Cloud Security Engineer Intermediate Practice Exam: Medium Difficulty 2025

A security team wants to enforce that only users from a specific corporate identity group can impersonate a production service account to deploy workloads. They also want to avoid granting broad permissions directly to developers. What is the BEST approach?

A company runs workloads in multiple projects under a shared folder. They need to ensure that no one can disable Cloud Audit Logs for Admin Activity and that logs are centrally retained in a dedicated logging project. What should they do?

A team uses Cloud Build to deploy to GKE. Security requires that the Cloud Build service account can only deploy to a specific namespace and cannot read secrets outside that namespace. Which approach best meets the requirement?

A web application is hosted on a regional managed instance group behind an external HTTPS load balancer. The security team wants to block common web attacks and restrict access to only a set of countries. What should you implement?

A company has two VPCs in different projects. They need to allow private communication between workloads while ensuring that only specific subnets can talk to each other, and they want centralized control and minimal peering complexity. What is the BEST solution?

A regulated workload uses Cloud Storage and BigQuery. The security team wants to prevent data exfiltration by ensuring that access to these services is only possible from approved VPC networks, and that copies of data cannot be written to projects outside the perimeter. What should you implement?

A company stores sensitive customer documents in a Cloud Storage bucket. They must ensure encryption keys are controlled by the company and that key usage can be audited and restricted by IAM. What is the BEST approach?

A team needs to share a BigQuery dataset with analysts from a partner company. The data contains PII and must be anonymized before sharing. The partner should not be able to re-identify individuals, and access should be limited to only the anonymized view. What should you do?

Your organization requires that all security-relevant events generate timely notifications, including changes to IAM policies and firewall rules. You need a managed approach that scales across projects and can route alerts to a ticketing system. What should you implement?

A company must demonstrate compliance by proving that public access to Cloud Storage buckets is prevented across the organization, except for a small set of explicitly approved buckets in a specific folder. What is the BEST way to implement this?