1. Which security principle ensures that users have only the permissions they need to perform their job?
A) Least Privilege
B) Role-Based Access Control (RBAC)
C) Zero Trust
D) Identity Federation
✅ Answer: A) Least Privilege
Explanation: The principle of Least Privilege ensures users and services are granted only the permissions necessary to perform their tasks, reducing the attack surface.
2. What GCP service allows you to manage encryption keys used for securing data?
A) Cloud HSM
B) Cloud KMS
C) Secret Manager
D) Cloud Identity
✅ Answer: B) Cloud KMS
Explanation: Google Cloud Key Management Service (Cloud KMS) allows users to manage encryption keys for securing sensitive data across GCP.
3. How can you restrict access to Google Cloud resources using identity-based policies?
A) IAM Policies
B) Network ACLs
C) Firewall Rules
D) Cloud VPN
✅ Answer: A) IAM Policies
Explanation: IAM (Identity and Access Management) Policies allow you to define who has access to what resources in GCP based on roles and permissions.
4. Which tool helps in detecting misconfigurations and security risks in GCP?
A) Cloud Armor
B) Security Command Center
C) Stackdriver Logging
D) Cloud NAT
✅ Answer: B) Security Command Center
Explanation: Google Cloud Security Command Center (SCC) helps identify misconfigurations, vulnerabilities, and threats across GCP resources.
5. What is the purpose of VPC Service Controls in GCP?
A) To control external IP access
B) To restrict data movement between services
C) To block unauthorized firewall rules
D) To monitor API calls
✅ Answer: B) To restrict data movement between services
Explanation: VPC Service Controls create a security perimeter around sensitive resources to prevent unauthorized data exfiltration.
6. Which of the following methods strengthens authentication in GCP?
A) Multi-Factor Authentication (MFA)
B) Static passwords
C) Service accounts with broad access
D) Disabling audit logs
✅ Answer: A) Multi-Factor Authentication (MFA)
Explanation: MFA adds an extra layer of security by requiring users to present more than one form of authentication, such as a password and a security key.
7. What GCP service enables audit logging to track access and modifications to resources?
A) Cloud Monitoring
B) Cloud Logging
C) Cloud Audit Logs
D) BigQuery
✅ Answer: C) Cloud Audit Logs
Explanation: Cloud Audit Logs provide records of who accessed or modified resources in GCP, helping in security monitoring and compliance.
8. What is the primary use of Cloud Identity-Aware Proxy (IAP)?
A) Encrypt data at rest
B) Enforce identity-based access to web apps
C) Manage user permissions
D) Prevent DDoS attacks
✅ Answer: B) Enforce identity-based access to web apps
Explanation: Cloud IAP controls access to web applications and services based on a user’s identity and context.
9. How does Google Cloud Armor help protect applications?
A) By scanning for malware
B) By providing a Web Application Firewall (WAF)
C) By encrypting data
D) By backing up resources
✅ Answer: B) By providing a Web Application Firewall (WAF)
Explanation: Google Cloud Armor protects applications from DDoS attacks and common web vulnerabilities using WAF rules.
10. Which GCP service helps detect and respond to security threats in real-time?
A) Security Command Center
B) Cloud Armor
C) Cloud Interconnect
D) Cloud CDN
✅ Answer: A) Security Command Center
Explanation: Security Command Center (SCC) provides threat detection, vulnerability assessment, and compliance monitoring.
11. What is the best way to securely store sensitive environment variables in GCP?
A) Hardcode them in the application
B) Use Google Cloud Storage
C) Use Secret Manager
D) Store in plaintext files
✅ Answer: C) Use Secret Manager
Explanation: Secret Manager securely stores and manages API keys, passwords, and sensitive environment variables.
12. What role does Cloud Identity play in GCP security?
A) Provides access to on-premises networks
B) Manages user identities and authentication
C) Creates network firewalls
D) Controls API permissions
✅ Answer: B) Manages user identities and authentication
Explanation: Cloud Identity is a user management and authentication service that integrates with GCP to enforce secure access policies.
13. What is the recommended way to protect GCP workloads from malware?
A) Cloud HSM
B) Binary Authorization
C) Cloud Build
D) Cloud Load Balancing
✅ Answer: B) Binary Authorization
Explanation: Binary Authorization ensures that only trusted and signed container images are deployed to GCP workloads.
14. Which encryption mechanism does Google Cloud use by default for data at rest?
A) RSA
B) AES-256
C) SHA-256
D) ECC
✅ Answer: B) AES-256
Explanation: Google Cloud encrypts data at rest using AES-256 encryption by default, providing a high level of security.
15. Which service is used to define and enforce organizational security policies in GCP?
A) IAM
B) Cloud Organization Policy
C) Cloud Functions
D) Cloud Storage
✅ Answer: B) Cloud Organization Policy
Explanation: Cloud Organization Policies allow administrators to define security rules and enforce governance policies.
16. What is the primary benefit of Google Cloud’s Shielded VMs?
A) Increased virtual machine performance
B) Protection against rootkits and boot-level attacks
C) Faster storage access
D) Better networking capabilities
✅ Answer: B) Protection against rootkits and boot-level attacks
Explanation: Shielded VMs protect against rootkits, bootkits, and unauthorized firmware modifications.
17. How does Cloud Identity Federation improve security?
A) It allows users to sign in with their existing credentials from external identity providers
B) It automatically assigns all permissions to new users
C) It stores user credentials in plaintext
D) It replaces IAM policies
✅ Answer: A) It allows users to sign in with their existing credentials from external identity providers
Explanation: Cloud Identity Federation allows users to authenticate via third-party identity providers (e.g., Azure AD, Okta) without creating a separate Google account.
18. What security feature should be used to prevent unauthorized changes to sensitive GCP resources?
A) Cloud Armor
B) IAM Conditions
C) Organization Policy Constraints
D) Cloud CDN
✅ Answer: C) Organization Policy Constraints
Explanation: Organization Policy Constraints prevent unauthorized modifications to critical GCP resources.
19. Which firewall rule should be used to deny all inbound traffic by default?
A) Allow all internal traffic
B) Deny all incoming traffic
C) Allow SSH access
D) Open all ports
✅ Answer: B) Deny all incoming traffic
Explanation: A default deny-all inbound rule prevents unauthorized access while allowing explicit exceptions.
20. What tool can be used to manage compliance and security posture in GCP?
A) Cloud CDN
B) Security Command Center
C) Cloud DNS
D) Cloud Interconnect
✅ Answer: B) Security Command Center
Explanation: Security Command Center monitors compliance, vulnerabilities, and security risks across GCP.
21. What is the primary purpose of Google Cloud Identity?
A) Providing a firewall for cloud workloads
B) Managing identities, authentication, and security policies
C) Encrypting data at rest
D) Automating infrastructure deployment
✅ Answer: B) Managing identities, authentication, and security policies
Explanation: Google Cloud Identity is used to manage user authentication, access control, and security policies, helping enforce secure access to resources.
22. Which GCP service can help detect and mitigate DDoS attacks?
A) Cloud NAT
B) Cloud Armor
C) Cloud Run
D) Cloud Build
✅ Answer: B) Cloud Armor
Explanation: Cloud Armor provides DDoS protection and Web Application Firewall (WAF) features to help mitigate large-scale attacks.
23. What is the best practice for securing API keys in GCP?
A) Store them in plaintext in the source code
B) Hardcode them in the application
C) Store them in Secret Manager with IAM-based access
D) Share them publicly for better collaboration
✅ Answer: C) Store them in Secret Manager with IAM-based access
Explanation: Secret Manager securely stores sensitive data like API keys while IAM policies control access.
24. What IAM role should be assigned to a user who only needs to read logs in Cloud Logging?
A) Owner
B) Editor
C) Logs Viewer
D) Security Admin
✅ Answer: C) Logs Viewer
Explanation: The Logs Viewer role grants read-only access to Cloud Logging, allowing users to view logs without modifying configurations.
25. How can you prevent unintended public access to a Cloud Storage bucket?
A) Assign “Storage Admin” role to all users
B) Use Signed URLs for temporary access
C) Enable automatic backup
D) Store data unencrypted
✅ Answer: B) Use Signed URLs for temporary access
Explanation: Signed URLs provide temporary, time-limited access to Cloud Storage objects without making them public.
26. What tool can be used to investigate security threats and perform forensic analysis in GCP?
A) Cloud SQL
B) Security Command Center
C) Cloud VPN
D) Cloud CDN
✅ Answer: B) Security Command Center
Explanation: Security Command Center provides threat detection, monitoring, and forensic analysis tools for investigating security incidents.
27. What is the function of Cloud IAM Conditions?
A) Define advanced access control rules based on attributes
B) Encrypt data in Cloud Storage
C) Monitor VPC network traffic
D) Manage cloud billing
✅ Answer: A) Define advanced access control rules based on attributes
Explanation: IAM Conditions enable granular access control based on resource attributes, device status, or request origin.
28. How does Binary Authorization enhance security for containerized workloads?
A) It enforces signed and verified container images
B) It restricts network access to containers
C) It automatically scales Kubernetes workloads
D) It manages API access
✅ Answer: A) It enforces signed and verified container images
Explanation: Binary Authorization ensures that only trusted and signed container images are deployed, reducing the risk of running compromised images.
29. Which Google Cloud service provides identity federation with external identity providers?
A) Cloud Identity-Aware Proxy
B) Cloud Identity
C) Cloud KMS
D) Cloud Functions
✅ Answer: B) Cloud Identity
Explanation: Cloud Identity allows integration with external identity providers like Okta, Azure AD, and SAML-based providers for authentication.
30. What security feature should be used to protect sensitive Compute Engine instances from unauthorized SSH access?
A) Cloud Armor
B) VPC Service Controls
C) OS Login
D) Cloud Scheduler
✅ Answer: C) OS Login
Explanation: OS Login integrates with IAM to control SSH access based on Google accounts and IAM roles.
31. What should be enabled to ensure logs are retained and not accidentally deleted in Cloud Logging?
A) Enabling Cloud Load Balancer
B) Creating Log Sinks
C) Disabling IAM permissions
D) Disabling logs
✅ Answer: B) Creating Log Sinks
Explanation: Log Sinks allow long-term log retention by exporting logs to BigQuery, Cloud Storage, or Pub/Sub.
32. What feature of GCP helps control the egress traffic of workloads?
A) VPC Firewall Rules
B) Identity-Aware Proxy
C) Binary Authorization
D) Cloud Scheduler
✅ Answer: A) VPC Firewall Rules
Explanation: VPC Firewall Rules allow defining ingress and egress rules to control network traffic for workloads.
33. What GCP service helps in detecting misconfigurations in IAM policies?
A) IAM Recommender
B) Cloud Interconnect
C) Cloud Spanner
D) Cloud NAT
✅ Answer: A) IAM Recommender
Explanation: IAM Recommender analyzes IAM policies and suggests role optimizations to follow the principle of least privilege.
34. How can you enforce data residency requirements in GCP?
A) Use Regional Storage and Organization Policies
B) Use Cloud NAT
C) Use Global Storage options
D) Disable IAM policies
✅ Answer: A) Use Regional Storage and Organization Policies
Explanation: Regional Storage ensures data stays in a specific location, and Organization Policies enforce residency rules.
35. What GCP service can be used to securely manage SSH keys for Compute Engine instances?
A) Cloud KMS
B) OS Login
C) Cloud VPN
D) Cloud Spanner
✅ Answer: B) OS Login
Explanation: OS Login integrates SSH key management with IAM roles to improve security and auditability.
36. How does Cloud Armor Adaptive Protection work?
A) By analyzing traffic patterns and blocking suspicious requests
B) By encrypting data in transit
C) By providing network connectivity
D) By scanning code for vulnerabilities
✅ Answer: A) By analyzing traffic patterns and blocking suspicious requests
Explanation: Adaptive Protection in Cloud Armor detects and mitigates DDoS attacks and abnormal traffic behavior.
37. Which Google Cloud security feature allows granular control over API access?
A) VPC Firewall
B) IAM Conditions
C) API Gateway
D) Cloud CDN
✅ Answer: C) API Gateway
Explanation: API Gateway provides authentication, authorization, and rate limiting for API services.
38. What tool can be used to scan container images for vulnerabilities in GCP?
A) Cloud Build
B) Container Analysis
C) Cloud Run
D) Cloud Load Balancer
✅ Answer: B) Container Analysis
Explanation: Container Analysis scans container images for vulnerabilities and misconfigurations.
39. What feature of GCP can prevent unauthorized VM startup or modifications?
A) Shielded VMs
B) Cloud Armor
C) Cloud CDN
D) Cloud Spanner
✅ Answer: A) Shielded VMs
Explanation: Shielded VMs protect against boot-level malware and unauthorized modifications.
40. What tool can be used to centrally enforce security policies across multiple GCP projects?
A) Cloud Identity
B) Organization Policy Service
C) Cloud KMS
D) Cloud VPN
✅ Answer: B) Organization Policy Service
Explanation: Organization Policy Service enables administrators to enforce security rules and governance across multiple projects.
41. Which Google Cloud service is specifically designed to store and manage sensitive application secrets like API keys and passwords?
A) Cloud Storage
B) Cloud KMS
C) Secret Manager
D) Cloud Identity
✅ Answer: C) Secret Manager
Explanation: Secret Manager allows secure storage, access control, and versioning of API keys, passwords, and other sensitive secrets.
42. What security practice ensures that only authorized users can make API calls to a GCP service?
A) Using API Gateway with IAM authentication
B) Enabling public API access
C) Assigning Owner roles to all users
D) Allowing anonymous access
✅ Answer: A) Using API Gateway with IAM authentication
Explanation: API Gateway provides authentication, authorization, and security policies to control access to API services.
43. Which of the following can be used to enforce time-based access restrictions for GCP resources?
A) IAM Conditions
B) Cloud Armor
C) Binary Authorization
D) Cloud DNS
✅ Answer: A) IAM Conditions
Explanation: IAM Conditions allow enforcing access controls based on time, device attributes, and request source.
44. What is the best way to prevent privilege escalation attacks in GCP?
A) Assigning users the “Owner” role by default
B) Implementing the principle of least privilege with IAM roles
C) Using shared credentials for all employees
D) Disabling audit logging
✅ Answer: B) Implementing the principle of least privilege with IAM roles
Explanation: Least privilege ensures users only have the minimum permissions required, preventing privilege escalation.
45. Which Google Cloud tool provides risk insights into IAM policy misconfigurations?
A) IAM Recommender
B) Cloud Run
C) Cloud SQL
D) Cloud Spanner
✅ Answer: A) IAM Recommender
Explanation: IAM Recommender identifies overly permissive roles and provides recommendations for reducing unnecessary access.
46. What is the purpose of Organization Policies in GCP?
A) To manage IAM users and permissions
B) To set and enforce security and compliance rules across projects
C) To encrypt all API requests
D) To manage VM instances
✅ Answer: B) To set and enforce security and compliance rules across projects
Explanation: Organization Policies enforce security, compliance, and governance rules across GCP projects.
47. Which GCP service should you use to restrict access to sensitive resources based on network perimeters?
A) Cloud Interconnect
B) VPC Service Controls
C) Cloud CDN
D) Cloud Run
✅ Answer: B) VPC Service Controls
Explanation: VPC Service Controls create security perimeters around sensitive GCP services to prevent data exfiltration.
48. How does Cloud HSM enhance security in Google Cloud?
A) Provides a cloud-based VPN
B) Manages encryption keys with a hardware security module
C) Blocks all external API requests
D) Controls access to VM instances
✅ Answer: B) Manages encryption keys with a hardware security module
Explanation: Cloud HSM is a hardware security module (HSM) that allows secure encryption key management.
49. What security feature ensures that only trusted devices can access GCP resources?
A) Cloud Armor
B) Binary Authorization
C) Endpoint Verification
D) Cloud Interconnect
✅ Answer: C) Endpoint Verification
Explanation: Endpoint Verification ensures only company-managed and trusted devices can access sensitive GCP resources.
50. What is the best way to enforce compliance policies across multiple GCP projects?
A) Using separate IAM roles for each project
B) Enabling Cloud Billing Reports
C) Using Organization Policies
D) Granting administrative access to all users
✅ Answer: C) Using Organization Policies
Explanation: Organization Policies allow setting global security rules across all projects to maintain compliance.
51. How can GCP users securely connect to private instances in a VPC without public IP addresses?
A) Cloud VPN or Identity-Aware Proxy (IAP)
B) Assigning public IPs to all instances
C) Enabling unrestricted SSH access
D) Disabling firewall rules
✅ Answer: A) Cloud VPN or Identity-Aware Proxy (IAP)
Explanation: Cloud VPN and Cloud IAP allow secure remote access to private instances without exposing them publicly.
52. What is the primary function of Forseti Security in GCP?
A) Encrypting data stored in Cloud Storage
B) Automatically detecting security misconfigurations and policy violations
C) Managing IAM roles and permissions
D) Preventing DDoS attacks
✅ Answer: B) Automatically detecting security misconfigurations and policy violations
Explanation: Forseti Security is an open-source tool that scans for IAM, firewall, and compliance misconfigurations.
53. What security mechanism prevents unauthorized access to Cloud SQL databases?
A) IAM-based authentication and Cloud SQL Proxy
B) Allowing public IP access
C) Using a default password for all instances
D) Disabling audit logs
✅ Answer: A) IAM-based authentication and Cloud SQL Proxy
Explanation: Cloud SQL Proxy and IAM-based authentication provide secure access to Cloud SQL without exposing public endpoints.
54. What feature of GCP provides protection against brute force attacks?
A) Cloud Armor
B) Identity-Aware Proxy (IAP)
C) Stackdriver Logging
D) Cloud KMS
✅ Answer: A) Cloud Armor
Explanation: Cloud Armor provides rate limiting and request filtering to protect against brute force attacks.
55. How does Google Cloud’s BeyondCorp security model enhance security?
A) Eliminates VPN dependency and enforces zero trust access
B) Grants unrestricted access to all users
C) Allows public access to Cloud Storage
D) Encrypts all network traffic
✅ Answer: A) Eliminates VPN dependency and enforces zero trust access
Explanation: BeyondCorp enforces zero trust security, allowing secure access without VPNs.
56. What GCP feature can help detect leaked credentials and security threats in real-time?
A) Security Health Analytics
B) Cloud NAT
C) Cloud Pub/Sub
D) Cloud Spanner
✅ Answer: A) Security Health Analytics
Explanation: Security Health Analytics scans for leaked credentials, misconfigurations, and security risks.
57. How can users prevent phishing attacks in GCP?
A) Enforcing Multi-Factor Authentication (MFA)
B) Disabling IAM roles
C) Granting all users administrative access
D) Storing passwords in plaintext
✅ Answer: A) Enforcing Multi-Factor Authentication (MFA)
Explanation: MFA adds an extra layer of security, helping prevent phishing attacks by requiring multiple authentication factors.
58. What tool provides real-time insights into security vulnerabilities in GCP workloads?
A) Security Command Center
B) Cloud Run
C) Cloud SQL
D) Cloud Spanner
✅ Answer: A) Security Command Center
Explanation: Security Command Center provides real-time security insights across GCP workloads.
59. Which encryption method is used by Google Cloud for encrypting data at rest?
A) AES-256
B) SHA-512
C) MD5
D) RSA-128
✅ Answer: A) AES-256
Explanation: Google Cloud encrypts all data at rest using AES-256 encryption, ensuring strong security.
60. What is the recommended method for securely rotating service account keys?
A) Using short-lived access tokens instead of keys
B) Storing keys in plaintext
C) Hardcoding keys in applications
D) Disabling all IAM roles
✅ Answer: A) Using short-lived access tokens instead of keys
Explanation: Short-lived access tokens eliminate the risk of long-lived credentials being compromised.
61. Which GCP service allows you to define fine-grained access controls for Cloud Storage objects?
A) IAM Policies
B) Cloud Storage ACLs
C) Cloud CDN
D) Cloud Functions
✅ Answer: B) Cloud Storage ACLs
Explanation: Cloud Storage ACLs (Access Control Lists) allow setting fine-grained permissions at the object level.
62. How can organizations enforce region-based access restrictions for their GCP resources?
A) Using IAM policies
B) Implementing Organization Policies with location constraints
C) Disabling Cloud Logging
D) Enabling unrestricted firewall rules
✅ Answer: B) Implementing Organization Policies with location constraints
Explanation: Organization Policies allow enforcing geographical restrictions for data storage and access.
63. What is the primary purpose of Google Cloud’s “Deny” IAM policies?
A) Prevent access to resources even if other policies grant it
B) Encrypt data at rest
C) Assign permissions dynamically
D) Manage cloud billing
✅ Answer: A) Prevent access to resources even if other policies grant it
Explanation: Deny IAM policies explicitly block access, taking priority over any other granted permissions.
64. How does Cloud DNS security help protect against domain hijacking?
A) Enabling DNSSEC (Domain Name System Security Extensions)
B) Disabling IAM roles
C) Storing all DNS records locally
D) Using unencrypted DNS requests
✅ Answer: A) Enabling DNSSEC (Domain Name System Security Extensions)
Explanation: DNSSEC prevents spoofing of and tampering with DNS records by digitally signing DNS responses.
65. What security mechanism does GCP use to prevent unauthorized access to Virtual Private Cloud (VPC) networks?
A) VPC Firewall Rules
B) Cloud Build
C) Cloud CDN
D) Cloud IAM
✅ Answer: A) VPC Firewall Rules
Explanation: VPC Firewall Rules control inbound and outbound network traffic to secure cloud resources.
66. What is the primary function of GCP’s Cloud Identity-Aware Proxy (IAP)?
A) Restricts access to applications based on identity and context
B) Provides distributed denial-of-service (DDoS) protection
C) Encrypts API requests
D) Enables multi-region data storage
✅ Answer: A) Restricts access to applications based on identity and context
Explanation: Cloud IAP enforces identity and context-based access to web applications and services.
67. Which GCP service helps organizations maintain compliance by detecting security misconfigurations?
A) Security Health Analytics
B) Cloud Scheduler
C) Cloud Spanner
D) Cloud VPN
✅ Answer: A) Security Health Analytics
Explanation: Security Health Analytics scans for compliance and security misconfigurations.
68. What is the purpose of Google Cloud’s Binary Authorization?
A) Ensures that only trusted container images are deployed
B) Encrypts data at rest
C) Blocks all inbound network traffic
D) Stores access logs
✅ Answer: A) Ensures that only trusted container images are deployed
Explanation: Binary Authorization enforces signature-based validation to verify container integrity before deployment.
69. How can you ensure that logs are stored securely and are not tampered with?
A) Enable Log Export to Cloud Storage with retention policies
B) Disable Cloud Logging
C) Store logs in plaintext files
D) Allow all users full access to logs
✅ Answer: A) Enable Log Export to Cloud Storage with retention policies
Explanation: Exporting logs to Cloud Storage with IAM-based restrictions and retention policies prevents unauthorized modifications.
70. What is the main advantage of using IAM Workload Identity Federation?
A) Enables access to GCP resources without storing long-term credentials
B) Grants administrative access to all users
C) Encrypts API requests
D) Disables audit logging
✅ Answer: A) Enables access to GCP resources without storing long-term credentials
Explanation: Workload Identity Federation allows using external identities to authenticate without storing service account keys.
71. What GCP service allows real-time monitoring of network threats?
A) Packet Mirroring
B) Cloud CDN
C) Cloud SQL
D) Cloud Build
✅ Answer: A) Packet Mirroring
Explanation: Packet Mirroring captures network traffic for real-time threat detection and forensic analysis.
72. What is the recommended method for securing sensitive data in transit?
A) Enabling TLS/SSL encryption
B) Using plaintext transmission
C) Disabling IAM policies
D) Storing data unencrypted
✅ Answer: A) Enabling TLS/SSL encryption
Explanation: TLS/SSL encryption ensures that data in transit is protected against interception.
73. How does Google Cloud Armor mitigate SQL injection attacks?
A) By blocking malicious SQL queries using WAF rules
B) By encrypting all network traffic
C) By enabling public database access
D) By automatically patching application code
✅ Answer: A) By blocking malicious SQL queries using WAF rules
Explanation: Cloud Armor WAF provides predefined rules to block SQL injection and other web-based attacks.
74. Which feature provides automatic protection against unauthorized API requests in GCP?
A) API Gateway with IAM authentication
B) Allowing anonymous access
C) Storing API keys in plaintext
D) Disabling IAM policies
✅ Answer: A) API Gateway with IAM authentication
Explanation: API Gateway enforces IAM-based authentication and authorization for API security.
75. What is the best way to monitor failed login attempts in GCP?
A) Using Cloud Audit Logs
B) Enabling unrestricted access
C) Disabling user authentication
D) Storing logs in plaintext
✅ Answer: A) Using Cloud Audit Logs
Explanation: Cloud Audit Logs track authentication failures and security events.
76. How does Cloud Identity help improve security?
A) By managing users, devices, and access policies
B) By encrypting all GCP resources
C) By allowing unrestricted network access
D) By automatically deleting IAM policies
✅ Answer: A) By managing users, devices, and access policies
Explanation: Cloud Identity manages authentication, device security, and access controls.
77. What security practice helps prevent insider threats in GCP?
A) Implementing IAM policies with least privilege
B) Assigning Owner role to all users
C) Disabling audit logging
D) Using shared credentials
✅ Answer: A) Implementing IAM policies with least privilege
Explanation: Least privilege restricts access to only necessary permissions, reducing insider threat risks.
78. Which security feature in GCP ensures that VM instances only run verified boot firmware?
A) Shielded VMs
B) Cloud SQL
C) Cloud VPN
D) Cloud Functions
✅ Answer: A) Shielded VMs
Explanation: Shielded VMs verify boot firmware to prevent rootkits and unauthorized modifications.
79. What security measure should be implemented to limit access to GCP APIs?
A) IAM Conditions with API restrictions
B) Allowing unrestricted access
C) Disabling IAM roles
D) Using default credentials
✅ Answer: A) IAM Conditions with API restrictions
Explanation: IAM Conditions restrict API access based on user roles, IP ranges, and devices.
80. What GCP feature allows tracking of IAM role changes for security audits?
A) Cloud Audit Logs
B) Cloud CDN
C) Cloud NAT
D) Cloud Run
✅ Answer: A) Cloud Audit Logs
Explanation: Cloud Audit Logs track IAM role modifications for compliance and security audits.
81. Which Google Cloud service provides end-to-end visibility into security threats?
A) Security Command Center
B) Cloud Storage
C) Cloud CDN
D) Cloud Run
✅ Answer: A) Security Command Center
Explanation: Security Command Center provides a centralized view of security threats, misconfigurations, and vulnerabilities across GCP.
82. What is the primary function of Google Cloud’s Access Transparency logs?
A) Provide visibility into Google’s administrative access to customer data
B) Manage Cloud IAM roles
C) Encrypt network traffic
D) Store API access keys
✅ Answer: A) Provide visibility into Google’s administrative access to customer data
Explanation: Access Transparency logs show when and why Google support personnel accessed customer data, ensuring compliance.
83. What security feature ensures that a Compute Engine VM boots securely and hasn’t been tampered with?
A) Shielded VMs
B) Cloud CDN
C) Cloud NAT
D) Cloud Functions
✅ Answer: A) Shielded VMs
Explanation: Shielded VMs prevent unauthorized firmware and boot-level attacks.
84. Which GCP security feature helps restrict API access based on the origin IP address?
A) IAM Conditions
B) Cloud SQL
C) Cloud Build
D) Cloud Interconnect
✅ Answer: A) IAM Conditions
Explanation: IAM Conditions allow setting fine-grained access controls, including restricting API access based on IP address.
85. What is the best way to manage SSH access to GCP instances securely?
A) Enforce OS Login with IAM
B) Use a shared SSH key across all users
C) Disable firewall rules
D) Store SSH credentials in a public repository
✅ Answer: A) Enforce OS Login with IAM
Explanation: OS Login ensures IAM-based control over SSH access, eliminating the need for static SSH keys.
86. How does Google Cloud ensure encryption of data at rest by default?
A) Using AES-256 encryption
B) By storing data in plaintext
C) By using manual encryption only
D) By requiring user intervention for encryption
✅ Answer: A) Using AES-256 encryption
Explanation: Google Cloud encrypts all data at rest by default using AES-256 encryption.
87. Which GCP security tool allows security teams to create custom security policies?
A) Policy Intelligence
B) Cloud Run
C) Cloud CDN
D) Cloud VPN
✅ Answer: A) Policy Intelligence
Explanation: Policy Intelligence helps security teams create, analyze, and optimize IAM and security policies.
88. What security best practice should be followed when granting permissions in IAM?
A) Assign the least privilege necessary
B) Assign the “Owner” role to all users
C) Disable all IAM policies
D) Use shared accounts for all administrators
✅ Answer: A) Assign the least privilege necessary
Explanation: The principle of least privilege ensures users only receive the necessary permissions, reducing security risks.
89. What GCP security service helps detect security misconfigurations in Kubernetes clusters?
A) Security Health Analytics
B) Cloud CDN
C) Cloud Spanner
D) Cloud Storage
✅ Answer: A) Security Health Analytics
Explanation: Security Health Analytics detects Kubernetes misconfigurations, vulnerabilities, and compliance issues.
90. Which feature in GCP allows restricting access to data based on user location?
A) VPC Service Controls
B) Cloud DNS
C) Cloud CDN
D) Cloud Interconnect
✅ Answer: A) VPC Service Controls
Explanation: VPC Service Controls enforce location-based access control to prevent unauthorized data exfiltration.
91. What mechanism should be used to grant temporary access to GCP resources?
A) IAM Role with Time-Bound Conditions
B) Assigning permanent admin privileges
C) Using hardcoded credentials
D) Storing passwords in plaintext
✅ Answer: A) IAM Role with Time-Bound Conditions
Explanation: Time-bound IAM Conditions grant temporary access based on time constraints, improving security.
92. How does Cloud Logging help with security auditing?
A) Tracks and stores access and modification logs
B) Encrypts all API requests
C) Blocks all incoming traffic
D) Disables IAM roles
✅ Answer: A) Tracks and stores access and modification logs
Explanation: Cloud Logging stores audit logs, providing visibility into access and security events.
93. Which Google Cloud feature helps enforce data loss prevention (DLP) policies?
A) Cloud DLP
B) Cloud NAT
C) Cloud Storage
D) Cloud CDN
✅ Answer: A) Cloud DLP
Explanation: Cloud DLP detects, masks, and protects sensitive data to prevent data loss.
94. What feature in GCP helps prevent unauthorized exfiltration of data from a project?
A) VPC Service Controls
B) Cloud DNS
C) Cloud Spanner
D) Cloud CDN
✅ Answer: A) VPC Service Controls
Explanation: VPC Service Controls prevent unauthorized data exfiltration by restricting data movement.
95. What is the purpose of Google Cloud’s “Deny Policies” in IAM?
A) Explicitly block access to certain resources
B) Assign permissions dynamically
C) Encrypt all GCP resources
D) Manage billing accounts
✅ Answer: A) Explicitly block access to certain resources
Explanation: Deny IAM Policies prevent access to resources, even if other IAM policies grant access.
96. Which GCP service allows enforcing per-user and per-device security policies?
A) BeyondCorp Enterprise
B) Cloud SQL
C) Cloud CDN
D) Cloud Storage
✅ Answer: A) BeyondCorp Enterprise
Explanation: BeyondCorp Enterprise implements zero-trust access, enforcing user and device security policies.
97. What is the best way to prevent brute-force attacks against GCP services?
A) Implement Cloud Armor rate limiting rules
B) Allow unlimited login attempts
C) Disable all IAM policies
D) Use shared credentials
✅ Answer: A) Implement Cloud Armor rate limiting rules
Explanation: Cloud Armor provides rate limiting and bot protection, helping prevent brute-force attacks.
98. What security practice ensures that API keys do not get exposed in public repositories?
A) Store API keys in Secret Manager
B) Hardcode API keys in source code
C) Store API keys in a shared Google Doc
D) Use static API keys for all projects
✅ Answer: A) Store API keys in Secret Manager
Explanation: Secret Manager provides secure storage and controlled access to API keys.
99. Which feature in Google Cloud helps in automatic remediation of security threats?
A) Security Command Center with automated response actions
B) Cloud Interconnect
C) Cloud SQL
D) Cloud CDN
✅ Answer: A) Security Command Center with automated response actions
Explanation: Security Command Center can trigger automated security responses based on detected threats.
100. What is the best practice for protecting service account credentials in GCP?
A) Use Workload Identity Federation instead of long-lived credentials
B) Store credentials in a public repository
C) Assign broad permissions to service accounts
D) Disable IAM auditing
✅ Answer: A) Use Workload Identity Federation instead of long-lived credentials
Explanation: Workload Identity Federation eliminates the need for storing static service account keys, improving security.
101. Which GCP service provides centralized monitoring and analysis of security logs?
A) Cloud Logging
B) Cloud KMS
C) Cloud Build
D) Cloud Spanner
✅ Answer: A) Cloud Logging
Explanation: Cloud Logging allows you to collect, monitor, and analyze logs across GCP services, providing visibility into security events.
102. What is the primary security benefit of using IAM Conditions in Google Cloud?
A) Fine-grained access control based on attributes like time, location, and device
B) Encrypting storage automatically
C) Preventing network-based attacks
D) Monitoring API usage
✅ Answer: A) Fine-grained access control based on attributes like time, location, and device
Explanation: IAM Conditions allow defining attribute-based access controls (ABAC), restricting access based on specific conditions.
103. What is the purpose of Google Cloud’s Event Threat Detection?
A) Detects security threats using real-time event analysis
B) Encrypts database contents
C) Stores security credentials
D) Creates IAM policies automatically
✅ Answer: A) Detects security threats using real-time event analysis
Explanation: Event Threat Detection analyzes Cloud Logging events to detect security threats like brute-force attacks, compromised credentials, and malware.
104. Which service can be used to detect misconfigurations and enforce security best practices?
A) Security Health Analytics
B) Cloud Storage
C) Cloud NAT
D) Cloud CDN
✅ Answer: A) Security Health Analytics
Explanation: Security Health Analytics continuously scans GCP configurations to detect misconfigurations and security risks.
105. What is the best practice for securing Google Cloud service account keys?
A) Rotate keys regularly and use short-lived credentials
B) Store them in plaintext files
C) Share them with all employees
D) Upload them to public GitHub repositories
✅ Answer: A) Rotate keys regularly and use short-lived credentials
Explanation: Rotating keys and using short-lived credentials (Workload Identity Federation) reduces the risk of compromise.
106. What feature in Google Cloud allows organizations to control resource creation across multiple projects?
A) Organization Policies
B) Cloud CDN
C) Cloud Interconnect
D) Cloud Storage
✅ Answer: A) Organization Policies
Explanation: Organization Policies enforce security and governance rules, restricting resource creation, API usage, and network configurations.
107. What type of encryption is used by Google Cloud for customer data in transit?
A) TLS/SSL
B) RSA-1024
C) MD5
D) DES
✅ Answer: A) TLS/SSL
Explanation: Google Cloud encrypts data in transit using TLS/SSL protocols, protecting against interception and man-in-the-middle attacks.
108. What is the recommended method to securely access Cloud SQL instances without exposing them publicly?
A) Use Cloud SQL Proxy
B) Enable public IP access
C) Disable all authentication
D) Store credentials in plaintext
✅ Answer: A) Use Cloud SQL Proxy
Explanation: Cloud SQL Proxy establishes a secure connection between applications and Cloud SQL without exposing databases to the public internet.
109. Which security feature should be used to prevent unauthorized access to Google Kubernetes Engine (GKE) clusters?
A) Private GKE clusters
B) Assigning all users admin access
C) Disabling audit logging
D) Using default passwords
✅ Answer: A) Private GKE clusters
Explanation: Private GKE clusters ensure that nodes and control planes are not exposed to the public internet, enhancing security.
110. How does Google Cloud’s Assured Workloads service enhance security?
A) Enforces compliance with regulatory frameworks (e.g., FedRAMP, CJIS, HIPAA)
B) Encrypts API requests
C) Blocks all network traffic
D) Assigns all users administrative roles
✅ Answer: A) Enforces compliance with regulatory frameworks (e.g., FedRAMP, CJIS, HIPAA)
Explanation: Assured Workloads helps organizations maintain compliance with regulatory and security requirements.
111. What GCP feature helps protect against account takeovers by detecting suspicious login activities?
A) Cloud Identity with Risk-Based Authentication
B) Cloud Spanner
C) Cloud CDN
D) Cloud Storage
✅ Answer: A) Cloud Identity with Risk-Based Authentication
Explanation: Cloud Identity uses risk-based authentication to detect suspicious login activities and enforce stronger security measures.
112. What is the purpose of Cloud Armor’s adaptive protection feature?
A) Detect and mitigate Layer 7 attacks dynamically
B) Encrypt database records
C) Store IAM credentials
D) Provide faster data transfer speeds
✅ Answer: A) Detect and mitigate Layer 7 attacks dynamically
Explanation: Adaptive Protection in Cloud Armor uses machine learning to detect and mitigate Layer 7 attacks (e.g., DDoS, bot traffic).
113. What is the best way to enforce strong password policies in Google Cloud?
A) Use Cloud Identity and enforce password complexity requirements
B) Allow weak passwords
C) Store passwords in plaintext
D) Disable multi-factor authentication
✅ Answer: A) Use Cloud Identity and enforce password complexity requirements
Explanation: Cloud Identity allows enforcing strong password policies, such as complexity rules, expiration policies, and multi-factor authentication (MFA).
114. What security feature helps prevent unauthorized network access in a Virtual Private Cloud (VPC)?
A) Firewall Rules
B) Cloud CDN
C) Cloud Run
D) Cloud Spanner
✅ Answer: A) Firewall Rules
Explanation: Firewall Rules allow controlling inbound and outbound traffic, preventing unauthorized network access.
115. How does Identity-Aware Proxy (IAP) improve security for web applications?
A) It enforces authentication and authorization before granting access
B) It encrypts all network traffic
C) It provides unlimited access to all users
D) It replaces IAM policies
✅ Answer: A) It enforces authentication and authorization before granting access
Explanation: Cloud IAP ensures that only authorized users can access web applications based on identity and context.
116. What should organizations use to centrally manage security configurations in Google Cloud?
A) Security Command Center
B) Cloud Run
C) Cloud Interconnect
D) Cloud Build
✅ Answer: A) Security Command Center
Explanation: Security Command Center provides centralized security monitoring, policy enforcement, and threat detection.
117. How does Google Cloud prevent unauthorized API requests?
A) IAM-based API access control
B) Disabling all IAM policies
C) Storing API keys in plaintext
D) Allowing anonymous API access
✅ Answer: A) IAM-based API access control
Explanation: IAM-based API access control ensures that only authenticated and authorized users can make API requests.
118. What feature in GCP helps prevent misconfigured IAM roles from granting excessive privileges?
A) IAM Recommender
B) Cloud SQL
C) Cloud CDN
D) Cloud NAT
✅ Answer: A) IAM Recommender
Explanation: IAM Recommender provides role recommendations, ensuring least privilege access control.
119. What security practice should be followed when creating firewall rules in GCP?
A) Use a default deny-all rule and allow only necessary traffic
B) Allow unrestricted access to all instances
C) Disable firewall rules entirely
D) Open all ports by default
✅ Answer: A) Use a default deny-all rule and allow only necessary traffic
Explanation: A default deny-all rule helps prevent unauthorized access, allowing only explicitly permitted traffic.
120. How does Workload Identity Federation improve security?
A) It eliminates the need for long-lived service account keys
B) It provides network security policies
C) It encrypts all logs automatically
D) It replaces IAM policies
✅ Answer: A) It eliminates the need for long-lived service account keys
Explanation: Workload Identity Federation allows workloads to authenticate to GCP without storing long-lived credentials.
121. What security principle ensures that users and services have only the minimum permissions necessary to perform their tasks?
A) Role-Based Access Control (RBAC)
B) Zero Trust Security
C) Principle of Least Privilege
D) Identity Federation
✅ Answer: C) Principle of Least Privilege
Explanation: The Principle of Least Privilege (PoLP) limits users’ and services’ access to only what is necessary, reducing potential attack vectors.
122. How does Google Cloud’s BeyondCorp security model differ from traditional VPN-based security?
A) It removes VPN dependency and enforces zero-trust security
B) It encrypts all GCP network traffic
C) It blocks all public access to cloud resources
D) It eliminates the need for IAM policies
✅ Answer: A) It removes VPN dependency and enforces zero-trust security
Explanation: BeyondCorp applies zero-trust principles, verifying identity and context before granting access without requiring a VPN.
123. What is the primary security risk of assigning the “Owner” role in IAM to a user?
A) The user gets unrestricted access to all GCP resources in the project
B) The user can only read logs
C) The user cannot create new instances
D) The user loses access to API services
✅ Answer: A) The user gets unrestricted access to all GCP resources in the project
Explanation: The Owner role grants full administrative control, which increases the risk of misconfigurations and privilege abuse.
124. Which Google Cloud service enables proactive detection of security misconfigurations and vulnerabilities?
A) Security Command Center
B) Cloud CDN
C) Cloud Run
D) Cloud Storage
✅ Answer: A) Security Command Center
Explanation: Security Command Center continuously scans GCP environments for misconfigurations, vulnerabilities, and potential threats.
125. What is the recommended way to secure API access in Google Cloud?
A) Use API Gateway with IAM authentication
B) Store API keys in public repositories
C) Allow unrestricted API access
D) Disable IAM authentication for APIs
✅ Answer: A) Use API Gateway with IAM authentication
Explanation: API Gateway enforces IAM-based authentication, ensuring only authorized users and services can access APIs.
126. How can organizations prevent accidental data exposure in Cloud Storage buckets?
A) Enable IAM-based access control and remove public access
B) Allow anonymous access to storage objects
C) Store all data in unencrypted form
D) Use default settings without verification
✅ Answer: A) Enable IAM-based access control and remove public access
Explanation: IAM-based access controls and removing public access ensure only authorized users can access sensitive data.
127. Which security tool in GCP helps organizations assess and manage policy violations?
A) Policy Intelligence
B) Cloud SQL
C) Cloud DNS
D) Cloud Load Balancing
✅ Answer: A) Policy Intelligence
Explanation: Policy Intelligence assists administrators in assessing, optimizing, and enforcing IAM policies to reduce security risks.
128. What is the primary function of Forseti Security in GCP?
A) Detects and remediates IAM policy misconfigurations
B) Encrypts all network traffic
C) Monitors application performance
D) Manages service account keys
✅ Answer: A) Detects and remediates IAM policy misconfigurations
Explanation: Forseti Security is an open-source tool that helps detect IAM misconfigurations and enforce security best practices.
129. How can organizations enforce multi-factor authentication (MFA) for their GCP accounts?
A) By configuring Cloud Identity policies
B) By allowing weak passwords
C) By disabling IAM policies
D) By using plaintext credentials
✅ Answer: A) By configuring Cloud Identity policies
Explanation: Cloud Identity allows enforcing MFA policies, adding an extra security layer for user authentication.
130. What is the benefit of using Cloud IAM Recommender?
A) Identifies and suggests role optimizations based on least privilege
B) Automatically assigns all users administrative privileges
C) Disables API access for all services
D) Removes IAM roles from the organization
✅ Answer: A) Identifies and suggests role optimizations based on least privilege
Explanation: IAM Recommender analyzes role assignments and provides recommendations for minimizing excessive permissions.
131. What GCP feature can help detect compromised user credentials in real time?
A) Event Threat Detection
B) Cloud Storage
C) Cloud Interconnect
D) Cloud CDN
✅ Answer: A) Event Threat Detection
Explanation: Event Threat Detection analyzes logs to detect compromised credentials, suspicious logins, and security breaches.
132. What is the best way to securely manage database credentials in Google Cloud?
A) Store them in Secret Manager
B) Hardcode them in application code
C) Share them via email
D) Store them in plaintext files
✅ Answer: A) Store them in Secret Manager
Explanation: Secret Manager allows secure storage and controlled access to sensitive credentials like database passwords.
133. What Google Cloud feature helps organizations track IAM policy changes over time?
A) Cloud Audit Logs
B) Cloud NAT
C) Cloud Storage
D) Cloud DNS
✅ Answer: A) Cloud Audit Logs
Explanation: Cloud Audit Logs provide detailed records of IAM role modifications, helping track security changes.
134. Which GCP security service is used to manage cryptographic keys?
A) Cloud Key Management Service (Cloud KMS)
B) Cloud Storage
C) Cloud NAT
D) Cloud SQL
✅ Answer: A) Cloud Key Management Service (Cloud KMS)
Explanation: Cloud KMS allows organizations to create, store, and manage encryption keys securely.
135. What is a primary advantage of using Workload Identity Federation?
A) It eliminates the need for long-lived service account keys
B) It provides firewall protection
C) It disables IAM authentication
D) It allows unrestricted API access
✅ Answer: A) It eliminates the need for long-lived service account keys
Explanation: Workload Identity Federation allows workloads to authenticate using external identities without static service account keys.
136. How can Google Cloud customers detect potential insider threats?
A) By analyzing Cloud Audit Logs and access patterns
B) By granting “Owner” role to all employees
C) By disabling security monitoring
D) By allowing shared credentials
✅ Answer: A) By analyzing Cloud Audit Logs and access patterns
Explanation: Cloud Audit Logs track user actions, helping detect unusual access patterns and insider threats.
137. What is the best way to restrict SSH access to GCP Compute Engine instances?
A) Use OS Login with IAM
B) Allow unrestricted SSH access
C) Use weak passwords
D) Store SSH keys in public repositories
✅ Answer: A) Use OS Login with IAM
Explanation: OS Login with IAM ensures that only authorized users can access Compute Engine instances using their Google credentials.
138. How can organizations prevent accidental deletion of critical GCP resources?
A) Enable resource deletion protection
B) Assign Owner role to all users
C) Store backup configurations in plaintext
D) Disable IAM policies
✅ Answer: A) Enable resource deletion protection
Explanation: Resource deletion protection prevents accidental or malicious deletion of critical resources.
139. What GCP service helps manage network security policies at scale?
A) Firewall Rules with Hierarchical Policies
B) Cloud SQL
C) Cloud Spanner
D) Cloud CDN
✅ Answer: A) Firewall Rules with Hierarchical Policies
Explanation: Hierarchical Firewall Policies enable consistent enforcement of network security rules across multiple projects.
140. What security feature ensures that only signed container images are deployed?
A) Binary Authorization
B) Cloud NAT
C) Cloud SQL
D) Cloud Interconnect
✅ Answer: A) Binary Authorization
Explanation: Binary Authorization enforces signature-based validation, ensuring only trusted container images are deployed.
141. Which Google Cloud service helps prevent accidental misconfigurations by scanning infrastructure as code?
A) Cloud Infrastructure Manager
B) Security Health Analytics
C) Cloud Armor
D) Binary Authorization
✅ Answer: B) Security Health Analytics
Explanation: Security Health Analytics continuously scans GCP configurations and detects security misconfigurations and policy violations.
142. What is the most effective way to restrict external access to Compute Engine instances?
A) Using VPC firewall rules to block external traffic
B) Assigning public IP addresses to all instances
C) Removing all IAM policies
D) Disabling Compute Engine
✅ Answer: A) Using VPC firewall rules to block external traffic
Explanation: VPC firewall rules can be configured to block unauthorized external access, ensuring security for Compute Engine instances.
143. What is the best practice for securing Google Kubernetes Engine (GKE) workloads?
A) Enable Workload Identity
B) Disable network policies
C) Grant all users admin access
D) Allow unrestricted API access
✅ Answer: A) Enable Workload Identity
Explanation: Workload Identity ensures that GKE workloads authenticate to Google Cloud APIs without using long-lived service account keys.
144. What feature in Google Cloud allows restricting VM image usage to approved images?
A) Organization Policy Constraints
B) Cloud CDN
C) Cloud DNS
D) Cloud Run
✅ Answer: A) Organization Policy Constraints
Explanation: Organization Policy Constraints can restrict VM image usage to ensure only approved images are used for security compliance.
145. What security measure should be implemented to protect Google Cloud VMs from rootkit attacks?
A) Use Shielded VMs
B) Disable logging
C) Enable unrestricted network access
D) Store credentials in plaintext
✅ Answer: A) Use Shielded VMs
Explanation: Shielded VMs provide protections against rootkits and boot-level malware, ensuring a secure startup process.
146. What is the recommended approach to secure inter-service communication in Google Cloud?
A) Use mutual TLS authentication
B) Disable IAM authentication
C) Use shared service account credentials
D) Store API keys in environment variables
✅ Answer: A) Use mutual TLS authentication
Explanation: Mutual TLS (mTLS) ensures that both client and server authenticate each other, preventing unauthorized access.
147. Which Google Cloud tool provides security insights for containerized workloads?
A) Container Threat Detection
B) Cloud Spanner
C) Cloud CDN
D) Cloud Interconnect
✅ Answer: A) Container Threat Detection
Explanation: Container Threat Detection analyzes containerized workloads for security threats and vulnerabilities.
148. How can an organization monitor API usage and detect anomalies in Google Cloud?
A) Enable API Monitoring in Cloud Logging
B) Disable IAM policies
C) Remove all API rate limits
D) Allow unrestricted API requests
✅ Answer: A) Enable API Monitoring in Cloud Logging
Explanation: Cloud Logging provides API monitoring, allowing organizations to detect anomalies and monitor API usage.
149. What is the benefit of enabling Cloud Audit Logs for all services?
A) Provides a detailed history of access and changes for security auditing
B) Automatically blocks all external network traffic
C) Encrypts all database contents
D) Grants full access to all users
✅ Answer: A) Provides a detailed history of access and changes for security auditing
Explanation: Cloud Audit Logs track access and modifications, ensuring security auditing and compliance monitoring.
150. What is the primary function of Cloud Identity-Aware Proxy (IAP)?
A) Controls access to cloud applications based on user identity
B) Encrypts all GCP network traffic
C) Disables IAM authentication
D) Allows anonymous access to web applications
✅ Answer: A) Controls access to cloud applications based on user identity
Explanation: Cloud IAP enforces identity-based access controls, ensuring only authorized users can access applications.
151. What security feature should be enabled to protect Google Cloud Storage objects from unauthorized modifications?
A) Bucket Lock
B) Cloud NAT
C) Cloud Interconnect
D) Cloud DNS
✅ Answer: A) Bucket Lock
Explanation: Bucket Lock enforces retention policies, preventing unauthorized modifications or deletions of storage objects.
152. How can an organization ensure service account keys are not exposed in source code repositories?
A) Use Workload Identity Federation
B) Store keys in GitHub repositories
C) Hardcode service account keys in code
D) Disable API authentication
✅ Answer: A) Use Workload Identity Federation
Explanation: Workload Identity Federation eliminates the need for long-lived service account keys, reducing security risks.
153. What Google Cloud service should be used to detect and prevent sensitive data leaks?
A) Cloud Data Loss Prevention (DLP)
B) Cloud Run
C) Cloud CDN
D) Cloud SQL
✅ Answer: A) Cloud Data Loss Prevention (DLP)
Explanation: Cloud DLP helps identify, mask, and prevent sensitive data exposure across GCP environments.
154. How do VPC Service Controls enhance security for Google Cloud services?
A) Restricts data movement between GCP services and external networks
B) Allows unrestricted API access
C) Grants all users administrative privileges
D) Removes IAM policies
✅ Answer: A) Restricts data movement between GCP services and external networks
Explanation: VPC Service Controls prevent data exfiltration by creating security perimeters around GCP services.
155. What is the best way to protect Google Cloud SQL databases from unauthorized access?
A) Use Private IP and IAM authentication
B) Enable public access to the database
C) Store database credentials in plaintext
D) Disable audit logging
✅ Answer: A) Use Private IP and IAM authentication
Explanation: Private IP ensures databases are not publicly accessible, while IAM authentication enforces access controls.
156. Which security practice helps prevent unauthorized access to Google Cloud APIs?
A) Implement IAM-based API restrictions
B) Allow unrestricted API access
C) Store API keys in environment variables
D) Use default IAM roles for all users
✅ Answer: A) Implement IAM-based API restrictions
Explanation: IAM-based API restrictions ensure only authorized users and services can interact with Google Cloud APIs.
157. What is the best way to enforce compliance policies across multiple GCP projects?
A) Use Organization Policies
B) Assign “Owner” roles to all users
C) Disable IAM policies
D) Allow unrestricted resource creation
✅ Answer: A) Use Organization Policies
Explanation: Organization Policies allow organizations to enforce security and compliance rules across multiple GCP projects.
158. What feature in Google Cloud ensures that only signed container images are deployed in Kubernetes clusters?
A) Binary Authorization
B) Cloud NAT
C) Cloud CDN
D) Cloud Storage
✅ Answer: A) Binary Authorization
Explanation: Binary Authorization ensures that only trusted, signed container images are deployed in Kubernetes clusters.
159. How does Google Cloud’s Security Command Center help organizations?
A) Identifies security threats and vulnerabilities across cloud resources
B) Encrypts all network traffic
C) Automatically assigns administrative access
D) Blocks all external API calls
✅ Answer: A) Identifies security threats and vulnerabilities across cloud resources
Explanation: Security Command Center provides real-time visibility into security risks, threats, and misconfigurations.
160. What is the purpose of Identity Federation in Google Cloud?
A) Allows users to authenticate using external identity providers
B) Disables IAM authentication
C) Stores passwords in plaintext
D) Grants unrestricted access to all users
✅ Answer: A) Allows users to authenticate using external identity providers
Explanation: Identity Federation allows GCP resources to be accessed using external identity providers like Azure AD or Okta.
161. Which Google Cloud feature helps enforce security policies by preventing accidental exposure of private resources?
A) VPC Service Controls
B) Cloud CDN
C) Cloud Spanner
D) Cloud Interconnect
✅ Answer: A) VPC Service Controls
Explanation: VPC Service Controls enforce security perimeters to prevent unauthorized access and data exfiltration.
162. What is the primary function of Cloud Identity in Google Cloud?
A) Manage user identities, authentication, and access policies
B) Store encrypted API keys
C) Encrypt all network traffic
D) Disable IAM authentication
✅ Answer: A) Manage user identities, authentication, and access policies
Explanation: Cloud Identity helps secure user access by enforcing authentication and identity-based policies.
163. What GCP service helps identify security misconfigurations and compliance risks in virtual machines?
A) Security Health Analytics
B) Cloud NAT
C) Cloud CDN
D) Cloud SQL
✅ Answer: A) Security Health Analytics
Explanation: Security Health Analytics detects misconfigurations, vulnerabilities, and compliance risks in VMs and other cloud resources.
164. Which feature allows Google Cloud administrators to enforce security rules globally across projects?
A) Organization Policies
B) Cloud IAM Viewer
C) Cloud Run
D) Cloud Functions
✅ Answer: A) Organization Policies
Explanation: Organization Policies provide centralized governance to enforce security and compliance rules across multiple projects.
165. How can organizations enforce a security policy to restrict public access to Cloud Storage buckets?
A) Using IAM conditions and Organization Policies
B) Assigning the “Owner” role to all users
C) Storing bucket access keys in plaintext
D) Removing all security policies
✅ Answer: A) Using IAM conditions and Organization Policies
Explanation: IAM Conditions and Organization Policies help enforce rules that restrict public access to Cloud Storage buckets.
166. What is the best practice for handling service account permissions in Google Cloud?
A) Assign only the required roles using the principle of least privilege
B) Assign the “Owner” role to all service accounts
C) Use shared credentials for all accounts
D) Store service account keys in public repositories
✅ Answer: A) Assign only the required roles using the principle of least privilege
Explanation: Applying the principle of least privilege ensures service accounts have only the minimum permissions required to operate.
167. What is the primary function of Google Cloud’s Cloud Armor security service?
A) Protects applications from DDoS attacks and web threats
B) Encrypts all database contents
C) Disables IAM policies
D) Blocks all API requests
✅ Answer: A) Protects applications from DDoS attacks and web threats
Explanation: Cloud Armor provides DDoS protection and Web Application Firewall (WAF) capabilities.
168. What security mechanism prevents unauthorized Google Cloud API calls?
A) IAM API permissions
B) Public API access
C) Default service account with full permissions
D) Storing API keys in plaintext
✅ Answer: A) IAM API permissions
Explanation: IAM API permissions ensure only authorized users and services can make API calls.
169. Which security tool helps organizations monitor and protect against anomalous behavior in their GCP environment?
A) Event Threat Detection
B) Cloud Spanner
C) Cloud CDN
D) Cloud SQL
✅ Answer: A) Event Threat Detection
Explanation: Event Threat Detection helps monitor security logs and identify anomalous activities in real time.
170. What Google Cloud feature prevents accidental deletion of critical resources?
A) Resource Manager’s Deletion Protection
B) Cloud Interconnect
C) Cloud Storage lifecycle rules
D) IAM role inheritance
✅ Answer: A) Resource Manager’s Deletion Protection
Explanation: Deletion Protection ensures critical resources are not accidentally deleted.
171. What is the best way to enforce encryption for all data stored in Google Cloud Storage?
A) Use Customer-Managed Encryption Keys (CMEK)
B) Store unencrypted data
C) Disable encryption for faster access
D) Allow public access to encrypted files
✅ Answer: A) Use Customer-Managed Encryption Keys (CMEK)
Explanation: CMEK allows organizations to manage and control their own encryption keys for Cloud Storage.
172. What Google Cloud feature helps prevent unauthorized access to Cloud Functions?
A) IAM-based access control
B) Disabling logging
C) Assigning the Owner role to all users
D) Removing all IAM policies
✅ Answer: A) IAM-based access control
Explanation: IAM-based access control ensures only authorized users and services can execute Cloud Functions.
173. What is the best way to protect sensitive environment variables in Google Cloud applications?
A) Use Secret Manager
B) Store them in plaintext in the application code
C) Share them via email
D) Allow all users to view environment variables
✅ Answer: A) Use Secret Manager
Explanation: Secret Manager securely stores and manages sensitive environment variables.
174. Which service provides real-time monitoring of VPC network traffic in Google Cloud?
A) Packet Mirroring
B) Cloud CDN
C) Cloud Spanner
D) Cloud Run
✅ Answer: A) Packet Mirroring
Explanation: Packet Mirroring enables real-time network monitoring to detect security threats.
175. What is the primary function of IAM Recommender?
A) Suggests role optimizations based on usage patterns
B) Encrypts network traffic
C) Stores user passwords in plaintext
D) Disables IAM policies
✅ Answer: A) Suggests role optimizations based on usage patterns
Explanation: IAM Recommender analyzes IAM role usage and suggests security improvements.
176. Which service helps ensure compliance with industry security regulations in GCP?
A) Assured Workloads
B) Cloud Build
C) Cloud Functions
D) Cloud CDN
✅ Answer: A) Assured Workloads
Explanation: Assured Workloads helps organizations meet compliance requirements such as FedRAMP, CJIS, and HIPAA.
177. What is the benefit of enabling Identity-Aware Proxy (IAP) for web applications?
A) Enforces authentication and access control before allowing traffic
B) Disables all network traffic
C) Encrypts all storage objects
D) Allows public access without authentication
✅ Answer: A) Enforces authentication and access control before allowing traffic
Explanation: IAP enforces identity-based authentication before allowing access to web applications.
178. How can organizations prevent exfiltration of sensitive data from Cloud Storage?
A) Enable VPC Service Controls
B) Disable IAM policies
C) Store data in unencrypted format
D) Allow public access to Cloud Storage
✅ Answer: A) Enable VPC Service Controls
Explanation: VPC Service Controls restrict unauthorized data exfiltration from Cloud Storage.
179. What is the best way to protect Google Kubernetes Engine (GKE) clusters from unauthorized access?
A) Use Private Clusters and IAM roles
B) Enable public access to the control plane
C) Assign full administrative access to all users
D) Store credentials in plaintext
✅ Answer: A) Use Private Clusters and IAM roles
Explanation: Private GKE clusters and IAM-based access control prevent unauthorized access.
180. What GCP service helps detect potential security threats based on log analysis?
A) Security Command Center
B) Cloud CDN
C) Cloud SQL
D) Cloud Spanner
✅ Answer: A) Security Command Center
Explanation: Security Command Center analyzes logs and security events to detect potential security threats.
181. Which Google Cloud feature helps detect security misconfigurations in Kubernetes clusters?
A) GKE Security Posture
B) Cloud CDN
C) Cloud Interconnect
D) Cloud Storage
✅ Answer: A) GKE Security Posture
Explanation: GKE Security Posture provides insights into Kubernetes security misconfigurations and best practices.
182. How does Google Cloud’s Access Approval feature enhance security?
A) Requires explicit customer approval before Google Support accesses data
B) Blocks all external API calls
C) Encrypts all database contents
D) Provides free DDoS protection
✅ Answer: A) Requires explicit customer approval before Google Support accesses data
Explanation: Access Approval ensures that Google support staff must get customer consent before accessing sensitive data.
183. What is the recommended way to secure Cloud Run services?
A) Restrict access using IAM policies and Identity-Aware Proxy (IAP)
B) Assign public permissions to all services
C) Use hardcoded API keys in applications
D) Disable authentication
✅ Answer: A) Restrict access using IAM policies and Identity-Aware Proxy (IAP)
Explanation: IAM policies and IAP provide fine-grained access control to Cloud Run services, preventing unauthorized access.
184. Which GCP feature helps organizations identify overly permissive IAM policies?
A) IAM Recommender
B) Cloud Interconnect
C) Cloud CDN
D) Cloud Spanner
✅ Answer: A) IAM Recommender
Explanation: IAM Recommender helps identify and reduce unnecessary IAM permissions, following the least privilege principle.
185. How does Cloud Identity improve security for GCP users?
A) Enforces multi-factor authentication (MFA) and device security policies
B) Assigns admin rights to all users
C) Stores API keys in plaintext
D) Disables IAM policies
✅ Answer: A) Enforces multi-factor authentication (MFA) and device security policies
Explanation: Cloud Identity helps enforce MFA and device security policies, reducing unauthorized access risks.
186. Which Google Cloud service allows for logging and monitoring API access patterns?
A) Cloud Audit Logs
B) Cloud DNS
C) Cloud Spanner
D) Cloud Run
✅ Answer: A) Cloud Audit Logs
Explanation: Cloud Audit Logs track API requests, user activity, and resource modifications, helping with security monitoring.
187. What is the function of Security Command Center’s Risk Insights feature?
A) Provides risk analysis for IAM policies and resource configurations
B) Encrypts all network traffic
C) Automatically assigns IAM roles
D) Blocks external API requests
✅ Answer: A) Provides risk analysis for IAM policies and resource configurations
Explanation: Risk Insights in Security Command Center detects IAM misconfigurations and security vulnerabilities.
188. How can organizations ensure only approved container images are deployed in GKE?
A) Enable Binary Authorization
B) Allow all users to push images
C) Store images in public repositories
D) Disable authentication
✅ Answer: A) Enable Binary Authorization
Explanation: Binary Authorization ensures only signed and approved container images are deployed in Google Kubernetes Engine (GKE).
189. What security feature should be enabled to enforce encryption for Cloud SQL instances?
A) Customer-Managed Encryption Keys (CMEK)
B) Cloud DNS
C) Cloud Build
D) Cloud CDN
✅ Answer: A) Customer-Managed Encryption Keys (CMEK)
Explanation: CMEK allows organizations to control encryption keys, ensuring data stored in Cloud SQL is encrypted.
190. What is the recommended approach to secure API access in Google Cloud?
A) Use OAuth 2.0 authentication and IAM policies
B) Allow anonymous API access
C) Store API keys in plaintext
D) Disable API authentication
✅ Answer: A) Use OAuth 2.0 authentication and IAM policies
Explanation: OAuth 2.0 and IAM policies help ensure secure API access by requiring authentication and authorization.
191. How does Google Cloud ensure network security in a Virtual Private Cloud (VPC)?
A) By enforcing VPC Firewall Rules and Hierarchical Policies
B) By allowing unrestricted inbound traffic
C) By disabling IAM roles
D) By storing passwords in plaintext
✅ Answer: A) By enforcing VPC Firewall Rules and Hierarchical Policies
Explanation: VPC Firewall Rules and Hierarchical Policies provide network segmentation and access control.
192. What GCP feature helps organizations detect brute-force attacks?
A) Event Threat Detection
B) Cloud Build
C) Cloud CDN
D) Cloud DNS
✅ Answer: A) Event Threat Detection
Explanation: Event Threat Detection identifies brute-force login attempts and suspicious authentication behavior.
193. Which Google Cloud service provides scalable identity management for users and groups?
A) Cloud Identity
B) Cloud Interconnect
C) Cloud Spanner
D) Cloud NAT
✅ Answer: A) Cloud Identity
Explanation: Cloud Identity provides scalable identity and access management, including user authentication and group policies.
194. What is the best way to prevent unauthorized modifications to Cloud Storage buckets?
A) Enable Bucket Lock and IAM restrictions
B) Assign the Owner role to all users
C) Allow public write access
D) Store data without encryption
✅ Answer: A) Enable Bucket Lock and IAM restrictions
Explanation: Bucket Lock prevents modifications or deletions, ensuring data integrity.
195. How can organizations protect GCP workloads from malware infections?
A) Enable Shielded VMs and Binary Authorization
B) Assign administrative privileges to all users
C) Disable audit logs
D) Allow unrestricted SSH access
✅ Answer: A) Enable Shielded VMs and Binary Authorization
Explanation: Shielded VMs protect against malware and bootkits, while Binary Authorization prevents unauthorized software execution.
196. What GCP security feature provides real-time threat intelligence?
A) Security Command Center’s Threat Intelligence
B) Cloud CDN
C) Cloud Storage
D) Cloud Run
✅ Answer: A) Security Command Center’s Threat Intelligence
Explanation: Threat Intelligence in Security Command Center provides real-time insights into security threats.
197. What is the best way to secure SSH access to Compute Engine instances?
A) Use OS Login with IAM roles
B) Allow unrestricted SSH access
C) Disable logging
D) Store credentials in plaintext
✅ Answer: A) Use OS Login with IAM roles
Explanation: OS Login integrates with IAM to ensure only authorized users can access Compute Engine instances via SSH.
198. How can organizations enforce security policies at scale in Google Cloud?
A) Using Organization Policies and IAM Conditions
B) Assigning the Owner role to all users
C) Storing access credentials in shared locations
D) Disabling security logging
✅ Answer: A) Using Organization Policies and IAM Conditions
Explanation: Organization Policies and IAM Conditions allow organizations to enforce consistent security rules across multiple projects.
199. What GCP service enables compliance enforcement for regulated industries?
A) Assured Workloads
B) Cloud CDN
C) Cloud NAT
D) Cloud Spanner
✅ Answer: A) Assured Workloads
Explanation: Assured Workloads helps organizations comply with FedRAMP, CJIS, HIPAA, and other regulatory standards.
200. How can organizations ensure data residency compliance in Google Cloud?
A) Use Organization Policies to enforce region-based data storage
B) Store data in multiple locations
C) Allow unrestricted data movement
D) Disable compliance monitoring
✅ Answer: A) Use Organization Policies to enforce region-based data storage
Explanation: Organization Policies can be used to enforce data residency requirements, ensuring compliance with local regulations.