Designing for security and compliance Questions
Practice questions for the "Designing for security and compliance" topic in Google Cloud Professional Cloud Architect. 36 questions cover this domain.
A regulated workload needs secrets replicated only to a custom set of regions selected by the organization. Which Secret Manager replication policy be...
Which IAM role type should generally not be used in production because it is highly permissive and provides broad access to Google Cloud services?
An application needs a managed service to store database passwords and API keys with versioning, rollback support, and fine-grained IAM controls. Whic...
A company wants sensitive Google-managed services reachable only from trusted networks, including its hybrid landing zone, while reducing data exfiltr...
A company wants a central authorization layer for internal HTTPS applications instead of depending only on network firewalls. Which Google Cloud servi...
If you grant an IAM role on a folder, what happens to projects and resources inside that folder?
A security team wants an extra layer of defense that helps prevent data exfiltration from Cloud Storage and BigQuery even if IAM permissions are misco...
Before enforcing a new service perimeter, a security team wants to observe how requests would be affected without blocking traffic. Which VPC Service ...
A Cloud Run service is placed behind a load balancer, and the team enables IAP on the load balancer. Which statement is correct according to Google do...
An architect must prevent specific principals from being granted higher-privilege IAM roles even if a project owner attempts the change. Which control...
Which Google Cloud service manages cryptographic keys for encrypting data with customer control over rotation and access?
An architect must reduce blast radius by ensuring that GKE workloads authenticate as Google Cloud service accounts without long-lived keys. Which feat...
A security architect must enforce that no service account JSON keys can be created in the organization. Which Google Cloud control implements this mos...
A regulated workload requires that a CMEK key used to encrypt Cloud Storage data be located in the same region as the data and that key access events ...
A workload must access workloads in another cloud without storing service account keys. Which Google Cloud capability fits?
An architect must ensure that admin activity audit logs cannot be disabled and are retained tamper-evidently. Which Cloud Logging property fulfils thi...
An architect must apply zero-trust principles to internal HTTPS apps so users authenticate based on identity and device context instead of relying on ...
Which Google Cloud service is purpose-built to centralize security findings and posture across resources?
A security team wants to ensure that service accounts used by Compute Engine VMs follow least privilege and do not use the default service account wit...
An architect must design a solution where multiple teams share a VPC but cannot access each other's sensitive Google-managed service data. The service...