Test yourself
GCP security
Final exam · 60 questions · answers explained as you pick
IAM & resource hierarchy
12 questions
01The GCP resource hierarchy, top to bottom, is…
Incorrect — That is upside down; the organization is the root.
Correct — IAM allow policies and org policies are inherited down this tree.
Incorrect — Billing is attached to projects, not the hierarchy root.
Incorrect — Projects nest under folders and an organization.
02An IAM allow policy set at the folder level…
Correct — Allow policies are additive and flow down the hierarchy.
Incorrect — Inheritance is the whole point of the hierarchy.
Incorrect — Grants are additive; there is no override, only union.
Incorrect — It propagates automatically.
03An IAM deny policy differs from an allow policy because it…
Incorrect — Deny policies remove access; they never grant.
Correct — Deny rules are the guardrail that beats an over-broad grant.
Incorrect — It applies to any principal.
Incorrect — Org policies constrain configuration; deny policies constrain IAM permissions.
04Basic roles (Owner/Editor/Viewer) are discouraged because they…
Correct — Prefer predefined or custom roles scoped to the actual need.
Incorrect — They can be granted; they are just too coarse.
Incorrect — They apply to any principal.
Incorrect — Roles have no direct cost.
05IAM Conditions let you…
Incorrect — Conditions are logic, not encryption.
Correct — e.g. access to buckets with a name prefix, or only during business hours.
Incorrect — They refine grants; they do not bypass constraints.
Incorrect — Unrelated to SA creation.
06Organization policy constraints (e.g. disable SA key creation) are…
Correct — They cap what can be configured, separate from IAM permissions.
Incorrect — IAM governs who-can-do-what; org policy governs allowed configuration.
Incorrect — They are enforced.
Incorrect — They inherit from org/folder down.
07A high-value org policy for reducing credential risk is…
Incorrect — That increases risk.
Correct — Blocking downloadable SA keys eliminates a major long-lived-credential leak path.
Incorrect — That removes visibility.
Incorrect — That is a severe misconfiguration.
08domain-restricted sharing (constraints/iam.allowedPolicyMemberDomains) prevents…
Correct — It stops accidental sharing with external Google accounts.
Incorrect — Unrelated to networking.
Incorrect — Unrelated to encryption.
Incorrect — Not what this constraint governs.
09Predefined roles are preferred over custom roles when…
Incorrect — That is exactly when you build a custom role.
Correct — Custom roles need manual upkeep as new permissions appear.
Incorrect — Both are IAM.
Incorrect — Roles are not encryption.
10Granting roles to a Google Group instead of individuals…
Correct — Membership changes in the IdP flow through without editing IAM.
Incorrect — Evaluation cost is the same.
Incorrect — Conditions still apply.
Incorrect — You still scope the role tightly.
11The recommended way to give a human admin access is…
Incorrect — Shared logins destroy attribution.
Correct — Central identity, least privilege, and short-lived elevation.
Incorrect — SA keys are static credentials, not for humans.
Incorrect — Org-wide Owner is maximal blast radius.
12Policy Analyzer / Policy Troubleshooter helps you…
Correct — It surfaces effective access and the binding that grants it.
Incorrect — It analyzes, not encrypts.
Incorrect — Unrelated to rotation.
Incorrect — Not a networking tool.
12 questions · explanations appear as you answer
Network & VPC Service Controls
12 questions
01GCP VPC firewall rules are…
Correct — Return traffic is automatic; you target workloads by identity, not just IP.
Incorrect — GCP firewall rules are stateful and instance-targeted.
Incorrect — They govern packets, not API permissions.
Incorrect — Not a resolver.
02Targeting firewall rules by service account instead of network tag is stronger because…
Incorrect — Neither is encrypted; that is not the difference.
Correct — SA-based targeting is harder to spoof for lateral movement.
Incorrect — Tags work; SAs are just harder to abuse.
Incorrect — Unrelated to logging.
03Hierarchical firewall policies let you…
Correct — Central guardrails like “deny RDP from the internet” apply everywhere.
Incorrect — They filter, not encrypt.
Incorrect — Network control, not authorization.
Incorrect — Not an addressing feature.
04Private Google Access allows VMs without external IPs to…
Incorrect — The opposite — it keeps them private.
Correct — Workloads stay private while still using Cloud Storage, BigQuery, etc.
Incorrect — Firewall rules still apply.
Incorrect — IAM still authorizes API calls.
05Private Service Connect is used to…
Correct — The data plane stays private, off the public internet.
Incorrect — The opposite of its purpose.
Incorrect — Connectivity, not storage encryption.
Incorrect — Unrelated.
06Cloud NAT is used to…
Incorrect — NAT is for outbound; inbound uses load balancers.
Correct — Egress without exposing instances to inbound reach.
Incorrect — Not an encryption service.
Incorrect — That is Cloud DNS policies.
07VPC Service Controls create a…
Correct — A stolen token cannot copy data out of the perimeter to an outside project.
Incorrect — That is VPC firewall; VPC-SC guards managed-API data planes.
Incorrect — It is an API perimeter, not a grant.
Incorrect — Unrelated to keys.
08The threat VPC Service Controls specifically mitigates is…
Incorrect — That is Cloud Armor’s domain.
Correct — IAM alone would allow the copy; the perimeter blocks the cross-boundary move.
Incorrect — Not what perimeters address.
Incorrect — A runtime concern, not VPC-SC.
09A dry-run mode for a VPC Service Controls perimeter lets you…
Correct — Measure violations first, fix legitimate flows, then enforce.
Incorrect — It is not encryption.
Incorrect — IAM still applies.
Incorrect — Unrelated to logging.
10Cloud Armor primarily provides…
Incorrect — Not an encryption service.
Correct — It filters web attacks before they reach the backend.
Incorrect — Unrelated to identity.
Incorrect — That is Cloud KMS.
11Default-deny egress in GCP matters because…
Correct — Open outbound lets a compromised workload phone home freely.
Incorrect — Performance is not the point.
Incorrect — Ingress is filtered too; egress is the neglected half.
Incorrect — Complementary, not a replacement.
12Shared VPC lets an organization…
Incorrect — That describes standalone VPCs, not Shared VPC.
Correct — Network security is owned centrally while teams deploy into it.
Incorrect — Not its function.
Incorrect — Firewall rules still apply.
12 questions · explanations appear as you answer
Encryption, keys & secrets
12 questions
01By default, data at rest in GCP is…
Correct — CMEK lets you take control of the keys for compliance and revocation.
Incorrect — Default encryption is always on.
Incorrect — It applies broadly across services.
Incorrect — Encoding is not encryption.
02CMEK (customer-managed encryption keys) gives you…
Incorrect — Performance is not the point.
Correct — Disabling the key renders the data unreadable, a real kill switch.
Incorrect — Key access is governed by IAM.
Incorrect — The opposite of control.
03Cloud KMS envelope encryption means…
Correct — Only KMS can unwrap the DEK; bulk data never transits KMS.
Incorrect — It is a two-tier hierarchy, not double-encryption.
Incorrect — The payload is protected.
Incorrect — Hashing is one-way, not encryption.
04IAM on a KMS key (e.g. roles/cloudkms.cryptoKeyEncrypterDecrypter) controls…
Correct — A bucket reader without key access sees only ciphertext.
Incorrect — Networking, not KMS.
Incorrect — Unrelated to KMS.
Incorrect — Unrelated.
05Automatic key rotation in Cloud KMS…
Incorrect — New data uses the new primary; old ciphertext still decrypts with prior versions.
Correct — Rotation is cheap and non-disruptive with envelope encryption.
Incorrect — Old data remains readable.
Incorrect — Keys are never public.
06Cloud EKM (External Key Manager) is chosen when…
Correct — Revoking access in your external store makes the data unreadable to Google.
Incorrect — EKM adds cost and an availability dependency.
Incorrect — Not a performance feature.
Incorrect — That is the opposite of EKM.
07Cloud HSM provides…
Incorrect — HSM is hardware-backed, not a cost optimization.
Correct — For regulated workloads needing attestable, non-exportable keys.
Incorrect — It manages keys, not logs.
Incorrect — Unrelated.
08Secret Manager over a CMEK-encrypted config file adds…
Correct — Secrets become a governed resource, not a copied file.
Incorrect — The manager adds lifecycle features a file lacks.
Incorrect — Not the value proposition.
Incorrect — The opposite — tighter control.
09A workload should read a secret from Secret Manager by…
Incorrect — Baked secrets leak with the image and never rotate.
Correct — Nothing sensitive ships in the image or env definition.
Incorrect — Source is committed and copied.
Incorrect — A guaranteed leak.
10Separating the key admin (roles/cloudkms.admin) from key users prevents…
Correct — Dual control: distinct permissions for distinct actions.
Incorrect — It does not block rotation.
Incorrect — Both actions are logged.
Incorrect — Performance is not the point.
11Disabling a CMEK key version has what effect?
Incorrect — It does not affect performance.
Correct — A powerful containment tool; use it deliberately.
Incorrect — It blocks decrypt; it does not re-encrypt.
Incorrect — The opposite happens.
12Secret rotation without consumer refresh…
Correct — Consumers must refresh within the window before the old version is disabled.
Incorrect — Only if consumers re-read within the overlap.
Incorrect — Unrelated to rotation mechanics.
Incorrect — Secret Manager supports rotation.
12 questions · explanations appear as you answer
Detection & Security Command Center
12 questions
01Cloud Audit Logs Admin Activity logs are…
Correct — They are the non-optional backbone of the audit trail.
Incorrect — Admin Activity is always enabled; Data Access is the opt-in one.
Incorrect — They record API/admin actions.
Incorrect — They go to Cloud Logging.
02Data Access audit logs…
Incorrect — They are opt-in (except BigQuery) and can be high-volume.
Correct — Enable them where you need data-plane visibility for detection/forensics.
Incorrect — They record data access, not just auth failures.
Incorrect — They are logs, not encryption.
03An aggregated log sink at the organization level is used to…
Correct — Central, tamper-resistant collection for detection and IR.
Incorrect — The goal is retention and centralization, not deletion.
Incorrect — Unrelated.
Incorrect — Sinks route logs; they do not grant access.
04A locked log bucket with a retention policy defends against…
Incorrect — It is about integrity, not speed.
Correct — Locked retention makes the audit trail tamper-resistant evidence.
Incorrect — It may increase storage cost.
Incorrect — It protects logs, not IAM.
05Security Command Center (Premium/Enterprise) provides…
Correct — It is the central posture + threat surface for the org.
Incorrect — It is a security product.
Incorrect — That is Artifact Registry.
Incorrect — Unrelated.
06Event Threat Detection in SCC works by…
Incorrect — It detects and raises findings, not inline blocking.
Correct — Log-based detection that surfaces likely-malicious behavior.
Incorrect — Not an encryption service.
Incorrect — Unrelated.
07Security Health Analytics primarily catches…
Correct — It is GCP’s CSPM, continuously checking config against best practice.
Incorrect — That is Container Threat Detection.
Incorrect — That is Cloud Armor.
Incorrect — Its scope is far broader.
08Container Threat Detection observes…
Incorrect — That is image scanning; CTD is runtime.
Correct — It catches post-exploitation activity a static scan cannot.
Incorrect — That is Event Threat Detection.
Incorrect — Unrelated.
09Routing SCC findings to a pipeline (Pub/Sub → SIEM/SOAR) enables…
Correct — Findings become action, not just a console entry.
Incorrect — You need the logs feeding it.
Incorrect — Findings stay internal.
Incorrect — Unrelated.
10Alert quality matters because…
Correct — Tune, dedupe, and prioritize by severity and asset criticality.
Incorrect — Volume without signal degrades response.
Incorrect — They are signals, not crypto.
Incorrect — Not the primary reason.
11A metric/log-based alert on mass storage.objects.get or key disable catches…
Correct — A permitted action at abnormal volume/pattern is the tell.
Incorrect — It covers control-plane behavior too.
Incorrect — Behavioral signals are high value.
Incorrect — Far broader than that.
12Enabling SCC at the organization level (not per project) matters because…
Incorrect — Cost is not the reason.
Correct — A quiet attacker hides exactly where detection is not enabled.
Incorrect — It does not change IAM.
Incorrect — Not its function.
12 questions · explanations appear as you answer
Workload identity & IR
12 questions
01Workload Identity Federation lets an external workload…
Correct — CI from GitHub/GitLab/AWS authenticates without a static key to leak.
Incorrect — The whole point is to eliminate that key.
Incorrect — The federated identity still gets scoped IAM.
Incorrect — Unrelated to encryption.
02GKE Workload Identity maps…
Incorrect — Unrelated to identity mapping.
Correct — Per-workload identity instead of a shared, broad node SA.
Incorrect — That is the resource hierarchy.
Incorrect — Unrelated to KMS.
03Downloaded service-account keys are dangerous because they are…
Correct — Prefer federation, impersonation, or attached identities instead.
Incorrect — They are not; that is the problem.
Incorrect — A committed key is plaintext to anyone with the repo.
Incorrect — They work until deleted.
04Service-account impersonation (roles/iam.serviceAccountTokenCreator) is the GCP analog of…
Incorrect — Unrelated to encryption.
Correct — A principal who can impersonate a powerful SA inherits its permissions.
Incorrect — Not a network control.
Incorrect — Unrelated.
05To constrain impersonation safely you should…
Correct — Project-wide impersonation lets a principal become any SA in the project.
Incorrect — That maximizes the escalation surface.
Incorrect — You want it logged.
Incorrect — That reintroduces the static-key risk.
06On a confirmed compromised SA key, the first action is…
Incorrect — Destroying everything is not measured containment.
Correct — Contain first; the trail tells you the blast radius.
Incorrect — Too broad for the immediate threat.
Incorrect — Active compromise is not backlog work.
07Isolating a compromised GCE instance for forensics means…
Correct — Contain and preserve evidence rather than destroying it.
Incorrect — Deletion discards volatile evidence.
Incorrect — A reboot can wipe memory evidence.
Incorrect — That worsens exposure.
08After containment, hunting persistence in GCP means looking for…
Incorrect — A competent attacker plants a second way in.
Correct — Persistence hides in the control plane; find it before restoring.
Incorrect — Metrics are not persistence indicators.
Incorrect — A weak signal, not the hunt.
09Organization Policy plus a landing zone give you…
Correct — New projects arrive fenced, no checklist to forget.
Incorrect — Unrelated.
Incorrect — Not a delivery network.
Incorrect — That is Secret Manager.
10A preventive org-policy constraint differs from an SCC finding because it…
Correct — Prevention beats detection for the non-negotiables.
Incorrect — That is a detective control.
Incorrect — It acts at configuration time.
Incorrect — It is enforced.
11Access Approval / Access Transparency address…
Incorrect — Unrelated to encryption.
Correct — Controls and logs provider-side access for regulated workloads.
Incorrect — Not a network control.
Incorrect — Unrelated.
12A pre-written IR runbook matters because…
Correct — Speed and correctness come from practice, not invention mid-incident.
Incorrect — It uses them; it does not replace them.
Incorrect — Runbooks are procedures.
Incorrect — Not its purpose.
12 questions · explanations appear as you answer