50 Cloud Security Engineer Practice Questions: Question Bank 2025

Your organization needs to grant a third-party application temporary access to read objects from a specific Cloud Storage bucket without creating a service account. The access should expire automatically after 2 hours. What is the most appropriate solution?

A financial services company wants to ensure that all VM instances in their production environment are encrypted with customer-managed encryption keys (CMEK) stored in Cloud KMS. What is the best way to enforce this requirement across all projects?

Your security team needs to investigate suspicious API calls made to your GCP resources. They need to see who made the calls, when they were made, and whether they succeeded or failed. Which Google Cloud service should you use?

A healthcare application processes protected health information (PHI) and must comply with HIPAA requirements. The application uses Cloud Storage to store patient records. What Google Cloud feature should you enable to ensure the storage location meets data residency requirements for healthcare data?

Your company runs a multi-tier application on GCP with web servers in one VPC and database servers in another VPC. The web servers need to communicate with the database servers privately. You want to implement the most secure and scalable solution. What should you do?

A development team accidentally granted the 'Project Editor' role to a service account used by a containerized application running on GKE. Following the principle of least privilege, what is the best approach to remediate this security issue?

Your organization uses Binary Authorization to ensure only approved container images run on GKE clusters. A developer reports that their deployment is being blocked even though the image is signed by the correct authority. The attestation was created yesterday. What is the most likely cause?

A company needs to implement DDoS protection for their public-facing application hosted on Google Cloud. The application receives traffic from global users and runs on a regional managed instance group behind a global load balancer. What combination of services provides the best protection?

Your organization has implemented VPC Service Controls to protect sensitive data in BigQuery. A data analyst working from a compliant device within the security perimeter reports they cannot access BigQuery datasets, while other analysts can. The analyst has the correct IAM permissions. Audit logs show access requests being denied by VPC Service Controls. What is the most likely root cause?

A financial institution must ensure that all cryptographic keys used for data encryption are generated, stored, and managed in a FIPS 140-2 Level 3 validated hardware security module, and that Google cannot access these keys. The keys must be used to encrypt data in BigQuery. Which solution meets these requirements?

Your organization needs to ensure that all Cloud Storage buckets are encrypted with customer-managed encryption keys (CMEK) and that these keys are automatically rotated. What is the recommended approach to implement this requirement?

A financial services company must maintain an audit trail of all administrative actions in their GCP environment for compliance purposes. The audit logs must be tamper-proof and retained for 7 years. Which combination of services best meets these requirements?

Your development team needs temporary elevated access to production GCP resources for an emergency fix. What is the most secure way to grant this access while maintaining audit compliance?

A company is migrating workloads to GCP and needs to implement network segmentation to isolate different application tiers. The security team requires that database servers cannot initiate outbound connections to the internet but can receive connections from application servers. What is the best approach?

Your organization uses Binary Authorization to ensure only approved container images run in GKE. A developer reports that their deployment is failing with an attestation error. What is the most likely cause and solution?

A healthcare organization must ensure that Protected Health Information (PHI) in BigQuery is de-identified before being accessed by data analysts. The solution must support re-identification by authorized personnel when necessary. What combination of services should be used?

Your company needs to allow third-party contractors to access specific GCP resources without creating Google accounts or sharing credentials. The contractors will use their existing corporate identities. What is the recommended solution?

An application running on GKE needs to access Cloud SQL securely without exposing database credentials in environment variables or configuration files. What is the best practice approach?

Your organization needs to monitor and prevent exfiltration of sensitive data from GCP services to external destinations. Which combination of controls provides the most comprehensive protection?

A startup is deploying their first application on GCP and wants to implement security best practices from the start. They need to monitor for misconfigurations and security vulnerabilities. Which service should they prioritize enabling?

Your organization needs to ensure that all Cloud Storage buckets are encrypted with customer-managed encryption keys (CMEK) stored in Cloud KMS. Which approach provides the most effective preventive control?

A financial services company requires all API calls to GCP services to be logged and retained for 7 years for compliance purposes. The logs must be tamper-proof and verifiable. What solution should you implement?

Your team is implementing a defense-in-depth strategy for GKE clusters. Which combination of security controls provides the most comprehensive protection?

A developer accidentally granted the 'roles/owner' role to a service account used by a Compute Engine instance. What is the LEAST privileged approach to identify all resources this service account can access?

Your organization uses Cloud SQL for PostgreSQL with sensitive customer data. You need to ensure that database administrators cannot view the data while maintaining their ability to manage the database infrastructure. What solution should you implement?

An application running on GKE needs to access Cloud Storage buckets. The security team requires that pods cannot use the node's service account credentials. What is the recommended authentication method?

Your company is migrating on-premises applications to GCP and needs to maintain the same IP addresses for regulatory reasons. The applications must be highly available across multiple zones. What networking solution should you implement?

During a security audit, you discover that several BigQuery datasets containing PII are shared with external partners. What is the most secure way to provide controlled access while maintaining data protection?

Your organization has implemented VPC Service Controls with a service perimeter around sensitive projects. Users report that they cannot access Cloud Console for resources within the perimeter. What is the most likely cause and solution?

A security scan reveals that several Compute Engine instances have public IP addresses and are directly accessible from the internet. What is the best practice to reduce the attack surface while maintaining necessary external connectivity?

Your organization needs to ensure that all Cloud Storage buckets are encrypted with customer-managed encryption keys (CMEK) and that these keys are automatically rotated. What is the recommended approach?

A development team is using Secret Manager to store API keys. They report that their application running on GKE cannot access secrets. The service account has the 'Secret Manager Secret Accessor' role. What is the most likely cause?

Your company must comply with PCI DSS requirements for cardholder data stored in BigQuery. Which combination of security controls best addresses this requirement?

You need to configure a security architecture where GKE workloads can only access specific Cloud SQL databases based on their namespace. What is the most secure and scalable approach?

Your organization wants to prevent the creation of external IP addresses for Compute Engine instances. What is the correct approach?

A security audit reveals that several service account keys have not been rotated in over 180 days. What Google Cloud tools can help identify and remediate this issue?

Your company needs to ensure that all network traffic between GKE pods and Cloud SQL instances is encrypted and never traverses the public internet. What configuration achieves this?

What is the primary purpose of VPC Service Controls in Google Cloud security architecture?

Your organization requires that all sensitive data in BigQuery be automatically de-identified before being shared with the analytics team. What is the recommended approach?

Which Google Cloud service should you use to discover, classify, and protect sensitive data across multiple GCP services including Cloud Storage, BigQuery, and Datastore?

Your organization is deploying a multi-tier application on GKE and needs to ensure that pods in the frontend tier cannot directly communicate with pods in the database tier, while allowing communication through the application tier. What is the most effective GKE-native approach to implement this security control?

A financial services company must ensure that all API calls to their GCP resources are logged and that these logs cannot be deleted by any user, including project owners, for a period of 7 years. What combination of configurations achieves this requirement?

Your company's security team needs to detect when Cloud Storage buckets are made publicly accessible. They want to receive alerts within 5 minutes and automatically remediate by removing public access. What is the most efficient solution?

A healthcare application running on Compute Engine needs to access patient data stored in Cloud SQL. The application should authenticate without embedding credentials in code or configuration files. What is the recommended secure authentication method?

Your organization operates in multiple countries and needs to ensure that customer data for EU citizens is stored and processed only within EU regions, while US customer data remains in US regions. Some services like BigQuery may need to process combined analytics. What architecture best implements this data residency requirement?

A company's GKE cluster is experiencing intermittent connection issues to external HTTPS endpoints. Security policy requires that all egress traffic be inspected and logged. The current setup uses Cloud NAT for outbound connectivity. What configuration would provide the required visibility while maintaining connectivity?

An application development team needs temporary elevated access to production Cloud SQL instances for debugging a critical issue. The access should be granted for only 4 hours, require approval from two security team members, and be fully auditable. What GCP feature best addresses this requirement?

Your organization is implementing customer-managed encryption keys (CMEK) for Cloud Storage and BigQuery. The security team requires that cryptographic operations be performed in FIPS 140-2 Level 3 validated hardware, and key material should never leave the hardware module. Which solution meets these requirements?

A company must demonstrate compliance with PCI DSS requirements for their payment processing application on GCP. Security Command Center has identified several high-severity vulnerabilities and misconfigurations. What is the most effective approach to address these findings and maintain ongoing compliance?

An application running on GKE needs to access multiple Google Cloud APIs (Cloud Storage, BigQuery, and Pub/Sub) with different permission levels for each API. The security team wants to follow the principle of least privilege and avoid using service account keys. What is the recommended approach?