Google Cloud Professional Security Engineer Advanced Practice Exam: Hard Questions 2025
You've made it to the final challenge! Our advanced practice exam features the most difficult questions covering complex scenarios, edge cases, architectural decisions, and expert-level concepts. If you can score well here, you're ready to ace the real Google Cloud Professional Security Engineer exam.
Why Advanced Questions Matter
Prove your expertise with our most challenging content
Expert-Level Difficulty
The most challenging questions to truly test your mastery
Complex Scenarios
Multi-step problems requiring deep understanding and analysis
Edge Cases & Traps
Questions that cover rare situations and common exam pitfalls
Exam Readiness
If you pass this, you're ready for the real exam
Expert-Level Practice Questions
10 advanced-level questions for Google Cloud Professional Security Engineer
A fintech runs production workloads in a shared VPC with hundreds of projects. Security requires: (1) no human can directly access production resources, (2) all changes must be attributable to an individual, (3) access must be time-bound, and (4) break-glass access must be possible but heavily audited. You use Cloud Build for deployments and want the least operational overhead. What is the best design?
Your organization uses hierarchical folders: /Prod, /NonProd, /Shared. A new policy states that only a central security group may disable audit logging or reduce log retention in any project. A platform team currently has Project IAM Admin in many projects and can change log sinks and exclusions. You must enforce this centrally, with minimal per-project management, and ensure projects cannot opt out. What should you do?
A security team must provide analysts access to sensitive logs stored in BigQuery across multiple projects. Requirements: analysts can run read-only SQL queries, must not be able to copy/export results outside the platform, and access must be revocable immediately. The analytics tool is Looker running on Google Cloud. What is the best approach?
After enabling OS Login and IAP TCP forwarding for SSH to GCE instances, developers report intermittent SSH failures only for instances in a specific project. You confirm firewall rules allow IAP ranges and that users have iap.tunnelResourceAccessor. Audit logs show 'Permission denied (publickey)' even though OS Login is enabled. What is the most likely root cause and fix?
You receive an alert from Security Command Center that multiple service accounts were used from an unusual geography to call Google Cloud APIs. Cloud Audit Logs are enabled. You need to rapidly determine whether these calls were made using service account keys, workload identity federation, or metadata-based tokens from GCE/GKE. What is the most effective method?
A regulated workload uses Cloud Run (fully managed) to process PHI and must not allow any request from the public internet. It must be reachable only from internal clients in a Shared VPC and also from an on-prem network over Cloud VPN. You must minimize exposure and prevent accidental public enablement. What should you implement?
You operate a multi-tenant GKE cluster with strict pod-to-pod isolation requirements. A tenant discovered they can reach another tenant’s service by hitting the ClusterIP directly. You already have Kubernetes NetworkPolicies per namespace, but some traffic still flows due to misconfiguration and default allows. You need an enforceable, centralized model that also restricts egress to approved destinations, with auditability and minimal reliance on developers writing correct policies. What is the best solution?
A company uses Cloud Storage buckets to serve static assets through Cloud CDN. Security requires that only the CDN and a specific internal build pipeline can read objects; direct public access must be prevented. They also want to block data exfiltration to buckets from outside the organization. What architecture best meets these requirements?
An auditor requires evidence that all Compute Engine instances across the organization run only approved images and that any deviation is detected and prevented. Teams frequently create new projects. You must implement a control that is enforced at creation time, centrally managed, and provides audit trails. What should you do?
A healthcare provider stores encrypted data in Cloud Storage with CMEK. They must ensure: (1) keys are rotated and cannot be exported, (2) decryption is only allowed from workloads in specific projects and regions, (3) a compromised project cannot use the key to decrypt data from other projects, and (4) auditing must show every decrypt attempt. What is the best design?
Ready for the Real Exam?
If you're scoring 85%+ on advanced questions, you're prepared for the actual Google Cloud Professional Security Engineer exam!
Google Cloud Professional Security Engineer Advanced Practice Exam FAQs
Google Cloud Professional Security Engineer is a professional certification from Google Cloud that validates expertise in Google Cloud security technologies and concepts. The official exam code is PSE.
The Google Cloud Professional Security Engineer advanced practice exam features the most challenging questions covering complex scenarios, edge cases, and in-depth technical knowledge required to excel on the PSE exam.
While not required, we recommend mastering the Google Cloud Professional Security Engineer beginner and intermediate practice exams first. The advanced exam assumes strong foundational knowledge and tests expert-level understanding.
If you can consistently score 70% on the Google Cloud Professional Security Engineer advanced practice exam, you're likely ready for the real exam. These questions are designed to be at or above actual exam difficulty.