Google Cloud Professional Cloud Security Engineer Practice Exam

What the Google Cloud Professional Cloud Security Engineer exam covers

• Configuring Access145 questions
• Securing Communications and Boundary Protection138 questions
• Ensuring Data Protection144 questions
• Managing Operations162 questions
• Supporting Compliance Requirements74 questions

Free Google Cloud Professional Cloud Security Engineer sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 663.

1. Question 1Securing Communications and Boundary Protection

   Two teams migrated workloads into separate VPCs that now must communicate privately using internal IPs, with centralized firewall governance. Which integration is the recommended pattern?

   • AAssign public IPs to all VMs and route over the internet
   • BUse Cloud CDN between the two VPCs
   • CTunnel traffic through a public Cloud Storage bucket
   • DUse Shared VPC (or VPC Network Peering) with hierarchical firewall policies for centralized controlCorrect
   ✓ Correct answer: D

   Firewall rules control network traffic but do not transit across peering connections automatically. Use Shared VPC (or VPC Network Peering) with hierarchical firewall policies for centralized control ensures both connectivity and proper access control.

   Why the other options are wrong

   • AAssign public IPs to all VMs and route over the internet is incorrect because it exposes resources to the internet, violating the security requirement.
   • BUse Cloud CDN between the two VPCs is incorrect because it does not provide the required implementation.
   • CTunnel traffic through a public Cloud Storage bucket is incorrect because it exposes resources to the internet, violating the security requirement.
2. Question 2Securing Communications and Boundary Protection

   Internal VMs with no external IP that previously reached googleapis.com endpoints suddenly fail all calls to Google APIs after a network change, while VMs with external IPs still work. Which setting was most likely changed?

   • AThe VMs lost their CMEK keys
   • BCloud Armor blocked the egress
   • CCloud DNS was deleted from the project
   • DPrivate Google Access was disabled on the subnet, so internal-only VMs can no longer reach Google API endpointsCorrect
   ✓ Correct answer: D

   Network security requires multiple layers of control. Private Google Access was disabled on the subnet, so internal-only VMs can no longer reach Google API endpoints implements the recommended pattern.

   Why the other options are wrong

   • AThe VMs lost their CMEK keys is incorrect because it does not provide the required implementation.
   • BCloud Armor blocked the egress is incorrect because it does not provide the required implementation.
   • CCloud DNS was deleted from the project is incorrect because it does not provide the required implementation.
3. Question 3Configuring Access

   A security team wants to grant a contractor temporary access to a project that automatically expires after the engagement ends, without manual cleanup. Which IAM capability achieves this?

   • AAn IAM Condition with a request.time expiry timestamp on the role bindingCorrect
   • BA firewall rule that blocks the contractor after the date
   • CA shared service-account key handed to the contractor
   • DA primitive Owner grant that is deleted later by hand
   ✓ Correct answer: A

   Temporary access control requires time-bound mechanisms. An IAM Condition with a request.time expiry timestamp on the role binding implements automatic expiry without manual cleanup.

   Why the other options are wrong

   • BA firewall rule that blocks the contractor after the date is incorrect because it does not provide the required implementation.
   • CA shared service-account key handed to the contractor is incorrect because it does not provide the required implementation.
   • DA primitive Owner grant that is deleted later by hand is incorrect because it does not provide the required implementation.
4. Question 4Supporting Compliance Requirements

   Compliance forbids any Cloud Storage bucket in the organization from ever being made public. Which Organization Policy constraint enforces this automatically?

   • AA Cloud DNS DNSSEC configuration
   • BA Cloud Armor security policy on each bucket
   • CA VPC firewall egress rule
   • Dconstraints/storage.publicAccessPrevention enforced at the org or folder levelCorrect
   ✓ Correct answer: D

   Organization Policies enforce inherited guardrails. {answer_text} applies the correct constraint for the requirement.

   Why the other options are wrong

   • AA Cloud DNS DNSSEC configuration is incorrect because it does not provide the required implementation.
   • BA Cloud Armor security policy on each bucket is incorrect because it does not provide the required implementation.
   • CA VPC firewall egress rule is incorrect because it does not provide the required implementation.
5. Question 5Configuring Access

   You configured SAML SSO between your IdP and Google, but users report a redirect loop and an error that the assertion cannot be validated. Which misconfiguration most likely causes a failed SAML assertion signature validation?

   • AThe IdP's signing certificate uploaded to Google does not match the certificate actually used to sign assertionsCorrect
   • BThe Cloud Identity password policy enforces a 12-character minimum
   • CWorkload Identity Federation is disabled in the organization
   • DThe users lack the roles/viewer permission on the project
   ✓ Correct answer: A

   Access control requires understanding IAM hierarchy and resource-level bindings. The IdP's signing certificate uploaded to Google does not match the certificate actually used to sign assertions applies the correct pattern.

   Why the other options are wrong

   • BThe Cloud Identity password policy enforces a 12-character minimum is incorrect because it does not provide the required implementation.
   • CWorkload Identity Federation is disabled in the organization is incorrect because it disables critical security or functionality needed for the requirement.
   • DThe users lack the roles/viewer permission on the project is incorrect because it does not provide the required implementation.
6. Question 6Configuring Access

   An application running on a Compute Engine virtual machine needs to call Google Cloud APIs. A developer asks whether they should create a service account key file for the app. What is the most secure recommendation?

   • ACreate a key and rotate it weekly via a cron job
   • BDo not create a key; attach a least-privilege service account to the VM and use the metadata server for short-lived credentialsCorrect
   • CUse the developer's personal Google account credentials in the app
   • DCreate a key but store it only in environment variables
   • ECreate a key signed with a Cloud HSM-protected KMS key
   ✓ Correct answer: B

   Cross-project service account access requires proper IAM binding on the resource itself. Do not create a key; attach a least-privilege service account to the VM and use the metadata server for short-lived credentials provides the necessary least-privilege scope for resource-level access across projects.

   Why the other options are wrong

   • ACreate a key and rotate it weekly via a cron job is incorrect because it does not provide the required implementation.
   • CUse the developer's personal Google account credentials in the app is incorrect because it does not provide the required implementation.
   • DCreate a key but store it only in environment variables is incorrect because it does not provide the required implementation.
   • ECreate a key signed with a Cloud HSM-protected KMS key is incorrect because it does not provide the required implementation.
7. Question 7Configuring Access

   During an investigation you find that a deleted service account's old downloaded key still appears in a script. A teammate claims the key could still work if the service account is re-created with the same name. Is that correct, and what is the secure stance?

   • ANo; re-creating a service account with the same email generates a new unique ID, so old keys are invalid, and you should still remove and rotate any leaked key materialCorrect
   • BYes; service account keys are tied only to the email address and survive deletion and re-creation
   • CYes; deleted service accounts retain all their keys indefinitely
   • DNo; but the old key automatically becomes the Owner of the project
   • EYes; and the old key gains the Token Creator role automatically
   ✓ Correct answer: A

   Cross-project service account access requires proper IAM binding on the resource itself. No; re-creating a service account with the same email generates a new unique ID, so old keys are invalid, and you should still remove and rotate any leaked key material provides the necessary least-privilege scope for resource-level access across projects.

   Why the other options are wrong

   • BYes; service account keys are tied only to the email address and survive deletion and re-creation is incorrect because it does not provide the required implementation.
   • CYes; deleted service accounts retain all their keys indefinitely is incorrect because it does not provide the required implementation.
   • DNo; but the old key automatically becomes the Owner of the project is incorrect because it does not provide the required implementation.
   • EYes; and the old key gains the Token Creator role automatically is incorrect because it does not provide the required implementation.
8. Question 8Configuring Access

   A team needs to grant a vendor service account access to publish to exactly one Pub/Sub topic named billing-events, but the request must originate only from a trusted network context. They want the least-privilege role plus a context restriction. Which configuration is most appropriate?

   • AGrant roles/pubsub.publisher on the topic billing-events with an IAM Condition referencing an Access Context Manager access level for the allowed network contextCorrect
   • BGrant roles/pubsub.admin at the project level with no condition
   • CGrant roles/editor on the project and rely on firewall rules
   • DAdd the vendor account to a group that already has roles/owner
   ✓ Correct answer: A

   Cross-project service account access requires proper IAM binding on the resource itself. Grant roles/pubsub.publisher on the topic billing-events with an IAM Condition referencing an Access Context Manager access level for the allowed network context provides the necessary least-privilege scope for resource-level access across projects.

   Why the other options are wrong

   • BGrant roles/pubsub.admin at the project level with no condition is incorrect because it does not provide the required implementation.
   • CGrant roles/editor on the project and rely on firewall rules is incorrect because it does not provide the required implementation.
   • DAdd the vendor account to a group that already has roles/owner is incorrect because it grants excessive permissions, violating least-privilege principles.
9. Question 9Securing Communications and Boundary Protection

   A global external Application Load Balancer terminates HTTPS for several domains. Your team wants Google to automatically provision and renew the public TLS certificates and serve the correct certificate per hostname using SNI, without managing renewals manually. Which approach should you use?

   • AUpload self-managed certificates and set a calendar reminder to rotate them before expiry
   • BUse Certificate Manager with Google-managed certificates and a certificate map for per-host selectionCorrect
   • CIssue certificates from Certificate Authority Service and attach the private CA to the load balancer
   • DStore PEM files in Secret Manager and reference them from the target HTTPS proxy
   ✓ Correct answer: B

   Internal-only VMs require Cloud NAT for outbound internet access. Use Certificate Manager with Google-managed certificates and a certificate map for per-host selection provides source address translation without external IPs.

   Why the other options are wrong

   • AUpload self-managed certificates and set a calendar reminder to rotate them before expiry is incorrect because it does not provide the required implementation.
   • CIssue certificates from Certificate Authority Service and attach the private CA to the load balancer is incorrect because it does not provide the required implementation.
   • DStore PEM files in Secret Manager and reference them from the target HTTPS proxy is incorrect because it does not provide the required implementation.
10. Question 10Securing Communications and Boundary Protection

    To prevent data exfiltration even if a service-account credential is stolen, you want to ensure that a principal inside a perimeter cannot copy BigQuery data to a personal project that sits outside the perimeter. Which VPC Service Controls feature most directly prevents this outbound copy?

    • AAn egress rule that restricts which external projects and identities perimeter resources may send data to, denying the unapproved personal projectCorrect
    • BA network tag applied to the BigQuery service account
    • CEnabling uniform bucket-level access on the destination project
    • DA Cloud NAT gateway in the perimeter's host VPC
    ✓ Correct answer: A

    Network security requires multiple layers of control. An egress rule that restricts which external projects and identities perimeter resources may send data to, denying the unapproved personal project implements the recommended pattern.

    Why the other options are wrong

    • BA network tag applied to the BigQuery service account is incorrect because it does not provide the required implementation.
    • CEnabling uniform bucket-level access on the destination project is incorrect because it does not provide the required implementation.
    • DA Cloud NAT gateway in the perimeter's host VPC is incorrect because it does not provide the required implementation.

Google Cloud Professional Cloud Security Engineer practice exam FAQ