Professional-Cloud-Security-Engineer Google Cloud Certified - Professional Cloud Security Engineer Free Practice Exam Questions (2025 Updated)

Objective: You want to limit the images that can be used as the source for boot disks to a set of images stored in a dedicated project.

Solution: Use the Organization Policy Service.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the Organization Policies page.

Step 3: Create a new policy by clicking on "Create Policy".

Step 4: Select the constraint compute.trustedimageProjects.

Step 5: Set the policy to ALLOW and specify the project ID where the trusted images are stored in the whitelist.

Step 6: Save and apply the policy.

By creating a compute.trustedimageProjects constraint at the organization level and specifying the trusted project in the allow list, you ensure that only images from this project can be used for boot disks across the organization.

To enable Engineering Group A to attach a Compute Engine instance to a specific subnet (10.1.1.0/24) in a Shared VPC, you should grant the Compute Network User Role at the subnet level. This role allows users to use the subnetwork for their instances without giving them broader permissions at the project level.

Step-by-Step:

Identify the Subnet: Locate the subnet (10.1.1.0/24) in the host project.

Grant Role:

Navigate to the GCP Console > VPC network > VPC networks.

Select the Shared VPC host project and locate the specific subnet.

Click on "Edit" and go to the "IAM & Admin" section.

Assign the "Compute Network User" role to Engineering Group A at the subnet level.

Verification: Ensure that Engineering Group A can now attach Compute Engine instances to the specified subnet.

Shared VPC Overview

Compute Network User Role

Set up a Dedicated Interconnect link between the on-premises environment and Google Cloud:

Dedicated Interconnect provides a direct physical connection between your on-premises network and Google's network, which is ideal for high-throughput, low-latency connections.

Request a Dedicated Interconnect from the Google Cloud Console, specifying the required bandwidth and location.

Once provisioned, set up the connection on your on-premises router and configure the BGP sessions to exchange routes with Google Cloud.

Configure private access using the restricted.googleapis.com domains in on-premises DNS configurations:

Configure your on-premises DNS server to resolve Google APIs to restricted.googleapis.com. This ensures that the traffic stays within the Google network and is not exposed to the public internet.

Update your DNS settings to use restricted.googleapis.com for the necessary API endpoints.

This setup ensures that all Google Cloud API traffic is routed through the private link and subject to VPC Service Controls for additional security and compliance.

Comprehensive and Detailed Explanation From Exact Extract:

The goal is to deploy 2SV with a phased rollout to control the number of individuals affected at once, minimizing disruption, and keeping management simple.

While OU structure can be used, managing policy exceptions based on Configuration Groups is the recommended and less complex way to handle phased rollouts of security settings like 2SV in Google's Admin console.

Extracts:

"When rolling out 2SV, it is highly recommended to use a phased deployment approach to manage the impact on user access and support resources." (Source 2.1)

"You can use configuration groups to select a subset of users within an OU structure and apply specific settings, such as 2SV enforcement, to them. This allows for a gradual, controlled rollout without needing to alter your primary organizational unit structure." (Source 2.2)

Groups allow you to easily add/remove users from the enforcement scope without moving their identity within the OU hierarchy (Option A), which keeps management complexity low. Options C and D do not allow for the necessary phased control of enforcement.

To meet the requirements of encrypted communication over private IP addresses between Compute Engine instances in different Google Cloud organizations, a Cloud VPN connection is appropriate:

Cloud VPN: Cloud VPN creates a secure, encrypted tunnel between your organization's VPC network and the third party's VPC network. This ensures that data transmitted over the network is encrypted and secure.

Private IP Communication: Cloud VPN allows communication over private IP addresses, which helps maintain security by keeping traffic within the Google Cloud network and not exposing it to the public internet.

Firewall Rules: VPC firewall rules can be configured to control the traffic that flows through the VPN, ensuring that only authorized traffic is allowed, further enhancing security.

By setting up a Cloud VPN connection, you can achieve secure, encrypted communication over private IP addresses between different Google Cloud organizations.

References

Cloud VPN Overview

Uniform bucket-level access allows you to manage permissions at the bucket level, rather than at the object level. This simplifies permission management and ensures that access to objects is controlled consistently via IAM roles, without allowing uploaders full control over the objects.

Steps:

Enable Uniform Bucket-Level Access: In the Google Cloud Console, enable uniform bucket-level access for the Cloud Storage bucket.

Configure IAM Policies: Assign appropriate IAM roles to users and groups to control access to the bucket.

Audit Logging: Enable Cloud Audit Logs to track access and modifications to the bucket.

When a vulnerability patch is released for a running container in Google Kubernetes Engine (GKE), the recommended approach is to update the application code or apply the patch directly to the codebase. Then, a new container image should be built incorporating these changes. After building the new image, it should be deployed to replace the running containers. This method ensures that the containers run the updated, secure code.

Steps:

Update Application Code: Modify the application code or dependencies to incorporate the vulnerability patch.

Build New Image: Use a tool like Docker to build a new container image with the updated code.

Push New Image: Push the new container image to the Container Registry.

Update Deployments: Update the Kubernetes deployment to use the new image. This can be done by modifying the image tag in the deployment YAML file.

Redeploy Containers: Apply the updated deployment configuration using kubectl apply -f .yaml, which will redeploy the containers with the new image.

Enable automatic key version rotation on a regular schedule:

Regularly rotating keys reduces the impact of a potentially compromised key by limiting the amount of data encrypted with a single key version.

Set up automatic key rotation in Cloud KMS to ensure keys are rotated without manual intervention.

Limit the number of messages encrypted with each key version:

Reducing the number of messages encrypted with each key version minimizes the potential data exposure in case of a key compromise.

Implement policies to ensure that new key versions are used periodically to limit the usage of each key version.

For a client concerned about the control of their encryption keys and not wanting to store these keys within the same cloud service provider (CSP) as the data, the following solutions are suitable:

Customer-supplied encryption keys (A):

With customer-supplied encryption keys, clients manage their own encryption keys outside of Google Cloud and supply them to encrypt and decrypt data. This ensures that the keys are not stored in Google Cloud, providing full control over the key management process.

Cloud External Key Manager (D):

Cloud External Key Manager (EKM) allows clients to integrate an external key management system (KMS) with Google Cloud services. This setup enables the client to keep their encryption keys outside Google Cloud while still allowing the data to be encrypted and decrypted within Google Cloud services. This method offers an additional layer of security and control over the encryption keys.

These options provide robust solutions for clients requiring external key management and enhanced control over their encryption processes.

References

Customer-Supplied Encryption Keys

Cloud External Key Manager

Define Trusted Image Projects:

Identify the project or projects where your trusted operating system images are stored.

Ensure these images meet your organization’s security requirements and are regularly updated to mitigate vulnerabilities.

Create an Organization Policy:

Navigate to the Organization Policies page in the Google Cloud Console.

Create a policy constraint that restricts the creation of boot disks to only those images stored in your trusted image project(s).

The policy constraint to use is constraints/compute.trustedImageProjects.

Apply the Policy:

Apply this organization policy at the appropriate level (organization, folder, or project) to enforce that all new VM instances use images from the trusted repository.

This ensures consistency in the security posture across all projects within the organization.

Monitor Compliance:

Regularly monitor the compliance with this policy using audit logs and other monitoring tools.

Update the trusted images as necessary to ensure they remain secure and compliant with your security standards.

To migrate the current data backup and disaster recovery solutions to GCP while keeping the production environment on-premises, the most scalable and cost-efficient solution is using Google Cloud Storage with scheduled tasks and the gsutil command.

Setup Cloud Storage: Create a Cloud Storage bucket to store the backups.

Go to the Cloud Console and navigate to Cloud Storage.

Click "Create bucket" and follow the prompts to configure the storage bucket.

Install gsutil: Ensure gsutil is installed on the on-premises servers.

gsutil is a command-line tool for interacting with Cloud Storage.

Follow the installation guide here.

Create Backup Script: Write a script to upload data to Cloud Storage using gsutil.

#!/bin/bash gsutil -m cp -r /path/to/local/backup gs://your-bucket-name

Schedule Backup Task: Use a scheduling tool like cron on Linux to run the backup script at regular intervals.

Edit the crontab file with crontab -e and add an entry like:

Cloud Storage Documentation

gsutil Documentation

The problem requires automating user provisioning to a Cloud Identity security group using a service account, adhering to Google-recommended practices and the principle of least privilege.

Cloud Identity Groups and Google Workspace: Cloud Identity groups are managed as part of Google Workspace. To programmatically manage Google Workspace resources (like groups), you typically use the Admin SDK APIs.

Domain-Wide Delegation: Service accounts cannot directly authenticate to Google Workspace APIs using IAM roles. Instead, they require "domain-wide delegation" to impersonate a user with the necessary administrative privileges within Google Workspace. This allows a service account to access user data or perform administrative tasks across the domain. The correct scope for managing groups is https://www.googleapis.com/auth/admin.directory.group.Extract Reference: "To allow a service account to access user data on behalf of users in a Google Workspace domain, you must delegate domain-wide authority to your service account." (Google Cloud documentation: https://developers.google.com/identity/protocols/oauth2/service-account#delegating)

Extract Reference (Admin SDK Scopes): The https://www.googleapis.com/auth/admin.directory.group scope is explicitly listed for "View and manage all groups on the domain." (Google Workspace Admin SDK documentation: https://developers.google.com/admin-sdk/directory/v1/scopes)

Application Default Credentials (ADC) with Resource-Attached Service Account: Google-recommended practices strongly advise against using service account keys directly for authentication when running on Google Cloud infrastructure. Instead, it's recommended to use Application Default Credentials (ADC) with a service account attached to the resource (e.g., a Compute Engine VM, Cloud Run service, or Cloud Functions). This method manages credentials automatically and securely, reducing the risk associated with managing and rotating keys.Extract Reference: "For most Google Cloud services, Application Default Credentials (ADC) is the recommended way to authenticate." and "When running code in a Google Cloud environment, such as Compute Engine, Cloud Run, or Cloud Functions, use the built-in service account to authenticate automatically with ADC. This is the most secure approach, as you don't need to manually create or manage service account keys." (Google Cloud documentation: https://cloud.google.com/docs/authentication/production)

Options C and D are incorrect because granting an IAM role like "Groups Editor" in Google Cloud does not enable a service account to manage Google Workspace (Cloud Identity) group memberships; domain-wide delegation is required for that. Option A uses a service account key, which is less secure than ADC with a resource-attached service account according to Google's recommendations.

Therefore, option B is the most aligned with Google's recommended practices for securely automating group provisioning using a service account and domain-wide delegation.

The minimum length for passwords in Cloud Identity can be set to 8 characters. This aligns with common security best practices for password policies, ensuring a basic level of complexity and security.

Step-by-Step:

Access Admin Console: Log in to the Google Admin console.

Navigate to Security Settings: Go to Security > Password Management.

Set Minimum Length: Set the minimum length for passwords to 8 characters.

Save Changes: Save the settings and ensure that all user accounts adhere to the new policy.

Google Cloud Identity Security Settings

Password Policy Best Practices

https://gsuite.google.com/learn-more/security/security-whitepaper/page-1.html

Shared responsibility “Security of the Cloud” - GCP is responsible for protecting the infrastructure that runs all of the services offered in the GCP Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run GCP Cloud services.

Comprehensive and Detailed Explanation From Exact Extract:

The key requirements are maintaining a specific set of controls, including data residency and personnel data access controls, specifically to meet a highly regulated industry's compliance program.

Assured Workloads is the specific Google Cloud service designed to help customers meet these stringent regulatory and compliance requirements (e.g., FINRA, FedRAMP, HIPAA, etc.) by enforcing a specific control bundle.

Extracts:

"Assured Workloads helps organizations run their sensitive workloads securely and in a compliant manner... by providing continuous compliance monitoring for specific compliance programs." (Source 4.1)

"When you create an Assured Workloads folder, the platform automatically enforces compliance controls... including: Data residency and location controls... Personnel access controls... Organizational policies..." (Source 4.2)

This service creates a dedicated, compliant environment in a folder, ensuring the necessary configurations and personnel controls are applied automatically and continuously maintained, which is a more complete solution than the posture management in option B (which focuses only on configuration monitoring) or the singular organizational policy in option C.

The Standard Tier network only provides regional load balancing, while the Premium Tier supports global load balancing with a single anycast IP address. To distribute requests across multiple regions, you need to use the Premium Tier and update the load balancer configuration accordingly.

Steps:

Upgrade to Premium Tier: Update the load balancer to use the Premium Tier network in the Google Cloud Console.

Add New Instance Group: Add the instance group in the new region (us-east-2) to the backend configuration of the existing load balancer.

Verify Configuration: Ensure that the frontend configuration of the load balancer uses a single external IP address for global distribution.

nodeSelector is the simplest recommended form of node selection constraint. You can add the nodeSelector field to your Pod specification and specify the node labels you want the target node to have. Kubernetes only schedules the Pod onto nodes that have each of the labels you specify. => https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector Tolerations are applied to pods. Tolerations allow the scheduler to schedule pods with matching taints. Tolerations allow scheduling but don 't guarantee scheduling: the scheduler also evaluates other parameters as part of its function. => https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/

Cloud Identity-Aware Proxy (Cloud IAP) provides a way to control access to your web applications and resources running on Google Cloud. It works by verifying the identity of a user trying to access the application and supports multi-factor authentication (MFA). Cloud IAP can restrict access to users on the corporate network and also supports access over the internet securely.

Steps:

Enable Cloud IAP: In the Google Cloud Console, navigate to the IAP section and enable IAP for your web application.

Configure OAuth Consent Screen: Set up the OAuth consent screen to manage how users grant access.

Set Up Authentication: Use Google Identity Platform to manage users and enable two-factor authentication.

Add Users: Grant users access to the application by adding their identities in the IAP settings.