Google Cloud Professional Security Engineer Practice Exam 2025: Latest Questions
Test your readiness for the Google Cloud Professional Security Engineer certification with our 2025 practice exam. Featuring 25 questions based on the latest exam objectives, this practice exam simulates the real exam experience.
Why Take This 2025 Exam?
Prepare with questions aligned to the latest exam objectives
2025 Updated: Questions based on the latest exam objectives and content
25 Questions: A focused practice exam to test your readiness
Mixed Difficulty: Questions range from easy to advanced levels
Exam Simulation: Experience questions similar to the real exam
Practice Questions
25 practice questions for Google Cloud Professional Security Engineer
Your security team wants to enforce that all newly created Cloud Storage buckets in a project cannot be publicly accessible (no allUsers/allAuthenticatedUsers access), even if a developer tries to grant it. What should you configure?
A security engineer needs to ensure a service account used by a CI pipeline can only deploy to Cloud Run and cannot access other Google Cloud resources. What is the recommended approach?
You suspect a Compute Engine VM is exfiltrating data. You want to quickly investigate by reviewing network flow information for the VM’s subnet without installing agents on the VM. What should you enable?
Your organization must ensure that none of its projects can create external IP addresses for Compute Engine VMs to reduce internet exposure. What should you implement?
A regulated workload requires that Google Cloud APIs are accessed privately and must not traverse the public internet. Your applications run on Compute Engine in a VPC without external IPs. What is the best solution to access Google APIs privately?
You need to ensure that security findings across multiple projects are centrally visible to the security operations team, and that high-severity findings generate notifications to a SIEM. Which approach best meets this requirement?
A team uses Cloud Build to deploy applications. Your organization requires that builds only run from approved repositories and that any build that includes a known leaked secret is blocked. What should you implement?
An auditor asks you to prove that Cloud Storage objects containing PII have not been modified unexpectedly and that you can detect and investigate any changes. Which combination best satisfies this requirement?
Your organization uses a shared VPC with multiple service projects. A new policy requires that only traffic from a managed IDS solution can reach sensitive backends, and you must inspect east-west traffic between VMs in different subnets. Which design best meets the requirement with minimal impact to applications?
A company must use customer-controlled encryption keys for BigQuery datasets and ensure that data is not accessible if a key is disabled during an incident response. They also want to minimize key exposure and centralize key administration. What is the best approach?
You need to ensure new projects in an organization cannot disable Cloud Audit Logs or reduce their retention settings. What should you implement?
A security team wants to ensure that only approved container images are deployed to GKE. The team also needs an auditable policy with enforcement at deployment time. What is the best approach?
An application running on Compute Engine needs to call Google APIs without using long-lived service account keys. What is the recommended solution?
A company must restrict which external IP addresses can access its internal HTTPS application running on a managed instance group behind an external HTTP(S) Load Balancer. The security team also needs centralized management and logging of allow/deny decisions. What should you use?
You are investigating suspicious activity and need to determine which principal changed a firewall rule in a specific project. Where should you look first?
A security team wants a near-real-time alert when a service account is granted high-privilege roles (for example, Owner or Project IAM Admin) in any project. What is the best approach?
A regulated workload requires that encryption keys for Cloud Storage objects are customer-managed and that key usage be limited to requests originating from a specific set of projects. How can you best meet this requirement?
A company uses Cloud Run services that must only be invoked by workloads in the same project and by a specific service account from another project. Public access must be prevented. What configuration best meets the requirement?
Your organization uses Shared VPC with multiple service projects. A new requirement states that service project admins must not be able to create firewall rules that affect other tenants or the host project network posture. What should you do?
A security engineer must enable organization-wide visibility into misconfigurations across multiple projects, including overly permissive IAM, public storage buckets, and exposed VM services. The solution must support continuous monitoring and provide a single pane of glass with findings. What should you implement?
Your company uses a vendor to administer a single GKE cluster in one project. The vendor must be able to run kubectl commands but must NOT be able to create or update any IAM policies in the project, nor access other projects. What is the best approach?
A security engineer needs to ensure that VM instances in a shared VPC project cannot exfiltrate data to the public internet, but they must still be able to reach a small set of approved external SaaS endpoints. The control should be enforceable centrally and apply even if developers create new VMs and subnets. What should you implement?
An organization wants to detect and alert on the creation of new service account keys across all projects. The security team also wants to retain an auditable history for investigations. What is the recommended solution?
A regulated workload must ensure that sensitive objects in Cloud Storage are encrypted with customer-managed encryption keys (CMEK) and that accidental writes using Google-managed encryption are prevented. The solution should enforce this across multiple projects with minimal operational overhead. What should you do?
Your organization is seeing occasional access-denied errors when a Cloud Run service reads from a Secret Manager secret. The service is deployed from Cloud Build using a dedicated service account. The runtime identity for Cloud Run is set to a different service account. Which change best fixes the issue while maintaining least privilege?
Google Cloud Professional Security Engineer 2025 Practice Exam FAQs
Google Cloud Professional Security Engineer is a professional certification from Google Cloud that validates expertise in Google Cloud Professional Security Engineer technologies and concepts. The official exam code is PSE.
The Google Cloud Professional Security Engineer Practice Exam 2025 includes updated questions reflecting the current exam format, new topics added in 2025, and the latest question styles used by Google Cloud.
Yes, all questions in our 2025 Google Cloud Professional Security Engineer practice exam are updated to match the current exam blueprint. We continuously update our question bank based on exam changes.
The 2025 Google Cloud Professional Security Engineer exam may include updated topics, revised domain weights, and new question formats. Our 2025 practice exam is designed to prepare you for all these changes.