50 Google Cloud Professional Security Engineer Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Google Cloud Professional Security Engineer certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions: A comprehensive set of practice questions covering key exam topics
All Domains Covered: Questions distributed across all exam objectives and domains
Mixed Difficulty: Easy, medium, and hard questions to test all skill levels
Detailed Explanations: Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for Google Cloud Professional Security Engineer
Your organization wants all newly created Google Cloud projects to prohibit public access to Cloud Storage buckets by default, even if developers attempt to grant allUsers or allAuthenticatedUsers access. What should you implement?
A security engineer needs to ensure that production VM instances do not have external IP addresses. Developers must still be able to access the instances for administration from a controlled path. What is the recommended approach?
You want to detect and receive near real-time alerts when Cloud IAM policy changes occur in any project in an organization. Which solution best meets this requirement with minimal operational overhead?
A team needs to ensure that objects uploaded to a Cloud Storage bucket are encrypted using customer-managed keys (CMEK) by default. What should you do?
A company uses Cloud Run for a public API. Security wants to ensure only requests coming through the global HTTPS load balancer are accepted, and direct requests to the Cloud Run URL are blocked. What should you do?
Your organization must ensure separation of duties: the team that manages KMS keys must not be able to decrypt application data, while application service accounts must be able to encrypt/decrypt but not manage key policies. Which IAM approach best meets this requirement?
A security engineer is investigating suspicious outbound connections from a VM in a private subnet. They need to identify the destination IPs and ports and correlate the activity to a specific VM interface. Which logging should be enabled to provide this information?
You must enforce that only approved container images can be deployed to GKE, and block workloads using images that fail vulnerability policy requirements. The control should be preventive (not just detective). What should you implement?
A regulated workload requires that data in BigQuery be protected such that even Google operators cannot access plaintext, and the organization must control key access with an external key management system. Which design best meets this requirement?
You are designing a multi-project environment where sensitive datasets in Cloud Storage must only be accessible from specific approved services (Cloud Run and GKE) in a set of projects, and you need to reduce the risk of data exfiltration to the public internet or to other projects even if IAM permissions are mistakenly granted. What is the best architecture?
A security team wants to prevent engineers from creating external IP addresses on Compute Engine VMs across an entire project. Existing VMs with external IPs should remain unchanged. What is the best approach?
Your organization needs to centrally review all administrative actions (for example, IAM policy changes) across all projects and retain logs for at least one year. What should you implement?
A team stores sensitive documents in Cloud Storage. They need to ensure the documents are encrypted with a key they manage and can be disabled immediately if compromise is suspected. What should they use?
An internal application on GKE uses a service account key file stored in a Kubernetes Secret to call Google APIs. The security team wants to eliminate long-lived keys and follow Google-recommended practices for workload identity. What should you do?
You have a Cloud Storage bucket used for daily exports. A new compliance requirement mandates that objects cannot be deleted or overwritten for 30 days, even by project owners. What should you implement?
A company wants to reduce the blast radius of a compromised VM. The VM should have permissions only to write objects to a specific Cloud Storage bucket prefix and nowhere else. What is the best practice configuration?
Your organization uses Shared VPC. A service project team needs to create firewall rules for their own application, but must not be able to modify the host project's network or other teams' firewall rules. What should you do?
A security analyst needs to identify which principal performed a specific BigQuery dataset IAM change and from where it originated. Which logs should they use?
A regulated enterprise requires that private keys used for TLS termination and code signing are generated and remain in a FIPS 140-2 validated hardware security module, and that signing operations are auditable. What is the best solution on Google Cloud?
A company wants to allow only compliant devices (corporate-managed laptops) to access the Google Cloud Console and gcloud for production projects. They also need to enforce multi-factor authentication and prevent access from unmanaged devices, even if credentials are stolen. What should they implement?
Your security team wants to ensure that every new Google Cloud project automatically enables Cloud Audit Logs for Admin Activity and Data Access where supported, without relying on developers to configure it. What is the recommended approach?
A developer reports that they can list objects in a Cloud Storage bucket but cannot download them. The bucket uses Uniform bucket-level access. What is the most likely cause?
You need to encrypt a Compute Engine persistent disk with a customer-managed key (CMEK) stored in Cloud KMS. Which additional permission must the Compute Engine service agent have on the KMS key to use it for disk encryption?
Your organization requires that only corporate-managed devices can access the Google Cloud Console and Google Cloud APIs. Access should be denied for unmanaged devices even if the user has valid credentials. What should you implement?
You are designing a solution to reduce data exfiltration risk from BigQuery. Only workloads running inside a specific set of projects should be able to read datasets, and access from outside that boundary must be blocked even if credentials are compromised. What is the best approach?
Security Command Center (SCC) is generating findings for publicly accessible Cloud Storage buckets. Your compliance team wants to automatically open a ticket and notify the on-call channel whenever a new HIGH severity finding of this type appears. What is the recommended implementation?
A team has a private GKE cluster. They need to allow administrators to reach the Kubernetes API server only from a specific on-premises IP range over Cloud VPN, and block all other sources. Which configuration best meets the requirement?
You must ensure that only approved container images are deployed to GKE across multiple projects. Images must come from a specific Artifact Registry repository and must be signed. What is the best solution on Google Cloud?
Your organization wants to use customer-managed encryption keys (CMEK) for sensitive data across several projects. Compliance requires that the key administrators cannot decrypt data, and the data administrators cannot manage keys. What design best meets separation of duties?
A regulated workload requires that security administrators review and approve any firewall rule changes before they take effect. Network engineers should be able to propose changes, but not apply them directly. The solution must be enforceable and auditable. What should you implement?
A security team wants to prevent accidental exposure of Google Cloud Storage buckets to the public internet across all projects in an organization. They still want to allow sharing with specific users and service accounts. What should they do?
You need to grant a third-party auditor read-only access to BigQuery datasets and Cloud Storage logs for 2 weeks. You want the access to automatically expire without manual cleanup. What is the best approach?
An application running on Compute Engine must access a Cloud SQL database without storing passwords in configuration files. The security team also requires automatic credential rotation and minimal operational overhead. What should you use?
A team wants to ensure that only approved container images are deployed to their GKE clusters. They want policy enforcement at deploy time. What should they implement?
Your organization uses VPC Service Controls to reduce data exfiltration risk from BigQuery. A data scientist reports that queries from Cloud Shell to BigQuery now fail, but queries from a notebook VM inside the VPC work. What is the most likely cause?
A company needs to route on-premises DNS queries for private.googleapis.com to Google Cloud so that workloads can access Google APIs privately. The solution must work for multiple VPC networks. What should they implement?
You need to detect and alert when a service account is granted a highly privileged role (for example, roles/owner or roles/editor) in any project. You want near-real-time visibility with minimal custom infrastructure. What should you do?
A security engineer must ensure that only approved customer-managed encryption keys (CMEK) are used for new BigQuery datasets across an organization. Teams frequently create datasets via scripts and the console. What is the best way to enforce this requirement?
A company has workloads in two projects: one hosts a sensitive BigQuery dataset, the other runs Dataflow jobs that process the data. They use VPC Service Controls with a perimeter around the BigQuery project. The Dataflow jobs fail to read from BigQuery. They want to keep the BigQuery project protected but allow only these Dataflow jobs to access it. What should they do?
Your organization must provide cryptographic proof that only authorized key usage occurred for a Cloud KMS key that encrypts regulated data. Auditors require immutable, centrally retained logs and the ability to correlate key usage with specific principals. What should you implement?
You discover that a contractor was granted the primitive Editor role at the project level and has been creating unnecessary resources. You need to quickly reduce privilege while keeping the contractor able to view resources and submit Cloud Build triggers. What should you do?
A security policy requires that all changes to IAM policies across your organization be detectable and attributable. You want to alert when IAM bindings are modified in any project. What is the most appropriate approach?
You need to restrict a Cloud Storage bucket so that objects can only be read by requests coming from your corporate public IP ranges. The bucket is used by external partners via HTTPS. What should you implement?
A team wants to avoid service account key files entirely while allowing a third-party SaaS to access a BigQuery dataset in your project. The SaaS supports OIDC and can exchange tokens. What is the recommended solution?
Your organization requires that all Cloud Storage buckets be protected against public access and accidental exposure. You need a control that prevents anyone from granting allUsers/allAuthenticatedUsers access, even if they have permission to change IAM. What should you use?
A Cloud Run service must call a Google API over the public internet, but your security team requires that the API credentials never be stored as long-lived secrets and that access be tightly scoped. What is the best approach?
You operate an internal HTTPS application behind an external Application Load Balancer. The security team wants to enforce that only TLS 1.2+ and a restricted set of strong ciphers are used. Where should you configure this?
A production incident occurred, and you need to determine whether a specific Compute Engine VM’s service account was used to access Secret Manager during the incident window. Which data source is most appropriate to investigate?
You must ensure that only images from a trusted pipeline can run on GKE. Developers currently can deploy arbitrary container images from public registries. You want an enforceable control that blocks noncompliant images at deploy time. What should you implement?
A regulated workload in a shared VPC must access Cloud Storage and BigQuery without any possibility of data exfiltration to consumer Gmail accounts or external projects. The workload must still access those Google APIs. What architecture provides the strongest control?
Google Cloud Professional Security Engineer 50 Practice Questions FAQs
Google Cloud Professional Security Engineer is a professional certification from Google Cloud that validates expertise in Google Cloud security engineering technologies and concepts. The official exam code is PSE.
Our 50 Google Cloud Professional Security Engineer practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
50 questions is a great starting point for Google Cloud Professional Security Engineer preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 Google Cloud Professional Security Engineer questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.