Free GCP-PCSE Sample Questions — Google Cloud Platform - Professional Cloud Security Engineer

Free GCP-PCSE sample questions for the Google Cloud Platform - Professional Cloud Security Engineer exam. No account required: study at your own pace.



Question 1

You are a security engineer at a finance company. Your organization plans to store data on Google Cloud, but your leadership team is worried about the security of their highly sensitive data. Specifically, your company is concerned about internal Google employees' ability to access your company's data on Google Cloud. What solution should you propose?

  • A. Use customer-managed encryption keys
  • B. Use Google's Identity and Access Management (IAM) service to manage access controls on Google Cloud
  • C. Enable Admin activity logs to monitor access to resources
  • D. Enable Access Transparency logs with Access Approval requests for Google employees
Correct Answer:
D. Enable Access Transparency logs with Access Approval requests for Google employees
Question 2

The InfoSec team has mandated that all new Cloud Run jobs and services in production must have Binary Authorization enabled. You need to enforce this requirement. What should you do?

  • A. Configure an organization policy to require Binary Authorization enforcement on images deployed to Cloud Run
  • B. Configure a Security Health Analytics (SHA) custom rule that prevents the execution of Cloud Run jobs and services without Binary Authorization
  • C. Ensure the Cloud Run admin role is not assigned to developers
  • D. Configure a Binary Authorization custom policy that is not editable by developers and auto-attaches to all Cloud Run jobs and services
Correct Answer:
A. Configure an organization policy to require Binary Authorization enforcement on images deployed to Cloud Run
Question 3

You are auditing all your Google Cloud resources in the production project. You want to identify all principals who can change firewall rules. What should you do?

  • A. Use Policy Analyzer to query the permissions compute.firewalls.get or compute.firewalls.list.
  • B. Use Firewall Insights to understand your firewall rules usage patterns
  • C. Reference the Security Health Analytics – Firewall Vulnerability Findings in the Security Command Center
  • D. Use Policy Analyzer to query the permissions compute.firewalls.create or compute.firewalls.update or compute.firewalls.delete.
Correct Answer:
D. Use Policy Analyzer to query the permissions compute.firewalls.create or compute.firewalls.update or compute.firewalls.delete.
Question 4

Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups. Which Google Cloud service should you use?

  • A. Cloud DNS with DNSSEC
  • B. Cloud NAT
  • C. HTTP(S) Load Balancing
  • D. Google Cloud Armor
Correct Answer:
A. Cloud DNS with DNSSEC
Question 5

Your application development team is releasing a new critical feature. To complete their final testing, they requested 10,000 real transaction records. The new feature includes format checking on the primary account number (PAN) of a credit card. You must support the request and minimize the risk of unintended personally identifiable information (PII) exposure. What should you do?

  • A. Run the new application by using Confidential Computing to ensure PII and the card PAN are encrypted in use
  • B. Scan and redact PII from the records by using the Cloud Data Loss Prevention API. Perform format-preserving encryption on the card PAN
  • C. Encrypt the records by using Cloud Key Management Service to protect the PII and card PAN
  • D. Build a tool to replace the card PAN and PII fields with randomly generated values
Correct Answer:
B. Scan and redact PII from the records by using the Cloud Data Loss Prevention API. Perform format-preserving encryption on the card PAN
Question 6

You define central security controls in your Google Cloud environment. For one of the folders in your organization, you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later, you receive an alert about a new VM with an external IP address under that folder. What could have caused this alert?

  • A. The VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set
  • B. The organizational policy constraint wasn't properly enforced and is running in "dry run" mode
  • C. At the project level, the organizational policy control has been overwritten with an "allow" value
  • D. The policy constraint on the folder level does not have any effect because of an "allow" value for that constraint on the organizational level
Correct Answer:
C. At the project level, the organizational policy control has been overwritten with an "allow" value
Question 7

Applications often require access to secrets: small pieces of sensitive data needed at build or run time. The administrator managing these secrets on GCP wants to keep track of "who did what, where, and when" within their GCP projects. Which two log streams would provide the information that the administrator is looking for? (Choose two.)

  • A. Admin Activity logs
  • B. System Event logs
  • C. Data Access logs
  • D. VPC Flow logs
  • E. Agent logs
Correct Answer:
  • A. Admin Activity logs
  • C. Data Access logs
Question 8

A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location. How should the company accomplish this?

  • A. Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995
  • B. Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location
  • C. Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region
  • D. Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address
Correct Answer:
A. Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995
Question 9

Your organization strives to be a market leader in software innovation. You provided a large number of Google Cloud environments so developers can test the integration of Gemini in Vertex AI into their existing applications or create new projects. Your organization has 200 developers and a five-person security team. You must prevent and detect violations of proper security policies across the Google Cloud environments. What should you do? (Choose two.)

  • A. Apply organization policy constraints. Detect and monitor drifts by using Security Health Analytics
  • B. Publish internal policies and clear guidelines to securely develop applications
  • C. Use Cloud Logging to create log filters to detect misconfigurations. Trigger Cloud Run functions to remediate misconfigurations
  • D. Apply a predefined AI-recommended security posture template for Gemini in Vertex AI in Security Command Center Enterprise or Premium tiers
  • E. Implement the least privileged access Identity and Access Management roles to prevent misconfigurations
Correct Answer:
  • A. Apply organization policy constraints. Detect and monitor drifts by using Security Health Analytics
  • D. Apply a predefined AI-recommended security posture template for Gemini in Vertex AI in Security Command Center Enterprise or Premium tiers
Question 10

A database administrator notices malicious activities within their Cloud SQL instance. The database administrator wants to monitor the API calls that read the configuration or metadata of resources. Which logs should the database administrator review?

  • A. Admin Activity
  • B. System Event
  • C. Access Transparency
  • D. Data Access
Correct Answer:
D. Data Access
Question 11

In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized. Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)

  • A. App Engine
  • B. Cloud Functions
  • C. Compute Engine
  • D. Google Kubernetes Engine
  • E. Cloud Storage
Correct Answer:
  • A. App Engine
  • B. Cloud Functions
Question 12

You are backing up application logs to a shared Cloud Storage bucket that is accessible to both the administrator and analysts. Analysts should not have access to logs that contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible to the administrator. What should you do?

  • A. Upload the logs to both the shared bucket and the bucket with PII that is only accessible to the administrator. Use the Cloud Data Loss Prevention API to create a job trigger. Configure the trigger to delete any files that contain PII from the shared bucket
  • B. On the shared bucket, configure Object Lifecycle Management to delete objects that contain PII
  • C. On the shared bucket, configure a Cloud Storage trigger that is only triggered when PII is uploaded. Use Cloud Functions to capture the trigger and delete the files that contain PII
  • D. Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect PII, have the function move the objects into the shared Cloud Storage bucket
Correct Answer:
D. Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect PII, have the function move the objects into the shared Cloud Storage bucket
Question 13

Your organization has a workload that is regulated by European laws. You must restrict the creation of resources outside of the EU for this specific workload. You must find an effective way to implement this security control without disrupting the other global applications. What should you do?

  • A. Create a Cloud Function triggered at asset creation that detects and deletes resources outside of the EU
  • B. Create all your workload’s assets in a regional subnet in the EU in one project or folder
  • C. Segment your workload in the EU in one project or folder by using VPC Service Controls
  • D. Implement an organization policy that only allows the EU as the location for your workload’s project or folder
Correct Answer:
D. Implement an organization policy that only allows the EU as the location for your workload’s project or folder
Question 14

Your organization processes sensitive health information. You want to ensure that data is encrypted while in use by the virtual machines (VMs). You must create a policy that is enforced across the entire organization. What should you do?

  • A. Implement an organization policy that ensures that all VM resources created across your organization use customer-managed encryption keys (CMEK) protection
  • B. Implement an organization policy that ensures all VM resources created across your organization are Confidential VM instances
  • C. Implement an organization policy that ensures that all VM resources created across your organization use Cloud External Key Manager (EKM) protection
  • D. No action is necessary because Google encrypts data while it is in use by default
Correct Answer:
B. Implement an organization policy that ensures all VM resources created across your organization are Confidential VM instances
Question 15

Your company's Google Cloud organization has about 200 projects and 1,500 virtual machines. There is no uniform strategy for logs and events management, which reduces visibility for your security operations team. You need to design a logs management solution that provides visibility and allows the security team to view the environment's configuration. What should you do?

  • A. 1. Create a dedicated log sink for each project that is in scope. 2. Use a BigQuery dataset with time partitioning enabled as a destination of the log sinks. 3. Deploy alerts based on log metrics in every project. 4. Grant the role "Monitoring Viewer" to the security operations team in each project
  • B. 1. Create one log sink at the organization level that includes all the child resources. 2. Use as destination a Pub/Sub topic to ingest the logs into the on-premises security information and event management (SIEM) system, and ensure that the right team can access the SIEM. 3. Grant the Viewer role at organization level to the security operations team
  • C. 1. Enable network logs and data access logs for all resources in the "Production" folder. 2. Do not create log sinks to avoid unnecessary costs and latency. 3. Grant the roles "Logs Viewer" and "Browser" at project level to the security operations team
  • D. 1. Create one sink for the "Production" folder that includes child resources and one sink for the logs ingested at the organization level that excludes child resources. 2. As destination, use a log bucket with a minimum retention period of 90 days in a project that can be accessed by the security team. 3. Grant the security operations team the role of Security Reviewer at organization level
Correct Answer:
B. 1. Create one log sink at the organization level that includes all the child resources. 2. Use as destination a Pub/Sub topic to ingest the logs into the on-premises security information and event management (SIEM) system, and ensure that the right team can access the SIEM. 3. Grant the Viewer role at organization level to the security operations team
Question 16

You work for a banking organization. You are migrating sensitive customer data to Google Cloud that is currently encrypted at rest while on-premises. There are strict regulatory requirements when moving sensitive data to the cloud. Independent of the cloud service provider, you must be able to audit key usage and be able to deny certain types of decrypt requests. You must choose an encryption strategy that will ensure robust security and compliance with the regulations. What should you do?

  • A. Utilize Google default encryption and Cloud IAM to keep the keys within your organization's control
  • B. Implement Cloud External Key Manager (Cloud EKM) with Access Approval, to integrate with your existing on-premises key management solution
  • C. Implement Cloud External Key Manager (Cloud EKM) with Key Access Justifications to integrate with your existing on-premises key management solution
  • D. Utilize customer-managed encryption keys (CMEK) created in a dedicated Google Compute Engine instance with Confidential Compute encryption, under your organization's control
Correct Answer:
C. Implement Cloud External Key Manager (Cloud EKM) with Key Access Justifications to integrate with your existing on-premises key management solution
Question 17

Your security team uses encryption keys to ensure confidentiality of user data. You want to establish a process to reduce the impact of a potentially compromised symmetric encryption key in Cloud Key Management Service (Cloud KMS). Which steps should your team take before an incident occurs? (Choose two.)

  • A. Disable and revoke access to compromised keys
  • B. Enable automatic key version rotation on a regular schedule
  • C. Manually rotate key versions on an ad hoc schedule
  • D. Limit the number of messages encrypted with each key version
  • E. Disable the Cloud KMS API
Correct Answer:
  • B. Enable automatic key version rotation on a regular schedule
  • D. Limit the number of messages encrypted with each key version
Question 18

When working with agents in the support center via online chat, your organization's customers often share pictures of their documents with personally identifiable information (PII). Your leadership team is concerned that this PII is being stored as part of the regular chat logs, which are reviewed by internal or external analysts for customer service trends. You want to resolve this concern while still maintaining data utility. What should you do?

  • A. Use Cloud Key Management Service to encrypt PII shared by customers before storing it for analysis
  • B. Use Object Lifecycle Management to make sure that all chat records containing PII are discarded and not saved for analysis
  • C. Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis
  • D. Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis
Correct Answer:
C. Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis
Question 19

A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects. Which two steps should the company take to meet these requirements? (Choose two.)

  • A. Create a project with multiple VPC networks for each environment
  • B. Create a folder for each development and production environment
  • C. Create a Google Group for the Engineering team, and assign permissions at the folder level
  • D. Create an Organizational Policy constraint for each folder environment
  • E. Create projects for each environment, and grant IAM rights to each engineering user
Correct Answer:
  • B. Create a folder for each development and production environment
  • C. Create a Google Group for the Engineering team, and assign permissions at the folder level
Question 20

You have placed several Compute Engine instances in a private subnet. You want to allow these instances to access Google Cloud services, like Cloud Storage, without traversing the internet. What should you do?

  • A. Enable Private Google Access for the private subnet
  • B. Configure Private Service Connect for the private subnet's Virtual Private Cloud (VPC) and allocate an IP range for the Compute Engine instances
  • C. Reserve and assign static external IP addresses for the Compute Engine instances
  • D. Create a Cloud NAT gateway for the region where the private subnet is configured
Correct Answer:
A. Enable Private Google Access for the private subnet
