Cloud Security Engineer Practice Exam 2025: Latest Questions

Your security team wants to ensure that developers can only deploy Cloud Run services in a specific project, but cannot modify IAM policies or access data in other services. Which approach is the best practice?

A team stores sensitive objects in a Cloud Storage bucket. They want to ensure the bucket is not publicly accessible, even if someone accidentally grants allUsers access. What should they do?

You need to reduce the risk of service account key exfiltration. Which action is the most effective best practice for most workloads running on Google Cloud?

A security engineer wants to ensure all VM instances in a project can only be reached through an Identity-Aware Proxy (IAP) TCP tunnel, and not directly from the internet. What is the correct configuration?

A company wants to restrict data exfiltration from BigQuery so that only users from managed corporate devices can export query results to Google Drive. Users on unmanaged devices should still be able to run queries but not export. Which solution best meets the requirement?

Your organization uses shared VPC. The security team requires that only a dedicated network admin group can create or modify firewall rules, while application teams can create VM instances and tags. What is the best approach?

A workload in GKE needs to call Google APIs without using node-level service account permissions. Security wants per-pod identity with least privilege and no service account keys. What should you implement?

You suspect that a compromised VM is exfiltrating data to an external IP address. You need to quickly block all egress traffic from that single VM while preserving other workloads. What should you do?

Your organization has a regulatory requirement to ensure encryption keys used for sensitive data are not accessible to Google-managed personnel and must be controlled externally. The workload runs on Compute Engine and uses Cloud Storage and BigQuery. What is the best key management approach?

An auditor reports that some projects can disable Cloud Audit Logs for certain services, creating gaps in administrative activity tracking. You need an organization-wide control to ensure Admin Activity logs are always retained and cannot be disabled in any project. What should you do?

A security team wants a near-real-time inventory of all resources across many projects and folders, plus alerts when noncompliant assets appear (for example, publicly exposed buckets or overly permissive firewall rules). Which Google Cloud service is the best fit?

A team must ensure that whenever a new project is created, certain required security controls are enforced automatically (for example, only approved APIs enabled, required labels present, and specific org policies applied). What is the recommended approach?

A workload running on Compute Engine needs to call Google APIs. The security team wants to avoid long-lived keys and ensure the VM uses a least-privilege identity. What should you do?

Your organization requires that all Cloud Storage objects are encrypted with customer-managed encryption keys (CMEK) and that key usage is auditable and centrally controlled. Which design best meets this requirement?

A company wants to allow developers to SSH into Compute Engine VMs, but only from corporate devices and only when the user’s group membership is verified at connection time. They also want to avoid managing SSH keys on instances. What should they implement?

A production VPC has strict egress requirements. Only a small set of external domains and IPs should be reachable, and all other internet egress must be blocked. The security team needs an approach that is manageable at scale and supports domain-based controls. What should you recommend?

Your team is investigating suspicious activity and needs to determine who changed a firewall rule and what the previous values were. Where should you look first in Google Cloud?

A regulated workload uses BigQuery and Cloud Storage. The company must prevent exfiltration of sensitive data by restricting dataset exports and Storage object sharing to only approved projects within the organization. Which combination is most appropriate?

A security architect wants to enforce that only approved images can be deployed to GKE, and also wants verifiable provenance for container builds. Which approach best meets these requirements?

A team created a new subnet and enabled Private Google Access, but workloads in that subnet still cannot reach Google APIs. They can resolve DNS names but connections time out. What is the most likely cause?

Your company stores sensitive documents in a Cloud Storage bucket. A security policy requires that objects must not be permanently deleted for 30 days, even by project owners, to allow recovery from accidental or malicious deletion. What should you configure?

An organization uses VPC Service Controls to protect sensitive data in BigQuery. A data scientist reports that queries from their Vertex AI Workbench notebook to BigQuery now fail after the project was added to a service perimeter. The notebook VM has external IP disabled and is in a private subnet. What is the most likely fix?

You must ensure that only traffic from a specific on-premises IP range can access an HTTPS application behind an external Application Load Balancer. You want to enforce the restriction at the edge and centrally manage the allowlist. What should you use?

A development team needs to access a production Cloud SQL instance from a GKE cluster. Security policy requires that no long-lived credentials or service account keys be stored in the cluster. What is the recommended approach?

You need an automated control that continuously evaluates whether projects have disabled Cloud Audit Logs for Admin Activity and raises an alert if someone attempts to reduce logging. The solution should be centrally managed and aligned with security governance. What should you implement?