Google Exams Lab

Professional Cloud Security Engineer - questions & answers

Study template for gradually building a Q&A bank. Adjust topics and structure to your plan.

Status: In progress · Questions: 40 · Notes: 40

How to use it

Every question follows the same format: short answer, explanation and steps.

  • Frame the question as a real-world scenario.
  • Answer in one or two sentences.
  • Add detail (why, trade-offs, risks).
  • List steps/diagnostics and tag it.

Template

Question standard

A consistent structure keeps the bank readable and easy to revise.

  • Question - scenario or decision point
  • Short answer - 1-2 sentences
  • Explanation - why this solution fits
  • Steps - implementation or diagnostics
  • Tags - domain, tool, priority

Status legend

Draft · Review · Mastered · Needs revisit

Update the badge in each question to guide your review cycles.

Quick tips

  • Add 1-2 references for every question.
  • Write answers as if explaining to a junior engineer.
  • Capture common pitfalls and anti-patterns.

Question bank

The study blocks are working drafts - adapt them to your plan or the exam guide.

Study block 1 · IAM & access control

Identity, permissions, privileged access, and account lifecycle governance.

[Question] Least-privilege role design for admin teams. Which approach is most suitable for production? · Status: Review

Options:

  • A. Design and validate "least-privilege role design for admin teams" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • B. Share privileged accounts across team members for convenience.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: A. Design and validate "least-privilege role design for admin teams" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "least-privilege role design for admin teams" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "least-privilege role design for admin teams".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · IAM · Review

Source: Cloudpeakify original question

[Question] Group-based access governance model. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Design and validate "group-based access governance model" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: B. Design and validate "group-based access governance model" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "group-based access governance model" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "group-based access governance model".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · IAM · Review

Source: Cloudpeakify original question

[Question] Eliminating long-lived service account keys. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Design and validate "eliminating long-lived service account keys" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: C. Design and validate "eliminating long-lived service account keys" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "eliminating long-lived service account keys" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "eliminating long-lived service account keys".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · IAM · Review

Source: Cloudpeakify original question

[Question] Workforce identity federation for contractors. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Disable audit logging for sensitive changes to reduce cost.
  • D. Design and validate "workforce identity federation for contractors" in a controlled environment with SLO metrics, rollback, and security guardrails.

Short answer: D. Design and validate "workforce identity federation for contractors" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "workforce identity federation for contractors" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "workforce identity federation for contractors".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · IAM · Review

Source: Cloudpeakify original question

[Question] Context-aware access for privileged operations. Which approach is most suitable for production? · Status: Review

Options:

  • A. Design and validate "context-aware access for privileged operations" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • B. Share privileged accounts across team members for convenience.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: A. Design and validate "context-aware access for privileged operations" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "context-aware access for privileged operations" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "context-aware access for privileged operations".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · IAM · Review

Source: Cloudpeakify original question

[Question] Break-glass account process and controls. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Design and validate "break-glass account process and controls" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: B. Design and validate "break-glass account process and controls" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "break-glass account process and controls" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "break-glass account process and controls".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · IAM · Review

Source: Cloudpeakify original question

[Question] Separation of duties for high-risk changes. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Design and validate "separation of duties for high-risk changes" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: C. Design and validate "separation of duties for high-risk changes" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "separation of duties for high-risk changes" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "separation of duties for high-risk changes".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · IAM · Review

Source: Cloudpeakify original question

[Question] Periodic privileged access reviews. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Disable audit logging for sensitive changes to reduce cost.
  • D. Design and validate "periodic privileged access reviews" in a controlled environment with SLO metrics, rollback, and security guardrails.

Short answer: D. Design and validate "periodic privileged access reviews" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "periodic privileged access reviews" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "periodic privileged access reviews".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · IAM · Review

Source: Cloudpeakify original question

Study block 2 · Data protection

Encryption, key management, DLP, and protection of sensitive data.

[Question] CMEK key hierarchy for a multi-project estate. Which approach is most suitable for production? · Status: Review

Options:

  • A. Design and validate "CMEK key hierarchy for a multi-project estate" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • B. Share privileged accounts across team members for convenience.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: A. Design and validate "CMEK key hierarchy for a multi-project estate" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "CMEK key hierarchy for a multi-project estate" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "CMEK key hierarchy for a multi-project estate".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · Data protection · Review

Source: Cloudpeakify original question

[Question] Cloud KMS rotation and key-version policy. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Design and validate "Cloud KMS rotation and key-version policy" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: B. Design and validate "Cloud KMS rotation and key-version policy" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "Cloud KMS rotation and key-version policy" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "Cloud KMS rotation and key-version policy".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · Data protection · Review

Source: Cloudpeakify original question

[Question] Secret Manager lifecycle governance. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Design and validate "Secret Manager lifecycle governance" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: C. Design and validate "Secret Manager lifecycle governance" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "Secret Manager lifecycle governance" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "Secret Manager lifecycle governance".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · Data protection · Review

Source: Cloudpeakify original question

[Question] Tokenization strategy for sensitive records. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Disable audit logging for sensitive changes to reduce cost.
  • D. Design and validate "tokenization strategy for sensitive records" in a controlled environment with SLO metrics, rollback, and security guardrails.

Short answer: D. Design and validate "tokenization strategy for sensitive records" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "tokenization strategy for sensitive records" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "tokenization strategy for sensitive records".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · Data protection · Review

Source: Cloudpeakify original question

[Question] DLP inspection in ETL pipelines. Which approach is most suitable for production? · Status: Review

Options:

  • A. Design and validate "DLP inspection in ETL pipelines" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • B. Share privileged accounts across team members for convenience.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: A. Design and validate "DLP inspection in ETL pipelines" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "DLP inspection in ETL pipelines" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "DLP inspection in ETL pipelines".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · Data protection · Review

Source: Cloudpeakify original question

[Question] Encrypted immutable backups for ransomware resilience. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Design and validate "encrypted immutable backups for ransomware resilience" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: B. Design and validate "encrypted immutable backups for ransomware resilience" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "encrypted immutable backups for ransomware resilience" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "encrypted immutable backups for ransomware resilience".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · Data protection · Review

Source: Cloudpeakify original question

[Question] Dynamic data masking for analytics users. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Design and validate "dynamic data masking for analytics users" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: C. Design and validate "dynamic data masking for analytics users" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "dynamic data masking for analytics users" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "dynamic data masking for analytics users".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · Data protection · Review

Source: Cloudpeakify original question

[Question] Key access justification and approval workflow. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Disable audit logging for sensitive changes to reduce cost.
  • D. Design and validate "key access justification and approval workflow" in a controlled environment with SLO metrics, rollback, and security guardrails.

Short answer: D. Design and validate "key access justification and approval workflow" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "key access justification and approval workflow" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "key access justification and approval workflow".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · Data protection · Review

Source: Cloudpeakify original question

Study block 3 · Detection & response

Threat detection, triage, incident response, and forensic readiness.

[Question] Central audit-log architecture. Which approach is most suitable for production? · Status: Review

Options:

  • A. Design and validate "central audit-log architecture" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • B. Share privileged accounts across team members for convenience.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: A. Design and validate "central audit-log architecture" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "central audit-log architecture" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "central audit-log architecture".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · Detection · Review

Source: Cloudpeakify original question

[Question] Security Command Center findings triage workflow. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Design and validate "Security Command Center findings triage workflow" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: B. Design and validate "Security Command Center findings triage workflow" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "Security Command Center findings triage workflow" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "Security Command Center findings triage workflow".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · Detection · Review

Source: Cloudpeakify original question

[Question] SIEM integration with Chronicle or Splunk. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Design and validate "SIEM integration with Chronicle or Splunk" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: C. Design and validate "SIEM integration with Chronicle or Splunk" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "SIEM integration with Chronicle or Splunk" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "SIEM integration with Chronicle or Splunk".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · Detection · Review

Source: Cloudpeakify original question

[Question] Incident severity classification matrix. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Disable audit logging for sensitive changes to reduce cost.
  • D. Design and validate "incident severity classification matrix" in a controlled environment with SLO metrics, rollback, and security guardrails.

Short answer: D. Design and validate "incident severity classification matrix" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "incident severity classification matrix" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "incident severity classification matrix".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · Detection · Review

Source: Cloudpeakify original question

[Question] Threat-hunting queries over cloud logs. Which approach is most suitable for production? · Status: Review

Options:

  • A. Design and validate "threat-hunting queries over cloud logs" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • B. Share privileged accounts across team members for convenience.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: A. Design and validate "threat-hunting queries over cloud logs" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "threat-hunting queries over cloud logs" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "threat-hunting queries over cloud logs".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · Detection · Review

Source: Cloudpeakify original question

[Question] SOAR-style response playbook automation. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Design and validate "SOAR-style response playbook automation" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: B. Design and validate "SOAR-style response playbook automation" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "SOAR-style response playbook automation" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "SOAR-style response playbook automation".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · Detection · Review

Source: Cloudpeakify original question

[Question] Forensic snapshot and evidence preservation process. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Design and validate "forensic snapshot and evidence preservation process" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: C. Design and validate "forensic snapshot and evidence preservation process" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "forensic snapshot and evidence preservation process" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "forensic snapshot and evidence preservation process".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · Detection · Review

Source: Cloudpeakify original question

[Question] Tabletop exercise program cadence. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Disable audit logging for sensitive changes to reduce cost.
  • D. Design and validate "tabletop exercise program cadence" in a controlled environment with SLO metrics, rollback, and security guardrails.

Short answer: D. Design and validate "tabletop exercise program cadence" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "tabletop exercise program cadence" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "tabletop exercise program cadence".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · Detection · Review

Source: Cloudpeakify original question

Study block 4 · Infrastructure hardening

Secure-by-default guardrails, workload hardening, and runtime risk prevention.

[Question] Org Policy baseline for secure-by-default projects. Which approach is most suitable for production? · Status: Review

Options:

  • A. Design and validate "Org Policy baseline for secure-by-default projects" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • B. Share privileged accounts across team members for convenience.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: A. Design and validate "Org Policy baseline for secure-by-default projects" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "Org Policy baseline for secure-by-default projects" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.

  • Define target SLI/SLO and acceptance criteria for "Org Policy baseline for secure-by-default projects".
  • Implement the change through IaC/automation and validate it in non-production.
  • Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.

Tags: Security Engineer · Hardening · Review

Source: Cloudpeakify original question

[Question] Shielded VM enforcement at scale. Which approach is most suitable for production? · Status: Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Design and validate "Shielded VM enforcement at scale" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: B. Design and validate "Shielded VM enforcement at scale" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "Shielded VM enforcement at scale" this option is best because Shielded VM is a bundle of UEFI Secure Boot, a virtual TPM and integrity monitoring on each instance, and at fleet scale it is enforced with the `compute.requireShieldedVm` organization policy rather than per-instance settings. The constraint only applies when new instances are created and it rejects images that are not Shielded-VM compatible (older or custom non-UEFI images), so the image and template inventory has to be checked before it is enforced. The other three options are credential and logging anti-patterns, not hardening choices.

  • Inventory instance templates, managed instance groups and custom images that lack UEFI/Shielded support, and set the acceptance criterion: every new instance launches with Secure Boot, vTPM and integrity monitoring on, with zero failed launches caused by the constraint.
  • Enable `shielded_instance_config` in instance templates through IaC, rebuild unsupported custom images, and enforce `compute.requireShieldedVm` on a test folder first.
  • Roll the constraint out folder by folder, alert on integrity-monitoring failures (`policyEvaluationPassed = false` in the `shielded_vm_integrity` log), and keep the previous policy export ready to revert.
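An instance template with the hardened settings, plus the fleet-wide detection side, as an added example (not from the original page). It assumes `var.project_id`, a service account resource `google_service_account.vm` and a subnet named `prod-subnet` exist in the same module; the org-level `compute.requireShieldedVm` constraint is assumed to be set separately.

```terraform
# Added example (not from the original page): a hardened instance template and a
# log-based metric that surfaces Shielded VM integrity failures across the fleet.
# Assumptions: var.project_id, google_service_account.vm and the subnet name
# "prod-subnet" are placeholders defined elsewhere in the module.

resource "google_compute_instance_template" "hardened" {
  name_prefix  = "hardened-"
  project      = var.project_id
  machine_type = "e2-standard-2"

  disk {
    # Google-provided image families are UEFI images and Shielded-VM compatible.
    source_image = "debian-cloud/debian-12"
    boot         = true
    auto_delete  = true
  }

  network_interface {
    subnetwork = "prod-subnet" # no access_config block, so no external IP
  }

  # Secure Boot is off unless requested; turn on all three.
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }

  service_account {
    email  = google_service_account.vm.email # dedicated SA, not the default compute SA
    scopes = ["cloud-platform"]
  }

  metadata = {
    enable-oslogin = "TRUE"
  }

  lifecycle {
    create_before_destroy = true
  }
}

# Integrity monitoring writes a log entry on each boot. A failed policy
# evaluation means the measured boot state differs from the recorded baseline.
resource "google_logging_metric" "shielded_integrity_failures" {
  project = var.project_id
  name    = "shielded_vm_integrity_failures"
  filter  = <<-EOT
    logName="projects/${var.project_id}/logs/compute.googleapis.com%2Fshielded_vm_integrity"
    AND (jsonPayload.earlyBootReportEvent.policyEvaluationPassed=false
         OR jsonPayload.lateBootReportEvent.policyEvaluationPassed=false)
  EOT

  metric_descriptor {
    metric_kind = "DELTA"
    value_type  = "INT64"
  }
}
```

Point an alerting policy at the metric; a non-zero count after a kernel or bootloader update on a known host is expected and should be followed by updating the integrity baseline for that instance, while a failure with no corresponding change is the case to investigate.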
Security Engineer Hardening Review

Source: Cloudpeakify original question

[Question] GKE hardening with network policies and workload identity. Which approach is most suitable for production? Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Design and validate "GKE hardening with network policies and workload identity" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: C. Design and validate "GKE hardening with network policies and workload identity" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "GKE hardening with network policies and workload identity" this option is best because both controls change behaviour that teams rarely have documented. Kubernetes NetworkPolicy objects are only enforced when the cluster has a policy engine enabled (Calico network policy or GKE Dataplane V2); without one they are accepted by the API server and silently ignored. Workload Identity maps a Kubernetes service account to a Google service account so pods stop using the node's credentials or mounted key files. Default-deny policies break undocumented cross-namespace calls and Workload Identity breaks pods that relied on the node service account, which is why the change is measured in staging and rolled out namespace by namespace. The other three options are unrelated credential and logging anti-patterns.

  • Capture current east-west traffic and which pods call Google APIs; define the acceptance criteria: default-deny in every application namespace with explicit allow rules, node pools in `GKE_METADATA` metadata mode, no service-account key files mounted as secrets.
  • Create the cluster settings in IaC (network policy enabled, Workload Identity pool, dedicated node service account, private nodes) and bind each Kubernetes service account to its Google service account with `roles/iam.workloadIdentityUser`; validate on a staging cluster.
  • Apply default-deny one namespace at a time, watch for dropped connections and IAM permission denials, and keep the previous manifests and cluster configuration for rollback.
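The cluster configuration, the Workload Identity binding and a default-deny policy for one namespace, as an added example (not from the original page). It assumes `var.project_id`, `var.region` and `var.admin_cidr` are module inputs, that a VPC `prod-vpc` with subnet `prod-gke-subnet` exists, and that the kubernetes provider is configured against this cluster; the `payments` namespace and `payments-api` service account are placeholders.

```terraform
# Added example (not from the original page): private GKE cluster with Workload
# Identity and network policy enforcement, one KSA-to-GSA binding, and a
# default-deny NetworkPolicy. Assumptions: var.project_id, var.region,
# var.admin_cidr, network "prod-vpc"/subnet "prod-gke-subnet", namespace
# "payments" and KSA "payments-api" are placeholders.

resource "google_service_account" "gke_nodes" {
  project      = var.project_id
  account_id   = "gke-nodes"
  display_name = "GKE node service account (log/metric writer roles only)"
}

resource "google_container_cluster" "prod" {
  project    = var.project_id
  name       = "prod"
  location   = var.region
  network    = "prod-vpc"
  subnetwork = "prod-gke-subnet"

  remove_default_node_pool = true
  initial_node_count       = 1
  enable_shielded_nodes    = true

  # Pods obtain Google credentials for a mapped GSA instead of the node SA.
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }

  # Without an engine, NetworkPolicy objects are accepted but never enforced.
  network_policy {
    enabled  = true
    provider = "CALICO"
  }
  addons_config {
    network_policy_config {
      disabled = false
    }
  }

  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = var.admin_cidr
      display_name = "corporate"
    }
  }
  ip_allocation_policy {}
}

resource "google_container_node_pool" "prod" {
  project    = var.project_id
  name       = "prod-pool"
  location   = var.region
  cluster    = google_container_cluster.prod.name
  node_count = 3

  node_config {
    machine_type    = "e2-standard-4"
    service_account = google_service_account.gke_nodes.email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
    workload_metadata_config {
      mode = "GKE_METADATA" # pods cannot read the node SA token from metadata
    }
  }
}

# Workload Identity: the KSA payments/payments-api may act as this GSA.
resource "google_service_account" "payments_api" {
  project    = var.project_id
  account_id = "payments-api"
}

resource "google_service_account_iam_member" "payments_wi" {
  service_account_id = google_service_account.payments_api.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[payments/payments-api]"
}

# Default deny for the namespace; per-workload allow rules are added afterwards.
resource "kubernetes_network_policy" "payments_default_deny" {
  metadata {
    name      = "default-deny"
    namespace = "payments"
  }
  spec {
    pod_selector {}
    policy_types = ["Ingress", "Egress"]
  }
}
```

The Kubernetes service account still needs the annotation `iam.gke.io/gcp-service-account: payments-api@<project>.iam.gserviceaccount.com` on the KSA object; the binding above is the IAM half of the mapping. An egress default-deny also blocks DNS, so the first allow rule in each namespace is usually UDP/TCP 53 to kube-dns.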
Security Engineer Hardening Review

Source: Cloudpeakify original question

[Question] Cloud Run ingress restrictions and authentication model. Which approach is most suitable for production? Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Disable audit logging for sensitive changes to reduce cost.
  • D. Design and validate "Cloud Run ingress restrictions and authentication model" in a controlled environment with SLO metrics, rollback, and security guardrails.

Short answer: D. Design and validate "Cloud Run ingress restrictions and authentication model" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "Cloud Run ingress restrictions and authentication model" this option is best because Cloud Run has two independent layers that are easy to confuse: the ingress setting (all, internal only, or internal plus Cloud Load Balancing) decides who can reach the service on the network, and IAM (`roles/run.invoker`) decides who may invoke it. Granting `allUsers` the invoker role makes the service unauthenticated for anyone who can reach it. Tightening either layer breaks legitimate callers (Pub/Sub push subscriptions, Cloud Scheduler jobs, other services, an external load balancer) unless each has its own identity and a permitted path first. The other three options are credential and logging anti-patterns.

  • List every caller and the path it uses; define the target: ingress set to internal (or internal-and-load-balancer), no `allUsers`/`allAuthenticatedUsers` invoker binding, and each caller using its own service account with an OIDC identity token.
  • Set ingress and the invoker bindings through IaC, give callers dedicated service accounts, and validate on a non-production revision that callers get HTTP 200 rather than 403.
  • Roll out service by service, monitor 403 and 404 rates in the request logs, and keep the previous ingress/IAM definition in version control for rollback.
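Both layers in Terraform, as an added example (not from the original page): the service is reachable only through an internal load balancer and only one service account may invoke it. `var.project_id`, `var.region`, the image URI and the caller identity are placeholders.

```terraform
# Added example (not from the original page): Cloud Run service with restricted
# ingress and a single authorised caller. Assumptions: var.project_id,
# var.region, the Artifact Registry image path and the caller SA are placeholders.

resource "google_service_account" "orders_api" {
  project    = var.project_id
  account_id = "orders-api"
}

resource "google_service_account" "orders_caller" {
  project    = var.project_id
  account_id = "orders-caller" # e.g. the Cloud Scheduler or Pub/Sub push identity
}

resource "google_cloud_run_v2_service" "orders" {
  project  = var.project_id
  name     = "orders-api"
  location = var.region

  # Weak setting: INGRESS_TRAFFIC_ALL, reachable straight from the internet.
  ingress = "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"

  template {
    service_account = google_service_account.orders_api.email # not the default compute SA
    containers {
      image = "europe-docker.pkg.dev/${var.project_id}/apps/orders-api:1.4.2"
    }
  }
}

# Anti-pattern: member = "allUsers" here makes the service unauthenticated for
# anyone who can reach it. Grant roles/run.invoker to the specific caller instead.
resource "google_cloud_run_v2_service_iam_member" "invoker" {
  project  = var.project_id
  location = var.region
  name     = google_cloud_run_v2_service.orders.name
  role     = "roles/run.invoker"
  member   = "serviceAccount:${google_service_account.orders_caller.email}"
}
```

The caller must present a Google-signed OIDC identity token for `orders-caller` with the service URL as audience in the `Authorization: Bearer` header; Cloud Scheduler and Pub/Sub push can be configured to mint that token themselves, which is why each caller gets its own service account rather than sharing one.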
Security Engineer Hardening Review

Source: Cloudpeakify original question

[Question] public-access prevention controls for Cloud Storage. Which approach is most suitable for production? Review

Options:

  • A. Design and validate "public-access prevention controls for Cloud Storage" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • B. Share privileged accounts across team members for convenience.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: A. Design and validate "public-access prevention controls for Cloud Storage" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "public-access prevention controls for Cloud Storage" this option is best because public access prevention blocks `allUsers` and `allAuthenticatedUsers` grants on a bucket and its objects. It can be set per bucket (`publicAccessPrevention = enforced`) or across the hierarchy with the `storage.publicAccessPrevention` organization policy; combined with uniform bucket-level access it also removes object ACLs, so IAM becomes the only way to grant access. Validation matters because some buckets intentionally serve public content (static sites, public datasets) and need a documented exception in a separate folder rather than a disabled control. The other three options are credential and logging anti-patterns.

  • Inventory buckets with public grants or legacy ACLs (Security Command Center findings or `gcloud storage buckets list` output) and define the target: every bucket either enforced or on a short approved-public list.
  • Enforce `publicAccessPrevention` and uniform bucket-level access in bucket IaC and set the organization policy on a test folder; confirm applications still read through their own service accounts.
  • Roll the organization policy out folder by folder, alert on attempts to add public members, and keep the approved-public list as the only allowed override.
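The bucket-level controls with access granted to one identity, as an added example (not from the original page). It assumes `var.project_id` is a module input and that the organization-level `storage.publicAccessPrevention` constraint is set separately as the backstop; bucket and service-account names are placeholders.

```terraform
# Added example (not from the original page): bucket with public access
# prevention and uniform access, readable by one service account only.
# Assumptions: var.project_id, the bucket name and the SA name are placeholders;
# the org-level storage.publicAccessPrevention constraint is set elsewhere.

resource "google_storage_bucket" "exports" {
  project  = var.project_id
  name     = "${var.project_id}-exports"
  location = "EU"

  # "inherited" follows the org policy; "enforced" blocks allUsers and
  # allAuthenticatedUsers on this bucket regardless of hierarchy changes.
  public_access_prevention    = "enforced"
  uniform_bucket_level_access = true # IAM only; object ACLs cannot reopen access

  versioning {
    enabled = true
  }
}

resource "google_service_account" "export_reader" {
  project    = var.project_id
  account_id = "export-reader"
}

# Authoritative for this role: any member not listed here is removed on the
# next apply, so a hand-added allUsers grant does not survive.
resource "google_storage_bucket_iam_binding" "readers" {
  bucket  = google_storage_bucket.exports.name
  role    = "roles/storage.objectViewer"
  members = ["serviceAccount:${google_service_account.export_reader.email}"]
}
```

Use `google_storage_bucket_iam_binding` (authoritative per role) rather than `google_storage_bucket_iam_member` (additive) when the point is to revert drift; the member form is right when several modules legitimately add readers to the same bucket.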
Security Engineer Hardening Review

Source: Cloudpeakify original question

[Question] vulnerability patch cadence for images and hosts. Which approach is most suitable for production? Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Design and validate "vulnerability patch cadence for images and hosts" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: B. Design and validate "vulnerability patch cadence for images and hosts" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "vulnerability patch cadence for images and hosts" this option is best because hosts and container images need different mechanisms. Compute Engine hosts are patched in place with OS Config patch deployments (VM Manager), which need a maintenance window, a reboot policy and a disruption budget; container images are never patched in place but rebuilt from an updated base and redeployed, with Artifact Registry vulnerability scanning showing when that is due. A cadence that was never tested against real workloads either hurts availability or gets switched off. The other three options are credential and logging anti-patterns.

  • Define the remediation SLA per severity (for example critical within days, high within weeks) and the metric: percentage of hosts and images within SLA, taken from OS Config compliance reports and Artifact Registry scan results.
  • Create patch deployments that target instances by label, enable image scanning, and automate base-image rebuilds in CI; test the window, reboot behaviour and rollback on a non-production instance group first.
  • Roll out zone by zone with a disruption budget, watch health checks during the window, and keep the previous image and instance template for rollback.
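A weekly patch deployment for labelled hosts and image scanning enabled for the project, as an added example (not from the original page). `var.project_id`, the `env = prod` label and the schedule are placeholders.

```terraform
# Added example (not from the original page): OS Config patch deployment for
# production hosts plus Artifact Registry vulnerability scanning for images.
# Assumptions: var.project_id, the env=prod label and the schedule are placeholders.

resource "google_project_service" "osconfig" {
  project = var.project_id
  service = "osconfig.googleapis.com"
}

# Enables automatic scanning of images pushed to Artifact Registry.
resource "google_project_service" "container_scanning" {
  project = var.project_id
  service = "containerscanning.googleapis.com"
}

resource "google_os_config_patch_deployment" "prod_weekly" {
  project             = var.project_id
  patch_deployment_id = "prod-weekly"

  instance_filter {
    group_labels {
      labels = { env = "prod" }
    }
  }

  patch_config {
    reboot_config = "DEFAULT" # reboot only when the package manager reports it is needed
    apt {
      type = "DIST"
    }
    yum {
      security = true
    }
  }

  duration = "3600s" # hard stop for the maintenance window

  recurring_schedule {
    time_zone {
      id = "Europe/Berlin"
    }
    time_of_day {
      hours   = 2
      minutes = 0
    }
    weekly {
      day_of_week = "TUESDAY"
    }
  }

  # One zone at a time, and never more than 10% of a zone's instances at once.
  rollout {
    mode = "ZONE_BY_ZONE"
    disruption_budget {
      percent = 10
    }
  }

  depends_on = [google_project_service.osconfig]
}
```

Instances only take part if the OS Config agent is running and the `enable-osconfig` metadata key is set; the scan results for images are read from Container Analysis occurrences, which is where a CI job decides whether an image is past its SLA and must be rebuilt.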
Security Engineer Hardening Review

Source: Cloudpeakify original question

[Question] Binary Authorization enforcement for production. Which approach is most suitable for production? Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Design and validate "Binary Authorization enforcement for production" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: C. Design and validate "Binary Authorization enforcement for production" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "Binary Authorization enforcement for production" this option is best because Binary Authorization makes the GKE (or Cloud Run) admission path refuse images that lack the attestations required by the policy. A misconfigured policy blocks every deployment, so it is introduced in `DRYRUN_AUDIT_LOG_ONLY` mode, which only logs the deployments that would have been denied, and switched to `ENFORCED_BLOCK_AND_AUDIT_LOG` once the build pipeline reliably signs every production image. The break-glass annotation (`alpha.image-policy.k8s.io/break-glass`) bypasses the policy and must be alerted on. The other three options are credential and logging anti-patterns.

  • Define the attestors (build provenance, vulnerability scan passed, QA sign-off), which clusters require which attestations, and the acceptance criterion: zero dry-run denials for production images over one full release cycle.
  • Create the attestor notes, keys and policy in IaC with enforcement in dry-run mode; wire image signing into the build pipeline and validate on a staging cluster.
  • Switch the production cluster rule to enforced mode, alert on audit-log denials and break-glass deployments, and keep the dry-run policy version ready to restore.
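The policy, attestor and note in Terraform, as an added example (not from the original page). The enforcement mode is a variable so the same definition moves from dry-run to enforced without a rewrite. `var.project_id`, `var.region`, the cluster name `prod`, and the attestor key (`var.qa_key_id`, `var.qa_public_key_pem`) are placeholders.

```terraform
# Added example (not from the original page): Binary Authorization policy that
# denies by default and requires a QA attestation on the production cluster.
# Assumptions: var.project_id, var.region, cluster name "prod", var.qa_key_id
# and var.qa_public_key_pem are placeholders.

variable "enforcement_mode" {
  type    = string
  default = "DRYRUN_AUDIT_LOG_ONLY" # flip to ENFORCED_BLOCK_AND_AUDIT_LOG after a clean cycle
}

resource "google_container_analysis_note" "qa" {
  project = var.project_id
  name    = "qa-attestor-note"
  attestation_authority {
    hint {
      human_readable_name = "QA sign-off"
    }
  }
}

resource "google_binary_authorization_attestor" "qa" {
  project = var.project_id
  name    = "qa-attestor"
  attestation_authority_note {
    note_reference = google_container_analysis_note.qa.name
    public_keys {
      id = var.qa_key_id
      pkix_public_key {
        public_key_pem      = var.qa_public_key_pem
        signature_algorithm = "ECDSA_P256_SHA256"
      }
    }
  }
}

resource "google_binary_authorization_policy" "policy" {
  project = var.project_id

  # Google-maintained system images that GKE itself runs.
  admission_whitelist_patterns {
    name_pattern = "gcr.io/google_containers/*"
  }

  # Anything not covered by a cluster-specific rule is denied.
  default_admission_rule {
    evaluation_mode  = "ALWAYS_DENY"
    enforcement_mode = var.enforcement_mode
  }

  cluster_admission_rules {
    cluster                 = "${var.region}.prod"
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = var.enforcement_mode
    require_attestations_by = [google_binary_authorization_attestor.qa.name]
  }
}
```

Keep the signing key in Cloud KMS and have the pipeline create the attestation with the KMS key rather than a PEM on a build agent; the `pkix_public_key` above only tells the attestor which public key verifies the signature. The cluster also needs Binary Authorization enabled in its own configuration for the policy to take effect.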
Security Engineer Hardening Review

Source: Cloudpeakify original question

[Question] terraform policy checks before apply. Which approach is most suitable for production? Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Disable audit logging for sensitive changes to reduce cost.
  • D. Design and validate "terraform policy checks before apply" in a controlled environment with SLO metrics, rollback, and security guardrails.

Short answer: D. Design and validate "terraform policy checks before apply" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "terraform policy checks before apply" this option is best because the reliable place to stop a misconfiguration is the pipeline step between `terraform plan` and `terraform apply`: the plan (exported with `terraform show -json`) is evaluated against policy (OPA/conftest, Sentinel, Checkov, or Terraform's own variable validation and preconditions) and the apply step does not run if a check fails. Rules that are too broad produce noise and get bypassed, so they are tuned on real plans before they block anything. The other three options are credential and logging anti-patterns.

  • Decide the rules (no public IAM members, no basic roles, approved regions only, public access prevention on every bucket, Shielded VM on every instance) and the acceptance criterion: the checks pass on the current production plan with zero false positives.
  • Add the checks as a required CI job on every pull request, in warn-only mode to begin with, and fix or justify each finding.
  • Switch the job to blocking, require it in branch protection, and keep a documented exception mechanism (per rule, per resource, with an expiry) instead of disabling rules.
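Plan-time guardrails written in Terraform itself, as an added example (not from the original page): variable validation rejects bad inputs, and a precondition refuses to apply IAM grants to a project that is not under the production folder, so `terraform plan` fails in CI before anything is applied. `var.prod_folder_id` and the `grants` map are assumed module inputs.

```terraform
# Added example (not from the original page): Terraform-native checks that fail
# the plan. Assumptions: var.project_id, var.prod_folder_id, var.region and
# var.grants are this module's inputs.

variable "project_id" {
  type = string
}

variable "prod_folder_id" {
  type        = string
  description = "Numeric ID of the production folder (assumed input)"
}

variable "region" {
  type = string

  validation {
    condition     = can(regex("^europe-", var.region))
    error_message = "Only EU regions may be used in this module."
  }
}

variable "grants" {
  type = map(object({ role = string, member = string }))

  # Basic roles are far too broad for any service or vendor identity.
  validation {
    condition = alltrue([
      for g in var.grants : !contains(["roles/owner", "roles/editor", "roles/viewer"], g.role)
    ])
    error_message = "Basic roles are not allowed; use predefined or custom roles."
  }

  # Public principals never belong in a project IAM policy.
  validation {
    condition = alltrue([
      for g in var.grants : !contains(["allUsers", "allAuthenticatedUsers"], g.member)
    ])
    error_message = "allUsers and allAuthenticatedUsers are not allowed."
  }
}

data "google_project" "target" {
  project_id = var.project_id
}

resource "google_project_iam_member" "grants" {
  for_each = var.grants

  project = var.project_id
  role    = each.value.role
  member  = each.value.member

  lifecycle {
    # Stops a production grants file from being applied to the wrong project.
    precondition {
      condition     = data.google_project.target.folder_id == var.prod_folder_id
      error_message = "Target project is not under the production folder; refusing to apply grants."
    }
  }
}
```

Validation blocks catch bad values before any provider call; the precondition runs during plan once the data source has been read, which is what lets it compare against live state. Rules that span many resources or need an inventory of existing state are easier to express over the JSON plan in a tool such as conftest, run in the same CI job.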
Security Engineer Hardening Review

Source: Cloudpeakify original question

Study block 5 · Compliance & governance

Audit readiness, compliance workflow, evidence management, and exception handling.

[Question] automated evidence collection for audits. Which approach is most suitable for production? Review

Options:

  • A. Design and validate "automated evidence collection for audits" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • B. Share privileged accounts across team members for convenience.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: A. Design and validate "automated evidence collection for audits" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "automated evidence collection for audits" this option is best because evidence assembled by hand before each audit is incomplete and unrepeatable. On Google Cloud the durable sources are Cloud Audit Logs (aggregated at the organization level into a dedicated log bucket), Cloud Asset Inventory exports of resource and IAM state, and Security Command Center findings; collecting them continuously into an immutable location turns an auditor's request into a query. Validation matters because Data Access audit logs can add real cost and an aggregated sink captures every future project. The other three options destroy evidence rather than collect it.

  • List the controls each framework asks evidence for and map each to a source (audit log type, asset export, SCC finding) and a retention period.
  • Create the organization-level log sink, the locked log bucket, scheduled asset exports and the evidence bucket through IaC; check volumes and cost on one folder first.
  • Extend to the whole organization, monitor sink errors and export-job failures, and review a sample of evidence against the auditor's requests each quarter.
Security Engineer Compliance Review

Source: Cloudpeakify original question

[Question] retention and legal-hold policy implementation. Which approach is most suitable for production? Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Design and validate "retention and legal-hold policy implementation" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: B. Design and validate "retention and legal-hold policy implementation" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "retention and legal-hold policy implementation" this option is best because Cloud Storage offers two distinct mechanisms that are easy to mix up: a bucket retention policy sets a minimum age before objects can be deleted or overwritten and, once locked, can only be extended; holds (event-based or temporary) block deletion of individual objects until released, which is the legal-hold case. Cloud Logging buckets have their own retention setting that can likewise be locked. Locking is irreversible, so the period and the bucket are validated before the lock is applied. The other three options undermine the controls rather than implement them.

  • Agree retention periods and legal-hold triggers with legal and compliance; define the acceptance test: delete attempts on held or retained objects fail, and expiry behaves as documented.
  • Implement retention policies, default event-based holds and log-bucket retention in IaC on a non-production bucket, then test deletion, overwrite and hold release.
  • Apply and lock in production only after sign-off, monitor deletion errors and hold counts, and document that rollback after locking is not possible (only a longer period is).
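One configuration serving both "automated evidence collection for audits" and "retention and legal-hold policy implementation", as an added example (not from the original page): an organization-wide audit-log sink into a locked log bucket, and an evidence bucket with a locked retention policy and event-based holds. `var.org_id`, `var.audit_project_id` and the bucket names are placeholders.

```terraform
# Added example (not from the original page): org-wide audit-log sink with locked
# retention, plus an evidence bucket with locked retention and legal holds.
# Assumptions: var.org_id, var.audit_project_id and bucket names are placeholders.

# Dedicated log bucket. locked = true makes the retention irreversible: the
# bucket cannot be deleted and its retention cannot be shortened.
resource "google_logging_project_bucket_config" "audit" {
  project        = var.audit_project_id
  location       = "europe-west1"
  bucket_id      = "org-audit-logs"
  retention_days = 400
  locked         = true
}

# Aggregated sink: Admin Activity and Data Access audit logs from every project
# in the organization, including projects created later.
resource "google_logging_organization_sink" "audit" {
  name             = "org-audit-sink"
  org_id           = var.org_id
  include_children = true
  destination      = "logging.googleapis.com/${google_logging_project_bucket_config.audit.id}"
  filter           = "logName:\"cloudaudit.googleapis.com%2Factivity\" OR logName:\"cloudaudit.googleapis.com%2Fdata_access\""
}

# The sink's writer identity needs write access on the destination project.
resource "google_project_iam_member" "sink_writer" {
  project = var.audit_project_id
  role    = "roles/logging.bucketWriter"
  member  = google_logging_organization_sink.audit.writer_identity
}

# Evidence exports (Asset Inventory snapshots, SCC findings, access reviews).
resource "google_storage_bucket" "evidence" {
  project  = var.audit_project_id
  name     = "${var.audit_project_id}-evidence"
  location = "EU"

  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"

  # Objects cannot be deleted or overwritten for 7 years; is_locked is one-way.
  retention_policy {
    retention_period = 7 * 365 * 24 * 3600
    is_locked        = true
  }

  # Legal hold: every new object is held until the hold is released explicitly,
  # independently of the retention period above.
  default_event_based_hold = true
}
```

Data Access audit logs are only produced for services where they are enabled in the audit configuration, so the sink filter alone does not switch them on. Apply the evidence bucket with `is_locked = false` first, confirm the period against the policy, then lock in a second change; locking cannot be undone by a later apply.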
Security Engineer Compliance Review

Source: Cloudpeakify original question

[Question] regional compliance boundary controls. Which approach is most suitable for production? Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Design and validate "regional compliance boundary controls" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: C. Design and validate "regional compliance boundary controls" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "regional compliance boundary controls" this option is best because the `gcp.resourceLocations` organization policy constrains where new resources can be created (with value groups such as `in:eu-locations`), and Assured Workloads adds a folder with region, personnel and key-management controls for specific regimes. Neither moves existing data, and some global services fall outside the constraint, so the rollout starts with an inventory of what already lives outside the boundary. The other three options are credential and logging anti-patterns.

  • Inventory resource locations with Cloud Asset Inventory; define the allowed location set per folder and the acceptance criterion: no new resource outside it, and existing exceptions listed with owners.
  • Set `gcp.resourceLocations` through IaC on a test folder, then on the folders in scope; business units with a different residency requirement get their own folder with its own rule.
  • Roll out folder by folder, alert on denied creations in the audit logs, and keep the exported previous policy to restore.
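The location constraint at the organization with one folder that replaces it for a US residency requirement, as an added example (not from the original page). `var.org_id` and `var.us_folder_id` are placeholders.

```terraform
# Added example (not from the original page): EU-only locations for the
# organization, with a folder-level policy that replaces (not merges with) the
# parent for one business unit. Assumptions: var.org_id and var.us_folder_id.

resource "google_org_policy_policy" "org_locations" {
  name   = "organizations/${var.org_id}/policies/gcp.resourceLocations"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      values {
        allowed_values = ["in:eu-locations"] # value group: EU regions and multi-regions
      }
    }
  }
}

# The one folder with a US data-residency requirement. inherit_from_parent =
# false means this policy is the whole policy for the folder, so resources here
# can only be created in US locations.
resource "google_org_policy_policy" "us_folder_locations" {
  name   = "folders/${var.us_folder_id}/policies/gcp.resourceLocations"
  parent = "folders/${var.us_folder_id}"

  spec {
    inherit_from_parent = false
    rules {
      values {
        allowed_values = ["in:us-locations"]
      }
    }
  }
}
```

With `inherit_from_parent = true` the folder's rules would be combined with the organization's instead, which is the right choice when the folder should narrow the parent with `denied_values` rather than replace it.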
Security Engineer Compliance Review

Source: Cloudpeakify original question

[Question] third-party risk and vendor-access integration. Which approach is most suitable for production? Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Disable audit logging for sensitive changes to reduce cost.
  • D. Design and validate "third-party risk and vendor-access integration" in a controlled environment with SLO metrics, rollback, and security guardrails.

Short answer: D. Design and validate "third-party risk and vendor-access integration" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "third-party risk and vendor-access integration" this option is best because vendor access is a supply-chain exposure: the vendor's identities, devices and internal practices become part of your perimeter. Contain it structurally with a dedicated folder or project, domain restriction (`iam.allowedPolicyMemberDomains`) so that only approved identity domains can be granted access, time-bound IAM conditions, VPC Service Controls where data would otherwise leave the perimeter, and audit logging of everything the vendor does. Validating the pattern first avoids handing out broad access under time pressure during onboarding. The other three options are the failure modes this control is meant to prevent.

  • Record what the vendor needs (projects, roles, data, duration) and the acceptance criterion: predefined roles only, no basic roles, every grant with an expiry and an owner.
  • Build the vendor folder, the domain-restriction policy, conditional IAM grants and logging in IaC; test with a vendor test account before granting real access.
  • Onboard one engagement first, review its audit logs after the first week, and keep an offboarding runbook that removes the grants and rotates any shared secrets.
Security Engineer Compliance Review

Source: Cloudpeakify original question

[Question] audit-readiness checkpoint calendar. Which approach is most suitable for production? Review

Options:

  • A. Design and validate "audit-readiness checkpoint calendar" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • B. Share privileged accounts across team members for convenience.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: A. Design and validate "audit-readiness checkpoint calendar" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "audit-readiness checkpoint calendar" this option is best because audits are periodic but control evidence decays continuously; a checkpoint calendar (quarterly access reviews, monthly evidence sampling, annual policy review, dates keyed to each framework's audit window) spreads the work across the year instead of a scramble before the audit. Validating the cadence with one framework first shows whether the checkpoints are achievable with the team's capacity. The other three options are credential and logging anti-patterns.

  • Map each framework's audit window and each control's review frequency; define the acceptance criterion: every checkpoint has an owner, a due date and a named evidence source.
  • Automate what can be automated (access reviews, evidence exports, reminders) and run the calendar for one audit cycle.
  • Review missed checkpoints after the cycle, adjust the cadence, and keep the previous calendar version for comparison.
Security Engineer Compliance Review

Source: Cloudpeakify original question

[Question] exception workflow for policy deviations. Which approach is most suitable for production? Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Design and validate "exception workflow for policy deviations" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • C. Keep long-lived credentials without rotation or expiration.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: B. Design and validate "exception workflow for policy deviations" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "exception workflow for policy deviations" this option is best because deviations that are not tracked become permanent. An exception carries an owner, a business reason, a compensating control, an expiry date and the narrowest possible scope (a single project-level organization-policy override or one conditional IAM grant, never a disabled rule). The workflow is validated first so that it is fast enough for engineers to use it instead of working around the policy. The other three options are deviations without any workflow at all.

  • Define the request template (scope, justification, compensating control, expiry) and the criterion: every active deviation is represented by a tracked exception.
  • Implement exceptions as reviewed code changes (a narrower policy override or conditional grant) with the ticket reference recorded; run the workflow with one team first.
  • Expire and re-review exceptions automatically, report the open count regularly, and revoke any exception whose compensating control disappears.
Security Engineer Compliance Review

Source: Cloudpeakify original question

[Question] continuous compliance scoring dashboard. Which approach is most suitable for production? Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Design and validate "continuous compliance scoring dashboard" in a controlled environment with SLO metrics, rollback, and security guardrails.
  • D. Disable audit logging for sensitive changes to reduce cost.

Short answer: C. Design and validate "continuous compliance scoring dashboard" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "continuous compliance scoring dashboard" this option is best because a continuous score turns point-in-time audit findings into a trend. Security Command Center maps its findings to common benchmarks, Cloud Asset Inventory and organization-policy violation data show configuration drift, and a per-team view makes the score actionable. Validate the scoring rules first: a score that nobody can influence, or that swings with every false positive, is ignored. The other three options are credential and logging anti-patterns.

  • Choose the controls that count, the weighting per severity, and the acceptance criterion: each team can see which findings move its score.
  • Export SCC findings and asset data to BigQuery through automated pipelines, build the dashboard, and compare it with the last audit's findings for accuracy.
  • Publish to one team first, tune false positives, then roll out and review the scoring rules quarterly.
Security Engineer Compliance Review

Source: Cloudpeakify original question

[Question] temporary vendor access with expiration controls. Which approach is most suitable for production? Review

Options:

  • A. Share privileged accounts across team members for convenience.
  • B. Keep long-lived credentials without rotation or expiration.
  • C. Disable audit logging for sensitive changes to reduce cost.
  • D. Design and validate "temporary vendor access with expiration controls" in a controlled environment with SLO metrics, rollback, and security guardrails.

Short answer: D. Design and validate "temporary vendor access with expiration controls" in a controlled environment with SLO metrics, rollback, and security guardrails.

Explanation: For "temporary vendor access with expiration controls" this option is best because access that expires on its own is safer than access someone must remember to remove. IAM Conditions on the binding (`request.time < timestamp("...")`) make the grant invalid after the date even if it is never cleaned up, and Privileged Access Manager can issue approved, time-bound grants on request. Validate the pattern because conditional bindings are not supported on every resource type and role, and because the vendor's tooling must still work once the condition is attached. The other three options are the opposite of expiring access.

  • Define the maximum grant duration, the allowed roles and the approvers; acceptance criterion: no vendor binding without an expiry condition.
  • Implement grants through IaC with a condition expression (or Privileged Access Manager entitlements) and test that access works before, and is denied after, the timestamp.
  • Query Asset Inventory for bindings without conditions, alert on grants nearing expiry that need renewal, and keep the revocation command in the offboarding runbook.
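One configuration serving both "third-party risk and vendor-access integration" and "temporary vendor access with expiration controls", as an added example (not from the original page): vendor identities are confined to a dedicated folder by domain restriction, and the role grant expires through an IAM condition. `var.vendor_folder_id`, `var.own_customer_id`, `var.vendor_customer_id` (Cloud Identity / Workspace customer IDs), `var.vendor_project_id`, `var.vendor_group` and `var.vendor_access_until` are placeholders.

```terraform
# Added example (not from the original page): domain restriction for the vendor
# folder and a time-boxed project grant. Assumptions: all var.* values below are
# placeholders; customer IDs are Cloud Identity / Workspace IDs, not domain names.

# Only principals from our own and the vendor's identity domains can appear in
# IAM policies under the vendor folder.
resource "google_org_policy_policy" "vendor_folder_domains" {
  name   = "folders/${var.vendor_folder_id}/policies/iam.allowedPolicyMemberDomains"
  parent = "folders/${var.vendor_folder_id}"

  spec {
    inherit_from_parent = false
    rules {
      values {
        allowed_values = [var.own_customer_id, var.vendor_customer_id]
      }
    }
  }
}

# Time-boxed grant: IAM ignores the binding after the expiry even if nobody
# removes it. Scope is one project and one predefined role.
resource "google_project_iam_member" "vendor_support" {
  project = var.vendor_project_id
  role    = "roles/logging.viewer"
  member  = "group:${var.vendor_group}"

  condition {
    title       = "vendor-support-expires"
    description = "Support engagement; access ends automatically at the timestamp"
    expression  = "request.time < timestamp(\"${var.vendor_access_until}\")"
  }
}
```

`var.vendor_access_until` must be an RFC 3339 timestamp such as `2025-03-31T23:59:59Z`. An expired conditional binding still appears in the policy until it is removed, so the offboarding runbook should delete it rather than rely on expiry alone; the Asset Inventory query for bindings without a condition is what catches grants made outside this module.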
Security Engineer Compliance Review

Source: Cloudpeakify original question

Want to add another certification?

Duplicate this page, adjust the blocks and start adding new questions.