Google Cloud Professional Security Engineer Practice Exam: Test Your Knowledge 2025

Your organization needs to grant temporary access to external contractors to specific GCS buckets for a 2-week project. The contractors should not have the ability to create new resources or modify IAM policies. What is the most secure approach?

A financial services company must ensure that all Cloud Storage buckets are encrypted with customer-managed encryption keys (CMEK) and that keys are rotated every 90 days. Which combination of services should they use?

Your company's security team needs to monitor and detect potential privilege escalation attempts across all GCP projects in your organization. What is the best approach?

A healthcare application running on GKE needs to comply with HIPAA requirements. The application must ensure that pods handling PHI are isolated from other workloads. What is the recommended approach?

You need to implement least privilege access for a service account that will only read objects from a specific Cloud Storage bucket. What IAM role should you assign?

Your organization requires that all VM instances must not have external IP addresses and must route internet traffic through a centralized egress point for inspection. Which configuration achieves this?

A company discovered that a compromised service account key was used to access their Cloud Storage buckets. What steps should be taken immediately to mitigate the risk? (Choose the BEST comprehensive approach)

Your application requires accessing secrets stored in Secret Manager from Cloud Run services. What is the most secure way to grant this access?

A regulated industry client needs to ensure that data stored in BigQuery cannot leave the EU region and cannot be accessed by Google support without explicit approval. What configuration satisfies these requirements?

You need to implement defense-in-depth for a web application on Google Cloud. Which combination of services provides layered security?

Your organization wants to prevent developers from creating Compute Engine instances with external IP addresses. What is the most effective way to enforce this policy?

A company needs to detect and respond to cryptomining activities in their GCP environment. Which Security Command Center capability should they enable?

Your company must maintain an audit trail of all administrative actions taken in GCP for compliance purposes. The logs must be tamper-proof and retained for 7 years. What is the recommended solution?

An application running on GKE needs to access Cloud SQL. What is the most secure connection method?

You need to implement a zero-trust security model for applications accessing Google Cloud services. Several applications run on-premises and in multi-cloud environments. What should you use?

A security incident has been detected. You need to quickly identify all IAM policy changes made in the last 24 hours across all projects in your organization. What is the most efficient approach?

Your organization needs to enforce that all GKE clusters must use Binary Authorization and have Shielded GKE Nodes enabled. How can you implement this requirement?

A microservices application on GKE requires mutual TLS authentication between services. What is the recommended Google Cloud solution?

Your organization stores sensitive customer data in BigQuery. A recent audit revealed that several users have overly broad access. What approach should you take to implement least privilege access?

You are implementing a CI/CD pipeline that deploys to GKE. The pipeline must verify that container images are signed and meet security requirements before deployment. What should you implement?