Professional-Cloud-Security-Engineer Google Cloud Certified - Professional Cloud Security Engineer Free Practice Exam Questions (2026 Updated)

Cloud Asset Inventory: Using Cloud Asset Inventory allows you to quickly identify all the external assets and resources in your Google Cloud environment. This includes information about your projects, instances, storage buckets, and more. This step is crucial for understanding the scope of your audit. Network Security Scanner: Once you have identified the external assets, you can run a network security scanner to assess the security of these assets. Network security scanners can help identify vulnerabilities and potential security risks quickly.

This option directly addresses the needs of the business user who must access curated reports. By creating curated tables in a separate dataset, you can control access to specific data. Assigning the roles/bigquery.dataViewer role allows the business user to view the data in BigQuery.

When using Google Cloud's generative AI platforms like Vertex AI for model tuning, the contractual and technical safeguards are designed to protect customer data from being used for public model training.

Google's policy is that the content (data) uploaded for model tuning is used only for that specific, express purpose (tuning your model) and is not used to tune Google's foundational public models or shared with other customers.

Extracts:

"Google only uses content that you import or upload to our model tuning feature for that express purpose." (Source 6.1)

"Tuning content may be retained in connection with your tuned models for purposes of re-tuning when supported models change. When you delete a tuned model, the related tuning content is also deleted." (Source 6.1)

Therefore, based on the documented commitment for Vertex AI model tuning, no additional action is required (Do nothing) to prevent Google from using the data for general model tuning.

https://cloud.google.com/storage/docs/public-access-prevention

Public access prevention protects Cloud Storage buckets and objects from being accidentally exposed to the public. If your bucket is contained within an organization, you can enforce public access prevention by using the organization policy constraint storage.publicAccessPrevention at the project, folder, or organization level.

To enforce Data Residency at a platform level, Google Cloud provides the Resource Locations Organization Policy (constraints/gcp.resourceLocations).6 This is the authoritative way to prevent resources (like GKE clusters, Persistent Disks, or Cloud Storage buckets) from being created outside of a specific region.

According to Google Cloud Documentation (Organization Policy - Resource Locations):

"The Resource Locations constraint allows you to define the allowed locations (regions or multi-regions) for all supported Google Cloud services.7 By setting this policy at the project or folder level, you ensure that no user—regardless of their IAM permissions—can create resources in any region other than the one specified (e.g., europe-west4)."

Why this is the best solution:

Preventative: It blocks the API call itself if a user tries to deploy elsewhere.

Efficient: It applies to all services within the project without needing custom code (like Option D) or manual reviews (Option B).

Compliance-focused: It provides a clear audit trail and hard guarantee for compliance officers.

Disable service account key creation You can use the iam.disableServiceAccountKeyCreation boolean constraint to disable the creation of new external service account keys. This allows you to control the use of unmanaged long-term credentials for service accounts. When this constraint is set, user-managed credentials cannot be created for service accounts in projects affected by the constraint. https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#example_policy_boolean_constraint

Understand Organization Policies:

Organization policies allow you to enforce restrictions on Google Cloud resources to adhere to your organization’s security and compliance requirements.

Policies can be set at the organization, folder, or project level, with project-level policies able to override higher-level policies unless explicitly prevented.

Identify the Policy Constraint:

The specific constraint in question is likely constraints/compute.vmExternalIpAccess, which controls whether VMs can have external IP addresses.

Check Policy Overwrites:

Navigate to the Organization Policies page in the Google Cloud Console.

Check the policy settings at the project level under the affected folder to see if there is an override in place with an 'allow' value.

This override would permit the creation of VMs with external IP addresses despite the higher-level restriction.

Resolve the Policy Conflict:

If an override is found, remove or modify the project-level policy to align with the organizational policy denying external IP addresses.

Communicate with project administrators to ensure they understand and comply with the overarching security policies.

Identity-Aware Proxy (IAP) controls access to web resources based on user identity and context, not network firewalls (like Option B). The tool used to define the contextual requirements (IP range) and identity (group membership) is an Access Level within Access Context Manager.

Access Level: Defines the required context (e.g., source IP range of the internal network) and the required identity attributes (e.g., user is a member of the AppDev group).

IAP Policy: The IAP policy for the Cloud Run application is then configured to only allow access if the user meets the conditions defined in the Access Level.

Extracts:

"Identity-Aware Proxy works by verifying a user's identity and context of the request to determine if the user should be allowed to access an application." (Source 3.1)

"When you set an IAP policy, you can define an Access Level from Context-Aware Access to enforce conditions based on user location (IP address), security status, and device policy, along with user identity/group membership." (Source 3.2)

"IAP with Context-Aware Access is the recommended zero-trust approach for enforcing both identity (AppDev group) and context (internal IP address) requirements." (Source 3.3)

https://cloud.google.com/vpc/docs/packet-mirroring

Packet Mirroring clones the traffic of specified instances in your Virtual Private Cloud (VPC) network and forwards it for examination. Packet Mirroring captures all traffic and packet data, including payloads and headers.

The Standard Tier network only provides regional load balancing, while the Premium Tier supports global load balancing with a single anycast IP address. To distribute requests across multiple regions, you need to use the Premium Tier and update the load balancer configuration accordingly.

Steps:

Upgrade to Premium Tier: Update the load balancer to use the Premium Tier network in the Google Cloud Console.

Add New Instance Group: Add the instance group in the new region (us-east-2) to the backend configuration of the existing load balancer.

Verify Configuration: Ensure that the frontend configuration of the load balancer uses a single external IP address for global distribution.

Use the org policy constraint "Google Cloud Platform - Resource Location Restriction" on your Google Cloud organization node: This organizational policy constraint allows you to restrict the locations where your resources can be created. By setting this constraint to allow only Europe regions, you can ensure compliance with GDPR and other regional regulations.

Implementation: To implement this, you need to configure the organization policy with the constraint constraints/gcp.resourceLocations. You can specify allowed regions such as europe-west1 and europe-west4 to ensure resources are only created in these locations.

References

Resource Location Restriction documentation

GDPR compliance on Google Cloud

To evaluate Google Cloud Platform (GCP) for PCI compliance and identify Google's inherent controls, you should review the "Google Cloud Platform: Customer Responsibility Matrix". This document provides detailed information about the shared responsibility model, outlining the security controls managed by Google and those that are the responsibility of the customer.

Steps to access and use the document:

Access the Document:

Go to the Google Cloud compliance resource center.

Locate the "Customer Responsibility Matrix" for PCI DSS compliance.

Review Inherent Controls:

The document lists various controls and specifies whether they are managed by Google, the customer, or both.

It covers different aspects such as infrastructure security, data protection, and compliance requirements.

Analyze PCI Compliance:

Use the matrix to understand which PCI DSS requirements are inherently addressed by Google Cloud.

Identify the controls you need to implement and manage as a customer to ensure full compliance.

By reviewing this document, you can gain a comprehensive understanding of the inherent controls provided by Google Cloud and the responsibilities you must fulfill to achieve PCI compliance.

Google Cloud Compliance Documentation

PCI DSS Compliance on Google Cloud

Objective: Create a Service Account that can list Compute Engine instances in the project following Google-recommended practices.

Solution: Create a custom role and assign it to the Service Account.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the IAM & Admin page and select "Roles".

Step 3: Click on "Create Role" and define a new role with a suitable name and description.

Step 4: Add the permission compute.instances.list to the custom role.

Step 5: Save the custom role.

Step 6: Go to the "Service Accounts" section.

Step 7: Create a new Service Account or select an existing one.

Step 8: Assign the newly created custom role to the Service Account.

By creating a custom role with the specific permission to list Compute Engine instances, you follow the principle of least privilege, which is a recommended security practice.

The Organization Administrator and Super Admin roles have extensive administrative privileges at the organization level. Restricting these roles is crucial to limit the number of users who have the ability to manage critical resources and configurations within the organization, thereby enhancing security and minimizing potential risks.

Organization Administrator: Has comprehensive permissions to manage all aspects of the Google Cloud organization, including projects, folders, and IAM policies.

Super Admin: In Google Workspace (formerly G Suite), the Super Admin has access to all administrative features and can manage user accounts, services, and settings across the organization.