endpoint that has a public IP assigned, so while permissions may be limited, the entry point still remains visible and reachable across the internet. Cloud NAT allows private instances to initiate outbound connections to the internet without receiving inbound connections, offering a layer of protection; however, Cloud NAT is focused on outbound access and does not directly address the requirement of isolating resources from public exposure if the goal is to avoid any external visibility. Private IP is the strongest choice when the intention is to ensure that a resource is only reachable within an internal network or VPC environment. By assigning only a private IP, the resource cannot be accessed from the public internet at all, removing the possibility of external traffic entirely and avoiding reliance on firewall filtering or IAM policies to achieve isolation. This makes Private IP the most secure and straightforward option for preventing unintended external access and maintaining strict internal-only communication, which aligns with the purpose of ensuring a protected and restricted network environment.

Question 109

Which feature helps detect misconfigured Cloud Storage buckets that allow public access?

A) Security Health Analytics
B) Cloud NAT logs
C) Memory profiling
D) Cloud DNS logs

Answer: A

Explanation: 

Security Health Analytics is a specialized service designed to continuously evaluate cloud environments for misconfigurations, security risks, and compliance violations. It provides automated scanning of resources such as storage buckets, networking configurations, identity permissions, and public exposure risks. By identifying vulnerabilities like overly permissive IAM roles, publicly accessible data, insecure firewall rules, or missing encryption, Security Health Analytics helps organizations enforce best practices and maintain a strong security posture. It also integrates with broader security tools to centralize findings and support remediation workflows. Cloud NAT logs offer insight into outbound traffic from private resources, helping administrators understand network behavior, troubleshoot connectivity problems, and detect unusual patterns. However, while useful for network visibility, these logs do not analyze resource security posture or identify configuration weaknesses. Memory profiling is focused on analyzing memory allocation and performance within applications; it aids developers in understanding consumption patterns, optimizing performance, and detecting memory leaks, but it does not address cloud configuration or security vulnerabilities. Cloud DNS logs track DNS queries and responses, which can help detect abnormal lookups or diagnose name resolution issues, yet they do not evaluate misconfigurations or highlight compliance gaps. Because the goal is to detect and report security misconfigurations automatically, Security Health Analytics is the correct choice, as it directly focuses on identifying weaknesses across cloud resources in a structured and continuous way that the other options are not designed to provide.
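To show the kind of check that Security Health Analytics automates for public buckets, here is an added example written for this page (it is not Google's scanner code). It walks a constructed inventory of bucket records shaped like the Cloud Storage JSON API (the bucket's `iamConfiguration.publicAccessPrevention` field and the `bindings` list returned by `buckets.getIamPolicy`) and reports every binding that grants a role to `allUsers` or `allAuthenticatedUsers`. The severity labels and the sample bucket names are assumptions.

```python
"""Flag Cloud Storage buckets whose IAM policy grants access to the public.

Added example for this page, not Security Health Analytics code. Input is a
constructed list of bucket records shaped like the Cloud Storage JSON API:
  - iamConfiguration.publicAccessPrevention: "enforced" or "inherited"
  - iamPolicy.bindings: [{"role": ..., "members": [...]}]
"""
from dataclasses import dataclass

# Principals that make a binding reachable by anyone on the internet.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Read-only roles are bad; write-capable roles on a public bucket are worse.
# The severity labels are an assumption for this example.
READ_ONLY_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyBucketReader",
}


@dataclass(frozen=True)
class Finding:
    bucket: str
    role: str
    principal: str
    severity: str


def scan_bucket_policies(buckets):
    """Return one Finding per (bucket, role, public principal) triple."""
    findings = []
    for bucket in buckets:
        pap = bucket.get("iamConfiguration", {}).get("publicAccessPrevention")
        # Enforced Public Access Prevention overrides any public binding,
        # so such buckets are not exposed even if a binding exists.
        if pap == "enforced":
            continue
        for binding in bucket.get("iamPolicy", {}).get("bindings", []):
            role = binding.get("role", "")
            for member in binding.get("members", []):
                if member in PUBLIC_PRINCIPALS:
                    severity = "HIGH" if role in READ_ONLY_ROLES else "CRITICAL"
                    findings.append(Finding(bucket["name"], role, member, severity))
    return findings


# Constructed sample inventory: one public-read bucket, one public-write
# bucket, one with a public binding neutralised by enforced PAP, one private.
SAMPLE_BUCKETS = [
    {"name": "marketing-assets",
     "iamConfiguration": {"publicAccessPrevention": "inherited"},
     "iamPolicy": {"bindings": [
         {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
         {"role": "roles/storage.admin", "members": ["group:web-team@example.com"]}]}},
    {"name": "uploads-scratch",
     "iamConfiguration": {"publicAccessPrevention": "inherited"},
     "iamPolicy": {"bindings": [
         {"role": "roles/storage.objectAdmin", "members": ["allAuthenticatedUsers"]}]}},
    {"name": "legacy-public",
     "iamConfiguration": {"publicAccessPrevention": "enforced"},
     "iamPolicy": {"bindings": [
         {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
    {"name": "finance-exports",
     "iamConfiguration": {"publicAccessPrevention": "enforced"},
     "iamPolicy": {"bindings": [
         {"role": "roles/storage.objectViewer", "members": ["group:finance@example.com"]}]}},
]

if __name__ == "__main__":
    for f in scan_bucket_policies(SAMPLE_BUCKETS):
        print(f"{f.severity:8} {f.bucket:20} {f.role} -> {f.principal}")
```

Run stand-alone it prints two findings: the read-only public bucket as HIGH and the publicly writable one as CRITICAL, while the bucket protected by enforced Public Access Prevention is skipped even though its policy still carries an `allUsers` binding. In a real posture pipeline the input would come from listing buckets and their IAM policies, and the findings would feed the same remediation workflow the question describes.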

Question 110

Which method ensures that only approved users can SSH into Compute Engine VMs and that all access is fully auditable?

A) Manual SSH keys
B) OS Login with IAM
C) Passing passwords in metadata
D) Cloud NAT

Answer: B

Explanation: 

Manual SSH keys require administrators or developers to generate, distribute, and rotate keys themselves, which can quickly become difficult to manage at scale and may lead to inconsistent security practices. When SSH keys are handled manually, there is a higher chance of stale keys, lost keys, or keys remaining active even after a user no longer needs access. Passing passwords in metadata is an even riskier practice, as it exposes sensitive information in a location that is not intended for secure credential storage. Passwords placed in metadata can be accessed by any user or process with the ability to read instance metadata, making it an unsafe and outdated method for authentication. Cloud NAT is unrelated to authentication entirely, as it is a network service enabling outbound internet access for private instances without assigning them public IP addresses. While useful for securing network boundaries, Cloud NAT cannot control or authenticate access to virtual machines. OS Login with IAM is the most secure and scalable approach because it centralizes authentication and ties SSH access directly to a user’s IAM identity. This means access can be granted or revoked seamlessly by modifying IAM roles, without needing to manage keys manually. It also enables audit logging that connects SSH sessions to specific users, improving traceability and accountability. By integrating with IAM policies, OS Login ensures consistent access control across all instances and eliminates the need for risky password transmission or unmanaged SSH keys. This makes OS Login with IAM the most robust and recommended option for secure and maintainable authentication to virtual machines.

Question 111

Which solution allows accessing Google Cloud APIs from an on-premises environment without storing long-lived service account keys?

A) Hard-coded JSON keys
B) Workload Identity Federation
C) Public API keys
D) SSH tunneling

Answer: B

Explanation: 

Hard-coded JSON keys involve embedding long-lived service account credentials directly into applications or configuration files, which creates a significant security risk. These keys can be accidentally committed to version control, exposed in logs, or extracted if attackers gain access to the system, and because they do not automatically rotate, they can provide persistent unauthorized access if compromised. Public API keys are intended for low-risk, unauthenticated API access and are not suitable for sensitive workloads, as they cannot strongly identify workloads, are easy to leak, and offer minimal security controls. They are generally restricted to basic use cases and cannot provide the secure identity mapping required for enterprise environments. SSH tunneling is a method used to securely forward traffic through encrypted channels, but it does not solve the problem of securely authenticating cloud workloads to external services or remote identities. It is mainly used for network access scenarios and does not eliminate credential exposure risks. Workload Identity Federation is the most secure and modern solution because it removes the need for long-lived keys entirely by allowing cloud workloads to exchange short-lived credentials using external identity providers such as AWS, Azure, or trusted OIDC systems. Instead of distributing static credentials, workloads authenticate using their environment’s native identity, which greatly reduces the attack surface and prevents key leakage. This approach provides strong, temporary credentials that automatically rotate, simplifies cross-cloud authentication, and follows best practices for secure identity management. Therefore, Workload Identity Federation is the best choice when the goal is to avoid managing sensitive long-lived credentials while ensuring secure, scalable authentication for workloads.

Question 112

Which mechanism detects unexpectedly large-scale downloads from Cloud Storage that could indicate data exfiltration?

A) Cloud NAT logs
B) VPC flow logs
C) Event Threat Detection
D) Cloud Scheduler

Answer: C

Explanation: 

Cloud NAT logs provide visibility into outbound traffic from instances that do not have public IP addresses, helping administrators understand which internal resources are accessing external endpoints. These logs can be useful for troubleshooting connectivity issues or identifying unusual outbound behavior, but they do not actively detect threats or analyze events for signs of malicious activity. VPC flow logs capture network flow information within a VPC, including details about allowed and denied connections, source and destination IPs, ports, and protocols. While these logs are valuable for auditing, monitoring traffic patterns, and diagnosing networking problems, they do not automatically identify threats; instead, they provide raw data that requires additional analysis tools to derive security insights. Cloud Scheduler is a service used to run cron-style scheduled tasks, such as triggering jobs or functions at set intervals. It plays no role in security detection or threat monitoring and is meant purely for automation and task orchestration. Event Threat Detection stands out because it specifically analyzes logs to identify suspicious activity, potential attacks, and configuration anomalies. It uses predefined security rules to detect threats such as malware, brute-force attempts, risky network behavior, and misuse of credentials by continuously scanning audit logs and network logs. This automated analysis helps security teams respond more quickly and effectively to incidents without manually combing through large volumes of log data. Since the objective is to identify and surface potential security threats automatically, Event Threat Detection is the most appropriate and effective choice among the listed options.
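To make the two detections concrete, for Question 102 (anomalous IAM role grants) and Question 112 (large-scale downloads from Cloud Storage), here is an added example written for this page; it is not Event Threat Detection's own rule logic. Two rules run over constructed Cloud Audit Log entries laid out like exported audit-log JSON (`protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.serviceData.policyDelta.bindingDeltas`, `resource.labels`). The trusted domain, the sensitive-role set, the download threshold and the sliding window are assumed values to tune per environment.

```python
"""Two detection rules over Cloud Audit Log entries: anomalous IAM grants and
bulk Cloud Storage downloads.

Added example for this page; not Event Threat Detection's own rules. Entries
are constructed in the shape of exported audit-log JSON. Thresholds, the
trusted domain and the sensitive-role set are assumptions to tune per
environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TRUSTED_DOMAIN = "example.com"                                                # assumption
SENSITIVE_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}  # assumption
DOWNLOAD_THRESHOLD = 3                                                        # objects per window, assumption
DOWNLOAD_WINDOW = timedelta(minutes=5)                                        # assumption


def _ts(entry):
    """Parse the RFC 3339 timestamp of a log entry into an aware datetime."""
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))


def is_external(member):
    """True for public principals and for users/groups outside TRUSTED_DOMAIN.
    Service accounts are deliberately left to other rules."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    kind, _, ident = member.partition(":")
    if kind in ("user", "group"):
        return not ident.endswith("@" + TRUSTED_DOMAIN)
    return False


def detect_anomalous_grants(entries):
    """Flag SetIamPolicy calls that ADD a sensitive role to an external principal."""
    findings = []
    for e in entries:
        p = e["protoPayload"]
        if p.get("methodName") != "SetIamPolicy":
            continue
        deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            if d.get("action") == "ADD" and d.get("role") in SENSITIVE_ROLES and is_external(d.get("member", "")):
                findings.append({"rule": "anomalous_iam_grant",
                                 "actor": p["authenticationInfo"]["principalEmail"],
                                 "member": d["member"], "role": d["role"],
                                 "project": e["resource"]["labels"].get("project_id")})
    return findings


def detect_bulk_downloads(entries):
    """Flag a principal the first time it fetches more than DOWNLOAD_THRESHOLD
    objects inside any DOWNLOAD_WINDOW-long sliding window."""
    findings, recent, flagged = [], defaultdict(deque), set()
    for e in sorted(entries, key=_ts):
        p = e["protoPayload"]
        if p.get("methodName") != "storage.objects.get":
            continue
        actor = p["authenticationInfo"]["principalEmail"]
        now = _ts(e)
        window = recent[actor]
        window.append(now)
        while now - window[0] > DOWNLOAD_WINDOW:   # drop fetches older than the window
            window.popleft()
        if len(window) > DOWNLOAD_THRESHOLD and actor not in flagged:
            flagged.add(actor)
            findings.append({"rule": "bulk_download", "actor": actor, "count": len(window),
                             "bucket": e["resource"]["labels"].get("bucket_name")})
    return findings


def _entry(ts, method, actor, labels, service_data=None):
    """Build a minimal audit-log entry (constructed test data, not a real export)."""
    e = {"timestamp": ts, "resource": {"labels": labels},
         "protoPayload": {"methodName": method, "authenticationInfo": {"principalEmail": actor}}}
    if service_data:
        e["protoPayload"]["serviceData"] = service_data
    return e


SAMPLE_ENTRIES = [
    # roles/owner handed to a consumer account: should fire.
    _entry("2024-01-10T09:00:00Z", "SetIamPolicy", "admin@example.com", {"project_id": "demo-proj"},
           {"policyDelta": {"bindingDeltas": [
               {"action": "ADD", "role": "roles/owner", "member": "user:outsider@gmail.com"}]}}),
    # roles/viewer (not sensitive) and roles/editor to an internal user: should not fire.
    _entry("2024-01-10T09:01:00Z", "SetIamPolicy", "admin@example.com", {"project_id": "demo-proj"},
           {"policyDelta": {"bindingDeltas": [
               {"action": "ADD", "role": "roles/viewer", "member": "user:outsider@gmail.com"},
               {"action": "ADD", "role": "roles/editor", "member": "user:bob@example.com"}]}}),
] + [
    # four object fetches in 30 seconds: should fire on the fourth.
    _entry(f"2024-01-10T10:00:{s:02d}Z", "storage.objects.get", "svc@example.com",
           {"bucket_name": "finance-exports"}) for s in (0, 10, 20, 30)
] + [
    # four fetches spread over 30 minutes: never more than one per window.
    _entry(f"2024-01-10T11:{m:02d}:00Z", "storage.objects.get", "analyst@example.com",
           {"bucket_name": "finance-exports"}) for m in (0, 10, 20, 30)
]

if __name__ == "__main__":
    for f in detect_anomalous_grants(SAMPLE_ENTRIES) + detect_bulk_downloads(SAMPLE_ENTRIES):
        print(f)
```

The grant rule keys on the `bindingDeltas` that Resource Manager writes into the Admin Activity log for `SetIamPolicy`, so it sees exactly which member gained which role rather than diffing whole policies. The download rule needs Data Access logs enabled for Cloud Storage, since `storage.objects.get` is not recorded by default; the sliding deque keeps memory bounded to one window per principal, and the `flagged` set stops a single burst from producing one alert per object.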

Question 113

Which feature ensures that GKE nodes only pull images from trusted Artifact Registry locations?

A) Public IP assignment
B) Workload Identity
C) Private Google Access + IAM
D) Cloud VPN

Answer: C

Explanation: 

Public IP assignment exposes a resource directly to the internet, making it reachable from any external network unless heavily restricted through firewall rules. While public IPs can be convenient for accessibility, they inherently broaden the attack surface and require careful, continuous monitoring to prevent unauthorized access. They also bypass internal-only communication requirements, making them unsuitable in scenarios where resources must remain isolated from the public internet. Workload Identity focuses on secure identity mapping for workloads by removing the need for long-lived service account keys; however, it does not address the network path required for the workload to reach Google APIs. Although it enhances authentication security, it does not solve the requirement of enabling private communication with Google services. Cloud VPN enables secure, encrypted communication between on-premises environments and cloud networks, but it is designed for hybrid connectivity rather than for determining how resources access Google APIs. It cannot provide private, internet-free communication to Google services on its own. Private Google Access combined with IAM provides exactly what is needed to allow instances with only private IP addresses to interact with Google APIs without requiring a public IP. Private Google Access ensures traffic stays within Google’s internal network rather than traversing the public internet, while IAM enforces granular, identity-based access control to the specific APIs or services permitted. This combination keeps communication private, secure, and fully controlled, enabling restricted environments such as private subnets to interact safely with Google services without exposing the resources to external networks. Therefore, Private Google Access together with IAM is the correct and most secure choice for maintaining private connectivity while applying precise access controls.

Question 114

Which tool identifies whether users have been granted roles they no longer need?

A) IAM Recommender
B) OS Patch Manager
C) Cloud Armor
D) VPC routes

Answer: A

Explanation: 

IAM Recommender is a service that analyzes how permissions are actually used within an environment and provides data-driven suggestions to remove unnecessary access. Over time, IAM policies often accumulate overly broad roles or legacy permissions that are no longer needed. IAM Recommender continuously evaluates real usage and identifies which permissions are unused or excessive, helping organizations follow the principle of least privilege without guessing. It reduces risk by tightening access to only what users or service accounts truly require, and it assists in cleaning up complex IAM structures that may have grown difficult to manage. OS Patch Manager focuses on applying operating system updates and security patches to virtual machine instances, ensuring systems stay up to date and reducing vulnerabilities tied to outdated software. Although this is important for system maintenance, it does not address IAM permissions or user access improvements. Cloud Armor provides protection at the application edge by helping defend against distributed denial of service attacks and filtering incoming traffic through customizable security policies. It strengthens external perimeter security but does not manage cloud identity roles or suggest permission reductions. VPC routes determine how network traffic travels within or outside a virtual private cloud environment, defining pathways but offering no assistance with access control decisions or permission optimization. Given these differences, IAM Recommender is the correct choice because it directly examines permission usage and offers actionable recommendations to right-size IAM roles, improve security posture, and minimize unnecessary access in a structured and automated way that the other options do not provide.

Question 115

Which control helps ensure that only approved VPC networks can access sensitive APIs like BigQuery or Cloud Storage?

A) Firewall allowlists
B) VPC Service Controls
C) IAM alone
D) OS Login

Answer: B

Explanation: 

Firewall allowlists control which IP addresses or networks can reach certain resources, and while they offer a basic layer of protection, they are limited to network-level restrictions. They cannot prevent data exfiltration through authorized services, nor can they protect against threats that arise from compromised identities or internal actors who already have access. IAM alone focuses on controlling who can access which resources but does not restrict how data moves between different services or across organizational boundaries. Even with correctly configured IAM policies, an authorized identity could still potentially move sensitive data to unauthorized locations through legitimate APIs, because IAM is not designed to enforce perimeter-style isolation for managed services. OS Login provides a secure method for managing SSH access to virtual machine instances by tying login permissions to IAM identities, helping with authentication and auditability, but it does not govern data movement between Google-managed services nor does it create service perimeters. VPC Service Controls, however, introduce an additional security layer by establishing a virtual service perimeter around sensitive resources such as storage buckets, BigQuery datasets, or other managed services. This prevents data from being accessed or moved outside the defined boundary, even if credentials are compromised. It significantly reduces the risk of data exfiltration by ensuring that only traffic originating from trusted networks and authorized contexts can interact with protected services. VPC Service Controls work alongside IAM rather than replacing it, creating a defense-in-depth model that addresses both identity permissions and data-level restrictions. For scenarios requiring strong protection against data leakage or unauthorized access from outside trusted environments, VPC Service Controls are the most appropriate and effective choice.

Question 116

Which encryption method protects memory contents for sensitive workloads in GKE?


A) CMEK
B) Confidential GKE Nodes
SSL certificates
D) VPC Peering

Answer: B

Explanation: 

CMEK, or customer-managed encryption keys, allows organizations to control the encryption keys used to protect their data stored in various Google Cloud services. While CMEK is valuable for meeting compliance requirements and maintaining ownership of encryption keys, it does not protect data while it is being processed in memory or during runtime. It mainly addresses encryption at rest, not the risks associated with data exposure inside the compute environment.

SSL certificates provide encryption for data in transit between clients and services, ensuring secure communication and protecting against interception or tampering. However, SSL certificates do not safeguard data once it reaches the computing environment, nor do they offer protection against threats such as malicious insiders or direct access to memory.

VPC Peering connects two Virtual Private Cloud networks, enabling private communication between them without using the public internet. It improves network architecture and isolation but does not provide protection for in-memory data or prevent unauthorized access to workloads running within those networks.

Confidential GKE Nodes, on the other hand, are specifically designed to protect data during processing by running workloads on confidential computing-enabled hardware. These nodes use secure enclaves and hardware-based memory encryption, ensuring that data remains protected even while in use. This prevents unauthorized access from privileged system components, cloud administrators, or potential attackers who might attempt to read memory contents. By enhancing runtime security, Confidential GKE Nodes provide a strong layer of protection that goes beyond traditional encryption approaches. Therefore, for scenarios requiring robust protection of data while it is being processed, Confidential GKE Nodes are the most suitable and comprehensive option among the choices listed.

Question 117

Which feature helps identify when a Cloud Storage object is accessed by an unexpected user or service account?


A) Admin Activity Logs
B) Data Access Logs
VPC flow logs
D) Cloud NAT logs

Answer: B

Explanation: 

Admin Activity Logs record administrative actions taken on resources, such as creating, modifying, or deleting configurations. These logs focus on control-plane operations that change the state or settings of cloud services. Although they are essential for auditing administrative behavior and tracking configuration changes, they do not capture details about how data itself is accessed or used within a resource.

VPC flow logs capture information about network connections, including source and destination IP addresses, ports, and traffic direction. They provide visibility into network activity and help in diagnosing connectivity issues or analyzing traffic patterns, but they do not show which users or service accounts accessed data within a storage system or database.

Cloud NAT logs provide insight into outbound connections made by instances that rely on Cloud NAT for internet access. These logs can reveal external endpoints contacted by private instances, which is helpful for understanding egress patterns, but they do not monitor interactions with data stored inside cloud resources.

Data Access Logs, however, are specifically designed to record read and write operations on data within managed services. These logs capture who accessed sensitive content, what operations were performed, and when those actions occurred. This level of detail is critical for compliance, security investigations, and understanding how data is used in an environment. Because the goal is to track access to the data itself rather than administrative changes or network activity, Data Access Logs are the most appropriate and effective choice.

Question 118

Which mechanism protects service-to-service calls inside Cloud Run or GKE by verifying identity via signed tokens?


A) API keys
B) OIDC identity tokens
SSH keys
D) Cloud Logging

Answer: B

Explanation: 

API keys are simple credential strings often used for identifying the calling project when accessing certain services, but they offer limited security because they cannot strongly authenticate the identity of a user or workload. They are typically used for low-risk or public data scenarios and can be easily exposed, shared, or misused if not handled carefully. API keys also lack granular control, expiration mechanisms, and robust identity guarantees, making them unsuitable for secure authentication to protected services.

SSH keys enable secure access to virtual machines through encrypted login sessions, but they are unrelated to verifying identity when calling cloud APIs. SSH keys only protect access to compute instances and do not help authenticate applications or services that need to call APIs securely.

Cloud Logging captures logs generated by various services for auditing, troubleshooting, and monitoring purposes, but it does not perform any authentication or provide identity assertions for API access.

OIDC identity tokens, however, offer secure, standards-based identity verification for workloads, users, or external systems. These tokens contain signed claims issued by a trusted identity provider and allow services to validate who is making a request without relying on long-lived credentials. OIDC identity tokens are short-lived and automatically rotated, and they integrate cleanly with modern authentication systems, reducing risk and improving security. Because they provide strong identity assertions, work well for cross-service authentication, and avoid the pitfalls of static keys, OIDC identity tokens are the most appropriate choice for secure and scalable identity-based API access.

Question 119

Which tool detects malware and suspicious runtime behavior inside Compute Engine VMs?


A) Event Threat Detection
B) VM Threat Detection
Cloud Armor
D) VPC firewall rules

Answer: B

Explanation: 

Event Threat Detection analyzes logs from various Google Cloud services to identify potential threats such as brute-force attempts, malware indicators, or anomalous behaviors. It operates at the log-analysis layer and focuses on detecting threats based on events recorded across the environment, rather than examining what is happening inside virtual machines themselves. While this provides valuable insights into high-level security issues, it does not monitor runtime activity or detect threats specific to VM workloads.

Cloud Armor provides protection at the network edge by filtering incoming HTTP(S) traffic, mitigating distributed denial of service attacks, and enforcing security policies for external-facing applications. Although essential for web security, Cloud Armor does not provide visibility into threats occurring within virtual machines.

VPC firewall rules control which traffic is allowed to reach or leave VM instances based on IP addresses, ports, and protocols. These rules help establish a secure network boundary, but they cannot detect malware, suspicious processes, or compromised behavior on the VM itself.

VM Threat Detection is specifically built to identify runtime threats occurring inside virtual machine environments. It analyzes signals from within the VM to detect malicious activity such as crypto-mining, unauthorized privilege escalation, rootkits, or suspicious processes. This capability allows organizations to discover threats that traditional network controls or log-based detection tools may miss. Because it provides direct visibility into VM workloads and identifies host-level security risks, VM Threat Detection is the most appropriate and effective choice among the listed options.

Question 120

Which Organization Policy prevents the creation of external IPs on VM instances?


A) restrictVpcPeering
B) disableExternalIp
allowedSecureBoot
D) restrictServiceAccountKeys

Answer: B

Explanation: 

The restrictVpcPeering constraint is used to control whether projects are allowed to establish VPC peering connections. While this can help maintain network isolation and prevent unintended cross-project connectivity, it does not directly address the issue of limiting external exposure of virtual machine instances. VPC peering focuses on internal network architecture rather than the public accessibility of resources.

The allowedSecureBoot constraint ensures that virtual machines use secure boot features, which help protect the integrity of the boot process and defend against rootkits or low-level compromises. Although Secure Boot is an important security measure, it has no impact on whether external IP addresses are assigned to instances or whether those instances can be accessed from the public internet.

The restrictServiceAccountKeys constraint limits the creation or download of service account keys, helping to reduce the risk of key leakage and unauthorized service impersonation. This is valuable for identity and credential security but again does not control network exposure or public IP assignment.

The disableExternalIp constraint is specifically designed to prevent the assignment of external IP addresses to VM instances. Enforcing this constraint eliminates the possibility of direct public internet access by ensuring that instances operate only with private IP addresses inside the VPC. This improves security by reducing the attack surface and preventing external scanning, probing, or direct access attempts. Because the objective is to prevent VMs from receiving public IPs and therefore eliminate unintended exposure, disableExternalIp is the most appropriate and effective choice among the available options.
