Google Cloud Professional Security Engineer Intermediate Practice Exam: Medium Difficulty 2025

A platform team manages 30 Google Cloud projects. They want all projects to enforce that only approved regions can be used for new resources, and they want violations to be automatically remediated where possible. What is the best approach?

A security engineer needs to grant a third-party auditor read-only access to view logs in Cloud Logging for a single project for 30 days. The auditor must not be able to view resources or modify settings. What should you do?

A company uses Cloud Run services that read sensitive data from Cloud Storage. They want to reduce the risk of data exfiltration by ensuring Cloud Run can access only specific buckets and that data cannot be copied to other projects’ buckets. What is the best solution?

Your organization is migrating workloads to Google Cloud. The security team wants a centralized way to detect misconfigurations (for example, overly permissive IAM, public buckets) across all projects and route high-severity findings to an on-call system. What should you implement?

A team stores customer PII in BigQuery. They need column-level protection so that analysts can query non-sensitive columns freely, but only a small group can see PII columns. They also want queries on PII to be auditable. What should you do?

A company uses a shared VPC with multiple service projects. They want to ensure that only approved administrators can create or modify firewall rules in the host project, while application teams can still deploy instances in their service projects. What is the best approach?

Your organization requires that all administrative actions (for example, IAM changes) generate near-real-time alerts when performed outside business hours. The solution must be centrally managed and scalable across projects. What should you implement?

A financial services application runs on GKE and must restrict egress so pods can only reach specific Google APIs and a small set of external partner endpoints. The team wants to minimize public internet exposure while keeping operations manageable. What should you do?

A company must ensure that backups of Compute Engine persistent disks are encrypted with keys they manage, and that key access can be revoked quickly if compromise is suspected. They also want to rotate keys regularly without redesigning the application. What should you use?

A regulated enterprise needs to demonstrate that only compliant machine images are used to create new VMs. They want an automated control that prevents non-compliant images from being deployed and provides evidence for audits. What should you do?