GCPC Professional Security Engineer

25 Free Questions – Google Cloud Certified Professional Security Engineer

Google Cloud Certified Professional Security Engineer Exam validates your understanding of infrastructure security on Google Cloud. As a security engineer, you will be responsible for designing and implementing secure workloads on the Google cloud environment. This is an intermediate-level exam and may look easy to an experienced Google cloud security professional.

We recommend practicing with security engineer exam questions designed by our certified Google cloud trainers.

Google Cloud Certified Professional Security Engineer Exam Questions

Configure access within a cloud solution environment

Q 1. You are part of the security team in an advertising company that wants to migrate its workload to the Google Cloud. The company has an on-premises Active Directory that it intends to keep using to manage its users and groups.
Which of the following can be used to grant its users and groups access to Google Cloud resources?

A. Federating its Active Directory with Cloud Identity.
B. Federating its Active Directory with Organizations.
C. Federating its Active Directory with Cloud Bigtable
D. Federating its Active Directory with Cloud SQL.

Correct Answer: A 

  • Option A is CORRECT. Cloud Identity or Google Workspace account is the top-level container for users, groups, configuration, and data.
  • Option B is incorrect because organizations are used to group resources.
  • Option C is incorrect because Cloud Bigtable is not used for access management to Google Cloud resources but for Data storage.
  • Option D is incorrect because Cloud SQL is used for data storage.

Q 2. You are part of the security team in your company that is responsible for securing data in the cloud. The company uses Cloud Storage to store objects.
Which of the following is TRUE managing access to the Cloud Storage bucket?

A. IAM permissions can be used to grant access to Cloud Storage at the project and bucket levels.
B. IAM permissions can be used to grant access to Cloud Storage at the project, bucket, and object levels.
C. IAM permissions and ACLs are needed to grant access to a bucket or object.
D. It is possible to remove a permission at the bucket level that was granted at the project level.

Correct Answer: A 

  • Option A is CORRECT. IAM permissions for Cloud Storage can be applied at project or bucket level.
  • Option B is incorrect because IAM permissions for Cloud Storage can be applied at project or bucket level.
  • Option C is incorrect. You do not need both IAM and ACL to grant access to a bucket or object.
  • Option D is incorrect because a more permission role at a higher resource (Project) will override a less permissive role at a lower resource (Bucket)

Q 3. As the security engineer of your company. You are responsible for managing IAM permissions for users, groups and service accounts.
Which of the following is NOT a Cloud IAM object?

A. Organization
B. Role.
C. Folder
D. Container

Correct Answer: D 

  • Options A, B, and C are incorrect. They are Cloud IAM objects because users or groups can have permissions attached to them at those levels.
  • Option D is CORRECT. Container is not an IAM object.

Q 4. A large organization currently manages its users with an on-premises Active Directory. They intend to synchronize users from Active Directory to Cloud Identity.
Which of the following services can be used to fulfill the requirement?

A. Managed Service for Microsoft Active Directory.
B. Cloud Identity.
C. Google Workspace.
D. Google Cloud Directory Sync.

Correct Answer: D 

  • Options A, B, and C are incorrect. They cannot be used to synchronize users from on-premises AD to Google Cloud.
  • Option D is CORRECT. Google Cloud Directory Sync is used for one-way synchronization of users from Active Directory to Cloud Identity.

Q 5. You are part of the security team in your company that wants to grant temporary access to an auditor to the files in a Cloud Storage bucket in your Google Cloud project. The auditor does not have a google account.
Which of the following is Google’s recommended practice to grant the auditor access?

A. Create a google account for the auditor and assign the needed permissions.
B. Create a google group for the auditor and assign the needed permissions.
C. Create a service account for the auditor and assign the needed permissions
D. Create a signed URL and share it with the auditor

Correct Answer:

  • Option A is incorrect. The requirement is to grant temporary access to Cloud Storage. Google recommends using signed URLs.
  • Option B is incorrect. Google group is not the recommended way to grant temporary access to Cloud Storage. The requirement was to grant temporary access to Cloud Storage. Google recommends using signed URLs.
  • Option C  is incorrect. The requirement is to grant temporary access to Cloud Storage. Google recommends using signed URLs.
  • Option D is CORRECT because a signed URL is used to give time-limited resource access to anyone in possession of the URL, regardless of whether they have a Google account.

Q 6. You are part of the security team for a new application that will be deployed on Google App Engine. Your team needs to implement a central authorization layer for the application at the application layer.
Which solution should you use to meet this requirement?

A. Create firewall rules to allow HTTPS traffic to the application.
B. Create a group for all users and assign the appropriate IAM permissions.
C. Create an account for all users and assign the appropriate IAM permissions.
D. Use Identity-Aware Proxy (IAP) to enforce access policies for applications and resources.

Correct Answer:

  • Option A is incorrect. This works for network level access, not application level.
  • Option B is incorrect. This is not an application-level access solution, it is an account level access.
  • Option C is incorrect. This is not an application-level access solution, it is an account level access.
  • Option D is CORRECT. IAP lets you establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls.

Q 7. You are part of the security team of your company, and you have been tasked with implementing restrictions on how your organization’s resources can be used.
How can you achieve this?

A. Use Google Groups to separate users based on what roles they perform.
B. Utilize IAM to restrict how resources can be used.
C. Create a VPC Service perimeter.
D. Create and apply an organization Policy.

Correct Answer:

  • Option A is incorrect. Identity and Access Management focuses on who, and lets the administrator authorize who can act on specific resources based on permissions. While Organization Policy focuses on what, and lets the administrator set restrictions on specific resources to determine how they can be configured.
  • Option B is incorrect. Identity and Access Management focuses on who, and lets the administrator authorize who can act on specific resources based on permissions. While Organization Policy focuses on what, and lets the administrator set restrictions on specific resources to determine how they can be configured.
  • Option C is incorrect. This is used to reduce the risk of data exfiltration.
  • Option D is CORRECT. The Organization Policy Service gives you centralized and programmatic control over your organization’s cloud resources. As the organization policy administrator, you will be able to configure constraints across your entire resource hierarchy.

Q 8. Your company wants to serve content from Cloud Storage to its internet users with or without authentication. You have been tasked with implementing the access management for the bucket following principle of least privilege.
How can you achieve this?

A. Grant the Storage Object Admin role to the all authenticated users group on the bucket.
B. Grant the Storage Object Viewer role to the all authenticated users group on the bucket.
C. Grant the Storage Object Admin role to the all users group on the bucket.
D. Grant the Storage Object Viewer role to the all users group on the bucket.

Correct Answer:

  • Option A is incorrect. This gives Admin permissions and requires authentication with a Google account.
  • Option B is incorrect. This gives the right permissions but requires authentication with a Google account.
  • Option C is incorrect. This gives Admin permissions.
  • Option D is CORRECT. This gives the viewer role to all users with or without authentication.

Q 9. A company has multiple projects in its Google organization. There is a need to grant temporary access, of a few hours, to resources across different projects. Following Best practices on managing access.
Which of the following would you suggest?

A. Create a user with the appropriate IAM role.
B. Create a signed URL.
C. Create a Service Account with a service account key.
D. Create a Service Account with short-lived credentials.

Correct Answer:

  • Option A is incorrect. Users and IAM roles are more permanent and not short-lived. Someone will have to delete the user or detach the IAM role after some time to revoke access.
  • Option B is incorrect. Signed URL is limited to Cloud Storage only
  • Option C is incorrect. Using a service account key is a long-lived credential and will need to be deleted after some time to revoke access.
  • Option D is CORRECT. This is the recommended option for temporary access to authenticate calls to Google APIs.

Q 10. You are part of the security team in your company that is responsible for the security of its data in the Google Cloud. They use Cloud Storage to store sensitive data.
What of the following does NOT reduce the chance of data exposure?

A. Enable Public access prevention.
B. IAM permissions and ACL.
C. Signed Policy Documents.
D. Firewall rules.

Correct Answer:

  • Option A is incorrect. This restricts public access to your bucket.
  • Option B is incorrect. This determines who can access your bucket and what actions can be taken on objects.
  • Option C is incorrect. This is used to restrict what objects can be uploaded to a bucket.
  • Option D is CORRECT. This is a network-level restriction of traffic into a VPC and does not apply to Cloud Storage. 

 Configure network security

Q 11. Your team has decided to use the default VPC network to deploy its applications to Compute Engine. You have been asked to ensure there is no outbound traffic to the internet.
Which solution should you use to meet this requirement?

A. Create a Deny rule for Ingress traffic with a Priority of 1000 and the source IP ranges set to 0.0.0.0/0.
B. Create a Deny rule for Egress traffic with a Priority of 1000 and the Destination IP ranges set to 0.0.0.0/0.
C. Create the Compute instances with external IP addresses.
D. Ensure the subnets with instances have private Google access enabled.

Correct Answer:

  • Option A is incorrect. The requirement is to deny egress traffic
  • Option B is CORRECT. This creates a rule that denies traffic from reaching the internet (0.0.0.0/0) from the VPC network.
  • Option C is incorrect. External IP Addresses do not prevent traffic from leaving the VPC to the internet.
  • Option D is incorrect. Enabling private Google access does not stop other traffic from reaching the internet.

Ensure data protection

Q 12. You are responsible for implementing edge security for your organization. You have been asking to ensure the security mechanism is deployed closer to the user to block attacks from reaching the backend VMs.
Which solution should you use to meet these requirements?

A. Setup a VPC Security perimeter around the resources to be protected.
B. Enable Cloud Amor to deny unwelcome traffic based on set rules.
C. Use firewall rules to restrict traffic.
D. Implement a third-party web application firewall.

Q 13. A financial institution wants to store its assets in Google Cloud Storage. There is a legal requirement for the institution to manage its encryption keys outside of the cloud.
Which of the following meets the requirement?

A. Upload the objects to Cloud Storage using the console and specify the customer-supplied encryption key.
B. Upload the objects to Cloud Storage using gsutil and specify the customer-supplied encryption key.
C. Create a bucket via the console and specify the customer-supplied encryption key as the default encryption key.
D. Upload the objects to Cloud Storage using the console and specify the customer-managed encryption key.

Correct Answer:

  • Option A is incorrect. VPC Security perimeter does not block attacks at the edge, it is used to reduce the risk of data exfiltration from your network.
  • Option B is CORRECT. Google Cloud Armor security policies enable you to allow or deny access to your external HTTP(S) load balancer at the Google Cloud edge, as close as possible to the source of incoming traffic.
  • Option C is incorrect. Firewall rules are network layer restrictions closer to the backend.
  • Option D is incorrect. Third-party WAF are not deployed at Google edge.

Correct Answer: B 

  • Option A is incorrect. If you use the Google Cloud Console to upload an object, you cannot encrypt the object with a customer-supplied encryption key.
  • Option B is CORRECT. The customer-supplied encryption keys can only be used with gsutil.
  • Option C is incorrect because You can only set customer-supplied encryption keys on individual objects. You cannot set a default customer-supplied encryption key for a bucket.
  • Option D is incorrect. The requirement is to manage encryption keys outside the cloud.

Q 14. An e-commerce company wants to store its data in Google Cloud Storage. Data encryption is a core requirement. The company would like to manage the lifecycle of the encryption keys with minimal overhead.
Which of the following meets the requirement?

A. Customer-supplied encryption keys.
B. Customer-managed encryption keys.
C. Default encryption.
D. Google-managed encryption keys.

Correct Answer: B 

  • Option A is incorrect. The keys will be managed outside Cloud KMS.
  • Option B is CORRECT. The customer-managed encryption keys allow you to control the keys that protect the data with minimal overhead.
  • Options C and D are incorrect because You do not have control over the lifecycle of these keys.

Q 15. A banking client moving to Google Cloud has an on-premises key management system. The company intends to use its key management system for managing the lifecycle of all its encryption keys. How can the client utilize its encryption keys with Cloud Storage for encryption at rest?

A. Use Customer-Supplied Encryption Keys (CSEK) with gsutil.
B. Create a Customer Managed Encryption Keys (CMEK) IN Cloud KMS.
C. Upload the keys to the Cloud Storage bucket that contains objects to be encrypted.
D. Use the default encryption keys provided by Google and update the key material.

Correct Answer:

  • Option A is CORRECT. In order to control the full lifecycle of encryption keys outside of Google Cloud, the Client will use CSEK for encryption.
  • Option B is incorrect. The CSEK are managed within Google Cloud.
  • Option C is incorrect. Keys are supplied to gsutil at object upload so it can use it to encrypt the objects before storing it.
  • Option D is incorrect. You cannot update the default Google-managed keys.

Q 16. A social media company wants to ensure it meets the requirement of GDPR regulation. The key requirement for you as the security engineer is to make sure no customer personal identifiable information (PII) data stored in the company’s Cloud Storage bucket can be exposed internally.
Which step should you use to meet this requirement?

A. Create a VPC Service perimeter around the project that houses the Cloud Storage bucket.
B. Use Cloud Security Scanner to detect and mask sensitive data.
C. Use Cloud DLP to detect and mask sensitive data.
D. Make the bucket is not publicly accessible.

Correct Answer:

  • Option A is incorrect. VPC Service Controls is used to reduce the possibility of data exfiltration. It does not prevent authorised users from viewing customer PII data.
  • Option B is incorrect. Cloud Security Scanner detects any vulnerabilities in resources such as App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications.
  • Option C is CORRECT. Cloud DLP is a fully managed service designed to help you discover, classify, and protect your most sensitive data.
  • Option D is incorrect. This does not prevent authorised users from viewing customer PII data.

Q 17. Your company processes sensitive on-premises. The company plans to use a Compute Engine to process this data. As a part of the security team, you have been asked to ensure data is encrypted in memory during processing in Compute Engine VMs.
How can you achieve this?

A. Encrypt data in transit using SSL.
B. Encrypt data at rest using customer-managed encryption keys (CMEK).
C. Enable Confidential Computing service during the creation of the VM.
D. Encrypt data at rest using customer-supplied encryption keys (CSEK).

Correct Answer: C

  • Option A is incorrect. This does not apply to data in the VM.
  • Option B is incorrect. This encrypts data in the disks not in memory during processing.
  • Option C is CORRECT. Confidential Computing is the GCP service that ensures data remains encrypted during processing.
  • Option D is incorrect. This encrypts data in the disks not in memory during processing.

Q 18. Your company wants to deploy an application on Compute Engine. The application will write data to a Cloud Storage. There is a requirement that all data be encrypted before it is uploaded into Cloud Storage.
How can you achieve this?

A. Data is encrypted at rest by default.
B. Specify a Customer-supplied encryption key when uploading objects to the bucket.
C. Specify a Customer-managed encryption key when creating the bucket.
D. Use Client-side encryption.

Correct Answer:

  • Option A is incorrect. This encryption occurs Server-side in the Cloud.
  • Option B is incorrect. This encryption occurs Server-side in the Cloud.
  • Option C is incorrect. This encryption occurs Server-side in the Cloud.
  • Option D is CORRECT. This option ensures data is encrypted before it is uploaded to Cloud Storage.

Manage operations within a cloud solution environment

Q 19. Your work for a financial institution as the security engineer. The company has a new web-facing application deployed on Managed Instance Groups behind an HTTP(S) load balancer. You want to ensure that connections negotiated between clients and the load balancer meets the strictest compliance requirements with minimal overhead.
What SSL policy should you use on the Load Balancer?

A. Configure the Load Balancer to use the COMPATIBLE policy.
B. Configure the Load Balancer to use the MODERN policy.
C. Configure the Load Balancer to use the RESTRICTED policy.
D. Configure the Load Balancer to use the custom policy.

Correct Answer:

  • Option A is incorrect. The Compatible SSL policy is the most permissible policy.
  • Option B is incorrect. The MODERN SSL policy is more permissible compared to the RESTRICTED policy.
  • Option C is CORRECT. The RESTRICTED policy supports a reduced set of SSL features, intended to meet stricter compliance requirements.
  • Option D is incorrect. This has management overhead because you have to create and maintain the policy.

Q 20. You have been asked to automate a near real-time monitoring based on the logs from a production application. Certain logs are to be sent to a third-party Security Information and Event Management System (SIEM) such as Cisco.
Which solution should you use to meet this requirement?

A. Install the logging agent to capture logs, create a Sink in Cloud Logging with the Sink destination as Cloud Logging bucket.
B. Install the logging agent to capture logs, create a Sink in Cloud Logging with the Sink destination as Cloud Pub/Sub.
C. Install the logging agent to capture logs, create a Sink in Cloud Logging with the Sink destination as BigQuery.
D. Install the logging agent to capture logs, create a Sink in Cloud Logging with the Sink destination as Splunk.

Correct Answer:

  • Option A is incorrect. Cloud Logging Bucket cannot be used for third-party SIEM integration.
  • Option B is CORRECT. Cloud Pub/Sub is the only Sink destination option that can route logs to other third-party applications.
  • Option C is incorrect. BigQuery cannot be used for third-party SIEM integration.
  • Option D is incorrect. Splunk cannot be used for third-party SIEM integration.

Q 21. A company wants to deploy its applications to Google Cloud. A key security requirement is the ability to recover from any disaster.
Which of the following NOT a disaster recovery pattern in Google Cloud?

A. Warm standby.
B. Hot pattern.
C. Cold pattern.
D. Archive pattern

Correct Answer: D

  • Option A is incorrect. This is a DR pattern where a version of the application is running in a very minimal infrastructure and can be quickly scaled up in the event of disaster.
  • Option B is incorrect. This is the most expensive DR option because it requires a full mirror version of your environment to be running and ready to receive traffic if there is a disaster.
  • Option C is incorrect. This is the cheapest option for DR, it involves taking backups and creating your environment from scratch using backups in the event of a failure.
  • Option D is CORRECT. There is no Archive pattern.

Q 22.Your work for a healthcare company as the security engineer. The company has a new web-facing application deployed on Managed Instance Groups behind an HTTP(S) load balancer. You configure the Load Balancer with the default SSL policy.
Which of the following is TRUE?

A. The Load Balancer will use the COMPATIBLE policy.
B. The Load Balancer will use the MODERN policy.
C. The Load Balancer will use the RESTRICTED policy.
D. The Load Balancer will use a custom policy.

Correct Answer:

  • Option A is CORRECT. The Load Balancer will use the Compatible SSL policy if you do not select one of the three pre-configured SSL policies.
  • Option B is incorrect. The MODERN policy is not the default SSL policy.
  • Option C is incorrect. The RESTRICTED policy is not the default SSL policy.
  • Option D is incorrect. The custom policy is not the default SSL policy.

Q 23. Your company has decided to deploy its containerized applications on Google Kubernetes Engine (GKE). A key security requirement is to limit pod-to-pod communications.
How can you achieve this?

A. Use firewall rules to control inter-pod communications.
B. Use network policies to control inter-pod communications.
C. Use IAM to control inter-pod communications.
D. Use Security Context to control inter-pod communications.

Correct Answer: B 

  • Option A is incorrect. This filters traffic at VPC level.
  • Option B is CORRECT. The connection created between Cloud Interconnect and the on-premises network is not encrypted.
  • Option C is incorrect. IAM is used to authenticate and authorise at Instance level.
  • Option D is incorrect. This is used to set security-related options on both pods and containers.

Q 24. Your security team manages the Service perimeters in your organization. There is a need to allow users to access BigQuery in the perimeter from trusted devices over the internet.
What can you do to achieve this?

A. Assign the IAM permissions needed to perform tasks on BigQuery.
B. Set up ingress firewall rules to allow traffic.
C. Setup Private Google Access.
D. Setup Context-aware access with ingress rules.

Correct Answer:

  • Option A is incorrect. IAM permissions will not grant access to resources within a perimeter without ingress rules applied.
  • Option B is incorrect. Firewall rules cannot grant access to resources within a perimeter.
  • Option C is incorrect. Private Google access will only work from a VPC allowed in an ingress rule.
  • Option D is CORRECT. Context-aware access ingress rule setups allow access to resources based on client attributes such as network origin (IP address or VPC network), identity type (service account or user), identity, and device data. Access is defined by ingress rules.

Q 25. A financial organization stores files on Cloud Storage. Government regulation states uploaded files cannot be deleted for 7 years and it should be impossible to reduce the retention period on the bucket after it has been set.
How can you achieve this?

A. Set up object lifecycle rules to move the objects a day after creation to the Coldline storage class.
B. Set a retention period of 7 years on the bucket and lock the bucket.
C. Limit access to the Cloud Storage using IAM to ensure no one has the permission to update the bucket settings.
D. Use a separate project for the Cloud Storage bucket and limit access to the project using IAM.

Correct Answer:

  • Option A is incorrect. object lifecycles do not make it impossible to change the retention period set on a bucket.
  • Option B is CORRECT. Locking the bucket will make it impossible to update the retention policy.
  • Option C is incorrect. Using IAM does not make it impossible to change the retention period set on a bucket if a person has the necessary permissions.
  • Option D is incorrect. Using IAM does not make it impossible to change the retention period set on a bucket if a person has the necessary permissions.

Conclusion:

The above 25 practice questions are designed by a Google Cloud security expert. They offer a glimpse into what kind of questions can be asked. If you are a beginner in the cloud, this certification exam might be tough for you. Ensure enough practice with real exam questions before putting in $200 and booking the exam slot. You can practice more in the actual exam simulator, enroll now for our free tests and practice tests.

Reference Links:

About Jeevitha TP

Jeevitha has a proven experience with a solid understanding of SEO activities such as content strategy, link building, and keyword strategy to increase rankings on all major search networks. Further, she works closely with the editorial and marketing teams to drive SEO in content creation and programming.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top