Cloud Security Engineer Advanced Practice Exam: Hard Questions 2025
You've made it to the final challenge! Our advanced practice exam features the most difficult questions covering complex scenarios, edge cases, architectural decisions, and expert-level concepts. If you can score well here, you're ready to ace the real Cloud Security Engineer exam.
Why Advanced Questions Matter
Prove your expertise with our most challenging content
Expert-Level Difficulty
The most challenging questions to truly test your mastery
Complex Scenarios
Multi-step problems requiring deep understanding and analysis
Edge Cases & Traps
Questions that cover rare situations and common exam pitfalls
Exam Readiness
If you pass this, you're ready for the real exam
Expert-Level Practice Questions
10 advanced-level questions for Cloud Security Engineer
Your organization uses a centralized CI/CD project to deploy workloads into 30+ application projects. Security requires that (1) CI/CD can only deploy specific resources (GKE clusters, Cloud Run services, and Pub/Sub topics), (2) CI/CD cannot grant IAM roles or change org policies, and (3) every deployed resource must be attributable to the pipeline identity, not to individual engineers. What is the best design?
A security team discovers that developers can create service account keys for a high-privilege runtime service account used by a production GKE workload. They must prevent key creation going forward, ensure workloads still authenticate, and avoid breaking existing deployments. Which approach best meets the requirements with minimal disruption?
An incident response team needs to allow a third-party forensic vendor to access Cloud Logging and Cloud Storage evidence in a dedicated incident project for 72 hours. Requirements: vendor access must be time-bound, must not allow modification or deletion of evidence, and must be revocable immediately. What is the best solution?
You run a shared VPC with multiple service projects. A sensitive service in one project must only be reachable from a specific set of internal subnets and must not be reachable from other service projects—even though they share the same VPC. The service uses Internal HTTP(S) Load Balancing with a managed instance group backend. What is the most effective control?
A company has on-premises networks connected to Google Cloud via Cloud VPN and Cloud Interconnect. They need to prevent data exfiltration from a PCI workload VPC to the internet while still allowing controlled egress to specific third-party payment APIs and OS package repositories. Requirements: centralized policy enforcement, scalable across multiple projects, and visibility into egress. What should you implement?
A private GKE cluster runs critical workloads that must pull images from Artifact Registry and write logs/metrics to Google-managed services. Security mandates no public IPs and no direct internet egress. After enabling Private Google Access, some nodes still fail to pull images intermittently and logs show connection attempts to public endpoints. What is the most robust fix?
A regulated workload stores highly sensitive data in Cloud Storage. Security requires customer-managed encryption keys (CMEK), automatic key rotation, and assurance that data cannot be decrypted if exfiltrated to another project. They also need to prevent accidental disabling or destruction of the key. What design best meets these requirements?
Your company uses BigQuery for analytics on sensitive datasets. You must allow data scientists to run queries but prevent them from exfiltrating raw data to external locations (e.g., Cloud Storage exports, Drive exports) while still permitting aggregated reporting dashboards. Which solution is most appropriate?
A security operations team suspects a compromised workload identity in a production project. They need to (1) identify which principal accessed Secret Manager secrets, (2) determine whether access was via service account impersonation, and (3) rapidly contain the incident without breaking unrelated workloads. What is the best sequence of actions?
A company must demonstrate compliance that only approved regions are used for storing regulated data, and that any attempt to create storage resources outside approved regions is blocked. They also need continuous evidence for auditors showing enforcement. What is the best approach?
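The Secret Manager incident scenario above turns on reading Cloud Audit Logs correctly: the Data Access log for `AccessSecretVersion` records the principal the request was authorized as, and, when that principal was reached through impersonation, a `serviceAccountDelegationInfo` chain naming who started the request; a `serviceAccountKeyName` shows a user-managed key was used. The following is an added example, not content from the practice exam page, that parses constructed JSON-lines audit entries of that shape and performs the first two triage steps. The project, secret, principal names, key ID and IP addresses are hypothetical.

```python
"""Triage Secret Manager reads from exported Cloud Audit Log entries (added example).

Input is one JSON log entry per line, the shape Cloud Logging exports through a
sink or `gcloud logging read --format=json`. The sample entries are constructed.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Real method name that returns a secret payload. GetSecret/ListSecrets only
# return metadata and are deliberately ignored.
ACCESS_METHOD = "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"

# Constructed sample: (1) direct read by the workload SA, (2) an engineer
# impersonating the workload SA, (3) a metadata-only call, (4) a read made with
# a user-managed key for the workload SA from an external address.
SAMPLE_LOG = r'''
{"timestamp":"2025-03-01T10:15:02Z","protoPayload":{"methodName":"google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion","resourceName":"projects/prod-app/secrets/db-password/versions/3","authenticationInfo":{"principalEmail":"payments-runtime@prod-app.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"10.8.0.12"}}}
{"timestamp":"2025-03-01T10:17:45Z","protoPayload":{"methodName":"google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion","resourceName":"projects/prod-app/secrets/db-password/versions/3","authenticationInfo":{"principalEmail":"payments-runtime@prod-app.iam.gserviceaccount.com","serviceAccountDelegationInfo":[{"firstPartyPrincipal":{"principalEmail":"alice@example.com"}}]},"requestMetadata":{"callerIp":"203.0.113.7"}}}
{"timestamp":"2025-03-01T10:18:00Z","protoPayload":{"methodName":"google.cloud.secretmanager.v1.SecretManagerService.GetSecret","resourceName":"projects/prod-app/secrets/db-password","authenticationInfo":{"principalEmail":"alice@example.com"}}}
{"timestamp":"2025-03-01T10:22:13Z","protoPayload":{"methodName":"google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion","resourceName":"projects/prod-app/secrets/db-password/versions/3","authenticationInfo":{"principalEmail":"payments-runtime@prod-app.iam.gserviceaccount.com","serviceAccountKeyName":"//iam.googleapis.com/projects/prod-app/serviceAccounts/payments-runtime@prod-app.iam.gserviceaccount.com/keys/3f1a9c"},"requestMetadata":{"callerIp":"198.51.100.23"}}}
'''


@dataclass
class SecretAccess:
    timestamp: str
    secret_version: str
    effective_principal: str      # identity the request was authorized as
    delegation_chain: List[str]   # principals from serviceAccountDelegationInfo, log order
    caller_ip: Optional[str]
    key_name: Optional[str]       # present when a user-managed SA key authenticated the call

    @property
    def impersonated(self) -> bool:
        return bool(self.delegation_chain)

    def originating_principal(self) -> str:
        """Who initiated the request: first delegation hop if any, else the SA itself."""
        return self.delegation_chain[0] if self.delegation_chain else self.effective_principal


def parse_secret_accesses(raw: str) -> List[SecretAccess]:
    """Keep only payload reads; pull the identity fields an investigator needs."""
    accesses: List[SecretAccess] = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != ACCESS_METHOD:
            continue
        auth = payload.get("authenticationInfo", {})
        chain = []
        for hop in auth.get("serviceAccountDelegationInfo", []):
            who = hop.get("firstPartyPrincipal") or hop.get("thirdPartyPrincipal") or {}
            chain.append(who.get("principalEmail", "<unknown>"))
        accesses.append(SecretAccess(
            timestamp=entry.get("timestamp", ""),
            secret_version=payload.get("resourceName", ""),
            effective_principal=auth.get("principalEmail", "<unknown>"),
            delegation_chain=chain,
            caller_ip=payload.get("requestMetadata", {}).get("callerIp"),
            key_name=auth.get("serviceAccountKeyName"),
        ))
    return accesses


def principals_by_secret(accesses: List[SecretAccess]) -> Dict[str, Set[str]]:
    """Step 1: secret version -> originating principals that read its payload."""
    out: Dict[str, Set[str]] = {}
    for a in accesses:
        out.setdefault(a.secret_version, set()).add(a.originating_principal())
    return out


def flag_suspicious(accesses: List[SecretAccess], expected_principal: str) -> List[SecretAccess]:
    """Step 2: reads that did not come straight from the expected workload identity.

    Assumes the workload obtains tokens from the metadata server (Workload
    Identity), so impersonation or a user-managed key is unexpected.
    """
    return [a for a in accesses
            if a.impersonated or a.key_name or a.effective_principal != expected_principal]


def reason(a: SecretAccess) -> str:
    """Human-readable explanation for a flagged access."""
    if a.impersonated:
        return "impersonated via " + " -> ".join(a.delegation_chain)
    if a.key_name:
        return "user-managed key " + a.key_name
    return "unexpected principal"


if __name__ == "__main__":
    accesses = parse_secret_accesses(SAMPLE_LOG)
    for version, who in principals_by_secret(accesses).items():
        print(version, "read by", sorted(who))
    for a in flag_suspicious(accesses, "payments-runtime@prod-app.iam.gserviceaccount.com"):
        print(a.timestamp, a.effective_principal, "from", a.caller_ip, ":", reason(a))
```

On real data, the flagged `serviceAccountKeyName` entry is the lead for both containment and the key-creation question earlier on this page: the key can be disabled or deleted on its own, which stops the external caller without touching the Workload Identity path the production pods use.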
Ready for the Real Exam?
If you're scoring 85%+ on advanced questions, you're prepared for the actual Cloud Security Engineer exam!
Cloud Security Engineer Advanced Practice Exam FAQs
The Professional Cloud Security Engineer certification from Google Cloud validates expertise in designing and operating secure workloads and infrastructure on Google Cloud, including identity and access management, network security, data protection, and security operations. This site catalogues the exam under the code GCP-11.
The Cloud Security Engineer advanced practice exam features the most challenging questions covering complex scenarios, edge cases, and in-depth technical knowledge required to excel on the GCP-11 exam.
While not required, we recommend mastering the Cloud Security Engineer beginner and intermediate practice exams first. The advanced exam assumes strong foundational knowledge and tests expert-level understanding.
If you can consistently score 85% or higher on the Cloud Security Engineer advanced practice exam, you're likely ready for the real exam. These questions are designed to be at or above actual exam difficulty.