Professional Cloud Security Engineer Free Practice Questions

10 of 234 questions shown

Sample Questions

Q1

A financial services company is migrating its batch processing workloads to Google Cloud. A key regulatory requirement is that no virtual machine involved in processing can have a public IP address. Additionally, these VMs must be able to pull dependencies from a public container registry and access Google Cloud APIs like BigQuery and Cloud Storage. The security team has mandated the most restrictive network configuration possible. Which configuration meets these stringent requirements?

Q2

A security auditor is reviewing your organization's resource hierarchy. They have identified a critical folder containing production projects. The auditor requires a non-modifiable policy that prevents any user, including Organization Administrators, from linking projects in this critical folder to a non-approved billing account. Which IAM feature should you use to enforce this?

Q3 (Multiple answers)

You are designing a security strategy for a large-scale data analytics platform on Google Cloud. The platform ingests sensitive customer data into Cloud Storage, which is then processed by Dataproc clusters. You need to ensure that the raw data is de-identified before being loaded into a BigQuery data warehouse for analysis. The de-identification must be format-preserving and reversible by a small, authorized group of data custodians for auditing purposes. Which combination of services should you use? (Select TWO)

Q4

A healthcare organization is deploying a new patient portal application on Google Kubernetes Engine (GKE). To comply with HIPAA, they must log all administrator actions and all access events to patient data stored in a backend Cloud SQL database. The security team wants to retain these specific logs for 10 years in a low-cost, immutable storage solution for potential audits. What is the most efficient way to configure this?

Q5

Your company uses an on-premises Active Directory (AD) as its primary identity provider. You need to grant developers access to Google Cloud projects based on their AD group memberships. The security policy requires that users authenticate directly against the on-premises AD, and their session with Google Cloud should be valid for a maximum of 8 hours. What should you configure to meet these requirements?

Q6

A startup has deployed its entire infrastructure on Google Cloud. The CTO is concerned about the security posture and wants to proactively identify misconfigurations, such as publicly exposed Cloud Storage buckets, overly permissive IAM policies, and open firewall rules. The solution must be a managed Google Cloud service that provides a centralized dashboard of findings and integrates with the existing resource hierarchy. Which service should they implement?

Q7

True or False: A VPC Service Controls perimeter, when configured with an access level based on IP address, can restrict access to Google Cloud APIs like BigQuery to only requests originating from a corporate on-premises network.

Q8

A new regulation requires your company to use FIPS 140-2 Level 3 validated hardware security modules (HSMs) for managing the encryption keys used to protect your most sensitive data in Cloud Storage. Your security policy prohibits Google personnel from having any access to the key material. Which Cloud KMS solution should you implement?

Q9 (Multiple answers)

You are the security lead for a retail company. During a post-incident review of a data breach, it was discovered that a compromised service account key with Project Owner permissions was used to exfiltrate data from a production project. To prevent this from happening again, you want to implement a defense-in-depth strategy that limits the potential damage of a compromised credential. Which TWO controls would be most effective? (Select TWO)

Q10

An organization wants to enforce that all new Compute Engine instances are created from a set of approved, hardened OS images. They also need to prevent developers from enabling serial port access on any VM. Which Google Cloud feature should be used to enforce these two requirements across the entire organization?