Cloud Security Engineer Practice Exam: Test Your Knowledge 2025

Your organization needs to grant temporary access to external auditors to view specific BigQuery datasets without creating permanent Google accounts. The auditors should only have read access for 30 days. What is the most appropriate solution?

A financial services company requires all VM instances to use customer-managed encryption keys (CMEK) stored in Cloud KMS. How should you enforce this requirement across all projects in your organization?

You need to configure a secure network architecture where web servers in GCP can be accessed from the internet, but application servers should only be accessible from the web servers. Database servers should only be accessible from application servers. What is the best approach?

Your company must ensure that all API calls to GCP services are logged and retained for 7 years for compliance purposes. Which combination of services should you use?

An application running on GKE needs to access Cloud SQL without exposing database credentials in the application code or configuration files. What is the recommended approach?

You need to prevent data exfiltration from your GCP environment. Specifically, you want to ensure that data from BigQuery and Cloud Storage in your production project cannot be copied to projects outside your organization. What should you implement?

Your organization requires that all cryptographic keys used for encryption must be generated and stored in FIPS 140-2 Level 3 validated hardware security modules. Which Cloud KMS key type should you use?

A development team needs the ability to create and delete GCE instances in a development project, but they should not be able to modify IAM policies or create service accounts. Which predefined role should you assign?

You are implementing defense-in-depth for a web application. Cloud Armor is already configured for DDoS protection. The application backend needs additional protection against SQL injection and cross-site scripting attacks. What should you add?

Your security team needs to receive real-time alerts when someone attempts to disable Cloud Audit Logging or modify VPC firewall rules that allow public access. How should you implement this monitoring?

A multi-tenant application stores customer data in separate Cloud Storage buckets per customer. Each customer should only be able to access their own bucket. The application uses a single service account. How should you implement this access control?

Your company's compliance policy requires that sensitive data at rest must be encrypted with keys that can be immediately destroyed in an emergency, rendering the data unrecoverable. How should you implement this requirement?

You need to allow your on-premises data center to access specific Google Cloud APIs while ensuring that traffic never traverses the public internet. What connectivity solution should you implement?

Your organization needs to ensure that only approved container images from your organization's Artifact Registry can be deployed to GKE clusters. How should you enforce this policy?

A Security Incident Response team needs view-only access to all resources across all projects in your organization for forensic investigations, but should not be able to modify anything. What is the most appropriate approach?

You discover that a service account key has been compromised. What immediate actions should you take to mitigate the risk?

Your healthcare application must comply with HIPAA requirements. Patient data in BigQuery must be de-identified before analysts can access it. What GCP service should you use for automated de-identification?

Your company runs microservices on GKE that need to communicate securely with mutual TLS authentication. Service-to-service traffic must be encrypted and authenticated without modifying application code. What solution should you implement?

You need to implement least privilege access for a CI/CD pipeline that deploys to Cloud Run. The pipeline needs to deploy services but should not be able to modify IAM policies. What is the minimal set of permissions required?

Your security team needs to implement automated vulnerability scanning for all container images stored in Artifact Registry and prevent deployment of images with critical vulnerabilities. What combination of services should you use?