Professional Cloud Architect · 20% of the exam

Design for security and compliance: free practice questions

5 sample questions from our 50-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real Google Cloud exam.

1. A company uses Workload Identity Federation to allow an on-premises application (using an OIDC-compatible identity provider) to access Google Cloud APIs without service account keys. The application is intermittently receiving PERMISSION_DENIED errors even though the Workload Identity Pool and provider are configured correctly. Which configuration issue is MOST likely causing the problem?

  • A. The on-premises OIDC token has expired before being exchanged for a Google OAuth 2.0 token at the Security Token Service (STS)
  • B. The service account that the federated identity impersonates does not have the roles/iam.workloadIdentityUser role granted to the correct principal identifier from the pool✓ Correct
  • C. Workload Identity Federation requires a VPN connection between on-premises and Google Cloud for the STS endpoint to be reachable
  • D. The attribute mapping in the Workload Identity Pool provider does not include google.subject, causing identity resolution to fail completely for all requests
Explanation

The most common misconfiguration in Workload Identity Federation — especially when setup appears correct but access is denied — is the service account impersonation binding. The federated identity must be granted roles/iam.workloadIdentityUser on the target service account, and the principal must be specified using the exact format: principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE. A mismatch in this principal identifier (e.g., wrong attribute mapping or pool ID) causes PERMISSION_DENIED. A (Token expiry) is wrong — While OIDC tokens do expire, an expiry would cause the STS exchange to fail with an authentication error or a more specific token-related error, not an intermittent PERMISSION_DENIED on the final Google API call. The STS exchange is a separate step. C (VPN required) is wrong — Workload Identity Federation uses the public STS endpoint (sts.googleapis.com); no VPN is required. This is a fundamental misunderstanding of how WIF works. D (Missing google.subject mapping) is wrong — A completely missing google.subject mapping would cause all authentications to fail consistently, not intermittently. The question specifies intermittent failures, pointing to a binding/attribute-matching issue, not a total configuration failure.

2. A financial services firm processes trading data in BigQuery. Due to regulatory requirements, they must ensure that data never leaves their designated Google Cloud regions (us-central1 and us-east1), including during processing by Google's backend infrastructure. They also want to prevent accidental dataset creation in other regions. Which combination of controls BEST enforces data residency? (Select TWO)

  • A. Apply the Organization Policy constraint constraints/gcp.resourceLocations with allowed values set to in:us-locations or specific regions us-central1 and us-east1 at the organization or folder level.✓ Correct
  • B. Configure BigQuery dataset location at dataset creation time and rely on BigQuery's immutable location enforcement — datasets cannot be moved once created.
  • C. Use VPC Service Controls to create a perimeter around the BigQuery projects and configure an access level that only allows requests originating from the US.
  • D. Enable BigQuery's column-level security to tag sensitive columns and restrict access based on data location tags.
  • E. Create a Cloud Asset Inventory feed that monitors for BigQuery dataset creation and alerts when datasets are created outside the approved regions.
  • F. Apply a Assured Workloads folder configured for the US regions compliance framework, which enforces data residency and restricts which Google personnel can access the data.✓ Correct
Explanation

Option A (constraints/gcp.resourceLocations) is a preventive Organization Policy that blocks resource creation — including BigQuery datasets — outside the specified regions, directly enforcing data residency at the resource level. Option F (Assured Workloads) is the purpose-built GCP solution for data residency and sovereignty — it restricts data processing and personnel access to the specified regions and is specifically designed for regulatory compliance in financial services. Together they provide both preventive location enforcement and a comprehensive compliance framework. Option B is partially true (datasets cannot be moved) but it does not prevent creation in wrong regions — it only enforces immutability after creation. Option C (VPC Service Controls) controls which principals and networks can access BigQuery, not where data resides or where Google's infrastructure processes it. Option D (column-level security) is a data governance control, not a data residency mechanism. Option E (Cloud Asset Inventory alerting) is a detective control, not preventive.

3. A company's compliance team needs to ensure that all Cloud Storage objects containing PII are encrypted with a Customer-Managed Encryption Key (CMEK) at rest. However, during an audit, they discover that several buckets in various projects across the organization still use Google-managed default encryption. Which Organization Policy constraint should the administrator configure to enforce CMEK on all new Cloud Storage buckets going forward?

  • A. constraints/gcp.resourceLocations to restrict bucket creation to compliant regions
  • B. constraints/storage.uniformBucketLevelAccess to enforce consistent IAM-based access control
  • C. constraints/gcp.restrictServiceUsage to disable Cloud Storage in non-compliant projects
  • D. constraints/gcp.restrictCmekCryptoKeyProjects to require an approved KMS key project for CMEK-protected resources✓ Correct
Explanation

The constraints/gcp.restrictCmekCryptoKeyProjects (and the related constraints/gcp.restrictNonCmekServices) Organization Policy constraints enforce that certain services must use CMEK and that the KMS keys used must come from approved projects. This prevents creation of new resources without CMEK. constraints/gcp.resourceLocations restricts where resources can be created (data residency), not the encryption model. constraints/storage.uniformBucketLevelAccess enforces IAM-based access control over legacy ACLs and is unrelated to encryption. constraints/gcp.restrictServiceUsage would disable Cloud Storage entirely in projects, which is far too disruptive and does not enforce CMEK.

4. An enterprise architect is designing a VPC Service Controls perimeter to protect sensitive BigQuery datasets in a project. The architect needs to allow a specific group of data scientists who work from a corporate office (known IP range) to access the protected BigQuery project even though they are outside the perimeter. Which VPC Service Controls construct enables this exception?

  • A. A service perimeter bridge connecting the data scientists' project to the protected project
  • B. An Access Level defined with the corporate IP range, referenced in the perimeter's ingress policy✓ Correct
  • C. A VPC firewall rule allowing traffic from the corporate IP range to the BigQuery API endpoint
  • D. A private Google Access configuration on the subnet used by the data scientists
Explanation

VPC Service Controls Access Levels define conditions (such as IP ranges, device attributes, or identity) under which access to a protected perimeter is permitted from outside. By defining an Access Level that matches the corporate IP range and referencing it in the perimeter's ingress policy, data scientists from that IP range can access the protected BigQuery project. A service perimeter bridge is used to allow two perimeters to share resources with each other, not to grant external user access. VPC firewall rules control network-level traffic between VMs and do not affect the VPC Service Controls enforcement layer, which operates at the Google API level. Private Google Access enables VMs without external IPs to reach Google APIs but does not create an exception in a VPC Service Controls perimeter for external users.

5. A media company runs a public video streaming platform on Google Cloud. Their security operations team uses Security Command Center (SCC) Premium. They receive an SCC finding of category 'Persistence: IAM Anomalous Grant' on a production project. What does this finding most likely indicate, and what is the FIRST recommended response action?

  • A. A Cloud Storage bucket in the project has been made publicly accessible; immediately revoke allUsers and allAuthenticatedUsers ACLs.
  • B. An unusual IAM role binding was detected — potentially indicating a compromised account granting itself elevated access; investigate the binding, identify the actor via Audit Logs, and revoke the suspicious grant.✓ Correct
  • C. A service account key has not been rotated in more than 90 days; rotate all user-managed service account keys in the project immediately.
  • D. A Compute Engine VM is communicating with a known command-and-control IP; isolate the VM by removing its external IP and applying a deny-all firewall rule.
Explanation

The SCC finding 'Persistence: IAM Anomalous Grant' specifically indicates that an unusual or suspicious IAM role binding was detected, which is a common persistence technique used by attackers after gaining initial access — granting themselves or a backdoor account elevated permissions. The first response is to review the suspicious binding using Admin Activity Audit Logs to identify the actor and time, then revoke the grant if unauthorized. A publicly accessible bucket generates a 'Public Bucket ACL' or 'Public object ACL' finding, not an IAM Anomalous Grant. Unrotated service account keys generate a 'Service Account Key Not Rotated' finding. A VM communicating with a C2 IP would generate a 'Malware: Outgoing DoS' or similar network threat finding, not an IAM finding.

45 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free
Design for security and compliance — Free Professional Cloud Architect Practice Questions | DataCertPrep — Certification Prep